From e1d78dc2faaa06e7c3f71ef674a71e4de2f0758e Mon Sep 17 00:00:00 2001 
From: Yves-Alexis Perez Date: Tue, 21 Nov 2017 10:22:31 +0100 Subject: New upstream version 5.6.1 --- Android.common.mk | 2 +- Makefile.am | 2 +- Makefile.in | 4 +- NEWS | 43 + conf/Makefile.am | 2 +- conf/Makefile.in | 4 +- conf/options/charon.conf | 3 + conf/options/charon.opt | 3 + conf/options/pacman.conf | 12 - conf/options/pacman.opt | 7 - conf/options/sec-updater.conf | 42 + conf/options/sec-updater.opt | 29 + conf/plugins/eap-radius.conf | 4 + conf/plugins/eap-radius.opt | 4 + conf/plugins/systime-fix.conf | 4 + conf/plugins/systime-fix.opt | 4 + conf/strongswan.conf.5.main | 62 +- config.h.in | 5 +- configure | 210 +- configure.ac | 72 +- fuzz/Makefile.am | 23 +- fuzz/Makefile.in | 235 +- fuzz/libFuzzerLocal.c | 59 + init/Makefile.in | 2 + init/systemd-swanctl/Makefile.in | 2 + init/systemd/Makefile.in | 2 + man/Makefile.in | 2 + man/ipsec.conf.5.in | 16 +- scripts/Makefile.in | 2 + scripts/oid2der.c | 17 + scripts/pubkey_speed.c | 4 +- src/Makefile.am | 4 + src/Makefile.in | 11 +- src/_copyright/Makefile.in | 2 + src/_updown/Makefile.in | 2 + src/aikgen/Makefile.in | 2 + src/charon-cmd/Makefile.in | 2 + src/charon-nm/Makefile.in | 2 + src/charon-svc/Makefile.in | 2 + src/charon-systemd/Makefile.in | 2 + src/charon-tkm/Makefile.in | 2 + src/charon-tkm/src/charon-tkm.c | 47 +- src/charon-tkm/src/tkm/tkm_id_manager.c | 48 +- src/charon-tkm/src/tkm/tkm_id_manager.h | 20 +- src/charon-tkm/src/tkm/tkm_kernel_ipsec.c | 8 + src/charon-tkm/src/tkm/tkm_keymat.c | 19 +- src/charon-tkm/src/tkm/tkm_private_key.c | 3 +- src/charon-tkm/src/tkm/tkm_public_key.c | 3 +- src/charon-tkm/tests/id_manager_tests.c | 97 +- src/charon-tkm/tests/kernel_sad_tests.c | 4 +- src/charon/Makefile.in | 2 + src/charon/charon.c | 30 +- src/checksum/Makefile.am | 4 + src/checksum/Makefile.in | 5 +- src/conftest/Makefile.in | 2 + src/conftest/hooks/pretend_auth.c | 2 +- src/conftest/hooks/rebuild_auth.c | 2 +- src/dumm/Makefile.in | 2 + src/include/Makefile.in | 2 + src/ipsec/Makefile.in | 2 
+ src/ipsec/_ipsec.8 | 2 +- src/ipsec/_ipsec.in | 2 +- src/libcharon/Makefile.am | 7 + src/libcharon/Makefile.in | 299 +- src/libcharon/config/child_cfg.h | 3 + src/libcharon/config/ike_cfg.c | 1 + src/libcharon/config/proposal.c | 15 +- src/libcharon/config/proposal.h | 2 +- src/libcharon/control/controller.c | 5 +- src/libcharon/encoding/payloads/cert_payload.h | 2 +- src/libcharon/encoding/payloads/eap_payload.c | 2 +- src/libcharon/encoding/payloads/nonce_payload.c | 2 +- .../encoding/payloads/transform_substructure.h | 2 +- src/libcharon/kernel/kernel_ipsec.h | 2 +- src/libcharon/plugins/addrblock/Makefile.in | 2 + src/libcharon/plugins/android_dns/Makefile.in | 2 + src/libcharon/plugins/android_log/Makefile.in | 2 + src/libcharon/plugins/attr/Makefile.in | 2 + src/libcharon/plugins/attr_sql/Makefile.in | 2 + src/libcharon/plugins/bypass_lan/Makefile.in | 2 + src/libcharon/plugins/certexpire/Makefile.in | 2 + src/libcharon/plugins/connmark/Makefile.in | 2 + src/libcharon/plugins/counters/Makefile.am | 19 + src/libcharon/plugins/counters/Makefile.in | 804 ++++ src/libcharon/plugins/counters/counters_listener.c | 464 ++ src/libcharon/plugins/counters/counters_listener.h | 49 + src/libcharon/plugins/counters/counters_plugin.c | 101 + src/libcharon/plugins/counters/counters_plugin.h | 45 + src/libcharon/plugins/counters/counters_query.h | 124 + src/libcharon/plugins/coupling/Makefile.in | 2 + src/libcharon/plugins/dhcp/Makefile.in | 2 + src/libcharon/plugins/dhcp/dhcp_socket.c | 4 +- src/libcharon/plugins/dnscert/Makefile.in | 2 + src/libcharon/plugins/duplicheck/Makefile.in | 2 + src/libcharon/plugins/eap_aka/Makefile.in | 2 + src/libcharon/plugins/eap_aka_3gpp/Makefile.in | 2 + .../plugins/eap_aka_3gpp/eap_aka_3gpp_plugin.c | 2 +- src/libcharon/plugins/eap_aka_3gpp2/Makefile.in | 2 + .../plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c | 2 +- src/libcharon/plugins/eap_dynamic/Makefile.in | 2 + src/libcharon/plugins/eap_gtc/Makefile.in | 2 + 
src/libcharon/plugins/eap_identity/Makefile.in | 2 + src/libcharon/plugins/eap_md5/Makefile.in | 2 + src/libcharon/plugins/eap_mschapv2/Makefile.in | 2 + src/libcharon/plugins/eap_peap/Makefile.in | 2 + src/libcharon/plugins/eap_radius/Makefile.in | 2 + src/libcharon/plugins/eap_radius/eap_radius.c | 45 +- .../plugins/eap_radius/eap_radius_accounting.c | 48 +- .../plugins/eap_radius/eap_radius_accounting.h | 11 + src/libcharon/plugins/eap_sim/Makefile.in | 2 + src/libcharon/plugins/eap_sim_file/Makefile.in | 2 + src/libcharon/plugins/eap_sim_pcsc/Makefile.in | 2 + .../plugins/eap_simaka_pseudonym/Makefile.in | 2 + .../plugins/eap_simaka_reauth/Makefile.in | 2 + src/libcharon/plugins/eap_simaka_sql/Makefile.in | 2 + src/libcharon/plugins/eap_tls/Makefile.in | 2 + src/libcharon/plugins/eap_tnc/Makefile.in | 2 + src/libcharon/plugins/eap_ttls/Makefile.in | 2 + src/libcharon/plugins/error_notify/Makefile.in | 2 + src/libcharon/plugins/ext_auth/Makefile.in | 2 + src/libcharon/plugins/farp/Makefile.in | 2 + src/libcharon/plugins/forecast/Makefile.in | 2 + src/libcharon/plugins/ha/Makefile.in | 2 + src/libcharon/plugins/ipseckey/Makefile.in | 2 + src/libcharon/plugins/kernel_iph/Makefile.in | 2 + src/libcharon/plugins/kernel_libipsec/Makefile.in | 2 + src/libcharon/plugins/kernel_netlink/Makefile.am | 10 +- src/libcharon/plugins/kernel_netlink/Makefile.in | 113 +- .../plugins/kernel_netlink/kernel_netlink_ipsec.c | 7 +- .../plugins/kernel_netlink/kernel_netlink_net.c | 4 +- src/libcharon/plugins/kernel_pfkey/Makefile.in | 2 + .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 18 +- src/libcharon/plugins/kernel_pfroute/Makefile.in | 2 + .../plugins/kernel_pfroute/kernel_pfroute_net.c | 5 + src/libcharon/plugins/kernel_wfp/Makefile.in | 2 + src/libcharon/plugins/led/Makefile.in | 2 + src/libcharon/plugins/load_tester/Makefile.in | 2 + src/libcharon/plugins/lookip/Makefile.in | 2 + src/libcharon/plugins/medcli/Makefile.in | 2 + src/libcharon/plugins/medsrv/Makefile.in | 2 + 
src/libcharon/plugins/osx_attr/Makefile.in | 2 + src/libcharon/plugins/p_cscf/Makefile.in | 2 + src/libcharon/plugins/radattr/Makefile.in | 2 + src/libcharon/plugins/resolve/Makefile.in | 2 + src/libcharon/plugins/smp/Makefile.in | 2 + src/libcharon/plugins/socket_default/Makefile.in | 2 + src/libcharon/plugins/socket_dynamic/Makefile.in | 2 + src/libcharon/plugins/socket_win/Makefile.in | 2 + src/libcharon/plugins/sql/Makefile.in | 2 + src/libcharon/plugins/stroke/Makefile.am | 1 + src/libcharon/plugins/stroke/Makefile.in | 3 + src/libcharon/plugins/stroke/stroke_counter.c | 369 +- src/libcharon/plugins/stroke/stroke_counter.h | 60 +- src/libcharon/plugins/stroke/stroke_plugin.c | 1 + src/libcharon/plugins/stroke/stroke_socket.c | 3 +- src/libcharon/plugins/systime_fix/Makefile.in | 2 + .../plugins/systime_fix/systime_fix_plugin.c | 52 +- src/libcharon/plugins/tnc_ifmap/Makefile.in | 2 + src/libcharon/plugins/tnc_pdp/Makefile.in | 2 + src/libcharon/plugins/uci/Makefile.in | 2 + src/libcharon/plugins/unity/Makefile.in | 2 + src/libcharon/plugins/updown/Makefile.in | 2 + src/libcharon/plugins/vici/Makefile.am | 1 + src/libcharon/plugins/vici/Makefile.in | 3 + src/libcharon/plugins/vici/README.md | 29 + src/libcharon/plugins/vici/perl/Makefile.in | 2 + src/libcharon/plugins/vici/python/Makefile.in | 2 + src/libcharon/plugins/vici/ruby/Makefile.in | 4 +- src/libcharon/plugins/vici/vici_config.c | 26 +- src/libcharon/plugins/vici/vici_plugin.c | 1 + src/libcharon/plugins/vici/vici_query.c | 161 +- src/libcharon/plugins/whitelist/Makefile.in | 2 + src/libcharon/plugins/xauth_eap/Makefile.in | 2 + src/libcharon/plugins/xauth_generic/Makefile.in | 2 + src/libcharon/plugins/xauth_noauth/Makefile.in | 2 + src/libcharon/plugins/xauth_pam/Makefile.in | 2 + src/libcharon/sa/child_sa.c | 19 +- src/libcharon/sa/ike_sa.c | 18 +- src/libcharon/sa/ike_sa.h | 10 +- src/libcharon/sa/ike_sa_manager.c | 88 +- src/libcharon/sa/ike_sa_manager.h | 15 +- 
.../ikev1/authenticators/pubkey_v1_authenticator.c | 4 +- src/libcharon/sa/ikev1/iv_manager.c | 1 + src/libcharon/sa/ikev1/tasks/main_mode.c | 3 +- .../sa/ikev2/authenticators/pubkey_authenticator.c | 173 +- src/libcharon/sa/ikev2/keymat_v2.h | 5 +- src/libcharon/sa/ikev2/task_manager_v2.c | 22 +- src/libcharon/sa/ikev2/tasks/child_create.c | 1 - src/libcharon/sa/ikev2/tasks/child_delete.c | 2 +- src/libcharon/sa/ikev2/tasks/ike_auth.c | 1 - src/libcharon/sa/ikev2/tasks/ike_init.c | 15 +- src/libcharon/sa/ikev2/tasks/ike_vendor.c | 2 + src/libcharon/sa/shunt_manager.c | 21 +- src/libcharon/tests/Makefile.in | 2 + src/libfast/Makefile.in | 2 + src/libfast/fast_dispatcher.c | 2 +- src/libfast/fast_dispatcher.h | 8 +- src/libfast/fast_session.h | 2 +- src/libimcv/Android.mk | 2 + src/libimcv/Makefile.in | 2 + src/libimcv/ietf/ietf_attr.c | 6 +- src/libimcv/ietf/ietf_attr.h | 2 +- src/libimcv/ietf/ietf_attr_pa_tnc_error.c | 16 +- src/libimcv/ietf/ietf_attr_pa_tnc_error.h | 20 +- src/libimcv/ietf/swima/ietf_swima_attr_req.c | 4 +- src/libimcv/imv/data.sql | 92 +- src/libimcv/imv/imv_agent.c | 4 +- src/libimcv/imv/tables.sql | 16 +- src/libimcv/plugins/imc_attestation/Makefile.in | 2 + src/libimcv/plugins/imc_hcd/Makefile.in | 2 + src/libimcv/plugins/imc_os/Makefile.in | 2 + src/libimcv/plugins/imc_scanner/Makefile.in | 2 + src/libimcv/plugins/imc_swid/Makefile.in | 2 + .../strongswan.org__strongSwan-5-6-0.swidtag | 11 - .../strongswan.org__strongSwan-5-6-1.swidtag | 11 + src/libimcv/plugins/imc_swima/Makefile.in | 2 + src/libimcv/plugins/imc_swima/imc_swima.c | 10 +- .../strongswan.org__strongSwan-5-6-0.swidtag | 11 - .../strongswan.org__strongSwan-5-6-1.swidtag | 11 + src/libimcv/plugins/imc_test/Makefile.in | 2 + src/libimcv/plugins/imv_attestation/Makefile.in | 2 + .../imv_attestation/imv_attestation_process.c | 15 +- src/libimcv/plugins/imv_hcd/Makefile.in | 2 + src/libimcv/plugins/imv_os/Makefile.am | 9 - src/libimcv/plugins/imv_os/Makefile.in | 110 +- 
src/libimcv/plugins/imv_os/imv_os_agent.c | 3 +- src/libimcv/plugins/imv_os/imv_os_database.c | 34 +- src/libimcv/plugins/imv_os/imv_os_state.c | 24 +- src/libimcv/plugins/imv_os/imv_os_state.h | 10 +- src/libimcv/plugins/imv_os/pacman.c | 499 -- src/libimcv/plugins/imv_os/pacman.sh | 203 - src/libimcv/plugins/imv_scanner/Makefile.in | 2 + src/libimcv/plugins/imv_swid/Makefile.in | 2 + src/libimcv/plugins/imv_swima/Makefile.in | 2 + src/libimcv/plugins/imv_swima/imv_swima_agent.c | 4 +- src/libimcv/plugins/imv_test/Makefile.in | 2 + src/libimcv/pts/pts.c | 2 +- src/libimcv/pts/pts_database.c | 108 +- src/libimcv/pts/pts_database.h | 21 +- src/libimcv/pts/pts_file_meas.c | 12 +- src/libimcv/suites/test_imcv_seg.c | 24 +- src/libimcv/suites/test_imcv_swima.c | 2 +- src/libimcv/swid_gen/swid_gen.h | 2 +- src/libimcv/swima/swima_error.c | 2 +- src/libipsec/Makefile.in | 2 + src/libipsec/ip_packet.c | 70 +- src/libipsec/ipsec_sa_mgr.c | 11 +- src/libipsec/tests/Makefile.in | 2 + src/libpttls/Makefile.in | 2 + src/libradius/Makefile.in | 2 + src/libsimaka/Makefile.in | 2 + src/libstrongswan/Android.mk | 1 + src/libstrongswan/Makefile.am | 18 + src/libstrongswan/Makefile.in | 477 +- src/libstrongswan/asn1/asn1.c | 32 +- src/libstrongswan/asn1/asn1.h | 25 +- src/libstrongswan/asn1/oid.c | 940 ++-- src/libstrongswan/asn1/oid.h | 477 +- src/libstrongswan/asn1/oid.txt | 6 +- src/libstrongswan/credentials/auth_cfg.c | 188 +- src/libstrongswan/credentials/auth_cfg.h | 4 +- src/libstrongswan/credentials/builder.c | 1 + src/libstrongswan/credentials/builder.h | 4 +- .../credentials/certificates/certificate.h | 7 +- src/libstrongswan/credentials/certificates/x509.c | 9 + src/libstrongswan/credentials/certificates/x509.h | 7 +- src/libstrongswan/credentials/containers/pkcs12.c | 1 + src/libstrongswan/credentials/cred_encoding.h | 2 +- src/libstrongswan/credentials/credential_manager.c | 6 +- src/libstrongswan/credentials/credential_manager.h | 5 +- 
src/libstrongswan/credentials/keys/private_key.h | 6 +- src/libstrongswan/credentials/keys/public_key.c | 57 +- src/libstrongswan/credentials/keys/public_key.h | 16 +- .../credentials/keys/signature_params.c | 366 ++ .../credentials/keys/signature_params.h | 129 + src/libstrongswan/credentials/sets/cert_cache.c | 28 +- src/libstrongswan/credentials/sets/cert_cache.h | 5 +- src/libstrongswan/crypto/hashers/hasher.c | 77 +- src/libstrongswan/crypto/hashers/hasher.h | 18 +- src/libstrongswan/crypto/prfs/prf.h | 3 +- .../crypto/proposal/proposal_keywords_static.h | 2 +- .../crypto/proposal/proposal_keywords_static.h.in | 25 + src/libstrongswan/crypto/signers/signer.h | 3 +- src/libstrongswan/crypto/xofs/xof.c | 33 + src/libstrongswan/crypto/xofs/xof.h | 19 +- src/libstrongswan/math/libnttfft/Makefile.in | 2 + src/libstrongswan/math/libnttfft/tests/Makefile.in | 2 + .../networking/streams/stream_manager.c | 9 + .../networking/streams/stream_service_systemd.c | 71 + .../networking/streams/stream_service_systemd.h | 40 + src/libstrongswan/plugins/acert/Makefile.in | 2 + src/libstrongswan/plugins/aes/Makefile.in | 2 + src/libstrongswan/plugins/aesni/Makefile.in | 2 + src/libstrongswan/plugins/af_alg/Makefile.in | 2 + src/libstrongswan/plugins/agent/Makefile.in | 2 + .../plugins/agent/agent_private_key.c | 2 +- src/libstrongswan/plugins/bliss/Makefile.in | 2 + .../plugins/bliss/bliss_private_key.c | 2 +- src/libstrongswan/plugins/bliss/bliss_public_key.c | 2 +- src/libstrongswan/plugins/bliss/tests/Makefile.in | 2 + .../plugins/bliss/tests/suites/test_bliss_sign.c | 14 +- src/libstrongswan/plugins/blowfish/Makefile.in | 2 + src/libstrongswan/plugins/ccm/Makefile.in | 2 + src/libstrongswan/plugins/chapoly/Makefile.in | 2 + src/libstrongswan/plugins/cmac/Makefile.in | 2 + src/libstrongswan/plugins/constraints/Makefile.in | 2 + src/libstrongswan/plugins/ctr/Makefile.in | 2 + src/libstrongswan/plugins/curl/Makefile.in | 2 + src/libstrongswan/plugins/curve25519/Makefile.in | 2 + 
.../plugins/curve25519/curve25519_private_key.c | 2 +- .../plugins/curve25519/curve25519_public_key.c | 2 +- src/libstrongswan/plugins/des/Makefile.in | 2 + src/libstrongswan/plugins/dnskey/Makefile.in | 2 + src/libstrongswan/plugins/files/Makefile.in | 2 + src/libstrongswan/plugins/fips_prf/Makefile.in | 2 + src/libstrongswan/plugins/gcm/Makefile.in | 2 + src/libstrongswan/plugins/gcrypt/Makefile.in | 2 + src/libstrongswan/plugins/gcrypt/gcrypt_dh.c | 6 +- src/libstrongswan/plugins/gcrypt/gcrypt_dh.h | 6 +- src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c | 22 + .../plugins/gcrypt/gcrypt_rsa_private_key.c | 229 +- .../plugins/gcrypt/gcrypt_rsa_public_key.c | 75 +- src/libstrongswan/plugins/gmp/Makefile.in | 2 + src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c | 11 +- src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h | 5 +- src/libstrongswan/plugins/gmp/gmp_plugin.c | 15 + .../plugins/gmp/gmp_rsa_private_key.c | 232 +- src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 128 +- src/libstrongswan/plugins/hmac/Makefile.in | 2 + src/libstrongswan/plugins/keychain/Makefile.in | 2 + src/libstrongswan/plugins/ldap/Makefile.in | 2 + src/libstrongswan/plugins/md4/Makefile.in | 2 + src/libstrongswan/plugins/md5/Makefile.in | 2 + src/libstrongswan/plugins/mgf1/Makefile.in | 2 + src/libstrongswan/plugins/mgf1/mgf1_plugin.c | 4 + src/libstrongswan/plugins/mgf1/mgf1_xof.c | 8 +- src/libstrongswan/plugins/mysql/Makefile.in | 2 + src/libstrongswan/plugins/newhope/Makefile.in | 2 + .../plugins/newhope/tests/Makefile.in | 2 + src/libstrongswan/plugins/nonce/Makefile.in | 2 + src/libstrongswan/plugins/ntru/Makefile.in | 2 + src/libstrongswan/plugins/openssl/Makefile.in | 2 + src/libstrongswan/plugins/openssl/openssl_crl.c | 111 +- .../plugins/openssl/openssl_diffie_hellman.c | 5 +- .../plugins/openssl/openssl_diffie_hellman.h | 5 +- .../plugins/openssl/openssl_ec_private_key.c | 15 +- .../plugins/openssl/openssl_ec_private_key.h | 3 +- .../plugins/openssl/openssl_ec_public_key.c 
| 2 +- src/libstrongswan/plugins/openssl/openssl_hasher.c | 22 +- src/libstrongswan/plugins/openssl/openssl_hasher.h | 14 +- src/libstrongswan/plugins/openssl/openssl_pkcs7.c | 2 +- src/libstrongswan/plugins/openssl/openssl_plugin.c | 158 +- .../plugins/openssl/openssl_rsa_private_key.c | 512 ++- .../plugins/openssl/openssl_rsa_private_key.h | 3 +- .../plugins/openssl/openssl_rsa_public_key.c | 146 +- .../plugins/openssl/openssl_sha1_prf.c | 1 + src/libstrongswan/plugins/openssl/openssl_x509.c | 93 +- src/libstrongswan/plugins/padlock/Makefile.in | 2 + src/libstrongswan/plugins/pem/Makefile.in | 2 + src/libstrongswan/plugins/pem/pem_encoder.c | 2 + src/libstrongswan/plugins/pgp/Makefile.in | 2 + src/libstrongswan/plugins/pgp/pgp_builder.c | 20 +- src/libstrongswan/plugins/pgp/pgp_cert.c | 2 +- src/libstrongswan/plugins/pgp/pgp_encoder.c | 1 + src/libstrongswan/plugins/pkcs1/Makefile.in | 2 + src/libstrongswan/plugins/pkcs1/pkcs1_builder.c | 7 +- src/libstrongswan/plugins/pkcs11/Makefile.in | 2 + src/libstrongswan/plugins/pkcs11/pkcs11_dh.c | 6 +- src/libstrongswan/plugins/pkcs11/pkcs11_dh.h | 6 +- src/libstrongswan/plugins/pkcs11/pkcs11_manager.c | 23 +- .../plugins/pkcs11/pkcs11_private_key.c | 2 +- .../plugins/pkcs11/pkcs11_public_key.c | 2 +- src/libstrongswan/plugins/pkcs12/Makefile.in | 2 + src/libstrongswan/plugins/pkcs7/Makefile.in | 2 + .../plugins/pkcs7/pkcs7_signed_data.c | 5 +- src/libstrongswan/plugins/pkcs8/Makefile.in | 2 + src/libstrongswan/plugins/pkcs8/pkcs8_builder.c | 11 + src/libstrongswan/plugins/plugin_loader.c | 6 +- src/libstrongswan/plugins/pubkey/Makefile.in | 2 + src/libstrongswan/plugins/pubkey/pubkey_cert.c | 11 +- src/libstrongswan/plugins/random/Makefile.in | 2 + src/libstrongswan/plugins/rc2/Makefile.in | 2 + src/libstrongswan/plugins/rdrand/Makefile.in | 2 + src/libstrongswan/plugins/revocation/Makefile.in | 2 + src/libstrongswan/plugins/sha1/Makefile.in | 2 + src/libstrongswan/plugins/sha2/Makefile.in | 2 + 
src/libstrongswan/plugins/sha3/Makefile.in | 2 + src/libstrongswan/plugins/soup/Makefile.in | 2 + src/libstrongswan/plugins/sqlite/Makefile.in | 2 + src/libstrongswan/plugins/sshkey/Makefile.in | 2 + src/libstrongswan/plugins/test_vectors/Makefile.in | 2 + src/libstrongswan/plugins/unbound/Makefile.in | 2 + src/libstrongswan/plugins/winhttp/Makefile.in | 2 + src/libstrongswan/plugins/x509/Makefile.in | 2 + src/libstrongswan/plugins/x509/x509_ac.c | 89 +- src/libstrongswan/plugins/x509/x509_cert.c | 97 +- src/libstrongswan/plugins/x509/x509_crl.c | 85 +- src/libstrongswan/plugins/x509/x509_ocsp_request.c | 4 +- .../plugins/x509/x509_ocsp_response.c | 35 +- src/libstrongswan/plugins/x509/x509_pkcs10.c | 80 +- src/libstrongswan/plugins/xcbc/Makefile.in | 2 + src/libstrongswan/processing/watcher.c | 8 +- src/libstrongswan/selectors/traffic_selector.c | 223 +- src/libstrongswan/settings/settings.c | 44 +- src/libstrongswan/settings/settings.h | 4 +- src/libstrongswan/tests/Makefile.am | 13 +- src/libstrongswan/tests/Makefile.in | 1110 ++--- src/libstrongswan/tests/suites/test_asn1.c | 41 +- src/libstrongswan/tests/suites/test_auth_cfg.c | 105 +- src/libstrongswan/tests/suites/test_ecdsa.c | 7 +- src/libstrongswan/tests/suites/test_ed25519.c | 30 +- src/libstrongswan/tests/suites/test_hasher.c | 37 +- src/libstrongswan/tests/suites/test_rsa.c | 4827 +++++++++++++++++++- .../tests/suites/test_signature_params.c | 461 ++ .../tests/suites/test_traffic_selector.c | 38 +- src/libstrongswan/tests/suites/test_utils.c | 79 +- src/libstrongswan/tests/test_runner.c | 49 +- src/libstrongswan/tests/test_suite.c | 49 + src/libstrongswan/tests/test_suite.h | 24 + src/libstrongswan/tests/tests.h | 1 + src/libstrongswan/utils/debug.h | 4 +- src/libstrongswan/utils/identification.c | 3 + src/libstrongswan/utils/utils.h | 1 + src/libstrongswan/utils/utils/time.c | 68 +- src/libstrongswan/utils/utils/time.h | 16 +- src/libtls/Makefile.in | 2 + src/libtls/tests/Makefile.in | 2 + 
src/libtls/tls_crypto.c | 15 +- src/libtls/tls_prf.c | 2 + src/libtnccs/Makefile.in | 2 + src/libtnccs/plugins/tnc_imc/Makefile.in | 2 + src/libtnccs/plugins/tnc_imc/tnc_imc.c | 2 +- src/libtnccs/plugins/tnc_imv/Makefile.in | 2 + src/libtnccs/plugins/tnc_imv/tnc_imv.c | 2 +- src/libtnccs/plugins/tnc_tnccs/Makefile.in | 2 + src/libtnccs/plugins/tnccs_11/Makefile.in | 2 + src/libtnccs/plugins/tnccs_20/Makefile.in | 2 + src/libtnccs/plugins/tnccs_dynamic/Makefile.in | 2 + src/libtncif/Makefile.in | 2 + src/libtncif/tncif_pa_subtypes.c | 6 +- src/libtncif/tncif_pa_subtypes.h | 2 +- src/libtpmtss/Makefile.in | 2 + src/libtpmtss/plugins/tpm/Makefile.in | 2 + src/libtpmtss/plugins/tpm/tpm_private_key.c | 4 +- src/libtpmtss/tpm_tss_tss2.c | 2 +- src/manager/Makefile.in | 2 + src/manager/templates/static/jquery.js | 2 +- src/medsrv/Makefile.in | 2 + src/pki/Makefile.in | 2 + src/pki/command.c | 8 +- src/pki/command.h | 2 +- src/pki/commands/acert.c | 23 +- src/pki/commands/gen.c | 2 +- src/pki/commands/issue.c | 25 +- src/pki/commands/req.c | 45 +- src/pki/commands/self.c | 27 +- src/pki/commands/signcrl.c | 49 +- src/pki/man/Makefile.in | 2 + src/pki/man/pki---acert.1.in | 5 + src/pki/man/pki---issue.1.in | 5 + src/pki/man/pki---req.1.in | 5 + src/pki/man/pki---self.1.in | 5 + src/pki/man/pki---signcrl.1.in | 5 + src/pki/pki.c | 52 +- src/pki/pki.h | 14 +- src/pool/Makefile.in | 2 + src/pool/pool.c | 38 +- src/pool/pool_usage.c | 8 +- src/pt-tls-client/Makefile.in | 2 + src/pt-tls-client/pt-tls-client.1.in | 4 +- src/pt-tls-client/pt-tls-client.c | 3 +- src/scepclient/Makefile.in | 2 + src/sec-updater/Makefile.am | 18 + src/sec-updater/Makefile.in | 845 ++++ src/sec-updater/sec-updater.8.in | 84 + src/sec-updater/sec-updater.c | 565 +++ src/sec-updater/sec-updater.sh | 168 + src/starter/Makefile.am | 14 +- src/starter/Makefile.in | 16 +- src/starter/confread.c | 20 +- src/starter/keywords.c | 1 + src/starter/keywords.h | 4 + src/starter/keywords.h.in | 203 + 
src/starter/keywords.txt | 1 + src/starter/tests/Makefile.in | 2 + src/stroke/Makefile.am | 14 +- src/stroke/Makefile.in | 16 +- src/stroke/stroke_keywords.h | 3 +- src/stroke/stroke_keywords.h.in | 79 + src/sw-collector/Makefile.in | 2 + src/sw-collector/sw-collector.8.in | 18 +- src/sw-collector/sw-collector.c | 1 + src/swanctl/Makefile.am | 1 + src/swanctl/Makefile.in | 15 +- src/swanctl/command.c | 9 + src/swanctl/command.h | 2 +- src/swanctl/commands/counters.c | 154 + src/swanctl/swanctl.conf | 3 + src/swanctl/swanctl.conf.5.main | 72 +- src/swanctl/swanctl.opt | 47 +- testing/Makefile.in | 2 + testing/config/kernel/config-4.13 | 2613 +++++++++++ testing/do-tests | 2 +- testing/hosts/default/etc/strongswan.conf.testing | 10 + testing/scripts/build-baseimage | 2 +- testing/scripts/build-strongswan | 3 +- testing/scripts/recipes/013_strongswan.mk | 3 +- testing/ssh_config | 1 + testing/testing.conf | 2 +- testing/tests/af-alg/alg-camellia/description.txt | 6 +- .../alg-camellia/hosts/carol/etc/strongswan.conf | 11 +- .../alg-camellia/hosts/moon/etc/strongswan.conf | 11 +- testing/tests/af-alg/alg-camellia/posttest.dat | 4 +- testing/tests/af-alg/alg-camellia/pretest.dat | 4 +- .../af-alg/rw-cert/hosts/carol/etc/strongswan.conf | 12 +- .../af-alg/rw-cert/hosts/dave/etc/strongswan.conf | 12 +- .../af-alg/rw-cert/hosts/moon/etc/strongswan.conf | 12 +- testing/tests/af-alg/rw-cert/posttest.dat | 6 +- testing/tests/af-alg/rw-cert/pretest.dat | 6 +- .../tests/gcrypt-ikev1/alg-serpent/description.txt | 6 +- .../alg-serpent/hosts/carol/etc/strongswan.conf | 11 +- .../alg-serpent/hosts/moon/etc/strongswan.conf | 11 +- .../tests/gcrypt-ikev1/alg-serpent/posttest.dat | 4 +- testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat | 10 +- .../tests/gcrypt-ikev1/alg-twofish/description.txt | 6 +- .../alg-twofish/hosts/carol/etc/strongswan.conf | 11 +- .../alg-twofish/hosts/moon/etc/strongswan.conf | 11 +- .../tests/gcrypt-ikev1/alg-twofish/posttest.dat | 4 +- 
testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat | 8 +- .../gcrypt-ikev2/alg-camellia/description.txt | 7 +- .../tests/gcrypt-ikev2/alg-camellia/evaltest.dat | 10 +- .../alg-camellia/hosts/carol/etc/ipsec.conf | 22 - .../alg-camellia/hosts/carol/etc/strongswan.conf | 8 +- .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../alg-camellia/hosts/moon/etc/ipsec.conf | 21 - .../alg-camellia/hosts/moon/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 25 + .../tests/gcrypt-ikev2/alg-camellia/posttest.dat | 5 +- .../tests/gcrypt-ikev2/alg-camellia/pretest.dat | 8 +- testing/tests/gcrypt-ikev2/alg-camellia/test.conf | 4 + testing/tests/gcrypt-ikev2/rw-cert/description.txt | 8 +- testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat | 12 +- .../rw-cert/hosts/carol/etc/ipsec.conf | 22 - .../rw-cert/hosts/carol/etc/strongswan.conf | 7 +- .../rw-cert/hosts/carol/etc/swanctl/swanctl.conf | 27 + .../gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf | 22 - .../rw-cert/hosts/dave/etc/strongswan.conf | 7 +- .../rw-cert/hosts/dave/etc/swanctl/swanctl.conf | 27 + .../gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf | 21 - .../rw-cert/hosts/moon/etc/strongswan.conf | 7 +- .../rw-cert/hosts/moon/etc/swanctl/swanctl.conf | 25 + testing/tests/gcrypt-ikev2/rw-cert/posttest.dat | 8 +- testing/tests/gcrypt-ikev2/rw-cert/pretest.dat | 14 +- testing/tests/gcrypt-ikev2/rw-cert/test.conf | 4 + .../ikev1/net2net-ah/hosts/moon/etc/ipsec.conf | 3 - .../net2net-ah/hosts/moon/etc/strongswan.conf | 6 + .../ikev1/net2net-ah/hosts/sun/etc/ipsec.conf | 3 - .../ikev1/net2net-ah/hosts/sun/etc/strongswan.conf | 6 + .../ikev1/net2net-esn/hosts/moon/etc/ipsec.conf | 3 - .../net2net-esn/hosts/moon/etc/strongswan.conf | 6 + .../ikev1/net2net-esn/hosts/sun/etc/ipsec.conf | 3 - .../net2net-esn/hosts/sun/etc/strongswan.conf | 6 + .../net2net-ntru-cert/hosts/moon/etc/ipsec.conf | 5 +- .../hosts/moon/etc/strongswan.conf | 6 + .../net2net-ntru-cert/hosts/sun/etc/ipsec.conf | 7 +- 
.../hosts/sun/etc/strongswan.conf | 6 + .../rw-cert-aggressive/hosts/carol/etc/ipsec.conf | 3 - .../hosts/carol/etc/strongswan.conf | 5 + .../rw-cert-aggressive/hosts/dave/etc/ipsec.conf | 3 - .../hosts/dave/etc/strongswan.conf | 5 + .../ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf | 3 - .../alg-blowfish/hosts/carol/etc/strongswan.conf | 5 + .../ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf | 3 - .../alg-blowfish/hosts/moon/etc/strongswan.conf | 5 + .../ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf | 5 +- .../nat-rw-mark/hosts/sun/etc/strongswan.conf | 5 + .../ikev2/net2net-ah/hosts/moon/etc/ipsec.conf | 3 - .../net2net-ah/hosts/moon/etc/strongswan.conf | 6 + .../ikev2/net2net-ah/hosts/sun/etc/ipsec.conf | 3 - .../ikev2/net2net-ah/hosts/sun/etc/strongswan.conf | 6 + .../ikev2/net2net-esn/hosts/moon/etc/ipsec.conf | 5 +- .../net2net-esn/hosts/moon/etc/strongswan.conf | 6 + .../ikev2/net2net-esn/hosts/sun/etc/ipsec.conf | 7 +- .../net2net-esn/hosts/sun/etc/strongswan.conf | 6 + .../hosts/moon/etc/ipsec.conf | 5 +- .../hosts/moon/etc/strongswan.conf | 8 +- .../hosts/sun/etc/ipsec.conf | 7 +- .../hosts/sun/etc/strongswan.conf | 6 + .../net2net-ntru-cert/hosts/moon/etc/ipsec.conf | 5 +- .../hosts/moon/etc/strongswan.conf | 6 + .../net2net-ntru-cert/hosts/sun/etc/ipsec.conf | 7 +- .../hosts/sun/etc/strongswan.conf | 6 + .../net2net-psk-dscp/hosts/moon/etc/ipsec.conf | 5 +- .../hosts/moon/etc/strongswan.conf | 5 + .../net2net-psk-dscp/hosts/sun/etc/ipsec.conf | 7 +- .../net2net-psk-dscp/hosts/sun/etc/strongswan.conf | 5 + .../ikev2/net2net-rekey/hosts/moon/etc/ipsec.conf | 3 - .../net2net-rekey/hosts/moon/etc/strongswan.conf | 5 + .../net2net-rfc3779/hosts/moon/etc/ipsec.conf | 5 +- .../net2net-rfc3779/hosts/moon/etc/strongswan.conf | 5 + .../ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf | 7 +- .../net2net-rfc3779/hosts/sun/etc/strongswan.conf | 5 + .../redirect-active/hosts/carol/etc/ipsec.conf | 2 - .../hosts/carol/etc/strongswan.conf | 5 + .../hosts/carol/etc/ipsec.conf 
| 3 - .../hosts/carol/etc/strongswan.conf | 5 + .../rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf | 3 - .../hosts/moon/etc/strongswan.conf | 5 + .../rw-eap-tls-only/hosts/carol/etc/ipsec.conf | 3 - .../hosts/carol/etc/strongswan.conf | 5 + .../rw-eap-tls-only/hosts/moon/etc/ipsec.conf | 3 - .../rw-eap-tls-only/hosts/moon/etc/strongswan.conf | 5 + .../rw-eap-tls-radius/hosts/carol/etc/ipsec.conf | 3 - .../hosts/carol/etc/strongswan.conf | 5 + .../rw-eap-ttls-only/hosts/carol/etc/ipsec.conf | 3 - .../hosts/carol/etc/strongswan.conf | 5 + .../rw-eap-ttls-only/hosts/dave/etc/ipsec.conf | 3 - .../hosts/dave/etc/strongswan.conf | 5 + .../rw-eap-ttls-only/hosts/moon/etc/ipsec.conf | 3 - .../hosts/moon/etc/strongswan.conf | 5 + .../hosts/carol/etc/ipsec.conf | 3 - .../hosts/carol/etc/strongswan.conf | 5 + .../hosts/dave/etc/ipsec.conf | 3 - .../hosts/dave/etc/strongswan.conf | 5 + .../hosts/moon/etc/ipsec.conf | 3 - .../hosts/moon/etc/strongswan.conf | 5 + .../rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf | 3 - .../hosts/carol/etc/strongswan.conf | 5 + .../rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf | 3 - .../hosts/dave/etc/strongswan.conf | 5 + .../ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf | 5 +- .../rw-mark-in-out/hosts/sun/etc/strongswan.conf | 5 + .../ikev2/trap-any/hosts/carol/etc/ipsec.conf | 3 - .../ikev2/trap-any/hosts/carol/etc/strongswan.conf | 5 + .../tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf | 3 - .../ikev2/trap-any/hosts/dave/etc/strongswan.conf | 5 + .../tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf | 3 - .../ikev2/trap-any/hosts/moon/etc/strongswan.conf | 5 + .../tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf | 3 - .../ikev2/trap-any/hosts/sun/etc/strongswan.conf | 5 + .../ipv6-stroke/host2host-ikev1/description.txt | 5 + .../tests/ipv6-stroke/host2host-ikev1/evaltest.dat | 7 + .../host2host-ikev1/hosts/moon/etc/ipsec.conf | 32 + .../host2host-ikev1/hosts/moon/etc/strongswan.conf | 5 + .../host2host-ikev1/hosts/sun/etc/ipsec.conf | 31 + 
.../host2host-ikev1/hosts/sun/etc/strongswan.conf | 5 + .../tests/ipv6-stroke/host2host-ikev1/posttest.dat | 6 + .../tests/ipv6-stroke/host2host-ikev1/pretest.dat | 9 + .../tests/ipv6-stroke/host2host-ikev1/test.conf | 25 + .../ipv6-stroke/host2host-ikev2/description.txt | 5 + .../tests/ipv6-stroke/host2host-ikev2/evaltest.dat | 7 + .../host2host-ikev2/hosts/moon/etc/ipsec.conf | 31 + .../host2host-ikev2/hosts/moon/etc/strongswan.conf | 5 + .../host2host-ikev2/hosts/sun/etc/ipsec.conf | 30 + .../host2host-ikev2/hosts/sun/etc/strongswan.conf | 5 + .../tests/ipv6-stroke/host2host-ikev2/posttest.dat | 6 + .../tests/ipv6-stroke/host2host-ikev2/pretest.dat | 9 + .../tests/ipv6-stroke/host2host-ikev2/test.conf | 25 + .../ipv6-stroke/net2net-ikev1/description.txt | 6 + .../tests/ipv6-stroke/net2net-ikev1/evaltest.dat | 7 + .../net2net-ikev1/hosts/moon/etc/ipsec.conf | 31 + .../net2net-ikev1/hosts/moon/etc/strongswan.conf | 7 + .../net2net-ikev1/hosts/sun/etc/ipsec.conf | 31 + .../net2net-ikev1/hosts/sun/etc/strongswan.conf | 7 + .../tests/ipv6-stroke/net2net-ikev1/posttest.dat | 10 + .../tests/ipv6-stroke/net2net-ikev1/pretest.dat | 13 + testing/tests/ipv6-stroke/net2net-ikev1/test.conf | 25 + .../ipv6-stroke/net2net-ikev2/description.txt | 6 + .../tests/ipv6-stroke/net2net-ikev2/evaltest.dat | 7 + .../net2net-ikev2/hosts/moon/etc/ipsec.conf | 32 + .../net2net-ikev2/hosts/moon/etc/strongswan.conf | 7 + .../net2net-ikev2/hosts/sun/etc/ipsec.conf | 32 + .../net2net-ikev2/hosts/sun/etc/strongswan.conf | 7 + .../tests/ipv6-stroke/net2net-ikev2/posttest.dat | 10 + .../tests/ipv6-stroke/net2net-ikev2/pretest.dat | 13 + testing/tests/ipv6-stroke/net2net-ikev2/test.conf | 25 + .../net2net-ip4-in-ip6-ikev1/description.txt | 4 + .../net2net-ip4-in-ip6-ikev1/evaltest.dat | 7 + .../hosts/moon/etc/ipsec.conf | 31 + .../hosts/moon/etc/strongswan.conf | 7 + .../hosts/sun/etc/ipsec.conf | 31 + .../hosts/sun/etc/strongswan.conf | 7 + .../net2net-ip4-in-ip6-ikev1/posttest.dat | 6 + 
.../net2net-ip4-in-ip6-ikev1/pretest.dat | 9 + .../ipv6-stroke/net2net-ip4-in-ip6-ikev1/test.conf | 25 + .../net2net-ip4-in-ip6-ikev2/description.txt | 4 + .../net2net-ip4-in-ip6-ikev2/evaltest.dat | 7 + .../hosts/moon/etc/ipsec.conf | 31 + .../hosts/moon/etc/strongswan.conf | 7 + .../hosts/sun/etc/ipsec.conf | 31 + .../hosts/sun/etc/strongswan.conf | 7 + .../net2net-ip4-in-ip6-ikev2/posttest.dat | 6 + .../net2net-ip4-in-ip6-ikev2/pretest.dat | 9 + .../ipv6-stroke/net2net-ip4-in-ip6-ikev2/test.conf | 25 + .../net2net-ip6-in-ip4-ikev1/description.txt | 6 + .../net2net-ip6-in-ip4-ikev1/evaltest.dat | 7 + .../hosts/moon/etc/ip6tables.rules | 20 + .../hosts/moon/etc/ipsec.conf | 21 + .../hosts/moon/etc/strongswan.conf | 7 + .../hosts/sun/etc/ip6tables.rules | 20 + .../hosts/sun/etc/ipsec.conf | 21 + .../hosts/sun/etc/strongswan.conf | 7 + .../net2net-ip6-in-ip4-ikev1/posttest.dat | 10 + .../net2net-ip6-in-ip4-ikev1/pretest.dat | 13 + .../ipv6-stroke/net2net-ip6-in-ip4-ikev1/test.conf | 25 + .../net2net-ip6-in-ip4-ikev2/description.txt | 6 + .../net2net-ip6-in-ip4-ikev2/evaltest.dat | 7 + .../hosts/moon/etc/ip6tables.rules | 20 + .../hosts/moon/etc/ipsec.conf | 22 + .../hosts/moon/etc/strongswan.conf | 6 + .../hosts/sun/etc/ip6tables.rules | 20 + .../hosts/sun/etc/ipsec.conf | 22 + .../hosts/sun/etc/strongswan.conf | 6 + .../net2net-ip6-in-ip4-ikev2/posttest.dat | 10 + .../net2net-ip6-in-ip4-ikev2/pretest.dat | 13 + .../ipv6-stroke/net2net-ip6-in-ip4-ikev2/test.conf | 25 + testing/tests/ipv6-stroke/rw-ikev1/description.txt | 7 + testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat | 15 + .../rw-ikev1/hosts/carol/etc/ipsec.conf | 27 + .../rw-ikev1/hosts/carol/etc/strongswan.conf | 5 + .../ipv6-stroke/rw-ikev1/hosts/dave/etc/ipsec.conf | 27 + .../rw-ikev1/hosts/dave/etc/strongswan.conf | 5 + .../ipv6-stroke/rw-ikev1/hosts/moon/etc/ipsec.conf | 26 + .../rw-ikev1/hosts/moon/etc/strongswan.conf | 5 + testing/tests/ipv6-stroke/rw-ikev1/posttest.dat | 12 + 
testing/tests/ipv6-stroke/rw-ikev1/pretest.dat | 17 + testing/tests/ipv6-stroke/rw-ikev1/test.conf | 25 + testing/tests/ipv6-stroke/rw-ikev2/description.txt | 7 + testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat | 15 + .../rw-ikev2/hosts/carol/etc/ipsec.conf | 26 + .../rw-ikev2/hosts/carol/etc/strongswan.conf | 6 + .../ipv6-stroke/rw-ikev2/hosts/dave/etc/ipsec.conf | 26 + .../rw-ikev2/hosts/dave/etc/strongswan.conf | 6 + .../ipv6-stroke/rw-ikev2/hosts/moon/etc/ipsec.conf | 25 + .../rw-ikev2/hosts/moon/etc/strongswan.conf | 6 + testing/tests/ipv6-stroke/rw-ikev2/posttest.dat | 12 + testing/tests/ipv6-stroke/rw-ikev2/pretest.dat | 17 + testing/tests/ipv6-stroke/rw-ikev2/test.conf | 25 + .../rw-ip6-in-ip4-ikev1/description.txt | 10 + .../ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat | 15 + .../hosts/carol/etc/ip6tables.rules | 20 + .../rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf | 21 + .../hosts/carol/etc/strongswan.conf | 5 + .../hosts/dave/etc/ip6tables.rules | 20 + .../rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf | 21 + .../hosts/dave/etc/strongswan.conf | 5 + .../hosts/moon/etc/ip6tables.rules | 20 + .../rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf | 20 + .../hosts/moon/etc/strongswan.conf | 5 + .../ipv6-stroke/rw-ip6-in-ip4-ikev1/posttest.dat | 10 + .../ipv6-stroke/rw-ip6-in-ip4-ikev1/pretest.dat | 15 + .../ipv6-stroke/rw-ip6-in-ip4-ikev1/test.conf | 25 + .../rw-ip6-in-ip4-ikev2/description.txt | 10 + .../ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat | 15 + .../hosts/carol/etc/ip6tables.rules | 20 + .../rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf | 21 + .../hosts/carol/etc/strongswan.conf | 6 + .../hosts/dave/etc/ip6tables.rules | 20 + .../rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf | 21 + .../hosts/dave/etc/strongswan.conf | 6 + .../hosts/moon/etc/ip6tables.rules | 20 + .../rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf | 20 + .../hosts/moon/etc/strongswan.conf | 6 + .../ipv6-stroke/rw-ip6-in-ip4-ikev2/posttest.dat | 10 + 
.../ipv6-stroke/rw-ip6-in-ip4-ikev2/pretest.dat | 15 + .../ipv6-stroke/rw-ip6-in-ip4-ikev2/test.conf | 25 + .../tests/ipv6-stroke/rw-psk-ikev1/description.txt | 7 + .../tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat | 15 + .../rw-psk-ikev1/hosts/carol/etc/ipsec.conf | 18 + .../rw-psk-ikev1/hosts/carol/etc/ipsec.secrets | 3 + .../rw-psk-ikev1/hosts/carol/etc/strongswan.conf | 5 + .../rw-psk-ikev1/hosts/dave/etc/ipsec.conf | 19 + .../rw-psk-ikev1/hosts/dave/etc/ipsec.secrets | 3 + .../rw-psk-ikev1/hosts/dave/etc/strongswan.conf | 5 + .../rw-psk-ikev1/hosts/moon/etc/ipsec.conf | 18 + .../rw-psk-ikev1/hosts/moon/etc/ipsec.secrets | 5 + .../rw-psk-ikev1/hosts/moon/etc/strongswan.conf | 5 + .../tests/ipv6-stroke/rw-psk-ikev1/posttest.dat | 12 + testing/tests/ipv6-stroke/rw-psk-ikev1/pretest.dat | 20 + testing/tests/ipv6-stroke/rw-psk-ikev1/test.conf | 25 + .../tests/ipv6-stroke/rw-psk-ikev2/description.txt | 7 + .../tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat | 15 + .../rw-psk-ikev2/hosts/carol/etc/ipsec.conf | 18 + .../rw-psk-ikev2/hosts/carol/etc/ipsec.secrets | 3 + .../rw-psk-ikev2/hosts/carol/etc/strongswan.conf | 5 + .../rw-psk-ikev2/hosts/dave/etc/ipsec.conf | 19 + .../rw-psk-ikev2/hosts/dave/etc/ipsec.secrets | 3 + .../rw-psk-ikev2/hosts/dave/etc/strongswan.conf | 5 + .../rw-psk-ikev2/hosts/moon/etc/ipsec.conf | 18 + .../rw-psk-ikev2/hosts/moon/etc/ipsec.secrets | 5 + .../rw-psk-ikev2/hosts/moon/etc/strongswan.conf | 5 + .../tests/ipv6-stroke/rw-psk-ikev2/posttest.dat | 12 + testing/tests/ipv6-stroke/rw-psk-ikev2/pretest.dat | 20 + testing/tests/ipv6-stroke/rw-psk-ikev2/test.conf | 25 + .../ipv6-stroke/transport-ikev1/description.txt | 5 + .../tests/ipv6-stroke/transport-ikev1/evaltest.dat | 9 + .../transport-ikev1/hosts/moon/etc/ipsec.conf | 27 + .../transport-ikev1/hosts/moon/etc/strongswan.conf | 5 + .../transport-ikev1/hosts/sun/etc/ipsec.conf | 27 + .../transport-ikev1/hosts/sun/etc/strongswan.conf | 5 + .../tests/ipv6-stroke/transport-ikev1/posttest.dat | 6 + 
.../tests/ipv6-stroke/transport-ikev1/pretest.dat | 9 + .../tests/ipv6-stroke/transport-ikev1/test.conf | 25 + .../ipv6-stroke/transport-ikev2/description.txt | 5 + .../tests/ipv6-stroke/transport-ikev2/evaltest.dat | 10 + .../transport-ikev2/hosts/moon/etc/ipsec.conf | 27 + .../transport-ikev2/hosts/moon/etc/strongswan.conf | 5 + .../transport-ikev2/hosts/sun/etc/ipsec.conf | 27 + .../transport-ikev2/hosts/sun/etc/strongswan.conf | 5 + .../tests/ipv6-stroke/transport-ikev2/posttest.dat | 6 + .../tests/ipv6-stroke/transport-ikev2/pretest.dat | 9 + .../tests/ipv6-stroke/transport-ikev2/test.conf | 25 + testing/tests/ipv6/host2host-ikev1/description.txt | 11 +- testing/tests/ipv6/host2host-ikev1/evaltest.dat | 6 +- .../ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf | 32 - .../host2host-ikev1/hosts/moon/etc/strongswan.conf | 9 +- .../hosts/moon/etc/swanctl/swanctl.conf | 32 + .../ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf | 31 - .../host2host-ikev1/hosts/sun/etc/strongswan.conf | 9 +- .../hosts/sun/etc/swanctl/swanctl.conf | 32 + testing/tests/ipv6/host2host-ikev1/posttest.dat | 4 +- testing/tests/ipv6/host2host-ikev1/pretest.dat | 9 +- testing/tests/ipv6/host2host-ikev1/test.conf | 4 + testing/tests/ipv6/host2host-ikev2/description.txt | 11 +- testing/tests/ipv6/host2host-ikev2/evaltest.dat | 8 +- .../ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf | 31 - .../host2host-ikev2/hosts/moon/etc/strongswan.conf | 9 +- .../hosts/moon/etc/swanctl/swanctl.conf | 33 + .../ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf | 30 - .../host2host-ikev2/hosts/sun/etc/strongswan.conf | 9 +- .../hosts/sun/etc/swanctl/swanctl.conf | 33 + testing/tests/ipv6/host2host-ikev2/posttest.dat | 4 +- testing/tests/ipv6/host2host-ikev2/pretest.dat | 6 +- testing/tests/ipv6/host2host-ikev2/test.conf | 6 +- testing/tests/ipv6/net2net-ikev1/description.txt | 13 +- testing/tests/ipv6/net2net-ikev1/evaltest.dat | 6 +- .../ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf | 31 - 
.../net2net-ikev1/hosts/moon/etc/strongswan.conf | 7 +- .../hosts/moon/etc/swanctl/swanctl.conf | 35 + .../ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf | 31 - .../net2net-ikev1/hosts/sun/etc/strongswan.conf | 7 +- .../hosts/sun/etc/swanctl/swanctl.conf | 35 + testing/tests/ipv6/net2net-ikev1/posttest.dat | 4 +- testing/tests/ipv6/net2net-ikev1/pretest.dat | 7 +- testing/tests/ipv6/net2net-ikev1/test.conf | 6 +- testing/tests/ipv6/net2net-ikev2/description.txt | 13 +- testing/tests/ipv6/net2net-ikev2/evaltest.dat | 6 +- .../ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf | 32 - .../net2net-ikev2/hosts/moon/etc/strongswan.conf | 7 +- .../hosts/moon/etc/swanctl/swanctl.conf | 36 + .../ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf | 32 - .../net2net-ikev2/hosts/sun/etc/strongswan.conf | 7 +- .../hosts/sun/etc/swanctl/swanctl.conf | 36 + testing/tests/ipv6/net2net-ikev2/posttest.dat | 4 +- testing/tests/ipv6/net2net-ikev2/pretest.dat | 6 +- testing/tests/ipv6/net2net-ikev2/test.conf | 6 +- .../ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat | 6 +- .../hosts/moon/etc/ipsec.conf | 31 - .../hosts/moon/etc/strongswan.conf | 9 +- .../hosts/moon/etc/swanctl/swanctl.conf | 35 + .../hosts/sun/etc/ipsec.conf | 31 - .../hosts/sun/etc/strongswan.conf | 9 +- .../hosts/sun/etc/swanctl/swanctl.conf | 35 + .../ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat | 4 +- .../ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat | 7 +- .../tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf | 6 +- .../ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat | 7 +- .../hosts/moon/etc/ipsec.conf | 31 - .../hosts/moon/etc/strongswan.conf | 10 +- .../hosts/moon/etc/swanctl/swanctl.conf | 36 + .../hosts/sun/etc/ipsec.conf | 31 - .../hosts/sun/etc/strongswan.conf | 10 +- .../hosts/sun/etc/swanctl/swanctl.conf | 36 + .../ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat | 4 +- .../ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat | 6 +- .../tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf | 6 +- .../ipv6/net2net-ip6-in-ip4-ikev1/description.txt | 14 +- 
.../ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat | 6 +- .../hosts/moon/etc/ipsec.conf | 21 - .../hosts/moon/etc/strongswan.conf | 9 +- .../hosts/moon/etc/swanctl/swanctl.conf | 28 + .../hosts/sun/etc/ipsec.conf | 21 - .../hosts/sun/etc/strongswan.conf | 11 +- .../hosts/sun/etc/swanctl/swanctl.conf | 28 + .../ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat | 4 +- .../ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat | 7 +- .../tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf | 6 +- .../ipv6/net2net-ip6-in-ip4-ikev2/description.txt | 14 +- .../ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat | 7 +- .../hosts/moon/etc/ipsec.conf | 22 - .../hosts/moon/etc/strongswan.conf | 9 +- .../hosts/moon/etc/swanctl/swanctl.conf | 29 + .../hosts/sun/etc/ipsec.conf | 22 - .../hosts/sun/etc/strongswan.conf | 11 +- .../hosts/sun/etc/swanctl/swanctl.conf | 29 + .../ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat | 4 +- .../ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat | 6 +- .../tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf | 6 +- .../ipv6/net2net-rfc3779-ikev2/description.txt | 23 +- .../tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat | 6 +- .../hosts/moon/etc/ipsec.conf | 31 - .../moon/etc/ipsec.d/cacerts/strongswanCert.pem | 26 - .../hosts/moon/etc/ipsec.d/certs/moonCert.pem | 28 - .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 27 - .../hosts/moon/etc/strongswan.conf | 9 +- .../hosts/moon/etc/swanctl/rsa/moonKey.pem | 27 + .../hosts/moon/etc/swanctl/swanctl.conf | 36 + .../hosts/moon/etc/swanctl/x509/moonCert.pem | 28 + .../moon/etc/swanctl/x509ca/strongswanCert.pem | 26 + .../net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf | 31 - .../sun/etc/ipsec.d/cacerts/strongswanCert.pem | 26 - .../hosts/sun/etc/ipsec.d/certs/sunCert.pem | 28 - .../hosts/sun/etc/ipsec.d/private/sunKey.pem | 27 - .../hosts/sun/etc/strongswan.conf | 9 +- .../hosts/sun/etc/swanctl/rsa/sunKey.pem | 27 + .../hosts/sun/etc/swanctl/swanctl.conf | 36 + .../hosts/sun/etc/swanctl/x509/sunCert.pem | 28 + .../sun/etc/swanctl/x509ca/strongswanCert.pem | 
26 + .../tests/ipv6/net2net-rfc3779-ikev2/posttest.dat | 4 +- .../tests/ipv6/net2net-rfc3779-ikev2/pretest.dat | 6 +- testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf | 6 +- testing/tests/ipv6/rw-compress-ikev2/evaltest.dat | 8 +- .../rw-compress-ikev2/hosts/carol/etc/ipsec.conf | 25 - .../hosts/carol/etc/strongswan.conf | 8 +- .../hosts/carol/etc/swanctl/swanctl.conf | 35 + .../rw-compress-ikev2/hosts/moon/etc/ipsec.conf | 24 - .../hosts/moon/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 33 + testing/tests/ipv6/rw-compress-ikev2/posttest.dat | 4 +- testing/tests/ipv6/rw-compress-ikev2/pretest.dat | 6 +- testing/tests/ipv6/rw-compress-ikev2/test.conf | 4 + testing/tests/ipv6/rw-ikev1/description.txt | 4 +- testing/tests/ipv6/rw-ikev1/evaltest.dat | 12 +- .../tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf | 27 - .../ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf | 8 +- .../rw-ikev1/hosts/carol/etc/swanctl/swanctl.conf | 34 + .../tests/ipv6/rw-ikev1/hosts/dave/etc/ipsec.conf | 27 - .../ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf | 8 +- .../rw-ikev1/hosts/dave/etc/swanctl/swanctl.conf | 34 + .../tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf | 26 - .../ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf | 8 +- .../rw-ikev1/hosts/moon/etc/swanctl/swanctl.conf | 32 + testing/tests/ipv6/rw-ikev1/posttest.dat | 6 +- testing/tests/ipv6/rw-ikev1/pretest.dat | 10 +- testing/tests/ipv6/rw-ikev1/test.conf | 4 + testing/tests/ipv6/rw-ikev2/description.txt | 4 +- testing/tests/ipv6/rw-ikev2/evaltest.dat | 12 +- .../tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf | 26 - .../ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf | 9 +- .../rw-ikev2/hosts/carol/etc/swanctl/swanctl.conf | 34 + .../tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf | 26 - .../ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf | 9 +- .../rw-ikev2/hosts/dave/etc/swanctl/swanctl.conf | 34 + .../tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf | 25 - .../ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf | 9 +- 
.../rw-ikev2/hosts/moon/etc/swanctl/swanctl.conf | 32 + testing/tests/ipv6/rw-ikev2/posttest.dat | 6 +- testing/tests/ipv6/rw-ikev2/pretest.dat | 10 +- testing/tests/ipv6/rw-ikev2/test.conf | 4 + .../tests/ipv6/rw-ip6-in-ip4-ikev1/description.txt | 18 +- .../tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat | 12 +- .../rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf | 21 - .../hosts/carol/etc/strongswan.conf | 9 +- .../hosts/carol/etc/swanctl/swanctl.conf | 28 + .../rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf | 21 - .../hosts/dave/etc/strongswan.conf | 9 +- .../hosts/dave/etc/swanctl/swanctl.conf | 28 + .../rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf | 20 - .../hosts/moon/etc/strongswan.conf | 9 +- .../hosts/moon/etc/swanctl/swanctl.conf | 32 + .../tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat | 6 +- testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat | 10 +- testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf | 4 + .../tests/ipv6/rw-ip6-in-ip4-ikev2/description.txt | 18 +- .../tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat | 12 +- .../rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf | 21 - .../hosts/carol/etc/strongswan.conf | 9 +- .../hosts/carol/etc/swanctl/swanctl.conf | 28 + .../rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf | 21 - .../hosts/dave/etc/strongswan.conf | 9 +- .../hosts/dave/etc/swanctl/swanctl.conf | 28 + .../rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf | 20 - .../hosts/moon/etc/strongswan.conf | 9 +- .../hosts/moon/etc/swanctl/swanctl.conf | 32 + .../tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat | 6 +- testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat | 10 +- testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf | 4 + testing/tests/ipv6/rw-psk-ikev1/description.txt | 10 +- testing/tests/ipv6/rw-psk-ikev1/evaltest.dat | 13 +- .../ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf | 18 - .../rw-psk-ikev1/hosts/carol/etc/ipsec.secrets | 3 - .../rw-psk-ikev1/hosts/carol/etc/strongswan.conf | 8 +- .../hosts/carol/etc/swanctl/swanctl.conf | 34 + 
.../ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.conf | 19 - .../ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets | 3 - .../rw-psk-ikev1/hosts/dave/etc/strongswan.conf | 8 +- .../hosts/dave/etc/swanctl/swanctl.conf | 34 + .../ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf | 18 - .../ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets | 5 - .../rw-psk-ikev1/hosts/moon/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 37 + testing/tests/ipv6/rw-psk-ikev1/posttest.dat | 6 +- testing/tests/ipv6/rw-psk-ikev1/pretest.dat | 16 +- testing/tests/ipv6/rw-psk-ikev1/test.conf | 4 + testing/tests/ipv6/rw-psk-ikev2/description.txt | 10 +- testing/tests/ipv6/rw-psk-ikev2/evaltest.dat | 12 +- .../ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.conf | 18 - .../rw-psk-ikev2/hosts/carol/etc/ipsec.secrets | 3 - .../rw-psk-ikev2/hosts/carol/etc/strongswan.conf | 8 +- .../hosts/carol/etc/swanctl/swanctl.conf | 34 + .../ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.conf | 19 - .../ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.secrets | 3 - .../rw-psk-ikev2/hosts/dave/etc/strongswan.conf | 8 +- .../hosts/dave/etc/swanctl/swanctl.conf | 34 + .../ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.conf | 18 - .../ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.secrets | 5 - .../rw-psk-ikev2/hosts/moon/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 37 + testing/tests/ipv6/rw-psk-ikev2/posttest.dat | 6 +- testing/tests/ipv6/rw-psk-ikev2/pretest.dat | 16 +- testing/tests/ipv6/rw-psk-ikev2/test.conf | 4 + testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat | 13 +- .../rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf | 26 - .../carol/etc/ipsec.d/cacerts/strongswanCert.pem | 26 - .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 27 - .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 27 - .../hosts/carol/etc/strongswan.conf | 9 +- .../hosts/carol/etc/swanctl/rsa/carolKey.pem | 27 + .../hosts/carol/etc/swanctl/swanctl.conf | 34 + .../hosts/carol/etc/swanctl/x509/carolCert.pem | 27 + 
.../carol/etc/swanctl/x509ca/strongswanCert.pem | 26 + .../rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf | 26 - .../dave/etc/ipsec.d/cacerts/strongswanCert.pem | 26 - .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 27 - .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 27 - .../hosts/dave/etc/strongswan.conf | 9 +- .../hosts/dave/etc/swanctl/rsa/daveKey.pem | 27 + .../hosts/dave/etc/swanctl/swanctl.conf | 34 + .../hosts/dave/etc/swanctl/x509/daveCert.pem | 27 + .../dave/etc/swanctl/x509ca/strongswanCert.pem | 26 + .../rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf | 25 - .../moon/etc/ipsec.d/cacerts/strongswanCert.pem | 26 - .../hosts/moon/etc/ipsec.d/certs/moonCert.pem | 28 - .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 27 - .../hosts/moon/etc/strongswan.conf | 9 +- .../hosts/moon/etc/swanctl/rsa/moonKey.pem | 27 + .../hosts/moon/etc/swanctl/swanctl.conf | 32 + .../hosts/moon/etc/swanctl/x509/moonCert.pem | 28 + .../moon/etc/swanctl/x509ca/strongswanCert.pem | 26 + testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat | 6 +- testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat | 10 +- testing/tests/ipv6/rw-rfc3779-ikev2/test.conf | 4 + testing/tests/ipv6/transport-ikev1/description.txt | 11 +- testing/tests/ipv6/transport-ikev1/evaltest.dat | 6 +- .../ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf | 27 - .../transport-ikev1/hosts/moon/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 33 + .../ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf | 27 - .../transport-ikev1/hosts/sun/etc/strongswan.conf | 8 +- .../hosts/sun/etc/swanctl/swanctl.conf | 33 + testing/tests/ipv6/transport-ikev1/posttest.dat | 4 +- testing/tests/ipv6/transport-ikev1/pretest.dat | 6 +- testing/tests/ipv6/transport-ikev1/test.conf | 6 +- testing/tests/ipv6/transport-ikev2/description.txt | 11 +- testing/tests/ipv6/transport-ikev2/evaltest.dat | 7 +- .../ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf | 27 - .../transport-ikev2/hosts/moon/etc/strongswan.conf | 9 +- 
.../hosts/moon/etc/swanctl/swanctl.conf | 34 + .../ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf | 27 - .../transport-ikev2/hosts/sun/etc/strongswan.conf | 9 +- .../hosts/sun/etc/swanctl/swanctl.conf | 34 + testing/tests/ipv6/transport-ikev2/posttest.dat | 4 +- testing/tests/ipv6/transport-ikev2/pretest.dat | 6 +- testing/tests/ipv6/transport-ikev2/test.conf | 6 +- testing/tests/libipsec/host2host-cert/evaltest.dat | 6 +- .../host2host-cert/hosts/moon/etc/ipsec.conf | 19 - .../host2host-cert/hosts/moon/etc/strongswan.conf | 9 +- .../hosts/moon/etc/swanctl/swanctl.conf | 26 + .../host2host-cert/hosts/sun/etc/ipsec.conf | 19 - .../host2host-cert/hosts/sun/etc/strongswan.conf | 9 +- .../hosts/sun/etc/swanctl/swanctl.conf | 26 + testing/tests/libipsec/host2host-cert/posttest.dat | 5 +- testing/tests/libipsec/host2host-cert/pretest.dat | 6 +- testing/tests/libipsec/host2host-cert/test.conf | 4 + testing/tests/libipsec/net2net-3des/evaltest.dat | 10 +- .../net2net-3des/hosts/moon/etc/ipsec.conf | 24 - .../net2net-3des/hosts/moon/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 29 + .../libipsec/net2net-3des/hosts/sun/etc/ipsec.conf | 24 - .../net2net-3des/hosts/sun/etc/strongswan.conf | 8 +- .../hosts/sun/etc/swanctl/swanctl.conf | 29 + testing/tests/libipsec/net2net-3des/posttest.dat | 5 +- testing/tests/libipsec/net2net-3des/pretest.dat | 10 +- testing/tests/libipsec/net2net-3des/test.conf | 4 + .../libipsec/net2net-cert-ipv6/description.txt | 14 + .../tests/libipsec/net2net-cert-ipv6/evaltest.dat | 5 + .../hosts/moon/etc/strongswan.conf | 10 + .../hosts/moon/etc/swanctl/swanctl.conf | 29 + .../net2net-cert-ipv6/hosts/moon/etc/updown | 597 +++ .../hosts/sun/etc/strongswan.conf | 10 + .../hosts/sun/etc/swanctl/swanctl.conf | 29 + .../net2net-cert-ipv6/hosts/sun/etc/updown | 597 +++ .../tests/libipsec/net2net-cert-ipv6/posttest.dat | 9 + .../tests/libipsec/net2net-cert-ipv6/pretest.dat | 11 + testing/tests/libipsec/net2net-cert-ipv6/test.conf | 25 + 
testing/tests/libipsec/net2net-cert/evaltest.dat | 6 +- .../net2net-cert/hosts/moon/etc/ipsec.conf | 22 - .../net2net-cert/hosts/moon/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 29 + .../libipsec/net2net-cert/hosts/sun/etc/ipsec.conf | 22 - .../net2net-cert/hosts/sun/etc/strongswan.conf | 8 +- .../hosts/sun/etc/swanctl/swanctl.conf | 29 + testing/tests/libipsec/net2net-cert/posttest.dat | 5 +- testing/tests/libipsec/net2net-cert/pretest.dat | 10 +- testing/tests/libipsec/net2net-cert/test.conf | 4 + testing/tests/libipsec/net2net-null/evaltest.dat | 10 +- .../net2net-null/hosts/moon/etc/ipsec.conf | 24 - .../net2net-null/hosts/moon/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 29 + .../libipsec/net2net-null/hosts/sun/etc/ipsec.conf | 24 - .../net2net-null/hosts/sun/etc/strongswan.conf | 8 +- .../hosts/sun/etc/swanctl/swanctl.conf | 29 + testing/tests/libipsec/net2net-null/posttest.dat | 5 +- testing/tests/libipsec/net2net-null/pretest.dat | 10 +- testing/tests/libipsec/net2net-null/test.conf | 4 + testing/tests/libipsec/rw-suite-b/description.txt | 10 - testing/tests/libipsec/rw-suite-b/evaltest.dat | 19 - .../libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf | 23 - .../carol/etc/ipsec.d/cacerts/strongswanCert.pem | 17 - .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 15 - .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 5 - .../rw-suite-b/hosts/carol/etc/ipsec.secrets | 3 - .../rw-suite-b/hosts/carol/etc/strongswan.conf | 13 - .../libipsec/rw-suite-b/hosts/carol/etc/updown | 638 --- .../libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf | 23 - .../dave/etc/ipsec.d/cacerts/strongswanCert.pem | 17 - .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 15 - .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 5 - .../rw-suite-b/hosts/dave/etc/ipsec.secrets | 3 - .../rw-suite-b/hosts/dave/etc/iptables.flush | 21 - .../rw-suite-b/hosts/dave/etc/iptables.rules | 32 - .../rw-suite-b/hosts/dave/etc/strongswan.conf | 13 - 
.../libipsec/rw-suite-b/hosts/dave/etc/updown | 638 --- .../libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf | 23 - .../moon/etc/ipsec.d/cacerts/strongswanCert.pem | 17 - .../hosts/moon/etc/ipsec.d/certs/moonCert.pem | 15 - .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 5 - .../rw-suite-b/hosts/moon/etc/ipsec.secrets | 3 - .../rw-suite-b/hosts/moon/etc/strongswan.conf | 11 - .../libipsec/rw-suite-b/hosts/moon/etc/updown | 638 --- testing/tests/libipsec/rw-suite-b/posttest.dat | 6 - testing/tests/libipsec/rw-suite-b/pretest.dat | 11 - testing/tests/libipsec/rw-suite-b/test.conf | 21 - .../rw-eap-tls-only/hosts/carol/etc/ipsec.conf | 3 - .../hosts/carol/etc/strongswan.conf | 5 + .../rw-eap-tls-only/hosts/moon/etc/ipsec.conf | 3 - .../rw-eap-tls-only/hosts/moon/etc/strongswan.conf | 5 + .../pfkey/net2net-rekey/hosts/moon/etc/ipsec.conf | 3 - .../net2net-rekey/hosts/moon/etc/strongswan.conf | 5 + testing/tests/sql/ip-pool-db-expired/evaltest.dat | 4 +- testing/tests/sql/ip-pool-db-expired/posttest.dat | 6 +- testing/tests/sql/ip-pool-db-expired/pretest.dat | 9 +- testing/tests/sql/ip-pool-db-restart/posttest.dat | 6 +- testing/tests/sql/ip-pool-db-restart/pretest.dat | 9 +- testing/tests/sql/ip-pool-db/posttest.dat | 6 +- testing/tests/sql/ip-pool-db/pretest.dat | 9 +- .../sql/ip-split-pools-db-restart/posttest.dat | 6 +- .../sql/ip-split-pools-db-restart/pretest.dat | 9 +- testing/tests/sql/ip-split-pools-db/posttest.dat | 6 +- testing/tests/sql/ip-split-pools-db/pretest.dat | 9 +- testing/tests/sql/multi-level-ca/posttest.dat | 6 +- testing/tests/sql/multi-level-ca/pretest.dat | 9 +- testing/tests/sql/net2net-cert/posttest.dat | 4 +- testing/tests/sql/net2net-cert/pretest.dat | 8 +- testing/tests/sql/net2net-psk/posttest.dat | 4 +- testing/tests/sql/net2net-psk/pretest.dat | 8 +- testing/tests/sql/net2net-route-pem/posttest.dat | 4 +- testing/tests/sql/net2net-route-pem/pretest.dat | 6 +- testing/tests/sql/net2net-start-pem/posttest.dat | 4 +- 
testing/tests/sql/net2net-start-pem/pretest.dat | 8 +- testing/tests/sql/rw-cert/posttest.dat | 6 +- testing/tests/sql/rw-cert/pretest.dat | 9 +- testing/tests/sql/rw-eap-aka-rsa/posttest.dat | 4 +- testing/tests/sql/rw-eap-aka-rsa/pretest.dat | 6 +- testing/tests/sql/rw-psk-ipv4/posttest.dat | 6 +- testing/tests/sql/rw-psk-ipv4/pretest.dat | 9 +- testing/tests/sql/rw-psk-ipv6/posttest.dat | 6 +- testing/tests/sql/rw-psk-ipv6/pretest.dat | 9 +- testing/tests/sql/rw-psk-rsa-split/posttest.dat | 6 +- testing/tests/sql/rw-psk-rsa-split/pretest.dat | 9 +- testing/tests/sql/rw-rsa-keyid/posttest.dat | 6 +- testing/tests/sql/rw-rsa-keyid/pretest.dat | 9 +- testing/tests/sql/rw-rsa/posttest.dat | 6 +- testing/tests/sql/rw-rsa/pretest.dat | 9 +- .../tests/sql/shunt-policies-nat-rw/posttest.dat | 6 +- .../tests/sql/shunt-policies-nat-rw/pretest.dat | 9 +- .../config-payload/hosts/carol/etc/strongswan.conf | 9 +- .../config-payload/hosts/dave/etc/strongswan.conf | 9 +- .../config-payload/hosts/moon/etc/strongswan.conf | 10 +- testing/tests/swanctl/config-payload/posttest.dat | 6 +- testing/tests/swanctl/config-payload/pretest.dat | 6 +- .../crl-to-cache/hosts/carol/etc/strongswan.conf | 9 +- .../crl-to-cache/hosts/moon/etc/strongswan.conf | 9 +- testing/tests/swanctl/crl-to-cache/posttest.dat | 4 +- testing/tests/swanctl/crl-to-cache/pretest.dat | 4 +- .../dhcp-dynamic/hosts/carol/etc/strongswan.conf | 9 +- .../dhcp-dynamic/hosts/dave/etc/strongswan.conf | 9 +- .../dhcp-dynamic/hosts/moon/etc/strongswan.conf | 7 +- testing/tests/swanctl/dhcp-dynamic/posttest.dat | 6 +- testing/tests/swanctl/dhcp-dynamic/pretest.dat | 6 +- .../frags-ipv4/hosts/carol/etc/strongswan.conf | 9 +- .../frags-ipv4/hosts/dave/etc/strongswan.conf | 9 +- .../frags-ipv4/hosts/moon/etc/strongswan.conf | 9 +- testing/tests/swanctl/frags-ipv4/posttest.dat | 6 +- testing/tests/swanctl/frags-ipv4/pretest.dat | 6 +- .../frags-ipv6/hosts/carol/etc/strongswan.conf | 10 +- 
.../frags-ipv6/hosts/dave/etc/strongswan.conf | 10 +- .../frags-ipv6/hosts/moon/etc/strongswan.conf | 10 +- testing/tests/swanctl/frags-ipv6/posttest.dat | 6 +- testing/tests/swanctl/frags-ipv6/pretest.dat | 6 +- .../ip-pool-db/hosts/carol/etc/strongswan.conf | 11 +- .../ip-pool-db/hosts/dave/etc/strongswan.conf | 9 +- .../ip-pool-db/hosts/moon/etc/strongswan.conf | 12 +- testing/tests/swanctl/ip-pool-db/posttest.dat | 6 +- testing/tests/swanctl/ip-pool-db/pretest.dat | 6 +- .../ip-pool/hosts/carol/etc/strongswan.conf | 11 +- .../swanctl/ip-pool/hosts/dave/etc/strongswan.conf | 11 +- .../swanctl/ip-pool/hosts/moon/etc/strongswan.conf | 12 +- testing/tests/swanctl/ip-pool/posttest.dat | 6 +- testing/tests/swanctl/ip-pool/pretest.dat | 6 +- .../manual-prio/hosts/carol/etc/strongswan.conf | 11 +- .../manual-prio/hosts/dave/etc/strongswan.conf | 11 +- .../manual-prio/hosts/moon/etc/strongswan.conf | 11 +- testing/tests/swanctl/manual-prio/posttest.dat | 6 +- testing/tests/swanctl/manual-prio/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 7 +- .../hosts/dave/etc/strongswan.conf | 7 +- .../hosts/moon/etc/strongswan.conf | 7 +- .../swanctl/mult-auth-rsa-eap-sim-id/posttest.dat | 6 +- .../swanctl/mult-auth-rsa-eap-sim-id/pretest.dat | 6 +- .../multi-level-ca/hosts/carol/etc/strongswan.conf | 9 +- .../multi-level-ca/hosts/dave/etc/strongswan.conf | 9 +- .../multi-level-ca/hosts/moon/etc/strongswan.conf | 10 +- testing/tests/swanctl/multi-level-ca/posttest.dat | 12 +- testing/tests/swanctl/multi-level-ca/pretest.dat | 6 +- .../net2net-cert/hosts/moon/etc/strongswan.conf | 11 +- .../net2net-cert/hosts/sun/etc/strongswan.conf | 11 +- testing/tests/swanctl/net2net-cert/posttest.dat | 4 +- testing/tests/swanctl/net2net-cert/pretest.dat | 4 +- .../net2net-ed25519/hosts/moon/etc/strongswan.conf | 19 +- .../net2net-ed25519/hosts/sun/etc/strongswan.conf | 19 +- testing/tests/swanctl/net2net-ed25519/posttest.dat | 4 +- testing/tests/swanctl/net2net-ed25519/pretest.dat | 4 
+- .../net2net-gw/hosts/carol/etc/strongswan.conf | 7 +- .../net2net-gw/hosts/moon/etc/strongswan.conf | 7 +- .../net2net-gw/hosts/sun/etc/strongswan.conf | 7 +- testing/tests/swanctl/net2net-gw/posttest.dat | 6 +- testing/tests/swanctl/net2net-gw/pretest.dat | 6 +- .../hosts/moon/etc/strongswan.conf | 8 +- .../hosts/sun/etc/strongswan.conf | 8 +- .../tests/swanctl/net2net-multicast/posttest.dat | 4 +- .../tests/swanctl/net2net-multicast/pretest.dat | 4 +- .../net2net-pubkey/hosts/moon/etc/strongswan.conf | 7 +- .../net2net-pubkey/hosts/sun/etc/strongswan.conf | 7 +- testing/tests/swanctl/net2net-pubkey/posttest.dat | 4 +- testing/tests/swanctl/net2net-pubkey/pretest.dat | 4 +- .../net2net-route/hosts/moon/etc/strongswan.conf | 11 +- .../net2net-route/hosts/sun/etc/strongswan.conf | 11 +- testing/tests/swanctl/net2net-route/posttest.dat | 4 +- testing/tests/swanctl/net2net-route/pretest.dat | 4 +- .../hosts/moon/etc/strongswan.conf | 11 +- .../hosts/sun/etc/strongswan.conf | 11 +- .../swanctl/net2net-sha3-rsa-cert/posttest.dat | 4 +- .../swanctl/net2net-sha3-rsa-cert/pretest.dat | 4 +- .../net2net-start/hosts/moon/etc/strongswan.conf | 9 +- .../net2net-start/hosts/sun/etc/strongswan.conf | 9 +- testing/tests/swanctl/net2net-start/posttest.dat | 4 +- testing/tests/swanctl/net2net-start/pretest.dat | 4 +- .../ocsp-disabled/hosts/carol/etc/strongswan.conf | 9 +- .../ocsp-disabled/hosts/moon/etc/strongswan.conf | 6 +- testing/tests/swanctl/ocsp-disabled/posttest.dat | 4 +- testing/tests/swanctl/ocsp-disabled/pretest.dat | 4 +- .../hosts/carol/etc/strongswan.conf | 10 +- .../hosts/dave/etc/strongswan.conf | 10 +- .../hosts/moon/etc/strongswan.conf | 10 +- .../tests/swanctl/ocsp-multi-level/posttest.dat | 12 +- testing/tests/swanctl/ocsp-multi-level/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 8 +- .../hosts/moon/etc/strongswan.conf | 7 +- .../tests/swanctl/ocsp-signer-cert/posttest.dat | 4 +- testing/tests/swanctl/ocsp-signer-cert/pretest.dat | 4 +- 
.../protoport-dual/hosts/carol/etc/strongswan.conf | 7 +- .../protoport-dual/hosts/moon/etc/strongswan.conf | 7 +- testing/tests/swanctl/protoport-dual/posttest.dat | 4 +- testing/tests/swanctl/protoport-dual/pretest.dat | 4 +- .../hosts/carol/etc/strongswan.conf | 7 +- .../protoport-range/hosts/moon/etc/strongswan.conf | 7 +- testing/tests/swanctl/protoport-range/posttest.dat | 4 +- testing/tests/swanctl/protoport-range/pretest.dat | 4 +- testing/tests/swanctl/rw-cert-pss/description.txt | 8 + testing/tests/swanctl/rw-cert-pss/evaltest.dat | 14 + .../rw-cert-pss/hosts/carol/etc/strongswan.conf | 18 + .../hosts/carol/etc/swanctl/rsa/carolKey.pem | 30 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 + .../rw-cert-pss/hosts/dave/etc/strongswan.conf | 18 + .../hosts/dave/etc/swanctl/swanctl.conf | 27 + .../rw-cert-pss/hosts/moon/etc/strongswan.conf | 20 + .../hosts/moon/etc/swanctl/swanctl.conf | 25 + testing/tests/swanctl/rw-cert-pss/posttest.dat | 8 + testing/tests/swanctl/rw-cert-pss/pretest.dat | 11 + testing/tests/swanctl/rw-cert-pss/test.conf | 25 + .../rw-cert/hosts/carol/etc/strongswan.conf | 9 +- .../swanctl/rw-cert/hosts/dave/etc/strongswan.conf | 9 +- .../swanctl/rw-cert/hosts/moon/etc/strongswan.conf | 9 +- testing/tests/swanctl/rw-cert/posttest.dat | 6 +- testing/tests/swanctl/rw-cert/pretest.dat | 6 +- .../rw-dnssec/hosts/carol/etc/strongswan.conf | 7 +- .../rw-dnssec/hosts/dave/etc/strongswan.conf | 7 +- .../rw-dnssec/hosts/moon/etc/strongswan.conf | 7 +- testing/tests/swanctl/rw-dnssec/posttest.dat | 6 +- testing/tests/swanctl/rw-dnssec/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 8 +- .../hosts/moon/etc/strongswan.conf | 8 +- .../tests/swanctl/rw-eap-aka-sql-rsa/posttest.dat | 4 +- .../tests/swanctl/rw-eap-aka-sql-rsa/pretest.dat | 4 +- .../hosts/carol/etc/strongswan.conf | 9 +- .../hosts/moon/etc/strongswan.conf | 9 +- .../tests/swanctl/rw-eap-md5-id-rsa/posttest.dat | 4 +- .../tests/swanctl/rw-eap-md5-id-rsa/pretest.dat | 4 +- 
.../hosts/carol/etc/strongswan.conf | 11 +- .../hosts/dave/etc/strongswan.conf | 11 +- .../hosts/moon/etc/strongswan.conf | 11 +- .../tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat | 6 +- .../tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 10 +- .../rw-hash-and-url/hosts/dave/etc/strongswan.conf | 10 +- .../rw-hash-and-url/hosts/moon/etc/strongswan.conf | 10 +- testing/tests/swanctl/rw-hash-and-url/posttest.dat | 6 +- testing/tests/swanctl/rw-hash-and-url/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 18 +- .../hosts/dave/etc/strongswan.conf | 18 +- .../hosts/moon/etc/strongswan.conf | 18 +- .../swanctl/rw-multi-ciphers-ikev1/posttest.dat | 6 +- .../swanctl/rw-multi-ciphers-ikev1/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 11 +- .../hosts/dave/etc/strongswan.conf | 11 +- .../hosts/moon/etc/strongswan.conf | 10 +- .../tests/swanctl/rw-newhope-bliss/posttest.dat | 6 +- testing/tests/swanctl/rw-newhope-bliss/pretest.dat | 6 +- .../rw-ntru-bliss/hosts/carol/etc/strongswan.conf | 7 +- .../rw-ntru-bliss/hosts/dave/etc/strongswan.conf | 7 +- .../rw-ntru-bliss/hosts/moon/etc/strongswan.conf | 8 +- testing/tests/swanctl/rw-ntru-bliss/posttest.dat | 6 +- testing/tests/swanctl/rw-ntru-bliss/pretest.dat | 6 +- .../rw-psk-fqdn/hosts/carol/etc/strongswan.conf | 7 +- .../rw-psk-fqdn/hosts/dave/etc/strongswan.conf | 7 +- .../rw-psk-fqdn/hosts/moon/etc/strongswan.conf | 7 +- testing/tests/swanctl/rw-psk-fqdn/posttest.dat | 6 +- testing/tests/swanctl/rw-psk-fqdn/pretest.dat | 6 +- .../rw-psk-ikev1/hosts/carol/etc/strongswan.conf | 16 +- .../rw-psk-ikev1/hosts/dave/etc/strongswan.conf | 16 +- .../rw-psk-ikev1/hosts/moon/etc/strongswan.conf | 16 +- testing/tests/swanctl/rw-psk-ikev1/posttest.dat | 6 +- testing/tests/swanctl/rw-psk-ikev1/pretest.dat | 6 +- .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf | 7 +- .../rw-psk-ipv4/hosts/dave/etc/strongswan.conf | 7 +- .../rw-psk-ipv4/hosts/moon/etc/strongswan.conf | 7 +- 
testing/tests/swanctl/rw-psk-ipv4/posttest.dat | 6 +- testing/tests/swanctl/rw-psk-ipv4/pretest.dat | 6 +- .../rw-pubkey-anon/hosts/carol/etc/strongswan.conf | 11 +- .../rw-pubkey-anon/hosts/dave/etc/strongswan.conf | 11 +- .../rw-pubkey-anon/hosts/moon/etc/strongswan.conf | 11 +- testing/tests/swanctl/rw-pubkey-anon/posttest.dat | 6 +- testing/tests/swanctl/rw-pubkey-anon/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 11 +- .../rw-pubkey-keyid/hosts/dave/etc/strongswan.conf | 11 +- .../rw-pubkey-keyid/hosts/moon/etc/strongswan.conf | 11 +- testing/tests/swanctl/rw-pubkey-keyid/posttest.dat | 6 +- testing/tests/swanctl/rw-pubkey-keyid/pretest.dat | 6 +- .../hosts/alice/etc/strongswan.conf | 6 +- .../hosts/sun/etc/strongswan.conf | 8 +- .../hosts/venus/etc/strongswan.conf | 6 +- .../swanctl/shunt-policies-nat-rw/posttest.dat | 6 +- .../swanctl/shunt-policies-nat-rw/pretest.dat | 6 +- .../xauth-rsa/hosts/carol/etc/strongswan.conf | 7 +- .../xauth-rsa/hosts/dave/etc/strongswan.conf | 7 +- .../xauth-rsa/hosts/moon/etc/strongswan.conf | 7 +- testing/tests/swanctl/xauth-rsa/posttest.dat | 6 +- testing/tests/swanctl/xauth-rsa/pretest.dat | 6 +- .../tnccs-11-fhh/hosts/carol/etc/strongswan.conf | 9 +- .../tnccs-11-fhh/hosts/dave/etc/strongswan.conf | 9 +- .../tnccs-11-fhh/hosts/moon/etc/strongswan.conf | 9 +- testing/tests/tnc/tnccs-11-fhh/posttest.dat | 6 +- testing/tests/tnc/tnccs-11-fhh/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 9 +- .../hosts/dave/etc/strongswan.conf | 9 +- .../hosts/moon/etc/strongswan.conf | 10 +- .../tests/tnc/tnccs-11-radius-block/posttest.dat | 6 +- .../tests/tnc/tnccs-11-radius-block/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 9 +- .../hosts/dave/etc/strongswan.conf | 9 +- .../hosts/moon/etc/strongswan.conf | 10 +- testing/tests/tnc/tnccs-11-radius-pts/posttest.dat | 6 +- testing/tests/tnc/tnccs-11-radius-pts/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 9 +- 
.../tnccs-11-radius/hosts/dave/etc/strongswan.conf | 11 +- .../tnccs-11-radius/hosts/moon/etc/strongswan.conf | 10 +- testing/tests/tnc/tnccs-11-radius/posttest.dat | 6 +- testing/tests/tnc/tnccs-11-radius/pretest.dat | 6 +- .../tnc/tnccs-11/hosts/carol/etc/strongswan.conf | 9 +- .../tnc/tnccs-11/hosts/dave/etc/strongswan.conf | 9 +- .../tnc/tnccs-11/hosts/moon/etc/strongswan.conf | 9 +- testing/tests/tnc/tnccs-11/posttest.dat | 6 +- testing/tests/tnc/tnccs-11/pretest.dat | 6 +- .../tnccs-20-block/hosts/carol/etc/strongswan.conf | 9 +- .../tnccs-20-block/hosts/dave/etc/strongswan.conf | 9 +- .../tnccs-20-block/hosts/moon/etc/strongswan.conf | 9 +- testing/tests/tnc/tnccs-20-block/posttest.dat | 6 +- testing/tests/tnc/tnccs-20-block/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 13 +- .../hosts/dave/etc/strongswan.conf | 11 +- .../hosts/moon/etc/strongswan.conf | 11 +- .../tests/tnc/tnccs-20-client-retry/posttest.dat | 6 +- .../tests/tnc/tnccs-20-client-retry/pretest.dat | 6 +- testing/tests/tnc/tnccs-20-ev-pt-tls/evaltest.dat | 4 +- .../hosts/alice/etc/strongswan.conf | 13 +- testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat | 4 +- testing/tests/tnc/tnccs-20-ev-pt-tls/pretest.dat | 4 +- .../hosts/carol/etc/strongswan.conf | 9 +- .../hosts/dave/etc/strongswan.conf | 11 +- .../hosts/moon/etc/strongswan.conf | 9 +- testing/tests/tnc/tnccs-20-fail-init/posttest.dat | 6 +- testing/tests/tnc/tnccs-20-fail-init/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 9 +- .../hosts/moon/etc/strongswan.conf | 9 +- testing/tests/tnc/tnccs-20-fail-resp/posttest.dat | 4 +- testing/tests/tnc/tnccs-20-fail-resp/pretest.dat | 4 +- .../tnccs-20-fhh/hosts/carol/etc/strongswan.conf | 11 +- .../tnccs-20-fhh/hosts/dave/etc/strongswan.conf | 11 +- .../tnccs-20-fhh/hosts/moon/etc/strongswan.conf | 9 +- testing/tests/tnc/tnccs-20-fhh/posttest.dat | 6 +- testing/tests/tnc/tnccs-20-fhh/pretest.dat | 6 +- .../hosts/alice/etc/strongswan.conf | 12 +- 
.../hosts/carol/etc/strongswan.conf | 21 +- .../hosts/dave/etc/strongswan.conf | 25 +- .../hosts/moon/etc/strongswan.conf | 8 +- testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat | 8 +- testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat | 8 +- .../hosts/moon/etc/strongswan.conf | 15 +- .../hosts/sun/etc/strongswan.conf | 20 +- .../tnc/tnccs-20-mutual-eap-fail/posttest.dat | 4 +- .../tests/tnc/tnccs-20-mutual-eap-fail/pretest.dat | 4 +- .../hosts/moon/etc/strongswan.conf | 13 +- .../hosts/sun/etc/strongswan.conf | 20 +- testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat | 4 +- testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat | 4 +- .../hosts/sun/etc/strongswan.conf | 18 +- .../tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat | 2 +- .../tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat | 2 +- testing/tests/tnc/tnccs-20-nea-pt-tls/evaltest.dat | 4 +- .../hosts/alice/etc/strongswan.conf | 13 +- testing/tests/tnc/tnccs-20-nea-pt-tls/posttest.dat | 4 +- testing/tests/tnc/tnccs-20-nea-pt-tls/pretest.dat | 4 +- testing/tests/tnc/tnccs-20-os-pts/evaltest.dat | 12 +- .../hosts/carol/etc/strongswan.conf | 11 +- .../tnccs-20-os-pts/hosts/dave/etc/strongswan.conf | 11 +- .../tnccs-20-os-pts/hosts/moon/etc/strongswan.conf | 15 +- testing/tests/tnc/tnccs-20-os-pts/posttest.dat | 6 +- testing/tests/tnc/tnccs-20-os-pts/pretest.dat | 10 +- .../tnccs-20-os/hosts/carol/etc/strongswan.conf | 11 +- .../tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf | 11 +- .../tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf | 11 +- testing/tests/tnc/tnccs-20-os/posttest.dat | 6 +- testing/tests/tnc/tnccs-20-os/pretest.dat | 6 +- .../hosts/alice/etc/strongswan.conf | 12 +- .../hosts/carol/etc/strongswan.conf | 11 +- .../hosts/dave/etc/strongswan.conf | 11 +- .../hosts/moon/etc/strongswan.conf | 8 +- testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat | 10 +- testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat | 10 +- testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat | 4 +- .../hosts/alice/etc/strongswan.conf | 13 +- 
testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat | 4 +- testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat | 4 +- .../hosts/carol/etc/strongswan.conf | 9 +- .../hosts/dave/etc/strongswan.conf | 9 +- .../hosts/moon/etc/strongswan.conf | 11 +- testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat | 6 +- testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat | 6 +- .../tnccs-20-pts/hosts/carol/etc/strongswan.conf | 13 +- .../tnccs-20-pts/hosts/dave/etc/strongswan.conf | 9 +- .../tnccs-20-pts/hosts/moon/etc/strongswan.conf | 11 +- testing/tests/tnc/tnccs-20-pts/posttest.dat | 6 +- testing/tests/tnc/tnccs-20-pts/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 13 +- .../hosts/dave/etc/strongswan.conf | 13 +- .../hosts/moon/etc/strongswan.conf | 13 +- .../tests/tnc/tnccs-20-server-retry/posttest.dat | 6 +- .../tests/tnc/tnccs-20-server-retry/pretest.dat | 6 +- .../tnccs-20-tls/hosts/carol/etc/strongswan.conf | 11 +- .../tnccs-20-tls/hosts/dave/etc/strongswan.conf | 11 +- .../tnccs-20-tls/hosts/moon/etc/strongswan.conf | 11 +- testing/tests/tnc/tnccs-20-tls/posttest.dat | 6 +- testing/tests/tnc/tnccs-20-tls/pretest.dat | 6 +- .../tnc/tnccs-20/hosts/carol/etc/strongswan.conf | 9 +- .../tnc/tnccs-20/hosts/dave/etc/strongswan.conf | 9 +- .../tnc/tnccs-20/hosts/moon/etc/strongswan.conf | 9 +- testing/tests/tnc/tnccs-20/posttest.dat | 6 +- testing/tests/tnc/tnccs-20/pretest.dat | 6 +- .../tnccs-dynamic/hosts/carol/etc/strongswan.conf | 9 +- .../tnccs-dynamic/hosts/dave/etc/strongswan.conf | 9 +- .../tnccs-dynamic/hosts/moon/etc/strongswan.conf | 9 +- testing/tests/tnc/tnccs-dynamic/posttest.dat | 6 +- testing/tests/tnc/tnccs-dynamic/pretest.dat | 6 +- 1514 files changed, 28150 insertions(+), 11296 deletions(-) delete mode 100644 conf/options/pacman.conf delete mode 100644 conf/options/pacman.opt create mode 100644 conf/options/sec-updater.conf create mode 100644 conf/options/sec-updater.opt create mode 100644 fuzz/libFuzzerLocal.c create mode 100644 
src/libcharon/plugins/counters/Makefile.am create mode 100644 src/libcharon/plugins/counters/Makefile.in create mode 100644 src/libcharon/plugins/counters/counters_listener.c create mode 100644 src/libcharon/plugins/counters/counters_listener.h create mode 100644 src/libcharon/plugins/counters/counters_plugin.c create mode 100644 src/libcharon/plugins/counters/counters_plugin.h create mode 100644 src/libcharon/plugins/counters/counters_query.h delete mode 100644 src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-0.swidtag create mode 100644 src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-1.swidtag delete mode 100644 src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-0.swidtag create mode 100644 src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-1.swidtag delete mode 100644 src/libimcv/plugins/imv_os/pacman.c delete mode 100755 src/libimcv/plugins/imv_os/pacman.sh create mode 100644 src/libstrongswan/credentials/keys/signature_params.c create mode 100644 src/libstrongswan/credentials/keys/signature_params.h create mode 100644 src/libstrongswan/crypto/proposal/proposal_keywords_static.h.in create mode 100644 src/libstrongswan/networking/streams/stream_service_systemd.c create mode 100644 src/libstrongswan/networking/streams/stream_service_systemd.h create mode 100644 src/libstrongswan/tests/suites/test_signature_params.c create mode 100644 src/sec-updater/Makefile.am create mode 100644 src/sec-updater/Makefile.in create mode 100644 src/sec-updater/sec-updater.8.in create mode 100644 src/sec-updater/sec-updater.c create mode 100755 src/sec-updater/sec-updater.sh create mode 100644 src/starter/keywords.h.in create mode 100644 src/stroke/stroke_keywords.h.in create mode 100644 src/swanctl/commands/counters.c create mode 100644 testing/config/kernel/config-4.13 delete mode 100644 testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf create mode 100755 
testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ipv6-stroke/host2host-ikev1/description.txt create mode 100644 testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/host2host-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/host2host-ikev1/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/host2host-ikev1/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/host2host-ikev1/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/host2host-ikev1/posttest.dat create mode 100644 testing/tests/ipv6-stroke/host2host-ikev1/pretest.dat create mode 100644 testing/tests/ipv6-stroke/host2host-ikev1/test.conf create mode 100644 testing/tests/ipv6-stroke/host2host-ikev2/description.txt create mode 100644 testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/host2host-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/host2host-ikev2/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/host2host-ikev2/hosts/sun/etc/ipsec.conf create mode 100644 
testing/tests/ipv6-stroke/host2host-ikev2/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/host2host-ikev2/posttest.dat create mode 100644 testing/tests/ipv6-stroke/host2host-ikev2/pretest.dat create mode 100644 testing/tests/ipv6-stroke/host2host-ikev2/test.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ikev1/description.txt create mode 100644 testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ikev1/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ikev1/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ikev1/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ikev1/posttest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ikev1/pretest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ikev1/test.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ikev2/description.txt create mode 100644 testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ikev2/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ikev2/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ikev2/posttest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ikev2/pretest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ikev2/test.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/description.txt create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 
testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/posttest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/pretest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/test.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/description.txt create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/posttest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/pretest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/test.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/description.txt create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf create 
mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/posttest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/pretest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/test.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/description.txt create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/posttest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/pretest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/test.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev1/description.txt create mode 100644 testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/rw-ikev1/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev1/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev1/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev1/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev1/hosts/moon/etc/strongswan.conf create mode 100644 
testing/tests/ipv6-stroke/rw-ikev1/posttest.dat create mode 100644 testing/tests/ipv6-stroke/rw-ikev1/pretest.dat create mode 100644 testing/tests/ipv6-stroke/rw-ikev1/test.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev2/description.txt create mode 100644 testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/rw-ikev2/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev2/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev2/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev2/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev2/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev2/posttest.dat create mode 100644 testing/tests/ipv6-stroke/rw-ikev2/pretest.dat create mode 100644 testing/tests/ipv6-stroke/rw-ikev2/test.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/description.txt create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 
testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/posttest.dat create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/pretest.dat create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/test.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/description.txt create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/posttest.dat create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/pretest.dat create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/test.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/description.txt create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/strongswan.conf create mode 100644 
testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/posttest.dat create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/pretest.dat create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/test.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/description.txt create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/posttest.dat create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/pretest.dat create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/test.conf create mode 100644 testing/tests/ipv6-stroke/transport-ikev1/description.txt create mode 100644 testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat 
create mode 100644 testing/tests/ipv6-stroke/transport-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/transport-ikev1/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/transport-ikev1/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/transport-ikev1/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/transport-ikev1/posttest.dat create mode 100644 testing/tests/ipv6-stroke/transport-ikev1/pretest.dat create mode 100644 testing/tests/ipv6-stroke/transport-ikev1/test.conf create mode 100644 testing/tests/ipv6-stroke/transport-ikev2/description.txt create mode 100644 testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/transport-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/transport-ikev2/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/transport-ikev2/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/transport-ikev2/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/transport-ikev2/posttest.dat create mode 100644 testing/tests/ipv6-stroke/transport-ikev2/pretest.dat create mode 100644 testing/tests/ipv6-stroke/transport-ikev2/test.conf delete mode 100644 testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 
testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 
testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem delete mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/rsa/moonKey.pem create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/x509/moonCert.pem create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf delete mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem delete mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/rsa/sunKey.pem create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/x509/sunCert.pem create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 
testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-ikev1/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-ikev1/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-ikev1/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-ikev1/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-ikev2/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-ikev2/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-ikev2/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/swanctl/swanctl.conf delete 
mode 100644 testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets create mode 100755 testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets create mode 100755 testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets create mode 100755 testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.secrets create mode 100755 testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.secrets create mode 100755 testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.secrets create mode 100755 testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem delete mode 100644 
testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/rsa/carolKey.pem create mode 100755 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/x509/carolCert.pem create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem delete mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/rsa/daveKey.pem create mode 100755 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/x509/daveCert.pem create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem delete mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/rsa/moonKey.pem create mode 100755 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/x509/moonCert.pem create mode 100644 
testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6/transport-ikev1/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6/transport-ikev1/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6/transport-ikev2/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6/transport-ikev2/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/libipsec/host2host-cert/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/libipsec/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/libipsec/host2host-cert/hosts/sun/etc/ipsec.conf create mode 100755 testing/tests/libipsec/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/libipsec/net2net-3des/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/libipsec/net2net-3des/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/libipsec/net2net-3des/hosts/sun/etc/ipsec.conf create mode 100755 testing/tests/libipsec/net2net-3des/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 testing/tests/libipsec/net2net-cert-ipv6/description.txt create mode 100644 testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat create mode 100644 testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/updown create mode 100644 testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf create mode 100755 
testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf create mode 100755 testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/updown create mode 100644 testing/tests/libipsec/net2net-cert-ipv6/posttest.dat create mode 100644 testing/tests/libipsec/net2net-cert-ipv6/pretest.dat create mode 100644 testing/tests/libipsec/net2net-cert-ipv6/test.conf delete mode 100644 testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/libipsec/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/libipsec/net2net-cert/hosts/sun/etc/ipsec.conf create mode 100755 testing/tests/libipsec/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/libipsec/net2net-null/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf create mode 100755 testing/tests/libipsec/net2net-null/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/libipsec/rw-suite-b/description.txt delete mode 100644 testing/tests/libipsec/rw-suite-b/evaltest.dat delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf delete mode 100755 testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem 
delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf delete mode 100755 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf delete mode 100755 testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown delete mode 100644 testing/tests/libipsec/rw-suite-b/posttest.dat delete mode 100644 testing/tests/libipsec/rw-suite-b/pretest.dat delete mode 100644 testing/tests/libipsec/rw-suite-b/test.conf create mode 100755 testing/tests/swanctl/rw-cert-pss/description.txt create mode 100755 testing/tests/swanctl/rw-cert-pss/evaltest.dat create mode 100755 testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/rsa/carolKey.pem create mode 100755 testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/swanctl/swanctl.conf create mode 
100755 testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-cert-pss/posttest.dat create mode 100755 testing/tests/swanctl/rw-cert-pss/pretest.dat create mode 100755 testing/tests/swanctl/rw-cert-pss/test.conf diff --git a/Android.common.mk b/Android.common.mk index 1243e26f7..19d654e0c 100644 --- a/Android.common.mk +++ b/Android.common.mk @@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \ ) # strongSwan version, replaced by top Makefile -strongswan_VERSION := "5.6.0" +strongswan_VERSION := "5.6.1" diff --git a/Makefile.am b/Makefile.am index 47e9e8ce6..54b822050 100644 --- a/Makefile.am +++ b/Makefile.am @@ -59,7 +59,7 @@ cov-report: lcov -c -o $(top_builddir)/coverage/coverage.info -d $(top_builddir) \ --rc lcov_branch_coverage=1 lcov -r $(top_builddir)/coverage/coverage.info '*/tests/*' '*/suites/*' '/usr*' \ - -o $(top_builddir)/coverage/coverage.cleaned.info \ + -o $(abs_top_builddir)/coverage/coverage.cleaned.info \ --rc lcov_branch_coverage=1 genhtml --num-spaces 4 --legend --branch-coverage --ignore-errors source \ -t "$(PACKAGE_STRING)" \ diff --git a/Makefile.in b/Makefile.in index b08cb7bef..a3abb3483 100644 --- a/Makefile.in +++ b/Makefile.in @@ -276,9 +276,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ 
@@ -1039,7 +1041,7 @@ cov-reset-common: @COVERAGE_TRUE@ lcov -c -o $(top_builddir)/coverage/coverage.info -d $(top_builddir) \ @COVERAGE_TRUE@ --rc lcov_branch_coverage=1 @COVERAGE_TRUE@ lcov -r $(top_builddir)/coverage/coverage.info '*/tests/*' '*/suites/*' '/usr*' \ -@COVERAGE_TRUE@ -o $(top_builddir)/coverage/coverage.cleaned.info \ +@COVERAGE_TRUE@ -o $(abs_top_builddir)/coverage/coverage.cleaned.info \ @COVERAGE_TRUE@ --rc lcov_branch_coverage=1 @COVERAGE_TRUE@ genhtml --num-spaces 4 --legend --branch-coverage --ignore-errors source \ @COVERAGE_TRUE@ -t "$(PACKAGE_STRING)" \ diff --git a/NEWS b/NEWS index 8e82607b3..fe0d6f9c2 100644 --- a/NEWS +++ b/NEWS 
@@ -1,3 +1,46 @@ +strongswan-5.6.1 +---------------- + +- In compliance with RFCs 8221 and 8247 several algorithms were removed from the + default ESP/AH and IKEv2 proposals, respectively (3DES, Blowfish and MD5 from + ESP/AH, MD5 and MODP-1024 from IKEv2). These algorithms may still be used in + custom proposals. + +- Added support for RSASSA-PSS signatures. For backwards compatibility they are + not used automatically by default, enable charon.rsa_pss to change that. To + explicitly use or require such signatures with IKEv2 signature authentication + (RFC 7427), regardless of whether that option is enabled, use ike:rsa/pss... + authentication constraints. + +- The pki tool can optionally sign certificates/CRLs with RSASSA-PSS via the + `--rsa-padding pss` option. + +- The sec-updater tool checks for security updates in dpkg-based repositories + (e.g. Debian/Ubuntu) and sets the security flags in the IMV policy database + accordingly. Additionally for each new package version a SWID tag for the + given OS and HW architecture is created and stored in the database. + Using the sec-updater.sh script template the lookup can be automated + (e.g. via an hourly cron job). + +- The introduction of file versions in the IMV database scheme broke file + reference hash measurements. This has been fixed by creating generic product + versions having an empty package name. + +- A new timeout option for the systime-fix plugin stops periodic system time + checks after a while and enforces a certificate verification, closing or + reauthenticating all SAs with invalid certificates. + +- The IKE event counters, previously only available via ipsec listcounters, may + now be queried/reset via vici and the new swanctl --counters command. They are + provided by the new optional counters plugin. + +- Class attributes received in RADIUS Access-Accept messages may optionally be + added to RADIUS accounting messages. 
+ +- Inbound marks may optionally be installed on the SA again (was removed with + 5.5.2) by enabling the mark_in_sa option in swanctl.conf. + + strongswan-5.6.0 ---------------- diff --git a/conf/Makefile.am b/conf/Makefile.am index 87319db22..38181db2c 100644 --- a/conf/Makefile.am +++ b/conf/Makefile.am @@ -18,13 +18,13 @@ options = \ options/imv_policy_manager.opt \ options/manager.opt \ options/medsrv.opt \ - options/pacman.opt \ options/pki.opt \ options/pool.opt \ options/scepclient.opt \ options/starter.opt \ options/swanctl.opt \ options/tnc.opt \ + options/sec-updater.opt \ options/sw-collector.opt plugins = \ diff --git a/conf/Makefile.in b/conf/Makefile.in index b403c727d..c2cb213f7 100644 --- a/conf/Makefile.in +++ b/conf/Makefile.in @@ -199,9 +199,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -422,13 +424,13 @@ options = \ options/imv_policy_manager.opt \ options/manager.opt \ options/medsrv.opt \ - options/pacman.opt \ options/pki.opt \ options/pool.opt \ options/scepclient.opt \ options/starter.opt \ options/swanctl.opt \ options/tnc.opt \ + options/sec-updater.opt \ options/sw-collector.opt plugins = \ diff --git a/conf/options/charon.conf b/conf/options/charon.conf index f0d084bed..cef9fe36c 100644 --- a/conf/options/charon.conf +++ b/conf/options/charon.conf @@ -230,6 +230,9 @@ charon { # Priority of the routing table. # routing_table_prio = + # Whether to use RSA with PSS padding instead of PKCS#1 padding by default. + # rsa_pss = no + # Delay in ms for sending packets, to simulate larger RTT. # send_delay = 0 diff --git a/conf/options/charon.opt b/conf/options/charon.opt index 900b9b46b..161ebb724 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt 
@@ -341,6 +341,9 @@ charon.routing_table charon.routing_table_prio Priority of the routing table. +charon.rsa_pss = no + Whether to use RSA with PSS padding instead of PKCS#1 padding by default. + charon.send_delay = 0 Delay in ms for sending packets, to simulate larger RTT. diff --git a/conf/options/pacman.conf b/conf/options/pacman.conf deleted file mode 100644 index 730e5435c..000000000 --- a/conf/options/pacman.conf +++ /dev/null @@ -1,12 +0,0 @@ -pacman { - - # Database URI for the database that stores the package information. If it - # contains a password, make sure to adjust the permissions of the config - # file accordingly. - # database = - - # Plugins to load in package manager. - # load = - -} - diff --git a/conf/options/pacman.opt b/conf/options/pacman.opt deleted file mode 100644 index dfb4ba2b1..000000000 --- a/conf/options/pacman.opt +++ /dev/null @@ -1,7 +0,0 @@ -pacman.database = - Database URI for the database that stores the package information. If it - contains a password, make sure to adjust the permissions of the config file - accordingly. - -pacman.load = - Plugins to load in package manager. diff --git a/conf/options/sec-updater.conf b/conf/options/sec-updater.conf new file mode 100644 index 000000000..081476a50 --- /dev/null +++ b/conf/options/sec-updater.conf 
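Review bot: The description of `charon.rsa_pss` contrasts PSS with "PKCS#1 padding", which is ambiguous because RSASSA-PSS is itself specified in PKCS#1 v2.1; the scheme being replaced is PKCS#1 v1.5. I would word it as `Whether to use RSA with PSS padding instead of PKCS#1 v1.5 padding by default.` It would also help to add that `ike:rsa/pss...` authentication constraints apply regardless of this option, as the NEWS entry in this commit states. The same sentence appears in the conf/options/charon.conf and conf/strongswan.conf.5.main hunks, which look generated from this file.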
@@ -0,0 +1,42 @@ +# Options for the sec-updater tool. +sec-updater { + + # Global IMV policy database URI. If it contains a password, make sure to + # adjust the permissions of the config file accordingly. + # database = + + # Plugins to load in sec-updater tool. + # load = + + # strongTNC manage.py command used to import SWID tags. + # tnc_manage_command = /var/www/tnc/manage.py + + swid_gen { + + # SWID generator command to be executed. + # command = /usr/local/bin/swid_generator + + tag_creator { + + # Name of the tagCreator entity. + # name = strongSwan Project + + # regid of the tagCreator entity. + # regid = strongswan.org + + } + + } + + tmp { + + # Temporary storage for downloaded deb package file. + # deb_file = /tmp/sec-updater.deb + + # Temporary storage for generated SWID tags. + # tag_file = /tmp/sec-updater.tag + + } + +} + diff --git a/conf/options/sec-updater.opt b/conf/options/sec-updater.opt new file mode 100644 index 000000000..f6669250e --- /dev/null +++ b/conf/options/sec-updater.opt @@ -0,0 +1,29 @@ +sec-updater {} + Options for the sec-updater tool. + + Options for the sec-updater tool. + +sec-updater.database = + Global IMV policy database URI. If it contains a password, make sure to + adjust the permissions of the config file accordingly. + +sec-updater.swid_gen.command = /usr/local/bin/swid_generator + SWID generator command to be executed. + +sec-updater.swid_gen.tag_creator.name = strongSwan Project + Name of the tagCreator entity. + +sec-updater.swid_gen.tag_creator.regid = strongswan.org + regid of the tagCreator entity. + +sec-updater.tnc_manage_command = /var/www/tnc/manage.py + strongTNC manage.py command used to import SWID tags. + +sec-updater.tmp.deb_file = /tmp/sec-updater.deb + Temporary storage for downloaded deb package file. + +sec-updater.tmp.tag_file = /tmp/sec-updater.tag + Temporary storage for generated SWID tags. + +sec-updater.load = + Plugins to load in sec-updater tool. 
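Review bot: The defaults `deb_file = /tmp/sec-updater.deb` and `tag_file = /tmp/sec-updater.tag` are fixed file names in a world-writable directory, and the NEWS entry in this commit suggests running the tool from an hourly cron job. How sec-updater opens these files is not visible in this diff, so it should be confirmed that a file or symlink already present at either path is handled safely. Either way, both descriptions should tell the operator to choose a private location, for example by appending `Use a path in a directory that only the account running sec-updater can write to.` The same defaults and descriptions are repeated in the conf/options/sec-updater.opt hunk and the conf/strongswan.conf.5.main hunk.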
diff --git a/conf/plugins/eap-radius.conf b/conf/plugins/eap-radius.conf index 8858f3fc5..5a486114e 100644 --- a/conf/plugins/eap-radius.conf +++ b/conf/plugins/eap-radius.conf @@ -15,6 +15,10 @@ eap-radius { # virtual IP. Only for IKEv2, for IKEv1 a virtual IP is strictly necessary. # accounting_requires_vip = no + # If enabled, adds the Class attributes received in Access-Accept message to + # the RADIUS accounting messages. + # accounting_send_class = no + # Use class attributes in Access-Accept messages as group membership # information. # class_group = no diff --git a/conf/plugins/eap-radius.opt b/conf/plugins/eap-radius.opt index c3668ec06..f18a74c49 100644 --- a/conf/plugins/eap-radius.opt +++ b/conf/plugins/eap-radius.opt @@ -13,6 +13,10 @@ charon.plugins.eap-radius.accounting_requires_vip = no If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP. Only for IKEv2, for IKEv1 a virtual IP is strictly necessary. +charon.plugins.eap-radius.accounting_send_class = no + If enabled, adds the Class attributes received in Access-Accept message to + the RADIUS accounting messages. + charon.plugins.eap-radius.class_group = no Use class attributes in Access-Accept messages as group membership information. diff --git a/conf/plugins/systime-fix.conf b/conf/plugins/systime-fix.conf index f5cd4cd5d..1d9a6983a 100644 --- a/conf/plugins/systime-fix.conf +++ b/conf/plugins/systime-fix.conf @@ -18,5 +18,9 @@ systime-fix { # strptime(3) format used to parse threshold option. # threshold_format = %Y + # How long to wait for a valid system time if an interval is configured. 0 + # to recheck indefinitely. + # timeout = 0s + } diff --git a/conf/plugins/systime-fix.opt b/conf/plugins/systime-fix.opt index 7abd03627..714981a52 100644 --- a/conf/plugins/systime-fix.opt +++ b/conf/plugins/systime-fix.opt 
@@ -10,3 +10,7 @@ charon.plugins.systime-fix.threshold = charon.plugins.systime-fix.threshold_format = %Y **strptime**(3) format used to parse threshold option. + +charon.plugins.systime-fix.timeout = 0s + How long to wait for a valid system time if an interval is configured. 0 to + recheck indefinitely. diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main index 4f38c9b03..b54f3e492 100644 --- a/conf/strongswan.conf.5.main +++ b/conf/strongswan.conf.5.main @@ -631,6 +631,11 @@ the RADIUS server in the Access\-Accept message. If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP. Only for IKEv2, for IKEv1 a virtual IP is strictly necessary. +.TP +.BR charon.plugins.eap-radius.accounting_send_class " [no]" +If enabled, adds the Class attributes received in Access\-Accept message to the +RADIUS accounting messages. + .TP .BR charon.plugins.eap-radius.class_group " [no]" Use the @@ -1494,6 +1499,11 @@ Threshold date where system time is considered valid. Disabled if not specified. .RB "" "strptime" "(3)" format used to parse threshold option. +.TP +.BR charon.plugins.systime-fix.timeout " [0s]" +How long to wait for a valid system time if an interval is configured. 0 to +recheck indefinitely. + .TP .BR charon.plugins.tnc-ifmap.client_cert " []" Path to X.509 certificate file of IF\-MAP client. @@ -1762,6 +1772,10 @@ Numerical routing table to install routes to. .BR charon.routing_table_prio " []" Priority of the routing table. +.TP +.BR charon.rsa_pss " [no]" +Whether to use RSA with PSS padding instead of PKCS#1 padding by default. + .TP .BR charon.send_delay " [0]" Delay in ms for sending packets, to simulate larger RTT. 
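Review bot: The description of `charon.plugins.systime-fix.timeout` does not say what happens when the timeout expires. According to the NEWS entry in this commit, the plugin then stops the periodic checks and enforces a certificate verification, closing or reauthenticating all SAs with invalid certificates. With the default `0s` that enforcement presumably never happens while the system time stays invalid. I would add to the description: `When the timeout expires, a certificate verification is enforced and SAs with invalid certificates are closed or reauthenticated.` The same text is in the conf/plugins/systime-fix.conf and conf/strongswan.conf.5.main hunks.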
@@ -2306,16 +2320,6 @@ Number of thread for mediation service web application. .BR medsrv.timeout " [15m]" Session timeout for mediation service. -.TP -.BR pacman.database " []" -Database URI for the database that stores the package information. If it -contains a password, make sure to adjust the permissions of the config file -accordingly. - -.TP -.BR pacman.load " []" -Plugins to load in package manager. - .TP .BR pki.load " []" Plugins to load in ipsec pki tool. @@ -2334,6 +2338,44 @@ Plugins to load in ipsec pool tool. .BR scepclient.load " []" Plugins to load in ipsec scepclient tool. +.TP +.B sec-updater +.br +Options for the sec\-updater tool. + +.TP +.BR sec-updater.database " []" +Global IMV policy database URI. If it contains a password, make sure to adjust +the permissions of the config file accordingly. + +.TP +.BR sec-updater.load " []" +Plugins to load in sec\-updater tool. + +.TP +.BR sec-updater.swid_gen.command " [/usr/local/bin/swid_generator]" +SWID generator command to be executed. + +.TP +.BR sec-updater.swid_gen.tag_creator.name " [strongSwan Project]" +Name of the tagCreator entity. + +.TP +.BR sec-updater.swid_gen.tag_creator.regid " [strongswan.org]" +regid of the tagCreator entity. + +.TP +.BR sec-updater.tmp.deb_file " [/tmp/sec-updater.deb]" +Temporary storage for downloaded deb package file. + +.TP +.BR sec-updater.tmp.tag_file " [/tmp/sec-updater.tag]" +Temporary storage for generated SWID tags. + +.TP +.BR sec-updater.tnc_manage_command " [/var/www/tnc/manage.py]" +strongTNC manage.py command used to import SWID tags. + .TP .BR starter.config_file " [${sysconfdir}/ipsec.conf]" Location of the ipsec.conf file diff --git a/config.h.in b/config.h.in index 06d399922..ba1deb1ce 100644 --- a/config.h.in +++ b/config.h.in @@ -136,7 +136,7 @@ /* Define to 1 if you have the `mmap' function. */ #undef HAVE_MMAP -/* have mpz_mown_sec() */ +/* have mpz_powm_sec() */ #undef HAVE_MPZ_POWM_SEC /* Define to 1 if you have the header file. */ 
@@ -199,6 +199,9 @@ /* have PF_ROUTE RTM_IFANNOUNCE defined */ #undef HAVE_RTM_IFANNOUNCE +/* Define to 1 if you have the `sd_listen_fds_with_names' function. */ +#undef HAVE_SD_LISTEN_FDS_WITH_NAMES + /* Define to 1 if you have the `sem_timedwait' function. */ #undef HAVE_SEM_TIMEDWAIT diff --git a/configure b/configure index 287d2b6eb..9eca70911 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for strongSwan 5.6.0. +# Generated by GNU Autoconf 2.69 for strongSwan 5.6.1. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='strongSwan' PACKAGE_TARNAME='strongswan' -PACKAGE_VERSION='5.6.0' -PACKAGE_STRING='strongSwan 5.6.0' +PACKAGE_VERSION='5.6.1' +PACKAGE_STRING='strongSwan 5.6.1' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -741,6 +741,8 @@ USE_LOCK_PROFILER_FALSE USE_LOCK_PROFILER_TRUE USE_LEAK_DETECTIVE_FALSE USE_LEAK_DETECTIVE_TRUE +USE_COUNTERS_FALSE +USE_COUNTERS_TRUE USE_ATTR_SQL_FALSE USE_ATTR_SQL_TRUE USE_ATTR_FALSE @@ -1064,6 +1066,7 @@ RUBY_GEMS_INSTALL_FALSE RUBY_GEMS_INSTALL_TRUE RUBYGEMDIR GEM +FUZZING_LDFLAGS COVERAGE_LDFLAGS COVERAGE_CFLAGS GENHTML @@ -1080,6 +1083,7 @@ nm_LIBS nm_CFLAGS pcsclite_LIBS pcsclite_CFLAGS +OPENSSL_LIB MYSQLCFLAG MYSQLCONFIG MYSQLLIB @@ -1111,7 +1115,6 @@ USE_X86X64_FALSE USE_X86X64_TRUE USE_WINDOWS_FALSE USE_WINDOWS_TRUE -OPENSSL_LIB RTLIB USE_SYSLOG_FALSE USE_SYSLOG_TRUE @@ -1121,6 +1124,7 @@ SOCKLIB BTLIB DLLIB ALLOCA +GPERF_LEN_TYPE GPERF PERL pkgpyexecdir @@ -1447,6 +1451,7 @@ enable_android_log enable_bypass_lan enable_certexpire enable_connmark +enable_counters enable_forecast enable_duplicheck enable_error_notify 
@@ -2103,7 +2108,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures strongSwan 5.6.0 to adapt to many kinds of systems. +\`configure' configures strongSwan 5.6.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -2174,7 +2179,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of strongSwan 5.6.0:";; + short | recursive ) echo "Configuration of strongSwan 5.6.1:";; esac cat <<\_ACEOF @@ -2350,6 +2355,8 @@ Optional Features: certificates. --enable-connmark enable connmark plugin using conntrack based marks to select return path SA. + --enable-counters enable plugin that collects several performance + counters. --enable-forecast enable forecast plugin forwarding broadcast/multicast messages. --enable-duplicheck advanced duplicate checking plugin using liveness @@ -2652,7 +2659,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -strongSwan configure 5.6.0 +strongSwan configure 5.6.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -3174,7 +3181,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by strongSwan $as_me 5.6.0, which was +It was created by strongSwan $as_me 5.6.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4037,7 +4044,7 @@ fi # Define the identity of the package. PACKAGE='strongswan' - VERSION='5.6.0' + VERSION='5.6.1' cat >>confdefs.h <<_ACEOF 
@@ -7044,6 +7051,22 @@ fi disabled_by_default=${disabled_by_default}" connmark" +# Check whether --enable-counters was given. +if test "${enable_counters+set}" = set; then : + enableval=$enable_counters; counters_given=true + if test x$enableval = xyes; then + counters=true + else + counters=false + fi +else + counters=false + counters_given=false + +fi + + disabled_by_default=${disabled_by_default}" counters" + # Check whether --enable-forecast was given. if test "${enable_forecast+set}" = set; then : enableval=$enable_forecast; forecast_given=true @@ -18070,6 +18093,45 @@ fi $as_echo_n "checking gperf version >= 3.0.0... " >&6; } if test -x "$GPERF"; then if test "`$GPERF --version | $AWK -F' ' '/^GNU gperf/ { print $3 }' | $AWK -F. '{ print $1 }'`" -ge "3"; then + GPERF_OUTPUT="`echo foo | ${GPERF}`" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + const char *in_word_set(const char*, size_t); $GPERF_OUTPUT +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + GPERF_LEN_TYPE=size_t +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + const char *in_word_set(const char*, unsigned); $GPERF_OUTPUT +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + GPERF_LEN_TYPE=unsigned +else + as_fn_error $? "unable to determine gperf len type" "$LINENO" 5 + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } else 
@@ -18166,10 +18228,14 @@ if test x$aikgen = xtrue; then tss_trousers=true fi -if test x$ntru = xtrue -o x$bliss = xtrue; then +if test x$gmp = xtrue -o x$ntru = xtrue -o x$bliss = xtrue; then mgf1=true fi +if test x$stroke = xtrue; then + counters=true +fi + # =========================================== # check required libraries and header files # =========================================== @@ -19605,7 +19671,7 @@ if ac_fn_c_try_compile "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } windows=true - openssl_lib=eay32 + PTHREADLIB="" # explicitly disable ms-bitfields, as it breaks __attribute__((packed)) @@ -19618,7 +19684,6 @@ else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } - openssl_lib=crypto # check for clock_gettime() on non-Windows only. Otherwise this # check might find clock_gettime() in libwinpthread, but we don't want @@ -19699,8 +19764,6 @@ done fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -OPENSSL_LIB=-l$openssl_lib - if test "x$windows" = xtrue; then USE_WINDOWS_TRUE= USE_WINDOWS_FALSE='#' @@ -19923,7 +19986,7 @@ $as_echo_n "checking mpz_powm_sec... " >&6; } int main () { -void *x = mpz_powm_sec; +void *x __attribute__((unused)); x = mpz_powm_sec; ; return 0; } @@ -20869,6 +20932,20 @@ $as_echo "yes" >&6; } fi + saved_LIBS=$LIBS + LIBS="$systemd_LIBS $systemd_daemon_LIBS" + for ac_func in sd_listen_fds_with_names +do : + ac_fn_c_check_func "$LINENO" "sd_listen_fds_with_names" "ac_cv_func_sd_listen_fds_with_names" +if test "x$ac_cv_func_sd_listen_fds_with_names" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_SD_LISTEN_FDS_WITH_NAMES 1 +_ACEOF + +fi +done + + LIBS=$saved_LIBS fi if test x$tss_trousers = xtrue; then 
@@ -21945,7 +22022,57 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi if test x$openssl = xtrue; then - as_ac_Lib=`$as_echo "ac_cv_lib_$openssl_lib''_EVP_CIPHER_CTX_new" | $as_tr_sh` + if test "x$windows" = xtrue; then + openssl_lib=eay32 + as_ac_Lib=`$as_echo "ac_cv_lib_$openssl_lib''_EVP_CIPHER_CTX_new" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_CIPHER_CTX_new in -l$openssl_lib" >&5 +$as_echo_n "checking for EVP_CIPHER_CTX_new in -l$openssl_lib... " >&6; } +if eval \${$as_ac_Lib+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-l$openssl_lib $DLLIB $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char EVP_CIPHER_CTX_new (); +int +main () +{ +return EVP_CIPHER_CTX_new (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + eval "$as_ac_Lib=yes" +else + eval "$as_ac_Lib=no" +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +eval ac_res=\$$as_ac_Lib + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then : + LIBS="$LIBS" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; };openssl_lib="" +fi + + fi + if test -z "$openssl_lib"; then + openssl_lib=crypto + as_ac_Lib=`$as_echo "ac_cv_lib_$openssl_lib''_EVP_CIPHER_CTX_new" | $as_tr_sh` { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_CIPHER_CTX_new in -l$openssl_lib" >&5 $as_echo_n "checking for EVP_CIPHER_CTX_new in -l$openssl_lib... " >&6; } if eval \${$as_ac_Lib+:} false; then : 
@@ -21989,6 +22116,9 @@ else as_fn_error $? "OpenSSL lib$openssl_lib not found" "$LINENO" 5 fi + fi + OPENSSL_LIB=-l$openssl_lib + ac_fn_c_check_header_mongrel "$LINENO" "openssl/evp.h" "ac_cv_header_openssl_evp_h" "$ac_includes_default" if test "x$ac_cv_header_openssl_evp_h" = xyes; then : @@ -23043,6 +23173,19 @@ $as_echo "$as_me: coverage enabled, adding \"-g -O0\" to CFLAGS" >&6;} CFLAGS="${CFLAGS} -g -O0" fi +if test x$fuzzing = xtrue; then + if test x$libfuzzer = x; then + { $as_echo "$as_me:${as_lineno-$LINENO}: fuzz targets enabled without libFuzzer, using local driver" >&5 +$as_echo "$as_me: fuzz targets enabled without libFuzzer, using local driver" >&6;} + CFLAGS="${CFLAGS} -fsanitize=address" + libfuzzer="libFuzzerLocal.a" + else + # required for libFuzzer + FUZZING_LDFLAGS="-stdlib=libc++ -lstdc++" + + fi +fi + if test x$ruby_gems = xtrue; then # Extract the first word of "gem", so it can be a program name with args. set dummy gem; ac_word=$2 @@ -24364,6 +24507,12 @@ if test x$unity = xtrue; then fi +if test x$counters = xtrue; then + c_plugins=${c_plugins}" counters" + charon_plugins=${charon_plugins}" counters" + + fi + @@ -25569,6 +25718,14 @@ else USE_ATTR_SQL_FALSE= fi + if test x$counters = xtrue; then + USE_COUNTERS_TRUE= + USE_COUNTERS_FALSE='#' +else + USE_COUNTERS_TRUE='#' + USE_COUNTERS_FALSE= +fi + # other options # --------------- @@ -25780,7 +25937,7 @@ else USE_LIBPTTLS_FALSE= fi - if test x$tss_trousers = xtrue -o x$tss_tss2 = xtrue -o x$tpm -o x$aikgen = xtrue -o x$imcv = xtrue; then + if test x$tss_trousers = xtrue -o x$tss_tss2 = xtrue -o x$tpm = xtrue -o x$aikgen = xtrue -o x$imcv = xtrue; then USE_LIBTPMTSS_TRUE= USE_LIBTPMTSS_FALSE='#' else 
@@ -26079,8 +26236,8 @@ fi if test -z "$USE_IMCV_TRUE"; then : strongswan_options=${strongswan_options}" imcv" fi -if test -z "$USE_IMV_OS_TRUE"; then : - strongswan_options=${strongswan_options}" pacman" +if test -z "$USE_IMV_SWIMA_TRUE"; then : + strongswan_options=${strongswan_options}" sec-updater" fi if test -z "$USE_LIBTNCCS_TRUE"; then : strongswan_options=${strongswan_options}" tnc" 
@@ -26110,14 +26267,14 @@ fi # build Makefiles # ================= -ac_config_files="$ac_config_files Makefile conf/Makefile fuzz/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/math/libnttfft/Makefile src/libstrongswan/math/libnttfft/tests/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/sha3/Makefile src/libstrongswan/plugins/mgf1/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/curve25519/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/aesni/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/files/Makefile src/libstrongswan/plugins/winhttp/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile 
src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/chapoly/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/bliss/Makefile src/libstrongswan/plugins/bliss/tests/Makefile src/libstrongswan/plugins/newhope/Makefile src/libstrongswan/plugins/newhope/tests/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libipsec/Makefile src/libipsec/tests/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/libimcv/plugins/imc_attestation/Makefile src/libimcv/plugins/imv_attestation/Makefile src/libimcv/plugins/imc_swid/Makefile src/libimcv/plugins/imv_swid/Makefile src/libimcv/plugins/imc_swima/Makefile src/libimcv/plugins/imv_swima/Makefile src/libimcv/plugins/imc_hcd/Makefile src/libimcv/plugins/imv_hcd/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/charon-svc/Makefile src/charon-systemd/Makefile 
src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/socket_win/Makefile src/libcharon/plugins/bypass_lan/Makefile src/libcharon/plugins/connmark/Makefile src/libcharon/plugins/forecast/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_netlink/Makefile src/libcharon/plugins/kernel_pfkey/Makefile src/libcharon/plugins/kernel_pfroute/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/kernel_wfp/Makefile 
src/libcharon/plugins/kernel_iph/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/ext_auth/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/p_cscf/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/vici/Makefile src/libcharon/plugins/vici/ruby/Makefile src/libcharon/plugins/vici/perl/Makefile src/libcharon/plugins/vici/python/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/load_tester/Makefile src/libcharon/plugins/resolve/Makefile src/libcharon/plugins/attr/Makefile src/libcharon/plugins/attr_sql/Makefile src/libcharon/tests/Makefile src/libtpmtss/Makefile src/libtpmtss/plugins/tpm/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/starter/tests/Makefile src/_updown/Makefile src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile src/sw-collector/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile" +ac_config_files="$ac_config_files Makefile conf/Makefile fuzz/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/math/libnttfft/Makefile src/libstrongswan/math/libnttfft/tests/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile 
src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/sha3/Makefile src/libstrongswan/plugins/mgf1/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/curve25519/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/aesni/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/files/Makefile src/libstrongswan/plugins/winhttp/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/chapoly/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile 
src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/bliss/Makefile src/libstrongswan/plugins/bliss/tests/Makefile src/libstrongswan/plugins/newhope/Makefile src/libstrongswan/plugins/newhope/tests/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libipsec/Makefile src/libipsec/tests/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/libimcv/plugins/imc_attestation/Makefile src/libimcv/plugins/imv_attestation/Makefile src/libimcv/plugins/imc_swid/Makefile src/libimcv/plugins/imv_swid/Makefile src/libimcv/plugins/imc_swima/Makefile src/libimcv/plugins/imv_swima/Makefile src/libimcv/plugins/imc_hcd/Makefile src/libimcv/plugins/imv_hcd/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/charon-svc/Makefile src/charon-systemd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile 
src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/socket_win/Makefile src/libcharon/plugins/bypass_lan/Makefile src/libcharon/plugins/connmark/Makefile src/libcharon/plugins/counters/Makefile src/libcharon/plugins/forecast/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_netlink/Makefile src/libcharon/plugins/kernel_pfkey/Makefile src/libcharon/plugins/kernel_pfroute/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/kernel_wfp/Makefile src/libcharon/plugins/kernel_iph/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/ext_auth/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile 
src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/p_cscf/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/vici/Makefile src/libcharon/plugins/vici/ruby/Makefile src/libcharon/plugins/vici/perl/Makefile src/libcharon/plugins/vici/python/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/load_tester/Makefile src/libcharon/plugins/resolve/Makefile src/libcharon/plugins/attr/Makefile src/libcharon/plugins/attr_sql/Makefile src/libcharon/tests/Makefile src/libtpmtss/Makefile src/libtpmtss/plugins/tpm/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/starter/tests/Makefile src/_updown/Makefile src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile src/sw-collector/Makefile src/sec-updater/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile" # ================= # build man pages # ================= -ac_config_files="$ac_config_files conf/strongswan.conf.5.head conf/strongswan.conf.5.tail man/ipsec.conf.5 man/ipsec.secrets.5 src/charon-cmd/charon-cmd.8 src/pki/man/pki.1 src/pki/man/pki---acert.1 src/pki/man/pki---dn.1 src/pki/man/pki---gen.1 src/pki/man/pki---issue.1 src/pki/man/pki---keyid.1 src/pki/man/pki---pkcs12.1 src/pki/man/pki---pkcs7.1 src/pki/man/pki---print.1 src/pki/man/pki---pub.1 src/pki/man/pki---req.1 src/pki/man/pki---self.1 src/pki/man/pki---signcrl.1 src/pki/man/pki---verify.1 src/swanctl/swanctl.8 src/swanctl/swanctl.conf.5.head src/swanctl/swanctl.conf.5.tail src/pt-tls-client/pt-tls-client.1 src/sw-collector/sw-collector.8" +ac_config_files="$ac_config_files 
conf/strongswan.conf.5.head conf/strongswan.conf.5.tail man/ipsec.conf.5 man/ipsec.secrets.5 src/charon-cmd/charon-cmd.8 src/pki/man/pki.1 src/pki/man/pki---acert.1 src/pki/man/pki---dn.1 src/pki/man/pki---gen.1 src/pki/man/pki---issue.1 src/pki/man/pki---keyid.1 src/pki/man/pki---pkcs12.1 src/pki/man/pki---pkcs7.1 src/pki/man/pki---print.1 src/pki/man/pki---pub.1 src/pki/man/pki---req.1 src/pki/man/pki---self.1 src/pki/man/pki---signcrl.1 src/pki/man/pki---verify.1 src/swanctl/swanctl.8 src/swanctl/swanctl.conf.5.head src/swanctl/swanctl.conf.5.tail src/pt-tls-client/pt-tls-client.1 src/sw-collector/sw-collector.8 src/sec-updater/sec-updater.8" cat >confcache <<\_ACEOF @@ -26870,6 +27027,10 @@ if test -z "${USE_ATTR_SQL_TRUE}" && test -z "${USE_ATTR_SQL_FALSE}"; then as_fn_error $? "conditional \"USE_ATTR_SQL\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_COUNTERS_TRUE}" && test -z "${USE_COUNTERS_FALSE}"; then + as_fn_error $? "conditional \"USE_COUNTERS\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_LEAK_DETECTIVE_TRUE}" && test -z "${USE_LEAK_DETECTIVE_FALSE}"; then as_fn_error $? "conditional \"USE_LEAK_DETECTIVE\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -27483,7 +27644,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by strongSwan $as_me 5.6.0, which was +This file was extended by strongSwan $as_me 5.6.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -27549,7 +27710,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -strongSwan config.status 5.6.0 +strongSwan config.status 5.6.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -28102,6 +28263,7 @@ do "src/libcharon/plugins/socket_win/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_win/Makefile" ;; "src/libcharon/plugins/bypass_lan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/bypass_lan/Makefile" ;; "src/libcharon/plugins/connmark/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/connmark/Makefile" ;; + "src/libcharon/plugins/counters/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/counters/Makefile" ;; "src/libcharon/plugins/forecast/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/forecast/Makefile" ;; "src/libcharon/plugins/farp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/farp/Makefile" ;; "src/libcharon/plugins/smp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/smp/Makefile" ;; @@ -28168,6 +28330,7 @@ do "src/conftest/Makefile") CONFIG_FILES="$CONFIG_FILES src/conftest/Makefile" ;; "src/pt-tls-client/Makefile") CONFIG_FILES="$CONFIG_FILES src/pt-tls-client/Makefile" ;; "src/sw-collector/Makefile") CONFIG_FILES="$CONFIG_FILES src/sw-collector/Makefile" ;; + "src/sec-updater/Makefile") CONFIG_FILES="$CONFIG_FILES src/sec-updater/Makefile" ;; "src/swanctl/Makefile") CONFIG_FILES="$CONFIG_FILES src/swanctl/Makefile" ;; "scripts/Makefile") CONFIG_FILES="$CONFIG_FILES scripts/Makefile" ;; "testing/Makefile") CONFIG_FILES="$CONFIG_FILES testing/Makefile" ;; 
@@ -28195,6 +28358,7 @@ do "src/swanctl/swanctl.conf.5.tail") CONFIG_FILES="$CONFIG_FILES src/swanctl/swanctl.conf.5.tail" ;; "src/pt-tls-client/pt-tls-client.1") CONFIG_FILES="$CONFIG_FILES src/pt-tls-client/pt-tls-client.1" ;; "src/sw-collector/sw-collector.8") CONFIG_FILES="$CONFIG_FILES src/sw-collector/sw-collector.8" ;; + "src/sec-updater/sec-updater.8") CONFIG_FILES="$CONFIG_FILES src/sec-updater/sec-updater.8" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac diff --git a/configure.ac b/configure.ac index 45277d967..6effecce3 100644 --- a/configure.ac +++ b/configure.ac @@ -1,6 +1,6 @@ # # Copyright (C) 2007-2017 Tobias Brunner -# Copyright (C) 2006-2016 Andreas Steffen +# Copyright (C) 2006-2017 Andreas Steffen # Copyright (C) 2006-2014 Martin Willi # HSR Hochschule fuer Technik Rapperswil # @@ -19,7 +19,7 @@ # initialize & set some vars # ============================ -AC_INIT([strongSwan],[5.6.0]) +AC_INIT([strongSwan],[5.6.1]) AM_INIT_AUTOMAKE(m4_esyscmd([ echo tar-ustar echo subdir-objects @@ -263,6 +263,7 @@ ARG_ENABL_SET([android-log], [enable Android specific logger plugin.]) ARG_ENABL_SET([bypass-lan], [enable plugin to install bypass policies for local subnets.]) ARG_ENABL_SET([certexpire], [enable CSV export of expiration dates of used certificates.]) ARG_ENABL_SET([connmark], [enable connmark plugin using conntrack based marks to select return path SA.]) +ARG_ENABL_SET([counters], [enable plugin that collects several performance counters.]) ARG_ENABL_SET([forecast], [enable forecast plugin forwarding broadcast/multicast messages.]) ARG_ENABL_SET([duplicheck], [advanced duplicate checking plugin using liveness checks.]) ARG_ENABL_SET([error-notify], [enable error notification plugin.]) 
@@ -378,6 +379,21 @@ AC_PATH_PROG([GPERF], [gperf], [], [$PATH:/bin:/usr/bin:/usr/local/bin]) AC_MSG_CHECKING([gperf version >= 3.0.0]) if test -x "$GPERF"; then if test "`$GPERF --version | $AWK -F' ' '/^GNU gperf/ { print $3 }' | $AWK -F. '{ print $1 }'`" -ge "3"; then + GPERF_OUTPUT="`echo foo | ${GPERF}`" + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[#include + const char *in_word_set(const char*, size_t); $GPERF_OUTPUT]])], + [GPERF_LEN_TYPE=size_t], + [AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[#include + const char *in_word_set(const char*, unsigned); $GPERF_OUTPUT]])], + [GPERF_LEN_TYPE=unsigned], + [AC_MSG_ERROR([unable to determine gperf len type])] + )] + ) + AC_SUBST(GPERF_LEN_TYPE) AC_MSG_RESULT([yes]) else AC_MSG_RESULT([no]) @@ -471,10 +487,14 @@ if test x$aikgen = xtrue; then tss_trousers=true fi -if test x$ntru = xtrue -o x$bliss = xtrue; then +if test x$gmp = xtrue -o x$ntru = xtrue -o x$bliss = xtrue; then mgf1=true fi +if test x$stroke = xtrue; then + counters=true +fi + # =========================================== # check required libraries and header files # =========================================== @@ -827,7 +847,7 @@ AC_COMPILE_IFELSE( [ AC_MSG_RESULT([yes]) windows=true - openssl_lib=eay32 + AC_SUBST(PTHREADLIB, "") # explicitly disable ms-bitfields, as it breaks __attribute__((packed)) case "$CFLAGS" in @@ -837,7 +857,6 @@ AC_COMPILE_IFELSE( ], [ AC_MSG_RESULT([no]) - openssl_lib=crypto # check for clock_gettime() on non-Windows only. Otherwise this # check might find clock_gettime() in libwinpthread, but we don't want @@ -851,7 +870,6 @@ AC_COMPILE_IFELSE( LIBS=$saved_LIBS ] ) -AC_SUBST(OPENSSL_LIB, [-l$openssl_lib]) AM_CONDITIONAL(USE_WINDOWS, [test "x$windows" = xtrue]) AC_MSG_CHECKING([for working __attribute__((packed))]) 
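Review bot: The new gperf probe in the `-378,6 +379,21` hunk has no comment saying why two compile tests are needed, so a later reader cannot tell what `GPERF_LEN_TYPE` distinguishes. A single line above `GPERF_OUTPUT=` would cover it, for example `# gperf 3.1 declares the length argument of in_word_set() as size_t, older versions as unsigned`. The probe also runs between `AC_MSG_CHECKING` and `AC_MSG_RESULT`, so the `AC_MSG_ERROR` text would land in the middle of the "checking gperf version" line. Moving the probe after `AC_MSG_RESULT([yes])` keeps the output readable.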
@@ -919,9 +937,9 @@ if test x$gmp = xtrue; then AC_COMPILE_IFELSE( [AC_LANG_PROGRAM( [[#include "gmp.h"]], - [[void *x = mpz_powm_sec;]])], + [[void *x __attribute__((unused)); x = mpz_powm_sec;]])], [AC_MSG_RESULT([yes]); - AC_DEFINE([HAVE_MPZ_POWM_SEC], [], [have mpz_mown_sec()])], + AC_DEFINE([HAVE_MPZ_POWM_SEC], [], [have mpz_powm_sec()])], [AC_MSG_RESULT([no])] ) else @@ -989,6 +1007,10 @@ if test x$systemd = xtrue; then AC_SUBST(systemd_journal_CFLAGS) AC_SUBST(systemd_journal_LIBS)] ) + saved_LIBS=$LIBS + LIBS="$systemd_LIBS $systemd_daemon_LIBS" + AC_CHECK_FUNCS(sd_listen_fds_with_names) + LIBS=$saved_LIBS fi if test x$tss_trousers = xtrue; then @@ -1103,8 +1125,17 @@ if test x$sqlite = xtrue; then fi if test x$openssl = xtrue; then - AC_CHECK_LIB([$openssl_lib],[EVP_CIPHER_CTX_new],[LIBS="$LIBS"], - [AC_MSG_ERROR([OpenSSL lib$openssl_lib not found])],[$DLLIB]) + if test "x$windows" = xtrue; then + openssl_lib=eay32 + AC_CHECK_LIB([$openssl_lib],[EVP_CIPHER_CTX_new],[LIBS="$LIBS"], + [AC_MSG_RESULT([no]);openssl_lib=""],[$DLLIB]) + fi + if test -z "$openssl_lib"; then + openssl_lib=crypto + AC_CHECK_LIB([$openssl_lib],[EVP_CIPHER_CTX_new],[LIBS="$LIBS"], + [AC_MSG_ERROR([OpenSSL lib$openssl_lib not found])],[$DLLIB]) + fi + AC_SUBST(OPENSSL_LIB, [-l$openssl_lib]) AC_CHECK_HEADER([openssl/evp.h],,[AC_MSG_ERROR([OpenSSL header openssl/evp.h not found!])]) fi @@ -1253,6 +1284,18 @@ if test x$coverage = xtrue; then CFLAGS="${CFLAGS} -g -O0" fi +if test x$fuzzing = xtrue; then + if test x$libfuzzer = x; then + AC_MSG_NOTICE([fuzz targets enabled without libFuzzer, using local driver]) + CFLAGS="${CFLAGS} -fsanitize=address" + libfuzzer="libFuzzerLocal.a" + else + # required for libFuzzer + FUZZING_LDFLAGS="-stdlib=libc++ -lstdc++" + AC_SUBST(FUZZING_LDFLAGS) + fi +fi + if test x$ruby_gems = xtrue; then AC_PATH_PROG([GEM], [gem], [], [$PATH:/bin:/usr/bin:/usr/local/bin]) if test x$GEM = x; then 
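Review bot: In the `-1103,8 +1125,17` hunk, `openssl_lib` is tested with `test -z "$openssl_lib"` without being assigned first on non-Windows builds, because the commit removes the unconditional assignments from the Windows check. If the variable is already set in the environment that runs configure, the `crypto` check is skipped and `OPENSSL_LIB` becomes `-l$openssl_lib` with no `AC_CHECK_LIB` having verified it, so the crypto library linked into the build is chosen by an unvalidated inherited value. Adding `openssl_lib=` as the first statement inside `if test x$openssl = xtrue; then` closes that path, assuming nothing earlier in configure.ac sets it on purpose. The generated `configure` hunk at the top of this page carries the same logic and would pick up the fix on regeneration.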
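Review bot: In the `-1253,6 +1284,18` hunk, `-fsanitize=address` is appended to the global `CFLAGS`, so everything built in this tree is instrumented, not only the fuzz targets, and the code does not say so. A comment above that line would make it explicit, for example `# ASan instruments the whole build; do not install binaries from a fuzzing configuration`. The `else` branch adds no sanitizer flag at all, so it presumably relies on the caller's `CFLAGS` when an external libFuzzer is given. The `# required for libFuzzer` comment could state that expectation.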
@@ -1459,6 +1502,7 @@ ADD_PLUGIN([radattr], [c charon]) ADD_PLUGIN([uci], [c charon]) ADD_PLUGIN([addrblock], [c charon]) ADD_PLUGIN([unity], [c charon]) +ADD_PLUGIN([counters], [c charon]) AC_SUBST(charon_plugins) AC_SUBST(starter_plugins) @@ -1635,6 +1679,7 @@ AM_CONDITIONAL(USE_UNITY, test x$unity = xtrue) AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue) AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue) AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue) +AM_CONDITIONAL(USE_COUNTERS, test x$counters = xtrue) # other options # --------------- @@ -1664,7 +1709,7 @@ AM_CONDITIONAL(USE_LIBNTTFFT, test x$bliss = xtrue -o x$newhope = xtrue) AM_CONDITIONAL(USE_LIBTNCIF, test x$tnc_tnccs = xtrue -o x$imcv = xtrue) AM_CONDITIONAL(USE_LIBTNCCS, test x$tnc_tnccs = xtrue) AM_CONDITIONAL(USE_LIBPTTLS, test x$tnc_tnccs = xtrue) -AM_CONDITIONAL(USE_LIBTPMTSS, test x$tss_trousers = xtrue -o x$tss_tss2 = xtrue -o x$tpm -o x$aikgen = xtrue -o x$imcv = xtrue) +AM_CONDITIONAL(USE_LIBTPMTSS, test x$tss_trousers = xtrue -o x$tss_tss2 = xtrue -o x$tpm = xtrue -o x$aikgen = xtrue -o x$imcv = xtrue) AM_CONDITIONAL(USE_FILE_CONFIG, test x$stroke = xtrue) AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$stroke = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue) AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap) 
@@ -1737,7 +1782,7 @@ AM_COND_IF([USE_CHARON], [strongswan_options=${strongswan_options}" charon charo AM_COND_IF([USE_FILE_CONFIG], [strongswan_options=${strongswan_options}" starter"]) AM_COND_IF([USE_IMV_ATTESTATION], [strongswan_options=${strongswan_options}" attest"]) AM_COND_IF([USE_IMCV], [strongswan_options=${strongswan_options}" imcv"]) -AM_COND_IF([USE_IMV_OS], [strongswan_options=${strongswan_options}" pacman"]) +AM_COND_IF([USE_IMV_SWIMA], [strongswan_options=${strongswan_options}" sec-updater"]) AM_COND_IF([USE_LIBTNCCS], [strongswan_options=${strongswan_options}" tnc"]) AM_COND_IF([USE_MANAGER], [strongswan_options=${strongswan_options}" manager"]) AM_COND_IF([USE_MEDSRV], [strongswan_options=${strongswan_options}" medsrv"]) @@ -1891,6 +1936,7 @@ AC_CONFIG_FILES([ src/libcharon/plugins/socket_win/Makefile src/libcharon/plugins/bypass_lan/Makefile src/libcharon/plugins/connmark/Makefile + src/libcharon/plugins/counters/Makefile src/libcharon/plugins/forecast/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile @@ -1957,6 +2003,7 @@ AC_CONFIG_FILES([ src/conftest/Makefile src/pt-tls-client/Makefile src/sw-collector/Makefile + src/sec-updater/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile @@ -1991,6 +2038,7 @@ AC_CONFIG_FILES([ src/swanctl/swanctl.conf.5.tail src/pt-tls-client/pt-tls-client.1 src/sw-collector/sw-collector.8 + src/sec-updater/sec-updater.8 ]) AC_OUTPUT diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am index 66debc226..bdc3e2ebc 100644 --- a/fuzz/Makefile.am +++ b/fuzz/Makefile.am 
@@ -1,12 +1,12 @@ -CPPFLAGS = @CPPFLAGS@ \ +AM_CPPFLAGS = @CPPFLAGS@ \ -I$(top_srcdir)/src/libstrongswan \ -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \ -DPLUGINS="\"${fuzz_plugins}\"" -LDFLAGS = @LDFLAGS@ ${libfuzzer} \ +fuzz_ldflags = ${libfuzzer} \ $(top_builddir)/src/libstrongswan/.libs/libstrongswan.a \ -Wl,-Bstatic -lgmp -Wl,-Bdynamic \ - -stdlib=libc++ -lstdc++ + @FUZZING_LDFLAGS@ FUZZ_TARGETS=fuzz_certs @@ -14,5 +14,18 @@ all-local: $(FUZZ_TARGETS) CLEANFILES=$(FUZZ_TARGETS) -fuzz_certs: fuzz_certs.c - $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $< $(LDFLAGS) +fuzz_certs: fuzz_certs.c ${libfuzzer} + $(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(fuzz_ldflags) + +noinst_LIBRARIES = libFuzzerLocal.a +libFuzzerLocal_a_SOURCES = libFuzzerLocal.c +libFuzzerLocal_a_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la + +check: all + for f in $(FUZZ_TARGETS); do \ + corpus=$${f#fuzz_}; \ + corpus=$${corpus%%_*}; \ + ./$$f $(FUZZING_CORPORA)/$${corpus}/*; \ + crashes=$(FUZZING_CORPORA)/$${corpus}-crash; \ + test ! -d $${crashes} || ./$$f $${crashes}/*; \ + done diff --git a/fuzz/Makefile.in b/fuzz/Makefile.in index 8306f44ec..31b590273 100644 --- a/fuzz/Makefile.in +++ b/fuzz/Makefile.in @@ -13,6 +13,7 @@ # PARTICULAR PURPOSE. @SET_MAKE@ + VPATH = @srcdir@ am__is_gnu_make = { \ if test -z '$(MAKELEVEL)'; then \ @@ -106,6 +107,17 @@ mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = +LIBRARIES = $(noinst_LIBRARIES) +ARFLAGS = cru +AM_V_AR = $(am__v_AR_@AM_V@) +am__v_AR_ = $(am__v_AR_@AM_DEFAULT_V@) +am__v_AR_0 = @echo " AR " $@; +am__v_AR_1 = +libFuzzerLocal_a_AR = $(AR) $(ARFLAGS) +libFuzzerLocal_a_DEPENDENCIES = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la +am_libFuzzerLocal_a_OBJECTS = libFuzzerLocal.$(OBJEXT) +libFuzzerLocal_a_OBJECTS = $(am_libFuzzerLocal_a_OBJECTS) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false 
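Review bot: The new `check` recipe in fuzz/Makefile.am (hunk `-14,5 +14,18`) discards the exit status of the corpus run. The loop body is joined with `;`, so the recipe's status is that of the last command in the last iteration, and `test ! -d $${crashes}` succeeds whenever no crash directory exists. A target that aborts on a corpus input would therefore still let `make check` pass, which defeats the point of replaying the corpora as a regression test. Ending both runs with an explicit failure fixes this: `./$$f $(FUZZING_CORPORA)/$${corpus}/* || exit 1;` and `test ! -d $${crashes} || ./$$f $${crashes}/* || exit 1;`. The recipe also assumes `FUZZING_CORPORA` is set, since an empty value makes the glob resolve against `/`, so a guard such as `test -n "$(FUZZING_CORPORA)" || exit 1;` before the loop would help.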
@@ -118,15 +130,59 @@ AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = -SOURCES = -DIST_SOURCES = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(libFuzzerLocal_a_SOURCES) +DIST_SOURCES = $(libFuzzerLocal_a_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) -am__DIST_COMMON = $(srcdir)/Makefile.in +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. 
+am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ @@ -146,11 +202,7 @@ CFLAGS = @CFLAGS@ COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ \ - -I$(top_srcdir)/src/libstrongswan \ - -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \ - -DPLUGINS="\"${fuzz_plugins}\"" - +CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ @@ -165,9 +217,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -177,11 +231,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LCOV = @LCOV@ LD = @LD@ -LDFLAGS = @LDFLAGS@ ${libfuzzer} \ - $(top_builddir)/src/libstrongswan/.libs/libstrongswan.a \ - -Wl,-Bstatic -lgmp -Wl,-Bdynamic \ - -stdlib=libc++ -lstdc++ - +LDFLAGS = @LDFLAGS@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ 
@@ -372,11 +422,25 @@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ +AM_CPPFLAGS = @CPPFLAGS@ \ + -I$(top_srcdir)/src/libstrongswan \ + -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \ + -DPLUGINS="\"${fuzz_plugins}\"" + +fuzz_ldflags = ${libfuzzer} \ + $(top_builddir)/src/libstrongswan/.libs/libstrongswan.a \ + -Wl,-Bstatic -lgmp -Wl,-Bdynamic \ + @FUZZING_LDFLAGS@ + FUZZ_TARGETS = fuzz_certs CLEANFILES = $(FUZZ_TARGETS) +noinst_LIBRARIES = libFuzzerLocal.a +libFuzzerLocal_a_SOURCES = libFuzzerLocal.c +libFuzzerLocal_a_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la all: all-am .SUFFIXES: +.SUFFIXES: .c .lo .o .obj $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ 
@@ -407,17 +471,103 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +clean-noinstLIBRARIES: + -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES) + +libFuzzerLocal.a: $(libFuzzerLocal_a_OBJECTS) $(libFuzzerLocal_a_DEPENDENCIES) $(EXTRA_libFuzzerLocal_a_DEPENDENCIES) + $(AM_V_at)-rm -f libFuzzerLocal.a + $(AM_V_AR)$(libFuzzerLocal_a_AR) libFuzzerLocal.a $(libFuzzerLocal_a_OBJECTS) $(libFuzzerLocal_a_LIBADD) + $(AM_V_at)$(RANLIB) libFuzzerLocal.a + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libFuzzerLocal.Po@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs -tags TAGS: -ctags CTAGS: - -cscope cscopelist: +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ @@ -451,7 +601,7 @@ distdir: $(DISTFILES) done check-am: all-am check: check-am -all-am: Makefile all-local +all-am: Makefile $(LIBRARIES) all-local installdirs: install: install-am install-exec: install-exec-am 
@@ -486,11 +636,14 @@ maintainer-clean-generic: @echo "it deletes files that may require special tools to rebuild." clean: clean-am -clean-am: clean-generic clean-libtool mostlyclean-am +clean-am: clean-generic clean-libtool clean-noinstLIBRARIES \ + mostlyclean-am distclean: distclean-am + -rm -rf ./$(DEPDIR) -rm -f Makefile -distclean-am: clean-am distclean-generic +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags dvi: dvi-am @@ -533,12 +686,14 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am -mostlyclean-am: mostlyclean-generic mostlyclean-libtool +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf: pdf-am 
@@ -552,26 +707,36 @@ uninstall-am: .MAKE: install-am install-strip -.PHONY: all all-am all-local check check-am clean clean-generic \ - clean-libtool cscopelist-am ctags-am distclean \ - distclean-generic distclean-libtool distdir dvi dvi-am html \ - html-am info info-am install install-am install-data \ - install-data-am install-dvi install-dvi-am install-exec \ - install-exec-am install-html install-html-am install-info \ - install-info-am install-man install-pdf install-pdf-am \ - install-ps install-ps-am install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \ - uninstall-am +.PHONY: CTAGS GTAGS TAGS all all-am all-local check check-am clean \ + clean-generic clean-libtool clean-noinstLIBRARIES \ + cscopelist-am ctags ctags-am distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-am uninstall uninstall-am .PRECIOUS: Makefile all-local: $(FUZZ_TARGETS) -fuzz_certs: fuzz_certs.c - $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $< $(LDFLAGS) +fuzz_certs: fuzz_certs.c ${libfuzzer} + $(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(fuzz_ldflags) + +check: all + for f in $(FUZZ_TARGETS); do \ + corpus=$${f#fuzz_}; \ + corpus=$${corpus%%_*}; \ + ./$$f $(FUZZING_CORPORA)/$${corpus}/*; \ + crashes=$(FUZZING_CORPORA)/$${corpus}-crash; \ + test ! 
-d $${crashes} || ./$$f $${crashes}/*; \ + done # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/fuzz/libFuzzerLocal.c b/fuzz/libFuzzerLocal.c new file mode 100644 index 000000000..af5c50c66 --- /dev/null +++ b/fuzz/libFuzzerLocal.c @@ -0,0 +1,59 @@ +/* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include +#include +#include + +extern int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size); +__attribute__((weak)) extern int LLVMFuzzerInitialize(int *argc, char ***argv); + +/** + * This is a simple driver for the fuzz targets to verify test inputs outside + * of OSS-Fuzz. + * + * Failures will usually cause crashes. + */ +int main(int argc, char **argv) +{ + chunk_t *data; + int i, res = 0; + + fprintf(stderr, "%s: running %d inputs\n", argv[0], argc - 1); + if (LLVMFuzzerInitialize) + { + LLVMFuzzerInitialize(&argc, &argv); + } + for (i = 1; i < argc; i++) + { + fprintf(stderr, "running: %s\n", argv[i]); + data = chunk_map(argv[i], FALSE); + if (!data) + { + fprintf(stderr, "opening %s failed: %s\n", argv[i], strerror(errno)); + return 1; + } + res = LLVMFuzzerTestOneInput(data->ptr, data->len); + fprintf(stderr, "done: %s: (%zd bytes)\n", argv[i], data->len); + chunk_unmap(data); + if (res) + { + break; + } + } + fprintf(stderr, "%s: completed %d inputs\n", argv[0], i-1); + return res; +} 
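Review bot: The `done:` message in fuzz/libFuzzerLocal.c prints `data->len` with `%zd`, which is the signed conversion; assuming `chunk_t.len` is a `size_t` (its declaration is not in this diff), the line should read `fprintf(stderr, "done: %s: (%zu bytes)\n", argv[i], data->len);`. The return value of `LLVMFuzzerInitialize()` is also ignored, so a target whose setup fails still gets inputs fed to it. A one-line comment on `main` stating that a non-zero result from `LLVMFuzzerTestOneInput()` stops the run and becomes the exit status would help whoever wires this driver into CI.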
diff --git a/init/Makefile.in b/init/Makefile.in index a0b2b9bca..2db9855d3 100644 --- a/init/Makefile.in +++ b/init/Makefile.in @@ -223,9 +223,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/init/systemd-swanctl/Makefile.in b/init/systemd-swanctl/Makefile.in index b68958d46..a1af33e03 100644 --- a/init/systemd-swanctl/Makefile.in +++ b/init/systemd-swanctl/Makefile.in @@ -191,9 +191,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/init/systemd/Makefile.in b/init/systemd/Makefile.in index 3e20f5c7f..f79f43a13 100644 --- a/init/systemd/Makefile.in +++ b/init/systemd/Makefile.in @@ -191,9 +191,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/man/Makefile.in b/man/Makefile.in index 795505a14..9b793627d 100644 --- a/man/Makefile.in +++ b/man/Makefile.in @@ -197,9 +197,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index 69aeba8cb..774df75ac 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in 
@@ -631,6 +631,12 @@ constraint (without ike: prefix) will also apply to IKEv2 authentication, unless this is disabled in .BR strongswan.conf (5). +To use or require RSASSA-PSS signatures use rsa/pss instead of rsa as in e.g. +.BR ike:rsa/pss-sha256 . +If \fBpubkey\fR or \fBrsa\fR constraints are configured RSASSA-PSS signatures +will only be used/accepted if enabled in +.BR strongswan.conf (5). + For .BR eap , an optional EAP method can be appended. Currently defined methods are @@ -1031,8 +1037,8 @@ Relevant only locally, other end need not agree on it. Also see EXPIRY/REKEY below. .TP .BR mark " = [/]" -sets an XFRM mark in the inbound and outbound -IPsec SAs and policies. If the mask is missing then a default +sets an XFRM mark on the inbound policy and outbound +IPsec SA and policy. If the mask is missing then a default mask of .B 0xffffffff is assumed. The special value @@ -1043,13 +1049,13 @@ make the mark unique for each IPsec SA direction (in/out) the special value may be used. .TP .BR mark_in " = [/]" -sets an XFRM mark in the inbound IPsec SA and -policy. If the mask is missing then a default mask of +sets an XFRM mark on the inbound policy (not on the SA). If the mask is missing +then a default mask of .B 0xffffffff is assumed. .TP .BR mark_out " = [/]" -sets an XFRM mark in the outbound IPsec SA and +sets an XFRM mark on the outbound IPsec SA and policy. If the mask is missing then a default mask of .B 0xffffffff is assumed. diff --git a/scripts/Makefile.in b/scripts/Makefile.in index 1f1c37bc5..b13d3c5c6 100644 --- a/scripts/Makefile.in +++ b/scripts/Makefile.in @@ -305,9 +305,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/scripts/oid2der.c b/scripts/oid2der.c index 793c9804a..c8ab8df0f 100644 --- a/scripts/oid2der.c 
+++ b/scripts/oid2der.c @@ -23,9 +23,26 @@ int main(int argc, char *argv[]) { int i, nr = 0; chunk_t oid; + char *decoded; + bool decode = FALSE; + + if (streq(argv[1], "-d")) + { + decode = TRUE; + nr++; + } while (argc > ++nr) { + if (decode) + { + oid = chunk_from_hex(chunk_from_str(argv[nr]), NULL); + decoded = asn1_oid_to_string(oid); + printf("%s\n", decoded); + free(decoded); + free(oid.ptr); + continue; + } oid = asn1_oid_from_string(argv[nr]); if (oid.len) { diff --git a/scripts/pubkey_speed.c b/scripts/pubkey_speed.c index 66279ada3..2928772b8 100644 --- a/scripts/pubkey_speed.c +++ b/scripts/pubkey_speed.c @@ -118,7 +118,7 @@ int main(int argc, char *argv[]) start_timing(&timing); for (round = 0; round < rounds; round++) { - if (!private->sign(private, scheme, data, &sigs[round])) + if (!private->sign(private, scheme, NULL, data, &sigs[round])) { printf("creating signature failed\n"); exit(1); @@ -135,7 +135,7 @@ int main(int argc, char *argv[]) start_timing(&timing); for (round = 0; round < rounds; round++) { - if (!public->verify(public, scheme, data, sigs[round])) + if (!public->verify(public, scheme, NULL, data, sigs[round])) { printf("signature verification failed\n"); exit(1); diff --git a/src/Makefile.am b/src/Makefile.am index 1bdb8337c..7bef1a5dd 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -132,6 +132,10 @@ if USE_IMC_SWIMA SUBDIRS += sw-collector endif +if USE_IMV_SWIMA + SUBDIRS += sec-updater +endif + if USE_INTEGRITY_TEST SUBDIRS += checksum endif diff --git a/src/Makefile.in b/src/Makefile.in index 84d2ad9a1..baae1e09a 100644 --- a/src/Makefile.in +++ b/src/Makefile.in 
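Review bot: In the new `-d` branch of scripts/oid2der.c the result of `asn1_oid_to_string(oid)` goes straight into `printf("%s\n", decoded)`; if that helper returns NULL for an encoding it cannot decode (its definition is not in this diff, so this is an assumption), passing NULL to `%s` is undefined behaviour. A guard such as `printf("%s\n", decoded ? decoded : "(invalid OID)");` keeps the tool predictable on malformed hex input. The option test `streq(argv[1], "-d")` also reads `argv[1]` without looking at `argc`, which relies on `streq()` accepting NULL. The body of `main` continues outside the hunk.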
@@ -120,8 +120,9 @@ host_triplet = @host@ @USE_SVC_TRUE@am__append_31 = charon-svc @USE_LIBPTTLS_TRUE@am__append_32 = pt-tls-client @USE_IMC_SWIMA_TRUE@am__append_33 = sw-collector -@USE_INTEGRITY_TEST_TRUE@am__append_34 = checksum -@USE_AIKGEN_TRUE@am__append_35 = aikgen +@USE_IMV_SWIMA_TRUE@am__append_34 = sec-updater +@USE_INTEGRITY_TEST_TRUE@am__append_35 = checksum +@USE_AIKGEN_TRUE@am__append_36 = aikgen subdir = src ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ @@ -200,7 +201,7 @@ DIST_SUBDIRS = . include libstrongswan libipsec libsimaka libtls \ libcharon starter ipsec _copyright charon charon-systemd \ charon-nm stroke _updown scepclient pki swanctl conftest dumm \ libfast manager medsrv pool charon-tkm charon-cmd charon-svc \ - pt-tls-client sw-collector checksum aikgen + pt-tls-client sw-collector sec-updater checksum aikgen am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ @@ -261,9 +262,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -475,7 +478,7 @@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \ $(am__append_25) $(am__append_26) $(am__append_27) \ $(am__append_28) $(am__append_29) $(am__append_30) \ $(am__append_31) $(am__append_32) $(am__append_33) \ - $(am__append_34) $(am__append_35) + $(am__append_34) $(am__append_35) $(am__append_36) all: all-recursive .SUFFIXES: diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in index 5ba747ac7..af7a95df3 100644 --- a/src/_copyright/Makefile.in +++ b/src/_copyright/Makefile.in 
@@ -213,9 +213,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in index c51d65dd5..86aca5ff9 100644 --- a/src/_updown/Makefile.in +++ b/src/_updown/Makefile.in @@ -191,9 +191,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/aikgen/Makefile.in b/src/aikgen/Makefile.in index 61fcaf86c..7986a1d09 100644 --- a/src/aikgen/Makefile.in +++ b/src/aikgen/Makefile.in @@ -214,9 +214,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/charon-cmd/Makefile.in b/src/charon-cmd/Makefile.in index ea492f957..b9fe0b7f6 100644 --- a/src/charon-cmd/Makefile.in +++ b/src/charon-cmd/Makefile.in @@ -251,9 +251,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in index 6733a3321..3cff97e7c 100644 --- a/src/charon-nm/Makefile.in +++ b/src/charon-nm/Makefile.in @@ -250,9 +250,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ 
diff --git a/src/charon-svc/Makefile.in b/src/charon-svc/Makefile.in index 263c6a3fb..8da578457 100644 --- a/src/charon-svc/Makefile.in +++ b/src/charon-svc/Makefile.in @@ -214,9 +214,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/charon-systemd/Makefile.in b/src/charon-systemd/Makefile.in index 9697c426b..f28204b33 100644 --- a/src/charon-systemd/Makefile.in +++ b/src/charon-systemd/Makefile.in @@ -218,9 +218,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/charon-tkm/Makefile.in b/src/charon-tkm/Makefile.in index 258f33b0f..c2762f031 100644 --- a/src/charon-tkm/Makefile.in +++ b/src/charon-tkm/Makefile.in @@ -161,9 +161,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c index a4d4d0cf5..7f014237a 100644 --- a/src/charon-tkm/src/charon-tkm.c +++ b/src/charon-tkm/src/charon-tkm.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2017 Tobias Brunner * Copyright (C) 2012 Reto Buerki * Copyright (C) 2012 Adrian-Ken Rueegsegger - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -24,6 +24,7 @@ #include #include #include +#include #include #include 
@@ -49,6 +50,11 @@ */ static tkm_listener_t *listener; +/** + * Name of the daemon + */ +static char *dmn_name; + /** * PID file, in which charon-tkm stores its process id */ @@ -186,8 +192,11 @@ static bool check_pidfile() pid = atoi(buf); } fclose(pidfile); + pidfile = NULL; if (pid && kill(pid, 0) == 0) - { /* such a process is running */ + { + DBG1(DBG_DMN, "%s already running ('%s' exists)", dmn_name, + pidfile_name); return TRUE; } } @@ -199,13 +208,31 @@ static bool check_pidfile() pidfile = fopen(pidfile_name, "w"); if (pidfile) { - ignore_result(fchown(fileno(pidfile), + int fd; + + fd = fileno(pidfile); + if (fd == -1) + { + DBG1(DBG_DMN, "unable to determine fd for '%s'", pidfile_name); + return TRUE; + } + if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) + { + DBG1(DBG_LIB, "setting FD_CLOEXEC for '%s' failed: %s", + pidfile_name, strerror(errno)); + } + ignore_result(fchown(fd, lib->caps->get_uid(lib->caps), lib->caps->get_gid(lib->caps))); fprintf(pidfile, "%d\n", getpid()); fflush(pidfile); + return FALSE; + } + else + { + DBG1(DBG_DMN, "unable to create pidfile '%s'", pidfile_name); + return TRUE; } - return FALSE; } /** @@ -221,15 +248,15 @@ static void unlink_pidfile() { ignore_result(ftruncate(fileno(pidfile), 0)); fclose(pidfile); + unlink(pidfile_name); } - unlink(pidfile_name); } + /** * Main function, starts TKM backend. */ int main(int argc, char *argv[]) { - char *dmn_name; if (argc > 0 && strlen(argv[0]) > 0) { dmn_name = basename(argv[0]); @@ -322,8 +349,6 @@ int main(int argc, char *argv[]) if (check_pidfile()) { - DBG1(DBG_DMN, "%s already running (\"%s\" exists)", dmn_name, - pidfile_name); goto deinit; } @@ -372,8 +397,6 @@ int main(int argc, char *argv[]) /* main thread goes to run loop */ run(); - unlink_pidfile(); - free(pidfile_name); status = 0; charon->bus->remove_listener(charon->bus, &listener->listener); listener->destroy(listener); 
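Review bot: The liveness test `if (pid && kill(pid, 0) == 0)` in `check_pidfile()` treats every `kill()` failure as "not running", including EPERM, which is what it returns when the process exists but belongs to another user. It also accepts a negative value from `atoi(buf)`, where `kill()` addresses a process group instead of one process. I would tighten it to `if (pid > 0 && (kill(pid, 0) == 0 || errno == EPERM))`. The start of `check_pidfile()` is outside the hunk.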
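Review bot: The pidfile is still created with `fopen(pidfile_name, "w")`, which follows symlinks and truncates whatever it finds, and the new code then calls `fchown()` on the resulting descriptor. If the pidfile directory is ever writable by a less privileged user (not visible from this hunk), a pre-placed symlink would let the daemon truncate and hand over ownership of another file. Opening with `fd = open(pidfile_name, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);` followed by `pidfile = fdopen(fd, "w");` avoids that and makes the separate `fcntl(fd, F_SETFD, FD_CLOEXEC)` step unnecessary. The FD_CLOEXEC failure is also logged under `DBG_LIB` while the surrounding messages use `DBG_DMN`.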
@@ -384,6 +407,8 @@ deinit: destroy_dh_mapping(); libcharon_deinit(); tkm_deinit(); + unlink_pidfile(); + free(pidfile_name); library_deinit(); return status; } diff --git a/src/charon-tkm/src/tkm/tkm_id_manager.c b/src/charon-tkm/src/tkm/tkm_id_manager.c index d8ff6753f..9a2ede03e 100644 --- a/src/charon-tkm/src/tkm/tkm_id_manager.c +++ b/src/charon-tkm/src/tkm/tkm_id_manager.c @@ -43,7 +43,7 @@ struct private_tkm_id_manager_t { /** * Per-kind array of free context ids */ - bool* ctxids[TKM_CTX_MAX]; + int* ctxids[TKM_CTX_MAX]; /** * Per-kind context limits. @@ -85,9 +85,9 @@ METHOD(tkm_id_manager_t, acquire_id, int, this->locks[kind]->write_lock(this->locks[kind]); for (j = 0; j < this->limits[kind]; j++) { - if (!this->ctxids[kind][j]) + if (this->ctxids[kind][j] == 0) { - this->ctxids[kind][j] = true; + this->ctxids[kind][j] = 1; id = j + 1; break; } 
@@ -103,24 +103,55 @@ METHOD(tkm_id_manager_t, acquire_id, int, return id; } -METHOD(tkm_id_manager_t, release_id, bool, +METHOD(tkm_id_manager_t, acquire_ref, bool, + private_tkm_id_manager_t * const this, const tkm_context_kind_t kind, + const int ref_id) +{ + const int idx = ref_id - 1; + + if (!is_valid_kind(kind)) + { + DBG1(DBG_LIB, "tried to acquire reference for invalid context kind '%d'", + kind); + return FALSE; + } + + if (ref_id < 1 || (uint64_t)ref_id > this->limits[kind]) + { + DBG1(DBG_LIB, "tried to acquire reference for context id %d out of " + "bounds (max %llu)", ref_id, this->limits[kind]); + return FALSE; + } + + this->locks[kind]->write_lock(this->locks[kind]); + this->ctxids[kind][idx]++; + this->locks[kind]->unlock(this->locks[kind]); + + return TRUE; +} + +METHOD(tkm_id_manager_t, release_id, int, private_tkm_id_manager_t * const this, const tkm_context_kind_t kind, const int id) { const int idx = id - 1; + int refcount = 0; if (!is_valid_kind(kind)) { DBG1(DBG_LIB, "tried to release id %d for invalid context kind '%d'", id, kind); - return FALSE; + return -1; } this->locks[kind]->write_lock(this->locks[kind]); - this->ctxids[kind][idx] = false; + if (this->ctxids[kind][idx] > 0) + { + refcount = --this->ctxids[kind][idx]; + } this->locks[kind]->unlock(this->locks[kind]); - return TRUE; + return refcount; } @@ -147,6 +178,7 @@ tkm_id_manager_t *tkm_id_manager_create(const tkm_limits_t limits) INIT(this, .public = { .acquire_id = _acquire_id, + .acquire_ref = _acquire_ref, .release_id = _release_id, .destroy = _destroy, }, @@ -155,7 +187,7 @@ tkm_id_manager_t *tkm_id_manager_create(const tkm_limits_t limits) for (i = 0; i < TKM_CTX_MAX; i++) { this->limits[i] = limits[i]; - this->ctxids[i] = calloc(limits[i], sizeof(bool)); + this->ctxids[i] = calloc(limits[i], sizeof(int)); this->locks[i] = rwlock_create(RWLOCK_TYPE_DEFAULT); DBG2(DBG_LIB, "%N initialized, %llu slot(s)", tkm_context_kind_names, i, limits[i]); 
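Review bot: `release_id` still indexes `this->ctxids[kind][idx]` without the range check that the new `acquire_ref` performs, so an `id` of 0 or one above `limits[kind]` reads, and possibly decrements, memory outside the array. The same guard fits here: `if (id < 1 || (uint64_t)id > this->limits[kind]) { return -1; }`. `release_id` also returns 0 for a slot that was already free, which a caller cannot tell apart from "last reference dropped". In the other direction, `acquire_ref` increments a slot even when its count is 0, meaning it was never handed out by `acquire_id`; rejecting that case with FALSE would keep the refcount meaningful.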
diff --git a/src/charon-tkm/src/tkm/tkm_id_manager.h b/src/charon-tkm/src/tkm/tkm_id_manager.h index 0fc9ff8ef..1c48b57f1 100644 --- a/src/charon-tkm/src/tkm/tkm_id_manager.h +++ b/src/charon-tkm/src/tkm/tkm_id_manager.h @@ -73,16 +73,28 @@ struct tkm_id_manager_t { int (*acquire_id)(tkm_id_manager_t * const this, const tkm_context_kind_t kind); + /** + * Acquire reference to given context id for a specific context kind. + * + * @param kind kind of context id + * @param ref_id id to acquire a reference for + * @return TRUE if reference could be acquired, + * FALSE otherwise + */ + bool (*acquire_ref)(tkm_id_manager_t * const this, + const tkm_context_kind_t kind, + const int ref_id); + /** * Release a previously acquired context id. * * @param kind kind of context id to release * @param id id to release - * @return TRUE if id was released, FALSE otherwise + * @return current refcount if id was released, -1 otherwise */ - bool (*release_id)(tkm_id_manager_t * const this, - const tkm_context_kind_t kind, - const int id); + int (*release_id)(tkm_id_manager_t * const this, + const tkm_context_kind_t kind, + const int id); /** * Destroy a tkm_id_manager instance. diff --git a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c index 5decde92b..48dd40aa5 100644 --- a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c +++ b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c @@ -134,6 +134,12 @@ METHOD(kernel_ipsec_t, add_sa, status_t, } esa_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_ESA); + if (esa_id == 0) + { + DBG1(DBG_KNL, "unable to acquire esa context id"); + goto esa_id_failure; + } + if (!tkm->sad->insert(tkm->sad, esa_id, data->reqid, local, peer, spi_loc, spi_rem, id->proto)) { 
@@ -193,9 +199,11 @@ METHOD(kernel_ipsec_t, add_sa, status_t, return SUCCESS; failure: + ike_esa_reset(esa_id); tkm->sad->remove(tkm->sad, esa_id); sad_failure: tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_ESA, esa_id); +esa_id_failure: chunk_free(&esa.nonce_i); chunk_free(&esa.nonce_r); return FAILED; diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c index a24760445..ed5366c2c 100644 --- a/src/charon-tkm/src/tkm/tkm_keymat.c +++ b/src/charon-tkm/src/tkm/tkm_keymat.c @@ -279,8 +279,15 @@ METHOD(keymat_v2_t, derive_ike_keys, bool, } isa_info = *((isa_info_t *)(rekey_skd.ptr)); DBG1(DBG_IKE, "deriving IKE keys (parent_isa: %llu, ae: %llu, nc: %llu," - "dh: %llu, spi_loc: %llx, spi_rem: %llx)", isa_info.parent_isa_id, + " dh: %llu, spi_loc: %llx, spi_rem: %llx)", isa_info.parent_isa_id, isa_info.ae_id, nc_id, dh_id, spi_loc, spi_rem); + + if (!tkm->idmgr->acquire_ref(tkm->idmgr, TKM_CTX_AE, isa_info.ae_id)) + { + DBG1(DBG_IKE, "unable to acquire reference for ae: %llu", + isa_info.ae_id); + return FALSE; + } this->ae_ctx_id = isa_info.ae_id; res = ike_isa_create_child(this->isa_ctx_id, isa_info.parent_isa_id, 1, dh_id, nc_id, nonce_rem, this->initiator, @@ -416,11 +423,6 @@ METHOD(keymat_v2_t, get_skd, pseudo_random_function_t, *skd = chunk_create((u_char *)isa_info, sizeof(isa_info_t)); - /* - * remove ae context id, since control has now been handed over to the new - * IKE SA keymat - */ - this->ae_ctx_id = 0; return PRF_HMAC_SHA2_512; } @@ -462,11 +464,12 @@ METHOD(keymat_t, destroy, void, /* only reset ae context if set */ if (this->ae_ctx_id != 0) { - if (ike_ae_reset(this->ae_ctx_id) != TKM_OK) + int count; + count = tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_AE, this->ae_ctx_id); + if (count == 0 && ike_ae_reset(this->ae_ctx_id) != TKM_OK) { DBG1(DBG_IKE, "failed to reset AE context %d", this->ae_ctx_id); } - tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_AE, this->ae_ctx_id); } DESTROY_IF(this->hash_algorithms); 
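Review bot: In the `destroy` hunk the AE id is now released before `ike_ae_reset()` runs, the reverse of the removed code, so the slot count is already zero while the context is still waiting to be reset. If `acquire_id` hands out zero-count slots (its body is not part of this diff excerpt), another thread could obtain the same AE id in that window and then have its fresh context reset underneath it. Consider letting the id manager perform the reset under its write lock when the count reaches zero, or otherwise keeping the slot reserved until the reset has finished. At minimum the ordering should be documented, e.g. `/* id is reusable from here on; the reset below must not race with acquire_id() */`. The body of `destroy` continues outside the hunk.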
diff --git a/src/charon-tkm/src/tkm/tkm_private_key.c b/src/charon-tkm/src/tkm/tkm_private_key.c index db57ec1c7..891b579ee 100644 --- a/src/charon-tkm/src/tkm/tkm_private_key.c +++ b/src/charon-tkm/src/tkm/tkm_private_key.c @@ -14,6 +14,7 @@ * for more details. */ +#include #include #include #include @@ -58,7 +59,7 @@ METHOD(private_key_t, get_type, key_type_t, } METHOD(private_key_t, sign, bool, - private_tkm_private_key_t *this, signature_scheme_t scheme, + private_tkm_private_key_t *this, signature_scheme_t scheme, void *params, chunk_t data, chunk_t *signature) { signature_type sig; diff --git a/src/charon-tkm/src/tkm/tkm_public_key.c b/src/charon-tkm/src/tkm/tkm_public_key.c index 9ebdc29e6..2a14a9bdd 100644 --- a/src/charon-tkm/src/tkm/tkm_public_key.c +++ b/src/charon-tkm/src/tkm/tkm_public_key.c @@ -14,6 +14,7 @@ * for more details. */ +#include #include #include "tkm_public_key.h" @@ -53,7 +54,7 @@ METHOD(public_key_t, get_type, key_type_t, } METHOD(public_key_t, verify, bool, - private_tkm_public_key_t *this, signature_scheme_t scheme, + private_tkm_public_key_t *this, signature_scheme_t scheme, void *params, chunk_t data, chunk_t signature) { return TRUE; diff --git a/src/charon-tkm/tests/id_manager_tests.c b/src/charon-tkm/tests/id_manager_tests.c index 8157496ca..fb5e56a05 100644 --- a/src/charon-tkm/tests/id_manager_tests.c +++ b/src/charon-tkm/tests/id_manager_tests.c 
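Review bot: `verify` in tkm_public_key.c gains the `params` argument, yet the body shown is still just `return TRUE;`, so scheme, parameters, data and signature are all ignored and every caller that reaches this stub is told the signature is valid. Nothing in the hunk says why that is safe. If the actual verification is performed inside the TKM and this method is never the deciding check, say so at the top of the body, e.g. `/* signature is verified by the TKM itself; this stub must never be the only check */`. The end of the function lies outside the hunk.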
@@ -84,21 +84,85 @@ START_TEST(test_acquire_id_same) } END_TEST -START_TEST(test_release_id) +START_TEST(test_acquire_ref) { int i, id = 0; - bool released = false; + bool acquired = false; + tkm_id_manager_t *idmgr = tkm_id_manager_create(limits); + + for (i = 0; i < TKM_CTX_MAX; i++) + { + id = idmgr->acquire_id(idmgr, i); + acquired = idmgr->acquire_ref(idmgr, i, id); + fail_unless(acquired, "Error acquiring reference context kind %d", i); + + /* Reset test variable */ + acquired = false; + } + + idmgr->destroy(idmgr); +} +END_TEST + +START_TEST(test_acquire_ref_invalid_kind) +{ + bool acquired; + tkm_id_manager_t *idmgr = tkm_id_manager_create(limits); + + acquired = idmgr->acquire_ref(idmgr, TKM_CTX_MAX, 1); + fail_if(acquired, "Acquired reference for invalid context kind %d", TKM_CTX_MAX); + + /* Reset test variable */ + acquired = 0; + + acquired = idmgr->acquire_ref(idmgr, -1, 1); + fail_if(acquired, "Acquired reference for invalid context kind %d", -1); + + idmgr->destroy(idmgr); +} +END_TEST + +START_TEST(test_acquire_ref_invalid_id) +{ + int i; + bool acquired; + tkm_id_manager_t *idmgr = tkm_id_manager_create(limits); + + for (i = 0; i < TKM_CTX_MAX; i++) + { + acquired = idmgr->acquire_ref(idmgr, i, -1); + fail_if(acquired, + "Acquired reference for negative id of context kind %d", i); + + /* Reset test variable */ + acquired = false; + + acquired = idmgr->acquire_ref(idmgr, i, limits[i] + 1); + fail_if(acquired, + "Acquired reference exceeding limit of context kind %d", i); + + /* Reset test variable */ + acquired = false; + } + + idmgr->destroy(idmgr); +} +END_TEST + +START_TEST(test_release_id) +{ + int i, count, id = 0; tkm_id_manager_t *idmgr = tkm_id_manager_create(limits); for (i = 0; i < TKM_CTX_MAX; i++) { id = idmgr->acquire_id(idmgr, i); - released = idmgr->release_id(idmgr, i, id); + count = idmgr->release_id(idmgr, i, id); - fail_unless(released, "Error releasing id of context kind %d", i); + fail_unless(count == 0, "Error releasing id of 
context kind %d", i); - /* Reset released variable */ - released = FALSE; + /* Reset count variable */ + count = 0; } idmgr->destroy(idmgr); @@ -107,17 +171,17 @@ END_TEST START_TEST(test_release_id_invalid_kind) { - bool released = TRUE; + int count = 0; tkm_id_manager_t *idmgr = tkm_id_manager_create(limits); - released = idmgr->release_id(idmgr, TKM_CTX_MAX, 1); - fail_if(released, "Released id for invalid context kind %d", TKM_CTX_MAX); + count = idmgr->release_id(idmgr, TKM_CTX_MAX, 1); + fail_if(count >= 0, "Released id for invalid context kind %d", TKM_CTX_MAX); /* Reset test variable */ - released = TRUE; + count = 0; - released = idmgr->release_id(idmgr, -1, 1); - fail_if(released, "Released id for invalid context kind %d", -1); + count = idmgr->release_id(idmgr, -1, 1); + fail_if(count >= 0, "Released id for invalid context kind %d", -1); idmgr->destroy(idmgr); } @@ -125,11 +189,11 @@ END_TEST START_TEST(test_release_id_nonexistent) { - bool released = FALSE; + int count = 0; tkm_id_manager_t *idmgr = tkm_id_manager_create(limits); - released = idmgr->release_id(idmgr, TKM_CTX_NONCE, 1); - fail_unless(released, "Release of nonexistent id failed"); + count = idmgr->release_id(idmgr, TKM_CTX_NONCE, 1); + fail_unless(count == 0, "Release of nonexistent id failed"); idmgr->destroy(idmgr); } @@ -150,6 +214,9 @@ Suite *make_id_manager_tests() tcase_add_test(tc, test_acquire_id); tcase_add_test(tc, test_acquire_id_invalid_kind); tcase_add_test(tc, test_acquire_id_same); + tcase_add_test(tc, test_acquire_ref); + tcase_add_test(tc, test_acquire_ref_invalid_kind); + tcase_add_test(tc, test_acquire_ref_invalid_id); suite_add_tcase(s, tc); tc = tcase_create("release"); diff --git a/src/charon-tkm/tests/kernel_sad_tests.c b/src/charon-tkm/tests/kernel_sad_tests.c index 39d8a790a..59ff77b68 100644 --- a/src/charon-tkm/tests/kernel_sad_tests.c +++ b/src/charon-tkm/tests/kernel_sad_tests.c 
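Review bot: None of the tests added in this hunk exercises the reference count itself. `test_acquire_ref` only checks that the call returns TRUE, and `test_release_id` expects 0 after a single `acquire_id`, which the `> 0` guard in `release_id` would also return for a slot that was never counted. The behaviour the keymat `destroy` change depends on is not pinned: with two holders the first release must report one remaining reference and only the second may report 0. A case like the one below would cover it, assuming `acquire_id` leaves the count at 1; it also needs `tcase_add_test(tc, test_release_id_refcount);` in the release group of `make_id_manager_tests`.

```c
START_TEST(test_release_id_refcount)
{
	int id;
	tkm_id_manager_t *idmgr = tkm_id_manager_create(limits);

	id = idmgr->acquire_id(idmgr, TKM_CTX_AE);
	fail_unless(idmgr->acquire_ref(idmgr, TKM_CTX_AE, id),
				"Error acquiring reference");
	/* two holders: the first release must leave one reference */
	fail_unless(idmgr->release_id(idmgr, TKM_CTX_AE, id) == 1,
				"Refcount not 1 after first release");
	/* last holder gone: only now may the caller reset the context */
	fail_unless(idmgr->release_id(idmgr, TKM_CTX_AE, id) == 0,
				"Refcount not 0 after last release");

	idmgr->destroy(idmgr);
}
END_TEST
```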
@@ -123,11 +123,11 @@ START_TEST(test_remove) tkm_kernel_sad_t *sad = tkm_kernel_sad_create(); fail_unless(sad->insert(sad, 23, 54, addr, addr, 27, 42, 50), "Error inserting SAD entry"); - fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 23, + fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50, FALSE) == 23, "Error getting esa id"); fail_unless(sad->remove(sad, 23), "Error removing SAD entry"); - fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 0, + fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50, FALSE) == 0, "Got esa id for removed SAD entry"); sad->destroy(sad); addr->destroy(addr); diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in index 9c5283cd7..14bde277c 100644 --- a/src/charon/Makefile.in +++ b/src/charon/Makefile.in @@ -217,9 +217,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/charon/charon.c b/src/charon/charon.c index 520cb3c74..f23717034 100644 --- a/src/charon/charon.c +++ b/src/charon/charon.c @@ -1,9 +1,9 @@ /* - * Copyright (C) 2006-2012 Tobias Brunner + * Copyright (C) 2006-2017 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -203,8 +203,10 @@ static bool check_pidfile() pid = atoi(buf); } fclose(pidfile); + pidfile = NULL; if (pid && kill(pid, 0) == 0) - { /* such a process is running */ + { + DBG1(DBG_DMN, "charon already running ('"PID_FILE"' exists)"); return TRUE; } } 
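Review bot: In the `check_pidfile` hunk, the branch that now logs "charon already running" is entered whenever `kill(pid, 0)` succeeds, and `pid` comes straight from `atoi(buf)` with no sign check. A pidfile holding a negative number makes `kill()` probe a process group (or, for -1, every process the caller may signal) instead of one process, so a corrupted or tampered file can keep the daemon from starting. The following hunk hands the file to the daemon's uid with `fchown`, so its content should not be trusted. Tightening the test to `if (pid > 0 && kill(pid, 0) == 0)` avoids that. `check_pidfile` starts before this hunk and continues past it.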
@@ -219,18 +221,28 @@ static bool check_pidfile() int fd; fd = fileno(pidfile); - if (fd == -1 || fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) + if (fd == -1) + { + DBG1(DBG_DMN, "unable to determine fd for '"PID_FILE"'"); + return TRUE; + } + if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) { DBG1(DBG_LIB, "setting FD_CLOEXEC for '"PID_FILE"' failed: %s", strerror(errno)); } - ignore_result(fchown(fileno(pidfile), + ignore_result(fchown(fd, lib->caps->get_uid(lib->caps), lib->caps->get_gid(lib->caps))); fprintf(pidfile, "%d\n", getpid()); fflush(pidfile); + return FALSE; + } + else + { + DBG1(DBG_DMN, "unable to create pidfile '"PID_FILE"'"); + return TRUE; } - return FALSE; } /** @@ -246,8 +258,8 @@ static void unlink_pidfile() { ignore_result(ftruncate(fileno(pidfile), 0)); fclose(pidfile); + unlink(PID_FILE); } - unlink(PID_FILE); } /** @@ -402,7 +414,6 @@ int main(int argc, char *argv[]) if (check_pidfile()) { - DBG1(DBG_DMN, "charon already running (\""PID_FILE"\" exists)"); goto deinit; } @@ -434,12 +445,11 @@ int main(int argc, char *argv[]) /* main thread goes to run loop */ run(); - /* normal termination, cleanup and exit */ - unlink_pidfile(); status = 0; deinit: libcharon_deinit(); + unlink_pidfile(); library_deinit(); return status; } diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am index 1856e2a31..107b26c31 100644 --- a/src/checksum/Makefile.am +++ b/src/checksum/Makefile.am @@ -130,6 +130,10 @@ if USE_IMC_SWIMA exes += $(DESTDIR)$(sbindir)/sw-collector endif +if USE_IMV_SWIMA + exes += $(DESTDIR)$(sbindir)/sec-updater +endif + checksum.c : checksum_builder $(deps) $(exes) ./checksum_builder $(libs) $(exes) > checksum.c diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in index 87e78a99f..f46302994 100644 --- a/src/checksum/Makefile.in +++ b/src/checksum/Makefile.in 
@@ -123,6 +123,7 @@ EXTRA_PROGRAMS = checksum_builder$(EXEEXT) @USE_IMV_ATTESTATION_TRUE@am__append_32 = $(DESTDIR)$(ipsecdir)/attest @USE_LIBPTTLS_TRUE@am__append_33 = $(DESTDIR)$(bindir)/pt-tls-client @USE_IMC_SWIMA_TRUE@am__append_34 = $(DESTDIR)$(sbindir)/sw-collector +@USE_IMV_SWIMA_TRUE@am__append_35 = $(DESTDIR)$(sbindir)/sec-updater subdir = src/checksum ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ @@ -288,9 +289,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -528,7 +531,7 @@ libs = $(DESTDIR)$(ipseclibdir)/libstrongswan.so $(am__append_3) \ exes = $(am__append_24) $(am__append_26) $(am__append_27) \ $(am__append_28) $(am__append_29) $(am__append_30) \ $(am__append_31) $(am__append_32) $(am__append_33) \ - $(am__append_34) + $(am__append_34) $(am__append_35) all: all-am .SUFFIXES: diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in index 4f33d9891..1ea430c63 100644 --- a/src/conftest/Makefile.in +++ b/src/conftest/Makefile.in @@ -231,9 +231,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/conftest/hooks/pretend_auth.c b/src/conftest/hooks/pretend_auth.c index d80196ed6..4be6f45db 100644 --- a/src/conftest/hooks/pretend_auth.c +++ b/src/conftest/hooks/pretend_auth.c @@ -244,7 +244,7 @@ static bool build_auth(private_pretend_auth_t *this, private->destroy(private); return FALSE; } - if (!private->sign(private, scheme, octets, &auth_data)) + if (!private->sign(private, scheme, NULL, octets, &auth_data)) { chunk_free(&octets); private->destroy(private); 
diff --git a/src/conftest/hooks/rebuild_auth.c b/src/conftest/hooks/rebuild_auth.c index b2df278a5..bc20292a1 100644 --- a/src/conftest/hooks/rebuild_auth.c +++ b/src/conftest/hooks/rebuild_auth.c @@ -143,7 +143,7 @@ static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa, id->destroy(id); return FALSE; } - if (!private->sign(private, scheme, octets, &auth_data)) + if (!private->sign(private, scheme, NULL, octets, &auth_data)) { chunk_free(&octets); private->destroy(private); diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in index 6c7cc4176..50b0abb64 100644 --- a/src/dumm/Makefile.in +++ b/src/dumm/Makefile.in @@ -258,9 +258,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/include/Makefile.in b/src/include/Makefile.in index dde85cb09..4106494db 100644 --- a/src/include/Makefile.in +++ b/src/include/Makefile.in @@ -161,9 +161,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in index 494dc45ee..46715938e 100644 --- a/src/ipsec/Makefile.in +++ b/src/ipsec/Makefile.in @@ -194,9 +194,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8 index b23b04207..17c918f60 100644 --- a/src/ipsec/_ipsec.8 +++ b/src/ipsec/_ipsec.8 
@@ -1,4 +1,4 @@ -.TH IPSEC 8 "2013-10-29" "5.6.0dr1" "strongSwan" +.TH IPSEC 8 "2013-10-29" "5.6.1rc1" "strongSwan" . .SH NAME . diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in index 65fadf2de..283abdcd5 100644 --- a/src/ipsec/_ipsec.in +++ b/src/ipsec/_ipsec.in @@ -310,7 +310,7 @@ aikgen|pki) command_dir="$IPSEC_BINDIR" # fall through ;; -attest|conftest|dumm|irdumm|pacman|pool|pt-tls-client|scepclient|stroke|\ +attest|conftest|dumm|irdumm|pool|pt-tls-client|scepclient|stroke|\ duplicheck|error-notify|imv_policy_manager|load-tester|lookip|whitelist|\ _updown|_imv_policy) # fall through diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am index ed2236e04..964a19ec8 100644 --- a/src/libcharon/Makefile.am +++ b/src/libcharon/Makefile.am @@ -258,6 +258,13 @@ if MONOLITHIC endif endif +if USE_COUNTERS + SUBDIRS += plugins/counters +if MONOLITHIC + libcharon_la_LIBADD += plugins/counters/libstrongswan-counters.la +endif +endif + if USE_STROKE SUBDIRS += plugins/stroke if MONOLITHIC diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in index fc6635826..d3cbb0fb6 100644 --- a/src/libcharon/Makefile.in +++ b/src/libcharon/Makefile.in 
@@ -169,134 +169,136 @@ host_triplet = @host@ @MONOLITHIC_TRUE@@USE_FORECAST_TRUE@am__append_19 = plugins/forecast/libstrongswan-forecast.la @USE_FARP_TRUE@am__append_20 = plugins/farp @MONOLITHIC_TRUE@@USE_FARP_TRUE@am__append_21 = plugins/farp/libstrongswan-farp.la -@USE_STROKE_TRUE@am__append_22 = plugins/stroke -@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_23 = plugins/stroke/libstrongswan-stroke.la -@USE_VICI_TRUE@am__append_24 = plugins/vici -@MONOLITHIC_TRUE@@USE_VICI_TRUE@am__append_25 = plugins/vici/libstrongswan-vici.la -@USE_SMP_TRUE@am__append_26 = plugins/smp -@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_27 = plugins/smp/libstrongswan-smp.la -@USE_SQL_TRUE@am__append_28 = plugins/sql -@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_29 = plugins/sql/libstrongswan-sql.la -@USE_DNSCERT_TRUE@am__append_30 = plugins/dnscert -@MONOLITHIC_TRUE@@USE_DNSCERT_TRUE@am__append_31 = plugins/dnscert/libstrongswan-dnscert.la -@USE_IPSECKEY_TRUE@am__append_32 = plugins/ipseckey -@MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE@am__append_33 = plugins/ipseckey/libstrongswan-ipseckey.la -@USE_UPDOWN_TRUE@am__append_34 = plugins/updown -@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_35 = plugins/updown/libstrongswan-updown.la -@USE_EXT_AUTH_TRUE@am__append_36 = plugins/ext_auth -@MONOLITHIC_TRUE@@USE_EXT_AUTH_TRUE@am__append_37 = plugins/ext_auth/libstrongswan-ext-auth.la -@USE_EAP_IDENTITY_TRUE@am__append_38 = plugins/eap_identity -@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_39 = plugins/eap_identity/libstrongswan-eap-identity.la -@USE_EAP_SIM_TRUE@am__append_40 = plugins/eap_sim -@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_41 = plugins/eap_sim/libstrongswan-eap-sim.la -@USE_EAP_SIM_FILE_TRUE@am__append_42 = plugins/eap_sim_file -@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_43 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la -@USE_EAP_SIM_PCSC_TRUE@am__append_44 = plugins/eap_sim_pcsc -@MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE@am__append_45 = 
plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la -@USE_EAP_SIMAKA_SQL_TRUE@am__append_46 = plugins/eap_simaka_sql -@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_47 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la -@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_48 = plugins/eap_simaka_pseudonym -@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_49 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la -@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_50 = plugins/eap_simaka_reauth -@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_51 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la -@USE_EAP_AKA_TRUE@am__append_52 = plugins/eap_aka -@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_53 = plugins/eap_aka/libstrongswan-eap-aka.la -@USE_EAP_AKA_3GPP_TRUE@am__append_54 = plugins/eap_aka_3gpp -@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP_TRUE@am__append_55 = plugins/eap_aka_3gpp/libstrongswan-eap-aka-3gpp.la -@USE_EAP_AKA_3GPP2_TRUE@am__append_56 = plugins/eap_aka_3gpp2 -@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_57 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la -@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_58 = $(top_builddir)/src/libsimaka/libsimaka.la -@USE_EAP_MD5_TRUE@am__append_59 = plugins/eap_md5 -@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_60 = plugins/eap_md5/libstrongswan-eap-md5.la -@USE_EAP_GTC_TRUE@am__append_61 = plugins/eap_gtc -@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_62 = plugins/eap_gtc/libstrongswan-eap-gtc.la -@USE_EAP_MSCHAPV2_TRUE@am__append_63 = plugins/eap_mschapv2 -@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_64 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la -@USE_EAP_DYNAMIC_TRUE@am__append_65 = plugins/eap_dynamic -@MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE@am__append_66 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la -@USE_EAP_RADIUS_TRUE@am__append_67 = plugins/eap_radius -@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_68 = plugins/eap_radius/libstrongswan-eap-radius.la 
-@USE_EAP_TLS_TRUE@am__append_69 = plugins/eap_tls -@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_70 = plugins/eap_tls/libstrongswan-eap-tls.la -@USE_EAP_TTLS_TRUE@am__append_71 = plugins/eap_ttls -@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_72 = plugins/eap_ttls/libstrongswan-eap-ttls.la -@USE_EAP_PEAP_TRUE@am__append_73 = plugins/eap_peap -@MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE@am__append_74 = plugins/eap_peap/libstrongswan-eap-peap.la -@USE_EAP_TNC_TRUE@am__append_75 = plugins/eap_tnc -@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_76 = plugins/eap_tnc/libstrongswan-eap-tnc.la -@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_77 = $(top_builddir)/src/libtls/libtls.la -@MONOLITHIC_TRUE@@USE_RADIUS_TRUE@am__append_78 = $(top_builddir)/src/libradius/libradius.la -@USE_TNC_IFMAP_TRUE@am__append_79 = plugins/tnc_ifmap -@MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE@am__append_80 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la -@USE_TNC_PDP_TRUE@am__append_81 = plugins/tnc_pdp -@MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE@am__append_82 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la -@MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE@am__append_83 = $(top_builddir)/src/libtnccs/libtnccs.la -@USE_MEDSRV_TRUE@am__append_84 = plugins/medsrv -@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_85 = plugins/medsrv/libstrongswan-medsrv.la -@USE_MEDCLI_TRUE@am__append_86 = plugins/medcli -@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_87 = plugins/medcli/libstrongswan-medcli.la -@USE_DHCP_TRUE@am__append_88 = plugins/dhcp -@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_89 = plugins/dhcp/libstrongswan-dhcp.la -@USE_OSX_ATTR_TRUE@am__append_90 = plugins/osx_attr -@MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE@am__append_91 = plugins/osx_attr/libstrongswan-osx-attr.la -@USE_P_CSCF_TRUE@am__append_92 = plugins/p_cscf -@MONOLITHIC_TRUE@@USE_P_CSCF_TRUE@am__append_93 = plugins/p_cscf/libstrongswan-p-cscf.la -@USE_ANDROID_DNS_TRUE@am__append_94 = plugins/android_dns -@MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE@am__append_95 = 
plugins/android_dns/libstrongswan-android-dns.la -@USE_ANDROID_LOG_TRUE@am__append_96 = plugins/android_log -@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_97 = plugins/android_log/libstrongswan-android-log.la -@USE_HA_TRUE@am__append_98 = plugins/ha -@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_99 = plugins/ha/libstrongswan-ha.la -@USE_KERNEL_PFKEY_TRUE@am__append_100 = plugins/kernel_pfkey -@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_101 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la -@USE_KERNEL_PFROUTE_TRUE@am__append_102 = plugins/kernel_pfroute -@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_103 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la -@USE_KERNEL_NETLINK_TRUE@am__append_104 = plugins/kernel_netlink -@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_105 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la -@USE_KERNEL_LIBIPSEC_TRUE@am__append_106 = plugins/kernel_libipsec -@MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE@am__append_107 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la -@USE_KERNEL_WFP_TRUE@am__append_108 = plugins/kernel_wfp -@MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE@am__append_109 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la -@USE_KERNEL_IPH_TRUE@am__append_110 = plugins/kernel_iph -@MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE@am__append_111 = plugins/kernel_iph/libstrongswan-kernel-iph.la -@USE_WHITELIST_TRUE@am__append_112 = plugins/whitelist -@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_113 = plugins/whitelist/libstrongswan-whitelist.la -@USE_LOOKIP_TRUE@am__append_114 = plugins/lookip -@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_115 = plugins/lookip/libstrongswan-lookip.la -@USE_ERROR_NOTIFY_TRUE@am__append_116 = plugins/error_notify -@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_117 = plugins/error_notify/libstrongswan-error-notify.la -@USE_CERTEXPIRE_TRUE@am__append_118 = plugins/certexpire -@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_119 = 
plugins/certexpire/libstrongswan-certexpire.la -@USE_SYSTIME_FIX_TRUE@am__append_120 = plugins/systime_fix -@MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE@am__append_121 = plugins/systime_fix/libstrongswan-systime-fix.la -@USE_LED_TRUE@am__append_122 = plugins/led -@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_123 = plugins/led/libstrongswan-led.la -@USE_DUPLICHECK_TRUE@am__append_124 = plugins/duplicheck -@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_125 = plugins/duplicheck/libstrongswan-duplicheck.la -@USE_COUPLING_TRUE@am__append_126 = plugins/coupling -@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_127 = plugins/coupling/libstrongswan-coupling.la -@USE_RADATTR_TRUE@am__append_128 = plugins/radattr -@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_129 = plugins/radattr/libstrongswan-radattr.la -@USE_UCI_TRUE@am__append_130 = plugins/uci -@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_131 = plugins/uci/libstrongswan-uci.la -@USE_ADDRBLOCK_TRUE@am__append_132 = plugins/addrblock -@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_133 = plugins/addrblock/libstrongswan-addrblock.la -@USE_UNITY_TRUE@am__append_134 = plugins/unity -@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_135 = plugins/unity/libstrongswan-unity.la -@USE_XAUTH_GENERIC_TRUE@am__append_136 = plugins/xauth_generic -@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_137 = plugins/xauth_generic/libstrongswan-xauth-generic.la -@USE_XAUTH_EAP_TRUE@am__append_138 = plugins/xauth_eap -@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_139 = plugins/xauth_eap/libstrongswan-xauth-eap.la -@USE_XAUTH_PAM_TRUE@am__append_140 = plugins/xauth_pam -@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_141 = plugins/xauth_pam/libstrongswan-xauth-pam.la -@USE_XAUTH_NOAUTH_TRUE@am__append_142 = plugins/xauth_noauth -@MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE@am__append_143 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la -@USE_RESOLVE_TRUE@am__append_144 = plugins/resolve -@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_145 = 
plugins/resolve/libstrongswan-resolve.la -@USE_ATTR_TRUE@am__append_146 = plugins/attr -@MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_147 = plugins/attr/libstrongswan-attr.la -@USE_ATTR_SQL_TRUE@am__append_148 = plugins/attr_sql -@MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_149 = plugins/attr_sql/libstrongswan-attr-sql.la +@USE_COUNTERS_TRUE@am__append_22 = plugins/counters +@MONOLITHIC_TRUE@@USE_COUNTERS_TRUE@am__append_23 = plugins/counters/libstrongswan-counters.la +@USE_STROKE_TRUE@am__append_24 = plugins/stroke +@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_25 = plugins/stroke/libstrongswan-stroke.la +@USE_VICI_TRUE@am__append_26 = plugins/vici +@MONOLITHIC_TRUE@@USE_VICI_TRUE@am__append_27 = plugins/vici/libstrongswan-vici.la +@USE_SMP_TRUE@am__append_28 = plugins/smp +@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_29 = plugins/smp/libstrongswan-smp.la +@USE_SQL_TRUE@am__append_30 = plugins/sql +@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_31 = plugins/sql/libstrongswan-sql.la +@USE_DNSCERT_TRUE@am__append_32 = plugins/dnscert +@MONOLITHIC_TRUE@@USE_DNSCERT_TRUE@am__append_33 = plugins/dnscert/libstrongswan-dnscert.la +@USE_IPSECKEY_TRUE@am__append_34 = plugins/ipseckey +@MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE@am__append_35 = plugins/ipseckey/libstrongswan-ipseckey.la +@USE_UPDOWN_TRUE@am__append_36 = plugins/updown +@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_37 = plugins/updown/libstrongswan-updown.la +@USE_EXT_AUTH_TRUE@am__append_38 = plugins/ext_auth +@MONOLITHIC_TRUE@@USE_EXT_AUTH_TRUE@am__append_39 = plugins/ext_auth/libstrongswan-ext-auth.la +@USE_EAP_IDENTITY_TRUE@am__append_40 = plugins/eap_identity +@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_41 = plugins/eap_identity/libstrongswan-eap-identity.la +@USE_EAP_SIM_TRUE@am__append_42 = plugins/eap_sim +@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_43 = plugins/eap_sim/libstrongswan-eap-sim.la +@USE_EAP_SIM_FILE_TRUE@am__append_44 = plugins/eap_sim_file +@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_45 = 
plugins/eap_sim_file/libstrongswan-eap-sim-file.la +@USE_EAP_SIM_PCSC_TRUE@am__append_46 = plugins/eap_sim_pcsc +@MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE@am__append_47 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la +@USE_EAP_SIMAKA_SQL_TRUE@am__append_48 = plugins/eap_simaka_sql +@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_49 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la +@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_50 = plugins/eap_simaka_pseudonym +@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_51 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la +@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_52 = plugins/eap_simaka_reauth +@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_53 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la +@USE_EAP_AKA_TRUE@am__append_54 = plugins/eap_aka +@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_55 = plugins/eap_aka/libstrongswan-eap-aka.la +@USE_EAP_AKA_3GPP_TRUE@am__append_56 = plugins/eap_aka_3gpp +@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP_TRUE@am__append_57 = plugins/eap_aka_3gpp/libstrongswan-eap-aka-3gpp.la +@USE_EAP_AKA_3GPP2_TRUE@am__append_58 = plugins/eap_aka_3gpp2 +@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_59 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la +@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_60 = $(top_builddir)/src/libsimaka/libsimaka.la +@USE_EAP_MD5_TRUE@am__append_61 = plugins/eap_md5 +@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_62 = plugins/eap_md5/libstrongswan-eap-md5.la +@USE_EAP_GTC_TRUE@am__append_63 = plugins/eap_gtc +@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_64 = plugins/eap_gtc/libstrongswan-eap-gtc.la +@USE_EAP_MSCHAPV2_TRUE@am__append_65 = plugins/eap_mschapv2 +@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_66 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la +@USE_EAP_DYNAMIC_TRUE@am__append_67 = plugins/eap_dynamic +@MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE@am__append_68 = 
plugins/eap_dynamic/libstrongswan-eap-dynamic.la +@USE_EAP_RADIUS_TRUE@am__append_69 = plugins/eap_radius +@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_70 = plugins/eap_radius/libstrongswan-eap-radius.la +@USE_EAP_TLS_TRUE@am__append_71 = plugins/eap_tls +@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_72 = plugins/eap_tls/libstrongswan-eap-tls.la +@USE_EAP_TTLS_TRUE@am__append_73 = plugins/eap_ttls +@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_74 = plugins/eap_ttls/libstrongswan-eap-ttls.la +@USE_EAP_PEAP_TRUE@am__append_75 = plugins/eap_peap +@MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE@am__append_76 = plugins/eap_peap/libstrongswan-eap-peap.la +@USE_EAP_TNC_TRUE@am__append_77 = plugins/eap_tnc +@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_78 = plugins/eap_tnc/libstrongswan-eap-tnc.la +@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_79 = $(top_builddir)/src/libtls/libtls.la +@MONOLITHIC_TRUE@@USE_RADIUS_TRUE@am__append_80 = $(top_builddir)/src/libradius/libradius.la +@USE_TNC_IFMAP_TRUE@am__append_81 = plugins/tnc_ifmap +@MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE@am__append_82 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la +@USE_TNC_PDP_TRUE@am__append_83 = plugins/tnc_pdp +@MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE@am__append_84 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la +@MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE@am__append_85 = $(top_builddir)/src/libtnccs/libtnccs.la +@USE_MEDSRV_TRUE@am__append_86 = plugins/medsrv +@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_87 = plugins/medsrv/libstrongswan-medsrv.la +@USE_MEDCLI_TRUE@am__append_88 = plugins/medcli +@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_89 = plugins/medcli/libstrongswan-medcli.la +@USE_DHCP_TRUE@am__append_90 = plugins/dhcp +@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_91 = plugins/dhcp/libstrongswan-dhcp.la +@USE_OSX_ATTR_TRUE@am__append_92 = plugins/osx_attr +@MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE@am__append_93 = plugins/osx_attr/libstrongswan-osx-attr.la +@USE_P_CSCF_TRUE@am__append_94 = plugins/p_cscf 
+@MONOLITHIC_TRUE@@USE_P_CSCF_TRUE@am__append_95 = plugins/p_cscf/libstrongswan-p-cscf.la +@USE_ANDROID_DNS_TRUE@am__append_96 = plugins/android_dns +@MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE@am__append_97 = plugins/android_dns/libstrongswan-android-dns.la +@USE_ANDROID_LOG_TRUE@am__append_98 = plugins/android_log +@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_99 = plugins/android_log/libstrongswan-android-log.la +@USE_HA_TRUE@am__append_100 = plugins/ha +@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_101 = plugins/ha/libstrongswan-ha.la +@USE_KERNEL_PFKEY_TRUE@am__append_102 = plugins/kernel_pfkey +@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_103 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la +@USE_KERNEL_PFROUTE_TRUE@am__append_104 = plugins/kernel_pfroute +@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_105 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la +@USE_KERNEL_NETLINK_TRUE@am__append_106 = plugins/kernel_netlink +@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_107 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la +@USE_KERNEL_LIBIPSEC_TRUE@am__append_108 = plugins/kernel_libipsec +@MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE@am__append_109 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la +@USE_KERNEL_WFP_TRUE@am__append_110 = plugins/kernel_wfp +@MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE@am__append_111 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la +@USE_KERNEL_IPH_TRUE@am__append_112 = plugins/kernel_iph +@MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE@am__append_113 = plugins/kernel_iph/libstrongswan-kernel-iph.la +@USE_WHITELIST_TRUE@am__append_114 = plugins/whitelist +@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_115 = plugins/whitelist/libstrongswan-whitelist.la +@USE_LOOKIP_TRUE@am__append_116 = plugins/lookip +@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_117 = plugins/lookip/libstrongswan-lookip.la +@USE_ERROR_NOTIFY_TRUE@am__append_118 = plugins/error_notify +@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_119 = 
plugins/error_notify/libstrongswan-error-notify.la +@USE_CERTEXPIRE_TRUE@am__append_120 = plugins/certexpire +@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_121 = plugins/certexpire/libstrongswan-certexpire.la +@USE_SYSTIME_FIX_TRUE@am__append_122 = plugins/systime_fix +@MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE@am__append_123 = plugins/systime_fix/libstrongswan-systime-fix.la +@USE_LED_TRUE@am__append_124 = plugins/led +@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_125 = plugins/led/libstrongswan-led.la +@USE_DUPLICHECK_TRUE@am__append_126 = plugins/duplicheck +@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_127 = plugins/duplicheck/libstrongswan-duplicheck.la +@USE_COUPLING_TRUE@am__append_128 = plugins/coupling +@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_129 = plugins/coupling/libstrongswan-coupling.la +@USE_RADATTR_TRUE@am__append_130 = plugins/radattr +@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_131 = plugins/radattr/libstrongswan-radattr.la +@USE_UCI_TRUE@am__append_132 = plugins/uci +@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_133 = plugins/uci/libstrongswan-uci.la +@USE_ADDRBLOCK_TRUE@am__append_134 = plugins/addrblock +@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_135 = plugins/addrblock/libstrongswan-addrblock.la +@USE_UNITY_TRUE@am__append_136 = plugins/unity +@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_137 = plugins/unity/libstrongswan-unity.la +@USE_XAUTH_GENERIC_TRUE@am__append_138 = plugins/xauth_generic +@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_139 = plugins/xauth_generic/libstrongswan-xauth-generic.la +@USE_XAUTH_EAP_TRUE@am__append_140 = plugins/xauth_eap +@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_141 = plugins/xauth_eap/libstrongswan-xauth-eap.la +@USE_XAUTH_PAM_TRUE@am__append_142 = plugins/xauth_pam +@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_143 = plugins/xauth_pam/libstrongswan-xauth-pam.la +@USE_XAUTH_NOAUTH_TRUE@am__append_144 = plugins/xauth_noauth +@MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE@am__append_145 = 
plugins/xauth_noauth/libstrongswan-xauth-noauth.la +@USE_RESOLVE_TRUE@am__append_146 = plugins/resolve +@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_147 = plugins/resolve/libstrongswan-resolve.la +@USE_ATTR_TRUE@am__append_148 = plugins/attr +@MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_149 = plugins/attr/libstrongswan-attr.la +@USE_ATTR_SQL_TRUE@am__append_150 = plugins/attr_sql +@MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_151 = plugins/attr_sql/libstrongswan-attr-sql.la subdir = src/libcharon ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ @@ -359,11 +361,11 @@ libcharon_la_DEPENDENCIES = \ $(am__append_41) $(am__append_43) $(am__append_45) \ $(am__append_47) $(am__append_49) $(am__append_51) \ $(am__append_53) $(am__append_55) $(am__append_57) \ - $(am__append_58) $(am__append_60) $(am__append_62) \ + $(am__append_59) $(am__append_60) $(am__append_62) \ $(am__append_64) $(am__append_66) $(am__append_68) \ $(am__append_70) $(am__append_72) $(am__append_74) \ - $(am__append_76) $(am__append_77) $(am__append_78) \ - $(am__append_80) $(am__append_82) $(am__append_83) \ + $(am__append_76) $(am__append_78) $(am__append_79) \ + $(am__append_80) $(am__append_82) $(am__append_84) \ $(am__append_85) $(am__append_87) $(am__append_89) \ $(am__append_91) $(am__append_93) $(am__append_95) \ $(am__append_97) $(am__append_99) $(am__append_101) \ @@ -374,7 +376,8 @@ libcharon_la_DEPENDENCIES = \ $(am__append_127) $(am__append_129) $(am__append_131) \ $(am__append_133) $(am__append_135) $(am__append_137) \ $(am__append_139) $(am__append_141) $(am__append_143) \ - $(am__append_145) $(am__append_147) $(am__append_149) + $(am__append_145) $(am__append_147) $(am__append_149) \ + $(am__append_151) am__libcharon_la_SOURCES_DIST = attributes/attributes.c \ attributes/attributes.h attributes/attribute_provider.h \ attributes/attribute_handler.h attributes/attribute_manager.c \ 
@@ -744,8 +747,8 @@ CTAGS = ctags DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \ plugins/socket_dynamic plugins/socket_win plugins/connmark \ plugins/bypass_lan plugins/forecast plugins/farp \ - plugins/stroke plugins/vici plugins/smp plugins/sql \ - plugins/dnscert plugins/ipseckey plugins/updown \ + plugins/counters plugins/stroke plugins/vici plugins/smp \ + plugins/sql plugins/dnscert plugins/ipseckey plugins/updown \ plugins/ext_auth plugins/eap_identity plugins/eap_sim \ plugins/eap_sim_file plugins/eap_sim_pcsc \ plugins/eap_simaka_sql plugins/eap_simaka_pseudonym \ @@ -825,9 +828,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -1157,12 +1162,12 @@ libcharon_la_LIBADD = \ $(am__append_37) $(am__append_39) $(am__append_41) \ $(am__append_43) $(am__append_45) $(am__append_47) \ $(am__append_49) $(am__append_51) $(am__append_53) \ - $(am__append_55) $(am__append_57) $(am__append_58) \ + $(am__append_55) $(am__append_57) $(am__append_59) \ $(am__append_60) $(am__append_62) $(am__append_64) \ $(am__append_66) $(am__append_68) $(am__append_70) \ $(am__append_72) $(am__append_74) $(am__append_76) \ - $(am__append_77) $(am__append_78) $(am__append_80) \ - $(am__append_82) $(am__append_83) $(am__append_85) \ + $(am__append_78) $(am__append_79) $(am__append_80) \ + $(am__append_82) $(am__append_84) $(am__append_85) \ $(am__append_87) $(am__append_89) $(am__append_91) \ $(am__append_93) $(am__append_95) $(am__append_97) \ $(am__append_99) $(am__append_101) $(am__append_103) \ 
@@ -1173,7 +1178,7 @@ libcharon_la_LIBADD = \ $(am__append_129) $(am__append_131) $(am__append_133) \ $(am__append_135) $(am__append_137) $(am__append_139) \ $(am__append_141) $(am__append_143) $(am__append_145) \ - $(am__append_147) $(am__append_149) + $(am__append_147) $(am__append_149) $(am__append_151) EXTRA_DIST = Android.mk @STATIC_PLUGIN_CONSTRUCTORS_TRUE@BUILT_SOURCES = $(srcdir)/plugin_constructors.c @STATIC_PLUGIN_CONSTRUCTORS_TRUE@CLEANFILES = $(srcdir)/plugin_constructors.c @@ -1190,12 +1195,12 @@ EXTRA_DIST = Android.mk @MONOLITHIC_FALSE@ $(am__append_46) $(am__append_48) \ @MONOLITHIC_FALSE@ $(am__append_50) $(am__append_52) \ @MONOLITHIC_FALSE@ $(am__append_54) $(am__append_56) \ -@MONOLITHIC_FALSE@ $(am__append_59) $(am__append_61) \ +@MONOLITHIC_FALSE@ $(am__append_58) $(am__append_61) \ @MONOLITHIC_FALSE@ $(am__append_63) $(am__append_65) \ @MONOLITHIC_FALSE@ $(am__append_67) $(am__append_69) \ @MONOLITHIC_FALSE@ $(am__append_71) $(am__append_73) \ -@MONOLITHIC_FALSE@ $(am__append_75) $(am__append_79) \ -@MONOLITHIC_FALSE@ $(am__append_81) $(am__append_84) \ +@MONOLITHIC_FALSE@ $(am__append_75) $(am__append_77) \ +@MONOLITHIC_FALSE@ $(am__append_81) $(am__append_83) \ @MONOLITHIC_FALSE@ $(am__append_86) $(am__append_88) \ @MONOLITHIC_FALSE@ $(am__append_90) $(am__append_92) \ @MONOLITHIC_FALSE@ $(am__append_94) $(am__append_96) \ @@ -1211,7 +1216,8 @@ EXTRA_DIST = Android.mk @MONOLITHIC_FALSE@ $(am__append_134) $(am__append_136) \ @MONOLITHIC_FALSE@ $(am__append_138) $(am__append_140) \ @MONOLITHIC_FALSE@ $(am__append_142) $(am__append_144) \ -@MONOLITHIC_FALSE@ $(am__append_146) $(am__append_148) tests +@MONOLITHIC_FALSE@ $(am__append_146) $(am__append_148) \ +@MONOLITHIC_FALSE@ $(am__append_150) tests # build optional plugins ######################## 
@@ -1228,12 +1234,12 @@ EXTRA_DIST = Android.mk @MONOLITHIC_TRUE@ $(am__append_46) $(am__append_48) \ @MONOLITHIC_TRUE@ $(am__append_50) $(am__append_52) \ @MONOLITHIC_TRUE@ $(am__append_54) $(am__append_56) \ -@MONOLITHIC_TRUE@ $(am__append_59) $(am__append_61) \ +@MONOLITHIC_TRUE@ $(am__append_58) $(am__append_61) \ @MONOLITHIC_TRUE@ $(am__append_63) $(am__append_65) \ @MONOLITHIC_TRUE@ $(am__append_67) $(am__append_69) \ @MONOLITHIC_TRUE@ $(am__append_71) $(am__append_73) \ -@MONOLITHIC_TRUE@ $(am__append_75) $(am__append_79) \ -@MONOLITHIC_TRUE@ $(am__append_81) $(am__append_84) \ +@MONOLITHIC_TRUE@ $(am__append_75) $(am__append_77) \ +@MONOLITHIC_TRUE@ $(am__append_81) $(am__append_83) \ @MONOLITHIC_TRUE@ $(am__append_86) $(am__append_88) \ @MONOLITHIC_TRUE@ $(am__append_90) $(am__append_92) \ @MONOLITHIC_TRUE@ $(am__append_94) $(am__append_96) \ @@ -1249,7 +1255,8 @@ EXTRA_DIST = Android.mk @MONOLITHIC_TRUE@ $(am__append_134) $(am__append_136) \ @MONOLITHIC_TRUE@ $(am__append_138) $(am__append_140) \ @MONOLITHIC_TRUE@ $(am__append_142) $(am__append_144) \ -@MONOLITHIC_TRUE@ $(am__append_146) $(am__append_148) . tests +@MONOLITHIC_TRUE@ $(am__append_146) $(am__append_148) \ +@MONOLITHIC_TRUE@ $(am__append_150) . tests all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h index a102c459c..93904ec71 100644 --- a/src/libcharon/config/child_cfg.h +++ b/src/libcharon/config/child_cfg.h @@ -310,6 +310,9 @@ enum child_cfg_option_t { /** Force 96-bit truncation for SHA-256 */ OPT_SHA256_96 = (1<<6), + + /** Set mark on inbound SAs */ + OPT_MARK_IN_SA = (1<<7), }; /** diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c index 93300781d..64413204b 100644 --- a/src/libcharon/config/ike_cfg.c +++ b/src/libcharon/config/ike_cfg.c 
@@ -580,6 +580,7 @@ bool ike_cfg_has_address(ike_cfg_t *cfg, host_t *addr, bool local) host = host_create_from_string(str, 0); if (host && addr->ip_equals(addr, host)) { + host->destroy(host); found = TRUE; break; } diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c index 6c71f78d3..46c3c9400 100644 --- a/src/libcharon/config/proposal.c +++ b/src/libcharon/config/proposal.c @@ -872,9 +872,10 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) case AUTH_AES_XCBC_96: case AUTH_AES_CMAC_96: case AUTH_HMAC_SHA1_96: - case AUTH_HMAC_MD5_96: add_algorithm(this, INTEGRITY_ALGORITHM, integrity, 0); break; + case AUTH_HMAC_MD5_96: + /* no, thanks */ default: break; } @@ -908,9 +909,11 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) switch (prf) { case PRF_HMAC_SHA1: - case PRF_HMAC_MD5: add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0); break; + case PRF_HMAC_MD5: + /* no, thanks */ + break; default: break; } @@ -970,6 +973,8 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) /* only for testing purposes */ break; case MODP_768_BIT: + case MODP_1024_BIT: + case MODP_1536_BIT: /* weak */ break; case MODP_1024_160: @@ -977,7 +982,6 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) case MODP_2048_256: /* RFC 5114 primes are of questionable source */ break; - case MODP_1536_BIT: case ECP_224_BIT: case ECP_224_BP: case ECP_192_BIT: @@ -985,7 +989,6 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) /* rarely used */ break; case MODP_2048_BIT: - case MODP_1024_BIT: add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0); break; default: 
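Review bot: The added `host->destroy(host);` in the match branch of ike_cfg_has_address releases the host only on the path that breaks out of the loop, so cleanup is now split between this branch and whatever releases a non-matching host after the `if`, which is outside the hunk. A single release point would be harder to break on a later edit: `found = host && addr->ip_equals(addr, host);`, then `DESTROY_IF(host);`, then `if (found) break;`. The function's body starts and ends outside the hunk, so it is worth confirming that a non-NULL host that does not match is destroyed there.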
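Review bot: In the integrity switch of proposal_add_supported_ike the new `case AUTH_HMAC_MD5_96:` has no `break;` and falls through into `default:`, while the matching `case PRF_HMAC_MD5:` in the PRF hunk further down ends with an explicit `break;`. The result is the same today, but the two cases should be written alike, for example by adding `break;` after the comment in the integrity switch. The comment `/* no, thanks */` in both places also does not tell a maintainer why the algorithm is skipped; `/* MD5 is not part of the default IKE proposal, configure it explicitly if a peer needs it */` would. The function's body extends outside these hunks.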
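Review bot: The `/* weak */` comment in the Diffie-Hellman switch of proposal_add_supported_ike now covers `MODP_1024_BIT` and `MODP_1536_BIT`, but it does not state the consequence for operators. Of the groups visible in these hunks only `MODP_2048_BIT` still reaches `add_algorithm()`, so a peer limited to the smaller groups will presumably no longer match the default IKE proposal. I would expand the comment to `/* weak, not in the default proposal; must be configured explicitly */`. The commit also touches NEWS, which is not visible here, so check that it mentions the change. The switch continues outside the hunks, so other groups may still be added there.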
@@ -1017,14 +1020,11 @@ proposal_t *proposal_create_default(protocol_id_t protocol) add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128); add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192); add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256); - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0); - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256); add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0); add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0); add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0); add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); break; case PROTO_AH: @@ -1033,7 +1033,6 @@ proposal_t *proposal_create_default(protocol_id_t protocol) add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0); add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); break; default: diff --git a/src/libcharon/config/proposal.h b/src/libcharon/config/proposal.h index 2bdf3454f..0dc70f4c5 100644 --- a/src/libcharon/config/proposal.h +++ b/src/libcharon/config/proposal.h @@ -82,7 +82,7 @@ struct proposal_t { uint16_t alg, uint16_t key_size); /** - * Get an enumerator over algorithms for a specifc algo type. + * Get an enumerator over algorithms for a specific algo type. * * @param type kind of algorithm * @return enumerator over uint16_t alg, uint16_t key_size diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c index 8e7816b39..44a4d0aa8 100644 --- a/src/libcharon/control/controller.c 
+++ b/src/libcharon/control/controller.c @@ -294,10 +294,7 @@ METHOD(listener_t, ike_state_change_terminate, bool, switch (state) { case IKE_DESTROYING: - if (ike_sa->get_state(ike_sa) == IKE_DELETING) - { /* proper termination */ - this->status = SUCCESS; - } + this->status = SUCCESS; return listener_done(this); default: break; diff --git a/src/libcharon/encoding/payloads/cert_payload.h b/src/libcharon/encoding/payloads/cert_payload.h index 834f35d60..e134aac8d 100644 --- a/src/libcharon/encoding/payloads/cert_payload.h +++ b/src/libcharon/encoding/payloads/cert_payload.h @@ -131,7 +131,7 @@ cert_payload_t *cert_payload_create_from_cert(payload_type_t type, /** * Creates an IKEv2 certificate payload with hash and URL encoding. * - * @param hash hash of the DER encoded certificate (get's cloned) + * @param hash hash of the DER encoded certificate (gets cloned) * @param url URL to the certificate * @return cert_payload_t object */ diff --git a/src/libcharon/encoding/payloads/eap_payload.c b/src/libcharon/encoding/payloads/eap_payload.c index 923135da9..cbf74eb73 100644 --- a/src/libcharon/encoding/payloads/eap_payload.c +++ b/src/libcharon/encoding/payloads/eap_payload.c @@ -441,7 +441,7 @@ eap_payload_t *eap_payload_create_nak(uint8_t identifier, eap_type_t type, added_any = TRUE; } else if (reg_vendor) - { /* found vendor specifc method, but this is not an expanded Nak */ + { /* found vendor specific method, but this is not an expanded Nak */ found_vendor = TRUE; } } diff --git a/src/libcharon/encoding/payloads/nonce_payload.c b/src/libcharon/encoding/payloads/nonce_payload.c index 17a0417dc..52b09b663 100644 --- a/src/libcharon/encoding/payloads/nonce_payload.c +++ b/src/libcharon/encoding/payloads/nonce_payload.c 
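Review bot: The `IKE_DESTROYING` case in ike_state_change_terminate now sets `this->status = SUCCESS;` unconditionally, and the removed `/* proper termination */` comment is not replaced. Nothing at this line says why a destroy that did not pass through IKE_DELETING is reported to the caller as success. A short comment would record the intent, for example `/* the SA is gone whatever state it was in, which is what terminate was asked for */`. If any caller uses the status to tell a completed delete exchange from an SA torn down for another reason, that distinction is lost here. The callers and the rest of the method are outside the hunk, so this should be confirmed against them.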
@@ -86,7 +86,7 @@ static encoding_rule_t encodings[] = { { RESERVED_BIT, offsetof(private_nonce_payload_t, reserved[6]) }, /* Length of the whole nonce payload*/ { PAYLOAD_LENGTH, offsetof(private_nonce_payload_t, payload_length) }, - /* some nonce bytes, lenth is defined in PAYLOAD_LENGTH */ + /* some nonce bytes, length is defined in PAYLOAD_LENGTH */ { CHUNK_DATA, offsetof(private_nonce_payload_t, nonce) }, }; diff --git a/src/libcharon/encoding/payloads/transform_substructure.h b/src/libcharon/encoding/payloads/transform_substructure.h index e75dc27bb..cb75f1ea7 100644 --- a/src/libcharon/encoding/payloads/transform_substructure.h +++ b/src/libcharon/encoding/payloads/transform_substructure.h @@ -107,7 +107,7 @@ transform_substructure_t *transform_substructure_create(payload_type_t type); * * @param type PLV2_TRANSFORM_SUBSTRUCTURE or PLV1_TRANSFORM_SUBSTRUCTURE * @param type_or_number Type (IKEv2) or number (IKEv1) of transform - * @param id transform id specifc for the transform type + * @param id transform id specific for the transform type * @return transform_substructure_t object */ transform_substructure_t *transform_substructure_create_type(payload_type_t type, diff --git a/src/libcharon/kernel/kernel_ipsec.h b/src/libcharon/kernel/kernel_ipsec.h index 6fafeb760..b75304031 100644 --- a/src/libcharon/kernel/kernel_ipsec.h +++ b/src/libcharon/kernel/kernel_ipsec.h @@ -183,7 +183,7 @@ struct kernel_ipsec_query_policy_t { * Policy information are cached in the interface. This is necessary to do * reference counting. The Linux kernel does not allow the same policy * installed twice, but we need this as CHILD_SA exist multiple times - * when rekeying. Thats why we do reference counting of policies. + * when rekeying. That's why we do reference counting of policies. */ struct kernel_ipsec_t { diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in index 5a76c8187..62ce323d0 100644 
--- a/src/libcharon/plugins/addrblock/Makefile.in +++ b/src/libcharon/plugins/addrblock/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/android_dns/Makefile.in b/src/libcharon/plugins/android_dns/Makefile.in index 8f5ae6ac7..bba9591ec 100644 --- a/src/libcharon/plugins/android_dns/Makefile.in +++ b/src/libcharon/plugins/android_dns/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in index 682fa15b9..0a5c7ec8d 100644 --- a/src/libcharon/plugins/android_log/Makefile.in +++ b/src/libcharon/plugins/android_log/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/attr/Makefile.in b/src/libcharon/plugins/attr/Makefile.in index 61570457e..2e7170472 100644 --- a/src/libcharon/plugins/attr/Makefile.in +++ b/src/libcharon/plugins/attr/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ 
diff --git a/src/libcharon/plugins/attr_sql/Makefile.in b/src/libcharon/plugins/attr_sql/Makefile.in index 14a144c38..b8b9885f2 100644 --- a/src/libcharon/plugins/attr_sql/Makefile.in +++ b/src/libcharon/plugins/attr_sql/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/bypass_lan/Makefile.in b/src/libcharon/plugins/bypass_lan/Makefile.in index 1c1a4523a..f882f6bc0 100644 --- a/src/libcharon/plugins/bypass_lan/Makefile.in +++ b/src/libcharon/plugins/bypass_lan/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in index 0ae0d28d7..cbfb07597 100644 --- a/src/libcharon/plugins/certexpire/Makefile.in +++ b/src/libcharon/plugins/certexpire/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/connmark/Makefile.in b/src/libcharon/plugins/connmark/Makefile.in index fb432cd67..6f0a2bddf 100644 --- a/src/libcharon/plugins/connmark/Makefile.in +++ b/src/libcharon/plugins/connmark/Makefile.in 
@@ -248,9 +248,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/counters/Makefile.am b/src/libcharon/plugins/counters/Makefile.am new file mode 100644 index 000000000..e5bde3f7a --- /dev/null +++ b/src/libcharon/plugins/counters/Makefile.am @@ -0,0 +1,19 @@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-counters.la +else +plugin_LTLIBRARIES = libstrongswan-counters.la +endif + +libstrongswan_counters_la_SOURCES = \ + counters_plugin.h counters_plugin.c \ + counters_listener.h counters_listener.c \ + counters_query.h + +libstrongswan_counters_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/counters/Makefile.in b/src/libcharon/plugins/counters/Makefile.in new file mode 100644 index 000000000..491ba80b3 --- /dev/null +++ b/src/libcharon/plugins/counters/Makefile.in 
@@ -0,0 +1,804 @@ +# Makefile.in generated by automake 1.15 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2014 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes 
+am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/counters +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in 
$$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_counters_la_LIBADD = +am_libstrongswan_counters_la_OBJECTS = counters_plugin.lo \ + counters_listener.lo +libstrongswan_counters_la_OBJECTS = \ + $(am_libstrongswan_counters_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +libstrongswan_counters_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_counters_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_counters_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_counters_la_rpath = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + 
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(libstrongswan_counters_la_SOURCES) +DIST_SOURCES = $(libstrongswan_counters_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. 
+am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +ATOMICLIB = @ATOMICLIB@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ 
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ 
+dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +fuzz_plugins = @fuzz_plugins@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libfuzzer = @libfuzzer@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +p_plugins = @p_plugins@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +ruby_CFLAGS = @ruby_CFLAGS@ +ruby_LIBS = @ruby_LIBS@ +runstatedir = @runstatedir@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = 
@srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = @systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +tss2_CFLAGS = @tss2_CFLAGS@ +tss2_LIBS = @tss2_LIBS@ +tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ +tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ +tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-counters.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-counters.la +libstrongswan_counters_la_SOURCES = \ + counters_plugin.h counters_plugin.c \ + counters_listener.h counters_listener.c \ + counters_query.h + +libstrongswan_counters_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/counters/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/counters/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + 
@case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) 
--mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +libstrongswan-counters.la: $(libstrongswan_counters_la_OBJECTS) $(libstrongswan_counters_la_DEPENDENCIES) $(EXTRA_libstrongswan_counters_la_DEPENDENCIES) + $(AM_V_CCLD)$(libstrongswan_counters_la_LINK) $(am_libstrongswan_counters_la_rpath) $(libstrongswan_counters_la_OBJECTS) $(libstrongswan_counters_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/counters_listener.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/counters_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` 
+ +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ 
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f 
$(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + cscopelist-am ctags ctags-am distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-pluginLTLIBRARIES install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + 
installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ + uninstall-am uninstall-pluginLTLIBRARIES + +.PRECIOUS: Makefile + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/counters/counters_listener.c b/src/libcharon/plugins/counters/counters_listener.c new file mode 100644 index 000000000..a32614e8c --- /dev/null +++ b/src/libcharon/plugins/counters/counters_listener.c 
@@ -0,0 +1,464 @@ +/* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * Copyright (C) 2012 Martin Willi + * Copyright (C) 2012 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "counters_listener.h" +#include "counters_query.h" + +#include +#include +#include + +typedef struct private_counters_listener_t private_counters_listener_t; +typedef struct private_counters_query_t private_counters_query_t; + +/** + * Query interface + */ +struct private_counters_query_t { + + /** + * Public interface + */ + counters_query_t public; + + /** + * Reference to this + */ + private_counters_listener_t *this; +}; + +/** + * Private data + */ +struct private_counters_listener_t { + + /** + * Public interface + */ + counters_listener_t public; + + /** + * Query interface + */ + private_counters_query_t query; + + /** + * Global counter values + */ + uint64_t counters[COUNTER_MAX]; + + /** + * Counters for specific connection names, char* => entry_t + */ + hashtable_t *conns; + + /** + * Lock for counter values + */ + spinlock_t *lock; +}; + +/** + * Counters for a specific connection name + */ +typedef struct { + /** connection name */ + char *name; + /** counter values for connection */ + uint64_t counters[COUNTER_MAX]; +} entry_t; + +/** + * Destroy named entry + */ +static void destroy_entry(entry_t *this) +{ + free(this->name); + free(this); +} + +/** + * Hashtable hash function + */ +static u_int hash(char *name) +{ + return 
chunk_hash(chunk_from_str(name)); +} + +/** + * Hashtable equals function + */ +static bool equals(char *a, char *b) +{ + return streq(a, b); +} + +/** + * Get the name of an IKE_SA, but return NULL if it is not known yet + */ +static char *get_ike_sa_name(ike_sa_t *ike_sa) +{ + peer_cfg_t *peer_cfg; + + if (ike_sa) + { + peer_cfg = ike_sa->get_peer_cfg(ike_sa); + if (peer_cfg) + { + return peer_cfg->get_name(peer_cfg); + } + } + return NULL; +} + +/** + * Increase a counter for a named entry + */ +static void count_named(private_counters_listener_t *this, + ike_sa_t *ike_sa, counter_type_t type) +{ + entry_t *entry; + char *name; + + name = get_ike_sa_name(ike_sa); + if (name) + { + entry = this->conns->get(this->conns, name); + if (!entry) + { + INIT(entry, + .name = strdup(name), + ); + this->conns->put(this->conns, entry->name, entry); + } + entry->counters[type]++; + } +} + +METHOD(listener_t, alert, bool, + private_counters_listener_t *this, ike_sa_t *ike_sa, + alert_t alert, va_list args) +{ + counter_type_t type; + + switch (alert) + { + case ALERT_INVALID_IKE_SPI: + type = COUNTER_IN_INVALID_IKE_SPI; + break; + case ALERT_PARSE_ERROR_HEADER: + case ALERT_PARSE_ERROR_BODY: + type = COUNTER_IN_INVALID; + break; + default: + return TRUE; + } + + this->lock->lock(this->lock); + this->counters[type]++; + count_named(this, ike_sa, type); + this->lock->unlock(this->lock); + + return TRUE; +} + +METHOD(listener_t, ike_rekey, bool, + private_counters_listener_t *this, ike_sa_t *old, ike_sa_t *new) +{ + counter_type_t type; + ike_sa_id_t *id; + + id = new->get_id(new); + if (id->is_initiator(id)) + { + type = COUNTER_INIT_IKE_SA_REKEY; + } + else + { + type = COUNTER_RESP_IKE_SA_REKEY; + } + + this->lock->lock(this->lock); + this->counters[type]++; + count_named(this, old, type); + this->lock->unlock(this->lock); + + return TRUE; +} + +METHOD(listener_t, child_rekey, bool, + private_counters_listener_t *this, ike_sa_t *ike_sa, + child_sa_t *old, child_sa_t *new) +{ 
+ this->lock->lock(this->lock); + this->counters[COUNTER_CHILD_SA_REKEY]++; + count_named(this, ike_sa, COUNTER_CHILD_SA_REKEY); + this->lock->unlock(this->lock); + + return TRUE; +} + +METHOD(listener_t, message_hook, bool, + private_counters_listener_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming, bool plain) +{ + counter_type_t type; + bool request; + + if ((incoming && !plain) || (!incoming && !plain)) + { /* handle each message only once */ + return TRUE; + } + + request = message->get_request(message); + switch (message->get_exchange_type(message)) + { + case IKE_SA_INIT: + if (incoming) + { + type = request ? COUNTER_IN_IKE_SA_INIT_REQ + : COUNTER_IN_IKE_SA_INIT_RSP; + } + else + { + type = request ? COUNTER_OUT_IKE_SA_INIT_REQ + : COUNTER_OUT_IKE_SA_INIT_RES; + } + break; + case IKE_AUTH: + if (incoming) + { + type = request ? COUNTER_IN_IKE_AUTH_REQ + : COUNTER_IN_IKE_AUTH_RSP; + } + else + { + type = request ? COUNTER_OUT_IKE_AUTH_REQ + : COUNTER_OUT_IKE_AUTH_RSP; + } + break; + case CREATE_CHILD_SA: + if (incoming) + { + type = request ? COUNTER_IN_CREATE_CHILD_SA_REQ + : COUNTER_IN_CREATE_CHILD_SA_RSP; + } + else + { + type = request ? COUNTER_OUT_CREATE_CHILD_SA_REQ + : COUNTER_OUT_CREATE_CHILD_SA_RSP; + } + break; + case INFORMATIONAL: + if (incoming) + { + type = request ? COUNTER_IN_INFORMATIONAL_REQ + : COUNTER_IN_INFORMATIONAL_RSP; + } + else + { + type = request ? 
COUNTER_OUT_INFORMATIONAL_REQ + : COUNTER_OUT_INFORMATIONAL_RSP; + } + break; + default: + return TRUE; + } + + this->lock->lock(this->lock); + this->counters[type]++; + count_named(this, ike_sa, type); + this->lock->unlock(this->lock); + + return TRUE; +} + +CALLBACK(free_names, void, + array_t * names) +{ + array_destroy_function(names, (void*)free, NULL); +} + +METHOD(counters_query_t, get_names, enumerator_t*, + private_counters_query_t *query) +{ + private_counters_listener_t *this = query->this; + enumerator_t *enumerator; + array_t *names; + char *name; + + this->lock->lock(this->lock); + names = array_create(0, this->conns->get_count(this->conns)); + enumerator = this->conns->create_enumerator(this->conns); + while (enumerator->enumerate(enumerator, &name, NULL)) + { + array_insert(names, ARRAY_TAIL, strdup(name)); + } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); + + array_sort(names, (void*)strcmp, NULL); + + return enumerator_create_cleaner(array_create_enumerator(names), + free_names, names); +} + +METHOD(counters_query_t, get, bool, + private_counters_query_t *query, counter_type_t type, char *name, + uint64_t *value) +{ + private_counters_listener_t *this = query->this; + uint64_t *counters = this->counters; + + this->lock->lock(this->lock); + if (name) + { + entry_t *entry; + + entry = this->conns->get(this->conns, name); + if (!entry) + { + this->lock->unlock(this->lock); + return FALSE; + } + counters = entry->counters; + } + if (value) + { + *value = counters[type]; + } + this->lock->unlock(this->lock); + return TRUE; +} + +METHOD(counters_query_t, get_all, uint64_t*, + private_counters_query_t *query, char *name) +{ + private_counters_listener_t *this = query->this; + entry_t *entry; + uint64_t *result, *counters = this->counters; + counter_type_t i; + + result = calloc(COUNTER_MAX, sizeof(uint64_t)); + + this->lock->lock(this->lock); + if (name) + { + entry = this->conns->get(this->conns, name); + if (!entry) + { + 
this->lock->unlock(this->lock); + free(result); + return NULL; + } + counters = &entry->counters[0]; + } + for (i = 0; i < countof(this->counters); i++) + { + result[i] = counters[i]; + } + this->lock->unlock(this->lock); + return result; +} + +METHOD(counters_query_t, reset, void, + private_counters_query_t *query, char *name) +{ + private_counters_listener_t *this = query->this; + entry_t *entry = NULL; + + this->lock->lock(this->lock); + if (name) + { + entry = this->conns->remove(this->conns, name); + } + else + { + memset(&this->counters, 0, sizeof(this->counters)); + } + this->lock->unlock(this->lock); + + if (entry) + { + destroy_entry(entry); + } +} + +METHOD(counters_query_t, reset_all, void, + private_counters_query_t *query) +{ + private_counters_listener_t *this = query->this; + hashtable_t *new_conns, *conns; + + new_conns = hashtable_create((hashtable_hash_t)hash, + (hashtable_equals_t)equals, 4); + + this->lock->lock(this->lock); + conns = this->conns; + this->conns = new_conns; + this->lock->unlock(this->lock); + + conns->destroy_function(conns, (void*)destroy_entry); +} + +METHOD(counters_listener_t, destroy, void, + private_counters_listener_t *this) +{ + lib->set(lib, "counters", NULL); + + this->conns->destroy_function(this->conns, (void*)destroy_entry); + this->lock->destroy(this->lock); + free(this); +} + +/* + * Described in header + */ +counters_listener_t *counters_listener_create() +{ + private_counters_listener_t *this; + + INIT(this, + .public = { + .listener = { + .alert = _alert, + .ike_rekey = _ike_rekey, + .child_rekey = _child_rekey, + .message = _message_hook, + }, + .destroy = _destroy, + }, + .query = { + .public = { + .get_names = _get_names, + .get = _get, + .get_all = _get_all, + .reset = _reset, + .reset_all = _reset_all, + }, + }, + .conns = hashtable_create((hashtable_hash_t)hash, + (hashtable_equals_t)equals, 4), + .lock = spinlock_create(), + ); + this->query.this = this; + + lib->set(lib, "counters", &this->query); + + 
return &this->public; +} diff --git a/src/libcharon/plugins/counters/counters_listener.h b/src/libcharon/plugins/counters/counters_listener.h new file mode 100644 index 000000000..6d9168f4c --- /dev/null +++ b/src/libcharon/plugins/counters/counters_listener.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup counters_listener counters_listener + * @{ @ingroup counters + */ + +#ifndef COUNTERS_LISTENER_H_ +#define COUNTERS_LISTENER_H_ + +#include + +typedef struct counters_listener_t counters_listener_t; + +/** + * Collect counter values for different IKE events. + */ +struct counters_listener_t { + + /** + * Implements listener_t interface. + */ + listener_t listener; + + /** + * Destroy a counters_listener_t. + */ + void (*destroy)(counters_listener_t *this); +}; + +/** + * Create a counters_listener_t instance. + */ +counters_listener_t *counters_listener_create(); + +#endif /** COUNTERS_LISTENER_H_ @}*/ diff --git a/src/libcharon/plugins/counters/counters_plugin.c b/src/libcharon/plugins/counters/counters_plugin.c new file mode 100644 index 000000000..48de92760 --- /dev/null +++ b/src/libcharon/plugins/counters/counters_plugin.c 
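Review bot: `get()` indexes `counters[type]` with whatever `counter_type_t` value the caller passes, and the query object is published process-wide through `lib->set(lib, "counters", &this->query)`, so an out-of-range value from any consumer becomes an out-of-bounds read of the listener's or a named entry's array. A guard at the top of `get()`, `if (type >= COUNTER_MAX) { return FALSE; }`, would enforce the range inside this file. In `get_all()` the `calloc()` result is written to without a check; `if (!result) { return NULL; }` before taking the lock would match the NULL the function already returns for an unknown name. Separately, the first test in `message_hook`, `(incoming && !plain) || (!incoming && !plain)`, reduces to `!plain`.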
@@ -0,0 +1,101 @@ +/* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "counters_plugin.h" + +#include +#include + +#include "counters_listener.h" + +typedef struct private_counters_plugin_t private_counters_plugin_t; + +/** + * Private data + */ +struct private_counters_plugin_t { + + /** + * Public interface + */ + counters_plugin_t public; + + /** + * Listener implementation + */ + counters_listener_t *listener; +}; + +METHOD(plugin_t, get_name, char*, + private_counters_plugin_t *this) +{ + return "counters"; +} + +/** + * Register listener + */ +static bool plugin_cb(private_counters_plugin_t *this, + plugin_feature_t *feature, bool reg, void *cb_data) +{ + if (reg) + { + charon->bus->add_listener(charon->bus, &this->listener->listener); + } + else + { + charon->bus->remove_listener(charon->bus, &this->listener->listener); + } + return TRUE; +} + +METHOD(plugin_t, get_features, int, + private_counters_plugin_t *this, plugin_feature_t *features[]) +{ + static plugin_feature_t f[] = { + PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL), + PLUGIN_PROVIDE(CUSTOM, "counters"), + }; + *features = f; + return countof(f); +} + +METHOD(plugin_t, destroy, void, + private_counters_plugin_t *this) +{ + this->listener->destroy(this->listener); + free(this); +} + +/* + * Described in header + */ +plugin_t *counters_plugin_create() +{ + private_counters_plugin_t *this; + + INIT(this, + .public = { + .plugin 
= { + .get_name = _get_name, + .get_features = _get_features, + .destroy = _destroy, + }, + }, + .listener = counters_listener_create(), + ); + + return &this->public.plugin; +} diff --git a/src/libcharon/plugins/counters/counters_plugin.h b/src/libcharon/plugins/counters/counters_plugin.h new file mode 100644 index 000000000..76fe2c236 --- /dev/null +++ b/src/libcharon/plugins/counters/counters_plugin.h @@ -0,0 +1,45 @@ +/* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup counters counters + * @ingroup cplugins + * + * @defgroup counters_plugin counters_plugin + * @{ @ingroup counters + */ + +#ifndef COUNTERS_PLUGIN_H_ +#define COUNTERS_PLUGIN_H_ + +#include + +typedef struct counters_plugin_t counters_plugin_t; + +/** + * Plugin collecting several IKE event counters. + * + * Interested components can query individual counters via the 'counters' + * object registered on lib that implements the counters_query.h interface. + */ +struct counters_plugin_t { + + /** + * Implements plugin_t. interface. + */ + plugin_t plugin; +}; + +#endif /** COUNTERS_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/counters/counters_query.h b/src/libcharon/plugins/counters/counters_query.h new file mode 100644 index 000000000..f785a68c8 --- /dev/null +++ b/src/libcharon/plugins/counters/counters_query.h 
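Review bot: The comment above `plugin_cb`, `Register listener`, covers only half of what the callback does: when `reg` is FALSE it removes the listener from `charon->bus`, and in both cases it ignores `feature` and `cb_data` and returns TRUE. I would word it as `Add the listener to the bus if reg is TRUE, remove it otherwise`, so a reader does not have to open the body to learn that unregistration is handled here as well.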
@@ -0,0 +1,124 @@ +/* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * Copyright (C) 2012 Martin Willi + * Copyright (C) 2012 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup counters_query counters_query + * @{ @ingroup counters + */ + +#ifndef COUNTERS_QUERY_H_ +#define COUNTERS_QUERY_H_ + +#include + +typedef struct counters_query_t counters_query_t; +typedef enum counter_type_t counter_type_t; + +enum counter_type_t { + /** initiated IKE_SA rekeyings */ + COUNTER_INIT_IKE_SA_REKEY, + /** responded IKE_SA rekeyings */ + COUNTER_RESP_IKE_SA_REKEY, + /** completed CHILD_SA rekeyings */ + COUNTER_CHILD_SA_REKEY, + /** messages with invalid types, length, or a value out of range */ + COUNTER_IN_INVALID, + /** messages with an invalid IKE SPI */ + COUNTER_IN_INVALID_IKE_SPI, + /** received IKE_SA_INIT requests */ + COUNTER_IN_IKE_SA_INIT_REQ, + /** received IKE_SA_INIT responses */ + COUNTER_IN_IKE_SA_INIT_RSP, + /** sent IKE_SA_INIT requests */ + COUNTER_OUT_IKE_SA_INIT_REQ, + /** sent IKE_SA_INIT responses */ + COUNTER_OUT_IKE_SA_INIT_RES, + /** received IKE_AUTH requests */ + COUNTER_IN_IKE_AUTH_REQ, + /** received IKE_AUTH responses */ + COUNTER_IN_IKE_AUTH_RSP, + /** sent IKE_AUTH requests */ + COUNTER_OUT_IKE_AUTH_REQ, + /** sent IKE_AUTH responses */ + COUNTER_OUT_IKE_AUTH_RSP, + /** received CREATE_CHILD_SA requests */ + COUNTER_IN_CREATE_CHILD_SA_REQ, + /** received CREATE_CHILD_SA responses */ + 
COUNTER_IN_CREATE_CHILD_SA_RSP, + /** sent CREATE_CHILD_SA requests */ + COUNTER_OUT_CREATE_CHILD_SA_REQ, + /** sent CREATE_CHILD_SA responses */ + COUNTER_OUT_CREATE_CHILD_SA_RSP, + /** received INFORMATIONAL requests */ + COUNTER_IN_INFORMATIONAL_REQ, + /** received INFORMATIONAL responses */ + COUNTER_IN_INFORMATIONAL_RSP, + /** sent INFORMATIONAL requests */ + COUNTER_OUT_INFORMATIONAL_REQ, + /** sent INFORMATIONAL responses */ + COUNTER_OUT_INFORMATIONAL_RSP, + /** number of counter types */ + COUNTER_MAX +}; + +/** + * Query counter values for different IKE events. + */ +struct counters_query_t { + + /** + * Enumerate all connection names for which counters are currently recorded. + * + * @return enumerator over names (char *) + */ + enumerator_t *(*get_names)(counters_query_t *this); + + /** + * Get a current global or connection-specific counter value. + * + * @param type counter to query + * @param name connection name to get counter for, NULL for global + * @param[out] value counter value + * @return TRUE if value found and returned + */ + bool (*get)(counters_query_t *this, counter_type_t type, char *name, + uint64_t *value); + + /** + * Get all global or connection-specific counter values. + * + * @param name connection name to get counters for, NULL for global + * @return array of counters (has to be freed), NULL if named + * connection is not found + */ + uint64_t *(*get_all)(counters_query_t *this, char *name); + + /** + * Reset all global or connection-specific counters. + * + * @param name connection name to reset counters, NULL for global + */ + void (*reset)(counters_query_t *this, char *name); + + /** + * Reset counters for all connections, global counters are unaffected. + */ + void (*reset_all)(counters_query_t *this); +}; + +#endif /** COUNTERS_QUERY_H_ @}*/ diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in index 06f2592f0..5859a21ee 100644 --- a/src/libcharon/plugins/coupling/Makefile.in 
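Review bot: `COUNTER_OUT_IKE_SA_INIT_RES` is the only enumerator that ends in `_RES`; every other response counter in `counter_type_t` uses `_RSP` (for example `COUNTER_IN_IKE_SA_INIT_RSP`), which makes the name easy to mistype for consumers of this header. Renaming it to `COUNTER_OUT_IKE_SA_INIT_RSP` here and at its use in `message_hook` in counters_listener.c would make the set uniform. The doc comment on `get` could also state the range the implementation relies on, e.g. `@param type counter to query, must be < COUNTER_MAX`, since the `get` shown in counters_listener.c does not check it.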
+++ b/src/libcharon/plugins/coupling/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in index aaca1ec99..f8e2d7398 100644 --- a/src/libcharon/plugins/dhcp/Makefile.in +++ b/src/libcharon/plugins/dhcp/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c index 42f8f1ef9..7541c3b49 100644 --- a/src/libcharon/plugins/dhcp/dhcp_socket.c +++ b/src/libcharon/plugins/dhcp/dhcp_socket.c @@ -176,7 +176,7 @@ typedef struct __attribute__((packed)) { char server_hostname[64]; char boot_filename[128]; uint32_t magic_cookie; - char options[252]; + u_char options[252]; } dhcp_t; /** @@ -438,7 +438,7 @@ METHOD(dhcp_socket_t, release, void, DBG1(DBG_CFG, "sending DHCP RELEASE for %H to %H", release, server); chunk = release->get_address(release); - memcpy(&dhcp.client_address, chunk.ptr, + memcpy((char*)&dhcp.client_address, chunk.ptr, min(chunk.len, sizeof(dhcp.client_address))); option = (dhcp_option_t*)&dhcp.options[optlen]; diff --git a/src/libcharon/plugins/dnscert/Makefile.in b/src/libcharon/plugins/dnscert/Makefile.in index 0febca96d..d0a4d7fc3 100644 --- a/src/libcharon/plugins/dnscert/Makefile.in +++ b/src/libcharon/plugins/dnscert/Makefile.in 
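Review bot: The `(char*)` cast added to the `memcpy` destination in `release` carries no explanation, and since `memcpy` takes `void*` it changes nothing at runtime; it presumably exists to quiet a compiler diagnostic, which is worth stating in a comment such as `/* cast only silences the compiler, the copy is bounded by min() below */` so it is not dropped or copied elsewhere without thought. The bound itself, `min(chunk.len, sizeof(dhcp.client_address))`, keeps the copy inside the field but silently truncates a longer address; whether `release` can ever hold something other than an address of that size is not visible here. Both `dhcp_t` and `release` continue outside their hunks.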
@@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in index db4491113..9be0c495b 100644 --- a/src/libcharon/plugins/duplicheck/Makefile.in +++ b/src/libcharon/plugins/duplicheck/Makefile.in @@ -254,9 +254,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in index 09291aff5..dd66b65b7 100644 --- a/src/libcharon/plugins/eap_aka/Makefile.in +++ b/src/libcharon/plugins/eap_aka/Makefile.in @@ -248,9 +248,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_aka_3gpp/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp/Makefile.in index 2b73a57ce..2f3d0b83e 100644 --- a/src/libcharon/plugins/eap_aka_3gpp/Makefile.in +++ b/src/libcharon/plugins/eap_aka_3gpp/Makefile.in @@ -249,9 +249,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_aka_3gpp/eap_aka_3gpp_plugin.c b/src/libcharon/plugins/eap_aka_3gpp/eap_aka_3gpp_plugin.c index 3d0e06146..650af86d9 100644 
--- a/src/libcharon/plugins/eap_aka_3gpp/eap_aka_3gpp_plugin.c +++ b/src/libcharon/plugins/eap_aka_3gpp/eap_aka_3gpp_plugin.c @@ -77,7 +77,7 @@ METHOD(plugin_t, get_name, char*, } /** - * Try to instanciate ea_aka_3gpp functions and card/provider backends + * Try to instantiate ea_aka_3gpp functions and card/provider backends */ static bool register_functions(private_eap_aka_3gpp_t *this, plugin_feature_t *feature, bool reg, void *data) diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in index a14afbc55..f5fc3fb48 100644 --- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in +++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in @@ -249,9 +249,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c index d7d0d0507..3f9db71c6 100644 --- a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c +++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c @@ -55,7 +55,7 @@ METHOD(plugin_t, get_name, char*, } /** - * Try to instanciate 3gpp2 functions and card/provider backends + * Try to instantiate 3gpp2 functions and card/provider backends */ static bool register_functions(private_eap_aka_3gpp2_t *this, plugin_feature_t *feature, bool reg, void *data) diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in index e6427106a..494f0a8c5 100644 --- a/src/libcharon/plugins/eap_dynamic/Makefile.in +++ b/src/libcharon/plugins/eap_dynamic/Makefile.in 
@@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in index 0075513b2..4dc68f94f 100644 --- a/src/libcharon/plugins/eap_gtc/Makefile.in +++ b/src/libcharon/plugins/eap_gtc/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in index 7481fe377..44f097ef4 100644 --- a/src/libcharon/plugins/eap_identity/Makefile.in +++ b/src/libcharon/plugins/eap_identity/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in index f26a58550..3c634db82 100644 --- a/src/libcharon/plugins/eap_md5/Makefile.in +++ b/src/libcharon/plugins/eap_md5/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in index abc3081b8..505d6ea52 100644 --- a/src/libcharon/plugins/eap_mschapv2/Makefile.in 
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in index 8e8597cab..20f2ecab1 100644 --- a/src/libcharon/plugins/eap_peap/Makefile.in +++ b/src/libcharon/plugins/eap_peap/Makefile.in @@ -248,9 +248,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in index 938243394..f5100fc53 100644 --- a/src/libcharon/plugins/eap_radius/Makefile.in +++ b/src/libcharon/plugins/eap_radius/Makefile.in @@ -249,9 +249,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c index a2530e653..fbbf6da83 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius.c +++ b/src/libcharon/plugins/eap_radius/eap_radius.c @@ -1,6 +1,7 @@ /* + * Copyright (C) 2012-2017 Tobias Brunner * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
@@ -271,37 +272,47 @@ METHOD(eap_method_t, initiate, status_t, } /** - * Handle the Class attribute as group membership information + * Handle the Class attribute */ static void process_class(radius_message_t *msg) { enumerator_t *enumerator; + ike_sa_t *ike_sa; + identification_t *id; + auth_cfg_t *auth; chunk_t data; + bool class_group, class_send; int type; + class_group = lib->settings->get_bool(lib->settings, + "%s.plugins.eap-radius.class_group", FALSE, lib->ns); + class_send = lib->settings->get_bool(lib->settings, + "%s.plugins.eap-radius.accounting_send_class", FALSE, lib->ns); + ike_sa = charon->bus->get_sa(charon->bus); + + if ((!class_group && !class_send) || !ike_sa) + { + return; + } + enumerator = msg->create_enumerator(msg); while (enumerator->enumerate(enumerator, &type, &data)) { if (type == RAT_CLASS) { - identification_t *id; - ike_sa_t *ike_sa; - auth_cfg_t *auth; - - if (data.len >= 44) + if (class_group && data.len < 44) { /* quirk: ignore long class attributes, these are used for * other purposes by some RADIUS servers (such as NPS). */ - continue; - } - - ike_sa = charon->bus->get_sa(charon->bus); - if (ike_sa) - { auth = ike_sa->get_auth_cfg(ike_sa, FALSE); id = identification_create_from_data(data); - DBG1(DBG_CFG, "received group membership '%Y' from RADIUS", id); + DBG1(DBG_CFG, "received group membership '%Y' from RADIUS", + id); auth->add(auth, AUTH_RULE_GROUP, id); } + if (class_send) + { + eap_radius_accounting_add_class(ike_sa, data); + } } } enumerator->destroy(enumerator); @@ -631,11 +642,7 @@ static void process_cfg_attributes(radius_message_t *msg) */ void eap_radius_process_attributes(radius_message_t *message) { - if (lib->settings->get_bool(lib->settings, - "%s.plugins.eap-radius.class_group", FALSE, lib->ns)) - { - process_class(message); - } + process_class(message); if (lib->settings->get_bool(lib->settings, "%s.plugins.eap-radius.filter_id", FALSE, lib->ns)) { 
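Review bot: In `process_class` the retained comment `/* quirk: ignore long class attributes ... */` now sits at the top of the branch that handles short attributes (`if (class_group && data.len < 44)`), so it describes the opposite of what the block does. It could be reworded to match the branch, for example `/* quirk: only short Class attributes are treated as group membership, longer ones are used for other purposes by some RADIUS servers (such as NPS) */`, and the 44-byte limit given a named constant so the filter is easy to audit. With `accounting_send_class` enabled, every Class value is handed to `eap_radius_accounting_add_class()` regardless of length. That is presumably intended, but the function comment should say that the group path and the accounting path apply different filters to the same server-supplied data.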
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c index e1f5be06a..92611492b 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c @@ -1,6 +1,6 @@ /* - * Copyright (C) 2015 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2015-2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2012 Martin Willi * Copyright (C) 2012 revosec AG @@ -160,6 +160,8 @@ typedef struct { ike_sa_id_t *id; /** RADIUS accounting session ID */ char sid[24]; + /** cached Class attributes */ + array_t *class_attrs; /** number of sent/received octets/packets for expired SAs */ usage_t usage; /** list of cached SAs, sa_entry_t (sorted by their unique ID) */ @@ -186,6 +188,7 @@ static void destroy_entry(entry_t *this) { array_destroy_function(this->cached, (void*)free, NULL); array_destroy_function(this->migrated, (void*)free, NULL); + array_destroy_function(this->class_attrs, (void*)chunk_free, NULL); this->id->destroy(this->id); free(this); } @@ -457,6 +460,23 @@ static void add_ike_sa_parameters(private_eap_radius_accounting_t *this, enumerator->destroy(enumerator); } +/** + * Add the Class attributes received in the Access-Accept message to the + * RADIUS accounting message + */ +static void add_class_attributes(radius_message_t *message, entry_t *entry) +{ + enumerator_t *enumerator; + chunk_t *cls; + + enumerator = array_create_enumerator(entry->class_attrs); + while (enumerator->enumerate(enumerator, &cls)) + { + message->add(message, RAT_CLASS, *cls); + } + enumerator->destroy(enumerator); +} + /** * Get an existing or create a new entry from the locked session table */ 
@@ -585,6 +605,7 @@ static job_requeue_t send_interim(interim_data_t *data) message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value)); message->add(message, RAT_ACCT_SESSION_ID, chunk_create(entry->sid, strlen(entry->sid))); + add_class_attributes(message, entry); add_ike_sa_parameters(this, message, ike_sa); value = htonl(usage.bytes.sent); @@ -704,6 +725,7 @@ static void send_start(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa) message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value)); message->add(message, RAT_ACCT_SESSION_ID, chunk_create(entry->sid, strlen(entry->sid))); + add_class_attributes(message, entry); if (!entry->interim.interval) { @@ -766,6 +788,7 @@ static void send_stop(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa) message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value)); message->add(message, RAT_ACCT_SESSION_ID, chunk_create(entry->sid, strlen(entry->sid))); + add_class_attributes(message, entry); add_ike_sa_parameters(this, message, ike_sa); value = htonl(entry->usage.bytes.sent); @@ -1064,3 +1087,24 @@ void eap_radius_accounting_start_interim(ike_sa_t *ike_sa, uint32_t interval) singleton->mutex->unlock(singleton->mutex); } } + +/* + * Described in header + */ +void eap_radius_accounting_add_class(ike_sa_t *ike_sa, chunk_t cls) +{ + if (singleton) + { + entry_t *entry; + chunk_t clone; + + DBG2(DBG_CFG, "cache RADIUS Class attribute %B", &cls); + singleton->mutex->lock(singleton->mutex); + entry = get_or_create_entry(singleton, ike_sa->get_id(ike_sa), + ike_sa->get_unique_id(ike_sa)); + clone = chunk_clone(cls); + array_insert_create_value(&entry->class_attrs, sizeof(chunk_t), + ARRAY_TAIL, &clone); + singleton->mutex->unlock(singleton->mutex); + } +} \ No newline at end of file diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.h b/src/libcharon/plugins/eap_radius/eap_radius_accounting.h index f7a19c9b5..dc1edcf54 100644 
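Review bot: `eap_radius_accounting_add_class()` appends a clone of every Class attribute to `entry->class_attrs`, and nothing in the visible hunks replaces or removes earlier values; the array is only released in `destroy_entry()`. If more than one Access-Accept can be processed for the same entry (not determinable from these hunks), values from the earlier one would still be echoed by `add_class_attributes()` in the Start, Interim and Stop messages, and the list would grow for the lifetime of the session. Consider dropping the cached list when attributes from a new Access-Accept arrive, or capping its size, and recording the choice on the struct member, e.g. `/** cached Class attributes from the last Access-Accept, freed in destroy_entry() */`. The `DBG2` line also writes the raw Class bytes to the log; these are opaque server data that may encode session or user identifiers, so the log level and log retention deserve a mention in the option's documentation.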
--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.h +++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.h @@ -1,4 +1,7 @@ /* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * * Copyright (C) 2012 Martin Willi * Copyright (C) 2012 revosec AG * @@ -54,4 +57,12 @@ eap_radius_accounting_t *eap_radius_accounting_create(); */ void eap_radius_accounting_start_interim(ike_sa_t *ike_sa, uint32_t interval); +/** + * Add a Class attribute for the given IKE_SA. + * + * @param ike_sa IKE_SA for which the attribute was received + * @param cls Class attribute value + */ +void eap_radius_accounting_add_class(ike_sa_t *ike_sa, chunk_t cls); + #endif /** EAP_RADIUS_ACCOUNTING_H_ @}*/ diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in index f7b2d3e2d..ae25d21c2 100644 --- a/src/libcharon/plugins/eap_sim/Makefile.in +++ b/src/libcharon/plugins/eap_sim/Makefile.in @@ -248,9 +248,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in index a78155080..a02cbbd23 100644 --- a/src/libcharon/plugins/eap_sim_file/Makefile.in +++ b/src/libcharon/plugins/eap_sim_file/Makefile.in @@ -249,9 +249,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in index 28e7b4612..d9cfda351 100644 --- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in +++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in 
@@ -250,9 +250,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in index 98d4fe9cc..9f56b01da 100644 --- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in @@ -250,9 +250,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in index 539dc657e..9e41bf270 100644 --- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in @@ -249,9 +249,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in index 284178e13..0f6b7e95a 100644 --- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in @@ -248,9 +248,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in index 9e69e068c..83726b645 100644 
--- a/src/libcharon/plugins/eap_tls/Makefile.in +++ b/src/libcharon/plugins/eap_tls/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in index 6f5d3a466..1047ea0e0 100644 --- a/src/libcharon/plugins/eap_tnc/Makefile.in +++ b/src/libcharon/plugins/eap_tnc/Makefile.in @@ -248,9 +248,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in index 5a9310a7d..1a779c60b 100644 --- a/src/libcharon/plugins/eap_ttls/Makefile.in +++ b/src/libcharon/plugins/eap_ttls/Makefile.in @@ -249,9 +249,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in index 7322bc036..7439befbc 100644 --- a/src/libcharon/plugins/error_notify/Makefile.in +++ b/src/libcharon/plugins/error_notify/Makefile.in @@ -255,9 +255,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ 
diff --git a/src/libcharon/plugins/ext_auth/Makefile.in b/src/libcharon/plugins/ext_auth/Makefile.in index 8ab170b6d..d669b5707 100644 --- a/src/libcharon/plugins/ext_auth/Makefile.in +++ b/src/libcharon/plugins/ext_auth/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in index 4328db1f9..dc07f34c1 100644 --- a/src/libcharon/plugins/farp/Makefile.in +++ b/src/libcharon/plugins/farp/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/forecast/Makefile.in b/src/libcharon/plugins/forecast/Makefile.in index 15589b35d..f89ed736d 100644 --- a/src/libcharon/plugins/forecast/Makefile.in +++ b/src/libcharon/plugins/forecast/Makefile.in @@ -248,9 +248,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in index cdf33f61f..455108834 100644 --- a/src/libcharon/plugins/ha/Makefile.in +++ b/src/libcharon/plugins/ha/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ 
diff --git a/src/libcharon/plugins/ipseckey/Makefile.in b/src/libcharon/plugins/ipseckey/Makefile.in index adb40765e..b212e2e33 100644 --- a/src/libcharon/plugins/ipseckey/Makefile.in +++ b/src/libcharon/plugins/ipseckey/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/kernel_iph/Makefile.in b/src/libcharon/plugins/kernel_iph/Makefile.in index 6164f5c7b..cc4450a95 100644 --- a/src/libcharon/plugins/kernel_iph/Makefile.in +++ b/src/libcharon/plugins/kernel_iph/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.in b/src/libcharon/plugins/kernel_libipsec/Makefile.in index e604be758..09c03ed33 100644 --- a/src/libcharon/plugins/kernel_libipsec/Makefile.in +++ b/src/libcharon/plugins/kernel_libipsec/Makefile.in @@ -249,9 +249,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.am b/src/libcharon/plugins/kernel_netlink/Makefile.am index 41c7304c6..0e39c0d24 100644 --- a/src/libcharon/plugins/kernel_netlink/Makefile.am +++ b/src/libcharon/plugins/kernel_netlink/Makefile.am 
@@ -25,22 +25,22 @@ libstrongswan_kernel_netlink_la_LIBADD = $(DLLIB) libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version -TESTS = tests +TESTS = kernel_netlink_tests check_PROGRAMS = $(TESTS) -tests_SOURCES = \ +kernel_netlink_tests_SOURCES = \ tests.h tests.c \ suites/test_socket.c \ kernel_netlink_shared.c -tests_CFLAGS = \ +kernel_netlink_tests_CFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libstrongswan/tests \ -DNETLINK_MSG_LOSS_HOOK=netlink_msg_loss \ @COVERAGE_CFLAGS@ -tests_LDFLAGS = @COVERAGE_LDFLAGS@ -tests_LDADD = \ +kernel_netlink_tests_LDFLAGS = @COVERAGE_LDFLAGS@ +kernel_netlink_tests_LDADD = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ $(top_builddir)/src/libstrongswan/tests/libtest.la diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.in b/src/libcharon/plugins/kernel_netlink/Makefile.in index 8d653104e..7ec64084b 100644 --- a/src/libcharon/plugins/kernel_netlink/Makefile.in +++ b/src/libcharon/plugins/kernel_netlink/Makefile.in @@ -88,7 +88,7 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -TESTS = tests$(EXEEXT) +TESTS = kernel_netlink_tests$(EXEEXT) check_PROGRAMS = $(am__EXEEXT_1) subdir = src/libcharon/plugins/kernel_netlink ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 
@@ -156,18 +156,20 @@ libstrongswan_kernel_netlink_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ @MONOLITHIC_FALSE@am_libstrongswan_kernel_netlink_la_rpath = -rpath \ @MONOLITHIC_FALSE@ $(plugindir) @MONOLITHIC_TRUE@am_libstrongswan_kernel_netlink_la_rpath = -am__EXEEXT_1 = tests$(EXEEXT) +am__EXEEXT_1 = kernel_netlink_tests$(EXEEXT) am__dirstamp = $(am__leading_dot)dirstamp -am_tests_OBJECTS = tests-tests.$(OBJEXT) \ - suites/tests-test_socket.$(OBJEXT) \ - tests-kernel_netlink_shared.$(OBJEXT) -tests_OBJECTS = $(am_tests_OBJECTS) -tests_DEPENDENCIES = \ +am_kernel_netlink_tests_OBJECTS = \ + kernel_netlink_tests-tests.$(OBJEXT) \ + suites/kernel_netlink_tests-test_socket.$(OBJEXT) \ + kernel_netlink_tests-kernel_netlink_shared.$(OBJEXT) +kernel_netlink_tests_OBJECTS = $(am_kernel_netlink_tests_OBJECTS) +kernel_netlink_tests_DEPENDENCIES = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ $(top_builddir)/src/libstrongswan/tests/libtest.la -tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=link $(CCLD) $(tests_CFLAGS) $(CFLAGS) \ - $(tests_LDFLAGS) $(LDFLAGS) -o $@ +kernel_netlink_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(kernel_netlink_tests_CFLAGS) $(CFLAGS) \ + $(kernel_netlink_tests_LDFLAGS) $(LDFLAGS) -o $@ AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -202,9 +204,10 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES) $(tests_SOURCES) +SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES) \ + $(kernel_netlink_tests_SOURCES) DIST_SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES) \ - $(tests_SOURCES) + $(kernel_netlink_tests_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ 
@@ -286,9 +289,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -509,19 +514,19 @@ libstrongswan_kernel_netlink_la_SOURCES = \ libstrongswan_kernel_netlink_la_LIBADD = $(DLLIB) libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version -tests_SOURCES = \ +kernel_netlink_tests_SOURCES = \ tests.h tests.c \ suites/test_socket.c \ kernel_netlink_shared.c -tests_CFLAGS = \ +kernel_netlink_tests_CFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libstrongswan/tests \ -DNETLINK_MSG_LOSS_HOOK=netlink_msg_loss \ @COVERAGE_CFLAGS@ -tests_LDFLAGS = @COVERAGE_LDFLAGS@ -tests_LDADD = \ +kernel_netlink_tests_LDFLAGS = @COVERAGE_LDFLAGS@ +kernel_netlink_tests_LDADD = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ $(top_builddir)/src/libstrongswan/tests/libtest.la @@ -622,12 +627,12 @@ suites/$(am__dirstamp): suites/$(DEPDIR)/$(am__dirstamp): @$(MKDIR_P) suites/$(DEPDIR) @: > suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_socket.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) +suites/kernel_netlink_tests-test_socket.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) -tests$(EXEEXT): $(tests_OBJECTS) $(tests_DEPENDENCIES) $(EXTRA_tests_DEPENDENCIES) - @rm -f tests$(EXEEXT) - $(AM_V_CCLD)$(tests_LINK) $(tests_OBJECTS) $(tests_LDADD) $(LIBS) +kernel_netlink_tests$(EXEEXT): $(kernel_netlink_tests_OBJECTS) $(kernel_netlink_tests_DEPENDENCIES) $(EXTRA_kernel_netlink_tests_DEPENDENCIES) + @rm -f kernel_netlink_tests$(EXEEXT) + $(AM_V_CCLD)$(kernel_netlink_tests_LINK) $(kernel_netlink_tests_OBJECTS) $(kernel_netlink_tests_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) 
@@ -640,9 +645,9 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_net.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_plugin.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_shared.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tests-kernel_netlink_shared.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tests-tests.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_socket.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_tests-kernel_netlink_shared.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_tests-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/kernel_netlink_tests-test_socket.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ 
@@ -668,47 +673,47 @@ distclean-compile: @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< -tests-tests.o: tests.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-tests.o -MD -MP -MF $(DEPDIR)/tests-tests.Tpo -c -o tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tests-tests.Tpo $(DEPDIR)/tests-tests.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests.c' object='tests-tests.o' libtool=no @AMDEPBACKSLASH@ +kernel_netlink_tests-tests.o: tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(kernel_netlink_tests_CFLAGS) $(CFLAGS) -MT kernel_netlink_tests-tests.o -MD -MP -MF $(DEPDIR)/kernel_netlink_tests-tests.Tpo -c -o kernel_netlink_tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/kernel_netlink_tests-tests.Tpo $(DEPDIR)/kernel_netlink_tests-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests.c' object='kernel_netlink_tests-tests.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(kernel_netlink_tests_CFLAGS) $(CFLAGS) -c -o kernel_netlink_tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c -tests-tests.obj: tests.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT 
tests-tests.obj -MD -MP -MF $(DEPDIR)/tests-tests.Tpo -c -o tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tests-tests.Tpo $(DEPDIR)/tests-tests.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests.c' object='tests-tests.obj' libtool=no @AMDEPBACKSLASH@ +kernel_netlink_tests-tests.obj: tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(kernel_netlink_tests_CFLAGS) $(CFLAGS) -MT kernel_netlink_tests-tests.obj -MD -MP -MF $(DEPDIR)/kernel_netlink_tests-tests.Tpo -c -o kernel_netlink_tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/kernel_netlink_tests-tests.Tpo $(DEPDIR)/kernel_netlink_tests-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests.c' object='kernel_netlink_tests-tests.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(kernel_netlink_tests_CFLAGS) $(CFLAGS) -c -o kernel_netlink_tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi` -suites/tests-test_socket.o: suites/test_socket.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_socket.o -MD -MP -MF suites/$(DEPDIR)/tests-test_socket.Tpo -c -o suites/tests-test_socket.o `test -f 
'suites/test_socket.c' || echo '$(srcdir)/'`suites/test_socket.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_socket.Tpo suites/$(DEPDIR)/tests-test_socket.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_socket.c' object='suites/tests-test_socket.o' libtool=no @AMDEPBACKSLASH@ +suites/kernel_netlink_tests-test_socket.o: suites/test_socket.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(kernel_netlink_tests_CFLAGS) $(CFLAGS) -MT suites/kernel_netlink_tests-test_socket.o -MD -MP -MF suites/$(DEPDIR)/kernel_netlink_tests-test_socket.Tpo -c -o suites/kernel_netlink_tests-test_socket.o `test -f 'suites/test_socket.c' || echo '$(srcdir)/'`suites/test_socket.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/kernel_netlink_tests-test_socket.Tpo suites/$(DEPDIR)/kernel_netlink_tests-test_socket.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_socket.c' object='suites/kernel_netlink_tests-test_socket.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_socket.o `test -f 'suites/test_socket.c' || echo '$(srcdir)/'`suites/test_socket.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(kernel_netlink_tests_CFLAGS) $(CFLAGS) -c -o suites/kernel_netlink_tests-test_socket.o `test -f 'suites/test_socket.c' || echo '$(srcdir)/'`suites/test_socket.c -suites/tests-test_socket.obj: suites/test_socket.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_socket.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_socket.Tpo -c -o suites/tests-test_socket.obj `if 
test -f 'suites/test_socket.c'; then $(CYGPATH_W) 'suites/test_socket.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_socket.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_socket.Tpo suites/$(DEPDIR)/tests-test_socket.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_socket.c' object='suites/tests-test_socket.obj' libtool=no @AMDEPBACKSLASH@ +suites/kernel_netlink_tests-test_socket.obj: suites/test_socket.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(kernel_netlink_tests_CFLAGS) $(CFLAGS) -MT suites/kernel_netlink_tests-test_socket.obj -MD -MP -MF suites/$(DEPDIR)/kernel_netlink_tests-test_socket.Tpo -c -o suites/kernel_netlink_tests-test_socket.obj `if test -f 'suites/test_socket.c'; then $(CYGPATH_W) 'suites/test_socket.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_socket.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/kernel_netlink_tests-test_socket.Tpo suites/$(DEPDIR)/kernel_netlink_tests-test_socket.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_socket.c' object='suites/kernel_netlink_tests-test_socket.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_socket.obj `if test -f 'suites/test_socket.c'; then $(CYGPATH_W) 'suites/test_socket.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_socket.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(kernel_netlink_tests_CFLAGS) $(CFLAGS) -c -o suites/kernel_netlink_tests-test_socket.obj `if test -f 'suites/test_socket.c'; then $(CYGPATH_W) 'suites/test_socket.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_socket.c'; fi` -tests-kernel_netlink_shared.o: 
kernel_netlink_shared.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-kernel_netlink_shared.o -MD -MP -MF $(DEPDIR)/tests-kernel_netlink_shared.Tpo -c -o tests-kernel_netlink_shared.o `test -f 'kernel_netlink_shared.c' || echo '$(srcdir)/'`kernel_netlink_shared.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tests-kernel_netlink_shared.Tpo $(DEPDIR)/tests-kernel_netlink_shared.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='kernel_netlink_shared.c' object='tests-kernel_netlink_shared.o' libtool=no @AMDEPBACKSLASH@ +kernel_netlink_tests-kernel_netlink_shared.o: kernel_netlink_shared.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(kernel_netlink_tests_CFLAGS) $(CFLAGS) -MT kernel_netlink_tests-kernel_netlink_shared.o -MD -MP -MF $(DEPDIR)/kernel_netlink_tests-kernel_netlink_shared.Tpo -c -o kernel_netlink_tests-kernel_netlink_shared.o `test -f 'kernel_netlink_shared.c' || echo '$(srcdir)/'`kernel_netlink_shared.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/kernel_netlink_tests-kernel_netlink_shared.Tpo $(DEPDIR)/kernel_netlink_tests-kernel_netlink_shared.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='kernel_netlink_shared.c' object='kernel_netlink_tests-kernel_netlink_shared.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-kernel_netlink_shared.o `test -f 'kernel_netlink_shared.c' || echo '$(srcdir)/'`kernel_netlink_shared.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(kernel_netlink_tests_CFLAGS) $(CFLAGS) -c -o kernel_netlink_tests-kernel_netlink_shared.o `test -f 
'kernel_netlink_shared.c' || echo '$(srcdir)/'`kernel_netlink_shared.c -tests-kernel_netlink_shared.obj: kernel_netlink_shared.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-kernel_netlink_shared.obj -MD -MP -MF $(DEPDIR)/tests-kernel_netlink_shared.Tpo -c -o tests-kernel_netlink_shared.obj `if test -f 'kernel_netlink_shared.c'; then $(CYGPATH_W) 'kernel_netlink_shared.c'; else $(CYGPATH_W) '$(srcdir)/kernel_netlink_shared.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tests-kernel_netlink_shared.Tpo $(DEPDIR)/tests-kernel_netlink_shared.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='kernel_netlink_shared.c' object='tests-kernel_netlink_shared.obj' libtool=no @AMDEPBACKSLASH@ +kernel_netlink_tests-kernel_netlink_shared.obj: kernel_netlink_shared.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(kernel_netlink_tests_CFLAGS) $(CFLAGS) -MT kernel_netlink_tests-kernel_netlink_shared.obj -MD -MP -MF $(DEPDIR)/kernel_netlink_tests-kernel_netlink_shared.Tpo -c -o kernel_netlink_tests-kernel_netlink_shared.obj `if test -f 'kernel_netlink_shared.c'; then $(CYGPATH_W) 'kernel_netlink_shared.c'; else $(CYGPATH_W) '$(srcdir)/kernel_netlink_shared.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/kernel_netlink_tests-kernel_netlink_shared.Tpo $(DEPDIR)/kernel_netlink_tests-kernel_netlink_shared.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='kernel_netlink_shared.c' object='kernel_netlink_tests-kernel_netlink_shared.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-kernel_netlink_shared.obj `if test -f 'kernel_netlink_shared.c'; then $(CYGPATH_W) 
'kernel_netlink_shared.c'; else $(CYGPATH_W) '$(srcdir)/kernel_netlink_shared.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(kernel_netlink_tests_CFLAGS) $(CFLAGS) -c -o kernel_netlink_tests-kernel_netlink_shared.obj `if test -f 'kernel_netlink_shared.c'; then $(CYGPATH_W) 'kernel_netlink_shared.c'; else $(CYGPATH_W) '$(srcdir)/kernel_netlink_shared.c'; fi` mostlyclean-libtool: -rm -f *.lo diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c index 8ddaa71d3..4e79dfced 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -143,7 +143,7 @@ ENUM(xfrm_msg_names, XFRM_MSG_NEWSA, XFRM_MSG_MAPPING, "XFRM_MSG_MAPPING" ); -ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_REPLAY_ESN_VAL, +ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_OFFLOAD_DEV, "XFRMA_UNSPEC", "XFRMA_ALG_AUTH", "XFRMA_ALG_CRYPT", @@ -168,6 +168,11 @@ ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_REPLAY_ESN_VAL, "XFRMA_MARK", "XFRMA_TFCPAD", "XFRMA_REPLAY_ESN_VAL", + "XFRMA_SA_EXTRA_FLAGS", + "XFRMA_PROTO", + "XFRMA_ADDRESS_FILTER", + "XFRMA_PAD", + "XFRMA_OFFLOAD_DEV", ); /** diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c index 0dd3e30cb..a21d0ae7f 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c 
@@ -1183,13 +1183,13 @@ static void process_link(private_kernel_netlink_net_t *this, INIT(entry, .ifindex = msg->ifi_index, .addrs = linked_list_create(), - .usable = charon->kernel->is_interface_usable( - charon->kernel, name), ); this->ifaces->insert_last(this->ifaces, entry); } strncpy(entry->ifname, name, IFNAMSIZ); entry->ifname[IFNAMSIZ-1] = '\0'; + entry->usable = charon->kernel->is_interface_usable(charon->kernel, + name); if (event && entry->usable) { if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP)) diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.in b/src/libcharon/plugins/kernel_pfkey/Makefile.in index 0ef880035..0d3d3775b 100644 --- a/src/libcharon/plugins/kernel_pfkey/Makefile.in +++ b/src/libcharon/plugins/kernel_pfkey/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index fd1adb2ae..710107889 100644 --- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -1740,7 +1740,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, #ifdef __linux__ sa->sadb_sa_replay = min(data->replay_window, 32); #else - sa->sadb_sa_replay = (data->replay_window + 7) / 8; + sa->sadb_sa_replay = min((data->replay_window + 7) / 8, UINT8_MAX); #endif } sa->sadb_sa_auth = lookup_algorithm(INTEGRITY_ALGORITHM, data->int_alg); 
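Review bot: The relocated `entry->usable = ...` assignment in process_link() now runs for every link message, but nothing records why it has to follow the name copy; a comment such as `/* re-evaluate on each message, the interface may have been renamed */` would state the intent (this is my reading of the change, please confirm). One case to check is an interface that was usable and becomes filtered: the `if (event && entry->usable)` block right below is then skipped, so that transition may not raise any event. process_link() starts and ends outside this hunk, so the handling further down is not visible here.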
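Review bot: In the non-Linux branch of add_sa the clamp is applied after `data->replay_window + 7`, so if replay_window is an unsigned 32-bit value close to its maximum the addition wraps and a very small anti-replay window is installed instead of the largest one. Clamping before rounding avoids that: `sa->sadb_sa_replay = (min(data->replay_window, UINT8_MAX * 8) + 7) / 8;`. The type of replay_window is declared outside this hunk, so this depends on it being unsigned 32-bit. add_sa continues outside the hunk.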
@@ -1749,6 +1749,19 @@ METHOD(kernel_ipsec_t, add_sa, status_t, } PFKEY_EXT_ADD(msg, sa); +#ifdef SADB_X_EXT_SA_REPLAY + if (data->inbound) + { + struct sadb_x_sa_replay *replay; + + replay = (struct sadb_x_sa_replay*)PFKEY_EXT_ADD_NEXT(msg); + replay->sadb_x_replay_exttype = SADB_X_EXT_SA_REPLAY; + replay->sadb_x_replay_len = PFKEY_LEN(sizeof(struct sadb_x_sa_replay)); + replay->sadb_x_replay_replay = min(data->replay_window, UINT32_MAX-32); + PFKEY_EXT_ADD(msg, replay); + } +#endif + sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg); sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2; sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange)); @@ -1960,6 +1973,8 @@ METHOD(kernel_ipsec_t, update_sa, status_t, PFKEY_EXT_COPY(msg, response.lft_soft); PFKEY_EXT_COPY(msg, response.lft_hard); +#ifndef __FreeBSD__ + /* FreeBSD 11.1 does not allow key updates via SADB_UPDATE for mature SAs */ if (response.key_encr) { PFKEY_EXT_COPY(msg, response.key_encr); @@ -1969,6 +1984,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t, { PFKEY_EXT_COPY(msg, response.key_auth); } +#endif #ifdef HAVE_NATT if (data->new_encap) diff --git a/src/libcharon/plugins/kernel_pfroute/Makefile.in b/src/libcharon/plugins/kernel_pfroute/Makefile.in index 1f232502a..dc4d1c852 100644 --- a/src/libcharon/plugins/kernel_pfroute/Makefile.in +++ b/src/libcharon/plugins/kernel_pfroute/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c index da7ae472d..e1f10e93f 100644 --- a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c +++ b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c 
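Review bot: The bound `UINT32_MAX-32` in the new SADB_X_EXT_SA_REPLAY block has no explanation, and it differs from the `UINT8_MAX` and `32` limits applied to `sadb_sa_replay` in the preceding hunk, so a reader cannot tell whether it is a kernel limit or a guess. A short comment above the assignment naming the unit of `sadb_x_replay_replay` and the origin of the 32 would help, e.g. `/* window in packets, upper bound as enforced by the kernel */` if that is indeed where it comes from. The block is added only for `data->inbound`; a word on why outbound SAs do not need the extension belongs in the same comment.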
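Review bot: The `#ifndef __FreeBSD__` guard in update_sa drops the key extensions on every FreeBSD release, while the comment names only 11.1; if other releases accept or expect the keys in SADB_UPDATE, they lose them as well. Either say in the comment that the exclusion is deliberate for all versions, or narrow it with a `__FreeBSD_version` check once the affected range is known. The matching `#endif` is in the following hunk (`@@ -1969,6 +1984,7 @@`), and update_sa itself starts and ends outside both.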
@@ -864,6 +864,11 @@ static void process_link(private_kernel_pfroute_net_t *this, .flags = msg->ifm_flags, .addrs = linked_list_create(), ); +#ifdef __APPLE__ + /* Similar to the issue described above, on 10.13 we need this delay as + * we might otherwise not be able to convert the index to a name yet. */ + usleep(50000); +#endif if (if_indextoname(iface->ifindex, iface->ifname)) { DBG1(DBG_KNL, "interface %s appeared", iface->ifname); diff --git a/src/libcharon/plugins/kernel_wfp/Makefile.in b/src/libcharon/plugins/kernel_wfp/Makefile.in index 263ec5d64..98e147717 100644 --- a/src/libcharon/plugins/kernel_wfp/Makefile.in +++ b/src/libcharon/plugins/kernel_wfp/Makefile.in @@ -255,9 +255,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in index 54a7ccf44..7abb83daa 100644 --- a/src/libcharon/plugins/led/Makefile.in +++ b/src/libcharon/plugins/led/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in index b25f3a669..42ad9abf3 100644 --- a/src/libcharon/plugins/load_tester/Makefile.in +++ b/src/libcharon/plugins/load_tester/Makefile.in @@ -257,9 +257,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ 
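Review bot: The unconditional `usleep(50000)` in process_link() delays whichever thread processes these link messages by 50 ms for every new interface, including those whose name could be resolved at once, and it still gives no guarantee on a slow system. A short bounded retry around `if_indextoname()` (sleep only when the lookup fails, give up after a few attempts) would cover the macOS 10.13 case without delaying the common path. The comment refers to an "issue described above" that lies outside this hunk, so naming that issue directly would make the block readable on its own. process_link() continues outside the hunk.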
diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in index 4db0b7dc2..b8c5d2249 100644 --- a/src/libcharon/plugins/lookip/Makefile.in +++ b/src/libcharon/plugins/lookip/Makefile.in @@ -253,9 +253,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in index 721edbdd5..47175b4b9 100644 --- a/src/libcharon/plugins/medcli/Makefile.in +++ b/src/libcharon/plugins/medcli/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in index 81d895df1..176e2a5cb 100644 --- a/src/libcharon/plugins/medsrv/Makefile.in +++ b/src/libcharon/plugins/medsrv/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/osx_attr/Makefile.in b/src/libcharon/plugins/osx_attr/Makefile.in index e9bd93803..ec1916aba 100644 --- a/src/libcharon/plugins/osx_attr/Makefile.in +++ b/src/libcharon/plugins/osx_attr/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ 
diff --git a/src/libcharon/plugins/p_cscf/Makefile.in b/src/libcharon/plugins/p_cscf/Makefile.in index 7ccbfb102..9afed4111 100644 --- a/src/libcharon/plugins/p_cscf/Makefile.in +++ b/src/libcharon/plugins/p_cscf/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in index 2e4ea256d..ee16cceb8 100644 --- a/src/libcharon/plugins/radattr/Makefile.in +++ b/src/libcharon/plugins/radattr/Makefile.in @@ -248,9 +248,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/resolve/Makefile.in b/src/libcharon/plugins/resolve/Makefile.in index 0db2cb187..45e2723cc 100644 --- a/src/libcharon/plugins/resolve/Makefile.in +++ b/src/libcharon/plugins/resolve/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in index 5f3517c25..33484587b 100644 --- a/src/libcharon/plugins/smp/Makefile.in +++ b/src/libcharon/plugins/smp/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ 
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in index 54e9ed9b9..05684706e 100644 --- a/src/libcharon/plugins/socket_default/Makefile.in +++ b/src/libcharon/plugins/socket_default/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in index 1971282a1..39558dc24 100644 --- a/src/libcharon/plugins/socket_dynamic/Makefile.in +++ b/src/libcharon/plugins/socket_dynamic/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/socket_win/Makefile.in b/src/libcharon/plugins/socket_win/Makefile.in index 6efd3e189..bb349c0a3 100644 --- a/src/libcharon/plugins/socket_win/Makefile.in +++ b/src/libcharon/plugins/socket_win/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in index e0b813d6b..96733406e 100644 --- a/src/libcharon/plugins/sql/Makefile.in +++ b/src/libcharon/plugins/sql/Makefile.in 
@@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/stroke/Makefile.am b/src/libcharon/plugins/stroke/Makefile.am index 26edc3dcd..9456dd908 100644 --- a/src/libcharon/plugins/stroke/Makefile.am +++ b/src/libcharon/plugins/stroke/Makefile.am @@ -1,5 +1,6 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libcharon/plugins/counters \ -I$(top_srcdir)/src/libcharon \ -I$(top_srcdir)/src/stroke \ -DIPSEC_CONFDIR=\"${sysconfdir}\" \ diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in index 70374b32f..3cf95f9a9 100644 --- a/src/libcharon/plugins/stroke/Makefile.in +++ b/src/libcharon/plugins/stroke/Makefile.in @@ -249,9 +249,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -454,6 +456,7 @@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libcharon/plugins/counters \ -I$(top_srcdir)/src/libcharon \ -I$(top_srcdir)/src/stroke \ -DIPSEC_CONFDIR=\"${sysconfdir}\" \ diff --git a/src/libcharon/plugins/stroke/stroke_counter.c b/src/libcharon/plugins/stroke/stroke_counter.c index e93fd4ef2..8eb9968e4 100644 --- a/src/libcharon/plugins/stroke/stroke_counter.c +++ b/src/libcharon/plugins/stroke/stroke_counter.c @@ -1,4 +1,7 @@ /* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * * Copyright (C) 2012 Martin Willi * Copyright (C) 2012 revosec AG * 
@@ -13,10 +16,11 @@ * for more details. */ +#include + #include "stroke_counter.h" -#include -#include +#include ENUM(stroke_counter_type_names, COUNTER_INIT_IKE_SA_REKEY, COUNTER_OUT_INFORMATIONAL_RSP, 
@@ -56,277 +60,51 @@ struct private_stroke_counter_t { stroke_counter_t public; /** - * Global counter values - */ - uint64_t counter[COUNTER_MAX]; - - /** - * Counters for specific connection names, char* => entry_t - */ - hashtable_t *conns; - - /** - * Lock for counter values + * Reference to query interface */ - spinlock_t *lock; + counters_query_t *query; }; /** - * Counters for a specific connection name - */ -typedef struct { - /** connection name */ - char *name; - /** counter values for connection */ - uint64_t counter[COUNTER_MAX]; -} entry_t; - -/** - * Destroy named entry - */ -static void destroy_entry(entry_t *this) -{ - free(this->name); - free(this); -} - -/** - * Hashtable hash function - */ -static u_int hash(char *name) -{ - return chunk_hash(chunk_from_str(name)); -} - -/** - * Hashtable equals function - */ -static bool equals(char *a, char *b) -{ - return streq(a, b); -} - -/** - * Get the name of an IKE_SA, but return NULL if it is not known yet - */ -static char *get_ike_sa_name(ike_sa_t *ike_sa) -{ - peer_cfg_t *peer_cfg; - - if (ike_sa) - { - peer_cfg = ike_sa->get_peer_cfg(ike_sa); - if (peer_cfg) - { - return peer_cfg->get_name(peer_cfg); - } - } - return NULL; -} - -/** - * Increase a counter for a named entry + * Make sure we have the query interface */ -static void count_named(private_stroke_counter_t *this, - ike_sa_t *ike_sa, stroke_counter_type_t type) +static inline bool ensure_query(private_stroke_counter_t *this) { - entry_t *entry; - char *name; - - name = get_ike_sa_name(ike_sa); - if (name) + if (this->query) { - entry = this->conns->get(this->conns, name); - if (!entry) - { - INIT(entry, - .name = strdup(name), - ); - this->conns->put(this->conns, entry->name, entry); - } - entry->counter[type]++; - } -} - -METHOD(listener_t, alert, bool, - private_stroke_counter_t *this, ike_sa_t *ike_sa, - alert_t alert, va_list args) -{ - stroke_counter_type_t type; - - switch (alert) - { - case ALERT_INVALID_IKE_SPI: - type = 
COUNTER_IN_INVALID_IKE_SPI; - break; - case ALERT_PARSE_ERROR_HEADER: - case ALERT_PARSE_ERROR_BODY: - type = COUNTER_IN_INVALID; - break; - default: - return TRUE; - } - - this->lock->lock(this->lock); - this->counter[type]++; - count_named(this, ike_sa, type); - this->lock->unlock(this->lock); - - return TRUE; -} - -METHOD(listener_t, ike_rekey, bool, - private_stroke_counter_t *this, ike_sa_t *old, ike_sa_t *new) -{ - stroke_counter_type_t type; - ike_sa_id_t *id; - - id = new->get_id(new); - if (id->is_initiator(id)) - { - type = COUNTER_INIT_IKE_SA_REKEY; - } - else - { - type = COUNTER_RESP_IKE_SA_REKEY; - } - - this->lock->lock(this->lock); - this->counter[type]++; - count_named(this, old, type); - this->lock->unlock(this->lock); - - return TRUE; -} - -METHOD(listener_t, child_rekey, bool, - private_stroke_counter_t *this, ike_sa_t *ike_sa, - child_sa_t *old, child_sa_t *new) -{ - this->lock->lock(this->lock); - this->counter[COUNTER_CHILD_SA_REKEY]++; - count_named(this, ike_sa, COUNTER_CHILD_SA_REKEY); - this->lock->unlock(this->lock); - - return TRUE; -} - -METHOD(listener_t, message_hook, bool, - private_stroke_counter_t *this, ike_sa_t *ike_sa, message_t *message, - bool incoming, bool plain) -{ - stroke_counter_type_t type; - bool request; - - if ((incoming && !plain) || (!incoming && !plain)) - { /* handle each message only once */ return TRUE; } - - request = message->get_request(message); - switch (message->get_exchange_type(message)) - { - case IKE_SA_INIT: - if (incoming) - { - type = request ? COUNTER_IN_IKE_SA_INIT_REQ - : COUNTER_IN_IKE_SA_INIT_RSP; - } - else - { - type = request ? COUNTER_OUT_IKE_SA_INIT_REQ - : COUNTER_OUT_IKE_SA_INIT_RES; - } - break; - case IKE_AUTH: - if (incoming) - { - type = request ? COUNTER_IN_IKE_AUTH_REQ - : COUNTER_IN_IKE_AUTH_RSP; - } - else - { - type = request ? COUNTER_OUT_IKE_AUTH_REQ - : COUNTER_OUT_IKE_AUTH_RSP; - } - break; - case CREATE_CHILD_SA: - if (incoming) - { - type = request ? 
COUNTER_IN_CREATE_CHILD_SA_REQ - : COUNTER_IN_CREATE_CHILD_SA_RSP; - } - else - { - type = request ? COUNTER_OUT_CREATE_CHILD_SA_REQ - : COUNTER_OUT_CREATE_CHILD_SA_RSP; - } - break; - case INFORMATIONAL: - if (incoming) - { - type = request ? COUNTER_IN_INFORMATIONAL_REQ - : COUNTER_IN_INFORMATIONAL_RSP; - } - else - { - type = request ? COUNTER_OUT_INFORMATIONAL_REQ - : COUNTER_OUT_INFORMATIONAL_RSP; - } - break; - default: - return TRUE; - } - - this->lock->lock(this->lock); - this->counter[type]++; - count_named(this, ike_sa, type); - this->lock->unlock(this->lock); - - return TRUE; + return (this->query = lib->get(lib, "counters")) != NULL; } /** - * Print a single counter value to out - */ -static void print_counter(FILE *out, stroke_counter_type_t type, - uint64_t counter) -{ - fprintf(out, "%-18N %12llu\n", stroke_counter_type_names, type, counter); -} - -/** - * Print IKE counters for a specific connection + * Print global or connection-specific IKE counters */ static void print_one(private_stroke_counter_t *this, FILE *out, char *name) { - uint64_t counter[COUNTER_MAX]; - entry_t *entry; - int i; + uint64_t *counters; + counter_type_t i; - this->lock->lock(this->lock); - entry = this->conns->get(this->conns, name); - if (entry) + counters = this->query->get_all(this->query, name); + if (!counters) { - for (i = 0; i < countof(this->counter); i++) - { - counter[i] = entry->counter[i]; - } + fprintf(out, "No IKE counters found for '%s'\n", name); + return; } - this->lock->unlock(this->lock); - - if (entry) + if (name) { fprintf(out, "\nList of IKE counters for '%s':\n\n", name); - for (i = 0; i < countof(this->counter); i++) - { - print_counter(out, i, counter[i]); - } } else { - fprintf(out, "No IKE counters found for '%s'\n", name); + fprintf(out, "\nList of IKE counters:\n\n"); + } + for (i = 0; i < COUNTER_MAX; i++) + { + fprintf(out, "%-18N %12"PRIu64"\n", stroke_counter_type_names, i, + counters[i]); } + free(counters); } /** 
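Review bot: In print_one() the `!counters` branch passes `name` to `%s`, yet the same function treats `name == NULL` as the global case a few lines later, so a failed global lookup would hand NULL to `%s`, which is undefined behaviour. Whether `get_all()` can return NULL for a NULL name is not visible here; if it can, split the message: `if (name) fprintf(out, "No IKE counters found for '%s'\n", name); else fprintf(out, "No IKE counters found\n");`. Separately, ensure_query() stores the looked-up pointer without the lock the removed code used, which is harmless only if concurrent callers always obtain the same object and that object outlives this one; a comment stating that assumption would help.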
@@ -335,104 +113,44 @@ static void print_one(private_stroke_counter_t *this, FILE *out, char *name) static void print_all(private_stroke_counter_t *this, FILE *out) { enumerator_t *enumerator; - entry_t *entry; - linked_list_t *list; char *name; - list = linked_list_create(); - - this->lock->lock(this->lock); - enumerator = this->conns->create_enumerator(this->conns); - while (enumerator->enumerate(enumerator, &name, &entry)) - { - list->insert_last(list, strdup(name)); - } - enumerator->destroy(enumerator); - this->lock->unlock(this->lock); - - enumerator = list->create_enumerator(list); + enumerator = this->query->get_names(this->query); while (enumerator->enumerate(enumerator, &name)) { print_one(this, out, name); } enumerator->destroy(enumerator); - - list->destroy_function(list, free); -} - -/** - * Print global counters - */ -static void print_global(private_stroke_counter_t *this, FILE *out) -{ - uint64_t counter[COUNTER_MAX]; - int i; - - this->lock->lock(this->lock); - for (i = 0; i < countof(this->counter); i++) - { - counter[i] = this->counter[i]; - } - this->lock->unlock(this->lock); - - fprintf(out, "\nList of IKE counters:\n\n"); - - for (i = 0; i < countof(this->counter); i++) - { - print_counter(out, i, counter[i]); - } } METHOD(stroke_counter_t, print, void, private_stroke_counter_t *this, FILE *out, char *name) { - if (name) + if (!ensure_query(this)) + { + fprintf(out, "\nNo counters available (plugin missing?)\n\n"); + return; + } + if (name && streq(name, "all")) { - if (streq(name, "all")) - { - return print_all(this, out); - } - return print_one(this, out, name); + return print_all(this, out); } - return print_global(this, out); + return print_one(this, out, name); } METHOD(stroke_counter_t, reset, void, private_stroke_counter_t *this, char *name) { - this->lock->lock(this->lock); - if (name) - { - entry_t *entry; - - entry = this->conns->remove(this->conns, name); - if (entry) - { - destroy_entry(entry); - } - } - else + if 
(!ensure_query(this)) { - memset(&this->counter, 0, sizeof(this->counter)); + return; } - this->lock->unlock(this->lock); + this->query->reset(this->query, name); } METHOD(stroke_counter_t, destroy, void, private_stroke_counter_t *this) { - enumerator_t *enumerator; - char *name; - entry_t *entry; - - enumerator = this->conns->create_enumerator(this->conns); - while (enumerator->enumerate(enumerator, &name, &entry)) - { - destroy_entry(entry); - } - enumerator->destroy(enumerator); - this->conns->destroy(this->conns); - this->lock->destroy(this->lock); free(this); } @@ -445,19 +163,10 @@ stroke_counter_t *stroke_counter_create() INIT(this, .public = { - .listener = { - .alert = _alert, - .ike_rekey = _ike_rekey, - .child_rekey = _child_rekey, - .message = _message_hook, - }, .print = _print, .reset = _reset, .destroy = _destroy, }, - .conns = hashtable_create((hashtable_hash_t)hash, - (hashtable_equals_t)equals, 4), - .lock = spinlock_create(), ); return &this->public; diff --git a/src/libcharon/plugins/stroke/stroke_counter.h b/src/libcharon/plugins/stroke/stroke_counter.h index fecf39f56..2ff431c88 100644 --- a/src/libcharon/plugins/stroke/stroke_counter.h +++ b/src/libcharon/plugins/stroke/stroke_counter.h @@ -1,4 +1,7 @@ /* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * * Copyright (C) 2012 Martin Willi * Copyright (C) 2012 revosec AG * 
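Review bot: In `print`, a NULL `name` (the global counters) now goes straight to `print_one`, whose not-found branch formats it with `'%s'`. If `get_all()` can return NULL for the global set, which this page does not show, that message is built from a NULL pointer. A guard in the message is cheap, for example `fprintf(out, "No IKE counters found for '%s'\n", name ?: "");`, or a separate message for the global case. `print_one` itself sits in the preceding hunk, which starts outside this view.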
@@ -21,68 +24,15 @@ #ifndef STROKE_COUNTER_H_ #define STROKE_COUNTER_H_ -#include +#include typedef struct stroke_counter_t stroke_counter_t; -typedef enum stroke_counter_type_t stroke_counter_type_t; - -enum stroke_counter_type_t { - /** initiated IKE_SA rekeyings */ - COUNTER_INIT_IKE_SA_REKEY, - /** responded IKE_SA rekeyings */ - COUNTER_RESP_IKE_SA_REKEY, - /** completed CHILD_SA rekeyings */ - COUNTER_CHILD_SA_REKEY, - /** messages with invalid types, length, or a value out of range */ - COUNTER_IN_INVALID, - /** messages with an invalid IKE SPI */ - COUNTER_IN_INVALID_IKE_SPI, - /** received IKE_SA_INIT requests */ - COUNTER_IN_IKE_SA_INIT_REQ, - /** received IKE_SA_INIT responses */ - COUNTER_IN_IKE_SA_INIT_RSP, - /** sent IKE_SA_INIT requests */ - COUNTER_OUT_IKE_SA_INIT_REQ, - /** sent IKE_SA_INIT responses */ - COUNTER_OUT_IKE_SA_INIT_RES, - /** received IKE_AUTH requests */ - COUNTER_IN_IKE_AUTH_REQ, - /** received IKE_AUTH responses */ - COUNTER_IN_IKE_AUTH_RSP, - /** sent IKE_AUTH requests */ - COUNTER_OUT_IKE_AUTH_REQ, - /** sent IKE_AUTH responses */ - COUNTER_OUT_IKE_AUTH_RSP, - /** received CREATE_CHILD_SA requests */ - COUNTER_IN_CREATE_CHILD_SA_REQ, - /** received CREATE_CHILD_SA responses */ - COUNTER_IN_CREATE_CHILD_SA_RSP, - /** sent CREATE_CHILD_SA requests */ - COUNTER_OUT_CREATE_CHILD_SA_REQ, - /** sent CREATE_CHILD_SA responses */ - COUNTER_OUT_CREATE_CHILD_SA_RSP, - /** received INFORMATIONAL requests */ - COUNTER_IN_INFORMATIONAL_REQ, - /** received INFORMATIONAL responses */ - COUNTER_IN_INFORMATIONAL_RSP, - /** sent INFORMATIONAL requests */ - COUNTER_OUT_INFORMATIONAL_REQ, - /** sent INFORMATIONAL responses */ - COUNTER_OUT_INFORMATIONAL_RSP, - /** number of counter types */ - COUNTER_MAX -}; /** - * Collection of counter values for different IKE events. + * Interface for counter values for different IKE events. */ struct stroke_counter_t { - /** - * Implements listener_t. 
- */ - listener_t listener; - /** * Print counter values to an output stream. * diff --git a/src/libcharon/plugins/stroke/stroke_plugin.c b/src/libcharon/plugins/stroke/stroke_plugin.c index 62095e368..0a34fb458 100644 --- a/src/libcharon/plugins/stroke/stroke_plugin.c +++ b/src/libcharon/plugins/stroke/stroke_plugin.c @@ -66,6 +66,7 @@ METHOD(plugin_t, get_features, int, static plugin_feature_t f[] = { PLUGIN_CALLBACK((plugin_feature_callback_t)register_stroke, NULL), PLUGIN_PROVIDE(CUSTOM, "stroke"), + PLUGIN_SDEPEND(CUSTOM, "counters"), PLUGIN_SDEPEND(PRIVKEY, KEY_RSA), PLUGIN_SDEPEND(PRIVKEY, KEY_ECDSA), PLUGIN_SDEPEND(PRIVKEY, KEY_DSA), diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c index 65d345db3..c568440b7 100644 --- a/src/libcharon/plugins/stroke/stroke_socket.c +++ b/src/libcharon/plugins/stroke/stroke_socket.c @@ -744,7 +744,6 @@ METHOD(stroke_socket_t, destroy, void, &this->attribute->provider); charon->attributes->remove_handler(charon->attributes, &this->handler->handler); - charon->bus->remove_listener(charon->bus, &this->counter->listener); this->cred->destroy(this->cred); this->ca->destroy(this->ca); this->config->destroy(this->config); @@ -789,7 +788,7 @@ stroke_socket_t *stroke_socket_create() &this->attribute->provider); charon->attributes->add_handler(charon->attributes, &this->handler->handler); - charon->bus->add_listener(charon->bus, &this->counter->listener); + max_concurrent = lib->settings->get_int(lib->settings, "%s.plugins.stroke.max_concurrent", MAX_CONCURRENT_DEFAULT, diff --git a/src/libcharon/plugins/systime_fix/Makefile.in b/src/libcharon/plugins/systime_fix/Makefile.in index 278eaa17b..0667d359c 100644 --- a/src/libcharon/plugins/systime_fix/Makefile.in +++ b/src/libcharon/plugins/systime_fix/Makefile.in 
@@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/systime_fix/systime_fix_plugin.c b/src/libcharon/plugins/systime_fix/systime_fix_plugin.c index c1594b0b2..3209c91dc 100644 --- a/src/libcharon/plugins/systime_fix/systime_fix_plugin.c +++ b/src/libcharon/plugins/systime_fix/systime_fix_plugin.c @@ -1,6 +1,6 @@ /* - * Copyright (C) 2013 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2013-2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2013 Martin Willi * Copyright (C) 2013 revosec AG @@ -54,6 +54,11 @@ struct private_systime_fix_plugin_t { */ u_int interval; + /** + * How long to wait for a valid system time, 0 to wait indefinitely + */ + time_t timeout; + /** * Timestamp where we start considering system time valid */ @@ -117,6 +122,23 @@ static bool has_invalid_certs(ike_sa_t *ike_sa) return !valid; } +/** + * Check if we reached the timeout + */ +static inline bool timeout_reached(private_systime_fix_plugin_t *this) +{ + if (this->timeout == 0) + { /* disabled */ + return FALSE; + } + if (this->timeout <= this->interval) + { + return TRUE; + } + this->timeout -= this->interval; + return FALSE; +} + /** * Check system time, reevaluate certificates */ 
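Review bot: `timeout_reached()` in systime_fix_plugin.c subtracts `interval` from `this->timeout` on every call, so the field documented as "How long to wait for a valid system time" is consumed at run time and the effective wait is roughly rounded up to a whole number of check intervals. Counting intervals instead of reading the clock makes sense here, since the wall clock is what the plugin distrusts, but no comment says so. I would extend the helper's comment to `Check if we reached the timeout; counts check intervals and decrements this->timeout as a side effect`. The `timeout` field comment should also say that it has no effect when `interval` is 0, because the `plugin_cb` hunk further down only schedules `check_systime` when `interval != 0`.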
@@ -129,15 +151,23 @@ static job_requeue_t check_systime(private_systime_fix_plugin_t *this) if (time(NULL) < this->threshold) { - DBG2(DBG_CFG, "systime not valid, rechecking in %ds", this->interval); - lib->scheduler->schedule_job(lib->scheduler, (job_t*) - callback_job_create((callback_job_cb_t)check_systime, this, - NULL, NULL), this->interval); - return JOB_REQUEUE_NONE; + if (!timeout_reached(this)) + { + DBG2(DBG_CFG, "system time not valid, rechecking in %us", + this->interval); + return JOB_RESCHEDULE(this->interval); + } + DBG1(DBG_CFG, "timeout reached while waiting for valid system time, " + "force rechecking certificates"); + /* force regular lifetime checks for new connections */ + lib->credmgr->remove_validator(lib->credmgr, + &this->validator->validator); + } + else + { + DBG1(DBG_CFG, "system time got valid, rechecking certificates"); } - DBG1(DBG_CFG, "system time got valid, rechecking certificates"); - enumerator = charon->ike_sa_manager->create_enumerator( charon->ike_sa_manager, TRUE); while (enumerator->enumerate(enumerator, &ike_sa)) @@ -225,7 +255,7 @@ static bool plugin_cb(private_systime_fix_plugin_t *this, lib->credmgr->add_validator(lib->credmgr, &this->validator->validator); if (this->interval != 0) { - DBG1(DBG_CFG, "starting systime check, interval: %ds", + DBG1(DBG_CFG, "starting system time check, interval: %us", this->interval); lib->scheduler->schedule_job(lib->scheduler, (job_t*) callback_job_create((callback_job_cb_t)check_systime, @@ -275,6 +305,8 @@ plugin_t *systime_fix_plugin_create() }, .interval = lib->settings->get_int(lib->settings, "%s.plugins.%s.interval", 0, lib->ns, get_name(this)), + .timeout = lib->settings->get_time(lib->settings, + "%s.plugins.%s.timeout", 0, lib->ns, get_name(this)), .reauth = lib->settings->get_bool(lib->settings, "%s.plugins.%s.reauth", FALSE, lib->ns, get_name(this)), ); 
diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in index 3b146e1ee..dcf2c5858 100644 --- a/src/libcharon/plugins/tnc_ifmap/Makefile.in +++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in @@ -250,9 +250,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in index 3452080a8..02587d1f0 100644 --- a/src/libcharon/plugins/tnc_pdp/Makefile.in +++ b/src/libcharon/plugins/tnc_pdp/Makefile.in @@ -251,9 +251,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in index 2c127985c..a01a5f74e 100644 --- a/src/libcharon/plugins/uci/Makefile.in +++ b/src/libcharon/plugins/uci/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in index b82c37966..fd29de336 100644 --- a/src/libcharon/plugins/unity/Makefile.in +++ b/src/libcharon/plugins/unity/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ 
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in index 4c648fbad..0f2a055d2 100644 --- a/src/libcharon/plugins/updown/Makefile.in +++ b/src/libcharon/plugins/updown/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/vici/Makefile.am b/src/libcharon/plugins/vici/Makefile.am index af0b65cd0..e8bcdbaa3 100644 --- a/src/libcharon/plugins/vici/Makefile.am +++ b/src/libcharon/plugins/vici/Makefile.am @@ -2,6 +2,7 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libstrongswan/plugins/pubkey \ -I$(top_srcdir)/src/libcharon \ + -I$(top_srcdir)/src/libcharon/plugins/counters \ -DSWANCTLDIR=\""${swanctldir}\"" \ -DIPSEC_PIDDIR=\"${piddir}\" diff --git a/src/libcharon/plugins/vici/Makefile.in b/src/libcharon/plugins/vici/Makefile.in index cd3dafb08..d28223dca 100644 --- a/src/libcharon/plugins/vici/Makefile.in +++ b/src/libcharon/plugins/vici/Makefile.in @@ -343,9 +343,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -550,6 +552,7 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libstrongswan/plugins/pubkey \ -I$(top_srcdir)/src/libcharon \ + -I$(top_srcdir)/src/libcharon/plugins/counters \ -DSWANCTLDIR=\""${swanctldir}\"" \ -DIPSEC_PIDDIR=\"${piddir}\" diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md index f47f80cad..83521250d 100644 --- a/src/libcharon/plugins/vici/README.md +++ b/src/libcharon/plugins/vici/README.md 
@@ -682,6 +682,35 @@ List currently loaded algorithms and their implementation. } } +### get-counters() ### + +List global or connection-specific counters for several IKE events. + + { + name = + all = + } => { + counters = { + = { + + } + } + success = + errmsg = + } + +### reset-counters() ### + +Reset global or connection-specific IKE event counters. + + { + name = + all = + } => { + success = + errmsg = + } + ## Server-issued events ## Based on the packet layer, the vici plugin raises event messages using named diff --git a/src/libcharon/plugins/vici/perl/Makefile.in b/src/libcharon/plugins/vici/perl/Makefile.in index f48eb6abb..59b0774b8 100644 --- a/src/libcharon/plugins/vici/perl/Makefile.in +++ b/src/libcharon/plugins/vici/perl/Makefile.in @@ -161,9 +161,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/vici/python/Makefile.in b/src/libcharon/plugins/vici/python/Makefile.in index 7d5944ab1..057ea88f4 100644 --- a/src/libcharon/plugins/vici/python/Makefile.in +++ b/src/libcharon/plugins/vici/python/Makefile.in @@ -183,9 +183,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/vici/ruby/Makefile.in b/src/libcharon/plugins/vici/ruby/Makefile.in index b1222765b..ff4e07d2d 100644 --- a/src/libcharon/plugins/vici/ruby/Makefile.in +++ b/src/libcharon/plugins/vici/ruby/Makefile.in 
@@ -161,9 +161,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -474,8 +476,8 @@ distclean-generic: maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -@RUBY_GEMS_INSTALL_FALSE@install-data-local: @RUBY_GEMS_INSTALL_FALSE@uninstall-local: +@RUBY_GEMS_INSTALL_FALSE@install-data-local: clean: clean-am clean-am: clean-generic clean-libtool clean-local mostlyclean-am diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c index 0c355e3a0..e0e2955e2 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c @@ -495,6 +495,7 @@ static void log_child_data(child_data_t *data, char *name) { child_cfg_create_t *cfg = &data->cfg; +#define has_opt(opt) ({ (cfg->options & (opt)) == (opt); }) DBG2(DBG_CFG, " child %s:", name); DBG2(DBG_CFG, " rekey_time = %llu", cfg->lifetime.time.rekey); DBG2(DBG_CFG, " life_time = %llu", cfg->lifetime.time.life); 
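Review bot: `has_opt` is defined inside `log_child_data()` in vici_config.c and, as far as the following hunk shows, never undefined: the function closes right after the `sha256_96` line. The macro therefore stays visible for the rest of the file and silently picks up whatever `cfg` happens to be in scope at a later use. Adding `#undef has_opt` before the closing brace keeps it local. The statement-expression wrapper is not needed for a single comparison either; `#define has_opt(opt) ((cfg->options & (opt)) == (opt))` does the same in standard C. The function body continues outside this hunk.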
@@ -506,12 +507,12 @@ static void log_child_data(child_data_t *data, char *name) DBG2(DBG_CFG, " life_packets = %llu", cfg->lifetime.packets.life); DBG2(DBG_CFG, " rand_packets = %llu", cfg->lifetime.packets.jitter); DBG2(DBG_CFG, " updown = %s", cfg->updown); - DBG2(DBG_CFG, " hostaccess = %u", cfg->options & OPT_HOSTACCESS); - DBG2(DBG_CFG, " ipcomp = %u", cfg->options & OPT_IPCOMP); + DBG2(DBG_CFG, " hostaccess = %u", has_opt(OPT_HOSTACCESS)); + DBG2(DBG_CFG, " ipcomp = %u", has_opt(OPT_IPCOMP)); DBG2(DBG_CFG, " mode = %N%s", ipsec_mode_names, cfg->mode, - cfg->options & OPT_PROXY_MODE ? "_PROXY" : ""); + has_opt(OPT_PROXY_MODE) ? "_PROXY" : ""); DBG2(DBG_CFG, " policies = %u", data->policies); - DBG2(DBG_CFG, " policies_fwd_out = %u", cfg->options & OPT_FWD_OUT_POLICIES); + DBG2(DBG_CFG, " policies_fwd_out = %u", has_opt(OPT_FWD_OUT_POLICIES)); if (data->replay_window != REPLAY_UNDEFINED) { DBG2(DBG_CFG, " replay_window = %u", data->replay_window); @@ -525,14 +526,15 @@ static void log_child_data(child_data_t *data, char *name) DBG2(DBG_CFG, " interface = %s", cfg->interface); DBG2(DBG_CFG, " mark_in = %u/%u", cfg->mark_in.value, cfg->mark_in.mask); + DBG2(DBG_CFG, " mark_in_sa = %u", has_opt(OPT_MARK_IN_SA)); DBG2(DBG_CFG, " mark_out = %u/%u", cfg->mark_out.value, cfg->mark_out.mask); DBG2(DBG_CFG, " inactivity = %llu", cfg->inactivity); DBG2(DBG_CFG, " proposals = %#P", data->proposals); DBG2(DBG_CFG, " local_ts = %#R", data->local_ts); DBG2(DBG_CFG, " remote_ts = %#R", data->remote_ts); - DBG2(DBG_CFG, " hw_offload = %u", cfg->options & OPT_HW_OFFLOAD); - DBG2(DBG_CFG, " sha256_96 = %u", cfg->options & OPT_SHA256_96); + DBG2(DBG_CFG, " hw_offload = %u", has_opt(OPT_HW_OFFLOAD)); + DBG2(DBG_CFG, " sha256_96 = %u", has_opt(OPT_SHA256_96)); } /** @@ -882,7 +884,7 @@ CALLBACK(parse_opt_fwd_out, bool, } /** - * Parse OPT_FWD_OUT_POLICIES option + * Parse OPT_IPCOMP option */ CALLBACK(parse_opt_ipcomp, bool, child_cfg_option_t *out, chunk_t v) 
@@ -908,6 +910,15 @@ CALLBACK(parse_opt_sha256_96, bool, return parse_option(out, OPT_SHA256_96, v); } +/** + * Parse OPT_MARK_IN_SA option + */ +CALLBACK(parse_opt_mark_in, bool, + child_cfg_option_t *out, chunk_t v) +{ + return parse_option(out, OPT_MARK_IN_SA, v); +} + /** * Parse an action_t */ @@ -1562,6 +1573,7 @@ CALLBACK(child_kv, bool, { "inactivity", parse_time, &child->cfg.inactivity }, { "reqid", parse_uint32, &child->cfg.reqid }, { "mark_in", parse_mark, &child->cfg.mark_in }, + { "mark_in_sa", parse_opt_mark_in, &child->cfg.options }, { "mark_out", parse_mark, &child->cfg.mark_out }, { "tfc_padding", parse_tfc, &child->cfg.tfc }, { "priority", parse_uint32, &child->cfg.priority }, diff --git a/src/libcharon/plugins/vici/vici_plugin.c b/src/libcharon/plugins/vici/vici_plugin.c index 136651261..53da75e2a 100644 --- a/src/libcharon/plugins/vici/vici_plugin.c +++ b/src/libcharon/plugins/vici/vici_plugin.c @@ -176,6 +176,7 @@ METHOD(plugin_t, get_features, int, static plugin_feature_t f[] = { PLUGIN_CALLBACK((plugin_feature_callback_t)register_vici, NULL), PLUGIN_PROVIDE(CUSTOM, "vici"), + PLUGIN_SDEPEND(CUSTOM, "counters"), }; *features = f; return countof(f); diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c index 2cc59591f..134ea375d 100644 --- a/src/libcharon/plugins/vici/vici_query.c +++ b/src/libcharon/plugins/vici/vici_query.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2015 Tobias Brunner, Andreas Steffen + * Copyright (C) 2015-2017 Tobias Brunner + * Copyright (C) 2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2014 Martin Willi 
@@ -55,6 +56,32 @@ #include #include #include +#include + +ENUM(vici_counter_type_names, + COUNTER_INIT_IKE_SA_REKEY, COUNTER_OUT_INFORMATIONAL_RSP, + "ike-rekey-init", + "ike-rekey-resp", + "child-rekey", + "invalid", + "invalid-spi", + "ike-init-in-req", + "ike-init-in-resp", + "ike-init-out-req", + "ike-init-out-resp", + "ike-auth-in-req", + "ike-auth-in-resp", + "ike-auth-out-req", + "ike-auth-out-resp", + "create-child-in-req", + "create-child-in-resp", + "create-child-out-req", + "create-child-out-resp", + "info-in-req", + "info-in-resp", + "info-out-req", + "info-out-resp", +); typedef struct private_vici_query_t private_vici_query_t; @@ -73,6 +100,11 @@ struct private_vici_query_t { */ vici_dispatcher_t *dispatcher; + /** + * Query interface for counters + */ + counters_query_t *counters; + /** * Daemon startup timestamp */ 
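Review bot: `vici_counter_type_names` maps 21 strings by position onto the range `COUNTER_INIT_IKE_SA_REKEY` to `COUNTER_OUT_INFORMATIONAL_RSP`, and `add_counters()` in a later hunk looks up a name for every value below `COUNTER_MAX`. The enum is not defined in this file, so a counter added or reordered there without a matching change here would presumably show up only as a wrong key in the vici reply. A comment above the `ENUM` would make the coupling explicit: `/* keys reported to vici clients, must follow the order of counter_type_t */`.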
@@ -1223,6 +1255,131 @@ CALLBACK(get_algorithms, vici_message_t*, return b->finalize(b); } +/** + * Make sure we have the counters query interface + */ +static inline bool ensure_counters(private_vici_query_t *this) +{ + if (this->counters) + { + return TRUE; + } + return (this->counters = lib->get(lib, "counters")) != NULL; +} + +/** + * Add a single set of counters to the message + * + * Frees the array of counter values + */ +static void add_counters(vici_builder_t *b, char *name, uint64_t *counters) +{ + char buf[BUF_LEN]; + counter_type_t i; + + b->begin_section(b, name ?: ""); + for (i = 0; i < COUNTER_MAX; i++) + { + snprintf(buf, sizeof(buf), "%N", vici_counter_type_names, i); + b->add_kv(b, buf, "%"PRIu64, counters[i]); + } + b->end_section(b); + free(counters); +} + +CALLBACK(get_counters, vici_message_t*, + private_vici_query_t *this, char *name, u_int id, vici_message_t *request) +{ + vici_builder_t *b; + enumerator_t *enumerator; + uint64_t *counters; + char *conn, *errmsg = NULL; + bool all; + + b = vici_builder_create(); + + if (ensure_counters(this)) + { + conn = request->get_str(request, NULL, "name"); + all = request->get_bool(request, FALSE, "all"); + + b->begin_section(b, "counters"); + if (all) + { + enumerator = this->counters->get_names(this->counters); + while (enumerator->enumerate(enumerator, &conn)) + { + counters = this->counters->get_all(this->counters, conn); + if (counters) + { + add_counters(b, conn, counters); + } + } + enumerator->destroy(enumerator); + } + else + { + counters = this->counters->get_all(this->counters, conn); + if (counters) + { + add_counters(b, conn, counters); + } + else + { + errmsg = "no counters found for this connection"; + } + } + b->end_section(b); + } + else + { + errmsg = "no counters available (plugin missing?)"; + } + + b->add_kv(b, "success", errmsg ? 
"no" : "yes"); + if (errmsg) + { + b->add_kv(b, "errmsg", "%s", errmsg); + } + return b->finalize(b); +} + +CALLBACK(reset_counters, vici_message_t*, + private_vici_query_t *this, char *name, u_int id, vici_message_t *request) +{ + vici_builder_t *b; + char *conn, *errmsg = NULL; + bool all; + + b = vici_builder_create(); + + if (ensure_counters(this)) + { + conn = request->get_str(request, NULL, "name"); + all = request->get_bool(request, FALSE, "all"); + + if (all) + { + this->counters->reset_all(this->counters); + } + else + { + this->counters->reset(this->counters, conn); + } + } + else + { + errmsg = "no counters available (plugin missing?)"; + } + + b->add_kv(b, "success", errmsg ? "no" : "yes"); + if (errmsg) + { + b->add_kv(b, "errmsg", "%s", errmsg); + } + return b->finalize(b); +} + CALLBACK(version, vici_message_t*, private_vici_query_t *this, char *name, u_int id, vici_message_t *request) { @@ -1423,6 +1580,8 @@ static void manage_commands(private_vici_query_t *this, bool reg) manage_command(this, "list-conns", list_conns, reg); manage_command(this, "list-certs", list_certs, reg); manage_command(this, "get-algorithms", get_algorithms, reg); + manage_command(this, "get-counters", get_counters, reg); + manage_command(this, "reset-counters", reset_counters, reg); manage_command(this, "version", version, reg); manage_command(this, "stats", stats, reg); } diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in index 50c790af5..ad9a092cc 100644 --- a/src/libcharon/plugins/whitelist/Makefile.in +++ b/src/libcharon/plugins/whitelist/Makefile.in @@ -254,9 +254,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ 
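Review bot: `reset_counters` clears counters at the request of a vici client and leaves no trace in the daemon log. The set includes `invalid` and `invalid-spi`, which operators may be watching for malformed or unsolicited traffic, so a reset is worth recording. A line before the reset such as `DBG1(DBG_CFG, "vici client %u reset IKE counters (%s)", id, all ? "all" : (conn ?: "global"));` would do, assuming `id` identifies the client connection as it appears to. Separately, the result of `reset()` is not checked, so the reply is `success = yes` even for a connection name without counters, whereas `get_counters` answers `no counters found for this connection`.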
diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in index 7d3dc897b..d702a01a6 100644 --- a/src/libcharon/plugins/xauth_eap/Makefile.in +++ b/src/libcharon/plugins/xauth_eap/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in index 8b937bb8d..eeeb4190a 100644 --- a/src/libcharon/plugins/xauth_generic/Makefile.in +++ b/src/libcharon/plugins/xauth_generic/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.in b/src/libcharon/plugins/xauth_noauth/Makefile.in index ff2e6e9ab..87a6c872a 100644 --- a/src/libcharon/plugins/xauth_noauth/Makefile.in +++ b/src/libcharon/plugins/xauth_noauth/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in index 0f320dfeb..a224ffba4 100644 --- a/src/libcharon/plugins/xauth_pam/Makefile.in +++ b/src/libcharon/plugins/xauth_pam/Makefile.in 
@@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index 4133d9182..91da4d3e6 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -254,7 +254,7 @@ struct private_child_sa_t { }; /** - * convert an IKEv2 specific protocol identifier to the IP protocol identifier. + * Convert an IKEv2 specific protocol identifier to the IP protocol identifier */ static inline uint8_t proto_ike2ip(protocol_id_t protocol) { @@ -269,6 +269,18 @@ static inline uint8_t proto_ike2ip(protocol_id_t protocol) } } +/** + * Returns the mark to use on the inbound SA + */ +static inline mark_t mark_in_sa(private_child_sa_t *this) +{ + if (this->config->has_option(this->config, OPT_MARK_IN_SA)) + { + return this->mark_in; + } + return (mark_t){}; +} + METHOD(child_sa_t, get_name, char*, private_child_sa_t *this) { @@ -525,6 +537,7 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound) .dst = this->my_addr, .spi = this->my_spi, .proto = proto_ike2ip(this->protocol), + .mark = mark_in_sa(this), }; kernel_ipsec_query_sa_t query = {}; @@ -857,7 +870,7 @@ static status_t install_internal(private_child_sa_t *this, chunk_t encr, .dst = dst, .spi = spi, .proto = proto_ike2ip(this->protocol), - .mark = inbound ? (mark_t){} : this->mark_out, + .mark = inbound ? mark_in_sa(this) : this->mark_out, }; sa = (kernel_ipsec_add_sa_t){ .reqid = this->reqid, @@ -1475,6 +1488,7 @@ METHOD(child_sa_t, update, status_t, .dst = this->my_addr, .spi = this->my_spi, .proto = proto_ike2ip(this->protocol), + .mark = mark_in_sa(this), }; kernel_ipsec_update_sa_t sa = { .cpi = this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0, 
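Review bot: The comment on `mark_in_sa()` in child_sa.c says what it returns but leaves out the two things a maintainer needs. Without `OPT_MARK_IN_SA` the inbound SA gets an empty mark, as it did before this change, and every kernel call that identifies the inbound SA has to use this helper. The hunks here do that for the query in `update_usebytes`, the add in `install_internal` and `update`, with `destroy` following in the next hunk; a later call site that fills `.mark` differently would presumably fail to find the SA in the kernel. I would extend the comment to `Returns the mark to use on the inbound SA (empty unless OPT_MARK_IN_SA is set); use it for every kernel operation on that SA`.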
@@ -1660,6 +1674,7 @@ METHOD(child_sa_t, destroy, void, .dst = this->my_addr, .spi = this->my_spi, .proto = proto_ike2ip(this->protocol), + .mark = mark_in_sa(this), }; kernel_ipsec_del_sa_t sa = { .cpi = this->my_cpi, diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index 045858792..823cf2579 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2016 Tobias Brunner + * Copyright (C) 2006-2017 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -914,9 +914,15 @@ METHOD(ike_sa_t, set_state, void, } METHOD(ike_sa_t, reset, void, - private_ike_sa_t *this) + private_ike_sa_t *this, bool new_spi) { - /* the responder ID is reset, as peer may choose another one */ + /* reset the initiator SPI if requested */ + if (new_spi) + { + charon->ike_sa_manager->new_initiator_spi(charon->ike_sa_manager, + &this->public); + } + /* the responder ID is reset, as peer may choose another one */ if (this->ike_sa_id->is_initiator(this->ike_sa_id)) { this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0); @@ -1849,7 +1855,7 @@ METHOD(ike_sa_t, reauth, status_t, { DBG0(DBG_IKE, "reinitiating IKE_SA %s[%d]", get_name(this), this->unique_id); - reset(this); + reset(this, TRUE); return this->task_manager->initiate(this->task_manager); } /* we can't reauthenticate as responder when we use EAP or virtual IPs. @@ -2222,7 +2228,7 @@ static bool redirect_connecting(private_ike_sa_t *this, identification_t *to) { return FALSE; } - reset(this); + reset(this, TRUE); DESTROY_IF(this->redirected_from); this->redirected_from = this->other_host->clone(this->other_host); DESTROY_IF(this->remote_host); 
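Review bot: `reset()` in ike_sa.c discards the result of `new_initiator_spi()`, which returns FALSE on several paths shown in ike_sa_manager.c (wrong state, not the initiator, SA not checked out by this thread, no SPI available, entry not found). In those cases the SA is reinitiated with the old initiator SPI, and the callers in `reauth`, `redirect_connecting` and `retransmit` cannot tell. If falling back to the old SPI is intended, say so at the call: `/* best effort, on failure we retry with the previous SPI */`. Otherwise the result needs a way back to the caller, which the `void` signature does not offer at present. `reset` continues past the end of this hunk.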
@@ -2351,7 +2357,7 @@ METHOD(ike_sa_t, retransmit, status_t, { DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)", this->keyingtry + 1, tries); - reset(this); + reset(this, TRUE); resolve_hosts(this); return this->task_manager->initiate(this->task_manager); } diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h index c8ba2fd2a..fbc367292 100644 --- a/src/libcharon/sa/ike_sa.h +++ b/src/libcharon/sa/ike_sa.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2016 Tobias Brunner + * Copyright (C) 2006-2017 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -1014,7 +1014,7 @@ struct ike_sa_t { /** * Rekey the IKE_SA. * - * Sets up a new IKE_SA, moves all CHILDs to it and deletes this IKE_SA. + * Sets up a new IKE_SA, moves all CHILD_SAs to it and deletes this IKE_SA. * * @return - SUCCESS, if IKE_SA rekeying initiated */ @@ -1169,9 +1169,11 @@ struct ike_sa_t { void (*inherit_post) (ike_sa_t *this, ike_sa_t *other); /** - * Reset the IKE_SA, useable when initiating fails + * Reset the IKE_SA, useable when initiating fails. + * + * @param new_spi TRUE to allocate a new initiator SPI */ - void (*reset) (ike_sa_t *this); + void (*reset) (ike_sa_t *this, bool new_spi); /** * Destroys a ike_sa_t object. diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c index c0bfebb83..101d98678 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -1,9 +1,10 @@ /* * Copyright (C) 2005-2011 Martin Willi * Copyright (C) 2011 revosec AG - * Copyright (C) 2008-2016 Tobias Brunner + * + * Copyright (C) 2008-2017 Tobias Brunner * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
@@ -1572,6 +1573,88 @@ METHOD(ike_sa_manager_t, checkout_by_name, ike_sa_t*, return ike_sa; } +METHOD(ike_sa_manager_t, new_initiator_spi, bool, + private_ike_sa_manager_t *this, ike_sa_t *ike_sa) +{ + ike_sa_state_t state; + ike_sa_id_t *ike_sa_id; + entry_t *entry; + u_int segment; + uint64_t new_spi, spi; + + state = ike_sa->get_state(ike_sa); + if (state != IKE_CONNECTING) + { + DBG1(DBG_MGR, "unable to change initiator SPI for IKE_SA in state " + "%N", ike_sa_state_names, state); + return FALSE; + } + + ike_sa_id = ike_sa->get_id(ike_sa); + if (!ike_sa_id->is_initiator(ike_sa_id)) + { + DBG1(DBG_MGR, "unable to change initiator SPI of IKE_SA as responder"); + return FALSE; + } + + if (ike_sa != charon->bus->get_sa(charon->bus)) + { + DBG1(DBG_MGR, "unable to change initiator SPI of IKE_SA not checked " + "out by current thread"); + return FALSE; + } + + new_spi = get_spi(this); + if (!new_spi) + { + DBG1(DBG_MGR, "unable to allocate new initiator SPI for IKE_SA"); + return FALSE; + } + + if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS) + { + if (entry->driveout_waiting_threads && entry->driveout_new_threads) + { /* it looks like flush() has been called and the SA is being deleted + * anyway, no need for a new SPI */ + DBG2(DBG_MGR, "ignored change of initiator SPI during shutdown"); + unlock_single_segment(this, segment); + return FALSE; + } + /* threads waiting for this entry do so using the (soon) wrong IKE_SA + * ID and, therefore, likely on the wrong segment, so drive them out */ + entry->driveout_waiting_threads = TRUE; + entry->driveout_new_threads = TRUE; + while (entry->waiting_threads) + { + entry->condvar->broadcast(entry->condvar); + entry->condvar->wait(entry->condvar, this->segments[segment].mutex); + } + remove_entry(this, entry); + unlock_single_segment(this, segment); + } + else + { + DBG1(DBG_MGR, "unable to change initiator SPI of IKE_SA, not found"); + return FALSE; + } + + spi = 
ike_sa_id->get_initiator_spi(ike_sa_id); + + DBG2(DBG_MGR, "change initiator SPI of IKE_SA %s[%u] from %.16"PRIx64" to " + "%.16"PRIx64, ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa), + be64toh(spi), be64toh(new_spi)); + + ike_sa_id->set_initiator_spi(ike_sa_id, new_spi); + entry->ike_sa_id->replace_values(entry->ike_sa_id, ike_sa_id); + + entry->driveout_waiting_threads = FALSE; + entry->driveout_new_threads = FALSE; + + segment = put_entry(this, entry); + unlock_single_segment(this, segment); + return TRUE; +} + CALLBACK(enumerator_filter_wait, bool, private_ike_sa_manager_t *this, enumerator_t *orig, va_list args) { @@ -2277,6 +2360,7 @@ ike_sa_manager_t *ike_sa_manager_create() .checkout_by_config = _checkout_by_config, .checkout_by_id = _checkout_by_id, .checkout_by_name = _checkout_by_name, + .new_initiator_spi = _new_initiator_spi, .check_uniqueness = _check_uniqueness, .has_contact = _has_contact, .create_enumerator = _create_enumerator, diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h index 4298c54e2..efad2e4d6 100644 --- a/src/libcharon/sa/ike_sa_manager.h +++ b/src/libcharon/sa/ike_sa_manager.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2008-2015 Tobias Brunner + * Copyright (C) 2008-2017 Tobias Brunner * Copyright (C) 2005-2008 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
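Review bot: Between `remove_entry()` / `unlock_single_segment()` and the final `put_entry()` in `new_initiator_spi()`, the entry is linked into no segment and is modified without a segment mutex held, and nothing in the code says why that is safe. It appears to rely on the SA being checked out by the calling thread (the `charon->bus->get_sa()` check) and on the driveout loop having emptied the waiters. Whether a concurrent `flush()` or an enumerator can miss the SA during that window is not visible from this hunk. A comment before `spi = ike_sa_id->get_initiator_spi(ike_sa_id);` would record the invariant, for example `/* entry is unlinked and exclusively ours until put_entry() re-adds it under the new SPI */`.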
@@ -108,6 +108,17 @@ struct ike_sa_manager_t { ike_sa_t* (*checkout_by_config) (ike_sa_manager_t* this, peer_cfg_t *peer_cfg); + /** + * Reset initiator SPI. + * + * Allocate a new initiator SPI for the given IKE_SA in state IKE_CONNECTING + * and update internal data. + * + * @param ike_sa IKE_SA to update + * @return TRUE if SPI successfully changed + */ + bool (*new_initiator_spi)(ike_sa_manager_t* this, ike_sa_t *ike_sa); + /** * Check for duplicates of the given IKE_SA. * diff --git a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c index 344c1bf5d..41be15a08 100644 --- a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c +++ b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c @@ -110,7 +110,7 @@ METHOD(authenticator_t, build, status_t, } free(dh.ptr); - if (private->sign(private, scheme, hash, &sig)) + if (private->sign(private, scheme, NULL, hash, &sig)) { sig_payload = hash_payload_create(PLV1_SIGNATURE); sig_payload->set_hash(sig_payload, sig); @@ -176,7 +176,7 @@ METHOD(authenticator_t, process, status_t, id, auth, TRUE); while (enumerator->enumerate(enumerator, &public, ¤t_auth)) { - if (public->verify(public, scheme, hash, sig)) + if (public->verify(public, scheme, NULL, hash, sig)) { DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id, signature_scheme_names, scheme); diff --git a/src/libcharon/sa/ikev1/iv_manager.c b/src/libcharon/sa/ikev1/iv_manager.c index c9f737ccd..2a6e5c04f 100644 --- a/src/libcharon/sa/ikev1/iv_manager.c +++ b/src/libcharon/sa/ikev1/iv_manager.c @@ -15,6 +15,7 @@ #include "iv_manager.h" +#include #include /** diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c index 628ea0de8..4c16adba3 100644 --- a/src/libcharon/sa/ikev1/tasks/main_mode.c +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c 
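Review bot: The doc comment added for `new_initiator_spi` in `ike_sa_manager.h` names only the IKE_CONNECTING state and omits the other conditions under which the implementation returns FALSE. The implementation also requires that we are initiator and that the SA is checked out by the calling thread. A caller reading only the header would not know the thread requirement. Suggest adding `* The IKE_SA must be checked out by the calling thread and we must be initiator.` to the description and extending the return line to `@return TRUE if SPI successfully changed, FALSE otherwise (SPI unchanged)`.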
@@ -221,8 +221,7 @@ static void add_initial_contact(private_main_mode_t *this, message_t *message, idr = this->ph1->get_id(this->ph1, this->peer_cfg, FALSE); if (idr && !idr->contains_wildcards(idr)) { - if (this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO && - this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER) + if (this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER) { host = this->ike_sa->get_other_host(this->ike_sa); if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager, diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c index 19ea72d0b..65baf8771 100644 --- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2008-2015 Tobias Brunner + * Copyright (C) 2008-2017 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -61,10 +61,9 @@ struct private_pubkey_authenticator_t { * Parse authentication data used for Signature Authentication as per RFC 7427 */ static bool parse_signature_auth_data(chunk_t *auth_data, key_type_t *key_type, - signature_scheme_t *scheme) + signature_params_t *params) { uint8_t len; - int oid; if (!auth_data->len) { 
@@ -72,14 +71,11 @@ static bool parse_signature_auth_data(chunk_t *auth_data, key_type_t *key_type, } len = auth_data->ptr[0]; *auth_data = chunk_skip(*auth_data, 1); - /* we currently don't support schemes that require parameters */ - oid = asn1_parse_algorithmIdentifier(*auth_data, 1, NULL); - *scheme = signature_scheme_from_oid(oid); - if (*scheme == SIGN_UNKNOWN) + if (!signature_params_parse(*auth_data, 1, params)) { return FALSE; } - *key_type = key_type_from_signature_scheme(*scheme); + *key_type = key_type_from_signature_scheme(params->scheme); *auth_data = chunk_skip(*auth_data, len); return TRUE; } @@ -88,18 +84,16 @@ static bool parse_signature_auth_data(chunk_t *auth_data, key_type_t *key_type, * Build authentication data used for Signature Authentication as per RFC 7427 */ static bool build_signature_auth_data(chunk_t *auth_data, - signature_scheme_t scheme) + signature_params_t *params) { chunk_t data; uint8_t len; - int oid; - oid = signature_scheme_to_oid(scheme); - if (oid == OID_UNKNOWN) + if (!signature_params_build(params, &data)) { + chunk_free(auth_data); return FALSE; } - data = asn1_algorithmIdentifier(oid); len = data.len; *auth_data = chunk_cat("cmm", chunk_from_thing(len), data, *auth_data); return TRUE; @@ -114,13 +108,13 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat, { enumerator_t *enumerator; signature_scheme_t scheme; - uintptr_t config; + signature_params_t *config; auth_rule_t rule; key_type_t key_type; bool have_config = FALSE; array_t *selected; - selected = array_create(sizeof(signature_scheme_t), 0); + selected = array_create(0, 0); key_type = private->get_type(private); enumerator = auth->create_enumerator(auth); while (enumerator->enumerate(enumerator, &rule, &config)) 
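Review bot: In `parse_signature_auth_data()` the call `signature_params_parse(*auth_data, 1, params)` receives everything after the length octet, that is the AlgorithmIdentifier plus the signature. The peer-supplied `len` is only used afterwards for `chunk_skip()`. Now that parameters are parsed as well, bounding the parser to the announced length keeps it away from the signature bytes: after the first `chunk_skip()`, `if (len > auth_data->len) { return FALSE; }` and then `signature_params_parse(chunk_create(auth_data->ptr, len), 1, params)`. How `signature_params_parse()` treats trailing data is not visible here, so this is a defensive suggestion. The function starts in the preceding hunk.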
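Review bot: `len = data.len;` in `build_signature_auth_data()` stores a `size_t` in a `uint8_t` without a range check, and with `signature_params_build()` the encoded AlgorithmIdentifier can now carry parameters, so it can be longer than the bare OID form it replaces. If the encoding ever exceeded 255 bytes, the length octet would be silently truncated and the peer would mis-parse the AUTH payload. A guard before the assignment, `if (data.len > 255)`, that frees `data` and `*auth_data` and returns FALSE would make the limit explicit. The closing brace of the function lies outside the hunk.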
@@ -130,12 +124,12 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat, continue; } have_config = TRUE; - if (key_type == key_type_from_signature_scheme(config) && + if (key_type == key_type_from_signature_scheme(config->scheme) && keymat->hash_algorithm_supported(keymat, - hasher_from_signature_scheme(config))) + hasher_from_signature_scheme(config->scheme, + config->params))) { - scheme = config; - array_insert(selected, ARRAY_TAIL, &scheme); + array_insert(selected, ARRAY_TAIL, signature_params_clone(config)); } } enumerator->destroy(enumerator); @@ -146,24 +140,30 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat, * and supported by the other peer */ enumerator = signature_schemes_for_key(key_type, private->get_keysize(private)); - while (enumerator->enumerate(enumerator, &scheme)) + while (enumerator->enumerate(enumerator, &config)) { + if (config->scheme == SIGN_RSA_EMSA_PSS && + !lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, + lib->ns)) + { + continue; + } if (keymat->hash_algorithm_supported(keymat, - hasher_from_signature_scheme(scheme))) + hasher_from_signature_scheme(config->scheme, + config->params))) { - array_insert(selected, ARRAY_TAIL, &scheme); + array_insert(selected, ARRAY_TAIL, + signature_params_clone(config)); } } enumerator->destroy(enumerator); - /* for RSA we tried at least SHA-512, also try other schemes down to - * what we'd use with classic authentication */ + /* for RSA we tried at least SHA-512, also try other schemes */ if (key_type == KEY_RSA) { signature_scheme_t schemes[] = { SIGN_RSA_EMSA_PKCS1_SHA2_384, SIGN_RSA_EMSA_PKCS1_SHA2_256, - SIGN_RSA_EMSA_PKCS1_SHA1, }, contained; bool found; int i, j; 
@@ -182,9 +182,13 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat, } } if (!found && keymat->hash_algorithm_supported(keymat, - hasher_from_signature_scheme(scheme))) + hasher_from_signature_scheme(scheme, + NULL))) { - array_insert(selected, ARRAY_TAIL, &scheme); + INIT(config, + .scheme = scheme, + ) + array_insert(selected, ARRAY_TAIL, config); } } } @@ -192,6 +196,12 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat, return selected; } +CALLBACK(destroy_scheme, void, + signature_params_t *params, int idx, void *user) +{ + signature_params_destroy(params); +} + /** * Create a signature using RFC 7427 signature authentication */ @@ -201,7 +211,7 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this, { enumerator_t *enumerator; keymat_v2_t *keymat; - signature_scheme_t scheme = SIGN_UNKNOWN, *schemep; + signature_params_t *params = NULL; array_t *schemes; chunk_t octets = chunk_empty; status_t status = FAILED; @@ -221,11 +231,11 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this, schemes)) { enumerator = array_create_enumerator(schemes); - while (enumerator->enumerate(enumerator, &schemep)) + while (enumerator->enumerate(enumerator, ¶ms)) { - scheme = *schemep; - if (private->sign(private, scheme, octets, auth_data) && - build_signature_auth_data(auth_data, scheme)) + if (private->sign(private, params->scheme, params->params, octets, + auth_data) && + build_signature_auth_data(auth_data, params)) { status = SUCCESS; break; 
@@ -233,16 +243,34 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this, else { DBG2(DBG_IKE, "unable to create %N signature for %N key", - signature_scheme_names, scheme, key_type_names, + signature_scheme_names, params->scheme, key_type_names, private->get_type(private)); } } enumerator->destroy(enumerator); } - DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id, - signature_scheme_names, scheme, - status == SUCCESS ? "successful" : "failed"); - array_destroy(schemes); + if (params) + { + if (params->scheme == SIGN_RSA_EMSA_PSS) + { + rsa_pss_params_t *pss = params->params; + DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N_%N %s", id, + signature_scheme_names, params->scheme, + hash_algorithm_short_names_upper, pss->hash, + status == SUCCESS ? "successful" : "failed"); + } + else + { + DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id, + signature_scheme_names, params->scheme, + status == SUCCESS ? "successful" : "failed"); + } + } + else + { + DBG1(DBG_IKE, "authentication of '%Y' (myself) failed", id); + } + array_destroy_function(schemes, destroy_scheme, NULL); chunk_free(&octets); return status; } 
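Review bot: The `SIGN_RSA_EMSA_PSS` log branch in `sign_signature_auth()` dereferences `params->params` as `rsa_pss_params_t` without checking it for NULL. The same pattern is in the success branch of `process()` in the later hunk at `-436,15 +478,31`, where `params` was parsed from the peer's AUTH payload. Both presumably rely on the scheme never being PSS without parameters, but `signature_params_parse()` and the `sign`/`verify` implementations are not visible here. Testing the pointer in the condition, `if (params->scheme == SIGN_RSA_EMSA_PSS && params->params)`, lets the generic `%N` message cover the unexpected case instead of faulting inside a log statement.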
@@ -253,23 +281,27 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this, */ static bool get_auth_octets_scheme(private_pubkey_authenticator_t *this, bool verify, identification_t *id, - chunk_t *octets, signature_scheme_t *scheme) + chunk_t *octets, signature_params_t **scheme) { keymat_v2_t *keymat; array_t *schemes; bool success = FALSE; - schemes = array_create(sizeof(signature_scheme_t), 0); - array_insert(schemes, ARRAY_TAIL, scheme); + schemes = array_create(0, 0); + array_insert(schemes, ARRAY_TAIL, *scheme); keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa); if (keymat->get_auth_octets(keymat, verify, this->ike_sa_init, this->nonce, id, this->reserved, octets, schemes) && - array_get(schemes, 0, &scheme)) + array_remove(schemes, 0, scheme)) { success = TRUE; } - array_destroy(schemes); + else + { + *scheme = NULL; + } + array_destroy_function(schemes, destroy_scheme, NULL); return success; } @@ -282,6 +314,7 @@ static status_t sign_classic(private_pubkey_authenticator_t *this, chunk_t *auth_data) { signature_scheme_t scheme; + signature_params_t *params; chunk_t octets = chunk_empty; status_t status = FAILED; @@ -319,11 +352,18 @@ static status_t sign_classic(private_pubkey_authenticator_t *this, return FAILED; } - if (get_auth_octets_scheme(this, FALSE, id, &octets, &scheme) && - private->sign(private, scheme, octets, auth_data)) + INIT(params, + .scheme = scheme, + ); + if (get_auth_octets_scheme(this, FALSE, id, &octets, ¶ms) && + private->sign(private, params->scheme, NULL, octets, auth_data)) { status = SUCCESS; } + if (params) + { + signature_params_destroy(params); + } DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id, auth_method_names, *auth_method, status == SUCCESS ? "successful" : "failed"); 
@@ -385,7 +425,7 @@ METHOD(authenticator_t, process, status_t, auth_cfg_t *auth, *current_auth; enumerator_t *enumerator; key_type_t key_type = KEY_ECDSA; - signature_scheme_t scheme; + signature_params_t *params; status_t status = NOT_FOUND; const char *reason = "unsupported"; bool online; @@ -395,25 +435,26 @@ METHOD(authenticator_t, process, status_t, { return FAILED; } + INIT(params); auth_method = auth_payload->get_auth_method(auth_payload); auth_data = auth_payload->get_data(auth_payload); switch (auth_method) { case AUTH_RSA: key_type = KEY_RSA; - scheme = SIGN_RSA_EMSA_PKCS1_SHA1; + params->scheme = SIGN_RSA_EMSA_PKCS1_SHA1; break; case AUTH_ECDSA_256: - scheme = SIGN_ECDSA_256; + params->scheme = SIGN_ECDSA_256; break; case AUTH_ECDSA_384: - scheme = SIGN_ECDSA_384; + params->scheme = SIGN_ECDSA_384; break; case AUTH_ECDSA_521: - scheme = SIGN_ECDSA_521; + params->scheme = SIGN_ECDSA_521; break; case AUTH_DS: - if (parse_signature_auth_data(&auth_data, &key_type, &scheme)) + if (parse_signature_auth_data(&auth_data, &key_type, params)) { break; } @@ -422,10 +463,11 @@ METHOD(authenticator_t, process, status_t, default: DBG1(DBG_IKE, "%N authentication %s", auth_method_names, auth_method, reason); + signature_params_destroy(params); return INVALID_ARG; } id = this->ike_sa->get_other_id(this->ike_sa); - if (!get_auth_octets_scheme(this, TRUE, id, &octets, &scheme)) + if (!get_auth_octets_scheme(this, TRUE, id, &octets, ¶ms)) { return FAILED; } 
@@ -436,15 +478,31 @@ METHOD(authenticator_t, process, status_t, key_type, id, auth, online); while (enumerator->enumerate(enumerator, &public, ¤t_auth)) { - if (public->verify(public, scheme, octets, auth_data)) + if (public->verify(public, params->scheme, params->params, octets, + auth_data)) { - DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id, - auth_method == AUTH_DS ? signature_scheme_names : auth_method_names, - auth_method == AUTH_DS ? scheme : auth_method); + if (auth_method != AUTH_DS) + { + DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id, + auth_method_names, auth_method); + } + else if (params->scheme == SIGN_RSA_EMSA_PSS) + { + rsa_pss_params_t *pss = params->params; + DBG1(DBG_IKE, "authentication of '%Y' with %N_%N successful", + id, signature_scheme_names, params->scheme, + hash_algorithm_short_names_upper, pss->hash); + } + else + { + DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id, + signature_scheme_names, params->scheme); + } status = SUCCESS; auth->merge(auth, current_auth, FALSE); auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); - auth->add(auth, AUTH_RULE_IKE_SIGNATURE_SCHEME, (uintptr_t)scheme); + auth->add(auth, AUTH_RULE_IKE_SIGNATURE_SCHEME, + signature_params_clone(params)); if (!online) { auth->add(auth, AUTH_RULE_CERT_VALIDATION_SUSPENDED, TRUE); @@ -459,6 +517,7 @@ METHOD(authenticator_t, process, status_t, } enumerator->destroy(enumerator); chunk_free(&octets); + signature_params_destroy(params); if (status == NOT_FOUND) { DBG1(DBG_IKE, "no trusted %N public key found for '%Y'", diff --git a/src/libcharon/sa/ikev2/keymat_v2.h b/src/libcharon/sa/ikev2/keymat_v2.h index 36bf149fe..084ed40f0 100644 --- a/src/libcharon/sa/ikev2/keymat_v2.h +++ b/src/libcharon/sa/ikev2/keymat_v2.h 
@@ -101,8 +101,9 @@ struct keymat_v2_t { * @param id identity * @param reserved reserved bytes of id_payload * @param octests chunk receiving allocated auth octets - * @param schemes array containing signature schemes in case they - * need to be modified by the keymat implementation + * @param schemes array containing signature schemes + * (signature_params_t*) in case they need to be + * modified by the keymat implementation * @return TRUE if octets created successfully */ bool (*get_auth_octets)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init, diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c index c2ddbc588..361eb0fe1 100644 --- a/src/libcharon/sa/ikev2/task_manager_v2.c +++ b/src/libcharon/sa/ikev2/task_manager_v2.c @@ -131,7 +131,7 @@ struct private_task_manager_t { array_t *queued_tasks; /** - * Array of active tasks, initiated by ourselve + * Array of active tasks, initiated by ourselves */ array_t *active_tasks; @@ -1780,9 +1780,11 @@ static void trigger_mbb_reauth(private_task_manager_t *this) enumerator_t *enumerator; child_sa_t *child_sa; child_cfg_t *cfg; + peer_cfg_t *peer; ike_sa_t *new; host_t *host; queued_task_t *queued; + bool children = FALSE; new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, this->ike_sa->get_version(this->ike_sa), TRUE); @@ -1791,7 +1793,8 @@ static void trigger_mbb_reauth(private_task_manager_t *this) return; } - new->set_peer_cfg(new, this->ike_sa->get_peer_cfg(this->ike_sa)); + peer = this->ike_sa->get_peer_cfg(this->ike_sa); + new->set_peer_cfg(new, peer); host = this->ike_sa->get_other_host(this->ike_sa); new->set_other_host(new, host->clone(host)); host = this->ike_sa->get_my_host(this->ike_sa); 
@@ -1809,6 +1812,7 @@ static void trigger_mbb_reauth(private_task_manager_t *this) cfg = child_sa->get_config(child_sa); new->queue_task(new, &child_create_create(new, cfg->get_ref(cfg), FALSE, NULL, NULL)->task); + children = TRUE; } enumerator->destroy(enumerator); @@ -1821,10 +1825,24 @@ static void trigger_mbb_reauth(private_task_manager_t *this) new->queue_task(new, queued->task); array_remove_at(this->queued_tasks, enumerator); free(queued); + children = TRUE; } } enumerator->destroy(enumerator); + if (!children +#ifdef ME + /* allow reauth of mediation connections without CHILD_SAs */ + && !peer->is_mediation(peer) +#endif /* ME */ + ) + { + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new); + DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA " + "to recreate"); + return; + } + /* suspend online revocation checking until the SA is established */ new->set_condition(new, COND_ONLINE_VALIDATION_SUSPENDED, TRUE); diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c index cac3bc0a2..4d4d72e0b 100644 --- a/src/libcharon/sa/ikev2/tasks/child_create.c +++ b/src/libcharon/sa/ikev2/tasks/child_create.c @@ -1377,7 +1377,6 @@ METHOD(task_t, build_r, status_t, uint16_t group = htons(this->dh_group); message->add_notify(message, FALSE, INVALID_KE_PAYLOAD, chunk_from_thing(group)); - handle_child_sa_failure(this, message); return SUCCESS; } case FAILED: diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c index 2217295b6..164f8fc03 100644 --- a/src/libcharon/sa/ikev2/tasks/child_delete.c +++ b/src/libcharon/sa/ikev2/tasks/child_delete.c @@ -349,7 +349,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this) child_sa->get_unique_id(child_sa)), delay); continue; } - else if (expire) + else if (now < expire) { /* let it expire naturally */ continue; } 
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c index 53daaf2ad..aeaa701c9 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_auth.c +++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c @@ -471,7 +471,6 @@ METHOD(task_t, build_i, status_t, if (idr && !idr->contains_wildcards(idr) && message->get_message_id(message) == 1 && - this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO && this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER) { host_t *host; diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c index 58b710616..d75d21715 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_init.c +++ b/src/libcharon/sa/ikev2/tasks/ike_init.c @@ -158,7 +158,7 @@ static void send_supported_hash_algorithms(private_ike_init_t *this, peer_cfg_t *peer; auth_cfg_t *auth; auth_rule_t rule; - uintptr_t config; + signature_params_t *config; int written; size_t len = BUF_LEN; char buf[len]; @@ -177,7 +177,8 @@ static void send_supported_hash_algorithms(private_ike_init_t *this, { if (rule == AUTH_RULE_IKE_SIGNATURE_SCHEME) { - hash = hasher_from_signature_scheme(config); + hash = hasher_from_signature_scheme(config->scheme, + config->params); if (hasher_algorithm_for_ikev2(hash)) { algos->add(algos, hash); @@ -502,7 +503,11 @@ static void process_payloads(private_ike_init_t *this, message_t *message) this->dh = this->keymat->keymat.create_dh( &this->keymat->keymat, this->dh_group); } - if (this->dh) + else if (this->dh) + { + this->dh_failed = this->dh->get_dh_group(this->dh) != this->dh_group; + } + if (this->dh && !this->dh_failed) { this->dh_failed = !this->dh->set_other_public_value(this->dh, ke_payload->get_key_exchange_data(ke_payload)); @@ -811,7 +816,7 @@ METHOD(task_t, process_i, status_t, if (this->old_sa == NULL) { /* reset the IKE_SA if we are not rekeying */ - this->ike_sa->reset(this->ike_sa); + this->ike_sa->reset(this->ike_sa, FALSE); } enumerator->destroy(enumerator); 
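Review bot: The new `else if (this->dh)` branch in `process_payloads()` (hunk `-502,7 +503,11` in `ike_init.c`) sets `dh_failed` when the group of the received KE payload differs from the group of the existing DH object, but it has neither a comment nor a log line. This is a check on peer-supplied data, and a mismatch would otherwise be hard to tell apart from a failing `set_other_public_value()`. Suggest `/* reject a KE payload whose group differs from that of our existing DH object */` above the assignment, plus a `DBG1` that prints both group numbers when they differ. The `if` that this `else` belongs to starts outside the hunk.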
@@ -829,7 +834,7 @@ METHOD(task_t, process_i, status_t, { chunk_free(&this->cookie); this->cookie = chunk_clone(notify->get_notification_data(notify)); - this->ike_sa->reset(this->ike_sa); + this->ike_sa->reset(this->ike_sa, FALSE); enumerator->destroy(enumerator); DBG2(DBG_IKE, "received %N notify", notify_type_names, type); this->retry++; diff --git a/src/libcharon/sa/ikev2/tasks/ike_vendor.c b/src/libcharon/sa/ikev2/tasks/ike_vendor.c index e85b276e8..f72fbc437 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_vendor.c +++ b/src/libcharon/sa/ikev2/tasks/ike_vendor.c @@ -97,6 +97,8 @@ static vid_data_t vids[] = { "\x88\x2f\xe5\x6d\x6f\xd2\x0d\xbc\x22\x51\x61\x3b\x2e\xbe\x5b\xeb"}, { "Cisco Delete Reason", 0, NULL, 0, "CISCO-DELETE-REASON" }, + { "Cisco FlexVPN Supported", 0, NULL, 0, + "FLEXVPN-SUPPORTED" }, { "Cisco Copyright (c) 2009", 0, NULL, 0, "CISCO(COPYRIGHT)&Copyright (c) 2009 Cisco Systems, Inc." }, { "FRAGMENTATION", 0, NULL, 16, diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c index ad12f0579..3a254cea5 100644 --- a/src/libcharon/sa/shunt_manager.c +++ b/src/libcharon/sa/shunt_manager.c @@ -96,6 +96,7 @@ static bool install_shunt_policy(child_cfg_t *child) status_t status = SUCCESS; uint32_t manual_prio; char *interface; + bool fwd_out; ipsec_sa_cfg_t sa = { .mode = MODE_TRANSPORT }; switch (child->get_mode(child)) @@ -122,6 +123,7 @@ static bool install_shunt_policy(child_cfg_t *child) manual_prio = child->get_manual_prio(child); interface = child->get_interface(child); + fwd_out = child->has_option(child, OPT_FWD_OUT_POLICIES); /* enumerate pairs of traffic selectors */ e_my_ts = my_ts_list->create_enumerator(my_ts_list); 
@@ -157,9 +159,11 @@ static bool install_shunt_policy(child_cfg_t *child) .sa = &sa, }; status |= charon->kernel->add_policy(charon->kernel, &id, &policy); - /* install "outbound" forward policy */ - id.dir = POLICY_FWD; - status |= charon->kernel->add_policy(charon->kernel, &id, &policy); + if (fwd_out) + { /* install "outbound" forward policy */ + id.dir = POLICY_FWD; + status |= charon->kernel->add_policy(charon->kernel, &id, &policy); + } /* install in policy */ id = (kernel_ipsec_policy_id_t){ .dir = POLICY_IN, @@ -255,6 +259,7 @@ static void uninstall_shunt_policy(child_cfg_t *child) status_t status = SUCCESS; uint32_t manual_prio; char *interface; + bool fwd_out; ipsec_sa_cfg_t sa = { .mode = MODE_TRANSPORT }; switch (child->get_mode(child)) @@ -281,6 +286,7 @@ static void uninstall_shunt_policy(child_cfg_t *child) manual_prio = child->get_manual_prio(child); interface = child->get_interface(child); + fwd_out = child->has_option(child, OPT_FWD_OUT_POLICIES); /* enumerate pairs of traffic selectors */ e_my_ts = my_ts_list->create_enumerator(my_ts_list); @@ -316,9 +322,12 @@ static void uninstall_shunt_policy(child_cfg_t *child) .sa = &sa, }; status |= charon->kernel->del_policy(charon->kernel, &id, &policy); - /* uninstall "outbound" forward policy */ - id.dir = POLICY_FWD; - status |= charon->kernel->del_policy(charon->kernel, &id, &policy); + if (fwd_out) + { + /* uninstall "outbound" forward policy */ + id.dir = POLICY_FWD; + status |= charon->kernel->del_policy(charon->kernel, &id, &policy); + } /* uninstall in policy */ id = (kernel_ipsec_policy_id_t){ .dir = POLICY_IN, diff --git a/src/libcharon/tests/Makefile.in b/src/libcharon/tests/Makefile.in index 8a2775bc0..66d2431c9 100644 --- a/src/libcharon/tests/Makefile.in +++ b/src/libcharon/tests/Makefile.in 
@@ -269,9 +269,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in index d147b27d8..604899b5a 100644 --- a/src/libfast/Makefile.in +++ b/src/libfast/Makefile.in @@ -250,9 +250,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libfast/fast_dispatcher.c b/src/libfast/fast_dispatcher.c index 66a2ee514..4b422f077 100644 --- a/src/libfast/fast_dispatcher.c +++ b/src/libfast/fast_dispatcher.c @@ -136,7 +136,7 @@ typedef struct { } session_entry_t; /** - * create a session and instanciate controllers + * create a session and instantiate controllers */ static fast_session_t* load_session(private_fast_dispatcher_t *this) { diff --git a/src/libfast/fast_dispatcher.h b/src/libfast/fast_dispatcher.h index 6546385c6..21708a744 100644 --- a/src/libfast/fast_dispatcher.h +++ b/src/libfast/fast_dispatcher.h 
@@ -25,11 +25,11 @@ * The application has a global context and a session context. The global * context is accessed from all sessions simultaneously and therefore * needs to be threadsave. Often a database wrapper is the global context. - * The session context is instanciated per session. Sessions are managed + * The session context is instantiated per session. Sessions are managed * automatically through session cookies. The session context is kept alive * until the session times out. It must implement the context_t interface and * a #fast_context_constructor_t is needed to create instances. To each session, - * a set of controllers gets instanciated. The controller instances are per + * a set of controllers gets instantiated. The controller instances are per * session, so you can hold private data for each user. * Controllers need to implement the controller_t interface and need a * #fast_controller_constructor_t function to create instances. @@ -72,7 +72,7 @@ typedef struct fast_dispatcher_t fast_dispatcher_t; * * The dispatcher creates a session for each client (using SID cookies). In * each session, a session context is created using the context constructor. - * Each controller is instanciated in the session using the controller + * Each controller is instantiated in the session using the controller * constructor added with add_controller. */ struct fast_dispatcher_t { @@ -102,7 +102,7 @@ struct fast_dispatcher_t { /** * Start with dispatching. * - * Instanciate a constant thread pool and start dispatching requests. + * Instantiate a constant thread pool and start dispatching requests. * * @param threads number of dispatching threads */ diff --git a/src/libfast/fast_session.h b/src/libfast/fast_session.h index 2ff450b93..3fca3673e 100644 --- a/src/libfast/fast_session.h +++ b/src/libfast/fast_session.h 
@@ -28,7 +28,7 @@ typedef struct fast_session_t fast_session_t; /** - * Session handling class, instanciated for each user session. + * Session handling class, instantiated for each user session. */ struct fast_session_t { diff --git a/src/libimcv/Android.mk b/src/libimcv/Android.mk index 4df3dcb64..9f3172074 100644 --- a/src/libimcv/Android.mk +++ b/src/libimcv/Android.mk @@ -79,6 +79,8 @@ libimcv_la_SOURCES := \ swid/swid_inventory.h swid/swid_inventory.c \ swid/swid_tag.h swid/swid_tag.c \ swid/swid_tag_id.h swid/swid_tag_id.c \ + swid_gen/swid_gen.h swid_gen/swid_gen.c \ + swid_gen/swid_gen_info.h swid_gen/swid_gen_info.c \ swima/swima_data_model.h swima/swima_data_model.c \ swima/swima_record.h swima/swima_record.c \ swima/swima_event.h swima/swima_event.c \ diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in index 246ffe29d..ef2c9c35b 100644 --- a/src/libimcv/Makefile.in +++ b/src/libimcv/Makefile.in @@ -440,9 +440,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/ietf/ietf_attr.c b/src/libimcv/ietf/ietf_attr.c index 9e3e83d4d..44e0ef24f 100644 --- a/src/libimcv/ietf/ietf_attr.c +++ b/src/libimcv/ietf/ietf_attr.c @@ -47,10 +47,10 @@ ENUM_BEGIN(ietf_attr_names, IETF_ATTR_TESTING, "Forwarding Enabled", "Factory Default Password Enabled", ); -ENUM_NEXT(ietf_attr_names, IETF_ATTR_SW_REQUEST, +ENUM_NEXT(ietf_attr_names, IETF_ATTR_SWIMA_REQUEST, IETF_ATTR_SRC_METADATA_RESP, IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED, - "SW Request", + "SWIMA Request", "SW Identifier Inventory", "SW Identifier Events", "SW Inventory", 
@@ -97,7 +97,7 @@ pa_tnc_attr_t* ietf_attr_create_from_data(uint32_t type, size_t length, case IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED: return generic_attr_bool_create_from_data(length, value, pen_type_create(PEN_IETF, type)); - case IETF_ATTR_SW_REQUEST: + case IETF_ATTR_SWIMA_REQUEST: return ietf_swima_attr_req_create_from_data(length, value); case IETF_ATTR_SW_ID_INVENTORY: return ietf_swima_attr_sw_inv_create_from_data(length, value, TRUE); diff --git a/src/libimcv/ietf/ietf_attr.h b/src/libimcv/ietf/ietf_attr.h index d2ea98201..cbf4a49a2 100644 --- a/src/libimcv/ietf/ietf_attr.h +++ b/src/libimcv/ietf/ietf_attr.h @@ -48,7 +48,7 @@ enum ietf_attr_t { IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED = 12, /* draft-ietf-sacm-nea-swid-patnc */ - IETF_ATTR_SW_REQUEST = 17, + IETF_ATTR_SWIMA_REQUEST = 17, IETF_ATTR_SW_ID_INVENTORY = 18, IETF_ATTR_SW_ID_EVENTS = 19, IETF_ATTR_SW_INVENTORY = 20, diff --git a/src/libimcv/ietf/ietf_attr_pa_tnc_error.c b/src/libimcv/ietf/ietf_attr_pa_tnc_error.c index 966c095e2..75f279298 100644 --- a/src/libimcv/ietf/ietf_attr_pa_tnc_error.c +++ b/src/libimcv/ietf/ietf_attr_pa_tnc_error.c @@ -27,16 +27,16 @@ ENUM_BEGIN(pa_tnc_error_code_names, PA_ERROR_RESERVED, "Version Not Supported", "Attribute Type Not Supported" ); -ENUM_NEXT(pa_tnc_error_code_names, PA_ERROR_SW, - PA_ERROR_SW_SUBSCRIPTION_ID_REUSE, +ENUM_NEXT(pa_tnc_error_code_names, PA_ERROR_SWIMA, + PA_ERROR_SWIMA_SUBSCRIPTION_ID_REUSE, PA_ERROR_ATTR_TYPE_NOT_SUPPORTED, - "SW Error", - "SW Subscription Denied", - "SW Response Too Large", - "SW Subscription Fulfillment Error", - "SW Subscription ID Reuse" + "SWIMA Error", + "SWIMA Subscription Denied", + "SWIMA Response Too Large", + "SWIMA Subscription Fulfillment Error", + "SWIMA Subscription ID Reuse" ); -ENUM_END(pa_tnc_error_code_names, PA_ERROR_SW_SUBSCRIPTION_ID_REUSE); +ENUM_END(pa_tnc_error_code_names, PA_ERROR_SWIMA_SUBSCRIPTION_ID_REUSE); typedef struct private_ietf_attr_pa_tnc_error_t private_ietf_attr_pa_tnc_error_t; 
diff --git a/src/libimcv/ietf/ietf_attr_pa_tnc_error.h b/src/libimcv/ietf/ietf_attr_pa_tnc_error.h index 7dbc33828..dd0be72ff 100644 --- a/src/libimcv/ietf/ietf_attr_pa_tnc_error.h +++ b/src/libimcv/ietf/ietf_attr_pa_tnc_error.h @@ -33,18 +33,18 @@ typedef enum pa_tnc_error_code_t pa_tnc_error_code_t; enum pa_tnc_error_code_t { /* RFC 5792 PA-TNC */ - PA_ERROR_RESERVED = 0, - PA_ERROR_INVALID_PARAMETER = 1, - PA_ERROR_VERSION_NOT_SUPPORTED = 2, - PA_ERROR_ATTR_TYPE_NOT_SUPPORTED = 3, - PA_ERROR_PA_TNC_MSG_ROOF = 3, + PA_ERROR_RESERVED = 0, + PA_ERROR_INVALID_PARAMETER = 1, + PA_ERROR_VERSION_NOT_SUPPORTED = 2, + PA_ERROR_ATTR_TYPE_NOT_SUPPORTED = 3, + PA_ERROR_PA_TNC_MSG_ROOF = 3, /* draft-ietf-sacm-nea-swid-patnc (SWIMA) */ - PA_ERROR_SW = 32, - PA_ERROR_SW_SUBSCRIPTION_DENIED = 33, - PA_ERROR_SW_RESPONSE_TOO_LARGE = 34, - PA_ERROR_SW_SUBSCRIPTION_FULFILLMENT = 35, - PA_ERROR_SW_SUBSCRIPTION_ID_REUSE = 36 + PA_ERROR_SWIMA = 32, + PA_ERROR_SWIMA_SUBSCRIPTION_DENIED = 33, + PA_ERROR_SWIMA_RESPONSE_TOO_LARGE = 34, + PA_ERROR_SWIMA_SUBSCRIPTION_FULFILLMENT = 35, + PA_ERROR_SWIMA_SUBSCRIPTION_ID_REUSE = 36 }; /** diff --git a/src/libimcv/ietf/swima/ietf_swima_attr_req.c b/src/libimcv/ietf/swima/ietf_swima_attr_req.c index 07d0b0c5f..d67497373 100644 --- a/src/libimcv/ietf/swima/ietf_swima_attr_req.c +++ b/src/libimcv/ietf/swima/ietf_swima_attr_req.c @@ -274,7 +274,7 @@ pa_tnc_attr_t *ietf_swima_attr_req_create(uint8_t flags, uint32_t request_id) .set_targets = _set_targets, .get_targets = _get_targets, }, - .type = { PEN_IETF, IETF_ATTR_SW_REQUEST }, + .type = { PEN_IETF, IETF_ATTR_SWIMA_REQUEST }, .flags = flags & SW_REQ_RESERVED_MASK, .request_id = request_id, .targets = swima_inventory_create(), 
@@ -309,7 +309,7 @@ pa_tnc_attr_t *ietf_swima_attr_req_create_from_data(size_t length, chunk_t data) .set_targets = _set_targets, .get_targets = _get_targets, }, - .type = { PEN_IETF, IETF_ATTR_SW_REQUEST }, + .type = { PEN_IETF, IETF_ATTR_SWIMA_REQUEST }, .length = length, .value = chunk_clone(data), .targets = swima_inventory_create(), diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql index a872499d2..40a0f5eeb 100644 --- a/src/libimcv/imv/data.sql +++ b/src/libimcv/imv/data.sql @@ -484,30 +484,66 @@ INSERT INTO products ( /* 81 */ 'Android 6.0.1' ); -INSERT INTO products ( /* 82 */ +INSERT INTO products ( /* 82 */ name ) VALUES ( 'Debian 8.5 i686' ); -INSERT INTO products ( /* 83 */ +INSERT INTO products ( /* 83 */ name ) VALUES ( 'Debian 8.5 x86_64' ); -INSERT INTO products ( /* 84 */ +INSERT INTO products ( /* 84 */ name ) VALUES ( 'Debian 8.6 i686' ); -INSERT INTO products ( /* 85 */ +INSERT INTO products ( /* 85 */ name ) VALUES ( 'Debian 8.6 x86_64' ); +INSERT INTO products ( /* 86 */ + name +) VALUES ( + 'Debian 8.7 i686' +); + +INSERT INTO products ( /* 87 */ + name +) VALUES ( + 'Debian 8.7 x86_64' +); + +INSERT INTO products ( /* 88 */ + name +) VALUES ( + 'Debian 8.8 i686' +); + +INSERT INTO products ( /* 89 */ + name +) VALUES ( + 'Debian 8.8 x86_64' +); + +INSERT INTO products ( /* 90 */ + name +) VALUES ( + 'Debian 8.9 i686' +); + +INSERT INTO products ( /* 91 */ + name +) VALUES ( + 'Debian 8.9 x86_64' +); + /* Directories */ INSERT INTO directories ( /* 1 */ 
@@ -1036,6 +1072,36 @@ INSERT INTO groups_product_defaults ( 4, 76 ); +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 82 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 84 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 86 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 88 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 90 +); + INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( @@ -1126,6 +1192,24 @@ INSERT INTO groups_product_defaults ( 5, 85 ); +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 5, 87 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 5, 89 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 5, 91 +); + INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( diff --git a/src/libimcv/imv/imv_agent.c b/src/libimcv/imv/imv_agent.c index e96faa77e..bb0b3b75b 100644 --- a/src/libimcv/imv/imv_agent.c +++ b/src/libimcv/imv/imv_agent.c @@ -685,9 +685,9 @@ METHOD(imv_agent_t, create_language_enumerator, enumerator_t*, ); if (!this->get_attribute || - !this->get_attribute(this->id, state->get_connection_id(state), + this->get_attribute(this->id, state->get_connection_id(state), TNC_ATTRIBUTEID_PREFERRED_LANGUAGE, BUF_LEN, - e->lang_buf, &e->lang_len) == TNC_RESULT_SUCCESS || + e->lang_buf, &e->lang_len) != TNC_RESULT_SUCCESS || e->lang_len >= BUF_LEN) { e->lang_len = 0; diff --git a/src/libimcv/imv/tables.sql b/src/libimcv/imv/tables.sql index 8bde8898f..b50c6ed12 100644 --- a/src/libimcv/imv/tables.sql +++ b/src/libimcv/imv/tables.sql 
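Review bot: The three-armed fallback condition in create_language_enumerator (imv_agent.c) has no comment saying which cases reset `e->lang_len` to 0, and the operator slip corrected here shows how easily that expression is misread. A short comment above the `if` would help, for example `/* no preferred language if the callback is missing, the lookup fails, or the value fills the whole buffer */`. The last arm presumably keeps room for a terminator, which is worth confirming against how `lang_buf` is consumed. The method body starts and ends outside the hunk.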
@@ -253,24 +253,30 @@ CREATE INDEX "swid_entityroles_entity_id" ON "swid_entityroles" ( DROP TABLE IF EXISTS "swid_tags"; CREATE TABLE "swid_tags" ( "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + "version_id" INTEGER REFERENCES "versions" ("id"), "package_name" VARCHAR(255) NOT NULL, - "version" VARCHAR(255) NOT NULL, + "version_str" VARCHAR(255) NOT NULL, "unique_id" VARCHAR(255) NOT NULL, "swid_xml" TEXT NOT NULL, "software_id" VARCHAR(255) NOT NULL ); +DROP INDEX IF EXISTS "swid_tags_software_id"; DROP INDEX if EXISTS "swid_tags_unique_id"; +DROP INDEX IF EXISTS "swid_tags_version"; DROP INDEX IF EXISTS "swid_tags_package_name"; -DROP INDEX IF EXISTS "swid_tags_software_id"; + +CREATE INDEX "swid_tags_software_id" ON "swid_tags" ( + "software_id" +); CREATE INDEX "swid_tags_unique_id" ON "swid_tags" ( "unique_id" ); +CREATE INDEX "swid_tags_version_id" ON "swid_tags" ( + "version_id" +); CREATE INDEX "swid_tags_package_name" ON "swid_tags" ( "package_name" ); -CREATE INDEX "swid_tags_software_id" ON "swid_tags" ( - "software_id" -); DROP TABLE IF EXISTS "swid_tags_files"; CREATE TABLE "swid_tags_files" ( diff --git a/src/libimcv/plugins/imc_attestation/Makefile.in b/src/libimcv/plugins/imc_attestation/Makefile.in index 1600d4d2f..bc079ff12 100644 --- a/src/libimcv/plugins/imc_attestation/Makefile.in +++ b/src/libimcv/plugins/imc_attestation/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imc_hcd/Makefile.in b/src/libimcv/plugins/imc_hcd/Makefile.in index b12499d82..1b71b26d0 100644 --- a/src/libimcv/plugins/imc_hcd/Makefile.in +++ b/src/libimcv/plugins/imc_hcd/Makefile.in 
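Review bot: The added `DROP INDEX IF EXISTS "swid_tags_version";` does not name the index this hunk creates, which is `"swid_tags_version_id"`. The new index is therefore the only one of the four on `swid_tags` without a matching drop, and the drop that was added targets an index the script never defines. The preceding `DROP TABLE IF EXISTS "swid_tags"` probably removes the table's indexes anyway, so a rerun likely still works, but the mismatch would matter if the statements were ever run separately. The drop should read `DROP INDEX IF EXISTS "swid_tags_version_id";`.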
@@ -242,9 +242,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in index 14c6e02a0..e62c04bea 100644 --- a/src/libimcv/plugins/imc_os/Makefile.in +++ b/src/libimcv/plugins/imc_os/Makefile.in @@ -242,9 +242,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in index 664ffdff6..a054a475b 100644 --- a/src/libimcv/plugins/imc_scanner/Makefile.in +++ b/src/libimcv/plugins/imc_scanner/Makefile.in @@ -243,9 +243,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imc_swid/Makefile.in b/src/libimcv/plugins/imc_swid/Makefile.in index b6a77dda4..f58935f2e 100644 --- a/src/libimcv/plugins/imc_swid/Makefile.in +++ b/src/libimcv/plugins/imc_swid/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-0.swidtag b/src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-0.swidtag deleted file mode 100644 index 644c0989c..000000000 
--- a/src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-0.swidtag +++ /dev/null @@ -1,11 +0,0 @@ - - - - diff --git a/src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-1.swidtag b/src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-1.swidtag new file mode 100644 index 000000000..f10740d60 --- /dev/null +++ b/src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-1.swidtag @@ -0,0 +1,11 @@ + + + + diff --git a/src/libimcv/plugins/imc_swima/Makefile.in b/src/libimcv/plugins/imc_swima/Makefile.in index ae1d024af..ed2191921 100644 --- a/src/libimcv/plugins/imc_swima/Makefile.in +++ b/src/libimcv/plugins/imc_swima/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imc_swima/imc_swima.c b/src/libimcv/plugins/imc_swima/imc_swima.c index e120cf7fc..67080e050 100644 --- a/src/libimcv/plugins/imc_swima/imc_swima.c +++ b/src/libimcv/plugins/imc_swima/imc_swima.c @@ -35,7 +35,7 @@ static const char imc_name[] = "SWIMA"; static pen_type_t msg_types[] = { - { PEN_IETF, PA_SUBTYPE_IETF_SW } + { PEN_IETF, PA_SUBTYPE_IETF_SWIMA } }; static imc_agent_t *imc_swima; @@ -180,7 +180,7 @@ static void fulfill_request(imc_state_t *state, imc_msg_t *msg, { snprintf(error_msg, msg_len, "failed to collect SW%s events, " "fallback to SW%s inventory", id_str, id_str); - attr = swima_error_create(PA_ERROR_SW, request_id, 0, error_msg); + attr = swima_error_create(PA_ERROR_SWIMA, request_id, 0, error_msg); msg->add_attribute(msg, attr); } else { 
@@ -207,7 +207,7 @@ static void fulfill_request(imc_state_t *state, imc_msg_t *msg, { snprintf(error_msg, msg_len, "failed to collect SW%s inventory", id_str); - attr = swima_error_create(PA_ERROR_SW, request_id, 0, error_msg); + attr = swima_error_create(PA_ERROR_SWIMA, request_id, 0, error_msg); } else { @@ -258,7 +258,7 @@ static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg) type = attr->get_type(attr); - if (type.vendor_id != PEN_IETF || type.type != IETF_ATTR_SW_REQUEST) + if (type.vendor_id != PEN_IETF || type.type != IETF_ATTR_SWIMA_REQUEST) { continue; } @@ -270,7 +270,7 @@ static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg) if (flags & (IETF_SWIMA_ATTR_REQ_FLAG_S | IETF_SWIMA_ATTR_REQ_FLAG_C)) { - attr = swima_error_create(PA_ERROR_SW_SUBSCRIPTION_DENIED, + attr = swima_error_create(PA_ERROR_SWIMA_SUBSCRIPTION_DENIED, request_id, 0, "no subscription available yet"); out_msg->add_attribute(out_msg, attr); break; diff --git a/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-0.swidtag b/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-0.swidtag deleted file mode 100644 index 644c0989c..000000000 --- a/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-0.swidtag +++ /dev/null @@ -1,11 +0,0 @@ - - - - diff --git a/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-1.swidtag b/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-1.swidtag new file mode 100644 index 000000000..f10740d60 --- /dev/null +++ b/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-1.swidtag @@ -0,0 +1,11 @@ + + + + diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in index a002f0baf..fc6d2f6fb 100644 --- a/src/libimcv/plugins/imc_test/Makefile.in +++ b/src/libimcv/plugins/imc_test/Makefile.in 
@@ -242,9 +242,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imv_attestation/Makefile.in b/src/libimcv/plugins/imv_attestation/Makefile.in index 3872b9a57..f9eb9d6ed 100644 --- a/src/libimcv/plugins/imv_attestation/Makefile.in +++ b/src/libimcv/plugins/imv_attestation/Makefile.in @@ -256,9 +256,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c index b1ee16bf8..60a9edc0f 100644 --- a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c +++ b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c @@ -318,15 +318,24 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, enumerator_t *e; char *filename; chunk_t measurement; + int vid; + + if (!pts_db->get_product_version(pts_db, + pts->get_platform_id(pts), &vid)) + { + eval = TNC_IMV_EVALUATION_RESULT_ERROR; + break; + } e = measurements->create_enumerator(measurements); while (e->enumerate(e, &filename, &measurement)) { - if (pts_db->add_file_measurement(pts_db, - pts->get_platform_id(pts), algo, measurement, - filename, is_dir, arg_int) != SUCCESS) + if (!pts_db->add_file_measurement(pts_db, vid, algo, + measurement, filename, is_dir, arg_int)) { eval = TNC_IMV_EVALUATION_RESULT_ERROR; + e->destroy(e); + break; } } e->destroy(e); diff --git a/src/libimcv/plugins/imv_hcd/Makefile.in b/src/libimcv/plugins/imv_hcd/Makefile.in index fda666b06..99bf6d916 100644 --- a/src/libimcv/plugins/imv_hcd/Makefile.in 
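Review bot: On the add_file_measurement() failure path in imv_attestation_process.c the enumerator is destroyed twice. The added `e->destroy(e);` runs inside the `while` body, the `break` after it leaves only that loop, and the unchanged `e->destroy(e);` directly after the loop then runs on the object that was just released. Unless the enumerator's destroy tolerates a second call (nothing in the hunk suggests it does), this is a double free / use-after-free whenever a database insert fails. Dropping the added `e->destroy(e);` and keeping only `break;` leaves a single destroy after the loop. The enclosing imv_attestation_process() starts and ends outside the hunk.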
+++ b/src/libimcv/plugins/imv_hcd/Makefile.in @@ -242,9 +242,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imv_os/Makefile.am b/src/libimcv/plugins/imv_os/Makefile.am index f5bc9010c..50a87d877 100644 --- a/src/libimcv/plugins/imv_os/Makefile.am +++ b/src/libimcv/plugins/imv_os/Makefile.am @@ -18,12 +18,3 @@ imv_os_la_SOURCES = \ imv_os_database.c imv_os_database.h imv_os_la_LDFLAGS = -module -avoid-version -no-undefined - -if !USE_WINDOWS -ipsec_PROGRAMS = pacman -pacman_SOURCES = pacman.c -pacman_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -pacman.o : $(top_builddir)/config.status - -EXTRA_DIST = pacman.sh -endif diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in index a8d80b3f8..d5a6f07f1 100644 --- a/src/libimcv/plugins/imv_os/Makefile.in +++ b/src/libimcv/plugins/imv_os/Makefile.in @@ -14,7 +14,6 @@ @SET_MAKE@ - VPATH = @srcdir@ am__is_gnu_make = { \ if test -z '$(MAKELEVEL)'; then \ @@ -89,7 +88,6 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -@USE_WINDOWS_FALSE@ipsec_PROGRAMS = pacman$(EXEEXT) subdir = src/libimcv/plugins/imv_os ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ @@ -136,7 +134,7 @@ am__uninstall_files_from_dir = { \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } -am__installdirs = "$(DESTDIR)$(imcvdir)" "$(DESTDIR)$(ipsecdir)" +am__installdirs = "$(DESTDIR)$(imcvdir)" LTLIBRARIES = $(imcv_LTLIBRARIES) imv_os_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \ $(top_builddir)/src/libstrongswan/libstrongswan.la 
@@ -150,11 +148,6 @@ am__v_lt_1 = imv_os_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(imv_os_la_LDFLAGS) $(LDFLAGS) -o $@ -PROGRAMS = $(ipsec_PROGRAMS) -am__pacman_SOURCES_DIST = pacman.c -@USE_WINDOWS_FALSE@am_pacman_OBJECTS = pacman.$(OBJEXT) -pacman_OBJECTS = $(am_pacman_OBJECTS) -@USE_WINDOWS_FALSE@pacman_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -189,8 +182,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = $(imv_os_la_SOURCES) $(pacman_SOURCES) -DIST_SOURCES = $(imv_os_la_SOURCES) $(am__pacman_SOURCES_DIST) +SOURCES = $(imv_os_la_SOURCES) +DIST_SOURCES = $(imv_os_la_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -250,9 +243,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -472,9 +467,6 @@ imv_os_la_SOURCES = \ imv_os_database.c imv_os_database.h imv_os_la_LDFLAGS = -module -avoid-version -no-undefined -@USE_WINDOWS_FALSE@pacman_SOURCES = pacman.c -@USE_WINDOWS_FALSE@pacman_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -@USE_WINDOWS_FALSE@EXTRA_DIST = pacman.sh all: all-am .SUFFIXES: 
@@ -546,59 +538,6 @@ clean-imcvLTLIBRARIES: imv-os.la: $(imv_os_la_OBJECTS) $(imv_os_la_DEPENDENCIES) $(EXTRA_imv_os_la_DEPENDENCIES) $(AM_V_CCLD)$(imv_os_la_LINK) -rpath $(imcvdir) $(imv_os_la_OBJECTS) $(imv_os_la_LIBADD) $(LIBS) -install-ipsecPROGRAMS: $(ipsec_PROGRAMS) - @$(NORMAL_INSTALL) - @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \ - if test -n "$$list"; then \ - echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \ - $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \ - fi; \ - for p in $$list; do echo "$$p $$p"; done | \ - sed 's/$(EXEEXT)$$//' | \ - while read p p1; do if test -f $$p \ - || test -f $$p1 \ - ; then echo "$$p"; echo "$$p"; else :; fi; \ - done | \ - sed -e 'p;s,.*/,,;n;h' \ - -e 's|.*|.|' \ - -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ - sed 'N;N;N;s,\n, ,g' | \ - $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ - { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ - if ($$2 == $$4) files[d] = files[d] " " $$1; \ - else { print "f", $$3 "/" $$4, $$1; } } \ - END { for (d in files) print "f", d, files[d] }' | \ - while read type dir files; do \ - if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ - test -z "$$files" || { \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \ - } \ - ; done - -uninstall-ipsecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \ - files=`for p in $$list; do echo "$$p"; done | \ - sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ - -e 's/$$/$(EXEEXT)/' \ - `; \ - test -n "$$list" || exit 0; \ - echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \ - cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files - -clean-ipsecPROGRAMS: - @list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; 
\ - echo " rm -f" $$list; \ - rm -f $$list || exit $$?; \ - test -n "$(EXEEXT)" || exit 0; \ - list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f" $$list; \ - rm -f $$list - -pacman$(EXEEXT): $(pacman_OBJECTS) $(pacman_DEPENDENCIES) $(EXTRA_pacman_DEPENDENCIES) - @rm -f pacman$(EXEEXT) - $(AM_V_CCLD)$(LINK) $(pacman_OBJECTS) $(pacman_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -610,7 +549,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_os_agent.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_os_database.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_os_state.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pacman.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ @@ -726,9 +664,9 @@ distdir: $(DISTFILES) done check-am: all-am check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) +all-am: Makefile $(LTLIBRARIES) installdirs: - for dir in "$(DESTDIR)$(imcvdir)" "$(DESTDIR)$(ipsecdir)"; do \ + for dir in "$(DESTDIR)$(imcvdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -763,8 +701,8 @@ maintainer-clean-generic: @echo "it deletes files that may require special tools to rebuild." clean: clean-am -clean-am: clean-generic clean-imcvLTLIBRARIES clean-ipsecPROGRAMS \ - clean-libtool mostlyclean-am +clean-am: clean-generic clean-imcvLTLIBRARIES clean-libtool \ + mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) @@ -784,7 +722,7 @@ info: info-am info-am: -install-data-am: install-imcvLTLIBRARIES install-ipsecPROGRAMS +install-data-am: install-imcvLTLIBRARIES install-dvi: install-dvi-am 
@@ -830,29 +768,27 @@ ps: ps-am ps-am: -uninstall-am: uninstall-imcvLTLIBRARIES uninstall-ipsecPROGRAMS +uninstall-am: uninstall-imcvLTLIBRARIES .MAKE: install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ - clean-imcvLTLIBRARIES clean-ipsecPROGRAMS clean-libtool \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ + clean-imcvLTLIBRARIES clean-libtool cscopelist-am ctags \ + ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am \ install-imcvLTLIBRARIES install-info install-info-am \ - install-ipsecPROGRAMS install-man install-pdf install-pdf-am \ - install-ps install-ps-am install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags tags-am uninstall uninstall-am uninstall-imcvLTLIBRARIES \ - uninstall-ipsecPROGRAMS + install-man install-pdf install-pdf-am install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ + uninstall-am uninstall-imcvLTLIBRARIES .PRECIOUS: Makefile -@USE_WINDOWS_FALSE@pacman.o : $(top_builddir)/config.status # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
diff --git a/src/libimcv/plugins/imv_os/imv_os_agent.c b/src/libimcv/plugins/imv_os/imv_os_agent.c index 4bf6c7e21..3fa3d0965 100644 --- a/src/libimcv/plugins/imv_os/imv_os_agent.c +++ b/src/libimcv/plugins/imv_os/imv_os_agent.c @@ -705,8 +705,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, eval = fail ? TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR : TNC_IMV_EVALUATION_RESULT_COMPLIANT; snprintf(result_str, BUF_LEN, "processed %d packages: " - "%d not updated, %d blacklisted, %d ok, " - "%d unknown", + "%d vulnerable, %d blacklisted, %d ok, %d unknown", count, count_update, count_blacklist, count_ok, count - count_update - count_blacklist - count_ok); break; diff --git a/src/libimcv/plugins/imv_os/imv_os_database.c b/src/libimcv/plugins/imv_os/imv_os_database.c index 31b889b74..049c844bc 100644 --- a/src/libimcv/plugins/imv_os/imv_os_database.c +++ b/src/libimcv/plugins/imv_os/imv_os_database.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2014 Andreas Steffen + * Copyright (C) 2012-2017 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -51,7 +51,7 @@ METHOD(imv_os_database_t, check_packages, status_t, char *product, *package, *release, *cur_release; chunk_t name, version; int pid, gid, security, blacklist; - int count = 0, count_ok = 0, count_no_match = 0, count_blacklist = 0; + int count = 0, count_ok = 0, count_security = 0, count_blacklist = 0; enumerator_t *e; status_t status = SUCCESS; bool found, match; @@ -103,11 +103,8 @@ METHOD(imv_os_database_t, check_packages, status_t, if (!e->enumerate(e, &gid)) { /* package not present in database for any product - skip */ - if (os_type == OS_TYPE_ANDROID) - { - DBG2(DBG_IMV, "package '%s' (%.*s) not found", - package, version.len, version.ptr); - } + DBG2(DBG_IMV, "package '%s' (%.*s) not found", + package, version.len, version.ptr); free(package); e->destroy(e); continue; 
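Review bot: In the batch_ending hunk of imv_os_agent.c the summary text now says `%d vulnerable`, but the value still comes from the local `count_update`, while the state object and its accessors are renamed to `count_security` elsewhere in this commit. Renaming the local keeps the terminology uniform, so the argument list would read `count, count_security, count_blacklist, count_ok,` with the same substitution in the subtraction for the unknown count. The declaration and the get_count() call that fill the variable are outside the hunk and would need the same rename.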
@@ -148,36 +145,41 @@ METHOD(imv_os_database_t, check_packages, status_t, { if (blacklist) { - DBG2(DBG_IMV, "package '%s' (%s) is blacklisted", + DBG1(DBG_IMV, "package '%s' (%s) is blacklisted", package, release); count_blacklist++; os_state->add_bad_package(os_state, package, OS_PACKAGE_STATE_BLACKLIST); } + else if (security) + { + DBG1(DBG_IMV, "package '%s' (%s) is vulnerable", + package, release); + os_state->add_bad_package(os_state, package, + OS_PACKAGE_STATE_SECURITY); + count_security++; + } else { - DBG2(DBG_IMV, "package '%s' (%s)%s is ok", package, release, - security ? " [s]" : ""); + DBG2(DBG_IMV, "package '%s' (%s) is ok", + package, release); count_ok++; } } else { DBG1(DBG_IMV, "package '%s' (%s) no match", package, release); - count_no_match++; - os_state->add_bad_package(os_state, package, - OS_PACKAGE_STATE_SECURITY); } } else { - /* package not present in database for this product - skip */ + DBG2(DBG_IMV, "package '%s' (%s) unknown", package, release); } free(package); free(release); } - os_state->set_count(os_state, count, count_no_match, - count_blacklist, count_ok); + os_state->set_count(os_state, count, count_security, count_blacklist, + count_ok); return status; } diff --git a/src/libimcv/plugins/imv_os/imv_os_state.c b/src/libimcv/plugins/imv_os/imv_os_state.c index ac826a77c..af5daf0fc 100644 --- a/src/libimcv/plugins/imv_os/imv_os_state.c +++ b/src/libimcv/plugins/imv_os/imv_os_state.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2014 Andreas Steffen + * Copyright (C) 2012-2017 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -121,9 +121,9 @@ struct private_imv_os_state_t { int count; /** - * Number of not updated packages + * Number of vulnerable packages */ - int count_update; + int count_security; /** * Number of blacklisted packages 
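Review bot: The branch of check_packages that logs `no match` no longer increments a counter or calls add_bad_package(), so a package whose installed release is not listed for the product is reported only in the debug log. Assuming batch_ending still derives the unknown figure by subtraction, such packages land in `%d unknown` together with packages that are absent from the database. If this is intended (only listed releases flagged `security` count as vulnerable), a comment in that branch should say so, for example `/* release not listed for this product: not counted, reported as unknown */`. Otherwise a consumer of the assessment may read an unlisted, possibly outdated release as harmless. The conditions selecting these branches are outside the hunk.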
@@ -372,7 +372,7 @@ METHOD(imv_state_t, get_reason_string, bool, private_imv_os_state_t *this, enumerator_t *language_enumerator, chunk_t *reason_string, char **reason_language) { - if (!this->count_update && !this->count_blacklist & !this->os_settings) + if (!this->count_security && !this->count_blacklist & !this->os_settings) { return FALSE; } @@ -383,7 +383,7 @@ METHOD(imv_state_t, get_reason_string, bool, DESTROY_IF(this->reason_string); this->reason_string = imv_reason_string_create(*reason_language, "\n"); - if (this->count_update || this->count_blacklist) + if (this->count_security || this->count_blacklist) { this->reason_string->add_reason(this->reason_string, reason_packages); } @@ -403,7 +403,7 @@ METHOD(imv_state_t, get_remediation_instructions, bool, imv_os_info_t *os_info; bool as_xml = FALSE; - if (!this->count_update && !this->count_blacklist & !this->os_settings) + if (!this->count_security && !this->count_blacklist & !this->os_settings) { return FALSE; } @@ -430,7 +430,7 @@ METHOD(imv_state_t, get_remediation_instructions, bool, } /* List of packages in need of an update, if any */ - if (this->count_update) + if (this->count_security) { this->remediation_string->add_instruction(this->remediation_string, instr_update_packages_title, 
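Review bot: The guard in get_reason_string mixes `&&` with a bitwise `&`: `!this->count_security && !this->count_blacklist & !this->os_settings`. Both operands of `&` are results of `!`, so the value matches the logical form today. It still parses as `!a && (!b & !c)`, reads like a typo, and would change meaning if either operand stopped being a plain 0/1. Since the line is touched anyway it could become `if (!this->count_security && !this->count_blacklist && !this->os_settings)`. The identical expression in the get_remediation_instructions hunk (`@@ -403,7`) needs the same change.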
@@ -492,26 +492,26 @@ METHOD(imv_os_state_t, get_handshake_state, imv_os_handshake_state_t, METHOD(imv_os_state_t, set_count, void, - private_imv_os_state_t *this, int count, int count_update, + private_imv_os_state_t *this, int count, int count_security, int count_blacklist, int count_ok) { this->count += count; - this->count_update += count_update; + this->count_security += count_security; this->count_blacklist += count_blacklist; this->count_ok += count_ok; } METHOD(imv_os_state_t, get_count, void, - private_imv_os_state_t *this, int *count, int *count_update, + private_imv_os_state_t *this, int *count, int *count_security, int *count_blacklist, int *count_ok) { if (count) { *count = this->count; } - if (count_update) + if (count_security) { - *count_update = this->count_update; + *count_security = this->count_security; } if (count_blacklist) { diff --git a/src/libimcv/plugins/imv_os/imv_os_state.h b/src/libimcv/plugins/imv_os/imv_os_state.h index aa9b64076..d73a47412 100644 --- a/src/libimcv/plugins/imv_os/imv_os_state.h +++ b/src/libimcv/plugins/imv_os/imv_os_state.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2014 Andreas Steffen + * Copyright (C) 2012-2017 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it 
@@ -81,22 +81,22 @@ struct imv_os_state_t { * Set [or with multiple attributes increment] package counters * * @param count Number of processed packages - * @param count_update Number of not updated packages + * @param count_security Number of vulnerable packages * @param count_blacklist Number of blacklisted packages * @param count_ok Number of whitelisted packages */ - void (*set_count)(imv_os_state_t *this, int count, int count_update, + void (*set_count)(imv_os_state_t *this, int count, int count_security, int count_blacklist, int count_ok); /** * Set [or with multiple attributes increment] package counters * * @param count Number of processed packages - * @param count_update Number of not updated packages + * @param count_security Number of vulnerable packages * @param count_blacklist Number of blacklisted packages * @param count_ok Number of whitelisted packages */ - void (*get_count)(imv_os_state_t *this, int *count, int *count_update, + void (*get_count)(imv_os_state_t *this, int *count, int *count_security, int *count_blacklist, int *count_ok); /** diff --git a/src/libimcv/plugins/imv_os/pacman.c b/src/libimcv/plugins/imv_os/pacman.c deleted file mode 100644 index fbcab5eba..000000000 --- a/src/libimcv/plugins/imv_os/pacman.c +++ /dev/null 
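Review bot: The doc comment above `get_count` in imv_os_state.h still opens with "Set [or with multiple attributes increment] package counters", copied from `set_count`, and this hunk edits its `@param` lines without correcting the summary. The first line should describe the getter, for example `* Get package counters`. In imv_os_state.c the implementation skips NULL output pointers, so the comment could also say that any of them may be NULL. The struct definition starts and ends outside the hunk.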
@@ -1,499 +0,0 @@ -/* - * Copyright (C) 2012 Andreas Steffen - * HSR Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#define _GNU_SOURCE -#include -#include -#include -#include -#include -#include -#include -#include - -#include "imv_os_state.h" - -#include -#include - -typedef enum pacman_state_t pacman_state_t; - -enum pacman_state_t { - PACMAN_STATE_BEGIN_PACKAGE, - PACMAN_STATE_VERSION, - PACMAN_STATE_END_PACKAGE -}; - -typedef struct stats_t stats_t; - -struct stats_t { - time_t release; - int product; - int packages; - int new_packages; - int new_versions; - int updated_versions; - int deleted_versions; -}; - -/** - * global debug output variables - */ -static int debug_level = 1; -static bool stderr_quiet = TRUE; - -/** - * pacman dbg function - */ -static void pacman_dbg(debug_t group, level_t level, char *fmt, ...) 
-{ - int priority = LOG_INFO; - char buffer[8192]; - char *current = buffer, *next; - va_list args; - - if (level <= debug_level) - { - if (!stderr_quiet) - { - va_start(args, fmt); - vfprintf(stderr, fmt, args); - fprintf(stderr, "\n"); - va_end(args); - } - - /* write in memory buffer first */ - va_start(args, fmt); - vsnprintf(buffer, sizeof(buffer), fmt, args); - va_end(args); - - /* do a syslog with every line */ - while (current) - { - next = strchr(current, '\n'); - if (next) - { - *(next++) = '\0'; - } - syslog(priority, "%s\n", current); - current = next; - } - } -} - -/** - * atexit handler to close everything on shutdown - */ -static void cleanup(void) -{ - closelog(); - library_deinit(); -} - -static void usage(void) -{ - printf("Parses package information files from Debian/Ubuntu repositories and\n"); - printf("stores the extracted information in the database used by the OS IMV.\n\n"); - printf("ipsec pacman --product --file [--security]\n\n"); - printf(" --help print usage information\n"); - printf(" --product name of the Debian/Ubuntu release, as stored in the DB\n"); - printf(" --file package information file to parse\n"); - printf(" --security set this when parsing a file with security updates\n"); - printf("\n"); -} - -/** - * Update the package database - */ -static bool update_database(database_t *db, char *package, char *version, - bool security, stats_t *stats) -{ - char *cur_version, *version_update = NULL, *version_delete = NULL; - int cur_security, security_update = 0, security_delete = 0; - int pac_id = 0, vid = 0, vid_update = 0, vid_delete = 0; - u_int cur_time; - bool add_version = TRUE; - enumerator_t *e; - - /* increment package count */ - stats->packages++; - - /* check if package is already in database */ - e = db->query(db, "SELECT id FROM packages WHERE name = ?", - DB_TEXT, package, DB_INT); - if (!e) - { - return FALSE; - } - if (!e->enumerate(e, &pac_id)) - { - pac_id = 0; - } - e->destroy(e); - - if (!pac_id && security) - { - 
if (db->execute(db, &pac_id, "INSERT INTO packages (name) VALUES (?)", - DB_TEXT, package) != 1) - { - fprintf(stderr, "could not store package '%s' to database\n", - package); - return FALSE; - } - stats->new_packages++; - } - - /* check for package versions already in database */ - e = db->query(db, - "SELECT id, release, security, time FROM versions " - "WHERE package = ? AND product = ?", DB_INT, pac_id, - DB_INT, stats->product, DB_INT, DB_TEXT, DB_INT, DB_UINT); - if (!e) - { - return FALSE; - } - - while (e->enumerate(e, &vid, &cur_version, &cur_security, &cur_time)) - { - if (streq(version, cur_version)) - { - /* already in data base */ - add_version = FALSE; - break; - } - else if (stats->release >= cur_time) - { - if (security) - { - if (cur_security) - { - vid_update = vid; - version_update = strdup(cur_version); - security_update = cur_security; - } - else - { - vid_delete = vid; - version_delete = strdup(cur_version); - security_delete = cur_security; - } - } - else - { - if (!cur_security) - { - vid_update = vid; - version_update = strdup(cur_version); - security_update = cur_security; - } - } - } - else - { - if (security == cur_security) - { - add_version = FALSE; - } - } - } - e->destroy(e); - - if ((!vid && !security) || (vid && !add_version)) - { - free(version_update); - free(version_delete); - return TRUE; - } - - if ((!vid && security) || (vid && !vid_update)) - { - printf("%s (%s) %s\n", package, version, security ? "[s]" : ""); - - if (db->execute(db, &vid, - "INSERT INTO versions " - "(package, product, release, security, time) " - "VALUES (?, ?, ?, ?, ?)", DB_INT, pac_id, DB_INT, stats->product, - DB_TEXT, version, DB_INT, security, DB_INT, stats->release) != 1) - { - fprintf(stderr, "could not store version '%s' to database\n", - version); - free(version_update); - free(version_delete); - return FALSE; - } - stats->new_versions++; - } - else - { - printf("%s (%s) %s updated by\n", - package, version_update, security_update ? 
"[s]" : ""); - printf("%s (%s) %s\n", package, version, security ? "[s]" : ""); - - if (db->execute(db, NULL, - "UPDATE versions SET release = ?, time = ? WHERE id = ?", - DB_TEXT, version, DB_INT, stats->release, DB_INT, vid_update) <= 0) - { - fprintf(stderr, "could not update version '%s' to database\n", - version); - free(version_update); - free(version_delete); - return FALSE; - } - stats->updated_versions++; - } - - if (vid_delete) - { - printf("%s (%s) %s deleted\n", - package, version_delete, security_delete ? "[s]" : ""); - if (db->execute(db, NULL, - "DELETE FROM versions WHERE id = ?", - DB_INT, vid_delete) <= 0) - { - fprintf(stderr, "could not delete version '%s' from database\n", - version_delete); - free(version_update); - free(version_delete); - return FALSE; - } - stats->deleted_versions++; - } - free(version_update); - free(version_delete); - - return TRUE; -} - -/** - * Process a package file and store updates in the database - */ -static void process_packages(char *filename, char *product, bool security) -{ - char *uri, line[BUF_LEN], *pos, *package = NULL, *version = NULL; - pacman_state_t pacman_state; - enumerator_t *e; - database_t *db; - int pid; - FILE *file; - stats_t stats; - bool success; - - /* initialize statistics */ - memset(&stats, 0x00, sizeof(stats_t)); - - /* Set release date to current time */ - stats.release = time(NULL); - - /* opening package file */ - printf("loading\"%s\"\n", filename); - file = fopen(filename, "r"); - if (!file) - { - fprintf(stderr, "could not open \"%s\"\n", filename); - exit(EXIT_FAILURE); - } - - /* connect package database */ - uri = lib->settings->get_str(lib->settings, "pacman.database", NULL); - if (!uri) - { - fprintf(stderr, "database URI pacman.database not set\n"); - fclose(file); - exit(EXIT_FAILURE); - } - db = lib->db->create(lib->db, uri); - if (!db) - { - fprintf(stderr, "could not connect to database '%s'\n", uri); - fclose(file); - exit(EXIT_FAILURE); - } - - /* check if product is 
already in database */ - e = db->query(db, "SELECT id FROM products WHERE name = ?", - DB_TEXT, product, DB_INT); - if (e) - { - if (e->enumerate(e, &pid)) - { - stats.product = pid; - } - e->destroy(e); - } - if (!stats.product) - { - if (db->execute(db, &pid, "INSERT INTO products (name) VALUES (?)", - DB_TEXT, product) != 1) - { - fprintf(stderr, "could not store product '%s' to database\n", - product); - fclose(file); - db->destroy(db); - exit(EXIT_FAILURE); - } - stats.product = pid; - } - - pacman_state = PACMAN_STATE_BEGIN_PACKAGE; - - while (fgets(line, sizeof(line), file)) - { - /* set read pointer to beginning of line */ - pos = line; - - switch (pacman_state) - { - case PACMAN_STATE_BEGIN_PACKAGE: - pos = strstr(pos, "Package: "); - if (!pos) - { - continue; - } - pos += 9; - package = pos; - pos = strchr(pos, '\n'); - if (pos) - { - package = strndup(package, pos - package); - pacman_state = PACMAN_STATE_VERSION; - } - break; - case PACMAN_STATE_VERSION: - pos = strstr(pos, "Version: "); - if (!pos) - { - continue; - } - pos += 9; - version = pos; - pos = strchr(pos, '\n'); - if (pos) - { - version = strndup(version, pos - version); - pacman_state = PACMAN_STATE_END_PACKAGE; - } - break; - case PACMAN_STATE_END_PACKAGE: - if (*pos != '\n') - { - continue; - } - success = update_database(db, package, version, security, &stats); - free(package); - free(version); - if (!success) - { - fclose(file); - db->destroy(db); - exit(EXIT_FAILURE); - } - pacman_state = PACMAN_STATE_BEGIN_PACKAGE; - } - } - switch (pacman_state) - { - case PACMAN_STATE_END_PACKAGE: - free(version); - /* fall-through */ - case PACMAN_STATE_VERSION: - free(package); - break; - default: - break; - } - fclose(file); - db->destroy(db); - - printf("processed %d packages, %d new packages, %d new versions, " - "%d updated versions, %d deleted versions\n", - stats.packages, stats.new_packages, stats.new_versions, - stats.updated_versions, stats.deleted_versions); -} - -static void do_args(int 
argc, char *argv[]) -{ - char *filename = NULL, *product = NULL; - bool security = FALSE; - - /* reinit getopt state */ - optind = 0; - - while (TRUE) - { - int c; - - struct option long_opts[] = { - { "help", no_argument, NULL, 'h' }, - { "file", required_argument, NULL, 'f' }, - { "product", required_argument, NULL, 'p' }, - { "security", no_argument, NULL, 's' }, - { 0,0,0,0 } - }; - - c = getopt_long(argc, argv, "", long_opts, NULL); - switch (c) - { - case EOF: - break; - case 'h': - usage(); - exit(EXIT_SUCCESS); - case 'f': - filename = optarg; - continue; - case 'p': - product = optarg; - continue; - case 's': - security = TRUE; - continue; - } - break; - } - - if (filename && product) - { - process_packages(filename, product, security); - } - else - { - usage(); - exit(EXIT_FAILURE); - } -} - -int main(int argc, char *argv[]) -{ - /* enable attest debugging hook */ - dbg = pacman_dbg; - openlog("pacman", 0, LOG_DEBUG); - - atexit(cleanup); - - /* initialize library */ - if (!library_init(NULL, "pacman")) - { - exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); - } - if (!lib->plugins->load(lib->plugins, - lib->settings->get_str(lib->settings, "pacman.load", "sqlite"))) - { - exit(SS_RC_INITIALIZATION_FAILED); - } - do_args(argc, argv); - - exit(EXIT_SUCCESS); -} - diff --git a/src/libimcv/plugins/imv_os/pacman.sh b/src/libimcv/plugins/imv_os/pacman.sh deleted file mode 100755 index fcf35b644..000000000 --- a/src/libimcv/plugins/imv_os/pacman.sh +++ /dev/null 
@@ -1,203 +0,0 @@ -#!/bin/sh - -DIR="/etc/pts" -DATE=`date +%Y%m%d-%H%M` -UBUNTU="http://security.ubuntu.com/ubuntu/dists" -UBUNTU_VERSIONS="trusty saucy raring quantal precise lucid" -UBUNTU_DIRS="main multiverse restricted universe" -UBUNTU_ARCH="binary-amd64 binary-i386" -DEBIAN="http://security.debian.org/dists" -DEBIAN_VERSIONS="jessie wheezy squeeze" -DEBIAN_DIRS="main contrib non-free" -DEBIAN_ARCH="binary-amd64 binary-i386" -PACMAN=/usr/libexec/ipsec/pacman -PACMAN_LOG="$DIR/$DATE-pacman.log" - -mkdir -p $DIR/dists -cd $DIR/dists - -for v in $UBUNTU_VERSIONS -do - for a in $UBUNTU_ARCH - do - mkdir -p $v-security/$a $v-updates/$a - for d in $UBUNTU_DIRS - do - wget $UBUNTU/$v-security/$d/$a/Packages.bz2 -O $v-security/$a/Packages-$d.bz2 - bunzip2 -f $v-security/$a/Packages-$d.bz2 - wget $UBUNTU/$v-updates/$d/$a/Packages.bz2 -O $v-updates/$a/Packages-$d.bz2 - bunzip2 -f $v-updates/$a/Packages-$d.bz2 - done - done -done - -for v in $DEBIAN_VERSIONS -do - for a in $DEBIAN_ARCH - do - mkdir -p $v-updates/$a - for d in $DEBIAN_DIRS - do - wget $DEBIAN/$v/updates/$d/$a/Packages.bz2 -O $v-updates/$a/Packages-$d.bz2 - bunzip2 -f $v-updates/$a/Packages-$d.bz2 - done - done -done - -for f in trusty-security/binary-amd64/* -do - $PACMAN --product "Ubuntu 14.04 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in trusty-updates/binary-amd64/* -do - $PACMAN --product "Ubuntu 14.04 x86_64" --file $f >> $PACMAN_LOG -done -echo -for f in trusty-security/binary-i386/* -do - $PACMAN --product "Ubuntu 14.04 i686" --file $f --security >> $PACMAN_LOG -done -echo -for f in trusty-updates/binary-i386/* -do - $PACMAN --product "Ubuntu 14.04 i686" --file $f >> $PACMAN_LOG -done -echo - -for f in saucy-security/binary-amd64/* -do - $PACMAN --product "Ubuntu 13.10 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in saucy-updates/binary-amd64/* -do - $PACMAN --product "Ubuntu 13.10 x86_64" --file $f >> $PACMAN_LOG -done -echo -for f in 
saucy-security/binary-i386/* -do - $PACMAN --product "Ubuntu 13.10 i686" --file $f --security >> $PACMAN_LOG -done -echo -for f in saucy-updates/binary-i386/* -do - $PACMAN --product "Ubuntu 13.10 i686" --file $f >> $PACMAN_LOG -done -echo - -for f in raring-security/binary-amd64/* -do - $PACMAN --product "Ubuntu 13.04 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in raring-updates/binary-amd64/* -do - $PACMAN --product "Ubuntu 13.04 x86_64" --file $f >> $PACMAN_LOG -done -echo -for f in raring-security/binary-i386/* -do - $PACMAN --product "Ubuntu 13.04 i686" --file $f --security >> $PACMAN_LOG -done -echo -for f in raring-updates/binary-i386/* -do - $PACMAN --product "Ubuntu 13.04 i686" --file $f >> $PACMAN_LOG -done -echo - -for f in quantal-security/binary-amd64/* -do - $PACMAN --product "Ubuntu 12.10 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in quantal-updates/binary-amd64/* -do - $PACMAN --product "Ubuntu 12.10 x86_64" --file $f >> $PACMAN_LOG -done -echo -for f in quantal-security/binary-i386/* -do - $PACMAN --product "Ubuntu 12.10 i686" --file $f --security >> $PACMAN_LOG -done -echo -for f in quantal-updates/binary-i386/* -do - $PACMAN --product "Ubuntu 12.10 i686" --file $f >> $PACMAN_LOG -done -echo - -for f in precise-security/binary-amd64/* -do - $PACMAN --product "Ubuntu 12.04 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in precise-updates/binary-amd64/* -do - $PACMAN --product "Ubuntu 12.04 x86_64" --file $f >> $PACMAN_LOG -done -echo -for f in precise-security/binary-i386/* -do - $PACMAN --product "Ubuntu 12.04 i686" --file $f --security >> $PACMAN_LOG -done -echo -for f in precise-updates/binary-i386/* -do - $PACMAN --product "Ubuntu 12.04 i686" --file $f >> $PACMAN_LOG -done -echo - -for f in lucid-security/binary-amd64/* -do - $PACMAN --product "Ubuntu 10.04 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in lucid-updates/binary-amd64/* -do - $PACMAN --product "Ubuntu 10.04 
x86_64" --file $f >> $PACMAN_LOG -done -echo -for f in lucid-security/binary-i386/* -do - $PACMAN --product "Ubuntu 10.04 i686" --file $f --security >> $PACMAN_LOG -done -echo -for f in lucid-updates/binary-i386/* -do - $PACMAN --product "Ubuntu 10.04 i686" --file $f >> $PACMAN_LOG -done -echo - -for f in jessie-updates/binary-amd64/* -do - $PACMAN --product "Debian 8.0 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in jessie-updates/binary-i386/* -do - $PACMAN --product "Debian 8.0 i686" --file $f --security >> $PACMAN_LOG -done - -for f in wheezy-updates/binary-amd64/* -do - $PACMAN --product "Debian 7.0 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in wheezy-updates/binary-i386/* -do - $PACMAN --product "Debian 7.0 i686" --file $f --security >> $PACMAN_LOG -done - -for f in squeeze-updates/binary-amd64/* -do - $PACMAN --product "Debian 6.0 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in squeeze-updates/binary-i386/* -do - $PACMAN --product "Debian 6.0 i686" --file $f --security >> $PACMAN_LOG -done - -cp $DIR/config.db $DIR/config.db-$DATE diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in index b851f84e7..2649f499d 100644 --- a/src/libimcv/plugins/imv_scanner/Makefile.in +++ b/src/libimcv/plugins/imv_scanner/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imv_swid/Makefile.in b/src/libimcv/plugins/imv_swid/Makefile.in index c745b4597..faccb683e 100644 --- a/src/libimcv/plugins/imv_swid/Makefile.in +++ b/src/libimcv/plugins/imv_swid/Makefile.in 
@@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imv_swima/Makefile.in b/src/libimcv/plugins/imv_swima/Makefile.in index 56eafa5ad..e2132b576 100644 --- a/src/libimcv/plugins/imv_swima/Makefile.in +++ b/src/libimcv/plugins/imv_swima/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/plugins/imv_swima/imv_swima_agent.c b/src/libimcv/plugins/imv_swima/imv_swima_agent.c index efa2b1105..1d9944200 100644 --- a/src/libimcv/plugins/imv_swima/imv_swima_agent.c +++ b/src/libimcv/plugins/imv_swima/imv_swima_agent.c @@ -44,7 +44,7 @@ typedef struct private_imv_swima_agent_t private_imv_swima_agent_t; /* Subscribed PA-TNC message subtypes */ static pen_type_t msg_types[] = { - { PEN_IETF, PA_SUBTYPE_IETF_SW } + { PEN_IETF, PA_SUBTYPE_IETF_SWIMA } }; /** @@ -175,7 +175,7 @@ static TNC_Result receive_msg(private_imv_swima_agent_t *this, reader->destroy(reader); continue; } - if (error_code.type == PA_ERROR_SW_RESPONSE_TOO_LARGE) + if (error_code.type == PA_ERROR_SWIMA_RESPONSE_TOO_LARGE) { if (!reader->read_uint32(reader, &max_attr_size)) { diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in index 8a6b9ed15..b583a32c2 100644 --- a/src/libimcv/plugins/imv_test/Makefile.in +++ b/src/libimcv/plugins/imv_test/Makefile.in 
@@ -243,9 +243,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libimcv/pts/pts.c b/src/libimcv/pts/pts.c index d771d07ed..09ffd7160 100644 --- a/src/libimcv/pts/pts.c +++ b/src/libimcv/pts/pts.c @@ -762,7 +762,7 @@ METHOD(pts_t, verify_quote_signature, bool, return FALSE; } - if (!aik_pubkey->verify(aik_pubkey, scheme, digest, signature)) + if (!aik_pubkey->verify(aik_pubkey, scheme, NULL, digest, signature)) { DBG1(DBG_PTS, "signature verification failed for TPM Quote Info"); DESTROY_IF(aik_pubkey); diff --git a/src/libimcv/pts/pts_database.c b/src/libimcv/pts/pts_database.c index 4a47b06f0..8b99d689b 100644 --- a/src/libimcv/pts/pts_database.c +++ b/src/libimcv/pts/pts_database.c 
@@ -121,15 +121,69 @@ METHOD(pts_database_t, create_file_hash_enumerator, enumerator_t*, return e; } -METHOD(pts_database_t, add_file_measurement, status_t, - private_pts_database_t *this, int pid, pts_meas_algorithms_t algo, + +METHOD(pts_database_t, get_product_version, bool, + private_pts_database_t *this, int pid, int *vid) +{ + enumerator_t *e; + int pkg_id; + + /* does empty package name already exist? */ + e = this->db->query(this->db, + "SELECT id FROM packages WHERE name = ''", DB_INT); + if (!e) + { + return FALSE; + } + if (!e->enumerate(e, &pkg_id)) + { + /* create generic product version entry */ + if (this->db->execute(this->db, &pkg_id, + "INSERT INTO packages (name) VALUES ('')") != 1) + { + DBG1(DBG_PTS, "could not insert package into database"); + e->destroy(e); + return FALSE; + } + } + e->destroy(e); + + /* does generic product version already exist? */ + e = this->db->query(this->db, + "SELECT id FROM versions WHERE product = ? AND package = ?", + DB_INT, pid, DB_INT, pkg_id); + if (!e) + { + return FALSE; + } + if (!e->enumerate(e, vid)) + { + /* create generic product version entry */ + if (this->db->execute(this->db, vid, + "INSERT INTO versions (product, package) VALUES (?, ?)", + DB_INT, pid, DB_INT, pkg_id) != 1) + { + DBG1(DBG_PTS, "could not insert version into database"); + e->destroy(e); + return FALSE; + } + } + e->destroy(e); + + return TRUE; +} + +METHOD(pts_database_t, add_file_measurement, bool, + private_pts_database_t *this, int vid, pts_meas_algorithms_t algo, chunk_t measurement, char *filename, bool is_dir, int id) { enumerator_t *e; char *name; - chunk_t hash_value; + uint8_t hash_buf[HASH_SIZE_SHA512]; + uint8_t hex_meas_buf[2*HASH_SIZE_SHA512+1], *hex_hash_buf; + chunk_t hash, hex_hash, hex_meas; int hash_id, fid; - status_t status = SUCCESS; + bool success = TRUE; if (is_dir) { 
@@ -139,7 +193,7 @@ METHOD(pts_database_t, add_file_measurement, status_t, DB_TEXT, filename, DB_INT, id, DB_INT); if (!e) { - return FAILED; + return FALSE; } if (!e->enumerate(e, &fid)) { @@ -149,7 +203,7 @@ METHOD(pts_database_t, add_file_measurement, status_t, DB_TEXT, filename, DB_INT, id) != 1) { DBG1(DBG_PTS, "could not insert filename into database"); - status = FAILED; + success = FALSE; } } e->destroy(e); 
@@ -163,58 +217,63 @@ METHOD(pts_database_t, add_file_measurement, status_t, "SELECT name FROM files WHERE id = ?", DB_INT, fid, DB_TEXT); if (!e) { - return FAILED; + return FALSE; } if (!e->enumerate(e, &name) || !streq(name, filename)) { DBG1(DBG_PTS, "filename of reference measurement does not match"); - status = FAILED; + success = FALSE; } e->destroy(e); } - if (status != SUCCESS) + if (!success) { - return status; + return FALSE; } /* does hash measurement value already exist? */ e = this->db->query(this->db, - "SELECT fh.id, fh.hash FROM file_hashes AS fh " - "JOIN versions AS v ON v.id = fh.version " - "WHERE v.product = ? AND fh.algo = ? AND fh.file = ?", - DB_INT, pid, DB_INT, algo, DB_INT, fid, DB_INT, DB_BLOB); + "SELECT id, hash FROM file_hashes " + "WHERE algo = ? AND file = ? AND version = ?", + DB_INT, algo, DB_INT, fid, DB_INT, vid, DB_INT, DB_TEXT); if (!e) { - return FAILED; + return FALSE; } - if (e->enumerate(e, &hash_id, &hash_value)) + if (e->enumerate(e, &hash_id, &hex_hash_buf)) { - if (!chunk_equals_const(measurement, hash_value)) + hex_hash = chunk_from_str(hex_hash_buf); + hash = chunk_from_hex(hex_hash, hash_buf); + + if (!chunk_equals(measurement, hash)) { /* update hash measurement value */ if (this->db->execute(this->db, &hash_id, "UPDATE file_hashes SET hash = ? 
WHERE id = ?", DB_BLOB, measurement, DB_INT, hash_id) != 1) { - status = FAILED; + success = FALSE; } } } else { + hex_meas = chunk_to_hex(measurement, hex_meas_buf, FALSE); + hex_meas_buf[hex_meas.len] = '\0'; + /* insert hash measurement value */ if (this->db->execute(this->db, &hash_id, - "INSERT INTO file_hashes (file, product, algo, hash) " - "VALUES (?, ?, ?, ?)", DB_INT, fid, DB_INT, pid, - DB_INT, algo, DB_BLOB, measurement) != 1) + "INSERT INTO file_hashes (file, version, algo, hash) " + "VALUES (?, ?, ?, ?)", DB_INT, fid, DB_INT, vid, + DB_INT, algo, DB_TEXT, hex_meas_buf) != 1) { - status = FAILED; + success = FALSE; } } e->destroy(e); - return status; + return success; } METHOD(pts_database_t, create_file_meas_enumerator, enumerator_t*, @@ -296,7 +355,7 @@ METHOD(pts_database_t, check_comp_measurement, status_t, while (e->enumerate(e, &hash)) { - if (chunk_equals_const(hash, measurement)) + if (chunk_equals(hash, measurement)) { status = SUCCESS; break; @@ -424,6 +483,7 @@ pts_database_t *pts_database_create(imv_database_t *imv_db) .public = { .get_pathname = _get_pathname, .create_file_hash_enumerator = _create_file_hash_enumerator, + .get_product_version = _get_product_version, .add_file_measurement = _add_file_measurement, .create_file_meas_enumerator = _create_file_meas_enumerator, .check_comp_measurement = _check_comp_measurement, diff --git a/src/libimcv/pts/pts_database.h b/src/libimcv/pts/pts_database.h index a6c9fb3b6..3a5ff5992 100644 --- a/src/libimcv/pts/pts_database.h +++ b/src/libimcv/pts/pts_database.h 
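Review bot: In add_file_measurement (pts_database.c, the -163,58 hunk) the hex string read from file_hashes is decoded with `chunk_from_hex(hex_hash, hash_buf)` into the fixed `hash_buf[HASH_SIZE_SHA512]` without checking `hex_hash.len` first, and the call carries no buffer size, so a stored value longer than 2*HASH_SIZE_SHA512 characters would be written past the stack buffer; `chunk_to_hex(measurement, hex_meas_buf, FALSE)` likewise relies on measurement.len being at most HASH_SIZE_SHA512, which the visible lines do not enforce. The same unchecked decode is added in verify() in pts_file_meas.c (`chunk_from_hex(hex_meas, measurement_buf)` in the -241,7 hunk) and needs the same length guard. Separately, the UPDATE branch still binds `DB_BLOB, measurement` although the column is now read as DB_TEXT and the INSERT writes hex text, so an updated row would presumably hold raw bytes that the next read misinterprets as hex. The function begins before this hunk; the sketch below covers only the enumerate branch and moves the hex encoding ahead of it.

```c
	/* … unchanged: file/directory lookup and the file_hashes query … */
	if (measurement.len > sizeof(hash_buf))
	{
		DBG1(DBG_PTS, "measurement exceeds maximum hash size");
		e->destroy(e);
		return FALSE;
	}
	hex_meas = chunk_to_hex(measurement, hex_meas_buf, FALSE);
	hex_meas_buf[hex_meas.len] = '\0';

	if (e->enumerate(e, &hash_id, &hex_hash_buf))
	{
		hex_hash = chunk_from_str(hex_hash_buf);
		if (hex_hash.len > 2 * sizeof(hash_buf))
		{
			DBG1(DBG_PTS, "stored hash value exceeds maximum hash size");
			success = FALSE;
		}
		else if (!chunk_equals(measurement,
							   chunk_from_hex(hex_hash, hash_buf)))
		{
			/* store the update as hex text, like the insert below */
			if (this->db->execute(this->db, &hash_id,
					"UPDATE file_hashes SET hash = ? WHERE id = ?",
					DB_TEXT, hex_meas_buf, DB_INT, hash_id) != 1)
			{
				success = FALSE;
			}
		}
	}
	/* … unchanged: else branch with the INSERT (without the two chunk_to_hex lines moved up), cleanup and return … */
```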
@@ -60,18 +60,27 @@ struct pts_database_t { /** * Add PTS file measurement reference value * - * @param pid Primary key of software product in database + * @param pid Primary key of platform product + * @param vid Primary key of generic product version + * @return TRUE if successful + */ + bool (*get_product_version)(pts_database_t *this, int pid, int *vid); + + /** + * Add PTS file measurement reference value + * + * @param vid Primary key of generic product version * @param algo File measurement hash algorithm used * @param measurement File measurement hash * @param filename Optional name of the file to be checked * @param is_dir TRUE if part of directory measurement * @param id Primary key into direcories/files table - * @return Status + * @return TRUE if successful */ - status_t (*add_file_measurement)(pts_database_t *this, int pid, - pts_meas_algorithms_t algo, - chunk_t measurement, char *filename, - bool is_dir, int id); + bool (*add_file_measurement)(pts_database_t *this, int vid, + pts_meas_algorithms_t algo, + chunk_t measurement, char *filename, + bool is_dir, int id); /** * Get PTS measurement[s] for a given filename stored in database diff --git a/src/libimcv/pts/pts_file_meas.c b/src/libimcv/pts/pts_file_meas.c index 92f513a2d..2f8935a87 100644 --- a/src/libimcv/pts/pts_file_meas.c +++ b/src/libimcv/pts/pts_file_meas.c @@ -140,7 +140,7 @@ METHOD(pts_file_meas_t, check, bool, { while (e->enumerate(e, &hash)) { - if (chunk_equals_const(entry->measurement, hash)) + if (chunk_equals(entry->measurement, hash)) { status = SUCCESS; break; 
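Review bot: The comment added for `get_product_version` in pts_database.h repeats the summary "Add PTS file measurement reference value" from the method below it, so the header does not say what the new method does. Going by the implementation in pts_database.c, which looks up the version row for the product and the empty package name and inserts it when it is missing, I would write `Get the primary key of the generic product version, creating the entry if needed`. `@param vid` is written through a pointer and should be marked as an output, e.g. `@param vid  Returns primary key of generic product version`.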
@@ -193,12 +193,13 @@ METHOD(pts_file_meas_t, verify, bool, { int fid, fid_last = 0; char *filename; - chunk_t measurement; + uint8_t measurement_buf[HASH_SIZE_SHA512], *hex_meas_buf; + chunk_t measurement, hex_meas; entry_t *entry; enumerator_t *enumerator = NULL; bool found = FALSE, match = FALSE, success = TRUE; - while (e_hash->enumerate(e_hash, &fid, &filename, &measurement)) + while (e_hash->enumerate(e_hash, &fid, &filename, &hex_meas_buf)) { if (fid != fid_last) { @@ -241,7 +242,10 @@ METHOD(pts_file_meas_t, verify, bool, if (found && !match) { - if (chunk_equals_const(measurement, entry->measurement)) + hex_meas = chunk_from_str(hex_meas_buf); + measurement = chunk_from_hex(hex_meas, measurement_buf); + + if (chunk_equals(measurement, entry->measurement)) { match = TRUE; DBG2(DBG_PTS, " %#B for '%s' is ok", diff --git a/src/libimcv/suites/test_imcv_seg.c b/src/libimcv/suites/test_imcv_seg.c index 5245be9fa..fdb03b8ae 100644 --- a/src/libimcv/suites/test_imcv_seg.c +++ b/src/libimcv/suites/test_imcv_seg.c @@ -88,7 +88,7 @@ START_TEST(test_imcv_seg_env) { /* create first segment */ attr = seg_env->first_segment(seg_env, 0); - + seg_env_attr = (tcg_seg_attr_seg_env_t*)attr; segment = seg_env_attr->get_segment(seg_env_attr, &flags); if (max_seg_size > 12) @@ -108,8 +108,8 @@ START_TEST(test_imcv_seg_env) segment = seg_env_attr->get_segment(seg_env_attr, &flags); seg = chunk_create(command + n * max_seg_size - 12, seg_size); ck_assert(chunk_equals(seg, segment)); - ck_assert(flags == last_seg ? SEG_ENV_FLAG_NONE : - SEG_ENV_FLAG_MORE); + ck_assert(flags == (last_seg ? SEG_ENV_FLAG_NONE : + SEG_ENV_FLAG_MORE)); } /* check built segment envelope attribute */ @@ -137,8 +137,8 @@ START_TEST(test_imcv_seg_env) } else { - ck_assert(flags == last_seg ? SEG_ENV_FLAG_NONE : - SEG_ENV_FLAG_MORE); + ck_assert(flags == (last_seg ? SEG_ENV_FLAG_NONE : + SEG_ENV_FLAG_MORE)); seg_env1->add_segment(seg_env1, segment, &error); } attr1->destroy(attr1); 
@@ -341,7 +341,7 @@ START_TEST(test_imcv_seg_contract) ita_attr = (ita_attr_command_t*)base_attr_i; ck_assert(streq(ita_attr->get_command(ita_attr), command)); base_attr_i->destroy(base_attr_i); - } + } contract_i->destroy(contract_i); contract_r->destroy(contract_r); base_attr_r->destroy(base_attr_r); @@ -389,7 +389,7 @@ START_TEST(test_imcv_seg_contract_special) contract_i->get_info_string(contract_i, info, sizeof(info), TRUE); ck_assert(max_attr_size == 1000 && max_seg_size == 47); ck_assert(!contract_i->is_null(contract_i)); - + /* create a null responder contract*/ contract_r = seg_contract_create(msg_type, SEG_CONTRACT_MAX_SIZE_VALUE, SEG_CONTRACT_MAX_SIZE_VALUE, @@ -594,7 +594,7 @@ START_TEST(test_imcv_seg_contract_invalid) TRUE, issuer_id, FALSE); base_attr = contract->add_segment(contract, attr_f, &error, &more); ck_assert(base_attr == NULL); - + if (contract_invalid_tests[_i].err_f) { ck_assert(error); @@ -641,18 +641,18 @@ START_TEST(test_imcv_seg_contract_mgr) contracts = seg_contract_manager_create(); /* add contract template as issuer */ - c1 = seg_contract_create(msg_type1, max_attr_size, max_seg_size, + c1 = seg_contract_create(msg_type1, max_attr_size, max_seg_size, TRUE, 1, FALSE); c1->get_info_string(c1, buf, BUF_LEN, TRUE); contracts->add_contract(contracts, c1); - + /* received contract request for msg_type1 as responder */ cx = contracts->get_contract(contracts, msg_type1, FALSE, 2); ck_assert(cx == NULL); /* add directed contract as responder */ - c2 = seg_contract_create(msg_type1, max_attr_size, max_seg_size, + c2 = seg_contract_create(msg_type1, max_attr_size, max_seg_size, FALSE, 2, FALSE); c2->set_responder(c2, 1); c2->get_info_string(c2, buf, BUF_LEN, TRUE); 
@@ -685,7 +685,7 @@ START_TEST(test_imcv_seg_contract_mgr) ck_assert(cx == NULL); /* add directed contract as responder */ - c4 = seg_contract_create(msg_type2, max_attr_size, max_seg_size, + c4 = seg_contract_create(msg_type2, max_attr_size, max_seg_size, FALSE, 2, FALSE); c4->set_responder(c4, 1); contracts->add_contract(contracts, c4); diff --git a/src/libimcv/suites/test_imcv_swima.c b/src/libimcv/suites/test_imcv_swima.c index c54669d1d..a579f7378 100644 --- a/src/libimcv/suites/test_imcv_swima.c +++ b/src/libimcv/suites/test_imcv_swima.c @@ -124,7 +124,7 @@ static req_data_t req_data[] = { START_TEST(test_imcv_swima_sw_req) { pen_type_t type; - pen_type_t pen_type = { PEN_IETF, IETF_ATTR_SW_REQUEST }; + pen_type_t pen_type = { PEN_IETF, IETF_ATTR_SWIMA_REQUEST }; pa_tnc_attr_t *attr, *attr1, *attr2; ietf_swima_attr_req_t *c_attr; swima_record_t *target; diff --git a/src/libimcv/swid_gen/swid_gen.h b/src/libimcv/swid_gen/swid_gen.h index c143f292d..3a69b984a 100644 --- a/src/libimcv/swid_gen/swid_gen.h +++ b/src/libimcv/swid_gen/swid_gen.h @@ -44,7 +44,7 @@ struct swid_gen_t { char *version, bool full, bool pretty); /** - * Generate a SWID tag + * Generate SWID tags or software identifiers for all installed packages * * @param sw_id_only Return software identifier only * @param full Generate full SWID tags with file information diff --git a/src/libimcv/swima/swima_error.c b/src/libimcv/swima/swima_error.c index 2aed2966b..bce4645f0 100644 --- a/src/libimcv/swima/swima_error.c +++ b/src/libimcv/swima/swima_error.c @@ -59,7 +59,7 @@ pa_tnc_attr_t* swima_error_create(pa_tnc_error_code_t code, uint32_t request_id, writer = bio_writer_create(4); writer->write_uint32(writer, request_id); - if (code == PA_ERROR_SW_RESPONSE_TOO_LARGE) + if (code == PA_ERROR_SWIMA_RESPONSE_TOO_LARGE) { writer->write_uint32(writer, max_attr_size); } diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in index e4f0c4411..834be0eeb 100644 --- a/src/libipsec/Makefile.in 
+++ b/src/libipsec/Makefile.in @@ -287,9 +287,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libipsec/ip_packet.c b/src/libipsec/ip_packet.c index 78b4c407a..904f118fd 100644 --- a/src/libipsec/ip_packet.c +++ b/src/libipsec/ip_packet.c @@ -52,7 +52,15 @@ struct ip6_hdr { uint8_t ip6_hlim; struct in6_addr ip6_src, ip6_dst; } __attribute__((packed)); -#define HAVE_NETINET_IP6_H /* not really, but we only need the struct above */ +struct ip6_ext { + uint8_t ip6e_nxt; + uint8_t ip6e_len; +} __attribute__((packed)); +#define HAVE_NETINET_IP6_H /* not really, but we only need the structs above */ +#endif + +#ifndef IP_OFFMASK +#define IP_OFFMASK 0x1fff #endif /** 
@@ -219,6 +227,56 @@ static bool parse_transport_header(chunk_t packet, uint8_t proto, return TRUE; } +#ifdef HAVE_NETINET_IP6_H +/** + * Skip to the actual payload and parse the transport header. + */ +static bool parse_transport_header_v6(struct ip6_hdr *ip, chunk_t packet, + chunk_t *payload, uint8_t *proto, + uint16_t *sport, uint16_t *dport) +{ + struct ip6_ext *ext; + bool fragment = FALSE; + + *proto = ip->ip6_nxt; + *payload = chunk_skip(packet, 40); + while (payload->len >= sizeof(struct ip6_ext)) + { + switch (*proto) + { + case 44: /* Fragment Header */ + fragment = TRUE; + /* skip the header */ + case 0: /* Hop-by-Hop Options Header */ + case 43: /* Routing Header */ + case 60: /* Destination Options Header */ + case 135: /* Mobility Header */ + case 139: /* HIP */ + case 140: /* Shim6 */ + /* simply skip over these headers for now */ + ext = (struct ip6_ext*)payload->ptr; + *proto = ext->ip6e_nxt; + *payload = chunk_skip(*payload, 8 * (ext->ip6e_len + 1)); + continue; + default: + /* assume anything else is an upper layer protocol but only + * attempt to parse the transport header for non-fragmented + * packets as there is no guarantee that initial fragments + * contain the transport header, depending on the number and + * type of extension headers */ + if (!fragment && + !parse_transport_header(*payload, *proto, sport, dport)) + { + return FALSE; + } + break; + } + break; + } + return TRUE; +} +#endif /* HAVE_NETINET_IP6_H */ + /** * Described in header. */ @@ -253,7 +311,8 @@ ip_packet_t *ip_packet_create(chunk_t packet) /* remove any RFC 4303 TFC extra padding */ packet.len = min(packet.len, untoh16(&ip->ip_len)); payload = chunk_skip(packet, ip->ip_hl * 4); - if (!parse_transport_header(payload, ip->ip_p, &sport, &dport)) + if ((ip->ip_off & htons(IP_OFFMASK)) == 0 && + !parse_transport_header(payload, ip->ip_p, &sport, &dport)) { goto failed; } 
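Review bot: In `parse_transport_header_v6` the Fragment header (case 44) falls through to the generic skip, so its length comes from `8 * (ext->ip6e_len + 1)`, although the second octet of a Fragment header is a reserved field and the header is always 8 bytes. A non-zero value in that octet moves the returned `payload` past the real start of the fragment data. I would take the length into a local `size_t len` before `*proto` is overwritten, `len = (*proto == 44) ? 8 : 8 * (ext->ip6e_len + 1);`, and then call `*payload = chunk_skip(*payload, len);`. Separately, when the packet ends inside an extension-header chain the `while` condition fails and the function returns TRUE with `*proto` still naming an extension header and the ports untouched. Returning FALSE there, or a comment saying this is intended, would make the contract explicit.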
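Review bot: The new `ip_off` test in `ip_packet_create` skips transport-header parsing only for fragments with a non-zero offset, while the IPv6 path added in this commit skips it for every packet that carries a Fragment header, including the first one. A first IPv4 fragment too short to hold the transport header therefore still reaches `goto failed`. Later fragments are built with whatever `sport`/`dport` held before the call; they are initialised outside this hunk, presumably to zero. A comment on the condition such as `/* only offset-0 fragments can carry the transport header; later ones keep the default ports */` would record the asymmetry and the fact that port-based selectors cannot be evaluated for those packets. The function body starts before and ends after this hunk.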
@@ -277,10 +336,8 @@ ip_packet_t *ip_packet_create(chunk_t packet) ip = (struct ip6_hdr*)packet.ptr; /* remove any RFC 4303 TFC extra padding */ packet.len = min(packet.len, 40 + untoh16(&ip->ip6_plen)); - /* we only handle packets without extension headers, just skip the - * basic IPv6 header */ - payload = chunk_skip(packet, 40); - if (!parse_transport_header(payload, ip->ip6_nxt, &sport, &dport)) + if (!parse_transport_header_v6(ip, packet, &payload, &next_header, + &sport, &dport)) { goto failed; } @@ -288,7 +345,6 @@ ip_packet_t *ip_packet_create(chunk_t packet) chunk_from_thing(ip->ip6_src), sport); dst = host_create_from_chunk(AF_INET6, chunk_from_thing(ip->ip6_dst), dport); - next_header = ip->ip6_nxt; break; } #endif /* HAVE_NETINET_IP6_H */ diff --git a/src/libipsec/ipsec_sa_mgr.c b/src/libipsec/ipsec_sa_mgr.c index 957d930f2..44d35244a 100644 --- a/src/libipsec/ipsec_sa_mgr.c +++ b/src/libipsec/ipsec_sa_mgr.c @@ -106,6 +106,11 @@ typedef struct { */ ipsec_sa_entry_t *entry; + /** + * SPI of the expired entry + */ + uint32_t spi; + /** * 0 if this is a hard expire, otherwise the offset in s (soft->hard) */ @@ -314,8 +319,9 @@ static job_requeue_t sa_expired(ipsec_sa_expired_t *expired) private_ipsec_sa_mgr_t *this = expired->manager; this->mutex->lock(this->mutex); - if (this->sas->find_first(this->sas, NULL, (void**)&expired->entry)) - { + if (this->sas->find_first(this->sas, NULL, (void**)&expired->entry) && + expired->spi == expired->entry->sa->get_spi(expired->entry->sa)) + { /* only if we find the right SA at this pointer location */ uint32_t hard_offset; hard_offset = expired->hard_offset; @@ -355,6 +361,7 @@ static void schedule_expiration(private_ipsec_sa_mgr_t *this, INIT(expired, .manager = this, .entry = entry, + .spi = entry->sa->get_spi(entry->sa), ); /* schedule a rekey first, a hard timeout will be scheduled then, if any */ diff --git a/src/libipsec/tests/Makefile.in b/src/libipsec/tests/Makefile.in index 5b6c53075..ab5af4634 100644 
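Review bot: The SPI comparison added in `sa_expired` narrows the stale-pointer case but does not close it. The lookup still appears to go by `expired->entry`, a pointer that may by now refer to a different entry allocated at the same address, and an SPI is only unique per destination and protocol. If another SA with the same SPI value lands at that address, the expiry job would act on it. Storing a second discriminator next to `.spi` in `schedule_expiration` (the destination address, or a per-entry counter) and comparing both here would make the match exact. At minimum the comment could read `/* the SPI check guards against the entry's address being reused by another SA */`. `sa_expired` starts before and continues past this hunk.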
--- a/src/libipsec/tests/Makefile.in +++ b/src/libipsec/tests/Makefile.in @@ -240,9 +240,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libpttls/Makefile.in b/src/libpttls/Makefile.in index 0185a3961..c0119f12b 100644 --- a/src/libpttls/Makefile.in +++ b/src/libpttls/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libradius/Makefile.in b/src/libradius/Makefile.in index 794b4b447..4e5936ffc 100644 --- a/src/libradius/Makefile.in +++ b/src/libradius/Makefile.in @@ -240,9 +240,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in index df1da70f4..edd978d78 100644 --- a/src/libsimaka/Makefile.in +++ b/src/libsimaka/Makefile.in @@ -243,9 +243,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk index afca13428..0247add96 100644 --- a/src/libstrongswan/Android.mk +++ b/src/libstrongswan/Android.mk 
@@ -20,6 +20,7 @@ crypto/xofs/xof.c crypto/xofs/xof_bitspender.c \ credentials/credential_factory.c credentials/builder.c \ credentials/cred_encoding.c credentials/keys/private_key.c \ credentials/keys/public_key.c credentials/keys/shared_key.c \ +credentials/keys/signature_params.c \ credentials/certificates/certificate.c credentials/certificates/crl.c \ credentials/certificates/ocsp_response.c credentials/certificates/x509.c \ credentials/certificates/certificate_printer.c \ diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index b4d8452f1..a9759aeee 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -18,6 +18,7 @@ crypto/xofs/xof.c crypto/xofs/xof_bitspender.c \ credentials/credential_factory.c credentials/builder.c \ credentials/cred_encoding.c credentials/keys/private_key.c \ credentials/keys/public_key.c credentials/keys/shared_key.c \ +credentials/keys/signature_params.c \ credentials/certificates/certificate.c credentials/certificates/crl.c \ credentials/certificates/ocsp_response.c credentials/certificates/x509.c \ credentials/certificates/certificate_printer.c \ @@ -79,6 +80,7 @@ crypto/xofs/xof.h crypto/xofs/xof_bitspender.h crypto/xofs/mgf1.h \ credentials/credential_factory.h credentials/builder.h \ credentials/cred_encoding.h credentials/keys/private_key.h \ credentials/keys/public_key.h credentials/keys/shared_key.h \ +credentials/keys/signature_params.h \ credentials/certificates/certificate.h credentials/certificates/x509.h \ credentials/certificates/ac.h credentials/certificates/crl.h \ credentials/certificates/pkcs10.h credentials/certificates/ocsp_request.h \ 
@@ -96,6 +98,7 @@ fetcher/fetcher_manager.h eap/eap.h pen/pen.h ipsec/ipsec_types.h \ networking/host.h networking/host_resolver.h networking/packet.h \ networking/tun_device.h networking/streams/stream.h \ networking/streams/stream_unix.h networking/streams/stream_service_unix.h \ +networking/streams/stream_service_systemd.h \ networking/streams/stream_tcp.h networking/streams/stream_service_tcp.h \ networking/streams/stream_service.h networking/streams/stream_manager.h \ resolver/resolver.h resolver/resolver_response.h resolver/rr_set.h \ @@ -192,19 +195,28 @@ if USE_LIBCAP libstrongswan_la_LIBADD += -lcap endif +if USE_SYSTEMD + AM_CPPFLAGS += $(systemd_CFLAGS) -DUSE_SYSTEMD + libstrongswan_la_SOURCES += networking/streams/stream_service_systemd.c + libstrongswan_la_LIBADD += $(systemd_LIBS) +endif + EXTRA_DIST = \ asn1/oid.txt asn1/oid.pl \ crypto/proposal/proposal_keywords_static.txt \ +crypto/proposal/proposal_keywords_static.h.in \ plugins/plugin_constructors.py \ Android.mk BUILT_SOURCES = \ $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \ +$(srcdir)/crypto/proposal/proposal_keywords_static.h \ $(srcdir)/crypto/proposal/proposal_keywords_static.c \ settings/settings_parser.h MAINTAINERCLEANFILES = \ $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \ +$(srcdir)/crypto/proposal/proposal_keywords_static.h \ $(srcdir)/crypto/proposal/proposal_keywords_static.c $(srcdir)/asn1/oid.c : $(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt @@ -215,6 +227,12 @@ $(srcdir)/asn1/oid.h : $(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt $(AM_V_GEN) \ (cd $(srcdir)/asn1/ && $(PERL) oid.pl) +$(srcdir)/crypto/proposal/proposal_keywords_static.h: $(srcdir)/crypto/proposal/proposal_keywords_static.h.in + $(AM_V_GEN) \ + sed \ + -e "s:\@GPERF_LEN_TYPE\@:$(GPERF_LEN_TYPE):" \ + $< > $@ + $(srcdir)/crypto/proposal/proposal_keywords_static.c: $(srcdir)/crypto/proposal/proposal_keywords_static.txt \ $(srcdir)/crypto/proposal/proposal_keywords_static.h $(AM_V_GEN) \ 
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in index 16e585654..356670dad 100644 --- a/src/libstrongswan/Makefile.in +++ b/src/libstrongswan/Makefile.in 
@@ -123,129 +123,132 @@ host_triplet = @host@ @USE_BUILTIN_PRINTF_TRUE@am__append_15 = -lm @USE_BUILTIN_PRINTF_FALSE@@USE_VSTR_FALSE@am__append_16 = utils/printf_hook/printf_hook_glibc.c @USE_LIBCAP_TRUE@am__append_17 = -lcap -@STATIC_PLUGIN_CONSTRUCTORS_TRUE@am__append_18 = $(srcdir)/plugin_constructors.c +@USE_SYSTEMD_TRUE@am__append_18 = $(systemd_CFLAGS) -DUSE_SYSTEMD +@USE_SYSTEMD_TRUE@am__append_19 = networking/streams/stream_service_systemd.c +@USE_SYSTEMD_TRUE@am__append_20 = $(systemd_LIBS) +@STATIC_PLUGIN_CONSTRUCTORS_TRUE@am__append_21 = $(srcdir)/plugin_constructors.c # build libnttfft used by some plugins ###################################### -@USE_LIBNTTFFT_TRUE@am__append_19 = math/libnttfft +@USE_LIBNTTFFT_TRUE@am__append_22 = math/libnttfft # build plugins with their own Makefile ####################################### -@USE_AF_ALG_TRUE@am__append_20 = plugins/af_alg -@MONOLITHIC_TRUE@@USE_AF_ALG_TRUE@am__append_21 = plugins/af_alg/libstrongswan-af-alg.la -@USE_AES_TRUE@am__append_22 = plugins/aes -@MONOLITHIC_TRUE@@USE_AES_TRUE@am__append_23 = plugins/aes/libstrongswan-aes.la -@USE_DES_TRUE@am__append_24 = plugins/des -@MONOLITHIC_TRUE@@USE_DES_TRUE@am__append_25 = plugins/des/libstrongswan-des.la -@USE_BLOWFISH_TRUE@am__append_26 = plugins/blowfish -@MONOLITHIC_TRUE@@USE_BLOWFISH_TRUE@am__append_27 = plugins/blowfish/libstrongswan-blowfish.la -@USE_RC2_TRUE@am__append_28 = plugins/rc2 -@MONOLITHIC_TRUE@@USE_RC2_TRUE@am__append_29 = plugins/rc2/libstrongswan-rc2.la -@USE_MD4_TRUE@am__append_30 = plugins/md4 -@MONOLITHIC_TRUE@@USE_MD4_TRUE@am__append_31 = plugins/md4/libstrongswan-md4.la -@USE_MD5_TRUE@am__append_32 = plugins/md5 -@MONOLITHIC_TRUE@@USE_MD5_TRUE@am__append_33 = plugins/md5/libstrongswan-md5.la -@USE_SHA1_TRUE@am__append_34 = plugins/sha1 -@MONOLITHIC_TRUE@@USE_SHA1_TRUE@am__append_35 = plugins/sha1/libstrongswan-sha1.la -@USE_SHA2_TRUE@am__append_36 = plugins/sha2 -@MONOLITHIC_TRUE@@USE_SHA2_TRUE@am__append_37 = 
plugins/sha2/libstrongswan-sha2.la -@USE_SHA3_TRUE@am__append_38 = plugins/sha3 -@MONOLITHIC_TRUE@@USE_SHA3_TRUE@am__append_39 = plugins/sha3/libstrongswan-sha3.la -@USE_GMP_TRUE@am__append_40 = plugins/gmp -@MONOLITHIC_TRUE@@USE_GMP_TRUE@am__append_41 = plugins/gmp/libstrongswan-gmp.la -@USE_CURVE25519_TRUE@am__append_42 = plugins/curve25519 -@MONOLITHIC_TRUE@@USE_CURVE25519_TRUE@am__append_43 = plugins/curve25519/libstrongswan-curve25519.la -@USE_RDRAND_TRUE@am__append_44 = plugins/rdrand -@MONOLITHIC_TRUE@@USE_RDRAND_TRUE@am__append_45 = plugins/rdrand/libstrongswan-rdrand.la -@USE_AESNI_TRUE@am__append_46 = plugins/aesni -@MONOLITHIC_TRUE@@USE_AESNI_TRUE@am__append_47 = plugins/aesni/libstrongswan-aesni.la -@USE_RANDOM_TRUE@am__append_48 = plugins/random -@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_49 = plugins/random/libstrongswan-random.la -@USE_NONCE_TRUE@am__append_50 = plugins/nonce -@MONOLITHIC_TRUE@@USE_NONCE_TRUE@am__append_51 = plugins/nonce/libstrongswan-nonce.la -@USE_HMAC_TRUE@am__append_52 = plugins/hmac -@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_53 = plugins/hmac/libstrongswan-hmac.la -@USE_CMAC_TRUE@am__append_54 = plugins/cmac -@MONOLITHIC_TRUE@@USE_CMAC_TRUE@am__append_55 = plugins/cmac/libstrongswan-cmac.la -@USE_XCBC_TRUE@am__append_56 = plugins/xcbc -@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_57 = plugins/xcbc/libstrongswan-xcbc.la -@USE_X509_TRUE@am__append_58 = plugins/x509 -@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_59 = plugins/x509/libstrongswan-x509.la -@USE_REVOCATION_TRUE@am__append_60 = plugins/revocation -@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_61 = plugins/revocation/libstrongswan-revocation.la -@USE_CONSTRAINTS_TRUE@am__append_62 = plugins/constraints -@MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE@am__append_63 = plugins/constraints/libstrongswan-constraints.la -@USE_ACERT_TRUE@am__append_64 = plugins/acert -@MONOLITHIC_TRUE@@USE_ACERT_TRUE@am__append_65 = plugins/acert/libstrongswan-acert.la -@USE_PUBKEY_TRUE@am__append_66 = 
plugins/pubkey -@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_67 = plugins/pubkey/libstrongswan-pubkey.la -@USE_PKCS1_TRUE@am__append_68 = plugins/pkcs1 -@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_69 = plugins/pkcs1/libstrongswan-pkcs1.la -@USE_PKCS7_TRUE@am__append_70 = plugins/pkcs7 -@MONOLITHIC_TRUE@@USE_PKCS7_TRUE@am__append_71 = plugins/pkcs7/libstrongswan-pkcs7.la -@USE_PKCS8_TRUE@am__append_72 = plugins/pkcs8 -@MONOLITHIC_TRUE@@USE_PKCS8_TRUE@am__append_73 = plugins/pkcs8/libstrongswan-pkcs8.la -@USE_PKCS12_TRUE@am__append_74 = plugins/pkcs12 -@MONOLITHIC_TRUE@@USE_PKCS12_TRUE@am__append_75 = plugins/pkcs12/libstrongswan-pkcs12.la -@USE_PGP_TRUE@am__append_76 = plugins/pgp -@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_77 = plugins/pgp/libstrongswan-pgp.la -@USE_DNSKEY_TRUE@am__append_78 = plugins/dnskey -@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_79 = plugins/dnskey/libstrongswan-dnskey.la -@USE_SSHKEY_TRUE@am__append_80 = plugins/sshkey -@MONOLITHIC_TRUE@@USE_SSHKEY_TRUE@am__append_81 = plugins/sshkey/libstrongswan-sshkey.la -@USE_PEM_TRUE@am__append_82 = plugins/pem -@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_83 = plugins/pem/libstrongswan-pem.la -@USE_CURL_TRUE@am__append_84 = plugins/curl -@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_85 = plugins/curl/libstrongswan-curl.la -@USE_FILES_TRUE@am__append_86 = plugins/files -@MONOLITHIC_TRUE@@USE_FILES_TRUE@am__append_87 = plugins/files/libstrongswan-files.la -@USE_WINHTTP_TRUE@am__append_88 = plugins/winhttp -@MONOLITHIC_TRUE@@USE_WINHTTP_TRUE@am__append_89 = plugins/winhttp/libstrongswan-winhttp.la -@USE_UNBOUND_TRUE@am__append_90 = plugins/unbound -@MONOLITHIC_TRUE@@USE_UNBOUND_TRUE@am__append_91 = plugins/unbound/libstrongswan-unbound.la -@USE_SOUP_TRUE@am__append_92 = plugins/soup -@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_93 = plugins/soup/libstrongswan-soup.la -@USE_LDAP_TRUE@am__append_94 = plugins/ldap -@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_95 = plugins/ldap/libstrongswan-ldap.la 
-@USE_MYSQL_TRUE@am__append_96 = plugins/mysql -@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_97 = plugins/mysql/libstrongswan-mysql.la -@USE_SQLITE_TRUE@am__append_98 = plugins/sqlite -@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_99 = plugins/sqlite/libstrongswan-sqlite.la -@USE_PADLOCK_TRUE@am__append_100 = plugins/padlock -@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_101 = plugins/padlock/libstrongswan-padlock.la -@USE_OPENSSL_TRUE@am__append_102 = plugins/openssl -@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_103 = plugins/openssl/libstrongswan-openssl.la -@USE_GCRYPT_TRUE@am__append_104 = plugins/gcrypt -@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_105 = plugins/gcrypt/libstrongswan-gcrypt.la -@USE_FIPS_PRF_TRUE@am__append_106 = plugins/fips_prf -@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_107 = plugins/fips_prf/libstrongswan-fips-prf.la -@USE_AGENT_TRUE@am__append_108 = plugins/agent -@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_109 = plugins/agent/libstrongswan-agent.la -@USE_KEYCHAIN_TRUE@am__append_110 = plugins/keychain -@MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE@am__append_111 = plugins/keychain/libstrongswan-keychain.la -@USE_PKCS11_TRUE@am__append_112 = plugins/pkcs11 -@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_113 = plugins/pkcs11/libstrongswan-pkcs11.la -@USE_CHAPOLY_TRUE@am__append_114 = plugins/chapoly -@MONOLITHIC_TRUE@@USE_CHAPOLY_TRUE@am__append_115 = plugins/chapoly/libstrongswan-chapoly.la -@USE_CTR_TRUE@am__append_116 = plugins/ctr -@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_117 = plugins/ctr/libstrongswan-ctr.la -@USE_CCM_TRUE@am__append_118 = plugins/ccm -@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_119 = plugins/ccm/libstrongswan-ccm.la -@USE_GCM_TRUE@am__append_120 = plugins/gcm -@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_121 = plugins/gcm/libstrongswan-gcm.la -@USE_MGF1_TRUE@am__append_122 = plugins/mgf1 -@MONOLITHIC_TRUE@@USE_MGF1_TRUE@am__append_123 = plugins/mgf1/libstrongswan-mgf1.la -@USE_NTRU_TRUE@am__append_124 = plugins/ntru 
-@MONOLITHIC_TRUE@@USE_NTRU_TRUE@am__append_125 = plugins/ntru/libstrongswan-ntru.la -@USE_BLISS_TRUE@am__append_126 = plugins/bliss -@MONOLITHIC_TRUE@@USE_BLISS_TRUE@am__append_127 = plugins/bliss/libstrongswan-bliss.la -@USE_NEWHOPE_TRUE@am__append_128 = plugins/newhope -@MONOLITHIC_TRUE@@USE_NEWHOPE_TRUE@am__append_129 = plugins/newhope/libstrongswan-newhope.la -@USE_TEST_VECTORS_TRUE@am__append_130 = plugins/test_vectors -@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_131 = plugins/test_vectors/libstrongswan-test-vectors.la -@USE_LIBNTTFFT_TRUE@am__append_132 = math/libnttfft/tests -@USE_BLISS_TRUE@am__append_133 = plugins/bliss/tests -@USE_NEWHOPE_TRUE@am__append_134 = plugins/newhope/tests +@USE_AF_ALG_TRUE@am__append_23 = plugins/af_alg +@MONOLITHIC_TRUE@@USE_AF_ALG_TRUE@am__append_24 = plugins/af_alg/libstrongswan-af-alg.la +@USE_AES_TRUE@am__append_25 = plugins/aes +@MONOLITHIC_TRUE@@USE_AES_TRUE@am__append_26 = plugins/aes/libstrongswan-aes.la +@USE_DES_TRUE@am__append_27 = plugins/des +@MONOLITHIC_TRUE@@USE_DES_TRUE@am__append_28 = plugins/des/libstrongswan-des.la +@USE_BLOWFISH_TRUE@am__append_29 = plugins/blowfish +@MONOLITHIC_TRUE@@USE_BLOWFISH_TRUE@am__append_30 = plugins/blowfish/libstrongswan-blowfish.la +@USE_RC2_TRUE@am__append_31 = plugins/rc2 +@MONOLITHIC_TRUE@@USE_RC2_TRUE@am__append_32 = plugins/rc2/libstrongswan-rc2.la +@USE_MD4_TRUE@am__append_33 = plugins/md4 +@MONOLITHIC_TRUE@@USE_MD4_TRUE@am__append_34 = plugins/md4/libstrongswan-md4.la +@USE_MD5_TRUE@am__append_35 = plugins/md5 +@MONOLITHIC_TRUE@@USE_MD5_TRUE@am__append_36 = plugins/md5/libstrongswan-md5.la +@USE_SHA1_TRUE@am__append_37 = plugins/sha1 +@MONOLITHIC_TRUE@@USE_SHA1_TRUE@am__append_38 = plugins/sha1/libstrongswan-sha1.la +@USE_SHA2_TRUE@am__append_39 = plugins/sha2 +@MONOLITHIC_TRUE@@USE_SHA2_TRUE@am__append_40 = plugins/sha2/libstrongswan-sha2.la +@USE_SHA3_TRUE@am__append_41 = plugins/sha3 +@MONOLITHIC_TRUE@@USE_SHA3_TRUE@am__append_42 = 
plugins/sha3/libstrongswan-sha3.la +@USE_GMP_TRUE@am__append_43 = plugins/gmp +@MONOLITHIC_TRUE@@USE_GMP_TRUE@am__append_44 = plugins/gmp/libstrongswan-gmp.la +@USE_CURVE25519_TRUE@am__append_45 = plugins/curve25519 +@MONOLITHIC_TRUE@@USE_CURVE25519_TRUE@am__append_46 = plugins/curve25519/libstrongswan-curve25519.la +@USE_RDRAND_TRUE@am__append_47 = plugins/rdrand +@MONOLITHIC_TRUE@@USE_RDRAND_TRUE@am__append_48 = plugins/rdrand/libstrongswan-rdrand.la +@USE_AESNI_TRUE@am__append_49 = plugins/aesni +@MONOLITHIC_TRUE@@USE_AESNI_TRUE@am__append_50 = plugins/aesni/libstrongswan-aesni.la +@USE_RANDOM_TRUE@am__append_51 = plugins/random +@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_52 = plugins/random/libstrongswan-random.la +@USE_NONCE_TRUE@am__append_53 = plugins/nonce +@MONOLITHIC_TRUE@@USE_NONCE_TRUE@am__append_54 = plugins/nonce/libstrongswan-nonce.la +@USE_HMAC_TRUE@am__append_55 = plugins/hmac +@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_56 = plugins/hmac/libstrongswan-hmac.la +@USE_CMAC_TRUE@am__append_57 = plugins/cmac +@MONOLITHIC_TRUE@@USE_CMAC_TRUE@am__append_58 = plugins/cmac/libstrongswan-cmac.la +@USE_XCBC_TRUE@am__append_59 = plugins/xcbc +@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_60 = plugins/xcbc/libstrongswan-xcbc.la +@USE_X509_TRUE@am__append_61 = plugins/x509 +@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_62 = plugins/x509/libstrongswan-x509.la +@USE_REVOCATION_TRUE@am__append_63 = plugins/revocation +@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_64 = plugins/revocation/libstrongswan-revocation.la +@USE_CONSTRAINTS_TRUE@am__append_65 = plugins/constraints +@MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE@am__append_66 = plugins/constraints/libstrongswan-constraints.la +@USE_ACERT_TRUE@am__append_67 = plugins/acert +@MONOLITHIC_TRUE@@USE_ACERT_TRUE@am__append_68 = plugins/acert/libstrongswan-acert.la +@USE_PUBKEY_TRUE@am__append_69 = plugins/pubkey +@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_70 = plugins/pubkey/libstrongswan-pubkey.la 
+@USE_PKCS1_TRUE@am__append_71 = plugins/pkcs1 +@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_72 = plugins/pkcs1/libstrongswan-pkcs1.la +@USE_PKCS7_TRUE@am__append_73 = plugins/pkcs7 +@MONOLITHIC_TRUE@@USE_PKCS7_TRUE@am__append_74 = plugins/pkcs7/libstrongswan-pkcs7.la +@USE_PKCS8_TRUE@am__append_75 = plugins/pkcs8 +@MONOLITHIC_TRUE@@USE_PKCS8_TRUE@am__append_76 = plugins/pkcs8/libstrongswan-pkcs8.la +@USE_PKCS12_TRUE@am__append_77 = plugins/pkcs12 +@MONOLITHIC_TRUE@@USE_PKCS12_TRUE@am__append_78 = plugins/pkcs12/libstrongswan-pkcs12.la +@USE_PGP_TRUE@am__append_79 = plugins/pgp +@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_80 = plugins/pgp/libstrongswan-pgp.la +@USE_DNSKEY_TRUE@am__append_81 = plugins/dnskey +@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_82 = plugins/dnskey/libstrongswan-dnskey.la +@USE_SSHKEY_TRUE@am__append_83 = plugins/sshkey +@MONOLITHIC_TRUE@@USE_SSHKEY_TRUE@am__append_84 = plugins/sshkey/libstrongswan-sshkey.la +@USE_PEM_TRUE@am__append_85 = plugins/pem +@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_86 = plugins/pem/libstrongswan-pem.la +@USE_CURL_TRUE@am__append_87 = plugins/curl +@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_88 = plugins/curl/libstrongswan-curl.la +@USE_FILES_TRUE@am__append_89 = plugins/files +@MONOLITHIC_TRUE@@USE_FILES_TRUE@am__append_90 = plugins/files/libstrongswan-files.la +@USE_WINHTTP_TRUE@am__append_91 = plugins/winhttp +@MONOLITHIC_TRUE@@USE_WINHTTP_TRUE@am__append_92 = plugins/winhttp/libstrongswan-winhttp.la +@USE_UNBOUND_TRUE@am__append_93 = plugins/unbound +@MONOLITHIC_TRUE@@USE_UNBOUND_TRUE@am__append_94 = plugins/unbound/libstrongswan-unbound.la +@USE_SOUP_TRUE@am__append_95 = plugins/soup +@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_96 = plugins/soup/libstrongswan-soup.la +@USE_LDAP_TRUE@am__append_97 = plugins/ldap +@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_98 = plugins/ldap/libstrongswan-ldap.la +@USE_MYSQL_TRUE@am__append_99 = plugins/mysql +@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_100 = 
plugins/mysql/libstrongswan-mysql.la +@USE_SQLITE_TRUE@am__append_101 = plugins/sqlite +@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_102 = plugins/sqlite/libstrongswan-sqlite.la +@USE_PADLOCK_TRUE@am__append_103 = plugins/padlock +@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_104 = plugins/padlock/libstrongswan-padlock.la +@USE_OPENSSL_TRUE@am__append_105 = plugins/openssl +@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_106 = plugins/openssl/libstrongswan-openssl.la +@USE_GCRYPT_TRUE@am__append_107 = plugins/gcrypt +@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_108 = plugins/gcrypt/libstrongswan-gcrypt.la +@USE_FIPS_PRF_TRUE@am__append_109 = plugins/fips_prf +@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_110 = plugins/fips_prf/libstrongswan-fips-prf.la +@USE_AGENT_TRUE@am__append_111 = plugins/agent +@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_112 = plugins/agent/libstrongswan-agent.la +@USE_KEYCHAIN_TRUE@am__append_113 = plugins/keychain +@MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE@am__append_114 = plugins/keychain/libstrongswan-keychain.la +@USE_PKCS11_TRUE@am__append_115 = plugins/pkcs11 +@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_116 = plugins/pkcs11/libstrongswan-pkcs11.la +@USE_CHAPOLY_TRUE@am__append_117 = plugins/chapoly +@MONOLITHIC_TRUE@@USE_CHAPOLY_TRUE@am__append_118 = plugins/chapoly/libstrongswan-chapoly.la +@USE_CTR_TRUE@am__append_119 = plugins/ctr +@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_120 = plugins/ctr/libstrongswan-ctr.la +@USE_CCM_TRUE@am__append_121 = plugins/ccm +@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_122 = plugins/ccm/libstrongswan-ccm.la +@USE_GCM_TRUE@am__append_123 = plugins/gcm +@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_124 = plugins/gcm/libstrongswan-gcm.la +@USE_MGF1_TRUE@am__append_125 = plugins/mgf1 +@MONOLITHIC_TRUE@@USE_MGF1_TRUE@am__append_126 = plugins/mgf1/libstrongswan-mgf1.la +@USE_NTRU_TRUE@am__append_127 = plugins/ntru +@MONOLITHIC_TRUE@@USE_NTRU_TRUE@am__append_128 = plugins/ntru/libstrongswan-ntru.la 
+@USE_BLISS_TRUE@am__append_129 = plugins/bliss +@MONOLITHIC_TRUE@@USE_BLISS_TRUE@am__append_130 = plugins/bliss/libstrongswan-bliss.la +@USE_NEWHOPE_TRUE@am__append_131 = plugins/newhope +@MONOLITHIC_TRUE@@USE_NEWHOPE_TRUE@am__append_132 = plugins/newhope/libstrongswan-newhope.la +@USE_TEST_VECTORS_TRUE@am__append_133 = plugins/test_vectors +@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_134 = plugins/test_vectors/libstrongswan-test-vectors.la +@USE_LIBNTTFFT_TRUE@am__append_135 = math/libnttfft/tests +@USE_BLISS_TRUE@am__append_136 = plugins/bliss/tests +@USE_NEWHOPE_TRUE@am__append_137 = plugins/newhope/tests subdir = src/libstrongswan ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ 
@@ -299,32 +302,33 @@ am__installdirs = "$(DESTDIR)$(ipseclibdir)" \ LTLIBRARIES = $(ipseclib_LTLIBRARIES) am__DEPENDENCIES_1 = @USE_WINDOWS_FALSE@am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1) +@USE_SYSTEMD_TRUE@am__DEPENDENCIES_3 = $(am__DEPENDENCIES_1) libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) $(am__append_21) \ - $(am__append_23) $(am__append_25) $(am__append_27) \ - $(am__append_29) $(am__append_31) $(am__append_33) \ - $(am__append_35) $(am__append_37) $(am__append_39) \ - $(am__append_41) $(am__append_43) $(am__append_45) \ - $(am__append_47) $(am__append_49) $(am__append_51) \ - $(am__append_53) $(am__append_55) $(am__append_57) \ - $(am__append_59) $(am__append_61) $(am__append_63) \ - $(am__append_65) $(am__append_67) $(am__append_69) \ - $(am__append_71) $(am__append_73) $(am__append_75) \ - $(am__append_77) $(am__append_79) $(am__append_81) \ - $(am__append_83) $(am__append_85) $(am__append_87) \ - $(am__append_89) $(am__append_91) $(am__append_93) \ - $(am__append_95) $(am__append_97) $(am__append_99) \ - $(am__append_101) $(am__append_103) $(am__append_105) \ - $(am__append_107) $(am__append_109) $(am__append_111) \ - $(am__append_113) $(am__append_115) $(am__append_117) \ - $(am__append_119) $(am__append_121) $(am__append_123) \ - $(am__append_125) $(am__append_127) $(am__append_129) \ - $(am__append_131) + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_3) $(am__append_24) $(am__append_26) \ + $(am__append_28) $(am__append_30) $(am__append_32) \ + $(am__append_34) $(am__append_36) $(am__append_38) \ + $(am__append_40) $(am__append_42) $(am__append_44) \ + $(am__append_46) $(am__append_48) $(am__append_50) \ + $(am__append_52) $(am__append_54) 
$(am__append_56) \ + $(am__append_58) $(am__append_60) $(am__append_62) \ + $(am__append_64) $(am__append_66) $(am__append_68) \ + $(am__append_70) $(am__append_72) $(am__append_74) \ + $(am__append_76) $(am__append_78) $(am__append_80) \ + $(am__append_82) $(am__append_84) $(am__append_86) \ + $(am__append_88) $(am__append_90) $(am__append_92) \ + $(am__append_94) $(am__append_96) $(am__append_98) \ + $(am__append_100) $(am__append_102) $(am__append_104) \ + $(am__append_106) $(am__append_108) $(am__append_110) \ + $(am__append_112) $(am__append_114) $(am__append_116) \ + $(am__append_118) $(am__append_120) $(am__append_122) \ + $(am__append_124) $(am__append_126) $(am__append_128) \ + $(am__append_130) $(am__append_132) $(am__append_134) am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \ asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c \ bio/bio_writer.c collections/blocking_queue.c \ @@ -344,6 +348,7 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \ credentials/credential_factory.c credentials/builder.c \ credentials/cred_encoding.c credentials/keys/private_key.c \ credentials/keys/public_key.c credentials/keys/shared_key.c \ + credentials/keys/signature_params.c \ credentials/certificates/certificate.c \ credentials/certificates/crl.c \ credentials/certificates/ocsp_response.c \ @@ -390,7 +395,8 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \ utils/compat/windows.c utils/leak_detective.c \ utils/integrity_checker.c utils/printf_hook/printf_hook_vstr.c \ utils/printf_hook/printf_hook_builtin.c \ - utils/printf_hook/printf_hook_glibc.c + utils/printf_hook/printf_hook_glibc.c \ + networking/streams/stream_service_systemd.c am__dirstamp = $(am__leading_dot)dirstamp @USE_WINDOWS_FALSE@am__objects_1 = threading/thread.lo \ @USE_WINDOWS_FALSE@ threading/thread_value.lo \ 
@@ -411,6 +417,7 @@ am__dirstamp = $(am__leading_dot)dirstamp @USE_VSTR_TRUE@am__objects_5 = utils/printf_hook/printf_hook_vstr.lo @USE_BUILTIN_PRINTF_TRUE@am__objects_6 = utils/printf_hook/printf_hook_builtin.lo @USE_BUILTIN_PRINTF_FALSE@@USE_VSTR_FALSE@am__objects_7 = utils/printf_hook/printf_hook_glibc.lo +@USE_SYSTEMD_TRUE@am__objects_8 = networking/streams/stream_service_systemd.lo am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \ asn1/asn1_parser.lo asn1/oid.lo bio/bio_reader.lo \ bio/bio_writer.lo collections/blocking_queue.lo \ @@ -431,6 +438,7 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \ credentials/credential_factory.lo credentials/builder.lo \ credentials/cred_encoding.lo credentials/keys/private_key.lo \ credentials/keys/public_key.lo credentials/keys/shared_key.lo \ + credentials/keys/signature_params.lo \ credentials/certificates/certificate.lo \ credentials/certificates/crl.lo \ credentials/certificates/ocsp_response.lo \ @@ -469,7 +477,7 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \ utils/utils/status.lo utils/utils/time.lo utils/utils/align.lo \ $(am__objects_1) $(am__objects_2) $(am__objects_3) \ $(am__objects_4) $(am__objects_5) $(am__objects_6) \ - $(am__objects_7) + $(am__objects_7) $(am__objects_8) libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) @@ -561,6 +569,7 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \ credentials/credential_factory.h credentials/builder.h \ credentials/cred_encoding.h credentials/keys/private_key.h \ credentials/keys/public_key.h credentials/keys/shared_key.h \ + credentials/keys/signature_params.h \ credentials/certificates/certificate.h \ credentials/certificates/x509.h credentials/certificates/ac.h \ credentials/certificates/crl.h \ 
@@ -584,6 +593,7 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \ networking/tun_device.h networking/streams/stream.h \ networking/streams/stream_unix.h \ networking/streams/stream_service_unix.h \ + networking/streams/stream_service_systemd.h \ networking/streams/stream_tcp.h \ networking/streams/stream_service_tcp.h \ networking/streams/stream_service.h \ @@ -720,9 +730,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -942,6 +954,7 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \ credentials/credential_factory.c credentials/builder.c \ credentials/cred_encoding.c credentials/keys/private_key.c \ credentials/keys/public_key.c credentials/keys/shared_key.c \ + credentials/keys/signature_params.c \ credentials/certificates/certificate.c \ credentials/certificates/crl.c \ credentials/certificates/ocsp_response.c \ @@ -979,7 +992,7 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \ utils/utils/path.c utils/utils/status.c utils/utils/time.c \ utils/utils/align.c $(am__append_1) $(am__append_3) \ $(am__append_8) $(am__append_11) $(am__append_12) \ - $(am__append_14) $(am__append_16) + $(am__append_14) $(am__append_16) $(am__append_19) # private header files noinst_HEADERS = \ 
@@ -1003,6 +1016,7 @@ settings/settings_types.h @USE_DEV_HEADERS_TRUE@credentials/credential_factory.h credentials/builder.h \ @USE_DEV_HEADERS_TRUE@credentials/cred_encoding.h credentials/keys/private_key.h \ @USE_DEV_HEADERS_TRUE@credentials/keys/public_key.h credentials/keys/shared_key.h \ +@USE_DEV_HEADERS_TRUE@credentials/keys/signature_params.h \ @USE_DEV_HEADERS_TRUE@credentials/certificates/certificate.h credentials/certificates/x509.h \ @USE_DEV_HEADERS_TRUE@credentials/certificates/ac.h credentials/certificates/crl.h \ @USE_DEV_HEADERS_TRUE@credentials/certificates/pkcs10.h credentials/certificates/ocsp_request.h \ @@ -1020,6 +1034,7 @@ settings/settings_types.h @USE_DEV_HEADERS_TRUE@networking/host.h networking/host_resolver.h networking/packet.h \ @USE_DEV_HEADERS_TRUE@networking/tun_device.h networking/streams/stream.h \ @USE_DEV_HEADERS_TRUE@networking/streams/stream_unix.h networking/streams/stream_service_unix.h \ +@USE_DEV_HEADERS_TRUE@networking/streams/stream_service_systemd.h \ @USE_DEV_HEADERS_TRUE@networking/streams/stream_tcp.h networking/streams/stream_service_tcp.h \ @USE_DEV_HEADERS_TRUE@networking/streams/stream_service.h networking/streams/stream_manager.h \ @USE_DEV_HEADERS_TRUE@resolver/resolver.h resolver/resolver_response.h resolver/rr_set.h \ 
@@ -1044,31 +1059,32 @@ settings/settings_types.h libstrongswan_la_LIBADD = $(DLLIB) $(ATOMICLIB) $(BTLIB) $(SOCKLIB) \ $(RTLIB) $(BFDLIB) $(UNWINDLIB) $(am__append_2) \ $(am__append_4) $(am__append_5) $(am__append_13) \ - $(am__append_15) $(am__append_17) $(am__append_21) \ - $(am__append_23) $(am__append_25) $(am__append_27) \ - $(am__append_29) $(am__append_31) $(am__append_33) \ - $(am__append_35) $(am__append_37) $(am__append_39) \ - $(am__append_41) $(am__append_43) $(am__append_45) \ - $(am__append_47) $(am__append_49) $(am__append_51) \ - $(am__append_53) $(am__append_55) $(am__append_57) \ - $(am__append_59) $(am__append_61) $(am__append_63) \ - $(am__append_65) $(am__append_67) $(am__append_69) \ - $(am__append_71) $(am__append_73) $(am__append_75) \ - $(am__append_77) $(am__append_79) $(am__append_81) \ - $(am__append_83) $(am__append_85) $(am__append_87) \ - $(am__append_89) $(am__append_91) $(am__append_93) \ - $(am__append_95) $(am__append_97) $(am__append_99) \ - $(am__append_101) $(am__append_103) $(am__append_105) \ - $(am__append_107) $(am__append_109) $(am__append_111) \ - $(am__append_113) $(am__append_115) $(am__append_117) \ - $(am__append_119) $(am__append_121) $(am__append_123) \ - $(am__append_125) $(am__append_127) $(am__append_129) \ - $(am__append_131) + $(am__append_15) $(am__append_17) $(am__append_20) \ + $(am__append_24) $(am__append_26) $(am__append_28) \ + $(am__append_30) $(am__append_32) $(am__append_34) \ + $(am__append_36) $(am__append_38) $(am__append_40) \ + $(am__append_42) $(am__append_44) $(am__append_46) \ + $(am__append_48) $(am__append_50) $(am__append_52) \ + $(am__append_54) $(am__append_56) $(am__append_58) \ + $(am__append_60) $(am__append_62) $(am__append_64) \ + $(am__append_66) $(am__append_68) $(am__append_70) \ + $(am__append_72) $(am__append_74) $(am__append_76) \ + $(am__append_78) $(am__append_80) $(am__append_82) \ + $(am__append_84) $(am__append_86) $(am__append_88) \ + $(am__append_90) $(am__append_92) 
$(am__append_94) \ + $(am__append_96) $(am__append_98) $(am__append_100) \ + $(am__append_102) $(am__append_104) $(am__append_106) \ + $(am__append_108) $(am__append_110) $(am__append_112) \ + $(am__append_114) $(am__append_116) $(am__append_118) \ + $(am__append_120) $(am__append_122) $(am__append_124) \ + $(am__append_126) $(am__append_128) $(am__append_130) \ + $(am__append_132) $(am__append_134) AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \ -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_LIB_DIR=\"${ipseclibdir}\" \ -DPLUGINDIR=\"${plugindir}\" \ -DSTRONGSWAN_CONF=\"${strongswan_conf}\" $(am__append_6) \ - $(am__append_7) $(am__append_9) $(am__append_10) + $(am__append_7) $(am__append_9) $(am__append_10) \ + $(am__append_18) AM_CFLAGS = \ @COVERAGE_CFLAGS@ 
@@ -1079,83 +1095,86 @@ AM_YFLAGS = -v -d EXTRA_DIST = \ asn1/oid.txt asn1/oid.pl \ crypto/proposal/proposal_keywords_static.txt \ +crypto/proposal/proposal_keywords_static.h.in \ plugins/plugin_constructors.py \ Android.mk BUILT_SOURCES = $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \ + $(srcdir)/crypto/proposal/proposal_keywords_static.h \ $(srcdir)/crypto/proposal/proposal_keywords_static.c \ - settings/settings_parser.h $(am__append_18) + settings/settings_parser.h $(am__append_21) MAINTAINERCLEANFILES = \ $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \ +$(srcdir)/crypto/proposal/proposal_keywords_static.h \ $(srcdir)/crypto/proposal/proposal_keywords_static.c @STATIC_PLUGIN_CONSTRUCTORS_TRUE@CLEANFILES = $(srcdir)/plugin_constructors.c # build unit tests ################## -@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_19) $(am__append_20) \ -@MONOLITHIC_FALSE@ $(am__append_22) $(am__append_24) \ -@MONOLITHIC_FALSE@ $(am__append_26) $(am__append_28) \ -@MONOLITHIC_FALSE@ $(am__append_30) $(am__append_32) \ -@MONOLITHIC_FALSE@ $(am__append_34) $(am__append_36) \ -@MONOLITHIC_FALSE@ $(am__append_38) $(am__append_40) \ -@MONOLITHIC_FALSE@ $(am__append_42) $(am__append_44) \ -@MONOLITHIC_FALSE@ $(am__append_46) $(am__append_48) \ -@MONOLITHIC_FALSE@ $(am__append_50) $(am__append_52) \ -@MONOLITHIC_FALSE@ $(am__append_54) $(am__append_56) \ -@MONOLITHIC_FALSE@ $(am__append_58) $(am__append_60) \ -@MONOLITHIC_FALSE@ $(am__append_62) $(am__append_64) \ -@MONOLITHIC_FALSE@ $(am__append_66) $(am__append_68) \ -@MONOLITHIC_FALSE@ $(am__append_70) $(am__append_72) \ -@MONOLITHIC_FALSE@ $(am__append_74) $(am__append_76) \ -@MONOLITHIC_FALSE@ $(am__append_78) $(am__append_80) \ -@MONOLITHIC_FALSE@ $(am__append_82) $(am__append_84) \ -@MONOLITHIC_FALSE@ $(am__append_86) $(am__append_88) \ -@MONOLITHIC_FALSE@ $(am__append_90) $(am__append_92) \ -@MONOLITHIC_FALSE@ $(am__append_94) $(am__append_96) \ -@MONOLITHIC_FALSE@ $(am__append_98) $(am__append_100) \ -@MONOLITHIC_FALSE@ 
$(am__append_102) $(am__append_104) \ -@MONOLITHIC_FALSE@ $(am__append_106) $(am__append_108) \ -@MONOLITHIC_FALSE@ $(am__append_110) $(am__append_112) \ -@MONOLITHIC_FALSE@ $(am__append_114) $(am__append_116) \ -@MONOLITHIC_FALSE@ $(am__append_118) $(am__append_120) \ -@MONOLITHIC_FALSE@ $(am__append_122) $(am__append_124) \ -@MONOLITHIC_FALSE@ $(am__append_126) $(am__append_128) \ -@MONOLITHIC_FALSE@ $(am__append_130) tests $(am__append_132) \ -@MONOLITHIC_FALSE@ $(am__append_133) $(am__append_134) +@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_22) $(am__append_23) \ +@MONOLITHIC_FALSE@ $(am__append_25) $(am__append_27) \ +@MONOLITHIC_FALSE@ $(am__append_29) $(am__append_31) \ +@MONOLITHIC_FALSE@ $(am__append_33) $(am__append_35) \ +@MONOLITHIC_FALSE@ $(am__append_37) $(am__append_39) \ +@MONOLITHIC_FALSE@ $(am__append_41) $(am__append_43) \ +@MONOLITHIC_FALSE@ $(am__append_45) $(am__append_47) \ +@MONOLITHIC_FALSE@ $(am__append_49) $(am__append_51) \ +@MONOLITHIC_FALSE@ $(am__append_53) $(am__append_55) \ +@MONOLITHIC_FALSE@ $(am__append_57) $(am__append_59) \ +@MONOLITHIC_FALSE@ $(am__append_61) $(am__append_63) \ +@MONOLITHIC_FALSE@ $(am__append_65) $(am__append_67) \ +@MONOLITHIC_FALSE@ $(am__append_69) $(am__append_71) \ +@MONOLITHIC_FALSE@ $(am__append_73) $(am__append_75) \ +@MONOLITHIC_FALSE@ $(am__append_77) $(am__append_79) \ +@MONOLITHIC_FALSE@ $(am__append_81) $(am__append_83) \ +@MONOLITHIC_FALSE@ $(am__append_85) $(am__append_87) \ +@MONOLITHIC_FALSE@ $(am__append_89) $(am__append_91) \ +@MONOLITHIC_FALSE@ $(am__append_93) $(am__append_95) \ +@MONOLITHIC_FALSE@ $(am__append_97) $(am__append_99) \ +@MONOLITHIC_FALSE@ $(am__append_101) $(am__append_103) \ +@MONOLITHIC_FALSE@ $(am__append_105) $(am__append_107) \ +@MONOLITHIC_FALSE@ $(am__append_109) $(am__append_111) \ +@MONOLITHIC_FALSE@ $(am__append_113) $(am__append_115) \ +@MONOLITHIC_FALSE@ $(am__append_117) $(am__append_119) \ +@MONOLITHIC_FALSE@ $(am__append_121) $(am__append_123) \ 
+@MONOLITHIC_FALSE@ $(am__append_125) $(am__append_127) \ +@MONOLITHIC_FALSE@ $(am__append_129) $(am__append_131) \ +@MONOLITHIC_FALSE@ $(am__append_133) tests $(am__append_135) \ +@MONOLITHIC_FALSE@ $(am__append_136) $(am__append_137) # build unit tests ################## -@MONOLITHIC_TRUE@SUBDIRS = $(am__append_19) $(am__append_20) \ -@MONOLITHIC_TRUE@ $(am__append_22) $(am__append_24) \ -@MONOLITHIC_TRUE@ $(am__append_26) $(am__append_28) \ -@MONOLITHIC_TRUE@ $(am__append_30) $(am__append_32) \ -@MONOLITHIC_TRUE@ $(am__append_34) $(am__append_36) \ -@MONOLITHIC_TRUE@ $(am__append_38) $(am__append_40) \ -@MONOLITHIC_TRUE@ $(am__append_42) $(am__append_44) \ -@MONOLITHIC_TRUE@ $(am__append_46) $(am__append_48) \ -@MONOLITHIC_TRUE@ $(am__append_50) $(am__append_52) \ -@MONOLITHIC_TRUE@ $(am__append_54) $(am__append_56) \ -@MONOLITHIC_TRUE@ $(am__append_58) $(am__append_60) \ -@MONOLITHIC_TRUE@ $(am__append_62) $(am__append_64) \ -@MONOLITHIC_TRUE@ $(am__append_66) $(am__append_68) \ -@MONOLITHIC_TRUE@ $(am__append_70) $(am__append_72) \ -@MONOLITHIC_TRUE@ $(am__append_74) $(am__append_76) \ -@MONOLITHIC_TRUE@ $(am__append_78) $(am__append_80) \ -@MONOLITHIC_TRUE@ $(am__append_82) $(am__append_84) \ -@MONOLITHIC_TRUE@ $(am__append_86) $(am__append_88) \ -@MONOLITHIC_TRUE@ $(am__append_90) $(am__append_92) \ -@MONOLITHIC_TRUE@ $(am__append_94) $(am__append_96) \ -@MONOLITHIC_TRUE@ $(am__append_98) $(am__append_100) \ -@MONOLITHIC_TRUE@ $(am__append_102) $(am__append_104) \ -@MONOLITHIC_TRUE@ $(am__append_106) $(am__append_108) \ -@MONOLITHIC_TRUE@ $(am__append_110) $(am__append_112) \ -@MONOLITHIC_TRUE@ $(am__append_114) $(am__append_116) \ -@MONOLITHIC_TRUE@ $(am__append_118) $(am__append_120) \ -@MONOLITHIC_TRUE@ $(am__append_122) $(am__append_124) \ -@MONOLITHIC_TRUE@ $(am__append_126) $(am__append_128) \ -@MONOLITHIC_TRUE@ $(am__append_130) . 
tests $(am__append_132) \ -@MONOLITHIC_TRUE@ $(am__append_133) $(am__append_134) +@MONOLITHIC_TRUE@SUBDIRS = $(am__append_22) $(am__append_23) \ +@MONOLITHIC_TRUE@ $(am__append_25) $(am__append_27) \ +@MONOLITHIC_TRUE@ $(am__append_29) $(am__append_31) \ +@MONOLITHIC_TRUE@ $(am__append_33) $(am__append_35) \ +@MONOLITHIC_TRUE@ $(am__append_37) $(am__append_39) \ +@MONOLITHIC_TRUE@ $(am__append_41) $(am__append_43) \ +@MONOLITHIC_TRUE@ $(am__append_45) $(am__append_47) \ +@MONOLITHIC_TRUE@ $(am__append_49) $(am__append_51) \ +@MONOLITHIC_TRUE@ $(am__append_53) $(am__append_55) \ +@MONOLITHIC_TRUE@ $(am__append_57) $(am__append_59) \ +@MONOLITHIC_TRUE@ $(am__append_61) $(am__append_63) \ +@MONOLITHIC_TRUE@ $(am__append_65) $(am__append_67) \ +@MONOLITHIC_TRUE@ $(am__append_69) $(am__append_71) \ +@MONOLITHIC_TRUE@ $(am__append_73) $(am__append_75) \ +@MONOLITHIC_TRUE@ $(am__append_77) $(am__append_79) \ +@MONOLITHIC_TRUE@ $(am__append_81) $(am__append_83) \ +@MONOLITHIC_TRUE@ $(am__append_85) $(am__append_87) \ +@MONOLITHIC_TRUE@ $(am__append_89) $(am__append_91) \ +@MONOLITHIC_TRUE@ $(am__append_93) $(am__append_95) \ +@MONOLITHIC_TRUE@ $(am__append_97) $(am__append_99) \ +@MONOLITHIC_TRUE@ $(am__append_101) $(am__append_103) \ +@MONOLITHIC_TRUE@ $(am__append_105) $(am__append_107) \ +@MONOLITHIC_TRUE@ $(am__append_109) $(am__append_111) \ +@MONOLITHIC_TRUE@ $(am__append_113) $(am__append_115) \ +@MONOLITHIC_TRUE@ $(am__append_117) $(am__append_119) \ +@MONOLITHIC_TRUE@ $(am__append_121) $(am__append_123) \ +@MONOLITHIC_TRUE@ $(am__append_125) $(am__append_127) \ +@MONOLITHIC_TRUE@ $(am__append_129) $(am__append_131) \ +@MONOLITHIC_TRUE@ $(am__append_133) . tests $(am__append_135) \ +@MONOLITHIC_TRUE@ $(am__append_136) $(am__append_137) all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive 
@@ -1384,6 +1403,9 @@ credentials/keys/public_key.lo: credentials/keys/$(am__dirstamp) \ credentials/keys/$(DEPDIR)/$(am__dirstamp) credentials/keys/shared_key.lo: credentials/keys/$(am__dirstamp) \ credentials/keys/$(DEPDIR)/$(am__dirstamp) +credentials/keys/signature_params.lo: \ + credentials/keys/$(am__dirstamp) \ + credentials/keys/$(DEPDIR)/$(am__dirstamp) credentials/certificates/$(am__dirstamp): @$(MKDIR_P) credentials/certificates @: > credentials/certificates/$(am__dirstamp) @@ -1700,6 +1722,9 @@ utils/printf_hook/printf_hook_builtin.lo: \ utils/printf_hook/printf_hook_glibc.lo: \ utils/printf_hook/$(am__dirstamp) \ utils/printf_hook/$(DEPDIR)/$(am__dirstamp) +networking/streams/stream_service_systemd.lo: \ + networking/streams/$(am__dirstamp) \ + networking/streams/$(DEPDIR)/$(am__dirstamp) libstrongswan.la: $(libstrongswan_la_OBJECTS) $(libstrongswan_la_DEPENDENCIES) $(EXTRA_libstrongswan_la_DEPENDENCIES) $(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libstrongswan_la_OBJECTS) $(libstrongswan_la_LIBADD) $(LIBS) @@ -1808,6 +1833,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@credentials/keys/$(DEPDIR)/private_key.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@credentials/keys/$(DEPDIR)/public_key.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@credentials/keys/$(DEPDIR)/shared_key.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@credentials/keys/$(DEPDIR)/signature_params.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@credentials/sets/$(DEPDIR)/auth_cfg_wrapper.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@credentials/sets/$(DEPDIR)/callback_cred.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@credentials/sets/$(DEPDIR)/cert_cache.Plo@am__quote@ 
@@ -1849,6 +1875,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@networking/streams/$(DEPDIR)/stream.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@networking/streams/$(DEPDIR)/stream_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@networking/streams/$(DEPDIR)/stream_service.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@networking/streams/$(DEPDIR)/stream_service_systemd.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@networking/streams/$(DEPDIR)/stream_service_tcp.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@networking/streams/$(DEPDIR)/stream_service_unix.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@networking/streams/$(DEPDIR)/stream_tcp.Plo@am__quote@ @@ -2384,6 +2411,12 @@ $(srcdir)/asn1/oid.h : $(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt $(AM_V_GEN) \ (cd $(srcdir)/asn1/ && $(PERL) oid.pl) +$(srcdir)/crypto/proposal/proposal_keywords_static.h: $(srcdir)/crypto/proposal/proposal_keywords_static.h.in + $(AM_V_GEN) \ + sed \ + -e "s:\@GPERF_LEN_TYPE\@:$(GPERF_LEN_TYPE):" \ + $< > $@ + $(srcdir)/crypto/proposal/proposal_keywords_static.c: $(srcdir)/crypto/proposal/proposal_keywords_static.txt \ $(srcdir)/crypto/proposal/proposal_keywords_static.h $(AM_V_GEN) \ diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c index 8b9dc1c48..3f3a5c587 100644 --- a/src/libstrongswan/asn1/asn1.c +++ b/src/libstrongswan/asn1/asn1.c @@ -33,7 +33,15 @@ const chunk_t ASN1_INTEGER_1 = chunk_from_chars(0x02, 0x01, 0x01); const chunk_t ASN1_INTEGER_2 = chunk_from_chars(0x02, 0x01, 0x02); /* - * Defined in header. + * Described in header + */ +chunk_t asn1_algorithmIdentifier_params(int oid, chunk_t params) +{ + return asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(oid), params); +} + +/* + * Described in header */ chunk_t asn1_algorithmIdentifier(int oid) { 
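Review bot: The new asn1_algorithmIdentifier_params() in asn1.c passes the result of asn1_build_known_oid(oid) straight into asn1_wrap() without checking it. asn1_build_known_oid() is not part of this hunk; if it can return an empty chunk for an index outside the OID table, the helper would emit a SEQUENCE holding only the parameters, which is not a valid AlgorithmIdentifier, and the caller would get no error. A guard before the wrap, such as `if (!oid_chunk.len) { chunk_free(&params); return chunk_empty; }`, keeps the adopted-parameters contract and makes the failure visible. asn1_algorithmIdentifier(), which the next hunk changes to call this helper, inherits the same behaviour.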
@@ -55,7 +63,7 @@ chunk_t asn1_algorithmIdentifier(int oid) parameters = asn1_simple_object(ASN1_NULL, chunk_empty); break; } - return asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(oid), parameters); + return asn1_algorithmIdentifier_params(oid, parameters); } /* @@ -609,6 +617,26 @@ uint64_t asn1_parse_integer_uint64(chunk_t blob) return val; } +/* + * Described in header + */ +chunk_t asn1_integer_from_uint64(uint64_t val) +{ + u_char buf[sizeof(val)]; + chunk_t enc = chunk_empty; + + if (val < 0x100) + { + buf[0] = (u_char)val; + return chunk_clone(chunk_create(buf, 1)); + } + for (enc.ptr = buf + sizeof(val); val; enc.len++, val >>= 8) + { /* fill the buffer from the end */ + *(--enc.ptr) = val & 0xff; + } + return chunk_clone(enc); +} + /** * ASN.1 definition of an algorithmIdentifier */ diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h index f0b3e17e8..3c7389e5c 100644 --- a/src/libstrongswan/asn1/asn1.h +++ b/src/libstrongswan/asn1/asn1.h @@ -1,8 +1,8 @@ /* + * Copyright (C) 2011-2017 Tobias Brunner * Copyright (C) 2006 Martin Will * Copyright (C) 2000-2008 Andreas Steffen - * - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
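Review bot: asn1_integer_from_uint64() returns the minimal big-endian magnitude with no sign octet, so a value whose leading byte has the high bit set (0x80, 0xff00, and so on) yields a body that a DER decoder reads as negative if it is used unchanged as INTEGER content. Whether that matters depends on the callers, which are outside this hunk; presumably the result is meant to pass through a wrapper that prepends 0x00. The function comment should say so, e.g. `/* returns the unsigned magnitude only; a leading 0x00 must be added by the caller if the top bit is set */`. The `val < 0x100` branch also deserves a one-line comment: it is what keeps zero from encoding as an empty chunk, since the loop below writes nothing when `val == 0`.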
@@ -92,13 +92,22 @@ extern const chunk_t ASN1_INTEGER_2; /** Some ASN.1 analysis functions */ /** - * Build an algorithmIdentifier from a known OID. + * Build an algorithmIdentifier from a known OID with empty parameters. * * @param oid known OID index - * @return body of the corresponding OID, allocated + * @return body of the corresponding ASN.1 structure, allocated */ chunk_t asn1_algorithmIdentifier(int oid); +/** + * Build an algorithmIdentifier from a known OID and the given prameters. + * + * @param oid known OID index + * @param params parameters to encode in the algorithmIdentifier (adopted) + * @return body of the corresponding ASN.1 structure, allocated + */ +chunk_t asn1_algorithmIdentifier_params(int oid, chunk_t params); + /** * Converts an ASN.1 OID into a known OID index * @@ -180,6 +189,14 @@ bool asn1_parse_simple_object(chunk_t *object, asn1_t type, u_int level0, */ uint64_t asn1_parse_integer_uint64(chunk_t blob); +/** + * Converts an uint64_t to an ASN.1 INTEGER object. + * + * @param val integer to convert + * @return body of an ASN.1 coded integer object + */ +chunk_t asn1_integer_from_uint64(uint64_t val); + /** * Print the value of an ASN.1 simple object * diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c index bb423dcac..6d9f98ee4 100644 --- a/src/libstrongswan/asn1/oid.c +++ b/src/libstrongswan/asn1/oid.c 
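Review bot: The comment added for asn1_algorithmIdentifier_params() misspells `parameters` as `prameters`. The reworded summary of asn1_algorithmIdentifier(), "with empty parameters", also reads as if the parameters field were always absent. The implementation in asn1.c builds an ASN1_NULL object in at least one branch (the rest of its switch is outside the visible hunks), so `Build an algorithmIdentifier from a known OID, with NULL or absent parameters depending on the OID.` would be safer. Since `params` is documented as adopted, it would help to spell out that the caller must not free or reuse the chunk after the call.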
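Review bot: The doc comment for asn1_integer_from_uint64() does not say that the returned chunk is allocated. The implementation in asn1.c returns chunk_clone() results, and the neighbouring declarations in this header mark their return values as `allocated`. I would change the line to `@return body of an ASN.1 coded integer object, allocated` so callers know they own the buffer and must free it.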
@@ -28,478 +28,482 @@ const oid_t oid_names[] = { { 0x01, 0, 1, 8, "pilotAttributeType" }, /* 15 */ { 0x01, 17, 0, 9, "UID" }, /* 16 */ { 0x19, 0, 0, 9, "DC" }, /* 17 */ - {0x55, 67, 1, 0, "X.500" }, /* 18 */ - { 0x04, 39, 1, 1, "X.509" }, /* 19 */ + {0x55, 70, 1, 0, "X.500" }, /* 18 */ + { 0x04, 42, 1, 1, "X.509" }, /* 19 */ { 0x03, 21, 0, 2, "CN" }, /* 20 */ { 0x04, 22, 0, 2, "S" }, /* 21 */ { 0x05, 23, 0, 2, "SN" }, /* 22 */ { 0x06, 24, 0, 2, "C" }, /* 23 */ { 0x07, 25, 0, 2, "L" }, /* 24 */ { 0x08, 26, 0, 2, "ST" }, /* 25 */ - { 0x0A, 27, 0, 2, "O" }, /* 26 */ - { 0x0B, 28, 0, 2, "OU" }, /* 27 */ - { 0x0C, 29, 0, 2, "T" }, /* 28 */ - { 0x0D, 30, 0, 2, "D" }, /* 29 */ - { 0x24, 31, 0, 2, "userCertificate" }, /* 30 */ - { 0x29, 32, 0, 2, "N" }, /* 31 */ - { 0x2A, 33, 0, 2, "G" }, /* 32 */ - { 0x2B, 34, 0, 2, "I" }, /* 33 */ - { 0x2D, 35, 0, 2, "ID" }, /* 34 */ - { 0x2E, 36, 0, 2, "dnQualifier" }, /* 35 */ - { 0x36, 37, 0, 2, "dmdName" }, /* 36 */ - { 0x41, 38, 0, 2, "pseudonym" }, /* 37 */ - { 0x48, 0, 0, 2, "role" }, /* 38 */ - { 0x1D, 0, 1, 1, "id-ce" }, /* 39 */ - { 0x09, 41, 0, 2, "subjectDirectoryAttrs" }, /* 40 */ - { 0x0E, 42, 0, 2, "subjectKeyIdentifier" }, /* 41 */ - { 0x0F, 43, 0, 2, "keyUsage" }, /* 42 */ - { 0x10, 44, 0, 2, "privateKeyUsagePeriod" }, /* 43 */ - { 0x11, 45, 0, 2, "subjectAltName" }, /* 44 */ - { 0x12, 46, 0, 2, "issuerAltName" }, /* 45 */ - { 0x13, 47, 0, 2, "basicConstraints" }, /* 46 */ - { 0x14, 48, 0, 2, "crlNumber" }, /* 47 */ - { 0x15, 49, 0, 2, "reasonCode" }, /* 48 */ - { 0x17, 50, 0, 2, "holdInstructionCode" }, /* 49 */ - { 0x18, 51, 0, 2, "invalidityDate" }, /* 50 */ - { 0x1B, 52, 0, 2, "deltaCrlIndicator" }, /* 51 */ - { 0x1C, 53, 0, 2, "issuingDistributionPoint" }, /* 52 */ - { 0x1D, 54, 0, 2, "certificateIssuer" }, /* 53 */ - { 0x1E, 55, 0, 2, "nameConstraints" }, /* 54 */ - { 0x1F, 56, 0, 2, "crlDistributionPoints" }, /* 55 */ - { 0x20, 58, 1, 2, "certificatePolicies" }, /* 56 */ - { 0x00, 0, 0, 3, "anyPolicy" }, /* 57 */ 
- { 0x21, 59, 0, 2, "policyMappings" }, /* 58 */ - { 0x23, 60, 0, 2, "authorityKeyIdentifier" }, /* 59 */ - { 0x24, 61, 0, 2, "policyConstraints" }, /* 60 */ - { 0x25, 63, 1, 2, "extendedKeyUsage" }, /* 61 */ - { 0x00, 0, 0, 3, "anyExtendedKeyUsage" }, /* 62 */ - { 0x2E, 64, 0, 2, "freshestCRL" }, /* 63 */ - { 0x36, 65, 0, 2, "inhibitAnyPolicy" }, /* 64 */ - { 0x37, 66, 0, 2, "targetInformation" }, /* 65 */ - { 0x38, 0, 0, 2, "noRevAvail" }, /* 66 */ - {0x2A, 191, 1, 0, "" }, /* 67 */ - { 0x83, 80, 1, 1, "" }, /* 68 */ - { 0x08, 0, 1, 2, "jp" }, /* 69 */ - { 0x8C, 0, 1, 3, "" }, /* 70 */ - { 0x9A, 0, 1, 4, "" }, /* 71 */ - { 0x4B, 0, 1, 5, "" }, /* 72 */ - { 0x3D, 0, 1, 6, "" }, /* 73 */ - { 0x01, 0, 1, 7, "security" }, /* 74 */ - { 0x01, 0, 1, 8, "algorithm" }, /* 75 */ - { 0x01, 0, 1, 9, "symm-encryption-alg" }, /* 76 */ - { 0x02, 78, 0, 10, "camellia128-cbc" }, /* 77 */ - { 0x03, 79, 0, 10, "camellia192-cbc" }, /* 78 */ - { 0x04, 0, 0, 10, "camellia256-cbc" }, /* 79 */ - { 0x86, 0, 1, 1, "" }, /* 80 */ - { 0x48, 0, 1, 2, "us" }, /* 81 */ - { 0x86, 150, 1, 3, "" }, /* 82 */ - { 0xF6, 88, 1, 4, "" }, /* 83 */ - { 0x7D, 0, 1, 5, "NortelNetworks" }, /* 84 */ - { 0x07, 0, 1, 6, "Entrust" }, /* 85 */ - { 0x41, 0, 1, 7, "nsn-ce" }, /* 86 */ - { 0x00, 0, 0, 8, "entrustVersInfo" }, /* 87 */ - { 0xF7, 0, 1, 4, "" }, /* 88 */ - { 0x0D, 0, 1, 5, "RSADSI" }, /* 89 */ - { 0x01, 145, 1, 6, "PKCS" }, /* 90 */ - { 0x01, 103, 1, 7, "PKCS-1" }, /* 91 */ - { 0x01, 93, 0, 8, "rsaEncryption" }, /* 92 */ - { 0x02, 94, 0, 8, "md2WithRSAEncryption" }, /* 93 */ - { 0x04, 95, 0, 8, "md5WithRSAEncryption" }, /* 94 */ - { 0x05, 96, 0, 8, "sha-1WithRSAEncryption" }, /* 95 */ - { 0x07, 97, 0, 8, "id-RSAES-OAEP" }, /* 96 */ - { 0x08, 98, 0, 8, "id-mgf1" }, /* 97 */ - { 0x09, 99, 0, 8, "id-pSpecified" }, /* 98 */ - { 0x0B, 100, 0, 8, "sha256WithRSAEncryption" }, /* 99 */ - { 0x0C, 101, 0, 8, "sha384WithRSAEncryption" }, /* 100 */ - { 0x0D, 102, 0, 8, "sha512WithRSAEncryption" }, /* 101 */ - { 
0x0E, 0, 0, 8, "sha224WithRSAEncryption" }, /* 102 */ - { 0x05, 108, 1, 7, "PKCS-5" }, /* 103 */ - { 0x03, 105, 0, 8, "pbeWithMD5AndDES-CBC" }, /* 104 */ - { 0x0A, 106, 0, 8, "pbeWithSHA1AndDES-CBC" }, /* 105 */ - { 0x0C, 107, 0, 8, "id-PBKDF2" }, /* 106 */ - { 0x0D, 0, 0, 8, "id-PBES2" }, /* 107 */ - { 0x07, 115, 1, 7, "PKCS-7" }, /* 108 */ - { 0x01, 110, 0, 8, "data" }, /* 109 */ - { 0x02, 111, 0, 8, "signedData" }, /* 110 */ - { 0x03, 112, 0, 8, "envelopedData" }, /* 111 */ - { 0x04, 113, 0, 8, "signedAndEnvelopedData" }, /* 112 */ - { 0x05, 114, 0, 8, "digestedData" }, /* 113 */ - { 0x06, 0, 0, 8, "encryptedData" }, /* 114 */ - { 0x09, 129, 1, 7, "PKCS-9" }, /* 115 */ - { 0x01, 117, 0, 8, "E" }, /* 116 */ - { 0x02, 118, 0, 8, "unstructuredName" }, /* 117 */ - { 0x03, 119, 0, 8, "contentType" }, /* 118 */ - { 0x04, 120, 0, 8, "messageDigest" }, /* 119 */ - { 0x05, 121, 0, 8, "signingTime" }, /* 120 */ - { 0x06, 122, 0, 8, "counterSignature" }, /* 121 */ - { 0x07, 123, 0, 8, "challengePassword" }, /* 122 */ - { 0x08, 124, 0, 8, "unstructuredAddress" }, /* 123 */ - { 0x0E, 125, 0, 8, "extensionRequest" }, /* 124 */ - { 0x0F, 126, 0, 8, "S/MIME Capabilities" }, /* 125 */ - { 0x16, 0, 1, 8, "certTypes" }, /* 126 */ - { 0x01, 128, 0, 9, "X.509" }, /* 127 */ - { 0x02, 0, 0, 9, "SDSI" }, /* 128 */ - { 0x0c, 0, 1, 7, "PKCS-12" }, /* 129 */ - { 0x01, 137, 1, 8, "pbeIds" }, /* 130 */ - { 0x01, 132, 0, 9, "pbeWithSHAAnd128BitRC4" }, /* 131 */ - { 0x02, 133, 0, 9, "pbeWithSHAAnd40BitRC4" }, /* 132 */ - { 0x03, 134, 0, 9, "pbeWithSHAAnd3-KeyTripleDES-CBC" }, /* 133 */ - { 0x04, 135, 0, 9, "pbeWithSHAAnd2-KeyTripleDES-CBC" }, /* 134 */ - { 0x05, 136, 0, 9, "pbeWithSHAAnd128BitRC2-CBC" }, /* 135 */ - { 0x06, 0, 0, 9, "pbeWithSHAAnd40BitRC2-CBC" }, /* 136 */ - { 0x0a, 0, 1, 8, "PKCS-12v1" }, /* 137 */ - { 0x01, 0, 1, 9, "bagIds" }, /* 138 */ - { 0x01, 140, 0, 10, "keyBag" }, /* 139 */ - { 0x02, 141, 0, 10, "pkcs8ShroudedKeyBag" }, /* 140 */ - { 0x03, 142, 0, 10, "certBag" }, /* 
141 */ - { 0x04, 143, 0, 10, "crlBag" }, /* 142 */ - { 0x05, 144, 0, 10, "secretBag" }, /* 143 */ - { 0x06, 0, 0, 10, "safeContentsBag" }, /* 144 */ - { 0x02, 148, 1, 6, "digestAlgorithm" }, /* 145 */ - { 0x02, 147, 0, 7, "md2" }, /* 146 */ - { 0x05, 0, 0, 7, "md5" }, /* 147 */ - { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 148 */ - { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 149 */ - { 0xCE, 0, 1, 3, "" }, /* 150 */ - { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 151 */ - { 0x02, 154, 1, 5, "id-publicKeyType" }, /* 152 */ - { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 153 */ - { 0x03, 184, 1, 5, "ellipticCurve" }, /* 154 */ - { 0x00, 176, 1, 6, "c-TwoCurve" }, /* 155 */ - { 0x01, 157, 0, 7, "c2pnb163v1" }, /* 156 */ - { 0x02, 158, 0, 7, "c2pnb163v2" }, /* 157 */ - { 0x03, 159, 0, 7, "c2pnb163v3" }, /* 158 */ - { 0x04, 160, 0, 7, "c2pnb176w1" }, /* 159 */ - { 0x05, 161, 0, 7, "c2tnb191v1" }, /* 160 */ - { 0x06, 162, 0, 7, "c2tnb191v2" }, /* 161 */ - { 0x07, 163, 0, 7, "c2tnb191v3" }, /* 162 */ - { 0x08, 164, 0, 7, "c2onb191v4" }, /* 163 */ - { 0x09, 165, 0, 7, "c2onb191v5" }, /* 164 */ - { 0x0A, 166, 0, 7, "c2pnb208w1" }, /* 165 */ - { 0x0B, 167, 0, 7, "c2tnb239v1" }, /* 166 */ - { 0x0C, 168, 0, 7, "c2tnb239v2" }, /* 167 */ - { 0x0D, 169, 0, 7, "c2tnb239v3" }, /* 168 */ - { 0x0E, 170, 0, 7, "c2onb239v4" }, /* 169 */ - { 0x0F, 171, 0, 7, "c2onb239v5" }, /* 170 */ - { 0x10, 172, 0, 7, "c2pnb272w1" }, /* 171 */ - { 0x11, 173, 0, 7, "c2pnb304w1" }, /* 172 */ - { 0x12, 174, 0, 7, "c2tnb359v1" }, /* 173 */ - { 0x13, 175, 0, 7, "c2pnb368w1" }, /* 174 */ - { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 175 */ - { 0x01, 0, 1, 6, "primeCurve" }, /* 176 */ - { 0x01, 178, 0, 7, "prime192v1" }, /* 177 */ - { 0x02, 179, 0, 7, "prime192v2" }, /* 178 */ - { 0x03, 180, 0, 7, "prime192v3" }, /* 179 */ - { 0x04, 181, 0, 7, "prime239v1" }, /* 180 */ - { 0x05, 182, 0, 7, "prime239v2" }, /* 181 */ - { 0x06, 183, 0, 7, "prime239v3" }, /* 182 */ - { 0x07, 0, 0, 7, "prime256v1" }, /* 183 */ - { 0x04, 0, 1, 5, 
"id-ecSigType" }, /* 184 */ - { 0x01, 186, 0, 6, "ecdsa-with-SHA1" }, /* 185 */ - { 0x03, 0, 1, 6, "ecdsa-with-Specified" }, /* 186 */ - { 0x01, 188, 0, 7, "ecdsa-with-SHA224" }, /* 187 */ - { 0x02, 189, 0, 7, "ecdsa-with-SHA256" }, /* 188 */ - { 0x03, 190, 0, 7, "ecdsa-with-SHA384" }, /* 189 */ - { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 190 */ - {0x2B, 421, 1, 0, "" }, /* 191 */ - { 0x06, 332, 1, 1, "dod" }, /* 192 */ - { 0x01, 0, 1, 2, "internet" }, /* 193 */ - { 0x04, 283, 1, 3, "private" }, /* 194 */ - { 0x01, 0, 1, 4, "enterprise" }, /* 195 */ - { 0x82, 233, 1, 5, "" }, /* 196 */ - { 0x37, 209, 1, 6, "Microsoft" }, /* 197 */ - { 0x0A, 202, 1, 7, "" }, /* 198 */ - { 0x03, 0, 1, 8, "" }, /* 199 */ - { 0x03, 201, 0, 9, "msSGC" }, /* 200 */ - { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 201 */ - { 0x14, 206, 1, 7, "msEnrollmentInfrastructure" }, /* 202 */ - { 0x02, 0, 1, 8, "msCertificateTypeExtension" }, /* 203 */ - { 0x02, 205, 0, 9, "msSmartcardLogon" }, /* 204 */ - { 0x03, 0, 0, 9, "msUPN" }, /* 205 */ - { 0x15, 0, 1, 7, "msCertSrvInfrastructure" }, /* 206 */ - { 0x07, 208, 0, 8, "msCertTemplate" }, /* 207 */ - { 0x0A, 0, 0, 8, "msApplicationCertPolicies" }, /* 208 */ - { 0xA0, 0, 1, 6, "" }, /* 209 */ - { 0x2A, 0, 1, 7, "ITA" }, /* 210 */ - { 0x01, 212, 0, 8, "strongSwan" }, /* 211 */ - { 0x02, 213, 0, 8, "cps" }, /* 212 */ - { 0x03, 214, 0, 8, "e-voting" }, /* 213 */ - { 0x05, 0, 1, 8, "BLISS" }, /* 214 */ - { 0x01, 217, 1, 9, "keyType" }, /* 215 */ - { 0x01, 0, 0, 10, "blissPublicKey" }, /* 216 */ - { 0x02, 226, 1, 9, "parameters" }, /* 217 */ - { 0x01, 219, 0, 10, "BLISS-I" }, /* 218 */ - { 0x02, 220, 0, 10, "BLISS-II" }, /* 219 */ - { 0x03, 221, 0, 10, "BLISS-III" }, /* 220 */ - { 0x04, 222, 0, 10, "BLISS-IV" }, /* 221 */ - { 0x05, 223, 0, 10, "BLISS-B-I" }, /* 222 */ - { 0x06, 224, 0, 10, "BLISS-B-II" }, /* 223 */ - { 0x07, 225, 0, 10, "BLISS-B-III" }, /* 224 */ - { 0x08, 0, 0, 10, "BLISS-B-IV" }, /* 225 */ - { 0x03, 0, 1, 9, "blissSigType" }, /* 
226 */ - { 0x01, 228, 0, 10, "BLISS-with-SHA2-512" }, /* 227 */ - { 0x02, 229, 0, 10, "BLISS-with-SHA2-384" }, /* 228 */ - { 0x03, 230, 0, 10, "BLISS-with-SHA2-256" }, /* 229 */ - { 0x04, 231, 0, 10, "BLISS-with-SHA3-512" }, /* 230 */ - { 0x05, 232, 0, 10, "BLISS-with-SHA3-384" }, /* 231 */ - { 0x06, 0, 0, 10, "BLISS-with-SHA3-256" }, /* 232 */ - { 0x89, 240, 1, 5, "" }, /* 233 */ - { 0x31, 0, 1, 6, "" }, /* 234 */ - { 0x01, 0, 1, 7, "" }, /* 235 */ - { 0x01, 0, 1, 8, "" }, /* 236 */ - { 0x02, 0, 1, 9, "" }, /* 237 */ - { 0x02, 0, 1, 10, "" }, /* 238 */ - { 0x4B, 0, 0, 11, "TCGID" }, /* 239 */ - { 0x97, 244, 1, 5, "" }, /* 240 */ - { 0x55, 0, 1, 6, "" }, /* 241 */ - { 0x01, 0, 1, 7, "" }, /* 242 */ - { 0x02, 0, 0, 8, "blowfish-cbc" }, /* 243 */ - { 0xC1, 0, 1, 5, "" }, /* 244 */ - { 0x16, 0, 1, 6, "ntruCryptosystems" }, /* 245 */ - { 0x01, 0, 1, 7, "eess" }, /* 246 */ - { 0x01, 0, 1, 8, "eess1" }, /* 247 */ - { 0x01, 252, 1, 9, "eess1-algs" }, /* 248 */ - { 0x01, 250, 0, 10, "ntru-EESS1v1-SVES" }, /* 249 */ - { 0x02, 251, 0, 10, "ntru-EESS1v1-SVSSA" }, /* 250 */ - { 0x03, 0, 0, 10, "ntru-EESS1v1-NTRUSign" }, /* 251 */ - { 0x02, 282, 1, 9, "eess1-params" }, /* 252 */ - { 0x01, 254, 0, 10, "ees251ep1" }, /* 253 */ - { 0x02, 255, 0, 10, "ees347ep1" }, /* 254 */ - { 0x03, 256, 0, 10, "ees503ep1" }, /* 255 */ - { 0x07, 257, 0, 10, "ees251sp2" }, /* 256 */ - { 0x0C, 258, 0, 10, "ees251ep4" }, /* 257 */ - { 0x0D, 259, 0, 10, "ees251ep5" }, /* 258 */ - { 0x0E, 260, 0, 10, "ees251sp3" }, /* 259 */ - { 0x0F, 261, 0, 10, "ees251sp4" }, /* 260 */ - { 0x10, 262, 0, 10, "ees251sp5" }, /* 261 */ - { 0x11, 263, 0, 10, "ees251sp6" }, /* 262 */ - { 0x12, 264, 0, 10, "ees251sp7" }, /* 263 */ - { 0x13, 265, 0, 10, "ees251sp8" }, /* 264 */ - { 0x14, 266, 0, 10, "ees251sp9" }, /* 265 */ - { 0x22, 267, 0, 10, "ees401ep1" }, /* 266 */ - { 0x23, 268, 0, 10, "ees449ep1" }, /* 267 */ - { 0x24, 269, 0, 10, "ees677ep1" }, /* 268 */ - { 0x25, 270, 0, 10, "ees1087ep2" }, /* 269 */ - { 0x26, 271, 
0, 10, "ees541ep1" }, /* 270 */ - { 0x27, 272, 0, 10, "ees613ep1" }, /* 271 */ - { 0x28, 273, 0, 10, "ees887ep1" }, /* 272 */ - { 0x29, 274, 0, 10, "ees1171ep1" }, /* 273 */ - { 0x2A, 275, 0, 10, "ees659ep1" }, /* 274 */ - { 0x2B, 276, 0, 10, "ees761ep1" }, /* 275 */ - { 0x2C, 277, 0, 10, "ees1087ep1" }, /* 276 */ - { 0x2D, 278, 0, 10, "ees1499ep1" }, /* 277 */ - { 0x2E, 279, 0, 10, "ees401ep2" }, /* 278 */ - { 0x2F, 280, 0, 10, "ees439ep1" }, /* 279 */ - { 0x30, 281, 0, 10, "ees593ep1" }, /* 280 */ - { 0x31, 0, 0, 10, "ees743ep1" }, /* 281 */ - { 0x03, 0, 0, 9, "eess1-encodingMethods" }, /* 282 */ - { 0x05, 0, 1, 3, "security" }, /* 283 */ - { 0x05, 0, 1, 4, "mechanisms" }, /* 284 */ - { 0x07, 329, 1, 5, "id-pkix" }, /* 285 */ - { 0x01, 290, 1, 6, "id-pe" }, /* 286 */ - { 0x01, 288, 0, 7, "authorityInfoAccess" }, /* 287 */ - { 0x03, 289, 0, 7, "qcStatements" }, /* 288 */ - { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 289 */ - { 0x02, 293, 1, 6, "id-qt" }, /* 290 */ - { 0x01, 292, 0, 7, "cps" }, /* 291 */ - { 0x02, 0, 0, 7, "unotice" }, /* 292 */ - { 0x03, 303, 1, 6, "id-kp" }, /* 293 */ - { 0x01, 295, 0, 7, "serverAuth" }, /* 294 */ - { 0x02, 296, 0, 7, "clientAuth" }, /* 295 */ - { 0x03, 297, 0, 7, "codeSigning" }, /* 296 */ - { 0x04, 298, 0, 7, "emailProtection" }, /* 297 */ - { 0x05, 299, 0, 7, "ipsecEndSystem" }, /* 298 */ - { 0x06, 300, 0, 7, "ipsecTunnel" }, /* 299 */ - { 0x07, 301, 0, 7, "ipsecUser" }, /* 300 */ - { 0x08, 302, 0, 7, "timeStamping" }, /* 301 */ - { 0x09, 0, 0, 7, "ocspSigning" }, /* 302 */ - { 0x08, 311, 1, 6, "id-otherNames" }, /* 303 */ - { 0x01, 305, 0, 7, "personalData" }, /* 304 */ - { 0x02, 306, 0, 7, "userGroup" }, /* 305 */ - { 0x03, 307, 0, 7, "id-on-permanentIdentifier" }, /* 306 */ - { 0x04, 308, 0, 7, "id-on-hardwareModuleName" }, /* 307 */ - { 0x05, 309, 0, 7, "xmppAddr" }, /* 308 */ - { 0x06, 310, 0, 7, "id-on-SIM" }, /* 309 */ - { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 310 */ - { 0x0A, 316, 1, 6, "id-aca" }, /* 311 */ - { 0x01, 313, 0, 
7, "authenticationInfo" }, /* 312 */ - { 0x02, 314, 0, 7, "accessIdentity" }, /* 313 */ - { 0x03, 315, 0, 7, "chargingIdentity" }, /* 314 */ - { 0x04, 0, 0, 7, "group" }, /* 315 */ - { 0x0B, 317, 0, 6, "subjectInfoAccess" }, /* 316 */ - { 0x30, 0, 1, 6, "id-ad" }, /* 317 */ - { 0x01, 326, 1, 7, "ocsp" }, /* 318 */ - { 0x01, 320, 0, 8, "basic" }, /* 319 */ - { 0x02, 321, 0, 8, "nonce" }, /* 320 */ - { 0x03, 322, 0, 8, "crl" }, /* 321 */ - { 0x04, 323, 0, 8, "response" }, /* 322 */ - { 0x05, 324, 0, 8, "noCheck" }, /* 323 */ - { 0x06, 325, 0, 8, "archiveCutoff" }, /* 324 */ - { 0x07, 0, 0, 8, "serviceLocator" }, /* 325 */ - { 0x02, 327, 0, 7, "caIssuers" }, /* 326 */ - { 0x03, 328, 0, 7, "timeStamping" }, /* 327 */ - { 0x05, 0, 0, 7, "caRepository" }, /* 328 */ - { 0x08, 0, 1, 5, "ipsec" }, /* 329 */ - { 0x02, 0, 1, 6, "certificate" }, /* 330 */ - { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 331 */ - { 0x0E, 338, 1, 1, "oiw" }, /* 332 */ - { 0x03, 0, 1, 2, "secsig" }, /* 333 */ - { 0x02, 0, 1, 3, "algorithms" }, /* 334 */ - { 0x07, 336, 0, 4, "des-cbc" }, /* 335 */ - { 0x1A, 337, 0, 4, "sha-1" }, /* 336 */ - { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 337 */ - { 0x24, 384, 1, 1, "TeleTrusT" }, /* 338 */ - { 0x03, 0, 1, 2, "algorithm" }, /* 339 */ - { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 340 */ - { 0x01, 345, 1, 4, "rsaSignature" }, /* 341 */ - { 0x02, 343, 0, 5, "rsaSigWithripemd160" }, /* 342 */ - { 0x03, 344, 0, 5, "rsaSigWithripemd128" }, /* 343 */ - { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 344 */ - { 0x02, 0, 1, 4, "ecSign" }, /* 345 */ - { 0x01, 347, 0, 5, "ecSignWithsha1" }, /* 346 */ - { 0x02, 348, 0, 5, "ecSignWithripemd160" }, /* 347 */ - { 0x03, 349, 0, 5, "ecSignWithmd2" }, /* 348 */ - { 0x04, 350, 0, 5, "ecSignWithmd5" }, /* 349 */ - { 0x05, 367, 1, 5, "ttt-ecg" }, /* 350 */ - { 0x01, 355, 1, 6, "fieldType" }, /* 351 */ - { 0x01, 0, 1, 7, "characteristictwoField" }, /* 352 */ - { 0x01, 0, 1, 8, "basisType" }, /* 353 */ - { 0x01, 0, 0, 9, "ipBasis" 
}, /* 354 */ - { 0x02, 357, 1, 6, "keyType" }, /* 355 */ - { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 356 */ - { 0x03, 358, 0, 6, "curve" }, /* 357 */ - { 0x04, 365, 1, 6, "signatures" }, /* 358 */ - { 0x01, 360, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 359 */ - { 0x02, 361, 0, 7, "ecgdsa-with-SHA1" }, /* 360 */ - { 0x03, 362, 0, 7, "ecgdsa-with-SHA224" }, /* 361 */ - { 0x04, 363, 0, 7, "ecgdsa-with-SHA256" }, /* 362 */ - { 0x05, 364, 0, 7, "ecgdsa-with-SHA384" }, /* 363 */ - { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 364 */ - { 0x05, 0, 1, 6, "module" }, /* 365 */ - { 0x01, 0, 0, 7, "1" }, /* 366 */ - { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 367 */ - { 0x01, 0, 1, 6, "ellipticCurve" }, /* 368 */ - { 0x01, 0, 1, 7, "versionOne" }, /* 369 */ - { 0x01, 371, 0, 8, "brainpoolP160r1" }, /* 370 */ - { 0x02, 372, 0, 8, "brainpoolP160t1" }, /* 371 */ - { 0x03, 373, 0, 8, "brainpoolP192r1" }, /* 372 */ - { 0x04, 374, 0, 8, "brainpoolP192t1" }, /* 373 */ - { 0x05, 375, 0, 8, "brainpoolP224r1" }, /* 374 */ - { 0x06, 376, 0, 8, "brainpoolP224t1" }, /* 375 */ - { 0x07, 377, 0, 8, "brainpoolP256r1" }, /* 376 */ - { 0x08, 378, 0, 8, "brainpoolP256t1" }, /* 377 */ - { 0x09, 379, 0, 8, "brainpoolP320r1" }, /* 378 */ - { 0x0A, 380, 0, 8, "brainpoolP320t1" }, /* 379 */ - { 0x0B, 381, 0, 8, "brainpoolP384r1" }, /* 380 */ - { 0x0C, 382, 0, 8, "brainpoolP384t1" }, /* 381 */ - { 0x0D, 383, 0, 8, "brainpoolP512r1" }, /* 382 */ - { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 383 */ - { 0x65, 387, 1, 1, "Thawte" }, /* 384 */ - { 0x70, 386, 0, 2, "id-Ed25519" }, /* 385 */ - { 0x71, 0, 0, 2, "id-Ed448" }, /* 386 */ - { 0x81, 0, 1, 1, "" }, /* 387 */ - { 0x04, 0, 1, 2, "Certicom" }, /* 388 */ - { 0x00, 0, 1, 3, "curve" }, /* 389 */ - { 0x01, 391, 0, 4, "sect163k1" }, /* 390 */ - { 0x02, 392, 0, 4, "sect163r1" }, /* 391 */ - { 0x03, 393, 0, 4, "sect239k1" }, /* 392 */ - { 0x04, 394, 0, 4, "sect113r1" }, /* 393 */ - { 0x05, 395, 0, 4, "sect113r2" }, /* 394 */ - { 0x06, 396, 0, 4, "secp112r1" }, /* 
395 */ - { 0x07, 397, 0, 4, "secp112r2" }, /* 396 */ - { 0x08, 398, 0, 4, "secp160r1" }, /* 397 */ - { 0x09, 399, 0, 4, "secp160k1" }, /* 398 */ - { 0x0A, 400, 0, 4, "secp256k1" }, /* 399 */ - { 0x0F, 401, 0, 4, "sect163r2" }, /* 400 */ - { 0x10, 402, 0, 4, "sect283k1" }, /* 401 */ - { 0x11, 403, 0, 4, "sect283r1" }, /* 402 */ - { 0x16, 404, 0, 4, "sect131r1" }, /* 403 */ - { 0x17, 405, 0, 4, "sect131r2" }, /* 404 */ - { 0x18, 406, 0, 4, "sect193r1" }, /* 405 */ - { 0x19, 407, 0, 4, "sect193r2" }, /* 406 */ - { 0x1A, 408, 0, 4, "sect233k1" }, /* 407 */ - { 0x1B, 409, 0, 4, "sect233r1" }, /* 408 */ - { 0x1C, 410, 0, 4, "secp128r1" }, /* 409 */ - { 0x1D, 411, 0, 4, "secp128r2" }, /* 410 */ - { 0x1E, 412, 0, 4, "secp160r2" }, /* 411 */ - { 0x1F, 413, 0, 4, "secp192k1" }, /* 412 */ - { 0x20, 414, 0, 4, "secp224k1" }, /* 413 */ - { 0x21, 415, 0, 4, "secp224r1" }, /* 414 */ - { 0x22, 416, 0, 4, "secp384r1" }, /* 415 */ - { 0x23, 417, 0, 4, "secp521r1" }, /* 416 */ - { 0x24, 418, 0, 4, "sect409k1" }, /* 417 */ - { 0x25, 419, 0, 4, "sect409r1" }, /* 418 */ - { 0x26, 420, 0, 4, "sect571k1" }, /* 419 */ - { 0x27, 0, 0, 4, "sect571r1" }, /* 420 */ - {0x60, 484, 1, 0, "" }, /* 421 */ - { 0x86, 0, 1, 1, "" }, /* 422 */ - { 0x48, 0, 1, 2, "" }, /* 423 */ - { 0x01, 0, 1, 3, "organization" }, /* 424 */ - { 0x65, 460, 1, 4, "gov" }, /* 425 */ - { 0x03, 0, 1, 5, "csor" }, /* 426 */ - { 0x04, 0, 1, 6, "nistalgorithm" }, /* 427 */ - { 0x01, 438, 1, 7, "aes" }, /* 428 */ - { 0x02, 430, 0, 8, "id-aes128-CBC" }, /* 429 */ - { 0x06, 431, 0, 8, "id-aes128-GCM" }, /* 430 */ - { 0x07, 432, 0, 8, "id-aes128-CCM" }, /* 431 */ - { 0x16, 433, 0, 8, "id-aes192-CBC" }, /* 432 */ - { 0x1A, 434, 0, 8, "id-aes192-GCM" }, /* 433 */ - { 0x1B, 435, 0, 8, "id-aes192-CCM" }, /* 434 */ - { 0x2A, 436, 0, 8, "id-aes256-CBC" }, /* 435 */ - { 0x2E, 437, 0, 8, "id-aes256-GCM" }, /* 436 */ - { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 437 */ - { 0x02, 451, 1, 7, "hashAlgs" }, /* 438 */ - { 0x01, 440, 0, 8, 
"id-sha256" }, /* 439 */ - { 0x02, 441, 0, 8, "id-sha384" }, /* 440 */ - { 0x03, 442, 0, 8, "id-sha512" }, /* 441 */ - { 0x04, 443, 0, 8, "id-sha224" }, /* 442 */ - { 0x05, 444, 0, 8, "id-sha512-224" }, /* 443 */ - { 0x06, 445, 0, 8, "id-sha512-256" }, /* 444 */ - { 0x07, 446, 0, 8, "id-sha3-224" }, /* 445 */ - { 0x08, 447, 0, 8, "id-sha3-256" }, /* 446 */ - { 0x09, 448, 0, 8, "id-sha3-384" }, /* 447 */ - { 0x0A, 449, 0, 8, "id-sha3-512" }, /* 448 */ - { 0x0B, 450, 0, 8, "id-shake128" }, /* 449 */ - { 0x0C, 0, 0, 8, "id-shake256" }, /* 450 */ - { 0x03, 0, 1, 7, "sigAlgs" }, /* 451 */ - { 0x09, 453, 0, 8, "id-ecdsa-with-sha3-224" }, /* 452 */ - { 0x0A, 454, 0, 8, "id-ecdsa-with-sha3-256" }, /* 453 */ - { 0x0B, 455, 0, 8, "id-ecdsa-with-sha3-384" }, /* 454 */ - { 0x0C, 456, 0, 8, "id-ecdsa-with-sha3-512" }, /* 455 */ - { 0x0D, 457, 0, 8, "id-rsassa-pkcs1v15-with-sha3-224"}, /* 456 */ - { 0x0E, 458, 0, 8, "id-rsassa-pkcs1v15-with-sha3-256"}, /* 457 */ - { 0x0F, 459, 0, 8, "id-rsassa-pkcs1v15-with-sha3-384"}, /* 458 */ - { 0x10, 0, 0, 8, "id-rsassa-pkcs1v15-with-sha3-512"}, /* 459 */ - { 0x86, 0, 1, 4, "" }, /* 460 */ - { 0xf8, 0, 1, 5, "" }, /* 461 */ - { 0x42, 474, 1, 6, "netscape" }, /* 462 */ - { 0x01, 469, 1, 7, "" }, /* 463 */ - { 0x01, 465, 0, 8, "nsCertType" }, /* 464 */ - { 0x03, 466, 0, 8, "nsRevocationUrl" }, /* 465 */ - { 0x04, 467, 0, 8, "nsCaRevocationUrl" }, /* 466 */ - { 0x08, 468, 0, 8, "nsCaPolicyUrl" }, /* 467 */ - { 0x0d, 0, 0, 8, "nsComment" }, /* 468 */ - { 0x03, 472, 1, 7, "directory" }, /* 469 */ - { 0x01, 0, 1, 8, "" }, /* 470 */ - { 0x03, 0, 0, 9, "employeeNumber" }, /* 471 */ - { 0x04, 0, 1, 7, "policy" }, /* 472 */ - { 0x01, 0, 0, 8, "nsSGC" }, /* 473 */ - { 0x45, 0, 1, 6, "verisign" }, /* 474 */ - { 0x01, 0, 1, 7, "pki" }, /* 475 */ - { 0x09, 0, 1, 8, "attributes" }, /* 476 */ - { 0x02, 478, 0, 9, "messageType" }, /* 477 */ - { 0x03, 479, 0, 9, "pkiStatus" }, /* 478 */ - { 0x04, 480, 0, 9, "failInfo" }, /* 479 */ - { 0x05, 481, 0, 9, 
"senderNonce" }, /* 480 */ - { 0x06, 482, 0, 9, "recipientNonce" }, /* 481 */ - { 0x07, 483, 0, 9, "transID" }, /* 482 */ - { 0x08, 0, 0, 9, "extensionReq" }, /* 483 */ - {0x67, 0, 1, 0, "" }, /* 484 */ - { 0x81, 0, 1, 1, "" }, /* 485 */ - { 0x05, 0, 1, 2, "" }, /* 486 */ - { 0x02, 0, 1, 3, "tcg-attribute" }, /* 487 */ - { 0x01, 489, 0, 4, "tcg-at-tpmManufacturer" }, /* 488 */ - { 0x02, 490, 0, 4, "tcg-at-tpmModel" }, /* 489 */ - { 0x03, 491, 0, 4, "tcg-at-tpmVersion" }, /* 490 */ - { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 491 */ + { 0x09, 27, 0, 2, "STREET" }, /* 26 */ + { 0x0A, 28, 0, 2, "O" }, /* 27 */ + { 0x0B, 29, 0, 2, "OU" }, /* 28 */ + { 0x0C, 30, 0, 2, "T" }, /* 29 */ + { 0x0D, 31, 0, 2, "D" }, /* 30 */ + { 0x10, 32, 0, 2, "postalAddress" }, /* 31 */ + { 0x11, 33, 0, 2, "postalCode" }, /* 32 */ + { 0x24, 34, 0, 2, "userCertificate" }, /* 33 */ + { 0x29, 35, 0, 2, "N" }, /* 34 */ + { 0x2A, 36, 0, 2, "G" }, /* 35 */ + { 0x2B, 37, 0, 2, "I" }, /* 36 */ + { 0x2D, 38, 0, 2, "ID" }, /* 37 */ + { 0x2E, 39, 0, 2, "dnQualifier" }, /* 38 */ + { 0x36, 40, 0, 2, "dmdName" }, /* 39 */ + { 0x41, 41, 0, 2, "pseudonym" }, /* 40 */ + { 0x48, 0, 0, 2, "role" }, /* 41 */ + { 0x1D, 0, 1, 1, "id-ce" }, /* 42 */ + { 0x09, 44, 0, 2, "subjectDirectoryAttrs" }, /* 43 */ + { 0x0E, 45, 0, 2, "subjectKeyIdentifier" }, /* 44 */ + { 0x0F, 46, 0, 2, "keyUsage" }, /* 45 */ + { 0x10, 47, 0, 2, "privateKeyUsagePeriod" }, /* 46 */ + { 0x11, 48, 0, 2, "subjectAltName" }, /* 47 */ + { 0x12, 49, 0, 2, "issuerAltName" }, /* 48 */ + { 0x13, 50, 0, 2, "basicConstraints" }, /* 49 */ + { 0x14, 51, 0, 2, "crlNumber" }, /* 50 */ + { 0x15, 52, 0, 2, "reasonCode" }, /* 51 */ + { 0x17, 53, 0, 2, "holdInstructionCode" }, /* 52 */ + { 0x18, 54, 0, 2, "invalidityDate" }, /* 53 */ + { 0x1B, 55, 0, 2, "deltaCrlIndicator" }, /* 54 */ + { 0x1C, 56, 0, 2, "issuingDistributionPoint" }, /* 55 */ + { 0x1D, 57, 0, 2, "certificateIssuer" }, /* 56 */ + { 0x1E, 58, 0, 2, "nameConstraints" }, /* 57 */ + { 0x1F, 59, 0, 
2, "crlDistributionPoints" }, /* 58 */ + { 0x20, 61, 1, 2, "certificatePolicies" }, /* 59 */ + { 0x00, 0, 0, 3, "anyPolicy" }, /* 60 */ + { 0x21, 62, 0, 2, "policyMappings" }, /* 61 */ + { 0x23, 63, 0, 2, "authorityKeyIdentifier" }, /* 62 */ + { 0x24, 64, 0, 2, "policyConstraints" }, /* 63 */ + { 0x25, 66, 1, 2, "extendedKeyUsage" }, /* 64 */ + { 0x00, 0, 0, 3, "anyExtendedKeyUsage" }, /* 65 */ + { 0x2E, 67, 0, 2, "freshestCRL" }, /* 66 */ + { 0x36, 68, 0, 2, "inhibitAnyPolicy" }, /* 67 */ + { 0x37, 69, 0, 2, "targetInformation" }, /* 68 */ + { 0x38, 0, 0, 2, "noRevAvail" }, /* 69 */ + {0x2A, 195, 1, 0, "" }, /* 70 */ + { 0x83, 83, 1, 1, "" }, /* 71 */ + { 0x08, 0, 1, 2, "jp" }, /* 72 */ + { 0x8C, 0, 1, 3, "" }, /* 73 */ + { 0x9A, 0, 1, 4, "" }, /* 74 */ + { 0x4B, 0, 1, 5, "" }, /* 75 */ + { 0x3D, 0, 1, 6, "" }, /* 76 */ + { 0x01, 0, 1, 7, "security" }, /* 77 */ + { 0x01, 0, 1, 8, "algorithm" }, /* 78 */ + { 0x01, 0, 1, 9, "symm-encryption-alg" }, /* 79 */ + { 0x02, 81, 0, 10, "camellia128-cbc" }, /* 80 */ + { 0x03, 82, 0, 10, "camellia192-cbc" }, /* 81 */ + { 0x04, 0, 0, 10, "camellia256-cbc" }, /* 82 */ + { 0x86, 0, 1, 1, "" }, /* 83 */ + { 0x48, 0, 1, 2, "us" }, /* 84 */ + { 0x86, 154, 1, 3, "" }, /* 85 */ + { 0xF6, 91, 1, 4, "" }, /* 86 */ + { 0x7D, 0, 1, 5, "NortelNetworks" }, /* 87 */ + { 0x07, 0, 1, 6, "Entrust" }, /* 88 */ + { 0x41, 0, 1, 7, "nsn-ce" }, /* 89 */ + { 0x00, 0, 0, 8, "entrustVersInfo" }, /* 90 */ + { 0xF7, 0, 1, 4, "" }, /* 91 */ + { 0x0D, 0, 1, 5, "RSADSI" }, /* 92 */ + { 0x01, 149, 1, 6, "PKCS" }, /* 93 */ + { 0x01, 107, 1, 7, "PKCS-1" }, /* 94 */ + { 0x01, 96, 0, 8, "rsaEncryption" }, /* 95 */ + { 0x02, 97, 0, 8, "md2WithRSAEncryption" }, /* 96 */ + { 0x04, 98, 0, 8, "md5WithRSAEncryption" }, /* 97 */ + { 0x05, 99, 0, 8, "sha-1WithRSAEncryption" }, /* 98 */ + { 0x07, 100, 0, 8, "id-RSAES-OAEP" }, /* 99 */ + { 0x08, 101, 0, 8, "id-mgf1" }, /* 100 */ + { 0x09, 102, 0, 8, "id-pSpecified" }, /* 101 */ + { 0x0A, 103, 0, 8, "RSASSA-PSS" }, /* 102 
*/ + { 0x0B, 104, 0, 8, "sha256WithRSAEncryption" }, /* 103 */ + { 0x0C, 105, 0, 8, "sha384WithRSAEncryption" }, /* 104 */ + { 0x0D, 106, 0, 8, "sha512WithRSAEncryption" }, /* 105 */ + { 0x0E, 0, 0, 8, "sha224WithRSAEncryption" }, /* 106 */ + { 0x05, 112, 1, 7, "PKCS-5" }, /* 107 */ + { 0x03, 109, 0, 8, "pbeWithMD5AndDES-CBC" }, /* 108 */ + { 0x0A, 110, 0, 8, "pbeWithSHA1AndDES-CBC" }, /* 109 */ + { 0x0C, 111, 0, 8, "id-PBKDF2" }, /* 110 */ + { 0x0D, 0, 0, 8, "id-PBES2" }, /* 111 */ + { 0x07, 119, 1, 7, "PKCS-7" }, /* 112 */ + { 0x01, 114, 0, 8, "data" }, /* 113 */ + { 0x02, 115, 0, 8, "signedData" }, /* 114 */ + { 0x03, 116, 0, 8, "envelopedData" }, /* 115 */ + { 0x04, 117, 0, 8, "signedAndEnvelopedData" }, /* 116 */ + { 0x05, 118, 0, 8, "digestedData" }, /* 117 */ + { 0x06, 0, 0, 8, "encryptedData" }, /* 118 */ + { 0x09, 133, 1, 7, "PKCS-9" }, /* 119 */ + { 0x01, 121, 0, 8, "E" }, /* 120 */ + { 0x02, 122, 0, 8, "unstructuredName" }, /* 121 */ + { 0x03, 123, 0, 8, "contentType" }, /* 122 */ + { 0x04, 124, 0, 8, "messageDigest" }, /* 123 */ + { 0x05, 125, 0, 8, "signingTime" }, /* 124 */ + { 0x06, 126, 0, 8, "counterSignature" }, /* 125 */ + { 0x07, 127, 0, 8, "challengePassword" }, /* 126 */ + { 0x08, 128, 0, 8, "unstructuredAddress" }, /* 127 */ + { 0x0E, 129, 0, 8, "extensionRequest" }, /* 128 */ + { 0x0F, 130, 0, 8, "S/MIME Capabilities" }, /* 129 */ + { 0x16, 0, 1, 8, "certTypes" }, /* 130 */ + { 0x01, 132, 0, 9, "X.509" }, /* 131 */ + { 0x02, 0, 0, 9, "SDSI" }, /* 132 */ + { 0x0c, 0, 1, 7, "PKCS-12" }, /* 133 */ + { 0x01, 141, 1, 8, "pbeIds" }, /* 134 */ + { 0x01, 136, 0, 9, "pbeWithSHAAnd128BitRC4" }, /* 135 */ + { 0x02, 137, 0, 9, "pbeWithSHAAnd40BitRC4" }, /* 136 */ + { 0x03, 138, 0, 9, "pbeWithSHAAnd3-KeyTripleDES-CBC" }, /* 137 */ + { 0x04, 139, 0, 9, "pbeWithSHAAnd2-KeyTripleDES-CBC" }, /* 138 */ + { 0x05, 140, 0, 9, "pbeWithSHAAnd128BitRC2-CBC" }, /* 139 */ + { 0x06, 0, 0, 9, "pbeWithSHAAnd40BitRC2-CBC" }, /* 140 */ + { 0x0a, 0, 1, 8, "PKCS-12v1" }, /* 
141 */ + { 0x01, 0, 1, 9, "bagIds" }, /* 142 */ + { 0x01, 144, 0, 10, "keyBag" }, /* 143 */ + { 0x02, 145, 0, 10, "pkcs8ShroudedKeyBag" }, /* 144 */ + { 0x03, 146, 0, 10, "certBag" }, /* 145 */ + { 0x04, 147, 0, 10, "crlBag" }, /* 146 */ + { 0x05, 148, 0, 10, "secretBag" }, /* 147 */ + { 0x06, 0, 0, 10, "safeContentsBag" }, /* 148 */ + { 0x02, 152, 1, 6, "digestAlgorithm" }, /* 149 */ + { 0x02, 151, 0, 7, "md2" }, /* 150 */ + { 0x05, 0, 0, 7, "md5" }, /* 151 */ + { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 152 */ + { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 153 */ + { 0xCE, 0, 1, 3, "" }, /* 154 */ + { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 155 */ + { 0x02, 158, 1, 5, "id-publicKeyType" }, /* 156 */ + { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 157 */ + { 0x03, 188, 1, 5, "ellipticCurve" }, /* 158 */ + { 0x00, 180, 1, 6, "c-TwoCurve" }, /* 159 */ + { 0x01, 161, 0, 7, "c2pnb163v1" }, /* 160 */ + { 0x02, 162, 0, 7, "c2pnb163v2" }, /* 161 */ + { 0x03, 163, 0, 7, "c2pnb163v3" }, /* 162 */ + { 0x04, 164, 0, 7, "c2pnb176w1" }, /* 163 */ + { 0x05, 165, 0, 7, "c2tnb191v1" }, /* 164 */ + { 0x06, 166, 0, 7, "c2tnb191v2" }, /* 165 */ + { 0x07, 167, 0, 7, "c2tnb191v3" }, /* 166 */ + { 0x08, 168, 0, 7, "c2onb191v4" }, /* 167 */ + { 0x09, 169, 0, 7, "c2onb191v5" }, /* 168 */ + { 0x0A, 170, 0, 7, "c2pnb208w1" }, /* 169 */ + { 0x0B, 171, 0, 7, "c2tnb239v1" }, /* 170 */ + { 0x0C, 172, 0, 7, "c2tnb239v2" }, /* 171 */ + { 0x0D, 173, 0, 7, "c2tnb239v3" }, /* 172 */ + { 0x0E, 174, 0, 7, "c2onb239v4" }, /* 173 */ + { 0x0F, 175, 0, 7, "c2onb239v5" }, /* 174 */ + { 0x10, 176, 0, 7, "c2pnb272w1" }, /* 175 */ + { 0x11, 177, 0, 7, "c2pnb304w1" }, /* 176 */ + { 0x12, 178, 0, 7, "c2tnb359v1" }, /* 177 */ + { 0x13, 179, 0, 7, "c2pnb368w1" }, /* 178 */ + { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 179 */ + { 0x01, 0, 1, 6, "primeCurve" }, /* 180 */ + { 0x01, 182, 0, 7, "prime192v1" }, /* 181 */ + { 0x02, 183, 0, 7, "prime192v2" }, /* 182 */ + { 0x03, 184, 0, 7, "prime192v3" }, /* 183 */ + { 0x04, 185, 0, 7, 
"prime239v1" }, /* 184 */ + { 0x05, 186, 0, 7, "prime239v2" }, /* 185 */ + { 0x06, 187, 0, 7, "prime239v3" }, /* 186 */ + { 0x07, 0, 0, 7, "prime256v1" }, /* 187 */ + { 0x04, 0, 1, 5, "id-ecSigType" }, /* 188 */ + { 0x01, 190, 0, 6, "ecdsa-with-SHA1" }, /* 189 */ + { 0x03, 0, 1, 6, "ecdsa-with-Specified" }, /* 190 */ + { 0x01, 192, 0, 7, "ecdsa-with-SHA224" }, /* 191 */ + { 0x02, 193, 0, 7, "ecdsa-with-SHA256" }, /* 192 */ + { 0x03, 194, 0, 7, "ecdsa-with-SHA384" }, /* 193 */ + { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 194 */ + {0x2B, 425, 1, 0, "" }, /* 195 */ + { 0x06, 336, 1, 1, "dod" }, /* 196 */ + { 0x01, 0, 1, 2, "internet" }, /* 197 */ + { 0x04, 287, 1, 3, "private" }, /* 198 */ + { 0x01, 0, 1, 4, "enterprise" }, /* 199 */ + { 0x82, 237, 1, 5, "" }, /* 200 */ + { 0x37, 213, 1, 6, "Microsoft" }, /* 201 */ + { 0x0A, 206, 1, 7, "" }, /* 202 */ + { 0x03, 0, 1, 8, "" }, /* 203 */ + { 0x03, 205, 0, 9, "msSGC" }, /* 204 */ + { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 205 */ + { 0x14, 210, 1, 7, "msEnrollmentInfrastructure" }, /* 206 */ + { 0x02, 0, 1, 8, "msCertificateTypeExtension" }, /* 207 */ + { 0x02, 209, 0, 9, "msSmartcardLogon" }, /* 208 */ + { 0x03, 0, 0, 9, "msUPN" }, /* 209 */ + { 0x15, 0, 1, 7, "msCertSrvInfrastructure" }, /* 210 */ + { 0x07, 212, 0, 8, "msCertTemplate" }, /* 211 */ + { 0x0A, 0, 0, 8, "msApplicationCertPolicies" }, /* 212 */ + { 0xA0, 0, 1, 6, "" }, /* 213 */ + { 0x2A, 0, 1, 7, "ITA" }, /* 214 */ + { 0x01, 216, 0, 8, "strongSwan" }, /* 215 */ + { 0x02, 217, 0, 8, "cps" }, /* 216 */ + { 0x03, 218, 0, 8, "e-voting" }, /* 217 */ + { 0x05, 0, 1, 8, "BLISS" }, /* 218 */ + { 0x01, 221, 1, 9, "keyType" }, /* 219 */ + { 0x01, 0, 0, 10, "blissPublicKey" }, /* 220 */ + { 0x02, 230, 1, 9, "parameters" }, /* 221 */ + { 0x01, 223, 0, 10, "BLISS-I" }, /* 222 */ + { 0x02, 224, 0, 10, "BLISS-II" }, /* 223 */ + { 0x03, 225, 0, 10, "BLISS-III" }, /* 224 */ + { 0x04, 226, 0, 10, "BLISS-IV" }, /* 225 */ + { 0x05, 227, 0, 10, "BLISS-B-I" }, /* 226 */ + 
{ 0x06, 228, 0, 10, "BLISS-B-II" }, /* 227 */ + { 0x07, 229, 0, 10, "BLISS-B-III" }, /* 228 */ + { 0x08, 0, 0, 10, "BLISS-B-IV" }, /* 229 */ + { 0x03, 0, 1, 9, "blissSigType" }, /* 230 */ + { 0x01, 232, 0, 10, "BLISS-with-SHA2-512" }, /* 231 */ + { 0x02, 233, 0, 10, "BLISS-with-SHA2-384" }, /* 232 */ + { 0x03, 234, 0, 10, "BLISS-with-SHA2-256" }, /* 233 */ + { 0x04, 235, 0, 10, "BLISS-with-SHA3-512" }, /* 234 */ + { 0x05, 236, 0, 10, "BLISS-with-SHA3-384" }, /* 235 */ + { 0x06, 0, 0, 10, "BLISS-with-SHA3-256" }, /* 236 */ + { 0x89, 244, 1, 5, "" }, /* 237 */ + { 0x31, 0, 1, 6, "" }, /* 238 */ + { 0x01, 0, 1, 7, "" }, /* 239 */ + { 0x01, 0, 1, 8, "" }, /* 240 */ + { 0x02, 0, 1, 9, "" }, /* 241 */ + { 0x02, 0, 1, 10, "" }, /* 242 */ + { 0x4B, 0, 0, 11, "TCGID" }, /* 243 */ + { 0x97, 248, 1, 5, "" }, /* 244 */ + { 0x55, 0, 1, 6, "" }, /* 245 */ + { 0x01, 0, 1, 7, "" }, /* 246 */ + { 0x02, 0, 0, 8, "blowfish-cbc" }, /* 247 */ + { 0xC1, 0, 1, 5, "" }, /* 248 */ + { 0x16, 0, 1, 6, "ntruCryptosystems" }, /* 249 */ + { 0x01, 0, 1, 7, "eess" }, /* 250 */ + { 0x01, 0, 1, 8, "eess1" }, /* 251 */ + { 0x01, 256, 1, 9, "eess1-algs" }, /* 252 */ + { 0x01, 254, 0, 10, "ntru-EESS1v1-SVES" }, /* 253 */ + { 0x02, 255, 0, 10, "ntru-EESS1v1-SVSSA" }, /* 254 */ + { 0x03, 0, 0, 10, "ntru-EESS1v1-NTRUSign" }, /* 255 */ + { 0x02, 286, 1, 9, "eess1-params" }, /* 256 */ + { 0x01, 258, 0, 10, "ees251ep1" }, /* 257 */ + { 0x02, 259, 0, 10, "ees347ep1" }, /* 258 */ + { 0x03, 260, 0, 10, "ees503ep1" }, /* 259 */ + { 0x07, 261, 0, 10, "ees251sp2" }, /* 260 */ + { 0x0C, 262, 0, 10, "ees251ep4" }, /* 261 */ + { 0x0D, 263, 0, 10, "ees251ep5" }, /* 262 */ + { 0x0E, 264, 0, 10, "ees251sp3" }, /* 263 */ + { 0x0F, 265, 0, 10, "ees251sp4" }, /* 264 */ + { 0x10, 266, 0, 10, "ees251sp5" }, /* 265 */ + { 0x11, 267, 0, 10, "ees251sp6" }, /* 266 */ + { 0x12, 268, 0, 10, "ees251sp7" }, /* 267 */ + { 0x13, 269, 0, 10, "ees251sp8" }, /* 268 */ + { 0x14, 270, 0, 10, "ees251sp9" }, /* 269 */ + { 0x22, 271, 0, 10, 
"ees401ep1" }, /* 270 */ + { 0x23, 272, 0, 10, "ees449ep1" }, /* 271 */ + { 0x24, 273, 0, 10, "ees677ep1" }, /* 272 */ + { 0x25, 274, 0, 10, "ees1087ep2" }, /* 273 */ + { 0x26, 275, 0, 10, "ees541ep1" }, /* 274 */ + { 0x27, 276, 0, 10, "ees613ep1" }, /* 275 */ + { 0x28, 277, 0, 10, "ees887ep1" }, /* 276 */ + { 0x29, 278, 0, 10, "ees1171ep1" }, /* 277 */ + { 0x2A, 279, 0, 10, "ees659ep1" }, /* 278 */ + { 0x2B, 280, 0, 10, "ees761ep1" }, /* 279 */ + { 0x2C, 281, 0, 10, "ees1087ep1" }, /* 280 */ + { 0x2D, 282, 0, 10, "ees1499ep1" }, /* 281 */ + { 0x2E, 283, 0, 10, "ees401ep2" }, /* 282 */ + { 0x2F, 284, 0, 10, "ees439ep1" }, /* 283 */ + { 0x30, 285, 0, 10, "ees593ep1" }, /* 284 */ + { 0x31, 0, 0, 10, "ees743ep1" }, /* 285 */ + { 0x03, 0, 0, 9, "eess1-encodingMethods" }, /* 286 */ + { 0x05, 0, 1, 3, "security" }, /* 287 */ + { 0x05, 0, 1, 4, "mechanisms" }, /* 288 */ + { 0x07, 333, 1, 5, "id-pkix" }, /* 289 */ + { 0x01, 294, 1, 6, "id-pe" }, /* 290 */ + { 0x01, 292, 0, 7, "authorityInfoAccess" }, /* 291 */ + { 0x03, 293, 0, 7, "qcStatements" }, /* 292 */ + { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 293 */ + { 0x02, 297, 1, 6, "id-qt" }, /* 294 */ + { 0x01, 296, 0, 7, "cps" }, /* 295 */ + { 0x02, 0, 0, 7, "unotice" }, /* 296 */ + { 0x03, 307, 1, 6, "id-kp" }, /* 297 */ + { 0x01, 299, 0, 7, "serverAuth" }, /* 298 */ + { 0x02, 300, 0, 7, "clientAuth" }, /* 299 */ + { 0x03, 301, 0, 7, "codeSigning" }, /* 300 */ + { 0x04, 302, 0, 7, "emailProtection" }, /* 301 */ + { 0x05, 303, 0, 7, "ipsecEndSystem" }, /* 302 */ + { 0x06, 304, 0, 7, "ipsecTunnel" }, /* 303 */ + { 0x07, 305, 0, 7, "ipsecUser" }, /* 304 */ + { 0x08, 306, 0, 7, "timeStamping" }, /* 305 */ + { 0x09, 0, 0, 7, "ocspSigning" }, /* 306 */ + { 0x08, 315, 1, 6, "id-otherNames" }, /* 307 */ + { 0x01, 309, 0, 7, "personalData" }, /* 308 */ + { 0x02, 310, 0, 7, "userGroup" }, /* 309 */ + { 0x03, 311, 0, 7, "id-on-permanentIdentifier" }, /* 310 */ + { 0x04, 312, 0, 7, "id-on-hardwareModuleName" }, /* 311 */ + { 0x05, 313, 0, 
7, "xmppAddr" }, /* 312 */ + { 0x06, 314, 0, 7, "id-on-SIM" }, /* 313 */ + { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 314 */ + { 0x0A, 320, 1, 6, "id-aca" }, /* 315 */ + { 0x01, 317, 0, 7, "authenticationInfo" }, /* 316 */ + { 0x02, 318, 0, 7, "accessIdentity" }, /* 317 */ + { 0x03, 319, 0, 7, "chargingIdentity" }, /* 318 */ + { 0x04, 0, 0, 7, "group" }, /* 319 */ + { 0x0B, 321, 0, 6, "subjectInfoAccess" }, /* 320 */ + { 0x30, 0, 1, 6, "id-ad" }, /* 321 */ + { 0x01, 330, 1, 7, "ocsp" }, /* 322 */ + { 0x01, 324, 0, 8, "basic" }, /* 323 */ + { 0x02, 325, 0, 8, "nonce" }, /* 324 */ + { 0x03, 326, 0, 8, "crl" }, /* 325 */ + { 0x04, 327, 0, 8, "response" }, /* 326 */ + { 0x05, 328, 0, 8, "noCheck" }, /* 327 */ + { 0x06, 329, 0, 8, "archiveCutoff" }, /* 328 */ + { 0x07, 0, 0, 8, "serviceLocator" }, /* 329 */ + { 0x02, 331, 0, 7, "caIssuers" }, /* 330 */ + { 0x03, 332, 0, 7, "timeStamping" }, /* 331 */ + { 0x05, 0, 0, 7, "caRepository" }, /* 332 */ + { 0x08, 0, 1, 5, "ipsec" }, /* 333 */ + { 0x02, 0, 1, 6, "certificate" }, /* 334 */ + { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 335 */ + { 0x0E, 342, 1, 1, "oiw" }, /* 336 */ + { 0x03, 0, 1, 2, "secsig" }, /* 337 */ + { 0x02, 0, 1, 3, "algorithms" }, /* 338 */ + { 0x07, 340, 0, 4, "des-cbc" }, /* 339 */ + { 0x1A, 341, 0, 4, "sha-1" }, /* 340 */ + { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 341 */ + { 0x24, 388, 1, 1, "TeleTrusT" }, /* 342 */ + { 0x03, 0, 1, 2, "algorithm" }, /* 343 */ + { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 344 */ + { 0x01, 349, 1, 4, "rsaSignature" }, /* 345 */ + { 0x02, 347, 0, 5, "rsaSigWithripemd160" }, /* 346 */ + { 0x03, 348, 0, 5, "rsaSigWithripemd128" }, /* 347 */ + { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 348 */ + { 0x02, 0, 1, 4, "ecSign" }, /* 349 */ + { 0x01, 351, 0, 5, "ecSignWithsha1" }, /* 350 */ + { 0x02, 352, 0, 5, "ecSignWithripemd160" }, /* 351 */ + { 0x03, 353, 0, 5, "ecSignWithmd2" }, /* 352 */ + { 0x04, 354, 0, 5, "ecSignWithmd5" }, /* 353 */ + { 0x05, 371, 1, 5, "ttt-ecg" }, /* 
354 */ + { 0x01, 359, 1, 6, "fieldType" }, /* 355 */ + { 0x01, 0, 1, 7, "characteristictwoField" }, /* 356 */ + { 0x01, 0, 1, 8, "basisType" }, /* 357 */ + { 0x01, 0, 0, 9, "ipBasis" }, /* 358 */ + { 0x02, 361, 1, 6, "keyType" }, /* 359 */ + { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 360 */ + { 0x03, 362, 0, 6, "curve" }, /* 361 */ + { 0x04, 369, 1, 6, "signatures" }, /* 362 */ + { 0x01, 364, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 363 */ + { 0x02, 365, 0, 7, "ecgdsa-with-SHA1" }, /* 364 */ + { 0x03, 366, 0, 7, "ecgdsa-with-SHA224" }, /* 365 */ + { 0x04, 367, 0, 7, "ecgdsa-with-SHA256" }, /* 366 */ + { 0x05, 368, 0, 7, "ecgdsa-with-SHA384" }, /* 367 */ + { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 368 */ + { 0x05, 0, 1, 6, "module" }, /* 369 */ + { 0x01, 0, 0, 7, "1" }, /* 370 */ + { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 371 */ + { 0x01, 0, 1, 6, "ellipticCurve" }, /* 372 */ + { 0x01, 0, 1, 7, "versionOne" }, /* 373 */ + { 0x01, 375, 0, 8, "brainpoolP160r1" }, /* 374 */ + { 0x02, 376, 0, 8, "brainpoolP160t1" }, /* 375 */ + { 0x03, 377, 0, 8, "brainpoolP192r1" }, /* 376 */ + { 0x04, 378, 0, 8, "brainpoolP192t1" }, /* 377 */ + { 0x05, 379, 0, 8, "brainpoolP224r1" }, /* 378 */ + { 0x06, 380, 0, 8, "brainpoolP224t1" }, /* 379 */ + { 0x07, 381, 0, 8, "brainpoolP256r1" }, /* 380 */ + { 0x08, 382, 0, 8, "brainpoolP256t1" }, /* 381 */ + { 0x09, 383, 0, 8, "brainpoolP320r1" }, /* 382 */ + { 0x0A, 384, 0, 8, "brainpoolP320t1" }, /* 383 */ + { 0x0B, 385, 0, 8, "brainpoolP384r1" }, /* 384 */ + { 0x0C, 386, 0, 8, "brainpoolP384t1" }, /* 385 */ + { 0x0D, 387, 0, 8, "brainpoolP512r1" }, /* 386 */ + { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 387 */ + { 0x65, 391, 1, 1, "Thawte" }, /* 388 */ + { 0x70, 390, 0, 2, "id-Ed25519" }, /* 389 */ + { 0x71, 0, 0, 2, "id-Ed448" }, /* 390 */ + { 0x81, 0, 1, 1, "" }, /* 391 */ + { 0x04, 0, 1, 2, "Certicom" }, /* 392 */ + { 0x00, 0, 1, 3, "curve" }, /* 393 */ + { 0x01, 395, 0, 4, "sect163k1" }, /* 394 */ + { 0x02, 396, 0, 4, "sect163r1" }, /* 395 
*/ + { 0x03, 397, 0, 4, "sect239k1" }, /* 396 */ + { 0x04, 398, 0, 4, "sect113r1" }, /* 397 */ + { 0x05, 399, 0, 4, "sect113r2" }, /* 398 */ + { 0x06, 400, 0, 4, "secp112r1" }, /* 399 */ + { 0x07, 401, 0, 4, "secp112r2" }, /* 400 */ + { 0x08, 402, 0, 4, "secp160r1" }, /* 401 */ + { 0x09, 403, 0, 4, "secp160k1" }, /* 402 */ + { 0x0A, 404, 0, 4, "secp256k1" }, /* 403 */ + { 0x0F, 405, 0, 4, "sect163r2" }, /* 404 */ + { 0x10, 406, 0, 4, "sect283k1" }, /* 405 */ + { 0x11, 407, 0, 4, "sect283r1" }, /* 406 */ + { 0x16, 408, 0, 4, "sect131r1" }, /* 407 */ + { 0x17, 409, 0, 4, "sect131r2" }, /* 408 */ + { 0x18, 410, 0, 4, "sect193r1" }, /* 409 */ + { 0x19, 411, 0, 4, "sect193r2" }, /* 410 */ + { 0x1A, 412, 0, 4, "sect233k1" }, /* 411 */ + { 0x1B, 413, 0, 4, "sect233r1" }, /* 412 */ + { 0x1C, 414, 0, 4, "secp128r1" }, /* 413 */ + { 0x1D, 415, 0, 4, "secp128r2" }, /* 414 */ + { 0x1E, 416, 0, 4, "secp160r2" }, /* 415 */ + { 0x1F, 417, 0, 4, "secp192k1" }, /* 416 */ + { 0x20, 418, 0, 4, "secp224k1" }, /* 417 */ + { 0x21, 419, 0, 4, "secp224r1" }, /* 418 */ + { 0x22, 420, 0, 4, "secp384r1" }, /* 419 */ + { 0x23, 421, 0, 4, "secp521r1" }, /* 420 */ + { 0x24, 422, 0, 4, "sect409k1" }, /* 421 */ + { 0x25, 423, 0, 4, "sect409r1" }, /* 422 */ + { 0x26, 424, 0, 4, "sect571k1" }, /* 423 */ + { 0x27, 0, 0, 4, "sect571r1" }, /* 424 */ + {0x60, 488, 1, 0, "" }, /* 425 */ + { 0x86, 0, 1, 1, "" }, /* 426 */ + { 0x48, 0, 1, 2, "" }, /* 427 */ + { 0x01, 0, 1, 3, "organization" }, /* 428 */ + { 0x65, 464, 1, 4, "gov" }, /* 429 */ + { 0x03, 0, 1, 5, "csor" }, /* 430 */ + { 0x04, 0, 1, 6, "nistalgorithm" }, /* 431 */ + { 0x01, 442, 1, 7, "aes" }, /* 432 */ + { 0x02, 434, 0, 8, "id-aes128-CBC" }, /* 433 */ + { 0x06, 435, 0, 8, "id-aes128-GCM" }, /* 434 */ + { 0x07, 436, 0, 8, "id-aes128-CCM" }, /* 435 */ + { 0x16, 437, 0, 8, "id-aes192-CBC" }, /* 436 */ + { 0x1A, 438, 0, 8, "id-aes192-GCM" }, /* 437 */ + { 0x1B, 439, 0, 8, "id-aes192-CCM" }, /* 438 */ + { 0x2A, 440, 0, 8, "id-aes256-CBC" }, /* 
439 */ + { 0x2E, 441, 0, 8, "id-aes256-GCM" }, /* 440 */ + { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 441 */ + { 0x02, 455, 1, 7, "hashAlgs" }, /* 442 */ + { 0x01, 444, 0, 8, "id-sha256" }, /* 443 */ + { 0x02, 445, 0, 8, "id-sha384" }, /* 444 */ + { 0x03, 446, 0, 8, "id-sha512" }, /* 445 */ + { 0x04, 447, 0, 8, "id-sha224" }, /* 446 */ + { 0x05, 448, 0, 8, "id-sha512-224" }, /* 447 */ + { 0x06, 449, 0, 8, "id-sha512-256" }, /* 448 */ + { 0x07, 450, 0, 8, "id-sha3-224" }, /* 449 */ + { 0x08, 451, 0, 8, "id-sha3-256" }, /* 450 */ + { 0x09, 452, 0, 8, "id-sha3-384" }, /* 451 */ + { 0x0A, 453, 0, 8, "id-sha3-512" }, /* 452 */ + { 0x0B, 454, 0, 8, "id-shake128" }, /* 453 */ + { 0x0C, 0, 0, 8, "id-shake256" }, /* 454 */ + { 0x03, 0, 1, 7, "sigAlgs" }, /* 455 */ + { 0x09, 457, 0, 8, "id-ecdsa-with-sha3-224" }, /* 456 */ + { 0x0A, 458, 0, 8, "id-ecdsa-with-sha3-256" }, /* 457 */ + { 0x0B, 459, 0, 8, "id-ecdsa-with-sha3-384" }, /* 458 */ + { 0x0C, 460, 0, 8, "id-ecdsa-with-sha3-512" }, /* 459 */ + { 0x0D, 461, 0, 8, "id-rsassa-pkcs1v15-with-sha3-224"}, /* 460 */ + { 0x0E, 462, 0, 8, "id-rsassa-pkcs1v15-with-sha3-256"}, /* 461 */ + { 0x0F, 463, 0, 8, "id-rsassa-pkcs1v15-with-sha3-384"}, /* 462 */ + { 0x10, 0, 0, 8, "id-rsassa-pkcs1v15-with-sha3-512"}, /* 463 */ + { 0x86, 0, 1, 4, "" }, /* 464 */ + { 0xf8, 0, 1, 5, "" }, /* 465 */ + { 0x42, 478, 1, 6, "netscape" }, /* 466 */ + { 0x01, 473, 1, 7, "" }, /* 467 */ + { 0x01, 469, 0, 8, "nsCertType" }, /* 468 */ + { 0x03, 470, 0, 8, "nsRevocationUrl" }, /* 469 */ + { 0x04, 471, 0, 8, "nsCaRevocationUrl" }, /* 470 */ + { 0x08, 472, 0, 8, "nsCaPolicyUrl" }, /* 471 */ + { 0x0d, 0, 0, 8, "nsComment" }, /* 472 */ + { 0x03, 476, 1, 7, "directory" }, /* 473 */ + { 0x01, 0, 1, 8, "" }, /* 474 */ + { 0x03, 0, 0, 9, "employeeNumber" }, /* 475 */ + { 0x04, 0, 1, 7, "policy" }, /* 476 */ + { 0x01, 0, 0, 8, "nsSGC" }, /* 477 */ + { 0x45, 0, 1, 6, "verisign" }, /* 478 */ + { 0x01, 0, 1, 7, "pki" }, /* 479 */ + { 0x09, 0, 1, 8, "attributes" }, /* 
480 */ + { 0x02, 482, 0, 9, "messageType" }, /* 481 */ + { 0x03, 483, 0, 9, "pkiStatus" }, /* 482 */ + { 0x04, 484, 0, 9, "failInfo" }, /* 483 */ + { 0x05, 485, 0, 9, "senderNonce" }, /* 484 */ + { 0x06, 486, 0, 9, "recipientNonce" }, /* 485 */ + { 0x07, 487, 0, 9, "transID" }, /* 486 */ + { 0x08, 0, 0, 9, "extensionReq" }, /* 487 */ + {0x67, 0, 1, 0, "" }, /* 488 */ + { 0x81, 0, 1, 1, "" }, /* 489 */ + { 0x05, 0, 1, 2, "" }, /* 490 */ + { 0x02, 0, 1, 3, "tcg-attribute" }, /* 491 */ + { 0x01, 493, 0, 4, "tcg-at-tpmManufacturer" }, /* 492 */ + { 0x02, 494, 0, 4, "tcg-at-tpmModel" }, /* 493 */ + { 0x03, 495, 0, 4, "tcg-at-tpmVersion" }, /* 494 */ + { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 495 */ }; diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h index f316c0c78..0e9b7ea24 100644 --- a/src/libstrongswan/asn1/oid.h +++ b/src/libstrongswan/asn1/oid.h 
@@ -30,242 +30,247 @@ extern const oid_t oid_names[]; #define OID_COUNTRY 23 #define OID_LOCALITY 24 #define OID_STATE_OR_PROVINCE 25 -#define OID_ORGANIZATION 26 -#define OID_ORGANIZATION_UNIT 27 -#define OID_TITLE 28 -#define OID_DESCRIPTION 29 -#define OID_USER_CERTIFICATE 30 -#define OID_NAME 31 -#define OID_GIVEN_NAME 32 -#define OID_INITIALS 33 -#define OID_UNIQUE_IDENTIFIER 34 -#define OID_DN_QUALIFIER 35 -#define OID_DMD_NAME 36 -#define OID_PSEUDONYM 37 -#define OID_ROLE 38 -#define OID_SUBJECT_KEY_ID 41 -#define OID_KEY_USAGE 42 -#define OID_SUBJECT_ALT_NAME 44 -#define OID_BASIC_CONSTRAINTS 46 -#define OID_CRL_NUMBER 47 -#define OID_CRL_REASON_CODE 48 -#define OID_DELTA_CRL_INDICATOR 51 -#define OID_ISSUING_DIST_POINT 52 -#define OID_NAME_CONSTRAINTS 54 -#define OID_CRL_DISTRIBUTION_POINTS 55 -#define OID_CERTIFICATE_POLICIES 56 -#define OID_ANY_POLICY 57 -#define OID_POLICY_MAPPINGS 58 -#define OID_AUTHORITY_KEY_ID 59 -#define OID_POLICY_CONSTRAINTS 60 -#define OID_EXTENDED_KEY_USAGE 61 -#define OID_FRESHEST_CRL 63 -#define OID_INHIBIT_ANY_POLICY 64 -#define OID_TARGET_INFORMATION 65 -#define OID_NO_REV_AVAIL 66 -#define OID_CAMELLIA128_CBC 77 -#define OID_CAMELLIA192_CBC 78 -#define OID_CAMELLIA256_CBC 79 -#define OID_RSA_ENCRYPTION 92 -#define OID_MD2_WITH_RSA 93 -#define OID_MD5_WITH_RSA 94 -#define OID_SHA1_WITH_RSA 95 -#define OID_RSAES_OAEP 96 -#define OID_SHA256_WITH_RSA 99 -#define OID_SHA384_WITH_RSA 100 -#define OID_SHA512_WITH_RSA 101 -#define OID_SHA224_WITH_RSA 102 -#define OID_PBE_MD5_DES_CBC 104 -#define OID_PBE_SHA1_DES_CBC 105 -#define OID_PBKDF2 106 -#define OID_PBES2 107 -#define OID_PKCS7_DATA 109 -#define OID_PKCS7_SIGNED_DATA 110 -#define OID_PKCS7_ENVELOPED_DATA 111 -#define OID_PKCS7_SIGNED_ENVELOPED_DATA 112 -#define OID_PKCS7_DIGESTED_DATA 113 -#define OID_PKCS7_ENCRYPTED_DATA 114 -#define OID_EMAIL_ADDRESS 116 -#define OID_UNSTRUCTURED_NAME 117 -#define OID_PKCS9_CONTENT_TYPE 118 -#define OID_PKCS9_MESSAGE_DIGEST 119 -#define 
OID_PKCS9_SIGNING_TIME 120 -#define OID_CHALLENGE_PASSWORD 122 -#define OID_UNSTRUCTURED_ADDRESS 123 -#define OID_EXTENSION_REQUEST 124 -#define OID_X509_CERTIFICATE 127 -#define OID_PBE_SHA1_RC4_128 131 -#define OID_PBE_SHA1_RC4_40 132 -#define OID_PBE_SHA1_3DES_CBC 133 -#define OID_PBE_SHA1_3DES_2KEY_CBC 134 -#define OID_PBE_SHA1_RC2_CBC_128 135 -#define OID_PBE_SHA1_RC2_CBC_40 136 -#define OID_P12_KEY_BAG 139 -#define OID_P12_PKCS8_KEY_BAG 140 -#define OID_P12_CERT_BAG 141 -#define OID_P12_CRL_BAG 142 -#define OID_MD2 146 -#define OID_MD5 147 -#define OID_3DES_EDE_CBC 149 -#define OID_EC_PUBLICKEY 153 -#define OID_C2PNB163V1 156 -#define OID_C2PNB163V2 157 -#define OID_C2PNB163V3 158 -#define OID_C2PNB176W1 159 -#define OID_C2PNB191V1 160 -#define OID_C2PNB191V2 161 -#define OID_C2PNB191V3 162 -#define OID_C2PNB191V4 163 -#define OID_C2PNB191V5 164 -#define OID_C2PNB208W1 165 -#define OID_C2PNB239V1 166 -#define OID_C2PNB239V2 167 -#define OID_C2PNB239V3 168 -#define OID_C2PNB239V4 169 -#define OID_C2PNB239V5 170 -#define OID_C2PNB272W1 171 -#define OID_C2PNB304W1 172 -#define OID_C2PNB359V1 173 -#define OID_C2PNB368W1 174 -#define OID_C2PNB431R1 175 -#define OID_PRIME192V1 177 -#define OID_PRIME192V2 178 -#define OID_PRIME192V3 179 -#define OID_PRIME239V1 180 -#define OID_PRIME239V2 181 -#define OID_PRIME239V3 182 -#define OID_PRIME256V1 183 -#define OID_ECDSA_WITH_SHA1 185 -#define OID_ECDSA_WITH_SHA224 187 -#define OID_ECDSA_WITH_SHA256 188 -#define OID_ECDSA_WITH_SHA384 189 -#define OID_ECDSA_WITH_SHA512 190 -#define OID_MS_SMARTCARD_LOGON 204 -#define OID_USER_PRINCIPAL_NAME 205 -#define OID_STRONGSWAN 211 -#define OID_BLISS_PUBLICKEY 216 -#define OID_BLISS_I 218 -#define OID_BLISS_II 219 -#define OID_BLISS_III 220 -#define OID_BLISS_IV 221 -#define OID_BLISS_B_I 222 -#define OID_BLISS_B_II 223 -#define OID_BLISS_B_III 224 -#define OID_BLISS_B_IV 225 -#define OID_BLISS_WITH_SHA2_512 227 -#define OID_BLISS_WITH_SHA2_384 228 -#define OID_BLISS_WITH_SHA2_256 
229 -#define OID_BLISS_WITH_SHA3_512 230 -#define OID_BLISS_WITH_SHA3_384 231 -#define OID_BLISS_WITH_SHA3_256 232 -#define OID_TCGID 239 -#define OID_BLOWFISH_CBC 243 -#define OID_AUTHORITY_INFO_ACCESS 287 -#define OID_IP_ADDR_BLOCKS 289 -#define OID_POLICY_QUALIFIER_CPS 291 -#define OID_POLICY_QUALIFIER_UNOTICE 292 -#define OID_SERVER_AUTH 294 -#define OID_CLIENT_AUTH 295 -#define OID_OCSP_SIGNING 302 -#define OID_XMPP_ADDR 308 -#define OID_AUTHENTICATION_INFO 312 -#define OID_ACCESS_IDENTITY 313 -#define OID_CHARGING_IDENTITY 314 -#define OID_GROUP 315 -#define OID_OCSP 318 -#define OID_BASIC 319 -#define OID_NONCE 320 -#define OID_CRL 321 -#define OID_RESPONSE 322 -#define OID_NO_CHECK 323 -#define OID_ARCHIVE_CUTOFF 324 -#define OID_SERVICE_LOCATOR 325 -#define OID_CA_ISSUERS 326 -#define OID_IKE_INTERMEDIATE 331 -#define OID_DES_CBC 335 -#define OID_SHA1 336 -#define OID_SHA1_WITH_RSA_OIW 337 -#define OID_ECGDSA_PUBKEY 356 -#define OID_ECGDSA_SIG_WITH_RIPEMD160 359 -#define OID_ECGDSA_SIG_WITH_SHA1 360 -#define OID_ECGDSA_SIG_WITH_SHA224 361 -#define OID_ECGDSA_SIG_WITH_SHA256 362 -#define OID_ECGDSA_SIG_WITH_SHA384 363 -#define OID_ECGDSA_SIG_WITH_SHA512 364 -#define OID_ED25519 385 -#define OID_ED448 386 -#define OID_SECT163K1 390 -#define OID_SECT163R1 391 -#define OID_SECT239K1 392 -#define OID_SECT113R1 393 -#define OID_SECT113R2 394 -#define OID_SECT112R1 395 -#define OID_SECT112R2 396 -#define OID_SECT160R1 397 -#define OID_SECT160K1 398 -#define OID_SECT256K1 399 -#define OID_SECT163R2 400 -#define OID_SECT283K1 401 -#define OID_SECT283R1 402 -#define OID_SECT131R1 403 -#define OID_SECT131R2 404 -#define OID_SECT193R1 405 -#define OID_SECT193R2 406 -#define OID_SECT233K1 407 -#define OID_SECT233R1 408 -#define OID_SECT128R1 409 -#define OID_SECT128R2 410 -#define OID_SECT160R2 411 -#define OID_SECT192K1 412 -#define OID_SECT224K1 413 -#define OID_SECT224R1 414 -#define OID_SECT384R1 415 -#define OID_SECT521R1 416 -#define OID_SECT409K1 417 -#define 
OID_SECT409R1 418 -#define OID_SECT571K1 419 -#define OID_SECT571R1 420 -#define OID_AES128_CBC 429 -#define OID_AES128_GCM 430 -#define OID_AES128_CCM 431 -#define OID_AES192_CBC 432 -#define OID_AES192_GCM 433 -#define OID_AES192_CCM 434 -#define OID_AES256_CBC 435 -#define OID_AES256_GCM 436 -#define OID_AES256_CCM 437 -#define OID_SHA256 439 -#define OID_SHA384 440 -#define OID_SHA512 441 -#define OID_SHA224 442 -#define OID_SHA3_224 445 -#define OID_SHA3_256 446 -#define OID_SHA3_384 447 -#define OID_SHA3_512 448 -#define OID_ECDSA_WITH_SHA3_224 452 -#define OID_ECDSA_WITH_SHA3_256 453 -#define OID_ECDSA_WITH_SHA3_384 454 -#define OID_ECDSA_WITH_SHA3_512 455 -#define OID_RSASSA_PKCS1V15_WITH_SHA3_224 456 -#define OID_RSASSA_PKCS1V15_WITH_SHA3_256 457 -#define OID_RSASSA_PKCS1V15_WITH_SHA3_384 458 -#define OID_RSASSA_PKCS1V15_WITH_SHA3_512 459 -#define OID_NS_REVOCATION_URL 465 -#define OID_NS_CA_REVOCATION_URL 466 -#define OID_NS_CA_POLICY_URL 467 -#define OID_NS_COMMENT 468 -#define OID_EMPLOYEE_NUMBER 471 -#define OID_PKI_MESSAGE_TYPE 477 -#define OID_PKI_STATUS 478 -#define OID_PKI_FAIL_INFO 479 -#define OID_PKI_SENDER_NONCE 480 -#define OID_PKI_RECIPIENT_NONCE 481 -#define OID_PKI_TRANS_ID 482 -#define OID_TPM_MANUFACTURER 488 -#define OID_TPM_MODEL 489 -#define OID_TPM_VERSION 490 -#define OID_TPM_ID_LABEL 491 +#define OID_STREET_ADDRESS 26 +#define OID_ORGANIZATION 27 +#define OID_ORGANIZATION_UNIT 28 +#define OID_TITLE 29 +#define OID_DESCRIPTION 30 +#define OID_POSTAL_ADDRESS 31 +#define OID_POSTAL_CODE 32 +#define OID_USER_CERTIFICATE 33 +#define OID_NAME 34 +#define OID_GIVEN_NAME 35 +#define OID_INITIALS 36 +#define OID_UNIQUE_IDENTIFIER 37 +#define OID_DN_QUALIFIER 38 +#define OID_DMD_NAME 39 +#define OID_PSEUDONYM 40 +#define OID_ROLE 41 +#define OID_SUBJECT_KEY_ID 44 +#define OID_KEY_USAGE 45 +#define OID_SUBJECT_ALT_NAME 47 +#define OID_BASIC_CONSTRAINTS 49 +#define OID_CRL_NUMBER 50 +#define OID_CRL_REASON_CODE 51 +#define 
OID_DELTA_CRL_INDICATOR 54 +#define OID_ISSUING_DIST_POINT 55 +#define OID_NAME_CONSTRAINTS 57 +#define OID_CRL_DISTRIBUTION_POINTS 58 +#define OID_CERTIFICATE_POLICIES 59 +#define OID_ANY_POLICY 60 +#define OID_POLICY_MAPPINGS 61 +#define OID_AUTHORITY_KEY_ID 62 +#define OID_POLICY_CONSTRAINTS 63 +#define OID_EXTENDED_KEY_USAGE 64 +#define OID_FRESHEST_CRL 66 +#define OID_INHIBIT_ANY_POLICY 67 +#define OID_TARGET_INFORMATION 68 +#define OID_NO_REV_AVAIL 69 +#define OID_CAMELLIA128_CBC 80 +#define OID_CAMELLIA192_CBC 81 +#define OID_CAMELLIA256_CBC 82 +#define OID_RSA_ENCRYPTION 95 +#define OID_MD2_WITH_RSA 96 +#define OID_MD5_WITH_RSA 97 +#define OID_SHA1_WITH_RSA 98 +#define OID_RSAES_OAEP 99 +#define OID_MGF1 100 +#define OID_RSASSA_PSS 102 +#define OID_SHA256_WITH_RSA 103 +#define OID_SHA384_WITH_RSA 104 +#define OID_SHA512_WITH_RSA 105 +#define OID_SHA224_WITH_RSA 106 +#define OID_PBE_MD5_DES_CBC 108 +#define OID_PBE_SHA1_DES_CBC 109 +#define OID_PBKDF2 110 +#define OID_PBES2 111 +#define OID_PKCS7_DATA 113 +#define OID_PKCS7_SIGNED_DATA 114 +#define OID_PKCS7_ENVELOPED_DATA 115 +#define OID_PKCS7_SIGNED_ENVELOPED_DATA 116 +#define OID_PKCS7_DIGESTED_DATA 117 +#define OID_PKCS7_ENCRYPTED_DATA 118 +#define OID_EMAIL_ADDRESS 120 +#define OID_UNSTRUCTURED_NAME 121 +#define OID_PKCS9_CONTENT_TYPE 122 +#define OID_PKCS9_MESSAGE_DIGEST 123 +#define OID_PKCS9_SIGNING_TIME 124 +#define OID_CHALLENGE_PASSWORD 126 +#define OID_UNSTRUCTURED_ADDRESS 127 +#define OID_EXTENSION_REQUEST 128 +#define OID_X509_CERTIFICATE 131 +#define OID_PBE_SHA1_RC4_128 135 +#define OID_PBE_SHA1_RC4_40 136 +#define OID_PBE_SHA1_3DES_CBC 137 +#define OID_PBE_SHA1_3DES_2KEY_CBC 138 +#define OID_PBE_SHA1_RC2_CBC_128 139 +#define OID_PBE_SHA1_RC2_CBC_40 140 +#define OID_P12_KEY_BAG 143 +#define OID_P12_PKCS8_KEY_BAG 144 +#define OID_P12_CERT_BAG 145 +#define OID_P12_CRL_BAG 146 +#define OID_MD2 150 +#define OID_MD5 151 +#define OID_3DES_EDE_CBC 153 +#define OID_EC_PUBLICKEY 157 +#define 
OID_C2PNB163V1 160 +#define OID_C2PNB163V2 161 +#define OID_C2PNB163V3 162 +#define OID_C2PNB176W1 163 +#define OID_C2PNB191V1 164 +#define OID_C2PNB191V2 165 +#define OID_C2PNB191V3 166 +#define OID_C2PNB191V4 167 +#define OID_C2PNB191V5 168 +#define OID_C2PNB208W1 169 +#define OID_C2PNB239V1 170 +#define OID_C2PNB239V2 171 +#define OID_C2PNB239V3 172 +#define OID_C2PNB239V4 173 +#define OID_C2PNB239V5 174 +#define OID_C2PNB272W1 175 +#define OID_C2PNB304W1 176 +#define OID_C2PNB359V1 177 +#define OID_C2PNB368W1 178 +#define OID_C2PNB431R1 179 +#define OID_PRIME192V1 181 +#define OID_PRIME192V2 182 +#define OID_PRIME192V3 183 +#define OID_PRIME239V1 184 +#define OID_PRIME239V2 185 +#define OID_PRIME239V3 186 +#define OID_PRIME256V1 187 +#define OID_ECDSA_WITH_SHA1 189 +#define OID_ECDSA_WITH_SHA224 191 +#define OID_ECDSA_WITH_SHA256 192 +#define OID_ECDSA_WITH_SHA384 193 +#define OID_ECDSA_WITH_SHA512 194 +#define OID_MS_SMARTCARD_LOGON 208 +#define OID_USER_PRINCIPAL_NAME 209 +#define OID_STRONGSWAN 215 +#define OID_BLISS_PUBLICKEY 220 +#define OID_BLISS_I 222 +#define OID_BLISS_II 223 +#define OID_BLISS_III 224 +#define OID_BLISS_IV 225 +#define OID_BLISS_B_I 226 +#define OID_BLISS_B_II 227 +#define OID_BLISS_B_III 228 +#define OID_BLISS_B_IV 229 +#define OID_BLISS_WITH_SHA2_512 231 +#define OID_BLISS_WITH_SHA2_384 232 +#define OID_BLISS_WITH_SHA2_256 233 +#define OID_BLISS_WITH_SHA3_512 234 +#define OID_BLISS_WITH_SHA3_384 235 +#define OID_BLISS_WITH_SHA3_256 236 +#define OID_TCGID 243 +#define OID_BLOWFISH_CBC 247 +#define OID_AUTHORITY_INFO_ACCESS 291 +#define OID_IP_ADDR_BLOCKS 293 +#define OID_POLICY_QUALIFIER_CPS 295 +#define OID_POLICY_QUALIFIER_UNOTICE 296 +#define OID_SERVER_AUTH 298 +#define OID_CLIENT_AUTH 299 +#define OID_OCSP_SIGNING 306 +#define OID_XMPP_ADDR 312 +#define OID_AUTHENTICATION_INFO 316 +#define OID_ACCESS_IDENTITY 317 +#define OID_CHARGING_IDENTITY 318 +#define OID_GROUP 319 +#define OID_OCSP 322 +#define OID_BASIC 323 +#define 
OID_NONCE 324 +#define OID_CRL 325 +#define OID_RESPONSE 326 +#define OID_NO_CHECK 327 +#define OID_ARCHIVE_CUTOFF 328 +#define OID_SERVICE_LOCATOR 329 +#define OID_CA_ISSUERS 330 +#define OID_IKE_INTERMEDIATE 335 +#define OID_DES_CBC 339 +#define OID_SHA1 340 +#define OID_SHA1_WITH_RSA_OIW 341 +#define OID_ECGDSA_PUBKEY 360 +#define OID_ECGDSA_SIG_WITH_RIPEMD160 363 +#define OID_ECGDSA_SIG_WITH_SHA1 364 +#define OID_ECGDSA_SIG_WITH_SHA224 365 +#define OID_ECGDSA_SIG_WITH_SHA256 366 +#define OID_ECGDSA_SIG_WITH_SHA384 367 +#define OID_ECGDSA_SIG_WITH_SHA512 368 +#define OID_ED25519 389 +#define OID_ED448 390 +#define OID_SECT163K1 394 +#define OID_SECT163R1 395 +#define OID_SECT239K1 396 +#define OID_SECT113R1 397 +#define OID_SECT113R2 398 +#define OID_SECT112R1 399 +#define OID_SECT112R2 400 +#define OID_SECT160R1 401 +#define OID_SECT160K1 402 +#define OID_SECT256K1 403 +#define OID_SECT163R2 404 +#define OID_SECT283K1 405 +#define OID_SECT283R1 406 +#define OID_SECT131R1 407 +#define OID_SECT131R2 408 +#define OID_SECT193R1 409 +#define OID_SECT193R2 410 +#define OID_SECT233K1 411 +#define OID_SECT233R1 412 +#define OID_SECT128R1 413 +#define OID_SECT128R2 414 +#define OID_SECT160R2 415 +#define OID_SECT192K1 416 +#define OID_SECT224K1 417 +#define OID_SECT224R1 418 +#define OID_SECT384R1 419 +#define OID_SECT521R1 420 +#define OID_SECT409K1 421 +#define OID_SECT409R1 422 +#define OID_SECT571K1 423 +#define OID_SECT571R1 424 +#define OID_AES128_CBC 433 +#define OID_AES128_GCM 434 +#define OID_AES128_CCM 435 +#define OID_AES192_CBC 436 +#define OID_AES192_GCM 437 +#define OID_AES192_CCM 438 +#define OID_AES256_CBC 439 +#define OID_AES256_GCM 440 +#define OID_AES256_CCM 441 +#define OID_SHA256 443 +#define OID_SHA384 444 +#define OID_SHA512 445 +#define OID_SHA224 446 +#define OID_SHA3_224 449 +#define OID_SHA3_256 450 +#define OID_SHA3_384 451 +#define OID_SHA3_512 452 +#define OID_ECDSA_WITH_SHA3_224 456 +#define OID_ECDSA_WITH_SHA3_256 457 +#define 
OID_ECDSA_WITH_SHA3_384 458 +#define OID_ECDSA_WITH_SHA3_512 459 +#define OID_RSASSA_PKCS1V15_WITH_SHA3_224 460 +#define OID_RSASSA_PKCS1V15_WITH_SHA3_256 461 +#define OID_RSASSA_PKCS1V15_WITH_SHA3_384 462 +#define OID_RSASSA_PKCS1V15_WITH_SHA3_512 463 +#define OID_NS_REVOCATION_URL 469 +#define OID_NS_CA_REVOCATION_URL 470 +#define OID_NS_CA_POLICY_URL 471 +#define OID_NS_COMMENT 472 +#define OID_EMPLOYEE_NUMBER 475 +#define OID_PKI_MESSAGE_TYPE 481 +#define OID_PKI_STATUS 482 +#define OID_PKI_FAIL_INFO 483 +#define OID_PKI_SENDER_NONCE 484 +#define OID_PKI_RECIPIENT_NONCE 485 +#define OID_PKI_TRANS_ID 486 +#define OID_TPM_MANUFACTURER 492 +#define OID_TPM_MODEL 493 +#define OID_TPM_VERSION 494 +#define OID_TPM_ID_LABEL 495 -#define OID_MAX 492 +#define OID_MAX 496 #endif /* OID_H_ */ diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt index a0c2aada3..9583baa5e 100644 --- a/src/libstrongswan/asn1/oid.txt +++ b/src/libstrongswan/asn1/oid.txt @@ -24,10 +24,13 @@ 0x06 "C" OID_COUNTRY 0x07 "L" OID_LOCALITY 0x08 "ST" OID_STATE_OR_PROVINCE + 0x09 "STREET" OID_STREET_ADDRESS 0x0A "O" OID_ORGANIZATION 0x0B "OU" OID_ORGANIZATION_UNIT 0x0C "T" OID_TITLE 0x0D "D" OID_DESCRIPTION + 0x10 "postalAddress" OID_POSTAL_ADDRESS + 0x11 "postalCode" OID_POSTAL_CODE 0x24 "userCertificate" OID_USER_CERTIFICATE 0x29 "N" OID_NAME 0x2A "G" OID_GIVEN_NAME @@ -95,8 +98,9 @@ 0x04 "md5WithRSAEncryption" OID_MD5_WITH_RSA 0x05 "sha-1WithRSAEncryption" OID_SHA1_WITH_RSA 0x07 "id-RSAES-OAEP" OID_RSAES_OAEP - 0x08 "id-mgf1" + 0x08 "id-mgf1" OID_MGF1 0x09 "id-pSpecified" + 0x0A "RSASSA-PSS" OID_RSASSA_PSS 0x0B "sha256WithRSAEncryption" OID_SHA256_WITH_RSA 0x0C "sha384WithRSAEncryption" OID_SHA384_WITH_RSA 0x0D "sha512WithRSAEncryption" OID_SHA512_WITH_RSA diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c index 07da596e4..d1be7b401 100644 --- a/src/libstrongswan/credentials/auth_cfg.c 
+++ b/src/libstrongswan/credentials/auth_cfg.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2016 Tobias Brunner + * Copyright (C) 2008-2017 Tobias Brunner * Copyright (C) 2007-2009 Martin Willi * Copyright (C) 2016 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil @@ -216,8 +216,6 @@ static void init_entry(entry_t *this, auth_rule_t type, va_list args) case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: - case AUTH_RULE_SIGNATURE_SCHEME: - case AUTH_RULE_IKE_SIGNATURE_SCHEME: case AUTH_RULE_CERT_VALIDATION_SUSPENDED: /* integer type */ this->value = (void*)(uintptr_t)va_arg(args, u_int); @@ -232,6 +230,8 @@ static void init_entry(entry_t *this, auth_rule_t type, va_list args) case AUTH_RULE_IM_CERT: case AUTH_RULE_SUBJECT_CERT: case AUTH_RULE_CERT_POLICY: + case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_IM_HASH_URL: @@ -267,8 +267,6 @@ static bool entry_equals(entry_t *e1, entry_t *e2) case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: - case AUTH_RULE_SIGNATURE_SCHEME: - case AUTH_RULE_IKE_SIGNATURE_SCHEME: case AUTH_RULE_CERT_VALIDATION_SUSPENDED: { return e1->value == e2->value; @@ -301,6 +299,11 @@ static bool entry_equals(entry_t *e1, entry_t *e2) return id1->equals(id1, id2); } + case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: + { + return signature_params_equal(e1->value, e2->value); + } case AUTH_RULE_CERT_POLICY: case AUTH_RULE_XAUTH_BACKEND: case AUTH_HELPER_IM_HASH_URL: @@ -351,6 +354,12 @@ static void destroy_entry_value(entry_t *entry) free(entry->value); break; } + case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: + { + signature_params_destroy(entry->value); + break; + } case AUTH_RULE_IDENTITY_LOOSE: case AUTH_RULE_AUTH_CLASS: case AUTH_RULE_EAP_TYPE: 
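Review bot: Moving AUTH_RULE_SIGNATURE_SCHEME and AUTH_RULE_IKE_SIGNATURE_SCHEME out of the `va_arg(args, u_int)` group in init_entry() changes what callers of the variadic add() must pass, and nothing at the moved labels says so. A caller that still passes a signature_scheme_t would presumably have that integer interpreted as a pointer, and destroy_entry_value() now hands the stored value to signature_params_destroy(). Because the argument travels through va_list, the compiler cannot flag such a caller, so I would add a comment at the moved case labels such as `/* signature_params_t*, owned by the entry, freed in destroy_entry_value() */`. The same applies to the matching hunks in replace() further down; init_entry(), entry_equals() and destroy_entry_value() all continue outside these hunks.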
@@ -360,8 +369,6 @@ static void destroy_entry_value(entry_t *entry) case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: - case AUTH_RULE_SIGNATURE_SCHEME: - case AUTH_RULE_IKE_SIGNATURE_SCHEME: case AUTH_RULE_CERT_VALIDATION_SUSPENDED: case AUTH_RULE_MAX: break; @@ -394,8 +401,6 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator, case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: - case AUTH_RULE_SIGNATURE_SCHEME: - case AUTH_RULE_IKE_SIGNATURE_SCHEME: case AUTH_RULE_CERT_VALIDATION_SUSPENDED: /* integer type */ entry->value = (void*)(uintptr_t)va_arg(args, u_int); @@ -410,6 +415,8 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator, case AUTH_RULE_IM_CERT: case AUTH_RULE_SUBJECT_CERT: case AUTH_RULE_CERT_POLICY: + case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_IM_HASH_URL: @@ -472,9 +479,6 @@ METHOD(auth_cfg_t, get, void*, case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: return (void*)0; - case AUTH_RULE_SIGNATURE_SCHEME: - case AUTH_RULE_IKE_SIGNATURE_SCHEME: - return (void*)HASH_UNKNOWN; case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: return (void*)VALIDATION_FAILED; @@ -491,6 +495,8 @@ METHOD(auth_cfg_t, get, void*, case AUTH_RULE_IM_CERT: case AUTH_RULE_SUBJECT_CERT: case AUTH_RULE_CERT_POLICY: + case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_IM_HASH_URL: 
@@ -526,18 +532,46 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...) } } +/** + * Create a constraint for RSA/PSS signatures + */ +static signature_params_t *create_rsa_pss_constraint(char *token) +{ + signature_params_t *params = NULL; + hash_algorithm_t hash; + + if (enum_from_name(hash_algorithm_short_names, token, &hash)) + { + rsa_pss_params_t pss = { + .hash = hash, + .mgf1_hash = hash, + .salt_len = RSA_PSS_SALT_LEN_DEFAULT, + }; + signature_params_t pss_params = { + .scheme = SIGN_RSA_EMSA_PSS, + .params = &pss, + }; + params = signature_params_clone(&pss_params); + } + return params; +} + METHOD(auth_cfg_t, add_pubkey_constraints, void, private_auth_cfg_t *this, char* constraints, bool ike) { enumerator_t *enumerator; - bool is_ike = FALSE, ike_added = FALSE; + bool ike_added = FALSE, rsa_pss; key_type_t expected_type = -1; auth_rule_t expected_strength = AUTH_RULE_MAX; + signature_params_t *params; int strength; - char *token; + char *token, *key_token = NULL; auth_rule_t type; void *value; + rsa_pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, + lib->ns); + enumerator = enumerator_create_token(constraints, "-", ""); while (enumerator->enumerate(enumerator, &token)) { 
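Review bot: The comment on create_rsa_pss_constraint() does not mention that the function returns NULL when the token is not a name in hash_algorithm_short_names, nor that the result is a heap copy made by signature_params_clone() which the caller has to pass on to add() or release. I would extend it to `Create a constraint for RSA/PSS signatures from a hash name; returns an allocated signature_params_t, or NULL if the hash is unknown`. It is also worth stating there that the same hash is used for MGF1 and that the salt length is fixed to RSA_PSS_SALT_LEN_DEFAULT, since neither can be chosen through the constraint string. add_pubkey_constraints() continues outside the hunk.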
@@ -583,67 +617,117 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void, } if (streq(token, "rsa") || streq(token, "ike:rsa")) { + key_token = token; + expected_type = KEY_RSA; + expected_strength = AUTH_RULE_RSA_STRENGTH; + continue; + } + if (streq(token, "rsa/pss") || streq(token, "ike:rsa/pss")) + { + key_token = token; expected_type = KEY_RSA; expected_strength = AUTH_RULE_RSA_STRENGTH; - is_ike = strpfx(token, "ike:"); continue; } if (streq(token, "ecdsa") || streq(token, "ike:ecdsa")) { + key_token = token; expected_type = KEY_ECDSA; expected_strength = AUTH_RULE_ECDSA_STRENGTH; - is_ike = strpfx(token, "ike:"); continue; } if (streq(token, "ed25519") || streq(token, "ike:ed25519")) { + key_token = token; expected_type = KEY_ED25519; - is_ike = strpfx(token, "ike:"); continue; } if (streq(token, "ed448") || streq(token, "ike:ed448")) { + key_token = token; expected_type = KEY_ED448; - is_ike = strpfx(token, "ike:"); continue; } if (streq(token, "bliss") || streq(token, "ike:bliss")) { + key_token = token; expected_type = KEY_BLISS; expected_strength = AUTH_RULE_BLISS_STRENGTH; - is_ike = strpfx(token, "ike:"); continue; } if (streq(token, "pubkey") || streq(token, "ike:pubkey")) { + key_token = token; expected_type = KEY_ANY; - is_ike = strpfx(token, "ike:"); continue; } - if (is_ike && !ike) + if (key_token && strpfx(key_token, "ike:") && !ike) { continue; } - for (i = 0; i < countof(schemes); i++) + if (key_token && streq(key_token + strlen(key_token) - 3, "pss")) + { + params = create_rsa_pss_constraint(token); + if (params) + { + if (strpfx(key_token, "ike:")) + { + add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME, params); + ike_added = TRUE; + } + else + { + add(this, AUTH_RULE_SIGNATURE_SCHEME, params); + } + found = TRUE; + } + } + else { - if (streq(schemes[i].name, token)) + if (rsa_pss) { - if (expected_type == KEY_ANY || expected_type == schemes[i].key) + if (expected_type == KEY_ANY || + expected_type == KEY_RSA) { - if (is_ike) + params = 
create_rsa_pss_constraint(token); + if (params) { - add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME, - (uintptr_t)schemes[i].scheme); - ike_added = TRUE; + if (strpfx(key_token, "ike:")) + { + add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME, params); + ike_added = TRUE; + } + else + { + add(this, AUTH_RULE_SIGNATURE_SCHEME, params); + } + found = TRUE; } - else + } + } + for (i = 0; i < countof(schemes); i++) + { + if (streq(schemes[i].name, token)) + { + if (expected_type == KEY_ANY || + expected_type == schemes[i].key) { - add(this, AUTH_RULE_SIGNATURE_SCHEME, - (uintptr_t)schemes[i].scheme); + INIT(params, + .scheme = schemes[i].scheme, + ); + if (strpfx(key_token, "ike:")) + { + add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME, params); + ike_added = TRUE; + } + else + { + add(this, AUTH_RULE_SIGNATURE_SCHEME, params); + } } + found = TRUE; } - found = TRUE; } } if (!found) @@ -666,7 +750,7 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void, if (type == AUTH_RULE_SIGNATURE_SCHEME) { add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME, - (uintptr_t)value); + signature_params_clone(value)); } } enumerator->destroy(enumerator); @@ -681,20 +765,20 @@ static bool complies_scheme(private_auth_cfg_t *this, auth_cfg_t *constraints, { enumerator_t *e1, *e2; auth_rule_t t1, t2; - signature_scheme_t scheme; - void *value; + signature_params_t *params, *constraint; bool success = TRUE; e2 = create_enumerator(this); - while (e2->enumerate(e2, &t2, &scheme)) + while (e2->enumerate(e2, &t2, ¶ms)) { if (t2 == type) { success = FALSE; e1 = constraints->create_enumerator(constraints); - while (e1->enumerate(e1, &t1, &value)) + while (e1->enumerate(e1, &t1, &constraint)) { - if (t1 == type && (uintptr_t)value == scheme) + if (t1 == type && + signature_params_comply(constraint, params)) { success = TRUE; break; 
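Review bot: The block that chooses between AUTH_RULE_IKE_SIGNATURE_SCHEME and AUTH_RULE_SIGNATURE_SCHEME is now written out three times in add_pubkey_constraints(), and two of the copies call `strpfx(key_token, "ike:")` without the `key_token &&` guard used a few lines earlier. As far as the hunk shows, those copies are only reached once expected_type has been set together with key_token, so this is not a crash today, but the invariant is implicit and easy to break when a new key type is added. A small static helper that carries the guard would keep the call sites identical and make the NULL case explicit. The function begins and ends outside the hunk.

```c
static void add_scheme_constraint(private_auth_cfg_t *this, char *key_token,
								  signature_params_t *params, bool *ike_added)
{
	if (key_token && strpfx(key_token, "ike:"))
	{
		add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME, params);
		*ike_added = TRUE;
	}
	else
	{
		add(this, AUTH_RULE_SIGNATURE_SCHEME, params);
	}
}

/* … unchanged: token parsing in add_pubkey_constraints() … */
			params = create_rsa_pss_constraint(token);
			if (params)
			{
				add_scheme_constraint(this, key_token, params, &ike_added);
				found = TRUE;
			}
```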
@@ -707,7 +791,7 @@ static bool complies_scheme(private_auth_cfg_t *this, auth_cfg_t *constraints, { DBG1(DBG_CFG, "%s signature scheme %N not acceptable", AUTH_RULE_SIGNATURE_SCHEME == type ? "X.509" : "IKE", - signature_scheme_names, (int)scheme); + signature_scheme_names, params->scheme); } break; } @@ -725,7 +809,7 @@ METHOD(auth_cfg_t, complies, bool, bool ca_match = FALSE, cert_match = FALSE; identification_t *require_group = NULL; certificate_t *require_ca = NULL, *require_cert = NULL; - signature_scheme_t ike_scheme = SIGN_UNKNOWN, scheme = SIGN_UNKNOWN; + signature_params_t *ike_scheme = NULL, *scheme = NULL; u_int strength = 0; auth_rule_t t1, t2; char *key_type; @@ -928,12 +1012,12 @@ METHOD(auth_cfg_t, complies, bool, } case AUTH_RULE_IKE_SIGNATURE_SCHEME: { - ike_scheme = (uintptr_t)value; + ike_scheme = value; break; } case AUTH_RULE_SIGNATURE_SCHEME: { - scheme = (uintptr_t)value; + scheme = value; break; } case AUTH_RULE_CERT_POLICY: @@ -983,12 +1067,12 @@ METHOD(auth_cfg_t, complies, bool, /* Check if we have a matching constraint (or none at all) for used * signature schemes. */ - if (success && scheme != SIGN_UNKNOWN) + if (success && scheme) { success = complies_scheme(this, constraints, AUTH_RULE_SIGNATURE_SCHEME, log_error); } - if (success && ike_scheme != SIGN_UNKNOWN) + if (success && ike_scheme) { success = complies_scheme(this, constraints, AUTH_RULE_IKE_SIGNATURE_SCHEME, log_error); @@ -1114,8 +1198,6 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: - case AUTH_RULE_SIGNATURE_SCHEME: - case AUTH_RULE_IKE_SIGNATURE_SCHEME: case AUTH_RULE_CERT_VALIDATION_SUSPENDED: { add(this, type, (uintptr_t)value); 
@@ -1132,6 +1214,12 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy add(this, type, id->clone(id)); break; } + case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: + { + add(this, type, signature_params_clone(value)); + break; + } case AUTH_RULE_XAUTH_BACKEND: case AUTH_RULE_CERT_POLICY: case AUTH_HELPER_IM_HASH_URL: @@ -1286,11 +1374,15 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*, case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: - case AUTH_RULE_SIGNATURE_SCHEME: - case AUTH_RULE_IKE_SIGNATURE_SCHEME: case AUTH_RULE_CERT_VALIDATION_SUSPENDED: clone->add(clone, type, (uintptr_t)value); break; + case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: + { + clone->add(clone, type, signature_params_clone(value)); + break; + } case AUTH_RULE_MAX: break; } diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h index 7191dc1bc..2eb448546 100644 --- a/src/libstrongswan/credentials/auth_cfg.h +++ b/src/libstrongswan/credentials/auth_cfg.h @@ -106,9 +106,9 @@ enum auth_rule_t { AUTH_RULE_ECDSA_STRENGTH, /** required BLISS public key strength, u_int in bits */ AUTH_RULE_BLISS_STRENGTH, - /** required signature scheme, signature_scheme_t */ + /** required signature scheme, signature_params_t* */ AUTH_RULE_SIGNATURE_SCHEME, - /** required signature scheme for IKE authentication, signature_scheme_t */ + /** required signature scheme for IKE authentication, signature_params_t* */ AUTH_RULE_IKE_SIGNATURE_SCHEME, /** certificatePolicy constraint, numerical OID as char* */ AUTH_RULE_CERT_POLICY, diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c index baa17c47d..0239ee17e 100644 --- a/src/libstrongswan/credentials/builder.c +++ b/src/libstrongswan/credentials/builder.c 
@@ -37,6 +37,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END, "BUILD_NOT_BEFORE_TIME", "BUILD_NOT_AFTER_TIME", "BUILD_SERIAL", + "BUILD_SIGNATURE_SCHEME", "BUILD_DIGEST_ALG", "BUILD_ENCRYPTION_ALG", "BUILD_AC_GROUP_STRINGS", diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h index 1c6f5001b..7928ef487 100644 --- a/src/libstrongswan/credentials/builder.h +++ b/src/libstrongswan/credentials/builder.h @@ -56,7 +56,7 @@ enum builder_part_t { BUILD_BLOB_PEM, /** OpenPGP key blob, chunk_t */ BUILD_BLOB_PGP, - /** DNS public key blob (RFC 4034, RSA specifc RFC 3110), chunk_t */ + /** DNS public key blob (RFC 4034, RSA specific RFC 3110), chunk_t */ BUILD_BLOB_DNSKEY, /** SSH public key blob (RFC 4253), chunk_t */ BUILD_BLOB_SSHKEY, @@ -84,6 +84,8 @@ enum builder_part_t { BUILD_NOT_AFTER_TIME, /** a serial number in binary form, chunk_t */ BUILD_SERIAL, + /** signature scheme and parameters for signature, signature_params_t* */ + BUILD_SIGNATURE_SCHEME, /** digest algorithm to be used for signature, hash_algorithm_t */ BUILD_DIGEST_ALG, /** encryption algorithm to use, encryption_algorithm_t */ diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h index d59126bd5..6dc5c7694 100644 --- a/src/libstrongswan/credentials/certificates/certificate.h +++ b/src/libstrongswan/credentials/certificates/certificate.h @@ -25,9 +25,9 @@ typedef struct certificate_t certificate_t; typedef enum certificate_type_t certificate_type_t; typedef enum cert_validation_t cert_validation_t; -#include #include #include +#include #include /** 
@@ -139,11 +139,12 @@ struct certificate_t { * Check if this certificate is issued and signed by a specific issuer. * * @param issuer issuer's certificate - * @param scheme receives signature scheme used during verification + * @param scheme receives used signature scheme and parameters, if + * given (allocated) * @return TRUE if certificate issued by issuer and trusted */ bool (*issued_by)(certificate_t *this, certificate_t *issuer, - signature_scheme_t *scheme); + signature_params_t **scheme); /** * Get the public key associated to this certificate. diff --git a/src/libstrongswan/credentials/certificates/x509.c b/src/libstrongswan/credentials/certificates/x509.c index 5eefa0bb4..d39ba1997 100644 --- a/src/libstrongswan/credentials/certificates/x509.c +++ b/src/libstrongswan/credentials/certificates/x509.c @@ -25,3 +25,12 @@ ENUM_NEXT(x509_flag_names, X509_ANY, X509_ANY, X509_OCSP_SIGNER, "ANY"); ENUM_END(x509_flag_names, X509_ANY); +/* + * Described in header + */ +void x509_cdp_destroy(x509_cdp_t *this) +{ + free(this->uri); + DESTROY_IF(this->issuer); + free(this); +} diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h index 601c034ef..2c640e2da 100644 --- a/src/libstrongswan/credentials/certificates/x509.h +++ b/src/libstrongswan/credentials/certificates/x509.h @@ -210,8 +210,11 @@ struct x509_t { * @return enumerator over x509_policy_mapping */ enumerator_t* (*create_policy_mapping_enumerator)(x509_t *this); - - }; +/** + * Destroy an x509_cdp_t instance. + */ +void x509_cdp_destroy(x509_cdp_t *this); + #endif /** X509_H_ @}*/ diff --git a/src/libstrongswan/credentials/containers/pkcs12.c b/src/libstrongswan/credentials/containers/pkcs12.c index 9e7815d04..8cc6a6c63 100644 --- a/src/libstrongswan/credentials/containers/pkcs12.c +++ b/src/libstrongswan/credentials/containers/pkcs12.c @@ -15,6 +15,7 @@ #include "pkcs12.h" +#include #include /** 
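Review bot: The new `@param scheme` text for certificate_t.issued_by() says the result is "(allocated)" but not who releases it or with which function, although the out-parameter changed from a plain enum to a signature_params_t pointer. I would spell it out as `receives used signature scheme and parameters, if given (allocated, caller frees with signature_params_destroy())`, assuming the caller is the intended owner; auth_cfg.c in this commit uses signature_params_destroy() for the same type. The identical wording added to credential_manager_t.issued_by() in credential_manager.h needs the same sentence. Without it an implementer can plausibly either leak the object or return a pointer that the certificate still owns.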
diff --git a/src/libstrongswan/credentials/cred_encoding.h b/src/libstrongswan/credentials/cred_encoding.h index 0b6536430..1129357ba 100644 --- a/src/libstrongswan/credentials/cred_encoding.h +++ b/src/libstrongswan/credentials/cred_encoding.h @@ -25,7 +25,7 @@ typedef struct cred_encoding_t cred_encoding_t; typedef enum cred_encoding_type_t cred_encoding_type_t; typedef enum cred_encoding_part_t cred_encoding_part_t; -#include +#include /** * Credential encoder function implementing encoding/fingerprinting. diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c index 9be7407ef..21b23f543 100644 --- a/src/libstrongswan/credentials/credential_manager.c +++ b/src/libstrongswan/credentials/credential_manager.c @@ -488,7 +488,7 @@ METHOD(credential_manager_t, remove_local_set, void, METHOD(credential_manager_t, issued_by, bool, private_credential_manager_t *this, certificate_t *subject, - certificate_t *issuer, signature_scheme_t *scheme) + certificate_t *issuer, signature_params_t **scheme) { if (this->cache) { @@ -661,7 +661,7 @@ static certificate_t *get_pretrusted_cert(private_credential_manager_t *this, */ static certificate_t *get_issuer_cert(private_credential_manager_t *this, certificate_t *subject, bool trusted, - signature_scheme_t *scheme) + signature_params_t **scheme) { enumerator_t *enumerator; certificate_t *issuer = NULL, *candidate; @@ -723,7 +723,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, { certificate_t *current, *issuer; auth_cfg_t *auth; - signature_scheme_t scheme; + signature_params_t *scheme; int pathlen; auth = auth_cfg_create(); diff --git a/src/libstrongswan/credentials/credential_manager.h b/src/libstrongswan/credentials/credential_manager.h index 022ca566c..d99f29b85 100644 --- a/src/libstrongswan/credentials/credential_manager.h +++ b/src/libstrongswan/credentials/credential_manager.h 
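Review bot: In verify_trust_chain() the local is now declared as `signature_params_t *scheme;` without an initializer, while the value it receives is an allocated object instead of an enum. If any path reads or releases it without get_issuer_cert() having stored a result, that would be a use of an indeterminate pointer; the rest of the function is outside the hunk, so this cannot be confirmed from here. Declaring it as `signature_params_t *scheme = NULL;` costs nothing and makes a later NULL check well defined.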
@@ -241,12 +241,13 @@ struct credential_manager_t { * * @param subject subject certificate to check * @param issuer issuer certificate that potentially has signed subject - * @param scheme receives used signature scheme, if given + * @param scheme receives used signature scheme and parameters, if + * given (allocated) * @return TRUE if issuer signed subject */ bool (*issued_by)(credential_manager_t *this, certificate_t *subject, certificate_t *issuer, - signature_scheme_t *scheme); + signature_params_t **scheme); /** * Register a credential set to the manager. diff --git a/src/libstrongswan/credentials/keys/private_key.h b/src/libstrongswan/credentials/keys/private_key.h index b9f7dad55..d7cfdd74d 100644 --- a/src/libstrongswan/credentials/keys/private_key.h +++ b/src/libstrongswan/credentials/keys/private_key.h @@ -1,6 +1,7 @@ /* + * Copyright (C) 2017 Tobias Brunner * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -42,11 +43,12 @@ struct private_key_t { * Create a signature over a chunk of data. * * @param scheme signature scheme to use + * @param params optional parameters required by the specified scheme * @param data chunk of data to sign * @param signature where to allocate created signature * @return TRUE if signature created */ - bool (*sign)(private_key_t *this, signature_scheme_t scheme, + bool (*sign)(private_key_t *this, signature_scheme_t scheme, void *params, chunk_t data, chunk_t *signature); /** * Decrypt a chunk of data. diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c index 87f7e6664..89fa9b348 100644 --- a/src/libstrongswan/credentials/keys/public_key.c +++ b/src/libstrongswan/credentials/keys/public_key.c 
@@ -1,7 +1,7 @@ /* - * Copyright (C) 2015 Tobias Brunner - * Copyright (C) 2007 Martin Willi + * Copyright (C) 2015-2017 Tobias Brunner * Copyright (C) 2014-2016 Andreas Steffen + * Copyright (C) 2007 Martin Willi * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -18,6 +18,7 @@ #include #include "public_key.h" +#include "signature_params.h" ENUM(key_type_names, KEY_ANY, KEY_BLISS, "ANY", @@ -42,6 +43,7 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_WITH_SHA3_512, "RSA_EMSA_PKCS1_SHA3_256", "RSA_EMSA_PKCS1_SHA3_384", "RSA_EMSA_PKCS1_SHA3_512", + "RSA_EMSA_PSS", "ECDSA_WITH_SHA1_DER", "ECDSA_WITH_SHA256_DER", "ECDSA_WITH_SHA384_DER", @@ -146,6 +148,8 @@ signature_scheme_t signature_scheme_from_oid(int oid) return SIGN_RSA_EMSA_PKCS1_SHA3_384; case OID_RSASSA_PKCS1V15_WITH_SHA3_512: return SIGN_RSA_EMSA_PKCS1_SHA3_512; + case OID_RSASSA_PSS: + return SIGN_RSA_EMSA_PSS; case OID_ECDSA_WITH_SHA1: case OID_EC_PUBLICKEY: return SIGN_ECDSA_WITH_SHA1_DER; @@ -210,6 +214,8 @@ int signature_scheme_to_oid(signature_scheme_t scheme) return OID_RSASSA_PKCS1V15_WITH_SHA3_384; case SIGN_RSA_EMSA_PKCS1_SHA3_512: return OID_RSASSA_PKCS1V15_WITH_SHA3_384; + case SIGN_RSA_EMSA_PSS: + return OID_RSASSA_PSS; case SIGN_ECDSA_WITH_SHA1_DER: return OID_ECDSA_WITH_SHA1; case SIGN_ECDSA_WITH_SHA256_DER: 
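Review bot: In the `signature_scheme_to_oid` hunk, the unchanged line just above the new PSS case maps `SIGN_RSA_EMSA_PKCS1_SHA3_512` to `OID_RSASSA_PKCS1V15_WITH_SHA3_384`, which looks like a copy-paste slip. The reverse mapping in the `signature_scheme_from_oid` hunk uses `OID_RSASSA_PKCS1V15_WITH_SHA3_512`. As written, a SHA3-512 signature would be labelled with the SHA3-384 algorithm identifier, so a verifier would select the wrong hash. Since this commit edits the switch anyway, I would change that line to `return OID_RSASSA_PKCS1V15_WITH_SHA3_512;`. The function body starts and ends outside the hunk.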
@@ -238,27 +244,43 @@ int signature_scheme_to_oid(signature_scheme_t scheme) return OID_UNKNOWN; } +/** + * Parameters for RSA/PSS signature schemes + */ +#define PSS_PARAMS(bits) static rsa_pss_params_t pss_params_sha##bits = { \ + .hash = HASH_SHA##bits, \ + .mgf1_hash = HASH_SHA##bits, \ + .salt_len = RSA_PSS_SALT_LEN_DEFAULT, \ +} + +PSS_PARAMS(256); +PSS_PARAMS(384); +PSS_PARAMS(512); + /** * Map for signature schemes to the key type and maximum key size allowed. * We only cover schemes with hash algorithms supported by IKEv2 signature * authentication. */ static struct { - signature_scheme_t scheme; key_type_t type; int max_keysize; + signature_params_t params; } scheme_map[] = { - { SIGN_RSA_EMSA_PKCS1_SHA2_256, KEY_RSA, 3072 }, - { SIGN_RSA_EMSA_PKCS1_SHA2_384, KEY_RSA, 7680 }, - { SIGN_RSA_EMSA_PKCS1_SHA2_512, KEY_RSA, 0 }, - { SIGN_ECDSA_WITH_SHA256_DER, KEY_ECDSA, 256 }, - { SIGN_ECDSA_WITH_SHA384_DER, KEY_ECDSA, 384 }, - { SIGN_ECDSA_WITH_SHA512_DER, KEY_ECDSA, 0 }, - { SIGN_ED25519, KEY_ED25519, 0 }, - { SIGN_ED448, KEY_ED448, 0 }, - { SIGN_BLISS_WITH_SHA2_256, KEY_BLISS, 128 }, - { SIGN_BLISS_WITH_SHA2_384, KEY_BLISS, 192 }, - { SIGN_BLISS_WITH_SHA2_512, KEY_BLISS, 0 } + { KEY_RSA, 3072, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha256, }}, + { KEY_RSA, 7680, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha384, }}, + { KEY_RSA, 0, { .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params_sha512, }}, + { KEY_RSA, 3072, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256 }}, + { KEY_RSA, 7680, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384 }}, + { KEY_RSA, 0, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512 }}, + { KEY_ECDSA, 256, { .scheme = SIGN_ECDSA_WITH_SHA256_DER }}, + { KEY_ECDSA, 384, { .scheme = SIGN_ECDSA_WITH_SHA384_DER }}, + { KEY_ECDSA, 0, { .scheme = SIGN_ECDSA_WITH_SHA512_DER }}, + { KEY_ED25519, 0, { .scheme = SIGN_ED25519 }}, + { KEY_ED448, 0, { .scheme = SIGN_ED448 }}, + { KEY_BLISS, 128, { .scheme = SIGN_BLISS_WITH_SHA2_256 }}, + { KEY_BLISS, 
192, { .scheme = SIGN_BLISS_WITH_SHA2_384 }}, + { KEY_BLISS, 0, { .scheme = SIGN_BLISS_WITH_SHA2_512 }}, }; /** @@ -274,9 +296,9 @@ typedef struct { METHOD(enumerator_t, signature_schemes_enumerate, bool, private_enumerator_t *this, va_list args) { - signature_scheme_t *scheme; + signature_params_t **params; - VA_ARGS_VGET(args, scheme); + VA_ARGS_VGET(args, params); while (++this->index < countof(scheme_map)) { @@ -284,7 +306,7 @@ METHOD(enumerator_t, signature_schemes_enumerate, bool, (this->size <= scheme_map[this->index].max_keysize || !scheme_map[this->index].max_keysize)) { - *scheme = scheme_map[this->index].scheme; + *params = &scheme_map[this->index].params; return TRUE; } } @@ -332,6 +354,7 @@ key_type_t key_type_from_signature_scheme(signature_scheme_t scheme) case SIGN_RSA_EMSA_PKCS1_SHA3_256: case SIGN_RSA_EMSA_PKCS1_SHA3_384: case SIGN_RSA_EMSA_PKCS1_SHA3_512: + case SIGN_RSA_EMSA_PSS: return KEY_RSA; case SIGN_ECDSA_WITH_SHA1_DER: case SIGN_ECDSA_WITH_SHA256_DER: diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h index 06c1aa488..877ed20a2 100644 --- a/src/libstrongswan/credentials/keys/public_key.h +++ b/src/libstrongswan/credentials/keys/public_key.h @@ -1,7 +1,7 @@ /* - * Copyright (C) 2015 Tobias Brunner - * Copyright (C) 2007 Martin Willi + * Copyright (C) 2015-2017 Tobias Brunner * Copyright (C) 2014-2017 Andreas Steffen + * Copyright (C) 2007 Martin Willi * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -28,7 +28,6 @@ typedef enum key_type_t key_type_t; typedef enum signature_scheme_t signature_scheme_t; typedef enum encryption_scheme_t encryption_scheme_t; -#include #include #include 
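Review bot: `signature_schemes_enumerate` (hunk `@@ -284,7 +306,7 @@`) now returns `&scheme_map[this->index].params`, a pointer into a mutable static table, while the `issued_by` interfaces changed in this commit are documented as returning "(allocated)" `signature_params_t` objects. The same pointer type therefore carries two ownership rules. Passing an enumerated entry to `signature_params_destroy()` or `signature_params_clear()` would call `free()` on the static `pss_params_sha*` objects. I would add a comment above the assignment, e.g. `/* points into scheme_map: callers must not free or modify it, use signature_params_clone() to keep a copy */`, and repeat that in the `signature_schemes_for_key` doc in public_key.h. Only part of the enumerate function is visible in the hunk.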
@@ -89,6 +88,8 @@ enum signature_scheme_t { SIGN_RSA_EMSA_PKCS1_SHA3_384, /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-3_512 */ SIGN_RSA_EMSA_PKCS1_SHA3_512, + /** EMSA-PSS signature as in PKCS#1 using RSA */ + SIGN_RSA_EMSA_PSS, /** ECDSA with SHA-1 using DER encoding as in RFC 3279 */ SIGN_ECDSA_WITH_SHA1_DER, /** ECDSA with SHA-256 using DER encoding as in RFC 3279 */ @@ -168,12 +169,13 @@ struct public_key_t { /** * Verifies a signature against a chunk of data. * - * @param scheme signature scheme to use for verification, may be default + * @param scheme signature scheme to use for verification + * @param params optional parameters required by the specified scheme * @param data data to check signature against * @param signature signature to check * @return TRUE if signature matches */ - bool (*verify)(public_key_t *this, signature_scheme_t scheme, + bool (*verify)(public_key_t *this, signature_scheme_t scheme, void *params, chunk_t data, chunk_t signature); /** @@ -279,11 +281,11 @@ int signature_scheme_to_oid(signature_scheme_t scheme); /** * Enumerate signature schemes that are appropriate for a key of the given type - * and size|strength. + * and size|strength ordered by increasing strength. * * @param type type of the key * @param size size or strength of the key - * @return enumerator over signature_scheme_t (increasing strength) + * @return enumerator over signature_params_t* (by strength) */ enumerator_t *signature_schemes_for_key(key_type_t type, int size); diff --git a/src/libstrongswan/credentials/keys/signature_params.c b/src/libstrongswan/credentials/keys/signature_params.c new file mode 100644 index 000000000..6b4d22e7b --- /dev/null +++ b/src/libstrongswan/credentials/keys/signature_params.c 
@@ -0,0 +1,366 @@
+/*
+ * Copyright (C) 2017 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "signature_params.h"
+
+#include
+#include
+
+/**
+ * Determine the salt length in case it is not configured
+ */
+static ssize_t rsa_pss_salt_length(rsa_pss_params_t *pss)
+{
+ ssize_t salt_len = pss->salt_len;
+
+ if (salt_len <= RSA_PSS_SALT_LEN_DEFAULT)
+ {
+ salt_len = hasher_hash_size(pss->hash);
+ if (!salt_len)
+ {
+ return -1;
+ }
+ }
+ return salt_len;
+}
+
+/**
+ * Compare two signature schemes and their parameters
+ */
+static bool compare_params(signature_params_t *a, signature_params_t *b,
+ bool strict)
+{
+ if (!a && !b)
+ {
+ return TRUE;
+ }
+ if (!a || !b)
+ {
+ return FALSE;
+ }
+ if (a->scheme != b->scheme)
+ {
+ return FALSE;
+ }
+ if (!a->params && !b->params)
+ {
+ return TRUE;
+ }
+ if (a->params && b->params)
+ {
+ switch (a->scheme)
+ {
+ case SIGN_RSA_EMSA_PSS:
+ {
+ rsa_pss_params_t *pss_a = a->params, *pss_b = b->params;
+
+ return pss_a->hash == pss_b->hash &&
+ pss_a->mgf1_hash == pss_b->mgf1_hash &&
+ (!strict ||
+ rsa_pss_salt_length(pss_a) == rsa_pss_salt_length(pss_b));
+ }
+ default:
+ break;
+ }
+ }
+ return FALSE;
+}
+
+/*
+ * Described in header
+ */
+bool signature_params_equal(signature_params_t *a, signature_params_t *b)
+{
+ return compare_params(a, b, TRUE);
+}
+
+/*
+ * Described in header
+ */
+bool signature_params_comply(signature_params_t *c, signature_params_t *s)
+{ /* the salt is variable, so it does not necessarily have to be the same */
+ return compare_params(c, s, FALSE);
+}
+
+/*
+ * Described in header
+ */
+signature_params_t *signature_params_clone(signature_params_t *this)
+{
+ signature_params_t *clone;
+
+ if (!this)
+ {
+ return NULL;
+ }
+
+ INIT(clone,
+ .scheme = this->scheme,
+ );
+ if (this->params)
+ {
+ switch (this->scheme)
+ {
+ case SIGN_RSA_EMSA_PSS:
+ {
+ rsa_pss_params_t *pss, *pss_clone;
+
+ pss = this->params;
+ INIT(pss_clone,
+ .hash = pss->hash,
+ .mgf1_hash = pss->mgf1_hash,
+ .salt_len = pss->salt_len,
+ /* ignore salt as only used for unit tests */
+ );
+ clone->params = pss_clone;
+ break;
+ }
+ default:
+ break;
+ }
+ }
+ return clone;
+}
+
+/*
+ * Described in header
+ */
+void signature_params_destroy(signature_params_t *this)
+{
+ if (this)
+ {
+ free(this->params);
+ free(this);
+ }
+}
+
+/*
+ * Described in header
+ */
+void signature_params_clear(signature_params_t *this)
+{
+ if (this)
+ {
+ free(this->params);
+ this->params = NULL;
+ this->scheme = SIGN_UNKNOWN;
+ }
+}
+
+/*
+ * Described in header
+ */
+bool signature_params_parse(chunk_t asn1, int level0,
+ signature_params_t *params)
+{
+ chunk_t parameters = chunk_empty;
+ int oid;
+
+ oid = asn1_parse_algorithmIdentifier(asn1, level0, ¶meters);
+ params->scheme = signature_scheme_from_oid(oid);
+ switch (params->scheme)
+ {
+ case SIGN_UNKNOWN:
+ return FALSE;
+ case SIGN_RSA_EMSA_PSS:
+ {
+ rsa_pss_params_t *pss = malloc_thing(rsa_pss_params_t);
+
+ if (!rsa_pss_params_parse(parameters, level0+1, pss))
+ {
+ DBG1(DBG_IKE, "failed parsing RSASSA-PSS parameters");
+ free(pss);
+ return FALSE;
+ }
+ params->params = pss;
+ break;
+ }
+ default:
+ params->params = NULL;
+ break;
+ }
+ return TRUE;
+}
+
+/*
+ * Described in header
+ */
+bool signature_params_build(signature_params_t *params, chunk_t *asn1)
+{
+ chunk_t parameters = chunk_empty;
+ int oid;
+
+ oid = signature_scheme_to_oid(params->scheme);
+ if (oid == OID_UNKNOWN)
+ {
+ return FALSE;
+ }
+ if (params->scheme == SIGN_RSA_EMSA_PSS &&
+ !rsa_pss_params_build(params->params, ¶meters))
+ {
+ return FALSE;
+ }
+ if (parameters.len)
+ {
+ *asn1 = asn1_algorithmIdentifier_params(oid, parameters);
+ }
+ else
+ {
+ *asn1 = asn1_algorithmIdentifier(oid);
+ }
+ return TRUE;
+}
+
+/**
+ * ASN.1 definition of RSASSA-PSS-params
+ */
+static const asn1Object_t RSASSAPSSParamsObjects[] = {
+ { 0, "RSASSA-PSS-params", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "DEFAULT SHA-1", ASN1_CONTEXT_C_0, ASN1_DEF }, /* 1 */
+ { 2, "hashAlgorithm", ASN1_EOC, ASN1_RAW }, /* 2 */
+ { 1, "DEFAULT MGF1SHA1", ASN1_CONTEXT_C_1, ASN1_DEF }, /* 3 */
+ { 2, "maskGenAlgorithm",ASN1_EOC, ASN1_RAW }, /* 4 */
+ { 1, "DEFAULT 20", ASN1_CONTEXT_C_2, ASN1_DEF }, /* 5 */
+ { 2, "saltLength", ASN1_INTEGER, ASN1_BODY }, /* 6 */
+ { 1, "DEFAULT 1", ASN1_CONTEXT_C_3, ASN1_DEF }, /* 7 */
+ { 2, "trailerField", ASN1_INTEGER, ASN1_BODY }, /* 8 */
+ { 0, "exit", ASN1_EOC, ASN1_EXIT }
+};
+#define RSASSA_PSS_PARAMS_HASH_ALG 2
+#define RSASSA_PSS_PARAMS_MGF_ALG 4
+#define RSASSA_PSS_PARAMS_SALT_LEN 6
+#define RSASSA_PSS_PARAMS_TRAILER 8
+
+/*
+ * Described in header
+ */
+bool rsa_pss_params_parse(chunk_t asn1, int level0, rsa_pss_params_t *params)
+{
+ asn1_parser_t *parser;
+ chunk_t object;
+ int objectID, alg;
+ bool success = FALSE;
+
+ params->hash = HASH_SHA1;
+ params->mgf1_hash = HASH_SHA1;
+ params->salt_len = HASH_SIZE_SHA1;
+
+ parser = asn1_parser_create(RSASSAPSSParamsObjects, asn1);
+ parser->set_top_level(parser, level0);
+
+ while (parser->iterate(parser, &objectID, &object))
+ {
+ u_int level = parser->get_level(parser)+1;
+
+ switch (objectID)
+ {
+ case RSASSA_PSS_PARAMS_HASH_ALG:
+ if (object.len)
+ {
+ alg = asn1_parse_algorithmIdentifier(object, level, NULL);
+ params->hash = hasher_algorithm_from_oid(alg);
+ if (params->hash == HASH_UNKNOWN)
+ {
+ goto end;
+ }
+ }
+ break;
+ case RSASSA_PSS_PARAMS_MGF_ALG:
+ if (object.len)
+ {
+ chunk_t hash;
+
+ alg = asn1_parse_algorithmIdentifier(object, level, &hash);
+ if (alg != OID_MGF1)
+ {
+ goto end;
+ }
+ alg = asn1_parse_algorithmIdentifier(hash, level+1, NULL);
+ params->mgf1_hash = hasher_algorithm_from_oid(alg);
+ if (params->mgf1_hash == HASH_UNKNOWN)
+ {
+ goto end;
+ }
+ }
+ break;
+ case RSASSA_PSS_PARAMS_SALT_LEN:
+ if (object.len)
+ {
+ params->salt_len = (size_t)asn1_parse_integer_uint64(object);
+ }
+ break;
+ case RSASSA_PSS_PARAMS_TRAILER:
+ if (object.len && (object.len != 1 || *object.ptr != 1))
+ {
+ goto end;
+ }
+ break;
+ default:
+ break;
+ }
+ }
+ success = parser->success(parser);
+
+end:
+ parser->destroy(parser);
+ return success;
+}
+
+/*
+ * Described in header
+ */
+bool rsa_pss_params_build(rsa_pss_params_t *params, chunk_t *asn1)
+{
+ chunk_t hash = chunk_empty, mgf = chunk_empty, slen = chunk_empty;
+ ssize_t salt_len;
+ int alg;
+
+ if (params->hash != HASH_SHA1)
+ { /* with SHA-1 we MUST omit the field */
+ alg = hasher_algorithm_to_oid(params->hash);
+ if (alg == OID_UNKNOWN)
+ {
+ return FALSE;
+ }
+ hash = asn1_algorithmIdentifier(alg);
+ }
+ if (params->mgf1_hash != HASH_SHA1)
+ { /* with MGF1-SHA1 we MUST omit the field */
+ alg = hasher_algorithm_to_oid(params->mgf1_hash);
+ if (alg == OID_UNKNOWN)
+ {
+ chunk_free(&hash);
+ return FALSE;
+ }
+ mgf = asn1_algorithmIdentifier_params(OID_MGF1,
+ asn1_algorithmIdentifier(alg));
+ }
+ salt_len = rsa_pss_salt_length(params);
+ if (salt_len < 0)
+ {
+ chunk_free(&hash);
+ chunk_free(&mgf);
+ return FALSE;
+ }
+ else if (salt_len != HASH_SIZE_SHA1)
+ {
+ slen = asn1_integer("m", asn1_integer_from_uint64(salt_len));
+ }
+ *asn1 = asn1_wrap(ASN1_SEQUENCE, "mmm",
+ hash.len ? asn1_wrap(ASN1_CONTEXT_C_0, "m", hash) : chunk_empty,
+ mgf.len ? asn1_wrap(ASN1_CONTEXT_C_1, "m", mgf) : chunk_empty,
+ slen.len ? asn1_wrap(ASN1_CONTEXT_C_2, "m", slen) : chunk_empty);
+ return TRUE;
+}
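Review bot: In `rsa_pss_params_parse`, the `RSASSA_PSS_PARAMS_MGF_ALG` case declares `chunk_t hash;` without an initializer and then passes it to `asn1_parse_algorithmIdentifier(hash, level+1, NULL)`. If the first call leaves the out-parameter untouched when maskGenAlgorithm carries no parameters (that function is not in this diff, so this needs confirming), the second call reads an indeterminate pointer and length while parsing ASN.1 that typically comes from an untrusted certificate or signature. Initialising the chunk and rejecting the empty case closes that: `chunk_t hash = chunk_empty;` and `if (alg != OID_MGF1 || !hash.len)` in front of the existing `goto end;`. The `RSASSA_PSS_PARAMS_SALT_LEN` case also stores `(size_t)asn1_parse_integer_uint64(object)` into the signed `salt_len` without a range check. An oversized encoded value can therefore become negative, and `rsa_pss_salt_length()` would then treat it as `RSA_PSS_SALT_LEN_DEFAULT`; comparing the parsed integer against an upper bound before the assignment avoids that.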
diff --git a/src/libstrongswan/credentials/keys/signature_params.h b/src/libstrongswan/credentials/keys/signature_params.h new file mode 100644 index 000000000..6934c5e88 --- /dev/null +++ b/src/libstrongswan/credentials/keys/signature_params.h 
@@ -0,0 +1,129 @@
+/*
+ * Copyright (C) 2017 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup signature_params signature_params
+ * @{ @ingroup keys
+ */
+
+#ifndef SIGNATURE_PARAMS_H_
+#define SIGNATURE_PARAMS_H_
+
+typedef struct signature_params_t signature_params_t;
+typedef struct rsa_pss_params_t rsa_pss_params_t;
+
+#include
+
+/**
+ * Signature scheme with parameters
+ */
+struct signature_params_t {
+ /** Signature scheme */
+ signature_scheme_t scheme;
+ /** Parameters, depending on scheme */
+ void *params;
+};
+
+/**
+ * Compare two signature schemes and their parameters
+ *
+ * @param a first scheme
+ * @param b second scheme
+ * @return TRUE if schemes and parameters are equal
+ */
+bool signature_params_equal(signature_params_t *a, signature_params_t *b);
+
+/**
+ * Compare two signature schemes and their parameters
+ *
+ * @param c constraint
+ * @param s scheme
+ * @return TRUE if scheme complies to constraint
+ */
+bool signature_params_comply(signature_params_t *c, signature_params_t *s);
+
+/**
+ * Clone the given scheme and parameters, if any
+ *
+ * @return cloned object
+ */
+signature_params_t *signature_params_clone(signature_params_t *this);
+
+/**
+ * Destroy the given scheme and parameters, if any
+ */
+void signature_params_destroy(signature_params_t *this);
+
+/**
+ * Clear the given parameters, if any, sets the scheme to SIGN_UNKNOWN
+ */
+void signature_params_clear(signature_params_t *this);
+
+/**
+ * Parse an ASN.1 algorithmIdentifier with parameters denoting a signature
+ * scheme.
+ *
+ * @param asn1 ASN.1 encoded RSASSA-PSS-params
+ * @param level0 current level of the ASN.1 parser
+ * @param params parsed parameters
+ * @return TRUE if successfully parsed
+ */
+bool signature_params_parse(chunk_t asn1, int level0,
+ signature_params_t *params);
+
+/**
+ * Build ASN.1 algorithmIdentifier with parameters denoting a signature scheme.
+ *
+ * @param params signature scheme and parameters to encode
+ * @param asn1 ASN.1 encoded algorithmIdentifier (allocated)
+ * @return TRUE if successfully built
+ */
+bool signature_params_build(signature_params_t *params, chunk_t *asn1);
+
+/**
+ * Parameters for SIGN_RSA_EMSA_PSS signature scheme
+ */
+struct rsa_pss_params_t {
+ /** Hash algorithm */
+ hash_algorithm_t hash;
+ /** Hash for the MGF1 function */
+ hash_algorithm_t mgf1_hash;
+ /** Salt length, use RSA_PSS_SALT_LEN_DEFAULT for length equal to hash */
+ ssize_t salt_len;
+ /** Salt value, for unit tests (not all implementations support this) */
+ chunk_t salt;
+#define RSA_PSS_SALT_LEN_DEFAULT -1
+};
+
+/**
+ * Parse the given ASN.1 algorithm identifier params
+ *
+ * @param asn1 ASN.1 encoded RSASSA-PSS-params
+ * @param level0 current level of the ASN.1 parser
+ * @param params parsed parameters
+ * @return TRUE if successfully parsed
+ */
+bool rsa_pss_params_parse(chunk_t asn1, int level0, rsa_pss_params_t *params);
+
+/**
+ * Build ASN.1 algorithm identifier params
+ *
+ * @param params parameters to encode
+ * @param asn1 ASN.1 encoded RSASSA-PSS-params (allocated)
+ * @return TRUE if successfully built
+ */
+bool rsa_pss_params_build(rsa_pss_params_t *params, chunk_t *asn1);
+
+#endif /** SIGNATURE_PARAMS_H_ @}*/
diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
index 92d5efdc6..0e64f0350 100644
--- a/src/libstrongswan/credentials/sets/cert_cache.c
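Review bot: The doc comment on `signature_params_parse` describes `@param asn1` as "ASN.1 encoded RSASSA-PSS-params", but its own summary line says the function parses an algorithmIdentifier; the text looks copied from `rsa_pss_params_parse`. I would change it to `@param asn1 ASN.1 encoded algorithmIdentifier`. The `@param params` line should also say that `params->params` is allocated on success and that the caller releases it with `signature_params_clear()`. Finally, the `salt` member deserves a note that the parse functions do not set it: the implementation in this commit assigns only `hash`, `mgf1_hash` and `salt_len` on a `malloc_thing()` allocation, so `salt` appears to be left uninitialised for any backend that reads it.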
+++ b/src/libstrongswan/credentials/sets/cert_cache.c @@ -48,9 +48,9 @@ struct relation_t { certificate_t *issuer; /** - * Signature scheme used to sign this relation + * Signature scheme and parameters used to sign this relation */ - signature_scheme_t scheme; + signature_params_t *scheme; /** * Cache hits @@ -84,7 +84,7 @@ struct private_cert_cache_t { */ static void cache(private_cert_cache_t *this, certificate_t *subject, certificate_t *issuer, - signature_scheme_t scheme) + signature_params_t *scheme) { relation_t *rel; int i, offset, try; @@ -118,7 +118,8 @@ static void cache(private_cert_cache_t *this, { rel->subject->destroy(rel->subject); rel->subject = subject->get_ref(subject); - rel->scheme = scheme; + signature_params_destroy(rel->scheme); + rel->scheme = signature_params_clone(scheme); return rel->lock->unlock(rel->lock); } } @@ -139,7 +140,7 @@ static void cache(private_cert_cache_t *this, { rel->subject = subject->get_ref(subject); rel->issuer = issuer->get_ref(issuer); - rel->scheme = scheme; + rel->scheme = signature_params_clone(scheme); return rel->lock->unlock(rel->lock); } rel->lock->unlock(rel->lock); @@ -165,10 +166,11 @@ static void cache(private_cert_cache_t *this, { rel->subject->destroy(rel->subject); rel->issuer->destroy(rel->issuer); + signature_params_destroy(rel->scheme); } rel->subject = subject->get_ref(subject); rel->issuer = issuer->get_ref(issuer); - rel->scheme = scheme; + rel->scheme = signature_params_clone(scheme); rel->hits = 0; return rel->lock->unlock(rel->lock); } @@ -180,11 +182,11 @@ static void cache(private_cert_cache_t *this, METHOD(cert_cache_t, issued_by, bool, private_cert_cache_t *this, certificate_t *subject, certificate_t *issuer, - signature_scheme_t *schemep) + signature_params_t **schemep) { certificate_t *cached_issuer = NULL; relation_t *found = NULL, *current; - signature_scheme_t scheme; + signature_params_t *scheme; int i; for (i = 0; i < CACHE_SIZE; i++) 
@@ -202,7 +204,7 @@ METHOD(cert_cache_t, issued_by, bool, found = current; if (schemep) { - *schemep = current->scheme; + *schemep = signature_params_clone(current->scheme); } } else if (!cached_issuer) @@ -225,6 +227,10 @@ METHOD(cert_cache_t, issued_by, bool, { *schemep = scheme; } + else + { + signature_params_destroy(scheme); + } DESTROY_IF(cached_issuer); return TRUE; } @@ -383,8 +389,10 @@ METHOD(cert_cache_t, flush, void, { rel->subject->destroy(rel->subject); rel->issuer->destroy(rel->issuer); + signature_params_destroy(rel->scheme); rel->subject = NULL; rel->issuer = NULL; + rel->scheme = NULL; rel->hits = 0; } } @@ -405,6 +413,7 @@ METHOD(cert_cache_t, destroy, void, { rel->subject->destroy(rel->subject); rel->issuer->destroy(rel->issuer); + signature_params_destroy(rel->scheme); } rel->lock->destroy(rel->lock); } @@ -438,6 +447,7 @@ cert_cache_t *cert_cache_create() { this->relations[i].subject = NULL; this->relations[i].issuer = NULL; + this->relations[i].scheme = NULL; this->relations[i].hits = 0; this->relations[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT); } diff --git a/src/libstrongswan/credentials/sets/cert_cache.h b/src/libstrongswan/credentials/sets/cert_cache.h index 2bcdbe464..2235bc30d 100644 --- a/src/libstrongswan/credentials/sets/cert_cache.h +++ b/src/libstrongswan/credentials/sets/cert_cache.h @@ -45,12 +45,13 @@ struct cert_cache_t { * * @param subject certificate to verify * @param issuer issuing certificate to verify subject - * @param scheme receives used signature scheme, if given + * @param scheme receives used signature scheme and parameters, if + * given (allocated) * @return TRUE if subject issued by issuer */ bool (*issued_by)(cert_cache_t *this, certificate_t *subject, certificate_t *issuer, - signature_scheme_t *scheme); + signature_params_t **scheme); /** * Flush the certificate cache. diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c index 26aab0ccc..2bd55ad2e 100644 
--- a/src/libstrongswan/crypto/hashers/hasher.c +++ b/src/libstrongswan/crypto/hashers/hasher.c @@ -19,19 +19,20 @@ #include "hasher.h" #include +#include ENUM_BEGIN(hash_algorithm_names, HASH_SHA1, HASH_IDENTITY, "HASH_SHA1", - "HASH_SHA256", - "HASH_SHA384", - "HASH_SHA512", + "HASH_SHA2_256", + "HASH_SHA2_384", + "HASH_SHA2_512", "HASH_IDENTITY"); ENUM_NEXT(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY, "HASH_UNKNOWN", "HASH_MD2", "HASH_MD4", "HASH_MD5", - "HASH_SHA224", + "HASH_SHA2_224", "HASH_SHA3_224", "HASH_SHA3_256", "HASH_SHA3_384", @@ -56,6 +57,62 @@ ENUM_NEXT(hash_algorithm_short_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY "sha3_512"); ENUM_END(hash_algorithm_short_names, HASH_SHA3_512); +ENUM_BEGIN(hash_algorithm_short_names_upper, HASH_SHA1, HASH_IDENTITY, + "SHA1", + "SHA2_256", + "SHA2_384", + "SHA2_512", + "IDENTITY"); +ENUM_NEXT(hash_algorithm_short_names_upper, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY, + "UNKNOWN", + "MD2", + "MD4", + "MD5", + "SHA2_224", + "SHA3_224", + "SHA3_256", + "SHA3_384", + "SHA3_512"); +ENUM_END(hash_algorithm_short_names_upper, HASH_SHA3_512); + +/* + * Described in header + */ +size_t hasher_hash_size(hash_algorithm_t alg) +{ + switch (alg) + { + case HASH_SHA1: + return HASH_SIZE_SHA1; + case HASH_SHA256: + return HASH_SIZE_SHA256; + case HASH_SHA384: + return HASH_SIZE_SHA384; + case HASH_SHA512: + return HASH_SIZE_SHA512; + case HASH_MD2: + return HASH_SIZE_MD2; + case HASH_MD4: + return HASH_SIZE_MD4; + case HASH_MD5: + return HASH_SIZE_MD5; + case HASH_SHA224: + return HASH_SIZE_SHA224; + case HASH_SHA3_224: + return HASH_SIZE_SHA224; + case HASH_SHA3_256: + return HASH_SIZE_SHA256; + case HASH_SHA3_384: + return HASH_SIZE_SHA384; + case HASH_SHA3_512: + return HASH_SIZE_SHA512; + case HASH_IDENTITY: + case HASH_UNKNOWN: + break; + } + return 0; +} + /* * Described in header. */ 
@@ -287,7 +344,6 @@ bool hasher_algorithm_for_ikev2(hash_algorithm_t alg) switch (alg) { case HASH_IDENTITY: - case HASH_SHA1: case HASH_SHA256: case HASH_SHA384: case HASH_SHA512: @@ -296,6 +352,7 @@ bool hasher_algorithm_for_ikev2(hash_algorithm_t alg) case HASH_MD2: case HASH_MD4: case HASH_MD5: + case HASH_SHA1: case HASH_SHA224: case HASH_SHA3_224: case HASH_SHA3_256: @@ -445,7 +502,8 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key) /* * Defined in header. */ -hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme) +hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme, + void *params) { switch (scheme) { @@ -453,6 +511,13 @@ hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme) case SIGN_RSA_EMSA_PKCS1_NULL: case SIGN_ECDSA_WITH_NULL: break; + case SIGN_RSA_EMSA_PSS: + if (params) + { + rsa_pss_params_t *pss = params; + return pss->hash; + } + break; case SIGN_ED25519: case SIGN_ED448: return HASH_IDENTITY; diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h index ec0c6320b..41654553d 100644 --- a/src/libstrongswan/crypto/hashers/hasher.h +++ b/src/libstrongswan/crypto/hashers/hasher.h @@ -27,7 +27,6 @@ typedef enum hash_algorithm_t hash_algorithm_t; typedef struct hasher_t hasher_t; -#include #include #include #include @@ -74,6 +73,11 @@ extern enum_name_t *hash_algorithm_names; */ extern enum_name_t *hash_algorithm_short_names; +/** + * Uppercase short names for hash_algorithm_names + */ +extern enum_name_t *hash_algorithm_short_names_upper; + /** * Generic interface for all hash functions. */ @@ -130,6 +134,14 @@ struct hasher_t { void (*destroy)(hasher_t *this); }; +/** + * Returns the size of the hash for the given algorithm. + * + * @param alg hash algorithm + * @return size of hash or 0 if unknown + */ +size_t hasher_hash_size(hash_algorithm_t alg); + /** * Conversion of ASN.1 OID to hash algorithm. * 
@@ -199,8 +211,10 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key); * Determine the hash algorithm associated with a given signature scheme. * * @param scheme signature scheme + * @param params optional parameters * @return hash algorithm (could be HASH_UNKNOWN) */ -hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme); +hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme, + void *params); #endif /** HASHER_H_ @}*/ diff --git a/src/libstrongswan/crypto/prfs/prf.h b/src/libstrongswan/crypto/prfs/prf.h index bf443e5f4..fe9ffc2dd 100644 --- a/src/libstrongswan/crypto/prfs/prf.h +++ b/src/libstrongswan/crypto/prfs/prf.h @@ -25,7 +25,8 @@ typedef enum pseudo_random_function_t pseudo_random_function_t; typedef struct prf_t prf_t; -#include +#include +#include /** * Pseudo random function, as in IKEv2 RFC 3.3.2. diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.h b/src/libstrongswan/crypto/proposal/proposal_keywords_static.h index bc421dcc5..e28f46513 100644 --- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.h +++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.h @@ -19,7 +19,7 @@ #include "proposal_keywords.h" const proposal_token_t* proposal_get_token_static(register const char *str, - register unsigned int len); + register unsigned len); #endif /* PROPOSAL_KEYWORDS_STATIC_H_ */ diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.h.in b/src/libstrongswan/crypto/proposal/proposal_keywords_static.h.in new file mode 100644 index 000000000..ee9f7b9da --- /dev/null +++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.h.in 
@@ -0,0 +1,25 @@ +/* + * Copyright (C) 2009 Andreas Steffen + * Hochschule fuer Technik Rapperswil, Switzerland + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef PROPOSAL_KEYWORDS_STATIC_H_ +#define PROPOSAL_KEYWORDS_STATIC_H_ + +#include "proposal_keywords.h" + +const proposal_token_t* proposal_get_token_static(register const char *str, + register @GPERF_LEN_TYPE@ len); + +#endif /* PROPOSAL_KEYWORDS_STATIC_H_ */ + diff --git a/src/libstrongswan/crypto/signers/signer.h b/src/libstrongswan/crypto/signers/signer.h index 01b702da1..8958e66e9 100644 --- a/src/libstrongswan/crypto/signers/signer.h +++ b/src/libstrongswan/crypto/signers/signer.h @@ -25,7 +25,8 @@ typedef enum integrity_algorithm_t integrity_algorithm_t; typedef struct signer_t signer_t; -#include +#include +#include /** * Integrity algorithm, as in IKEv2 RFC 3.3.2. diff --git a/src/libstrongswan/crypto/xofs/xof.c b/src/libstrongswan/crypto/xofs/xof.c index 1e9c2834b..2b866ae5b 100644 --- a/src/libstrongswan/crypto/xofs/xof.c +++ b/src/libstrongswan/crypto/xofs/xof.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2017 Tobias Brunner * Copyright (C) 2016 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * 
@@ -18,10 +19,42 @@ ENUM(ext_out_function_names, XOF_UNDEFINED, XOF_CHACHA20, "XOF_UNDEFINED", "XOF_MGF1_SHA1", + "XOF_MGF1_SHA224", "XOF_MGF1_SHA256", + "XOF_MGF1_SHA384", "XOF_MGF1_SHA512", "XOF_SHAKE128", "XOF_SHAKE256", "XOF_CHACHA20" ); +/* + * Described in header + */ +ext_out_function_t xof_mgf1_from_hash_algorithm(hash_algorithm_t alg) +{ + switch (alg) + { + case HASH_SHA1: + return XOF_MGF1_SHA1; + case HASH_SHA224: + return XOF_MGF1_SHA224; + case HASH_SHA256: + return XOF_MGF1_SHA256; + case HASH_SHA384: + return XOF_MGF1_SHA384; + case HASH_SHA512: + return XOF_MGF1_SHA512; + case HASH_IDENTITY: + case HASH_UNKNOWN: + case HASH_MD2: + case HASH_MD4: + case HASH_MD5: + case HASH_SHA3_224: + case HASH_SHA3_256: + case HASH_SHA3_384: + case HASH_SHA3_512: + break; + } + return XOF_UNDEFINED; +} diff --git a/src/libstrongswan/crypto/xofs/xof.h b/src/libstrongswan/crypto/xofs/xof.h index 8c9ae0131..934a1ee35 100644 --- a/src/libstrongswan/crypto/xofs/xof.h +++ b/src/libstrongswan/crypto/xofs/xof.h @@ -1,4 +1,5 @@ /* + * Copyright (C) 2017 Tobias Brunner * Copyright (C) 2016 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * @@ -31,11 +32,15 @@ typedef struct xof_t xof_t; */ enum ext_out_function_t { XOF_UNDEFINED, - /** RFC 2437 PKCS#1 */ + /** RFC 8017 PKCS#1 */ XOF_MGF1_SHA1, - /** RFC 2437 PKCS#1 */ + /** RFC 8017 PKCS#1 */ + XOF_MGF1_SHA224, + /** RFC 8017 PKCS#1 */ XOF_MGF1_SHA256, - /** RFC 2437 PKCS#1 */ + /** RFC 8017 PKCS#1 */ + XOF_MGF1_SHA384, + /** RFC 8017 PKCS#1 */ XOF_MGF1_SHA512, /** FIPS 202 */ XOF_SHAKE_128, @@ -111,4 +116,12 @@ struct xof_t { void (*destroy)(xof_t *this); }; +/** + * Determine an MGF1 XOF type for the given hash algorithm. + * + * @param alg hash algorithm to map + * @return MGF1 XOF type if available, XOF_UNDEFINED otherwise + */ +ext_out_function_t xof_mgf1_from_hash_algorithm(hash_algorithm_t alg); + #endif /** XOF_H_ @}*/ 
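Review bot: Inserting `XOF_MGF1_SHA224` and `XOF_MGF1_SHA384` in the middle of `enum ext_out_function_t` (the xof.h hunk at `@@ -31,11 +32,15 @@`) renumbers `XOF_MGF1_SHA256` and every later enumerator. Anything built against the previous header, such as an out-of-tree plugin, would then pass values that select a different function. The positional `ENUM(ext_out_function_names, ...)` table in xof.c is updated in step, so the in-tree build stays consistent. If compatibility with such binaries matters, the new values could be appended after `XOF_CHACHA20`; otherwise add `/* order must match ext_out_function_names in xof.c */` above the enum. The doc comment for `xof_mgf1_from_hash_algorithm` could also say that callers must treat `XOF_UNDEFINED` as a failure before creating an XOF from the result.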
diff --git a/src/libstrongswan/math/libnttfft/Makefile.in b/src/libstrongswan/math/libnttfft/Makefile.in index 439c0f32d..02175a926 100644 --- a/src/libstrongswan/math/libnttfft/Makefile.in +++ b/src/libstrongswan/math/libnttfft/Makefile.in @@ -238,9 +238,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/math/libnttfft/tests/Makefile.in b/src/libstrongswan/math/libnttfft/tests/Makefile.in index 1f3ee6d60..8d0e02bb6 100644 --- a/src/libstrongswan/math/libnttfft/tests/Makefile.in +++ b/src/libstrongswan/math/libnttfft/tests/Makefile.in @@ -242,9 +242,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/networking/streams/stream_manager.c b/src/libstrongswan/networking/streams/stream_manager.c index 8de243daa..32856dee8 100644 --- a/src/libstrongswan/networking/streams/stream_manager.c +++ b/src/libstrongswan/networking/streams/stream_manager.c @@ -21,6 +21,9 @@ # include "stream_unix.h" # include "stream_service_unix.h" #endif +#ifdef USE_SYSTEMD +# include "stream_service_systemd.h" +#endif #include @@ -206,6 +209,9 @@ METHOD(stream_manager_t, destroy, void, remove_stream(this, stream_create_unix); remove_service(this, stream_service_create_unix); #endif +#ifdef USE_SYSTEMD + remove_service(this, stream_service_create_systemd); +#endif this->streams->destroy(this->streams); this->services->destroy(this->services); 
@@ -241,6 +247,9 @@ stream_manager_t *stream_manager_create() add_stream(this, "unix://", stream_create_unix); add_service(this, "unix://", stream_service_create_unix); #endif +#ifdef USE_SYSTEMD + add_service(this, "systemd://", stream_service_create_systemd); +#endif return &this->public; } diff --git a/src/libstrongswan/networking/streams/stream_service_systemd.c b/src/libstrongswan/networking/streams/stream_service_systemd.c new file mode 100644 index 000000000..5c6b3f690 --- /dev/null +++ b/src/libstrongswan/networking/streams/stream_service_systemd.c 
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2017 aszlig
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to
+ * deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+ * sell copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
+
+#include
+
+#include
+
+/**
+ * See header
+ */
+stream_service_t *stream_service_create_systemd(char *uri, int backlog)
+{
+#ifndef HAVE_SD_LISTEN_FDS_WITH_NAMES
+ DBG1(DBG_NET, "unable to open stream URI '%s': named systemd sockets not "
+ "supported", uri);
+ return NULL;
+#else
+ int i, num_fds, fd;
+ char **fdmap;
+
+ if (!strpfx(uri, "systemd://"))
+ {
+ DBG1(DBG_NET, "invalid stream URI: '%s'", uri);
+ return NULL;
+ }
+ uri += strlen("systemd://");
+
+ num_fds = sd_listen_fds_with_names(0, &fdmap);
+ if (num_fds <= 0)
+ {
+ DBG1(DBG_NET, "no systemd sockets for '%s'", uri);
+ return NULL;
+ }
+
+ for (i = 0, fd = -1; i < num_fds; i++)
+ {
+ if (fd == -1 && streq(fdmap[i], uri))
+ {
+ fd = SD_LISTEN_FDS_START + i;
+ }
+ free(fdmap[i]);
+ }
+ free(fdmap);
+
+ if (fd == -1)
+ {
+ DBG1(DBG_NET, "unable to find systemd FD for '%s'", uri);
+ return NULL;
+ }
+ return stream_service_create_from_fd(fd);
+#endif
+}
diff --git a/src/libstrongswan/networking/streams/stream_service_systemd.h b/src/libstrongswan/networking/streams/stream_service_systemd.h
new file mode 100644
index 000000000..e61e54f5b
--- /dev/null
+++ b/src/libstrongswan/networking/streams/stream_service_systemd.h
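Review bot: The descriptor matched by name in `stream_service_create_systemd` is handed to `stream_service_create_from_fd(fd)` without a check that it is a listening stream socket. Unless that helper validates it itself (it is not shown here), a unit that passes a FIFO or datagram socket under the expected name would only fail later, at accept time. sd-daemon provides `sd_is_socket()`, so a guard before the final return, `if (sd_is_socket(fd, AF_UNSPEC, SOCK_STREAM, 1) <= 0) return NULL;` with a `DBG1` message, would reject it early. A negative `num_fds` is an errno-style failure but is logged as "no systemd sockets"; logging `strerror(-num_fds)` in that case would separate the two conditions. Only the first descriptor with a matching name is used, which is worth stating in the header's doc comment.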
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2017 aszlig
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to
+ * deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+ * sell copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
+
+/**
+ * @defgroup stream_service_systemd stream_service_systemd
+ * @{ @ingroup stream
+ */
+
+#ifndef STREAM_SERVICE_SYSTEMD_H_
+#define STREAM_SERVICE_SYSTEMD_H_
+
+/**
+ * Create a service instance for systemd sockets.
+ *
+ * @param uri URI with FD identifier, must start with "systemd://"
+ * @param backlog size of the backlog queue (ignored)
+ * @return stream_service instance, NULL on failure
+ */
+stream_service_t *stream_service_create_systemd(char *uri, int backlog);
+
+#endif /** STREAM_SERVICE_SYSTEMD_H_ @}*/
diff --git a/src/libstrongswan/plugins/acert/Makefile.in b/src/libstrongswan/plugins/acert/Makefile.in
index 10e6fa460..36067a3ff 100644
--- a/src/libstrongswan/plugins/acert/Makefile.in
+++ b/src/libstrongswan/plugins/acert/Makefile.in
@@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in index 08f965596..d3817e12a 100644 --- a/src/libstrongswan/plugins/aes/Makefile.in +++ b/src/libstrongswan/plugins/aes/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/aesni/Makefile.in b/src/libstrongswan/plugins/aesni/Makefile.in index fbc7d9230..fdcfc099e 100644 --- a/src/libstrongswan/plugins/aesni/Makefile.in +++ b/src/libstrongswan/plugins/aesni/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in index 2c45ce5ba..6b4a7fe5f 100644 --- a/src/libstrongswan/plugins/af_alg/Makefile.in +++ b/src/libstrongswan/plugins/af_alg/Makefile.in @@ -248,9 +248,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in index 8183de939..12a44870c 100644 --- a/src/libstrongswan/plugins/agent/Makefile.in 
+++ b/src/libstrongswan/plugins/agent/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c index bb55c45c0..cf2c5ea85 100644 --- a/src/libstrongswan/plugins/agent/agent_private_key.c +++ b/src/libstrongswan/plugins/agent/agent_private_key.c @@ -233,7 +233,7 @@ static bool scheme_supported(private_agent_private_key_t *this, } METHOD(private_key_t, sign, bool, - private_agent_private_key_t *this, signature_scheme_t scheme, + private_agent_private_key_t *this, signature_scheme_t scheme, void *params, chunk_t data, chunk_t *signature) { uint32_t len, flags; diff --git a/src/libstrongswan/plugins/bliss/Makefile.in b/src/libstrongswan/plugins/bliss/Makefile.in index eb8eaecb0..b98d367f1 100644 --- a/src/libstrongswan/plugins/bliss/Makefile.in +++ b/src/libstrongswan/plugins/bliss/Makefile.in @@ -269,9 +269,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/bliss/bliss_private_key.c b/src/libstrongswan/plugins/bliss/bliss_private_key.c index 25253ed37..964edcd93 100644 --- a/src/libstrongswan/plugins/bliss/bliss_private_key.c +++ b/src/libstrongswan/plugins/bliss/bliss_private_key.c @@ -512,7 +512,7 @@ end: } METHOD(private_key_t, sign, bool, - private_bliss_private_key_t *this, signature_scheme_t scheme, + private_bliss_private_key_t *this, signature_scheme_t scheme, void *params, chunk_t data, chunk_t *signature) { switch (scheme) 
diff --git a/src/libstrongswan/plugins/bliss/bliss_public_key.c b/src/libstrongswan/plugins/bliss/bliss_public_key.c index f7ddbbfd2..945840cdc 100644 --- a/src/libstrongswan/plugins/bliss/bliss_public_key.c +++ b/src/libstrongswan/plugins/bliss/bliss_public_key.c @@ -194,7 +194,7 @@ end: } METHOD(public_key_t, verify, bool, - private_bliss_public_key_t *this, signature_scheme_t scheme, + private_bliss_public_key_t *this, signature_scheme_t scheme, void *params, chunk_t data, chunk_t signature) { switch (scheme) diff --git a/src/libstrongswan/plugins/bliss/tests/Makefile.in b/src/libstrongswan/plugins/bliss/tests/Makefile.in index a2d56cdd1..015f40a00 100644 --- a/src/libstrongswan/plugins/bliss/tests/Makefile.in +++ b/src/libstrongswan/plugins/bliss/tests/Makefile.in @@ -248,9 +248,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c index a3e4420a9..908ea910d 100644 --- a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c +++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c @@ -118,9 +118,9 @@ START_TEST(test_bliss_sign_all) /* generate and verify 1000 BLISS signatures */ while (verify_count--) { - ck_assert(privkey->sign(privkey, signature_scheme, msg, + ck_assert(privkey->sign(privkey, signature_scheme, NULL, msg, &signature)); - ck_assert(pubkey->verify(pubkey, signature_scheme, msg, + ck_assert(pubkey->verify(pubkey, signature_scheme, NULL, msg, signature)); free(signature.ptr); } 
@@ -134,7 +134,7 @@ START_TEST(test_bliss_sign_fail) { private_key_t *privkey; public_key_t *pubkey; - chunk_t msg, signature, encoding, fp; + chunk_t msg = chunk_empty, signature, encoding, fp; /* generate non-supported BLISS-II private key */ privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_BLISS, @@ -172,18 +172,18 @@ START_TEST(test_bliss_sign_fail) ck_assert(!privkey->decrypt(privkey, ENCRYPT_UNKNOWN, chunk_empty, NULL)); /* sign with invalid signature scheme */ - ck_assert(!privkey->sign(privkey, SIGN_UNKNOWN, msg, &signature)); + ck_assert(!privkey->sign(privkey, SIGN_UNKNOWN, NULL, msg, &signature)); /* generate valid signature */ msg = chunk_from_str("Hello Dolly!"); - ck_assert(privkey->sign(privkey, SIGN_BLISS_WITH_SHA2_512, msg, &signature)); + ck_assert(privkey->sign(privkey, SIGN_BLISS_WITH_SHA2_512, NULL, msg, &signature)); /* verify with invalid signature scheme */ - ck_assert(!pubkey->verify(pubkey, SIGN_UNKNOWN, msg, signature)); + ck_assert(!pubkey->verify(pubkey, SIGN_UNKNOWN, NULL, msg, signature)); /* corrupt signature */ signature.ptr[signature.len - 1] ^= 0x80; - ck_assert(!pubkey->verify(pubkey, SIGN_BLISS_WITH_SHA2_512, msg, signature)); + ck_assert(!pubkey->verify(pubkey, SIGN_BLISS_WITH_SHA2_512, NULL, msg, signature)); free(signature.ptr); privkey->destroy(privkey); diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in index 0d091d196..2f122b5a8 100644 --- a/src/libstrongswan/plugins/blowfish/Makefile.in +++ b/src/libstrongswan/plugins/blowfish/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in index 008407097..07eb457d5 100644 
--- a/src/libstrongswan/plugins/ccm/Makefile.in +++ b/src/libstrongswan/plugins/ccm/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/chapoly/Makefile.in b/src/libstrongswan/plugins/chapoly/Makefile.in index 0b2998c95..09cbddee7 100644 --- a/src/libstrongswan/plugins/chapoly/Makefile.in +++ b/src/libstrongswan/plugins/chapoly/Makefile.in @@ -259,9 +259,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/cmac/Makefile.in b/src/libstrongswan/plugins/cmac/Makefile.in index 2586d77c4..234a54cc2 100644 --- a/src/libstrongswan/plugins/cmac/Makefile.in +++ b/src/libstrongswan/plugins/cmac/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in index 25632d745..82f82ca2d 100644 --- a/src/libstrongswan/plugins/constraints/Makefile.in +++ b/src/libstrongswan/plugins/constraints/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ 
diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in index 275a76273..7c3012301 100644 --- a/src/libstrongswan/plugins/ctr/Makefile.in +++ b/src/libstrongswan/plugins/ctr/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in index 0dbcca895..0928dee1c 100644 --- a/src/libstrongswan/plugins/curl/Makefile.in +++ b/src/libstrongswan/plugins/curl/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/curve25519/Makefile.in b/src/libstrongswan/plugins/curve25519/Makefile.in index 21b0e75f7..cb8bb3405 100644 --- a/src/libstrongswan/plugins/curve25519/Makefile.in +++ b/src/libstrongswan/plugins/curve25519/Makefile.in @@ -251,9 +251,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/curve25519/curve25519_private_key.c b/src/libstrongswan/plugins/curve25519/curve25519_private_key.c index 2a7303c4b..878be4ca5 100644 --- a/src/libstrongswan/plugins/curve25519/curve25519_private_key.c +++ b/src/libstrongswan/plugins/curve25519/curve25519_private_key.c 
@@ -63,7 +63,7 @@ METHOD(private_key_t, get_type, key_type_t, METHOD(private_key_t, sign, bool, private_curve25519_private_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t *signature) + void *params, chunk_t data, chunk_t *signature) { uint8_t r[HASH_SIZE_SHA512], k[HASH_SIZE_SHA512], sig[HASH_SIZE_SHA512]; hasher_t *hasher; diff --git a/src/libstrongswan/plugins/curve25519/curve25519_public_key.c b/src/libstrongswan/plugins/curve25519/curve25519_public_key.c index d07776354..1d4dec565 100644 --- a/src/libstrongswan/plugins/curve25519/curve25519_public_key.c +++ b/src/libstrongswan/plugins/curve25519/curve25519_public_key.c @@ -50,7 +50,7 @@ METHOD(public_key_t, get_type, key_type_t, METHOD(public_key_t, verify, bool, private_curve25519_public_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t signature) + void *params, chunk_t data, chunk_t signature) { hasher_t *hasher; uint8_t d = 0, k[HASH_SIZE_SHA512], r[32], *sig; diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in index 89b279875..5ffa778cd 100644 --- a/src/libstrongswan/plugins/des/Makefile.in +++ b/src/libstrongswan/plugins/des/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in index 385749a11..37799583a 100644 --- a/src/libstrongswan/plugins/dnskey/Makefile.in +++ b/src/libstrongswan/plugins/dnskey/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ 
diff --git a/src/libstrongswan/plugins/files/Makefile.in b/src/libstrongswan/plugins/files/Makefile.in index 7708f9551..87b66df04 100644 --- a/src/libstrongswan/plugins/files/Makefile.in +++ b/src/libstrongswan/plugins/files/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in index 478ae818e..aa0bd5fa8 100644 --- a/src/libstrongswan/plugins/fips_prf/Makefile.in +++ b/src/libstrongswan/plugins/fips_prf/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in index 91ea7c673..da118ce57 100644 --- a/src/libstrongswan/plugins/gcm/Makefile.in +++ b/src/libstrongswan/plugins/gcm/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in index 2212be0e2..3ed4a910f 100644 --- a/src/libstrongswan/plugins/gcrypt/Makefile.in +++ b/src/libstrongswan/plugins/gcrypt/Makefile.in 
@@ -248,9 +248,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c index cee25ea74..5519125ba 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c @@ -289,11 +289,13 @@ gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group) /* * Described in header. */ -gcrypt_dh_t *gcrypt_dh_create_custom(diffie_hellman_group_t group, - chunk_t g, chunk_t p) +gcrypt_dh_t *gcrypt_dh_create_custom(diffie_hellman_group_t group, ...) { if (group == MODP_CUSTOM) { + chunk_t g, p; + + VA_ARGS_GET(group, g, p); return create_generic(group, p.len, g, p); } return NULL; diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h index a70958dc4..c6259f7ac 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h @@ -48,12 +48,10 @@ gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group); * Creates a new gcrypt_dh_t object for MODP_CUSTOM. * * @param group MODP_CUSTOM - * @param g generator - * @param p prime + * @param ... expects generator and prime as chunk_t * @return gcrypt_dh_t object, NULL if not supported */ -gcrypt_dh_t *gcrypt_dh_create_custom(diffie_hellman_group_t group, - chunk_t g, chunk_t p); +gcrypt_dh_t *gcrypt_dh_create_custom(diffie_hellman_group_t group, ...); #endif /** GCRYPT_DH_H_ @}*/ diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c index 7ecba8fa9..8a3de1e01 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c 
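Review bot: With the new prototype `gcrypt_dh_create_custom(diffie_hellman_group_t group, ...)` the generator and prime are no longer type-checked, and `VA_ARGS_GET(group, g, p)` reads two `chunk_t` values whatever the caller actually passed. A caller that passes pointers, swaps the order or omits an argument still compiles, and the Diffie-Hellman parameter setup then has undefined behaviour. The header comment could pin the contract down as `@param ... generator then prime, each a chunk_t passed by value`. `create_generic` is outside this hunk, so it may already reject an empty prime; if it does not, `if (!p.len) return NULL;` after `VA_ARGS_GET` would reject it here.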
@@ -118,6 +118,28 @@ METHOD(plugin_t, get_features, int, PLUGIN_PROVIDE(PRIVKEY, KEY_RSA), PLUGIN_REGISTER(PRIVKEY_GEN, gcrypt_rsa_private_key_gen, FALSE), PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_RSA), + /* signature schemes, private */ +#if GCRYPT_VERSION_NUMBER >= 0x010700 + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PSS), +#endif + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_NULL), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_224), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_256), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_384), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_512), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA1), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_MD5), + /* signature verification schemes */ +#if GCRYPT_VERSION_NUMBER >= 0x010700 + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PSS), +#endif + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_NULL), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_224), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_256), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_384), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_512), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA1), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_MD5), /* random numbers */ PLUGIN_REGISTER(RNG, gcrypt_rng_create), PLUGIN_PROVIDE(RNG, RNG_WEAK), diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c index 15b876b3f..c06f43348 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c 
@@ -1,6 +1,7 @@ /* + * Copyright (C) 2017 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -21,6 +22,7 @@ #include #include #include +#include typedef struct private_gcrypt_rsa_private_key_t private_gcrypt_rsa_private_key_t; 
@@ -147,51 +149,100 @@ static bool sign_raw(private_gcrypt_rsa_private_key_t *this, } /** - * Sign a chunk of data using hashing and PKCS#1 encoding + * Sign a chunk of data using hashing and PKCS#1v1.5/EMSA-PSS encoding */ static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this, - hash_algorithm_t hash_algorithm, char *hash_name, + hash_algorithm_t hash_algorithm, rsa_pss_params_t *pss, chunk_t data, chunk_t *signature) { hasher_t *hasher; chunk_t hash; gcry_error_t err; gcry_sexp_t in, out; - int hash_oid; + char *hash_name = enum_to_name(hash_algorithm_short_names, hash_algorithm); - hash_oid = hasher_algorithm_to_oid(hash_algorithm); - if (hash_oid == OID_UNKNOWN) + hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm); + if (!hasher) { + DBG1(DBG_LIB, "hash algorithm %N not supported", + hash_algorithm_names, hash_algorithm); return FALSE; } - hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm); - if (!hasher || !hasher->allocate_hash(hasher, data, &hash)) + if (!hasher->allocate_hash(hasher, data, &hash)) { - DESTROY_IF(hasher); + hasher->destroy(hasher); return FALSE; } hasher->destroy(hasher); - err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(hash %s %b))", - hash_name, hash.len, hash.ptr); + if (pss) + { + if (pss->salt.len) + { + err = gcry_sexp_build(&in, NULL, + "(data(flags pss)(salt-length %u)" + "(random-override %b)(hash %s %b))", + pss->salt.len, pss->salt.len, pss->salt.ptr, + hash_name, hash.len, hash.ptr); + } + else + { + u_int slen = hasher_hash_size(hash_algorithm); + if (pss->salt_len > RSA_PSS_SALT_LEN_DEFAULT) + { + slen = pss->salt_len; + } + err = gcry_sexp_build(&in, NULL, + "(data(flags pss)(salt-length %u)(hash %s %b))", + slen, hash_name, hash.len, hash.ptr); + } + } + else + { + err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(hash %s %b))", + hash_name, hash.len, hash.ptr); + } chunk_free(&hash); if (err) { - DBG1(DBG_LIB, "building signature S-expression failed: %s", gpg_strerror(err)); + 
DBG1(DBG_LIB, "building signature S-expression failed: %s", + gpg_strerror(err)); return FALSE; } err = gcry_pk_sign(&out, in, this->key); gcry_sexp_release(in); if (err) { - DBG1(DBG_LIB, "creating pkcs1 signature failed: %s", gpg_strerror(err)); + DBG1(DBG_LIB, "creating pkcs1 signature failed: %s", + gpg_strerror(err)); return FALSE; } + *signature = gcrypt_rsa_find_token(out, "s", this->key); gcry_sexp_release(out); return !!signature->len; } +#if GCRYPT_VERSION_NUMBER >= 0x010700 +/** + * Sign a chunk of data using hashing and EMSA-PSS encoding + */ +static bool sign_pss(private_gcrypt_rsa_private_key_t *this, + rsa_pss_params_t *params, chunk_t data, chunk_t *signature) +{ + if (!params) + { + return FALSE; + } + if (params->mgf1_hash != params->hash) + { + DBG1(DBG_LIB, "unable to use a different MGF1 hash for RSA-PSS"); + return FALSE; + } + return sign_pkcs1(this, params->hash, params, data, signature); +} +#endif + METHOD(private_key_t, get_type, key_type_t, private_gcrypt_rsa_private_key_t *this) { 
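Review bot: In the PSS branch of `sign_pkcs1` that takes a caller-supplied salt, `pss->salt.len` is passed to `gcry_sexp_build` for both `%u` and the length half of `%b`, which read an `unsigned int` and an `int`. If `chunk_t.len` is a `size_t` (its definition is not part of this diff), the variadic call receives a wider type than those conversions read, which is undefined on LP64 targets. Casting at the call site keeps it well-defined: `(u_int)pss->salt.len, (int)pss->salt.len, pss->salt.ptr,`. The same applies to `hash.len` for `%b`, which predates this change. The `random-override` path makes the salt deterministic, presumably for known-answer tests, so it deserves a comment saying so, and the "creating pkcs1 signature failed" message is now also emitted for PSS failures.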
@@ -200,24 +251,28 @@ METHOD(private_key_t, get_type, key_type_t, METHOD(private_key_t, sign, bool, private_gcrypt_rsa_private_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t *sig) + void *params, chunk_t data, chunk_t *sig) { switch (scheme) { case SIGN_RSA_EMSA_PKCS1_NULL: return sign_raw(this, data, sig); case SIGN_RSA_EMSA_PKCS1_SHA2_224: - return sign_pkcs1(this, HASH_SHA224, "sha224", data, sig); + return sign_pkcs1(this, HASH_SHA224, NULL, data, sig); case SIGN_RSA_EMSA_PKCS1_SHA2_256: - return sign_pkcs1(this, HASH_SHA256, "sha256", data, sig); + return sign_pkcs1(this, HASH_SHA256, NULL, data, sig); case SIGN_RSA_EMSA_PKCS1_SHA2_384: - return sign_pkcs1(this, HASH_SHA384, "sha384", data, sig); + return sign_pkcs1(this, HASH_SHA384, NULL, data, sig); case SIGN_RSA_EMSA_PKCS1_SHA2_512: - return sign_pkcs1(this, HASH_SHA512, "sha512", data, sig); + return sign_pkcs1(this, HASH_SHA512, NULL, data, sig); case SIGN_RSA_EMSA_PKCS1_SHA1: - return sign_pkcs1(this, HASH_SHA1, "sha1", data, sig); + return sign_pkcs1(this, HASH_SHA1, NULL, data, sig); case SIGN_RSA_EMSA_PKCS1_MD5: - return sign_pkcs1(this, HASH_MD5, "md5", data, sig); + return sign_pkcs1(this, HASH_MD5, NULL, data, sig); +#if GCRYPT_VERSION_NUMBER >= 0x010700 + case SIGN_RSA_EMSA_PSS: + return sign_pss(this, params, data, sig); +#endif default: DBG1(DBG_LIB, "signature scheme %N not supported in RSA", signature_scheme_names, scheme); 
@@ -497,6 +552,121 @@ gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_gen(key_type_t type, return &this->public; } +/** + * Recover the primes from n, e and d using the algorithm described in + * Appendix C of NIST SP 800-56B. + */ +static bool calculate_pqu(chunk_t cn, chunk_t ce, chunk_t cd, chunk_t *cp, + chunk_t *cq, chunk_t *cu) +{ + gcry_mpi_t n, e, d, p, q, u, k, r, g, y, n1, x, two; + int i, t, j; + gcry_error_t err; + bool success = FALSE; + + n = e = d = p = q = u = k = r = g = y = n1 = x = two = NULL; + err = gcry_mpi_scan(&n, GCRYMPI_FMT_USG, cn.ptr, cn.len, NULL) + | gcry_mpi_scan(&e, GCRYMPI_FMT_USG, ce.ptr, ce.len, NULL) + | gcry_mpi_scan(&d, GCRYMPI_FMT_USG, cd.ptr, cd.len, NULL); + if (err) + { + goto error; + } + /* k = (d * e) - 1 */ + k = gcry_mpi_new(gcry_mpi_get_nbits(n)); + gcry_mpi_mul(k, d, e); + gcry_mpi_sub_ui(k, k, 1); + if (gcry_mpi_test_bit(k, 0)) + { + goto error; + } + /* k = 2^t * r, where r is the largest odd integer dividing k, and t >= 1 */ + r = gcry_mpi_copy(k); + for (t = 0; !gcry_mpi_test_bit(r, 0); t++) + { /* r = r/2 */ + gcry_mpi_rshift(r, r, 1); + } + /* we need n-1 below */ + n1 = gcry_mpi_new(gcry_mpi_get_nbits(n)); + gcry_mpi_sub_ui(n1, n, 1); + y = gcry_mpi_new(gcry_mpi_get_nbits(n)); + g = gcry_mpi_new(gcry_mpi_get_nbits(n)); + x = gcry_mpi_new(gcry_mpi_get_nbits(n)); + two = gcry_mpi_set_ui(NULL, 2); + for (i = 0; i < 100; i++) + { /* generate random integer g in [0, n-1] */ + do + { + gcry_mpi_randomize(g, gcry_mpi_get_nbits(n), GCRY_WEAK_RANDOM); + } + while (gcry_mpi_cmp(n, g) <= 0); + /* y = g^r mod n */ + gcry_mpi_powm(y, g, r, n); + /* try again if y == 1 or y == n-1 */ + if (gcry_mpi_cmp_ui(y, 1) == 0 || gcry_mpi_cmp(y, n1) == 0) + { + continue; + } + for (j = 0; j < t; j++) + { /* x = y^2 mod n */ + gcry_mpi_powm(x, y, two, n); + /* stop if x == 1 */ + if (gcry_mpi_cmp_ui(x, 1) == 0) + { + goto done; + } + /* retry with new g if x = n-1 */ + if (gcry_mpi_cmp(x, n1) == 0) + { + break; + } + /* y = x */ + 
gcry_mpi_set(y, x); + } + } + goto error; + +done: + /* p = gcd(y-1, n) */ + gcry_mpi_sub_ui(y, y, 1); + p = gcry_mpi_new(gcry_mpi_get_nbits(n)); + gcry_mpi_gcd(p, y, n); + /* q = n/p */ + q = gcry_mpi_new(gcry_mpi_get_nbits(n)); + gcry_mpi_div(q, NULL, n, p, 0); + if (gcry_mpi_cmp(p, q) > 0) + { /* gcrypt expects q < p */ + gcry_mpi_swap(p, q); + } + /* u = q^-1 mod p */ + u = gcry_mpi_new(gcry_mpi_get_nbits(n)); + gcry_mpi_invm(u, p, q); + err = gcry_mpi_aprint(GCRYMPI_FMT_USG, &cp->ptr, &cp->len, p) + | gcry_mpi_aprint(GCRYMPI_FMT_USG, &cq->ptr, &cq->len, q) + | gcry_mpi_aprint(GCRYMPI_FMT_USG, &cu->ptr, &cu->len, u); + if (err) + { + goto error; + } + success = TRUE; + +error: + gcry_mpi_release(n); + gcry_mpi_release(e); + gcry_mpi_release(d); + gcry_mpi_release(p); + gcry_mpi_release(q); + gcry_mpi_release(u); + gcry_mpi_release(k); + gcry_mpi_release(r); + gcry_mpi_release(g); + gcry_mpi_release(y); + gcry_mpi_release(n1); + gcry_mpi_release(x); + gcry_mpi_release(two); + return success; +} + /** * See header. */ @@ -504,10 +674,10 @@ gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_load(key_type_t type, va_list args) { private_gcrypt_rsa_private_key_t *this; - chunk_t n, e, d, p, q, u; + chunk_t n, e, d, p, q, u, np, nq, nu; gcry_error_t err; - n = e = d = p = q = u = chunk_empty; + n = e = d = p = q = u = np = nq = nu = chunk_empty; while (TRUE) { switch (va_arg(args, builder_part_t)) 
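Review bot: The secret values in `calculate_pqu()` are held in ordinary heap MPIs: `d` comes from `gcry_mpi_scan()` and `k`, `r`, `y`, `x`, `p`, `q`, `u` from `gcry_mpi_new()`, and the `error:` path only calls `gcry_mpi_release()`. Nothing here wipes them the way the gmp counterpart later in this patch does with `mpz_clear_sensitive()`. Allocating the intermediates with `gcry_mpi_snew(gcry_mpi_get_nbits(n))` and marking `d` with `gcry_mpi_set_flag(d, GCRYMPI_FLAG_SECURE)` would keep them in libgcrypt's secure memory, assuming the plugin initialises it (not visible in this hunk). Separately, two comments contradict the code: the swap leaves `p < q` and `gcry_mpi_invm(u, p, q)` computes `p^-1 mod q`, so they should read `/* gcrypt expects p < q */` and `/* u = p^-1 mod q */`.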
@@ -543,12 +713,25 @@ gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_load(key_type_t type, } break; } - + if (!p.len || !q.len || !u.len) + { + if (!calculate_pqu(n, e, d, &np, &nq, &nu)) + { + return NULL; + } + p = np; + q = nq; + u = nu; + } this = create_empty(); err = gcry_sexp_build(&this->key, NULL, "(private-key(rsa(n %b)(e %b)(d %b)(p %b)(q %b)(u %b)))", n.len, n.ptr, e.len, e.ptr, d.len, d.ptr, p.len, p.ptr, q.len, q.ptr, u.len, u.ptr); + + chunk_clear(&np); + chunk_clear(&nq); + chunk_clear(&nu); if (err) { DBG1(DBG_LIB, "loading private key failed: %s", gpg_strerror(err)); diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c index 90829e052..9e2ac1287 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c @@ -1,6 +1,7 @@ /* + * Copyright (C) 2017 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -22,6 +23,7 @@ #include #include #include +#include typedef struct private_gcrypt_rsa_public_key_t private_gcrypt_rsa_public_key_t; 
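Review bot: `calculate_pqu(n, e, d, ...)` is called in the new fallback branch with no visible check that `n`, `e` and `d` were actually supplied. Its witness loop `while (gcry_mpi_cmp(n, g) <= 0)` does not appear to terminate for an empty `n`, because `g` is then drawn with zero bits and can never be smaller than `n`. Whether the builder-part switch above already rejects such input is outside this hunk, so a guard such as `if (!n.len || !e.len || !d.len) { return NULL; }` at the top of the branch would make the fallback safe on its own. The function body starts and ends outside the hunk.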
@@ -109,27 +111,48 @@ static bool verify_raw(private_gcrypt_rsa_public_key_t *this, } /** - * Verification of an EMSA PKCS1 signature described in PKCS#1 + * Verification of an EMSA PKCS1v1.5 / EMSA-PSS signature described in PKCS#1 */ static bool verify_pkcs1(private_gcrypt_rsa_public_key_t *this, - hash_algorithm_t algorithm, char *hash_name, + hash_algorithm_t algorithm, rsa_pss_params_t *pss, chunk_t data, chunk_t signature) { hasher_t *hasher; chunk_t hash; gcry_error_t err; gcry_sexp_t in, sig; + char *hash_name = enum_to_name(hash_algorithm_short_names, algorithm); hasher = lib->crypto->create_hasher(lib->crypto, algorithm); - if (!hasher || !hasher->allocate_hash(hasher, data, &hash)) + if (!hasher) { - DESTROY_IF(hasher); + DBG1(DBG_LIB, "hash algorithm %N not supported", + hash_algorithm_names, algorithm); + return FALSE; + } + if (!hasher->allocate_hash(hasher, data, &hash)) + { + hasher->destroy(hasher); return FALSE; } hasher->destroy(hasher); - err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(hash %s %b))", - hash_name, hash.len, hash.ptr); + if (pss) + { + u_int slen = hasher_hash_size(algorithm); + if (pss->salt_len > RSA_PSS_SALT_LEN_DEFAULT) + { + slen = pss->salt_len; + } + err = gcry_sexp_build(&in, NULL, + "(data(flags pss)(salt-length %u)(hash %s %b))", + slen, hash_name, hash.len, hash.ptr); + } + else + { + err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(hash %s %b))", + hash_name, hash.len, hash.ptr); + } chunk_free(&hash); if (err) { 
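Review bot: `hash_name` is taken from `enum_to_name(hash_algorithm_short_names, algorithm)` and later passed to the `%s` of `gcry_sexp_build()` without a NULL check, although enum_to_name() returns NULL for a value the table does not cover. On the PSS path the algorithm comes from `params->hash` (see `verify_pss()` in the next hunk) rather than from a fixed case label, so an early `if (!hash_name) { return FALSE; }` before the hasher is created would be prudent. The doc comment should also state that the short names are assumed to match libgcrypt's digest names, since a successful `create_hasher()` does not imply that. The function body continues past the end of this hunk.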
@@ -159,6 +182,26 @@ static bool verify_pkcs1(private_gcrypt_rsa_public_key_t *this, return TRUE; } +#if GCRYPT_VERSION_NUMBER >= 0x010700 +/** + * Verification of an EMSA-PSS signature described in PKCS#1 + */ +static bool verify_pss(private_gcrypt_rsa_public_key_t *this, + rsa_pss_params_t *params, chunk_t data, chunk_t sig) +{ + if (!params) + { + return FALSE; + } + if (params->mgf1_hash != params->hash) + { + DBG1(DBG_LIB, "unable to use a different MGF1 hash for RSA-PSS"); + return FALSE; + } + return verify_pkcs1(this, params->hash, params, data, sig); +} +#endif + METHOD(public_key_t, get_type, key_type_t, private_gcrypt_rsa_public_key_t *this) { 
@@ -167,24 +210,28 @@ METHOD(public_key_t, get_type, key_type_t, METHOD(public_key_t, verify, bool, private_gcrypt_rsa_public_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t signature) + void *params, chunk_t data, chunk_t signature) { switch (scheme) { case SIGN_RSA_EMSA_PKCS1_NULL: return verify_raw(this, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA2_224: - return verify_pkcs1(this, HASH_SHA224, "sha224", data, signature); + return verify_pkcs1(this, HASH_SHA224, NULL, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA2_256: - return verify_pkcs1(this, HASH_SHA256, "sha256", data, signature); + return verify_pkcs1(this, HASH_SHA256, NULL, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA2_384: - return verify_pkcs1(this, HASH_SHA384, "sha384", data, signature); + return verify_pkcs1(this, HASH_SHA384, NULL, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA2_512: - return verify_pkcs1(this, HASH_SHA512, "sha512", data, signature); + return verify_pkcs1(this, HASH_SHA512, NULL, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA1: - return verify_pkcs1(this, HASH_SHA1, "sha1", data, signature); + return verify_pkcs1(this, HASH_SHA1, NULL, data, signature); case SIGN_RSA_EMSA_PKCS1_MD5: - return verify_pkcs1(this, HASH_MD5, "md5", data, signature); + return verify_pkcs1(this, HASH_MD5, NULL, data, signature); +#if GCRYPT_VERSION_NUMBER >= 0x010700 + case SIGN_RSA_EMSA_PSS: + return verify_pss(this, params, data, signature); +#endif default: DBG1(DBG_LIB, "signature scheme %N not supported in RSA", signature_scheme_names, scheme); diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in index 39a2bcabb..11aef42f0 100644 --- a/src/libstrongswan/plugins/gmp/Makefile.in +++ b/src/libstrongswan/plugins/gmp/Makefile.in 
@@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c index b7ee94ee0..b01adfe01 100644 --- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c +++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c @@ -272,7 +272,7 @@ static gmp_diffie_hellman_t *create_generic(diffie_hellman_group_t group, } /* - * Described in header. + * Described in header */ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group) { @@ -287,12 +287,17 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group) params->generator, params->prime); } - +/* + * Described in header + */ gmp_diffie_hellman_t *gmp_diffie_hellman_create_custom( - diffie_hellman_group_t group, chunk_t g, chunk_t p) + diffie_hellman_group_t group, ...) { if (group == MODP_CUSTOM) { + chunk_t g, p; + + VA_ARGS_GET(group, g, p); return create_generic(MODP_CUSTOM, p.len, g, p); } return NULL; diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h index 6d73c0863..a8cde7bca 100644 --- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h +++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h 
@@ -49,12 +49,11 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group); * Creates a new gmp_diffie_hellman_t object for MODP_CUSTOM. * * @param group MODP_CUSTOM - * @param g generator - * @param p prime + * @param ... expects generator and prime as chunk_t * @return gmp_diffie_hellman_t object, NULL if not supported */ gmp_diffie_hellman_t *gmp_diffie_hellman_create_custom( - diffie_hellman_group_t group, chunk_t g, chunk_t p); + diffie_hellman_group_t group, ...); #endif /** GMP_DIFFIE_HELLMAN_H_ @}*/ diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.c b/src/libstrongswan/plugins/gmp/gmp_plugin.c index c75975301..700e29bf6 100644 --- a/src/libstrongswan/plugins/gmp/gmp_plugin.c +++ b/src/libstrongswan/plugins/gmp/gmp_plugin.c @@ -79,6 +79,14 @@ METHOD(plugin_t, get_features, int, PLUGIN_REGISTER(PUBKEY, gmp_rsa_public_key_load, TRUE), PLUGIN_PROVIDE(PUBKEY, KEY_RSA), /* signature schemes, private */ + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PSS), + PLUGIN_SDEPEND(HASHER, HASH_SHA1), + PLUGIN_SDEPEND(HASHER, HASH_SHA256), + PLUGIN_SDEPEND(HASHER, HASH_SHA512), + PLUGIN_SDEPEND(RNG, RNG_STRONG), + PLUGIN_SDEPEND(XOF, XOF_MGF1_SHA1), + PLUGIN_SDEPEND(XOF, XOF_MGF1_SHA256), + PLUGIN_SDEPEND(XOF, XOF_MGF1_SHA512), PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_NULL), PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA2_224), PLUGIN_DEPENDS(HASHER, HASH_SHA224), 
@@ -101,6 +109,13 @@ METHOD(plugin_t, get_features, int, PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_MD5), PLUGIN_DEPENDS(HASHER, HASH_MD5), /* signature verification schemes */ + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PSS), + PLUGIN_SDEPEND(HASHER, HASH_SHA1), + PLUGIN_SDEPEND(HASHER, HASH_SHA256), + PLUGIN_SDEPEND(HASHER, HASH_SHA512), + PLUGIN_SDEPEND(XOF, XOF_MGF1_SHA1), + PLUGIN_SDEPEND(XOF, XOF_MGF1_SHA256), + PLUGIN_SDEPEND(XOF, XOF_MGF1_SHA512), PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_NULL), PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_224), PLUGIN_DEPENDS(HASHER, HASH_SHA224), diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c index 21b420866..aca232c86 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2017 Tobias Brunner * Copyright (C) 2005 Jan Hutter * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2012 Andreas Steffen @@ -27,6 +28,7 @@ #include #include #include +#include #ifdef HAVE_MPZ_POWM_SEC # undef mpz_powm 
@@ -333,6 +335,120 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this, return TRUE; } +/** + * Build a signature using the PKCS#1 EMSA PSS scheme + */ +static bool build_emsa_pss_signature(private_gmp_rsa_private_key_t *this, + rsa_pss_params_t *params, chunk_t data, + chunk_t *signature) +{ + ext_out_function_t xof; + hasher_t *hasher = NULL; + rng_t *rng = NULL; + xof_t *mgf = NULL; + chunk_t hash, salt = chunk_empty, m, ps, db, dbmask, em; + size_t embits, emlen, maskbits; + bool success = FALSE; + + if (!params) + { + return FALSE; + } + xof = xof_mgf1_from_hash_algorithm(params->mgf1_hash); + if (xof == XOF_UNDEFINED) + { + DBG1(DBG_LIB, "%N is not supported for MGF1", hash_algorithm_names, + params->mgf1_hash); + return FALSE; + } + /* emBits = modBits - 1 */ + embits = mpz_sizeinbase(this->n, 2) - 1; + /* emLen = ceil(emBits/8) */ + emlen = (embits + 7) / BITS_PER_BYTE; + /* mHash = Hash(M) */ + hasher = lib->crypto->create_hasher(lib->crypto, params->hash); + if (!hasher) + { + DBG1(DBG_LIB, "hash algorithm %N not supported", + hash_algorithm_names, params->hash); + return FALSE; + } + hash = chunk_alloca(hasher->get_hash_size(hasher)); + if (!hasher->get_hash(hasher, data, hash.ptr)) + { + goto error; + } + + salt.len = hash.len; + if (params->salt.len) + { + salt = params->salt; + } + else if (params->salt_len > RSA_PSS_SALT_LEN_DEFAULT) + { + salt.len = params->salt_len; + } + if (emlen < (hash.len + salt.len + 2)) + { /* too long */ + goto error; + } + if (salt.len && !params->salt.len) + { + salt = chunk_alloca(salt.len); + rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG); + if (!rng || !rng->get_bytes(rng, salt.len, salt.ptr)) + { + goto error; + } + } + /* M' = 0x0000000000000000 | mHash | salt */ + m = chunk_cata("ccc", + chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00), + hash, salt); + /* H = Hash(M') */ + if (!hasher->get_hash(hasher, m, hash.ptr)) + { + goto error; + } + /* PS = 00... 
*/ + ps = chunk_alloca(emlen - salt.len - hash.len - 2); + memset(ps.ptr, 0, ps.len); + /* DB = PS | 0x01 | salt */ + db = chunk_cata("ccc", ps, chunk_from_chars(0x01), salt); + /* dbMask = MGF(H, emLen - hLen - 1) */ + mgf = lib->crypto->create_xof(lib->crypto, xof); + dbmask = chunk_alloca(db.len); + if (!mgf) + { + DBG1(DBG_LIB, "%N not supported", ext_out_function_names, xof); + goto error; + } + if (!mgf->set_seed(mgf, hash) || + !mgf->get_bytes(mgf, dbmask.len, dbmask.ptr)) + { + goto error; + } + /* maskedDB = DB xor dbMask */ + memxor(db.ptr, dbmask.ptr, db.len); + /* zero out unused bits */ + maskbits = (8 * emlen) - embits; + if (maskbits) + { + db.ptr[0] &= (0xff >> maskbits); + } + /* EM = maskedDB | H | 0xbc */ + em = chunk_cata("ccc", db, hash, chunk_from_chars(0xbc)); + /* S = RSASP1(K, EM) */ + *signature = rsasp1(this, em); + success = TRUE; + +error: + DESTROY_IF(hasher); + DESTROY_IF(rng); + DESTROY_IF(mgf); + return success; +} + METHOD(private_key_t, get_type, key_type_t, private_gmp_rsa_private_key_t *this) { @@ -341,7 +457,7 @@ METHOD(private_key_t, get_type, key_type_t, METHOD(private_key_t, sign, bool, private_gmp_rsa_private_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t *signature) + void *params, chunk_t data, chunk_t *signature) { switch (scheme) { @@ -367,6 +483,8 @@ METHOD(private_key_t, sign, bool, return build_emsa_pkcs1_signature(this, HASH_SHA1, data, signature); case SIGN_RSA_EMSA_PKCS1_MD5: return build_emsa_pkcs1_signature(this, HASH_MD5, data, signature); + case SIGN_RSA_EMSA_PSS: + return build_emsa_pss_signature(this, params, data, signature); default: DBG1(DBG_LIB, "signature scheme %N not supported in RSA", signature_scheme_names, scheme); 
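Review bot: Several failure paths in `build_emsa_pss_signature()` return FALSE without logging anything. The one most likely to be hit in practice, `if (emlen < (hash.len + salt.len + 2))`, is commented `/* too long */` although it fires when the modulus is too small for the chosen hash and salt length. Adding `DBG1(DBG_LIB, "RSA key too short for %N signature with this salt length", hash_algorithm_names, params->hash);` before that `goto error`, and rewording the comment to `/* key too short for hash and salt */`, would make a mismatched key and hash diagnosable. The RNG failure branch could log in the same way.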
@@ -806,6 +924,82 @@ gmp_rsa_private_key_t *gmp_rsa_private_key_gen(key_type_t type, va_list args) return &this->public; } +/** + * Recover the primes from n, e and d using the algorithm described in + * Appendix C of NIST SP 800-56B. + */ +static bool calculate_pq(private_gmp_rsa_private_key_t *this) +{ + gmp_randstate_t rstate; + mpz_t k, r, g, y, n1, x; + int i, t, j; + bool success = FALSE; + + gmp_randinit_default(rstate); + mpz_inits(k, r, g, y, n1, x, NULL); + /* k = (d * e) - 1 */ + mpz_mul(k, *this->d, this->e); + mpz_sub_ui(k, k, 1); + if (mpz_odd_p(k)) + { + goto error; + } + /* k = 2^t * r, where r is the largest odd integer dividing k, and t >= 1 */ + mpz_set(r, k); + for (t = 0; !mpz_odd_p(r); t++) + { /* r = r/2 */ + mpz_divexact_ui(r, r, 2); + } + /* we need n-1 below */ + mpz_sub_ui(n1, this->n, 1); + for (i = 0; i < 100; i++) + { /* generate random integer g in [0, n-1] */ + mpz_urandomm(g, rstate, this->n); + /* y = g^r mod n */ + mpz_powm_sec(y, g, r, this->n); + /* try again if y == 1 or y == n-1 */ + if (mpz_cmp_ui(y, 1) == 0 || mpz_cmp(y, n1) == 0) + { + continue; + } + for (j = 0; j < t; j++) + { /* x = y^2 mod n */ + mpz_powm_ui(x, y, 2, this->n); + /* stop if x == 1 */ + if (mpz_cmp_ui(x, 1) == 0) + { + goto done; + } + /* retry with new g if x = n-1 */ + if (mpz_cmp(x, n1) == 0) + { + break; + } + /* y = x */ + mpz_set(y, x); + } + } + goto error; + +done: + /* p = gcd(y-1, n) */ + mpz_sub_ui(y, y, 1); + mpz_gcd(this->p, y, this->n); + /* q = n/p */ + mpz_divexact(this->q, this->n, this->p); + success = TRUE; + +error: + mpz_clear_sensitive(k); + mpz_clear_sensitive(r); + mpz_clear_sensitive(g); + mpz_clear_sensitive(y); + mpz_clear_sensitive(x); + mpz_clear(n1); + gmp_randclear(rstate); + return success; +} + /** * See header. */ 
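Review bot: `calculate_pq()` calls `mpz_powm_sec(y, g, r, this->n)` directly instead of going through the `#ifdef HAVE_MPZ_POWM_SEC` block near the top of this file, which appears to map `mpz_powm` onto the constant-time variant only when GMP provides it. A build against a GMP without that function would presumably break here, and `mpz_powm(y, g, r, this->n)` avoids that. GMP also documents mpz_powm_sec as requiring an odd modulus, and `this->n` is imported from the key and has not yet passed `check()` when this runs (see the load hunk that follows). An early `if (!mpz_odd_p(this->n)) { goto error; }` after `mpz_inits()` would reject a zero or even modulus before `mpz_urandomm()` and the exponentiation see it.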
@@ -868,9 +1062,30 @@ gmp_rsa_private_key_t *gmp_rsa_private_key_load(key_type_t type, va_list args) mpz_import(this->n, n.len, 1, 1, 1, 0, n.ptr); mpz_import(this->e, e.len, 1, 1, 1, 0, e.ptr); mpz_import(*this->d, d.len, 1, 1, 1, 0, d.ptr); - mpz_import(this->p, p.len, 1, 1, 1, 0, p.ptr); - mpz_import(this->q, q.len, 1, 1, 1, 0, q.ptr); - mpz_import(this->coeff, coeff.len, 1, 1, 1, 0, coeff.ptr); + if (p.len) + { + mpz_import(this->p, p.len, 1, 1, 1, 0, p.ptr); + } + if (q.len) + { + mpz_import(this->q, q.len, 1, 1, 1, 0, q.ptr); + } + if (!p.len && !q.len) + { /* p and q missing in key, recalculate from n, e and d */ + if (!calculate_pq(this)) + { + destroy(this); + return NULL; + } + } + else if (!p.len) + { /* p missing in key, recalculate: p = n / q */ + mpz_divexact(this->p, this->n, this->q); + } + else if (!q.len) + { /* q missing in key, recalculate: q = n / p */ + mpz_divexact(this->q, this->n, this->p); + } if (!exp1.len) { /* exp1 missing in key, recalculate: exp1 = d mod (p-1) */ mpz_sub_ui(this->exp1, this->p, 1); @@ -889,6 +1104,14 @@ gmp_rsa_private_key_t *gmp_rsa_private_key_load(key_type_t type, va_list args) { mpz_import(this->exp2, exp2.len, 1, 1, 1, 0, exp2.ptr); } + if (!coeff.len) + { /* coeff missing in key, recalculate: coeff = q^-1 mod p */ + mpz_invert(this->coeff, this->q, this->p); + } + else + { + mpz_import(this->coeff, coeff.len, 1, 1, 1, 0, coeff.ptr); + } this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE; if (check(this) != SUCCESS) { @@ -897,4 +1120,3 @@ gmp_rsa_private_key_t *gmp_rsa_private_key_load(key_type_t type, va_list args) } return &this->public; } - diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c index 065c88903..52bc9fb38 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c 
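Review bot: When only one prime is present, `mpz_divexact(this->p, this->n, this->q)` (and the mirrored `q = n / p` branch) divides by a value taken straight from the key. mpz_divexact is only defined when the divisor divides exactly, and a zero divisor is a division by zero. `check(this)` runs only after these derived values have already been used for exp1/exp2, so it is too late to protect the arithmetic. A guard such as `if (!mpz_sgn(this->q) || !mpz_divisible_p(this->n, this->q)) { destroy(this); return NULL; }` before each division would fail cleanly on a malformed key. In the following hunk the return value of `mpz_invert(this->coeff, this->q, this->p)` is ignored; it is zero when no inverse exists and should be handled the same way.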
@@ -1,7 +1,8 @@ /* + * Copyright (C) 2017 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -27,6 +28,7 @@ #include #include #include +#include #ifdef HAVE_MPZ_POWM_SEC # undef mpz_powm @@ -126,7 +128,7 @@ static const asn1Object_t digestInfoObjects[] = { #define DIGEST_INFO_DIGEST 2 /** - * Verification of an EMPSA PKCS1 signature described in PKCS#1 + * Verification of an EMSA PKCS1 signature described in PKCS#1 */ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this, hash_algorithm_t algorithm, 
@@ -283,6 +285,124 @@ end: return success; } +/** + * Verification of an EMSA PSS signature described in PKCS#1 + */ +static bool verify_emsa_pss_signature(private_gmp_rsa_public_key_t *this, + rsa_pss_params_t *params, chunk_t data, + chunk_t signature) +{ + ext_out_function_t xof; + hasher_t *hasher = NULL; + xof_t *mgf = NULL; + chunk_t em, hash, salt, db, h, dbmask, m; + size_t embits, maskbits; + int i; + bool success = FALSE; + + if (!params) + { + return FALSE; + } + xof = xof_mgf1_from_hash_algorithm(params->mgf1_hash); + if (xof == XOF_UNDEFINED) + { + DBG1(DBG_LIB, "%N is not supported for MGF1", hash_algorithm_names, + params->mgf1_hash); + return FALSE; + } + chunk_skip_zero(signature); + if (signature.len == 0 || signature.len > this->k) + { + return FALSE; + } + /* EM = RSAVP1((n, e), S) */ + em = rsavp1(this, signature); + if (!em.len) + { + goto error; + } + /* emBits = modBits - 1 */ + embits = mpz_sizeinbase(this->n, 2) - 1; + /* mHash = Hash(M) */ + hasher = lib->crypto->create_hasher(lib->crypto, params->hash); + if (!hasher) + { + DBG1(DBG_LIB, "hash algorithm %N not supported", + hash_algorithm_names, params->hash); + goto error; + } + hash = chunk_alloca(hasher->get_hash_size(hasher)); + if (!hasher->get_hash(hasher, data, hash.ptr)) + { + goto error; + } + /* determine salt length */ + salt.len = hash.len; + if (params->salt_len > RSA_PSS_SALT_LEN_DEFAULT) + { + salt.len = params->salt_len; + } + /* verify general structure of EM */ + maskbits = (8 * em.len) - embits; + if (em.len < (hash.len + salt.len + 2) || em.ptr[em.len-1] != 0xbc || + (em.ptr[0] & (0xff << (8-maskbits)))) + { /* inconsistent */ + goto error; + } + /* split EM in maskedDB and H */ + db = chunk_create(em.ptr, em.len - hash.len - 1); + h = chunk_create(em.ptr + db.len, hash.len); + /* dbMask = MGF(H, emLen - hLen - 1) */ + mgf = lib->crypto->create_xof(lib->crypto, xof); + if (!mgf) + { + DBG1(DBG_LIB, "%N not supported", ext_out_function_names, xof); + goto error; + } + 
dbmask = chunk_alloca(db.len); + if (!mgf->set_seed(mgf, h) || + !mgf->get_bytes(mgf, dbmask.len, dbmask.ptr)) + { + DBG1(DBG_LIB, "%N not supported or failed", ext_out_function_names, xof); + goto error; + } + /* DB = maskedDB xor dbMask */ + memxor(db.ptr, dbmask.ptr, db.len); + if (maskbits) + { + db.ptr[0] &= (0xff >> maskbits); + } + /* check DB = PS | 0x01 | salt */ + for (i = 0; i < (db.len - salt.len - 1); i++) + { + if (db.ptr[i]) + { /* padding not 0 */ + goto error; + } + } + if (db.ptr[i++] != 0x01) + { /* 0x01 not found */ + goto error; + } + salt.ptr = &db.ptr[i]; + /* M' = 0x0000000000000000 | mHash | salt */ + m = chunk_cata("ccc", + chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00), + hash, salt); + if (!hasher->get_hash(hasher, m, hash.ptr)) + { + goto error; + } + success = memeq_const(h.ptr, hash.ptr, hash.len); + +error: + DESTROY_IF(hasher); + DESTROY_IF(mgf); + free(em.ptr); + return success; +} + METHOD(public_key_t, get_type, key_type_t, private_gmp_rsa_public_key_t *this) { @@ -290,7 +410,7 @@ METHOD(public_key_t, get_type, key_type_t, } METHOD(public_key_t, verify, bool, - private_gmp_rsa_public_key_t *this, signature_scheme_t scheme, + private_gmp_rsa_public_key_t *this, signature_scheme_t scheme, void *params, chunk_t data, chunk_t signature) { switch (scheme) @@ -317,6 +437,8 @@ METHOD(public_key_t, verify, bool, return verify_emsa_pkcs1_signature(this, HASH_SHA1, data, signature); case SIGN_RSA_EMSA_PKCS1_MD5: return verify_emsa_pkcs1_signature(this, HASH_MD5, data, signature); + case SIGN_RSA_EMSA_PSS: + return verify_emsa_pss_signature(this, params, data, signature); default: DBG1(DBG_LIB, "signature scheme %N not supported in RSA", signature_scheme_names, scheme); diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in index cddeace7f..8de79663e 100644 --- a/src/libstrongswan/plugins/hmac/Makefile.in +++ b/src/libstrongswan/plugins/hmac/Makefile.in 
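Review bot: `verify_emsa_pss_signature()` derives `db`, `h` and `maskbits` from `em.len`, whereas the signing side in gmp_rsa_private_key.c uses `emlen = (embits + 7) / BITS_PER_BYTE`. For a modulus of 8k+1 bits the two differ by one byte if `rsavp1()` returns a modulus-sized buffer (its body is not in this hunk). In that case `db` would start one byte early and the XOR with `dbmask` would be misaligned, so valid signatures from such keys would be rejected; this is a false reject, not a bypass. Computing `emlen` as the signer does, and skipping the `em.len - emlen` leading bytes after checking they are zero, would match the PKCS#1 remark that emLen is one less than k in this case. The original pointer must be kept for `free()`.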
@@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/keychain/Makefile.in b/src/libstrongswan/plugins/keychain/Makefile.in index e072c9225..6573b311d 100644 --- a/src/libstrongswan/plugins/keychain/Makefile.in +++ b/src/libstrongswan/plugins/keychain/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in index 229a0cad0..324157bc0 100644 --- a/src/libstrongswan/plugins/ldap/Makefile.in +++ b/src/libstrongswan/plugins/ldap/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in index d135c291f..111f53239 100644 --- a/src/libstrongswan/plugins/md4/Makefile.in +++ b/src/libstrongswan/plugins/md4/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in index e81213c2a..1a41f73ea 100644 --- a/src/libstrongswan/plugins/md5/Makefile.in +++ b/src/libstrongswan/plugins/md5/Makefile.in 
@@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/mgf1/Makefile.in b/src/libstrongswan/plugins/mgf1/Makefile.in index 8a2788319..fd69f4042 100644 --- a/src/libstrongswan/plugins/mgf1/Makefile.in +++ b/src/libstrongswan/plugins/mgf1/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/mgf1/mgf1_plugin.c b/src/libstrongswan/plugins/mgf1/mgf1_plugin.c index 8df3ac261..a78d2f254 100644 --- a/src/libstrongswan/plugins/mgf1/mgf1_plugin.c +++ b/src/libstrongswan/plugins/mgf1/mgf1_plugin.c @@ -44,8 +44,12 @@ METHOD(plugin_t, get_features, int, PLUGIN_REGISTER(XOF, mgf1_xof_create), PLUGIN_PROVIDE(XOF, XOF_MGF1_SHA1), PLUGIN_DEPENDS(HASHER, HASH_SHA1), + PLUGIN_PROVIDE(XOF, XOF_MGF1_SHA224), + PLUGIN_DEPENDS(HASHER, HASH_SHA224), PLUGIN_PROVIDE(XOF, XOF_MGF1_SHA256), PLUGIN_DEPENDS(HASHER, HASH_SHA256), + PLUGIN_PROVIDE(XOF, XOF_MGF1_SHA384), + PLUGIN_DEPENDS(HASHER, HASH_SHA384), PLUGIN_PROVIDE(XOF, XOF_MGF1_SHA512), PLUGIN_DEPENDS(HASHER, HASH_SHA512), }; diff --git a/src/libstrongswan/plugins/mgf1/mgf1_xof.c b/src/libstrongswan/plugins/mgf1/mgf1_xof.c index 0f5fda952..8f5a18f87 100644 --- a/src/libstrongswan/plugins/mgf1/mgf1_xof.c +++ b/src/libstrongswan/plugins/mgf1/mgf1_xof.c 
@@ -244,9 +244,15 @@ mgf1_xof_t *mgf1_xof_create(ext_out_function_t algorithm) case XOF_MGF1_SHA1: hash_alg = HASH_SHA1; break; + case XOF_MGF1_SHA224: + hash_alg = HASH_SHA224; + break; case XOF_MGF1_SHA256: hash_alg = HASH_SHA256; break; + case XOF_MGF1_SHA384: + hash_alg = HASH_SHA384; + break; case XOF_MGF1_SHA512: hash_alg = HASH_SHA512; break; @@ -261,7 +267,7 @@ mgf1_xof_t *mgf1_xof_create(ext_out_function_t algorithm) hash_algorithm_names, hash_alg); return NULL; } - + INIT(this, .public = { .mgf1_interface = { diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in index c99e4f806..114507eeb 100644 --- a/src/libstrongswan/plugins/mysql/Makefile.in +++ b/src/libstrongswan/plugins/mysql/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/newhope/Makefile.in b/src/libstrongswan/plugins/newhope/Makefile.in index 786337420..81c10d5c9 100644 --- a/src/libstrongswan/plugins/newhope/Makefile.in +++ b/src/libstrongswan/plugins/newhope/Makefile.in @@ -253,9 +253,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/newhope/tests/Makefile.in b/src/libstrongswan/plugins/newhope/tests/Makefile.in index be6ffef28..114035a4a 100644 --- a/src/libstrongswan/plugins/newhope/tests/Makefile.in +++ b/src/libstrongswan/plugins/newhope/tests/Makefile.in 
@@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/nonce/Makefile.in b/src/libstrongswan/plugins/nonce/Makefile.in index fca8309e5..0e24d4861 100644 --- a/src/libstrongswan/plugins/nonce/Makefile.in +++ b/src/libstrongswan/plugins/nonce/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/ntru/Makefile.in b/src/libstrongswan/plugins/ntru/Makefile.in index 2ef9aa8dc..cdfee525b 100644 --- a/src/libstrongswan/plugins/ntru/Makefile.in +++ b/src/libstrongswan/plugins/ntru/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in index dcf4c2c8a..856055c6a 100644 --- a/src/libstrongswan/plugins/openssl/Makefile.in +++ b/src/libstrongswan/plugins/openssl/Makefile.in @@ -254,9 +254,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c index 61cf3e884..88f7a67c2 100644 --- a/src/libstrongswan/plugins/openssl/openssl_crl.c 
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c @@ -1,4 +1,7 @@ /* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG * @@ -47,14 +50,13 @@ #include #if OPENSSL_VERSION_NUMBER < 0x10100000L -static inline void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, const X509_CRL *crl) { +static inline void X509_CRL_get0_signature(const X509_CRL *crl, ASN1_BIT_STRING **psig, X509_ALGOR **palg) { if (psig) { *psig = crl->signature; } if (palg) { *palg = crl->sig_alg; } } #define X509_REVOKED_get0_serialNumber(r) ({ (r)->serialNumber; }) #define X509_REVOKED_get0_revocationDate(r) ({ (r)->revocationDate; }) #define X509_CRL_get0_extensions(c) ({ (c)->crl->extensions; }) -#define X509_ALGOR_get0(oid, ppt, ppv, alg) ({ *(oid) = (alg)->algorithm; }) #endif typedef struct private_openssl_crl_t private_openssl_crl_t; @@ -84,6 +86,16 @@ struct private_openssl_crl_t { */ chunk_t serial; + /** + * Number of base CRL (deltaCrlIndicator), if a delta CRL + */ + chunk_t base; + + /** + * List of Freshest CRL distribution points + */ + linked_list_t *crl_uris; + /** * AuthorityKeyIdentifier of the issuing CA */ @@ -107,7 +119,7 @@ struct private_openssl_crl_t { /** * Signature scheme used in this CRL */ - signature_scheme_t scheme; + signature_params_t *scheme; /** * References to this CRL @@ -140,6 +152,11 @@ typedef struct { int i; } crl_enumerator_t; +/** + * from openssl_x509 + */ +bool openssl_parse_crlDistributionPoints(X509_EXTENSION *ext, + linked_list_t *list); METHOD(enumerator_t, crl_enumerate, bool, crl_enumerator_t *this, va_list args) 
@@ -215,6 +232,26 @@ METHOD(crl_t, get_serial, chunk_t, return this->serial; } +METHOD(crl_t, is_delta_crl, bool, + private_openssl_crl_t *this, chunk_t *base_crl) +{ + if (this->base.len) + { + if (base_crl) + { + *base_crl = this->base; + } + return TRUE; + } + return FALSE; +} + +METHOD(crl_t, create_delta_crl_uri_enumerator, enumerator_t*, + private_openssl_crl_t *this) +{ + return this->crl_uris->create_enumerator(this->crl_uris); +} + METHOD(crl_t, get_authKeyIdentifier, chunk_t, private_openssl_crl_t *this) { @@ -246,7 +283,7 @@ METHOD(certificate_t, has_subject_or_issuer, id_match_t, METHOD(certificate_t, issued_by, bool, private_openssl_crl_t *this, certificate_t *issuer, - signature_scheme_t *scheme) + signature_params_t **scheme) { chunk_t fingerprint, tbs; public_key_t *key; @@ -283,23 +320,20 @@ METHOD(certificate_t, issued_by, bool, return FALSE; } } - if (this->scheme == SIGN_UNKNOWN) - { - return FALSE; - } /* i2d_re_X509_CRL_tbs() was added with 1.1.0 when X509_CRL became opaque */ #if OPENSSL_VERSION_NUMBER >= 0x10100000L tbs = openssl_i2chunk(re_X509_CRL_tbs, this->crl); #else tbs = openssl_i2chunk(X509_CRL_INFO, this->crl->crl); #endif - X509_CRL_get0_signature(&sig, NULL, this->crl); - valid = key->verify(key, this->scheme, tbs, openssl_asn1_str2chunk(sig)); + X509_CRL_get0_signature(this->crl, &sig, NULL); + valid = key->verify(key, this->scheme->scheme, this->scheme->params, tbs, + openssl_asn1_str2chunk(sig)); free(tbs.ptr); key->destroy(key); if (valid && scheme) { - *scheme = this->scheme; + *scheme = signature_params_clone(this->scheme); } return valid; } @@ -379,8 +413,12 @@ METHOD(certificate_t, destroy, void, { X509_CRL_free(this->crl); } + signature_params_destroy(this->scheme); + this->crl_uris->destroy_function(this->crl_uris, + (void*)x509_cdp_destroy); DESTROY_IF(this->issuer); free(this->authKeyIdentifier.ptr); + free(this->base.ptr); free(this->serial.ptr); free(this->encoding.ptr); free(this); 
@@ -413,11 +451,12 @@ static private_openssl_crl_t *create_empty() }, .get_serial = _get_serial, .get_authKeyIdentifier = _get_authKeyIdentifier, - .is_delta_crl = (void*)return_false, - .create_delta_crl_uri_enumerator = (void*)enumerator_create_empty, + .is_delta_crl = _is_delta_crl, + .create_delta_crl_uri_enumerator = _create_delta_crl_uri_enumerator, .create_enumerator = _create_enumerator, }, }, + .crl_uris = linked_list_create(), .ref = 1, ); return this; @@ -444,21 +483,19 @@ static bool parse_authKeyIdentifier_ext(private_openssl_crl_t *this, } /** - * Parse the crlNumber extension + * Quick and dirty INTEGER unwrap for crlNumber/deltaCrlIndicator extensions */ -static bool parse_crlNumber_ext(private_openssl_crl_t *this, - X509_EXTENSION *ext) +static bool parse_integer_ext(X509_EXTENSION *ext, chunk_t *out) { chunk_t chunk; chunk = openssl_asn1_str2chunk(X509_EXTENSION_get_data(ext)); - /* quick and dirty INTEGER unwrap */ if (chunk.len > 1 && chunk.ptr[0] == V_ASN1_INTEGER && chunk.ptr[1] == chunk.len - 2) { chunk = chunk_skip(chunk, 2); - free(this->serial.ptr); - this->serial = chunk_clone(chunk); + free(out->ptr); + *out = chunk_clone(chunk); return TRUE; } return FALSE; @@ -488,7 +525,13 @@ static bool parse_extensions(private_openssl_crl_t *this) ok = parse_authKeyIdentifier_ext(this, ext); break; case NID_crl_number: - ok = parse_crlNumber_ext(this, ext); + ok = parse_integer_ext(ext, &this->serial); + break; + case NID_delta_crl: + ok = parse_integer_ext(ext, &this->base); + break; + case NID_freshest_crl: + ok = openssl_parse_crlDistributionPoints(ext, this->crl_uris); break; case NID_issuing_distribution_point: /* TODO support of IssuingDistributionPoints */ 
@@ -520,7 +563,7 @@ static bool parse_extensions(private_openssl_crl_t *this) static bool parse_crl(private_openssl_crl_t *this) { const unsigned char *ptr = this->encoding.ptr; - ASN1_OBJECT *oid; + chunk_t sig_scheme; X509_ALGOR *alg; this->crl = d2i_X509_CRL(NULL, &ptr, this->encoding.len); @@ -529,28 +572,16 @@ static bool parse_crl(private_openssl_crl_t *this) return FALSE; } - X509_CRL_get0_signature(NULL, &alg, this->crl); - X509_ALGOR_get0(&oid, NULL, NULL, alg); -#if OPENSSL_VERSION_NUMBER < 0x10100000L - if (!chunk_equals( - openssl_asn1_obj2chunk(this->crl->crl->sig_alg->algorithm), - openssl_asn1_obj2chunk(this->crl->sig_alg->algorithm))) + X509_CRL_get0_signature(this->crl, NULL, &alg); + sig_scheme = openssl_i2chunk(X509_ALGOR, alg); + INIT(this->scheme); + if (!signature_params_parse(sig_scheme, 0, this->scheme)) { + DBG1(DBG_ASN, "unable to parse signature algorithm"); + free(sig_scheme.ptr); return FALSE; } -#elif 0 - /* FIXME: we currently can't do this if X509_CRL is opaque (>= 1.1.0) as - * X509_CRL_get0_tbs_sigalg() does not exist and there does not seem to be - * another easy way to get the algorithm from the tbsCertList of the CRL */ - alg = X509_CRL_get0_tbs_sigalg(this->crl); - X509_ALGOR_get0(&oid_tbs, NULL, NULL, alg); - if (!chunk_equals(openssl_asn1_obj2chunk(oid), - openssl_asn1_obj2chunk(oid_tbs))) - { - return FALSE; - } -#endif - this->scheme = signature_scheme_from_oid(openssl_asn1_known_oid(oid)); + free(sig_scheme.ptr); this->issuer = openssl_x509_name2id(X509_CRL_get_issuer(this->crl)); if (!this->issuer) diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c index f08dfff7e..8e9c1183f 100644 --- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c 
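Review bot: In `parse_crl()` (second hunk of this file section on this line) the pre-1.1.0 comparison between the outer `signatureAlgorithm` and the algorithm inside the signed tbsCertList is dropped without a replacement, so `this->scheme` is now derived only from the field that the signature does not cover. RFC 5280 requires both AlgorithmIdentifiers to be identical, and `issued_by()` later verifies with whatever was parsed here. I would keep the check where the struct is still accessible and compare the full encodings, so that RSA-PSS parameters are covered as well as the OID; for 1.1.0 and later a comment recording that the check is still missing would help. `parse_crl()` continues outside the hunk.

```c
	X509_CRL_get0_signature(this->crl, NULL, &alg);
	sig_scheme = openssl_i2chunk(X509_ALGOR, alg);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
	{
		/* the outer signatureAlgorithm is not covered by the signature, so it
		 * must match the one in the signed tbsCertList (RFC 5280, 5.1.1.2) */
		chunk_t tbs_scheme = openssl_i2chunk(X509_ALGOR,
											 this->crl->crl->sig_alg);
		bool same = chunk_equals(sig_scheme, tbs_scheme);

		free(tbs_scheme.ptr);
		if (!same)
		{
			free(sig_scheme.ptr);
			return FALSE;
		}
	}
#endif
	/* ... unchanged: INIT(this->scheme) and signature_params_parse() ... */
```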
@@ -193,7 +193,7 @@ METHOD(diffie_hellman_t, destroy, void, * Described in header. */ openssl_diffie_hellman_t *openssl_diffie_hellman_create( - diffie_hellman_group_t group, chunk_t g, chunk_t p) + diffie_hellman_group_t group, ...) { private_openssl_diffie_hellman_t *this; const BIGNUM *privkey; @@ -225,6 +225,9 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create( if (group == MODP_CUSTOM) { + chunk_t g, p; + + VA_ARGS_GET(group, g, p); if (!DH_set0_pqg(this->dh, BN_bin2bn(p.ptr, p.len, NULL), NULL, BN_bin2bn(g.ptr, g.len, NULL))) { diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h index 53dc59c78..5de5520b5 100644 --- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h +++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h @@ -40,12 +40,11 @@ struct openssl_diffie_hellman_t { * Creates a new openssl_diffie_hellman_t object. * * @param group Diffie Hellman group number to use - * @param g custom generator, if MODP_CUSTOM - * @param p custom prime, if MODP_CUSTOM + * @param ... expects generator and prime as chunk_t if MODP_CUSTOM * @return openssl_diffie_hellman_t object, NULL if not supported */ openssl_diffie_hellman_t *openssl_diffie_hellman_create( - diffie_hellman_group_t group, chunk_t g, chunk_t p); + diffie_hellman_group_t group, ...); #endif /** OPENSSL_DIFFIE_HELLMAN_H_ @}*/ diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c index 22bbf6dc7..364190758 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c @@ -48,6 +48,11 @@ struct private_openssl_ec_private_key_t { */ EC_KEY *ec; + /** + * TRUE if the key is from an OpenSSL ENGINE and might not be readable + */ + bool engine; + /** * reference count */ 
@@ -146,7 +151,7 @@ static bool build_der_signature(private_openssl_ec_private_key_t *this, METHOD(private_key_t, sign, bool, private_openssl_ec_private_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t *signature) + void *params, chunk_t data, chunk_t *signature) { switch (scheme) { @@ -226,6 +231,11 @@ METHOD(private_key_t, get_encoding, bool, { u_char *p; + if (this->engine) + { + return FALSE; + } + switch (type) { case PRIVKEY_ASN1_DER: @@ -307,7 +317,7 @@ static private_openssl_ec_private_key_t *create_empty(void) /* * See header. */ -private_key_t *openssl_ec_private_key_create(EVP_PKEY *key) +private_key_t *openssl_ec_private_key_create(EVP_PKEY *key, bool engine) { private_openssl_ec_private_key_t *this; EC_KEY *ec; @@ -320,6 +330,7 @@ private_key_t *openssl_ec_private_key_create(EVP_PKEY *key) } this = create_empty(); this->ec = ec; + this->engine = engine; return &this->public.key; } diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h index 84314f671..56c59cfc8 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h +++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h @@ -67,8 +67,9 @@ openssl_ec_private_key_t *openssl_ec_private_key_load(key_type_t type, * Wrap an EVP_PKEY object of type EVP_PKEY_EC * * @param key EVP_PKEY_EC key object (adopted) + * @param engine whether the key was loaded via an engine * @return loaded key, NULL on failure */ -private_key_t *openssl_ec_private_key_create(EVP_PKEY *key); +private_key_t *openssl_ec_private_key_create(EVP_PKEY *key, bool engine); #endif /** OPENSSL_EC_PRIVATE_KEY_H_ @}*/ diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c index a1e56fc5e..faa940839 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c 
@@ -151,7 +151,7 @@ METHOD(public_key_t, get_type, key_type_t, METHOD(public_key_t, verify, bool, private_openssl_ec_public_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t signature) + void *params, chunk_t data, chunk_t signature) { switch (scheme) { diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.c b/src/libstrongswan/plugins/openssl/openssl_hasher.c index 96ee230c9..eb6c50508 100644 --- a/src/libstrongswan/plugins/openssl/openssl_hasher.c +++ b/src/libstrongswan/plugins/openssl/openssl_hasher.c @@ -1,6 +1,6 @@ /* - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2008-2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -91,16 +91,24 @@ METHOD(hasher_t, destroy, void, /* * Described in header */ -openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo) +const EVP_MD *openssl_get_md(hash_algorithm_t hash) { - private_openssl_hasher_t *this; - char* name; + char *name; - name = enum_to_name(hash_algorithm_short_names, algo); + name = enum_to_name(hash_algorithm_short_names, hash); if (!name) { return NULL; } + return EVP_get_digestbyname(name); +} + +/* + * Described in header + */ +openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo) +{ + private_openssl_hasher_t *this; INIT(this, .public = { @@ -114,7 +122,7 @@ openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo) }, ); - this->hasher = EVP_get_digestbyname(name); + this->hasher = openssl_get_md(algo); if (!this->hasher) { /* OpenSSL does not support the requested algo */ diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.h b/src/libstrongswan/plugins/openssl/openssl_hasher.h index b03f6891b..66b9b505e 100644 --- a/src/libstrongswan/plugins/openssl/openssl_hasher.h +++ b/src/libstrongswan/plugins/openssl/openssl_hasher.h 
@@ -1,6 +1,6 @@ /* - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2008-2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -25,6 +25,8 @@ typedef struct openssl_hasher_t openssl_hasher_t; #include +#include + /** * Implementation of hashers using OpenSSL. */ @@ -36,6 +38,14 @@ struct openssl_hasher_t { hasher_t hasher; }; +/** + * Determine EVP_MD for the given hash algorithm + * + * @param hash hash algorithm + * @return EVP_MD or NULL if not found/supported + */ +const EVP_MD *openssl_get_md(hash_algorithm_t hash); + /** * Constructor to create openssl_hasher_t. * diff --git a/src/libstrongswan/plugins/openssl/openssl_pkcs7.c b/src/libstrongswan/plugins/openssl/openssl_pkcs7.c index 83ac8df5b..f94767cf5 100644 --- a/src/libstrongswan/plugins/openssl/openssl_pkcs7.c +++ b/src/libstrongswan/plugins/openssl/openssl_pkcs7.c @@ -256,7 +256,7 @@ static auth_cfg_t *verify_signature(CMS_SignerInfo *si, int hash_oid) key = cert->get_public_key(cert); if (key) { - if (key->verify(key, signature_scheme_from_oid(hash_oid), + if (key->verify(key, signature_scheme_from_oid(hash_oid), NULL, attrs, sig)) { found = auth->clone(auth); diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c index ab73d718f..8b0a7c5c7 100644 --- a/src/libstrongswan/plugins/openssl/openssl_plugin.c +++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c 
@@ -301,11 +301,11 @@ static private_key_t *openssl_private_key_load(key_type_t type, va_list args) { #ifndef OPENSSL_NO_RSA case EVP_PKEY_RSA: - return openssl_rsa_private_key_create(key); + return openssl_rsa_private_key_create(key, FALSE); #endif #ifndef OPENSSL_NO_ECDSA case EVP_PKEY_EC: - return openssl_ec_private_key_create(key); + return openssl_ec_private_key_create(key, FALSE); #endif default: EVP_PKEY_free(key); 
@@ -316,6 +316,152 @@ static private_key_t *openssl_private_key_load(key_type_t type, va_list args) return NULL; } +#ifndef OPENSSL_NO_ENGINE +/** + * Login to engine with a PIN specified for a keyid + */ +static bool login(ENGINE *engine, chunk_t keyid) +{ + enumerator_t *enumerator; + shared_key_t *shared; + identification_t *id; + chunk_t key; + char pin[64]; + bool found = FALSE, success = FALSE; + + id = identification_create_from_encoding(ID_KEY_ID, keyid); + enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, + SHARED_PIN, id, NULL); + while (enumerator->enumerate(enumerator, &shared, NULL, NULL)) + { + found = TRUE; + key = shared->get_key(shared); + if (snprintf(pin, sizeof(pin), + "%.*s", (int)key.len, key.ptr) >= sizeof(pin)) + { + continue; + } + if (ENGINE_ctrl_cmd_string(engine, "PIN", pin, 0)) + { + success = TRUE; + break; + } + else + { + DBG1(DBG_CFG, "setting PIN on engine failed"); + } + } + enumerator->destroy(enumerator); + id->destroy(id); + if (!found) + { + DBG1(DBG_CFG, "no PIN found for %#B", &keyid); + } + return success; +} +#endif /* OPENSSL_NO_ENGINE */ + +/** + * Load private key via engine + */ +static private_key_t *openssl_private_key_connect(key_type_t type, + va_list args) +{ +#ifndef OPENSSL_NO_ENGINE + char *engine_id = NULL; + char keyname[BUF_LEN]; + chunk_t keyid = chunk_empty;; + EVP_PKEY *key; + ENGINE *engine; + int slot = -1; + + while (TRUE) + { + switch (va_arg(args, builder_part_t)) + { + case BUILD_PKCS11_KEYID: + keyid = va_arg(args, chunk_t); + continue; + case BUILD_PKCS11_SLOT: + slot = va_arg(args, int); + continue; + case BUILD_PKCS11_MODULE: + engine_id = va_arg(args, char*); + continue; + case BUILD_END: + break; + default: + return NULL; + } + break; + } + if (!keyid.len || keyid.len > 40) + { + return NULL; + } + + memset(keyname, 0, sizeof(keyname)); + if (slot != -1) + { + snprintf(keyname, sizeof(keyname), "%d:", slot); + } + if (sizeof(keyname) - strlen(keyname) <= keyid.len * 4 / 3 + 1) 
+ { + return NULL; + } + chunk_to_hex(keyid, keyname + strlen(keyname), FALSE); + + if (!engine_id) + { + engine_id = lib->settings->get_str(lib->settings, + "%s.plugins.openssl.engine_id", "pkcs11", lib->ns); + } + engine = ENGINE_by_id(engine_id); + if (!engine) + { + DBG2(DBG_LIB, "engine '%s' is not available", engine_id); + return NULL; + } + if (!ENGINE_init(engine)) + { + DBG1(DBG_LIB, "failed to initialize engine '%s'", engine_id); + ENGINE_free(engine); + return NULL; + } + if (!login(engine, keyid)) + { + DBG1(DBG_LIB, "login to engine '%s' failed", engine_id); + ENGINE_free(engine); + return NULL; + } + key = ENGINE_load_private_key(engine, keyname, NULL, NULL); + if (!key) + { + DBG1(DBG_LIB, "failed to load private key with ID '%s' from " + "engine '%s'", keyname, engine_id); + ENGINE_free(engine); + return NULL; + } + ENGINE_free(engine); + + switch (EVP_PKEY_base_id(key)) + { +#ifndef OPENSSL_NO_RSA + case EVP_PKEY_RSA: + return openssl_rsa_private_key_create(key, TRUE); +#endif +#ifndef OPENSSL_NO_ECDSA + case EVP_PKEY_EC: + return openssl_ec_private_key_create(key, TRUE); +#endif + default: + EVP_PKEY_free(key); + break; + } +#endif /* OPENSSL_NO_ENGINE */ + return NULL; +} + METHOD(plugin_t, get_name, char*, private_openssl_plugin_t *this) { @@ -469,8 +615,6 @@ METHOD(plugin_t, get_features, int, /* RSA private/public key loading */ PLUGIN_REGISTER(PRIVKEY, openssl_rsa_private_key_load, TRUE), PLUGIN_PROVIDE(PRIVKEY, KEY_RSA), - PLUGIN_REGISTER(PRIVKEY, openssl_rsa_private_key_connect, FALSE), - PLUGIN_PROVIDE(PRIVKEY, KEY_ANY), PLUGIN_REGISTER(PRIVKEY_GEN, openssl_rsa_private_key_gen, FALSE), PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_RSA), PLUGIN_REGISTER(PUBKEY, openssl_rsa_public_key_load, TRUE), 
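Review bot: The room check before `chunk_to_hex()` in `openssl_private_key_connect()` sizes the output as `keyid.len * 4 / 3 + 1`, which is base64 arithmetic, while hex encoding writes two characters per byte plus the terminator. With the 40-byte cap on `keyid` the write stays in bounds only as long as `BUF_LEN` is large enough, so the guard itself does not protect `keyname`; it should read `if (sizeof(keyname) - strlen(keyname) < keyid.len * 2 + 1)`. In `login()`, the `pin` stack copy of the shared secret is left in memory on every return path; a `memwipe(pin, sizeof(pin));` after the enumerator loop would clear it.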
@@ -480,6 +624,10 @@ METHOD(plugin_t, get_features, int, /* signature/encryption schemes */ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_NULL), PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_NULL), +#if OPENSSL_VERSION_NUMBER >= 0x10000000L + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PSS), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PSS), +#endif #ifndef OPENSSL_NO_SHA1 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA1), PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA1), @@ -554,6 +702,8 @@ METHOD(plugin_t, get_features, int, /* generic key loader */ PLUGIN_REGISTER(PRIVKEY, openssl_private_key_load, TRUE), PLUGIN_PROVIDE(PRIVKEY, KEY_ANY), + PLUGIN_REGISTER(PRIVKEY, openssl_private_key_connect, FALSE), + PLUGIN_PROVIDE(PRIVKEY, KEY_ANY), PLUGIN_REGISTER(RNG, openssl_rng_create), PLUGIN_PROVIDE(RNG, RNG_STRONG), PLUGIN_PROVIDE(RNG, RNG_WEAK), diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c index 54ecf2542..401a51a0b 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2016 Tobias Brunner + * Copyright (C) 2008-2017 Tobias Brunner * Copyright (C) 2009 Martin Willi * HSR Hochschule fuer Technik Rapperswil * @@ -20,16 +20,15 @@ #include "openssl_rsa_private_key.h" #include "openssl_rsa_public_key.h" +#include "openssl_hasher.h" #include "openssl_util.h" #include +#include #include #include #include -#ifndef OPENSSL_NO_ENGINE -#include -#endif /* OPENSSL_NO_ENGINE */ /** * Public exponent to use for key generation. @@ -40,6 +39,7 @@ OPENSSL_KEY_FALLBACK(RSA, key, n, e, d) OPENSSL_KEY_FALLBACK(RSA, factors, p, q) OPENSSL_KEY_FALLBACK(RSA, crt_params, dmp1, dmq1, iqmp) +#define BN_secure_new() BN_new() #endif typedef struct private_openssl_rsa_private_key_t private_openssl_rsa_private_key_t; 
@@ -72,8 +72,126 @@ struct private_openssl_rsa_private_key_t { /* implemented in rsa public key */ bool openssl_rsa_fingerprint(RSA *rsa, cred_encoding_type_t type, chunk_t *fp); +#if OPENSSL_VERSION_NUMBER >= 0x10000000L + /** - * Build an EMPSA PKCS1 signature described in PKCS#1 + * Build RSA signature + */ +static bool build_signature(private_openssl_rsa_private_key_t *this, + const EVP_MD *md, rsa_pss_params_t *pss, + chunk_t data, chunk_t *sig) +{ + EVP_PKEY_CTX *pctx = NULL; + EVP_MD_CTX *mctx = NULL; + EVP_PKEY *key; + bool success = FALSE; + + mctx = EVP_MD_CTX_create(); + key = EVP_PKEY_new(); + if (!mctx || !key) + { + goto error; + } + if (!EVP_PKEY_set1_RSA(key, this->rsa)) + { + goto error; + } + if (EVP_DigestSignInit(mctx, &pctx, md, NULL, key) <= 0) + { + goto error; + } + if (pss) + { + const EVP_MD *mgf1md = openssl_get_md(pss->mgf1_hash); + int slen = EVP_MD_size(md); + if (pss->salt_len > RSA_PSS_SALT_LEN_DEFAULT) + { + slen = pss->salt_len; + } + if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 || + EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, slen) <= 0 || + EVP_PKEY_CTX_set_rsa_mgf1_md(pctx, mgf1md) <= 0) + { + goto error; + } + } + if (EVP_DigestSignUpdate(mctx, data.ptr, data.len) <= 0) + { + goto error; + } + success = (EVP_DigestSignFinal(mctx, sig->ptr, &sig->len) == 1); + +error: + if (key) + { + EVP_PKEY_free(key); + } + if (mctx) + { + EVP_MD_CTX_destroy(mctx); + } + return success; +} + +/** + * Build an EMSA PKCS1 signature described in PKCS#1 + */ +static bool build_emsa_pkcs1_signature(private_openssl_rsa_private_key_t *this, + int type, chunk_t data, chunk_t *sig) +{ + const EVP_MD *md; + + *sig = chunk_alloc(RSA_size(this->rsa)); + + if (type == NID_undef) + { + if (RSA_private_encrypt(data.len, data.ptr, sig->ptr, this->rsa, + RSA_PKCS1_PADDING) == sig->len) + { + return TRUE; + } + } + else + { + md = EVP_get_digestbynid(type); + if (md && build_signature(this, md, NULL, data, sig)) + { + return TRUE; + } + } + 
chunk_free(sig); + return FALSE; +} + +/** + * Build an EMSA PSS signature described in PKCS#1 + */ +static bool build_emsa_pss_signature(private_openssl_rsa_private_key_t *this, + rsa_pss_params_t *params, chunk_t data, + chunk_t *sig) +{ + const EVP_MD *md; + + if (!params) + { + return FALSE; + } + + *sig = chunk_alloc(RSA_size(this->rsa)); + + md = openssl_get_md(params->hash); + if (md && build_signature(this, md, params, data, sig)) + { + return TRUE; + } + chunk_free(sig); + return FALSE; +} + +#else /* OPENSSL_VERSION_NUMBER < 1.0 */ + +/** + * Build an EMSA PKCS1 signature described in PKCS#1 */ static bool build_emsa_pkcs1_signature(private_openssl_rsa_private_key_t *this, int type, chunk_t data, chunk_t *sig) @@ -92,15 +210,15 @@ static bool build_emsa_pkcs1_signature(private_openssl_rsa_private_key_t *this, } else { - EVP_MD_CTX *ctx; - EVP_PKEY *key; + EVP_MD_CTX *ctx = NULL; + EVP_PKEY *key = NULL; const EVP_MD *hasher; u_int len; hasher = EVP_get_digestbynid(type); if (!hasher) { - return FALSE; + goto error; } ctx = EVP_MD_CTX_create(); @@ -142,7 +260,7 @@ error: } return success; } - +#endif /* OPENSSL_VERSION_NUMBER < 1.0 */ METHOD(private_key_t, get_type, key_type_t, private_openssl_rsa_private_key_t *this) @@ -152,7 +270,7 @@ METHOD(private_key_t, get_type, key_type_t, METHOD(private_key_t, sign, bool, private_openssl_rsa_private_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t *signature) + void *params, chunk_t data, chunk_t *signature) { switch (scheme) { @@ -170,6 +288,10 @@ METHOD(private_key_t, sign, bool, return build_emsa_pkcs1_signature(this, NID_sha1, data, signature); case SIGN_RSA_EMSA_PKCS1_MD5: return build_emsa_pkcs1_signature(this, NID_md5, data, signature); +#if OPENSSL_VERSION_NUMBER >= 0x10000000L + case SIGN_RSA_EMSA_PSS: + return build_emsa_pss_signature(this, params, data, signature); +#endif default: DBG1(DBG_LIB, "signature scheme %N not supported in RSA", signature_scheme_names, scheme); 
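Review bot: In `build_signature()` the result of `openssl_get_md(pss->mgf1_hash)` is handed to `EVP_PKEY_CTX_set_rsa_mgf1_md()` without a NULL check. `openssl_get_md()` returns NULL for a hash OpenSSL does not know, and OpenSSL appears to treat a NULL MGF1 digest as "use the signing digest", so a request for an unsupported MGF1 hash could yield a signature with different parameters than the caller asked for instead of failing. Adding `if (!mgf1md) { goto error; }` right after the lookup makes that failure explicit.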
@@ -386,7 +508,7 @@ error: /* * See header */ -private_key_t *openssl_rsa_private_key_create(EVP_PKEY *key) +private_key_t *openssl_rsa_private_key_create(EVP_PKEY *key, bool engine) { private_openssl_rsa_private_key_t *this; RSA *rsa; 
@@ -399,9 +521,199 @@ private_key_t *openssl_rsa_private_key_create(EVP_PKEY *key) } this = create_empty(); this->rsa = rsa; + this->engine = engine; return &this->public.key; } +/** + * Recover the primes from n, e and d using the algorithm described in + * Appendix C of NIST SP 800-56B. + */ +static bool calculate_pq(BIGNUM *n, BIGNUM *e, BIGNUM *d, + BIGNUM **p, BIGNUM **q) +{ + BN_CTX *ctx; + BIGNUM *k, *r, *g, *y, *n1, *x; + int i, t, j; + bool success = FALSE; + + ctx = BN_CTX_new(); + if (!ctx) + { + return FALSE; + } + BN_CTX_start(ctx); + k = BN_CTX_get(ctx); + r = BN_CTX_get(ctx); + g = BN_CTX_get(ctx); + y = BN_CTX_get(ctx); + n1 = BN_CTX_get(ctx); + x = BN_CTX_get(ctx); + if (!x) + { + goto error; + } + /* k = (d * e) - 1 */ + if (!BN_mul(k, d, e, ctx) || !BN_sub(k, k, BN_value_one())) + { + goto error; + } + /* k must be even */ + if (BN_is_odd(k)) + { + goto error; + } + /* k = 2^t * r, where r is the largest odd integer dividing k, and t >= 1 */ + if (!BN_copy(r, k)) + { + goto error; + } + for (t = 0; !BN_is_odd(r); t++) + { /* r = r/2 */ + if (!BN_rshift(r, r, 1)) + { + goto error; + } + } + /* we need n-1 below */ + if (!BN_sub(n1, n, BN_value_one())) + { + goto error; + } + for (i = 0; i < 100; i++) + { /* generate random integer g in [0, n-1] */ + if (!BN_pseudo_rand_range(g, n)) + { + goto error; + } + /* y = g^r mod n */ + if (!BN_mod_exp(y, g, r, n, ctx)) + { + goto error; + } + /* try again if y == 1 or y == n-1 */ + if (BN_is_one(y) || BN_cmp(y, n1) == 0) + { + continue; + } + for (j = 0; j < t; j++) + { /* x = y^2 mod n */ + if (!BN_mod_sqr(x, y, n, ctx)) + { + goto error; + } + /* stop if x == 1 */ + if (BN_is_one(x)) + { + goto done; + } + /* retry with new g if x = n-1 */ + if (BN_cmp(x, n1) == 0) + { + break; + } + /* y = x */ + if (!BN_copy(y, x)) + { + goto error; + } + } + } + goto error; + +done: + /* p = gcd(y-1, n) */ + if (!BN_sub(y, y, BN_value_one())) + { + goto error; + } + *p = BN_secure_new(); + if (!BN_gcd(*p, y, n, ctx)) 
+ { + BN_clear_free(*p); + goto error; + } + /* q = n/p */ + *q = BN_secure_new(); + if (!BN_div(*q, NULL, n, *p, ctx)) + { + BN_clear_free(*p); + BN_clear_free(*q); + goto error; + } + success = TRUE; + +error: + BN_CTX_end(ctx); + BN_CTX_free(ctx); + return success; +} + +/** + * Calculates dp = d (mod p-1) or dq = d (mod q-1) for the Chinese remainder + * algorithm. + */ +static BIGNUM *dmodpq1(BIGNUM *d, BIGNUM *pq) +{ + BN_CTX *ctx; + BIGNUM *res = NULL, *pq1; + + ctx = BN_CTX_new(); + if (!ctx) + { + return NULL; + } + BN_CTX_start(ctx); + pq1 = BN_CTX_get(ctx); + /* p|q - 1 */ + if (!BN_sub(pq1, pq, BN_value_one())) + { + goto error; + } + /* d (mod p|q -1) */ + res = BN_secure_new(); + if (!BN_mod(res, d, pq1, ctx)) + { + BN_clear_free(res); + res = NULL; + goto error; + } + +error: + BN_CTX_end(ctx); + BN_CTX_free(ctx); + return res; +} + +/** + * Calculates qinv = q^-1 (mod p) for the Chinese remainder algorithm. + */ +static BIGNUM *qinv(BIGNUM *q, BIGNUM *p) +{ + BN_CTX *ctx; + BIGNUM *res = NULL; + + ctx = BN_CTX_new(); + if (!ctx) + { + return NULL; + } + BN_CTX_start(ctx); + /* q^-1 (mod p) */ + res = BN_secure_new(); + if (!BN_mod_inverse(res, q, p, ctx)) + { + BN_clear_free(res); + res = NULL; + goto error; + } + +error: + BN_CTX_end(ctx); + BN_CTX_free(ctx); + return res; +} + /* * See header */ @@ -460,7 +772,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type, return &this->public; } } - else if (n.ptr && e.ptr && d.ptr && p.ptr && q.ptr && coeff.ptr) + else if (n.ptr && e.ptr && d.ptr) { BIGNUM *bn_n, *bn_e, *bn_d, *bn_p, *bn_q; BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; 
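Review bot: `dmodpq1()` uses the result of `BN_CTX_get()` without checking it, unlike `calculate_pq()` in the same hunk, which tests `if (!x)`; on allocation failure `BN_sub()` would be called with a NULL destination. The `BN_secure_new()` results in `calculate_pq()`, `dmodpq1()` and `qinv()` are likewise used unchecked. I would add `if (!pq1) { goto error; }` after the `BN_CTX_get()` call and test each `BN_secure_new()` result before passing it on, so that a failed allocation while handling private key material ends in the existing error path rather than a crash.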
@@ -472,178 +784,58 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type, bn_d = BN_bin2bn((const u_char*)d.ptr, d.len, NULL); if (!RSA_set0_key(this->rsa, bn_n, bn_e, bn_d)) { - destroy(this); - return NULL; + goto error; } - bn_p = BN_bin2bn((const u_char*)p.ptr, p.len, NULL); - bn_q = BN_bin2bn((const u_char*)q.ptr, q.len, NULL); + if (p.ptr && q.ptr) + { + bn_p = BN_bin2bn((const u_char*)p.ptr, p.len, NULL); + bn_q = BN_bin2bn((const u_char*)q.ptr, q.len, NULL); + } + else + { + if (!calculate_pq(bn_n, bn_e, bn_d, &bn_p, &bn_q)) + { + goto error; + } + } if (!RSA_set0_factors(this->rsa, bn_p, bn_q)) { - destroy(this); - return NULL; + goto error; } if (exp1.ptr) { dmp1 = BN_bin2bn((const u_char*)exp1.ptr, exp1.len, NULL); } - if (exp2.ptr) + else { - dmq1 = BN_bin2bn((const u_char*)exp2.ptr, exp2.len, NULL); + dmp1 = dmodpq1(bn_d, bn_p); } - iqmp = BN_bin2bn((const u_char*)coeff.ptr, coeff.len, NULL); - if (RSA_set0_crt_params(this->rsa, dmp1, dmq1, iqmp) && - RSA_check_key(this->rsa) == 1) + if (exp2.ptr) { - return &this->public; + dmq1 = BN_bin2bn((const u_char*)exp2.ptr, exp2.len, NULL); } - } - destroy(this); - return NULL; -} - -#ifndef OPENSSL_NO_ENGINE -/** - * Login to engine with a PIN specified for a keyid - */ -static bool login(ENGINE *engine, chunk_t keyid) -{ - enumerator_t *enumerator; - shared_key_t *shared; - identification_t *id; - chunk_t key; - char pin[64]; - bool found = FALSE, success = FALSE; - - id = identification_create_from_encoding(ID_KEY_ID, keyid); - enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, - SHARED_PIN, id, NULL); - while (enumerator->enumerate(enumerator, &shared, NULL, NULL)) - { - found = TRUE; - key = shared->get_key(shared); - if (snprintf(pin, sizeof(pin), - "%.*s", (int)key.len, key.ptr) >= sizeof(pin)) + else { - continue; + dmq1 = dmodpq1(bn_d, bn_q); } - if (ENGINE_ctrl_cmd_string(engine, "PIN", pin, 0)) + if (coeff.ptr) { - success = TRUE; - break; + iqmp = 
BN_bin2bn((const u_char*)coeff.ptr, coeff.len, NULL); } else { - DBG1(DBG_CFG, "setting PIN on engine failed"); + iqmp = qinv(bn_q, bn_p); } - } - enumerator->destroy(enumerator); - id->destroy(id); - if (!found) - { - DBG1(DBG_CFG, "no PIN found for %#B", &keyid); - } - return success; -} -#endif /* OPENSSL_NO_ENGINE */ - -/* - * See header. - */ -openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type, - va_list args) -{ -#ifndef OPENSSL_NO_ENGINE - private_openssl_rsa_private_key_t *this; - char *engine_id = NULL; - char keyname[64]; - chunk_t keyid = chunk_empty;; - EVP_PKEY *key; - ENGINE *engine; - int slot = -1; - - while (TRUE) - { - switch (va_arg(args, builder_part_t)) + if (RSA_set0_crt_params(this->rsa, dmp1, dmq1, iqmp) && + RSA_check_key(this->rsa) == 1) { - case BUILD_PKCS11_KEYID: - keyid = va_arg(args, chunk_t); - continue; - case BUILD_PKCS11_SLOT: - slot = va_arg(args, int); - continue; - case BUILD_PKCS11_MODULE: - engine_id = va_arg(args, char*); - continue; - case BUILD_END: - break; - default: - return NULL; + return &this->public; } - break; - } - if (!keyid.len || keyid.len > 40) - { - return NULL; - } - - memset(keyname, 0, sizeof(keyname)); - if (slot != -1) - { - snprintf(keyname, sizeof(keyname), "%d:", slot); - } - if (sizeof(keyname) - strlen(keyname) <= keyid.len * 4 / 3 + 1) - { - return NULL; - } - chunk_to_hex(keyid, keyname + strlen(keyname), FALSE); - - if (!engine_id) - { - engine_id = lib->settings->get_str(lib->settings, - "%s.plugins.openssl.engine_id", "pkcs11", lib->ns); - } - engine = ENGINE_by_id(engine_id); - if (!engine) - { - DBG2(DBG_LIB, "engine '%s' is not available", engine_id); - return NULL; - } - if (!ENGINE_init(engine)) - { - DBG1(DBG_LIB, "failed to initialize engine '%s'", engine_id); - ENGINE_free(engine); - return NULL; - } - if (!login(engine, keyid)) - { - DBG1(DBG_LIB, "login to engine '%s' failed", engine_id); - ENGINE_free(engine); - return NULL; - } - key = 
ENGINE_load_private_key(engine, keyname, NULL, NULL); - if (!key) - { - DBG1(DBG_LIB, "failed to load private key with ID '%s' from " - "engine '%s'", keyname, engine_id); - ENGINE_free(engine); - return NULL; - } - ENGINE_free(engine); - - this = create_empty(); - this->rsa = EVP_PKEY_get1_RSA(key); - this->engine = TRUE; - if (!this->rsa) - { - destroy(this); - return NULL; } - - return &this->public; -#else /* OPENSSL_NO_ENGINE */ +error: + destroy(this); return NULL; -#endif /* OPENSSL_NO_ENGINE */ } #endif /* OPENSSL_NO_RSA */ diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h index 34ce4c776..783181c1d 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h @@ -67,9 +67,10 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type, * Wrap an EVP_PKEY object of type EVP_PKEY_RSA * * @param key EVP_PKEY_RSA key object (adopted) + * @param engine whether the key was loaded via an engine * @return loaded key, NULL on failure */ -private_key_t *openssl_rsa_private_key_create(EVP_PKEY *key); +private_key_t *openssl_rsa_private_key_create(EVP_PKEY *key, bool engine); /** * Connect to a RSA private key on a smartcard. diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c index d3a644f72..20bf30ae9 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c @@ -1,7 +1,7 @@ /* + * Copyright (C) 2008-2017 Tobias Brunner * Copyright (C) 2009 Martin Willi - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
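Review bot: The new `goto error` paths in the component-loading branch only call `destroy(this)`, so BIGNUMs that were never handed over to the RSA object stay allocated with private key material in them. If `RSA_set0_factors()` or `RSA_set0_crt_params()` fails, which as far as I know happens when one argument is NULL, the remaining values (`bn_p`/`bn_q`, `dmp1`, `dmq1`, `iqmp`) are neither cleared nor freed. Adding `BN_clear_free(bn_p); BN_clear_free(bn_q);` before the `goto error` that follows `RSA_set0_factors()` fixes the first case. For the CRT values, the combined condition needs splitting so they are cleared only when `RSA_set0_crt_params()` itself fails and not after ownership has passed to the RSA object. The body of `openssl_rsa_private_key_load()` starts outside this hunk.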
@@ -19,9 +19,11 @@ #ifndef OPENSSL_NO_RSA #include "openssl_rsa_public_key.h" +#include "openssl_hasher.h" #include "openssl_util.h" #include +#include #include #include 
@@ -54,8 +56,138 @@ struct private_openssl_rsa_public_key_t { refcount_t ref; }; + +#if OPENSSL_VERSION_NUMBER >= 0x10000000L + +/** + * Verify RSA signature + */ +static bool verify_signature(private_openssl_rsa_public_key_t *this, + const EVP_MD *md, rsa_pss_params_t *pss, + chunk_t data, chunk_t signature) +{ + EVP_PKEY_CTX *pctx = NULL; + EVP_MD_CTX *mctx = NULL; + EVP_PKEY *key; + int rsa_size = RSA_size(this->rsa); + bool valid = FALSE; + + /* OpenSSL expects a signature of exactly RSA size (no leading 0x00) */ + if (signature.len > rsa_size) + { + signature = chunk_skip(signature, signature.len - rsa_size); + } + + mctx = EVP_MD_CTX_create(); + key = EVP_PKEY_new(); + if (!mctx || !key) + { + goto error; + } + if (!EVP_PKEY_set1_RSA(key, this->rsa)) + { + goto error; + } + if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, key) <= 0) + { + goto error; + } + if (pss) + { + const EVP_MD *mgf1md = openssl_get_md(pss->mgf1_hash); + int slen = EVP_MD_size(md); + if (pss->salt_len > RSA_PSS_SALT_LEN_DEFAULT) + { + slen = pss->salt_len; + } + if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 || + EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, slen) <= 0 || + EVP_PKEY_CTX_set_rsa_mgf1_md(pctx, mgf1md) <= 0) + { + goto error; + } + } + if (EVP_DigestVerifyUpdate(mctx, data.ptr, data.len) <= 0) + { + goto error; + } + valid = (EVP_DigestVerifyFinal(mctx, signature.ptr, signature.len) == 1); + +error: + if (key) + { + EVP_PKEY_free(key); + } + if (mctx) + { + EVP_MD_CTX_destroy(mctx); + } + return valid; +} + /** - * Verification of an EMPSA PKCS1 signature described in PKCS#1 + * Verification of a signature without hashing + */ +static bool verify_plain_signature(private_openssl_rsa_public_key_t *this, + chunk_t data, chunk_t signature) +{ + char *buf; + int len, rsa_size = RSA_size(this->rsa); + bool valid = FALSE; + + /* OpenSSL expects a signature of exactly RSA size (no leading 0x00) */ + if (signature.len > rsa_size) + { + signature = chunk_skip(signature, 
signature.len - rsa_size); + } + buf = malloc(rsa_size); + len = RSA_public_decrypt(signature.len, signature.ptr, buf, this->rsa, + RSA_PKCS1_PADDING); + if (len != -1) + { + valid = chunk_equals_const(data, chunk_create(buf, len)); + } + free(buf); + return valid; +} + +/** + * Verification of an EMSA PKCS1 signature described in PKCS#1 + */ +static bool verify_emsa_pkcs1_signature(private_openssl_rsa_public_key_t *this, + int type, chunk_t data, chunk_t signature) +{ + const EVP_MD *md; + + if (type == NID_undef) + { + return verify_plain_signature(this, data, signature); + } + md = EVP_get_digestbynid(type); + return md && verify_signature(this, md, NULL, data, signature); +} + +/** + * Verification of an EMSA PSS signature described in PKCS#1 + */ +static bool verify_emsa_pss_signature(private_openssl_rsa_public_key_t *this, + rsa_pss_params_t *params, chunk_t data, + chunk_t signature) +{ + const EVP_MD *md; + + if (!params) + { + return FALSE; + } + md = openssl_get_md(params->hash); + return md && verify_signature(this, md, params, data, signature); +} + +#else /* OPENSSL_VERSION_NUMBER < 1.0 */ + +/** + * Verification of an EMSA PKCS1 signature described in PKCS#1 */ static bool verify_emsa_pkcs1_signature(private_openssl_rsa_public_key_t *this, int type, chunk_t data, chunk_t signature) @@ -129,6 +261,8 @@ error: return valid; } +#endif /* OPENSSL_VERSION_NUMBER < 1.0 */ + METHOD(public_key_t, get_type, key_type_t, private_openssl_rsa_public_key_t *this) { @@ -137,7 +271,7 @@ METHOD(public_key_t, get_type, key_type_t, METHOD(public_key_t, verify, bool, private_openssl_rsa_public_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t signature) + void *params, chunk_t data, chunk_t signature) { switch (scheme) { 
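Review bot: In `verify_signature()` the result of `openssl_get_md(pss->mgf1_hash)` is passed to `EVP_PKEY_CTX_set_rsa_mgf1_md()` without a NULL check. As far as I know OpenSSL treats a NULL MGF1 digest as "use the signature digest", so an unsupported MGF1 hash would be silently substituted instead of rejected. Adding `if (!mgf1md) { goto error; }` right after the lookup keeps verification bound to the parameters that came with the signature. Separately, `verify_signature()` and `verify_plain_signature()` both drop `signature.len - rsa_size` leading bytes via `chunk_skip()` without checking that those bytes are zero, so an over-long signature with an arbitrary prefix is treated like the canonical one. Comparing the skipped prefix against zero before truncating would make the comment above it ("no leading 0x00") hold.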
@@ -155,6 +289,10 @@ METHOD(public_key_t, verify, bool, return verify_emsa_pkcs1_signature(this, NID_sha1, data, signature); case SIGN_RSA_EMSA_PKCS1_MD5: return verify_emsa_pkcs1_signature(this, NID_md5, data, signature); +#if OPENSSL_VERSION_NUMBER >= 0x10000000L + case SIGN_RSA_EMSA_PSS: + return verify_emsa_pss_signature(this, params, data, signature); +#endif default: DBG1(DBG_LIB, "signature scheme %N not supported in RSA", signature_scheme_names, scheme); diff --git a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c index f6df03f12..3a6d2f193 100644 --- a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c +++ b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c @@ -20,6 +20,7 @@ #include "openssl_sha1_prf.h" #include +#include typedef struct private_openssl_sha1_prf_t private_openssl_sha1_prf_t; diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c index e03a4255d..60c08770b 100644 --- a/src/libstrongswan/plugins/openssl/openssl_x509.c +++ b/src/libstrongswan/plugins/openssl/openssl_x509.c @@ -1,6 +1,6 @@ /* - * Copyright (C) 2011 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2011-2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG @@ -154,7 +154,7 @@ struct private_openssl_x509_t { /** * Signature scheme of the certificate */ - signature_scheme_t scheme; + signature_params_t *scheme; /** * subjectAltNames @@ -188,16 +188,6 @@ struct private_openssl_x509_t { refcount_t ref; }; -/** - * Destroy a CRL URI struct - */ -static void crl_uri_destroy(x509_cdp_t *this) -{ - free(this->uri); - DESTROY_IF(this->issuer); - free(this); -} - /** * Convert a GeneralName to an identification_t. */ 
@@ -394,7 +384,7 @@ METHOD(certificate_t, has_issuer, id_match_t, METHOD(certificate_t, issued_by, bool, private_openssl_x509_t *this, certificate_t *issuer, - signature_scheme_t *scheme) + signature_params_t **scheme) { public_key_t *key; bool valid; @@ -406,7 +396,8 @@ METHOD(certificate_t, issued_by, bool, { if (this->flags & X509_SELF_SIGNED) { - return TRUE; + valid = TRUE; + goto out; } } else @@ -424,10 +415,6 @@ METHOD(certificate_t, issued_by, bool, return FALSE; } } - if (this->scheme == SIGN_UNKNOWN) - { - return FALSE; - } key = issuer->get_public_key(issuer); if (!key) { @@ -440,12 +427,15 @@ METHOD(certificate_t, issued_by, bool, tbs = openssl_i2chunk(X509_CINF, this->x509->cert_info); #endif X509_get0_signature(&sig, NULL, this->x509); - valid = key->verify(key, this->scheme, tbs, openssl_asn1_str2chunk(sig)); + valid = key->verify(key, this->scheme->scheme, this->scheme->params, tbs, + openssl_asn1_str2chunk(sig)); free(tbs.ptr); key->destroy(key); + +out: if (valid && scheme) { - *scheme = this->scheme; + *scheme = signature_params_clone(this->scheme); } return valid; } @@ -538,6 +528,7 @@ METHOD(certificate_t, destroy, void, { X509_free(this->x509); } + signature_params_destroy(this->scheme); DESTROY_IF(this->subject); DESTROY_IF(this->issuer); DESTROY_IF(this->pubkey); @@ -549,7 +540,8 @@ METHOD(certificate_t, destroy, void, offsetof(identification_t, destroy)); this->issuerAltNames->destroy_offset(this->issuerAltNames, offsetof(identification_t, destroy)); - this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy); + this->crl_uris->destroy_function(this->crl_uris, + (void*)x509_cdp_destroy); this->ocsp_uris->destroy_function(this->ocsp_uris, free); this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks, offsetof(traffic_selector_t, destroy)); 
@@ -739,15 +731,15 @@ static bool parse_extKeyUsage_ext(private_openssl_x509_t *this, /** * Parse CRL distribution points */ -static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this, - X509_EXTENSION *ext) +bool openssl_parse_crlDistributionPoints(X509_EXTENSION *ext, + linked_list_t *list) { CRL_DIST_POINTS *cdps; DIST_POINT *cdp; identification_t *id, *issuer; x509_cdp_t *entry; char *uri; - int i, j, k, point_num, name_num, issuer_num; + int i, j, k, point_num, name_num, issuer_num, len; cdps = X509V3_EXT_d2i(ext); if (!cdps) @@ -770,7 +762,12 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this, cdp->distpoint->name.fullname, j)); if (id) { - if (asprintf(&uri, "%Y", id) > 0) + len = asprintf(&uri, "%Y", id); + if (!len) + { + free(uri); + } + else if (len > 0) { if (cdp->CRLissuer) { @@ -785,8 +782,7 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this, .uri = strdup(uri), .issuer = issuer, ); - this->crl_uris->insert_last( - this->crl_uris, entry); + list->insert_last(list, entry); } } free(uri); @@ -796,7 +792,7 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this, INIT(entry, .uri = uri, ); - this->crl_uris->insert_last(this->crl_uris, entry); + list->insert_last(list, entry); } } id->destroy(id); @@ -820,7 +816,7 @@ static bool parse_authorityInfoAccess_ext(private_openssl_x509_t *this, AUTHORITY_INFO_ACCESS *infos; ACCESS_DESCRIPTION *desc; identification_t *id; - int i, num; + int i, num, len; char *uri; infos = X509V3_EXT_d2i(ext); @@ -839,7 +835,12 @@ static bool parse_authorityInfoAccess_ext(private_openssl_x509_t *this, id = general_name2id(desc->location); if (id) { - if (asprintf(&uri, "%Y", id) > 0) + len = asprintf(&uri, "%Y", id); + if (!len) + { + free(uri); + } + else if (len > 0) { this->ocsp_uris->insert_last(this->ocsp_uris, uri); } 
@@ -1025,7 +1026,7 @@ static bool parse_extensions(private_openssl_x509_t *this) ok = parse_extKeyUsage_ext(this, ext); break; case NID_crl_distribution_points: - ok = parse_crlDistributionPoints_ext(this, ext); + ok = openssl_parse_crlDistributionPoints(ext, this->crl_uris); break; #ifndef OPENSSL_NO_RFC3779 case NID_sbgp_ipAddrBlock: @@ -1063,8 +1064,8 @@ static bool parse_certificate(private_openssl_x509_t *this) { const unsigned char *ptr = this->encoding.ptr; hasher_t *hasher; - chunk_t chunk; - ASN1_OBJECT *oid, *oid_tbs; + chunk_t chunk, sig_scheme, sig_scheme_tbs; + ASN1_OBJECT *oid; X509_ALGOR *alg; this->x509 = d2i_X509(NULL, &ptr, this->encoding.len); @@ -1089,6 +1090,10 @@ static bool parse_certificate(private_openssl_x509_t *this) } switch (openssl_asn1_known_oid(oid)) { + case OID_RSASSA_PSS: + /* TODO: we should treat such keys special and use the params as + * restrictions regarding the use of this key (or rather the + * associated private key) */ case OID_RSA_ENCRYPTION: this->pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, BUILD_BLOB_ASN1_DER, 
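Review bot: The new `case OID_RSASSA_PSS:` label in `parse_certificate()` relies on falling into `case OID_RSA_ENCRYPTION:` with only the TODO between the two labels. The matching pkcs8_builder.c hunk marks this with `/* fall-through */`, and adding the same marker here keeps it from reading as an empty case. Until the TODO is resolved, a key whose algorithm identifier restricts it to RSASSA-PSS is loaded as a plain `KEY_RSA` key, so nothing visible in these hunks prevents it being accepted with PKCS#1 v1.5 schemes; the same holds for the `OID_RSASSA_PSS` additions in pkcs1_builder.c and pkcs8_builder.c. A `DBG2` line at each site stating that the PSS restrictions are ignored would make the gap visible to operators. The enclosing switch continues outside the hunk.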
@@ -1119,15 +1124,25 @@ static bool parse_certificate(private_openssl_x509_t *this) /* while X509_ALGOR_cmp() is declared in the headers of older OpenSSL * versions, at least on Ubuntu 14.04 it is not actually defined */ X509_get0_signature(NULL, &alg, this->x509); - X509_ALGOR_get0(&oid, NULL, NULL, alg); + sig_scheme = openssl_i2chunk(X509_ALGOR, alg); alg = X509_get0_tbs_sigalg(this->x509); - X509_ALGOR_get0(&oid_tbs, NULL, NULL, alg); - if (!chunk_equals(openssl_asn1_obj2chunk(oid), - openssl_asn1_obj2chunk(oid_tbs))) + sig_scheme_tbs = openssl_i2chunk(X509_ALGOR, alg); + if (!chunk_equals(sig_scheme, sig_scheme_tbs)) + { + free(sig_scheme_tbs.ptr); + free(sig_scheme.ptr); + return FALSE; + } + free(sig_scheme_tbs.ptr); + + INIT(this->scheme); + if (!signature_params_parse(sig_scheme, 0, this->scheme)) { + DBG1(DBG_ASN, "unable to parse signature algorithm"); + free(sig_scheme.ptr); return FALSE; } - this->scheme = signature_scheme_from_oid(openssl_asn1_known_oid(oid)); + free(sig_scheme.ptr); if (!parse_extensions(this)) { diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in index 101119300..02a022d03 100644 --- a/src/libstrongswan/plugins/padlock/Makefile.in +++ b/src/libstrongswan/plugins/padlock/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in index 4b69f9f49..37917d441 100644 --- a/src/libstrongswan/plugins/pem/Makefile.in +++ b/src/libstrongswan/plugins/pem/Makefile.in 
@@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/pem/pem_encoder.c b/src/libstrongswan/plugins/pem/pem_encoder.c index 76b0b7b40..8c6c5dae7 100644 --- a/src/libstrongswan/plugins/pem/pem_encoder.c +++ b/src/libstrongswan/plugins/pem/pem_encoder.c @@ -15,6 +15,8 @@ #include "pem_encoder.h" +#include + #define BYTES_PER_LINE 48 /** diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in index 8104a2a94..10eb82619 100644 --- a/src/libstrongswan/plugins/pgp/Makefile.in +++ b/src/libstrongswan/plugins/pgp/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/pgp/pgp_builder.c b/src/libstrongswan/plugins/pgp/pgp_builder.c index fe0be45d9..e8f5c5ddf 100644 --- a/src/libstrongswan/plugins/pgp/pgp_builder.c +++ b/src/libstrongswan/plugins/pgp/pgp_builder.c 
@@ -116,21 +116,17 @@ static private_key_t *parse_rsa_private_key(chunk_t blob) BUILD_END); } -/** - * Implementation of private_key_t.sign for encryption-only keys - */ -static bool sign_not_allowed(private_key_t *this, signature_scheme_t scheme, - chunk_t data, chunk_t *signature) +METHOD(private_key_t, sign_not_allowed, bool, + private_key_t *this, signature_scheme_t scheme, void *params, + chunk_t data, chunk_t *signature) { DBG1(DBG_LIB, "signing failed - decryption only key"); return FALSE; } -/** - * Implementation of private_key_t.decrypt for signature-only keys - */ -static bool decrypt_not_allowed(private_key_t *this, encryption_scheme_t scheme, - chunk_t crypto, chunk_t *plain) +METHOD(private_key_t, decrypt_not_allowed, bool, + private_key_t *this, encryption_scheme_t scheme, + chunk_t crypto, chunk_t *plain) { DBG1(DBG_LIB, "decryption failed - signature only key"); return FALSE; @@ -186,7 +182,7 @@ static private_key_t *parse_private_key(chunk_t blob) BUILD_BLOB_PGP, packet, BUILD_END); if (key) { - key->sign = sign_not_allowed; + key->sign = _sign_not_allowed; } return key; case PGP_PUBKEY_ALG_RSA_SIGN_ONLY: @@ -194,7 +190,7 @@ static private_key_t *parse_private_key(chunk_t blob) BUILD_BLOB_PGP, packet, BUILD_END); if (key) { - key->decrypt = decrypt_not_allowed; + key->decrypt = _decrypt_not_allowed; } return key; case PGP_PUBKEY_ALG_ECDSA: diff --git a/src/libstrongswan/plugins/pgp/pgp_cert.c b/src/libstrongswan/plugins/pgp/pgp_cert.c index 0ffce4cfc..392ef5440 100644 --- a/src/libstrongswan/plugins/pgp/pgp_cert.c +++ b/src/libstrongswan/plugins/pgp/pgp_cert.c @@ -114,7 +114,7 @@ METHOD(certificate_t, has_issuer, id_match_t, } METHOD(certificate_t, issued_by,bool, - private_pgp_cert_t *this, certificate_t *issuer, signature_scheme_t *scheme) + private_pgp_cert_t *this, certificate_t *issuer, signature_params_t **scheme) { /* TODO: check signature blobs for a valid signature */ return FALSE; 
diff --git a/src/libstrongswan/plugins/pgp/pgp_encoder.c b/src/libstrongswan/plugins/pgp/pgp_encoder.c index 100f3ef33..eba936b83 100644 --- a/src/libstrongswan/plugins/pgp/pgp_encoder.c +++ b/src/libstrongswan/plugins/pgp/pgp_encoder.c @@ -15,6 +15,7 @@ #include "pgp_encoder.h" +#include #include /** diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in index 6f6c6237f..ae24d4085 100644 --- a/src/libstrongswan/plugins/pkcs1/Makefile.in +++ b/src/libstrongswan/plugins/pkcs1/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c index f64294783..967e501d1 100644 --- a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c +++ b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c @@ -57,8 +57,13 @@ static public_key_t *parse_public_key(chunk_t blob) int oid = asn1_parse_algorithmIdentifier(object, parser->get_level(parser)+1, NULL); - if (oid == OID_RSA_ENCRYPTION || oid == OID_RSAES_OAEP) + if (oid == OID_RSA_ENCRYPTION || oid == OID_RSAES_OAEP || + oid == OID_RSASSA_PSS) { + /* TODO: we should parse parameters for PSS and pass them + * (and the type), or the complete subjectPublicKeyInfo, + * along so we can treat these as restrictions when + * generating signatures with the associated private key */ type = KEY_RSA; } else if (oid == OID_EC_PUBLICKEY) diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in index 7bf33d967..00d5a6a5d 100644 --- a/src/libstrongswan/plugins/pkcs11/Makefile.in +++ b/src/libstrongswan/plugins/pkcs11/Makefile.in 
@@ -249,9 +249,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c index c0033bd8e..b0fa41b6a 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c @@ -415,13 +415,15 @@ static chunk_t ecparams_lookup(diffie_hellman_group_t group) /** * Described in header. */ -pkcs11_dh_t *pkcs11_dh_create(diffie_hellman_group_t group, - chunk_t g, chunk_t p) +pkcs11_dh_t *pkcs11_dh_create(diffie_hellman_group_t group, ...) { switch (group) { case MODP_CUSTOM: { + chunk_t g, p; + + VA_ARGS_GET(group, g, p); return create_modp(group, p.len, g, p); } case ECP_192_BIT: diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.h b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.h index 2654130c0..1ad58e7a1 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.h +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.h @@ -40,12 +40,10 @@ struct pkcs11_dh_t { * Creates a new pkcs11_dh_t object. * * @param group Diffie Hellman group number to use - * @param g generator in case group is MODP_CUSTOM - * @param p prime in case group is MODP_CUSTOM + * @param ... expects generator and prime as chunk_t if MODP_CUSTOM * @return pkcs11_dh_t object, NULL if not supported */ -pkcs11_dh_t *pkcs11_dh_create(diffie_hellman_group_t group, - chunk_t g, chunk_t p); +pkcs11_dh_t *pkcs11_dh_create(diffie_hellman_group_t group, ...); #endif /** PKCS11_DH_H_ @}*/ diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c index 31bcb0d25..c7dfe69d7 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c 
@@ -164,18 +164,13 @@ static void handle_slot(lib_entry_t *entry, CK_SLOT_ID slot, bool hot) } } -/** - * Dispatch slot events - */ -static job_requeue_t dispatch_slot_events(lib_entry_t *entry) +CALLBACK(dispatch_slot_events, job_requeue_t, + lib_entry_t *entry) { CK_SLOT_ID slot; CK_RV rv; - bool old; - old = thread_cancelability(TRUE); rv = entry->lib->f->C_WaitForSlotEvent(0, &slot, NULL); - thread_cancelability(old); if (rv == CKR_FUNCTION_NOT_SUPPORTED || rv == CKR_NO_EVENT) { DBG1(DBG_CFG, "module '%s' does not support hot-plugging, cancelled", @@ -195,6 +190,16 @@ static job_requeue_t dispatch_slot_events(lib_entry_t *entry) return JOB_REQUEUE_DIRECT; } +CALLBACK(cancel_events, bool, + lib_entry_t *entry) +{ + /* it's possible other threads still use the API after this call, but we + * have no other way to return from C_WaitForSlotEvent() if we can't cancel + * the thread because libraries hold locks they don't release */ + entry->lib->f->C_Finalize(NULL); + return TRUE; +} + /** * Get the slot list of a library */ @@ -377,8 +382,8 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb, { query_slots(entry); lib->processor->queue_job(lib->processor, - (job_t*)callback_job_create_with_prio((void*)dispatch_slot_events, - entry, NULL, (void*)return_false, JOB_PRIO_CRITICAL)); + (job_t*)callback_job_create_with_prio(dispatch_slot_events, + entry, NULL, cancel_events, JOB_PRIO_CRITICAL)); } enumerator->destroy(enumerator); diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c index 1d1016911..6158f6d25 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c 
@@ -243,7 +243,7 @@ static bool reauth(private_pkcs11_private_key_t *this, } METHOD(private_key_t, sign, bool, - private_pkcs11_private_key_t *this, signature_scheme_t scheme, + private_pkcs11_private_key_t *this, signature_scheme_t scheme, void *params, chunk_t data, chunk_t *signature) { CK_MECHANISM_PTR mechanism; diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c index 384777610..36029fa30 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c @@ -201,7 +201,7 @@ METHOD(public_key_t, get_keysize, int, } METHOD(public_key_t, verify, bool, - private_pkcs11_public_key_t *this, signature_scheme_t scheme, + private_pkcs11_public_key_t *this, signature_scheme_t scheme, void *params, chunk_t data, chunk_t sig) { CK_MECHANISM_PTR mechanism; diff --git a/src/libstrongswan/plugins/pkcs12/Makefile.in b/src/libstrongswan/plugins/pkcs12/Makefile.in index d25a1af44..6bb1b9a36 100644 --- a/src/libstrongswan/plugins/pkcs12/Makefile.in +++ b/src/libstrongswan/plugins/pkcs12/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.in b/src/libstrongswan/plugins/pkcs7/Makefile.in index e5698a302..f56df39d1 100644 --- a/src/libstrongswan/plugins/pkcs7/Makefile.in +++ b/src/libstrongswan/plugins/pkcs7/Makefile.in @@ -248,9 +248,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ 
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c b/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c index 413c3fff5..9b6d3a808 100644 --- a/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c +++ b/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c @@ -227,7 +227,8 @@ METHOD(enumerator_t, enumerate, bool, if (key) { chunk = info->attributes->get_encoding(info->attributes); - if (key->verify(key, scheme, chunk, info->encrypted_digest)) + if (key->verify(key, scheme, NULL, chunk, + info->encrypted_digest)) { this->auth = auth->clone(auth); key->destroy(key); @@ -563,7 +564,7 @@ static bool generate(private_pkcs7_signed_data_t *this, private_key_t *key, attributes = pkcs9->get_encoding(pkcs9); - if (!key->sign(key, scheme, attributes, &encryptedDigest)) + if (!key->sign(key, scheme, NULL, attributes, &encryptedDigest)) { free(data.ptr); return FALSE; diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.in b/src/libstrongswan/plugins/pkcs8/Makefile.in index 3ff09f5f2..9c408c443 100644 --- a/src/libstrongswan/plugins/pkcs8/Makefile.in +++ b/src/libstrongswan/plugins/pkcs8/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c index beb8866f8..6cd5da4fd 100644 --- a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c +++ b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c 
@@ -63,6 +63,17 @@ static private_key_t *parse_private_key(chunk_t blob) switch (oid) { + case OID_RSASSA_PSS: + /* TODO: parameters associated with such keys should be + * treated as restrictions later when signing (the type + * itself is already a restriction). However, the + * builders currently don't expect any parameters for + * RSA keys (we also only pass along the params, not the + * exact type, so we'd have to guess that params + * indicate RSA/PSS, but they are optional so that won't + * work for keys without specific restrictions) */ + params = chunk_empty; + /* fall-through */ case OID_RSA_ENCRYPTION: type = KEY_RSA; break; diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c index 42d443b7a..7d0cc88ed 100644 --- a/src/libstrongswan/plugins/plugin_loader.c +++ b/src/libstrongswan/plugins/plugin_loader.c @@ -438,7 +438,7 @@ static plugin_entry_t *load_plugin(private_plugin_loader_t *this, char *name, } } if (lib->settings->get_bool(lib->settings, "%s.dlopen_use_rtld_now", - lib->ns, FALSE)) + FALSE, lib->ns)) { flag = RTLD_NOW; } @@ -698,7 +698,6 @@ static bool load_dependencies(private_plugin_loader_t *this, int level) { registered_feature_t *registered, lookup; - int indent = level * 2; int i; /* first entry is provided feature, followed by dependencies */ @@ -741,6 +740,7 @@ static bool load_dependencies(private_plugin_loader_t *this, #ifndef USE_FUZZING char *name, *provide, *depend; + int indent = level * 2; name = provided->entry->plugin->get_name(provided->entry->plugin); provide = plugin_feature_get_string(&provided->feature[0]); @@ -828,7 +828,6 @@ static void load_provided(private_plugin_loader_t *this, provided_feature_t *provided, int level) { - int indent = level * 2; if (provided->loaded || provided->failed) { 
@@ -837,6 +836,7 @@ static void load_provided(private_plugin_loader_t *this, #ifndef USE_FUZZING char *name, *provide; + int indent = level * 2; name = provided->entry->plugin->get_name(provided->entry->plugin); provide = plugin_feature_get_string(provided->feature); diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in index 02607958f..ff7501c00 100644 --- a/src/libstrongswan/plugins/pubkey/Makefile.in +++ b/src/libstrongswan/plugins/pubkey/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.c b/src/libstrongswan/plugins/pubkey/pubkey_cert.c index 0631a6857..81dad65b7 100644 --- a/src/libstrongswan/plugins/pubkey/pubkey_cert.c +++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.c @@ -137,13 +137,16 @@ METHOD(certificate_t, equals, bool, METHOD(certificate_t, issued_by, bool, private_pubkey_cert_t *this, certificate_t *issuer, - signature_scheme_t *scheme) + signature_params_t **scheme) { - if (scheme) + bool valid = equals(this, issuer); + if (valid && scheme) { - *scheme = SIGN_UNKNOWN; + INIT(*scheme, + .scheme = SIGN_UNKNOWN, + ); } - return equals(this, issuer); + return valid; } METHOD(certificate_t, get_public_key, public_key_t*, diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in index 98702d0d3..3a22a6316 100644 --- a/src/libstrongswan/plugins/random/Makefile.in +++ b/src/libstrongswan/plugins/random/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ 
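Review bot: In the pubkey_cert.c hunk, issued_by() now heap-allocates the out-parameter with `INIT(*scheme, .scheme = SIGN_UNKNOWN, );`, so ownership passes to the caller, and the hunk does not say so. A comment above the allocation such as `/* allocated result, caller releases it with signature_params_destroy() */` would keep callers from leaking it or treating it as borrowed. Also, `*scheme` is now left untouched when `equals()` fails, whereas the old code always wrote `SIGN_UNKNOWN`. Any caller (outside this hunk) that reads the value without checking the return would now see an unset pointer.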
diff --git a/src/libstrongswan/plugins/rc2/Makefile.in b/src/libstrongswan/plugins/rc2/Makefile.in index b874e9081..d37c9834d 100644 --- a/src/libstrongswan/plugins/rc2/Makefile.in +++ b/src/libstrongswan/plugins/rc2/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/rdrand/Makefile.in b/src/libstrongswan/plugins/rdrand/Makefile.in index 40b1d7644..371e34db8 100644 --- a/src/libstrongswan/plugins/rdrand/Makefile.in +++ b/src/libstrongswan/plugins/rdrand/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in index 8254c1424..15e91b24a 100644 --- a/src/libstrongswan/plugins/revocation/Makefile.in +++ b/src/libstrongswan/plugins/revocation/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in index 0c68798a9..ff0a30462 100644 --- a/src/libstrongswan/plugins/sha1/Makefile.in +++ b/src/libstrongswan/plugins/sha1/Makefile.in 
@@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in index 109726b6a..81284e137 100644 --- a/src/libstrongswan/plugins/sha2/Makefile.in +++ b/src/libstrongswan/plugins/sha2/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/sha3/Makefile.in b/src/libstrongswan/plugins/sha3/Makefile.in index a1f79740b..3ca2f5e24 100644 --- a/src/libstrongswan/plugins/sha3/Makefile.in +++ b/src/libstrongswan/plugins/sha3/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in index ceccab7f1..47af2c5fd 100644 --- a/src/libstrongswan/plugins/soup/Makefile.in +++ b/src/libstrongswan/plugins/soup/Makefile.in @@ -245,9 +245,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in index 39d705622..f0649b52a 100644 --- a/src/libstrongswan/plugins/sqlite/Makefile.in +++ b/src/libstrongswan/plugins/sqlite/Makefile.in 
@@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/sshkey/Makefile.in b/src/libstrongswan/plugins/sshkey/Makefile.in index ded2bf8f1..ac644ec0b 100644 --- a/src/libstrongswan/plugins/sshkey/Makefile.in +++ b/src/libstrongswan/plugins/sshkey/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in index b7332d4a7..45879e841 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.in +++ b/src/libstrongswan/plugins/test_vectors/Makefile.in @@ -265,9 +265,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/unbound/Makefile.in b/src/libstrongswan/plugins/unbound/Makefile.in index 93159ff17..2a4788ee1 100644 --- a/src/libstrongswan/plugins/unbound/Makefile.in +++ b/src/libstrongswan/plugins/unbound/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/winhttp/Makefile.in b/src/libstrongswan/plugins/winhttp/Makefile.in index 91033262d..7cd680095 100644 
--- a/src/libstrongswan/plugins/winhttp/Makefile.in +++ b/src/libstrongswan/plugins/winhttp/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in index 3596d1f85..0f54f8cf0 100644 --- a/src/libstrongswan/plugins/x509/Makefile.in +++ b/src/libstrongswan/plugins/x509/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c index ba459288b..7a5a31af7 100644 --- a/src/libstrongswan/plugins/x509/x509_ac.c +++ b/src/libstrongswan/plugins/x509/x509_ac.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2017 Tobias Brunner * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler * Copyright (C) 2003 Martin Berner, Lukas Suter * Copyright (C) 2002-2017 Andreas Steffen @@ -116,9 +117,9 @@ struct private_x509_ac_t { bool noRevAvail; /** - * Signature algorithm + * Signature scheme */ - int algorithm; + signature_params_t *scheme; /** * Signature @@ -425,7 +426,7 @@ static bool parse_certificate(private_x509_ac_t *this) int objectID; int type = OID_UNKNOWN; int extn_oid = OID_UNKNOWN; - int sig_alg = OID_UNKNOWN; + signature_params_t sig_alg = {}; bool success = FALSE; bool critical; 
@@ -476,7 +477,11 @@ static bool parse_certificate(private_x509_ac_t *this) } break; case AC_OBJ_SIG_ALG: - sig_alg = asn1_parse_algorithmIdentifier(object, level, NULL); + if (!signature_params_parse(object, level, &sig_alg)) + { + DBG1(DBG_ASN, " unable to parse signature algorithm"); + goto end; + } break; case AC_OBJ_SERIAL_NUMBER: this->serialNumber = chunk_clone(object); @@ -550,12 +555,15 @@ static bool parse_certificate(private_x509_ac_t *this) break; } case AC_OBJ_ALGORITHM: - this->algorithm = asn1_parse_algorithmIdentifier(object, level, - NULL); - if (this->algorithm != sig_alg) + INIT(this->scheme); + if (!signature_params_parse(object, level, this->scheme)) + { + DBG1(DBG_ASN, " unable to parse signature algorithm"); + goto end; + } + if (!signature_params_equal(this->scheme, &sig_alg)) { DBG1(DBG_ASN, " signature algorithms do not agree"); - success = FALSE; goto end; } break; @@ -570,6 +578,7 @@ static bool parse_certificate(private_x509_ac_t *this) end: parser->destroy(parser); + signature_params_clear(&sig_alg); return success; } @@ -742,13 +751,13 @@ static chunk_t build_extensions(private_x509_ac_t *this) /** * build attributeCertificateInfo */ -static chunk_t build_attr_cert_info(private_x509_ac_t *this) +static chunk_t build_attr_cert_info(private_x509_ac_t *this, chunk_t sig_scheme) { - return asn1_wrap(ASN1_SEQUENCE, "cmmmmmmm", + return asn1_wrap(ASN1_SEQUENCE, "cmmcmmmm", ASN1_INTEGER_1, build_holder(this), build_v2_form(this), - asn1_algorithmIdentifier(OID_SHA1_WITH_RSA), + sig_scheme, asn1_simple_object(ASN1_INTEGER, this->serialNumber), build_attr_cert_validity(this), build_attributes(this), 
@@ -758,20 +767,39 @@ static chunk_t build_attr_cert_info(private_x509_ac_t *this) /** * build an X.509 attribute certificate */ -static bool build_ac(private_x509_ac_t *this) +static bool build_ac(private_x509_ac_t *this, hash_algorithm_t digest_alg) { - chunk_t signatureValue, attributeCertificateInfo; + chunk_t signatureValue, attributeCertificateInfo, sig_scheme; + private_key_t *key = this->signerKey; - attributeCertificateInfo = build_attr_cert_info(this); - if (!this->signerKey->sign(this->signerKey, SIGN_RSA_EMSA_PKCS1_SHA1, - attributeCertificateInfo, &signatureValue)) + if (!this->scheme) + { + INIT(this->scheme, + .scheme = signature_scheme_from_oid( + hasher_signature_algorithm_to_oid(digest_alg, + key->get_type(key))), + ); + } + if (this->scheme->scheme == SIGN_UNKNOWN) + { + return FALSE; + } + if (!signature_params_build(this->scheme, &sig_scheme)) + { + return FALSE; + } + + attributeCertificateInfo = build_attr_cert_info(this, sig_scheme); + if (!key->sign(key, this->scheme->scheme, this->scheme->params, + attributeCertificateInfo, &signatureValue)) { free(attributeCertificateInfo.ptr); + free(sig_scheme.ptr); return FALSE; } this->encoding = asn1_wrap(ASN1_SEQUENCE, "mmm", attributeCertificateInfo, - asn1_algorithmIdentifier(OID_SHA1_WITH_RSA), + sig_scheme, asn1_bitstring("m", signatureValue)); return TRUE; } @@ -886,10 +914,10 @@ METHOD(certificate_t, has_issuer, id_match_t, } METHOD(certificate_t, issued_by, bool, - private_x509_ac_t *this, certificate_t *issuer, signature_scheme_t *schemep) + private_x509_ac_t *this, certificate_t *issuer, + signature_params_t **scheme) { public_key_t *key; - signature_scheme_t scheme; bool valid; x509_t *x509 = (x509_t*)issuer; 
@@ -926,18 +954,16 @@ METHOD(certificate_t, issued_by, bool, } } - /* determine signature scheme */ - scheme = signature_scheme_from_oid(this->algorithm); - - if (scheme == SIGN_UNKNOWN || key == NULL) + if (!key) { return FALSE; } - valid = key->verify(key, scheme, this->certificateInfo, this->signature); + valid = key->verify(key, this->scheme->scheme, this->scheme->params, + this->certificateInfo, this->signature); key->destroy(key); - if (valid && schemep) + if (valid && scheme) { - *schemep = scheme; + *scheme = signature_params_clone(this->scheme); } return valid; } @@ -1020,6 +1046,7 @@ METHOD(certificate_t, destroy, void, DESTROY_IF(this->signerCert); DESTROY_IF(this->signerKey); this->groups->destroy_function(this->groups, (void*)group_destroy); + signature_params_destroy(this->scheme); free(this->serialNumber.ptr); free(this->authKeyIdentifier.ptr); free(this->encoding.ptr); @@ -1126,6 +1153,7 @@ static void add_groups_from_list(private_x509_ac_t *this, linked_list_t *list) */ x509_ac_t *x509_ac_gen(certificate_type_t type, va_list args) { + hash_algorithm_t digest_alg = HASH_SHA1; private_x509_ac_t *ac; ac = create_empty(); @@ -1157,6 +1185,13 @@ x509_ac_t *x509_ac_gen(certificate_type_t type, va_list args) ac->signerKey = va_arg(args, private_key_t*); ac->signerKey->get_ref(ac->signerKey); continue; + case BUILD_SIGNATURE_SCHEME: + ac->scheme = va_arg(args, signature_params_t*); + ac->scheme = signature_params_clone(ac->scheme); + continue; + case BUILD_DIGEST_ALG: + digest_alg = va_arg(args, int); + continue; case BUILD_END: break; default: @@ -1170,7 +1205,7 @@ x509_ac_t *x509_ac_gen(certificate_type_t type, va_list args) ac->holderCert->get_type(ac->holderCert) == CERT_X509 && ac->signerCert->get_type(ac->signerCert) == CERT_X509) { - if (build_ac(ac)) + if (build_ac(ac, digest_alg)) { return &ac->public; } diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c index 974e687f9..d1f9d9aac 100644 
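Review bot: In the x509_ac.c issued_by() hunk, `this->scheme->scheme` and `this->scheme->params` are dereferenced without checking that `this->scheme` was ever set, while the removed code failed closed on `scheme == SIGN_UNKNOWN`. Whether the pointer can be NULL depends on parse and build code outside the hunk, so this is a hardening point rather than a demonstrated crash. Adding `if (!this->scheme) { DESTROY_IF(key); return FALSE; }` before the verify call keeps the fail-closed behaviour for any object that arrives half-initialised from parsed input. The same unguarded dereference appears in the issued_by() hunks of x509_cert.c, x509_crl.c, x509_ocsp_response.c and x509_pkcs10.c. The OCSP response case deserves the closest look, because its load() hunk also drops the `.signatureAlgorithm = OID_UNKNOWN` default.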
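Review bot: x509_ac_gen() introduces `hash_algorithm_t digest_alg = HASH_SHA1;` as its default, while the same commit moves x509_cert_gen() from `HASH_SHA1` to `HASH_SHA256`. This preserves build_ac()'s previous hard-coded SHA-1 behaviour, but attribute certificates stay SHA-1-signed unless the caller passes BUILD_DIGEST_ALG or BUILD_SIGNATURE_SCHEME. If there is no compatibility reason for the difference, use `hash_algorithm_t digest_alg = HASH_SHA256;` here as well, or add a comment stating why the AC default lags behind the certificate default.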
--- a/src/libstrongswan/plugins/x509/x509_cert.c +++ b/src/libstrongswan/plugins/x509/x509_cert.c @@ -4,7 +4,7 @@ * Copyright (C) 2002 Mario Strasser * Copyright (C) 2000-2017 Andreas Steffen * Copyright (C) 2006-2009 Martin Willi - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2017 Tobias Brunner * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -197,9 +197,9 @@ struct private_x509_cert_t { x509_flag_t flags; /** - * Signature algorithm + * Signature scheme */ - int algorithm; + signature_params_t *scheme; /** * Signature @@ -240,16 +240,6 @@ static bool gn_to_string(identification_t *id, char **uri) return len > 0; } -/** - * Destroy a CertificateDistributionPoint - */ -static void crl_uri_destroy(x509_cdp_t *this) -{ - free(this->uri); - DESTROY_IF(this->issuer); - free(this); -} - /** * Destroy a CertificatePolicy */ @@ -1385,7 +1375,7 @@ static bool parse_certificate(private_x509_cert_t *this) chunk_t object; int objectID; int extn_oid = OID_UNKNOWN; - int sig_alg = OID_UNKNOWN; + signature_params_t sig_alg = {}; bool success = FALSE; bool critical = FALSE; @@ -1416,7 +1406,11 @@ static bool parse_certificate(private_x509_cert_t *this) this->serialNumber = object; break; case X509_OBJ_SIG_ALG: - sig_alg = asn1_parse_algorithmIdentifier(object, level, NULL); + if (!signature_params_parse(object, level, &sig_alg)) + { + DBG1(DBG_ASN, " unable to parse signature algorithm"); + goto end; + } break; case X509_OBJ_ISSUER: this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object); 
@@ -1570,8 +1564,13 @@ static bool parse_certificate(private_x509_cert_t *this) break; } case X509_OBJ_ALGORITHM: - this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL); - if (this->algorithm != sig_alg) + INIT(this->scheme); + if (!signature_params_parse(object, level, this->scheme)) + { + DBG1(DBG_ASN, " unable to parse signature algorithm"); + goto end; + } + if (!signature_params_equal(this->scheme, &sig_alg)) { DBG1(DBG_ASN, " signature algorithms do not agree"); goto end; @@ -1588,6 +1587,7 @@ static bool parse_certificate(private_x509_cert_t *this) end: parser->destroy(parser); + signature_params_clear(&sig_alg); if (success) { hasher_t *hasher; @@ -1687,10 +1687,9 @@ METHOD(certificate_t, has_issuer, id_match_t, METHOD(certificate_t, issued_by, bool, private_x509_cert_t *this, certificate_t *issuer, - signature_scheme_t *schemep) + signature_params_t **scheme) { public_key_t *key; - signature_scheme_t scheme; bool valid; x509_t *x509 = (x509_t*)issuer; @@ -1698,6 +1697,10 @@ METHOD(certificate_t, issued_by, bool, { if (this->flags & X509_SELF_SIGNED) { + if (scheme) + { + *scheme = signature_params_clone(this->scheme); + } return TRUE; } } @@ -1717,23 +1720,18 @@ METHOD(certificate_t, issued_by, bool, return FALSE; } - /* determine signature scheme */ - scheme = signature_scheme_from_oid(this->algorithm); - if (scheme == SIGN_UNKNOWN) - { - return FALSE; - } /* get the public key of the issuer */ key = issuer->get_public_key(issuer); if (!key) { return FALSE; } - valid = key->verify(key, scheme, this->tbsCertificate, this->signature); + valid = key->verify(key, this->scheme->scheme, this->scheme->params, + this->tbsCertificate, this->signature); key->destroy(key); - if (valid && schemep) + if (valid && scheme) { - *schemep = scheme; + *scheme = signature_params_clone(this->scheme); } return valid; } 
@@ -1920,7 +1918,8 @@ METHOD(certificate_t, destroy, void, { this->subjectAltNames->destroy_offset(this->subjectAltNames, offsetof(identification_t, destroy)); - this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy); + this->crl_uris->destroy_function(this->crl_uris, + (void*)x509_cdp_destroy); this->ocsp_uris->destroy_function(this->ocsp_uris, free); this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks, offsetof(traffic_selector_t, destroy)); @@ -1932,6 +1931,7 @@ METHOD(certificate_t, destroy, void, (void*)cert_policy_destroy); this->policy_mappings->destroy_function(this->policy_mappings, (void*)policy_mapping_destroy); + signature_params_destroy(this->scheme); DESTROY_IF(this->issuer); DESTROY_IF(this->subject); DESTROY_IF(this->public_key); @@ -2187,10 +2187,9 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty; chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty; chunk_t ikeIntermediate = chunk_empty, msSmartcardLogon = chunk_empty; - chunk_t ipAddrBlocks = chunk_empty; + chunk_t ipAddrBlocks = chunk_empty, sig_scheme = chunk_empty; identification_t *issuer, *subject; chunk_t key_info; - signature_scheme_t scheme; hasher_t *hasher; enumerator_t *enumerator; char *uri; 
@@ -2223,18 +2222,28 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, cert->notAfter = cert->notBefore + 60 * 60 * 24 * 365; } - /* select signature scheme */ - cert->algorithm = hasher_signature_algorithm_to_oid(digest_alg, - sign_key->get_type(sign_key)); - if (cert->algorithm == OID_UNKNOWN) + /* select signature scheme, if not already specified */ + if (!cert->scheme) + { + INIT(cert->scheme, + .scheme = signature_scheme_from_oid( + hasher_signature_algorithm_to_oid(digest_alg, + sign_key->get_type(sign_key))), + ); + } + if (cert->scheme->scheme == SIGN_UNKNOWN) + { + return FALSE; + } + if (!signature_params_build(cert->scheme, &sig_scheme)) { return FALSE; } - scheme = signature_scheme_from_oid(cert->algorithm); if (!cert->public_key->get_encoding(cert->public_key, PUBKEY_SPKI_ASN1_DER, &key_info)) { + chunk_free(&sig_scheme); return FALSE; } @@ -2559,10 +2568,10 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, ipAddrBlocks)); } - cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm", + cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmccmcmm", asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2), asn1_integer("c", cert->serialNumber), - asn1_algorithmIdentifier(cert->algorithm), + sig_scheme, issuer->get_encoding(issuer), asn1_wrap(ASN1_SEQUENCE, "mm", asn1_from_time(&cert->notBefore, ASN1_UTCTIME), 
@@ -2570,12 +2579,14 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, subject->get_encoding(subject), key_info, extensions); - if (!sign_key->sign(sign_key, scheme, cert->tbsCertificate, &cert->signature)) + if (!sign_key->sign(sign_key, cert->scheme->scheme, cert->scheme->params, + cert->tbsCertificate, &cert->signature)) { + chunk_free(&sig_scheme); return FALSE; } cert->encoding = asn1_wrap(ASN1_SEQUENCE, "cmm", cert->tbsCertificate, - asn1_algorithmIdentifier(cert->algorithm), + sig_scheme, asn1_bitstring("c", cert->signature)); hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); @@ -2639,7 +2650,7 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args) private_x509_cert_t *cert; certificate_t *sign_cert = NULL; private_key_t *sign_key = NULL; - hash_algorithm_t digest_alg = HASH_SHA1; + hash_algorithm_t digest_alg = HASH_SHA256; u_int constraint; cert = create_empty(); @@ -2831,6 +2842,10 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args) case BUILD_SERIAL: cert->serialNumber = chunk_clone(va_arg(args, chunk_t)); continue; + case BUILD_SIGNATURE_SCHEME: + cert->scheme = va_arg(args, signature_params_t*); + cert->scheme = signature_params_clone(cert->scheme); + continue; case BUILD_DIGEST_ALG: digest_alg = va_arg(args, int); continue; diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c index d8913ad73..699ac5a39 100644 --- a/src/libstrongswan/plugins/x509/x509_crl.c +++ b/src/libstrongswan/plugins/x509/x509_crl.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2014-2017 Tobias Brunner * Copyright (C) 2008-2009 Martin Willi * Copyright (C) 2017 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil @@ -121,9 +122,9 @@ struct private_x509_crl_t { chunk_t baseCrlNumber; /** - * Signature algorithm + * Signature scheme */ - int algorithm; + signature_params_t *scheme; /** * Signature 
@@ -225,7 +226,7 @@ static bool parse(private_x509_crl_t *this) chunk_t extnID = chunk_empty; chunk_t userCertificate = chunk_empty; int objectID; - int sig_alg = OID_UNKNOWN; + signature_params_t sig_alg = {}; bool success = FALSE; bool critical = FALSE; revoked_t *revoked = NULL; @@ -246,7 +247,11 @@ static bool parse(private_x509_crl_t *this) DBG2(DBG_ASN, " v%d", this->version); break; case CRL_OBJ_SIG_ALG: - sig_alg = asn1_parse_algorithmIdentifier(object, level, NULL); + if (!signature_params_parse(object, level, &sig_alg)) + { + DBG1(DBG_ASN, " unable to parse signature algorithm"); + goto end; + } break; case CRL_OBJ_ISSUER: this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object); @@ -342,8 +347,13 @@ static bool parse(private_x509_crl_t *this) } case CRL_OBJ_ALGORITHM: { - this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL); - if (this->algorithm != sig_alg) + INIT(this->scheme); + if (!signature_params_parse(object, level, this->scheme)) + { + DBG1(DBG_ASN, " unable to parse signature algorithm"); + goto end; + } + if (!signature_params_equal(this->scheme, &sig_alg)) { DBG1(DBG_ASN, " signature algorithms do not agree"); goto end; @@ -361,6 +371,7 @@ static bool parse(private_x509_crl_t *this) end: parser->destroy(parser); + signature_params_clear(&sig_alg); return success; } @@ -457,10 +468,10 @@ METHOD(certificate_t, has_issuer, id_match_t, } METHOD(certificate_t, issued_by, bool, - private_x509_crl_t *this, certificate_t *issuer, signature_scheme_t *schemep) + private_x509_crl_t *this, certificate_t *issuer, + signature_params_t **scheme) { public_key_t *key; - signature_scheme_t scheme; bool valid; x509_t *x509 = (x509_t*)issuer; chunk_t keyid = chunk_empty; 
@@ -492,21 +503,17 @@ METHOD(certificate_t, issued_by, bool, } } - scheme = signature_scheme_from_oid(this->algorithm); - if (scheme == SIGN_UNKNOWN) - { - return FALSE; - } key = issuer->get_public_key(issuer); if (!key) { return FALSE; } - valid = key->verify(key, scheme, this->tbsCertList, this->signature); + valid = key->verify(key, this->scheme->scheme, this->scheme->params, + this->tbsCertList, this->signature); key->destroy(key); - if (valid && schemep) + if (valid && scheme) { - *schemep = scheme; + *scheme = signature_params_clone(this->scheme); } return valid; } @@ -585,23 +592,15 @@ static void revoked_destroy(revoked_t *revoked) free(revoked); } -/** - * Destroy a CDP entry - */ -static void cdp_destroy(x509_cdp_t *this) -{ - free(this->uri); - DESTROY_IF(this->issuer); - free(this); -} - METHOD(certificate_t, destroy, void, private_x509_crl_t *this) { if (ref_put(&this->ref)) { this->revoked->destroy_function(this->revoked, (void*)revoked_destroy); - this->crl_uris->destroy_function(this->crl_uris, (void*)cdp_destroy); + this->crl_uris->destroy_function(this->crl_uris, + (void*)x509_cdp_destroy); + signature_params_destroy(this->scheme); DESTROY_IF(this->issuer); free(this->authKeyIdentifier.ptr); free(this->encoding.ptr); @@ -718,6 +717,7 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert, { chunk_t extensions = chunk_empty, certList = chunk_empty, serial; chunk_t crlDistributionPoints = chunk_empty, baseCrlNumber = chunk_empty; + chunk_t sig_scheme = chunk_empty; enumerator_t *enumerator; crl_reason_t reason; time_t date; 
@@ -730,10 +730,20 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert, this->authKeyIdentifier = chunk_clone(x509->get_subjectKeyIdentifier(x509)); - /* select signature scheme */ - this->algorithm = hasher_signature_algorithm_to_oid(digest_alg, - key->get_type(key)); - if (this->algorithm == OID_UNKNOWN) + /* select signature scheme, if not already specified */ + if (!this->scheme) + { + INIT(this->scheme, + .scheme = signature_scheme_from_oid( + hasher_signature_algorithm_to_oid(digest_alg, + key->get_type(key))), + ); + } + if (this->scheme->scheme == SIGN_UNKNOWN) + { + return FALSE; + } + if (!signature_params_build(this->scheme, &sig_scheme)) { return FALSE; } @@ -787,23 +797,24 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert, asn1_integer("c", this->crlNumber))), crlDistributionPoints, baseCrlNumber)); - this->tbsCertList = asn1_wrap(ASN1_SEQUENCE, "cmcmmmm", + this->tbsCertList = asn1_wrap(ASN1_SEQUENCE, "cccmmmm", ASN1_INTEGER_1, - asn1_algorithmIdentifier(this->algorithm), + sig_scheme, this->issuer->get_encoding(this->issuer), asn1_from_time(&this->thisUpdate, ASN1_UTCTIME), asn1_from_time(&this->nextUpdate, ASN1_UTCTIME), asn1_wrap(ASN1_SEQUENCE, "m", certList), extensions); - if (!key->sign(key, signature_scheme_from_oid(this->algorithm), + if (!key->sign(key, this->scheme->scheme, this->scheme->params, this->tbsCertList, &this->signature)) { + chunk_free(&sig_scheme); return FALSE; } this->encoding = asn1_wrap(ASN1_SEQUENCE, "cmm", this->tbsCertList, - asn1_algorithmIdentifier(this->algorithm), + sig_scheme, asn1_bitstring("c", this->signature)); return TRUE; } 
@@ -842,6 +853,10 @@ x509_crl_t *x509_crl_gen(certificate_type_t type, va_list args) crl->crlNumber = va_arg(args, chunk_t); crl->crlNumber = chunk_clone(crl->crlNumber); continue; + case BUILD_SIGNATURE_SCHEME: + crl->scheme = va_arg(args, signature_params_t*); + crl->scheme = signature_params_clone(crl->scheme); + continue; case BUILD_DIGEST_ALG: digest_alg = va_arg(args, int); continue; diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c index aef76af32..de22ab6be 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c @@ -276,7 +276,7 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this, return chunk_empty; } - if (!this->key->sign(this->key, scheme, tbsRequest, &signature)) + if (!this->key->sign(this->key, scheme, NULL, tbsRequest, &signature)) { DBG1(DBG_LIB, "creating OCSP signature failed, skipped"); return chunk_empty; @@ -372,7 +372,7 @@ METHOD(certificate_t, has_issuer, id_match_t, METHOD(certificate_t, issued_by, bool, private_x509_ocsp_request_t *this, certificate_t *issuer, - signature_scheme_t *scheme) + signature_params_t **scheme) { DBG1(DBG_LIB, "OCSP request validation not implemented!"); return FALSE; diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c index 140e9bfa9..aa4999cbd 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c @@ -1,4 +1,5 @@ -/** +/* + * Copyright (C) 2017 Tobias Brunner * Copyright (C) 2008-2009 Martin Willi * Copyright (C) 2007-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil @@ -63,9 +64,9 @@ struct private_x509_ocsp_response_t { chunk_t tbsResponseData; /** - * signature algorithm (OID) + * signature scheme */ - int signatureAlgorithm; + signature_params_t *scheme; /** * signature 
@@ -576,8 +577,13 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this, } break; case BASIC_RESPONSE_ALGORITHM: - this->signatureAlgorithm = asn1_parse_algorithmIdentifier(object, - parser->get_level(parser)+1, NULL); + INIT(this->scheme); + if (!signature_params_parse(object, parser->get_level(parser)+1, + this->scheme)) + { + DBG1(DBG_ASN, " unable to parse signature algorithm"); + goto end; + } break; case BASIC_RESPONSE_SIGNATURE: this->signature = chunk_skip(object, 1); @@ -703,10 +709,9 @@ METHOD(certificate_t, has_issuer, id_match_t, METHOD(certificate_t, issued_by, bool, private_x509_ocsp_response_t *this, certificate_t *issuer, - signature_scheme_t *schemep) + signature_params_t **scheme) { public_key_t *key; - signature_scheme_t scheme; bool valid; x509_t *x509 = (x509_t*)issuer; @@ -743,21 +748,17 @@ METHOD(certificate_t, issued_by, bool, return FALSE; } - /* get the public key of the issuer */ key = issuer->get_public_key(issuer); - - /* determine signature scheme */ - scheme = signature_scheme_from_oid(this->signatureAlgorithm); - - if (scheme == SIGN_UNKNOWN || key == NULL) + if (!key) { return FALSE; } - valid = key->verify(key, scheme, this->tbsResponseData, this->signature); + valid = key->verify(key, this->scheme->scheme, this->scheme->params, + this->tbsResponseData, this->signature); key->destroy(key); - if (valid && schemep) + if (valid && scheme) { - *schemep = scheme; + *scheme = signature_params_clone(this->scheme); } return valid; } @@ -839,6 +840,7 @@ METHOD(certificate_t, destroy, void, { this->certs->destroy_offset(this->certs, offsetof(certificate_t, destroy)); this->responses->destroy_function(this->responses, free); + signature_params_destroy(this->scheme); DESTROY_IF(this->responderId); free(this->encoding.ptr); free(this); 
@@ -879,7 +881,6 @@ static x509_ocsp_response_t *load(chunk_t blob) .producedAt = UNDEFINED_TIME, .usableUntil = UNDEFINED_TIME, .responses = linked_list_create(), - .signatureAlgorithm = OID_UNKNOWN, .certs = linked_list_create(), ); diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c index e39e24bff..587fbd5d6 100644 --- a/src/libstrongswan/plugins/x509/x509_pkcs10.c +++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c @@ -72,9 +72,9 @@ struct private_x509_pkcs10_t { chunk_t challengePassword; /** - * Signature algorithm + * Signature scheme */ - int algorithm; + signature_params_t *scheme; /** * Signature @@ -124,10 +124,9 @@ METHOD(certificate_t, has_subject, id_match_t, METHOD(certificate_t, issued_by, bool, private_x509_pkcs10_t *this, certificate_t *issuer, - signature_scheme_t *schemep) + signature_params_t **scheme) { public_key_t *key; - signature_scheme_t scheme; bool valid; if (&this->public.interface.interface != issuer) @@ -136,27 +135,22 @@ METHOD(certificate_t, issued_by, bool, } if (this->self_signed) { - return TRUE; + valid = TRUE; } - - /* determine signature scheme */ - scheme = signature_scheme_from_oid(this->algorithm); - if (scheme == SIGN_UNKNOWN) + else { - return FALSE; - } - - /* get the public key contained in the certificate request */ - key = this->public_key; - if (!key) - { - return FALSE; + /* get the public key contained in the certificate request */ + key = this->public_key; + if (!key) + { + return FALSE; + } + valid = key->verify(key, this->scheme->scheme, this->scheme->params, + this->certificationRequestInfo, this->signature); } - valid = key->verify(key, scheme, this->certificationRequestInfo, - this->signature); - if (valid && schemep) + if (valid && scheme) { - *schemep = scheme; + *scheme = signature_params_clone(this->scheme); } return valid; } 
@@ -410,7 +404,7 @@ static bool parse_certificate_request(private_x509_pkcs10_t *this) case PKCS10_SUBJECT_PUBLIC_KEY_INFO: this->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, BUILD_BLOB_ASN1_DER, object, BUILD_END); - if (this->public_key == NULL) + if (!this->public_key) { goto end; } @@ -438,7 +432,12 @@ static bool parse_certificate_request(private_x509_pkcs10_t *this) } break; case PKCS10_ALGORITHM: - this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL); + INIT(this->scheme); + if (!signature_params_parse(object, level, this->scheme)) + { + DBG1(DBG_ASN, " unable to parse signature algorithm"); + goto end; + } break; case PKCS10_SIGNATURE: this->signature = chunk_skip(object, 1); @@ -474,6 +473,7 @@ METHOD(certificate_t, destroy, void, { this->subjectAltNames->destroy_offset(this->subjectAltNames, offsetof(identification_t, destroy)); + signature_params_destroy(this->scheme); DESTROY_IF(this->subject); DESTROY_IF(this->public_key); chunk_free(&this->encoding); 
@@ -530,25 +530,34 @@ static bool generate(private_x509_pkcs10_t *cert, private_key_t *sign_key, { chunk_t key_info, subjectAltNames, attributes; chunk_t extensionRequest = chunk_empty; - chunk_t challengePassword = chunk_empty; - signature_scheme_t scheme; + chunk_t challengePassword = chunk_empty, sig_scheme = chunk_empty; identification_t *subject; subject = cert->subject; cert->public_key = sign_key->get_public_key(sign_key); - /* select signature scheme */ - cert->algorithm = hasher_signature_algorithm_to_oid(digest_alg, - sign_key->get_type(sign_key)); - if (cert->algorithm == OID_UNKNOWN) + /* select signature scheme, if not already specified */ + if (!cert->scheme) + { + INIT(cert->scheme, + .scheme = signature_scheme_from_oid( + hasher_signature_algorithm_to_oid(digest_alg, + sign_key->get_type(sign_key))), + ); + } + if (cert->scheme->scheme == SIGN_UNKNOWN) + { + return FALSE; + } + if (!signature_params_build(cert->scheme, &sig_scheme)) { return FALSE; } - scheme = signature_scheme_from_oid(cert->algorithm); if (!cert->public_key->get_encoding(cert->public_key, PUBKEY_SPKI_ASN1_DER, &key_info)) { + chunk_free(&sig_scheme); return FALSE; } @@ -584,15 +593,16 @@ static bool generate(private_x509_pkcs10_t *cert, private_key_t *sign_key, key_info, attributes); - if (!sign_key->sign(sign_key, scheme, cert->certificationRequestInfo, - &cert->signature)) + if (!sign_key->sign(sign_key, cert->scheme->scheme, cert->scheme->params, + cert->certificationRequestInfo, &cert->signature)) { + chunk_free(&sig_scheme); return FALSE; } cert->encoding = asn1_wrap(ASN1_SEQUENCE, "cmm", cert->certificationRequestInfo, - asn1_algorithmIdentifier(cert->algorithm), + sig_scheme, asn1_bitstring("c", cert->signature)); return TRUE; } 
@@ -674,6 +684,10 @@ x509_pkcs10_t *x509_pkcs10_gen(certificate_type_t type, va_list args) case BUILD_CHALLENGE_PWD: cert->challengePassword = chunk_clone(va_arg(args, chunk_t)); continue; + case BUILD_SIGNATURE_SCHEME: + cert->scheme = va_arg(args, signature_params_t*); + cert->scheme = signature_params_clone(cert->scheme); + continue; case BUILD_DIGEST_ALG: digest_alg = va_arg(args, int); continue; diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in index d5d47694f..3a39037bc 100644 --- a/src/libstrongswan/plugins/xcbc/Makefile.in +++ b/src/libstrongswan/plugins/xcbc/Makefile.in @@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libstrongswan/processing/watcher.c b/src/libstrongswan/processing/watcher.c index df6066b19..4466e91eb 100644 --- a/src/libstrongswan/processing/watcher.c +++ b/src/libstrongswan/processing/watcher.c @@ -513,6 +513,7 @@ METHOD(watcher_t, remove_, void, private_watcher_t *this, int fd) { entry_t *entry, *prev = NULL; + bool found = FALSE; this->mutex->lock(this->mutex); while (TRUE) @@ -530,6 +531,7 @@ METHOD(watcher_t, remove_, void, break; } entry = remove_entry(this, entry, prev); + found = TRUE; continue; } prev = entry; @@ -541,8 +543,10 @@ METHOD(watcher_t, remove_, void, } this->condvar->wait(this->condvar, this->mutex); } - - update(this); + if (found) + { + update(this); + } this->mutex->unlock(this->mutex); } diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c index 0653b955b..12f160224 100644 --- a/src/libstrongswan/selectors/traffic_selector.c +++ b/src/libstrongswan/selectors/traffic_selector.c 
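Review bot: The `BUILD_SIGNATURE_SCHEME` case stores the caller's borrowed pointer in `cert->scheme` and only then replaces it with the clone, and a builder call that passes this part twice would overwrite the first clone without releasing it. Cloning directly avoids the intermediate state: `signature_params_destroy(cert->scheme);` followed by `cert->scheme = signature_params_clone(va_arg(args, signature_params_t*));`. This assumes `signature_params_destroy()` accepts NULL, as its unconditional use in the `destroy` hunks suggests. The surrounding switch starts outside the hunk.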
@@ -25,6 +25,10 @@ #include #include +#define IPV4_LEN 4 +#define IPV6_LEN 16 +#define TS_IP_LEN(this) ({ ((this)->type == TS_IPV4_ADDR_RANGE) ? IPV4_LEN : IPV6_LEN; }) + #define NON_SUBNET_ADDRESS_RANGE 255 ENUM(ts_type_name, TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE, @@ -68,26 +72,12 @@ struct private_traffic_selector_t { /** * begin of address range, network order */ - union { - /** dummy char for common address manipulation */ - char from[0]; - /** IPv4 address */ - uint32_t from4[1]; - /** IPv6 address */ - uint32_t from6[4]; - }; + char from[IPV6_LEN]; /** * end of address range, network order */ - union { - /** dummy char for common address manipulation */ - char to[0]; - /** IPv4 address */ - uint32_t to4[1]; - /** IPv6 address */ - uint32_t to6[4]; - }; + char to[IPV6_LEN]; /** * begin of port range @@ -111,7 +101,7 @@ static void calc_range(private_traffic_selector_t *this, uint8_t netbits) this->netbits = netbits; - len = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16; + len = TS_IP_LEN(this); bytes = (netbits + 7)/8; bits = (bytes * 8) - netbits; mask = bits ? (1 << bits) - 1 : 0; @@ -130,7 +120,7 @@ static uint8_t calc_netbits(private_traffic_selector_t *this) { int byte, bit; uint8_t netbits; - size_t size = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16; + size_t size = TS_IP_LEN(this); bool prefix = TRUE; /* a perfect match results in a single address with a /32 or /128 netmask */ @@ -221,8 +211,8 @@ int traffic_selector_printf_hook(printf_hook_data_t *data, char to_str[INET6_ADDRSTRLEN] = ""; char *serv_proto = NULL, *sep = ""; bool has_proto, has_ports; - size_t written = 0; - uint32_t from[4], to[4]; + size_t written = 0, len; + char from[IPV6_LEN], to[IPV6_LEN]; if (this == NULL) { 
@@ -241,11 +231,11 @@ int traffic_selector_printf_hook(printf_hook_data_t *data, return written; } - memset(from, 0, sizeof(from)); - memset(to, 0xFF, sizeof(to)); + len = TS_IP_LEN(this); + memset(from, 0, len); + memset(to, 0xFF, len); if (this->dynamic && - memeq(this->from, from, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16) && - memeq(this->to, to, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16)) + memeq(this->from, from, len) && memeq(this->to, to, len)) { written += print_in_hook(data, "dynamic"); } @@ -253,21 +243,21 @@ int traffic_selector_printf_hook(printf_hook_data_t *data, { if (this->type == TS_IPV4_ADDR_RANGE) { - inet_ntop(AF_INET, &this->from4, from_str, sizeof(from_str)); + inet_ntop(AF_INET, &this->from, from_str, sizeof(from_str)); } else { - inet_ntop(AF_INET6, &this->from6, from_str, sizeof(from_str)); + inet_ntop(AF_INET6, &this->from, from_str, sizeof(from_str)); } if (this->netbits == NON_SUBNET_ADDRESS_RANGE) { if (this->type == TS_IPV4_ADDR_RANGE) { - inet_ntop(AF_INET, &this->to4, to_str, sizeof(to_str)); + inet_ntop(AF_INET, &this->to, to_str, sizeof(to_str)); } else { - inet_ntop(AF_INET6, &this->to6, to_str, sizeof(to_str)); + inet_ntop(AF_INET6, &this->to, to_str, sizeof(to_str)); } written += print_in_hook(data, "%s..%s", from_str, to_str); } @@ -377,17 +367,6 @@ METHOD(traffic_selector_t, get_subset, traffic_selector_t*, { return NULL; } - switch (this->type) - { - case TS_IPV4_ADDR_RANGE: - size = sizeof(this->from4); - break; - case TS_IPV6_ADDR_RANGE: - size = sizeof(this->from6); - break; - default: - return NULL; - } if (this->protocol != other->protocol && this->protocol != 0 && other->protocol != 0) @@ -414,6 +393,7 @@ METHOD(traffic_selector_t, get_subset, traffic_selector_t*, return NULL; } } + size = TS_IP_LEN(this); /* get higher from-address */ if (memcmp(this->from, other->from, size) > 0) { 
@@ -456,29 +436,13 @@ METHOD(traffic_selector_t, equals, bool, METHOD(traffic_selector_t, get_from_address, chunk_t, private_traffic_selector_t *this) { - switch (this->type) - { - case TS_IPV4_ADDR_RANGE: - return chunk_create(this->from, sizeof(this->from4)); - case TS_IPV6_ADDR_RANGE: - return chunk_create(this->from, sizeof(this->from6)); - default: - return chunk_empty; - } + return chunk_create(this->from, TS_IP_LEN(this)); } METHOD(traffic_selector_t, get_to_address, chunk_t, private_traffic_selector_t *this) { - switch (this->type) - { - case TS_IPV4_ADDR_RANGE: - return chunk_create(this->to, sizeof(this->to4)); - case TS_IPV6_ADDR_RANGE: - return chunk_create(this->to, sizeof(this->to6)); - default: - return chunk_empty; - } + return chunk_create(this->to, TS_IP_LEN(this)); } METHOD(traffic_selector_t, get_from_port, uint16_t, @@ -526,7 +490,7 @@ METHOD(traffic_selector_t, is_host, bool, } else { - size_t length = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16; + size_t length = TS_IP_LEN(this); if (this->dynamic) { @@ -555,8 +519,8 @@ METHOD(traffic_selector_t, set_address, void, if (host->is_anyaddr(host)) { - memset(this->from6, 0x00, sizeof(this->from6)); - memset(this->to6, 0xFF, sizeof(this->to6)); + memset(this->from, 0x00, sizeof(this->from)); + memset(this->to, 0xFF, sizeof(this->to)); this->netbits = 0; } else @@ -624,11 +588,11 @@ METHOD(traffic_selector_t, to_subnet, bool, { case TS_IPV4_ADDR_RANGE: family = AF_INET; - net_chunk.len = sizeof(this->from4); + net_chunk.len = IPV4_LEN; break; case TS_IPV6_ADDR_RANGE: family = AF_INET6; - net_chunk.len = sizeof(this->from6); + net_chunk.len = IPV6_LEN; break; default: /* unreachable */ 
@@ -659,26 +623,16 @@ METHOD(traffic_selector_t, clone_, traffic_selector_t*, private_traffic_selector_t *this) { private_traffic_selector_t *clone; + size_t len = TS_IP_LEN(this); clone = traffic_selector_create(this->protocol, this->type, this->from_port, this->to_port); clone->netbits = this->netbits; clone->dynamic = this->dynamic; - switch (clone->type) - { - case TS_IPV4_ADDR_RANGE: - memcpy(clone->from4, this->from4, sizeof(this->from4)); - memcpy(clone->to4, this->to4, sizeof(this->to4)); - return &clone->public; - case TS_IPV6_ADDR_RANGE: - memcpy(clone->from6, this->from6, sizeof(this->from6)); - memcpy(clone->to6, this->to6, sizeof(this->to6)); - return &clone->public; - default: - /* unreachable */ - return &clone->public; - } + memcpy(clone->from, this->from, len); + memcpy(clone->to, this->to, len); + return &clone->public; } METHOD(traffic_selector_t, hash, u_int, @@ -713,6 +667,7 @@ int traffic_selector_cmp(traffic_selector_t *a_pub, traffic_selector_t *b_pub, void *opts) { private_traffic_selector_t *a, *b; + size_t len; int res; a = (private_traffic_selector_t*)a_pub; 
@@ -724,36 +679,18 @@ int traffic_selector_cmp(traffic_selector_t *a_pub, traffic_selector_t *b_pub, { return res; } - switch (a->type) + len = TS_IP_LEN(a); + /* lower starting subnets first */ + res = memcmp(a->from, b->from, len); + if (res) { - case TS_IPV4_ADDR_RANGE: - /* lower starting subnets first */ - res = memcmp(a->from4, b->from4, sizeof(a->from4)); - if (res) - { - return res; - } - /* larger subnets first */ - res = memcmp(b->to4, a->to4, sizeof(a->to4)); - if (res) - { - return res; - } - break; - case TS_IPV6_ADDR_RANGE: - res = memcmp(a->from6, b->from6, sizeof(a->from6)); - if (res) - { - return res; - } - res = memcmp(b->to6, a->to6, sizeof(a->to6)); - if (res) - { - return res; - } - break; - default: - return 1; + return res; + } + /* larger subnets first */ + res = memcmp(b->to, a->to, len); + if (res) + { + return res; } /* lower protocols first */ res = compare_int(a->protocol, b->protocol); @@ -782,32 +719,19 @@ traffic_selector_t *traffic_selector_create_from_bytes(uint8_t protocol, private_traffic_selector_t *this = traffic_selector_create(protocol, type, from_port, to_port); - switch (type) + if (!this) { - case TS_IPV4_ADDR_RANGE: - if (from.len != 4 || to.len != 4) - { - free(this); - return NULL; - } - memcpy(this->from4, from.ptr, from.len); - memcpy(this->to4, to.ptr, to.len); - break; - case TS_IPV6_ADDR_RANGE: - if (from.len != 16 || to.len != 16) - { - free(this); - return NULL; - } - memcpy(this->from6, from.ptr, from.len); - memcpy(this->to6, to.ptr, to.len); - break; - default: - free(this); - return NULL; + return NULL; } + if (from.len != to.len || from.len != TS_IP_LEN(this)) + { + free(this); + return NULL; + } + memcpy(this->from, from.ptr, from.len); + memcpy(this->to, to.ptr, to.len); calc_netbits(this); - return (&this->public); + return &this->public; } /* 
@@ -816,21 +740,15 @@ traffic_selector_t *traffic_selector_create_from_bytes(uint8_t protocol, traffic_selector_t *traffic_selector_create_from_rfc3779_format(ts_type_t type, chunk_t from, chunk_t to) { - size_t len; private_traffic_selector_t *this = traffic_selector_create(0, type, 0, 65535); + size_t len; - switch (type) + if (!this) { - case TS_IPV4_ADDR_RANGE: - len = 4; - break; - case TS_IPV6_ADDR_RANGE: - len = 16; - break; - default: - free(this); - return NULL; + return NULL; } + len = TS_IP_LEN(this); + memset(this->from, 0x00, len); memset(this->to , 0xff, len); @@ -846,7 +764,7 @@ traffic_selector_t *traffic_selector_create_from_rfc3779_format(ts_type_t type, this->to[to.len-2] |= mask; } calc_netbits(this); - return (&this->public); + return &this->public; } /* @@ -857,29 +775,29 @@ traffic_selector_t *traffic_selector_create_from_subnet(host_t *net, uint16_t from_port, uint16_t to_port) { private_traffic_selector_t *this; + ts_type_t type; chunk_t from; - this = traffic_selector_create(protocol, 0, from_port, to_port); - switch (net->get_family(net)) { case AF_INET: - this->type = TS_IPV4_ADDR_RANGE; + type = TS_IPV4_ADDR_RANGE; break; case AF_INET6: - this->type = TS_IPV6_ADDR_RANGE; + type = TS_IPV6_ADDR_RANGE; break; default: net->destroy(net); - free(this); return NULL; } + + this = traffic_selector_create(protocol, type, from_port, to_port); + from = net->get_address(net); memcpy(this->from, from.ptr, from.len); - netbits = min(netbits, this->type == TS_IPV4_ADDR_RANGE ? 32 : 128); + netbits = min(netbits, TS_IP_LEN(this) * 8); calc_range(this, netbits); net->destroy(net); - return &this->public; } @@ -914,7 +832,6 @@ traffic_selector_t *traffic_selector_create_from_string( free(this); return NULL; } - calc_netbits(this); return &this->public; } 
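Review bot: In `traffic_selector_create_from_rfc3779_format`, `len` is now derived from the type but the visible lines never compare `from.len` or `to.len` with it, and `this->to[to.len-2] |= mask;` indexes the fixed `char to[IPV6_LEN]` array by a caller-supplied length. The copies themselves sit between the two hunks, so a bound may exist there or in the caller; if it does not, an oversized chunk writes past the 16-byte buffers. Rejecting it up front would match the check added to `traffic_selector_create_from_bytes`: `if (from.len > len + 1 || to.len > len + 1) { free(this); return NULL; }` (one leading byte plus at most `len` address bytes, assuming the first byte is the unused-bits count).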
@@ -947,8 +864,8 @@ traffic_selector_t *traffic_selector_create_dynamic(uint8_t protocol, private_traffic_selector_t *this = traffic_selector_create( protocol, TS_IPV4_ADDR_RANGE, from_port, to_port); - memset(this->from6, 0, sizeof(this->from6)); - memset(this->to6, 0xFF, sizeof(this->to6)); + memset(this->from, 0, sizeof(this->from)); + memset(this->to, 0xFF, sizeof(this->to)); this->netbits = 0; this->dynamic = TRUE; @@ -963,6 +880,12 @@ static private_traffic_selector_t *traffic_selector_create(uint8_t protocol, { private_traffic_selector_t *this; + /* sanity check */ + if (type != TS_IPV4_ADDR_RANGE && type != TS_IPV6_ADDR_RANGE) + { + return NULL; + } + INIT(this, .public = { .get_subset = _get_subset, diff --git a/src/libstrongswan/settings/settings.c b/src/libstrongswan/settings/settings.c index 2a92d523b..c618d8837 100644 --- a/src/libstrongswan/settings/settings.c +++ b/src/libstrongswan/settings/settings.c @@ -494,11 +494,12 @@ inline bool settings_value_as_bool(char *value, bool def) } METHOD(settings_t, get_bool, bool, - private_settings_t *this, char *key, bool def, ...) + private_settings_t *this, char *key, int def, ...) { char *value; va_list args; + /* we can't use bool for def due to this call */ va_start(args, def); value = find_value(this, this->top, key, args); va_end(args); 
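Review bot: `traffic_selector_create` can now return NULL, but the function has no comment saying so, and `TS_IP_LEN` treats every type other than `TS_IPV4_ADDR_RANGE` as 16 bytes, so this check is what keeps the macro sound. `traffic_selector_create_from_bytes` and `traffic_selector_create_from_rfc3779_format` test the result, while `clone_`, `traffic_selector_create_from_subnet` and `traffic_selector_create_dynamic` dereference it directly, relying on the type being one of the two valid values. I would document that in the function's header comment, e.g. `@return new selector, NULL if type is neither TS_IPV4_ADDR_RANGE nor TS_IPV6_ADDR_RANGE`, and replace `/* sanity check */` with a line naming the invariant. The function body continues outside the hunk.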
@@ -604,41 +605,11 @@ METHOD(settings_t, get_double, double, */ inline uint32_t settings_value_as_time(char *value, uint32_t def) { - char *endptr; - uint32_t timeval; - if (value) + time_t val; + + if (timespan_from_string(value, NULL, &val)) { - errno = 0; - timeval = strtoul(value, &endptr, 10); - if (endptr == value) - { - return def; - } - if (errno == 0) - { - while (isspace(*endptr)) - { - endptr++; - } - switch (*endptr) - { - case 'd': /* time in days */ - timeval *= 24 * 3600; - break; - case 'h': /* time in hours */ - timeval *= 3600; - break; - case 'm': /* time in minutes */ - timeval *= 60; - break; - case 's': /* time in seconds */ - case '\0': - break; - default: - return def; - } - return timeval; - } + return val; } return def; } @@ -665,9 +636,10 @@ METHOD(settings_t, set_str, void, } METHOD(settings_t, set_bool, void, - private_settings_t *this, char *key, bool value, ...) + private_settings_t *this, char *key, int value, ...) { va_list args; + /* we can't use bool for value due to this call */ va_start(args, value); set_value(this, this->top, key, args, value ? "1" : "0"); va_end(args); diff --git a/src/libstrongswan/settings/settings.h b/src/libstrongswan/settings/settings.h index eec5ece6c..28cde4876 100644 --- a/src/libstrongswan/settings/settings.h +++ b/src/libstrongswan/settings/settings.h @@ -173,7 +173,7 @@ struct settings_t { * @param ... argument list for key * @return value of the key */ - bool (*get_bool)(settings_t *this, char *key, bool def, ...); + bool (*get_bool)(settings_t *this, char *key, int def, ...); /** * Get an integer value. @@ -221,7 +221,7 @@ struct settings_t { * @param value value to set * @param ... argument list for key */ - void (*set_bool)(settings_t *this, char *key, bool value, ...); + void (*set_bool)(settings_t *this, char *key, int value, ...); /** * Set an integer value. diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am index 0231c1c14..07f5eb5f2 100644 
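Review bot: `settings_value_as_time` now returns a `time_t` through a `uint32_t` return type, so on platforms with a 64-bit `time_t` a large configured value (for example a day count whose product exceeds 32 bits) is truncated silently instead of falling back to `def`. The removed code had the same wrap in its multiplications, but the rewrite is the place to close it: `if (timespan_from_string(value, NULL, &val) && val >= 0 && (uint64_t)val <= UINT32_MAX)`. The old `if (value)` guard is also gone, so this relies on `timespan_from_string()` accepting a NULL string, which the hunk does not show.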
--- a/src/libstrongswan/tests/Makefile.am +++ b/src/libstrongswan/tests/Makefile.am @@ -15,11 +15,11 @@ libtest_la_LIBADD = \ $(PTHREADLIB) $(ATOMICLIB) -TESTS = tests +TESTS = libstrongswan_tests check_PROGRAMS = $(TESTS) -tests_SOURCES = tests.h tests.c \ +libstrongswan_tests_SOURCES = tests.h tests.c \ suites/test_linked_list.c \ suites/test_enumerator.c \ suites/test_linked_list_enumerator.c \ @@ -56,16 +56,17 @@ tests_SOURCES = tests.h tests.c \ suites/test_test_rng.c \ suites/test_mgf1.c \ suites/test_ntru.c \ - suites/test_ed25519.c + suites/test_ed25519.c \ + suites/test_signature_params.c -tests_CFLAGS = \ +libstrongswan_tests_CFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libstrongswan/tests \ -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \ -DPLUGINS=\""${s_plugins}\"" \ @COVERAGE_CFLAGS@ -tests_LDFLAGS = @COVERAGE_LDFLAGS@ -tests_LDADD = \ +libstrongswan_tests_LDFLAGS = @COVERAGE_LDFLAGS@ +libstrongswan_tests_LDADD = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ libtest.la diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in index ce0ad3772..f8f8ce83e 100644 --- a/src/libstrongswan/tests/Makefile.in +++ b/src/libstrongswan/tests/Makefile.in @@ -87,7 +87,7 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -TESTS = tests$(EXEEXT) +TESTS = libstrongswan_tests$(EXEEXT) check_PROGRAMS = $(am__EXEEXT_1) subdir = src/libstrongswan/tests ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 
@@ -123,51 +123,53 @@ am__v_lt_1 = libtest_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(libtest_la_CFLAGS) \ $(CFLAGS) $(libtest_la_LDFLAGS) $(LDFLAGS) -o $@ -am__EXEEXT_1 = tests$(EXEEXT) -am_tests_OBJECTS = tests-tests.$(OBJEXT) \ - suites/tests-test_linked_list.$(OBJEXT) \ - suites/tests-test_enumerator.$(OBJEXT) \ - suites/tests-test_linked_list_enumerator.$(OBJEXT) \ - suites/tests-test_bio_reader.$(OBJEXT) \ - suites/tests-test_bio_writer.$(OBJEXT) \ - suites/tests-test_chunk.$(OBJEXT) \ - suites/tests-test_enum.$(OBJEXT) \ - suites/tests-test_hashtable.$(OBJEXT) \ - suites/tests-test_identification.$(OBJEXT) \ - suites/tests-test_traffic_selector.$(OBJEXT) \ - suites/tests-test_threading.$(OBJEXT) \ - suites/tests-test_process.$(OBJEXT) \ - suites/tests-test_watcher.$(OBJEXT) \ - suites/tests-test_stream.$(OBJEXT) \ - suites/tests-test_fetch_http.$(OBJEXT) \ - suites/tests-test_utils.$(OBJEXT) \ - suites/tests-test_settings.$(OBJEXT) \ - suites/tests-test_vectors.$(OBJEXT) \ - suites/tests-test_array.$(OBJEXT) \ - suites/tests-test_ecdsa.$(OBJEXT) \ - suites/tests-test_rsa.$(OBJEXT) \ - suites/tests-test_certpolicy.$(OBJEXT) \ - suites/tests-test_certnames.$(OBJEXT) \ - suites/tests-test_host.$(OBJEXT) \ - suites/tests-test_auth_cfg.$(OBJEXT) \ - suites/tests-test_hasher.$(OBJEXT) \ - suites/tests-test_crypter.$(OBJEXT) \ - suites/tests-test_crypto_factory.$(OBJEXT) \ - suites/tests-test_iv_gen.$(OBJEXT) \ - suites/tests-test_pen.$(OBJEXT) \ - suites/tests-test_asn1.$(OBJEXT) \ - suites/tests-test_asn1_parser.$(OBJEXT) \ - suites/tests-test_printf.$(OBJEXT) \ - suites/tests-test_test_rng.$(OBJEXT) \ - suites/tests-test_mgf1.$(OBJEXT) \ - suites/tests-test_ntru.$(OBJEXT) \ - suites/tests-test_ed25519.$(OBJEXT) -tests_OBJECTS = $(am_tests_OBJECTS) -tests_DEPENDENCIES = \ +am__EXEEXT_1 = libstrongswan_tests$(EXEEXT) +am_libstrongswan_tests_OBJECTS = libstrongswan_tests-tests.$(OBJEXT) \ + 
suites/libstrongswan_tests-test_linked_list.$(OBJEXT) \ + suites/libstrongswan_tests-test_enumerator.$(OBJEXT) \ + suites/libstrongswan_tests-test_linked_list_enumerator.$(OBJEXT) \ + suites/libstrongswan_tests-test_bio_reader.$(OBJEXT) \ + suites/libstrongswan_tests-test_bio_writer.$(OBJEXT) \ + suites/libstrongswan_tests-test_chunk.$(OBJEXT) \ + suites/libstrongswan_tests-test_enum.$(OBJEXT) \ + suites/libstrongswan_tests-test_hashtable.$(OBJEXT) \ + suites/libstrongswan_tests-test_identification.$(OBJEXT) \ + suites/libstrongswan_tests-test_traffic_selector.$(OBJEXT) \ + suites/libstrongswan_tests-test_threading.$(OBJEXT) \ + suites/libstrongswan_tests-test_process.$(OBJEXT) \ + suites/libstrongswan_tests-test_watcher.$(OBJEXT) \ + suites/libstrongswan_tests-test_stream.$(OBJEXT) \ + suites/libstrongswan_tests-test_fetch_http.$(OBJEXT) \ + suites/libstrongswan_tests-test_utils.$(OBJEXT) \ + suites/libstrongswan_tests-test_settings.$(OBJEXT) \ + suites/libstrongswan_tests-test_vectors.$(OBJEXT) \ + suites/libstrongswan_tests-test_array.$(OBJEXT) \ + suites/libstrongswan_tests-test_ecdsa.$(OBJEXT) \ + suites/libstrongswan_tests-test_rsa.$(OBJEXT) \ + suites/libstrongswan_tests-test_certpolicy.$(OBJEXT) \ + suites/libstrongswan_tests-test_certnames.$(OBJEXT) \ + suites/libstrongswan_tests-test_host.$(OBJEXT) \ + suites/libstrongswan_tests-test_auth_cfg.$(OBJEXT) \ + suites/libstrongswan_tests-test_hasher.$(OBJEXT) \ + suites/libstrongswan_tests-test_crypter.$(OBJEXT) \ + suites/libstrongswan_tests-test_crypto_factory.$(OBJEXT) \ + suites/libstrongswan_tests-test_iv_gen.$(OBJEXT) \ + suites/libstrongswan_tests-test_pen.$(OBJEXT) \ + suites/libstrongswan_tests-test_asn1.$(OBJEXT) \ + suites/libstrongswan_tests-test_asn1_parser.$(OBJEXT) \ + suites/libstrongswan_tests-test_printf.$(OBJEXT) \ + suites/libstrongswan_tests-test_test_rng.$(OBJEXT) \ + suites/libstrongswan_tests-test_mgf1.$(OBJEXT) \ + suites/libstrongswan_tests-test_ntru.$(OBJEXT) \ + 
suites/libstrongswan_tests-test_ed25519.$(OBJEXT) \ + suites/libstrongswan_tests-test_signature_params.$(OBJEXT) +libstrongswan_tests_OBJECTS = $(am_libstrongswan_tests_OBJECTS) +libstrongswan_tests_DEPENDENCIES = \ $(top_builddir)/src/libstrongswan/libstrongswan.la libtest.la -tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=link $(CCLD) $(tests_CFLAGS) $(CFLAGS) \ - $(tests_LDFLAGS) $(LDFLAGS) -o $@ +libstrongswan_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(libstrongswan_tests_CFLAGS) $(CFLAGS) \ + $(libstrongswan_tests_LDFLAGS) $(LDFLAGS) -o $@ AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -202,8 +204,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = $(libtest_la_SOURCES) $(tests_SOURCES) -DIST_SOURCES = $(libtest_la_SOURCES) $(tests_SOURCES) +SOURCES = $(libtest_la_SOURCES) $(libstrongswan_tests_SOURCES) +DIST_SOURCES = $(libtest_la_SOURCES) $(libstrongswan_tests_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -285,9 +287,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -503,7 +507,7 @@ libtest_la_LIBADD = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ $(PTHREADLIB) $(ATOMICLIB) -tests_SOURCES = tests.h tests.c \ +libstrongswan_tests_SOURCES = tests.h tests.c \ suites/test_linked_list.c \ suites/test_enumerator.c \ suites/test_linked_list_enumerator.c \ 
@@ -540,17 +544,18 @@ tests_SOURCES = tests.h tests.c \ suites/test_test_rng.c \ suites/test_mgf1.c \ suites/test_ntru.c \ - suites/test_ed25519.c + suites/test_ed25519.c \ + suites/test_signature_params.c -tests_CFLAGS = \ +libstrongswan_tests_CFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libstrongswan/tests \ -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \ -DPLUGINS=\""${s_plugins}\"" \ @COVERAGE_CFLAGS@ -tests_LDFLAGS = @COVERAGE_LDFLAGS@ -tests_LDADD = \ +libstrongswan_tests_LDFLAGS = @COVERAGE_LDFLAGS@ +libstrongswan_tests_LDADD = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ libtest.la 
@@ -624,84 +629,86 @@ suites/$(am__dirstamp): suites/$(DEPDIR)/$(am__dirstamp): @$(MKDIR_P) suites/$(DEPDIR) @: > suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_linked_list.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_enumerator.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_linked_list_enumerator.$(OBJEXT): \ +suites/libstrongswan_tests-test_linked_list.$(OBJEXT): \ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_bio_reader.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_bio_writer.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_chunk.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_enum.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_hashtable.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_identification.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_traffic_selector.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_threading.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_process.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_watcher.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_stream.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_fetch_http.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_utils.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_settings.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_vectors.$(OBJEXT): suites/$(am__dirstamp) \ - 
suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_array.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_ecdsa.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_rsa.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_certpolicy.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_certnames.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_host.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_auth_cfg.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_hasher.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_crypter.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_crypto_factory.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_iv_gen.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_pen.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_asn1.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_asn1_parser.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_printf.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_test_rng.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_mgf1.$(OBJEXT): suites/$(am__dirstamp) \ - suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_ntru.$(OBJEXT): suites/$(am__dirstamp) \ +suites/libstrongswan_tests-test_enumerator.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_linked_list_enumerator.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) 
+suites/libstrongswan_tests-test_bio_reader.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_bio_writer.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_chunk.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_enum.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_hashtable.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_identification.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_traffic_selector.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_threading.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_process.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_watcher.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_stream.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_fetch_http.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_utils.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_settings.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_vectors.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_array.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_ecdsa.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_rsa.$(OBJEXT): suites/$(am__dirstamp) \ 
suites/$(DEPDIR)/$(am__dirstamp) -suites/tests-test_ed25519.$(OBJEXT): suites/$(am__dirstamp) \ +suites/libstrongswan_tests-test_certpolicy.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_certnames.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_host.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_auth_cfg.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_hasher.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_crypter.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_crypto_factory.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_iv_gen.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_pen.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_asn1.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_asn1_parser.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_printf.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_test_rng.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_mgf1.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_ntru.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_ed25519.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_signature_params.$(OBJEXT): \ + suites/$(am__dirstamp) 
suites/$(DEPDIR)/$(am__dirstamp) -tests$(EXEEXT): $(tests_OBJECTS) $(tests_DEPENDENCIES) $(EXTRA_tests_DEPENDENCIES) - @rm -f tests$(EXEEXT) - $(AM_V_CCLD)$(tests_LINK) $(tests_OBJECTS) $(tests_LDADD) $(LIBS) +libstrongswan_tests$(EXEEXT): $(libstrongswan_tests_OBJECTS) $(libstrongswan_tests_DEPENDENCIES) $(EXTRA_libstrongswan_tests_DEPENDENCIES) + @rm -f libstrongswan_tests$(EXEEXT) + $(AM_V_CCLD)$(libstrongswan_tests_LINK) $(libstrongswan_tests_OBJECTS) $(libstrongswan_tests_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) 
@@ -712,46 +719,47 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libstrongswan_tests-tests.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libtest_la-test_runner.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libtest_la-test_suite.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tests-tests.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_array.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_asn1.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_asn1_parser.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_auth_cfg.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_bio_reader.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_bio_writer.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_certnames.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_certpolicy.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_chunk.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_crypter.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_crypto_factory.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_ecdsa.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_ed25519.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_enum.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_enumerator.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_fetch_http.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_hasher.Po@am__quote@ -@AMDEP_TRUE@@am__include@ 
@am__quote@suites/$(DEPDIR)/tests-test_hashtable.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_host.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_identification.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_iv_gen.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_linked_list.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_linked_list_enumerator.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_mgf1.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_ntru.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_pen.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_printf.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_process.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_rsa.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_settings.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_stream.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_test_rng.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_threading.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_traffic_selector.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_utils.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_vectors.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_watcher.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_array.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_asn1.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_asn1_parser.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_auth_cfg.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_bio_reader.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_bio_writer.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_certnames.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_certpolicy.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_chunk.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_crypter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_ecdsa.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_ed25519.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_enum.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_enumerator.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_fetch_http.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_hasher.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_hashtable.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_host.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_identification.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_iv_gen.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_linked_list.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_linked_list_enumerator.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_mgf1.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_ntru.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_pen.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_printf.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_process.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_rsa.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_settings.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_stream.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_test_rng.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_threading.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_traffic_selector.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_vectors.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_watcher.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/libtest_la-test_rng.Plo@am__quote@ .c.o: 
@@ -799,537 +807,551 @@ utils/libtest_la-test_rng.lo: utils/test_rng.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o utils/libtest_la-test_rng.lo `test -f 'utils/test_rng.c' || echo '$(srcdir)/'`utils/test_rng.c -tests-tests.o: tests.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-tests.o -MD -MP -MF $(DEPDIR)/tests-tests.Tpo -c -o tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tests-tests.Tpo $(DEPDIR)/tests-tests.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests.c' object='tests-tests.o' libtool=no @AMDEPBACKSLASH@ +libstrongswan_tests-tests.o: tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT libstrongswan_tests-tests.o -MD -MP -MF $(DEPDIR)/libstrongswan_tests-tests.Tpo -c -o libstrongswan_tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libstrongswan_tests-tests.Tpo $(DEPDIR)/libstrongswan_tests-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests.c' object='libstrongswan_tests-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o libstrongswan_tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c + +libstrongswan_tests-tests.obj: tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT libstrongswan_tests-tests.obj -MD -MP -MF $(DEPDIR)/libstrongswan_tests-tests.Tpo -c -o libstrongswan_tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libstrongswan_tests-tests.Tpo $(DEPDIR)/libstrongswan_tests-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests.c' object='libstrongswan_tests-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o libstrongswan_tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi` + +suites/libstrongswan_tests-test_linked_list.o: suites/test_linked_list.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_linked_list.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_linked_list.Tpo -c -o suites/libstrongswan_tests-test_linked_list.o `test -f 'suites/test_linked_list.c' || echo '$(srcdir)/'`suites/test_linked_list.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_linked_list.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_linked_list.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_linked_list.c' object='suites/libstrongswan_tests-test_linked_list.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-tests.o 
`test -f 'tests.c' || echo '$(srcdir)/'`tests.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_linked_list.o `test -f 'suites/test_linked_list.c' || echo '$(srcdir)/'`suites/test_linked_list.c -tests-tests.obj: tests.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-tests.obj -MD -MP -MF $(DEPDIR)/tests-tests.Tpo -c -o tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tests-tests.Tpo $(DEPDIR)/tests-tests.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests.c' object='tests-tests.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_linked_list.obj: suites/test_linked_list.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_linked_list.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_linked_list.Tpo -c -o suites/libstrongswan_tests-test_linked_list.obj `if test -f 'suites/test_linked_list.c'; then $(CYGPATH_W) 'suites/test_linked_list.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_linked_list.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_linked_list.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_linked_list.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_linked_list.c' object='suites/libstrongswan_tests-test_linked_list.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o 
tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_linked_list.obj `if test -f 'suites/test_linked_list.c'; then $(CYGPATH_W) 'suites/test_linked_list.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_linked_list.c'; fi` -suites/tests-test_linked_list.o: suites/test_linked_list.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_linked_list.o -MD -MP -MF suites/$(DEPDIR)/tests-test_linked_list.Tpo -c -o suites/tests-test_linked_list.o `test -f 'suites/test_linked_list.c' || echo '$(srcdir)/'`suites/test_linked_list.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_linked_list.Tpo suites/$(DEPDIR)/tests-test_linked_list.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_linked_list.c' object='suites/tests-test_linked_list.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_enumerator.o: suites/test_enumerator.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_enumerator.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_enumerator.Tpo -c -o suites/libstrongswan_tests-test_enumerator.o `test -f 'suites/test_enumerator.c' || echo '$(srcdir)/'`suites/test_enumerator.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_enumerator.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_enumerator.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_enumerator.c' object='suites/libstrongswan_tests-test_enumerator.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) 
$(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_linked_list.o `test -f 'suites/test_linked_list.c' || echo '$(srcdir)/'`suites/test_linked_list.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_enumerator.o `test -f 'suites/test_enumerator.c' || echo '$(srcdir)/'`suites/test_enumerator.c -suites/tests-test_linked_list.obj: suites/test_linked_list.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_linked_list.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_linked_list.Tpo -c -o suites/tests-test_linked_list.obj `if test -f 'suites/test_linked_list.c'; then $(CYGPATH_W) 'suites/test_linked_list.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_linked_list.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_linked_list.Tpo suites/$(DEPDIR)/tests-test_linked_list.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_linked_list.c' object='suites/tests-test_linked_list.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_enumerator.obj: suites/test_enumerator.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_enumerator.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_enumerator.Tpo -c -o suites/libstrongswan_tests-test_enumerator.obj `if test -f 'suites/test_enumerator.c'; then $(CYGPATH_W) 'suites/test_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_enumerator.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_enumerator.Tpo 
suites/$(DEPDIR)/libstrongswan_tests-test_enumerator.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_enumerator.c' object='suites/libstrongswan_tests-test_enumerator.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_linked_list.obj `if test -f 'suites/test_linked_list.c'; then $(CYGPATH_W) 'suites/test_linked_list.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_linked_list.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_enumerator.obj `if test -f 'suites/test_enumerator.c'; then $(CYGPATH_W) 'suites/test_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_enumerator.c'; fi` -suites/tests-test_enumerator.o: suites/test_enumerator.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_enumerator.o -MD -MP -MF suites/$(DEPDIR)/tests-test_enumerator.Tpo -c -o suites/tests-test_enumerator.o `test -f 'suites/test_enumerator.c' || echo '$(srcdir)/'`suites/test_enumerator.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_enumerator.Tpo suites/$(DEPDIR)/tests-test_enumerator.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_enumerator.c' object='suites/tests-test_enumerator.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_linked_list_enumerator.o: suites/test_linked_list_enumerator.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_linked_list_enumerator.o -MD -MP -MF 
suites/$(DEPDIR)/libstrongswan_tests-test_linked_list_enumerator.Tpo -c -o suites/libstrongswan_tests-test_linked_list_enumerator.o `test -f 'suites/test_linked_list_enumerator.c' || echo '$(srcdir)/'`suites/test_linked_list_enumerator.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_linked_list_enumerator.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_linked_list_enumerator.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_linked_list_enumerator.c' object='suites/libstrongswan_tests-test_linked_list_enumerator.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_enumerator.o `test -f 'suites/test_enumerator.c' || echo '$(srcdir)/'`suites/test_enumerator.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_linked_list_enumerator.o `test -f 'suites/test_linked_list_enumerator.c' || echo '$(srcdir)/'`suites/test_linked_list_enumerator.c -suites/tests-test_enumerator.obj: suites/test_enumerator.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_enumerator.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_enumerator.Tpo -c -o suites/tests-test_enumerator.obj `if test -f 'suites/test_enumerator.c'; then $(CYGPATH_W) 'suites/test_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_enumerator.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_enumerator.Tpo suites/$(DEPDIR)/tests-test_enumerator.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_enumerator.c' object='suites/tests-test_enumerator.obj' 
libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_linked_list_enumerator.obj: suites/test_linked_list_enumerator.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_linked_list_enumerator.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_linked_list_enumerator.Tpo -c -o suites/libstrongswan_tests-test_linked_list_enumerator.obj `if test -f 'suites/test_linked_list_enumerator.c'; then $(CYGPATH_W) 'suites/test_linked_list_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_linked_list_enumerator.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_linked_list_enumerator.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_linked_list_enumerator.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_linked_list_enumerator.c' object='suites/libstrongswan_tests-test_linked_list_enumerator.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_enumerator.obj `if test -f 'suites/test_enumerator.c'; then $(CYGPATH_W) 'suites/test_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_enumerator.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_linked_list_enumerator.obj `if test -f 'suites/test_linked_list_enumerator.c'; then $(CYGPATH_W) 'suites/test_linked_list_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_linked_list_enumerator.c'; fi` -suites/tests-test_linked_list_enumerator.o: suites/test_linked_list_enumerator.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_linked_list_enumerator.o -MD -MP -MF suites/$(DEPDIR)/tests-test_linked_list_enumerator.Tpo -c -o suites/tests-test_linked_list_enumerator.o `test -f 'suites/test_linked_list_enumerator.c' || echo '$(srcdir)/'`suites/test_linked_list_enumerator.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_linked_list_enumerator.Tpo suites/$(DEPDIR)/tests-test_linked_list_enumerator.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_linked_list_enumerator.c' object='suites/tests-test_linked_list_enumerator.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_bio_reader.o: suites/test_bio_reader.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_bio_reader.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_bio_reader.Tpo -c -o suites/libstrongswan_tests-test_bio_reader.o `test -f 'suites/test_bio_reader.c' || echo '$(srcdir)/'`suites/test_bio_reader.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_bio_reader.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_bio_reader.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bio_reader.c' object='suites/libstrongswan_tests-test_bio_reader.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_linked_list_enumerator.o `test -f 'suites/test_linked_list_enumerator.c' || echo '$(srcdir)/'`suites/test_linked_list_enumerator.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o 
suites/libstrongswan_tests-test_bio_reader.o `test -f 'suites/test_bio_reader.c' || echo '$(srcdir)/'`suites/test_bio_reader.c -suites/tests-test_linked_list_enumerator.obj: suites/test_linked_list_enumerator.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_linked_list_enumerator.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_linked_list_enumerator.Tpo -c -o suites/tests-test_linked_list_enumerator.obj `if test -f 'suites/test_linked_list_enumerator.c'; then $(CYGPATH_W) 'suites/test_linked_list_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_linked_list_enumerator.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_linked_list_enumerator.Tpo suites/$(DEPDIR)/tests-test_linked_list_enumerator.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_linked_list_enumerator.c' object='suites/tests-test_linked_list_enumerator.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_bio_reader.obj: suites/test_bio_reader.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_bio_reader.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_bio_reader.Tpo -c -o suites/libstrongswan_tests-test_bio_reader.obj `if test -f 'suites/test_bio_reader.c'; then $(CYGPATH_W) 'suites/test_bio_reader.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bio_reader.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_bio_reader.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_bio_reader.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bio_reader.c' object='suites/libstrongswan_tests-test_bio_reader.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_linked_list_enumerator.obj `if test -f 'suites/test_linked_list_enumerator.c'; then $(CYGPATH_W) 'suites/test_linked_list_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_linked_list_enumerator.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_bio_reader.obj `if test -f 'suites/test_bio_reader.c'; then $(CYGPATH_W) 'suites/test_bio_reader.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bio_reader.c'; fi` -suites/tests-test_bio_reader.o: suites/test_bio_reader.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_bio_reader.o -MD -MP -MF suites/$(DEPDIR)/tests-test_bio_reader.Tpo -c -o suites/tests-test_bio_reader.o `test -f 'suites/test_bio_reader.c' || echo '$(srcdir)/'`suites/test_bio_reader.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_bio_reader.Tpo suites/$(DEPDIR)/tests-test_bio_reader.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bio_reader.c' object='suites/tests-test_bio_reader.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_bio_writer.o: suites/test_bio_writer.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_bio_writer.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_bio_writer.Tpo -c -o suites/libstrongswan_tests-test_bio_writer.o `test -f 'suites/test_bio_writer.c' || echo '$(srcdir)/'`suites/test_bio_writer.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_bio_writer.Tpo 
suites/$(DEPDIR)/libstrongswan_tests-test_bio_writer.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bio_writer.c' object='suites/libstrongswan_tests-test_bio_writer.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_bio_reader.o `test -f 'suites/test_bio_reader.c' || echo '$(srcdir)/'`suites/test_bio_reader.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_bio_writer.o `test -f 'suites/test_bio_writer.c' || echo '$(srcdir)/'`suites/test_bio_writer.c -suites/tests-test_bio_reader.obj: suites/test_bio_reader.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_bio_reader.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_bio_reader.Tpo -c -o suites/tests-test_bio_reader.obj `if test -f 'suites/test_bio_reader.c'; then $(CYGPATH_W) 'suites/test_bio_reader.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bio_reader.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_bio_reader.Tpo suites/$(DEPDIR)/tests-test_bio_reader.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bio_reader.c' object='suites/tests-test_bio_reader.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_bio_writer.obj: suites/test_bio_writer.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_bio_writer.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_bio_writer.Tpo -c -o suites/libstrongswan_tests-test_bio_writer.obj 
`if test -f 'suites/test_bio_writer.c'; then $(CYGPATH_W) 'suites/test_bio_writer.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bio_writer.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_bio_writer.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_bio_writer.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bio_writer.c' object='suites/libstrongswan_tests-test_bio_writer.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_bio_reader.obj `if test -f 'suites/test_bio_reader.c'; then $(CYGPATH_W) 'suites/test_bio_reader.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bio_reader.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_bio_writer.obj `if test -f 'suites/test_bio_writer.c'; then $(CYGPATH_W) 'suites/test_bio_writer.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bio_writer.c'; fi` -suites/tests-test_bio_writer.o: suites/test_bio_writer.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_bio_writer.o -MD -MP -MF suites/$(DEPDIR)/tests-test_bio_writer.Tpo -c -o suites/tests-test_bio_writer.o `test -f 'suites/test_bio_writer.c' || echo '$(srcdir)/'`suites/test_bio_writer.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_bio_writer.Tpo suites/$(DEPDIR)/tests-test_bio_writer.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bio_writer.c' object='suites/tests-test_bio_writer.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_chunk.o: suites/test_chunk.c +@am__fastdepCC_TRUE@ 
$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_chunk.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_chunk.Tpo -c -o suites/libstrongswan_tests-test_chunk.o `test -f 'suites/test_chunk.c' || echo '$(srcdir)/'`suites/test_chunk.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_chunk.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_chunk.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_chunk.c' object='suites/libstrongswan_tests-test_chunk.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_bio_writer.o `test -f 'suites/test_bio_writer.c' || echo '$(srcdir)/'`suites/test_bio_writer.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_chunk.o `test -f 'suites/test_chunk.c' || echo '$(srcdir)/'`suites/test_chunk.c -suites/tests-test_bio_writer.obj: suites/test_bio_writer.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_bio_writer.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_bio_writer.Tpo -c -o suites/tests-test_bio_writer.obj `if test -f 'suites/test_bio_writer.c'; then $(CYGPATH_W) 'suites/test_bio_writer.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bio_writer.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_bio_writer.Tpo suites/$(DEPDIR)/tests-test_bio_writer.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bio_writer.c' object='suites/tests-test_bio_writer.obj' 
libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_chunk.obj: suites/test_chunk.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_chunk.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_chunk.Tpo -c -o suites/libstrongswan_tests-test_chunk.obj `if test -f 'suites/test_chunk.c'; then $(CYGPATH_W) 'suites/test_chunk.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_chunk.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_chunk.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_chunk.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_chunk.c' object='suites/libstrongswan_tests-test_chunk.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_bio_writer.obj `if test -f 'suites/test_bio_writer.c'; then $(CYGPATH_W) 'suites/test_bio_writer.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bio_writer.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_chunk.obj `if test -f 'suites/test_chunk.c'; then $(CYGPATH_W) 'suites/test_chunk.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_chunk.c'; fi` -suites/tests-test_chunk.o: suites/test_chunk.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_chunk.o -MD -MP -MF suites/$(DEPDIR)/tests-test_chunk.Tpo -c -o suites/tests-test_chunk.o `test -f 'suites/test_chunk.c' || echo '$(srcdir)/'`suites/test_chunk.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
suites/$(DEPDIR)/tests-test_chunk.Tpo suites/$(DEPDIR)/tests-test_chunk.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_chunk.c' object='suites/tests-test_chunk.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_enum.o: suites/test_enum.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_enum.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_enum.Tpo -c -o suites/libstrongswan_tests-test_enum.o `test -f 'suites/test_enum.c' || echo '$(srcdir)/'`suites/test_enum.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_enum.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_enum.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_enum.c' object='suites/libstrongswan_tests-test_enum.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_chunk.o `test -f 'suites/test_chunk.c' || echo '$(srcdir)/'`suites/test_chunk.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_enum.o `test -f 'suites/test_enum.c' || echo '$(srcdir)/'`suites/test_enum.c -suites/tests-test_chunk.obj: suites/test_chunk.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_chunk.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_chunk.Tpo -c -o suites/tests-test_chunk.obj `if test -f 'suites/test_chunk.c'; then $(CYGPATH_W) 'suites/test_chunk.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_chunk.c'; fi` -@am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_chunk.Tpo suites/$(DEPDIR)/tests-test_chunk.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_chunk.c' object='suites/tests-test_chunk.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_enum.obj: suites/test_enum.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_enum.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_enum.Tpo -c -o suites/libstrongswan_tests-test_enum.obj `if test -f 'suites/test_enum.c'; then $(CYGPATH_W) 'suites/test_enum.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_enum.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_enum.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_enum.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_enum.c' object='suites/libstrongswan_tests-test_enum.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_chunk.obj `if test -f 'suites/test_chunk.c'; then $(CYGPATH_W) 'suites/test_chunk.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_chunk.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_enum.obj `if test -f 'suites/test_enum.c'; then $(CYGPATH_W) 'suites/test_enum.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_enum.c'; fi` -suites/tests-test_enum.o: suites/test_enum.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_enum.o -MD -MP -MF 
suites/$(DEPDIR)/tests-test_enum.Tpo -c -o suites/tests-test_enum.o `test -f 'suites/test_enum.c' || echo '$(srcdir)/'`suites/test_enum.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_enum.Tpo suites/$(DEPDIR)/tests-test_enum.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_enum.c' object='suites/tests-test_enum.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_hashtable.o: suites/test_hashtable.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_hashtable.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_hashtable.Tpo -c -o suites/libstrongswan_tests-test_hashtable.o `test -f 'suites/test_hashtable.c' || echo '$(srcdir)/'`suites/test_hashtable.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_hashtable.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_hashtable.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_hashtable.c' object='suites/libstrongswan_tests-test_hashtable.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_enum.o `test -f 'suites/test_enum.c' || echo '$(srcdir)/'`suites/test_enum.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_hashtable.o `test -f 'suites/test_hashtable.c' || echo '$(srcdir)/'`suites/test_hashtable.c -suites/tests-test_enum.obj: suites/test_enum.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_enum.obj -MD 
-MP -MF suites/$(DEPDIR)/tests-test_enum.Tpo -c -o suites/tests-test_enum.obj `if test -f 'suites/test_enum.c'; then $(CYGPATH_W) 'suites/test_enum.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_enum.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_enum.Tpo suites/$(DEPDIR)/tests-test_enum.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_enum.c' object='suites/tests-test_enum.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_hashtable.obj: suites/test_hashtable.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_hashtable.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_hashtable.Tpo -c -o suites/libstrongswan_tests-test_hashtable.obj `if test -f 'suites/test_hashtable.c'; then $(CYGPATH_W) 'suites/test_hashtable.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_hashtable.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_hashtable.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_hashtable.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_hashtable.c' object='suites/libstrongswan_tests-test_hashtable.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_enum.obj `if test -f 'suites/test_enum.c'; then $(CYGPATH_W) 'suites/test_enum.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_enum.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_hashtable.obj `if test -f 'suites/test_hashtable.c'; then $(CYGPATH_W) 'suites/test_hashtable.c'; else 
$(CYGPATH_W) '$(srcdir)/suites/test_hashtable.c'; fi` -suites/tests-test_hashtable.o: suites/test_hashtable.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_hashtable.o -MD -MP -MF suites/$(DEPDIR)/tests-test_hashtable.Tpo -c -o suites/tests-test_hashtable.o `test -f 'suites/test_hashtable.c' || echo '$(srcdir)/'`suites/test_hashtable.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_hashtable.Tpo suites/$(DEPDIR)/tests-test_hashtable.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_hashtable.c' object='suites/tests-test_hashtable.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_identification.o: suites/test_identification.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_identification.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_identification.Tpo -c -o suites/libstrongswan_tests-test_identification.o `test -f 'suites/test_identification.c' || echo '$(srcdir)/'`suites/test_identification.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_identification.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_identification.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_identification.c' object='suites/libstrongswan_tests-test_identification.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_hashtable.o `test -f 'suites/test_hashtable.c' || echo '$(srcdir)/'`suites/test_hashtable.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_identification.o `test -f 'suites/test_identification.c' || echo '$(srcdir)/'`suites/test_identification.c -suites/tests-test_hashtable.obj: suites/test_hashtable.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_hashtable.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_hashtable.Tpo -c -o suites/tests-test_hashtable.obj `if test -f 'suites/test_hashtable.c'; then $(CYGPATH_W) 'suites/test_hashtable.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_hashtable.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_hashtable.Tpo suites/$(DEPDIR)/tests-test_hashtable.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_hashtable.c' object='suites/tests-test_hashtable.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_identification.obj: suites/test_identification.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_identification.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_identification.Tpo -c -o suites/libstrongswan_tests-test_identification.obj `if test -f 'suites/test_identification.c'; then $(CYGPATH_W) 'suites/test_identification.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_identification.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_identification.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_identification.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_identification.c' object='suites/libstrongswan_tests-test_identification.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_hashtable.obj `if test -f 'suites/test_hashtable.c'; then $(CYGPATH_W) 'suites/test_hashtable.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_hashtable.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_identification.obj `if test -f 'suites/test_identification.c'; then $(CYGPATH_W) 'suites/test_identification.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_identification.c'; fi` -suites/tests-test_identification.o: suites/test_identification.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_identification.o -MD -MP -MF suites/$(DEPDIR)/tests-test_identification.Tpo -c -o suites/tests-test_identification.o `test -f 'suites/test_identification.c' || echo '$(srcdir)/'`suites/test_identification.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_identification.Tpo suites/$(DEPDIR)/tests-test_identification.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_identification.c' object='suites/tests-test_identification.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_traffic_selector.o: suites/test_traffic_selector.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_traffic_selector.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_traffic_selector.Tpo -c -o suites/libstrongswan_tests-test_traffic_selector.o `test -f 'suites/test_traffic_selector.c' || echo '$(srcdir)/'`suites/test_traffic_selector.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_traffic_selector.Tpo 
suites/$(DEPDIR)/libstrongswan_tests-test_traffic_selector.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_traffic_selector.c' object='suites/libstrongswan_tests-test_traffic_selector.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_identification.o `test -f 'suites/test_identification.c' || echo '$(srcdir)/'`suites/test_identification.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_traffic_selector.o `test -f 'suites/test_traffic_selector.c' || echo '$(srcdir)/'`suites/test_traffic_selector.c -suites/tests-test_identification.obj: suites/test_identification.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_identification.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_identification.Tpo -c -o suites/tests-test_identification.obj `if test -f 'suites/test_identification.c'; then $(CYGPATH_W) 'suites/test_identification.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_identification.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_identification.Tpo suites/$(DEPDIR)/tests-test_identification.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_identification.c' object='suites/tests-test_identification.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_traffic_selector.obj: suites/test_traffic_selector.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_traffic_selector.obj -MD -MP 
-MF suites/$(DEPDIR)/libstrongswan_tests-test_traffic_selector.Tpo -c -o suites/libstrongswan_tests-test_traffic_selector.obj `if test -f 'suites/test_traffic_selector.c'; then $(CYGPATH_W) 'suites/test_traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_traffic_selector.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_traffic_selector.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_traffic_selector.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_traffic_selector.c' object='suites/libstrongswan_tests-test_traffic_selector.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_identification.obj `if test -f 'suites/test_identification.c'; then $(CYGPATH_W) 'suites/test_identification.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_identification.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_traffic_selector.obj `if test -f 'suites/test_traffic_selector.c'; then $(CYGPATH_W) 'suites/test_traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_traffic_selector.c'; fi` -suites/tests-test_traffic_selector.o: suites/test_traffic_selector.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_traffic_selector.o -MD -MP -MF suites/$(DEPDIR)/tests-test_traffic_selector.Tpo -c -o suites/tests-test_traffic_selector.o `test -f 'suites/test_traffic_selector.c' || echo '$(srcdir)/'`suites/test_traffic_selector.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_traffic_selector.Tpo 
suites/$(DEPDIR)/tests-test_traffic_selector.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_traffic_selector.c' object='suites/tests-test_traffic_selector.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_threading.o: suites/test_threading.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_threading.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_threading.Tpo -c -o suites/libstrongswan_tests-test_threading.o `test -f 'suites/test_threading.c' || echo '$(srcdir)/'`suites/test_threading.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_threading.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_threading.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_threading.c' object='suites/libstrongswan_tests-test_threading.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_traffic_selector.o `test -f 'suites/test_traffic_selector.c' || echo '$(srcdir)/'`suites/test_traffic_selector.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_threading.o `test -f 'suites/test_threading.c' || echo '$(srcdir)/'`suites/test_threading.c -suites/tests-test_traffic_selector.obj: suites/test_traffic_selector.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_traffic_selector.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_traffic_selector.Tpo -c -o suites/tests-test_traffic_selector.obj `if test 
-f 'suites/test_traffic_selector.c'; then $(CYGPATH_W) 'suites/test_traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_traffic_selector.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_traffic_selector.Tpo suites/$(DEPDIR)/tests-test_traffic_selector.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_traffic_selector.c' object='suites/tests-test_traffic_selector.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_threading.obj: suites/test_threading.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_threading.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_threading.Tpo -c -o suites/libstrongswan_tests-test_threading.obj `if test -f 'suites/test_threading.c'; then $(CYGPATH_W) 'suites/test_threading.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_threading.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_threading.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_threading.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_threading.c' object='suites/libstrongswan_tests-test_threading.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_traffic_selector.obj `if test -f 'suites/test_traffic_selector.c'; then $(CYGPATH_W) 'suites/test_traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_traffic_selector.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_threading.obj `if test -f 'suites/test_threading.c'; then 
$(CYGPATH_W) 'suites/test_threading.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_threading.c'; fi` -suites/tests-test_threading.o: suites/test_threading.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_threading.o -MD -MP -MF suites/$(DEPDIR)/tests-test_threading.Tpo -c -o suites/tests-test_threading.o `test -f 'suites/test_threading.c' || echo '$(srcdir)/'`suites/test_threading.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_threading.Tpo suites/$(DEPDIR)/tests-test_threading.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_threading.c' object='suites/tests-test_threading.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_process.o: suites/test_process.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_process.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_process.Tpo -c -o suites/libstrongswan_tests-test_process.o `test -f 'suites/test_process.c' || echo '$(srcdir)/'`suites/test_process.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_process.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_process.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_process.c' object='suites/libstrongswan_tests-test_process.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_threading.o `test -f 'suites/test_threading.c' || echo '$(srcdir)/'`suites/test_threading.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_process.o `test -f 'suites/test_process.c' || echo '$(srcdir)/'`suites/test_process.c -suites/tests-test_threading.obj: suites/test_threading.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_threading.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_threading.Tpo -c -o suites/tests-test_threading.obj `if test -f 'suites/test_threading.c'; then $(CYGPATH_W) 'suites/test_threading.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_threading.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_threading.Tpo suites/$(DEPDIR)/tests-test_threading.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_threading.c' object='suites/tests-test_threading.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_process.obj: suites/test_process.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_process.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_process.Tpo -c -o suites/libstrongswan_tests-test_process.obj `if test -f 'suites/test_process.c'; then $(CYGPATH_W) 'suites/test_process.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_process.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_process.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_process.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_process.c' object='suites/libstrongswan_tests-test_process.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_threading.obj `if test 
-f 'suites/test_threading.c'; then $(CYGPATH_W) 'suites/test_threading.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_threading.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_process.obj `if test -f 'suites/test_process.c'; then $(CYGPATH_W) 'suites/test_process.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_process.c'; fi` -suites/tests-test_process.o: suites/test_process.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_process.o -MD -MP -MF suites/$(DEPDIR)/tests-test_process.Tpo -c -o suites/tests-test_process.o `test -f 'suites/test_process.c' || echo '$(srcdir)/'`suites/test_process.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_process.Tpo suites/$(DEPDIR)/tests-test_process.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_process.c' object='suites/tests-test_process.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_watcher.o: suites/test_watcher.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_watcher.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_watcher.Tpo -c -o suites/libstrongswan_tests-test_watcher.o `test -f 'suites/test_watcher.c' || echo '$(srcdir)/'`suites/test_watcher.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_watcher.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_watcher.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_watcher.c' object='suites/libstrongswan_tests-test_watcher.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_process.o `test -f 'suites/test_process.c' || echo '$(srcdir)/'`suites/test_process.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_watcher.o `test -f 'suites/test_watcher.c' || echo '$(srcdir)/'`suites/test_watcher.c -suites/tests-test_process.obj: suites/test_process.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_process.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_process.Tpo -c -o suites/tests-test_process.obj `if test -f 'suites/test_process.c'; then $(CYGPATH_W) 'suites/test_process.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_process.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_process.Tpo suites/$(DEPDIR)/tests-test_process.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_process.c' object='suites/tests-test_process.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_watcher.obj: suites/test_watcher.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_watcher.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_watcher.Tpo -c -o suites/libstrongswan_tests-test_watcher.obj `if test -f 'suites/test_watcher.c'; then $(CYGPATH_W) 'suites/test_watcher.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_watcher.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_watcher.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_watcher.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_watcher.c' 
object='suites/libstrongswan_tests-test_watcher.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_process.obj `if test -f 'suites/test_process.c'; then $(CYGPATH_W) 'suites/test_process.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_process.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_watcher.obj `if test -f 'suites/test_watcher.c'; then $(CYGPATH_W) 'suites/test_watcher.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_watcher.c'; fi` -suites/tests-test_watcher.o: suites/test_watcher.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_watcher.o -MD -MP -MF suites/$(DEPDIR)/tests-test_watcher.Tpo -c -o suites/tests-test_watcher.o `test -f 'suites/test_watcher.c' || echo '$(srcdir)/'`suites/test_watcher.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_watcher.Tpo suites/$(DEPDIR)/tests-test_watcher.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_watcher.c' object='suites/tests-test_watcher.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_stream.o: suites/test_stream.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_stream.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_stream.Tpo -c -o suites/libstrongswan_tests-test_stream.o `test -f 'suites/test_stream.c' || echo '$(srcdir)/'`suites/test_stream.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
suites/$(DEPDIR)/libstrongswan_tests-test_stream.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_stream.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_stream.c' object='suites/libstrongswan_tests-test_stream.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_watcher.o `test -f 'suites/test_watcher.c' || echo '$(srcdir)/'`suites/test_watcher.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_stream.o `test -f 'suites/test_stream.c' || echo '$(srcdir)/'`suites/test_stream.c -suites/tests-test_watcher.obj: suites/test_watcher.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_watcher.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_watcher.Tpo -c -o suites/tests-test_watcher.obj `if test -f 'suites/test_watcher.c'; then $(CYGPATH_W) 'suites/test_watcher.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_watcher.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_watcher.Tpo suites/$(DEPDIR)/tests-test_watcher.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_watcher.c' object='suites/tests-test_watcher.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_stream.obj: suites/test_stream.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_stream.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_stream.Tpo -c -o suites/libstrongswan_tests-test_stream.obj `if test -f 'suites/test_stream.c'; 
then $(CYGPATH_W) 'suites/test_stream.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_stream.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_stream.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_stream.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_stream.c' object='suites/libstrongswan_tests-test_stream.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_watcher.obj `if test -f 'suites/test_watcher.c'; then $(CYGPATH_W) 'suites/test_watcher.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_watcher.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_stream.obj `if test -f 'suites/test_stream.c'; then $(CYGPATH_W) 'suites/test_stream.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_stream.c'; fi` -suites/tests-test_stream.o: suites/test_stream.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_stream.o -MD -MP -MF suites/$(DEPDIR)/tests-test_stream.Tpo -c -o suites/tests-test_stream.o `test -f 'suites/test_stream.c' || echo '$(srcdir)/'`suites/test_stream.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_stream.Tpo suites/$(DEPDIR)/tests-test_stream.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_stream.c' object='suites/tests-test_stream.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_fetch_http.o: suites/test_fetch_http.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT 
suites/libstrongswan_tests-test_fetch_http.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_fetch_http.Tpo -c -o suites/libstrongswan_tests-test_fetch_http.o `test -f 'suites/test_fetch_http.c' || echo '$(srcdir)/'`suites/test_fetch_http.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_fetch_http.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_fetch_http.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_fetch_http.c' object='suites/libstrongswan_tests-test_fetch_http.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_stream.o `test -f 'suites/test_stream.c' || echo '$(srcdir)/'`suites/test_stream.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_fetch_http.o `test -f 'suites/test_fetch_http.c' || echo '$(srcdir)/'`suites/test_fetch_http.c -suites/tests-test_stream.obj: suites/test_stream.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_stream.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_stream.Tpo -c -o suites/tests-test_stream.obj `if test -f 'suites/test_stream.c'; then $(CYGPATH_W) 'suites/test_stream.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_stream.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_stream.Tpo suites/$(DEPDIR)/tests-test_stream.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_stream.c' object='suites/tests-test_stream.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_fetch_http.obj: suites/test_fetch_http.c +@am__fastdepCC_TRUE@ 
$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_fetch_http.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_fetch_http.Tpo -c -o suites/libstrongswan_tests-test_fetch_http.obj `if test -f 'suites/test_fetch_http.c'; then $(CYGPATH_W) 'suites/test_fetch_http.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_fetch_http.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_fetch_http.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_fetch_http.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_fetch_http.c' object='suites/libstrongswan_tests-test_fetch_http.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_stream.obj `if test -f 'suites/test_stream.c'; then $(CYGPATH_W) 'suites/test_stream.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_stream.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_fetch_http.obj `if test -f 'suites/test_fetch_http.c'; then $(CYGPATH_W) 'suites/test_fetch_http.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_fetch_http.c'; fi` -suites/tests-test_fetch_http.o: suites/test_fetch_http.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_fetch_http.o -MD -MP -MF suites/$(DEPDIR)/tests-test_fetch_http.Tpo -c -o suites/tests-test_fetch_http.o `test -f 'suites/test_fetch_http.c' || echo '$(srcdir)/'`suites/test_fetch_http.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
suites/$(DEPDIR)/tests-test_fetch_http.Tpo suites/$(DEPDIR)/tests-test_fetch_http.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_fetch_http.c' object='suites/tests-test_fetch_http.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_utils.o: suites/test_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_utils.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_utils.Tpo -c -o suites/libstrongswan_tests-test_utils.o `test -f 'suites/test_utils.c' || echo '$(srcdir)/'`suites/test_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_utils.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_utils.c' object='suites/libstrongswan_tests-test_utils.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_fetch_http.o `test -f 'suites/test_fetch_http.c' || echo '$(srcdir)/'`suites/test_fetch_http.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_utils.o `test -f 'suites/test_utils.c' || echo '$(srcdir)/'`suites/test_utils.c -suites/tests-test_fetch_http.obj: suites/test_fetch_http.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_fetch_http.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_fetch_http.Tpo -c -o suites/tests-test_fetch_http.obj `if test -f 'suites/test_fetch_http.c'; then $(CYGPATH_W) 'suites/test_fetch_http.c'; 
else $(CYGPATH_W) '$(srcdir)/suites/test_fetch_http.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_fetch_http.Tpo suites/$(DEPDIR)/tests-test_fetch_http.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_fetch_http.c' object='suites/tests-test_fetch_http.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_utils.obj: suites/test_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_utils.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_utils.Tpo -c -o suites/libstrongswan_tests-test_utils.obj `if test -f 'suites/test_utils.c'; then $(CYGPATH_W) 'suites/test_utils.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_utils.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_utils.c' object='suites/libstrongswan_tests-test_utils.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_fetch_http.obj `if test -f 'suites/test_fetch_http.c'; then $(CYGPATH_W) 'suites/test_fetch_http.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_fetch_http.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_utils.obj `if test -f 'suites/test_utils.c'; then $(CYGPATH_W) 'suites/test_utils.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_utils.c'; fi` -suites/tests-test_utils.o: suites/test_utils.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_utils.o -MD -MP -MF suites/$(DEPDIR)/tests-test_utils.Tpo -c -o suites/tests-test_utils.o `test -f 'suites/test_utils.c' || echo '$(srcdir)/'`suites/test_utils.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_utils.Tpo suites/$(DEPDIR)/tests-test_utils.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_utils.c' object='suites/tests-test_utils.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_settings.o: suites/test_settings.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_settings.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_settings.Tpo -c -o suites/libstrongswan_tests-test_settings.o `test -f 'suites/test_settings.c' || echo '$(srcdir)/'`suites/test_settings.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_settings.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_settings.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_settings.c' object='suites/libstrongswan_tests-test_settings.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_utils.o `test -f 'suites/test_utils.c' || echo '$(srcdir)/'`suites/test_utils.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_settings.o `test -f 'suites/test_settings.c' || echo '$(srcdir)/'`suites/test_settings.c -suites/tests-test_utils.obj: suites/test_utils.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_utils.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_utils.Tpo -c -o suites/tests-test_utils.obj `if test -f 'suites/test_utils.c'; then $(CYGPATH_W) 'suites/test_utils.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_utils.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_utils.Tpo suites/$(DEPDIR)/tests-test_utils.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_utils.c' object='suites/tests-test_utils.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_settings.obj: suites/test_settings.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_settings.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_settings.Tpo -c -o suites/libstrongswan_tests-test_settings.obj `if test -f 'suites/test_settings.c'; then $(CYGPATH_W) 'suites/test_settings.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_settings.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_settings.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_settings.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_settings.c' object='suites/libstrongswan_tests-test_settings.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_utils.obj `if test -f 'suites/test_utils.c'; then $(CYGPATH_W) 'suites/test_utils.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_utils.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o 
suites/libstrongswan_tests-test_settings.obj `if test -f 'suites/test_settings.c'; then $(CYGPATH_W) 'suites/test_settings.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_settings.c'; fi` -suites/tests-test_settings.o: suites/test_settings.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_settings.o -MD -MP -MF suites/$(DEPDIR)/tests-test_settings.Tpo -c -o suites/tests-test_settings.o `test -f 'suites/test_settings.c' || echo '$(srcdir)/'`suites/test_settings.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_settings.Tpo suites/$(DEPDIR)/tests-test_settings.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_settings.c' object='suites/tests-test_settings.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_vectors.o: suites/test_vectors.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_vectors.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_vectors.Tpo -c -o suites/libstrongswan_tests-test_vectors.o `test -f 'suites/test_vectors.c' || echo '$(srcdir)/'`suites/test_vectors.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_vectors.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_vectors.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_vectors.c' object='suites/libstrongswan_tests-test_vectors.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_settings.o `test -f 'suites/test_settings.c' || echo '$(srcdir)/'`suites/test_settings.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_vectors.o `test -f 'suites/test_vectors.c' || echo '$(srcdir)/'`suites/test_vectors.c -suites/tests-test_settings.obj: suites/test_settings.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_settings.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_settings.Tpo -c -o suites/tests-test_settings.obj `if test -f 'suites/test_settings.c'; then $(CYGPATH_W) 'suites/test_settings.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_settings.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_settings.Tpo suites/$(DEPDIR)/tests-test_settings.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_settings.c' object='suites/tests-test_settings.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_vectors.obj: suites/test_vectors.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_vectors.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_vectors.Tpo -c -o suites/libstrongswan_tests-test_vectors.obj `if test -f 'suites/test_vectors.c'; then $(CYGPATH_W) 'suites/test_vectors.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_vectors.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_vectors.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_vectors.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_vectors.c' object='suites/libstrongswan_tests-test_vectors.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) 
-c -o suites/tests-test_settings.obj `if test -f 'suites/test_settings.c'; then $(CYGPATH_W) 'suites/test_settings.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_settings.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_vectors.obj `if test -f 'suites/test_vectors.c'; then $(CYGPATH_W) 'suites/test_vectors.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_vectors.c'; fi` -suites/tests-test_vectors.o: suites/test_vectors.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_vectors.o -MD -MP -MF suites/$(DEPDIR)/tests-test_vectors.Tpo -c -o suites/tests-test_vectors.o `test -f 'suites/test_vectors.c' || echo '$(srcdir)/'`suites/test_vectors.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_vectors.Tpo suites/$(DEPDIR)/tests-test_vectors.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_vectors.c' object='suites/tests-test_vectors.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_array.o: suites/test_array.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_array.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_array.Tpo -c -o suites/libstrongswan_tests-test_array.o `test -f 'suites/test_array.c' || echo '$(srcdir)/'`suites/test_array.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_array.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_array.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_array.c' object='suites/libstrongswan_tests-test_array.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_vectors.o `test -f 'suites/test_vectors.c' || echo '$(srcdir)/'`suites/test_vectors.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_array.o `test -f 'suites/test_array.c' || echo '$(srcdir)/'`suites/test_array.c -suites/tests-test_vectors.obj: suites/test_vectors.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_vectors.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_vectors.Tpo -c -o suites/tests-test_vectors.obj `if test -f 'suites/test_vectors.c'; then $(CYGPATH_W) 'suites/test_vectors.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_vectors.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_vectors.Tpo suites/$(DEPDIR)/tests-test_vectors.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_vectors.c' object='suites/tests-test_vectors.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_array.obj: suites/test_array.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_array.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_array.Tpo -c -o suites/libstrongswan_tests-test_array.obj `if test -f 'suites/test_array.c'; then $(CYGPATH_W) 'suites/test_array.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_array.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_array.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_array.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_array.c' 
object='suites/libstrongswan_tests-test_array.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_vectors.obj `if test -f 'suites/test_vectors.c'; then $(CYGPATH_W) 'suites/test_vectors.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_vectors.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_array.obj `if test -f 'suites/test_array.c'; then $(CYGPATH_W) 'suites/test_array.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_array.c'; fi` -suites/tests-test_array.o: suites/test_array.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_array.o -MD -MP -MF suites/$(DEPDIR)/tests-test_array.Tpo -c -o suites/tests-test_array.o `test -f 'suites/test_array.c' || echo '$(srcdir)/'`suites/test_array.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_array.Tpo suites/$(DEPDIR)/tests-test_array.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_array.c' object='suites/tests-test_array.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_ecdsa.o: suites/test_ecdsa.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_ecdsa.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_ecdsa.Tpo -c -o suites/libstrongswan_tests-test_ecdsa.o `test -f 'suites/test_ecdsa.c' || echo '$(srcdir)/'`suites/test_ecdsa.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_ecdsa.Tpo 
suites/$(DEPDIR)/libstrongswan_tests-test_ecdsa.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ecdsa.c' object='suites/libstrongswan_tests-test_ecdsa.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_array.o `test -f 'suites/test_array.c' || echo '$(srcdir)/'`suites/test_array.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_ecdsa.o `test -f 'suites/test_ecdsa.c' || echo '$(srcdir)/'`suites/test_ecdsa.c -suites/tests-test_array.obj: suites/test_array.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_array.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_array.Tpo -c -o suites/tests-test_array.obj `if test -f 'suites/test_array.c'; then $(CYGPATH_W) 'suites/test_array.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_array.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_array.Tpo suites/$(DEPDIR)/tests-test_array.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_array.c' object='suites/tests-test_array.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_ecdsa.obj: suites/test_ecdsa.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_ecdsa.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_ecdsa.Tpo -c -o suites/libstrongswan_tests-test_ecdsa.obj `if test -f 'suites/test_ecdsa.c'; then $(CYGPATH_W) 'suites/test_ecdsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ecdsa.c'; fi` 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_ecdsa.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_ecdsa.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ecdsa.c' object='suites/libstrongswan_tests-test_ecdsa.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_array.obj `if test -f 'suites/test_array.c'; then $(CYGPATH_W) 'suites/test_array.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_array.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_ecdsa.obj `if test -f 'suites/test_ecdsa.c'; then $(CYGPATH_W) 'suites/test_ecdsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ecdsa.c'; fi` -suites/tests-test_ecdsa.o: suites/test_ecdsa.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ecdsa.o -MD -MP -MF suites/$(DEPDIR)/tests-test_ecdsa.Tpo -c -o suites/tests-test_ecdsa.o `test -f 'suites/test_ecdsa.c' || echo '$(srcdir)/'`suites/test_ecdsa.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ecdsa.Tpo suites/$(DEPDIR)/tests-test_ecdsa.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ecdsa.c' object='suites/tests-test_ecdsa.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_rsa.o: suites/test_rsa.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_rsa.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_rsa.Tpo -c -o 
suites/libstrongswan_tests-test_rsa.o `test -f 'suites/test_rsa.c' || echo '$(srcdir)/'`suites/test_rsa.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_rsa.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_rsa.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_rsa.c' object='suites/libstrongswan_tests-test_rsa.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_ecdsa.o `test -f 'suites/test_ecdsa.c' || echo '$(srcdir)/'`suites/test_ecdsa.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_rsa.o `test -f 'suites/test_rsa.c' || echo '$(srcdir)/'`suites/test_rsa.c -suites/tests-test_ecdsa.obj: suites/test_ecdsa.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ecdsa.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_ecdsa.Tpo -c -o suites/tests-test_ecdsa.obj `if test -f 'suites/test_ecdsa.c'; then $(CYGPATH_W) 'suites/test_ecdsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ecdsa.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ecdsa.Tpo suites/$(DEPDIR)/tests-test_ecdsa.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ecdsa.c' object='suites/tests-test_ecdsa.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_rsa.obj: suites/test_rsa.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_rsa.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_rsa.Tpo -c 
-o suites/libstrongswan_tests-test_rsa.obj `if test -f 'suites/test_rsa.c'; then $(CYGPATH_W) 'suites/test_rsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_rsa.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_rsa.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_rsa.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_rsa.c' object='suites/libstrongswan_tests-test_rsa.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_ecdsa.obj `if test -f 'suites/test_ecdsa.c'; then $(CYGPATH_W) 'suites/test_ecdsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ecdsa.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_rsa.obj `if test -f 'suites/test_rsa.c'; then $(CYGPATH_W) 'suites/test_rsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_rsa.c'; fi` -suites/tests-test_rsa.o: suites/test_rsa.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_rsa.o -MD -MP -MF suites/$(DEPDIR)/tests-test_rsa.Tpo -c -o suites/tests-test_rsa.o `test -f 'suites/test_rsa.c' || echo '$(srcdir)/'`suites/test_rsa.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_rsa.Tpo suites/$(DEPDIR)/tests-test_rsa.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_rsa.c' object='suites/tests-test_rsa.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_certpolicy.o: suites/test_certpolicy.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) 
-MT suites/libstrongswan_tests-test_certpolicy.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_certpolicy.Tpo -c -o suites/libstrongswan_tests-test_certpolicy.o `test -f 'suites/test_certpolicy.c' || echo '$(srcdir)/'`suites/test_certpolicy.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_certpolicy.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_certpolicy.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_certpolicy.c' object='suites/libstrongswan_tests-test_certpolicy.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_rsa.o `test -f 'suites/test_rsa.c' || echo '$(srcdir)/'`suites/test_rsa.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_certpolicy.o `test -f 'suites/test_certpolicy.c' || echo '$(srcdir)/'`suites/test_certpolicy.c -suites/tests-test_rsa.obj: suites/test_rsa.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_rsa.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_rsa.Tpo -c -o suites/tests-test_rsa.obj `if test -f 'suites/test_rsa.c'; then $(CYGPATH_W) 'suites/test_rsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_rsa.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_rsa.Tpo suites/$(DEPDIR)/tests-test_rsa.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_rsa.c' object='suites/tests-test_rsa.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_certpolicy.obj: suites/test_certpolicy.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_certpolicy.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_certpolicy.Tpo -c -o suites/libstrongswan_tests-test_certpolicy.obj `if test -f 'suites/test_certpolicy.c'; then $(CYGPATH_W) 'suites/test_certpolicy.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certpolicy.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_certpolicy.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_certpolicy.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_certpolicy.c' object='suites/libstrongswan_tests-test_certpolicy.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_rsa.obj `if test -f 'suites/test_rsa.c'; then $(CYGPATH_W) 'suites/test_rsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_rsa.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_certpolicy.obj `if test -f 'suites/test_certpolicy.c'; then $(CYGPATH_W) 'suites/test_certpolicy.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certpolicy.c'; fi` -suites/tests-test_certpolicy.o: suites/test_certpolicy.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_certpolicy.o -MD -MP -MF suites/$(DEPDIR)/tests-test_certpolicy.Tpo -c -o suites/tests-test_certpolicy.o `test -f 'suites/test_certpolicy.c' || echo '$(srcdir)/'`suites/test_certpolicy.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_certpolicy.Tpo suites/$(DEPDIR)/tests-test_certpolicy.Po 
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_certpolicy.c' object='suites/tests-test_certpolicy.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_certnames.o: suites/test_certnames.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_certnames.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_certnames.Tpo -c -o suites/libstrongswan_tests-test_certnames.o `test -f 'suites/test_certnames.c' || echo '$(srcdir)/'`suites/test_certnames.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_certnames.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_certnames.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_certnames.c' object='suites/libstrongswan_tests-test_certnames.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_certpolicy.o `test -f 'suites/test_certpolicy.c' || echo '$(srcdir)/'`suites/test_certpolicy.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_certnames.o `test -f 'suites/test_certnames.c' || echo '$(srcdir)/'`suites/test_certnames.c -suites/tests-test_certpolicy.obj: suites/test_certpolicy.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_certpolicy.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_certpolicy.Tpo -c -o suites/tests-test_certpolicy.obj `if test -f 'suites/test_certpolicy.c'; then $(CYGPATH_W) 'suites/test_certpolicy.c'; else $(CYGPATH_W) 
'$(srcdir)/suites/test_certpolicy.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_certpolicy.Tpo suites/$(DEPDIR)/tests-test_certpolicy.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_certpolicy.c' object='suites/tests-test_certpolicy.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_certnames.obj: suites/test_certnames.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_certnames.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_certnames.Tpo -c -o suites/libstrongswan_tests-test_certnames.obj `if test -f 'suites/test_certnames.c'; then $(CYGPATH_W) 'suites/test_certnames.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certnames.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_certnames.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_certnames.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_certnames.c' object='suites/libstrongswan_tests-test_certnames.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_certpolicy.obj `if test -f 'suites/test_certpolicy.c'; then $(CYGPATH_W) 'suites/test_certpolicy.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certpolicy.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_certnames.obj `if test -f 'suites/test_certnames.c'; then $(CYGPATH_W) 'suites/test_certnames.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certnames.c'; fi` -suites/tests-test_certnames.o: suites/test_certnames.c 
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_certnames.o -MD -MP -MF suites/$(DEPDIR)/tests-test_certnames.Tpo -c -o suites/tests-test_certnames.o `test -f 'suites/test_certnames.c' || echo '$(srcdir)/'`suites/test_certnames.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_certnames.Tpo suites/$(DEPDIR)/tests-test_certnames.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_certnames.c' object='suites/tests-test_certnames.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_host.o: suites/test_host.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_host.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_host.Tpo -c -o suites/libstrongswan_tests-test_host.o `test -f 'suites/test_host.c' || echo '$(srcdir)/'`suites/test_host.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_host.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_host.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_host.c' object='suites/libstrongswan_tests-test_host.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_certnames.o `test -f 'suites/test_certnames.c' || echo '$(srcdir)/'`suites/test_certnames.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_host.o `test -f 'suites/test_host.c' || echo '$(srcdir)/'`suites/test_host.c -suites/tests-test_certnames.obj: 
suites/test_certnames.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_certnames.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_certnames.Tpo -c -o suites/tests-test_certnames.obj `if test -f 'suites/test_certnames.c'; then $(CYGPATH_W) 'suites/test_certnames.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certnames.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_certnames.Tpo suites/$(DEPDIR)/tests-test_certnames.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_certnames.c' object='suites/tests-test_certnames.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_host.obj: suites/test_host.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_host.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_host.Tpo -c -o suites/libstrongswan_tests-test_host.obj `if test -f 'suites/test_host.c'; then $(CYGPATH_W) 'suites/test_host.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_host.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_host.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_host.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_host.c' object='suites/libstrongswan_tests-test_host.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_certnames.obj `if test -f 'suites/test_certnames.c'; then $(CYGPATH_W) 'suites/test_certnames.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certnames.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_host.obj `if test -f 'suites/test_host.c'; then $(CYGPATH_W) 'suites/test_host.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_host.c'; fi` -suites/tests-test_host.o: suites/test_host.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_host.o -MD -MP -MF suites/$(DEPDIR)/tests-test_host.Tpo -c -o suites/tests-test_host.o `test -f 'suites/test_host.c' || echo '$(srcdir)/'`suites/test_host.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_host.Tpo suites/$(DEPDIR)/tests-test_host.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_host.c' object='suites/tests-test_host.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_auth_cfg.o: suites/test_auth_cfg.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_auth_cfg.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_auth_cfg.Tpo -c -o suites/libstrongswan_tests-test_auth_cfg.o `test -f 'suites/test_auth_cfg.c' || echo '$(srcdir)/'`suites/test_auth_cfg.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_auth_cfg.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_auth_cfg.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_auth_cfg.c' object='suites/libstrongswan_tests-test_auth_cfg.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_host.o `test -f 'suites/test_host.c' || echo '$(srcdir)/'`suites/test_host.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_auth_cfg.o `test -f 'suites/test_auth_cfg.c' || echo '$(srcdir)/'`suites/test_auth_cfg.c -suites/tests-test_host.obj: suites/test_host.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_host.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_host.Tpo -c -o suites/tests-test_host.obj `if test -f 'suites/test_host.c'; then $(CYGPATH_W) 'suites/test_host.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_host.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_host.Tpo suites/$(DEPDIR)/tests-test_host.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_host.c' object='suites/tests-test_host.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_auth_cfg.obj: suites/test_auth_cfg.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_auth_cfg.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_auth_cfg.Tpo -c -o suites/libstrongswan_tests-test_auth_cfg.obj `if test -f 'suites/test_auth_cfg.c'; then $(CYGPATH_W) 'suites/test_auth_cfg.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_auth_cfg.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_auth_cfg.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_auth_cfg.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_auth_cfg.c' object='suites/libstrongswan_tests-test_auth_cfg.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o 
suites/tests-test_host.obj `if test -f 'suites/test_host.c'; then $(CYGPATH_W) 'suites/test_host.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_host.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_auth_cfg.obj `if test -f 'suites/test_auth_cfg.c'; then $(CYGPATH_W) 'suites/test_auth_cfg.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_auth_cfg.c'; fi` -suites/tests-test_auth_cfg.o: suites/test_auth_cfg.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_auth_cfg.o -MD -MP -MF suites/$(DEPDIR)/tests-test_auth_cfg.Tpo -c -o suites/tests-test_auth_cfg.o `test -f 'suites/test_auth_cfg.c' || echo '$(srcdir)/'`suites/test_auth_cfg.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_auth_cfg.Tpo suites/$(DEPDIR)/tests-test_auth_cfg.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_auth_cfg.c' object='suites/tests-test_auth_cfg.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_hasher.o: suites/test_hasher.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_hasher.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_hasher.Tpo -c -o suites/libstrongswan_tests-test_hasher.o `test -f 'suites/test_hasher.c' || echo '$(srcdir)/'`suites/test_hasher.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_hasher.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_hasher.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_hasher.c' object='suites/libstrongswan_tests-test_hasher.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_auth_cfg.o `test -f 'suites/test_auth_cfg.c' || echo '$(srcdir)/'`suites/test_auth_cfg.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_hasher.o `test -f 'suites/test_hasher.c' || echo '$(srcdir)/'`suites/test_hasher.c -suites/tests-test_auth_cfg.obj: suites/test_auth_cfg.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_auth_cfg.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_auth_cfg.Tpo -c -o suites/tests-test_auth_cfg.obj `if test -f 'suites/test_auth_cfg.c'; then $(CYGPATH_W) 'suites/test_auth_cfg.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_auth_cfg.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_auth_cfg.Tpo suites/$(DEPDIR)/tests-test_auth_cfg.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_auth_cfg.c' object='suites/tests-test_auth_cfg.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_hasher.obj: suites/test_hasher.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_hasher.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_hasher.Tpo -c -o suites/libstrongswan_tests-test_hasher.obj `if test -f 'suites/test_hasher.c'; then $(CYGPATH_W) 'suites/test_hasher.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_hasher.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_hasher.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_hasher.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_hasher.c' 
object='suites/libstrongswan_tests-test_hasher.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_auth_cfg.obj `if test -f 'suites/test_auth_cfg.c'; then $(CYGPATH_W) 'suites/test_auth_cfg.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_auth_cfg.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_hasher.obj `if test -f 'suites/test_hasher.c'; then $(CYGPATH_W) 'suites/test_hasher.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_hasher.c'; fi` -suites/tests-test_hasher.o: suites/test_hasher.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_hasher.o -MD -MP -MF suites/$(DEPDIR)/tests-test_hasher.Tpo -c -o suites/tests-test_hasher.o `test -f 'suites/test_hasher.c' || echo '$(srcdir)/'`suites/test_hasher.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_hasher.Tpo suites/$(DEPDIR)/tests-test_hasher.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_hasher.c' object='suites/tests-test_hasher.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_crypter.o: suites/test_crypter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_crypter.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_crypter.Tpo -c -o suites/libstrongswan_tests-test_crypter.o `test -f 'suites/test_crypter.c' || echo '$(srcdir)/'`suites/test_crypter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
suites/$(DEPDIR)/libstrongswan_tests-test_crypter.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_crypter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_crypter.c' object='suites/libstrongswan_tests-test_crypter.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_hasher.o `test -f 'suites/test_hasher.c' || echo '$(srcdir)/'`suites/test_hasher.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_crypter.o `test -f 'suites/test_crypter.c' || echo '$(srcdir)/'`suites/test_crypter.c -suites/tests-test_hasher.obj: suites/test_hasher.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_hasher.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_hasher.Tpo -c -o suites/tests-test_hasher.obj `if test -f 'suites/test_hasher.c'; then $(CYGPATH_W) 'suites/test_hasher.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_hasher.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_hasher.Tpo suites/$(DEPDIR)/tests-test_hasher.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_hasher.c' object='suites/tests-test_hasher.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_crypter.obj: suites/test_crypter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_crypter.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_crypter.Tpo -c -o suites/libstrongswan_tests-test_crypter.obj `if test -f 'suites/test_crypter.c'; then 
$(CYGPATH_W) 'suites/test_crypter.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_crypter.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_crypter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_crypter.c' object='suites/libstrongswan_tests-test_crypter.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_hasher.obj `if test -f 'suites/test_hasher.c'; then $(CYGPATH_W) 'suites/test_hasher.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_hasher.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_crypter.obj `if test -f 'suites/test_crypter.c'; then $(CYGPATH_W) 'suites/test_crypter.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypter.c'; fi` -suites/tests-test_crypter.o: suites/test_crypter.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_crypter.o -MD -MP -MF suites/$(DEPDIR)/tests-test_crypter.Tpo -c -o suites/tests-test_crypter.o `test -f 'suites/test_crypter.c' || echo '$(srcdir)/'`suites/test_crypter.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_crypter.Tpo suites/$(DEPDIR)/tests-test_crypter.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_crypter.c' object='suites/tests-test_crypter.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_crypto_factory.o: suites/test_crypto_factory.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_crypto_factory.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Tpo -c -o suites/libstrongswan_tests-test_crypto_factory.o `test -f 'suites/test_crypto_factory.c' || echo '$(srcdir)/'`suites/test_crypto_factory.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_crypto_factory.c' object='suites/libstrongswan_tests-test_crypto_factory.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_crypter.o `test -f 'suites/test_crypter.c' || echo '$(srcdir)/'`suites/test_crypter.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_crypto_factory.o `test -f 'suites/test_crypto_factory.c' || echo '$(srcdir)/'`suites/test_crypto_factory.c -suites/tests-test_crypter.obj: suites/test_crypter.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_crypter.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_crypter.Tpo -c -o suites/tests-test_crypter.obj `if test -f 'suites/test_crypter.c'; then $(CYGPATH_W) 'suites/test_crypter.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypter.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_crypter.Tpo suites/$(DEPDIR)/tests-test_crypter.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_crypter.c' object='suites/tests-test_crypter.obj' libtool=no @AMDEPBACKSLASH@ 
+suites/libstrongswan_tests-test_crypto_factory.obj: suites/test_crypto_factory.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_crypto_factory.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Tpo -c -o suites/libstrongswan_tests-test_crypto_factory.obj `if test -f 'suites/test_crypto_factory.c'; then $(CYGPATH_W) 'suites/test_crypto_factory.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypto_factory.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_crypto_factory.c' object='suites/libstrongswan_tests-test_crypto_factory.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_crypter.obj `if test -f 'suites/test_crypter.c'; then $(CYGPATH_W) 'suites/test_crypter.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypter.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_crypto_factory.obj `if test -f 'suites/test_crypto_factory.c'; then $(CYGPATH_W) 'suites/test_crypto_factory.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypto_factory.c'; fi` -suites/tests-test_crypto_factory.o: suites/test_crypto_factory.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_crypto_factory.o -MD -MP -MF suites/$(DEPDIR)/tests-test_crypto_factory.Tpo -c -o 
suites/tests-test_crypto_factory.o `test -f 'suites/test_crypto_factory.c' || echo '$(srcdir)/'`suites/test_crypto_factory.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_crypto_factory.Tpo suites/$(DEPDIR)/tests-test_crypto_factory.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_crypto_factory.c' object='suites/tests-test_crypto_factory.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_iv_gen.o: suites/test_iv_gen.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_iv_gen.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_iv_gen.Tpo -c -o suites/libstrongswan_tests-test_iv_gen.o `test -f 'suites/test_iv_gen.c' || echo '$(srcdir)/'`suites/test_iv_gen.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_iv_gen.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_iv_gen.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_iv_gen.c' object='suites/libstrongswan_tests-test_iv_gen.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_crypto_factory.o `test -f 'suites/test_crypto_factory.c' || echo '$(srcdir)/'`suites/test_crypto_factory.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_iv_gen.o `test -f 'suites/test_iv_gen.c' || echo '$(srcdir)/'`suites/test_iv_gen.c -suites/tests-test_crypto_factory.obj: suites/test_crypto_factory.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) 
-MT suites/tests-test_crypto_factory.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_crypto_factory.Tpo -c -o suites/tests-test_crypto_factory.obj `if test -f 'suites/test_crypto_factory.c'; then $(CYGPATH_W) 'suites/test_crypto_factory.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypto_factory.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_crypto_factory.Tpo suites/$(DEPDIR)/tests-test_crypto_factory.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_crypto_factory.c' object='suites/tests-test_crypto_factory.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_iv_gen.obj: suites/test_iv_gen.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_iv_gen.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_iv_gen.Tpo -c -o suites/libstrongswan_tests-test_iv_gen.obj `if test -f 'suites/test_iv_gen.c'; then $(CYGPATH_W) 'suites/test_iv_gen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_iv_gen.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_iv_gen.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_iv_gen.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_iv_gen.c' object='suites/libstrongswan_tests-test_iv_gen.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_crypto_factory.obj `if test -f 'suites/test_crypto_factory.c'; then $(CYGPATH_W) 'suites/test_crypto_factory.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypto_factory.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o 
suites/libstrongswan_tests-test_iv_gen.obj `if test -f 'suites/test_iv_gen.c'; then $(CYGPATH_W) 'suites/test_iv_gen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_iv_gen.c'; fi` -suites/tests-test_iv_gen.o: suites/test_iv_gen.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_iv_gen.o -MD -MP -MF suites/$(DEPDIR)/tests-test_iv_gen.Tpo -c -o suites/tests-test_iv_gen.o `test -f 'suites/test_iv_gen.c' || echo '$(srcdir)/'`suites/test_iv_gen.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_iv_gen.Tpo suites/$(DEPDIR)/tests-test_iv_gen.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_iv_gen.c' object='suites/tests-test_iv_gen.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_pen.o: suites/test_pen.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_pen.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_pen.Tpo -c -o suites/libstrongswan_tests-test_pen.o `test -f 'suites/test_pen.c' || echo '$(srcdir)/'`suites/test_pen.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_pen.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_pen.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_pen.c' object='suites/libstrongswan_tests-test_pen.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_iv_gen.o `test -f 'suites/test_iv_gen.c' || echo '$(srcdir)/'`suites/test_iv_gen.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_pen.o `test -f 'suites/test_pen.c' || echo '$(srcdir)/'`suites/test_pen.c -suites/tests-test_iv_gen.obj: suites/test_iv_gen.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_iv_gen.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_iv_gen.Tpo -c -o suites/tests-test_iv_gen.obj `if test -f 'suites/test_iv_gen.c'; then $(CYGPATH_W) 'suites/test_iv_gen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_iv_gen.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_iv_gen.Tpo suites/$(DEPDIR)/tests-test_iv_gen.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_iv_gen.c' object='suites/tests-test_iv_gen.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_pen.obj: suites/test_pen.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_pen.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_pen.Tpo -c -o suites/libstrongswan_tests-test_pen.obj `if test -f 'suites/test_pen.c'; then $(CYGPATH_W) 'suites/test_pen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_pen.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_pen.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_pen.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_pen.c' object='suites/libstrongswan_tests-test_pen.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_iv_gen.obj `if test -f 'suites/test_iv_gen.c'; then $(CYGPATH_W) 'suites/test_iv_gen.c'; else $(CYGPATH_W) 
'$(srcdir)/suites/test_iv_gen.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_pen.obj `if test -f 'suites/test_pen.c'; then $(CYGPATH_W) 'suites/test_pen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_pen.c'; fi` -suites/tests-test_pen.o: suites/test_pen.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_pen.o -MD -MP -MF suites/$(DEPDIR)/tests-test_pen.Tpo -c -o suites/tests-test_pen.o `test -f 'suites/test_pen.c' || echo '$(srcdir)/'`suites/test_pen.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_pen.Tpo suites/$(DEPDIR)/tests-test_pen.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_pen.c' object='suites/tests-test_pen.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_asn1.o: suites/test_asn1.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_asn1.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_asn1.Tpo -c -o suites/libstrongswan_tests-test_asn1.o `test -f 'suites/test_asn1.c' || echo '$(srcdir)/'`suites/test_asn1.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_asn1.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_asn1.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_asn1.c' object='suites/libstrongswan_tests-test_asn1.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_pen.o `test -f 'suites/test_pen.c' || echo 
'$(srcdir)/'`suites/test_pen.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_asn1.o `test -f 'suites/test_asn1.c' || echo '$(srcdir)/'`suites/test_asn1.c -suites/tests-test_pen.obj: suites/test_pen.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_pen.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_pen.Tpo -c -o suites/tests-test_pen.obj `if test -f 'suites/test_pen.c'; then $(CYGPATH_W) 'suites/test_pen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_pen.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_pen.Tpo suites/$(DEPDIR)/tests-test_pen.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_pen.c' object='suites/tests-test_pen.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_asn1.obj: suites/test_asn1.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_asn1.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_asn1.Tpo -c -o suites/libstrongswan_tests-test_asn1.obj `if test -f 'suites/test_asn1.c'; then $(CYGPATH_W) 'suites/test_asn1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_asn1.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_asn1.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_asn1.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_asn1.c' object='suites/libstrongswan_tests-test_asn1.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o 
suites/tests-test_pen.obj `if test -f 'suites/test_pen.c'; then $(CYGPATH_W) 'suites/test_pen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_pen.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_asn1.obj `if test -f 'suites/test_asn1.c'; then $(CYGPATH_W) 'suites/test_asn1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_asn1.c'; fi` -suites/tests-test_asn1.o: suites/test_asn1.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_asn1.o -MD -MP -MF suites/$(DEPDIR)/tests-test_asn1.Tpo -c -o suites/tests-test_asn1.o `test -f 'suites/test_asn1.c' || echo '$(srcdir)/'`suites/test_asn1.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_asn1.Tpo suites/$(DEPDIR)/tests-test_asn1.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_asn1.c' object='suites/tests-test_asn1.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_asn1_parser.o: suites/test_asn1_parser.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_asn1_parser.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_asn1_parser.Tpo -c -o suites/libstrongswan_tests-test_asn1_parser.o `test -f 'suites/test_asn1_parser.c' || echo '$(srcdir)/'`suites/test_asn1_parser.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_asn1_parser.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_asn1_parser.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_asn1_parser.c' object='suites/libstrongswan_tests-test_asn1_parser.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_asn1.o `test -f 'suites/test_asn1.c' || echo '$(srcdir)/'`suites/test_asn1.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_asn1_parser.o `test -f 'suites/test_asn1_parser.c' || echo '$(srcdir)/'`suites/test_asn1_parser.c -suites/tests-test_asn1.obj: suites/test_asn1.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_asn1.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_asn1.Tpo -c -o suites/tests-test_asn1.obj `if test -f 'suites/test_asn1.c'; then $(CYGPATH_W) 'suites/test_asn1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_asn1.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_asn1.Tpo suites/$(DEPDIR)/tests-test_asn1.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_asn1.c' object='suites/tests-test_asn1.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_asn1_parser.obj: suites/test_asn1_parser.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_asn1_parser.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_asn1_parser.Tpo -c -o suites/libstrongswan_tests-test_asn1_parser.obj `if test -f 'suites/test_asn1_parser.c'; then $(CYGPATH_W) 'suites/test_asn1_parser.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_asn1_parser.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_asn1_parser.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_asn1_parser.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_asn1_parser.c' 
object='suites/libstrongswan_tests-test_asn1_parser.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_asn1.obj `if test -f 'suites/test_asn1.c'; then $(CYGPATH_W) 'suites/test_asn1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_asn1.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_asn1_parser.obj `if test -f 'suites/test_asn1_parser.c'; then $(CYGPATH_W) 'suites/test_asn1_parser.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_asn1_parser.c'; fi` -suites/tests-test_asn1_parser.o: suites/test_asn1_parser.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_asn1_parser.o -MD -MP -MF suites/$(DEPDIR)/tests-test_asn1_parser.Tpo -c -o suites/tests-test_asn1_parser.o `test -f 'suites/test_asn1_parser.c' || echo '$(srcdir)/'`suites/test_asn1_parser.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_asn1_parser.Tpo suites/$(DEPDIR)/tests-test_asn1_parser.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_asn1_parser.c' object='suites/tests-test_asn1_parser.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_printf.o: suites/test_printf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_printf.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_printf.Tpo -c -o suites/libstrongswan_tests-test_printf.o `test -f 'suites/test_printf.c' || echo '$(srcdir)/'`suites/test_printf.c +@am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_printf.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_printf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_printf.c' object='suites/libstrongswan_tests-test_printf.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_asn1_parser.o `test -f 'suites/test_asn1_parser.c' || echo '$(srcdir)/'`suites/test_asn1_parser.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_printf.o `test -f 'suites/test_printf.c' || echo '$(srcdir)/'`suites/test_printf.c -suites/tests-test_asn1_parser.obj: suites/test_asn1_parser.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_asn1_parser.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_asn1_parser.Tpo -c -o suites/tests-test_asn1_parser.obj `if test -f 'suites/test_asn1_parser.c'; then $(CYGPATH_W) 'suites/test_asn1_parser.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_asn1_parser.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_asn1_parser.Tpo suites/$(DEPDIR)/tests-test_asn1_parser.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_asn1_parser.c' object='suites/tests-test_asn1_parser.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_printf.obj: suites/test_printf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_printf.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_printf.Tpo -c -o 
suites/libstrongswan_tests-test_printf.obj `if test -f 'suites/test_printf.c'; then $(CYGPATH_W) 'suites/test_printf.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_printf.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_printf.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_printf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_printf.c' object='suites/libstrongswan_tests-test_printf.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_asn1_parser.obj `if test -f 'suites/test_asn1_parser.c'; then $(CYGPATH_W) 'suites/test_asn1_parser.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_asn1_parser.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_printf.obj `if test -f 'suites/test_printf.c'; then $(CYGPATH_W) 'suites/test_printf.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_printf.c'; fi` -suites/tests-test_printf.o: suites/test_printf.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_printf.o -MD -MP -MF suites/$(DEPDIR)/tests-test_printf.Tpo -c -o suites/tests-test_printf.o `test -f 'suites/test_printf.c' || echo '$(srcdir)/'`suites/test_printf.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_printf.Tpo suites/$(DEPDIR)/tests-test_printf.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_printf.c' object='suites/tests-test_printf.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_test_rng.o: suites/test_test_rng.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_test_rng.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_test_rng.Tpo -c -o suites/libstrongswan_tests-test_test_rng.o `test -f 'suites/test_test_rng.c' || echo '$(srcdir)/'`suites/test_test_rng.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_test_rng.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_test_rng.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_test_rng.c' object='suites/libstrongswan_tests-test_test_rng.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_printf.o `test -f 'suites/test_printf.c' || echo '$(srcdir)/'`suites/test_printf.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_test_rng.o `test -f 'suites/test_test_rng.c' || echo '$(srcdir)/'`suites/test_test_rng.c -suites/tests-test_printf.obj: suites/test_printf.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_printf.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_printf.Tpo -c -o suites/tests-test_printf.obj `if test -f 'suites/test_printf.c'; then $(CYGPATH_W) 'suites/test_printf.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_printf.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_printf.Tpo suites/$(DEPDIR)/tests-test_printf.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_printf.c' object='suites/tests-test_printf.obj' libtool=no @AMDEPBACKSLASH@ 
+suites/libstrongswan_tests-test_test_rng.obj: suites/test_test_rng.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_test_rng.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_test_rng.Tpo -c -o suites/libstrongswan_tests-test_test_rng.obj `if test -f 'suites/test_test_rng.c'; then $(CYGPATH_W) 'suites/test_test_rng.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_test_rng.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_test_rng.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_test_rng.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_test_rng.c' object='suites/libstrongswan_tests-test_test_rng.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_printf.obj `if test -f 'suites/test_printf.c'; then $(CYGPATH_W) 'suites/test_printf.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_printf.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_test_rng.obj `if test -f 'suites/test_test_rng.c'; then $(CYGPATH_W) 'suites/test_test_rng.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_test_rng.c'; fi` -suites/tests-test_test_rng.o: suites/test_test_rng.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_test_rng.o -MD -MP -MF suites/$(DEPDIR)/tests-test_test_rng.Tpo -c -o suites/tests-test_test_rng.o `test -f 'suites/test_test_rng.c' || echo '$(srcdir)/'`suites/test_test_rng.c -@am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_test_rng.Tpo suites/$(DEPDIR)/tests-test_test_rng.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_test_rng.c' object='suites/tests-test_test_rng.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_mgf1.o: suites/test_mgf1.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_mgf1.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_mgf1.Tpo -c -o suites/libstrongswan_tests-test_mgf1.o `test -f 'suites/test_mgf1.c' || echo '$(srcdir)/'`suites/test_mgf1.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_mgf1.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_mgf1.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_mgf1.c' object='suites/libstrongswan_tests-test_mgf1.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_test_rng.o `test -f 'suites/test_test_rng.c' || echo '$(srcdir)/'`suites/test_test_rng.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_mgf1.o `test -f 'suites/test_mgf1.c' || echo '$(srcdir)/'`suites/test_mgf1.c -suites/tests-test_test_rng.obj: suites/test_test_rng.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_test_rng.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_test_rng.Tpo -c -o suites/tests-test_test_rng.obj `if test -f 'suites/test_test_rng.c'; then $(CYGPATH_W) 'suites/test_test_rng.c'; else $(CYGPATH_W) 
'$(srcdir)/suites/test_test_rng.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_test_rng.Tpo suites/$(DEPDIR)/tests-test_test_rng.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_test_rng.c' object='suites/tests-test_test_rng.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_mgf1.obj: suites/test_mgf1.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_mgf1.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_mgf1.Tpo -c -o suites/libstrongswan_tests-test_mgf1.obj `if test -f 'suites/test_mgf1.c'; then $(CYGPATH_W) 'suites/test_mgf1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_mgf1.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_mgf1.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_mgf1.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_mgf1.c' object='suites/libstrongswan_tests-test_mgf1.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_test_rng.obj `if test -f 'suites/test_test_rng.c'; then $(CYGPATH_W) 'suites/test_test_rng.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_test_rng.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_mgf1.obj `if test -f 'suites/test_mgf1.c'; then $(CYGPATH_W) 'suites/test_mgf1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_mgf1.c'; fi` -suites/tests-test_mgf1.o: suites/test_mgf1.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_mgf1.o -MD -MP -MF suites/$(DEPDIR)/tests-test_mgf1.Tpo -c -o suites/tests-test_mgf1.o `test -f 'suites/test_mgf1.c' || echo '$(srcdir)/'`suites/test_mgf1.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_mgf1.Tpo suites/$(DEPDIR)/tests-test_mgf1.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_mgf1.c' object='suites/tests-test_mgf1.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_ntru.o: suites/test_ntru.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_ntru.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_ntru.Tpo -c -o suites/libstrongswan_tests-test_ntru.o `test -f 'suites/test_ntru.c' || echo '$(srcdir)/'`suites/test_ntru.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_ntru.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_ntru.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ntru.c' object='suites/libstrongswan_tests-test_ntru.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_mgf1.o `test -f 'suites/test_mgf1.c' || echo '$(srcdir)/'`suites/test_mgf1.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_ntru.o `test -f 'suites/test_ntru.c' || echo '$(srcdir)/'`suites/test_ntru.c -suites/tests-test_mgf1.obj: suites/test_mgf1.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_mgf1.obj -MD -MP 
-MF suites/$(DEPDIR)/tests-test_mgf1.Tpo -c -o suites/tests-test_mgf1.obj `if test -f 'suites/test_mgf1.c'; then $(CYGPATH_W) 'suites/test_mgf1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_mgf1.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_mgf1.Tpo suites/$(DEPDIR)/tests-test_mgf1.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_mgf1.c' object='suites/tests-test_mgf1.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_ntru.obj: suites/test_ntru.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_ntru.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_ntru.Tpo -c -o suites/libstrongswan_tests-test_ntru.obj `if test -f 'suites/test_ntru.c'; then $(CYGPATH_W) 'suites/test_ntru.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ntru.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_ntru.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_ntru.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ntru.c' object='suites/libstrongswan_tests-test_ntru.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_mgf1.obj `if test -f 'suites/test_mgf1.c'; then $(CYGPATH_W) 'suites/test_mgf1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_mgf1.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_ntru.obj `if test -f 'suites/test_ntru.c'; then $(CYGPATH_W) 'suites/test_ntru.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ntru.c'; fi` -suites/tests-test_ntru.o: 
suites/test_ntru.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ntru.o -MD -MP -MF suites/$(DEPDIR)/tests-test_ntru.Tpo -c -o suites/tests-test_ntru.o `test -f 'suites/test_ntru.c' || echo '$(srcdir)/'`suites/test_ntru.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ntru.Tpo suites/$(DEPDIR)/tests-test_ntru.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ntru.c' object='suites/tests-test_ntru.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_ed25519.o: suites/test_ed25519.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_ed25519.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_ed25519.Tpo -c -o suites/libstrongswan_tests-test_ed25519.o `test -f 'suites/test_ed25519.c' || echo '$(srcdir)/'`suites/test_ed25519.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_ed25519.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_ed25519.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ed25519.c' object='suites/libstrongswan_tests-test_ed25519.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_ntru.o `test -f 'suites/test_ntru.c' || echo '$(srcdir)/'`suites/test_ntru.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_ed25519.o `test -f 'suites/test_ed25519.c' || echo '$(srcdir)/'`suites/test_ed25519.c -suites/tests-test_ntru.obj: suites/test_ntru.c 
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ntru.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_ntru.Tpo -c -o suites/tests-test_ntru.obj `if test -f 'suites/test_ntru.c'; then $(CYGPATH_W) 'suites/test_ntru.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ntru.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ntru.Tpo suites/$(DEPDIR)/tests-test_ntru.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ntru.c' object='suites/tests-test_ntru.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_ed25519.obj: suites/test_ed25519.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_ed25519.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_ed25519.Tpo -c -o suites/libstrongswan_tests-test_ed25519.obj `if test -f 'suites/test_ed25519.c'; then $(CYGPATH_W) 'suites/test_ed25519.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ed25519.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_ed25519.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_ed25519.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ed25519.c' object='suites/libstrongswan_tests-test_ed25519.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_ntru.obj `if test -f 'suites/test_ntru.c'; then $(CYGPATH_W) 'suites/test_ntru.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ntru.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c 
-o suites/libstrongswan_tests-test_ed25519.obj `if test -f 'suites/test_ed25519.c'; then $(CYGPATH_W) 'suites/test_ed25519.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ed25519.c'; fi` -suites/tests-test_ed25519.o: suites/test_ed25519.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ed25519.o -MD -MP -MF suites/$(DEPDIR)/tests-test_ed25519.Tpo -c -o suites/tests-test_ed25519.o `test -f 'suites/test_ed25519.c' || echo '$(srcdir)/'`suites/test_ed25519.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ed25519.Tpo suites/$(DEPDIR)/tests-test_ed25519.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ed25519.c' object='suites/tests-test_ed25519.o' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_signature_params.o: suites/test_signature_params.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_signature_params.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Tpo -c -o suites/libstrongswan_tests-test_signature_params.o `test -f 'suites/test_signature_params.c' || echo '$(srcdir)/'`suites/test_signature_params.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_signature_params.c' object='suites/libstrongswan_tests-test_signature_params.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_ed25519.o `test -f 'suites/test_ed25519.c' || echo 
'$(srcdir)/'`suites/test_ed25519.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_signature_params.o `test -f 'suites/test_signature_params.c' || echo '$(srcdir)/'`suites/test_signature_params.c -suites/tests-test_ed25519.obj: suites/test_ed25519.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ed25519.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_ed25519.Tpo -c -o suites/tests-test_ed25519.obj `if test -f 'suites/test_ed25519.c'; then $(CYGPATH_W) 'suites/test_ed25519.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ed25519.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ed25519.Tpo suites/$(DEPDIR)/tests-test_ed25519.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ed25519.c' object='suites/tests-test_ed25519.obj' libtool=no @AMDEPBACKSLASH@ +suites/libstrongswan_tests-test_signature_params.obj: suites/test_signature_params.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_signature_params.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Tpo -c -o suites/libstrongswan_tests-test_signature_params.obj `if test -f 'suites/test_signature_params.c'; then $(CYGPATH_W) 'suites/test_signature_params.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_signature_params.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_signature_params.c' object='suites/libstrongswan_tests-test_signature_params.obj' libtool=no @AMDEPBACKSLASH@ 
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_ed25519.obj `if test -f 'suites/test_ed25519.c'; then $(CYGPATH_W) 'suites/test_ed25519.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ed25519.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_signature_params.obj `if test -f 'suites/test_signature_params.c'; then $(CYGPATH_W) 'suites/test_signature_params.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_signature_params.c'; fi` mostlyclean-libtool: -rm -f *.lo diff --git a/src/libstrongswan/tests/suites/test_asn1.c b/src/libstrongswan/tests/suites/test_asn1.c index fa02df9ca..d7fb7c2a9 100644 --- a/src/libstrongswan/tests/suites/test_asn1.c +++ b/src/libstrongswan/tests/suites/test_asn1.c @@ -758,13 +758,10 @@ END_TEST START_TEST(test_asn1_parse_integer_uint64) { - typedef struct { + struct { uint64_t n; chunk_t chunk; - } testdata_t; - - - testdata_t test[] = { + } test[] = { { 67305985ULL, chunk_from_chars( 0x04, 0x03, 0x02, 0x01) }, { 578437695752307201ULL, chunk_from_chars( 
@@ -782,6 +779,37 @@ START_TEST(test_asn1_parse_integer_uint64) } END_TEST +/******************************************************************************* + * integer_from_uint64 + */ + +START_TEST(test_asn1_integer_from_uint64) +{ + struct { + uint64_t n; + chunk_t chunk; + } test[] = { + { 0ULL, chunk_from_chars(0x00) }, + { 255ULL, chunk_from_chars(0xff) }, + { 256ULL, chunk_from_chars(0x01, 0x00) }, + { 67305985ULL, chunk_from_chars(0x04, 0x03, 0x02, 0x01) }, + { 578437695752307201ULL, chunk_from_chars( + 0x08, 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01) }, + { 18446744073709551615ULL, chunk_from_chars( + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff) }, + }; + chunk_t asn; + int i; + + for (i = 0; i < countof(test); i++) + { + asn = asn1_integer_from_uint64(test[i].n); + ck_assert_chunk_eq(test[i].chunk, asn); + chunk_free(&asn); + } +} +END_TEST + Suite *asn1_suite_create() { Suite *s; @@ -861,8 +889,9 @@ Suite *asn1_suite_create() tcase_add_test(tc, test_asn1_integer); suite_add_tcase(s, tc); - tc = tcase_create("parse_integer_uint64"); + tc = tcase_create("integer_uint64"); tcase_add_test(tc, test_asn1_parse_integer_uint64); + tcase_add_test(tc, test_asn1_integer_from_uint64); suite_add_tcase(s, tc); return s; diff --git a/src/libstrongswan/tests/suites/test_auth_cfg.c b/src/libstrongswan/tests/suites/test_auth_cfg.c index 139b73021..d0fa8a045 100644 --- a/src/libstrongswan/tests/suites/test_auth_cfg.c +++ b/src/libstrongswan/tests/suites/test_auth_cfg.c @@ -45,7 +45,7 @@ static void check_sig_constraints(auth_cfg_t *cfg, auth_rule_t type, { enumerator_t *enumerator; auth_rule_t t; - void *value; + signature_params_t *value; int i = 0; enumerator = cfg->create_enumerator(cfg); @@ -54,7 +54,7 @@ static void check_sig_constraints(auth_cfg_t *cfg, auth_rule_t type, if (t == type) { ck_assert(expected[i]); - ck_assert_int_eq(expected[i], (signature_scheme_t)value); + ck_assert_int_eq(expected[i], value->scheme); i++; } } 
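Review bot: The expected chunks in `test_asn1_integer_from_uint64` are bare big-endian bytes, and the `255ULL` row expects a single `0xff` with no leading zero, but nothing in the test says this is intentional. Read as DER INTEGER content, `0xff` would be a negative value, so the helper presumably returns unpadded magnitude bytes that the caller must wrap and pad elsewhere; that is inferred from the vectors, not shown in the hunk. I would extend the banner comment with a line such as `/* expected chunks are minimal big-endian bytes: no tag/length, no sign padding */`. A `128ULL` row expecting `0x80` would pin the same boundary at its lowest value.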
@@ -106,6 +106,102 @@ START_TEST(test_ike_contraints_fallback) } END_TEST +typedef union { + rsa_pss_params_t pss; +} signature_param_types_t; + +struct { + char *constraints; + signature_scheme_t sig[5]; + signature_param_types_t p[5]; +} sig_constraints_params_tests[] = { + { "rsa/pss-sha256", { SIGN_RSA_EMSA_PSS, 0 }, { + { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}}}, + { "rsa/pss-sha256-sha384", { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PSS, 0 }, { + { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}, + { .pss = { .hash = HASH_SHA384, .mgf1_hash = HASH_SHA384, .salt_len = HASH_SIZE_SHA384, }}}}, + { "rsa/pss-sha256-rsa-sha256", { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, { + { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}}}, + { "rsa-sha256-rsa/pss-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_RSA_EMSA_PSS, 0 }, { + {}, + { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}}}, + { "rsa/pss", { 0 }, {}}, +}; + +static void check_sig_constraints_params(auth_cfg_t *cfg, auth_rule_t type, + signature_scheme_t scheme[], + signature_param_types_t p[]) +{ + enumerator_t *enumerator; + auth_rule_t t; + signature_params_t *value; + int i = 0; + + enumerator = cfg->create_enumerator(cfg); + while (enumerator->enumerate(enumerator, &t, &value)) + { + if (t == type) + { + if (scheme[i] == SIGN_RSA_EMSA_PSS) + { + signature_params_t expected = { + .scheme = scheme[i], + .params = &p[i].pss, + }; + ck_assert(signature_params_equal(value, &expected)); + } + else + { + ck_assert(scheme[i]); + ck_assert(!value->params); + ck_assert_int_eq(scheme[i], value->scheme); + } + i++; + } + } + enumerator->destroy(enumerator); + ck_assert(!scheme[i]); +} + +START_TEST(test_sig_contraints_params) +{ + auth_cfg_t *cfg; + + cfg = auth_cfg_create(); + cfg->add_pubkey_constraints(cfg, 
sig_constraints_params_tests[_i].constraints, TRUE); + check_sig_constraints_params(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, + sig_constraints_params_tests[_i].sig, + sig_constraints_params_tests[_i].p); + cfg->destroy(cfg); +} +END_TEST + +struct { + char *constraints; + signature_scheme_t sig[6]; + signature_param_types_t p[6]; +} sig_constraints_rsa_pss_tests[] = { + { "pubkey-sha256", { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, SIGN_BLISS_WITH_SHA2_256, 0 }, { + { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}, {}, {}, {}, {}}}, + { "rsa-sha256", { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, { + { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}, {}}}, +}; + +START_TEST(test_sig_contraints_rsa_pss) +{ + auth_cfg_t *cfg; + + lib->settings->set_bool(lib->settings, "%s.rsa_pss", TRUE, lib->ns); + + cfg = auth_cfg_create(); + cfg->add_pubkey_constraints(cfg, sig_constraints_rsa_pss_tests[_i].constraints, TRUE); + check_sig_constraints_params(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, + sig_constraints_rsa_pss_tests[_i].sig, + sig_constraints_rsa_pss_tests[_i].p); + cfg->destroy(cfg); +} +END_TEST + Suite *auth_cfg_suite_create() { Suite *s; @@ -118,5 +214,10 @@ Suite *auth_cfg_suite_create() tcase_add_loop_test(tc, test_ike_contraints_fallback, 0, countof(sig_constraints_tests)); suite_add_tcase(s, tc); + tc = tcase_create("add_pubkey_constraints parameters"); + tcase_add_loop_test(tc, test_sig_contraints_params, 0, countof(sig_constraints_params_tests)); + tcase_add_loop_test(tc, test_sig_contraints_rsa_pss, 0, countof(sig_constraints_rsa_pss_tests)); + suite_add_tcase(s, tc); + return s; } diff --git a/src/libstrongswan/tests/suites/test_ecdsa.c b/src/libstrongswan/tests/suites/test_ecdsa.c index 3c842996d..6edae81ae 100644 --- a/src/libstrongswan/tests/suites/test_ecdsa.c +++ b/src/libstrongswan/tests/suites/test_ecdsa.c 
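Review bot: `test_sig_contraints_rsa_pss` switches on the global `%s.rsa_pss` setting with `lib->settings->set_bool(...)` and never restores it, so any test that runs later against the same library instance can depend on execution order. Whether the runner re-initialises `lib` between tests is not visible in this hunk. If it does not, reset the option before `cfg->destroy(cfg);` with `lib->settings->set_bool(lib->settings, "%s.rsa_pss", FALSE, lib->ns);`. Separately, the `{ "rsa/pss", { 0 }, {}}` row deserves a short comment saying that a PSS constraint without a hash is expected to add no signature-scheme rule.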
@@ -57,9 +57,9 @@ static void test_good_sig(private_key_t *privkey, public_key_t *pubkey) { continue; } - fail_unless(privkey->sign(privkey, schemes[i].scheme, data, &sig), + fail_unless(privkey->sign(privkey, schemes[i].scheme, NULL, data, &sig), "sign %N", signature_scheme_names, schemes[i].scheme); - fail_unless(pubkey->verify(pubkey, schemes[i].scheme, data, sig), + fail_unless(pubkey->verify(pubkey, schemes[i].scheme, NULL, data, sig), "verify %N", signature_scheme_names, schemes[i].scheme); free(sig.ptr); } @@ -121,7 +121,8 @@ static void test_bad_sigs(public_key_t *pubkey) for (i = 0; i < countof(invalid_sigs); i++) { fail_if( - pubkey->verify(pubkey, schemes[s].scheme, data, invalid_sigs[i]), + pubkey->verify(pubkey, schemes[s].scheme, NULL, data, + invalid_sigs[i]), "bad %N sig accepted %B", signature_scheme_names, schemes[s].scheme, &invalid_sigs[i]); diff --git a/src/libstrongswan/tests/suites/test_ed25519.c b/src/libstrongswan/tests/suites/test_ed25519.c index 00842628d..86cbb1bc0 100644 --- a/src/libstrongswan/tests/suites/test_ed25519.c +++ b/src/libstrongswan/tests/suites/test_ed25519.c @@ -297,13 +297,13 @@ START_TEST(test_ed25519_sign) ck_assert(public->equals(public, pubkey)); /* sign */ - ck_assert(key->sign(key, SIGN_ED25519, sig_tests[_i].msg, &sig)); + ck_assert(key->sign(key, SIGN_ED25519, NULL, sig_tests[_i].msg, &sig)); ck_assert(sig.len == 64); ck_assert(chunk_equals(sig, sig_tests[_i].sig)); /* verify */ - ck_assert(pubkey->verify(pubkey, SIGN_ED25519, sig_tests[_i].msg, - sig_tests[_i].sig)); + ck_assert(pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[_i].msg, + sig_tests[_i].sig)); /* cleanup */ key->destroy(key); 
@@ -340,10 +340,10 @@ START_TEST(test_ed25519_gen) ck_assert(!key->decrypt(key, ENCRYPT_UNKNOWN, msg, NULL)); /* wrong signature scheme */ - ck_assert(!key->sign(key, SIGN_ED448, msg, &sig)); + ck_assert(!key->sign(key, SIGN_ED448, NULL, msg, &sig)); /* correct signature scheme*/ - ck_assert(key->sign(key, SIGN_ED25519, msg, &sig)); + ck_assert(key->sign(key, SIGN_ED25519, NULL, msg, &sig)); /* export public key */ pubkey = key->get_public_key(key); @@ -375,10 +375,10 @@ START_TEST(test_ed25519_gen) ck_assert(!pubkey->encrypt(pubkey, ENCRYPT_UNKNOWN, msg, NULL)); /* verify with wrong signature scheme */ - ck_assert(!pubkey->verify(pubkey, SIGN_ED448, msg, sig)); + ck_assert(!pubkey->verify(pubkey, SIGN_ED448, NULL, msg, sig)); /* verify with correct signature scheme */ - ck_assert(pubkey->verify(pubkey, SIGN_ED25519, msg, sig)); + ck_assert(pubkey->verify(pubkey, SIGN_ED25519, NULL, msg, sig)); /* cleanup */ key->destroy(key); @@ -404,10 +404,10 @@ START_TEST(test_ed25519_speed) key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED25519, BUILD_KEY_SIZE, 256, BUILD_END); ck_assert(key != NULL); - ck_assert(key->sign(key, SIGN_ED25519, msg, &sig)); + ck_assert(key->sign(key, SIGN_ED25519, NULL, msg, &sig)); pubkey = key->get_public_key(key); ck_assert(pubkey != NULL); - ck_assert(pubkey->verify(pubkey, SIGN_ED25519, msg, sig)); + ck_assert(pubkey->verify(pubkey, SIGN_ED25519, NULL, msg, sig)); key->destroy(key); pubkey->destroy(pubkey); chunk_free(&sig); 
@@ -476,25 +476,29 @@ START_TEST(test_ed25519_fail) BUILD_BLOB_ASN1_DER, sig_tests[0].pubkey, BUILD_END); ck_assert(pubkey != NULL); - ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, chunk_empty, chunk_empty)); + ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, NULL, chunk_empty, + chunk_empty)); /* malformed signature */ sig = chunk_create(sig1, 64); memcpy(sig1, sig_tests[0].sig.ptr, 64); sig1[63] |= 0xe0; - ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, sig_tests[0].msg, sig)); + ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[0].msg, + sig)); /* wrong signature */ memcpy(sig1, sig_tests[0].sig.ptr, 64); sig1[0] = 0xe4; - ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, sig_tests[0].msg, sig)); + ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[0].msg, + sig)); /* detect all-zeroes public key */ pubkey->destroy(pubkey); pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED25519, BUILD_BLOB_ASN1_DER, zero_pk, BUILD_END); ck_assert(pubkey != NULL); - ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, sig_tests[0].msg, sig)); + ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[0].msg, + sig)); pubkey->destroy(pubkey); } END_TEST diff --git a/src/libstrongswan/tests/suites/test_hasher.c b/src/libstrongswan/tests/suites/test_hasher.c index 6a83fe777..7bf527329 100644 --- a/src/libstrongswan/tests/suites/test_hasher.c +++ b/src/libstrongswan/tests/suites/test_hasher.c @@ -90,12 +90,10 @@ START_TEST(test_hasher_sig_to_oid) } END_TEST -typedef struct { +static struct { signature_scheme_t scheme; hash_algorithm_t alg; -}hasher_sig_scheme_t; - -static hasher_sig_scheme_t sig_schemes[] = { +} sig_schemes[] = { { SIGN_UNKNOWN, HASH_UNKNOWN }, { SIGN_RSA_EMSA_PKCS1_NULL, HASH_UNKNOWN }, { SIGN_RSA_EMSA_PKCS1_MD5, HASH_MD5 }, 
@@ -108,6 +106,7 @@ static hasher_sig_scheme_t sig_schemes[] = { { SIGN_RSA_EMSA_PKCS1_SHA3_256, HASH_SHA3_256 }, { SIGN_RSA_EMSA_PKCS1_SHA3_384, HASH_SHA3_384 }, { SIGN_RSA_EMSA_PKCS1_SHA3_512, HASH_SHA3_512 }, + { SIGN_RSA_EMSA_PSS, HASH_UNKNOWN }, { SIGN_ECDSA_WITH_SHA1_DER, HASH_SHA1 }, { SIGN_ECDSA_WITH_SHA256_DER, HASH_SHA256 }, { SIGN_ECDSA_WITH_SHA384_DER, HASH_SHA384 }, @@ -124,16 +123,35 @@ static hasher_sig_scheme_t sig_schemes[] = { { SIGN_BLISS_WITH_SHA3_512, HASH_SHA3_512 }, { SIGN_ED25519, HASH_IDENTITY }, { SIGN_ED448, HASH_IDENTITY }, - { 30, HASH_UNKNOWN } + { 30, HASH_UNKNOWN }, }; START_TEST(test_hasher_from_sig_scheme) { - ck_assert(hasher_from_signature_scheme(sig_schemes[_i].scheme) == + ck_assert(hasher_from_signature_scheme(sig_schemes[_i].scheme, NULL) == sig_schemes[_i].alg); } END_TEST +static struct { + signature_scheme_t scheme; + union { + rsa_pss_params_t pss; + } p; + hash_algorithm_t alg; +} sig_schemes_params[] = { + { SIGN_RSA_EMSA_PSS, .p.pss = { .hash = HASH_SHA256 }, HASH_SHA256 }, + { SIGN_RSA_EMSA_PSS, .p.pss = { .hash = HASH_SHA512 }, HASH_SHA512 }, + { SIGN_RSA_EMSA_PKCS1_SHA2_256, .p.pss = { .hash = HASH_SHA512 }, HASH_SHA256 }, +}; + +START_TEST(test_hasher_from_sig_scheme_params) +{ + ck_assert(hasher_from_signature_scheme(sig_schemes_params[_i].scheme, + &sig_schemes_params[_i].p) == sig_schemes_params[_i].alg); +} +END_TEST + typedef struct { pseudo_random_function_t prf; hash_algorithm_t alg; @@ -201,9 +219,9 @@ START_TEST(test_hasher_from_integrity) size_t length; length = 0; - ck_assert(hasher_algorithm_from_integrity(auths[_i].auth, NULL) == + ck_assert(hasher_algorithm_from_integrity(auths[_i].auth, NULL) == auths[_i].alg); - ck_assert(hasher_algorithm_from_integrity(auths[_i].auth, &length) == + ck_assert(hasher_algorithm_from_integrity(auths[_i].auth, &length) == auths[_i].alg); ck_assert(length == auths[_i].length); } 
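Review bot: The third row of `sig_schemes_params` pairs `SIGN_RSA_EMSA_PKCS1_SHA2_256` with `.p.pss = { .hash = HASH_SHA512 }` and expects `HASH_SHA256`, which only makes sense once the reader works out that the parameters must be ignored for non-PSS schemes. A comment above that row, such as `/* params are ignored unless the scheme is SIGN_RSA_EMSA_PSS */`, would state the intent. The rows also follow a nested designator with a positional `HASH_SHA256`; writing `.alg = HASH_SHA256` makes the target member explicit.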
@@ -226,7 +244,7 @@ typedef struct { static hasher_ikev2_t ikev2[] = { { HASH_IDENTITY, TRUE }, - { HASH_SHA1, TRUE }, + { HASH_SHA1, FALSE }, { HASH_SHA256, TRUE }, { HASH_SHA384, TRUE }, { HASH_SHA512, TRUE }, @@ -269,6 +287,7 @@ Suite *hasher_suite_create() tc = tcase_create("from_sig_scheme"); tcase_add_loop_test(tc, test_hasher_from_sig_scheme, 0, countof(sig_schemes)); + tcase_add_loop_test(tc, test_hasher_from_sig_scheme_params, 0, countof(sig_schemes_params)); suite_add_tcase(s, tc); tc = tcase_create("from_prf"); diff --git a/src/libstrongswan/tests/suites/test_rsa.c b/src/libstrongswan/tests/suites/test_rsa.c index 41e783521..3f6353404 100644 --- a/src/libstrongswan/tests/suites/test_rsa.c +++ b/src/libstrongswan/tests/suites/test_rsa.c @@ -1,4 +1,7 @@ /* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * * Copyright (C) 2013 Martin Willi * Copyright (C) 2013 revosec AG * @@ -16,6 +19,7 @@ #include "test_suite.h" #include +#include /** * Signature schemes to test @@ -28,6 +32,15 @@ static signature_scheme_t schemes[] = { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_RSA_EMSA_PKCS1_SHA2_384, SIGN_RSA_EMSA_PKCS1_SHA2_512, + SIGN_RSA_EMSA_PSS, +}; +/** + * Default parameters for RSA PSS signatures + */ +static rsa_pss_params_t default_pss_params = { + .hash = HASH_SHA256, + .mgf1_hash = HASH_SHA256, + .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }; /** 
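Review bot: The `{ HASH_SHA1, FALSE }` row flips the expected result for SHA-1 in the `ikev2` table without a comment, so a later reader cannot tell a deliberate policy change from a typo. If the intent is that SHA-1 is no longer accepted as an IKEv2 signature hash (inferred from the table name; the function under test is outside this hunk), say so next to the row, for example `/* SHA-1 is deliberately excluded for IKEv2 signature authentication */`. The table continues past the end of the hunk.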
@@ -40,16 +53,24 @@ static void test_good_sig(private_key_t *privkey, public_key_t *pubkey) for (i = 0; i < countof(schemes); i++) { + rsa_pss_params_t *params = NULL; + if (!lib->plugins->has_feature(lib->plugins, PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i])) || !lib->plugins->has_feature(lib->plugins, PLUGIN_PROVIDE(PRIVKEY_SIGN, schemes[i]))) { + warn("%N not supported, skip scheme", signature_scheme_names, + schemes[i]); continue; } - fail_unless(privkey->sign(privkey, schemes[i], data, &sig), + if (schemes[i] == SIGN_RSA_EMSA_PSS) + { + params = &default_pss_params; + } + fail_unless(privkey->sign(privkey, schemes[i], params, data, &sig), "sign %N", signature_scheme_names, schemes[i]); - fail_unless(pubkey->verify(pubkey, schemes[i], data, sig), + fail_unless(pubkey->verify(pubkey, schemes[i], params, data, sig), "verify %N", signature_scheme_names, schemes[i]); free(sig.ptr); } @@ -98,15 +119,23 @@ static void test_bad_sigs(public_key_t *pubkey) for (s = 0; s < countof(schemes); s++) { - if (!lib->plugins->has_feature(lib->plugins, - PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[s]))) - { - continue; - } + rsa_pss_params_t *params = NULL; + + if (!lib->plugins->has_feature(lib->plugins, + PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[s]))) + { + warn("%N not supported, skip scheme", signature_scheme_names, + schemes[s]); + continue; + } + if (schemes[s] == SIGN_RSA_EMSA_PSS) + { + params = &default_pss_params; + } for (i = 0; i < countof(invalid_sigs); i++) { fail_if( - pubkey->verify(pubkey, schemes[s], data, invalid_sigs[i]), + pubkey->verify(pubkey, schemes[s], params, data, invalid_sigs[i]), "bad %N sig accepted %B", signature_scheme_names, schemes[s], &invalid_sigs[i]); } 
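Review bot: In `test_good_sig` the PSS signature is created and verified with the same `default_pss_params`, so the test would still pass if `verify()` ignored its `params` argument altogether. A negative check right after the successful verify, reusing the signature with a different hash in the parameters, would show that the parameters are actually bound into verification. The body of `test_good_sig` begins before the hunk; the fence shows only the added block and the call it follows.

```c
		fail_unless(pubkey->verify(pubkey, schemes[i], params, data, sig),
					"verify %N", signature_scheme_names, schemes[i]);
		if (schemes[i] == SIGN_RSA_EMSA_PSS)
		{	/* same signature, different hash: verification has to fail */
			rsa_pss_params_t other = default_pss_params;

			other.hash = HASH_SHA512;
			other.mgf1_hash = HASH_SHA512;
			fail_if(pubkey->verify(pubkey, schemes[i], &other, data, sig),
					"%N sig accepted with mismatched parameters",
					signature_scheme_names, schemes[i]);
		}
		/* … unchanged: free(sig.ptr) … */
```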
@@ -373,6 +402,4770 @@ START_TEST(test_load) } END_TEST +/** + * Keys for the FIPS 186-4 SigGen PKCS#1 Ver1.5 test vectors + */ +static private_key_t *privkey_2048, *privkey_3072; +static public_key_t *pubkey_2048, *pubkey_3072; + +static void create_key(chunk_t n, chunk_t e, chunk_t d, private_key_t **privkey, + public_key_t **pubkey) +{ + *privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, + BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, + BUILD_RSA_PRIV_EXP, d, BUILD_END); + ck_assert(*privkey != NULL); + *pubkey = (*privkey)->get_public_key(*privkey); + ck_assert(*pubkey != NULL); +} + +START_SETUP(setup_keys) +{ + create_key(chunk_from_chars( + 0xce,0xa8,0x04,0x75,0x32,0x4c,0x1d,0xc8,0x34,0x78,0x27,0x81,0x8d,0xa5,0x8b,0xac, + 0x06,0x9d,0x34,0x19,0xc6,0x14,0xa6,0xea,0x1a,0xc6,0xa3,0xb5,0x10,0xdc,0xd7,0x2c, + 0xc5,0x16,0x95,0x49,0x05,0xe9,0xfe,0xf9,0x08,0xd4,0x5e,0x13,0x00,0x6a,0xdf,0x27, + 0xd4,0x67,0xa7,0xd8,0x3c,0x11,0x1d,0x1a,0x5d,0xf1,0x5e,0xf2,0x93,0x77,0x1a,0xef, + 0xb9,0x20,0x03,0x2a,0x5b,0xb9,0x89,0xf8,0xe4,0xf5,0xe1,0xb0,0x50,0x93,0xd3,0xf1, + 0x30,0xf9,0x84,0xc0,0x7a,0x77,0x2a,0x36,0x83,0xf4,0xdc,0x6f,0xb2,0x8a,0x96,0x81, + 0x5b,0x32,0x12,0x3c,0xcd,0xd1,0x39,0x54,0xf1,0x9d,0x5b,0x8b,0x24,0xa1,0x03,0xe7, + 0x71,0xa3,0x4c,0x32,0x87,0x55,0xc6,0x5e,0xd6,0x4e,0x19,0x24,0xff,0xd0,0x4d,0x30, + 0xb2,0x14,0x2c,0xc2,0x62,0xf6,0xe0,0x04,0x8f,0xef,0x6d,0xbc,0x65,0x2f,0x21,0x47, + 0x9e,0xa1,0xc4,0xb1,0xd6,0x6d,0x28,0xf4,0xd4,0x6e,0xf7,0x18,0x5e,0x39,0x0c,0xbf, + 0xa2,0xe0,0x23,0x80,0x58,0x2f,0x31,0x88,0xbb,0x94,0xeb,0xbf,0x05,0xd3,0x14,0x87, + 0xa0,0x9a,0xff,0x01,0xfc,0xbb,0x4c,0xd4,0xbf,0xd1,0xf0,0xa8,0x33,0xb3,0x8c,0x11, + 0x81,0x3c,0x84,0x36,0x0b,0xb5,0x3c,0x7d,0x44,0x81,0x03,0x1c,0x40,0xba,0xd8,0x71, + 0x3b,0xb6,0xb8,0x35,0xcb,0x08,0x09,0x8e,0xd1,0x5b,0xa3,0x1e,0xe4,0xba,0x72,0x8a, + 0x8c,0x8e,0x10,0xf7,0x29,0x4e,0x1b,0x41,0x63,0xb7,0xae,0xe5,0x72,0x77,0xbf,0xd8, + 0x81,0xa6,0xf9,0xd4,0x3e,0x02,0xc6,0x92,0x5a,0xa3,0xa0,0x43,0xfb,0x7f,0xb7,0x8d), 
+ chunk_from_chars( + 0x26,0x04,0x45), + chunk_from_chars( + 0x09,0x97,0x63,0x4c,0x47,0x7c,0x1a,0x03,0x9d,0x44,0xc8,0x10,0xb2,0xaa,0xa3,0xc7, + 0x86,0x2b,0x0b,0x88,0xd3,0x70,0x82,0x72,0xe1,0xe1,0x5f,0x66,0xfc,0x93,0x89,0x70, + 0x9f,0x8a,0x11,0xf3,0xea,0x6a,0x5a,0xf7,0xef,0xfa,0x2d,0x01,0xc1,0x89,0xc5,0x0f, + 0x0d,0x5b,0xcb,0xe3,0xfa,0x27,0x2e,0x56,0xcf,0xc4,0xa4,0xe1,0xd3,0x88,0xa9,0xdc, + 0xd6,0x5d,0xf8,0x62,0x89,0x02,0x55,0x6c,0x8b,0x6b,0xb6,0xa6,0x41,0x70,0x9b,0x5a, + 0x35,0xdd,0x26,0x22,0xc7,0x3d,0x46,0x40,0xbf,0xa1,0x35,0x9d,0x0e,0x76,0xe1,0xf2, + 0x19,0xf8,0xe3,0x3e,0xb9,0xbd,0x0b,0x59,0xec,0x19,0x8e,0xb2,0xfc,0xca,0xae,0x03, + 0x46,0xbd,0x8b,0x40,0x1e,0x12,0xe3,0xc6,0x7c,0xb6,0x29,0x56,0x9c,0x18,0x5a,0x2e, + 0x0f,0x35,0xa2,0xf7,0x41,0x64,0x4c,0x1c,0xca,0x5e,0xbb,0x13,0x9d,0x77,0xa8,0x9a, + 0x29,0x53,0xfc,0x5e,0x30,0x04,0x8c,0x0e,0x61,0x9f,0x07,0xc8,0xd2,0x1d,0x1e,0x56, + 0xb8,0xaf,0x07,0x19,0x3d,0x0f,0xdf,0x3f,0x49,0xcd,0x49,0xf2,0xef,0x31,0x38,0xb5, + 0x13,0x88,0x62,0xf1,0x47,0x0b,0xd2,0xd1,0x6e,0x34,0xa2,0xb9,0xe7,0x77,0x7a,0x6c, + 0x8c,0x8d,0x4c,0xb9,0x4b,0x4e,0x8b,0x5d,0x61,0x6c,0xd5,0x39,0x37,0x53,0xe7,0xb0, + 0xf3,0x1c,0xc7,0xda,0x55,0x9b,0xa8,0xe9,0x8d,0x88,0x89,0x14,0xe3,0x34,0x77,0x3b, + 0xaf,0x49,0x8a,0xd8,0x8d,0x96,0x31,0xeb,0x5f,0xe3,0x2e,0x53,0xa4,0x14,0x5b,0xf0, + 0xba,0x54,0x8b,0xf2,0xb0,0xa5,0x0c,0x63,0xf6,0x7b,0x14,0xe3,0x98,0xa3,0x4b,0x0d), + &privkey_2048, &pubkey_2048); + + create_key(chunk_from_chars( + 0xdc,0xa9,0x83,0x04,0xb7,0x29,0xe8,0x19,0xb3,0x40,0xe2,0x6c,0xec,0xb7,0x30,0xae, + 0xcb,0xd8,0x93,0x0e,0x33,0x4c,0x73,0x14,0x93,0xb1,0x80,0xde,0x97,0x0e,0x6d,0x3b, + 0xc5,0x79,0xf8,0x6c,0x8d,0x5d,0x03,0x2f,0x8c,0xd3,0x3c,0x43,0x97,0xee,0x7f,0xfd, + 0x01,0x9d,0x51,0xb0,0xa7,0xdb,0xe4,0xf5,0x25,0x05,0xa1,0xa3,0x4a,0xe3,0x5d,0x23, + 0xcf,0xaa,0xf5,0x94,0x41,0x9d,0x50,0x9f,0x46,0x9b,0x13,0x69,0x58,0x9f,0x9c,0x86, + 0x16,0xa7,0xd6,0x98,0x51,0x3b,0xc1,0xd4,0x23,0xd7,0x00,0x70,0xd3,0xd7,0x2b,0x99, + 
0x6c,0x23,0xab,0xe6,0x8b,0x22,0xcc,0xc3,0x9a,0xab,0xd1,0x65,0x07,0x12,0x40,0x42, + 0xc8,0x8d,0x4d,0xa6,0xa7,0x45,0x12,0x88,0xec,0x87,0xc9,0x24,0x4b,0xe2,0x26,0xaa, + 0xc0,0x2d,0x18,0x17,0x68,0x2f,0x80,0xcc,0x34,0xc6,0xea,0xf3,0x7e,0xc8,0x4d,0x24, + 0x7a,0xae,0xde,0xbb,0x56,0xc3,0xbb,0xca,0xff,0xb5,0xcf,0x42,0xf6,0x1f,0xe1,0xb7, + 0xf3,0xfc,0x89,0x74,0x8e,0x21,0x39,0x73,0xbf,0x5f,0x67,0x9d,0x8b,0x8b,0x42,0xa4, + 0x7a,0xc4,0xaf,0xd9,0xe5,0x1e,0x1d,0x12,0x14,0xdf,0xe1,0xa7,0xe1,0x16,0x90,0x80, + 0xbd,0x9a,0xd9,0x17,0x58,0xf6,0xc0,0xf9,0xb2,0x2a,0xe4,0x0a,0xf6,0xb4,0x14,0x03, + 0xd8,0xf2,0xd9,0x6d,0xb5,0xa0,0x88,0xda,0xa5,0xef,0x86,0x83,0xf8,0x6f,0x50,0x1f, + 0x7a,0xd3,0xf3,0x58,0xb6,0x33,0x7d,0xa5,0x5c,0x6c,0xfc,0x00,0x31,0x97,0x42,0x0c, + 0x1c,0x75,0xab,0xdb,0x7b,0xe1,0x40,0x3e,0xa4,0xf3,0xe6,0x42,0x59,0xf5,0xc6,0xda, + 0x33,0x25,0xbb,0x87,0xd6,0x05,0xb6,0xe1,0x4b,0x53,0x50,0xe6,0xe1,0x45,0x5c,0x9d, + 0x49,0x7d,0x81,0x04,0x66,0x08,0xe3,0x87,0x95,0xdc,0x85,0xab,0xa4,0x06,0xc9,0xde, + 0x1f,0x4f,0x99,0x90,0xd5,0x15,0x3b,0x98,0xbb,0xab,0xbd,0xcb,0xd6,0xbb,0x18,0x85, + 0x43,0x12,0xb2,0xda,0x48,0xb4,0x11,0xe8,0x38,0xf2,0x6a,0xe3,0x10,0x9f,0x10,0x4d, + 0xfd,0x16,0x19,0xf9,0x91,0x82,0x4e,0xc8,0x19,0x86,0x1e,0x51,0x99,0xf2,0x6b,0xb9, + 0xb3,0xb2,0x99,0xbf,0xa9,0xec,0x2f,0xd6,0x91,0x27,0x1b,0x58,0xa8,0xad,0xec,0xbf, + 0x0f,0xf6,0x27,0xb5,0x43,0x36,0xf3,0xdf,0x70,0x03,0xd7,0x0e,0x37,0xd1,0x1d,0xdb, + 0xd9,0x30,0xd9,0xab,0xa7,0xe8,0x8e,0xd4,0x01,0xac,0xb4,0x40,0x92,0xfd,0x53,0xd5), + chunk_from_chars( + 0xea,0xf0,0x5d), + chunk_from_chars( + 0x2d,0x6d,0xb9,0x1e,0xb3,0x2e,0x36,0xe5,0xd5,0x12,0x7d,0xeb,0x03,0x4d,0x14,0x07, + 0x2f,0xe6,0x0c,0x1c,0xd1,0x3c,0x8c,0x3d,0xd9,0xad,0xbc,0x87,0x14,0x0b,0x5e,0x71, + 0x36,0xf4,0xf8,0x9e,0x61,0xbb,0xee,0x78,0x26,0xf4,0x5a,0xc1,0xd9,0x91,0x94,0xfb, + 0xaa,0x8c,0x5a,0x0b,0xb9,0x4d,0xb3,0x1d,0x93,0x72,0x3b,0x51,0x41,0x9d,0x9c,0x6f, + 0x6e,0xeb,0x5f,0x36,0x10,0xb6,0x7f,0x4b,0x4e,0x2a,0xde,0x05,0xcc,0x6b,0x89,0x90, + 
0xe8,0x83,0x2c,0xf4,0xcd,0x40,0xf2,0xdf,0x03,0x88,0xc9,0xa5,0x20,0x72,0xe2,0x7e, + 0xfe,0xba,0xe2,0x0b,0x4a,0xd5,0x95,0x1f,0x4d,0x20,0xdd,0x18,0x94,0x3e,0x58,0xb7, + 0x86,0xd8,0x79,0x76,0x52,0xb2,0xbb,0x75,0x9c,0x31,0x9d,0x2b,0x00,0x46,0xdb,0xf6, + 0x9c,0x53,0xc0,0x75,0xd0,0x0c,0x28,0x7b,0x87,0x60,0x42,0xfa,0xfa,0x23,0xfe,0x4d, + 0xd7,0x05,0xe4,0xe4,0x23,0x27,0x7c,0x90,0x00,0x31,0x1e,0x94,0xea,0x3f,0x74,0x56, + 0xe3,0x2f,0xd1,0x2a,0xfe,0x4a,0x2b,0xde,0x35,0x8a,0x65,0x82,0x4f,0x10,0x55,0x06, + 0x48,0x23,0xc8,0x93,0xfc,0x93,0xbe,0x3b,0x8c,0x65,0x8b,0xb4,0x41,0xd7,0xf0,0xb0, + 0x0a,0xc2,0x46,0xbf,0x04,0x3a,0x9c,0x00,0x53,0xd3,0x19,0xf0,0x03,0xef,0x5a,0x55, + 0x33,0xf7,0x4d,0x63,0x0d,0x8c,0xe9,0x3b,0xab,0x41,0x6a,0x82,0x95,0x1e,0x05,0xb8, + 0x2c,0x60,0x36,0x59,0x3e,0xca,0x89,0xf0,0xeb,0xac,0xd7,0xd5,0x1e,0xd9,0x61,0x0a, + 0xf4,0x35,0x37,0xfc,0xd2,0x66,0xe5,0xe4,0x7c,0x0d,0x25,0xfe,0xda,0xd6,0xd0,0x47, + 0xa1,0xa1,0xee,0x3e,0xb4,0x44,0x36,0x7e,0x3e,0xff,0x7c,0x75,0x20,0xca,0x4f,0x77, + 0x9f,0x20,0x27,0xfe,0x45,0x03,0x62,0x04,0x16,0x84,0x54,0xdf,0x49,0x18,0xb5,0x47, + 0xa4,0xd1,0x9e,0x93,0x8f,0x3c,0x6d,0xb6,0xca,0x27,0x02,0xad,0x9b,0xbd,0xa1,0x26, + 0x1c,0x64,0xd0,0x0b,0x57,0x82,0x85,0xbd,0xcf,0xc9,0x85,0x1f,0x96,0xa4,0xf2,0xcd, + 0x14,0xd6,0x6b,0x9c,0x1f,0x65,0x74,0x2a,0x13,0x44,0x94,0x8c,0x9f,0x1d,0xa8,0xd3, + 0x38,0xed,0x4e,0x3d,0xeb,0x1e,0xba,0xdf,0x11,0xf8,0xc2,0x81,0x94,0x4e,0x88,0x49, + 0x82,0x34,0x96,0xf8,0x61,0x11,0xf3,0x78,0xbd,0xd0,0x84,0xc9,0x9f,0x65,0xfb,0x9b, + 0x4e,0xe6,0x27,0x1b,0x1d,0x1b,0xe4,0x24,0xc2,0x94,0xd1,0x85,0xd9,0xfd,0x9c,0xdf), + &privkey_3072, &pubkey_3072); +} +END_SETUP + +START_TEARDOWN(teardown_keys) +{ + pubkey_2048->destroy(pubkey_2048); + privkey_2048->destroy(privkey_2048); + pubkey_3072->destroy(pubkey_3072); + privkey_3072->destroy(privkey_3072); +} +END_TEARDOWN + +/** + * Test vectors from FIPS 186-4 + */ +static struct { + signature_scheme_t scheme; + chunk_t m; + chunk_t s; +} pkcs15_2048[] = { + { + .scheme = 
SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0x5a,0xf2,0x83,0xb1,0xb7,0x6a,0xb2,0xa6,0x95,0xd7,0x94,0xc2,0x3b,0x35,0xca,0x73, + 0x71,0xfc,0x77,0x9e,0x92,0xeb,0xf5,0x89,0xe3,0x04,0xc7,0xf9,0x23,0xd8,0xcf,0x97, + 0x63,0x04,0xc1,0x98,0x18,0xfc,0xd8,0x9d,0x6f,0x07,0xc8,0xd8,0xe0,0x8b,0xf3,0x71, + 0x06,0x8b,0xdf,0x28,0xae,0x6e,0xe8,0x3b,0x2e,0x02,0x32,0x8a,0xf8,0xc0,0xe2,0xf9, + 0x6e,0x52,0x8e,0x16,0xf8,0x52,0xf1,0xfc,0x54,0x55,0xe4,0x77,0x2e,0x28,0x8a,0x68, + 0xf1,0x59,0xca,0x6b,0xdc,0xf9,0x02,0xb8,0x58,0xa1,0xf9,0x47,0x89,0xb3,0x16,0x38, + 0x23,0xe2,0xd0,0x71,0x7f,0xf5,0x66,0x89,0xee,0xc7,0xd0,0xe5,0x4d,0x93,0xf5,0x20, + 0xd9,0x6e,0x1e,0xb0,0x45,0x15,0xab,0xc7,0x0a,0xe9,0x05,0x78,0xff,0x38,0xd3,0x1b), + .s = chunk_from_chars( + 0x6b,0x8b,0xe9,0x7d,0x9e,0x51,0x8a,0x2e,0xde,0x74,0x6f,0xf4,0xa7,0xd9,0x1a,0x84, + 0xa1,0xfc,0x66,0x5b,0x52,0xf1,0x54,0xa9,0x27,0x65,0x0d,0xb6,0xe7,0x34,0x8c,0x69, + 0xf8,0xc8,0x88,0x1f,0x7b,0xcf,0x9b,0x1a,0x6d,0x33,0x66,0xee,0xd3,0x0c,0x3a,0xed, + 0x4e,0x93,0xc2,0x03,0xc4,0x3f,0x55,0x28,0xa4,0x5d,0xe7,0x91,0x89,0x57,0x47,0xad, + 0xe9,0xc5,0xfa,0x5e,0xee,0x81,0x42,0x7e,0xde,0xe0,0x20,0x82,0x14,0x7a,0xa3,0x11, + 0x71,0x2a,0x6a,0xd5,0xfb,0x17,0x32,0xe9,0x3b,0x3d,0x6c,0xd2,0x3f,0xfd,0x46,0xa0, + 0xb3,0xca,0xf6,0x2a,0x8b,0x69,0x95,0x7c,0xc6,0x8a,0xe3,0x9f,0x99,0x93,0xc1,0xa7, + 0x79,0x59,0x9c,0xdd,0xa9,0x49,0xbd,0xaa,0xba,0xbb,0x77,0xf2,0x48,0xfc,0xfe,0xaa, + 0x44,0x05,0x9b,0xe5,0x45,0x9f,0xb9,0xb8,0x99,0x27,0x8e,0x92,0x95,0x28,0xee,0x13, + 0x0f,0xac,0xd5,0x33,0x72,0xec,0xbc,0x42,0xf3,0xe8,0xde,0x29,0x98,0x42,0x58,0x60, + 0x40,0x64,0x40,0xf2,0x48,0xd8,0x17,0x43,0x2d,0xe6,0x87,0x11,0x2e,0x50,0x4d,0x73, + 0x40,0x28,0xe6,0xc5,0x62,0x0f,0xa2,0x82,0xca,0x07,0x64,0x70,0x06,0xcf,0x0a,0x2f, + 0xf8,0x3e,0x19,0xa9,0x16,0x55,0x4c,0xc6,0x18,0x10,0xc2,0xe8,0x55,0x30,0x5d,0xb4, + 0xe5,0xcf,0x89,0x3a,0x6a,0x96,0x76,0x73,0x65,0x79,0x45,0x56,0xff,0x03,0x33,0x59, + 0x08,0x4d,0x7e,0x38,0xa8,0x45,0x6e,0x68,0xe2,0x11,0x55,0xb7,0x61,0x51,0x31,0x4a, + 
0x29,0x87,0x5f,0xee,0xe0,0x95,0x57,0x16,0x1c,0xbc,0x65,0x45,0x41,0xe8,0x9e,0x42), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0xc4,0x30,0x11,0xf3,0xee,0x88,0xc9,0xc9,0xad,0xca,0xc8,0xbf,0x37,0x22,0x1a,0xfa, + 0x31,0x76,0x9d,0x34,0x7d,0xec,0x70,0x5e,0x53,0xac,0xa9,0x89,0x93,0xe7,0x46,0x06, + 0x59,0x18,0x67,0xcc,0xd2,0x89,0xba,0x1b,0x4f,0x19,0x36,0x5f,0x98,0x3e,0x0c,0x57, + 0x83,0x46,0xda,0x76,0xc5,0xe2,0x22,0x8a,0x07,0xe4,0xfc,0x9b,0x3d,0x48,0x07,0x16, + 0x33,0x71,0xa5,0x2b,0x68,0xb6,0x68,0x73,0x20,0x1d,0xc7,0xd6,0xb5,0x66,0x16,0xac, + 0x2e,0x4c,0xb5,0x22,0x12,0x07,0x87,0xdf,0x7f,0x15,0xa5,0xe8,0x76,0x3a,0x54,0xc1, + 0x79,0xc6,0x35,0xd6,0x58,0x16,0xbc,0x19,0x48,0x5d,0xe3,0xeb,0x35,0xa5,0x20,0x40, + 0x59,0x10,0x94,0xfe,0x0e,0x64,0x85,0xa7,0xe0,0xc6,0x0e,0x38,0xe7,0xc6,0x15,0x51), + .s = chunk_from_chars( + 0xaa,0x3a,0x4e,0x12,0xeb,0x87,0x59,0x6c,0x71,0x1c,0x9a,0x22,0xbc,0xab,0xcb,0x9d, + 0xad,0xff,0xca,0xbc,0xec,0xbd,0x16,0x22,0x88,0x89,0xe9,0xbb,0x45,0x7d,0x5d,0x22, + 0x57,0x1a,0x72,0xf0,0x34,0xbe,0x47,0x83,0x38,0x4f,0x43,0xce,0x6f,0xff,0xc6,0x05, + 0x34,0xb8,0x33,0x1c,0xdd,0x5d,0x7c,0x77,0xf4,0x91,0x80,0xbf,0xd1,0x94,0xb5,0xfd, + 0x43,0xa5,0x08,0xc6,0x6d,0x78,0x6c,0x55,0x88,0x76,0x73,0x58,0x94,0xe6,0xa9,0x30, + 0x09,0x52,0xde,0x79,0x2f,0x74,0x70,0x45,0xe7,0x4d,0x87,0xfd,0x50,0x98,0x02,0x30, + 0x70,0x7a,0x34,0xa4,0xdf,0x01,0x3c,0xe0,0x50,0xbb,0xff,0x0d,0x6f,0x57,0x08,0x85, + 0xc9,0xc7,0xbf,0x8d,0xc4,0x99,0x13,0x2c,0xae,0xe0,0x71,0xb4,0x1d,0x81,0xff,0x91, + 0xb8,0xce,0x21,0xaa,0x2f,0x28,0x2c,0xbf,0x52,0x38,0x9f,0x23,0x9a,0xfe,0x14,0x90, + 0x89,0x0b,0xe2,0x1f,0x9d,0x80,0x8b,0x3d,0x70,0xb9,0x7e,0xfd,0x59,0xc0,0xb6,0x0e, + 0x46,0x60,0x88,0xbb,0x42,0x71,0x4f,0x21,0x2b,0xc9,0x0d,0xb7,0xe9,0x42,0xeb,0xce, + 0xe6,0x0e,0x7b,0x10,0x7f,0xff,0x44,0xfb,0x35,0x64,0xff,0x07,0xd6,0xd0,0x28,0x50, + 0x21,0x5f,0xd3,0x57,0xd8,0x97,0xc4,0xd3,0x2b,0xef,0x86,0x61,0x68,0x9f,0x2d,0x84, + 
0xff,0x89,0x76,0x37,0xfb,0x6d,0x55,0x68,0xa7,0x27,0x0e,0x78,0x34,0x26,0xb7,0x4b, + 0x70,0x37,0x49,0x3e,0x51,0x55,0xfd,0x7c,0xb3,0xdd,0xdd,0xfd,0x36,0xbd,0x8a,0x9c, + 0x87,0x7d,0x71,0xd2,0xa9,0x66,0x05,0x7c,0x08,0x26,0x3d,0x29,0x39,0xc8,0x49,0x87), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0x61,0xd7,0xb3,0x15,0x01,0x31,0x35,0x1e,0x7b,0x4c,0x8e,0x56,0x45,0xd3,0x8b,0xe9, + 0x33,0x5b,0x40,0x28,0x9a,0xf3,0x4c,0xc6,0xb6,0xfc,0x5e,0x48,0x49,0x3b,0xf8,0xb7, + 0x85,0x2c,0x73,0x98,0x2c,0x99,0x44,0x1e,0xf6,0x6c,0x7d,0x9d,0x33,0xc2,0x97,0x42, + 0xb1,0x40,0x6e,0x02,0xe0,0xaa,0x8d,0xd0,0x34,0xb1,0xac,0x13,0xcb,0x0d,0x77,0x57, + 0x50,0xcc,0x91,0x42,0x1f,0xea,0xd9,0xca,0xa9,0x21,0xec,0xa6,0x1a,0x02,0xeb,0x02, + 0x3a,0x45,0x7e,0x77,0x91,0x5e,0x18,0x3a,0xcf,0x51,0x7d,0x94,0x6b,0xc6,0x82,0x92, + 0x89,0x60,0x14,0xfd,0x21,0x4b,0x7c,0x8c,0x5e,0x14,0xe1,0x59,0x44,0xbe,0x0f,0x92, + 0x96,0x12,0x77,0x71,0xf7,0x36,0x76,0x6e,0x4f,0x81,0xda,0xb3,0x70,0x8e,0xa2,0xd0), + .s = chunk_from_chars( + 0x84,0xe9,0x2a,0x14,0x5a,0xe6,0xbe,0x1f,0xf9,0x24,0x2d,0x9e,0xd2,0xd6,0x8d,0xe6, + 0x68,0xe8,0x02,0x52,0x4e,0x8a,0xc0,0xa7,0x9d,0xe6,0x2f,0xe7,0x40,0x48,0xc3,0x54, + 0x91,0xfd,0x2f,0xfd,0xb1,0x85,0x05,0x7e,0x66,0x6d,0xbf,0xaa,0xc8,0x4c,0x34,0xfd, + 0xe7,0x89,0x12,0x63,0xf8,0xb2,0xbc,0x74,0x74,0x62,0x30,0x32,0x0f,0x67,0xa7,0xbd, + 0x73,0x19,0xc9,0xb9,0xde,0x41,0x90,0x54,0x70,0x14,0xe2,0xd7,0xa2,0xa5,0x06,0x0d, + 0x62,0x00,0xaa,0xdc,0x3a,0x44,0xba,0xc0,0x29,0xff,0x39,0x92,0xed,0xd3,0x0e,0xc5, + 0x3a,0xb0,0xd9,0x12,0x3e,0xaa,0x6b,0x14,0x73,0x52,0xa0,0x73,0xa9,0x81,0x61,0xe6, + 0x4f,0x39,0x4b,0xb9,0x94,0x92,0xc6,0x97,0x7e,0x24,0xf4,0x45,0xc7,0x12,0x5b,0xfb, + 0x90,0xf8,0x7f,0xaf,0x26,0x22,0x72,0x13,0x4a,0xcb,0x18,0x82,0x3a,0x99,0xa5,0x22, + 0x8d,0x14,0x95,0x46,0x32,0x97,0xfd,0x77,0x48,0x77,0xfb,0x63,0xd4,0x91,0x81,0x06, + 0x34,0x7e,0x6f,0x29,0x31,0x5e,0x48,0x36,0x3f,0x39,0xb3,0x32,0x99,0xea,0xa3,0x2d, + 
0x8d,0xa7,0x1b,0x22,0x9d,0x8f,0xfe,0xe5,0xf6,0x6f,0x72,0x2a,0xd3,0xaa,0x41,0x75, + 0xd3,0xf8,0x4e,0xce,0x9c,0xc8,0xec,0xa8,0xd6,0xf2,0xf3,0x56,0xa8,0x5c,0x15,0x24, + 0x89,0x6c,0x18,0xf7,0xb5,0xc8,0xf9,0xbc,0xde,0xf4,0x5c,0x49,0x6d,0x53,0x91,0x79, + 0x89,0x1d,0xdc,0x76,0xe5,0x20,0x8a,0xd8,0x35,0x3d,0x48,0xc6,0x24,0x05,0x4f,0x34, + 0x40,0xee,0xba,0x44,0x32,0xa1,0x06,0x54,0xa1,0x1e,0xf5,0x37,0x83,0xbd,0x11,0x6f), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0xb6,0x77,0x1a,0xb0,0xe1,0x28,0xb4,0x1b,0x32,0xb8,0xb0,0x5e,0x05,0xad,0xd2,0x3c, + 0xe0,0xfb,0x87,0x7b,0x40,0xbf,0xcc,0x3b,0x99,0x2f,0x4c,0x86,0x98,0xd1,0xc8,0x28, + 0xab,0xec,0xbc,0xc1,0xc3,0x3d,0x40,0x18,0x59,0xea,0x2c,0xb2,0xaf,0xbc,0x7f,0xa4, + 0x58,0x88,0x02,0xa5,0xfa,0xee,0x28,0x67,0x53,0x46,0x39,0x28,0x7a,0xd8,0xaf,0x84, + 0x67,0x4b,0xe1,0x8d,0xb6,0x61,0xde,0x1d,0xa8,0xe1,0x9c,0x6b,0x6b,0xd4,0x52,0xdd, + 0x9b,0xf3,0x22,0x1d,0x08,0x61,0xfb,0x6f,0xba,0x96,0xbe,0x42,0x32,0x9b,0x9f,0x04, + 0xf3,0x7d,0xcf,0x3b,0x41,0xfc,0x58,0xd2,0x29,0x83,0x48,0xb0,0xc1,0x5d,0x11,0x90, + 0xb1,0x25,0x30,0x0c,0xf2,0x7e,0x0d,0xfa,0xd6,0x05,0x22,0xfc,0x49,0x84,0x60,0x53), + .s = chunk_from_chars( + 0x62,0x76,0x92,0x55,0x68,0x62,0x6f,0x0c,0xbe,0x6f,0x51,0x50,0xb0,0x50,0xe1,0x70, + 0x25,0x82,0xf8,0xda,0xf9,0x9a,0x6f,0x88,0x0e,0xf7,0x5c,0xd9,0x6c,0x2d,0x42,0x08, + 0xfb,0x6e,0x91,0xb0,0x1b,0xa6,0xab,0xa2,0xa8,0x16,0xb2,0xd3,0xcb,0x97,0x5d,0xf8, + 0x50,0xb1,0xd2,0x68,0xc4,0x66,0x2d,0xd1,0xea,0x3a,0x30,0x0c,0x1d,0x71,0x71,0xc6, + 0x33,0xdd,0x2e,0xfb,0xac,0x30,0x00,0xc5,0x6a,0xb8,0x0f,0x98,0x9d,0xbc,0x18,0x24, + 0x3e,0x63,0x6b,0xa5,0xd4,0xd2,0x6a,0x7d,0x3f,0x19,0x65,0xad,0x3c,0xb0,0xf1,0xa8, + 0x51,0x3f,0x99,0x80,0x03,0xf7,0xb6,0x7e,0x2a,0xc5,0xc7,0x18,0xcb,0x68,0x8b,0x32, + 0x01,0xd5,0x6e,0x68,0xf0,0xb9,0xf8,0x62,0x57,0xb8,0x47,0x94,0xcd,0xff,0xbc,0x1f, + 0xe3,0xea,0x24,0xb7,0xbb,0x6e,0x9e,0xf0,0x53,0x9b,0xd4,0xfb,0xc1,0xaf,0xb5,0x5b, + 
0xc1,0xdc,0xa3,0x99,0x96,0xea,0x8a,0x63,0x76,0x9f,0x6e,0x22,0x57,0x07,0xf6,0x90, + 0x47,0x55,0x5e,0x1a,0x4e,0xf3,0xc6,0x39,0xc5,0xf2,0xa4,0x97,0xb8,0x89,0x42,0x4a, + 0x90,0x14,0x86,0x39,0xbb,0x64,0xdf,0x0a,0x06,0xe0,0xb7,0xf0,0xe8,0xed,0x46,0x6a, + 0x97,0x7b,0xac,0xa3,0x2f,0x48,0x23,0x37,0xb2,0xab,0xe3,0x98,0x3e,0xae,0xc3,0xfe, + 0x10,0x75,0x01,0x6e,0x58,0x67,0x52,0x17,0x60,0xfd,0x06,0x07,0xd7,0x99,0xf1,0x76, + 0x6b,0x3f,0xf6,0xe2,0xae,0x15,0x5d,0x69,0x25,0x0f,0x8b,0xf0,0x8c,0x8e,0xdc,0xa0, + 0xb4,0xf3,0x1d,0x0f,0x83,0x8c,0xfd,0x29,0x8c,0xb7,0x31,0x2d,0xf9,0x3f,0x09,0x97), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0x6a,0x81,0xcb,0x6c,0x7b,0x26,0x8f,0x4b,0x9f,0xb9,0x17,0x2a,0xdb,0xbb,0x36,0xa2, + 0x37,0xa0,0xdc,0xf1,0xc3,0xc8,0x3a,0x95,0xdc,0xb0,0x27,0x1a,0xac,0x6a,0xc3,0x30, + 0xf0,0x4a,0x5a,0x00,0xfe,0xe3,0x8b,0xc0,0x06,0x31,0xa9,0x85,0x98,0x18,0x61,0x59, + 0x66,0x0d,0x9d,0x8e,0x4c,0x14,0xa9,0x52,0x8d,0xea,0x94,0x83,0x60,0x83,0xda,0xc4, + 0xab,0xb7,0x3f,0xd0,0x0e,0x38,0xfe,0x0e,0x23,0xc7,0x23,0x66,0x04,0xa7,0x36,0x54, + 0x0e,0x52,0x19,0x3a,0xe5,0x6c,0x33,0xfb,0xb8,0xf5,0xcf,0xc5,0xc7,0xc2,0xbe,0x2e, + 0x22,0x2e,0x44,0x83,0xb3,0x0d,0x32,0x5c,0x7e,0xe1,0x4f,0x74,0x28,0x51,0xfc,0xb8, + 0xb6,0xd6,0x18,0x9e,0x98,0xb8,0x22,0xb8,0xe6,0x39,0x9d,0x89,0xe9,0x0f,0xb9,0x97), + .s = chunk_from_chars( + 0xb6,0x79,0x91,0x05,0x0c,0x08,0x3e,0x64,0x50,0x97,0xdb,0x03,0xff,0xf3,0x47,0x58, + 0x86,0x8b,0xeb,0x19,0xe9,0xc0,0xc4,0x84,0x75,0xf0,0xf9,0x13,0x36,0x1e,0x71,0xd3, + 0xd6,0xf2,0x7a,0x8c,0x4f,0x0b,0x26,0x9b,0x49,0xe8,0x53,0x40,0x39,0xe5,0x3a,0xd3, + 0xba,0xb9,0xa3,0xe6,0x2a,0xbe,0x07,0x8e,0xe7,0x5e,0x7f,0xb5,0x95,0x90,0x06,0xfb, + 0xfb,0x01,0x4c,0xa7,0xb8,0x1b,0x3d,0x5a,0xfe,0x0e,0xe5,0xf6,0xfc,0x2d,0xfb,0xc4, + 0x50,0xf2,0x83,0x95,0x43,0x00,0x2f,0x33,0xf4,0xf3,0x54,0xf8,0x27,0x27,0x8c,0x76, + 0xc0,0x41,0x68,0x6e,0xea,0x78,0x86,0xeb,0xb2,0xa7,0xaf,0xa5,0x99,0x5c,0x6c,0xdd, + 
0xb1,0xc0,0xb5,0x80,0x66,0xdd,0xb8,0xdc,0x54,0xa6,0x92,0x7c,0x14,0x6c,0x3b,0x2a, + 0x0f,0xa7,0xce,0xf2,0x89,0x03,0xc6,0xc6,0x72,0xbc,0x20,0xef,0x68,0xff,0xbf,0xab, + 0x24,0x7e,0xb6,0x88,0xab,0x4b,0xde,0x71,0x06,0xd9,0xc5,0x9d,0x21,0x53,0x09,0x6d, + 0xc9,0xe5,0x20,0x72,0x67,0x03,0x8d,0x88,0xe2,0x17,0x4e,0x76,0xad,0xc1,0x50,0x8a, + 0xe2,0x4e,0xb6,0x02,0x33,0x2e,0x53,0xc0,0xc2,0xe3,0x31,0x54,0xa6,0x6a,0x97,0xa0, + 0xf1,0x2f,0x66,0xc6,0x12,0x58,0xc7,0xbf,0x6b,0xbf,0x3f,0x1d,0xcb,0xe9,0xca,0xf2, + 0xfd,0x30,0xec,0x68,0xc0,0xa9,0xd0,0x9f,0x4f,0xd7,0x76,0x30,0x4b,0x54,0x0e,0x62, + 0xfc,0x85,0x12,0xbe,0xaa,0xbc,0x4b,0xe2,0x10,0x7a,0x1e,0xc1,0x8e,0x87,0xf6,0x1f, + 0x9d,0xb2,0x5e,0x87,0x1d,0xc0,0x69,0x3c,0xef,0x17,0xc2,0xa6,0x87,0xfc,0x85,0x4f), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0x05,0x6c,0x1e,0x46,0x44,0x59,0x9e,0x31,0x83,0xdd,0x8d,0x2f,0x64,0xe4,0xbb,0x23, + 0x52,0xff,0x00,0xd0,0x12,0xab,0x76,0x3f,0x9a,0xd6,0xe5,0x60,0x27,0x9f,0x7f,0xf3, + 0x8a,0x5e,0xce,0xa9,0xc2,0xe4,0xea,0x87,0xd0,0x04,0xef,0x8c,0xc7,0x52,0xae,0x93, + 0x23,0x2a,0xa3,0x7b,0x5b,0xf4,0x28,0x84,0xba,0xa7,0xe7,0xfc,0x6a,0x8c,0x95,0x1c, + 0xd2,0x45,0xde,0x2d,0x22,0x0d,0x9b,0xee,0x2b,0x41,0x4b,0x3a,0x75,0x20,0xc1,0xe6, + 0x8b,0xcf,0x1a,0xe9,0x9a,0x9f,0xf2,0xbf,0x3a,0x93,0xd8,0x0f,0x8c,0x1d,0xfe,0x8b, + 0x85,0x29,0x35,0x17,0x89,0x5c,0x19,0x2e,0x3c,0x9e,0x89,0x82,0x95,0xd6,0x5b,0xe3, + 0x34,0xf4,0x4d,0x62,0xf5,0x35,0x3e,0xb6,0xc5,0xa2,0x9e,0xdf,0xb4,0xdb,0x23,0x09), + .s = chunk_from_chars( + 0xae,0x05,0x20,0x4e,0x40,0x9d,0x72,0x7e,0xb9,0xe4,0xdc,0x24,0xbe,0x8f,0x86,0x33, + 0x28,0xc2,0x81,0x3d,0xa4,0xfc,0xef,0x28,0x86,0x6e,0x21,0xa5,0xda,0xb2,0x1a,0x48, + 0x53,0x21,0xb7,0x35,0x27,0x4a,0xf0,0x6b,0xf1,0x7e,0x27,0x15,0x18,0xe1,0x11,0x64, + 0xd7,0x22,0xab,0x07,0x35,0x48,0xf0,0x2e,0x1b,0x44,0x19,0x23,0xdb,0x6f,0x1c,0xee, + 0x65,0xa0,0x17,0xed,0xfb,0xaf,0x33,0x61,0xc6,0x7f,0xbc,0x2b,0x39,0xfe,0x03,0x8c, + 
0xb5,0xcb,0x65,0xa6,0x40,0xf9,0x58,0x87,0x38,0x9c,0xe8,0xa5,0xad,0x2e,0xc6,0xe6, + 0x9d,0x3d,0x60,0x35,0x05,0xb0,0x25,0xf6,0xd6,0x33,0x0c,0x8b,0x64,0x88,0x02,0xca, + 0xf7,0xe6,0xfa,0x3f,0xe7,0xb3,0x81,0x41,0x65,0x99,0x86,0xcb,0x89,0xe6,0x23,0x2f, + 0x10,0x62,0x22,0x56,0x4d,0x5e,0x51,0x95,0xed,0xa6,0xa2,0x5f,0x99,0x06,0x85,0x72, + 0xc2,0xfa,0xfe,0x97,0xf1,0x47,0xf7,0xf2,0xf4,0x11,0x9f,0x21,0x38,0x5a,0xf1,0xfc, + 0xed,0x97,0xf7,0x86,0x32,0xd8,0xbf,0x4f,0xd9,0xa9,0x05,0x4d,0x8b,0x9a,0xa2,0xa9, + 0xf4,0xde,0xd5,0x87,0x84,0x7a,0x91,0xd4,0x2c,0x63,0x91,0x12,0x5f,0x10,0x3a,0xe2, + 0x88,0x54,0x7e,0x84,0x89,0x69,0x3a,0xe8,0x68,0x6b,0x84,0x89,0x1b,0x77,0x2b,0x10, + 0xc4,0x79,0x68,0x83,0xf6,0x6c,0xd4,0x59,0xa8,0xc1,0xa6,0xa4,0x18,0x7b,0xd6,0xb3, + 0x87,0xd3,0x49,0xe9,0x2d,0x7b,0x60,0x49,0x53,0x72,0x7c,0x9e,0x9f,0xdc,0x44,0x9e, + 0x73,0x45,0xe7,0xca,0x6b,0x33,0x9e,0x26,0xb0,0x86,0xf5,0x54,0x88,0x98,0xcb,0xe9), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0xce,0xc5,0xc9,0xb6,0xf8,0x44,0x97,0xac,0x32,0x7f,0x68,0xef,0x88,0x66,0x41,0xfe, + 0xc9,0x95,0x17,0x8b,0x30,0x71,0x92,0x30,0x43,0x74,0x11,0x5e,0xfc,0xc5,0xee,0x96, + 0x27,0x0c,0x03,0xdb,0x0b,0x84,0x6d,0x67,0x4c,0x52,0x8f,0x9d,0x10,0x15,0x5a,0x3f, + 0x61,0xbe,0xcc,0xe1,0xd3,0xa2,0xb7,0x9d,0x66,0xcd,0xc4,0x09,0xad,0x99,0xb7,0x66, + 0x30,0x80,0xf5,0x1a,0x10,0x2f,0x43,0x61,0xe9,0xdb,0xd0,0x3f,0xfc,0xd8,0x76,0xb9, + 0x8e,0x68,0x3d,0x44,0x8b,0xd1,0x21,0x7e,0x6f,0xb2,0x15,0x1c,0x66,0x96,0x47,0x23, + 0xb2,0xca,0xa6,0x5c,0x4e,0x6c,0xa2,0x01,0xd1,0xc5,0x32,0xbd,0x94,0xd9,0x1c,0xd4, + 0x17,0x3b,0x71,0x9d,0xa1,0x26,0x56,0x39,0x27,0xca,0x0a,0x7f,0x6f,0xe4,0x25,0x36), + .s = chunk_from_chars( + 0xc4,0x8a,0x8e,0x01,0xd4,0xbb,0xfe,0x0f,0x2f,0x05,0x65,0x93,0x37,0xea,0x71,0xd2, + 0x1f,0x38,0xd7,0xf7,0xa1,0x0b,0x00,0xb0,0x6e,0x1f,0x89,0x9e,0xaf,0x40,0xa8,0xe9, + 0x7e,0xad,0x64,0xbc,0xa3,0x7f,0x13,0xa5,0x5e,0xf1,0xcf,0x3f,0xb5,0x2c,0xee,0x27, + 
0x9c,0xdc,0xb0,0x96,0x08,0x5a,0x46,0x7a,0xfa,0x97,0xb0,0x3d,0x78,0xd6,0x07,0x6e, + 0x47,0x2b,0x12,0xd6,0xbe,0x96,0x47,0xce,0xc3,0x2d,0x8d,0x91,0xa2,0x62,0x47,0x69, + 0x37,0x71,0x68,0x74,0x60,0xba,0x52,0x69,0xde,0x18,0xe1,0xed,0xef,0x60,0x22,0x53, + 0x3a,0x95,0x79,0xf9,0x1d,0x58,0x4f,0x9e,0x0c,0xee,0x11,0x00,0xc4,0x47,0xb7,0x75, + 0x76,0xb1,0xb4,0xee,0x16,0x3e,0xd4,0x70,0x01,0x47,0xa9,0xaa,0x61,0xbd,0xc4,0xe2, + 0x31,0x6d,0x2d,0x81,0x8c,0x10,0x28,0xed,0x1c,0x3e,0x37,0x2c,0x9f,0x6a,0x17,0x45, + 0x57,0x24,0x44,0x63,0x72,0x48,0x09,0x1b,0x83,0xf7,0xb5,0x39,0xf9,0xbd,0x58,0xb7, + 0x67,0x56,0x76,0x03,0x4c,0x20,0xe4,0xca,0x11,0x9b,0x91,0xc4,0xca,0x5d,0xc7,0x6a, + 0xcb,0xff,0x3d,0x04,0x62,0x89,0x83,0x52,0xc5,0x91,0xc2,0xca,0x6f,0x2d,0x8b,0x09, + 0xe2,0xe6,0x33,0x8a,0x84,0x33,0x6e,0x06,0xf0,0xcc,0x02,0x0e,0x9e,0xb8,0xda,0x78, + 0x58,0x89,0xb4,0x97,0xf3,0xb9,0x8e,0x82,0x7e,0xe7,0xa7,0xd3,0xf1,0xb0,0xb7,0x3c, + 0x19,0x58,0xe1,0x6a,0xa9,0x78,0x61,0xe6,0x67,0x59,0x70,0xce,0x31,0xd9,0xd1,0x19, + 0xbb,0x34,0x0b,0xe8,0x0f,0xd0,0xf4,0x3c,0x3d,0xbe,0x64,0xf2,0xa5,0x9d,0x62,0x9d), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0x91,0x93,0xf8,0xb9,0x14,0xdf,0xe0,0xe6,0x25,0x21,0xf3,0x5a,0xfa,0x4f,0xa5,0xd4, + 0x28,0x35,0xe1,0x98,0xaf,0x67,0x38,0x09,0x37,0x7a,0x3e,0x7a,0x99,0x73,0x31,0x42, + 0xa1,0x80,0xdc,0x0e,0x13,0xe6,0xbb,0x7c,0xeb,0x3b,0x60,0xe5,0xe9,0xd5,0x15,0x79, + 0x4d,0x82,0xc3,0x92,0xe0,0x79,0x13,0x42,0x33,0x91,0xd2,0x2e,0x2b,0xb1,0x9a,0xa0, + 0xbd,0x88,0xaf,0xd7,0xf7,0x7e,0x27,0xa2,0x40,0xea,0x4e,0x2d,0xe0,0x85,0x48,0x1a, + 0xc3,0x1f,0xf8,0xd3,0x79,0x90,0x21,0x1f,0x82,0xf2,0xcb,0xf4,0xc9,0x0d,0xe9,0x8d, + 0x6e,0x13,0x38,0xbb,0xc8,0x8e,0x6a,0x80,0xab,0x96,0x84,0xda,0xe6,0x47,0x85,0xdd, + 0x10,0x72,0x48,0x04,0x85,0x93,0xab,0xc9,0xab,0x03,0xf1,0x73,0x7a,0x6f,0x65,0x30), + .s = chunk_from_chars( + 0x5c,0x2f,0xe4,0x53,0xa8,0xb0,0x8c,0x90,0xb0,0x2e,0xb2,0xc9,0x99,0x42,0x42,0xd5, + 
0x18,0xf3,0xf2,0x1b,0x36,0x88,0x95,0xcf,0xfd,0x62,0x40,0x50,0xe4,0x8a,0xa7,0x14, + 0x00,0x5a,0xe6,0x75,0xfe,0x79,0xaa,0x3c,0xad,0xd4,0xdf,0x55,0xbd,0xf1,0x2b,0xec, + 0x5b,0xe8,0xa4,0x1d,0x87,0x53,0x8f,0x7e,0x03,0x1b,0x78,0x2e,0x34,0xd3,0x92,0x46, + 0x8e,0x5f,0x14,0xbc,0x61,0x3b,0x8f,0x4d,0x28,0xc8,0xfb,0x79,0xa2,0x53,0x7e,0x1e, + 0x60,0x10,0x31,0xda,0x72,0x0a,0xcd,0x7b,0x2c,0x8d,0xcb,0xe9,0x85,0x86,0x24,0xa7, + 0xa9,0xa9,0x2a,0x06,0xf9,0x18,0x45,0xf7,0x32,0x37,0x0d,0x67,0x36,0x5c,0x64,0x64, + 0xf7,0xb6,0x8f,0x22,0xeb,0x3e,0xdf,0xee,0xc9,0x7e,0x32,0x85,0x02,0x4d,0x7f,0x69, + 0x43,0xb6,0xd5,0x0a,0x16,0xcc,0x96,0xd6,0x0f,0x68,0x03,0x51,0xde,0xaa,0x25,0xf0, + 0xbc,0x86,0x89,0x48,0x60,0x7a,0x6b,0xa7,0xf1,0x94,0x9b,0x85,0x94,0x3c,0x6a,0x92, + 0xbd,0x61,0x72,0xe8,0x1b,0xcc,0x05,0x50,0x14,0xb7,0x8a,0x73,0x39,0x72,0xe3,0xf3, + 0x9d,0x14,0x09,0x9d,0x16,0x07,0xa2,0x0f,0xf8,0x68,0x1c,0x29,0xae,0x1e,0xf9,0x9e, + 0xf1,0x15,0xed,0x6a,0x10,0x84,0xb5,0x14,0xb8,0x1a,0x69,0xd4,0xa1,0x5c,0xe1,0xe2, + 0x57,0x6f,0xdc,0xf2,0xb2,0xaf,0x61,0x5b,0x52,0xfe,0xc7,0x01,0x32,0x11,0x2d,0xcc, + 0x5b,0xc1,0x9e,0xc1,0x7f,0x32,0x28,0x14,0x60,0x62,0x34,0x20,0x31,0x73,0x53,0xe8, + 0xa2,0x55,0xfd,0xa5,0x02,0xbd,0x1f,0xb1,0x1a,0x58,0x83,0x2a,0xe2,0xc0,0x4f,0x9a), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0x0e,0x57,0xef,0x40,0xb0,0x21,0xbf,0x87,0xf6,0x42,0xc5,0x75,0x6b,0x65,0x15,0xa0, + 0xe0,0x6c,0x15,0xa0,0x18,0x56,0xd7,0x16,0xc5,0x66,0xa6,0xed,0xb3,0x81,0xdf,0xdf, + 0x44,0xd9,0x03,0x3b,0x1c,0xc8,0x09,0xe6,0x1d,0xfe,0xf9,0xa0,0x96,0xdf,0xb6,0x89, + 0xb7,0x27,0x1b,0xe4,0x49,0xd0,0x4a,0x1a,0x9c,0x35,0x41,0x02,0xc0,0x77,0xaf,0x5f, + 0xf7,0x20,0x05,0xab,0x6b,0x06,0xcf,0x13,0x1d,0x73,0x45,0xc2,0x1e,0x82,0x1d,0x62, + 0x01,0xcc,0xa4,0xe0,0x90,0x44,0x0d,0x70,0xbe,0x60,0x09,0xd2,0xdd,0x7a,0x98,0xd3, + 0x11,0x75,0x1e,0x16,0x05,0xa3,0xb9,0x14,0xdc,0xe6,0xd2,0x62,0x6b,0x16,0xf2,0x33, + 0xa5,0xa3,0xd7,0x1d,0x56,0x7c,0xc8,0x20,0x15,0x2f,0x25,0xe4,0x73,0x51,0x42,0x42), + .s = 
chunk_from_chars( + 0x76,0x43,0xaa,0x3f,0xe6,0x3e,0x66,0xf7,0x9d,0x6b,0x40,0x9d,0x14,0x5e,0xa8,0x20, + 0xc9,0xf7,0x35,0x6f,0x71,0xb4,0xac,0xdc,0xbd,0x43,0xfe,0x1e,0x99,0xf8,0x80,0x2c, + 0xd1,0x66,0x2b,0x16,0x24,0x0f,0x5c,0xfd,0x94,0xa7,0x69,0xb0,0xb3,0xf2,0xcb,0x0b, + 0x11,0x88,0x7e,0x88,0x6e,0x5b,0xa4,0x37,0x33,0x36,0x74,0x90,0xb3,0xfc,0x18,0x8f, + 0x2f,0xb3,0xa0,0xc0,0xc8,0xa6,0x8b,0x5d,0x27,0x26,0xc8,0xf7,0xa3,0x19,0x02,0xb6, + 0xb8,0x6c,0xd4,0x02,0x28,0x7d,0x38,0x5c,0x3e,0x3c,0x06,0x50,0x3c,0xe1,0x7f,0xd6, + 0xe5,0x4e,0x58,0x2f,0x4a,0x90,0x7a,0x91,0xf9,0x52,0xd2,0xa3,0x60,0xe2,0xfb,0xa0, + 0x00,0x28,0xe4,0xd3,0xb0,0x2a,0xab,0xf7,0xd2,0x20,0xb3,0x1d,0x1f,0x8e,0xe7,0xfa, + 0xa0,0x70,0x14,0x76,0x82,0xcc,0xc8,0xbc,0xc7,0x56,0xca,0x6a,0x68,0xfc,0x20,0x95, + 0x45,0x50,0xc3,0x17,0xe8,0x79,0x18,0x78,0x1a,0x3d,0x1f,0x19,0x23,0x50,0x30,0x91, + 0x09,0x0c,0x3c,0x60,0xca,0x1c,0x0b,0x1c,0x69,0x99,0x06,0xfb,0xf8,0x5a,0xa7,0x0a, + 0xd9,0xae,0x48,0x70,0x9f,0xf7,0x43,0xb8,0x2d,0xcc,0x31,0x07,0x4c,0xfc,0xea,0x62, + 0x3e,0xa4,0x5e,0x48,0x64,0x4b,0x19,0xa2,0x17,0x72,0xca,0x10,0x7e,0xd6,0x42,0x39, + 0xc5,0x65,0x74,0xa0,0x87,0xf1,0xa6,0xaa,0xdf,0x0f,0x4b,0x00,0xff,0xe5,0x81,0xc1, + 0x41,0x02,0x74,0xc8,0x75,0xe4,0x59,0x90,0x63,0xe4,0x6e,0x51,0x68,0x80,0x3f,0x0d, + 0x28,0xd2,0x1f,0xcd,0x35,0x09,0xb4,0xc6,0x22,0x29,0x95,0xad,0xd7,0x75,0x3b,0xf3), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0x0c,0x84,0x91,0xfc,0x34,0x8d,0x34,0x1f,0xe8,0x5c,0x46,0xa5,0x61,0x15,0xf2,0x60, + 0x35,0xc5,0x9e,0x6a,0x2b,0xe7,0x65,0xc4,0x4e,0x2e,0xc8,0x3d,0x40,0x7e,0xa0,0x96, + 0xd1,0x3b,0x57,0xe3,0xd0,0xc7,0x58,0x34,0x22,0x46,0xc4,0x75,0x10,0xa5,0x67,0x93, + 0xe5,0xda,0xea,0xe1,0xb9,0x6d,0x4a,0xb9,0x88,0x37,0x89,0x66,0x87,0x6a,0xa3,0x41, + 0xb7,0xd1,0xc3,0x1b,0xba,0x59,0xb7,0xdb,0xe6,0xd1,0xa1,0x68,0x98,0xee,0xf0,0xca, + 0xca,0x92,0x8f,0x8c,0xe8,0x4d,0x5c,0x64,0xe0,0x25,0xdc,0x16,0x79,0x92,0x2d,0x95, + 
0xe5,0xcd,0x3c,0x6b,0x99,0x4a,0x38,0x5c,0x5c,0x83,0x46,0x46,0x9e,0xf8,0x76,0x4c, + 0x0c,0x74,0xf5,0x33,0x61,0x91,0x85,0x0c,0x7f,0x7e,0x2b,0x14,0xbe,0x00,0x27,0xd8), + .s = chunk_from_chars( + 0xca,0xcc,0x8d,0x9f,0x5e,0xcd,0x34,0xc1,0x43,0x48,0x84,0x61,0x13,0x5c,0x49,0x51, + 0x67,0x61,0x45,0xc6,0xe4,0x72,0xb9,0x2f,0x12,0xf7,0x58,0x04,0x6f,0x17,0x21,0x42, + 0xfa,0x38,0x8f,0x28,0x5f,0x3f,0xff,0x06,0x82,0x42,0x02,0x88,0x29,0x04,0x7e,0x24, + 0x80,0x59,0xed,0x4f,0xd3,0x9d,0x2c,0x5a,0xde,0x46,0x9d,0xc7,0xc3,0x93,0x45,0xe5, + 0x11,0x49,0x50,0xd2,0x03,0x1c,0xc7,0x46,0x5f,0xe7,0x12,0xc4,0x04,0x1d,0x05,0xc7, + 0x56,0xd3,0xf2,0xd8,0x8a,0x46,0xce,0xb9,0x9f,0x2e,0x24,0xa5,0x2e,0x95,0x8a,0x03, + 0xcd,0x25,0x19,0xa9,0xb1,0x37,0xe6,0x2d,0x5c,0xa2,0xb3,0x53,0xf7,0xb0,0x47,0xb6, + 0x25,0xc3,0x60,0x23,0x13,0xfd,0xb5,0x3c,0x8d,0xb2,0x3d,0x83,0x95,0x1a,0x59,0x9d, + 0xb3,0x28,0xfe,0xdc,0x4a,0xe0,0x6d,0xa8,0x9c,0xe7,0xf5,0x62,0x59,0xb5,0xc8,0x22, + 0x2f,0x7b,0xd3,0xd9,0x74,0x04,0x78,0xfd,0x28,0xe5,0x81,0x0d,0xb7,0x8a,0xee,0x86, + 0x23,0xfd,0xd3,0x9f,0x60,0x3f,0x8d,0xdf,0x98,0x08,0x1d,0x78,0x73,0x98,0x0c,0x4e, + 0xb0,0xe2,0x2a,0x9c,0xd4,0x08,0xf7,0xc4,0x13,0x4c,0x12,0xd2,0x04,0x9a,0x2d,0x12, + 0x0f,0x4b,0x62,0xe6,0xb3,0x82,0xb9,0x97,0xfc,0x37,0x5e,0xf7,0xac,0x95,0x5f,0xcf, + 0x80,0xb0,0x45,0xc3,0xd6,0x38,0x5f,0xf4,0x22,0xda,0xd3,0x50,0xc6,0x88,0x70,0x53, + 0x90,0x68,0xa1,0x62,0xa2,0xed,0xbb,0x93,0xce,0xef,0xed,0x96,0x77,0x93,0x9b,0x90, + 0xbd,0x3d,0xfa,0x0d,0xc0,0x53,0x46,0x0b,0x4e,0x23,0x32,0xef,0xa6,0x92,0x17,0x9a), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x6c,0xd5,0x9f,0xdd,0x3e,0xfd,0x89,0x3d,0x09,0x1a,0xfd,0xc3,0x15,0x5d,0x35,0x4f, + 0x10,0xd6,0xd8,0x81,0x67,0x42,0x7a,0x2c,0xf7,0x24,0x62,0x07,0xe5,0x17,0x91,0xa6, + 0xca,0x62,0x00,0xa9,0x14,0xcd,0x28,0x34,0xa9,0xb3,0xc7,0x9f,0xcd,0x59,0xe2,0x6e, + 0x45,0x7e,0x06,0x83,0xbc,0x33,0xd4,0x92,0x67,0xed,0xbd,0xd6,0xe5,0xd9,0x09,0x02, + 
0x69,0x6f,0x1e,0x7b,0x1a,0x4a,0xff,0xc4,0xba,0x37,0x13,0x39,0x86,0x8c,0x28,0x01, + 0x5e,0xbb,0xb7,0x3e,0x26,0x26,0x69,0x86,0x6c,0x35,0xdb,0x97,0x4b,0xa6,0x9e,0x46, + 0x8f,0x25,0x83,0xb9,0x19,0x1d,0x15,0xd6,0x86,0xcd,0x66,0xfb,0x0b,0x9e,0x0f,0xf0, + 0xa3,0xb4,0x72,0x1a,0x6d,0xc3,0x42,0xf1,0x4f,0x24,0x46,0xb4,0xe0,0x28,0x59,0x5b), + .s = chunk_from_chars( + 0x39,0x74,0x90,0x0b,0xec,0x3f,0xcb,0x08,0x1f,0x0e,0x5a,0x29,0x9a,0xdf,0x30,0xd0, + 0x87,0xaa,0xba,0xa6,0x33,0x91,0x14,0x10,0xe8,0x7a,0x49,0x79,0xbb,0xe3,0xfa,0x80, + 0xc3,0xab,0xcf,0x22,0x16,0x86,0x39,0x9a,0x49,0xbc,0x2f,0x1e,0x5a,0xc4,0x0c,0x35, + 0xdf,0x17,0x00,0xe4,0xb9,0xcb,0x7c,0x80,0x5a,0x89,0x66,0x46,0x57,0x3f,0x4a,0x57, + 0x0a,0x97,0x04,0xd2,0xa2,0xe6,0xba,0xee,0x4b,0x43,0xd9,0x16,0x90,0x68,0x84,0xad, + 0x3c,0xf2,0x83,0x52,0x9e,0xa2,0x65,0xe8,0xfc,0xb5,0xcc,0x1b,0xdf,0x7b,0x7d,0xee, + 0x85,0x94,0x1e,0x4b,0x4f,0xb2,0x5c,0x1f,0xc7,0xb9,0x51,0xfb,0x12,0x9a,0xb3,0x93, + 0xcb,0x06,0x9b,0xe2,0x71,0xc1,0xd9,0x54,0xda,0x3c,0x43,0x67,0x43,0x09,0xf1,0xd2, + 0x12,0x82,0x6f,0xab,0xb8,0xe8,0x12,0xde,0x2d,0x53,0xd1,0x25,0x97,0xde,0x04,0x0d, + 0x32,0xcb,0x28,0xc9,0xf8,0x13,0x15,0x9c,0xb1,0x8c,0x1b,0x51,0xf7,0xa8,0x74,0xcb, + 0xf2,0x29,0xcc,0x22,0x2c,0xae,0xb9,0x8e,0x35,0xec,0x5e,0x4b,0xf5,0xc5,0xe2,0x2c, + 0xc8,0x52,0x86,0x31,0xf1,0x51,0x17,0xe8,0xc2,0xbe,0x6e,0xac,0x91,0xf4,0x07,0x0e, + 0xec,0xdd,0x07,0xec,0xc6,0xdb,0x6c,0x46,0xea,0xa6,0x5f,0x47,0x2f,0x20,0x06,0x98, + 0x8e,0xfe,0xf0,0xb5,0x1c,0x53,0x8c,0x6e,0x04,0xd7,0x51,0x9c,0x8e,0x3d,0xa4,0xb1, + 0x72,0xb1,0xe2,0x76,0x10,0x89,0xed,0x3a,0xd1,0x19,0x79,0x92,0xef,0x37,0xc1,0x68, + 0xdc,0x88,0x1c,0x8b,0x5f,0x8b,0xbf,0xee,0x91,0x9f,0x7c,0x7a,0xfd,0x25,0xb8,0xfc), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0xac,0xb3,0x0b,0xe9,0x09,0x2b,0x2f,0x18,0xf2,0x59,0x34,0xa0,0xd6,0x78,0xb6,0xbc, + 0xd6,0xb6,0x7c,0x2b,0x88,0xe7,0x58,0x84,0xf4,0x7b,0x4f,0xca,0xe3,0xad,0xfa,0x40, + 
0x5a,0xfe,0x2c,0x7e,0x61,0xe2,0xd6,0xc5,0x08,0xb9,0x27,0x90,0xac,0x00,0xf7,0x6b, + 0x77,0xc9,0x65,0x08,0x26,0x68,0xbf,0x90,0x0f,0x70,0xa3,0x37,0x62,0xde,0x64,0x13, + 0xaf,0x93,0xaf,0x2e,0xa8,0x08,0x6f,0xda,0x29,0x3d,0xed,0x44,0x75,0xf2,0x3c,0x4c, + 0xc3,0x1a,0xd4,0x94,0xf9,0x8d,0x7d,0xd7,0xb7,0xfd,0x6f,0x7d,0x97,0x2b,0xb7,0x6c, + 0xb3,0x5a,0xdc,0x20,0x68,0x04,0xc3,0xfe,0x5a,0xcd,0xd0,0xe5,0xb8,0xb5,0x4e,0x07, + 0xc2,0x91,0x11,0xf7,0x88,0xbc,0x59,0x02,0xf4,0x0a,0xfa,0xc3,0x0a,0xfd,0xba,0xf2), + .s = chunk_from_chars( + 0xb5,0xc6,0x0d,0x8d,0xa9,0xb3,0x94,0x38,0x78,0xcb,0x23,0x59,0xcf,0x65,0xe4,0x81, + 0x7c,0x07,0x94,0xf9,0x50,0x45,0x3c,0xa7,0x7c,0x81,0xa5,0xa1,0xc1,0x58,0x55,0x91, + 0xaa,0x50,0xa6,0x74,0x68,0xe3,0xb3,0x99,0xe4,0xfa,0xf1,0xd6,0x06,0xbe,0xa0,0xd9, + 0xe6,0xcc,0x1d,0x2d,0x70,0xdb,0x80,0x63,0x73,0x9e,0x0c,0x27,0xd3,0xdc,0x9f,0x9a, + 0xfe,0x88,0xde,0xa5,0x2e,0x73,0x29,0x8a,0x07,0xd0,0x5c,0x7d,0x97,0x07,0x00,0x2e, + 0xfa,0x53,0x7c,0x38,0x9e,0x38,0xbd,0x37,0xbc,0xa7,0x4e,0xb0,0xaf,0x62,0x61,0xa5, + 0xda,0x06,0x13,0x62,0x02,0xc8,0xad,0x48,0x7e,0xeb,0xd5,0x0b,0xef,0x74,0x76,0x70, + 0x89,0xc7,0x08,0x70,0xbe,0x1d,0x8f,0xab,0x91,0x56,0xf9,0xfd,0xbc,0x2f,0x2e,0x9c, + 0xc3,0x30,0xa9,0x50,0x18,0xce,0x79,0x43,0x98,0x4b,0xec,0xc2,0x56,0x21,0xbf,0xa6, + 0x60,0x18,0xef,0x83,0x20,0xb6,0x00,0x59,0xf9,0x41,0x15,0x6e,0x9c,0xdd,0x87,0xff, + 0x0d,0x82,0xcf,0x7b,0xe7,0x74,0x65,0xe0,0x20,0x3e,0x71,0x20,0xaa,0xec,0xed,0x84, + 0xab,0xd8,0x18,0x69,0x47,0xd4,0xac,0x3d,0xaf,0x3f,0x99,0x39,0x02,0xae,0xc4,0x7c, + 0x30,0x90,0x47,0x5c,0x85,0x7b,0x5d,0x35,0x9f,0x0a,0x55,0x72,0xd4,0x68,0x8e,0x5a, + 0x76,0xa4,0x65,0x38,0x68,0xff,0x54,0xce,0x9f,0x99,0x9e,0x6b,0xb5,0x59,0xd1,0xc1, + 0x1c,0x67,0xc1,0x5b,0xe9,0xd7,0xfe,0x5f,0x8c,0x17,0x04,0x30,0x1d,0x05,0x5f,0x3d, + 0x29,0x07,0x72,0x27,0x79,0xd6,0x01,0x20,0x36,0x08,0x4e,0x95,0x0d,0xe3,0x6f,0x4f), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 
0x60,0x1a,0x6a,0xad,0x3f,0xaa,0x79,0x88,0xd5,0xae,0x52,0x8a,0x69,0x69,0x03,0x1b, + 0x10,0xa6,0xf3,0x92,0x16,0x94,0x6a,0xa8,0x9f,0xd4,0x53,0x2c,0x8e,0xd1,0x41,0xf9, + 0xa6,0x50,0xb1,0x26,0xef,0x48,0x8f,0x7c,0x5c,0xf3,0xfb,0x2d,0xaa,0x25,0x4c,0xc2, + 0x8b,0xdd,0x55,0x56,0x04,0x19,0xe8,0x02,0x14,0xef,0x99,0x98,0x96,0xda,0xc4,0x94, + 0x68,0x52,0xd2,0x4f,0xcd,0x9f,0xb7,0x76,0x10,0xee,0xbf,0xbb,0x6b,0xa5,0x8b,0xca, + 0x26,0xf4,0x56,0x7f,0x03,0xac,0x7e,0x56,0xda,0x55,0x3f,0x23,0x81,0x7b,0xc1,0x03, + 0xee,0x48,0x55,0x92,0xa0,0x58,0xfb,0x5e,0x3b,0xc8,0x29,0x9c,0x72,0x90,0xc7,0x1a, + 0x29,0x13,0x7e,0x75,0xdb,0xf5,0x32,0x8c,0x3a,0x2d,0xcd,0x34,0x16,0x5b,0x3f,0x2e), + .s = chunk_from_chars( + 0x30,0x1d,0x60,0xd5,0x65,0x76,0xf3,0x66,0x3a,0x7f,0xbe,0x80,0x36,0xbb,0xe4,0xfb, + 0xc0,0xfb,0xd8,0x2c,0xd6,0xa4,0x2e,0x36,0xd7,0xbb,0xc8,0xb2,0x06,0x54,0x3d,0xc2, + 0xd5,0x6d,0x31,0x98,0xe7,0x91,0x1a,0xd1,0x38,0xca,0xd2,0x22,0xdd,0x99,0x05,0x0d, + 0xd1,0xf8,0x5f,0xe1,0x9c,0x8a,0x88,0xbf,0x67,0x13,0x5e,0x7f,0x8f,0x11,0xb5,0xf5, + 0xe4,0x85,0xc9,0x1f,0xc7,0xd4,0x78,0x06,0x9b,0x72,0xf4,0x6e,0xbc,0xdc,0xf2,0xd2, + 0xae,0x7d,0xe6,0xac,0x8f,0xe5,0x3b,0xb6,0xc0,0x49,0x11,0xd1,0x22,0xcc,0x23,0x1d, + 0xc2,0x10,0xb2,0x14,0x7e,0xbe,0x8b,0x05,0x2e,0x8b,0x2c,0xcc,0x09,0xf3,0x38,0xb3, + 0x49,0xde,0x20,0x25,0xcc,0x87,0xb2,0x61,0x9a,0x7b,0x16,0x33,0x47,0xca,0x66,0xa3, + 0x47,0x91,0xa2,0xe4,0x6b,0x4e,0x2a,0xc5,0x7e,0xb9,0xf6,0x02,0x9c,0xdb,0xe0,0x24, + 0xe8,0x96,0xd5,0x7f,0x7d,0x04,0x91,0xf7,0x78,0x33,0x12,0xf8,0xf0,0x6c,0x79,0x07, + 0x70,0x15,0x0c,0xd1,0x39,0xf6,0x1f,0xd2,0xb3,0xe7,0x04,0x1b,0x37,0x26,0x1c,0x6e, + 0x7e,0xa8,0x6d,0x4e,0x06,0xd9,0x30,0x0b,0x1a,0x56,0x67,0xcb,0x02,0x88,0xc5,0x50, + 0xb2,0xaf,0xb3,0x55,0x94,0x48,0x34,0xb4,0x61,0xce,0xad,0x13,0x79,0x42,0x76,0xbb, + 0x46,0xe5,0xe2,0x0a,0xec,0x7b,0x63,0xaa,0xca,0x4d,0x49,0x1a,0x50,0x0f,0xac,0xd5, + 0x9a,0x37,0xc5,0x27,0x79,0xcf,0x46,0x7d,0x74,0xaf,0x1e,0x62,0xb1,0xeb,0xe0,0xfd, + 
0x0b,0xe1,0xca,0xcb,0x7c,0xe6,0xd0,0x50,0xd8,0x6e,0x4e,0xb7,0x6c,0xde,0x06,0x93), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x44,0xd3,0xe0,0xfc,0x90,0x10,0x0a,0x1c,0x93,0x16,0x06,0x3f,0x26,0xb1,0x80,0x32, + 0x6c,0xc2,0xe3,0x83,0x4c,0xe5,0x6e,0x43,0x24,0x52,0x8a,0x0b,0xbb,0x01,0x5b,0x3d, + 0x78,0x12,0x95,0x8c,0xd2,0x6b,0x91,0xbf,0x08,0xa3,0xa0,0xb1,0x12,0x1f,0x9f,0x9d, + 0xd7,0x7a,0xcb,0x98,0xa0,0x2a,0xd7,0x5f,0xcd,0x61,0x3c,0x53,0xc7,0x32,0xd1,0xc2, + 0x35,0xf5,0x9b,0x68,0x73,0xec,0xe6,0x36,0x3f,0x27,0x94,0x52,0xb6,0xa4,0xb6,0x5e, + 0x80,0xbb,0x59,0xfd,0x47,0xb9,0xa2,0x93,0x6d,0xcc,0x1e,0x4d,0xfe,0x1f,0x53,0x62, + 0xe3,0x45,0x9b,0x98,0x59,0xdb,0x32,0x09,0xa2,0x69,0x8d,0x27,0xfa,0x8a,0xed,0xfe, + 0xcd,0x4d,0x35,0xb9,0x27,0xda,0xf8,0x68,0x6c,0x59,0xd7,0x00,0x49,0x0f,0x0a,0xa3), + .s = chunk_from_chars( + 0xaf,0x22,0x29,0xe9,0x4a,0x85,0x7b,0x89,0xe0,0xe8,0x90,0xda,0xca,0x3a,0x8f,0xe1, + 0x2e,0xbd,0xba,0x04,0x94,0x8d,0x18,0x83,0xa7,0xd7,0x81,0x6a,0x3b,0x68,0x2f,0x7d, + 0xa3,0x03,0x25,0x40,0xa8,0x76,0x9f,0x9c,0xca,0xc9,0x58,0x6c,0xf2,0x4e,0x8c,0x20, + 0x4b,0x45,0xb8,0x5d,0x1b,0xdc,0xc5,0xa5,0x45,0x0a,0x21,0x5b,0x40,0x48,0xea,0x42, + 0x98,0x3b,0x34,0x56,0xfa,0x8c,0x76,0xc6,0x78,0x6e,0x02,0x4f,0x70,0x5e,0x08,0x8d, + 0x69,0x45,0x59,0xd6,0x68,0xca,0xa8,0x68,0x4c,0xad,0x0f,0xc5,0x78,0x50,0xfc,0xaf, + 0x34,0xe4,0x58,0xae,0xe8,0xfa,0xd4,0xe0,0x9e,0x6f,0x19,0x65,0x57,0xd4,0xe8,0x86, + 0x02,0x84,0xd9,0x82,0xc0,0x10,0x5d,0x98,0xce,0x49,0x12,0xe9,0x6c,0x35,0x50,0xe2, + 0xa0,0xc7,0xe8,0xba,0xd5,0xab,0xc2,0x9a,0x9a,0x54,0x2f,0x57,0xa8,0xc6,0x05,0x79, + 0x03,0x80,0x67,0xb3,0xd5,0x39,0x1a,0xbc,0x21,0xb4,0xf9,0xde,0xb0,0x24,0xca,0x58, + 0xf9,0xb0,0xc3,0x8c,0x0d,0x1f,0x82,0x37,0x3f,0x52,0x8e,0x93,0x9b,0xd7,0x3a,0x24, + 0xd5,0x01,0xc5,0x91,0x16,0x88,0x14,0xc8,0x72,0xc5,0x25,0xdb,0x0e,0x56,0xca,0xe4, + 0x7d,0xf0,0x0f,0xa3,0x72,0x8d,0xc3,0xa0,0x97,0x69,0x65,0x32,0x3c,0xe8,0xd2,0xde, + 
0xe2,0xb1,0x38,0xb5,0x0a,0xb7,0xaf,0xd4,0x84,0x95,0x11,0x46,0x73,0xe9,0x1b,0xb3, + 0xed,0x22,0x05,0xe2,0x6a,0x84,0x55,0x47,0x4c,0x3d,0x4e,0xc8,0x73,0x9b,0xbf,0xf6, + 0xdf,0x39,0xb2,0xb7,0x2e,0xe0,0x50,0x41,0x09,0x30,0x42,0x3b,0x14,0x72,0xb6,0xed), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x5a,0xf0,0x90,0x77,0xa1,0xf5,0x34,0xb8,0x98,0x22,0xb2,0x6c,0x32,0x72,0xad,0xf8, + 0x50,0x0d,0x3c,0x6b,0xd9,0x0f,0x9b,0x5e,0x0d,0x8b,0x21,0x1f,0x16,0xd0,0x72,0x0e, + 0xe0,0xea,0xf6,0x46,0x2b,0x6c,0x8a,0x80,0xdf,0x6d,0x75,0x35,0x9f,0xd1,0x9d,0x03, + 0xa0,0xca,0xfb,0x52,0xbc,0x9d,0x4c,0x37,0xc2,0xaa,0x09,0x99,0x11,0xa7,0x9a,0x92, + 0x65,0x2c,0xc7,0x17,0xf0,0x74,0x6f,0xdc,0xad,0x62,0x7c,0x72,0xf1,0xc2,0x16,0xb2, + 0x43,0xd2,0x17,0x5f,0x6d,0x00,0xbf,0x07,0xd3,0xf6,0xaa,0x2a,0x04,0xd4,0xfe,0x9f, + 0x8f,0xbc,0xe9,0x32,0x18,0x94,0x4b,0x92,0xaa,0x07,0xaf,0x6b,0x4f,0xcd,0x80,0xcf, + 0xde,0x2d,0x7a,0xda,0x15,0xc0,0x5e,0x96,0xe7,0x77,0xea,0x1c,0x17,0xdf,0x08,0xfc), + .s = chunk_from_chars( + 0xa5,0x68,0x23,0xfa,0x57,0x7e,0x89,0x46,0xf1,0xd2,0xf6,0xe3,0x51,0xb7,0x38,0xb5, + 0x35,0x92,0x54,0x43,0x58,0x52,0x8a,0xf8,0x88,0x07,0xea,0x4f,0x19,0x01,0x7d,0xfe, + 0x81,0xa3,0xd6,0x9f,0x62,0xfb,0xff,0x64,0x95,0x50,0xd9,0xb3,0x10,0xfa,0xf2,0x7a, + 0x04,0x1f,0xe6,0x24,0xf0,0xa0,0x2b,0xdc,0xdd,0xb7,0x9b,0xfb,0x0a,0x46,0x57,0x39, + 0xec,0x8b,0x64,0xb7,0x48,0xcc,0x29,0xe5,0xa0,0x2c,0x77,0x7e,0x18,0x26,0xd3,0xe2, + 0xf1,0xee,0xe6,0xfe,0x2e,0xde,0xe4,0xa8,0xbc,0xac,0x51,0x9c,0x7c,0x7c,0xa5,0xc0, + 0x39,0xe7,0x6d,0x63,0x06,0x68,0x94,0x5a,0x1e,0x5e,0x86,0x18,0xe2,0x35,0x86,0x45, + 0x61,0xa4,0x40,0xe7,0x3e,0x39,0xf6,0xd6,0x84,0x2a,0xd7,0xda,0x64,0xef,0x5b,0x0c, + 0xe1,0xc4,0xab,0x88,0xdb,0x15,0x7b,0x68,0x10,0x71,0x74,0xad,0x7d,0x5c,0x9a,0x60, + 0x65,0x06,0x87,0x68,0xc1,0x1c,0x4c,0x96,0xff,0x67,0x05,0x0b,0x5d,0x07,0xb8,0xcd, + 0x02,0x7f,0xcd,0x0d,0x34,0x7e,0xc7,0x9a,0x19,0x7c,0xf4,0x34,0x35,0x98,0x5b,0xc1, + 
0xae,0xb4,0x79,0xdb,0x00,0x22,0x28,0x9e,0x8d,0xd3,0xb3,0x1b,0xb7,0xc6,0x2d,0x88, + 0x31,0xcf,0xe6,0x95,0x2f,0x41,0xd2,0x4f,0x89,0xd7,0x53,0x78,0x95,0x35,0xf9,0x18, + 0xff,0x68,0xb3,0x69,0x50,0xaf,0x6f,0xd3,0x1d,0xee,0x1a,0xc4,0x76,0xa0,0xcf,0x93, + 0xaf,0xe9,0xf4,0xa7,0x66,0xf3,0xc4,0xd2,0xc0,0xc3,0xf9,0x28,0x25,0xd5,0x57,0x2e, + 0xb2,0xeb,0x8a,0x2b,0x64,0x4e,0x32,0x9e,0xea,0x16,0x83,0xf9,0x08,0x10,0xed,0x77), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0xf6,0x0a,0x3a,0x54,0x37,0x68,0xfa,0xbe,0x37,0xf0,0x03,0x00,0x9a,0x8c,0x26,0xf7, + 0xdc,0x91,0xf1,0x42,0x2d,0x44,0x29,0xed,0x7f,0x9d,0x74,0x4c,0xdd,0x4b,0x55,0x2a, + 0xfe,0xf7,0x5d,0x24,0x1a,0xcd,0xa0,0x4f,0xfc,0x39,0x67,0x21,0x59,0xee,0x24,0x8e, + 0x60,0x2d,0xab,0x71,0x92,0x44,0x9e,0x2e,0xd4,0x55,0x29,0x95,0xc2,0x58,0xf0,0x0a, + 0x47,0x63,0x46,0xe3,0x6a,0x29,0xa0,0x12,0x6b,0xc2,0x49,0x04,0x0f,0xaa,0x57,0xc9, + 0x38,0x0b,0xdd,0x74,0xb8,0x3f,0x62,0xc5,0x67,0x90,0x92,0x05,0x74,0x43,0x34,0x32, + 0xf8,0xd6,0x5c,0x5c,0xd1,0x85,0xe2,0x4f,0xad,0x13,0x12,0x72,0x65,0xc6,0xa5,0xef, + 0x8d,0xb4,0xf1,0x14,0x49,0x3d,0x5c,0xfa,0x61,0xd9,0x16,0x64,0x98,0x14,0x08,0xe9), + .s = chunk_from_chars( + 0x08,0xd3,0x96,0x48,0x1d,0xee,0xf1,0x8c,0xb0,0xbe,0xf7,0xc3,0xe8,0x26,0xfe,0x6e, + 0x5c,0x9e,0xcc,0x85,0xe5,0x23,0x0d,0x35,0xd6,0x67,0x72,0xb8,0xd2,0xd0,0x15,0xd4, + 0xe5,0xf5,0x79,0x4f,0xbe,0x05,0x50,0xdf,0x2f,0x74,0x57,0x30,0xd6,0xf8,0xd1,0xd3, + 0xb8,0x50,0xd1,0x64,0xfc,0xe4,0x63,0x08,0x05,0xe7,0x11,0xb5,0x93,0x08,0xf8,0x60, + 0x85,0x06,0xb7,0xe0,0x1e,0x8e,0x92,0x94,0xed,0x8b,0x7e,0x75,0x82,0x16,0x56,0x77, + 0xf1,0x80,0xe9,0x65,0x16,0x9d,0xca,0x81,0xb3,0xda,0xf2,0x4d,0x7b,0x92,0xfe,0x32, + 0xd6,0xa9,0xac,0x63,0x82,0x1d,0x48,0xb1,0xa0,0xa1,0x44,0xfc,0x7a,0x04,0xb0,0xbf, + 0xc6,0x3a,0x3b,0xc1,0x6a,0x0f,0xd8,0x37,0xb0,0x20,0x37,0xed,0x76,0xe5,0x0d,0x46, + 0xcb,0xfa,0x38,0x57,0xe6,0x58,0xe3,0x70,0xc5,0x86,0xab,0x1e,0xed,0x82,0x50,0x76, + 
0x32,0x1a,0xc8,0xe8,0x2b,0xe3,0x74,0xba,0xcb,0x29,0x5e,0x4d,0x34,0x08,0xf0,0xcc, + 0x1f,0xc4,0xc3,0x00,0xb8,0x42,0x75,0xa5,0x1c,0x35,0x73,0xe9,0xca,0xbf,0xdb,0xe3, + 0xdc,0x51,0xe4,0xa6,0xf5,0x81,0x1d,0x86,0x0d,0x72,0x5a,0xaf,0x8f,0xd0,0xaf,0x19, + 0xa2,0x43,0x7b,0x0f,0x1c,0x80,0xf5,0xac,0x22,0x2f,0x6b,0x25,0xf1,0xfa,0x09,0xe9, + 0x33,0x99,0xa6,0x97,0x6b,0x1b,0x3c,0xa7,0x6a,0xfe,0x60,0x86,0xe9,0xb2,0x32,0xaa, + 0xe6,0xc7,0xb8,0x18,0x25,0x5b,0xf9,0x63,0xf3,0x1c,0x04,0xae,0x3f,0xa2,0x13,0x6c, + 0x0a,0x44,0x29,0x97,0xd4,0xcf,0x12,0xf3,0x95,0xfb,0x80,0x4a,0x47,0x55,0xb5,0x6b), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x2c,0x07,0xa8,0x1d,0xe5,0x89,0x55,0xb6,0x76,0xfe,0xc0,0x57,0x2d,0x48,0xd1,0x95, + 0x5b,0x48,0x75,0xff,0x62,0xa4,0x4b,0x00,0x10,0xc7,0xa1,0x07,0x2b,0x29,0x9e,0xe4, + 0x4d,0xd0,0xc0,0x76,0xf2,0x17,0x8a,0x83,0xd0,0xae,0x76,0xe7,0x67,0xe2,0x31,0xf1, + 0xd8,0x1e,0x07,0x0a,0xfa,0xb2,0x9c,0x97,0xab,0xd4,0xde,0x21,0x64,0xe4,0x37,0xb3, + 0x11,0xf5,0x07,0x84,0x1f,0x88,0x51,0xd6,0xd6,0x9a,0xb5,0x1e,0xe9,0xe2,0x9e,0x65, + 0x4b,0x54,0xbc,0xee,0x45,0xe9,0xb5,0x19,0xc6,0xa2,0x17,0x87,0xfa,0xcb,0x92,0x7f, + 0x1d,0x7d,0x64,0x91,0x92,0x66,0x14,0x79,0x2f,0xcc,0x63,0x46,0xdc,0xd0,0x80,0xbb, + 0x5c,0xf0,0x7b,0xf5,0x6a,0xd0,0xfc,0x4e,0x08,0x3a,0x35,0x82,0x14,0x63,0x15,0x10), + .s = chunk_from_chars( + 0x9a,0xa3,0x91,0xe7,0xc2,0xf0,0xe9,0x20,0xaa,0xc2,0x7e,0xd9,0xfc,0x20,0x81,0xd3, + 0xc9,0xca,0xa3,0x73,0x58,0x83,0xd0,0x1a,0xd7,0xa7,0xe3,0xb1,0x18,0x67,0xd0,0xad, + 0x62,0x41,0x56,0x47,0x7b,0xbb,0xdd,0xe6,0x59,0xf4,0x74,0x68,0x2d,0x0d,0x77,0x44, + 0x89,0xe2,0xb5,0xb0,0x39,0xd1,0xeb,0x35,0x45,0x4c,0x9e,0x3e,0xed,0x78,0xcf,0xf9, + 0xc4,0x26,0x2e,0x3a,0xec,0xfc,0xa1,0xd8,0x17,0x54,0x2b,0x48,0x60,0x96,0x59,0x8e, + 0x11,0x14,0xbf,0xc0,0x3f,0x20,0xa4,0x5d,0xe3,0x6f,0x6d,0xf7,0x0d,0x14,0x4d,0x01, + 0xdc,0x48,0x66,0xa0,0xf8,0x33,0x19,0xe7,0xc2,0xb8,0x53,0x0f,0x8c,0x27,0xa4,0x1b, + 
0x7a,0xdd,0x9f,0x69,0x2d,0x8a,0x8e,0x64,0x64,0x55,0xb6,0x7c,0x9e,0xc4,0x7a,0x4d, + 0x2c,0xe3,0xdf,0xe3,0x5d,0x6a,0x2e,0x89,0xd9,0xbe,0x50,0xc5,0xb6,0xda,0x39,0xbb, + 0x02,0x54,0xbd,0x23,0xa8,0x09,0xab,0x97,0xb2,0xb4,0x8a,0x06,0x8a,0x87,0xab,0xde, + 0x6b,0x6a,0x6e,0x35,0x95,0x5f,0xc9,0x2a,0x96,0x26,0xf9,0x60,0x7d,0x5b,0x3f,0x40, + 0x15,0x17,0x27,0x15,0x94,0xbe,0xf7,0x38,0x59,0x81,0x2b,0x6a,0x62,0x1e,0xd6,0xbd, + 0xaf,0x3c,0x5f,0x2a,0x90,0xb1,0xe1,0x68,0x0f,0x68,0xdc,0xfc,0xca,0xcb,0x65,0xe0, + 0x08,0x1f,0x1c,0xcb,0x6a,0x20,0x73,0x70,0x9d,0x1b,0xa0,0x67,0x06,0x50,0x16,0xed, + 0x73,0xeb,0xd7,0xeb,0xe9,0xe7,0xa7,0xb6,0x0c,0x8c,0x9d,0xd0,0x4a,0x56,0xfa,0xb3, + 0x07,0x02,0xc8,0xa6,0xdf,0x6a,0x35,0x3a,0x30,0x10,0x47,0xdf,0x4c,0x7a,0xff,0x62), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x35,0xec,0x92,0xaf,0xdb,0xc2,0xfc,0xef,0xe4,0x8f,0x1e,0x2f,0x6e,0x48,0x29,0xae, + 0x53,0xb3,0xda,0x04,0x59,0xcc,0x4e,0xa8,0xa9,0x68,0x18,0xb5,0x83,0x18,0x91,0xee, + 0x2f,0x50,0x6f,0xff,0x37,0xc8,0x99,0x06,0xd3,0x23,0x3a,0x51,0xa5,0xcf,0x14,0x69, + 0xa6,0x2c,0x18,0x50,0x61,0xf0,0x33,0x08,0x5f,0xca,0x6a,0x54,0xe2,0x45,0x29,0xc3, + 0xd6,0xf0,0xd8,0xe9,0x04,0xbc,0xb0,0xf0,0x89,0xa5,0xcd,0x50,0x86,0x94,0x84,0xda, + 0x1a,0x84,0xf6,0xfb,0x8d,0xe4,0xe5,0x3f,0xce,0x3d,0xc7,0x14,0x20,0x15,0x19,0xd1, + 0x10,0x13,0xf6,0xf6,0xaa,0x64,0xe8,0xb5,0xec,0x5c,0xfe,0xb2,0x7b,0x61,0x1f,0x08, + 0x95,0x05,0x9d,0x8c,0x47,0x72,0x0d,0x55,0xe0,0x0b,0x57,0x7c,0xa5,0x50,0x09,0x20), + .s = chunk_from_chars( + 0x6b,0x0f,0x5b,0x50,0xe6,0x78,0xda,0x08,0x3e,0xd0,0xf1,0xb6,0x4e,0x94,0x3e,0x8c, + 0x62,0x79,0xc7,0x24,0x6a,0xf5,0xad,0x07,0x9c,0xdb,0xf2,0x23,0xe4,0x2a,0x0d,0x47, + 0x1e,0x56,0x31,0x4b,0xc0,0xd5,0x8f,0x20,0x2a,0xa6,0xc5,0xe1,0xe5,0x25,0x59,0x85, + 0xb0,0x79,0x5d,0x48,0xeb,0x3d,0x4b,0x8e,0x3f,0xc9,0x22,0x40,0xae,0x02,0xb4,0x08, + 0x8c,0x6c,0xe8,0xab,0x0e,0x8c,0x79,0xc6,0x8d,0xfd,0xc4,0x86,0x57,0xd6,0xa2,0x82, + 
0x95,0x39,0x1b,0x9a,0x5a,0x5f,0x35,0x25,0x51,0x26,0xbf,0x8c,0xa5,0x3c,0xbc,0xc0, + 0x08,0x2e,0xab,0x52,0xec,0x10,0x9d,0x22,0xa1,0x18,0x5f,0x6d,0xc7,0x92,0xfc,0x29, + 0x0a,0xa8,0xdb,0xae,0xbb,0x2f,0xbe,0x40,0x4f,0x1d,0x03,0x9a,0xa6,0x34,0x3c,0xd7, + 0xaf,0x9f,0xcb,0x2d,0x1e,0x05,0xde,0xf4,0x80,0x96,0xc2,0x37,0xe1,0x0d,0xaa,0x7c, + 0xfa,0xc5,0xae,0x9b,0x3b,0x30,0x22,0x00,0x5d,0x0d,0x2d,0x5c,0x9c,0x5c,0x50,0x2b, + 0x2f,0x23,0x59,0x4e,0x80,0xd1,0x60,0x4b,0xbb,0x8f,0x5d,0xec,0x07,0xcd,0x3a,0xfe, + 0x1f,0x77,0x77,0x43,0xb0,0xb5,0x8a,0x4e,0x0e,0x4e,0x5c,0xaa,0x14,0x88,0x30,0xee, + 0xe0,0x47,0x96,0x8e,0x7f,0x40,0x66,0x1f,0x9f,0x1a,0x02,0xe1,0xa7,0xfd,0x2b,0x6c, + 0xaf,0x19,0x32,0x6a,0x75,0xe9,0x56,0x5e,0xfd,0xc0,0x11,0x4b,0xce,0xcb,0x14,0xdd, + 0xa0,0x6c,0x32,0x9c,0xf3,0x22,0xa5,0xbd,0x3e,0x6a,0xb4,0x8d,0x95,0xf2,0xd2,0xa9, + 0xc1,0xc1,0x23,0x3a,0x0a,0xa0,0x15,0xa7,0x38,0xf9,0x01,0xf1,0x31,0x48,0xb4,0x54), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x80,0xc9,0xde,0xbd,0xf9,0x31,0x74,0xd7,0x57,0x50,0xa6,0xcf,0x09,0xaf,0x71,0xfc, + 0x18,0xfd,0x51,0x3b,0xff,0x9c,0xb4,0x91,0xbe,0x60,0xaf,0x11,0x2a,0x93,0xf0,0x00, + 0x87,0x3c,0xf4,0x38,0x58,0xa0,0x7a,0xca,0x76,0x0a,0x37,0xe7,0x60,0xc8,0xcb,0x01, + 0xd2,0x76,0xf4,0x2d,0x99,0x7f,0x01,0xcc,0xa5,0xe0,0x8a,0x6a,0x60,0x2f,0x5f,0xe6, + 0x3e,0xdc,0xbe,0xd3,0x95,0xb8,0xc9,0x1f,0xb0,0xb3,0x36,0xf2,0x1f,0xea,0x49,0xd9, + 0x50,0xe1,0xff,0x24,0x64,0x0c,0x8d,0x8d,0x3b,0x95,0x08,0x1a,0xd1,0x59,0x66,0x44, + 0xce,0x34,0xa5,0x58,0x58,0x7e,0x4a,0x1e,0x2c,0xd5,0x0d,0xb9,0xed,0x1d,0xd3,0xce, + 0xbb,0xc6,0xdc,0xe8,0x08,0x4d,0x3e,0x1b,0xa7,0x06,0x92,0xe8,0x26,0x18,0xed,0x61), + .s = chunk_from_chars( + 0x4a,0x15,0xa7,0x83,0xad,0xbf,0x27,0x46,0x22,0xd5,0xa6,0x10,0xbb,0x6f,0xc7,0x33, + 0x37,0x99,0x9e,0x44,0x5d,0xc2,0x13,0x3a,0xcc,0xb7,0x88,0xd6,0x20,0x3d,0x70,0xf3, + 0xcd,0xc6,0x3e,0x67,0xda,0xa4,0x17,0x1a,0x79,0x52,0xa4,0x98,0x64,0x56,0xfa,0xb3, + 
0xc0,0x77,0xa8,0x94,0x1f,0xb2,0x59,0xe3,0x7a,0x5c,0x0c,0xbb,0x20,0xc4,0x08,0xfa, + 0x24,0xad,0x0e,0xc8,0x50,0xe9,0xbf,0x02,0x8c,0x36,0x04,0x60,0x99,0x41,0xf5,0xae, + 0x2f,0x18,0xbf,0x1a,0xc3,0x7a,0x24,0xf7,0x55,0xab,0xb9,0xc8,0x5d,0xdc,0xd0,0xbf, + 0x4a,0x12,0xfa,0xbd,0x9d,0x25,0x30,0x29,0xe0,0x81,0xf6,0x28,0xe2,0xbb,0xe9,0xf9, + 0xaf,0xe9,0x22,0x49,0x54,0xd8,0x31,0x5d,0xb8,0x6c,0x21,0x25,0x51,0x2b,0xb9,0x8c, + 0xe9,0xb3,0x69,0x30,0x99,0x4b,0x09,0x1a,0x8a,0x1d,0x7d,0x4e,0x2f,0x4a,0x0e,0x58, + 0xd0,0xa3,0x58,0x76,0xad,0xad,0x14,0x30,0x05,0x30,0xb3,0x9c,0x8d,0xc1,0x1d,0xed, + 0x3e,0xf2,0xfa,0x95,0xd5,0xf2,0x2e,0x67,0xca,0xe3,0x4c,0xc2,0x1a,0xd5,0xe2,0x3f, + 0x91,0x22,0xb5,0x3d,0xfb,0x79,0xf1,0xa2,0xac,0x63,0xc1,0x84,0x4e,0x9e,0xf0,0x69, + 0xa2,0xe4,0x1f,0x17,0x8d,0x6d,0xce,0xdc,0x51,0x8a,0xaf,0xcf,0x81,0xe0,0xeb,0xd8, + 0x82,0x55,0x6e,0x73,0x1c,0xb0,0xab,0x41,0xd9,0x57,0x27,0x4a,0x3f,0xbb,0xb7,0xce, + 0xf2,0x60,0x87,0x91,0x00,0x0c,0x6b,0x86,0x08,0x68,0xcb,0x73,0x93,0xe7,0xd0,0x3d, + 0x94,0x56,0x89,0xff,0xb7,0x75,0x55,0xef,0xe0,0x8f,0x46,0x14,0x51,0xd3,0x3c,0x11), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x31,0x39,0x5c,0xef,0x34,0x95,0x51,0x34,0x3a,0x49,0x27,0x1a,0x8d,0x81,0x2b,0x4c, + 0x7b,0x65,0xb4,0x55,0xb7,0xed,0xa8,0x11,0xfc,0xf7,0x41,0x61,0xf3,0x97,0x11,0x23, + 0x57,0xae,0x44,0x62,0x57,0xbe,0x26,0xc9,0x3c,0xfc,0xe5,0x5e,0x4b,0xa7,0x97,0x6d, + 0xed,0x99,0x7e,0xc1,0x0d,0x1c,0x8b,0x1a,0xc2,0xfe,0x22,0xdc,0x2e,0xe8,0x1d,0x05, + 0xa6,0xeb,0x13,0x61,0x12,0x5c,0xda,0x01,0x97,0xe2,0x4a,0xe9,0x74,0xcd,0x44,0x09, + 0x2a,0xa9,0xf3,0x6f,0xe0,0x13,0x52,0xba,0x05,0xcc,0xef,0xd2,0x37,0x0c,0xee,0xd6, + 0x64,0x19,0x50,0x56,0x2f,0x17,0x76,0xc3,0x95,0x22,0xe0,0x23,0xd0,0x9a,0x3b,0x09, + 0x7b,0xbe,0x9b,0xc5,0xf8,0x7d,0x05,0xd8,0x0f,0x88,0x30,0xab,0xd7,0xac,0x8c,0x80), + .s = chunk_from_chars( + 0x16,0x2f,0x38,0x76,0x95,0xcf,0x9d,0x82,0xdd,0xa8,0x9c,0x74,0x93,0x18,0xe4,0x6c, + 
0x9b,0xe8,0x95,0xec,0x36,0x4e,0xa4,0xae,0xce,0x97,0xcc,0xfa,0x63,0x92,0x5a,0xf3, + 0x71,0x08,0x94,0xda,0x2b,0x7b,0x59,0x67,0xe4,0x6f,0x4e,0xfa,0x80,0xca,0x25,0xd2, + 0xa9,0x65,0xa7,0xe1,0x5f,0x75,0xe0,0xaa,0x1b,0xd4,0x25,0x0f,0x8f,0x41,0x09,0x9e, + 0x6e,0x97,0x14,0xc3,0xfc,0x43,0x11,0x07,0x7a,0xe9,0xbd,0xdf,0xe3,0x5b,0xa4,0x72, + 0x75,0x31,0x52,0x9c,0x23,0x9d,0x54,0x6a,0xb1,0xc2,0x98,0x18,0x7f,0x16,0x5f,0x70, + 0x8c,0xcc,0x0a,0xe3,0x97,0x9a,0x8d,0xa1,0x93,0xe3,0x48,0x59,0xa5,0x9c,0x2c,0x3b, + 0xc4,0x22,0x53,0xc8,0x34,0x66,0x88,0xe6,0xbb,0xa6,0xfb,0x1b,0x01,0xb1,0x0c,0x1e, + 0xc2,0xc6,0x49,0x3d,0xed,0xcc,0x26,0x96,0x26,0x9d,0x85,0x1b,0xde,0x63,0xe2,0x7e, + 0x37,0xbe,0xd3,0x57,0x45,0x5c,0x8f,0xee,0x56,0x29,0xf9,0x4a,0xfa,0x7a,0x98,0x66, + 0x95,0xcf,0xd5,0xb9,0x92,0x12,0x65,0x7a,0x6c,0x88,0x46,0x44,0x59,0x60,0x86,0xb8, + 0x9e,0x0c,0x7c,0x05,0xe8,0x19,0xfa,0xeb,0xeb,0xef,0x74,0x5f,0xd2,0x95,0xaf,0x88, + 0x66,0xe0,0x75,0x0f,0x54,0x79,0xba,0xed,0x50,0xcb,0xb3,0xd0,0x59,0xf8,0xa5,0xeb, + 0x7e,0x0e,0x61,0xe2,0x73,0x3a,0xe5,0x0f,0x0c,0x1e,0xc4,0x2b,0xe7,0x1f,0x5d,0xff, + 0x32,0x41,0x95,0xcb,0x4f,0x0e,0x94,0x1a,0x21,0x56,0x15,0x13,0xc3,0x03,0x7d,0xb9, + 0x2f,0xec,0x95,0x56,0xb7,0x72,0xcc,0xab,0x23,0x9e,0x34,0xb1,0x87,0x6c,0x56,0xb1), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0xa7,0xc3,0x09,0xd4,0x4a,0x57,0x18,0x8b,0xbd,0x7b,0x72,0x6b,0x98,0xb9,0x8c,0xe1, + 0x25,0x82,0x22,0x8e,0x14,0x15,0x86,0x48,0x70,0xa2,0x39,0x61,0xd2,0xaf,0xb8,0x2c, + 0xd5,0xbc,0x98,0xbe,0xc9,0x22,0xd5,0xf2,0xac,0x41,0x68,0xb0,0x56,0xda,0x17,0x6e, + 0xf3,0xba,0x91,0xf6,0xb6,0x99,0xba,0x6a,0xcc,0x41,0x44,0x86,0x8f,0xf3,0x7f,0x26, + 0xfd,0x06,0x72,0x08,0x68,0xd1,0x2a,0xd2,0x6e,0xcb,0x52,0x57,0x2c,0xf1,0x04,0x16, + 0xaf,0x68,0xdf,0x03,0xab,0x64,0x5a,0x8b,0x70,0x48,0x57,0xd2,0x19,0x0f,0xfc,0x3f, + 0x07,0xea,0xbe,0x3a,0x8e,0x2a,0xbe,0x34,0xed,0x61,0x59,0xe8,0x84,0xc4,0xfa,0xe1, + 0x41,0xd4,0x33,0x3d,0x5c,0x3e,0x0d,0xb0,0x44,0xff,0x9c,0xcc,0xd9,0xcb,0xd6,0x7f), + .s = 
chunk_from_chars( + 0x14,0x8a,0xf6,0x1e,0xd5,0xea,0x8a,0x87,0xa0,0x8b,0x3f,0x40,0x39,0x29,0xbf,0x80, + 0x31,0xdb,0x4f,0xd3,0x99,0x9b,0x64,0x40,0x9b,0xa4,0x89,0xf9,0x7a,0x3e,0xe5,0x20, + 0x8e,0xa4,0x20,0x2d,0x2e,0xc1,0x87,0x34,0xf6,0x15,0x00,0x3a,0x51,0xf7,0x74,0x41, + 0x08,0x5b,0xe6,0xac,0x0f,0x11,0x81,0x0f,0xfa,0x2d,0xad,0x58,0xf0,0xe1,0x86,0xd5, + 0x52,0x0a,0xc2,0xb8,0xa5,0xd3,0x96,0x6e,0x8d,0x2a,0xbb,0x80,0x74,0xe1,0x3b,0x50, + 0xa4,0xe7,0xde,0x83,0xbe,0x10,0xa6,0x6f,0xdc,0x7c,0xa1,0x81,0x18,0xc5,0x77,0x4f, + 0x78,0x12,0x12,0xde,0x9e,0xfe,0xbc,0x63,0x76,0xfc,0xdd,0xdc,0x65,0xa3,0xb1,0xb8, + 0xf1,0xab,0x31,0x49,0x2f,0xe4,0x78,0x25,0x9c,0xe7,0x19,0xb3,0xdb,0x58,0x74,0x98, + 0xd8,0x79,0xa0,0x1d,0xec,0x96,0xe8,0xea,0xbe,0xb0,0x7f,0xf7,0x07,0x3f,0x3f,0x3e, + 0xb4,0x46,0x08,0x49,0x55,0xca,0x26,0x32,0x9a,0x79,0x13,0x15,0xa2,0xc2,0x59,0xd2, + 0x25,0xe2,0x6b,0x21,0x54,0xb2,0x04,0x7b,0x21,0xfa,0xba,0x68,0x11,0x5b,0xfd,0x96, + 0x2e,0x5e,0x24,0xec,0x52,0xd7,0xc5,0xd2,0x31,0xe3,0x04,0x4c,0xbc,0xd8,0xc8,0x80, + 0x48,0x55,0x70,0x3c,0xba,0xa6,0x22,0xb1,0x5b,0x6e,0xf7,0x8c,0x74,0x21,0xa3,0x67, + 0x16,0x6f,0x1b,0x02,0x57,0x6c,0x87,0x36,0x05,0x93,0xda,0x75,0xb7,0x18,0x9e,0xfa, + 0xfd,0x10,0x82,0xbd,0x59,0xf6,0x85,0x7f,0x17,0x01,0xf6,0x46,0xc2,0x4d,0x70,0xc9, + 0x52,0x73,0xc4,0x9d,0x5b,0x11,0xe6,0xaf,0xe2,0x58,0x82,0x1b,0x55,0xc1,0x68,0x0c), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0xca,0x50,0x5d,0x45,0x91,0x12,0x16,0x64,0x99,0x07,0x47,0xd9,0x5d,0x95,0x55,0xcc, + 0x75,0xbf,0xc3,0xfd,0xae,0xec,0xee,0xaa,0x60,0xea,0xfa,0xb3,0xfc,0x32,0x0c,0xfc, + 0xe5,0x6e,0xb9,0x13,0x81,0x38,0xbf,0x13,0x8f,0x25,0xf3,0xc8,0xbb,0x02,0x7b,0x13, + 0x6f,0x5d,0x3d,0x90,0xed,0x48,0x97,0x77,0x9b,0x59,0x51,0xc0,0x9d,0xf5,0xd0,0x8b, + 0xa9,0xce,0x8c,0xbe,0x17,0xab,0xc4,0xf0,0x38,0x68,0x70,0x86,0xe9,0x3d,0x77,0x1b, + 0x68,0x43,0x22,0x26,0x66,0x33,0xd0,0xd6,0x5d,0x71,0xec,0x41,0x23,0x4a,0x1d,0xbe, + 
0xc0,0x7a,0xbc,0x8f,0x7d,0xf2,0x8b,0xc4,0x3d,0xd8,0xa4,0x5b,0x10,0xce,0xaf,0xac, + 0x06,0x77,0x58,0x05,0x41,0x37,0x01,0x91,0x4e,0x3b,0xb3,0x7e,0xb6,0xba,0x5b,0x5e), + .s = chunk_from_chars( + 0x58,0x9c,0xcd,0x4e,0xbf,0x97,0x64,0xf8,0x7e,0x6a,0xfa,0x7f,0x13,0xc4,0x06,0x25, + 0x79,0xb0,0x22,0x28,0x11,0x7b,0x15,0xa8,0x73,0x8a,0xb3,0x9c,0xd6,0x44,0x77,0x06, + 0x9c,0xb4,0xf5,0x2c,0xd8,0xd5,0xf4,0x57,0x4c,0x65,0x7b,0x45,0x38,0x35,0xca,0x3c, + 0xed,0xb8,0x24,0xf0,0x3b,0x92,0xa5,0x73,0xd6,0xd3,0xd9,0x13,0x61,0x31,0x3f,0x11, + 0xbd,0xcb,0x34,0xd2,0x05,0x9f,0xe2,0xe6,0xce,0x2b,0x85,0x44,0x61,0xaf,0x58,0xa9, + 0x29,0x4c,0x88,0xcb,0xfb,0x2a,0x63,0x99,0x76,0xb5,0x6e,0x47,0x48,0x02,0x6f,0x30, + 0x40,0xe2,0xfd,0x71,0x12,0xd6,0xad,0x44,0x50,0x06,0x89,0xac,0x77,0x7c,0x07,0x1d, + 0x17,0x39,0x19,0x69,0x76,0x2e,0x18,0x64,0x17,0xc4,0x40,0x0a,0xbd,0xda,0x5c,0x16, + 0xdc,0xe0,0x07,0x76,0x42,0xf1,0xfc,0x13,0x54,0xe0,0xe8,0xc1,0x4e,0x55,0x8c,0x92, + 0x3c,0x1b,0xfb,0x85,0x48,0x8b,0x83,0x50,0xf4,0x15,0x86,0x6a,0x60,0x87,0x1e,0xd7, + 0x15,0x1f,0x5f,0xbc,0x5b,0x88,0x05,0x00,0x01,0x19,0x77,0xc7,0x78,0xe1,0x7f,0xe8, + 0x91,0x8c,0x5d,0x34,0x3f,0x70,0xb0,0x0d,0x58,0xf7,0x18,0x95,0x61,0x25,0xfe,0x28, + 0xb3,0xa5,0xe2,0xd0,0x76,0x04,0xa2,0xb8,0xa8,0x77,0x20,0x44,0x34,0xce,0x90,0x3b, + 0x35,0xa0,0x30,0x93,0x6b,0xc7,0x19,0x51,0xca,0x59,0x3d,0xf9,0x7d,0x24,0xe8,0xe8, + 0xad,0x8f,0x2d,0xc9,0xb7,0x8f,0x76,0xef,0x13,0xa1,0xd3,0x86,0xca,0x85,0x7c,0xed, + 0x48,0xf1,0x9f,0x3e,0xbe,0x39,0x10,0x8f,0x9b,0x33,0xff,0x59,0xeb,0x05,0x56,0xb1), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0x23,0x7a,0x7e,0x44,0xb0,0xa6,0xc2,0x68,0xbb,0x63,0x36,0x4b,0x95,0x8a,0xe0,0x2b, + 0x95,0xe7,0xee,0xd3,0x6b,0x3e,0xa5,0xbf,0xb1,0x8b,0x9b,0x81,0xc3,0x8e,0x26,0x63, + 0xd1,0x87,0x14,0x4e,0x32,0x3f,0x9c,0xea,0xfb,0x47,0x95,0x07,0xd1,0x84,0xe6,0x3c, + 0xfb,0xec,0x3e,0xcd,0xbb,0x8a,0x05,0xd2,0xdf,0xc8,0x92,0x96,0x93,0xed,0x9e,0x3e, + 
0x79,0xe5,0xf8,0xab,0xfc,0x41,0x7b,0xa1,0xe1,0x7e,0x3e,0x28,0x1e,0x8a,0x0a,0x32, + 0xf0,0x84,0x11,0x7f,0x28,0xc3,0xdc,0xbe,0xc5,0x1b,0x86,0xf5,0xc8,0x5b,0x28,0x22, + 0x44,0x1a,0x94,0x23,0xb5,0xb4,0x46,0xd3,0x92,0x8f,0x97,0x76,0x26,0xa3,0x34,0x57, + 0x9b,0x39,0xcf,0xaf,0x58,0xf2,0x14,0xc9,0x8d,0x0c,0xdf,0x64,0x0b,0xe1,0xac,0x59), + .s = chunk_from_chars( + 0xaf,0x07,0x6b,0xc2,0x13,0xca,0xf7,0x56,0x19,0xf4,0xbd,0x1d,0x78,0x7c,0xc1,0x98, + 0xf7,0xdf,0x33,0x24,0xa0,0xdd,0x87,0xa8,0x84,0x16,0xe0,0xa4,0xb8,0x1c,0x2f,0xb9, + 0xa9,0xdb,0x5f,0x98,0xae,0xd4,0x3b,0xc1,0x5f,0xe2,0x35,0x71,0x43,0xa6,0xe4,0xff, + 0x70,0x1d,0x9c,0x48,0xf5,0x1d,0xe9,0xeb,0x80,0x36,0x70,0xbb,0xc4,0xb0,0xae,0xa7, + 0x22,0x0b,0xe2,0xf8,0x4b,0x83,0x00,0x31,0x8c,0x77,0xa9,0xf6,0x15,0x98,0x6c,0x49, + 0x80,0xab,0xda,0x85,0xe3,0xad,0x00,0x89,0x56,0x4d,0xba,0xf7,0xf4,0x4d,0x81,0xb6, + 0x66,0x4e,0xec,0x03,0x11,0xad,0xb1,0x94,0xd4,0x6d,0xe9,0x6b,0xb1,0x7d,0x5a,0x5d, + 0x47,0x42,0x68,0x45,0x80,0x2c,0xa0,0xf4,0x9a,0x16,0x9e,0xb8,0x2b,0x75,0xaf,0xa1, + 0x91,0x02,0x7a,0x0c,0xc8,0xfc,0xe9,0xdd,0x16,0x05,0x53,0x50,0xdf,0x97,0x45,0xfc, + 0x72,0x00,0xff,0x9f,0x4e,0xa3,0xcf,0xbf,0xc6,0x6c,0x42,0x84,0x81,0x13,0xe3,0xbe, + 0x32,0x93,0xd5,0x10,0x38,0x2d,0x09,0x99,0xf0,0x32,0x51,0x55,0x27,0xbd,0x99,0xf6, + 0x6e,0xfa,0x2a,0x75,0x5e,0x01,0x12,0x47,0xb2,0x23,0xa6,0x8e,0x51,0x25,0x8b,0x6b, + 0xc3,0x19,0xa7,0xcd,0xef,0x4a,0xec,0x53,0x3e,0x9d,0xcd,0x8a,0xe2,0x6e,0x34,0x9e, + 0x5b,0x33,0xc7,0x91,0x21,0x90,0x7d,0xe5,0x09,0xa1,0xcb,0x83,0xc2,0xe5,0x9a,0x47, + 0xc1,0xa8,0x84,0xbf,0x68,0xe7,0x22,0x93,0x16,0xa6,0x2e,0x3c,0x49,0xd1,0xf5,0x42, + 0xeb,0xe7,0x10,0x5c,0xfc,0x27,0x09,0x92,0x68,0x12,0x0a,0x77,0x43,0x90,0x84,0x71), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0xab,0x18,0x93,0x92,0x30,0xb0,0x96,0x64,0x6a,0x37,0xa7,0x81,0x62,0x9f,0xbd,0x92, + 0x70,0xf3,0x89,0x1a,0x5c,0xea,0xb4,0xa8,0xc3,0xbc,0x68,0x51,0xbc,0x34,0x11,0x5d, + 
0xbc,0x06,0x65,0x41,0xb7,0x64,0xa2,0xce,0x88,0xcc,0x16,0xa7,0x93,0x24,0xe5,0xf8, + 0xa9,0x08,0x07,0x65,0x2c,0x63,0x90,0x41,0x73,0x3c,0x34,0x01,0x6f,0xd3,0x0a,0xf0, + 0x8f,0xed,0x90,0x24,0xe2,0x6c,0xf0,0xb0,0x7c,0x22,0x81,0x1b,0x1a,0xe7,0x91,0x11, + 0x09,0xe9,0x62,0x59,0x43,0x44,0x72,0x07,0xdc,0xd3,0xff,0xf3,0x9c,0x45,0xcb,0x69, + 0xee,0x73,0x1d,0x22,0xf8,0xf0,0x08,0x73,0x0c,0xe2,0xef,0xc5,0x3f,0x11,0x49,0x45, + 0x57,0x3e,0xa2,0xdd,0xeb,0xb6,0xe2,0x62,0xc5,0x27,0xd2,0x0f,0x8b,0xb1,0xdc,0x32), + .s = chunk_from_chars( + 0x95,0xbd,0x0b,0xf2,0x36,0x2f,0x34,0xb2,0xe0,0x40,0x75,0xb2,0x93,0x4f,0x40,0x47, + 0x98,0x70,0x3e,0xa4,0x72,0xb8,0x1a,0xc3,0xcc,0x22,0x3a,0xec,0x48,0x6e,0x4c,0x3d, + 0x9c,0x5d,0x1c,0x2f,0x9e,0xe2,0x24,0x17,0x13,0x29,0x64,0xed,0x58,0xe4,0x99,0x37, + 0xf5,0xb2,0x57,0xd3,0x16,0xca,0x7f,0xff,0xe2,0x90,0xb1,0x9f,0x5b,0x58,0x10,0x38, + 0x36,0x81,0x2b,0xef,0x30,0xca,0x03,0x27,0x03,0x9d,0x8b,0x9e,0xa9,0x12,0x95,0x39, + 0x2f,0xc3,0x94,0xb8,0x81,0xe2,0xd2,0xac,0x9e,0x30,0xc5,0xa4,0x42,0x56,0x70,0x0f, + 0xc9,0xde,0x0d,0xba,0x29,0x82,0x73,0xae,0xc3,0x0c,0x4f,0x77,0x8d,0x2e,0x71,0x27, + 0xe8,0xb8,0xa8,0x8b,0x02,0x74,0xfc,0xe0,0x40,0x81,0xcc,0x13,0xad,0xbe,0xfe,0x55, + 0x50,0x14,0xe1,0xb5,0xd5,0xdc,0xf6,0x22,0x4c,0x5a,0xe2,0x77,0x54,0x23,0xa6,0x6c, + 0x81,0x81,0x8e,0xec,0x01,0x4a,0x3f,0xaf,0x9e,0xe7,0x5a,0x3f,0x6c,0x3e,0x51,0xc5, + 0x56,0xb0,0xa2,0x88,0xe8,0xc2,0x62,0x94,0x66,0x84,0xeb,0x62,0x8b,0x88,0xe3,0xf8, + 0x75,0xe6,0x2e,0xf6,0xe8,0x01,0xca,0xe7,0x5f,0x61,0xce,0xe4,0x04,0x97,0x1c,0x39, + 0xd2,0x4a,0x97,0x12,0xeb,0x34,0x2d,0xdc,0x66,0x35,0x15,0xde,0xc1,0x03,0xb1,0x8d, + 0x97,0xd7,0x8e,0xd6,0x82,0x12,0xf2,0x79,0x00,0xe7,0x7c,0x04,0x9b,0x60,0xc8,0x53, + 0x00,0x2b,0x08,0x02,0x2d,0xf5,0x6f,0x70,0x7e,0xfa,0x71,0x02,0x75,0x89,0xe1,0xa3, + 0xca,0x6e,0x41,0x5b,0xa5,0xf4,0x43,0x7e,0x97,0x8b,0x07,0xaf,0x3b,0x73,0xba,0x0d), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 
0xa2,0x80,0xe8,0x9c,0xeb,0x2c,0x8c,0xf2,0x62,0x97,0x19,0x1b,0xaf,0x9a,0x95,0x5d, + 0x0d,0x52,0x37,0x5d,0xa0,0x23,0x63,0x3e,0x0a,0xfc,0xdb,0x0d,0x39,0xdc,0x33,0x5d, + 0x82,0x95,0x85,0x2e,0xf4,0xd0,0x67,0x14,0xe6,0x51,0x1a,0x95,0xd3,0x7c,0x04,0xd2, + 0x68,0x18,0x60,0x6a,0xda,0x54,0x35,0x9b,0x7d,0x07,0x84,0xaa,0x93,0x3c,0xc6,0x85, + 0x61,0xee,0x96,0xa8,0x89,0x10,0xaa,0x3d,0x93,0xd1,0x07,0x87,0xcd,0x1d,0x75,0x80, + 0x55,0x67,0x31,0xc1,0x74,0xa6,0xe3,0xa3,0x2d,0x9d,0xcf,0xa4,0x16,0x60,0x4f,0x0c, + 0x67,0x14,0x81,0xd0,0x51,0xf6,0x3d,0xb6,0x91,0x9f,0x4a,0xba,0x44,0x86,0xd1,0xb0, + 0xfd,0xc6,0x11,0x2c,0x15,0x21,0x55,0x9f,0x42,0x45,0x23,0xc2,0x6b,0x4f,0xb7,0x38), + .s = chunk_from_chars( + 0xcd,0x60,0xde,0x3b,0x4a,0x12,0x89,0xa8,0x4c,0xa7,0x61,0xf9,0x0f,0xa6,0x3f,0x4d, + 0x56,0x88,0xbd,0x88,0x5f,0x4b,0x53,0x1c,0x85,0x15,0xad,0xd2,0xde,0x12,0x51,0xf9, + 0x93,0xff,0x7f,0x98,0x6b,0xef,0x3f,0xba,0x69,0x2e,0xcd,0xeb,0xc8,0x19,0x42,0xd7, + 0x42,0x9c,0x7a,0x59,0xc5,0xd3,0xf1,0xfb,0x87,0x2f,0xc1,0xda,0x19,0x15,0xe9,0x45, + 0x86,0xa5,0xc3,0xd9,0x63,0x60,0x36,0x19,0x00,0x8f,0x7e,0xfe,0xde,0xd1,0xd7,0x0b, + 0x0a,0x11,0xce,0x2c,0xd8,0x1b,0x5b,0x0d,0x86,0xb3,0x76,0x0c,0x94,0x83,0x67,0x4f, + 0x55,0xe9,0xfa,0x47,0xf2,0xf3,0x10,0xd5,0x88,0xfb,0x21,0x60,0xe8,0xb5,0xc3,0x2b, + 0xe4,0xe7,0xa9,0x68,0xd5,0xa8,0xd4,0xac,0x65,0x76,0xb7,0x1a,0x2b,0x91,0xcd,0x6a, + 0xf0,0x01,0x6c,0xbc,0x81,0x6d,0x4a,0xae,0x8c,0x70,0x64,0x9e,0x08,0xdc,0xe9,0x0b, + 0x3c,0xe5,0x2a,0xb4,0x9c,0xe2,0xcb,0x5b,0x0e,0xd8,0xa4,0x5e,0x33,0xd9,0x4c,0xf2, + 0xd4,0xcf,0xde,0xe1,0x15,0x12,0x70,0xb2,0x07,0x3a,0xef,0xfe,0xaf,0x71,0x7d,0x39, + 0xe0,0x41,0x92,0xb8,0xb6,0x93,0xc5,0x3f,0x21,0xa6,0x12,0x38,0x13,0x28,0x08,0x06, + 0x92,0x0b,0x7d,0xc5,0x82,0x20,0x1c,0x9d,0x11,0x70,0x50,0x32,0x06,0x71,0xe8,0x61, + 0x39,0xa0,0x27,0x97,0x6b,0x7e,0xcf,0x41,0x33,0x69,0xa9,0xfc,0x28,0xe0,0xbd,0x71, + 0x9c,0xeb,0x5e,0x10,0x7d,0xe7,0x99,0xf1,0xbc,0x2e,0x25,0x5a,0x9f,0x29,0x47,0x6d, + 
0x45,0x74,0xd1,0x33,0x2f,0x66,0x46,0x8a,0xfb,0x90,0x04,0xff,0x7b,0x53,0x53,0x02), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0x85,0xed,0x1e,0x3d,0xfc,0xd5,0xbc,0xa2,0x4c,0xad,0x1d,0x01,0xeb,0xe1,0x92,0xb7, + 0xd0,0x59,0xec,0x9b,0x88,0x44,0x36,0xe1,0x87,0x14,0xa4,0x3f,0xbc,0xc9,0xc6,0x4f, + 0x68,0x73,0x01,0x35,0x2f,0xf2,0x40,0x81,0x70,0x01,0xe7,0x57,0xd2,0x73,0x09,0xcd, + 0x1f,0xbb,0xda,0x94,0x56,0xb2,0x67,0xdb,0xfb,0x95,0x84,0x70,0xb2,0x4d,0x06,0x28, + 0x0c,0xf4,0x33,0x82,0xa1,0x94,0x77,0x87,0x5f,0x32,0x59,0xf4,0x21,0x0b,0xac,0x9b, + 0x83,0x1d,0x0a,0x07,0xf5,0xe9,0x7e,0x5f,0x0f,0x78,0x81,0x8c,0x25,0x9c,0x28,0x9e, + 0x1a,0x78,0x9b,0x6c,0x79,0x42,0xc9,0x7b,0xc1,0x48,0x5a,0x22,0x01,0x31,0xe5,0xeb, + 0xa5,0x86,0x64,0x3b,0x90,0x71,0xe5,0x36,0x6b,0xc4,0x82,0xdd,0x3c,0x3c,0x92,0x79), + .s = chunk_from_chars( + 0x13,0x81,0x34,0xbb,0xec,0xef,0xaf,0xc7,0xca,0x8b,0x10,0x2c,0xbe,0x87,0xb0,0x12, + 0xf8,0xaa,0xda,0x88,0x78,0x99,0x50,0x02,0xcf,0x18,0x87,0x69,0x4b,0x5b,0xe3,0xb8, + 0xf0,0xbb,0x61,0x6b,0xc6,0xe0,0x79,0x62,0xd5,0x48,0x2d,0x3a,0x52,0xc5,0x2a,0xb9, + 0x1b,0x3e,0xe0,0x06,0x4d,0x24,0x55,0x8e,0x13,0xc7,0x5c,0x80,0xf6,0xa9,0x5b,0x7d, + 0xc4,0x98,0x44,0x28,0x79,0xd5,0xba,0xf8,0xff,0xa7,0xe2,0xf6,0x38,0x80,0x8b,0x97, + 0xff,0x70,0x13,0x6b,0xb6,0x45,0xe3,0x09,0x44,0xdd,0x97,0xa9,0x97,0xa0,0x20,0x51, + 0x69,0x55,0x3a,0x5b,0x9e,0x87,0x4c,0x5a,0x94,0x41,0xe1,0x8c,0x15,0xeb,0xed,0x76, + 0x04,0x3b,0x63,0x9d,0xfd,0x64,0xdb,0x79,0xe1,0x74,0x84,0x7a,0x10,0x27,0x24,0xa2, + 0xa0,0x5c,0x64,0x94,0x73,0xcc,0x7d,0xac,0xd3,0x9e,0x2e,0x1d,0x56,0x66,0xbb,0xb5, + 0xf0,0x12,0x46,0x74,0x70,0x48,0xff,0xfc,0xdf,0xcd,0xdf,0x78,0x2d,0xa2,0x4a,0x6d, + 0xcc,0x02,0x2b,0x26,0x95,0xf7,0x07,0x81,0xbd,0x9f,0x8f,0xf7,0xd0,0x3b,0xe2,0x2e, + 0xb8,0xfc,0x79,0x3f,0x5c,0x07,0x1a,0x66,0xd9,0xa6,0xea,0x46,0xc6,0xa2,0xcf,0x05, + 0x56,0x52,0x6b,0xa8,0xb0,0x85,0x07,0x35,0x46,0x44,0x80,0x81,0x73,0x2a,0xc1,0x5f, + 
0x12,0x83,0x3c,0x1d,0xb1,0x70,0x1f,0xf7,0xf6,0x83,0x44,0xca,0x65,0xdf,0xf8,0x62, + 0x11,0xa0,0x03,0xad,0xbf,0x51,0x89,0xcf,0xae,0x79,0xea,0xa8,0xc8,0xb7,0x14,0x1e, + 0xa3,0x78,0xe4,0x4c,0xc9,0xc5,0xbf,0x02,0x4d,0x2c,0x71,0x0f,0xf5,0xcd,0x68,0xaf), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0x0b,0xdb,0xa3,0x4e,0x35,0xfc,0xa6,0x5a,0x17,0x81,0xd4,0xd7,0xc9,0x33,0xa5,0xf2, + 0x10,0xd3,0xa5,0x94,0x83,0xae,0xbc,0x95,0xec,0x71,0xb3,0x2d,0xf1,0x3f,0xf4,0xab, + 0xf4,0x01,0x91,0x69,0x37,0xfd,0x88,0xff,0x44,0xab,0x46,0xb7,0x8c,0xc3,0x69,0x41, + 0x4e,0x9b,0xca,0xa8,0xba,0xb0,0xbb,0x85,0x57,0x82,0x8d,0x73,0xa2,0xa6,0x56,0xc2, + 0xf8,0x16,0xf0,0x70,0xb5,0xcb,0x45,0x54,0x9e,0x8e,0xca,0x9d,0x7c,0x0b,0x4a,0x7b, + 0x0a,0x27,0xe5,0x1c,0x11,0x93,0x58,0xda,0xd2,0xa1,0x7f,0xb3,0xa4,0x57,0x18,0xf9, + 0xde,0xc3,0xc9,0x4a,0xf7,0x8d,0x65,0xc3,0xec,0xd3,0x6b,0x71,0xe2,0x30,0xcf,0x08, + 0x0d,0x1e,0xfd,0xd8,0xd0,0x7f,0x1c,0xfc,0x26,0x76,0x8f,0xd5,0x40,0x7b,0xc2,0xb7), + .s = chunk_from_chars( + 0x9f,0x48,0xde,0xb9,0x6b,0xec,0x0b,0x72,0xfb,0xc4,0xf1,0x2f,0x08,0xaf,0xb4,0x6b, + 0xcc,0xf1,0x9d,0x9e,0x0c,0xd0,0x36,0x8e,0xbe,0xb3,0x12,0xd8,0x38,0x72,0x62,0x63, + 0x80,0xac,0x92,0x8b,0x61,0x2c,0x5c,0xd7,0x74,0x38,0xd4,0x7a,0xa9,0xce,0xea,0x90, + 0x5a,0x9d,0xe7,0x18,0x2c,0x8e,0xf7,0x6e,0x8a,0x7a,0x03,0xd6,0xef,0xec,0x84,0x00, + 0xb6,0x49,0x63,0x62,0xbf,0x6a,0x30,0xce,0xb1,0xce,0xd2,0x18,0x5f,0xc7,0xc2,0x11, + 0x7b,0x6a,0x6d,0x88,0x8a,0xc2,0x0c,0x16,0x87,0xb0,0xf2,0xaa,0x9b,0x76,0x70,0x5f, + 0xd3,0x15,0x48,0x89,0xb6,0xac,0xaf,0x4e,0x63,0xbe,0x25,0x88,0x0c,0x71,0xe6,0xc2, + 0x39,0xec,0xfb,0x96,0x50,0x04,0xcd,0x63,0x21,0x25,0x7f,0x84,0x6a,0xfd,0x2a,0x65, + 0x90,0xc7,0x2a,0xd8,0x31,0x46,0xee,0xfc,0x7b,0x0d,0xc4,0x79,0x63,0x39,0xa7,0xf6, + 0x4d,0xa0,0xfb,0xe3,0x59,0xf9,0x4a,0xce,0x1f,0xd1,0x51,0xc5,0xac,0x7b,0xb5,0x70, + 0x7b,0x32,0xea,0xcf,0x56,0x4f,0xe1,0x62,0x2e,0x66,0xe1,0x84,0x4e,0x63,0x96,0x02, + 
0xca,0x36,0x27,0x4a,0xe0,0x1f,0x93,0xe6,0xb2,0xbd,0x1e,0xff,0xd3,0x4a,0xb6,0x3d, + 0x85,0x2c,0xc9,0xca,0xf3,0xce,0x84,0x46,0xc2,0x9c,0x8a,0xe3,0xc6,0x11,0x0f,0xb7, + 0x53,0x8c,0xc8,0x37,0x1c,0x2a,0x39,0x81,0x24,0x9c,0xdc,0x1b,0xe2,0xb2,0x4b,0x6a, + 0x0c,0x95,0x17,0x64,0xd0,0xb7,0xef,0xa9,0x2a,0x22,0xcd,0x8e,0xd1,0x65,0xe1,0x82, + 0x86,0x35,0x79,0x37,0x79,0x97,0xa9,0xee,0x50,0xc8,0xac,0x3a,0xa4,0xdf,0x1a,0xca), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0x9a,0xee,0xd8,0x5b,0x40,0xba,0x7f,0x86,0xa2,0x28,0xb5,0xa1,0x51,0x5b,0xa1,0x90, + 0xb2,0xef,0xff,0x66,0x99,0x3a,0x5e,0xce,0x19,0xd1,0x8b,0xaa,0x9b,0x4e,0x4d,0xf9, + 0x2e,0x51,0x52,0xfe,0x1e,0xc5,0x6a,0x9f,0xc8,0x65,0xf3,0x0b,0xac,0x7e,0x94,0x9f, + 0xc4,0xf6,0x2f,0x0b,0x15,0x8d,0x10,0xb0,0x83,0x63,0x6b,0x4d,0xe9,0xbb,0x05,0xdb, + 0x69,0xfe,0x31,0xb5,0x01,0x03,0xfe,0xfc,0x5f,0x8d,0xaf,0x3a,0xf7,0x15,0x6b,0x45, + 0x52,0xca,0x36,0x67,0xa9,0xd7,0x20,0xbb,0xb2,0xe4,0xbc,0xda,0xba,0xdf,0xd4,0xb7, + 0xf4,0xfc,0x5b,0xc8,0x11,0xfa,0xa3,0x67,0x10,0xa9,0xd1,0x77,0x58,0xa9,0x8d,0x4a, + 0x04,0x74,0xfe,0xc2,0x7e,0x9e,0xf5,0xb7,0x4f,0x5c,0x68,0x99,0x35,0x44,0x23,0x57), + .s = chunk_from_chars( + 0x9e,0xec,0xdb,0xd7,0xfb,0xf6,0x18,0xdd,0xdd,0xfb,0x6e,0x75,0xd6,0x44,0x40,0xf6, + 0x04,0x45,0xb8,0x53,0xc5,0x42,0xfe,0x0f,0xba,0xaa,0x6a,0x43,0x12,0x94,0xe6,0xcb, + 0x66,0x83,0xae,0x1a,0x71,0xea,0x05,0x5e,0xb4,0x9c,0xd2,0xa3,0xcb,0x51,0x54,0xdc, + 0x93,0xd9,0xaa,0x16,0x63,0x99,0xf4,0xe6,0x29,0x4f,0x0e,0xb0,0x65,0x28,0x00,0xd7, + 0x1e,0x04,0x1c,0x1c,0xe1,0xad,0x84,0x9c,0x03,0xc9,0x63,0xbc,0x09,0x29,0xdc,0xdd, + 0x11,0xbe,0x5d,0x67,0xa0,0x50,0xd0,0x2b,0x64,0xb2,0x9e,0xab,0xa6,0x55,0x64,0x2b, + 0x64,0x36,0xfb,0xfb,0x16,0x36,0x90,0xbf,0x43,0x2f,0xdc,0xee,0xdd,0x10,0x6c,0x2f, + 0x49,0x72,0xec,0xbf,0x30,0x77,0xed,0x8b,0x75,0x3b,0xb6,0x05,0xec,0x1e,0xa0,0x30, + 0x20,0x83,0x9a,0x31,0x8a,0x24,0xf8,0xd4,0xc1,0xd7,0xd8,0xdf,0x99,0xa7,0xf0,0x01, + 
0x0a,0xe4,0x1a,0x8b,0x06,0x8e,0x28,0x88,0x53,0x10,0x56,0xa7,0xda,0xbb,0xe9,0x21, + 0x87,0x8d,0xcd,0x3c,0x7d,0x69,0x41,0x68,0x67,0xf4,0x01,0x2a,0x60,0x6a,0xe8,0x68, + 0x55,0xf1,0x5a,0xed,0x0d,0xa1,0x25,0x0e,0x59,0x68,0x77,0x06,0xe8,0x9c,0x94,0x94, + 0xba,0xf3,0x7f,0x61,0xfb,0x17,0x03,0xb7,0x99,0x28,0x79,0x5f,0x90,0xcc,0xbe,0x29, + 0x3a,0x1e,0x94,0x72,0xf6,0xe0,0xf4,0xb8,0x90,0xfd,0xda,0x3e,0xa2,0x52,0x2e,0x3d, + 0x11,0xd5,0xab,0xdf,0x00,0x69,0x51,0x94,0x24,0xd1,0x47,0xb5,0x64,0x6a,0x5a,0x60, + 0x1f,0x19,0xec,0x89,0x72,0x9a,0x8b,0x48,0x46,0x1e,0x71,0xc0,0x8b,0xbe,0x9c,0xda), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0x65,0x4e,0x18,0x9f,0x06,0xc7,0xd4,0x2d,0x55,0x39,0xa5,0x87,0x21,0x84,0xf8,0x33, + 0x6c,0xf1,0x00,0x69,0x1f,0x19,0x08,0x18,0xfd,0x02,0x08,0x2a,0xd6,0x8a,0x76,0x09, + 0xfd,0x09,0x5e,0x62,0xfc,0x32,0xb5,0x29,0x85,0x3a,0xeb,0xdd,0xac,0x3d,0xbf,0x0d, + 0x54,0xdd,0x57,0x1b,0xe7,0x2c,0x90,0x40,0x4b,0xcc,0x93,0xd0,0x11,0x54,0xa9,0xbf, + 0xef,0xf6,0x50,0x65,0x70,0x5f,0x8e,0x7e,0xea,0xdf,0x85,0x75,0xb1,0xca,0x48,0xe2, + 0x8a,0x1e,0xed,0x51,0x62,0x65,0xe3,0x45,0x40,0xdd,0x86,0x7c,0x79,0xd7,0xf1,0x75, + 0x23,0x5d,0x13,0x30,0xcb,0x17,0x06,0x35,0x6b,0x70,0x9b,0xd7,0x96,0xf4,0x3a,0xba, + 0xf6,0xfc,0xe9,0x93,0xf8,0x8e,0xaa,0x2f,0xc6,0x7f,0x0a,0xb7,0x76,0xda,0xf7,0x32), + .s = chunk_from_chars( + 0xaf,0x90,0x29,0x8b,0xce,0xf6,0x15,0x30,0x9f,0x23,0x5d,0x5c,0x33,0x60,0xf0,0xdf, + 0x11,0xf5,0xfb,0x98,0x87,0x89,0xf2,0x13,0xd4,0xc4,0x61,0x34,0xfe,0xe5,0xeb,0x10, + 0x4a,0xa1,0xfa,0xbb,0x13,0x07,0xc9,0xa9,0x04,0x70,0x9d,0xe8,0x86,0x73,0xed,0x99, + 0x51,0xcb,0xa9,0x31,0x67,0xc6,0x7c,0x09,0xd8,0x27,0x02,0x1b,0x08,0xa2,0x2c,0x05, + 0x05,0x82,0x8a,0xb4,0xbe,0xb4,0x2e,0x59,0xa3,0x88,0x32,0xcb,0x4d,0xa2,0x4e,0xcf, + 0x91,0xf4,0x70,0xa3,0xb4,0x12,0xc0,0x71,0x2a,0x8a,0x59,0xf6,0xf2,0x73,0x9d,0x4e, + 0x9e,0xb4,0xcc,0x58,0xd2,0xc5,0x25,0x92,0xf1,0x45,0x2d,0xc6,0x57,0x59,0xab,0xe4, + 
0x3e,0x8d,0x2b,0xc8,0x04,0xe2,0xef,0xb3,0xef,0xc9,0xb2,0x3c,0xc1,0x73,0x4f,0xf7, + 0xca,0xef,0xa4,0x6b,0x03,0xba,0x4b,0x39,0x7d,0x07,0x14,0xcd,0xb8,0x50,0x1a,0x81, + 0x2c,0x1b,0x9f,0x47,0x41,0x1c,0x91,0xcb,0xa5,0x3a,0x3d,0x3b,0x13,0x9e,0xdb,0xd7, + 0xcb,0xb5,0x43,0xf5,0xbf,0x38,0x29,0xba,0x7f,0x5f,0xaf,0xd8,0xa7,0x12,0xc0,0xb1, + 0x11,0x94,0x3f,0x53,0x20,0x93,0x53,0xaf,0xab,0xa1,0x76,0xb3,0xf5,0xdc,0x06,0x03, + 0x39,0xd0,0x9b,0x1f,0xb3,0xc2,0x13,0xda,0xe5,0xd0,0xf0,0x04,0xd3,0x02,0x82,0x85, + 0x60,0xfb,0x5d,0xeb,0xf9,0xfe,0x49,0x1e,0xaa,0x66,0xf5,0x97,0xaa,0x4d,0xe2,0x3e, + 0xee,0xf9,0x17,0x63,0x58,0x75,0x5c,0x95,0x2e,0xf9,0x6e,0x36,0x72,0x58,0x3b,0x6e, + 0xcd,0x95,0xa0,0x2e,0x8c,0xa7,0xb2,0x1d,0x7c,0x20,0xcb,0xb7,0xa7,0x57,0xaf,0x71), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0x12,0x1f,0x80,0xb4,0x3f,0x97,0x57,0xb3,0xfa,0x80,0x90,0x6a,0xea,0xb2,0x32,0x19, + 0x5f,0x0e,0x2c,0x41,0xe5,0xbf,0x8c,0x09,0x1a,0xc0,0xf1,0xe0,0xbc,0x9e,0x43,0x64, + 0x06,0x80,0xa1,0x82,0x3d,0x64,0x9b,0xdf,0x86,0xab,0xa2,0x77,0xfa,0xd8,0xbc,0x85, + 0xfc,0x95,0x7d,0xa2,0xca,0xf7,0x32,0x30,0x53,0x02,0x5f,0xf9,0x49,0x70,0x6c,0x14, + 0x76,0xae,0x9b,0x09,0x53,0x28,0x3d,0x34,0xd7,0xc6,0x26,0x6f,0x8d,0xb6,0x5e,0xeb, + 0xe9,0x6d,0x19,0x5f,0xdc,0xe8,0xe9,0x65,0xa6,0x38,0x33,0x20,0xec,0x3d,0xe0,0x23, + 0x0a,0xb2,0x54,0x8e,0xaa,0x69,0xa4,0x7a,0x96,0xd8,0x03,0x98,0xca,0xd5,0x7e,0x14, + 0xce,0x9e,0xea,0xc0,0x42,0x1c,0x1a,0x6e,0xba,0x69,0x55,0x9d,0xcd,0x8f,0x06,0x59), + .s = chunk_from_chars( + 0x06,0xa2,0xd7,0x45,0x85,0xf1,0x2e,0xa7,0xa8,0x05,0x27,0xb8,0xc6,0x35,0xa2,0x1c, + 0xc1,0x1b,0x45,0xdb,0xb0,0x88,0x5a,0x12,0x72,0x21,0x26,0x81,0x1d,0xd2,0x5d,0x65, + 0x7b,0xfa,0x9f,0xda,0x77,0x43,0x01,0xca,0x34,0x98,0xd0,0x5d,0xfd,0xfb,0x78,0xa6, + 0xaa,0x16,0xa9,0xf8,0xa9,0x5f,0x40,0xf1,0xf0,0x4b,0xd3,0x54,0xa5,0x22,0xf6,0xa2, + 0xd6,0x2b,0x32,0x4e,0xfa,0x3c,0x00,0x6c,0x22,0xc2,0x31,0x4b,0x01,0xfa,0x0e,0x91, + 
0xa3,0xdb,0xa4,0x9a,0xa3,0x5b,0x46,0xb1,0x98,0x04,0xb0,0x7a,0xd9,0x8f,0xe4,0xbc,
+ 0x99,0x03,0x93,0xa4,0xa2,0x73,0xce,0x8f,0x1c,0x85,0xfc,0x19,0xcd,0x5e,0xae,0x9a,
+ 0xf0,0xb7,0xd1,0x95,0x7b,0xb2,0x34,0x09,0x77,0x8a,0x01,0x0b,0x00,0xc6,0x95,0x9e,
+ 0x1b,0x67,0x06,0x6f,0xdb,0x9f,0x84,0x95,0xb4,0xde,0x4d,0xcb,0xb9,0x87,0x35,0x81,
+ 0x45,0xb1,0xff,0x6a,0x39,0xef,0x6f,0xc5,0x88,0xcd,0xa1,0x74,0x4e,0x0a,0xb9,0xe7,
+ 0xeb,0x00,0x2c,0x29,0xa7,0x85,0x31,0xd2,0x51,0x57,0xc5,0xc2,0xcd,0x64,0x70,0x55,
+ 0x15,0x60,0xa0,0x28,0x45,0xdb,0x6d,0xbe,0xe2,0x42,0xf9,0x65,0xa2,0x55,0x40,0x6f,
+ 0x6e,0xf4,0x7b,0x32,0x21,0xa5,0x11,0x0e,0xdb,0x44,0xd3,0x8b,0x94,0x19,0x1a,0xea,
+ 0xf4,0x33,0xc0,0xec,0xe3,0x48,0x0b,0x9d,0x1b,0x06,0xd8,0xb8,0xb6,0xc0,0xa2,0x32,
+ 0xa0,0x4c,0x56,0x78,0x88,0xe6,0x37,0x2f,0x2e,0x94,0xbc,0x2b,0xe6,0xb8,0x27,0xf8,
+ 0x71,0x2a,0xf4,0x8c,0x6f,0x1e,0x4f,0x22,0x3f,0x55,0x28,0xfc,0xf3,0x48,0x79,0x9d),
+ },
+};
+
+START_TEST(test_sign_pkcs15_2048)
+{
+ signature_scheme_t scheme = pkcs15_2048[_i].scheme;
+ chunk_t sig;
+
+ if (!lib->plugins->has_feature(lib->plugins,
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, scheme)) ||
+ !lib->plugins->has_feature(lib->plugins,
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, scheme)))
+ {
+ warn("%N not supported, skip test", signature_scheme_names, scheme);
+ return;
+ }
+ fail_unless(privkey_2048->sign(privkey_2048, scheme, NULL, pkcs15_2048[_i].m, &sig),
+ "sign %N", signature_scheme_names, scheme);
+ ck_assert_chunk_eq(pkcs15_2048[_i].s, sig);
+ fail_unless(pubkey_2048->verify(pubkey_2048, scheme, NULL, pkcs15_2048[_i].m, sig),
+ "verify %N", signature_scheme_names, scheme);
+ free(sig.ptr);
+}
+END_TEST
+
+/**
+ * Test vectors from FIPS 186-4
+ */
+static struct {
+ signature_scheme_t scheme;
+ chunk_t m;
+ chunk_t s;
+} pkcs15_3072[] = {
+ {
+ .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256,
+ .m = chunk_from_chars(
+ 0xbc,0xf6,0x07,0x43,0x33,0xa7,0xed,0xe5,0x92,0xff,0xc9,0xec,0xf1,0xc5,0x11,0x81,
+ 
0x28,0x7e,0x0a,0x69,0x36,0x3f,0x46,0x7d,0xe4,0xbf,0x6b,0x5a,0xa5,0xb0,0x37,0x59, + 0xc1,0x50,0xc1,0xc2,0xb2,0x3b,0x02,0x3c,0xce,0x83,0x93,0x88,0x27,0x02,0xb8,0x6f, + 0xb0,0xef,0x9e,0xf9,0xa1,0xb0,0xe1,0xe0,0x1c,0xef,0x51,0x44,0x10,0xf0,0xf6,0xa0, + 0x5e,0x22,0x52,0xfd,0x3a,0xf4,0xe5,0x66,0xd4,0xe9,0xf7,0x9b,0x38,0xef,0x91,0x0a, + 0x73,0xed,0xcd,0xfa,0xf8,0x9b,0x4f,0x0a,0x42,0x96,0x14,0xda,0xba,0xb4,0x6b,0x08, + 0xda,0x94,0x40,0x5e,0x93,0x7a,0xa0,0x49,0xec,0x5a,0x7a,0x8d,0xed,0x33,0xa3,0x38, + 0xbb,0x9f,0x1d,0xd4,0x04,0xa7,0x99,0xe1,0x9d,0xdb,0x3a,0x83,0x6a,0xa3,0x9c,0x77), + .s = chunk_from_chars( + 0xd1,0xd2,0x1b,0x8d,0xfa,0x55,0xf0,0x68,0x1e,0x8f,0xa8,0x61,0x35,0xcf,0x29,0x2d, + 0x71,0xb7,0x66,0x97,0x13,0xc2,0x91,0xd8,0xf8,0xdc,0x24,0x64,0x64,0xde,0x3b,0xbb, + 0x96,0x1b,0x59,0x6d,0xfc,0x8f,0xda,0x6c,0x82,0x3c,0x38,0x40,0x08,0xd0,0x5b,0xcb, + 0x3d,0xcc,0xc3,0x6a,0xcc,0xf1,0xb2,0xbe,0xde,0x1a,0x95,0xe5,0x22,0x58,0xd7,0xd1, + 0xbd,0xf1,0xfc,0x44,0xe1,0x80,0x72,0xab,0xd4,0x5c,0x13,0x92,0x01,0x5e,0xe7,0x16, + 0x92,0x69,0x0e,0xf8,0xcd,0xaa,0xed,0x33,0x7d,0xd8,0x54,0x67,0x83,0xf9,0x61,0xbb, + 0x96,0x20,0xeb,0x5c,0x7b,0x8b,0x67,0x16,0xe8,0xc6,0x00,0x35,0x1f,0xab,0x77,0x65, + 0xee,0x38,0xa1,0x5d,0x32,0xd8,0xa2,0xc0,0x94,0x98,0x25,0xc4,0x9a,0x7f,0x25,0xee, + 0xdd,0x9b,0xe7,0xb8,0x07,0xbb,0xfd,0x51,0x79,0x13,0x78,0x66,0x20,0xd2,0x49,0x82, + 0x3d,0xae,0x6f,0xe2,0xfd,0x39,0xac,0x63,0x9d,0xd7,0x48,0x21,0xb0,0xc1,0x20,0xb4, + 0x2f,0x31,0xc2,0xc6,0x39,0xd2,0xc6,0x1b,0x39,0x5f,0x09,0xf8,0x68,0x51,0xbc,0x80, + 0x9b,0x34,0xc4,0x98,0x1a,0xc6,0x5c,0xf2,0x5b,0x2e,0x8a,0xdc,0xbc,0xe1,0x90,0xef, + 0x2e,0xf6,0x7a,0x01,0x89,0x03,0x9c,0x91,0x10,0xf2,0x67,0x01,0xc3,0xee,0xd7,0x31, + 0xc8,0xd9,0xea,0xd1,0x78,0x22,0x0f,0xfc,0xac,0x7f,0x0f,0x67,0x8a,0xa2,0x22,0x68, + 0xe1,0xd0,0x19,0x42,0xec,0x51,0xe8,0x0e,0xef,0x06,0xe2,0x11,0x28,0x30,0x85,0x5e, + 0x87,0xba,0xfe,0x8c,0xc9,0xc2,0x2f,0xd7,0x37,0xc7,0xab,0xbc,0xa5,0xeb,0x7a,0x22, + 
0x1d,0x38,0x35,0xa8,0x66,0x10,0xd2,0x4b,0x50,0x7b,0x5d,0xcb,0x46,0x18,0xaa,0x42, + 0x1f,0x63,0xa5,0x60,0x9e,0xf5,0xd6,0x8f,0x57,0x60,0xfd,0xdf,0x97,0x01,0x35,0x60, + 0x2e,0xfa,0xd0,0x85,0x1b,0xbf,0xf9,0x8f,0xe8,0x7f,0xa5,0x8b,0xc3,0x65,0xf3,0x8e, + 0xe7,0xec,0x8e,0xf5,0xaa,0xb1,0x7f,0xd1,0x1d,0x89,0xd9,0x1e,0xf4,0xc6,0x04,0xe0, + 0xd1,0xf0,0x01,0xd0,0xe0,0x88,0x69,0xdf,0x92,0x25,0xe3,0xb4,0xce,0xf5,0x2f,0xf8, + 0x68,0x15,0xe1,0x3b,0x3e,0xfd,0xf4,0x57,0x76,0xf9,0x35,0x37,0x69,0xa8,0xa5,0x1f, + 0xe7,0xd8,0x91,0xa7,0xef,0x70,0x35,0xee,0xcf,0xa2,0x59,0x84,0x87,0x38,0x37,0x68, + 0x86,0xed,0xc9,0x1c,0xc7,0x8f,0x6d,0xa3,0x1c,0x2f,0x07,0xee,0x36,0x2c,0x3d,0x82), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0x2b,0xca,0xd6,0xe7,0x44,0xf2,0x49,0x0b,0xa6,0xa6,0xe0,0x72,0x28,0x32,0x41,0x7e, + 0xbd,0x91,0x0f,0x91,0x46,0xeb,0x62,0xba,0xaa,0x5c,0x74,0x95,0x29,0xf7,0x9d,0x6c, + 0xed,0x0b,0x81,0xa2,0xe2,0xa4,0x88,0x52,0xc8,0x55,0x8e,0x33,0x87,0x35,0xdc,0xbf, + 0xc2,0x28,0x57,0x94,0xae,0x60,0xf8,0x1a,0x25,0x23,0x7c,0x66,0xf6,0xce,0x5d,0x5e, + 0x80,0x1a,0x00,0x1e,0x7f,0x9e,0x30,0x9b,0x25,0x95,0xcb,0x86,0x6d,0xe2,0xbb,0x74, + 0xac,0x51,0x28,0x3b,0x68,0x20,0xec,0x9f,0x6e,0xbe,0x48,0x2e,0x1f,0xd2,0xd5,0x68, + 0x0b,0x7f,0xbd,0x23,0xc1,0xe6,0x2a,0x2e,0xe4,0xed,0xff,0x35,0x82,0x3f,0xc7,0xe4, + 0xa2,0x95,0xea,0x4f,0x1c,0x33,0x27,0x92,0xae,0xb5,0x3e,0xb4,0x4b,0x0b,0xed,0xd2), + .s = chunk_from_chars( + 0x37,0xd9,0x60,0xfe,0x39,0x12,0x98,0xbb,0xdc,0x22,0x3f,0xa1,0xeb,0x1d,0x3c,0xd9, + 0xa4,0x6b,0xa8,0xc6,0x2e,0x1d,0xa8,0xc5,0x63,0xc8,0x9a,0x8f,0x0e,0x67,0xb8,0x64, + 0xfc,0x89,0x83,0x7f,0xfc,0x08,0xaa,0xb7,0x12,0x2b,0x84,0xc4,0x35,0xc7,0xf9,0x40, + 0x6e,0x16,0x5a,0x10,0x29,0x85,0x7c,0x1e,0x4d,0xea,0x65,0x35,0x69,0x27,0x72,0x73, + 0xb1,0xd9,0xb0,0xa9,0xf5,0xb0,0xdc,0x24,0xaf,0xdd,0x21,0x44,0x76,0xd4,0x72,0x08, + 0xad,0x52,0x21,0xa7,0xd7,0x93,0xca,0xb8,0x06,0x71,0xfb,0x49,0x87,0xc8,0x6b,0xd6, + 
0x14,0x48,0x80,0xc5,0x9d,0x24,0x87,0x14,0x00,0xf6,0x4b,0xdc,0x6d,0x49,0x6d,0xbd, + 0x49,0x7f,0x3d,0xbf,0x64,0x28,0x64,0xfe,0x49,0xaf,0x3e,0x21,0x51,0x5e,0x62,0xd6, + 0x0f,0x00,0x71,0xdb,0x48,0x84,0xf4,0x96,0x70,0xea,0xa9,0xe4,0xe4,0x98,0x2f,0x26, + 0x9a,0xbe,0x72,0x42,0x44,0x28,0x88,0x59,0xc2,0xad,0xf6,0x0a,0x09,0xfa,0xaa,0xbb, + 0x07,0x99,0x0e,0x09,0xe5,0x6d,0xe2,0x54,0xba,0xbb,0xee,0x14,0xbe,0x7e,0xb6,0xed, + 0xa0,0xcd,0xb2,0x2f,0x3d,0x0d,0xe8,0x72,0x48,0x04,0x67,0x3f,0xb9,0x9f,0x86,0xef, + 0xb4,0x26,0x3d,0xcc,0x50,0x17,0xab,0xc9,0x1b,0xd9,0xcd,0x83,0x36,0x79,0x47,0x5b, + 0xfa,0xc5,0x0a,0x2b,0xe8,0xdb,0x86,0x29,0x6b,0xbf,0x80,0x17,0x88,0x93,0x57,0x37, + 0x13,0x14,0x60,0x4e,0x83,0xd6,0x8b,0x6e,0xfe,0xcd,0x4b,0x79,0xf0,0xa8,0xaf,0xa0, + 0xdf,0xfa,0x44,0x8f,0xb7,0xfc,0xe6,0xd3,0x44,0x70,0x9a,0x67,0x0e,0x0c,0xff,0x43, + 0x2c,0x3e,0x18,0x7b,0xcf,0xf7,0xfd,0xc4,0xf4,0xe9,0xab,0xe1,0x09,0x5c,0x46,0xb0, + 0x1d,0x88,0xb6,0x04,0x4b,0xb9,0x50,0xe9,0x28,0x59,0x01,0x0d,0x9a,0x0e,0x3b,0x2d, + 0x1f,0x27,0xa0,0x96,0xea,0xca,0xa2,0x42,0x63,0xa2,0xa0,0x52,0x3d,0x6e,0x0d,0xa1, + 0xfb,0xa8,0xaf,0x76,0x81,0x96,0xf7,0xa5,0x1f,0x92,0xfd,0xf1,0x52,0xbe,0xf0,0x62, + 0xdd,0x1f,0x83,0x27,0xce,0xe1,0xd3,0x44,0xc2,0x00,0xc2,0x11,0x5a,0xc6,0xec,0x1d, + 0xd8,0x51,0x4c,0xef,0x9e,0x36,0xd0,0xce,0x8c,0x32,0xe5,0x87,0x83,0xc4,0xfc,0xba, + 0x90,0x1a,0xa7,0x0c,0x2b,0x42,0x96,0x64,0x88,0x00,0x2f,0xf1,0x71,0xd3,0x64,0x14, + 0xa1,0x44,0xbf,0x46,0x77,0x51,0x83,0xa8,0x81,0x5d,0xe9,0xee,0x3e,0x81,0xf3,0x1b), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0xc3,0x97,0x8b,0xd0,0x50,0xd4,0x6d,0xa4,0xa7,0x92,0x27,0xd8,0x27,0x0a,0x22,0x02, + 0x95,0x34,0x82,0x87,0x59,0x30,0xfb,0x1a,0xea,0xe4,0xe6,0x7f,0x87,0xe7,0x94,0x95, + 0x28,0x9d,0xe2,0x93,0xb4,0xa4,0x0d,0x92,0x74,0x6f,0xc8,0x4c,0xc8,0x31,0x8c,0x23, + 0x18,0xfd,0x30,0x65,0x0e,0x2b,0xb9,0xce,0x02,0xfd,0x73,0x4e,0xb6,0x83,0x41,0x0d, + 0x44,0xbb,0x31,0xad,0x54,0xfd,0x53,0xcf,0x92,0x96,0xcc,0xd8,0x60,0xb4,0x26,0xf5, + 
0xc7,0x82,0xea,0x5c,0xb4,0x93,0x71,0xd5,0x61,0x84,0xf7,0x79,0x11,0xdd,0xf1,0xba, + 0x00,0x39,0xa0,0xa4,0x9a,0xa7,0xe7,0x63,0xeb,0x4f,0x5a,0x04,0x57,0x59,0x97,0x80, + 0x8b,0x0a,0xd9,0xf6,0xb3,0x30,0xca,0x38,0xed,0xc1,0x99,0x89,0xfe,0xbf,0x4d,0xa5), + .s = chunk_from_chars( + 0x9a,0xed,0x20,0xa8,0xbd,0xaf,0x26,0xf1,0xf1,0x19,0x02,0x0d,0x8f,0x3e,0xa6,0xce, + 0x91,0x51,0x38,0xd4,0xc8,0x7d,0xce,0x02,0x5e,0x7f,0x4e,0x49,0x53,0x6c,0x8e,0xc0, + 0x79,0xed,0xc6,0xca,0xf0,0xd6,0x03,0xbf,0x42,0xbd,0x6a,0x45,0x4a,0x6d,0x52,0xd0, + 0xd9,0x9f,0xd0,0xf5,0x9f,0xfb,0x3b,0x22,0xe9,0xe6,0x7b,0x3d,0x0b,0xb2,0xd2,0x75, + 0xd9,0xae,0xdc,0x6d,0xa9,0x6a,0x72,0xcb,0xff,0x35,0xc4,0x3e,0x7f,0x39,0xa9,0x96, + 0xfa,0x8a,0x6d,0x33,0x8a,0x07,0x25,0xf7,0x85,0x25,0x4f,0xe9,0x1a,0x20,0x83,0x4b, + 0xa5,0x57,0xfe,0xdf,0xe7,0x15,0x2b,0x99,0x56,0xfe,0xdd,0xfd,0x94,0x17,0x41,0xef, + 0xf9,0x17,0x7c,0x2f,0xbb,0x55,0xe2,0x00,0xbb,0xe4,0x21,0x62,0xb3,0x2a,0x94,0x0c, + 0xc3,0x00,0xab,0x37,0x55,0x57,0xdf,0xfd,0x48,0xdf,0xa5,0x39,0xf5,0x0e,0xdd,0x52, + 0xdf,0x15,0x8d,0x90,0x72,0xd1,0x49,0x82,0xe9,0x63,0x03,0xbc,0x61,0x2c,0x2c,0x25, + 0x06,0xdb,0xca,0x3a,0x93,0x9d,0x62,0x6d,0x2e,0x7f,0xb4,0x44,0xc6,0xad,0x7d,0x8d, + 0x9f,0x3b,0xba,0x82,0x10,0xb2,0xac,0x2f,0x69,0x67,0x83,0xc3,0x49,0xfc,0x52,0x80, + 0xc1,0x05,0x40,0x2a,0x4b,0x3d,0x86,0xbe,0xf5,0x02,0x6c,0x3d,0xd9,0x99,0xe3,0xb2, + 0x23,0x80,0xf9,0xdc,0xce,0x40,0xe3,0xa9,0xcc,0x9f,0x1d,0x7b,0xc3,0x8e,0xf3,0xdd, + 0x7e,0x94,0x13,0xbb,0x57,0x98,0x00,0xc0,0xe6,0xc3,0xe9,0xab,0x91,0x2d,0xa8,0xfe, + 0xc1,0xa4,0xab,0x21,0x39,0x8e,0x96,0x80,0xba,0x0d,0x04,0xf3,0xb4,0xc8,0xd5,0x3c, + 0x02,0xf0,0x5c,0x7a,0xe4,0x9b,0x70,0xa5,0x61,0x1c,0xf8,0x2e,0x38,0xde,0x84,0xaa, + 0x8c,0x24,0x26,0xf0,0xb6,0x3e,0xa0,0x1b,0x28,0x9f,0x20,0x1d,0x3a,0xf4,0x0d,0xad, + 0x5d,0x6e,0x5b,0xcc,0xc7,0x5b,0x99,0x59,0xe5,0xc9,0x75,0x8e,0x79,0x10,0x5a,0xf7, + 0xa9,0xaf,0xb1,0x2a,0xee,0x57,0x7c,0xb3,0x99,0x18,0x79,0xdb,0x0f,0xd8,0x66,0x2c, + 
0x5b,0xc4,0x90,0x22,0x75,0x24,0x98,0xa3,0x01,0xd9,0x5f,0x4b,0x1d,0x08,0xc0,0x1e, + 0xbc,0x31,0x3f,0x89,0xc0,0x0b,0x1e,0xc2,0x73,0x5a,0x07,0x98,0x3f,0xd5,0x28,0xe6, + 0x38,0x82,0x45,0x03,0x6f,0x0e,0xd4,0xa2,0xdb,0xb6,0x5d,0xd3,0x3a,0xb7,0xf1,0x24, + 0xc0,0x14,0xec,0x16,0x79,0xf1,0xc2,0xf1,0x1e,0xdf,0xfb,0x93,0xfa,0x2d,0x1d,0x73), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0x0c,0x11,0x95,0x02,0xc2,0xa0,0x19,0x20,0xa0,0x90,0xe4,0x33,0x57,0xe7,0xb2,0x8e, + 0x33,0xc7,0xee,0x85,0x8b,0x43,0x30,0xe0,0x5c,0x71,0x04,0x89,0x31,0xc0,0xed,0x88, + 0x46,0x8c,0xa9,0x31,0xec,0xf0,0xb7,0x9c,0x2f,0xdc,0x17,0x56,0xb7,0x67,0x51,0x56, + 0xec,0x66,0xb8,0x33,0x5e,0x3d,0xf0,0x94,0x63,0xf5,0xae,0xe7,0x02,0x8f,0xbf,0x56, + 0x0f,0x98,0x4c,0xf6,0x98,0xfe,0x5c,0x42,0x80,0x22,0x9a,0xc9,0x6a,0x2e,0x59,0x23, + 0xd8,0xa9,0xd5,0x29,0x94,0x49,0xbb,0x66,0x50,0x08,0xec,0xc8,0x89,0x79,0x7e,0x9b, + 0xb1,0x5d,0x04,0xb8,0x8c,0x72,0x10,0xfa,0xdb,0x8b,0xf6,0xf2,0x38,0xe5,0xd2,0xdc, + 0x41,0xb9,0xcc,0xd1,0xf8,0x0e,0x9a,0x3e,0x6a,0xd1,0x47,0x94,0x8f,0x27,0x33,0x41), + .s = chunk_from_chars( + 0x8a,0xbf,0x2a,0x30,0x77,0x4e,0x6e,0x73,0x38,0xec,0xa0,0x9c,0xcc,0xac,0xa3,0x68, + 0x43,0x99,0x94,0x04,0x92,0xfb,0x94,0xb2,0x3b,0x5a,0xd6,0x2c,0xe3,0xe1,0x1d,0x2d, + 0xbe,0xf8,0x96,0x6b,0xa5,0x26,0x99,0x79,0xeb,0x96,0x53,0xba,0xad,0x71,0x95,0x16, + 0xd3,0xe8,0x39,0x90,0x79,0xa2,0xf6,0x70,0x27,0x5a,0x2e,0xd4,0x2c,0x82,0x0a,0x9a, + 0x31,0xfc,0xd7,0x03,0xa7,0x66,0x37,0xe0,0xd7,0x13,0xf3,0x2d,0x79,0x2b,0x9a,0xe3, + 0x6d,0x72,0x88,0xf6,0x0c,0x2d,0x1a,0xe5,0x26,0x83,0xbb,0x15,0x94,0x1b,0x1c,0xd8, + 0x90,0xd2,0xcd,0x64,0x99,0x8b,0x77,0x25,0x85,0xe7,0x60,0x32,0xa1,0x70,0x2e,0x06, + 0x52,0xcb,0xf2,0x59,0xa1,0xce,0xae,0x69,0x5d,0x40,0xcf,0x2f,0x4f,0x6d,0x81,0x34, + 0x1c,0x8b,0xc9,0x08,0x2c,0xb9,0x6c,0x75,0x2c,0x35,0x5d,0xfb,0xe2,0x96,0xdd,0x21, + 0xd6,0x98,0x46,0xfa,0x37,0x61,0x3e,0x73,0x81,0x7b,0x2a,0x07,0x04,0x66,0x58,0xc9, + 
0xe3,0xfc,0x6d,0x09,0x1e,0x17,0x59,0x1b,0xb1,0xa4,0xfb,0x6e,0x2a,0xc0,0x0a,0x31, + 0x94,0xc1,0x48,0x8e,0x16,0xa9,0xd2,0x90,0x37,0x86,0xdb,0x86,0xae,0x90,0xe9,0x6a, + 0xcb,0x4d,0xe9,0x90,0x1a,0xaf,0x1b,0x06,0x51,0xfb,0x76,0xa5,0x8d,0xcb,0x3d,0xb4, + 0x73,0xef,0xbf,0xb8,0x31,0xef,0x8e,0x30,0xf8,0x99,0x67,0xdd,0xd3,0xa6,0xc2,0xf1, + 0x89,0x79,0xa0,0x45,0x06,0x57,0xcd,0xae,0xef,0x6e,0x59,0x37,0x7c,0x6d,0xb1,0xec, + 0x46,0x06,0x5f,0x61,0x40,0x24,0xa6,0x9c,0x51,0x8a,0x55,0x99,0x42,0x59,0x4a,0x46, + 0x26,0x6e,0x0d,0x3c,0xa1,0x33,0x42,0x96,0xb9,0x68,0xa2,0x3a,0x4b,0x11,0xc6,0x3a, + 0x97,0xe2,0x9e,0xb1,0x6b,0x24,0xc0,0x2d,0x54,0x5d,0x5b,0x42,0x7e,0x6a,0xa5,0x85, + 0x33,0x33,0x18,0xe6,0x3a,0x20,0x45,0x24,0xe0,0xe4,0x2a,0xc1,0xed,0xb7,0x0d,0x34, + 0x56,0x78,0x0d,0xbe,0xad,0x31,0xf7,0x85,0xf0,0xb2,0xa7,0x7f,0xfe,0xb0,0xd3,0x73, + 0x84,0xcb,0x5f,0x65,0xb4,0xe3,0x6c,0xa2,0x41,0xf3,0xb2,0xb0,0x59,0x10,0x5f,0xaa, + 0xa3,0x22,0x2d,0x6c,0x13,0x5e,0xa5,0xa3,0x66,0x51,0xae,0xa3,0x96,0xd2,0x2f,0xc4, + 0xea,0x1b,0x40,0x4d,0x7e,0x83,0x4b,0x6d,0xf1,0xfb,0x83,0x8b,0xb5,0xba,0x0d,0x78, + 0x4a,0x96,0xe2,0xae,0x28,0x43,0xdb,0x3e,0xee,0xa4,0x96,0xc7,0xad,0x2b,0x42,0x41), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0xdd,0xbd,0x84,0x68,0xbd,0xb0,0x36,0xf4,0x79,0x9f,0x42,0x8b,0xc8,0xb4,0x37,0x4e, + 0xd9,0xb7,0xcd,0xe5,0x41,0x33,0x7a,0xc4,0x39,0xd4,0x41,0xac,0x06,0x14,0xcb,0x75, + 0xb8,0x16,0xb8,0x0c,0x17,0xd2,0x37,0xb8,0xdb,0x73,0xd4,0xa1,0x1b,0xfd,0x92,0x92, + 0x08,0x33,0x3a,0xfe,0xdb,0xb8,0xf2,0x41,0x0c,0x74,0x11,0x29,0xc5,0x39,0x32,0xb5, + 0x96,0xa7,0x88,0x1c,0x6a,0x4d,0x71,0x11,0xba,0x10,0x4d,0x46,0x00,0xd1,0x90,0x2f, + 0x6f,0x4a,0x16,0x08,0xe1,0x39,0xb7,0x19,0x11,0xc1,0x1c,0x39,0x0a,0x0d,0xd0,0x91, + 0xdf,0x36,0x9a,0xa2,0x9d,0x67,0x0b,0x8a,0x7e,0x3f,0x53,0x82,0x5f,0x76,0x59,0xac, + 0x74,0xc4,0x0a,0x0c,0x3b,0xfe,0xf0,0xd3,0xae,0x83,0x07,0xe4,0xbd,0xd6,0xcd,0x91), + .s = chunk_from_chars( + 
0x4e,0x37,0x7e,0x24,0x59,0x81,0x5d,0x5b,0x33,0x91,0x5f,0xa6,0x3c,0xd4,0x77,0xb5, + 0xbe,0x7c,0x6b,0x7f,0x78,0x14,0xd1,0x35,0x00,0x34,0xce,0x71,0x0b,0xe6,0x7e,0xd6, + 0x91,0x39,0xdb,0x62,0x2e,0xf6,0x0e,0xc6,0xb7,0x63,0x8e,0x94,0xb2,0x02,0x36,0x8b, + 0xac,0x63,0x1e,0x05,0x77,0x02,0xb0,0xe6,0x48,0x7b,0x32,0x4a,0x6b,0x98,0xed,0x7e, + 0x03,0xd1,0xf3,0xf2,0x0a,0x98,0x14,0xb0,0x0e,0x21,0x7a,0x46,0x48,0xe4,0xbb,0xc4, + 0x49,0xa2,0xaf,0x40,0x5c,0xa4,0xb5,0x9f,0x84,0x38,0xdd,0xfd,0x75,0xd3,0x4d,0x10, + 0x64,0xe5,0x8b,0xfb,0x32,0x5c,0x55,0xbd,0x54,0xea,0x6c,0xdf,0x77,0x12,0xba,0x80, + 0x7c,0x3e,0x4c,0x66,0x5d,0x62,0x0c,0xd5,0x95,0x13,0xd7,0xbc,0x08,0x55,0x24,0x7e, + 0xb6,0x70,0xec,0xc2,0x92,0x50,0x96,0x61,0x81,0x27,0x02,0x70,0x32,0x75,0xd9,0xb2, + 0xf8,0x7e,0xf2,0x79,0xd7,0x70,0x0e,0x69,0xd9,0x95,0xdb,0x98,0x14,0x4a,0x14,0xc8, + 0x17,0x74,0xa4,0xcd,0x89,0x0e,0xc0,0x3d,0x13,0xf8,0x58,0xf3,0x76,0x9e,0x50,0x48, + 0xed,0x55,0xca,0xa8,0x12,0x01,0xe8,0x78,0x5d,0x37,0x71,0xce,0x6d,0xa5,0x11,0x75, + 0xd0,0x17,0xd2,0x11,0xfa,0x70,0x37,0x94,0x41,0x6f,0x46,0x9b,0x11,0x29,0xd7,0x31, + 0xab,0xde,0x74,0x4d,0xa5,0xb2,0xfa,0xcd,0x7a,0x9b,0x09,0x3d,0x6c,0x97,0x43,0x50, + 0x9b,0x01,0x03,0xba,0xb9,0xc8,0x1c,0x6e,0x5f,0x38,0xbc,0x97,0x18,0xe3,0xe4,0xfa, + 0xa8,0x64,0x75,0xd1,0x37,0x25,0xa8,0x29,0xac,0x61,0xdf,0x8d,0x15,0xf0,0xb2,0x7c, + 0xb4,0x0d,0x0e,0xba,0x0b,0x24,0x6b,0x9c,0x36,0x0b,0x56,0x9b,0x81,0xb3,0xab,0xf3, + 0x80,0xee,0xc2,0x74,0x92,0x31,0x6b,0xc2,0x92,0xe5,0x15,0x0e,0xe0,0x60,0x72,0x19, + 0xa2,0xbd,0x80,0xba,0x98,0x4c,0x7e,0x3f,0x19,0x89,0xbc,0x51,0xe4,0xc5,0xda,0x3a, + 0xe5,0x07,0x06,0x76,0xe0,0xc1,0x50,0xd0,0x37,0xa8,0x6a,0x0f,0x91,0xbf,0xc0,0x7c, + 0xde,0x64,0xc1,0x9f,0x9c,0x7a,0x7a,0xf4,0x4d,0x69,0x29,0x97,0x00,0x41,0x44,0x8d, + 0x3b,0x17,0xc2,0x49,0xd5,0xe0,0xb5,0x86,0x2e,0x9a,0x25,0x20,0x9e,0x8f,0x97,0xd7, + 0xa0,0xf0,0x30,0x18,0x15,0x04,0xfe,0xad,0x22,0x66,0xc8,0x73,0xfd,0x23,0x59,0x83, + 0xdf,0x3d,0x06,0x57,0xb9,0x20,0x96,0xe2,0xb4,0x90,0xdf,0x33,0xca,0x11,0x57,0x33), + }, + { 
+ .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0xf9,0x96,0xf3,0xad,0xc2,0xab,0xa5,0x05,0xad,0x4a,0xe5,0x2b,0xc5,0xa4,0x33,0x71, + 0xa3,0x3d,0x0f,0x28,0xe1,0x95,0x0b,0x66,0xd2,0x08,0x24,0x06,0x70,0xf3,0x52,0xef, + 0x96,0x18,0x5e,0x9a,0x70,0x44,0xf4,0xce,0x2f,0x2f,0xf9,0xae,0x01,0xa3,0x1e,0xf6, + 0x40,0xe0,0xb6,0x82,0xe9,0x40,0xc5,0x10,0x51,0x17,0x59,0x46,0x13,0xdd,0x1d,0xf7, + 0x4d,0x8f,0x2b,0xa2,0x0c,0x52,0x22,0x3b,0x04,0x5a,0x78,0x2e,0x85,0x0a,0x12,0xa2, + 0xaa,0x5c,0x12,0xfa,0xd4,0x84,0xf1,0xa2,0x56,0xd0,0xcd,0x08,0x72,0xd3,0x04,0xe8, + 0x85,0xc2,0x01,0xcd,0x7e,0x1e,0x56,0xd5,0x94,0x93,0x0b,0xb4,0x39,0x21,0x36,0xfb, + 0x49,0x79,0xcc,0x9b,0x88,0xaa,0xb7,0xa4,0x4b,0xfc,0x29,0x53,0x75,0x1c,0x2f,0x4c), + .s = chunk_from_chars( + 0x30,0xb3,0x48,0x62,0x4f,0xaa,0x99,0x85,0xfc,0xd9,0x5f,0x9c,0x7e,0xad,0x3a,0xfe, + 0x64,0x56,0xba,0xdf,0x8c,0x0f,0xed,0xbd,0xad,0xb3,0xa9,0x00,0x3a,0x67,0x02,0x97, + 0x3a,0xcd,0xb4,0xe8,0x66,0x52,0x36,0x7d,0xb2,0x3e,0x0a,0x81,0x41,0x88,0x0d,0x66, + 0x31,0x83,0x4f,0x9f,0x17,0x1c,0x94,0xa8,0xfe,0x9c,0x31,0x5b,0xcb,0x86,0x80,0xec, + 0xfb,0x5a,0x4f,0x59,0xb4,0x5d,0x4e,0x4c,0x3c,0x05,0x82,0x8b,0x7f,0xaa,0xa8,0xe4, + 0x23,0x4a,0xad,0xa4,0xe7,0x66,0x64,0x6c,0xc5,0x10,0xd0,0x7b,0x42,0xbd,0x38,0x83, + 0xa8,0x3b,0x5b,0xcb,0x92,0xd9,0xe7,0xcc,0x1d,0xdf,0x59,0x0a,0x69,0x01,0x11,0xbf, + 0xc6,0x2a,0x51,0xaf,0x7e,0x55,0x54,0x3e,0xa5,0x18,0x8c,0x92,0x45,0x3d,0x41,0xd3, + 0xe8,0xfd,0xab,0xee,0x3e,0x1d,0xef,0xa9,0xd0,0xaf,0xdb,0x85,0xc8,0x15,0x3a,0x50, + 0x19,0xae,0x45,0x56,0x3e,0xa3,0x08,0x0a,0x30,0x22,0x66,0x81,0x68,0xf0,0xc2,0x73, + 0xa6,0xdb,0x1a,0xfa,0xdc,0xd5,0xed,0xbc,0xa5,0x02,0x1c,0x2e,0x53,0xf4,0xd9,0x51, + 0xc6,0x04,0x20,0x6a,0xe1,0x0f,0x28,0x7f,0x45,0x18,0x67,0x27,0x1d,0x37,0x04,0x82, + 0x79,0x1c,0xdf,0xdc,0xb6,0xa4,0x01,0x0f,0x6b,0x3d,0x9b,0x92,0x85,0x63,0xd1,0x68, + 0xda,0x19,0xf1,0xc1,0xe5,0x70,0xf8,0xc1,0x58,0xf3,0xd4,0x90,0xb2,0x9a,0xa2,0x3a, + 
0xbd,0x1f,0xfd,0xf2,0x08,0x66,0xc3,0x4c,0x6e,0x63,0xb9,0xe8,0xa9,0xa0,0x2d,0x7a, + 0x1b,0x19,0x6d,0x05,0x5f,0x4c,0x53,0xce,0x82,0xb4,0x00,0xe4,0xab,0x9e,0x1b,0x9d, + 0x70,0xd0,0x04,0x9d,0x6d,0x57,0xcf,0x0a,0x49,0x49,0xcf,0xc6,0x8d,0x63,0x38,0x82, + 0x88,0x2d,0xcf,0xdf,0xc5,0x0c,0xf4,0x49,0xdf,0x10,0xac,0xf2,0x03,0x05,0xc2,0xaa, + 0x43,0xbd,0xa1,0x0f,0xd8,0xa1,0x0b,0x4e,0xca,0xa2,0x31,0x00,0xaa,0x47,0xe9,0x29, + 0x36,0xdc,0xe1,0xbf,0xb8,0xd6,0x59,0x52,0x35,0xbb,0xfe,0x2c,0x85,0x85,0xcb,0x16, + 0x47,0xb2,0xbe,0xac,0xb1,0xe1,0xd4,0xb6,0xce,0xf7,0x58,0x81,0x1a,0x68,0x33,0x0f, + 0xa9,0xc3,0xa8,0x25,0x73,0xc0,0x8f,0xa2,0xcd,0xa5,0xa0,0x3f,0x34,0x25,0x55,0x4e, + 0x45,0xd9,0x8c,0x16,0x45,0xc5,0xbd,0x27,0xd1,0x2e,0x6c,0x20,0xb2,0xc4,0x62,0xa7, + 0x46,0xe8,0x82,0xa3,0x42,0x1a,0x7b,0x1b,0x1e,0x25,0xb4,0xc3,0x6c,0x8b,0x16,0xa1), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0x6a,0xce,0x05,0x2d,0x7e,0x99,0xcd,0x97,0x3b,0xb5,0xc9,0xf6,0x67,0x9b,0x1c,0x30, + 0x5e,0x07,0x20,0x89,0x65,0xfe,0x58,0xc6,0x3b,0x10,0xa6,0x92,0xf1,0xdb,0xbe,0x22, + 0xfc,0xd0,0xdb,0x15,0x89,0x3a,0xb1,0x9e,0x10,0x7b,0xa2,0xe4,0x2c,0x99,0x34,0xa9, + 0xaa,0xfa,0xc3,0x2a,0xdf,0x6c,0x73,0x47,0x3f,0x69,0x69,0xe4,0x2c,0x98,0x3b,0x8f, + 0x0c,0x96,0xa4,0x63,0x9e,0xf7,0x7d,0x2c,0x8e,0x88,0xe8,0xcc,0x47,0xd7,0xcf,0xdd, + 0x08,0xf6,0x8d,0x97,0x3a,0x7b,0xea,0xf4,0x01,0xcb,0x4d,0x13,0x11,0x99,0x2d,0xda, + 0xc3,0xa9,0xc9,0xe0,0x67,0xda,0x19,0x8a,0xdc,0x63,0x04,0x74,0x5f,0x5d,0xd3,0x12, + 0xa1,0x82,0xe6,0x97,0x1c,0x34,0xa5,0x15,0xa6,0xc1,0xba,0xe6,0x47,0xe5,0x7e,0x4c), + .s = chunk_from_chars( + 0x5f,0x0e,0x74,0xf4,0x54,0x75,0x4a,0x30,0x74,0xfa,0xaf,0xc6,0x05,0xf3,0xc9,0xaf, + 0x47,0x60,0x4a,0x89,0x83,0x65,0x0a,0x9b,0x62,0x11,0xfb,0x19,0x1d,0x9a,0xfa,0x53, + 0x15,0xdf,0x4d,0xb4,0x50,0x1f,0xd4,0xf0,0x4c,0x74,0x1d,0x76,0x46,0x56,0xd4,0xa5, + 0xd0,0x06,0x38,0x8a,0xd8,0xfd,0xb2,0x19,0xec,0x6b,0x75,0x69,0x08,0xe2,0x3b,0x30, + 
0xcb,0x63,0x9f,0xfa,0x7b,0xbf,0x28,0x74,0x71,0x3b,0xfd,0x5a,0x10,0x62,0xc1,0x9d, + 0x04,0xe0,0xe4,0xa7,0x4b,0x14,0x44,0x6a,0x7f,0xdf,0x5c,0xb8,0x12,0xe9,0xac,0x7b, + 0x60,0x12,0xd9,0xae,0x99,0x1c,0x47,0x65,0x6d,0x2a,0xde,0xd2,0x40,0x74,0xbb,0x8a, + 0x38,0xb1,0xa8,0x8b,0x1c,0x2b,0x13,0x1e,0x5b,0x09,0xc9,0x37,0x57,0xfd,0xb2,0xd6, + 0xb6,0x9a,0xa8,0x26,0x5a,0x43,0x5f,0xba,0x00,0xae,0xb3,0x6a,0x1f,0x62,0x9b,0xc3, + 0x4b,0x87,0x60,0x89,0xd2,0x8a,0x94,0x8d,0xd6,0xab,0x4c,0x89,0x94,0x30,0xda,0x60, + 0xa2,0x6f,0x6c,0x13,0x60,0x3f,0xc8,0x89,0xc7,0xb2,0x93,0x6c,0xa3,0xc5,0x15,0x6b, + 0xd7,0xfa,0x6e,0x34,0xea,0xc9,0xe0,0x48,0x00,0x83,0x3e,0xf0,0xcb,0x9b,0x6e,0xef, + 0x78,0x8c,0x0e,0xf0,0x02,0x1a,0x45,0x36,0xfb,0x83,0x71,0xfa,0x3e,0x2c,0x8b,0xb8, + 0xbe,0xfa,0xc1,0x6e,0x80,0x92,0xd6,0x9c,0x57,0x1c,0x1e,0x15,0xfd,0x25,0x5e,0xc0, + 0xa0,0x7a,0xcf,0x9a,0xe9,0x95,0x38,0x31,0xef,0xd3,0xdc,0xbe,0xf4,0x4e,0x0f,0xcc, + 0xeb,0xb1,0xaf,0x95,0x9d,0x71,0xf5,0x01,0x30,0xe8,0xac,0xb4,0xfa,0x23,0x19,0x26, + 0x1f,0xba,0x12,0xf2,0x71,0x5d,0xef,0x82,0xbf,0xaf,0xbf,0x40,0xe3,0x45,0xec,0x5d, + 0xcd,0xab,0x5c,0x1b,0xf5,0xf6,0x6b,0x1d,0x0e,0x9f,0x7a,0x9c,0x62,0xc9,0x37,0x57, + 0x46,0xe1,0xae,0x0c,0x8f,0x14,0xa4,0x89,0x18,0x43,0x83,0xe8,0x1d,0xce,0x20,0x70, + 0xad,0x4b,0x52,0x5d,0xf7,0x6b,0x44,0x6b,0x1f,0x22,0x92,0x1d,0x42,0x4d,0x9b,0xa3, + 0xce,0x21,0x57,0x75,0x01,0xdf,0x62,0x80,0xfd,0xc6,0x9f,0x02,0x39,0xae,0x11,0x27, + 0xb6,0x99,0x50,0x75,0x9d,0x5f,0x0b,0x69,0x3f,0x54,0xe8,0x7e,0x07,0x63,0x62,0x3b, + 0xf5,0xd3,0xff,0x69,0x43,0x00,0x81,0xb9,0xc9,0xe2,0x44,0x5a,0x05,0xe1,0x15,0x67, + 0x5e,0x09,0x0b,0xca,0xb2,0xaa,0x1d,0x75,0xce,0xee,0x2a,0xd6,0x19,0xec,0x8b,0x80), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0x0e,0x49,0x74,0x0f,0xdc,0xca,0x6b,0xfc,0xe2,0x94,0xc1,0x1f,0x45,0x40,0x78,0x05, + 0xb3,0xda,0x41,0x2b,0x01,0xef,0x3f,0xb5,0x13,0xe7,0x0e,0x62,0xfd,0x95,0x04,0xc0, + 0x67,0x0d,0xb6,0x9c,0x36,0xb6,0xbe,0xbd,0x69,0xa0,0xbc,0xd2,0x40,0x17,0x9b,0xa8, + 
0xa4,0x78,0x16,0xa0,0xc3,0x43,0x7a,0x61,0xfb,0x72,0xad,0xca,0xf9,0x09,0x6f,0x2a, + 0x22,0xef,0xe0,0xb4,0x31,0xfc,0x42,0x2d,0x22,0x53,0x01,0xe8,0x50,0xf2,0xf0,0xf4, + 0xda,0x87,0xd6,0x94,0x4a,0x85,0x29,0xef,0x79,0x78,0x19,0x09,0xad,0x96,0xd1,0xf2, + 0x05,0x96,0xf9,0x3e,0x17,0xc5,0x7f,0xb4,0xd7,0x56,0x97,0x4b,0xbb,0xf9,0x00,0x52, + 0x1c,0xb0,0x89,0xee,0xe0,0xde,0xd5,0xc9,0x56,0xa1,0x5b,0x09,0x61,0x62,0xb0,0x7f), + .s = chunk_from_chars( + 0x7b,0xbb,0x3d,0xdd,0x17,0xa4,0x2b,0xe7,0xcc,0x4e,0x7e,0xaf,0x45,0x65,0x09,0xa4, + 0xba,0x58,0xd4,0x0c,0x49,0xa3,0xd9,0x95,0x73,0xb7,0x33,0xe1,0x94,0x2f,0x9f,0xca, + 0x20,0xba,0x8b,0x91,0x07,0x08,0xd6,0xe7,0x50,0x36,0x7e,0x84,0x73,0x02,0xfc,0x60, + 0x3b,0x80,0x63,0xc1,0x9a,0xf8,0x83,0xe7,0x50,0x7f,0xb0,0xd9,0xcc,0x2b,0xe3,0x74, + 0x79,0xa3,0x7c,0xca,0x25,0xb8,0xc7,0xc4,0x6f,0x6b,0xf6,0x61,0xdc,0x6a,0x32,0x32, + 0xf8,0x8b,0x48,0x3f,0x1b,0x8f,0x41,0xb4,0x6d,0x49,0xba,0x3f,0x17,0x95,0xd6,0x8e, + 0xaa,0xd4,0xa2,0x55,0x6f,0xb5,0xd7,0x87,0x3b,0xbb,0x65,0x01,0xec,0xf0,0x6a,0xc5, + 0x58,0x23,0x5e,0xd1,0x39,0x90,0xb0,0xe1,0x6f,0x67,0x96,0x5b,0x09,0x36,0x6b,0xcb, + 0x36,0x2c,0xfc,0x6f,0xb9,0x78,0xf4,0xf6,0x8d,0x81,0x46,0xdc,0x8b,0x81,0x98,0x04, + 0xdf,0x42,0x4e,0x8c,0xa5,0xb6,0x3c,0xf1,0xfc,0xf9,0x7b,0xbf,0x30,0x0d,0x0b,0x99, + 0x88,0x60,0x79,0x8a,0x63,0x42,0x43,0x83,0xfc,0xd8,0x1d,0x37,0x77,0x3d,0x59,0xbb, + 0x13,0xb4,0xfa,0x5d,0x46,0x8c,0xd1,0x28,0xbb,0xab,0x18,0xa8,0xce,0x51,0x73,0xbe, + 0x5d,0x9d,0x54,0xd3,0x17,0x7f,0x02,0x45,0x78,0x84,0x09,0x97,0x3d,0xf4,0xa9,0x01, + 0x6b,0x94,0x4b,0xae,0xfb,0xf3,0xbf,0x11,0x46,0xa9,0x39,0x3d,0x22,0xe3,0x5e,0xc2, + 0xbe,0x0a,0xe6,0xf4,0xc3,0x1d,0xc4,0x98,0x1f,0x40,0xfc,0x1b,0xaf,0x38,0x26,0x00, + 0x69,0x9e,0xaf,0xce,0xa9,0x2c,0xbe,0x24,0xe2,0x6e,0xe8,0x46,0xfa,0x23,0xbc,0x19, + 0x3b,0x6e,0x72,0x14,0x01,0xb7,0xac,0x3f,0x5f,0x4e,0xbe,0xb6,0x33,0x97,0x9f,0x8e, + 0xf3,0x5f,0x4a,0xb1,0x11,0x7a,0x86,0x9d,0x5b,0x9d,0xbb,0x74,0x82,0xf0,0xd5,0xa5, + 
0x9e,0x41,0x63,0x54,0x8d,0x25,0x12,0xae,0x06,0x72,0x05,0xb5,0x7d,0x03,0x0c,0x48, + 0x3f,0x72,0x0d,0x2c,0x44,0x35,0x04,0x28,0xf5,0x26,0x89,0x43,0xfc,0x5f,0x6e,0xa1, + 0xc8,0x8e,0x2e,0xc1,0x3a,0xb3,0xdc,0x14,0x56,0xe9,0x6a,0x3b,0x8e,0x7c,0x12,0x1a, + 0xf4,0xd6,0xa5,0xfe,0x4e,0xe5,0x5e,0x99,0xfb,0xc3,0x59,0x2a,0x48,0x7c,0x19,0x4b, + 0xc2,0xf2,0xbf,0x6e,0x79,0xfb,0x79,0xc2,0x87,0x6c,0xf3,0x36,0x5e,0x07,0x5b,0xee, + 0xac,0xc7,0xdb,0x4d,0xb7,0xee,0x69,0xe7,0xf1,0xfe,0x12,0xa3,0x27,0xe6,0xcb,0x0f), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0x0e,0x67,0x5d,0xac,0x9a,0xec,0x91,0x01,0x06,0xa6,0xab,0x21,0x9b,0x4c,0xce,0xb5, + 0x2d,0xed,0x25,0x49,0xe8,0x99,0xc9,0xa2,0x4d,0x5e,0xe5,0x51,0x77,0x76,0x18,0x88, + 0xa3,0xbe,0x1a,0x2d,0xef,0x6a,0xa3,0x2d,0x62,0xf7,0x88,0x13,0x2d,0x62,0x27,0xd9, + 0x30,0x98,0x06,0xfd,0xc0,0x2d,0xb7,0xd8,0xa8,0x50,0xff,0x2c,0x6d,0xff,0x37,0xfc, + 0xd7,0x77,0xf1,0xa0,0xac,0xef,0xdf,0x18,0xbf,0x85,0xf1,0xa1,0x29,0x79,0xbe,0x86, + 0xd7,0x99,0x25,0x39,0x45,0xfc,0x34,0xa2,0x88,0xf3,0x48,0xb7,0x92,0x3d,0x76,0x4d, + 0xb2,0x7a,0x2a,0x2d,0x5a,0xe2,0x0e,0x6b,0x25,0x37,0x2e,0xf3,0x18,0xf8,0x59,0x65, + 0x29,0xd8,0xca,0x23,0xfd,0x6f,0x08,0xa8,0xf6,0x2e,0x0a,0x1b,0x6d,0x98,0x9f,0x23), + .s = chunk_from_chars( + 0x80,0x52,0xd9,0x5f,0x12,0xce,0x0e,0x6e,0x53,0xa5,0xa3,0x56,0xa0,0xeb,0x35,0x3b, + 0xdc,0xc1,0xa6,0x65,0x14,0xd6,0xcf,0xb3,0xa3,0xd9,0x61,0x55,0x31,0x0b,0xdd,0xa0, + 0xa0,0xd1,0x79,0x5f,0x97,0x64,0x3f,0x3a,0x44,0x96,0x63,0x4f,0x2d,0xd9,0xb9,0x5a, + 0x21,0x38,0xee,0x39,0x0e,0x1e,0x74,0xbe,0x31,0x34,0xf3,0xf4,0x7a,0x91,0x9e,0xe7, + 0xb5,0x9f,0x8e,0xcd,0x27,0x2a,0xb8,0x8c,0x82,0xcb,0xce,0x7c,0x21,0x7e,0x5f,0x92, + 0xd0,0x57,0xa5,0xb0,0x0f,0xbf,0x05,0x75,0xcd,0xae,0xcd,0x7d,0xc2,0x85,0xa4,0x21, + 0x8c,0x8a,0x95,0x52,0x16,0x59,0x8f,0x07,0x42,0x67,0x1e,0x01,0x8e,0x8e,0x4e,0x76, + 0x83,0x9a,0x57,0x5f,0x50,0xb2,0x10,0x2a,0x8b,0x77,0xd1,0xb8,0x4f,0x6d,0xce,0x98, + 
0xd7,0x8e,0x57,0x58,0xe0,0xa6,0xf9,0x2b,0xf3,0x5d,0x6a,0x2f,0x18,0xad,0x40,0x09, + 0x25,0xd7,0x88,0x0f,0x9e,0xfc,0x77,0x4a,0x8c,0x7e,0xbf,0x64,0x88,0x5c,0xd2,0xf6, + 0xf6,0x29,0xb5,0x4a,0x7c,0x12,0xec,0x91,0xd3,0x9b,0x3c,0x25,0x18,0x24,0x1f,0xdc, + 0x32,0x2d,0x9b,0x23,0x5a,0x8e,0xa4,0x4f,0x77,0xe8,0x2f,0x3d,0xc4,0xf7,0x28,0xf6, + 0x20,0xc0,0x7d,0x1e,0x7f,0xf4,0x09,0x4f,0x29,0xc6,0x74,0xab,0x0f,0x08,0x02,0xef, + 0xa1,0xc9,0xe6,0x48,0x1e,0xbb,0x84,0xe0,0xbf,0x13,0xef,0x46,0x8d,0x8c,0xca,0x11, + 0x45,0x70,0xb9,0xed,0xcd,0xdf,0x98,0xac,0x4a,0x83,0x4f,0xe7,0xa0,0xd5,0xc6,0xfa, + 0xe8,0xa6,0x0a,0x48,0x39,0x9f,0x3c,0x8a,0xf4,0x2f,0xf4,0x02,0x6e,0x42,0xa8,0x1a, + 0xac,0x36,0x11,0x4f,0xfc,0x05,0x3f,0x3f,0x72,0x9b,0x7c,0xf9,0xa9,0x7a,0x56,0x84, + 0x8e,0xbe,0xa0,0x11,0x5a,0xa8,0x29,0x83,0x41,0xaa,0x22,0x69,0x63,0xeb,0xdf,0x57, + 0xab,0x2d,0x8e,0x4b,0x90,0x00,0xdd,0x05,0x1a,0x6c,0x5d,0x69,0xf6,0x0e,0x1d,0xc1, + 0xb3,0x3f,0x20,0x94,0xfd,0xbf,0x8e,0x5b,0x62,0x7b,0xc0,0x76,0x4d,0xb9,0x52,0x2c, + 0xbb,0xc0,0x81,0xdb,0xf3,0x8c,0x21,0xb1,0x3f,0x98,0x08,0x13,0xbd,0x2b,0x00,0xc7, + 0x57,0xeb,0xb8,0xc0,0xb2,0x12,0x13,0x15,0x2e,0x69,0x40,0x39,0xf3,0x06,0xf7,0x34, + 0x28,0x57,0x65,0x1f,0x72,0x2b,0xdd,0xa0,0x12,0x12,0xa8,0x55,0x27,0x99,0xbd,0xa6, + 0xef,0x07,0xc5,0x20,0x7d,0xc7,0x44,0xef,0x79,0x69,0xaf,0xd5,0xaf,0x2e,0x6f,0x12), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, + .m = chunk_from_chars( + 0xf6,0xa7,0xa6,0xe5,0x26,0x59,0x12,0x5f,0xbb,0xc8,0x72,0x74,0x17,0x28,0x3b,0x9a, + 0x64,0x44,0x1f,0x87,0x12,0x1e,0x27,0xf3,0x86,0xd5,0x01,0x9f,0x10,0xcc,0x9b,0x96, + 0x1e,0x09,0xf1,0xb3,0xb0,0xdb,0x23,0x63,0x0c,0xc0,0xca,0xac,0xb3,0x85,0x8c,0x6f, + 0x93,0xaf,0xee,0xea,0x7e,0x1a,0x6a,0x80,0xdb,0xe0,0xc2,0xbd,0x9c,0x7c,0x93,0x95, + 0x70,0x30,0x2d,0xec,0x39,0xa4,0xa2,0x5c,0xc0,0xcf,0x1d,0x32,0xa7,0x1a,0x75,0xb9, + 0xa0,0xc3,0x02,0xbc,0xdd,0x80,0xb0,0x46,0xc8,0x66,0x51,0xac,0xf3,0x08,0x38,0xcd, + 0x52,0xe3,0x03,0x99,0xa8,0xfa,0xb8,0xd0,0x3f,0xbd,0x14,0x0c,0xdc,0x2f,0x1f,0x02, + 
0xf2,0x48,0x04,0x05,0x16,0x98,0x20,0xcc,0xb3,0x2e,0x59,0x74,0xff,0xb8,0xb1,0xc8), + .s = chunk_from_chars( + 0x84,0x60,0x3a,0xcb,0xfe,0x1f,0x2f,0x76,0x9f,0x1a,0x62,0xb0,0xf2,0x87,0xf3,0x06, + 0x94,0x0b,0x22,0x54,0x76,0x71,0x4a,0x4b,0x68,0x27,0xc0,0x2d,0x7b,0xd0,0x52,0xf3, + 0x03,0xf3,0x0a,0x5f,0xa6,0xda,0x83,0xe6,0x06,0x15,0x30,0x56,0x69,0xca,0x9e,0xc1, + 0x77,0xc5,0xb3,0x2b,0x14,0x15,0xee,0xbe,0xf7,0x86,0x20,0x29,0x6e,0xba,0xd6,0xdb, + 0xbd,0x52,0x08,0x39,0xd3,0xaa,0xcc,0x97,0x81,0xac,0x86,0x02,0xdd,0xce,0x07,0x36, + 0xdc,0xfa,0x72,0x90,0xb4,0x5f,0x15,0x5b,0x8e,0x92,0x4d,0x0a,0xfd,0xf7,0xdf,0xc8, + 0xd1,0x99,0xbf,0x09,0x50,0x9d,0x01,0x76,0xa6,0x8b,0x14,0x57,0x56,0xee,0xf5,0x3d, + 0xe4,0x56,0xe1,0x70,0x78,0x85,0x98,0x49,0xa3,0x52,0xa5,0xbb,0x65,0x42,0x39,0xd8, + 0xeb,0xaf,0x88,0x00,0xca,0x82,0x63,0xd3,0x4a,0x86,0x8d,0x52,0xbf,0x8f,0x22,0x64, + 0x4d,0xd9,0xf3,0xc0,0x5b,0xd8,0x91,0xcd,0x92,0xf2,0x63,0x53,0x0c,0x58,0x96,0x02, + 0x3c,0x6b,0x21,0x3d,0xdb,0x64,0xed,0xe1,0x77,0x0f,0xf1,0x68,0x6c,0x34,0x03,0x6e, + 0x28,0x1e,0x91,0x1d,0x9d,0xc9,0x60,0x35,0x4f,0xd8,0x44,0xcb,0x7b,0x22,0xdc,0x0c, + 0xd8,0x1a,0x96,0x20,0x3b,0xa8,0x18,0x40,0x1c,0xcc,0x22,0x5f,0x85,0x7e,0x59,0xa5, + 0xcb,0x7b,0xa6,0xdf,0xc7,0xf5,0x13,0x5e,0xa3,0x27,0x81,0xe6,0x3d,0xaa,0x14,0xfb, + 0xda,0x1b,0xac,0xc1,0x8e,0xbc,0x50,0x82,0x4d,0x40,0x28,0xb8,0xfd,0xec,0xda,0x49, + 0xe8,0x10,0xba,0xe5,0xac,0xc8,0xad,0xc0,0xdc,0xa2,0xe2,0x36,0xfc,0x83,0x2a,0x97, + 0x33,0x0a,0x12,0x14,0xfa,0x0a,0xed,0x15,0xcd,0x10,0xc0,0x49,0xef,0xb6,0x5c,0xe8, + 0x55,0xc0,0x60,0xf0,0x5b,0xef,0xb3,0x17,0xb8,0x06,0x58,0x43,0xc4,0xeb,0x5a,0x03, + 0x71,0xfc,0x6f,0x20,0x9f,0x6f,0xfb,0x94,0x8c,0x88,0x1f,0x2f,0x20,0x91,0xca,0xf0, + 0xf5,0x9f,0x60,0xb7,0x2c,0x5f,0x67,0x27,0x1b,0xae,0x96,0xb9,0x13,0xfd,0x21,0xfa, + 0x1d,0xfa,0x97,0x5d,0x5e,0xcd,0x62,0xb0,0xd5,0x08,0x73,0xb6,0x86,0xd2,0x9c,0x88, + 0x0d,0x36,0xed,0xca,0xd3,0x3e,0xc3,0xe2,0x21,0x6c,0x9c,0xfc,0xfb,0x4f,0x98,0x4c, + 
0x23,0xfd,0xe8,0x15,0xe2,0x80,0xa8,0x02,0x42,0x86,0x08,0xbe,0xd3,0x73,0x9a,0xf9, + 0x20,0x0d,0xe1,0xf8,0x5e,0xde,0xe2,0x83,0x4c,0x04,0x94,0x2c,0x06,0x8a,0xac,0xd2), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0xbb,0x29,0x4b,0x95,0xd9,0x13,0x00,0x5b,0x11,0x09,0x87,0xcd,0xe4,0x58,0x87,0x48, + 0x4a,0xe6,0xdf,0x79,0x48,0x73,0xdf,0xc5,0xc4,0x1f,0xb7,0xe8,0x99,0x2c,0x2f,0xdc, + 0xe7,0x06,0x99,0xfc,0xac,0x80,0x04,0x69,0x99,0x61,0xb3,0xad,0x1e,0x1f,0xce,0x9e, + 0xc8,0xea,0x56,0x85,0xcc,0xec,0x5e,0x80,0xe4,0xd0,0x79,0x25,0x59,0x81,0x6f,0x68, + 0x61,0x34,0x34,0xbf,0xac,0xa8,0x1a,0x84,0x3a,0xac,0x45,0x9a,0x6f,0xe3,0x5f,0x53, + 0x69,0xc4,0x8e,0x91,0x91,0xe4,0xa3,0x2c,0x70,0x78,0x95,0x94,0xc5,0x15,0x2d,0xb8, + 0xd4,0xbb,0x02,0x26,0x00,0x12,0xa8,0x73,0x9c,0xf3,0x25,0xdd,0xff,0x2a,0xa4,0x2f, + 0xd6,0x7b,0x6e,0xe5,0xbf,0xe3,0x15,0x91,0x13,0x1f,0xf2,0x7d,0x02,0x73,0xd2,0x92), + .s = chunk_from_chars( + 0x32,0x63,0x7c,0x60,0x79,0x8b,0x45,0x0b,0xff,0x10,0x0b,0xff,0x12,0x83,0x83,0x57, + 0xde,0xff,0x28,0x1d,0x5b,0x31,0xe4,0xf4,0xc2,0xcf,0xc9,0x6e,0xb7,0x79,0xce,0x6d, + 0x31,0xb1,0xce,0x8b,0xd7,0xaa,0x7f,0xa8,0x8d,0xdc,0x42,0x79,0xc8,0xc3,0x28,0x06, + 0x04,0xb0,0x18,0xcc,0xf4,0x52,0x00,0x4a,0x14,0x88,0xed,0x47,0x50,0x18,0x1c,0x50, + 0x25,0x63,0x65,0x11,0xac,0x67,0x24,0xfe,0x51,0x76,0x1c,0x27,0xd7,0xcf,0x9a,0x0c, + 0x87,0x82,0xea,0x22,0x31,0x26,0x88,0x53,0xc4,0xb1,0xf7,0xac,0xb0,0x00,0x5e,0x56, + 0x87,0xc8,0xf3,0xdf,0x16,0xc9,0x62,0xf0,0x2c,0xe5,0x6b,0x23,0xd3,0x87,0xa2,0xba, + 0xad,0xc8,0xbe,0xc9,0x42,0x29,0xc3,0x55,0x75,0x26,0xe6,0x17,0x07,0xa8,0xb5,0x92, + 0x93,0xa9,0x76,0xe3,0x2c,0x7f,0xa1,0x33,0x28,0x50,0x88,0xf3,0xce,0x3e,0x67,0x77, + 0x88,0xaa,0xa9,0x47,0xe7,0x62,0x2c,0x75,0x7e,0x84,0x4b,0x11,0x75,0x92,0xbe,0x99, + 0xfe,0x45,0x37,0x6f,0x8b,0x30,0x13,0xe8,0x77,0x2e,0xc9,0x2c,0x5b,0xb0,0xb9,0xfa, + 0x30,0x1b,0x95,0x54,0x45,0x99,0x69,0x0a,0xd9,0x36,0x68,0xd8,0x3b,0x2d,0xaa,0x7d, + 
0xf0,0x5c,0x66,0x21,0x4e,0x27,0x50,0x14,0x78,0x0a,0x91,0x2d,0x8b,0x19,0x32,0xd7, + 0xa6,0x55,0x05,0x8e,0x74,0x3f,0x50,0xb0,0x74,0xb1,0xd9,0x69,0x1c,0xa2,0x3a,0x2f, + 0x95,0xf6,0xaf,0xfb,0xd5,0x16,0xd6,0x4c,0xcb,0x2a,0xa4,0x3c,0x23,0x6e,0xb9,0x5d, + 0x36,0xd2,0x72,0x54,0x5e,0x3b,0xeb,0x8f,0xf5,0xaa,0xcd,0x95,0xb3,0x0f,0x7f,0x1d, + 0x64,0x18,0xaf,0x04,0x2c,0xd9,0xa0,0xcf,0x01,0x89,0x84,0x62,0x62,0x32,0x2a,0x18, + 0x87,0x5a,0xe4,0xc3,0xe6,0x8e,0x4e,0x8f,0xfa,0xa0,0x27,0x6c,0xdd,0x99,0xa0,0x04, + 0x7c,0x86,0xc0,0xf7,0x1d,0x2d,0xee,0xfd,0x50,0x64,0x2d,0x29,0xc1,0x95,0xe6,0xd1, + 0x4f,0xb4,0x6f,0xba,0xc3,0x3a,0x50,0x8c,0x1f,0x03,0xa2,0x32,0xde,0x08,0xaa,0xe0, + 0x9f,0xaf,0x1d,0xa8,0xed,0x2b,0xa2,0xae,0x84,0xbc,0xca,0x88,0xb7,0x8d,0xcc,0xbd, + 0xe9,0xaf,0xde,0x08,0xa3,0xbe,0xb3,0x22,0xdc,0x79,0x35,0x6b,0x29,0xc8,0x48,0x41, + 0x69,0x89,0x14,0xb0,0x50,0xbe,0xb7,0x5a,0x7b,0x2f,0x67,0x01,0xaa,0x81,0x01,0xa5, + 0xa4,0x95,0x5e,0xe2,0x7b,0xaf,0xe8,0x1b,0x21,0xd0,0x3b,0x43,0xe3,0xc7,0x73,0x98), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0xf9,0x46,0xc6,0xbd,0x5e,0x1d,0x6b,0x89,0x09,0x2f,0x3c,0x48,0x7c,0x05,0x68,0xfa, + 0x07,0xc3,0x56,0xfa,0xe9,0xb8,0xe8,0x31,0xb8,0x32,0x02,0x89,0x03,0x97,0x46,0xa4, + 0x35,0xb1,0x22,0xcf,0xbc,0x4a,0x0d,0x31,0x6b,0xf9,0x0d,0x48,0x1d,0x3b,0x7d,0x97, + 0x9c,0xc5,0x0d,0x98,0xc1,0x19,0x0a,0xf8,0xdc,0x58,0xe0,0x03,0x55,0x57,0xdd,0x5e, + 0x94,0xf4,0x37,0xf4,0x1f,0xab,0x51,0x32,0x02,0x64,0x3a,0x77,0x74,0x8f,0x76,0xc6, + 0xb7,0x73,0x02,0xbf,0x40,0xc3,0x92,0xcd,0x18,0x73,0x1d,0xa0,0x82,0xc9,0x9b,0xde, + 0xde,0xb7,0x0e,0x15,0xcd,0x68,0xbf,0xf5,0x96,0x19,0xca,0xbc,0xc9,0x2a,0xdc,0xf1, + 0x22,0x75,0x3c,0x55,0xaf,0xde,0x08,0x17,0x35,0x2b,0xc2,0x47,0xd1,0x17,0x0b,0x8d), + .s = chunk_from_chars( + 0x50,0x70,0x6b,0xa4,0x9d,0x9a,0x31,0x66,0x88,0xa3,0xee,0x80,0xa0,0xbd,0x98,0x67, + 0x57,0xd4,0x3e,0xc8,0x32,0x85,0xaf,0x9e,0x78,0x19,0x6b,0xd5,0x2c,0x90,0x0d,0x40, + 
0xb2,0x80,0xfa,0x0d,0xe5,0x4e,0x35,0xac,0xe7,0xd6,0x66,0x00,0x12,0xf1,0xa6,0x62, + 0x04,0x09,0x2f,0x0e,0x63,0x4b,0x97,0xe0,0xe5,0x16,0x65,0xb4,0x07,0x5e,0x36,0xf1, + 0x42,0x22,0x66,0xc7,0xca,0xd7,0xb2,0xd9,0x98,0x1b,0x91,0x3d,0xf3,0xfa,0x3e,0x6a, + 0x5a,0x1c,0xad,0xfc,0x63,0x78,0xa8,0x54,0x0e,0x0f,0xaa,0x26,0xf1,0xcc,0x6f,0xb2, + 0xfb,0x49,0x2a,0x80,0xd0,0xa6,0x94,0x5b,0xce,0x5b,0xbc,0x23,0xdd,0xb3,0xb1,0x07, + 0x01,0xf0,0x24,0x9b,0x27,0x40,0x7a,0x67,0x00,0x80,0x2e,0x88,0x42,0xef,0x3c,0xc7, + 0x61,0xc4,0x82,0x3a,0xcb,0x5d,0x14,0x53,0x50,0x8d,0xcd,0xbb,0x97,0x9e,0x7b,0xd8, + 0xd0,0x01,0x28,0xe6,0x0a,0x9b,0x37,0x89,0x16,0x7c,0x91,0x41,0x7d,0x93,0xf0,0xe9, + 0xfb,0xb0,0x0c,0x9a,0xf1,0x49,0x8e,0x09,0xeb,0x64,0x85,0xeb,0x94,0xce,0xa4,0x88, + 0x3f,0x6a,0x25,0x6e,0xab,0x2c,0xaa,0x82,0x6d,0xe4,0xfd,0xac,0x01,0xba,0xca,0x3a, + 0x21,0x6e,0x3d,0x20,0x4a,0x3d,0x83,0x7f,0xfd,0x4d,0x0b,0xe2,0xb2,0xce,0xf7,0x11, + 0x90,0x90,0x54,0xc4,0xda,0x1d,0x5b,0x93,0xa8,0xf9,0x84,0x51,0xc7,0x00,0x2a,0xe8, + 0x4a,0x5e,0x70,0x80,0xd9,0x86,0x71,0xc5,0x0e,0x3c,0x91,0xc4,0x08,0x7d,0x04,0x77, + 0xb1,0x04,0xf9,0x16,0x01,0x0e,0x74,0x2f,0x2d,0x20,0x7f,0xb4,0x0d,0x12,0x2d,0x8f, + 0x21,0x1a,0xf6,0xd7,0xc5,0xec,0xa4,0x95,0x42,0xd9,0xac,0xb0,0xf1,0x66,0xe3,0x6a, + 0xbc,0x37,0x15,0x50,0x70,0xc1,0x2e,0x9f,0x28,0xb9,0x07,0xd6,0x7a,0x2c,0xa7,0x0b, + 0xfc,0xe5,0x54,0xe1,0xc4,0x4c,0x91,0x52,0x0e,0x98,0xfc,0x9a,0xd0,0xc0,0xee,0x47, + 0x7f,0x75,0x05,0x16,0x47,0x6a,0x94,0x16,0x80,0x66,0xce,0x47,0x00,0x00,0x30,0xa9, + 0x9c,0x23,0xe2,0xc3,0x87,0x55,0xde,0x94,0x6d,0x5e,0xdf,0x0d,0x6a,0xa9,0x42,0x12, + 0xf9,0x92,0x31,0x5b,0x24,0x8c,0x1f,0x82,0x72,0x3b,0x29,0xc4,0x22,0x16,0xc7,0x8c, + 0xdc,0xb6,0x68,0xf1,0x12,0x78,0x26,0x1c,0xee,0x92,0x52,0xc8,0xfd,0x0e,0xd3,0x7d, + 0x0a,0x85,0x80,0xca,0x9b,0x9f,0xde,0x75,0x05,0x61,0x59,0x43,0x71,0x2d,0xa1,0x9a), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x9a,0x33,0x7d,0x4c,0x0b,0xb9,0xa0,0x05,0xb4,0x7f,0x47,0x65,0xd6,0x96,0xd1,0x9d, + 
0xec,0x58,0xbc,0x84,0x82,0xf2,0x17,0x3a,0x4a,0x20,0x3a,0x0b,0x6d,0x38,0xb4,0x96, + 0x1f,0x6a,0x85,0x2e,0x76,0x46,0x8e,0x80,0x7c,0x7e,0x45,0x76,0x83,0xee,0xad,0x5c, + 0xb8,0xd9,0x86,0x42,0xfb,0x76,0xc0,0xa1,0xee,0xab,0x36,0x41,0x4c,0x18,0x99,0x59, + 0x7d,0x57,0xaa,0xf9,0x67,0x82,0xad,0xa5,0x86,0xf6,0x1a,0x42,0x3f,0x57,0x95,0x37, + 0x71,0xd5,0x20,0xcc,0x4e,0xad,0x90,0xd5,0x69,0xf2,0x3d,0x95,0x0f,0x8d,0xfe,0xdd, + 0xdb,0x83,0x55,0x74,0x85,0x76,0xe6,0xbb,0xfb,0x6f,0x2e,0x91,0xb3,0xda,0x71,0x75, + 0x3f,0xd2,0xf4,0xea,0x22,0x9f,0x6d,0x20,0xe2,0x7d,0xb8,0xd0,0x5e,0x9f,0xcb,0x68), + .s = chunk_from_chars( + 0xcf,0xf7,0xaa,0x7f,0x87,0x56,0x42,0xfb,0x93,0x43,0xe0,0x7e,0xf5,0xe7,0x30,0x3b, + 0xbf,0x5f,0x06,0x9b,0x44,0xc1,0x9f,0xbf,0x83,0xe5,0x9d,0x42,0x2e,0x25,0x26,0x7e, + 0xf9,0x30,0x74,0x14,0xb6,0xb1,0xef,0x61,0x71,0x1e,0xd0,0x01,0x32,0x76,0xd1,0xa2, + 0xad,0x98,0x39,0x04,0x74,0x02,0x7a,0x0a,0x70,0x3b,0xfe,0x8a,0x6e,0x87,0x70,0x60, + 0x59,0xd8,0x9c,0x06,0x09,0x80,0xc9,0xc9,0xe6,0x0d,0xc7,0xe1,0xfb,0x9f,0x77,0x7a, + 0x41,0x78,0x5a,0xb4,0xd2,0xb6,0x63,0xba,0x0e,0x3c,0x19,0x21,0x54,0x5c,0x47,0x9c, + 0x2a,0x38,0x3a,0x50,0xda,0x8e,0x48,0x9c,0xb2,0x2b,0x71,0x10,0x1d,0x0e,0xc1,0x48, + 0xac,0x70,0x92,0x87,0x32,0xa7,0x72,0x19,0x5a,0x14,0x0d,0x08,0x01,0x52,0x76,0x2a, + 0x9c,0x40,0x80,0x3a,0x39,0xfa,0x2a,0x69,0x78,0xc2,0xa7,0x5a,0xc4,0xd8,0xbd,0x1b, + 0xcc,0xaa,0x1f,0x42,0x04,0xba,0x65,0xed,0xdd,0xf3,0x2f,0xed,0xf2,0xd9,0xd0,0xa3, + 0xae,0xd9,0xb0,0x6c,0x47,0xe7,0x17,0x73,0x3c,0x57,0x78,0x12,0xd7,0x23,0xdb,0xa7, + 0x4a,0x85,0x2b,0x29,0x05,0x23,0x5c,0x81,0x2d,0xc5,0xf1,0xd0,0xdf,0x0f,0x0d,0xe7, + 0x3d,0xfb,0x86,0x22,0x1c,0x6f,0xfd,0xd1,0xed,0xa1,0x19,0xbb,0xe9,0x8d,0x14,0x8a, + 0xdd,0x36,0xa4,0xfe,0x50,0x48,0x9b,0x06,0xaa,0xee,0xfc,0xb5,0xc2,0x06,0x6d,0x90, + 0xfa,0x79,0x73,0x87,0x06,0xcd,0x18,0xe4,0x74,0xd6,0x96,0x09,0xff,0x12,0x10,0xc7, + 0x7d,0xe7,0xcd,0x23,0xba,0x2a,0x77,0x5a,0x43,0x29,0xcb,0x27,0x1a,0x82,0x6d,0x60, + 
0x2c,0x40,0x1a,0x71,0x43,0x90,0x19,0xce,0xc1,0x0c,0xd9,0xf1,0x84,0xc4,0xd0,0x45, + 0x84,0x21,0x18,0x27,0xb1,0x9e,0xad,0xac,0x32,0x58,0xd8,0xa0,0xf2,0x63,0x16,0x13, + 0xf0,0x51,0xaa,0xe0,0xc6,0x13,0x05,0x0c,0xb2,0x44,0x42,0xf1,0x5e,0xd4,0xfe,0x0d, + 0xbd,0x29,0x0e,0x42,0x62,0x91,0x41,0xbd,0x2c,0xd5,0x6d,0x20,0x58,0x4a,0x1d,0x10, + 0xe1,0xf2,0xc2,0xa9,0xec,0x73,0x14,0x33,0xd5,0xbc,0xd1,0xd3,0x18,0xbe,0xd5,0x24, + 0x3b,0x4b,0x7d,0x0f,0x9a,0x79,0x82,0x06,0x1c,0x55,0xdf,0xaa,0x86,0xb2,0xc0,0x18, + 0x45,0xc0,0x21,0xfd,0xd2,0xa9,0x78,0xd4,0x20,0x34,0x21,0x2f,0x43,0xb3,0x35,0x1b, + 0x6a,0xde,0xb0,0x3b,0xdd,0x6c,0xaf,0x7d,0xe0,0x59,0x50,0x2f,0x16,0xd7,0x73,0x48), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x32,0xfd,0x45,0xe7,0x3f,0x6f,0x69,0x49,0xf2,0x0c,0xab,0x78,0xc0,0xcc,0x31,0xd8, + 0x14,0xba,0xea,0x63,0x89,0x54,0x6a,0x36,0x5d,0x35,0xf5,0x4f,0x23,0xf1,0xd9,0x95, + 0xb7,0x41,0x01,0x18,0x77,0x60,0xc8,0x9b,0xb0,0xb4,0x0b,0x50,0x57,0xb1,0x82,0xe2, + 0xfa,0xfb,0x50,0xb8,0xf5,0xca,0xd8,0x79,0xe9,0x93,0xd3,0xcb,0x6a,0xe5,0x9f,0x61, + 0xf8,0x91,0xda,0x34,0x31,0x0d,0x30,0x10,0x44,0x1a,0x71,0x53,0xa9,0xa5,0xe7,0xf2, + 0x10,0xeb,0xe6,0xbc,0x97,0xe1,0xa4,0xe3,0x3f,0xd3,0x4b,0xb8,0xa1,0x4b,0x4d,0xb6, + 0xdd,0x34,0xf8,0xc2,0xd4,0x3f,0x4a,0xb1,0x97,0x86,0x06,0x0b,0x1e,0x70,0x07,0x0e, + 0x3e,0xd4,0xd5,0xf6,0xd5,0x61,0x76,0x7c,0x48,0x3d,0x87,0x9d,0x2f,0xec,0x8b,0x9c), + .s = chunk_from_chars( + 0xc3,0x89,0x61,0x37,0x17,0xec,0x74,0x76,0xec,0xda,0x21,0x44,0xd0,0xe8,0xc8,0xf9, + 0xd6,0x6f,0xb4,0x69,0xc1,0x67,0xc4,0x20,0x9e,0xc0,0xbd,0xee,0xbf,0xb4,0x71,0x66, + 0x5d,0x33,0xda,0xd4,0x7b,0x8f,0x3c,0x31,0x9a,0x76,0xfe,0x8a,0x8a,0x9f,0x66,0x2b, + 0x6c,0x69,0x0b,0x74,0x90,0x3d,0x17,0xf6,0x1e,0x23,0x14,0xe5,0xea,0x8d,0x26,0x67, + 0x0e,0xe4,0xdb,0x4d,0xad,0x29,0x5b,0x27,0x7c,0xa0,0x8a,0xde,0x88,0x0d,0xe2,0xe4, + 0x2d,0x12,0xb9,0x29,0x52,0x76,0x4c,0x1d,0xc8,0x08,0xc2,0x66,0xdb,0xbe,0xdb,0x67, + 
0x01,0x58,0xee,0xf3,0x6e,0x89,0x6f,0x55,0xa2,0x03,0xfb,0x99,0x55,0x6d,0xed,0x05, + 0x97,0x41,0x0b,0xa3,0x74,0x86,0xb1,0xd8,0x41,0xf3,0xd6,0xd5,0xc0,0xb3,0x9f,0x2f, + 0x49,0xf0,0xc5,0x79,0x48,0x24,0xfb,0xa9,0x4a,0x8e,0xc7,0xc2,0xb2,0xc9,0x1e,0xad, + 0xd5,0xc8,0xcb,0xe4,0x48,0x95,0xfe,0x3b,0xe3,0xbc,0x17,0x27,0xd6,0xfc,0x0e,0x53, + 0x64,0xf5,0x35,0x78,0x63,0x9d,0x3b,0x3a,0xf6,0x96,0xb7,0x50,0xa0,0x78,0x53,0x69, + 0x4f,0xfe,0x14,0x5a,0x28,0xc0,0x36,0x20,0xc7,0x8d,0xd7,0x37,0x7d,0x09,0x4d,0x92, + 0xc3,0xe0,0x95,0x46,0x88,0x3d,0x47,0x03,0xe6,0x2a,0x98,0xdd,0xf8,0x1f,0xd0,0x1f, + 0xcd,0xf3,0xc4,0xb2,0x15,0x22,0x4f,0xe2,0xb1,0xb4,0x99,0x2a,0xbf,0x31,0xf2,0x0d, + 0x12,0xaf,0xa8,0x68,0x20,0x23,0x90,0xde,0x33,0x4a,0x84,0x6b,0x2d,0x58,0xb2,0x53, + 0xea,0x8a,0xb3,0xc5,0x26,0x5d,0x84,0x77,0x3a,0x65,0x9e,0x8b,0xac,0x7a,0xf4,0x41, + 0x23,0xd9,0xea,0x15,0x06,0x2e,0x65,0xd4,0xd4,0x19,0xcf,0x2d,0x97,0x07,0x7d,0x06, + 0x24,0xf8,0xe5,0xc3,0x6f,0x2c,0x7b,0x35,0xcc,0xf9,0x54,0x35,0xd5,0xc3,0x68,0x86, + 0xff,0x91,0x05,0xa6,0xc1,0xea,0x22,0x5e,0x15,0xea,0x8c,0xbc,0x7b,0x6b,0xf6,0x85, + 0x61,0x51,0xcd,0x76,0xfb,0xb7,0x5b,0x5b,0x98,0xf0,0xe3,0xdb,0x51,0x6a,0x8e,0x21, + 0x81,0x89,0xfc,0xb1,0xcd,0x5d,0xe3,0xca,0xfe,0xaa,0x33,0xef,0x13,0x5c,0x5d,0x8b, + 0x8a,0xa5,0xf8,0x81,0xaf,0xaa,0xca,0xf4,0xc0,0x8b,0xd7,0x28,0x12,0x55,0xbc,0x2a, + 0x33,0xb7,0x6d,0x4a,0x36,0xe0,0xb1,0x70,0xc4,0x55,0x88,0x23,0x9e,0x5b,0x38,0xc6, + 0x79,0xb0,0x8c,0xf8,0x02,0xaf,0x73,0xb6,0xd7,0x9b,0x39,0x35,0x94,0x94,0x61,0xe7), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0xab,0x66,0xcc,0x48,0x7e,0xc9,0x51,0xf2,0x11,0x9d,0x6e,0x0f,0xa1,0x7a,0x6d,0x8f, + 0xeb,0x7d,0x07,0x14,0x9b,0xec,0x7d,0xb2,0x07,0x18,0xe4,0xf3,0x1d,0x88,0xc0,0x1f, + 0x9a,0x53,0xd5,0xba,0x7e,0xce,0x3a,0x4d,0xbc,0x67,0xaf,0x6a,0x35,0xd1,0x30,0xea, + 0xe7,0x62,0xcb,0x79,0x62,0xb9,0xae,0x55,0x7c,0xa3,0x84,0x52,0x46,0x40,0x02,0x22, + 0x3f,0x61,0xbc,0xd3,0xc7,0x35,0x3e,0x99,0xd6,0x25,0x58,0xce,0xed,0xfc,0xb9,0x37, + 
0x4d,0x4b,0xbf,0x89,0x68,0x0c,0x8e,0x2b,0x95,0x85,0x60,0x3e,0x07,0x6f,0x1c,0xdb, + 0x00,0x58,0x29,0x9b,0x42,0x46,0x84,0x5d,0xc7,0x9d,0x10,0x43,0xb1,0x42,0x2e,0xfe, + 0x84,0x01,0x8e,0x4c,0x93,0x2c,0x45,0xbe,0xb8,0x85,0x1f,0xbf,0x48,0x5e,0x36,0xd2), + .s = chunk_from_chars( + 0xb5,0x13,0x31,0x55,0x2b,0x08,0xbe,0x35,0xa1,0x69,0x8a,0xa6,0x20,0x3d,0x84,0xdb, + 0xff,0xf9,0x00,0x1e,0xd5,0xdd,0x77,0x6f,0x2b,0xe4,0xdd,0xfc,0x07,0xdd,0x46,0x20, + 0xe9,0x65,0x4e,0x82,0xa3,0x34,0x65,0xbd,0x20,0xf1,0x18,0x63,0xc0,0xed,0x02,0xa0, + 0xae,0xa2,0x7a,0x44,0xd4,0x14,0xc3,0x28,0xa9,0x38,0xbf,0x87,0x7e,0x15,0x83,0x8a, + 0xb9,0x9d,0x67,0x0d,0x01,0x41,0x42,0x62,0xe8,0x86,0x5d,0xc1,0xd9,0xfc,0x30,0xfd, + 0x08,0x12,0x69,0x9f,0xa6,0x90,0xc3,0x4f,0x30,0x2f,0x63,0x7e,0xc8,0x02,0xcd,0x40, + 0xac,0x85,0x91,0xe9,0x76,0xc0,0xb8,0xbc,0xcb,0x1b,0x01,0x37,0xaf,0x64,0xa2,0x87, + 0x02,0x10,0xe8,0xfa,0x3d,0xc4,0x31,0xfe,0x09,0x56,0xb8,0xad,0xdf,0xf1,0xe4,0xb1, + 0x8c,0xf0,0x7e,0x07,0x8a,0xa9,0x3a,0xf8,0x1b,0xb3,0x02,0x3c,0x9e,0x59,0x4e,0x66, + 0x59,0x5f,0xd9,0x2b,0x10,0x22,0x6e,0xa1,0x26,0x00,0x5f,0x47,0x24,0x42,0x73,0x52, + 0xc3,0x8e,0x9e,0x85,0xfc,0x2e,0x07,0x23,0xf8,0x0a,0xf1,0xf6,0x15,0x99,0x55,0x0b, + 0x5e,0xf5,0x4c,0x5b,0x38,0xca,0x40,0x57,0x38,0x01,0x7b,0x89,0xcb,0x94,0x68,0xd9, + 0x74,0x1c,0xd6,0xbd,0xf7,0x11,0x21,0x62,0x25,0x1b,0xa1,0xd0,0x83,0xcc,0x37,0x0a, + 0x4a,0x82,0x61,0xc3,0x9b,0x6b,0x94,0xbf,0x21,0xa5,0x3b,0x75,0x64,0x53,0x1a,0xe9, + 0xeb,0xc4,0xcc,0xea,0x7e,0xbb,0x8b,0xd3,0x14,0xb2,0xe1,0x3b,0x58,0xed,0x10,0x18, + 0xae,0x5b,0x41,0x5e,0x0f,0x9e,0x3e,0x19,0xa5,0xea,0xd3,0xa4,0x46,0x03,0xf9,0x06, + 0x74,0xa1,0x90,0xfe,0xbd,0xe2,0x5f,0x8a,0xd8,0x77,0x8a,0xee,0xad,0x4d,0x0f,0x64, + 0xfb,0xae,0x37,0x16,0x6a,0x54,0xe3,0xa7,0x63,0xe3,0x55,0x59,0xbf,0x8c,0x3f,0x17, + 0x3f,0x19,0xff,0x7b,0xab,0x98,0xf3,0xef,0x80,0x3d,0xd5,0x6c,0x07,0x62,0x83,0x99, + 0xaf,0xf8,0x74,0x85,0xee,0x73,0xdb,0xc3,0xdb,0x34,0xec,0xc7,0xbf,0xf3,0xa5,0x32, + 
0x26,0xcf,0x87,0xbc,0x81,0xd2,0x56,0xe8,0x0c,0x09,0x52,0x0c,0x8f,0x38,0xe9,0xbc, + 0xda,0x09,0x5e,0x36,0x35,0x12,0x8e,0x1b,0xed,0xd9,0x97,0x06,0x00,0x54,0x6a,0x75, + 0x1e,0xb1,0x1d,0xab,0x42,0xe2,0x89,0xd6,0xfd,0xfe,0xa0,0x4b,0xd5,0x8d,0x45,0x71, + 0xa7,0x9d,0x24,0xbc,0xe4,0x50,0x8c,0x54,0xe1,0xec,0x4c,0xf7,0x5b,0x98,0x5f,0xd3), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0xfe,0xf7,0xfe,0x89,0xb9,0xa5,0x99,0x02,0xa7,0x0a,0x1d,0x9c,0xaa,0xd0,0x9c,0xed, + 0x8b,0xee,0x41,0x45,0xed,0xcb,0xe3,0xef,0x7f,0xa6,0xda,0xb3,0x76,0x35,0x12,0x9f, + 0x3b,0x8c,0x5e,0x08,0x60,0x41,0x0e,0xcb,0xd9,0xce,0xc3,0xd8,0x69,0x36,0x82,0xf2, + 0x5a,0xec,0x08,0xb0,0x71,0xf0,0x5d,0xc8,0x21,0x3b,0xac,0x8c,0xff,0x5d,0x52,0xb5, + 0x76,0x65,0x35,0x60,0xbc,0x01,0x57,0x56,0x04,0xe6,0xab,0x90,0xf6,0x72,0x27,0xfb, + 0x5c,0x90,0x1a,0x78,0x1e,0xdd,0xc0,0x27,0x70,0x09,0x13,0xe5,0x4a,0x7f,0xe5,0x13, + 0x18,0x48,0x2c,0x9a,0xb4,0x2c,0x9d,0x2b,0x91,0x1b,0x7c,0xcc,0x39,0xcc,0xb2,0x90, + 0xf9,0xa4,0x20,0xa5,0xda,0xd9,0x33,0x94,0xd4,0xd7,0xb8,0xc5,0x3f,0xe3,0xf2,0x42), + .s = chunk_from_chars( + 0x45,0x06,0x8c,0xa6,0xd8,0x2f,0x2c,0x12,0x39,0x25,0xcd,0xe1,0x19,0x71,0x21,0x5d, + 0x8f,0xa4,0xa4,0xdf,0x68,0x48,0xbb,0x76,0x54,0x86,0x87,0x00,0x97,0x87,0x64,0x85, + 0x46,0x38,0x92,0x1b,0xea,0x58,0x69,0x28,0x0d,0xc6,0xad,0x95,0x81,0xab,0x43,0xff, + 0x70,0x12,0x96,0x99,0x48,0xa5,0x67,0x7f,0xa0,0xa6,0x61,0x36,0xa3,0x16,0xa4,0xbf, + 0xec,0xb8,0x9a,0xdf,0x41,0x31,0xb5,0xbe,0xdf,0x3d,0x46,0x93,0xb7,0x80,0xd1,0x33, + 0xaf,0x9b,0xf9,0xc1,0x33,0x30,0x5b,0xe7,0x83,0x74,0xaf,0xda,0x3b,0xa3,0x85,0x42, + 0x03,0x32,0x44,0x81,0xa9,0xd1,0x0b,0x9c,0xa9,0xb9,0x2d,0xc7,0xd7,0x4d,0xf5,0x31, + 0x87,0x2d,0xdf,0xc7,0x6c,0xaa,0x82,0xde,0x02,0x0e,0x2c,0x41,0x56,0x43,0xcb,0xcc, + 0x42,0x80,0xe6,0xd2,0xf4,0x37,0x1f,0xda,0x7d,0x92,0x49,0x31,0x4a,0x8f,0x43,0x76, + 0x48,0x99,0x1a,0x9b,0x03,0xd7,0x1b,0x58,0x39,0xad,0x38,0xa1,0x55,0x5a,0xd3,0x45, + 
0x26,0x99,0x4b,0xa5,0x68,0x70,0xb6,0xea,0x18,0x01,0x12,0x95,0xf2,0xca,0x2b,0x07, + 0x13,0xb2,0xe9,0x2a,0xd7,0x76,0x80,0xc0,0xdc,0x5b,0xed,0x8d,0x3b,0x9b,0x31,0xac, + 0x14,0xdf,0x76,0x99,0x49,0xc4,0xa4,0x3e,0xa6,0x7f,0x6d,0xee,0xb3,0xdc,0x9e,0xd5, + 0x89,0xea,0x4e,0x8a,0x2c,0xf6,0x69,0x5d,0xf4,0x6f,0x94,0x6f,0x14,0x67,0xb2,0x8e, + 0x87,0x54,0x77,0xae,0x4e,0x64,0x50,0x80,0xfa,0xfd,0xa6,0xdd,0x55,0x1d,0x2c,0x02, + 0xfd,0x6b,0x2b,0x19,0x4f,0xc0,0xbd,0xb0,0x50,0xe0,0x6d,0x4c,0x78,0x41,0x05,0xf5, + 0xa3,0x3b,0x53,0xe7,0x30,0x98,0x05,0x59,0x63,0x07,0x1e,0xfc,0x1b,0xf3,0x97,0xfd, + 0x32,0x5f,0x3a,0x6f,0x4e,0x10,0xd7,0x6f,0x04,0x11,0xa0,0x01,0xe6,0x2e,0xc7,0x37, + 0x29,0x01,0x83,0x16,0xf5,0x63,0x10,0xf8,0x93,0xa5,0x93,0x63,0xd1,0xf6,0xfe,0x5c, + 0x17,0x44,0x4b,0x6c,0x72,0x8a,0x49,0x33,0xb7,0x52,0x12,0xfd,0xfa,0x25,0x8e,0x40, + 0x18,0xb7,0x76,0x39,0x51,0xab,0x4e,0x50,0x96,0x41,0x1d,0xf9,0xe5,0xbc,0x16,0xdf, + 0x38,0x96,0xe4,0x6c,0x97,0x3d,0x32,0xac,0x92,0x76,0xa4,0xe2,0xb5,0xb8,0x0e,0x3d, + 0x8d,0x79,0x8d,0xc0,0x47,0x0b,0x45,0x09,0x6b,0x4d,0x73,0x86,0x69,0xce,0x05,0x2e, + 0xd8,0x18,0xe5,0x60,0xaf,0x1e,0x92,0xc9,0x15,0x18,0x7d,0x66,0xcc,0x30,0x8b,0x70), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x82,0xb3,0x84,0x0e,0xeb,0x95,0xc9,0xc5,0x77,0x24,0xc7,0x0f,0x11,0x2b,0x6c,0x2d, + 0xc6,0x17,0xc3,0x17,0x85,0xac,0xd0,0xc8,0x23,0xf8,0xbc,0xdd,0xa2,0x85,0x32,0x5e, + 0xb3,0xd3,0x08,0xdc,0x79,0x05,0x22,0xbc,0x90,0xdb,0x93,0xd2,0x4e,0xe0,0x06,0x32, + 0x49,0xe5,0x5d,0x42,0x19,0xad,0x97,0x14,0x5f,0xea,0xf7,0xf3,0x06,0x68,0x62,0x3c, + 0xc8,0x89,0x0a,0x70,0xf4,0xf1,0x49,0x86,0x6f,0x82,0xcf,0x86,0xf9,0x8b,0x00,0x53, + 0xb2,0x3c,0x98,0xc8,0xdd,0x5e,0x91,0x07,0xe3,0x41,0x46,0x0e,0x9b,0xf5,0xd8,0x8c, + 0xc8,0xbc,0xd1,0xf2,0xe4,0xc0,0x07,0xcc,0x1c,0x02,0xc4,0x52,0x9b,0x93,0x23,0x3a, + 0x0b,0x06,0xbd,0xd1,0x59,0x25,0x85,0x4a,0xb9,0xe3,0xf1,0x56,0xeb,0x92,0x5b,0xf5), + .s = chunk_from_chars( + 
0x05,0x93,0xb9,0xfd,0x44,0x21,0x45,0x23,0x76,0xd2,0x7b,0xc7,0xa2,0x80,0x10,0x1c, + 0xfd,0x6e,0x88,0xa6,0x72,0x7d,0x7d,0x77,0xcf,0x65,0xce,0xb7,0x23,0xec,0xd2,0x57, + 0xf3,0x2f,0xe1,0x02,0x77,0xe8,0x57,0x98,0xe0,0xda,0x75,0x91,0x77,0x36,0xda,0x1a, + 0x3b,0xfc,0x22,0xad,0xc7,0x65,0x8f,0xbb,0x84,0xda,0x6e,0xbe,0xa0,0xb0,0x7d,0x1c, + 0xc4,0x05,0x73,0x2f,0xb0,0x40,0xb5,0x85,0xc1,0xb6,0x3c,0x80,0x34,0x06,0x9b,0xff, + 0xb8,0x22,0x06,0x56,0xf1,0xac,0x54,0xce,0x69,0x37,0x20,0xd6,0xfb,0x1b,0x5a,0xec, + 0x67,0xb0,0x3c,0x88,0x7c,0x80,0x77,0xda,0x14,0x8d,0x10,0xf4,0x8a,0xf7,0xc0,0x28, + 0xf9,0x92,0xb1,0x8f,0x13,0xc0,0xe5,0x75,0x30,0xc0,0x86,0xd7,0x75,0x48,0x3d,0xa5, + 0xf6,0x6f,0x3a,0x6a,0x19,0x18,0x78,0x68,0x34,0x0a,0xc6,0x3c,0x62,0x12,0xbc,0xbd, + 0x6c,0xbb,0x7b,0xed,0xa8,0x62,0x0a,0xfd,0x9b,0x66,0xde,0x47,0x47,0x3e,0xf2,0x4d, + 0x1b,0x6a,0x36,0xf4,0xec,0xe9,0xad,0xd4,0x95,0x14,0xfd,0xf1,0xd8,0x4c,0x7a,0x78, + 0x5b,0x7f,0x0e,0x00,0xf3,0x82,0x23,0x58,0x99,0x79,0x0f,0x47,0x2d,0x13,0xf4,0x85, + 0x58,0xa4,0x31,0x47,0x42,0xf3,0x76,0x80,0x8d,0xec,0x96,0xed,0xd2,0xe2,0x29,0xe9, + 0x43,0xf7,0xb9,0x83,0xbe,0xa5,0xec,0x6e,0xdf,0xa5,0xe9,0xbb,0x37,0xf5,0x88,0xe5, + 0x5e,0xf6,0x2e,0xbc,0x92,0x14,0xbe,0xaf,0x9d,0xa5,0x02,0x43,0x4e,0x10,0x88,0xdf, + 0x27,0x2c,0x6c,0x77,0xc1,0xe1,0xd8,0x97,0xc4,0x7b,0xea,0xb7,0x7e,0x3b,0xbe,0x31, + 0x7f,0x8d,0x43,0xd2,0x1f,0xd7,0xe9,0x43,0x37,0xc7,0xe2,0x63,0xe2,0x86,0x7b,0xf5, + 0x80,0xa2,0xa8,0xec,0xb9,0xe3,0x6a,0xb7,0xd3,0xe1,0xd5,0xcf,0x9a,0x23,0x23,0x09, + 0x53,0xd5,0x9d,0xf0,0xd7,0xe2,0x35,0x58,0xfb,0x61,0x2b,0x79,0x18,0xab,0xba,0x31, + 0xb1,0x64,0xce,0x17,0x88,0x18,0xa1,0xa9,0xe6,0xb6,0x68,0x7f,0x4d,0xe6,0x85,0xd7, + 0x0e,0x16,0xbe,0xf6,0xe1,0x92,0xfa,0xed,0xfe,0x0b,0x2b,0x95,0x47,0x7d,0x37,0xb0, + 0xa3,0xa2,0xd0,0x02,0xf3,0x3e,0xf4,0x32,0x1c,0xb9,0x05,0x04,0x0c,0xe0,0x6f,0xda, + 0x1c,0x98,0xa0,0x08,0x76,0x7f,0xbc,0x78,0x1a,0x1e,0xaf,0x33,0x75,0xda,0xb8,0x66, + 0x4b,0x59,0x03,0x36,0xb9,0x9e,0x15,0x7b,0x86,0x87,0xa6,0x60,0x2f,0xef,0x6a,0x3b), + }, + { 
+ .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0xe1,0x53,0xcc,0xa4,0x43,0x1e,0xd9,0x71,0x3f,0x47,0x44,0xba,0x05,0x4f,0x5f,0x19, + 0x1c,0xb3,0x7b,0x28,0x01,0x08,0xae,0x3a,0x11,0x4a,0xd3,0x49,0xa8,0x72,0xd1,0x30, + 0x8b,0x46,0x21,0x1a,0x83,0x75,0x8a,0x3b,0x4b,0xe3,0x2f,0xbe,0xac,0x42,0xcc,0xfe, + 0xe7,0xe2,0x3d,0xf8,0x53,0xca,0x40,0x01,0x47,0x07,0x7b,0xb4,0x3a,0x44,0xc1,0x2f, + 0x29,0x9b,0x91,0x7f,0x3a,0xab,0xdf,0x58,0x9e,0xeb,0x17,0x09,0xbb,0x3d,0x60,0xb0, + 0x8b,0xc7,0x1e,0xaa,0x3f,0xfe,0xba,0x4e,0x29,0x03,0xa5,0xdb,0xd8,0x33,0x9a,0xae, + 0x85,0xfa,0x24,0xb9,0xae,0xe7,0x61,0x30,0x00,0x06,0x05,0x85,0x7a,0x6a,0xa1,0x97, + 0xd0,0x09,0x26,0x27,0x0d,0xcd,0xa5,0x8b,0x7d,0xe7,0x58,0xa6,0xca,0x67,0xe6,0x17), + .s = chunk_from_chars( + 0xa8,0x35,0xcd,0x41,0x46,0xbe,0xf4,0x65,0x64,0x2d,0x49,0x49,0x36,0x26,0x8a,0x31, + 0x1a,0x54,0x90,0xd2,0xc9,0xf9,0x16,0x6c,0x6c,0xe9,0x82,0x16,0xa9,0xa2,0x3a,0x64, + 0x35,0x97,0x30,0x0a,0x00,0x50,0xe6,0x44,0x5a,0xbd,0x5a,0x9b,0xfc,0x7a,0x2d,0x9b, + 0x70,0x72,0x6c,0x82,0x4c,0x38,0x3b,0xf5,0xac,0xad,0xdd,0xdc,0x34,0xd4,0x34,0xa3, + 0x1e,0x53,0x14,0xd2,0x5f,0xb5,0x8e,0x25,0x8f,0x51,0x88,0x66,0xc1,0x36,0xe5,0x28, + 0x55,0xc1,0x6f,0xe6,0x4f,0xf8,0xf1,0xc4,0xd6,0x6c,0x4e,0x9e,0x39,0xb8,0xcb,0x11, + 0x96,0xd8,0x09,0x44,0xd0,0x74,0x6c,0x0a,0x3e,0x17,0x69,0xcd,0x41,0x67,0xdf,0x72, + 0xab,0x5e,0x4c,0x9d,0xba,0xe9,0xcb,0x35,0xf4,0x82,0x8e,0x12,0x09,0x9f,0x9b,0x36, + 0xa5,0xa7,0x0c,0x48,0xd4,0xae,0xc9,0x87,0x2d,0x7b,0x19,0xe1,0x29,0x1b,0x33,0xcb, + 0xdf,0x08,0xa2,0x26,0x3d,0x50,0x0c,0x0a,0x83,0xb5,0x23,0x7e,0xf6,0xce,0x92,0xde, + 0x34,0x4b,0x3b,0x41,0xd0,0xd0,0x74,0x04,0xfc,0xd5,0x46,0x7b,0x04,0x6b,0x52,0xb8, + 0xf8,0x5f,0xc6,0xb5,0xd7,0xaf,0xc4,0x37,0xf1,0xee,0x9e,0x78,0x39,0x0c,0xa9,0xbb, + 0x6c,0xec,0x61,0x88,0x85,0xec,0xe2,0x97,0x58,0xf2,0xfd,0x6f,0x4e,0x5f,0x4f,0x89, + 0x69,0x35,0xde,0x5f,0x67,0xcc,0x04,0x05,0x5a,0x4c,0x4c,0x0f,0xba,0x5d,0xef,0x8d, + 
0x2c,0xaa,0x17,0x93,0x31,0xa8,0x55,0x01,0xed,0x25,0x82,0x2a,0xe7,0x9d,0xa9,0xbc, + 0x81,0x5c,0xc3,0x9c,0x6a,0x97,0x92,0x11,0x08,0x3e,0x86,0x83,0x13,0x6c,0x94,0x2e, + 0x1e,0x17,0xe9,0xeb,0x8f,0x84,0xaa,0xcf,0x09,0x1a,0xa1,0xe5,0x16,0x65,0xfa,0xe4, + 0x46,0xbc,0x48,0xc3,0x04,0xaf,0x65,0x39,0x1f,0x27,0x9a,0xfb,0x98,0xb9,0x2e,0x04, + 0xc2,0xb7,0x3d,0x9d,0x94,0xe9,0x91,0x19,0x8f,0xe7,0x78,0x1f,0x0f,0x96,0x96,0xfc, + 0xba,0x2c,0x03,0x48,0x5f,0x76,0xe6,0xde,0x30,0xb9,0x53,0x5c,0xf3,0x90,0x3d,0xb2, + 0xf3,0xaf,0xa8,0x51,0xa4,0x7b,0xcd,0xe7,0x2d,0x4e,0xd2,0xe8,0xfa,0xbf,0x9b,0xb7, + 0xd4,0x69,0x6c,0xb4,0xab,0x8c,0x28,0x9b,0x0c,0x21,0xe1,0xf9,0x79,0xeb,0xc5,0x32, + 0xe2,0x80,0xcd,0x90,0x10,0xdf,0x4e,0xe7,0x2f,0x84,0xbb,0x9e,0x82,0x75,0x28,0x28, + 0xf1,0x67,0x03,0x0c,0x0f,0xe3,0x48,0xeb,0xc3,0x1e,0xc1,0x7b,0x8f,0x07,0xd9,0x4b), + },{ + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x9c,0x63,0x89,0x9d,0xfc,0x7b,0xdc,0x0d,0xb3,0x84,0x72,0x72,0x44,0xca,0xf7,0x1e, + 0xcf,0xb9,0xb8,0x79,0x2b,0x9f,0x57,0xe9,0x36,0xb3,0xc2,0xf5,0x69,0x55,0x65,0xa9, + 0xb0,0x97,0x9f,0x3c,0x78,0xfd,0x73,0xf0,0x09,0x81,0x81,0x3a,0x16,0xda,0x34,0x23, + 0x92,0xfe,0x3c,0xee,0xc6,0xe6,0x3f,0xfb,0xa1,0x91,0xcb,0xeb,0x4f,0x4b,0x90,0x05, + 0x0d,0x2f,0xcc,0xd8,0x3b,0xeb,0x06,0x22,0xb2,0xc3,0xff,0xf1,0x59,0xd9,0xe6,0x08, + 0xf3,0xab,0xcb,0x84,0x3b,0xdd,0x56,0xc0,0x33,0x39,0xb9,0x75,0xb9,0xf4,0xe3,0x26, + 0x5b,0x32,0xf6,0xbb,0x6c,0xcd,0xfc,0x6c,0x57,0x52,0xd6,0xe0,0x34,0x4d,0x74,0x96, + 0x99,0xc7,0x4c,0x85,0xb3,0x0c,0x04,0xff,0x95,0xb2,0x72,0xdb,0xcf,0xd6,0xc7,0xd3), + .s = chunk_from_chars( + 0x4d,0x38,0xa2,0x97,0x30,0x2a,0xd0,0x77,0x0d,0x97,0x29,0xce,0x5b,0x72,0x12,0xee, + 0xf2,0x87,0xce,0x02,0x50,0xf4,0x03,0xe3,0x2b,0x4a,0xcc,0x36,0x17,0xdc,0x0d,0x2e, + 0xdc,0xcc,0xc2,0xd5,0x80,0xdd,0xbd,0xbc,0xa5,0x72,0x2b,0x70,0x70,0x40,0x58,0xa3, + 0xb8,0x07,0xf5,0x92,0xe4,0x00,0xbd,0x56,0x3f,0xca,0xa8,0xb0,0x66,0xa6,0x14,0xb4, + 
0x90,0x6f,0x14,0x33,0x96,0x8e,0xd2,0xf5,0x20,0xa2,0xf6,0xb0,0x34,0xd4,0xb2,0xd6, + 0x89,0x0a,0x24,0x1a,0xfd,0x1a,0xdb,0x86,0x39,0xa6,0xca,0xd9,0xdb,0xfd,0x2e,0x27, + 0x8d,0xfe,0xbf,0x79,0x74,0x0d,0x75,0xf2,0x95,0x75,0x9d,0x29,0x13,0x0b,0x19,0xab, + 0x19,0x98,0x3d,0xd6,0x8f,0x77,0x9d,0xe4,0x1f,0xfe,0xfd,0x4e,0x82,0xb5,0xe6,0x2f, + 0x72,0xf9,0x0e,0xfb,0x73,0x43,0x7f,0x08,0xa2,0x50,0x3d,0xd9,0x81,0x9d,0xae,0x20, + 0xba,0x97,0x06,0xc1,0x99,0xde,0x9c,0xf8,0x84,0x43,0x3e,0xeb,0x75,0x62,0x86,0xa8, + 0x5e,0xae,0x14,0xbf,0x9f,0x6d,0xbe,0xb7,0x05,0x46,0x1d,0x91,0x82,0x22,0x82,0xf1, + 0x8e,0xfb,0xb1,0x05,0x89,0xa5,0x78,0xf2,0xc9,0xc3,0x45,0xb0,0x79,0xa7,0xe9,0xdd, + 0x07,0xfd,0x4b,0x34,0x05,0x1b,0x27,0x11,0x97,0x29,0x90,0x6c,0x77,0xdf,0xb7,0xd2, + 0xf8,0xfa,0x6b,0xdd,0x5f,0xaa,0x1e,0x13,0x2b,0xfb,0xa9,0xd3,0x91,0xe6,0x63,0x95, + 0xe6,0x7f,0x01,0x35,0x3f,0xa2,0x75,0xea,0xce,0x8b,0x53,0xaa,0x91,0xcb,0x6f,0xb6, + 0x93,0xe1,0x91,0x91,0xd4,0x2a,0x4c,0x1a,0x85,0xa0,0xc5,0x04,0xb1,0xc8,0x5f,0x49, + 0xa4,0xd6,0x09,0x36,0xde,0xe4,0x64,0x6a,0xca,0x62,0xa9,0x4a,0xa4,0xbc,0x78,0x28, + 0xc1,0xff,0xaf,0xde,0x8b,0xe6,0x56,0x31,0x7d,0x50,0x6a,0xbe,0xc1,0x79,0xcc,0x90, + 0x19,0x1d,0x12,0x35,0x6f,0xf5,0x06,0x44,0xd3,0xe0,0x1a,0xa5,0xbc,0xfd,0xd7,0x1d, + 0x3c,0x82,0x8d,0xc3,0x53,0x9d,0xc0,0xcf,0x3f,0xe8,0xb9,0xb9,0x1e,0x0c,0x25,0x24, + 0xf6,0xa3,0x71,0x03,0x79,0xc9,0x0a,0xff,0xd0,0xd0,0xa5,0x0d,0x74,0x38,0x7f,0x9c, + 0xa8,0x8b,0x46,0x46,0x3e,0xf1,0xbd,0xba,0x58,0xcc,0x9a,0x36,0xe5,0xc2,0xc4,0x35, + 0xa2,0x0d,0x96,0x83,0x50,0xd1,0x5d,0x94,0x1c,0x32,0x12,0xcd,0xce,0x81,0x55,0x92, + 0xb3,0x10,0xd2,0x59,0x86,0x0d,0xe1,0xdc,0x1a,0x3d,0x70,0xac,0x22,0x30,0x2a,0x51), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_384, + .m = chunk_from_chars( + 0x04,0x84,0x6c,0x2e,0x67,0x6a,0xc7,0x31,0x60,0xbf,0x4e,0x45,0x65,0x2b,0xdc,0x6c, + 0xc4,0xd4,0xc9,0x28,0x45,0x77,0xb4,0x32,0x0a,0xb7,0x7f,0x6e,0xbb,0xb5,0x9a,0x1f, + 0xe0,0xe0,0x85,0x58,0x8e,0x0f,0x90,0xb3,0x46,0xcd,0xe6,0x44,0x1a,0xf3,0xc9,0xd0, + 
0x11,0x7d,0x1f,0x3b,0xcd,0x96,0x2e,0x40,0x6b,0xf5,0xa4,0x65,0xab,0x6c,0xda,0x2d, + 0x51,0xbe,0x59,0x8f,0xcb,0xb2,0x9e,0xa7,0x13,0x65,0x1a,0xac,0xd7,0xe4,0x7d,0x22, + 0xd8,0xfa,0x34,0x50,0x90,0x47,0x30,0xf5,0x17,0x92,0xea,0x37,0x47,0x61,0xa4,0xdc, + 0x1f,0xc6,0xf1,0xbc,0x65,0x7b,0x77,0x76,0x8f,0x31,0xf4,0x63,0xe4,0x26,0x7f,0xc8, + 0xdf,0xf6,0x11,0x50,0xd4,0xb3,0x43,0xb9,0xd5,0x37,0x59,0xcd,0xd7,0xb9,0x80,0x94), + .s = chunk_from_chars( + 0x10,0x3b,0xee,0x57,0xe2,0x5b,0xe8,0xc3,0xa2,0xf7,0x74,0xe7,0x39,0xb4,0x7f,0x93, + 0x43,0x5e,0x41,0x49,0x32,0xc0,0x49,0x4b,0x6b,0x6a,0xa2,0x47,0x5b,0xf7,0xc9,0x30, + 0x5c,0x73,0x74,0x7e,0x0a,0xdf,0x82,0xc2,0x03,0x20,0x07,0xb3,0xf7,0x5a,0x69,0xc9, + 0x31,0x12,0x61,0x7a,0x62,0x56,0x6c,0x5a,0x2d,0xea,0xa2,0x5f,0xb9,0x52,0x09,0xda, + 0x49,0xfe,0x9c,0x16,0x1c,0xb2,0xff,0xa4,0x0f,0xd9,0xd7,0x7f,0x1f,0xf6,0x60,0xc8, + 0xb6,0xcd,0x3b,0x54,0xe3,0xe7,0x9a,0x75,0x9c,0x57,0xc5,0x71,0x98,0x02,0xc9,0x31, + 0x1d,0xb7,0x04,0xba,0x3c,0x67,0xb4,0xa3,0x11,0x37,0x54,0xa4,0x1b,0x8d,0xa5,0x9c, + 0x64,0x5b,0xe3,0x90,0x9e,0x7d,0xb7,0xe7,0xcf,0x72,0x94,0xda,0xb4,0x4f,0x74,0x24, + 0x0f,0x81,0xa2,0x81,0xee,0xcd,0x6e,0xf3,0x1c,0x7c,0xf1,0x8b,0x1a,0x19,0xc7,0xd0, + 0x2a,0x31,0x2b,0x91,0xd6,0xed,0xfa,0xa9,0x54,0x46,0x2d,0x34,0x74,0x0a,0xf5,0xab, + 0x70,0x8d,0xb5,0xa1,0x0b,0x00,0xc5,0x42,0xbe,0x82,0xfa,0x2b,0x20,0x26,0xb0,0x9e, + 0xf3,0x8a,0x40,0x01,0x45,0x7e,0x27,0xa6,0x02,0x37,0x70,0xe4,0xb4,0xd5,0x00,0x32, + 0x67,0xc8,0x5c,0x9e,0xea,0x1d,0x5f,0x8d,0x77,0x0b,0xd4,0x0b,0x55,0x4d,0x5b,0x4d, + 0xaf,0x14,0x6d,0xcc,0xab,0xac,0x3e,0xa8,0xa1,0x3a,0x05,0xc3,0xbd,0xdf,0xc9,0x71, + 0xc5,0x15,0x8f,0xac,0x02,0x7c,0xa1,0x9b,0x72,0x32,0x62,0x1e,0x9d,0x2e,0x37,0xb6, + 0xa6,0x55,0xaf,0x54,0x5e,0x44,0xa2,0x98,0xbe,0x78,0xcd,0x47,0x5c,0x22,0xa4,0x8b, + 0xff,0x7c,0x34,0x94,0xa5,0xf8,0xa6,0xab,0xdf,0x1a,0x46,0xf9,0xde,0x08,0x2e,0x37, + 0x4f,0xd5,0x98,0x86,0x7d,0x61,0xe4,0xd5,0x1d,0xae,0xd8,0x41,0x52,0xe4,0x3c,0xc6, + 
0xa2,0xaf,0xfa,0xe2,0x05,0xed,0xc5,0x26,0x13,0x48,0x0d,0x41,0x1a,0xba,0x84,0xfc, + 0xc9,0xb6,0x9d,0x1c,0x28,0xf1,0x6f,0x76,0x83,0x69,0x01,0xa7,0xc5,0xb3,0xeb,0x2f, + 0x2c,0x94,0x0d,0x0a,0x3f,0xad,0x38,0xa8,0xef,0xab,0x96,0x8a,0x0c,0x85,0xeb,0x22, + 0xe1,0x1d,0x3d,0x08,0x61,0x13,0x6c,0xed,0x5f,0x06,0x73,0x4f,0xdf,0x8d,0x4f,0x15, + 0x1d,0x23,0x86,0x1b,0x1c,0xba,0x9b,0x9c,0x58,0x0d,0x33,0x50,0xc7,0x6d,0x4d,0xc8, + 0x08,0x46,0x1d,0x5f,0x87,0x2e,0xc5,0x48,0xb2,0xb4,0x27,0xdf,0xf7,0x4b,0x1d,0x1a), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0xdb,0x6c,0x9d,0x4b,0xad,0xb1,0xd9,0xb7,0x4d,0x68,0x34,0x64,0x48,0xb4,0xd5,0x34, + 0x06,0x31,0x78,0x3b,0x5a,0x35,0xac,0x24,0x58,0x56,0x3e,0xd0,0x67,0x2c,0xf5,0x41, + 0x97,0x58,0x7f,0xb7,0x34,0xc4,0xac,0x18,0x9b,0x2d,0xda,0x95,0x4c,0xdf,0xb1,0x8b, + 0x41,0xc0,0x10,0xa7,0x7e,0x90,0x46,0x4e,0xea,0x6f,0x86,0x3c,0x5d,0xa0,0x95,0x6b, + 0xfa,0x8c,0xc6,0x36,0xbf,0x0a,0x28,0xbe,0x5a,0xdd,0xfe,0x8d,0x3e,0x7e,0x6f,0x79, + 0xf7,0x1d,0x7f,0xcb,0xba,0xe2,0x3e,0xa1,0x41,0x78,0x3f,0x91,0xd6,0xcc,0x4c,0x8f, + 0xad,0x12,0x58,0x11,0x76,0x0a,0xb5,0x71,0x33,0x81,0x88,0x92,0x47,0x1a,0x79,0xc6, + 0xd0,0x4e,0xaf,0xef,0x37,0xb2,0xfb,0xe5,0x06,0x78,0x53,0x18,0xf9,0x39,0x83,0x77), + .s = chunk_from_chars( + 0xd4,0x80,0xd5,0xa9,0x79,0xad,0x1a,0x0c,0x4c,0xa3,0x29,0xeb,0xd8,0x8a,0x4a,0xa6, + 0x94,0x8a,0x8c,0xf6,0x6a,0x3c,0x0b,0xfe,0xe2,0x25,0x44,0x09,0xc5,0x30,0x54,0xd6, + 0xff,0xf5,0x9f,0x72,0xa4,0x6f,0x02,0xc6,0x68,0x14,0x6a,0x14,0x4f,0x8f,0x2b,0xa7, + 0xc4,0xe6,0xb4,0xde,0x31,0x40,0x0e,0xba,0x00,0xae,0x3e,0xe8,0x75,0x89,0xdc,0xb6, + 0xea,0x13,0x9e,0x70,0xf7,0x70,0x4f,0x69,0x1b,0xc3,0x7d,0x72,0x2f,0x62,0xbb,0x3b, + 0x2c,0xd3,0x03,0xa3,0x4d,0x92,0xfd,0xe4,0xde,0xb5,0x4a,0x64,0xdd,0x39,0x18,0x43, + 0x82,0xd5,0x9c,0xca,0xf0,0xc0,0x7a,0x7e,0xa4,0x10,0x7d,0x08,0x08,0x26,0x0e,0xd8, + 0xd4,0x21,0xcb,0x8b,0x14,0x07,0xcd,0xf9,0xe9,0x15,0x15,0x92,0x82,0xb9,0xf7,0xbf, + 
0xfd,0xbf,0x40,0xd8,0x77,0x88,0x5d,0xa7,0x39,0x9e,0xde,0xbd,0x30,0x0a,0x7e,0x77, + 0xa9,0x08,0xf7,0x56,0x65,0x9a,0x18,0x24,0xf9,0x5c,0x8a,0x81,0x2a,0xa5,0x40,0xeb, + 0xaa,0x64,0xab,0x54,0xa2,0x33,0x72,0x3d,0xb5,0x5c,0xaa,0x8b,0x44,0x66,0xea,0x9a, + 0xe6,0x61,0x4a,0xd1,0xbb,0x86,0x9e,0x9d,0x8e,0x0d,0x03,0x2f,0x39,0x01,0x67,0x1e, + 0x94,0xc0,0xb6,0x73,0xbe,0x65,0x37,0xcd,0x54,0x27,0x8e,0xd3,0xda,0x2e,0x1e,0xdb, + 0xc0,0x4e,0xe3,0xa9,0xe8,0x07,0x0d,0x73,0xba,0x0f,0xfb,0x93,0xe6,0x0f,0x30,0xb8, + 0x7f,0xf3,0x86,0x2e,0x9c,0x53,0x90,0x8f,0x2c,0x8e,0x99,0x91,0x56,0x68,0xc1,0xf4, + 0x66,0x35,0xe0,0x5b,0xf7,0x16,0x30,0x51,0xff,0x9d,0x92,0xbc,0x71,0xa6,0x26,0x55, + 0x3c,0x69,0xdf,0xdd,0x06,0xa4,0x9f,0x7f,0xf1,0xed,0x51,0xe9,0x18,0xf3,0xed,0x80, + 0x1d,0xae,0x62,0xca,0x27,0x6d,0x70,0x63,0xd7,0x2a,0x6e,0xbc,0x13,0x6b,0xa0,0x6c, + 0xfe,0xdf,0x5a,0xa2,0x32,0x77,0xe8,0x10,0x08,0xc6,0x3b,0x2e,0x00,0x83,0xd0,0xfd, + 0x68,0x14,0xf6,0xd4,0xb4,0xb4,0x0a,0x42,0xe8,0xc0,0x20,0x6f,0x3c,0x35,0x6a,0x5e, + 0xc7,0x09,0xb7,0xc8,0xa4,0xb7,0x4b,0x7b,0x48,0xd5,0x3c,0x9d,0x86,0x94,0xd2,0x73, + 0x59,0xc2,0xc7,0x70,0x19,0x38,0xd2,0xf0,0x16,0x17,0x21,0xa5,0x73,0x13,0xbb,0x1a, + 0x2e,0x11,0xda,0x21,0x58,0x72,0x49,0x81,0x82,0x49,0x3d,0x85,0x17,0x04,0x3b,0x4c, + 0x03,0xf9,0x34,0x46,0xaa,0xc9,0x38,0x30,0x27,0x65,0x42,0x02,0x6c,0xe8,0x30,0x55), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0xd5,0xdd,0x3b,0x6c,0xe9,0x77,0x2d,0x9a,0x97,0xfe,0x21,0x64,0x84,0x97,0x78,0x3b, + 0xac,0x5b,0xb5,0x25,0x4a,0xad,0x82,0xb6,0xf7,0xcb,0xf4,0x3b,0x15,0xa4,0x0f,0x38, + 0x6e,0xea,0x8d,0x15,0x19,0x67,0xdb,0x14,0x9e,0x94,0x65,0x86,0x59,0x68,0x13,0x3f, + 0x24,0x6e,0x13,0x47,0x30,0x1a,0xda,0xd2,0x34,0x5d,0x65,0x72,0xca,0x77,0xc5,0x8c, + 0x15,0x0d,0xda,0x09,0xa8,0x7b,0x5f,0x4d,0xa3,0x6b,0x26,0x6d,0x1f,0xa7,0xa5,0x9c, + 0xcd,0x2b,0xb2,0xe7,0xd9,0x7f,0x8b,0x23,0x15,0x43,0x19,0x23,0x53,0x0b,0x76,0x2e, + 0x12,0x6e,0xac,0xaf,0x5e,0x5a,0xc0,0x2f,0xf1,0xaa,0xef,0x81,0x9e,0xfb,0x37,0x3c, + 
0xf0,0xbb,0x19,0x6f,0x0e,0x82,0x9e,0x8f,0xe1,0xa6,0x98,0xb4,0x79,0x0a,0x2a,0x05), + .s = chunk_from_chars( + 0xbf,0x9e,0x8b,0x4f,0x2a,0xe5,0x13,0xf7,0x3d,0x78,0x89,0x58,0x00,0x37,0x33,0xdb, + 0xe2,0x09,0x57,0xb1,0x47,0xb1,0x7c,0x3f,0x4f,0xd6,0xd0,0x24,0xe8,0xe8,0x3f,0x07, + 0xb6,0x5d,0x9f,0x3d,0xbc,0x3b,0x1f,0xe8,0x4d,0xa0,0x21,0xce,0xab,0xfc,0xcd,0x8c, + 0x57,0xa0,0x14,0xfb,0xe5,0xa2,0xbc,0xe3,0xe4,0x05,0x1b,0x7d,0x03,0xe0,0x9f,0xc0, + 0x35,0x0b,0x6a,0x21,0xfa,0xd2,0x14,0xae,0x7a,0x07,0x32,0x77,0xc7,0x7a,0x40,0xdc, + 0x44,0xa5,0xae,0xea,0x51,0x94,0xa7,0x56,0xb6,0x9c,0x93,0x97,0x7b,0x69,0xee,0x92, + 0x94,0x36,0x0e,0xaa,0x73,0xa5,0x74,0x54,0x8f,0xa6,0xa9,0x74,0xa7,0xcd,0x5a,0x6a, + 0xdc,0xf0,0x9e,0x80,0x63,0x11,0x56,0xaf,0x85,0xa8,0xe5,0xc5,0x31,0x7e,0x18,0x9e, + 0xea,0xd4,0x7e,0x2e,0xad,0x65,0xc3,0x81,0x39,0x6b,0x5c,0xac,0xde,0x26,0x0e,0x93, + 0x72,0x84,0xa8,0xe9,0x0e,0xff,0x2c,0xbc,0xb9,0xde,0xe2,0x29,0x25,0xf2,0xf7,0x25, + 0x6f,0x74,0xc6,0x7c,0xf3,0xff,0xc7,0xb8,0xce,0x65,0x7e,0x8d,0x13,0x5f,0x0f,0x37, + 0x6d,0x9d,0x93,0x6a,0x79,0x79,0x2c,0x98,0x16,0x14,0xd9,0x8e,0x3f,0x7d,0x66,0x2a, + 0x4f,0xd4,0x6d,0xcd,0xa9,0x69,0x16,0xb3,0x2f,0x36,0x6e,0xd2,0x7d,0xab,0x18,0x8f, + 0x18,0x4b,0x98,0x4d,0xf0,0xb5,0x59,0x71,0x0d,0x8f,0xf2,0x04,0x0b,0xe4,0x62,0xf9, + 0x19,0x43,0x50,0x1b,0xda,0x48,0x40,0xfd,0xd5,0xc8,0xec,0x15,0xd1,0x89,0x06,0x4d, + 0xef,0x75,0x6e,0x54,0x5d,0xb3,0x19,0xe0,0x07,0xc4,0x33,0xf0,0x46,0x8a,0x67,0x23, + 0x35,0x7b,0xa4,0x7d,0x15,0x6a,0xb7,0x65,0x2b,0x06,0xae,0x2b,0x18,0x87,0x4f,0x07, + 0x71,0xc6,0x26,0x46,0x6d,0xbd,0x64,0x23,0xe6,0xcb,0xc5,0x18,0xb5,0xe4,0xae,0x7b, + 0x8f,0x15,0xe0,0xf2,0xd0,0x47,0x1a,0x95,0x16,0xdf,0xa9,0x59,0x16,0x97,0xf7,0x42, + 0x86,0x23,0x24,0xd8,0xd1,0x03,0xfb,0x63,0x1d,0x6c,0x20,0x73,0xd4,0x06,0xb6,0x5c, + 0xde,0xe7,0xbd,0xa5,0x43,0xe2,0xe9,0xeb,0xff,0x99,0x06,0x98,0x5d,0x1c,0xb3,0x65, + 0x17,0x2e,0xa6,0x23,0xed,0x7a,0xa4,0xc7,0xa3,0x22,0xf0,0x98,0x46,0x80,0xe3,0x4e, + 
0x99,0xbc,0x62,0x31,0xb0,0x2e,0x3d,0x14,0x58,0x16,0x08,0xbc,0x55,0xbc,0xa7,0xfb, + 0xe2,0x2d,0x7f,0x03,0xe9,0x04,0xda,0x45,0x52,0xe0,0x09,0xe5,0x60,0x7f,0x04,0x18), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0x59,0x16,0x52,0xb6,0xeb,0x1b,0x52,0xc9,0xbe,0xbd,0x58,0x32,0x56,0xc2,0x22,0x86, + 0x80,0x11,0x0b,0x87,0x89,0x17,0xde,0xa5,0xad,0x69,0xe8,0xc5,0xd2,0xab,0x51,0x42, + 0x77,0xb0,0xac,0x31,0xe7,0xe2,0xcc,0xea,0xb2,0xe5,0xd9,0xc4,0x5d,0x77,0xa4,0x1f, + 0x59,0x9b,0x38,0xa8,0x32,0xf6,0xb2,0xd8,0x09,0x79,0x52,0xbe,0x44,0x40,0xd1,0xff, + 0x84,0xba,0xf5,0x1b,0xd7,0x0b,0x64,0xf1,0x30,0xae,0xb6,0x86,0x14,0x5f,0xcd,0x02, + 0x95,0x38,0x69,0xfb,0x84,0x1a,0xf7,0xf6,0xe3,0x4e,0xaa,0x2b,0x99,0x6c,0xcd,0x89, + 0x69,0x7c,0x58,0xfa,0x25,0x5c,0xc1,0xe8,0x1f,0x62,0x14,0x00,0xe1,0x41,0x46,0x36, + 0x1e,0x31,0xc7,0x09,0xe8,0x4a,0x56,0x08,0x22,0x31,0x19,0x95,0x39,0xf7,0xed,0xe9), + .s = chunk_from_chars( + 0x1d,0xe7,0x9d,0x72,0x16,0xdd,0xe1,0x25,0xde,0xb7,0x7c,0x34,0xd9,0x0a,0xb3,0x21, + 0xa4,0xde,0x5f,0xb1,0x1c,0x29,0x66,0x56,0xad,0x9b,0xf9,0xa2,0x46,0x53,0x59,0x11, + 0x17,0xac,0xe4,0x15,0xe1,0x8e,0xad,0xce,0x92,0x82,0x3f,0x31,0xaf,0xe5,0x6f,0xc8, + 0xe2,0x94,0x94,0xe3,0x7c,0xf2,0xba,0x85,0xab,0xc3,0xba,0xc6,0x6e,0x01,0x95,0x84, + 0x79,0x9a,0xee,0x23,0x4a,0xd5,0x55,0x9e,0x21,0xc7,0xfd,0x4f,0xfd,0x24,0xd8,0x26, + 0x49,0xf6,0x79,0xb4,0xc0,0x5d,0x8c,0x15,0xd3,0xd4,0x57,0x4a,0x2e,0x76,0xb1,0xf3, + 0xee,0x9f,0x8d,0xec,0x0a,0xf6,0x0b,0x0c,0xed,0x1b,0xe8,0xa1,0x9c,0x2f,0xa7,0x1b, + 0xcb,0xc1,0xfb,0x19,0x08,0x99,0xec,0x85,0x56,0x95,0x8e,0x07,0x82,0xac,0xe7,0x19, + 0x6b,0x36,0x65,0x86,0x56,0xcf,0x36,0x4d,0x37,0x73,0xde,0x86,0x26,0x0f,0xd8,0x98, + 0x76,0x04,0xef,0x35,0xea,0xe8,0xf3,0x8e,0xc2,0xcb,0x0d,0xa8,0x64,0xcc,0xa7,0x19, + 0x21,0x9c,0x2a,0xd7,0x1c,0x08,0x50,0x6c,0x41,0x2e,0xc7,0x79,0x95,0xf3,0x74,0x39, + 0xc8,0x56,0x97,0x7b,0x71,0xdf,0xb9,0x64,0x79,0x90,0xef,0x70,0xfa,0xf4,0x32,0x73, + 
0xae,0x60,0x83,0x9c,0xd0,0x67,0x9e,0xc9,0xaa,0x42,0xbf,0x91,0x4e,0x42,0x1b,0x79, + 0x7c,0xba,0x21,0x8a,0x40,0x0f,0xf9,0xdb,0xaa,0x20,0x6c,0xb9,0xc2,0xb0,0x59,0x6c, + 0x70,0x9a,0x32,0x2b,0x73,0xcb,0x82,0x72,0x1d,0x79,0xf9,0xdb,0x24,0x21,0x1b,0xf0, + 0x75,0xa1,0xce,0xf7,0x4e,0x8f,0x6d,0x2b,0xa0,0x7f,0xe0,0xdc,0x8a,0x60,0xf4,0x8a, + 0xf5,0x11,0xad,0x46,0x9d,0xcd,0x06,0xe0,0x7a,0x4c,0xe6,0x80,0x72,0x13,0x9c,0x46, + 0xd8,0xbe,0x5e,0x72,0x12,0x53,0xc3,0xb1,0x8b,0x3c,0x94,0x48,0x5c,0xe5,0x5c,0x0e, + 0x7c,0x1c,0xbc,0x39,0xb7,0x7b,0xc6,0xbb,0x7e,0x5e,0x9f,0x42,0xb1,0x53,0x9e,0x44, + 0x2d,0xa8,0x57,0x65,0x8c,0x9e,0x77,0x1c,0xcb,0x86,0xbe,0x73,0x97,0x64,0x7e,0xfb, + 0xc0,0xcc,0xb2,0xc3,0xad,0x31,0xac,0x4e,0x32,0xbf,0x24,0x8c,0xc0,0xce,0xd3,0xa4, + 0xf0,0x94,0x52,0x6b,0x25,0x63,0x1c,0xb5,0x02,0x47,0x09,0x61,0x29,0xb0,0x8a,0x9c, + 0x2c,0xdf,0xb7,0x75,0x97,0x8b,0x0f,0xee,0xe2,0x65,0xa6,0xc4,0x19,0x91,0xc1,0xdc, + 0x44,0x52,0x61,0x5b,0x78,0xc9,0x06,0xc7,0xed,0x1b,0xd2,0x07,0x96,0x9d,0x98,0xd0), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0x8d,0xff,0xaa,0x91,0x51,0x27,0x1a,0xd2,0x26,0x22,0xf2,0x28,0xc8,0x92,0xe1,0xd9, + 0x74,0x8b,0x3c,0x39,0x43,0x97,0xf2,0xcb,0xb6,0xfe,0xbe,0xaa,0x92,0x44,0xa0,0x27, + 0xee,0xf2,0x8d,0xb4,0x8a,0x9a,0x66,0x01,0x62,0x15,0x27,0x64,0x83,0x0f,0x61,0x7e, + 0x1e,0xc6,0xea,0x1c,0xdb,0x0e,0xd2,0x5b,0x6f,0x99,0x9a,0x10,0x71,0x75,0xa1,0x66, + 0x69,0xd6,0xdf,0xc9,0x2b,0x16,0xd5,0x03,0x63,0xfa,0xc4,0xa5,0x70,0x37,0x1e,0xa9, + 0x76,0x34,0x3a,0x55,0xae,0x12,0x4b,0x63,0x01,0xea,0x93,0x5e,0xd6,0x55,0xd4,0x4f, + 0x28,0x32,0x08,0x99,0xdb,0xa3,0x51,0x22,0x50,0x59,0x33,0xb3,0x37,0x12,0x01,0xa2, + 0xa4,0x5f,0x95,0xae,0x65,0xab,0x44,0x2a,0x94,0x79,0x12,0x5e,0x68,0xed,0x21,0x2a), + .s = chunk_from_chars( + 0xb3,0x29,0xae,0xf8,0x3a,0x56,0xdd,0xc5,0x7c,0xd9,0xa0,0xe1,0x5e,0xb0,0xb0,0xb7, + 0xae,0xa7,0xd7,0x8d,0x5e,0x8c,0xa3,0x98,0x2b,0xd3,0x1c,0xc8,0x25,0xa0,0xcd,0x1c, + 
0x44,0x4d,0x9f,0x7b,0xea,0x9e,0x7a,0x27,0xf3,0xbb,0xb3,0x76,0x10,0x60,0xff,0x95, + 0xfe,0xe1,0xa3,0xe8,0x64,0xd2,0x10,0x8f,0xc4,0x0b,0x64,0x78,0x6a,0x96,0xa6,0xd6, + 0x2d,0x20,0x12,0x17,0xe0,0x3a,0x8b,0xa2,0xc0,0x7e,0xe9,0x4c,0x26,0x71,0x49,0xd1, + 0xe7,0x2c,0xc5,0x77,0x9b,0x73,0x7e,0x85,0x47,0xac,0xd6,0xaa,0x4b,0xba,0x3f,0xf3, + 0x8b,0xf9,0x68,0x7e,0x9e,0x82,0xf5,0x11,0xb5,0x97,0xad,0x7e,0xc1,0xd7,0x95,0xc3, + 0x6a,0x98,0xbf,0x83,0xa9,0x0f,0xc8,0x6b,0x0c,0xad,0x41,0x95,0x33,0x60,0x73,0x89, + 0x21,0x93,0x6a,0x45,0x86,0x74,0xb2,0xe9,0xa7,0x01,0x2a,0xc3,0x02,0x9f,0xdb,0x0a, + 0x9d,0x12,0x31,0x82,0x02,0xd2,0x54,0x4a,0x0d,0x97,0x6e,0xe5,0x36,0xe0,0x3b,0x7e, + 0x8d,0x89,0x4b,0x3b,0x9c,0x76,0x2d,0xab,0x01,0x10,0x84,0x9c,0xc1,0xea,0xad,0x74, + 0x7e,0x3d,0x88,0xd7,0xdc,0xf4,0x9f,0x82,0x4d,0xf0,0x27,0xe6,0x45,0xc0,0xb9,0x29, + 0x4e,0x65,0x5d,0x9f,0xc9,0xe1,0xef,0x95,0xeb,0x53,0xaa,0xff,0x57,0x75,0xc3,0x49, + 0x48,0x6d,0x4b,0x5d,0x67,0xdb,0xa2,0x9b,0x62,0x17,0xf8,0xb9,0x97,0x66,0x12,0xb5, + 0x7e,0x16,0xfc,0x1f,0x99,0x98,0x3f,0x2a,0xf0,0x45,0x79,0x93,0x86,0x06,0x87,0x9b, + 0x7c,0x72,0x53,0xe8,0x70,0x71,0x4b,0x4f,0x0f,0x24,0xe2,0x6d,0xc8,0xc7,0xa6,0xfc, + 0xef,0xfb,0x5f,0x98,0xe3,0xb2,0xfb,0x5d,0xb9,0x49,0xd2,0xf9,0x8c,0xd1,0xae,0x1a, + 0xa5,0x52,0x69,0x6b,0x48,0xc3,0x9f,0x67,0x8e,0x15,0x43,0x51,0xcc,0x75,0x6d,0x3e, + 0x9a,0x97,0xf7,0x92,0x79,0x85,0x3e,0xbd,0x0d,0xb9,0xae,0x68,0x59,0xfb,0x2d,0x57, + 0x21,0x38,0x5d,0x06,0xf5,0x56,0x5a,0x3a,0x8f,0xf0,0x99,0x2d,0x51,0x7a,0xcd,0xa1, + 0xaf,0x69,0xa9,0x28,0x54,0xa1,0xb3,0x2a,0x79,0xcb,0x9e,0x44,0x2a,0x90,0xb0,0x55, + 0xbb,0x2e,0xc3,0xaf,0x8d,0x99,0x26,0xa0,0xd8,0x57,0xe3,0xcb,0x1e,0x7e,0x4a,0x73, + 0x00,0xd1,0xac,0xcb,0x94,0x92,0xec,0x78,0x32,0xaf,0x45,0x35,0x29,0xff,0x0f,0x4a, + 0x6a,0xd3,0x25,0x97,0x57,0xf7,0x07,0xf7,0x13,0xaa,0xa5,0xdf,0x23,0x1f,0x74,0x87), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0x71,0xd4,0x16,0x3e,0x70,0x8c,0x12,0x1e,0x93,0x1b,0xb9,0x69,0x2b,0x21,0x7d,0xdd, + 
0xd3,0x5c,0x73,0x46,0xf6,0x1c,0xfc,0x95,0x91,0xf7,0xa4,0x31,0x3a,0xbd,0x4a,0x92, + 0x62,0xaf,0x82,0x0b,0xd7,0xeb,0x37,0xe7,0x8c,0x2b,0x95,0xb8,0x9d,0xaf,0x25,0xec, + 0x8e,0x78,0x3a,0xa1,0xd4,0xb7,0x8d,0xbb,0x96,0x85,0x24,0x33,0xb4,0xd4,0x78,0xb1, + 0x09,0xa6,0xd6,0x5e,0xed,0x7d,0x06,0xf3,0xfe,0x12,0x2b,0x17,0x21,0x49,0xea,0xe7, + 0xc3,0x65,0xce,0xd6,0x65,0x78,0xeb,0xb7,0x57,0x1e,0xc2,0x18,0xc3,0x6b,0x65,0xd2, + 0xee,0x22,0xdc,0xde,0xbb,0x28,0xc6,0x6a,0x71,0x38,0x43,0x2c,0xbd,0xd7,0x12,0xf7, + 0xfb,0x8b,0xf7,0x8c,0xb1,0x48,0x60,0xb2,0x5c,0x2b,0x47,0x89,0x70,0x6b,0x5a,0x1b), + .s = chunk_from_chars( + 0x25,0x22,0xee,0x3b,0xda,0x30,0xc0,0x43,0x4e,0x54,0xb1,0x99,0xda,0x8c,0x97,0x33, + 0x96,0x4f,0xd4,0x02,0xb7,0x07,0xf5,0xb3,0x30,0xf4,0xf7,0x54,0xa0,0x50,0x2c,0x7a, + 0x71,0x3c,0x78,0x14,0xf0,0xe8,0x51,0xa4,0xa4,0xdb,0x72,0x69,0x0d,0xb9,0x6e,0xa8, + 0xb8,0x81,0x3b,0xd8,0x62,0x9a,0x94,0x8b,0xb3,0x0c,0x1b,0x82,0x72,0xa8,0x16,0xb3, + 0x0a,0x75,0x5f,0xc6,0xfb,0x17,0x54,0x16,0x7c,0x3e,0xb1,0xf1,0x94,0x39,0x59,0x07, + 0xa5,0x6c,0xf5,0xa7,0x3b,0x41,0x54,0x38,0x3a,0x05,0xb7,0x8b,0x73,0x1f,0xed,0xd9, + 0x07,0x7f,0x3c,0x22,0x67,0xa5,0xcf,0x92,0x66,0x97,0x87,0x1f,0xe0,0xa4,0xbe,0xd9, + 0xc2,0x19,0x55,0x2d,0xd1,0xc8,0x7a,0xff,0x50,0x61,0x30,0x94,0xbc,0xaa,0x2d,0xec, + 0x42,0xa3,0x53,0x80,0xa6,0xba,0xc6,0x73,0xda,0x25,0x94,0xf8,0x24,0xa8,0xf3,0x2f, + 0x21,0xd7,0x59,0x3a,0x3e,0x49,0xc7,0x8e,0xe2,0x80,0x19,0x3a,0x47,0x86,0x21,0xd3, + 0xb0,0x95,0xc1,0x6d,0xce,0x72,0x93,0x53,0x14,0xd4,0xa2,0x32,0x3e,0xeb,0xe7,0x85, + 0x5c,0xa4,0x73,0x8a,0x19,0xb5,0xa3,0x1a,0x5f,0x95,0xab,0x91,0xfb,0xe1,0x28,0x9c, + 0x02,0xfe,0xa7,0xa6,0x5b,0x91,0x32,0x7b,0x7b,0x97,0x90,0x55,0x62,0x89,0xe1,0xb9, + 0x88,0xe4,0x5d,0x50,0xeb,0x8c,0xea,0x15,0x81,0xde,0x5d,0x5d,0xfd,0x21,0x00,0x1c, + 0x73,0xb4,0x39,0x21,0xd8,0xb2,0x1b,0x96,0x44,0xb0,0xf2,0xb9,0x6e,0xe6,0xb0,0x9d, + 0x73,0x70,0x9c,0x33,0x33,0x81,0x43,0xd6,0xa2,0xfe,0xc5,0x59,0xa4,0x36,0xc5,0xec, + 
0x86,0x5d,0x3a,0xcc,0xa5,0xfe,0xe6,0x54,0xf1,0x32,0x5a,0xe5,0x72,0x55,0xdf,0xd4, + 0x21,0x88,0xc8,0x4d,0xcb,0x1f,0x7c,0x1e,0x86,0x02,0x8a,0x74,0xe3,0x1d,0x73,0x60, + 0x78,0x74,0x1e,0xe9,0x7c,0x39,0xa5,0x6e,0x4d,0xe0,0x0f,0xc1,0x2b,0x80,0x51,0x83, + 0x5b,0xbd,0x0d,0x8f,0xca,0xe7,0x37,0x32,0x20,0x99,0xad,0xc1,0x01,0x71,0x07,0x02, + 0x2d,0xd1,0x5c,0x11,0x4d,0xa5,0x7e,0x78,0xb9,0x56,0x81,0xba,0x99,0x45,0x61,0x5b, + 0x59,0xda,0x90,0xf5,0xa2,0xa9,0x9a,0x25,0x2e,0xb4,0x2b,0x20,0x06,0xee,0xdd,0x6e, + 0x78,0x47,0x6c,0x29,0x05,0x47,0x3e,0xe6,0xb4,0xf2,0x3c,0x1c,0x5c,0xf0,0xb8,0x04, + 0x51,0xc5,0x42,0x6e,0xa0,0x09,0x14,0x1c,0xb3,0xfc,0xb0,0xdf,0x2d,0xed,0x92,0xbe), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0xd0,0x0e,0x15,0x29,0x22,0x8c,0x79,0xa2,0x0a,0x1c,0x36,0x68,0xff,0xa4,0xa5,0x41, + 0x40,0xbb,0x17,0x0b,0xc5,0xc6,0x69,0xfd,0x75,0x60,0xd9,0x30,0x99,0x00,0x17,0x5e, + 0x91,0xd5,0xa0,0xe9,0xc5,0xf5,0x47,0x1f,0xdf,0xb7,0x14,0xbc,0x38,0x5d,0x52,0xb0, + 0x8f,0xf7,0xe4,0x23,0x01,0x84,0xd8,0xb7,0x35,0x59,0x3f,0x0d,0xd8,0xc7,0x3b,0x8a, + 0x49,0xf8,0x59,0x5b,0x95,0x1a,0x21,0xb6,0xa5,0xbf,0xec,0x63,0xb6,0x84,0xf6,0x7c, + 0x0a,0xf1,0xb4,0x71,0xdd,0xa1,0x68,0x4e,0x9b,0xa3,0xf2,0x41,0x50,0x1f,0xe9,0x57, + 0x60,0x3d,0xea,0x86,0x78,0x42,0x30,0xf0,0xc4,0xfd,0x65,0x66,0x63,0x61,0xb8,0x2b, + 0x18,0x73,0x30,0xfb,0x42,0x67,0x40,0x4c,0x0e,0x05,0x9b,0xd4,0xeb,0x52,0x49,0x4b), + .s = chunk_from_chars( + 0x18,0x35,0xdd,0x97,0xe5,0x09,0x3a,0x33,0xce,0x1e,0x62,0xd6,0x83,0x86,0x3f,0x6b, + 0x35,0x07,0xf3,0x58,0xa6,0x2f,0xc8,0x79,0xb5,0x24,0x35,0x0f,0xbc,0x73,0x30,0x68, + 0x1c,0xb0,0xc6,0x82,0xee,0xf4,0x33,0x04,0x19,0xca,0xf8,0x54,0x3b,0xd9,0x26,0x9b, + 0x6d,0x91,0xd8,0xe1,0x07,0xec,0x38,0xb6,0xe9,0xc6,0xea,0xab,0xf9,0x06,0x45,0x72, + 0x05,0xd5,0x2a,0x90,0x0e,0x05,0x57,0x9a,0xa1,0x1f,0xc5,0x81,0x37,0x52,0x64,0xe6, + 0x9a,0x92,0x57,0x98,0xe5,0xa3,0x48,0xe5,0xa1,0x6f,0x15,0x67,0xd5,0xd0,0xe4,0x08, + 
0x53,0x38,0x0b,0x34,0xde,0xac,0x93,0xad,0x73,0x77,0xaa,0xe8,0xa2,0x7b,0x09,0x0d, + 0x0d,0x3a,0x92,0xbf,0x7a,0x82,0x4d,0x92,0x6e,0x2e,0x35,0xa0,0xc3,0xbd,0x0e,0x99, + 0x0b,0x59,0x11,0x20,0xd7,0x4d,0xd9,0xb0,0x52,0xa7,0x35,0x68,0xe3,0xc3,0xf2,0x9c, + 0x5a,0x77,0xfb,0x1c,0x92,0x1b,0xce,0x9c,0x1e,0x7f,0x76,0x4a,0xa6,0x7b,0xac,0x11, + 0x9f,0x58,0x39,0xa5,0x30,0x38,0x60,0xed,0xeb,0x63,0x48,0x14,0xc2,0x38,0x6c,0x83, + 0x1f,0xee,0x62,0x00,0xcf,0x55,0xb6,0xbf,0xea,0x05,0x8b,0x79,0x5a,0x0f,0xcf,0x26, + 0xeb,0x72,0x16,0xae,0x1b,0x75,0x87,0xc8,0x2e,0x56,0x85,0xe5,0x84,0x17,0x0c,0xbd, + 0xdc,0x89,0xa7,0x7e,0x09,0x89,0xd4,0xce,0x5c,0x3c,0x7f,0xdb,0x66,0x4a,0xae,0xaa, + 0xdb,0xce,0x1f,0x23,0x1e,0x64,0x79,0x8f,0x6f,0x9a,0x85,0x45,0x6b,0x5a,0x93,0xa5, + 0x02,0x12,0x6a,0x80,0xe2,0xd2,0x1f,0x46,0x92,0x1c,0xc3,0x60,0x1f,0x5e,0xcd,0xbd, + 0x56,0x99,0x8a,0x63,0xb8,0x65,0xfc,0xe7,0xeb,0x29,0x9f,0x76,0xaf,0x40,0xe9,0x12, + 0x81,0xbf,0xc0,0x19,0xf4,0x0e,0x0d,0x46,0x81,0x1e,0x38,0x36,0x91,0xe4,0x02,0x4c, + 0x94,0x56,0x6f,0x18,0x02,0x4f,0xf2,0xb2,0x2a,0xa7,0xe1,0x27,0x02,0x33,0xff,0x16, + 0xe9,0x2f,0x89,0xc6,0x85,0x09,0xea,0x0b,0xe2,0xd3,0x45,0x11,0x58,0x1d,0x47,0x22, + 0x07,0xd1,0xb6,0x5f,0x7e,0xde,0x45,0x13,0x3d,0xe8,0x7a,0x5f,0xfb,0x92,0x62,0xc1, + 0xff,0x84,0x08,0x8f,0xf0,0x4c,0x01,0x83,0xf4,0x84,0x67,0x99,0x6a,0x94,0xd8,0x2b, + 0xa7,0x51,0x0c,0xb0,0xb3,0x6c,0xf2,0x54,0x82,0x09,0xa5,0x06,0x03,0x37,0x5c,0xb8, + 0x2e,0x67,0x8f,0x51,0x49,0x33,0x45,0xca,0x33,0xf9,0x34,0x5f,0xfd,0xf5,0x4b,0xe9), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0xa3,0x59,0x26,0x68,0x55,0x61,0xf0,0x9f,0x30,0x92,0x5e,0x94,0xd7,0x4e,0x56,0x61, + 0x89,0x2a,0x2d,0xdd,0x52,0x4f,0x75,0x1f,0x83,0x21,0x16,0x3d,0x61,0x1e,0xa1,0x59, + 0x1a,0x08,0xe0,0xdf,0xfd,0x46,0xb2,0x08,0xe9,0x88,0x15,0xa3,0x06,0xaa,0x85,0x14, + 0xb4,0xdb,0x85,0x9d,0xc1,0xfe,0x7b,0xdc,0xdf,0x50,0xc0,0x95,0x55,0x4b,0xf8,0xb2, + 0xf4,0xcb,0x9f,0x88,0x4d,0x70,0xe5,0x5c,0x21,0x43,0xbc,0x26,0x19,0x9c,0x2f,0x94, + 
0xb7,0x43,0xf5,0x52,0x8d,0xd5,0x46,0x89,0xad,0x69,0xed,0xa6,0x60,0x74,0x9f,0x5c, + 0x1b,0xea,0x8b,0xec,0xae,0xa6,0x32,0xa4,0xbf,0x0c,0x79,0xa5,0x77,0xed,0xfc,0xea, + 0x7b,0xaa,0xa6,0x86,0x1e,0x9d,0x7f,0x2d,0xd5,0xb4,0xc4,0xf6,0xeb,0x5f,0x3d,0x5f), + .s = chunk_from_chars( + 0xb1,0xa9,0xc4,0x5a,0x26,0x4d,0x2c,0x9a,0xf4,0x41,0xa7,0xb2,0xd3,0x30,0xdd,0x78, + 0x80,0x89,0xcc,0xef,0x20,0x5d,0x5d,0x66,0x6b,0xfe,0x86,0x43,0x67,0xbe,0x97,0x38, + 0x12,0x4e,0x9d,0x74,0x64,0x8a,0xd9,0x91,0x60,0xbd,0x3a,0xf8,0x1a,0x81,0x85,0x8b, + 0xab,0xe6,0x67,0xa5,0xd9,0x5c,0x98,0x0f,0xe2,0xf6,0xac,0x34,0x86,0x1e,0xb2,0xec, + 0x9b,0x4b,0x4e,0x8b,0x64,0x2e,0xf3,0x82,0x0f,0x56,0xca,0x38,0x8a,0x55,0x65,0x30, + 0xd4,0x27,0x54,0xc4,0x72,0x12,0xe9,0xb2,0xf2,0x52,0x38,0xa1,0xef,0x5a,0xfe,0x29, + 0xbe,0x63,0x40,0x8c,0xf3,0x8c,0xaa,0x2d,0x23,0xa7,0x88,0x24,0xae,0x0b,0x92,0x59, + 0x75,0xd3,0xe9,0x83,0x55,0x8d,0xf6,0xd2,0xe9,0xb1,0xd3,0x4a,0x18,0xb1,0xd9,0x73, + 0xff,0xac,0xcc,0x74,0x5e,0x52,0x7c,0xe7,0x6c,0x66,0x3e,0x90,0x37,0x19,0x35,0x5e, + 0x45,0xcd,0x6d,0x11,0x8e,0xd0,0xb8,0x5b,0x70,0xcb,0xb8,0xe4,0x96,0x41,0x13,0x53, + 0xf8,0x4f,0x88,0x66,0xa0,0x1f,0xad,0xc8,0x19,0xca,0x0f,0xf9,0x5b,0xbe,0x2c,0xc6, + 0x8c,0x8c,0xf7,0x8d,0xa5,0x58,0x1b,0xec,0xc9,0x62,0x47,0xb9,0x11,0xd1,0x85,0xed, + 0x1f,0xae,0x36,0xc4,0xca,0xd2,0x62,0x08,0xeb,0x80,0x88,0x3f,0x42,0xa0,0x81,0x23, + 0xda,0xc6,0x8d,0x88,0xf2,0xf9,0x89,0x3c,0xde,0x02,0xef,0x5a,0x57,0x66,0x1d,0xb2, + 0xb3,0xe1,0xe9,0x26,0x9c,0xbb,0x0e,0x15,0xc4,0x07,0xbc,0xf5,0x5d,0x92,0xe6,0x79, + 0x38,0x3c,0x90,0x80,0x2c,0xd0,0xbf,0xfd,0x46,0x96,0x46,0xdc,0xb6,0x0c,0xa0,0x1a, + 0x1d,0xea,0xd4,0x32,0x28,0x93,0x40,0x18,0x39,0x1d,0xd8,0x1f,0x8b,0x7e,0x79,0x7e, + 0x52,0x7f,0xbe,0x18,0x15,0xb9,0x1b,0xf3,0xcd,0x6a,0x1f,0x2f,0xfb,0xf5,0xdd,0x16, + 0x6a,0xcd,0x55,0x26,0x76,0x1c,0xa8,0xba,0xb5,0xd4,0x63,0xfb,0x9f,0xb8,0x20,0x65, + 0x9f,0x5c,0xd5,0x0f,0x81,0x50,0xf1,0x2f,0x7e,0x8d,0x52,0xe7,0x77,0x73,0xc1,0xe6, + 
0x48,0x0c,0x2c,0xc1,0x84,0xd4,0x11,0xd6,0x41,0xf7,0x1a,0x9d,0xed,0xc2,0xc5,0xfc, + 0x2e,0xc3,0x7a,0x27,0x70,0xa9,0x38,0x3b,0xfb,0xf6,0xa4,0x89,0xcf,0x32,0xb5,0x6a, + 0x12,0xcf,0x99,0x37,0x8e,0x39,0xb5,0x0b,0xda,0xdb,0x9f,0x05,0x91,0xb2,0x06,0x5f, + 0x9d,0x44,0xe5,0x11,0xc9,0xdf,0xb6,0x15,0x8f,0xdd,0xdd,0xd1,0xbc,0x2c,0xec,0xe6), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0x12,0x71,0xa0,0xdd,0xb9,0x9a,0x0e,0x1e,0x9a,0x50,0x1c,0xa3,0x3c,0x13,0x1b,0x0a, + 0x1c,0x78,0x20,0xa3,0x97,0x79,0x08,0x69,0x09,0x0f,0xba,0x37,0x37,0x03,0xac,0x38, + 0xea,0x00,0xa9,0xa0,0xdd,0xee,0xd1,0x99,0xd9,0x7b,0xe1,0x80,0x1f,0xfa,0xb4,0x52, + 0x06,0x71,0x0a,0x61,0xe5,0xed,0x89,0x4c,0x33,0x19,0x01,0x2d,0xed,0x0f,0xf4,0x14, + 0x38,0x6e,0x56,0xb5,0x48,0xad,0x91,0x5d,0x80,0xaf,0xcc,0x2b,0xdb,0x97,0x6d,0x7c, + 0x8a,0xdd,0xdc,0xa7,0xdf,0xa2,0x8a,0xeb,0x69,0x40,0x33,0xa5,0x61,0x26,0x60,0xc6, + 0x44,0xe3,0x2f,0x85,0xc2,0x80,0x56,0x51,0xd7,0x13,0x66,0x0a,0x38,0x91,0x4d,0x70, + 0xf0,0xe4,0x1f,0xdc,0x4b,0x3d,0x16,0x2e,0xf3,0xac,0xd7,0x06,0x59,0xee,0xf6,0x37), + .s = chunk_from_chars( + 0xbf,0xfd,0x01,0x0b,0x2e,0xc4,0xe4,0xa3,0x27,0x77,0xb7,0x76,0x19,0xb8,0x76,0x22, + 0xf8,0x92,0x1d,0xab,0x56,0xe1,0x02,0xc8,0xd8,0x24,0xfe,0x52,0xb5,0xdf,0x7a,0x20, + 0x3f,0xe7,0x17,0x99,0xee,0xaf,0xdc,0xc0,0xc8,0x87,0x2d,0xba,0x6a,0x37,0x44,0x07, + 0xb5,0x63,0x9a,0xeb,0x5a,0x30,0xa9,0x04,0x71,0x2f,0x15,0x09,0x7d,0xba,0x0f,0x2d, + 0x62,0xe8,0x45,0x41,0x23,0x95,0xcf,0x09,0x54,0x0a,0xbd,0x6e,0x10,0xc1,0xa2,0xe2, + 0x3d,0xbf,0x2f,0xe1,0xdf,0xd2,0xb0,0x2a,0xf4,0xee,0xa4,0x75,0x15,0x95,0x7f,0xa3, + 0x73,0x8b,0x06,0x41,0x1a,0x55,0x1f,0x8f,0x8d,0xc4,0xb8,0x5e,0xa7,0xf5,0xa3,0xa1, + 0xe2,0x6c,0xcc,0x44,0x98,0xbd,0x64,0xaf,0x80,0x38,0xc1,0xda,0x5c,0xbd,0x8e,0x80, + 0xb3,0xcb,0xac,0xde,0xf1,0xa4,0x1e,0xc5,0xaf,0x20,0x55,0x66,0xc8,0xdd,0x80,0xb2, + 0xea,0xda,0xf9,0x7d,0xd0,0xaa,0x98,0x33,0xba,0x3f,0xd0,0xe4,0xb6,0x73,0xe2,0xf8, + 
0x96,0x0b,0x04,0xed,0xa7,0x61,0x61,0x64,0x39,0x14,0x24,0x2b,0x96,0x1e,0x74,0xde, + 0xae,0x49,0x7c,0xaf,0x00,0x5b,0x00,0x51,0x5d,0x78,0x49,0x2e,0xc2,0xc2,0xde,0xb6, + 0x0a,0x57,0xb9,0xdc,0xe3,0x6e,0x68,0xdd,0x82,0x00,0x7d,0x94,0x2a,0xe7,0xc0,0x23, + 0xe1,0x21,0x0f,0x0b,0xe8,0xa3,0xeb,0x3f,0x00,0x48,0x24,0x07,0x4b,0x8f,0x72,0x5e, + 0xaf,0x8a,0xc7,0x73,0xe6,0x0f,0xbb,0xb7,0xcb,0xa9,0x63,0x0e,0x88,0xb6,0x9c,0x8b, + 0xcb,0x2d,0x74,0xdb,0xdb,0x29,0xbf,0xff,0x8b,0x22,0x54,0x5b,0x80,0xbb,0x63,0x4e, + 0x4c,0x05,0xf7,0x3e,0x00,0x2a,0x92,0x8e,0xfd,0x5a,0x6a,0xa4,0x56,0x21,0xce,0x1b, + 0x03,0x2a,0x22,0x44,0xde,0x48,0xf4,0xdf,0x43,0x58,0x15,0x66,0x78,0xcb,0xe0,0x39, + 0xc9,0xeb,0xe4,0xce,0xe9,0x45,0xa2,0x5b,0x90,0x38,0x46,0x9f,0xe0,0x0c,0x30,0x92, + 0x93,0x6a,0x8c,0xff,0x93,0x69,0x04,0x5f,0x90,0x67,0x33,0xa9,0xd2,0xab,0x36,0x60, + 0x18,0x20,0x69,0xb1,0x57,0xca,0x8f,0x9b,0x99,0xa7,0x1f,0xc1,0x53,0xc6,0x83,0x01, + 0xe9,0x7a,0x38,0xfc,0x3a,0x87,0xae,0x2b,0x6f,0x03,0x75,0x4e,0x6d,0xa8,0x2d,0x0b, + 0x07,0x26,0xe0,0x70,0x39,0x79,0xc9,0x32,0x02,0x89,0xfe,0xef,0xbc,0xdd,0xcd,0x9d, + 0x70,0x6b,0x71,0xb5,0x1e,0x9a,0x1b,0x9d,0xc1,0x41,0x2e,0x6e,0xd4,0xb5,0x66,0x76), + }, + { + .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512, + .m = chunk_from_chars( + 0xf3,0x0c,0x78,0x3b,0x4e,0xae,0xb4,0x65,0x76,0x7f,0xa1,0xb9,0x6d,0x0a,0xf5,0x24, + 0x35,0xd8,0x5f,0xab,0x91,0x2b,0x6a,0xba,0x10,0xef,0xa5,0xb9,0x46,0xed,0x01,0xe1, + 0x5d,0x42,0x7a,0x4e,0xcd,0x0f,0xf9,0x55,0x67,0x73,0x79,0x17,0x98,0xb6,0x69,0x56, + 0xec,0xc7,0x52,0x88,0xd1,0xe9,0xba,0x2a,0x9e,0xa9,0x48,0x57,0xd3,0x13,0x29,0x99, + 0xa2,0x25,0xb1,0xff,0xaf,0x84,0x46,0x70,0x15,0x6e,0x7a,0x3e,0xa9,0xf0,0x77,0xfe, + 0x82,0x59,0xa0,0x98,0xb9,0xee,0x75,0x9a,0x6d,0xdf,0xb7,0xd2,0x0a,0x7a,0xcd,0x1b, + 0xcb,0x9f,0x67,0x77,0x7e,0x74,0x61,0x5e,0x88,0x59,0xea,0x56,0x28,0x1f,0xe5,0xc4, + 0x00,0x74,0x8f,0x02,0xd1,0xa2,0x63,0xb1,0x86,0x7a,0x3b,0x51,0x74,0x8a,0xb7,0x0f), + .s = chunk_from_chars( + 
0x34,0x5e,0x2f,0x60,0xf7,0xc8,0x2c,0x89,0xef,0x7d,0xfd,0x7d,0xff,0x2b,0xc2,0x34, + 0x8b,0xab,0x02,0x04,0x79,0x33,0x08,0x99,0xd4,0x41,0x02,0x13,0xb3,0x5e,0x98,0xd9, + 0xba,0xc9,0x2f,0xd8,0xae,0x80,0x6b,0x5b,0xce,0x8a,0x6c,0x4b,0xd8,0x27,0x5b,0x0f, + 0xac,0xb4,0xdd,0x13,0xf9,0xd6,0x8b,0xa6,0x71,0x41,0xfa,0x50,0x85,0x26,0x4d,0xa6, + 0xdd,0x68,0x5a,0x6d,0x21,0x21,0x70,0xa2,0xc9,0xcb,0xf2,0xcf,0x59,0x30,0x18,0x0e, + 0xff,0xc2,0x50,0x86,0x8c,0x98,0x4b,0xf5,0x0f,0xf6,0x9d,0x60,0x69,0xea,0x28,0xf5, + 0xbc,0x1b,0x63,0x70,0x5d,0x07,0x32,0x41,0x6f,0xd8,0x29,0xa5,0xf5,0xd6,0x21,0x74, + 0x62,0xc2,0x2a,0x33,0xfd,0x46,0x52,0xf7,0xc1,0xd1,0x98,0x79,0x46,0x46,0xc0,0x84, + 0x06,0x02,0x4e,0x81,0x63,0xa7,0xeb,0xe3,0x9c,0xfb,0x51,0x4c,0x54,0x43,0x89,0x7b, + 0x58,0x94,0xdd,0x19,0xa2,0x13,0xe0,0x37,0xf2,0x7e,0x0f,0xfb,0xd6,0xc5,0x44,0x7a, + 0x80,0x5a,0x54,0xdf,0xdf,0x4f,0x65,0x81,0x9d,0x4e,0x0f,0xbe,0xe2,0x5e,0x3d,0xac, + 0x47,0xfb,0x6b,0x63,0x6e,0x8d,0xe6,0x19,0x0a,0xdc,0xcb,0xce,0xe9,0x37,0xd0,0x97, + 0x7b,0x35,0xb9,0x73,0x60,0x6b,0x0c,0xa3,0x48,0x75,0x8b,0x50,0xcd,0xbb,0xa0,0x28, + 0xb7,0x3d,0x0e,0xf0,0x1c,0x56,0x01,0x4c,0x03,0x1c,0x59,0x8f,0xe8,0xdb,0x87,0xd2, + 0xca,0x46,0x44,0x77,0x0a,0xaa,0x04,0x51,0xc3,0x76,0xde,0xd8,0x2f,0xf5,0xc6,0xb8, + 0xe7,0xd2,0xed,0x9d,0x1c,0x8a,0x17,0xc3,0x12,0x2c,0x12,0x82,0x73,0xc6,0x0f,0xd1, + 0xb0,0x08,0x8d,0xfb,0xc9,0xc9,0x27,0xf1,0x62,0xe4,0x38,0x79,0x40,0x59,0x64,0xcb, + 0x11,0xef,0x78,0x99,0x12,0x3f,0xeb,0x8f,0x88,0xdd,0x27,0x34,0xdf,0x98,0xaa,0x69, + 0x6d,0x93,0x6a,0x8d,0xf0,0x70,0x00,0xe8,0x4a,0xf9,0x01,0x01,0xf7,0x00,0x6a,0x9b, + 0xd2,0x54,0x9f,0xdd,0x0a,0xd3,0xf9,0xde,0x09,0x30,0x12,0xd3,0x2d,0x2a,0xfa,0xa8, + 0x28,0x01,0x7e,0xe9,0xc6,0x07,0xcb,0xf5,0xb5,0x4f,0x22,0x36,0x66,0xd4,0xb5,0xf3, + 0xe2,0x6e,0x0d,0xfe,0xc0,0x03,0x96,0x1b,0x83,0xd8,0x3d,0xe3,0x9f,0xf6,0xa0,0xe8, + 0x1e,0x18,0x83,0xc1,0xdb,0x4a,0xaa,0xf0,0x82,0xfe,0xc5,0xaa,0x30,0xa7,0xe5,0x78, + 0x55,0x3d,0x89,0x77,0x4c,0x67,0x90,0x77,0x90,0xc9,0x6d,0xc4,0xf5,0xbe,0x4c,0x8c), + }, + { 
+ .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512,
+ .m = chunk_from_chars(
+ 0x13,0x2c,0xf5,0x0c,0x66,0xac,0x4c,0xc5,0x43,0x39,0x75,0x1a,0x0e,0xbb,0x86,0x5e,
+ 0x1d,0x3d,0x32,0x05,0x62,0xfc,0x90,0x5c,0x4a,0xbd,0x1e,0x78,0xe4,0x64,0x06,0x6c,
+ 0x46,0xc3,0xa0,0xc0,0x2d,0xb0,0x37,0x1e,0xe3,0x5a,0x10,0x4d,0x66,0xdd,0xa8,0x64,
+ 0xc6,0x13,0x3e,0x37,0xcf,0xad,0x91,0x16,0xe8,0x83,0xeb,0xb7,0x3b,0x29,0x5e,0x70,
+ 0x16,0xc3,0x4e,0xa9,0x91,0x1a,0x30,0x92,0x72,0xef,0x90,0x11,0x4d,0x8f,0x59,0xff,
+ 0xf0,0xa7,0x51,0x93,0xfe,0x5a,0xe3,0x1e,0xd9,0x91,0x21,0xf9,0xc5,0x92,0x09,0xbc,
+ 0x4b,0xd5,0x07,0xb1,0xdc,0x12,0xbc,0x89,0xb7,0x9f,0xfe,0x4d,0x0d,0xf9,0x20,0x97,
+ 0x62,0xa1,0x73,0x01,0x36,0x29,0x0c,0xde,0xe5,0x8e,0xc8,0x28,0xcc,0xc8,0x8e,0xba),
+ .s = chunk_from_chars(
+ 0xb1,0x25,0x03,0xb7,0xb2,0xf7,0x83,0x61,0x88,0x84,0x17,0x4b,0xcb,0x9b,0xe1,0x08,
+ 0x77,0x96,0x04,0x31,0xed,0x63,0x63,0xc8,0x07,0xe1,0x2d,0xb7,0x1b,0x8b,0x6b,0xd9,
+ 0xd6,0x40,0x1d,0x06,0x4e,0x25,0x37,0x40,0x15,0x8e,0x8b,0x90,0x01,0x52,0xd3,0x7f,
+ 0xaf,0x20,0x33,0x3a,0x7d,0x80,0xb3,0xd4,0x7c,0x7c,0x7a,0x3f,0xa1,0x20,0x91,0xce,
+ 0x31,0xcd,0x8a,0xae,0x27,0x2a,0x4d,0xa1,0x5f,0xe2,0xcb,0x5c,0xfd,0xea,0x54,0x11,
+ 0x95,0xa4,0x69,0xc9,0x6b,0xcf,0x69,0x5e,0x0b,0x52,0x6d,0xfa,0x48,0xa5,0x90,0x03,
+ 0xc6,0x76,0x3a,0xf8,0x13,0x63,0x92,0xc4,0xb8,0xd2,0x4d,0xb3,0x14,0x74,0x6f,0x42,
+ 0xac,0xa5,0x50,0xac,0xc6,0x5e,0x07,0x49,0x13,0xab,0x82,0x23,0x2e,0xb8,0x59,0x35,
+ 0x09,0x15,0x8a,0x8b,0xa3,0x4b,0xc0,0xf0,0xe3,0x12,0x5a,0x83,0x4a,0x3e,0xd2,0xd6,
+ 0xa8,0xcb,0x1d,0x08,0x5f,0x23,0x4a,0xe8,0x68,0xb8,0x6a,0xea,0x8d,0x6f,0x82,0xe1,
+ 0x3a,0x08,0x84,0x24,0x85,0x06,0x6e,0x48,0xaa,0xe4,0x83,0x78,0x73,0x15,0x0f,0x44,
+ 0x47,0x5e,0x12,0x60,0x2b,0x55,0x2d,0xcb,0x34,0xd1,0xf9,0xfd,0xaa,0xdb,0xc6,0xbf,
+ 0xf5,0x13,0x4c,0x6f,0xc7,0x62,0x63,0x88,0x8b,0xe6,0x7e,0xfe,0x63,0xee,0x18,0x40,
+ 0xfa,0x08,0xc4,0x99,0x38,0x85,0x8a,0x9d,0x48,0xb1,0x05,0x8d,0x18,0x97,0x6b,0xf2,
+ 0xe3,0xbf,0xc6,0x25,0x55,0x2f,0x75,0xb3,0xea,0x44,0xeb,0x91,0xdd,0x36,0x68,0x65,
+ 0xf2,0x40,0xa0,0xc3,0x36,0xa0,0x11,0x0e,0x0f,0xa0,0x9d,0x09,0xcd,0x94,0xc7,0x0c,
+ 0xbc,0x88,0x95,0xae,0x3d,0x44,0xae,0x3d,0xff,0x54,0x5f,0x0e,0x8c,0x8c,0xc6,0x62,
+ 0xec,0xd4,0x0f,0x90,0x99,0xa9,0x52,0x49,0x43,0x96,0xc6,0xb4,0x23,0xeb,0xb4,0x63,
+ 0x40,0x99,0x69,0x28,0x1c,0xdd,0x54,0xad,0x87,0xa3,0x08,0xe4,0x87,0xce,0x19,0x74,
+ 0x5b,0x30,0xd5,0xda,0x76,0xb9,0x8d,0x2a,0xa9,0xa0,0x07,0xa5,0x57,0x83,0xb3,0x03,
+ 0x7e,0x5b,0x86,0x62,0x32,0x28,0x10,0xbd,0xd1,0x1d,0x86,0xdc,0x3f,0x61,0x45,0x11,
+ 0x49,0x39,0x1f,0xb2,0xf1,0x4e,0xd9,0xc1,0x7c,0x75,0x16,0x23,0xa4,0x04,0x2c,0xe7,
+ 0xed,0xb8,0x75,0xee,0x27,0xbc,0xd1,0xf1,0x9d,0x6d,0xc9,0x28,0x3a,0xd0,0x6d,0x15,
+ 0xe0,0x97,0xe2,0xb0,0xb1,0x5a,0x7e,0xb7,0x12,0x8a,0xdb,0xca,0x0a,0xa6,0xad,0xcc),
+ },
+};
+
+START_TEST(test_sign_pkcs15_3072)
+{
+ signature_scheme_t scheme = pkcs15_3072[_i].scheme;
+ chunk_t sig;
+
+ if (!lib->plugins->has_feature(lib->plugins,
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, scheme)) ||
+ !lib->plugins->has_feature(lib->plugins,
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, scheme)))
+ {
+ warn("%N not supported, skip test", signature_scheme_names, scheme);
+ return;
+ }
+ fail_unless(privkey_3072->sign(privkey_3072, scheme, NULL, pkcs15_3072[_i].m, &sig),
+ "sign %N", signature_scheme_names, scheme);
+ ck_assert_chunk_eq(pkcs15_3072[_i].s, sig);
+ fail_unless(pubkey_3072->verify(pubkey_3072, scheme, NULL, pkcs15_3072[_i].m, sig),
+ "verify %N", signature_scheme_names, scheme);
+ free(sig.ptr);
+}
+END_TEST
+
+/**
+ * Keys for the FIPS 186-4 SigGen RSASSA-PSS test vectors
+ */
+static private_key_t *privpss_2048, *privpss_3072;
+static public_key_t *pubpss_2048, *pubpss_3072;
+static bool pss_salt_supported;
+
+static void pss_salt_test()
+{
+ chunk_t sig_salt = chunk_from_chars(
+ 0x3c,0x34,0xa4,0x56,0xdb,0x84,0x7b,0x7b,0xbb,0xbb,0xb0,0x15,0x5c,0xe2,0xe2,0x26,
+ 0xde,0xa9,0x27,0xb8,0x71,0x1b,0x28,0x0d,0xe3,0xe4,0xc2,0x6b,0x44,0x39,0xae,0x78,
+ 0x3a,0x93,0x68,0x6c,0xa0,0x91,0x19,0xd3,0x15,0x3b,0x93,0x15,0x92,0x13,0xaa,0x22,
+ 0x76,0x18,0xfd,0xbf,0x53,0x7f,0x2c,0xa7,0x24,0x5d,0xfa,0x93,0x78,0xff,0xdf,0x25,
+ 0x25,0x6c,0x65,0x2d,0xc1,0x6c,0xfd,0x43,0x87,0x3c,0x83,0x5b,0xe0,0x76,0xaf,0x99,
+ 0xa7,0xe4,0x11,0x3d,0xa6,0xa7,0xa4,0x50,0x0c,0xb8,0x4b,0x9b,0xd7,0x29,0xa6,0x6c,
+ 0x39,0x15,0xef,0xd9,0x46,0x5d,0x64,0x7e,0xf9,0x90,0x4a,0x7e,0x53,0xeb,0xfd,0x2f,
+ 0x32,0xdc,0x38,0xdf,0x3d,0xef,0xf7,0xa5,0x87,0xf0,0x5c,0x33,0x78,0x61,0x40,0x36,
+ 0x8d,0x16,0x14,0xf3,0xeb,0xfb,0x58,0x99,0x06,0xe9,0x48,0x67,0x93,0xe7,0x84,0x3c,
+ 0x6c,0x4a,0x3c,0x7e,0x0b,0xcc,0x62,0xcf,0xdb,0x7b,0x85,0xff,0x6c,0x3d,0x9f,0x7c,
+ 0x22,0x9e,0x0a,0x83,0x0b,0x3a,0x6a,0xe9,0xc2,0xbe,0x2f,0xd2,0xab,0x66,0xcb,0x1a,
+ 0x52,0x27,0x71,0x72,0x46,0xbf,0xed,0x8d,0xaa,0x47,0xaf,0x88,0x3a,0xf2,0xc2,0x6d,
+ 0xf4,0x24,0x01,0x4c,0x21,0xa1,0x40,0x63,0x93,0xeb,0xd9,0x56,0xf5,0xd2,0x74,0xe6,
+ 0x16,0x94,0x89,0x74,0x31,0x71,0xba,0xbd,0x6a,0x89,0x4a,0x52,0x9a,0x79,0x07,0x68,
+ 0x34,0x24,0x54,0xfd,0x21,0x54,0x7d,0xbe,0x3a,0x46,0xa6,0x28,0xa5,0xbc,0xea,0x30,
+ 0xb6,0x85,0xda,0x7e,0x45,0x24,0xc9,0xba,0x5f,0x0d,0xee,0xea,0x1b,0x54,0x67,0xc6);
+ chunk_t sig_zero = chunk_from_chars(
+ 0xb0,0x7e,0x08,0xf4,0xb7,0x02,0xf7,0x91,0x7a,0x81,0x65,0xc3,0x87,0x39,0xe7,0x67,
+ 0xfa,0x28,0x4d,0xe5,0x65,0xe3,0x95,0x94,0xfd,0x30,0x1d,0x94,0x98,0x81,0xce,0x0c,
+ 0x0e,0x8d,0x40,0xc1,0x37,0x43,0x9b,0xbd,0x81,0x0e,0x19,0x8c,0xee,0xd8,0xd9,0x7a,
+ 0x95,0x96,0x76,0x57,0x0b,0x86,0xc5,0x69,0xe9,0x4d,0x9a,0x82,0x80,0xd5,0xf7,0x95,
+ 0x15,0x7c,0xfc,0x82,0xe6,0x0a,0x1a,0x13,0x84,0xb3,0xbc,0xe6,0xe3,0xc0,0xd4,0x84,
+ 0xcf,0xd4,0xdd,0xbd,0x5a,0x53,0x49,0x1f,0x72,0x47,0xbf,0x93,0x59,0xf4,0xf2,0xfb,
+ 0xcf,0xf8,0x42,0xb6,0xdb,0xb4,0xfb,0xea,0xa6,0x2e,0xdc,0xb5,0x3c,0x41,0x73,0xaa,
+ 0xba,0x0a,0xb3,0x7b,0x23,0x03,0x0a,0x71,0x7f,0x49,0xba,0x17,0xaa,0x35,0x15,0xeb,
+ 0xd0,0xea,0xae,0xb2,0x7a,0xf2,0xed,0x58,0x74,0xb0,0xe5,0xa8,0x1e,0x59,0x10,0x88,
+ 0xe6,0xe6,0xf7,0xc6,0x41,0x78,0xf5,0x88,0x35,0x03,0xf9,0x82,0x42,0xb5,0x42,0x43,
+ 0xc6,0x4f,0xeb,0xbf,0xa0,0x3b,0xef,0x61,0x35,0x80,0x2c,0xcb,0x3f,0x3a,0x3e,0x3d,
+ 0x7a,0x75,0x5e,0x0b,0xdb,0xc8,0xdf,0xc1,0x2f,0x73,0x55,0xec,0x2b,0x20,0xd0,0xf3,
+ 0xa3,0x8a,0xaf,0x3a,0xb3,0xe5,0xad,0xa2,0x9c,0x4f,0x6b,0x64,0x6b,0xb0,0x54,0x38,
+ 0x96,0xaa,0xb6,0x9c,0x8b,0xe9,0x7d,0x41,0xa5,0x0a,0xde,0x24,0x4d,0x5a,0x37,0xe6,
+ 0xe3,0xbd,0xbb,0x1c,0x00,0x8a,0x22,0xd5,0x51,0x70,0x18,0xaf,0x13,0x05,0x6e,0x32,
+ 0xf7,0xef,0xc3,0xe5,0x4b,0x6f,0x94,0xa0,0x59,0xa8,0xf8,0x7f,0x42,0x08,0x3b,0x51);
+ chunk_t sig;
+ rsa_pss_params_t params = {
+ .hash = HASH_SHA256,
+ .mgf1_hash = HASH_SHA256,
+ .salt = chunk_from_chars(0x01,0x02,0x03,0x04),
+ };
+
+ pss_salt_supported = FALSE;
+ if (!lib->plugins->has_feature(lib->plugins,
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PSS)))
+ {
+ return;
+ }
+ /* we should get one of two signatures, either one without a salt or
+ * one with the configured salt */
+ fail_unless(privpss_2048->sign(privpss_2048, SIGN_RSA_EMSA_PSS,
+ ¶ms, chunk_from_chars(0x04,0x03,0x02,0x01), &sig),
+ "sign %N", signature_scheme_names, SIGN_RSA_EMSA_PSS);
+
+ if (chunk_equals(sig, sig_salt))
+ { /* matches signature with passed salt */
+ pss_salt_supported = TRUE;
+ }
+ else if (!chunk_equals(sig, sig_zero))
+ { /* does not match signature without salt */
+ fail("unexpected signature received: %B", &sig);
+ }
+ free(sig.ptr);
+}
+
+START_SETUP(setup_keys_pss)
+{
+ create_key(chunk_from_chars(
+ 0xc5,0x06,0x2b,0x58,0xd8,0x53,0x9c,0x76,0x5e,0x1e,0x5d,0xba,0xf1,0x4c,0xf7,0x5d,
+ 0xd5,0x6c,0x2e,0x13,0x10,0x5f,0xec,0xfd,0x1a,0x93,0x0b,0xbb,0x59,0x48,0xff,0x32,
+ 0x8f,0x12,0x6a,0xbe,0x77,0x93,0x59,0xca,0x59,0xbc,0xa7,0x52,0xc3,0x08,0xd2,0x81,
+ 0x57,0x3b,0xc6,0x17,0x8b,0x6c,0x0f,0xef,0x7d,0xc4,0x45,0xe4,0xf8,0x26,0x43,0x04,
+ 0x37,0xb9,0xf9,0xd7,0x90,0x58,0x1d,0xe5,0x74,0x9c,0x2c,0xb9,0xcb,0x26,0xd4,0x2b, +
0x2f,0xee,0x15,0xb6,0xb2,0x6f,0x09,0xc9,0x96,0x70,0x33,0x64,0x23,0xb8,0x6b,0xc5, + 0xbe,0xc7,0x11,0x13,0x15,0x7b,0xe2,0xd9,0x44,0xd7,0xff,0x3e,0xeb,0xff,0xb2,0x84, + 0x13,0x14,0x3e,0xa3,0x67,0x55,0xdb,0x0a,0xe6,0x2f,0xf5,0xb7,0x24,0xee,0xcb,0x3d, + 0x31,0x6b,0x6b,0xac,0x67,0xe8,0x9c,0xac,0xd8,0x17,0x19,0x37,0xe2,0xab,0x19,0xbd, + 0x35,0x3a,0x89,0xac,0xea,0x8c,0x36,0xf8,0x1c,0x89,0xa6,0x20,0xd5,0xfd,0x2e,0xff, + 0xea,0x89,0x66,0x01,0xc7,0xf9,0xda,0xca,0x7f,0x03,0x3f,0x63,0x5a,0x3a,0x94,0x33, + 0x31,0xd1,0xb1,0xb4,0xf5,0x28,0x87,0x90,0xb5,0x3a,0xf3,0x52,0xf1,0x12,0x1c,0xa1, + 0xbe,0xf2,0x05,0xf4,0x0d,0xc0,0x12,0xc4,0x12,0xb4,0x0b,0xdd,0x27,0x58,0x5b,0x94, + 0x64,0x66,0xd7,0x5f,0x7e,0xe0,0xa7,0xf9,0xd5,0x49,0xb4,0xbe,0xce,0x6f,0x43,0xac, + 0x3e,0xe6,0x5f,0xe7,0xfd,0x37,0x12,0x33,0x59,0xd9,0xf1,0xa8,0x50,0xad,0x45,0x0a, + 0xaf,0x5c,0x94,0xeb,0x11,0xde,0xa3,0xfc,0x0f,0xc6,0xe9,0x85,0x6b,0x18,0x05,0xef), + chunk_from_chars( + 0x86,0xc9,0x4f), + chunk_from_chars( + 0x49,0xe5,0x78,0x6b,0xb4,0xd3,0x32,0xf9,0x45,0x86,0x32,0x7b,0xde,0x08,0x88,0x75, + 0x37,0x9b,0x75,0xd1,0x28,0x48,0x8f,0x08,0xe5,0x74,0xab,0x47,0x15,0x30,0x2a,0x87, + 0xee,0xa5,0x2d,0x4c,0x4a,0x23,0xd8,0xb9,0x7a,0xf7,0x94,0x48,0x04,0x33,0x7c,0x5f, + 0x55,0xe1,0x6b,0xa9,0xff,0xaf,0xc0,0xc9,0xfd,0x9b,0x88,0xec,0xa4,0x43,0xf3,0x9b, + 0x79,0x67,0x17,0x0d,0xdb,0x8c,0xe7,0xdd,0xb9,0x3c,0x60,0x87,0xc8,0x06,0x6c,0x4a, + 0x95,0x53,0x8a,0x44,0x1b,0x9d,0xc8,0x0d,0xc9,0xf7,0x81,0x00,0x54,0xfd,0x1e,0x5c, + 0x9d,0x02,0x50,0xc9,0x78,0xbb,0x2d,0x74,0x8a,0xbe,0x1e,0x94,0x65,0xd7,0x1a,0x81, + 0x65,0xd3,0x12,0x6d,0xce,0x5d,0xb2,0xad,0xac,0xc0,0x03,0xe9,0x06,0x2b,0xa3,0x7a, + 0x54,0xb6,0x3e,0x5f,0x49,0xa4,0xea,0xfe,0xbd,0x7e,0x4b,0xf5,0xb0,0xa7,0x96,0xc2, + 0xb3,0xa9,0x50,0xfa,0x09,0xc7,0x98,0xd3,0xfa,0x3e,0x86,0xc4,0xb6,0x2c,0x33,0xba, + 0x93,0x65,0xed,0xa0,0x54,0xe5,0xfe,0x74,0xa4,0x1f,0x21,0xb5,0x95,0x02,0x6a,0xcf, + 0x10,0x93,0xc9,0x0a,0x8c,0x71,0x72,0x2f,0x91,0xaf,0x1e,0xd2,0x9a,0x41,0xa2,0x44, + 
0x9a,0x32,0x0f,0xc7,0xba,0x31,0x20,0xe3,0xe8,0xc3,0xe4,0x24,0x0c,0x04,0x92,0x5c, + 0xc6,0x98,0xec,0xd6,0x6c,0x7c,0x90,0x6b,0xdf,0x24,0x0a,0xda,0xd9,0x72,0xb4,0xdf, + 0xf4,0x86,0x9d,0x40,0x0b,0x5d,0x13,0xe3,0x3e,0xeb,0xa3,0x8e,0x07,0x5e,0x87,0x2b, + 0x0e,0xd3,0xe9,0x1c,0xc9,0xc2,0x83,0x86,0x7a,0x4f,0xfc,0x39,0x01,0xd2,0x06,0x9f), + &privpss_2048, &pubpss_2048); + + create_key(chunk_from_chars( + 0xa7,0xa1,0x88,0x2a,0x7f,0xb8,0x96,0x78,0x60,0x34,0xd0,0x7f,0xb1,0xb9,0xf6,0x32, + 0x7c,0x27,0xbd,0xd7,0xce,0x6f,0xe3,0x9c,0x28,0x5a,0xe3,0xb6,0xc3,0x42,0x59,0xad, + 0xc0,0xdc,0x4f,0x7b,0x9c,0x7d,0xec,0x3c,0xa4,0xa2,0x0d,0x34,0x07,0x33,0x9e,0xed, + 0xd7,0xa1,0x2a,0x42,0x1d,0xa1,0x8f,0x59,0x54,0x67,0x3c,0xac,0x2f,0xf0,0x59,0x15, + 0x6e,0xcc,0x73,0xc6,0x86,0x1e,0xc7,0x61,0xe6,0xa0,0xf2,0xa5,0xa0,0x33,0xa6,0x76, + 0x8c,0x6a,0x42,0xd8,0xb4,0x59,0xe1,0xb4,0x93,0x23,0x49,0xe8,0x4e,0xfd,0x92,0xdf, + 0x59,0xb4,0x59,0x35,0xf3,0xd0,0xe3,0x08,0x17,0xc6,0x62,0x01,0xaa,0x99,0xd0,0x7a, + 0xe3,0x6c,0x5d,0x74,0xf4,0x08,0xd6,0x9c,0xc0,0x8f,0x04,0x41,0x51,0xff,0x49,0x60, + 0xe5,0x31,0x36,0x0c,0xb1,0x90,0x77,0x83,0x3a,0xdf,0x7b,0xce,0x77,0xec,0xfa,0xa1, + 0x33,0xc0,0xcc,0xc6,0x3c,0x93,0xb8,0x56,0x81,0x45,0x69,0xe0,0xb9,0x88,0x4e,0xe5, + 0x54,0x06,0x1b,0x9a,0x20,0xab,0x46,0xc3,0x82,0x63,0xc0,0x94,0xda,0xe7,0x91,0xaa, + 0x61,0xa1,0x7f,0x8d,0x16,0xf0,0xe8,0x5b,0x7e,0x5c,0xe3,0xb0,0x67,0xec,0xe8,0x9e, + 0x20,0xbc,0x4e,0x8f,0x1a,0xe8,0x14,0xb2,0x76,0xd2,0x34,0xe0,0x4f,0x4e,0x76,0x6f, + 0x50,0x1d,0xa7,0x4e,0xa7,0xe3,0x81,0x7c,0x24,0xea,0x35,0xd0,0x16,0x67,0x6c,0xec, + 0xe6,0x52,0xb8,0x23,0xb0,0x51,0x62,0x55,0x73,0xca,0x92,0x75,0x7f,0xc7,0x20,0xd2, + 0x54,0xec,0xf1,0xdc,0xbb,0xfd,0x21,0xd9,0x83,0x07,0x56,0x1e,0xca,0xab,0x54,0x54, + 0x80,0xc7,0xc5,0x2a,0xd7,0xe9,0xfa,0x6b,0x59,0x7f,0x5f,0xe5,0x50,0x55,0x9c,0x2f, + 0xe9,0x23,0x20,0x5a,0xc1,0x76,0x1a,0x99,0x73,0x7c,0xa0,0x2d,0x7b,0x19,0x82,0x2e, + 0x00,0x8a,0x89,0x69,0x34,0x9c,0x87,0xfb,0x87,0x4c,0x81,0x62,0x0e,0x38,0xf6,0x13, + 
0xc8,0x52,0x1f,0x03,0x81,0xfe,0x5b,0xa5,0x5b,0x74,0x82,0x7d,0xad,0x3e,0x1c,0xf2, + 0xaa,0x29,0xc6,0x93,0x36,0x29,0xf2,0xb2,0x86,0xad,0x11,0xbe,0x88,0xfa,0x64,0x36, + 0xe7,0xe3,0xf6,0x4a,0x75,0xe3,0x59,0x52,0x90,0xdc,0x0d,0x1c,0xd5,0xee,0xe7,0xaa, + 0xac,0x54,0x95,0x9c,0xc5,0x3b,0xd5,0xa9,0x34,0xa3,0x65,0xe7,0x2d,0xd8,0x1a,0x2b, + 0xd4,0xfb,0x9a,0x67,0x82,0x1b,0xff,0xed,0xf2,0xef,0x2b,0xd9,0x49,0x13,0xde,0x8b), + chunk_from_chars( + 0x14,0x15,0xa7), + chunk_from_chars( + 0x07,0x3a,0x5f,0xc4,0xcd,0x64,0x2f,0x61,0x13,0xdf,0xfc,0x4f,0x84,0x03,0x5c,0xee, + 0x3a,0x2b,0x8a,0xcc,0x54,0x97,0x03,0x75,0x1a,0x1d,0x6a,0x5e,0xaa,0x13,0x48,0x72, + 0x29,0xa5,0x8e,0xf7,0xd7,0xa5,0x22,0xbb,0x9f,0x4f,0x25,0x51,0x0f,0x1a,0xa0,0xf7, + 0x4c,0x6a,0x8f,0xc8,0xa5,0xc5,0xbe,0x8b,0x91,0xa6,0x74,0xed,0xe5,0x0e,0x92,0xf7, + 0xe3,0x4a,0x90,0xa3,0xc9,0xda,0x99,0x9f,0xff,0xb1,0xd6,0x95,0xe4,0x58,0x8f,0x45, + 0x12,0x56,0xc1,0x63,0x48,0x4c,0x15,0x13,0x50,0xcb,0x9c,0x78,0x25,0xa7,0xd9,0x10, + 0x84,0x5e,0xe5,0xcf,0x82,0x6f,0xec,0xf9,0xa7,0xc0,0xfb,0xbb,0xba,0x22,0xbb,0x4a, + 0x53,0x1c,0x13,0x1d,0x2e,0x77,0x61,0xba,0x89,0x8f,0x00,0x2e,0xbe,0xf8,0xab,0x87, + 0x21,0x85,0x11,0xf8,0x1d,0x32,0x66,0xe1,0xec,0x07,0xa7,0xca,0x86,0x22,0x51,0x4c, + 0x6d,0xfd,0xc8,0x6c,0x67,0x67,0x9a,0x2c,0x8f,0x5f,0x03,0x1d,0xe9,0xa0,0xc2,0x2b, + 0x5a,0x88,0x06,0x0b,0x46,0xee,0x0c,0x64,0xd3,0xb9,0xaf,0x3c,0x0a,0x37,0x9b,0xcd, + 0x9c,0x6a,0x1b,0x51,0xcf,0x64,0x80,0x45,0x6d,0x3f,0xd6,0xde,0xf9,0x4c,0xd2,0xa6, + 0xc1,0x71,0xdd,0x3f,0x01,0x0e,0x3c,0x9d,0x66,0x2b,0xc8,0x57,0x20,0x82,0x48,0xc9, + 0x4e,0xbc,0xb9,0xfd,0x99,0x7b,0x9f,0xf4,0xa7,0xe5,0xfd,0x95,0x55,0x85,0x69,0x90, + 0x65,0x25,0xe7,0x41,0xd7,0x83,0x44,0xf6,0xf6,0xcf,0xdb,0xd5,0x9d,0x4f,0xaa,0x52, + 0xee,0x3f,0xa9,0x64,0xfb,0x7c,0xcc,0xb2,0xd6,0xbe,0x19,0x35,0xd2,0x11,0xfe,0x14, + 0x98,0x21,0x77,0x16,0x27,0x39,0x39,0xa9,0x46,0x08,0x1f,0xd8,0x50,0x99,0x13,0xfd, + 0x47,0x74,0x7c,0x5c,0x2f,0x03,0xef,0xd4,0xd6,0xfc,0x9c,0x6f,0xcf,0xd8,0x40,0x2e, + 
0x9f,0x40,0xa0,0xa5,0xb3,0xde,0x3c,0xa2,0xb3,0xc0,0xfa,0xc9,0x45,0x69,0x38,0xfa, + 0xa6,0xcf,0x2c,0x20,0xe3,0x91,0x2e,0x59,0x81,0xc9,0x87,0x6d,0x8c,0xa1,0xff,0x29, + 0xb8,0x7a,0x15,0xee,0xae,0x0c,0xcc,0xe3,0xf8,0xa8,0xf1,0xe4,0x05,0x09,0x1c,0x08, + 0x3b,0x98,0xbc,0xc5,0xfe,0x0d,0x0d,0xea,0xae,0x33,0xc6,0x7c,0x03,0x94,0x43,0x7f, + 0x0e,0xcc,0xb3,0x85,0xb7,0xef,0xb1,0x7a,0xee,0xbb,0xa8,0xaf,0xae,0xcc,0xa3,0x0a, + 0x2f,0x63,0xea,0xc8,0xf0,0xac,0x8f,0x1e,0xac,0xad,0x85,0xbb,0xca,0xf3,0x96,0x0b), + &privpss_3072, &pubpss_3072); + + pss_salt_test(); +} +END_SETUP + +START_TEARDOWN(teardown_keys_pss) +{ + pubpss_2048->destroy(pubpss_2048); + privpss_2048->destroy(privpss_2048); + pubpss_3072->destroy(pubpss_3072); + privpss_3072->destroy(privpss_3072); +} +END_TEARDOWN + +/** + * SigGen test vectors from FIPS 186-4 (first two for each hash algo) + */ +static struct { + rsa_pss_params_t params; + chunk_t m; + chunk_t s; +} pss_sign_2048[] = { + { + .params = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, + .salt_len = 20, + .salt = chunk_from_chars( + 0xe1,0x25,0x6f,0xc1,0xee,0xef,0x81,0x77,0x3f,0xdd,0x54,0x65,0x7e,0x40,0x07,0xfd, + 0xe6,0xbc,0xb9,0xb1), + }, + .m = chunk_from_chars( + 0xdf,0xc2,0x26,0x04,0xb9,0x5d,0x15,0x32,0x80,0x59,0x74,0x5c,0x6c,0x98,0xeb,0x9d, + 0xfb,0x34,0x7c,0xf9,0xf1,0x70,0xaf,0xf1,0x9d,0xee,0xec,0x55,0x5f,0x22,0x28,0x5a, + 0x67,0x06,0xc4,0xec,0xbf,0x0f,0xb1,0x45,0x8c,0x60,0xd9,0xbf,0x91,0x3f,0xba,0xe6, + 0xf4,0xc5,0x54,0xd2,0x45,0xd9,0x46,0xb4,0xbc,0x5f,0x34,0xae,0xc2,0xac,0x6b,0xe8, + 0xb3,0x3d,0xc8,0xe0,0xe3,0xa9,0xd6,0x01,0xdf,0xd5,0x36,0x78,0xf5,0x67,0x44,0x43, + 0xf6,0x7d,0xf7,0x8a,0x3a,0x9e,0x09,0x33,0xe5,0xf1,0x58,0xb1,0x69,0xac,0x8d,0x1c, + 0x4c,0xd0,0xfb,0x87,0x2c,0x14,0xca,0x8e,0x00,0x1e,0x54,0x2e,0xa0,0xf9,0xcf,0xda, + 0x88,0xc4,0x2d,0xca,0xd8,0xa7,0x40,0x97,0xa0,0x0c,0x22,0x05,0x5b,0x0b,0xd4,0x1f), + .s = chunk_from_chars( + 0x8b,0x46,0xf2,0xc8,0x89,0xd8,0x19,0xf8,0x60,0xaf,0x0a,0x6c,0x4c,0x88,0x9e,0x4d, + 
0x14,0x36,0xc6,0xca,0x17,0x44,0x64,0xd2,0x2a,0xe1,0x1b,0x9c,0xcc,0x26,0x5d,0x74, + 0x3c,0x67,0xe5,0x69,0xac,0xcb,0xc5,0xa8,0x0d,0x4d,0xd5,0xf1,0xbf,0x40,0x39,0xe2, + 0x3d,0xe5,0x2a,0xec,0xe4,0x02,0x91,0xc7,0x5f,0x89,0x36,0xc5,0x8c,0x9a,0x2f,0x77, + 0xa7,0x80,0xbb,0xe7,0xad,0x31,0xeb,0x76,0x74,0x2f,0x7b,0x2b,0x8b,0x14,0xca,0x1a, + 0x71,0x96,0xaf,0x7e,0x67,0x3a,0x3c,0xfc,0x23,0x7d,0x50,0xf6,0x15,0xb7,0x5c,0xf4, + 0xa7,0xea,0x78,0xa9,0x48,0xbe,0xda,0xf9,0x24,0x24,0x94,0xb4,0x1e,0x1d,0xb5,0x1f, + 0x43,0x7f,0x15,0xfd,0x25,0x51,0xbb,0x5d,0x24,0xee,0xfb,0x1c,0x3e,0x60,0xf0,0x36, + 0x94,0xd0,0x03,0x3a,0x1e,0x0a,0x9b,0x9f,0x5e,0x4a,0xb9,0x7d,0x45,0x7d,0xff,0x9b, + 0x9d,0xa5,0x16,0xdc,0x22,0x6d,0x6d,0x65,0x29,0x50,0x03,0x08,0xed,0x74,0xa2,0xe6, + 0xd9,0xf3,0xc1,0x05,0x95,0x78,0x8a,0x52,0xa1,0xbc,0x06,0x64,0xae,0xdf,0x33,0xef, + 0xc8,0xba,0xdd,0x03,0x7e,0xb7,0xb8,0x80,0x77,0x2b,0xdb,0x04,0xa6,0x04,0x6e,0x9e, + 0xde,0xee,0x41,0x97,0xc2,0x55,0x07,0xfb,0x0f,0x11,0xab,0x1c,0x9f,0x63,0xf5,0x3c, + 0x88,0x20,0xea,0x84,0x05,0xcf,0xd7,0x72,0x16,0x92,0x47,0x5b,0x4d,0x72,0x35,0x5f, + 0xa9,0xa3,0x80,0x4f,0x29,0xe6,0xb6,0xa7,0xb0,0x59,0xc4,0x44,0x1d,0x54,0xb2,0x8e, + 0x4e,0xed,0x25,0x29,0xc6,0x10,0x3b,0x54,0x32,0xc7,0x13,0x32,0xce,0x74,0x2b,0xcc), + }, + { + .params = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, + .salt_len = 20, + .salt = chunk_from_chars( + 0xe1,0x25,0x6f,0xc1,0xee,0xef,0x81,0x77,0x3f,0xdd,0x54,0x65,0x7e,0x40,0x07,0xfd, + 0xe6,0xbc,0xb9,0xb1), + }, + .m = chunk_from_chars( + 0xfd,0x6a,0x06,0x3e,0x61,0xc2,0xb3,0x54,0xfe,0x8c,0xb3,0x7a,0x5f,0x37,0x88,0xb5, + 0xc0,0x1f,0xf1,0x5a,0x72,0x5f,0x6b,0x81,0x81,0xe6,0xf6,0xb7,0x95,0xce,0x1c,0xf3, + 0x16,0xe9,0x30,0xcc,0x93,0x9c,0xd4,0xe8,0x65,0xf0,0xbd,0xb8,0x8f,0xe6,0xbb,0x62, + 0xe9,0x0b,0xf3,0xff,0x7e,0x4d,0x6f,0x07,0x32,0x0d,0xda,0x09,0xa8,0x75,0x84,0xa0, + 0x62,0x0c,0xad,0xa2,0x2a,0x87,0xff,0x9a,0xb1,0xe3,0x5c,0x79,0x77,0xb0,0xda,0x88, + 0xea,0xb0,0x0c,0xa1,0xd2,0xa0,0x84,0x9f,0xec,0x56,0x95,0x13,0xd5,0x0c,0x5e,0x39, + 
0x2a,0xfc,0x03,0x2a,0xee,0x2d,0x3e,0x52,0x2c,0x8c,0x17,0x25,0xdd,0x3e,0xef,0x0e, + 0x0b,0x35,0xc3,0xa8,0x37,0x01,0xaf,0x31,0xf9,0xe9,0xb1,0x3c,0xe6,0x3b,0xb0,0xa5), + .s = chunk_from_chars( + 0x49,0x2b,0x6f,0x68,0x84,0xdf,0x46,0x1f,0xe1,0x05,0x16,0xb6,0xb8,0xcc,0x20,0x53, + 0x85,0xc2,0x01,0x08,0xec,0x47,0xd5,0xdb,0x69,0x28,0x3f,0x4a,0x76,0x88,0xe3,0x18, + 0xcf,0xdc,0x3c,0x49,0x1f,0xb2,0x92,0x25,0x32,0x5a,0xeb,0x46,0xef,0xc7,0x5e,0x85, + 0x58,0x40,0x91,0x0b,0xba,0xf0,0xd1,0xc8,0xd4,0x78,0x45,0x42,0xb9,0x70,0x75,0x4a, + 0xaa,0x84,0xbf,0xe4,0x7c,0x77,0xb3,0xa1,0xb5,0x03,0x7d,0x4d,0x79,0x75,0x94,0x71, + 0xe9,0x6c,0xc7,0xa5,0x27,0xa0,0xed,0x06,0x7e,0x21,0x70,0x9e,0xf7,0xf4,0xc4,0x11, + 0x1b,0x60,0xb8,0xc0,0x80,0x82,0xc8,0x18,0x0c,0x7c,0x96,0xb6,0x1c,0x0f,0x71,0x02, + 0xed,0x9b,0x90,0xe2,0x4d,0xe1,0x1e,0x62,0x98,0xbb,0x24,0x45,0x18,0xf9,0xb4,0x46, + 0xce,0x64,0x1f,0xe9,0x95,0xe9,0xcc,0x29,0x9e,0xd4,0x11,0xb6,0x5e,0xb2,0x5e,0xaa, + 0xe9,0xe5,0x53,0x48,0x4a,0x0a,0x7e,0x95,0x6e,0xad,0xf0,0x84,0x08,0x88,0xc7,0x0e, + 0x5c,0xa6,0xeb,0xc3,0xe4,0x79,0xf8,0xc6,0x9c,0x53,0xcf,0x31,0x37,0x0a,0xb3,0x85, + 0xe8,0xb6,0x73,0xdc,0x45,0xa0,0xc1,0x96,0x4e,0xc4,0x94,0x68,0xd1,0x82,0x46,0x21, + 0x3a,0x8f,0x93,0xa2,0xa9,0x6a,0xad,0x5a,0x27,0x01,0xc1,0x91,0xa1,0x4a,0x31,0x51, + 0x9e,0x4f,0x36,0x54,0x4d,0x66,0x87,0x08,0xff,0x37,0xbe,0x54,0x81,0xcb,0x0f,0xfa, + 0x2b,0x0e,0x1f,0x14,0x5e,0x29,0xf8,0x57,0x5d,0xfa,0x9e,0xc3,0x0c,0x6c,0xb4,0x1c, + 0x39,0x34,0x39,0x29,0x22,0x10,0xea,0x80,0x6a,0x50,0x55,0x98,0xeb,0xdf,0x08,0x33), + }, + { + .params = { .hash = HASH_SHA384, .mgf1_hash = HASH_SHA384, + .salt_len = 25, + .salt = chunk_from_chars( + 0xb7,0x50,0x58,0x76,0x71,0xaf,0xd7,0x68,0x86,0xe8,0xff,0xb7,0x86,0x5e,0x78,0xf7, + 0x06,0x64,0x1b,0x2e,0x42,0x51,0xb4,0x87,0x06), + }, + .m = chunk_from_chars( + 0x83,0x3a,0xa2,0xb1,0xdc,0xc7,0x76,0x07,0xa4,0x4e,0x80,0x4e,0xe7,0x7d,0x45,0x40, + 0x85,0x86,0xc5,0x36,0x86,0x1f,0x66,0x48,0xad,0xcd,0x2f,0xb6,0x50,0x63,0x36,0x87, + 
0x67,0xc5,0x5c,0x6f,0xe2,0xf2,0x37,0xf6,0x40,0x42,0x50,0xd7,0x5d,0xec,0x8f,0xa6,
+ 0x8b,0xca,0xf3,0xb6,0xe5,0x61,0x86,0x3a,0xe0,0x1c,0x91,0xaa,0x23,0xd8,0x0c,0x69,
+ 0x99,0xa5,0x58,0xa4,0xc4,0xcb,0x31,0x7d,0x54,0x0c,0xde,0x69,0xf8,0x29,0xaa,0xd6,
+ 0x74,0xa8,0x98,0x12,0xf4,0xd3,0x53,0x68,0x9f,0x04,0x64,0x8c,0x70,0x20,0xa7,0x39,
+ 0x41,0x62,0x00,0x18,0x29,0x5a,0x4a,0xe4,0x08,0x35,0x90,0xcc,0x60,0x3e,0x80,0x18,
+ 0x67,0xa5,0x1c,0x10,0x5a,0x7f,0xb3,0x19,0x13,0x0f,0x10,0x22,0xde,0x44,0xf1,0x3e),
+ .s = chunk_from_chars(
+ 0x2c,0xa3,0x7a,0x3d,0x6a,0xbd,0x28,0xc1,0xea,0xf9,0xbd,0xe5,0xe7,0xac,0x17,0xf1,
+ 0xfa,0x79,0x9c,0xe1,0xb4,0xb8,0x99,0xd1,0x99,0x85,0xc2,0xff,0x7c,0x8b,0xa9,0x59,
+ 0xfe,0x54,0xe5,0xaf,0xb8,0xbc,0x40,0x21,0xa1,0xf1,0xc6,0x87,0xee,0xbb,0x8c,0xba,
+ 0x80,0x0d,0x1c,0x51,0x63,0x6b,0x1f,0x68,0xdc,0x3e,0x48,0xf6,0x3e,0x2d,0xa6,0xbc,
+ 0x6d,0x09,0xc6,0x66,0x8f,0x68,0xe5,0x08,0xc5,0xd8,0xc1,0x9b,0xef,0x15,0x47,0x59,
+ 0xe2,0xf8,0x9a,0xde,0x15,0x27,0x17,0x37,0x0a,0x89,0x44,0xf5,0x37,0x57,0x82,0x96,
+ 0x38,0x0d,0x1f,0xe6,0xbe,0x80,0x9e,0x8b,0x11,0x3d,0x2b,0x9d,0x89,0xe6,0xa4,0x6f,
+ 0x5c,0x33,0x3d,0x4f,0xd4,0x87,0x70,0xfc,0x1e,0xa1,0xc5,0x48,0x10,0x45,0x75,0xb8,
+ 0x4c,0xf0,0x71,0x04,0x2b,0xfe,0x5a,0xcf,0x49,0x63,0x92,0xbe,0x83,0x51,0xa4,0x1c,
+ 0x46,0xa2,0xca,0xb0,0x86,0x4c,0x4c,0x1c,0x5b,0x5e,0x0c,0x7b,0x27,0xe7,0xb8,0x8c,
+ 0x69,0xf3,0x7f,0xfa,0x7e,0x1a,0x8c,0xd9,0x8f,0x34,0x3a,0xc8,0x4a,0x4a,0xd6,0x70,
+ 0x25,0xa4,0x0e,0xd8,0xf6,0x64,0xe9,0xd6,0x30,0x33,0x7d,0xe6,0xe4,0x8b,0xb2,0x12,
+ 0x5e,0x25,0x52,0x12,0x36,0x09,0x49,0x1f,0x18,0x3a,0xfd,0x92,0x63,0x44,0x87,0xf0,
+ 0xb2,0xcf,0x97,0x1f,0x26,0x26,0xe8,0x88,0x58,0x87,0x9d,0x45,0xa2,0x9b,0x0f,0xef,
+ 0xb6,0x6c,0xd4,0x1b,0x2e,0x4e,0x96,0x83,0x85,0xbd,0x9f,0xc8,0xc7,0x21,0x19,0x76,
+ 0xbc,0x6b,0xd3,0xe1,0xad,0x6d,0xf6,0x08,0x56,0x98,0x5a,0x82,0x5f,0x47,0x26,0xd2),
+ },
+ {
+ .params = { .hash = HASH_SHA384, .mgf1_hash = HASH_SHA384,
+ .salt_len = 25,
+ .salt = chunk_from_chars(
+ 0xb7,0x50,0x58,0x76,0x71,0xaf,0xd7,0x68,0x86,0xe8,0xff,0xb7,0x86,0x5e,0x78,0xf7,
+ 0x06,0x64,0x1b,0x2e,0x42,0x51,0xb4,0x87,0x06),
+ },
+ .m = chunk_from_chars(
+ 0x89,0x25,0xb8,0x7e,0x9d,0x1d,0x73,0x9d,0x8f,0x97,0x54,0x50,0xb7,0x9d,0x09,0x19,
+ 0xdd,0xe6,0x3e,0x8a,0x9e,0xaa,0x1c,0xb5,0x11,0xb4,0x0f,0xe3,0xab,0xb9,0xcd,0x89,
+ 0x60,0xe8,0x94,0x77,0x0b,0xc2,0xb2,0x53,0x10,0x2c,0x4b,0x46,0x40,0xc3,0x57,0xf5,
+ 0xfd,0x6f,0xea,0xb3,0x9e,0x3b,0xb8,0xf4,0x15,0x64,0xd8,0x05,0xce,0xaf,0xc8,0xfb,
+ 0xdb,0x00,0xb2,0xea,0x4f,0x29,0xed,0x57,0xe7,0x00,0xc7,0xef,0xf0,0xb4,0x82,0x79,
+ 0x64,0x61,0x9c,0x09,0x57,0xe1,0x54,0x76,0x91,0xe6,0x69,0x0f,0x7d,0x45,0x25,0x8a,
+ 0x42,0x95,0x9a,0x3d,0x2f,0xf9,0x2c,0x91,0x5c,0x3a,0x4f,0xb3,0x8e,0x19,0x92,0x8c,
+ 0x5c,0xe3,0xdd,0xf4,0x90,0x45,0xf6,0x22,0xd0,0x62,0x4a,0x67,0x7e,0x23,0xeb,0x1d),
+ .s = chunk_from_chars(
+ 0x43,0xef,0x93,0xd1,0x4e,0x89,0xb0,0x5d,0x5e,0x0d,0xb2,0xdb,0xd5,0x7a,0x12,0x40,
+ 0x39,0x10,0x64,0x6b,0x4b,0x0a,0x24,0xd9,0xb8,0x0d,0x94,0x79,0x54,0x59,0x1a,0xfa,
+ 0x6e,0x98,0x09,0xe9,0x6d,0x7d,0x3e,0x71,0x10,0x03,0xee,0x0a,0x91,0x86,0xab,0x3d,
+ 0x8e,0x0b,0x4d,0x34,0x25,0xc6,0xda,0x4b,0x5f,0x78,0x99,0x53,0x7e,0x73,0x7b,0x71,
+ 0xdf,0x9e,0xd6,0x35,0x55,0x29,0xaa,0xce,0x77,0xa7,0xcb,0xa9,0x6b,0x5b,0x0a,0x86,
+ 0x39,0x92,0x52,0xf1,0x28,0x6a,0x6f,0xca,0xb1,0x80,0xb5,0x98,0x45,0x5d,0xfe,0x1d,
+ 0xe4,0xb8,0x04,0x70,0xd0,0x63,0x18,0xd5,0xf7,0xa5,0x2e,0x45,0xb6,0xd0,0xbc,0xc0,
+ 0x0b,0xd3,0x65,0x81,0x9a,0x4a,0x14,0x2b,0x83,0x07,0x27,0x75,0xf4,0x85,0xf6,0x3c,
+ 0x80,0x04,0xf5,0x33,0x78,0xa9,0xa0,0xd2,0x34,0x5d,0x07,0xb1,0xb3,0x26,0x23,0x8e,
+ 0xd0,0x70,0xd1,0xe6,0x9f,0xc0,0xb5,0xcf,0x85,0x3a,0x80,0x7c,0xfb,0x72,0x35,0x62,
+ 0xd1,0xf5,0x68,0x24,0x82,0xe8,0xa4,0x84,0x05,0x88,0xbc,0xc7,0x15,0x4c,0xe0,0x74,
+ 0x0c,0x76,0x86,0x16,0xcf,0x04,0xd7,0xaa,0x10,0x36,0x42,0x91,0x7e,0xc5,0xb4,0xb5,
+ 0x14,0xa3,0x73,0x4d,0x9e,0x0c,0x58,0x42,0x7c,0xff,0x42,0xf2,0x7f,0x43,0xfd,0xfc,
+ 0x85,0x99,0x1e,0x04,0x5a,0xcd,0x17,0xaf,0x6f,0xba,0x7b,0xda,0xb8,0x18,0xe9,0x0e,
+ 0xb4,0x11,0x76,0x84,0xe8,0x9f,0x91,0x63,0xdf,0xf7,0xb9,0x8b,0x82,0xa0,0x8b,0xaa,
+ 0x2b,0x49,0xac,0xde,0x48,0x0c,0x57,0x02,0xc3,0x35,0x23,0x7d,0x1b,0xe7,0x71,0xb7),
+ },
+ {
+ .params = { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512,
+ .salt_len = 30,
+ .salt = chunk_from_chars(
+ 0xaa,0x10,0xfe,0xc3,0xf8,0x3b,0x7a,0x97,0xe0,0x92,0x87,0x7a,0x5b,0xf9,0x08,0x12,
+ 0x83,0xf5,0x02,0xa0,0xa4,0x6b,0x50,0xe3,0x95,0xab,0x98,0x3a,0x49,0xac),
+ },
+ .m = chunk_from_chars(
+ 0x5f,0x0f,0xe2,0xaf,0xa6,0x1b,0x62,0x8c,0x43,0xea,0x3b,0x6b,0xa6,0x05,0x67,0xb1,
+ 0xae,0x95,0xf6,0x82,0x07,0x6f,0x01,0xdf,0xb6,0x4d,0xe0,0x11,0xf2,0x5e,0x9c,0x4b,
+ 0x36,0x02,0xa7,0x8b,0x94,0xce,0xcb,0xc1,0x4c,0xd7,0x61,0x33,0x9d,0x2d,0xc3,0x20,
+ 0xdb,0xa5,0x04,0xa3,0xc2,0xdc,0xde,0xdb,0x0a,0x78,0xeb,0x49,0x3b,0xb1,0x18,0x79,
+ 0xc3,0x11,0x58,0xe5,0x46,0x77,0x95,0x16,0x35,0x62,0xec,0x0c,0xa2,0x6c,0x19,0xe0,
+ 0x53,0x15,0x30,0xa8,0x15,0xc2,0x8f,0x9b,0x52,0x06,0x10,0x76,0xe6,0x1f,0x83,0x1e,
+ 0x2f,0xc4,0x5b,0x86,0x63,0x1e,0xa7,0xd3,0x27,0x14,0x44,0xbe,0x5d,0xcb,0x51,0x3a,
+ 0x3d,0x6d,0xe4,0x57,0xa7,0x2a,0xfb,0x67,0xb7,0x7d,0xb6,0x5f,0x9b,0xb1,0xc3,0x80),
+ .s = chunk_from_chars(
+ 0x5e,0x07,0x12,0xbb,0x36,0x3e,0x50,0x34,0xef,0x6b,0x23,0xc1,0x19,0xe3,0xb4,0x98,
+ 0x64,0x44,0x45,0xfa,0xab,0x5a,0x4c,0x0b,0x4e,0x21,0x7e,0x4c,0x83,0x2a,0xb3,0x4c,
+ 0x14,0x2d,0x7f,0x81,0xdb,0xf8,0xaf,0xfd,0xb2,0xda,0xce,0xfa,0xbb,0x2f,0x83,0x52,
+ 0x4c,0x5a,0xa8,0x83,0xfc,0x5f,0x06,0xe5,0x28,0xb2,0x32,0xd9,0x0f,0xbe,0xa9,0xca,
+ 0x08,0xae,0x5a,0xc1,0x80,0xd4,0x77,0xea,0xed,0x27,0xd1,0x37,0xe2,0xb5,0x1b,0xd6,
+ 0x13,0xb6,0x9c,0x54,0x3d,0x55,0x5b,0xfc,0x7c,0xd8,0x1a,0x4f,0x79,0x57,0x53,0xc8,
+ 0xc6,0x4c,0x6b,0x5d,0x2a,0xcd,0x9e,0x26,0xd6,0x22,0x5f,0x5b,0x26,0xe4,0xe6,0x6a,
+ 0x94,0x5f,0xd6,0x47,0x7a,0x27,0x7b,0x58,0x0d,0xbe,0xaa,0x46,0xd0,0xbe,0x49,0x8d,
+ 0xf9,0xa0,0x93,0x39,0x29,0x26,0xc9,0x05,0x64,0x19,0x45,0xec,0x5b,0x95,0x97,0x52,
+ 0x5e,0x44,0x9a,0xf3,0x74,0x3f,0x80,0x55,0x47,0x88,0xfc,0x35,0x8b,0xc0,0x40,0x1a,
+ 0x96,0x8f,0xf9,0x8a,0xaf,0x34,0xe5,0x0b,0x35,0x27,0x51,0xf3,0x22,0x74,0x75,0x0f,
+ 0xf5,0xc1,0xfb,0xa5,0x03,0x05,0x02,0x04,0xce,0xc9,0xc7,0x7d,0xee,0xde,0x7f,0x8f,
+ 0xa2,0x08,0x45,0xd9,0x5f,0x51,0x77,0x03,0x0b,0xc9,0x1d,0x51,0xf2,0x6f,0x29,0xd2,
+ 0xa6,0x5b,0x87,0x0d,0xc7,0x2b,0x81,0xe5,0xef,0x9e,0xee,0xf9,0x90,0xd7,0xc7,0x14,
+ 0x5b,0xbf,0x1a,0x3b,0xc7,0xae,0xdd,0x19,0xfa,0x7c,0xbb,0x02,0x07,0x56,0x52,0x5f,
+ 0x18,0x02,0x21,0x6c,0x13,0x29,0x6f,0xd6,0xaa,0xc1,0x1b,0xf2,0xd2,0xd9,0x04,0x94),
+ },
+ {
+ .params = { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512,
+ .salt_len = 30,
+ .salt = chunk_from_chars(
+ 0xaa,0x10,0xfe,0xc3,0xf8,0x3b,0x7a,0x97,0xe0,0x92,0x87,0x7a,0x5b,0xf9,0x08,0x12,
+ 0x83,0xf5,0x02,0xa0,0xa4,0x6b,0x50,0xe3,0x95,0xab,0x98,0x3a,0x49,0xac),
+ },
+ .m = chunk_from_chars(
+ 0x9e,0x88,0x0c,0xe5,0x9f,0x54,0x7d,0x59,0x2c,0x30,0x9c,0x22,0xa2,0x97,0x4b,0xa5,
+ 0xa5,0x2c,0xf1,0xc1,0x64,0xf2,0xd8,0xa8,0x1e,0xbb,0xd4,0xed,0xe6,0xe3,0x26,0xde,
+ 0xa3,0x3d,0x9f,0x13,0x5a,0x4e,0x09,0x47,0xb0,0xb9,0xc2,0x67,0xaa,0xfb,0xaa,0xe9,
+ 0xb8,0x58,0x3f,0x5f,0xf2,0x15,0x07,0x4c,0xa1,0xe8,0x2f,0x36,0x01,0xad,0x71,0xfc,
+ 0x45,0x5a,0x3b,0x6a,0xdc,0x35,0x0d,0x0b,0xf3,0x45,0x22,0x3e,0x3b,0x06,0x54,0x8c,
+ 0xec,0x61,0x3a,0x39,0x0a,0xda,0x93,0x19,0xe7,0x0c,0xe7,0xa5,0xe9,0x52,0x6b,0x4e,
+ 0x8d,0xc8,0x26,0x12,0xac,0x72,0x52,0x4c,0xfd,0xba,0x05,0xd0,0xdc,0x20,0x10,0x37,
+ 0x49,0x2d,0x27,0x78,0x34,0xa8,0x43,0xb9,0xf8,0x0d,0x45,0x64,0x25,0x3b,0xdc,0x7c),
+ .s = chunk_from_chars(
+ 0x8c,0x4f,0x81,0x9e,0x68,0x20,0x81,0xbb,0x16,0xdd,0xd4,0x59,0x66,0x2a,0x80,0x78,
+ 0xbc,0xa4,0x79,0x3e,0x18,0x11,0x00,0x33,0x53,0x94,0x60,0xb4,0x08,0xc0,0xaf,0x74,
+ 0x7e,0xa5,0xd9,0x41,0xf7,0x12,0x69,0x1f,0x5d,0x9d,0xdb,0x64,0x31,0x66,0xfd,0x96,
+ 0x5f,0x5b,0x51,0xb8,0x19,0xd5,0x51,0x41,0xd6,0x7c,0x15,0x53,0xb2,0x7a,0x46,0x82,
+ 0xe6,0x7d,0x55,0x55,0xb6,0x4d,0x7c,0xd3,0xdb,0x7f,0xc5,0xc2,0xe7,0x01,0xdd,0x26,
+ 0xe4,0x22,0xaf,0x8a,0x1f,0xb5,0x2c,0xd5,0xf5,0xa0,0x9e,0x0d,0x6d,0xb9,0x00,0xa9,
+ 0x92,0xf3,0x18,0xde,0xeb,0x6f,0x6e,0x39,0xdf,0xd6,0xaf,0x44,0xcb,0x21,0x7c,0x68,
+ 0x54,0x08,0x9c,0xea,0xa1,0x6e,0x3f,0x9b,0x10,0x0e,0xf8,0xe7,0x8f,0x6b,0x45,0x34,
+ 0x58,0xb8,0xef,0x6d,0x71,0x49,0x3e,0x7c,0x6e,0x45,0x28,0x2c,0x61,0x7f,0xa8,0x7c,
+ 0xcd,0xd4,0xa0,0xf2,0xf9,0xf7,0x16,0x62,0x81,0x80,0x6f,0xb4,0x1d,0x0f,0xe1,0x88,
+ 0xe0,0x0c,0x40,0xaf,0xea,0xa0,0x7d,0x2d,0xa0,0x9a,0x2c,0xd7,0x80,0x52,0xf8,0xd5,
+ 0x6b,0x7a,0xf4,0x0d,0x4c,0x73,0x14,0xcc,0xf0,0x2e,0x49,0x0d,0x5e,0x21,0x23,0xbf,
+ 0x67,0x6f,0x2b,0xcb,0xda,0xbe,0xff,0xcf,0x58,0x79,0x29,0x98,0xdd,0x0f,0x67,0xed,
+ 0x24,0xe4,0x83,0xd8,0x97,0x6b,0x00,0xd6,0x15,0x1a,0x6e,0x0b,0xa7,0x40,0xbd,0xb5,
+ 0x7c,0x9b,0xc2,0x7f,0xe5,0xdf,0x91,0x26,0xa4,0x70,0x20,0x07,0x5e,0xb2,0x22,0xd5,
+ 0xca,0x24,0x70,0x72,0x44,0x60,0xc5,0xad,0xf0,0x67,0xb5,0x75,0x02,0x87,0xcd,0x00),
+ },
+};
+
+START_TEST(test_sign_pss_2048)
+{
+ chunk_t sig;
+
+ if (!lib->plugins->has_feature(lib->plugins,
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PSS)) ||
+ !lib->plugins->has_feature(lib->plugins,
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PSS)))
+ {
+ warn("%N not supported, skip test", signature_scheme_names,
+ SIGN_RSA_EMSA_PSS);
+ return;
+ }
+ if (!pss_salt_supported)
+ {
+ warn("static salt for %N not supported, skip test",
+ signature_scheme_names, SIGN_RSA_EMSA_PSS);
+ return;
+ }
+ fail_unless(privpss_2048->sign(privpss_2048, SIGN_RSA_EMSA_PSS,
+ &pss_sign_2048[_i].params, pss_sign_2048[_i].m, &sig),
+ "sign %N", signature_scheme_names, SIGN_RSA_EMSA_PSS);
+ ck_assert_chunk_eq(pss_sign_2048[_i].s, sig);
+ fail_unless(pubpss_2048->verify(pubpss_2048, SIGN_RSA_EMSA_PSS,
+ &pss_sign_2048[_i].params, pss_sign_2048[_i].m, sig),
+ "verify %N", signature_scheme_names, SIGN_RSA_EMSA_PSS);
+ free(sig.ptr);
+}
+END_TEST
+
+/**
+ * SigGen test vectors from FIPS 186-4 (first two for each hash algo)
+ */
+static struct {
+ rsa_pss_params_t params;
+ chunk_t m;
+ chunk_t s;
+} pss_sign_3072[] = {
+ {
+ .params = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256,
+ .salt_len = 32,
+ .salt = chunk_from_chars(
+ 0x3e,0x07,0xad,0xe7,0x2a,0x3f,0x52,0x53,0x0f,0x53,0x13,0x5a,0x5d,0x7d,0x93,0x21,
+ 0x74,0x35,0xba,0x00,0x1e,0xa5,0x5a,0x8f,0x5d,0x5d,0x13,0x04,0x68,0x48,0x74,0xbc),
+ },
+ .m = chunk_from_chars(
+ 0xc1,0x64,0x99,0x11,0x0e,0xd5,0x77,0x20,0x2a,0xed,0x2d,0x3e,0x4d,0x51,0xde,0xd6,
+ 0xc6,0x63,0x73,0xfa,0xef,0x65,0x33,0xa8,0x60,0xe1,0x93,0x4c,0x63,0x48,0x4f,0x87,
+ 0xa8,0xd9,0xb9,0x2f,0x3a,0xc4,0x51,0x97,0xb2,0x90,0x97,0x10,0xab,0xba,0x1d,0xaf,
+ 0x75,0x9f,0xe0,0x51,0x0e,0x9b,0xd8,0xdd,0x4d,0x73,0xce,0xc9,0x61,0xf0,0x6e,0xe0,
+ 0x7a,0xcd,0x9d,0x42,0xc6,0xd4,0x0d,0xac,0x9f,0x43,0x0e,0xf9,0x03,0x74,0xa7,0xe9,
+ 0x44,0xbd,0xe5,0x22,0x00,0x96,0x73,0x74,0x54,0xf9,0x6b,0x61,0x4d,0x0f,0x6c,0xdd,
+ 0x9f,0x08,0xed,0x52,0x9a,0x4a,0xd0,0xe7,0x59,0xcf,0x3a,0x02,0x3d,0xc8,0xa3,0x0b,
+ 0x9a,0x87,0x29,0x74,0xaf,0x9b,0x2a,0xf6,0xdc,0x3d,0x11,0x1d,0x0f,0xeb,0x70,0x06),
+ .s = chunk_from_chars(
+ 0x43,0x35,0x70,0x7d,0xa7,0x35,0xcf,0xd1,0x04,0x11,0xc9,0xc0,0x48,0xca,0x9b,0x60,
+ 0xbb,0x46,0xe2,0xfe,0x36,0x1e,0x51,0xfb,0xe3,0x36,0xf9,0x50,0x8d,0xc9,0x45,0xaf,
+ 0xe0,0x75,0x50,0x3d,0x24,0xf8,0x36,0x61,0x0f,0x21,0x78,0x99,0x6b,0x52,0xc4,0x11,
+ 0x69,0x30,0x52,0xd5,0xd7,0xae,0xd9,0x76,0x54,0xa4,0x00,0x74,0xed,0x20,0xed,0x66,
+ 0x89,0xc0,0x50,0x1b,0x7f,0xba,0xc2,0x1d,0xc4,0x6b,0x66,0x5a,0xc0,0x79,0x76,0x00,
+ 0x86,0x41,0x44,0x06,0xcd,0x66,0xf8,0x53,0x7d,0x1e,0xbf,0x0d,0xce,0x4c,0xf0,0xc9,
+ 0x8d,0x4c,0x30,0xc7,0x1d,0xa3,0x59,0xe9,0xcd,0x40,0x1f,0xf4,0x97,0x18,0xfd,0xd4,
+ 0xd0,0xf9,0x9e,0xfe,0x70,0xad,0x8d,0xd8,0xba,0x13,0x04,0xce,0xfb,0x88,0xf2,0x4b,
+ 0x0e,0xed,0xf7,0x01,0x16,0xda,0x15,0x93,0x2c,0x76,0xf0,0x06,0x95,0x51,0xa2,0x45,
+ 0xb5,0xfc,0x3b,0x91,0xec,0x10,0x1f,0x1d,0x63,0xb9,0x85,0x3b,0x59,0x8c,0x6f,0xa1,
+ 0xc1,0xac,0xdb,0xac,0xf9,0x62,0x63,0x56,0xc7,0x60,0x11,0x9b,0xe0,0x95,0x56,0x44,
+ 0x30,0x18,0x96,0xd9,0xd0,0xd3,0xea,0x5e,0x64,0x43,0xcb,0x72,0xca,0x29,0xf4,0xd4,
+ 0x52,0x46,0xd1,0x6d,0x74,0xd0,0x05,0x68,0xc2,0x19,0x18,0x2f,0xeb,0x19,0x11,0x79,
+ 0xe4,0x59,0x3d,0xc1,0x52,0xc6,0x08,0xfd,0x80,0x53,0x63,0x29,0xa5,0x33,0xb3,0xa6,
+ 0x31,0x56,0x68,0x14,0xcd,0x65,0x4f,0x58,0x7c,0x2d,0x8c,0xe6,0x96,0x08,0x5e,0x6e,
+ 0xd1,0xb0,0xb0,0x27,0x8e,0x60,0xa0,0x49,0xec,0x7a,0x39,0x9f,0x94,0xfc,0xca,0xe6,
+ 0x46,0x23,0x71,0xa6,0x96,0x95,0xef,0x52,0x5e,0x00,0x93,0x6f,0xa7,0xd9,0x78,0x1f,
+ 0x9e,0xe2,0x89,0xd4,0x10,0x5e,0xe8,0x27,0xa2,0x79,0x96,0x58,0x30,0x33,0xce,0xdb,
+ 0x2f,0x29,0x7e,0x7b,0x49,0x26,0xd9,0x06,0xce,0x0d,0x09,0xd8,0x41,0x28,0x40,0x6a,
+ 0xb3,0x3d,0x7d,0xa0,0xf8,0xa1,0xd4,0xd2,0xf6,0x66,0x56,0x86,0x86,0xc3,0x94,0xd1,
+ 0x39,0xb0,0xe5,0xe9,0x93,0x37,0x75,0x8d,0xe8,0x59,0x10,0xa5,0xfa,0x25,0xca,0x2a,
+ 0xa6,0xd8,0xfb,0x1c,0x77,0x72,0x44,0xe7,0xd9,0x8d,0xe4,0xc7,0x9b,0xbd,0x42,0x6a,
+ 0x5e,0x6f,0x65,0x7e,0x37,0x47,0x7e,0x01,0x24,0x74,0x32,0xf8,0x37,0x97,0xfb,0xf3,
+ 0x1b,0x50,0xd0,0x2b,0x83,0xf6,0x9d,0xed,0x26,0xd4,0x94,0x5b,0x2b,0xc3,0xf8,0x6e),
+ },
+ {
+ .params = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256,
+ .salt_len = 32,
+ .salt = chunk_from_chars(
+ 0x3e,0x07,0xad,0xe7,0x2a,0x3f,0x52,0x53,0x0f,0x53,0x13,0x5a,0x5d,0x7d,0x93,0x21,
+ 0x74,0x35,0xba,0x00,0x1e,0xa5,0x5a,0x8f,0x5d,0x5d,0x13,0x04,0x68,0x48,0x74,0xbc),
+ },
+ .m = chunk_from_chars(
+ 0x60,0x40,0x2d,0xed,0x89,0xd0,0x97,0x9a,0xfb,0x49,0xf8,0x50,0x8e,0xb9,0x78,0xa8,
+ 0x41,0xab,0xc2,0xae,0xc5,0x9c,0xac,0xef,0x40,0xb3,0x1a,0xd3,0x4b,0xac,0x1f,0x2d,
+ 0x3c,0x16,0x66,0x11,0xab,0xbe,0xd1,0xe6,0x2f,0x6b,0x5f,0xbb,0x69,0xcb,0x53,0xdf,
+ 0x44,0xae,0x93,0xab,0x7a,0x72,0x4e,0xa3,0x5b,0xbe,0xe1,0xbe,0xca,0x74,0xfc,0x01,
+ 0x88,0xe0,0x00,0x52,0xb5,0x36,0xac,0x8c,0x93,0x3b,0xf9,0xcf,0x8e,0x42,0x42,0x1a,
+ 0x79,0x5a,0xa8,0x1b,0x1b,0xc6,0xb5,0x45,0xea,0xad,0x40,0x24,0x16,0x13,0x90,0xed,
+ 0xc9,0x08,0xc4,0x5a,0xae,0x1f,0x71,0xb4,0xb0,0x22,0x8e,0x31,0x04,0x04,0x8d,0x81,
+ 0x69,0x17,0xcb,0xa4,0xae,0x7f,0x2a,0xfe,0x75,0xe7,0xfc,0xad,0x38,0x73,0x24,0x1a),
+ .s = chunk_from_chars(
+ 0x5f,0x18,0x30,0x09,0x70,0x8b,0x37,0x96,0x37,0xda,0xc2,0xb1,0x42,0x93,0x70,0x9a,
+ 0xa6,0xd7,0xe8,0x6c,0x26,0x7a,0x0b,0x69,0x0a,0x3c,0x27,0x50,0x31,0x13,0x98,0x91,
+ 0x26,0x7c,0x64,0xe5,0xed,0xec,0xdf,0xf1,0x4c,0x2c,0xc2,0xf2,0xd9,0x85,0xb6,0x2f,
+ 0x90,0x0a,0xee,0x6e,0x04,0xca,0x51,0xa7,0x0a,0x5f,0x94,0x64,0x63,0x69,0x1c,0xf1,
+ 0x6c,0x2d,0x45,0x54,0x7c,0x53,0x74,0xf1,0x5b,0xdb,0x88,0x81,0x64,0x1d,0x30,0x40,
+ 0xef,0x57,0x80,0x75,0x32,0xcf,0x5b,0x2c,0xed,0x07,0x62,0x3d,0x0f,0x63,0x8b,0x39,
+ 0xeb,0xc2,0xf2,0xce,0x28,0x3e,0xea,0x22,0x47,0xe1,0xdf,0x3a,0xf5,0x43,0x05,0x54,
+ 0xd1,0xd4,0xb8,0x8b,0x7b,0x21,0x62,0x29,0x93,0x41,0x99,0x71,0xb7,0xd0,0xd5,0x44,
+ 0x91,0x22,0xa1,0x0f,0xc3,0x1b,0x2d,0xdc,0xc5,0x3f,0xf7,0x51,0xff,0x4b,0xf4,0xd3,
+ 0x36,0xfa,0xc6,0x67,0xb6,0x46,0x78,0x02,0x72,0xdb,0x89,0xa3,0xea,0x42,0x26,0xaf,
+ 0xa2,0x08,0x77,0xbf,0xb8,0x6b,0xa3,0xff,0x42,0x04,0xe5,0xcd,0x56,0xe1,0x3a,0x1d,
+ 0xc9,0xd5,0x3f,0x5c,0x94,0x65,0xb9,0x7a,0x18,0x2b,0x2b,0xf6,0x71,0x51,0x2e,0xf8,
+ 0x9e,0x6c,0x39,0x69,0xf9,0x73,0x07,0xa3,0xe4,0xbe,0xba,0x39,0xa7,0x8e,0x0a,0xd1,
+ 0xbb,0x97,0x99,0xcd,0xa9,0x29,0x76,0xca,0x39,0xd9,0x9d,0xb4,0xac,0x14,0x9c,0x84,
+ 0xbb,0x9b,0xc8,0x99,0x7e,0x8d,0x5e,0x05,0x6d,0x67,0xca,0x23,0xfe,0x4b,0xe2,0x8e,
+ 0x66,0xc4,0xbc,0x00,0xa2,0x5d,0x65,0xbb,0x9d,0x7d,0x62,0x3f,0xea,0x2d,0x3b,0x9c,
+ 0xf8,0x59,0xdf,0xd9,0xef,0xa9,0xe5,0x22,0x68,0xbf,0xa2,0x97,0xaf,0xb1,0xcc,0x28,
+ 0x83,0xdb,0x0c,0x9c,0x42,0xfc,0x04,0x18,0x0e,0x2e,0xc6,0xf4,0x96,0x57,0xc7,0x00,
+ 0x8e,0x40,0x25,0x06,0x1f,0x89,0x68,0x86,0x61,0x38,0x95,0xa3,0x5b,0xc2,0xd3,0x65,
+ 0x5a,0x8f,0x50,0xa9,0xfc,0xa2,0xac,0x64,0x8f,0x35,0x2e,0xb0,0x6b,0xfb,0xa2,0xfc,
+ 0x34,0x0a,0xae,0xea,0xd4,0xa8,0x45,0x7c,0x65,0xe2,0xe8,0xfd,0xba,0x56,0x8c,0x60,
+ 0xa6,0xd8,0xd3,0x81,0xf5,0xd9,0xca,0xa3,0x01,0x27,0x77,0x1f,0x4a,0x94,0xfd,0xb8,
+ 0xcd,0xe7,0xbe,0x4f,0xa7,0xb4,0xf8,0x9f,0xe3,0x79,0xdd,0x3e,0x1c,0xa6,0x6a,0xe1,
+ 0xfd,0xd6,0x3b,0xeb,0xdc,0x00,0x15,0x44,0x8e,0x61,0xef,0x16,0x66,0x59,0x4b,0x8f),
+ },
+ {
+ .params = { .hash = HASH_SHA384, .mgf1_hash = HASH_SHA384,
+ .salt_len = 48,
+ .salt = chunk_from_chars(
+ 0x61,0xa7,0x62,0xf8,0x96,0x8d,0x5f,0x36,0x7e,0x2d,0xbc,0xac,0xb4,0x02,0x16,0x53,
+ 0xdc,0x75,0x43,0x7d,0x90,0x00,0xe3,0x16,0x9d,0x94,0x37,0x29,0x70,0x38,0x37,0xa5,
+ 0xcb,0xf4,0xde,0x62,0xbd,0xed,0xc9,0x5f,0xd0,0xd1,0x00,0x4e,0x84,0x75,0x14,0x52),
+ },
+ .m = chunk_from_chars(
+ 0x92,0x21,0xf0,0xfe,0x91,0x15,0x84,0x35,0x54,0xd5,0x68,0x5d,0x9f,0xe6,0x9d,0xc4,
+ 0x9e,0x95,0xce,0xb5,0x79,0x39,0x86,0xe4,0x28,0xb8,0xa1,0x0b,0x89,0x4c,0x01,0xd6,
+ 0xaf,0x87,0x82,0xfd,0x7d,0x95,0x2f,0xaf,0x74,0xc2,0xb6,0x37,0xca,0x3b,0x19,0xda,
+ 0xbc,0x19,0xa7,0xfe,0x25,0x9b,0x2b,0x92,0x4e,0xb3,0x63,0xa9,0x08,0xc5,0xb3,0x68,
+ 0xf8,0xab,0x1b,0x23,0x33,0xfc,0x67,0xc3,0x0b,0x8e,0xa5,0x6b,0x28,0x39,0xdc,0x5b,
+ 0xda,0xde,0xfb,0x14,0xad,0xa8,0x10,0xbc,0x3e,0x92,0xba,0xc5,0x4e,0x2a,0xe1,0xca,
+ 0x15,0x94,0xa4,0xb9,0xd8,0xd1,0x93,0x37,0xbe,0x42,0x1f,0x40,0xe0,0x67,0x4e,0x0e,
+ 0x9f,0xed,0xb4,0x3d,0x3a,0xe8,0x9e,0x2c,0xa0,0x5d,0x90,0xa6,0x82,0x03,0xf2,0xc2),
+ .s = chunk_from_chars(
+ 0x96,0x87,0x11,0x5b,0xe4,0x78,0xe4,0xb6,0x42,0xcd,0x36,0x93,0x92,0xb9,0xdd,0x0f,
+ 0x35,0x76,0xe7,0x04,0xaf,0x72,0x18,0xb1,0xf9,0x4d,0x7f,0x8f,0xe7,0xf0,0x70,0x73,
+ 0xe3,0xe8,0xe1,0x18,0x6f,0xa7,0x68,0x97,0x7d,0x6b,0x51,0x4e,0x51,0x34,0x59,0xf2,
+ 0x37,0x3d,0xf6,0xec,0x52,0xe3,0xde,0x9b,0xd8,0x3f,0xcc,0x5c,0xc3,0xe6,0xb9,0x7f,
+ 0x8b,0x3f,0xb5,0x34,0x16,0x3c,0x64,0xf5,0x26,0x76,0x20,0x70,0x0e,0x9d,0x8c,0x52,
+ 0xb3,0xdf,0x61,0xa7,0xc3,0x74,0x8e,0xf1,0x59,0xd6,0xb3,0x90,0x89,0x5a,0xfa,0x3a,
+ 0xf5,0x91,0x09,0xa5,0x47,0x8d,0x01,0x6d,0x96,0xc4,0x9f,0x68,0xdf,0xc7,0x35,0xba,
+ 0x2a,0xaf,0xd5,0x01,0x2c,0x13,0x51,0x5e,0xd6,0x64,0x4f,0x0d,0x41,0x09,0xc4,0x55,
+ 0x56,0xe1,0x4a,0x38,0x21,0xe1,0xaa,0x24,0xbe,0xb8,0xa8,0x1a,0x48,0xda,0x27,0xf1,
+ 0x31,0xde,0x84,0xf7,0xba,0x51,0x58,0x1d,0x81,0xb8,0xff,0x31,0xba,0x92,0xb8,0xa1,
+ 0xfd,0xe8,0x67,0xf0,0x7e,0x32,0xe6,0xc2,0x70,0x92,0x53,0x44,0x81,0x74,0xdd,0x31,
+ 0x32,0x4d,0xbc,0x32,0xb0,0x5f,0x07,0x58,0x7f,0x76,0xa9,0x99,0x7d,0xec,0xb8,0x0f,
+ 0x38,0xd8,0xc1,0x3d,0x0f,0x6e,0xb3,0xc1,0x0e,0x3d,0x96,0xa2,0x29,0x3f,0x74,0x64,
+ 0xf1,0xe0,0x46,0x02,0xef,0x6e,0x84,0xc2,0xd0,0x24,0x5d,0x7d,0xb2,0x56,0xa6,0x7d,
+ 0x13,0x2a,0x47,0xca,0xe9,0xab,0xe0,0x6b,0x61,0xa8,0x96,0x8f,0x50,0xa1,0x74,0x99,
+ 0x95,0xdc,0x15,0xef,0x0d,0xcb,0x1d,0x5f,0x59,0x59,0xe4,0xd4,0x54,0xc8,0x54,0x7b,
+ 0xbb,0x4d,0x19,0x56,0x98,0xf4,0x84,0x61,0x7b,0xfd,0x12,0x2a,0xca,0xae,0x2d,0x0e,
+ 0x8c,0x76,0xd2,0x8b,0x24,0x00,0x5a,0xb0,0x3c,0xaa,0x78,0x1e,0xa9,0x7b,0x1c,0x4d,
+ 0x93,0x96,0xa1,0x6f,0x79,0x98,0xee,0xe7,0xdd,0xd9,0xde,0x4c,0xab,0xe5,0x70,0x32,
+ 0xd9,0x43,0x8a,0x5d,0x99,0xc6,0xb3,0x4a,0x95,0x61,0x22,0x35,0x02,0x63,0xc7,0xe9,
+ 0x98,0xbc,0x61,0xde,0xc9,0x13,0x81,0x01,0x2e,0x68,0x6d,0x07,0x9e,0x39,0xe9,0x6b,
+ 0x1e,0xa4,0xbf,0xdb,0x7c,0xdf,0x63,0x0d,0xdb,0x42,0x2c,0x6b,0x58,0x0e,0x55,0x06,
+ 0xc9,0xcc,0x3d,0x6c,0x10,0x0f,0x20,0x41,0xd1,0x7c,0xea,0xaa,0xa5,0x45,0x89,0x24,
+ 0x9f,0x04,0xa1,0x37,0x0f,0xfa,0x3b,0xf3,0xff,0x1a,0xde,0xb8,0x90,0x68,0x86,0x98),
+ },
+ {
+ .params = { .hash = HASH_SHA384, .mgf1_hash = HASH_SHA384,
+ .salt_len = 48,
+ .salt = chunk_from_chars(
+ 0x61,0xa7,0x62,0xf8,0x96,0x8d,0x5f,0x36,0x7e,0x2d,0xbc,0xac,0xb4,0x02,0x16,0x53,
+ 0xdc,0x75,0x43,0x7d,0x90,0x00,0xe3,0x16,0x9d,0x94,0x37,0x29,0x70,0x38,0x37,0xa5,
+ 0xcb,0xf4,0xde,0x62,0xbd,0xed,0xc9,0x5f,0xd0,0xd1,0x00,0x4e,0x84,0x75,0x14,0x52),
+ },
+ .m = chunk_from_chars(
+ 0x75,0x2a,0x99,0x16,0xf4,0x49,0xae,0xbf,0x81,0x4c,0xe5,0x9c,0xa6,0xe8,0x2f,0xa8,
+ 0x03,0x8e,0x46,0x85,0x41,0x92,0x41,0xc1,0x48,0x8c,0x66,0x59,0xb2,0xff,0x3f,0x7b,
+ 0x7f,0x38,0xf0,0x90,0x0a,0x79,0xc7,0x7a,0x3b,0x57,0x15,0x1a,0xff,0x61,0x3c,0x16,
+ 0xf5,0x02,0x0a,0xd9,0x6b,0xa9,0x45,0xdb,0x88,0x26,0x87,0x22,0xca,0x58,0x4c,0x09,
+ 0xb4,0x05,0x4a,0x40,0xc0,0x09,0x01,0x14,0x9b,0xb3,0x92,0xf0,0x91,0x6c,0xd4,0x24,
+ 0x46,0x99,0xa5,0xe6,0xa8,0xc3,0x7e,0x96,0x21,0xf5,0x4b,0x47,0x11,0x66,0x79,0x7a,
+ 0x7b,0x58,0x50,0x2c,0xff,0x40,0x83,0x14,0x08,0x27,0x05,0x26,0x46,0x50,0x1f,0x5b,
+ 0x5f,0x1b,0xc0,0xb4,0xe1,0x29,0x14,0x7d,0x7c,0xc1,0x57,0xcf,0x6e,0x73,0xec,0x58),
+ .s = chunk_from_chars(
+ 0x66,0x46,0xa8,0x8e,0xe4,0xb8,0x45,0xda,0x49,0x31,0x27,0x4c,0x23,0x84,0x0d,0xad,
+ 0xa6,0x14,0x5f,0xe0,0xaf,0x95,0x48,0x29,0xd1,0xd5,0x66,0x61,0x54,0x6a,0x25,0xe4,
+ 0x63,0x16,0xe2,0x16,0xbb,0x6b,0x94,0x46,0xb3,0x68,0x88,0x4b,0xa1,0x49,0x69,0xa6,
+ 0xf6,0x8c,0xcb,0xc1,0xcf,0x5b,0x4e,0x7a,0x6d,0x3a,0xab,0xec,0x67,0xf6,0x49,0x63,
+ 0xf6,0x3b,0x08,0x8f,0xa8,0x17,0xc8,0x55,0xd7,0x76,0xdd,0xca,0xda,0x57,0xe5,0xda,
+ 0xa5,0x0f,0xc1,0xc8,0x77,0x38,0x9c,0x3c,0xb9,0xd9,0x90,0x95,0xa8,0x69,0xa9,0x63,
+ 0xbc,0x91,0xec,0x24,0xb2,0x42,0x2e,0xf6,0xb8,0xdd,0x18,0xfd,0x20,0xd2,0xb2,0x15,
+ 0xfe,0xe6,0xe9,0x8c,0xda,0x41,0x5a,0xe4,0x4d,0x2d,0x26,0x16,0xfe,0x17,0x08,0x29,
+ 0x2a,0x3e,0xf5,0x0a,0x07,0x51,0x70,0xb3,0xa7,0xeb,0xab,0x02,0x91,0x8a,0xb0,0x30,
+ 0x17,0x94,0xc1,0x7f,0xb3,0x5e,0x20,0x38,0xf3,0x69,0xd9,0x4d,0xd4,0x95,0x69,0xc0,
+ 0x66,0xf7,0xc3,0x92,0x88,0x9d,0xc4,0xb8,0x78,0xc5,0x0c,0x7e,0x52,0x58,0x6b,0x50,
+ 0x81,0x11,0x4d,0x20,0x23,0x38,0xd2,0x33,0x04,0xf1,0x6f,0x91,0x2d,0x51,0x9a,0x9a,
+ 0xd2,0x1b,0xaf,0xf0,0xe3,0xd2,0x17,0x61,0xf3,0x73,0xd0,0x84,0x21,0xe1,0x01,0x08,
+ 0xa9,0x83,0x04,0x8f,0xcb,0x90,0xeb,0x2a,0xdc,0x7c,0x7f,0x12,0xff,0xa1,0x57,0x1b,
+ 0x09,0x1c,0x78,0x1b,0x25,0x5a,0x77,0xa8,0x80,0xe9,0x79,0x75,0xf1,0x4f,0x42,0xba,
+ 0xf5,0xaa,0x28,0x5e,0xcc,0x14,0x21,0x57,0xc3,0xe1,0xad,0xdd,0x6a,0xa0,0xc0,0x92,
+ 0x53,0xa1,0x1c,0x59,0x14,0x4a,0xbd,0x3b,0x1e,0x21,0x2d,0x89,0xe2,0x7e,0xd9,0x6f,
+ 0xb7,0x57,0x56,0xaf,0xc2,0x0e,0xc6,0x74,0x23,0xb1,0x51,0x19,0x4c,0xb0,0xb0,0x64,
+ 0x8c,0x65,0x99,0x87,0xa5,0x58,0x3c,0xb7,0x75,0x77,0x79,0xd8,0xa3,0x9e,0x20,0x5e,
+ 0x71,0x01,0xa5,0x35,0x1c,0xe1,0xaf,0x2c,0x9c,0x6b,0x08,0x47,0xcc,0xa5,0x7a,0xf5,
+ 0x25,0x93,0x32,0x39,0x05,0xe3,0xd2,0x29,0x7c,0x0d,0x54,0x54,0x1a,0x01,0x25,0x62,
+ 0x16,0x40,0xfe,0x1d,0xee,0xf1,0x3e,0x75,0x9f,0x8f,0x6c,0x56,0xa2,0xec,0x2a,0x94,
+ 0x83,0x1a,0xc2,0xc6,0x14,0xb9,0x11,0xe7,0x9e,0xdd,0x54,0x2f,0xef,0x65,0x1f,0x5a,
+ 0x82,0x7f,0x48,0x05,0x75,0xae,0x22,0x0c,0x49,0x5f,0x2a,0x28,0x42,0xf9,0x9e,0xc4),
+ },
+ {
+ .params = { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512,
+ .salt_len = 62,
+ .salt = chunk_from_chars(
+ 0x2d,0x0c,0x49,0xb2,0x07,0x89,0xf3,0x95,0x02,0xee,0xfd,0x09,0x2a,0x2b,0x6a,0x9b,
+ 0x27,0x57,0xc1,0x45,0x61,0x47,0x56,0x9a,0x68,0x5f,0xca,0x44,0x92,0xa8,0xd5,0xb0,
+ 0xe6,0x23,0x43,0x08,0x38,0x5d,0x3d,0x62,0x96,0x44,0xca,0x37,0xe3,0x39,0x96,0x16,
+ 0xc2,0x66,0xf1,0x99,0xb6,0x52,0x1a,0x99,0x87,0xb2,0xbe,0x9e,0xe7,0x83),
+ },
+ .m = chunk_from_chars(
+ 0x44,0x24,0x0c,0xe5,0x19,0xf0,0x02,0x39,0xbd,0x66,0xba,0x03,0xc8,0x4d,0x31,0x60,
+ 0xb1,0xce,0x39,0xe3,0x93,0x28,0x66,0xe5,0x31,0xa6,0x2b,0x1c,0x37,0xcf,0x41,0x70,
+ 0xc3,0xdc,0x48,0x09,0x23,0x6f,0xb1,0xad,0xe1,0x81,0xdb,0x49,0xfc,0x9c,0x7c,0xcd,
+ 0x79,0x4b,0x43,0x3d,0x1a,0xd0,0xbc,0x05,0x6e,0x14,0x73,0x8e,0x0a,0xe4,0x5c,0x0e,
+ 0x15,0x59,0x72,0xa4,0x0a,0x98,0x9f,0xa4,0xb9,0xbc,0xdc,0x30,0x8f,0x11,0x99,0x08,
+ 0x18,0x83,0x5f,0xa2,0xc2,0x56,0xb4,0x7e,0xe4,0x17,0x3f,0xb4,0xfe,0xd2,0x2c,0xcf,
+ 0x43,0x85,0xd2,0xdd,0x54,0xd5,0x93,0xc7,0x4f,0x00,0x04,0xdf,0x08,0x13,0x4e,0xb8,
+ 0x96,0x5d,0xd5,0x3a,0x12,0x23,0x17,0xf5,0x9b,0x95,0xd6,0xb6,0x9d,0x01,0x79,0x58),
+ .s = chunk_from_chars(
+ 0x8f,0x47,0xab,0xc2,0x32,0x6e,0x22,0xcf,0x62,0x40,0x45,0x08,0xb4,0x42,0xe8,0x1a,
+ 0xd4,0x5a,0xff,0xf7,0x27,0x40,0x96,0xb9,0xa1,0x3e,0x47,0x8c,0xdd,0x0a,0x72,0xf9,
+ 0x9a,0x76,0xbf,0x51,0x7f,0x1b,0xb0,0xf8,0x72,0xa5,0x23,0xd8,0xc5,0x88,0xd4,0x40,
+ 0x25,0x69,0xe9,0x48,0xfd,0x6a,0x10,0x8a,0xe1,0xa4,0x5c,0x65,0x83,0x08,0x28,0xa1,
+ 0x0e,0x94,0xd4,0x32,0x76,0x53,0x14,0xba,0x82,0xea,0xd3,0x10,0xfc,0x87,0xac,0x99,
+ 0xa5,0xb3,0x9f,0x30,0xab,0x88,0x20,0xbf,0x69,0xe6,0x93,0x4a,0x9c,0x1c,0x91,0x5c,
+ 0x19,0xf3,0x6e,0xa7,0x71,0x7e,0xaf,0xf7,0xaf,0x67,0xb4,0x99,0x13,0x15,0xb1,0x87,
+ 0x3b,0xa9,0x29,0xbe,0xdf,0x18,0xa9,0x75,0xbe,0x80,0x8e,0x7a,0xa1,0x4a,0x67,0x26,
+ 0x12,0x6c,0x79,0xcc,0x93,0xf6,0x95,0x41,0xc5,0xce,0xfd,0xeb,0x5b,0x67,0xec,0x27,
+ 0x9d,0x8f,0x5a,0x44,0x65,0x83,0xe4,0xb4,0xfa,0xed,0x16,0x85,0x14,0x0e,0xe4,0xb3,
+ 0xb7,0x57,0xc8,0xff,0x4a,0x1e,0xf9,0xcd,0x76,0xa8,0x8e,0x05,0x31,0x9e,0xe6,0x20,
+ 0x03,0xd2,0xd7,0x72,0x90,0xc9,0x4c,0x57,0x9b,0x0c,0xa2,0xab,0x0d,0xeb,0x31,0x76,
+ 0xef,0x10,0xa3,0xfd,0xb8,0x5c,0x80,0xff,0xbc,0x9e,0x2a,0x66,0x5a,0x23,0x74,0x4f,
+ 0xc8,0x36,0xf9,0xa9,0xa1,0x03,0xcd,0x9f,0xb7,0x56,0x95,0x23,0x56,0xa2,0xf1,0xac,
+ 0xdd,0x68,0xa6,0x45,0xe2,0x01,0x79,0x00,0x65,0x58,0xb5,0xd4,0xd0,0xb9,0xb0,0xbd,
+ 0x3a,0xdf,0x5e,0x29,0x0f,0x49,0xda,0xe6,0x0b,0x9d,0x19,0x92,0x09,0x53,0xea,0x8b,
+ 0xb2,0x37,0xd5,0xb3,0xdc,0xfe,0x14,0x9a,0x60,0xf1,0x2a,0x4e,0xe3,0xa8,0x89,0xb3,
+ 0x3b,0xcd,0x3a,0x3b,0x75,0x3d,0x61,0x07,0x57,0xcb,0xcd,0x09,0x3d,0xd5,0xa7,0x34,
+ 0x25,0x53,0x33,0x68,0x96,0x95,0xab,0x63,0x69,0x63,0xe3,0xd2,0x15,0xa8,0xe7,0x7f,
+ 0xf3,0x19,0x73,0x71,0x8a,0x49,0x44,0xa1,0xe9,0xe4,0x4f,0x45,0x75,0x4d,0x39,0xf6,
+ 0xfa,0x43,0x1c,0x53,0xf9,0xa2,0xef,0x36,0xe1,0x6a,0x5f,0x70,0x63,0x6e,0xb5,0xfb,
+ 0xa5,0x4e,0x15,0xc2,0x0a,0x71,0x4f,0x28,0x09,0xa7,0xcf,0xf4,0xb8,0xdc,0x11,0x65,
+ 0xf8,0x36,0x60,0x7e,0xb5,0xa5,0xa3,0xbb,0x0c,0x45,0x67,0xee,0xe2,0x69,0x41,0xfe,
+ 0xf4,0x6f,0xb4,0x1e,0x73,0xb5,0x65,0xc0,0xcf,0x8c,0x72,0xe4,0x04,0x22,0x12,0x64),
+ },
+ {
+ .params = { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512,
+ .salt_len = 62,
+ .salt = chunk_from_chars(
+ 0x2d,0x0c,0x49,0xb2,0x07,0x89,0xf3,0x95,0x02,0xee,0xfd,0x09,0x2a,0x2b,0x6a,0x9b,
+ 0x27,0x57,0xc1,0x45,0x61,0x47,0x56,0x9a,0x68,0x5f,0xca,0x44,0x92,0xa8,0xd5,0xb0,
+ 0xe6,0x23,0x43,0x08,0x38,0x5d,0x3d,0x62,0x96,0x44,0xca,0x37,0xe3,0x39,0x96,0x16,
+ 0xc2,0x66,0xf1,0x99,0xb6,0x52,0x1a,0x99,0x87,0xb2,0xbe,0x9e,0xe7,0x83),
+ },
+ .m = chunk_from_chars(
+ 0x06,0xd5,0x53,0x4b,0x77,0x69,0x25,0x6e,0x8c,0xf6,0x5c,0x6c,0xe5,0x2a,0x3e,0x86,
+ 0x96,0x5a,0x1f,0xd1,0x2c,0x75,0x82,0xd2,0xeb,0x36,0x82,0x4a,0x5a,0x9d,0x70,0x53,
+ 0x02,0x9f,0xbe,0xac,0x72,0x1d,0x1b,0x52,0x86,0x13,0xe0,0x50,0xe9,0x12,0xab,0xd7,
+ 0xd9,0xf0,0x49,0x91,0x2a,0xbe,0xda,0x33,0x8e,0xfa,0x2f,0x52,0x13,0x06,0x77,0x77,
+ 0xed,0xd9,0x1b,0x75,0x76,0xf5,0xe6,0xfa,0x73,0x98,0x69,0x65,0x99,0x37,0x9e,0xd7,
+ 0x50,0x28,0xcb,0x8d,0xb6,0x9f,0xa9,0x6d,0xe7,0xdb,0xc6,0xde,0x7c,0xa1,0x28,0xdd,
+ 0x51,0xea,0x33,0x4e,0x8c,0xd9,0xcd,0x8f,0xda,0xef,0xbf,0x53,0xfc,0x82,0x5e,0xae,
+ 0x83,0x6b,0x6c,0x6c,0xd7,0x00,0x39,0xa7,0x7e,0x42,0x0d,0x99,0x9b,0x57,0xca,0xae),
+ .s = chunk_from_chars(
+ 0x91,0x3f,0xc1,0x18,0xd5,0xac,0x1e,0xdf,0xfb,0x4b,0x8f,0xcf,0xa4,0xe8,0x59,0x86,
+ 0xb4,0x62,0x31,0xce,0xf3,0xda,0xd9,0x11,0xd5,0xe9,0x53,0x4c,0xc8,0x82,0x61,0xf6,
+ 0xb6,0x96,0x9b,0x75,0xa3,0xf2,0x5d,0x83,0xec,0xe7,0xec,0x20,0x34,0xb0,0x1d,0x3b,
+ 0x2b,0xe6,0xc5,0xbd,0x95,0x8c,0xc4,0xaf,0xcd,0x44,0x83,0x9e,0x39,0x53,0xf0,0x1e,
+ 0x4a,0x15,0xea,0x5e,0xf6,0xe1,0xb4,0xb0,0xe8,0xae,0x90,0xbd,0xfd,0x40,0x41,0x99,
+ 0xe8,0xf8,0x65,0x47,0xf6,0x7f,0xf6,0xb8,0x4f,0x21,0x62,0xc4,0x31,0x1c,0xc9,0xee,
+ 0xe0,0x6b,0xfb,0x2f,0xe4,0x61,0x98,0xaf,0xb9,0x74,0x5d,0x9c,0x44,0x38,0x33,0xbf,
+ 0x23,0x87,0xeb,0x92,0x40,0x6a,0x63,0x39,0x52,0x13,0x96,0xf2,0xcb,0xda,0x55,0xd9,
+ 0x8f,0xe6,0x40,0x74,0xd2,0xf2,0xe2,0x7b,0x8b,0xc6,0xa7,0x9b,0xe3,0xd1,0xcc,0x56,
+ 0x88,0x69,0xb0,0xb5,0x0f,0xcb,0xf7,0x02,0xb0,0x83,0x16,0x68,0xfb,0xfd,0xed,0xc2,
+ 0xd1,0xb5,0x49,0x1e,0x8e,0xc6,0x23,0xed,0xeb,0x60,0xac,0x87,0x0e,0x6e,0x8d,0x05,
+ 0x85,0x93,0xfb,0xbc,0x93,0x8f,0xbf,0x74,0x17,0x00,0xef,0xc2,0xb2,0x46,0x7e,0x7e,
+ 0xb2,0x54,0xae,0x00,0x85,0x09,0xe9,0x16,0x07,0xf8,0xe5,0x0a,0xa1,0x6a,0x4e,0x85,
+ 0x1a,0xbc,0xa7,0xc8,0xd2,0x0c,0x6f,0xf6,0x1c,0xfe,0xe6,0xc1,0xfb,0x67,0x60,0x98,
+ 0xe5,0xcd,0xf1,0x27,0xc9,0xb7,0x95,0x38,0xfd,0x1e,0x6c,0x01,0x41,0x61,0x05,0x4c,
+ 0xaf,0x43,0xb7,0x34,0xfa,0x69,0xfe,0x06,0xa0,0x0d,0x76,0xf7,0x10,0xac,0xc1,0x98,
+ 0xf3,0xda,0x90,0x6a,0x7d,0x2e,0x73,0xa2,0xca,0x88,0x25,0x26,0xcc,0x35,0x4d,0xd7,
+ 0x63,0x0a,0x30,0x3d,0x8f,0x32,0xc6,0x55,0xb5,0xb3,0x3c,0xf7,0x88,0x59,0xbe,0xea,
+ 0xba,0x3f,0x9a,0xe0,0x52,0xc8,0xd7,0x47,0x1c,0xd2,0xbd,0x9e,0xdf,0x42,0xfd,0x8f,
+ 0x70,0xc3,0xb0,0xaa,0x79,0xc0,0x76,0x92,0x80,0x68,0xca,0x97,0x70,0x95,0x9a,0xfa,
+ 0x63,0x2c,0xa6,0xaa,0xba,0x66,0x79,0xe4,0x5d,0x68,0x88,0xc5,0x01,0x25,0xa7,0x3b,
+ 0x9d,0xeb,0x00,0xd4,0x2a,0x12,0x5f,0x25,0xdf,0x54,0x34,0xbe,0xff,0x0d,0x5b,0x0e,
+ 0xe1,0x3a,0x16,0xb1,0x70,0x45,0xce,0xce,0x0f,0x2d,0xa7,0x57,0x7d,0x79,0xd7,0xcd,
+ 0x75,0xa4,0xb6,0xc5,0xbc,0x34,0x5f,0x46,0x0a,0x17,0x34,0x87,0xb5,0x1b,0xc6,0xa6),
+ },
+};
+
+START_TEST(test_sign_pss_3072)
+{
+ chunk_t sig;
+
+ if (!lib->plugins->has_feature(lib->plugins,
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PSS)) ||
+ !lib->plugins->has_feature(lib->plugins,
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PSS)))
+ {
+ warn("%N not supported, skip test", signature_scheme_names,
+ SIGN_RSA_EMSA_PSS);
+ return;
+ }
+ if (!pss_salt_supported)
+ {
+ warn("static salt for %N not supported, skip test",
+ signature_scheme_names, SIGN_RSA_EMSA_PSS);
+ return;
+ }
+ fail_unless(privpss_3072->sign(privpss_3072, SIGN_RSA_EMSA_PSS,
+ &pss_sign_3072[_i].params, pss_sign_3072[_i].m, &sig),
+ "sign %N", signature_scheme_names, SIGN_RSA_EMSA_PSS);
+ ck_assert_chunk_eq(pss_sign_3072[_i].s, sig);
+ fail_unless(pubpss_3072->verify(pubpss_3072, SIGN_RSA_EMSA_PSS,
+ &pss_sign_3072[_i].params, pss_sign_3072[_i].m, sig),
+ "verify %N", signature_scheme_names, SIGN_RSA_EMSA_PSS);
+ free(sig.ptr);
+}
+END_TEST
+
+/**
+ * Test vectors from FIPS 186-4 (those with 0 salt are 3072-bit verify vectors)
+ */
+static struct {
+ rsa_pss_params_t params;
+ chunk_t n;
+ chunk_t d;
+ chunk_t e;
+ chunk_t m;
+ chunk_t s;
+} pss_sign_ns[] = {
+ {
+ .params = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, },
+ .n = chunk_from_chars(
+ 0xce,0x49,0x24,0xff,0x47,0x0f,0xb9,0x9d,0x17,0xf6,0x65,0x95,0x56,0x1a,0x74,0xde,
+ 0xd2,0x20,0x92,0xd1,0xdc,0x27,0x12,0x2a,0xe1,0x5c,0xa8,0xca,0xc4,0xbf,0xae,0x11,
+ 0xda,0xa9,0xe3,0x7a,0x94,0x14,0x30,0xdd,0x1b,0x81,0xaa,0xf4,0x72,0xf3,0x20,0x83,
+ 0x5e,0xe2,0xfe,0x74,0x4c,0x83,0xf1,0x32,0x08,0x82,0xa8,0xa0,0x23,0x16,0xce,0xb3,
+ 0x75,0xf5,0xc4,0x90,0x92,0x32,0xbb,0x2c,0x65,0x20,0xb2,0x49,0xc8,0x8b,0xe4,0xf4,
+ 0x7b,0x8b,0x86,0xfd,0xd9,0x36,0x78,0xc6,0x9e,0x64,0xf5,0x00,0x89,0xe9,0x07,0xa5,
+ 0x50,0x4f,0xdd,0x43,0xf0,0xca,0xd2,0x4a,0xaa,0x9e,0x31,0x7e,0xf2,0xec,0xad,0xe3,
+ 0xb5,0xc1,0xfd,0x31,0xf3,0xc3,0x27,0xd7,0x0a,0x0e,0x2d,0x48,0x67,0xe6,0xfe,0x3f,
+ 0x26,0x27,0x2e,0x8b,0x6a,0x3c,0xce,0x17,0x84,0x3e,0x35,0x9b,0x82,0xeb,0x7a,0x4c,
+ 0xad,0x8c,0x42,0x46,0x01,0x79,0xcb,0x6c,0x07,0xfa,0x25,0x2e,0xfa,0xec,0x42,0x8f,
+ 0xd5,0xca,0xe5,0x20,0x8b,0x29,0x8b,0x25,0x51,0x09,0x02,0x6e,0x21,0x27,0x24,0x24,
+ 0xec,0x0c,0x52,0xe1,0xe5,0xf7,0x2c,0x5a,0xb0,0x6f,0x5d,0x2a,0x05,0xe7,0x7c,0x19,
+ 0x3b,0x64,0x7e,0xc9,0x48,0xbb,0x84,0x4e,0x0c,0x2e,0xf1,0x30,0x7f,0x53,0xcb,0x80,
+ 0x0d,0x4f,0x55,0x52,0x3d,0x86,0x03,0x8b,0xb9,0xe2,0x10,0x99,0xa8,0x61,0xb6,0xb9,
+ 0xbc,0xc9,0x69,0xe5,0xdd,0xdb,0xdf,0x71,0x71,0xb3,0x7d,0x61,0x63,0x81,0xb7,0x8c,
+ 0x3b,0x22,0xef,0x66,0x51,0x0b,0x27,0x65,0xd9,0x61,0x75,0x56,0xb1,0x75,0x59,0x98,
+ 0x79,0xd8,0x55,0x81,0x00,0xad,0x90,0xb8,0x30,0xe8,0x7a,0xd4,0x60,0xa2,0x21,0x08,
+ 0xba,0xa5,0xed,0x0f,0x2b,0xa9,0xdf,0xc0,0x51,0x67,0xf8,0xab,0x61,0xfc,0x9f,0x8a,
+ 0xe0,0x16,0x03,0xf9,0xdd,0x5e,0x66,0xce,0x1e,0x64,0x2b,0x60,0x4b,0xca,0x92,0x94,
+ 0xb5,0x7f,0xb7,0xc0,0xd8,0x3f,0x05,0x4b,0xac,0xf4,0x45,0x4c,0x29,0x8a,0x27,0x2c,
+ 0x44,0xbc,0x71,0x8f,0x54,0x60,0x5b,0x91,0xe0,0xbf,0xaf,0xd7,0x72,0xae,0xba,0xf3,
+ 0x82,0x88,0x46,0xc9,0x30,0x18,0xf9,0x8e,0x31,0x57,0x08,0xd5,0x0b,0xe8,0x40,0x1e,
+ 0xb9,0xa8,0x77,0x8d,0xcb,0xd0,0xd6,0xdb,0x93,0x70,0x86,0x04,0x11,0xb0,0x04,0xcd,
+ 0x37,0xfb,0xb8,0xb5,0xdf,0x87,0xed,0xee,0x7a,0xae,0x94,0x9f,0xff,0x34,0x60,0x7b),
+ .d = chunk_from_chars(
+ 0x25,0x8f,0x08,0x40,0x36,0xb7,0xff,0xda,0x1d,0x0a,0xa0,0x37,0x3a,0x50,0x01,0x1d,
+ 0xd9,0x76,0xb7,0xfd,0x0e,0xe4,0xb8,0x89,0x65,0x4b,0x04,0x4a,0xb2,0x41,0xfb,0x75,
+ 0x46,0x75,0x46,0x69,0x09,0x42,0x9b,0x1a,0xcb,0xa9,0xd9,0xc1,0xab,0xf2,0xe9,0xbb,
+ 0x49,0x4c,0xea,0x81,0xc4,0xba,0x10,0xdc,0xd1,0x03,0x6f,0x36,0xea,0x81,0xdc,0x24,
+ 0xce,0x98,0x3e,0x3a,0xe7,0xda,0x7c,0xf8,0x10,0xdd,0xc0,0x5c,0x96,0xf9,0xcc,0x3a,
+ 0x90,0x46,0xfd,0xf5,0x8c,0x99,0x02,0x17,0x2c,0x7e,0x53,0xa1,0xbc,0xed,0x1b,0x78,
+ 0x84,0xf7,0x28,0x13,0x3b,0xe9,0xb4,0xa9,0x11,0x02,0x3e,0x31,0x59,0xd5,0xf2,0x52,
+ 0xf4,0x07,0xa8,0x08,0x0c,0x88,0xf1,0x22,0xcf,0x4a,0x9e,0x53,0xf1,0x03,0xae,0xcb,
+ 0x41,0x2c,0xd4,0x4d,0x9d,0x53,0xc1,0x45,0x75,0x7b,0x14,0xeb,0x85,0xa5,0xb0,0xd7,
+ 0xf8,0xbe,0x88,0xc5,0x6b,0xb0,0x0e,0x73,0x57,0xd4,0x3d,0x6a,0x82,0x89,0x53,0xf9,
+ 0x31,0x24,0xd1,0xb3,0x9c,0x0c,0xc1,0x37,0xdf,0xf2,0x97,0x2a,0x40,0x2e,0xbf,0xe2,
+ 0x9e,0xb6,0x14,0xc6,0x57,0x8e,0x10,0x2c,0x61,0xa6,0x00,0x18,0x33,0x32,0x3d,0x4b,
+ 0x79,0xbe,0xe1,0x01,0xe7,0x6a,0x9c,0x59,0xa3,0x58,0x47,0x1b,0x62,0x25,0x68,0x85,
+ 0x84,0xfb,0xdd,0x79,0x0a,0x1e,0x38,0xa6,0x0a,0x5f,0x8b,0xf6,0x47,0xf7,0x37,0x46,
+ 0x80,0xaa,0x1d,0x6c,0xc0,0x37,0x2f,0xd1,0x2e,0xf2,0x33,0xbf,0x6b,0xf7,0x26,0xfa,
+ 0x4a,0xf4,0x5e,0x1e,0xad,0x9b,0x58,0xdf,0x08,0xf6,0x2a,0xa7,0x6f,0xe9,0xfd,0x9b,
+ 0xb1,0xa9,0x75,0xbb,0x1c,0x4d,0xdb,0x9b,0x00,0x54,0x53,0xf9,0x57,0xdf,0xe4,0x14,
+ 0x8d,0x26,0x44,0xc1,0xc4,0x90,0x87,0x74,0x31,0xb6,0x7e,0x97,0x5c,0x5e,0x02,0xb2,
+ 0xdc,0x40,0x8d,0xe0,0x9e,0x53,0x1c,0x05,0xc0,0x51,0x73,0x11,0xa5,0xcf,0xeb,0x41,
+ 0x65,0xb5,0xf4,0x40,0x60,0xbb,0x34,0x33,0xff,0xf6,0xee,0x8f,0x0a,0xd3,0xf5,0x59,
+ 0xb8,0x45,0x8f,0x20,0xcb,0xdc,0xa8,0x46,0x49,0xf0,0xc8,0xa3,0xb6,0x98,0x9f,0x67,
+ 0x6b,0xc0,0xfe,0x46,0x91,0x03,0x2d,0x2a,0x08,0x97,0x8f,0x90,0x53,0xab,0xf2,0x1c,
+ 0x1d,0x08,0x1f,0x8e,0xc3,0x27,0x35,0xdd,0x1f,0xf0,0x40,0x7c,0x33,0x02,0xbf,0x55,
+ 0xd1,0x67,0x19,0x7d,0xbe,0x92,0xc6,0x78,0x29,0x4d,0x5f,0x1f,0x83,0x2d,0xa5,0xbb),
+ .e = chunk_from_chars(0x73,0xb1,0x93),
+ .m = chunk_from_chars(
+ 0x08,0x97,0xd4,0x0e,0x7c,0x0f,0x2d,0xfc,0x07,0xb0,0xc7,0xfd,0xda,0xf5,0xfd,0x8f,
+ 0xcc,0x6a,0xf9,0xc1,0xfd,0xc1,0x7b,0xeb,0xb9,0x23,0xd5,0x9c,0x9f,0xc4,0x3b,0xd4,
+ 0x02,0xba,0x39,0x73,0x8f,0x0f,0x85,0xf2,0x30,0x15,0xf7,0x51,0x31,0xf9,0xd6,0x50,
+ 0xa2,0x9b,0x55,0xe2,0xfc,0x9d,0x5d,0xdf,0x07,0xbb,0x8d,0xf9,0xfa,0x5a,0x80,0xf1,
+ 0xe4,0x63,0x4e,0x0b,0x4c,0x51,0x55,0xbf,0x14,0x89,0x39,0xb1,0xa4,0xea,0x29,0xe3,
+ 0x44,0xa6,0x64,0x29,0xc8,0x50,0xfc,0xde,0x73,0x36,0xda,0xd6,0x16,0xf0,0x03,0x93,
+ 0x78,0x39,0x1a,0xbc,0xfa,0xfe,0x25,0xca,0x7b,0xb5,0x94,0x05,0x7a,0xf0,0x7f,0xaf,
+ 0x7a,0x32,0x2f,0x7f,0xab,0x01,0xe0,0x51,0xc6,0x3c,0xc5,0x1b,0x39,0xaf,0x4d,0x23),
+ .s = chunk_from_chars(
+ 0x8e,0xbe,0xd0,0x02,0xd4,0xf5,0x4d,0xe5,0x89,0x8a,0x5f,0x2e,0x69,0xd7,0x70,0xed,
+ 0x5a,0x5c,0xe1,0xd4,0x5a,0xd6,0xdd,0x9c,0xe5,0xf1,0x17,0x9d,0x1c,0x46,0xda,0xa4,
+ 0xd0,0x39,0x4e,0x21,0xa9,0x9d,0x80,0x33,0x58,0xd9,0xab,0xfd,0x23,0xbb,0x53,0x16,
+ 0x63,0x94,0xf9,0x97,0xb9,0x09,0xe6,0x75,0x66,0x20,0x66,0x32,0x4c,0xa1,0xf2,0xb7,
+ 0x31,0xde,0xba,0x17,0x05,0x25,0xc4,0xee,0x8f,0xa7,0x52,0xd2,0xd7,0xf2,0x01,0xb1,
+ 0x02,0x19,0x48,0x9f,0x57,0x84,0xe3,0x99,0xd9,0x16,0x30,0x2f,0xd4,0xb7,0xad,0xf8,
+ 0x84,0x90,0xdf,0x87,0x65,0x01,0xc4,0x67,0x42,0xa9,0x3c,0xfb,0x3a,0xaa,0xb9,0x60,
+ 0x2e,0x65,0xd7,0xe6,0x0d,0x7c,0x4c,0xea,0xdb,0x7e,0xb6,0x7e,0x42,0x1d,0x18,0x03,
+ 0x23,0xa6,0xd3,0x8f,0x38,0xb9,0xf9,0x99,0x21,0x3e,0xbf,0xcc,0xc7,0xe0,0x4f,0x06,
+ 0x0f,0xbd,0xb7,0xc2,0x10,0x20,0x65,0x22,0xb4,0x94,0xe1,0x99,0xe9,0x8c,0x6c,0x24,
+ 0xe4,0x57,0xf8,0x69,0x66,0x44,0xfd,0xca,0xeb,0xc1,0xb9,0x03,0x1c,0x81,0x83,0x22,
+ 0xc2,0x9d,0x13,0x5e,0x11,0x72,0xfa,0x0f,0xdf,0x7b,0xe1,0x00,0x7d,0xab,0xca,0xab,
+ 0x49,0x66,0x33,0x2e,0x7e,0xa1,0x45,0x6b,0x6c,0xe8,0x79,0xcd,0x91,0x0c,0x91,0x10,
+ 0x10,0x4f,0xc7,0xd3,0xdc,0xab,0x07,0x6f,0x2b,0xd1,0x82,0xbb,0x83,0x27,0xa8,0x63,
+ 0x25,0x45,0x70,0xcd,0xf2,0xab,0x38,0xe0,0xcd,0xa3,0x17,0x79,0xde,0xaa,0xd6,0x16,
+ 0xe3,0x43,0x7e,0xd6,0x59,0xd7,0x4e,0x5a,0x4e,0x04,0x5a,0x70,0x13,0x38,0x90,0xb8,
+ 0x1b,0xc4,0xf2,0x4a,0xb6,0xda,0x67,0xa2,0xee,0x0c,0xe1,0x5b,0xab,0xa3,0x37,0xd0,
+ 0x91,0xcb,0x5a,0x1c,0x44,0xda,0x69,0x0f,0x81,0x14,0x5b,0x02,0x52,0xa6,0x54,0x9b,
+ 0xbb,0x20,0xcd,0x5c,0xc4,0x7a,0xfe,0xc7,0x55,0xeb,0x37,0xfe,0xd5,0x5a,0x9a,0x33,
+ 0xd3,0x65,0x57,0x42,0x45,0x03,0xd8,0x05,0xa0,0xa1,0x20,0xb7,0x69,0x41,0xf4,0x15,
+ 0x0d,0x89,0x34,0x2d,0x7a,0x7f,0xa3,0xa2,0xb0,0x8c,0x51,0x5e,0x6f,0x68,0x42,0x9c,
+ 0xf7,0xaf,0xd1,0xa3,0xfc,0xe0,0xf4,0x28,0x35,0x1a,0x6f,0x9e,0xda,0x3a,0xb2,0x4a,
+ 0x7e,0xf5,0x91,0x99,0x4c,0x21,0xfb,0xf1,0x00,0x1f,0x99,0x23,0x9e,0x88,0x34,0x0f,
+ 0x9b,0x35,0x9e,0xc7,0x2e,0x8a,0x21,0x2a,0x19,0x20,0xe6,0xcf,0x99,0x3f,0xf8,0x48),
+ },
+ {
+ .params = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, },
+ .n = chunk_from_chars(
+ 0x9c,0x21,0x3e,0xa3,0x73,0x63,0x1f,0x57,0x2e,0x5e,0x46,0x22,0x5b,0x95,0xa0,0xf5,
+ 0xea,0x8a,0xb0,0xa5,0xec,0x70,0x90,0xa3,0xb0,0x18,0x1c,0x59,0x06,0xdc,0x22,0xfd,
+ 0x1b,0xd7,0x3d,0x11,0x47,0x12,0x42,0xa2,0xed,0x18,0x24,0xe6,0x01,0x01,0x7f,0x5b,
+ 0x53,0x54,0xb9,0x2f,0xdb,0x43,0xd4,0xda,0x00,0xa8,0x24,0x27,0xd0,0x53,0x66,0xa4,
+ 0xd5,0x52,0xc4,0x0d,0x69,0xd2,0x00,0x48,0x5d,0x5d,0x5d,0xb8,0x3c,0xf5,0x23,0xe6,
+ 0x1a,0x83,0x4b,0x40,0xcc,0xd4,0x01,0x08,0x7f,0xbb,0x93,0xd8,0x1d,0xbe,0xd7,0xb2,
+ 0xee,0x23,0x81,0xa1,0x24,0x1a,0xc6,0x8f,0x2a,0xfc,0x02,0x15,0x7e,0xe0,0xc7,0x3c,
+ 0xc6,0x6c,0x02,0xa6,0xc6,0xeb,0x2d,0xc3,0x51,0x45,0xae,0x55,0xd7,0x70,0x84,0x12,
+ 0xa3,0x41,0x0f,0x20,0x4c,0x49,0x23,0x76,0xd6,0x31,0x5c,0xed,0xf2,0x53,0xaf,0x91,
+ 0xf3,0x1d,0xca,0xb3,0x4f,0x72,0xc2,0x06,0xad,0x81,0xe8,0x00,0x50,0x98,0x64,0xfe,
+ 0x92,0x55,0xd0,0x46,0xac,0x25,0xdb,0xdf,0x49,0x54,0xd2,0x35,0x03,0x24,0x72,0x2e,
+ 0x73,0xc1,0xf2,0x5d,0x08,0x9f,0x87,0x54,0x2a,0xd9,0x07,0xfb,0x37,0xec,0xea,0xef,
+ 0xb3,0x30,0xf4,0x32,0x5e,0x97,0xf5,0xea,0xbc,0x04,0x09,0x6a,0x8f,0xab,0xba,0x97,
+ 0x85,0x89,0xe3,0x55,0x44,0x5d,0x95,0x43,0x27,0x4c,0x1c,0x38,0xff,0x84,0x9b,0xa8,
+ 0xc2,0x91,0x1f,0x07,0x03,0x06,0x34,0xc1,0x32,0xcc,0xaf,0x4e,0x4f,0x57,0xa5,0xad,
+ 0x92,0x44,0xf5,0xdf,0x0e,0xe2,0x5a,0xf8,0xef,0x2f,0xc7,0xb2,0x9f,0xdf,0x7c,0xc1,
+ 0x84,0x04,0xe2,0x0e,0xfa,0xaf,0xfa,0x45,0x1e,0xc4,0x1a,0xb8,0x38,0xd5,0x94,0x90,
+ 0x6f,0xf2,0xca,0xd5,0x2d,0xcb,0xd0,0xe9,0xa6,0x8e,0xf7,0xb0,0x6c,0x25,0x37,0x10,
+ 0xe1,0x31,0x8d,0x09,0xad,0x07,0x01,0x27,0x67,0xa8,0x91,0x24,0x17,0x7d,0xf5,0x0d,
+ 0x16,0x84,0x67,0x9e,0x14,0x30,0x68,0x89,0xd9,0xa7,0xac,0x51,0x43,0xd4,0x86,0x1b,
+ 0x7d,0x6a,0xe7,0x79,0x92,0xef,0xa7,0x3e,0x0a,0xba,0x9d,0xa0,0xad,0x9a,0x68,0x88,
+ 0xbc,0x80,0x4d,0xbd,0x07,0xbc,0x26,0xa8,0xa5,0xdf,0xbd,0x29,0x2a,0x0e,0xfa,0x96,
+ 0x86,0x7f,0xdb,0x92,0xe8,0x45,0xc3,0x6e,0x34,0x33,0xcf,0x29,0x2e,0x0e,0x31,0x66,
+ 0x24,0x80,0x25,0x7f,0xcf,0x46,0x6f,0x7f,0x65,0xd8,0x14,0xbb,0x3e,0x33,0x99,0x2f),
+ .d = chunk_from_chars(
+ 0x3e,0xac,0x18,0x66,0xe2,0x35,0xd6,0x4b,0x9a,0x04,0xd7,0x3c,0x3f,0x49,0x70,0x7f,
+ 0x53,0x06,0xef,0x23,0x6f,0xcd,0xdb,0x7d,0xec,0x19,0x14,0x8a,0x4b,0xf3,0x48,0x28,
+ 0xc2,0x9b,0xc5,0x0e,0x75,0xa0,0xdc,0x38,0xd2,0x67,0x1b,0x50,0x28,0x59,0x61,0x8b,
+ 0xf3,0xf7,0xe5,0xf8,0x71,0x30,0x5a,0xd1,0xdf,0x49,0x72,0x75,0xb6,0x2d,0x36,0x03,
+ 0x1d,0xf6,0xc9,0x5c,0x9b,0x9d,0x68,0x73,0xa4,0x20,0x66,0x40,0x48,0x26,0x40,0x78,
+ 0x80,0x19,0x4c,0x61,0x13,0x2c,0x03,0x3c,0x76,0xac,0x16,0x9a,0xd4,0x01,0xcb,0x6e,
+ 0xd7,0x16,0xe7,0x02,0xbb,0xe3,0x16,0x11,0x72,0x9f,0x3a,0xca,0x1f,0x54,0x38,0xc6,
+ 0xb7,0x25,0xd9,0x01,0x17,0xca,0x53,0xe2,0x59,0xce,0x65,0xad,0x2f,0xbc,0x8a,0x1a,
+ 0x30,0xfa,0xa6,0x06,0xc3,0xb9,0x7f,0x1a,0xba,0xc5,0xa9,0x01,0x0f,0xa0,0x78,0x8e,
+ 0x9d,0x74,0x04,0xfd,0xcf,0xdc,0x55,0xf9,0xec,0x8e,0x91,0xaa,0x5f,0xdd,0x54,0xec,
+ 0x93,0x25,0xf0,0x21,0x48,0xc7,0xc5,0xdb,0x18,0xfe,0x52,0xed,0x62,0x75,0x8f,0xcd,
+ 0xb9,0x63,0x72,0x69,0x3f,0x99,0x8b,0x53,0x46,0x5a,0x97,0xca,0xcb,0x3b,0xbd,0x4d,
+ 0x0b,0xc3,0xd8,0x73,0x16,0x18,0xa2,0x78,0xe8,0x42,0x26,0x0e,0xaa,0xe8,0xdf,0x65,
+ 0xbe,0x8b,0xb9,0xf6,0xf0,0x85,0x22,0x0a,0x06,0x2a,0x11,0x77,0xf1,0x09,0x2a,0x9e,
+ 0xbd,0x46,0x71,0x35,0x0f,0xb0,0x5d,0x0c,0x89,0x3c,0x07,0xd8,0x36,0xe3,0x7e,0x73,
+ 0xc0,0x92,0xac,0x42,0x6e,0x63,0x0e,0x9b,0x6c,0xde,0xf3,0x6d,0x32,0x6c,0xd3,0x0e,
+ 0x5e,0xd8,0xff,0x37,0xce,0xd3,0x5c,0x4a,0xc4,0x7c,0xf0,0x12,0x61,0x61,0x6e,0xdd,
+ 0xb1,0x91,0x95,0x7e,0xaa,0x38,0xb2,0x60,0x0e,0x08,0xe7,0x84,0xb2,0x18,0x92,0x48,
+ 0xcf,0x40,0xf9,0xde,0xe6,0x5f,0x06,0x6a,0x8f,0x1e,0xe1,0x02,0x8d,0xe6,0x01,0xb6,
+ 0xbc,0x29,0x91,0x5b,0x9c,0xba,0xee,0xc2,0xdc,0x4f,0xe7,0xb1,0x3b,0x84,0x0c,0xf7,
+ 0x9a,0x4d,0x93,0xb0,0xc9,0xf4,0x7b,0x64,0x47,0xc3,0xf1,0xf8,0x32,0xdc,0x8c,0xf7,
+ 0xe5,0xf9,0x8f,0x68,0xf9,0x7c,0xc5,0xd9,0x93,0x46,0xb1,0x24,0x23,0x52,0xf7,0x4d,
+ 0x94,0xa7,0x27,0xa5,0x30,0x3b,0x99,0x67,0x0b,0xb8,0x34,0x19,0x25,0x5a,0xc5,0x12,
+ 0x70,0xbb,0xe5,0xd8,0x13,0x28,0x40,0x26,0x14,0xba,0xe1,0xc8,0x23,0x64,0x08,0xd9),
+ .e = chunk_from_chars(0xef,0xab,0xb9),
+ .m = chunk_from_chars(
+ 0x3a,0xbd,0x43,0xf1,0xd7,0x41,0xdd,0xf0,0xb7,0x52,0xdd,0x94,0x19,0x7a,0xb6,0x56,
+ 0x28,0x8f,0xf4,0x65,0xe5,0xdb,0xcc,0xec,0x61,0x79,0xf8,0x93,0x2f,0x02,0xc2,0x48,
+ 0x19,0x6a,0x5e,0x3f,0x12,0x24,0x7c,0x37,0x6c,0x8d,0x1e,0x00,0x4b,0x87,0xa7,0x3a,
+ 0x5a,0x64,0x35,0x5f,0xbc,0x07,0x31,0x04,0x46,0x45,0x25,0x5b,0xeb,0x91,0xcd,0xfd,
+ 0x77,0xd9,0x70,0xe6,0x81,0xab,0x70,0xc1,0x9a,0x9c,0x21,0x67,0xcb,0xea,0xd7,0xa2,
+ 0x3f,0x60,0x43,0x36,0x3c,0x7a,0xff,0x22,0x58,0xca,0x67,0x23,0xe9,0x9a,0xab,0x7a,
+ 0xbd,0xd3,0x22,0xef,0x0b,0x1e,0xe1,0x16,0xaa,0x48,0x8d,0xd1,0x81,0xeb,0x6d,0x16,
+ 0x3f,0x4b,0xc3,0xf2,0x4c,0x7e,0x5d,0xce,0xff,0xd0,0x67,0xf2,0x11,0x65,0x83,0x47),
+ .s = chunk_from_chars(
+ 0x47,0x40,0x11,0x5f,0x25,0x1b,0x35,0xcf,0xe1,0x9d,0x38,0x16,0xcc,0x1f,0xbf,0x02,
+ 0xb9,0xa4,0xd9,0x47,0x0d,0xc6,0x2b,0x41,0xcd,0xb7,0x22,0x84,0xc3,0x0f,0xff,0xd3, + 0x4e,0x70,0x57,0x55,0x9a,0x73,0xb4,0x4a,0xc4,0x9f,0xa7,0x28,0x5f,0x3e,0x9a,0x68, + 0x0b,0xf1,0x94,0x95,0x62,0xa4,0x7f,0x01,0xbf,0xc5,0x5e,0xb7,0xbd,0xa9,0xe2,0x91, + 0xc9,0xa5,0xce,0x1a,0x5d,0x7b,0x61,0x95,0x90,0xc0,0xe1,0xbd,0x36,0x94,0x3f,0xa4, + 0x1b,0x9c,0xc9,0xb2,0xa3,0xa7,0x42,0xc2,0x94,0x2c,0x53,0xec,0x3e,0x45,0xc7,0x71, + 0x76,0xe4,0xbf,0x32,0xb7,0x10,0x1a,0xb4,0xb0,0x5a,0x99,0x6a,0x21,0xfe,0x12,0x92, + 0x18,0x41,0xf8,0xf0,0xfa,0xd1,0xe7,0x1b,0xde,0xff,0x5a,0x7f,0x53,0xe8,0x76,0x63, + 0x67,0x31,0x1a,0x98,0xb9,0xd8,0x61,0x8a,0x61,0x98,0xaa,0x16,0x62,0xe5,0x87,0x33, + 0x2c,0x24,0x28,0x3f,0x9e,0xcf,0x2b,0xb2,0xd8,0x25,0xf5,0x97,0xd1,0x82,0x56,0xce, + 0x9c,0x58,0x64,0xf1,0xff,0xca,0x37,0xc4,0xec,0x8d,0xf4,0xf9,0x45,0xcf,0x22,0xc9, + 0x74,0xf5,0xef,0x3d,0xbb,0x9f,0x17,0x0b,0x39,0x78,0xbd,0xdc,0xc9,0x1b,0x13,0xb9, + 0xe8,0x55,0x0b,0xfc,0xdb,0x74,0xac,0x73,0x49,0xd5,0x31,0xe1,0xe3,0x28,0x0f,0xc0, + 0x05,0xac,0x34,0xc0,0x36,0x08,0x99,0x3b,0x78,0x76,0xca,0xf2,0x7c,0x8b,0xd5,0xa9, + 0x73,0x06,0x29,0x20,0x82,0xf7,0x7d,0x91,0x44,0x00,0x5b,0xcd,0x10,0x46,0xf2,0x73, + 0x03,0x18,0x5b,0x6a,0x7c,0xac,0x53,0x9f,0x1e,0x05,0x80,0x5e,0xe8,0xd0,0x77,0x2f, + 0x37,0xac,0xc3,0xe7,0xfa,0x09,0x20,0x17,0x1c,0x19,0xec,0x92,0x66,0xc4,0xdd,0x6d, + 0x9e,0x51,0x76,0x6c,0x44,0x33,0xa2,0x83,0x1c,0x3e,0x5f,0xb7,0xd8,0x43,0x41,0x62, + 0x4e,0xa9,0xa2,0x5e,0x1a,0x2e,0xb2,0x7e,0xf2,0xc7,0xe8,0xde,0x49,0x1d,0x94,0xd8, + 0xa8,0xa3,0x19,0x19,0xbd,0xd7,0xcd,0xf6,0x07,0x3a,0x1d,0x88,0xf4,0x52,0xff,0x8d, + 0x15,0xe5,0x7c,0xf6,0x50,0x4a,0x81,0x84,0x3c,0x24,0x35,0x1c,0x61,0xa3,0x73,0xb7, + 0x3a,0xcd,0x84,0xc7,0x6d,0xe9,0x16,0xf2,0x90,0xe0,0xe9,0xbd,0xf5,0x1d,0x8f,0xfa, + 0x63,0xf8,0x67,0xaf,0x58,0x7b,0x5c,0x75,0x91,0x11,0x67,0x10,0x79,0xea,0x28,0x84, + 0x64,0x66,0xcc,0x33,0xdf,0x76,0x83,0x63,0x9d,0x01,0x83,0x37,0xeb,0xe1,0x3c,0xb8), + }, + { + .params = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, }, + .n = 
chunk_from_chars( + 0xcd,0x61,0x41,0xe4,0xc8,0xdc,0x69,0x97,0xfc,0x65,0x30,0x0a,0x6e,0x2c,0x74,0x6f, + 0x39,0x10,0x22,0xf1,0x56,0x61,0x23,0x1a,0x83,0x2b,0xe9,0x66,0xaa,0x49,0x8e,0x67, + 0x87,0x77,0x76,0x69,0x44,0xdb,0x54,0xa5,0x99,0xcd,0x6d,0xdb,0xda,0xf7,0x53,0x3f, + 0x42,0x9e,0x6e,0x11,0x97,0xb7,0xeb,0x06,0x19,0x13,0xf5,0x0b,0x09,0xbe,0x04,0xab, + 0x70,0xb1,0xb7,0x02,0xfc,0xe9,0xad,0xa2,0x79,0xea,0x80,0x89,0x67,0x7a,0x37,0x70, + 0x1e,0x64,0x19,0x0f,0x24,0x3d,0xfa,0xbe,0x7c,0xc2,0x54,0xf0,0x8a,0x61,0x43,0xc9, + 0xc5,0x89,0xac,0x4a,0x90,0x88,0x1c,0x0d,0x2b,0x62,0xe9,0x80,0x13,0xe9,0x2d,0x04, + 0x9e,0xe9,0xca,0x11,0xa4,0x25,0xad,0x45,0x0e,0xc5,0xa6,0x99,0xae,0x17,0x67,0x2d, + 0x86,0xef,0xde,0x3f,0xbc,0x81,0x20,0x3f,0x2b,0x50,0x0e,0xf4,0x17,0x46,0xb9,0xe9, + 0xaf,0x26,0x42,0xb3,0x0c,0xbf,0x75,0xe7,0x88,0x9e,0x50,0x08,0x36,0xd6,0xdd,0x32, + 0xbc,0xc5,0xd8,0xb6,0x90,0x21,0xb7,0x64,0xa5,0x91,0xd6,0x85,0x07,0x76,0xcd,0xdf, + 0x0b,0x72,0x40,0xc7,0x5d,0xda,0x9e,0x2d,0x19,0x7f,0x2c,0xd9,0xc6,0x78,0x7b,0x16, + 0x44,0x5b,0x55,0xea,0xec,0xcd,0xfd,0xd1,0x7f,0xb7,0x2d,0x7f,0xe5,0x18,0x9a,0xa1, + 0xa2,0xa6,0xad,0x06,0xb4,0xf2,0xbf,0xc8,0xf6,0xc9,0x1c,0x3a,0x2a,0x80,0xa8,0x3a, + 0x31,0x13,0xe0,0xb4,0x20,0xb7,0x06,0x54,0xd6,0xa5,0x07,0x5d,0x38,0xd9,0xa1,0x2d, + 0x1e,0x0f,0xdd,0xd2,0xcb,0x23,0xb7,0xf3,0xef,0x94,0x99,0x91,0xbf,0x49,0x04,0x8d, + 0xc4,0x00,0x20,0xdc,0xf0,0x42,0xca,0xf0,0x08,0x83,0x36,0x35,0x91,0xdd,0x6a,0x90, + 0x78,0x9a,0xc2,0x12,0xa0,0xce,0xd9,0x5f,0xb4,0x0b,0xca,0xda,0xac,0x2c,0x97,0xee, + 0x7f,0xf3,0x02,0xc3,0x7c,0xf2,0xaa,0x72,0x98,0x31,0x1d,0xb8,0x5a,0x2d,0x4d,0x1b, + 0x9f,0x03,0x70,0x23,0xc2,0x1b,0xf2,0xe9,0xb9,0xab,0xec,0xc7,0x80,0xa7,0x0c,0xf2, + 0xa5,0x40,0x02,0x63,0x42,0x72,0xd7,0xdc,0xf2,0x5e,0xe4,0xc7,0xdb,0xb0,0x44,0x37, + 0xf3,0x0f,0x50,0xbd,0xcf,0x49,0x62,0xd4,0x32,0x48,0x4a,0x5d,0xab,0x7b,0x60,0xb3, + 0x1d,0x80,0x25,0xb9,0x84,0xc8,0x21,0xfa,0xdb,0xf2,0xb6,0x23,0xf2,0xf9,0x2a,0x65, + 
0x31,0xdc,0xe1,0x1a,0x1f,0x25,0x2e,0x60,0x30,0x16,0x07,0x8f,0x39,0x86,0xe0,0x81), + .d = chunk_from_chars( + 0x1c,0xc4,0x40,0x8e,0x92,0xd1,0xae,0xd2,0x2f,0x6c,0x04,0x3d,0x82,0x14,0x03,0x04, + 0xe7,0x82,0x5e,0x74,0xeb,0xaa,0x10,0x40,0x8d,0x33,0x95,0x46,0x30,0xb6,0x3b,0x02, + 0x3a,0xc2,0x13,0x6e,0xaf,0x45,0x16,0xd7,0x3a,0xe5,0x4f,0x7f,0xf6,0xf8,0xeb,0x34, + 0x1f,0x1d,0x39,0xae,0xd5,0xc9,0x8d,0x92,0xf1,0x85,0x8a,0xe4,0x11,0xb9,0xe0,0xe2, + 0x06,0xe0,0xe2,0xb2,0x25,0x19,0xbc,0x20,0xd3,0x04,0xbc,0xb4,0x7d,0x81,0xc4,0xf4, + 0x9e,0x59,0x9b,0x86,0x95,0x26,0xb7,0x58,0x88,0xb0,0x2f,0x29,0xdc,0x59,0x58,0xe8, + 0x21,0x6f,0x6a,0xe4,0x75,0xbf,0xf7,0x15,0xa7,0x41,0x63,0x32,0x04,0xbf,0xed,0x27, + 0xbd,0xc6,0x25,0x22,0x60,0x99,0x9f,0xf1,0x77,0xf1,0xa4,0xf7,0xa0,0x60,0x57,0x18, + 0xe9,0xad,0x45,0xb8,0x99,0x2b,0x59,0x46,0x6c,0x11,0xb4,0xda,0x7e,0x0e,0x1a,0x97, + 0x4c,0x28,0xc0,0xe1,0x54,0xe0,0x78,0x68,0xa0,0x1e,0x3f,0xa7,0x4e,0x6c,0xde,0x47, + 0x95,0x26,0xc4,0x6b,0x73,0x18,0xed,0x5f,0x12,0xe7,0xa2,0x27,0x01,0xf7,0x39,0xa3, + 0x10,0xec,0xcd,0x59,0x94,0xd4,0xbc,0x7f,0x8d,0xf6,0xe1,0x5e,0x3b,0x84,0xe1,0x83, + 0x93,0x64,0x62,0x32,0xfe,0x6e,0xc4,0x8b,0xe9,0xed,0x26,0xca,0xb8,0x74,0x96,0x00, + 0x9d,0x25,0xa5,0xbb,0x3c,0xdd,0xbd,0x32,0xb1,0xda,0x3f,0x07,0x03,0x8f,0xfc,0x78, + 0x14,0xdf,0x10,0x33,0xff,0xda,0x30,0xab,0x05,0xf0,0x75,0x5e,0x33,0x00,0x22,0xc9, + 0xcb,0x6b,0x78,0xdf,0xb4,0x75,0x02,0xb6,0x29,0xeb,0x4b,0xad,0xaf,0xf3,0x44,0x25, + 0x96,0x28,0x9f,0xa3,0x29,0xd5,0x08,0x7b,0xf7,0x0f,0x53,0x4f,0x50,0xff,0xa6,0x5e, + 0xeb,0x64,0x14,0x1d,0x0d,0xb4,0x31,0xa4,0x15,0x9d,0x39,0x0f,0x82,0x33,0x98,0x12, + 0x71,0xf4,0x8c,0x66,0x6c,0x50,0xab,0x7f,0xa4,0xf1,0xe7,0xe3,0x96,0x34,0x71,0x84, + 0xe1,0xd9,0x77,0xa0,0x8d,0xae,0xb2,0xfa,0xbe,0x8d,0xca,0x0c,0x2f,0xb9,0x41,0xd3, + 0xe5,0x39,0x8a,0x0d,0x1d,0xb9,0x18,0xee,0x59,0x3c,0x4b,0x4d,0xc9,0x67,0x13,0x1a, + 0x4b,0xc1,0x80,0x80,0xad,0x57,0xa9,0x42,0x8e,0x72,0x69,0x1b,0x0d,0xd6,0xb1,0xd5, + 
0x66,0xe0,0x2a,0xd4,0x5f,0x30,0x8b,0xe8,0xbc,0x37,0xf3,0xfe,0xd6,0xc8,0x8d,0x28, + 0x38,0x56,0x67,0x33,0x57,0x04,0xa4,0xa5,0x50,0xf8,0x70,0xea,0x59,0xca,0x18,0x4f), + .e = chunk_from_chars(0x2c,0xc9,0x2f), + .m = chunk_from_chars( + 0xd1,0xac,0xd4,0xa6,0x03,0x5f,0x23,0xbf,0xe6,0x70,0x06,0x13,0x2a,0x1c,0xd4,0x74, + 0xef,0x58,0xc0,0x11,0x36,0x70,0xf5,0x3c,0x95,0xee,0xe5,0x70,0x30,0xbd,0xdd,0x92, + 0xe4,0x8e,0xdd,0x77,0xc5,0x7b,0xa8,0xa7,0xcb,0xea,0x17,0x60,0xc8,0xb5,0xb2,0xde, + 0x9d,0x88,0x81,0xda,0xae,0x8a,0x20,0x51,0x93,0x3f,0x12,0x86,0x11,0xad,0x57,0x4a, + 0x48,0xbd,0x41,0x7b,0x2d,0xe5,0x83,0xcb,0x3b,0x04,0x8b,0xc2,0x66,0x8d,0x12,0x07, + 0x51,0xe8,0xf1,0xdb,0xc0,0x15,0x36,0xe6,0x50,0x93,0x77,0x36,0x66,0x80,0x66,0x85, + 0x65,0x01,0xa6,0xba,0x24,0xe4,0xdd,0xb3,0x9f,0x84,0x0b,0x42,0xec,0xed,0x1a,0x75, + 0x71,0x41,0xb6,0x1b,0x55,0x5b,0x5e,0x83,0x34,0xb1,0xbb,0x87,0x17,0x7f,0x31,0xc9), + .s = chunk_from_chars( + 0x55,0x61,0x3f,0x64,0x33,0x1a,0xbd,0x97,0x1e,0x82,0x2c,0xc3,0xd9,0x72,0xf6,0x7e, + 0x78,0x2b,0x6a,0xf8,0x1a,0xac,0x0b,0x80,0xe2,0xf6,0x32,0x4d,0xa6,0xd9,0xf3,0x3c, + 0x46,0xf8,0xb7,0xe2,0x4c,0x94,0xde,0xee,0x7e,0x98,0x52,0x5a,0xaf,0x4c,0xa6,0x84, + 0x37,0x53,0xdf,0x3d,0x44,0x4e,0x1e,0x05,0x40,0xf9,0xc1,0x96,0xff,0xbb,0xcb,0x4f, + 0xca,0x7a,0xad,0x4b,0xa9,0x42,0x88,0xf9,0x11,0x65,0x0e,0x3c,0xaf,0x6d,0xd2,0x2f, + 0x87,0x92,0x3f,0xa4,0xb1,0x2e,0x2d,0x6b,0x11,0x5f,0x2f,0xe7,0x73,0xaf,0x25,0x63, + 0xcc,0x76,0x0d,0xe8,0x8c,0xfa,0x6e,0x16,0x87,0x8d,0xd9,0xc0,0x7f,0x0d,0x45,0xb1, + 0x0a,0x22,0x4d,0x1a,0x7e,0xe1,0xd2,0x6f,0xfa,0xdf,0xd3,0x8b,0x78,0x00,0x4a,0x20, + 0x45,0xb3,0x5d,0x9c,0xb9,0xfc,0xcd,0xc7,0x15,0x66,0x8a,0x74,0x01,0xdb,0x7a,0xde, + 0xf1,0x09,0xeb,0xca,0xaf,0xc5,0x26,0x9d,0x37,0x7c,0x1e,0x8f,0x7d,0x42,0x92,0x45, + 0x9c,0x80,0x1a,0x93,0xc4,0xd0,0x7e,0xf4,0x77,0xf8,0x71,0x75,0xaa,0x35,0xe0,0x02, + 0xa0,0x3c,0x20,0x51,0x98,0x5f,0xcb,0x69,0x63,0xe9,0xbf,0x96,0xe2,0x8e,0x55,0xeb, + 0x52,0xa3,0x55,0x44,0x75,0xf9,0x09,0x5f,0x24,0xa9,0xe4,0x22,0xfa,0x84,0xb6,0x05, 
+ 0x90,0xe8,0xb8,0xd6,0xec,0x91,0xdc,0xf6,0xa5,0x84,0xcc,0x8a,0x93,0x4e,0x55,0x1b, + 0xef,0xee,0xdc,0x0f,0x0f,0x48,0xda,0xdf,0x29,0x3f,0x0f,0x92,0x60,0xee,0x22,0xd7, + 0x2e,0xa4,0x6e,0x27,0x10,0x45,0xb6,0x65,0x16,0xb2,0xbe,0xbe,0xed,0x52,0x72,0x2a, + 0xec,0x5f,0x08,0x40,0x85,0xf8,0xfa,0xa6,0x89,0x30,0x8b,0xc1,0x3f,0xa5,0xb9,0xe5, + 0xb0,0xaa,0xdf,0x27,0x66,0x25,0x8e,0x01,0xd4,0xb8,0xdd,0xbe,0x0d,0x32,0x8a,0xa1, + 0x12,0x23,0x7e,0xc1,0x0b,0x11,0x5b,0xe8,0x3f,0xae,0x8a,0x01,0x13,0xf8,0x89,0x0e, + 0xda,0xb7,0x9d,0x04,0x63,0xc9,0xec,0x6e,0x2d,0xb4,0x50,0x46,0x93,0x53,0x5d,0xcf, + 0x76,0x95,0xf8,0x44,0x25,0xe9,0xf7,0xb7,0x3e,0x4f,0x18,0xbc,0x07,0x2f,0x51,0x31, + 0x98,0x9b,0x0c,0xdb,0x07,0xf4,0x96,0xf1,0x5e,0x56,0x2d,0x07,0xf0,0x71,0x1c,0xf9, + 0x79,0xf1,0xaa,0x4d,0x14,0x0d,0x97,0x83,0xef,0xd6,0xf9,0x6c,0x41,0xfe,0x5f,0xb7, + 0x9e,0x5d,0x5d,0x68,0x9d,0xd5,0xa7,0x05,0xf1,0xff,0x83,0x77,0x54,0x03,0x1a,0x39), + }, + { + .params = { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, }, + .n = chunk_from_chars( + 0x99,0xa5,0xc8,0xd0,0x94,0xa5,0xf9,0x17,0x03,0x46,0x67,0xa0,0x40,0x8b,0x7e,0xcf, + 0xca,0xac,0xc3,0xf9,0x78,0x44,0x44,0xe2,0x17,0x73,0xc3,0x46,0x1e,0xc3,0x55,0xf0, + 0xd0,0xf5,0x2a,0x5d,0xb0,0x56,0x8a,0x71,0xd3,0x88,0x69,0x67,0x88,0xef,0x66,0xae, + 0x73,0x40,0xc6,0xb2,0x8d,0xbf,0x92,0x5f,0xe8,0x35,0x57,0x98,0x65,0x75,0xf7,0x9c, + 0xca,0x69,0x21,0x72,0x21,0x39,0x7e,0xd5,0x80,0x8a,0x26,0xf7,0xe7,0xe7,0x14,0xc9, + 0x32,0x35,0xf9,0x14,0xd4,0x5c,0x4a,0x9a,0xf4,0x61,0x9b,0x20,0xf5,0x11,0xad,0x64, + 0x4b,0xd3,0x41,0x2d,0xfd,0xf0,0xff,0x71,0x7f,0x7a,0xac,0x74,0x6f,0x31,0x0b,0xfa, + 0x9a,0x14,0x1a,0xc3,0xdb,0xf0,0x1c,0x1f,0xc7,0x4f,0xeb,0xd1,0x97,0x93,0x84,0x19, + 0xc2,0x62,0x29,0x35,0x05,0xc3,0x5f,0x40,0x2f,0x90,0x53,0xad,0x13,0xc5,0x1a,0x59, + 0x60,0xec,0xde,0x55,0xec,0x82,0x9e,0x95,0x3f,0x94,0x1a,0xf7,0x33,0xe5,0x87,0x05, + 0x91,0x37,0x67,0xe7,0xa7,0x20,0x0d,0x1d,0x09,0xe7,0xe7,0xe2,0xd2,0x69,0xfa,0x29, + 
0xa5,0x58,0xbb,0x16,0x30,0x4b,0x05,0x9f,0x13,0xf4,0xca,0x56,0x0a,0x81,0x01,0xfe, + 0x37,0x20,0xb4,0xa7,0x79,0xec,0x12,0x64,0x27,0x32,0x6c,0xaa,0x13,0x2a,0x3d,0x36, + 0x11,0xd7,0xdb,0xc5,0x03,0x36,0xfa,0xc7,0x89,0xec,0x40,0x6b,0x39,0x7e,0x1e,0x36, + 0xd7,0xda,0xf9,0xb6,0x24,0xbf,0x63,0x9c,0x82,0xb8,0x59,0x28,0x87,0x47,0x69,0x0c, + 0x73,0x0c,0x98,0x0b,0x2f,0x5a,0x23,0x9d,0xd9,0x5a,0xd5,0x38,0x9a,0x2e,0xc9,0x0c, + 0x57,0x78,0x60,0x47,0x13,0x71,0x03,0x83,0xae,0x55,0xd4,0xd2,0x8c,0x06,0xd4,0xac, + 0x26,0xf0,0xd1,0x23,0x1f,0x1d,0x67,0x62,0xc8,0xe0,0xd9,0x18,0x11,0x81,0x56,0xbc, + 0x63,0x77,0x60,0xda,0xea,0x18,0x47,0x46,0xb8,0xdc,0xf6,0xf6,0x1d,0xb2,0x74,0xa7, + 0xdd,0xce,0xaa,0x07,0x49,0x37,0xab,0xab,0xad,0x45,0x49,0xb9,0x7a,0xb9,0x92,0x49, + 0x4a,0x80,0x72,0x08,0xab,0xd7,0x89,0x82,0x3f,0x5d,0x75,0xc4,0xb9,0x94,0x08,0x9c, + 0x80,0x72,0xcf,0xc2,0x54,0xe0,0xd8,0x20,0x2f,0xd8,0x96,0x47,0x6e,0x96,0xad,0x9d, + 0x30,0x9a,0x0e,0x8e,0x73,0x01,0x28,0x2f,0x07,0xeb,0x2a,0xe8,0xed,0xef,0xb7,0xdb, + 0xbe,0x13,0xb9,0x6e,0x8b,0x40,0x24,0xc6,0xb8,0x4d,0xe0,0xa0,0x5e,0x15,0x02,0x85), + .d = chunk_from_chars( + 0x03,0xb1,0x90,0x5b,0x88,0x3e,0xa9,0xd3,0x2a,0x37,0x96,0x4c,0xf2,0xb3,0x19,0x9c, + 0xb1,0xee,0x5f,0x61,0x1f,0xf2,0xaa,0x16,0x32,0x69,0x94,0x2b,0x35,0x43,0x6a,0x4a, + 0x70,0x8e,0x73,0x71,0x85,0x7b,0x60,0x3f,0xe8,0x4e,0x43,0x7f,0xea,0x0f,0xb9,0xc1, + 0x9c,0xb0,0x9b,0x3c,0x39,0xac,0x82,0xfa,0xf7,0x3f,0x12,0x0a,0xb2,0xdd,0x49,0x57, + 0x0e,0xd9,0xc4,0x3c,0x70,0xf4,0x30,0x20,0x4f,0x77,0x74,0x3b,0x29,0x51,0x23,0x21, + 0x8a,0x5b,0x12,0x83,0xda,0xdf,0x93,0xcf,0xe3,0x73,0x75,0x00,0x0f,0xbe,0x64,0xa5, + 0x3f,0xa4,0xe4,0x0f,0x9a,0x8e,0x40,0x37,0x3f,0x75,0x92,0x35,0x66,0x5a,0xb1,0xf8, + 0x4d,0xd2,0xc8,0xa8,0x0a,0x8c,0x18,0x30,0xe7,0xd6,0x82,0xbd,0xba,0xbc,0xed,0xf3, + 0x22,0xe6,0xc7,0x87,0xcd,0x20,0x84,0xab,0x75,0x27,0x04,0x0e,0x78,0x5a,0x8e,0xf8, + 0x62,0xe0,0x25,0x66,0x99,0x5e,0x3a,0x3c,0x1d,0xb9,0xff,0x04,0x60,0xee,0xdf,0x80, + 
0x78,0x39,0xb8,0x01,0x70,0xfd,0x4f,0xcb,0xd0,0x85,0x04,0x24,0x90,0x7d,0x8f,0x28, + 0x65,0x2c,0xb7,0xe9,0xd3,0x7e,0x1b,0xda,0x2e,0xad,0xb8,0x89,0xe5,0x55,0x0f,0x3c, + 0x49,0x01,0xdb,0x4d,0xb5,0x77,0x5d,0xd9,0xd1,0xe8,0x63,0xda,0xc1,0xe5,0xd9,0x47, + 0xef,0x0b,0x7b,0xcf,0x74,0x6c,0xbf,0xd3,0xe6,0x00,0x0f,0x40,0x92,0xb0,0xb1,0xee, + 0xa7,0x3d,0x15,0x43,0x11,0xb5,0x1b,0xde,0x7e,0x4d,0xff,0x4a,0x5f,0xcd,0x89,0xb8, + 0x28,0x53,0x45,0x65,0x4c,0x4f,0xc6,0x97,0x53,0x4c,0x79,0x41,0x35,0xfd,0x85,0xe8, + 0x73,0x65,0x6e,0xfe,0x2d,0x90,0x28,0xc7,0x36,0xb4,0x6c,0x59,0x1f,0x4d,0x5b,0xa1, + 0x3b,0x44,0xba,0xce,0x0b,0x39,0x7c,0xc1,0x7f,0x5d,0x77,0x93,0x95,0x05,0x9c,0x59, + 0xd3,0x64,0x52,0x93,0xab,0x0d,0x63,0xca,0xe4,0x39,0x20,0x23,0x61,0x9e,0xc5,0x7d, + 0xc4,0x33,0x93,0x23,0x94,0xa9,0xf5,0x9a,0x69,0x0c,0x0d,0xd1,0xe1,0x1c,0xf0,0x92, + 0xba,0x54,0x1c,0x55,0xf3,0xfa,0x89,0x24,0xd2,0x55,0xa1,0x68,0xc3,0xad,0x26,0xe6, + 0xb4,0xe5,0xe0,0x50,0x02,0x6f,0x65,0x0a,0x2a,0xcb,0xb1,0xee,0xc5,0x74,0xcc,0x8b, + 0x14,0x47,0x0b,0x7d,0x3b,0x12,0x2b,0x00,0x95,0x72,0x0f,0x97,0xc6,0x17,0x5c,0x53, + 0xe7,0x60,0x36,0xd5,0xe9,0xb6,0xa2,0xaa,0xba,0x76,0x31,0xab,0x3b,0x7b,0x8a,0xe9), + .e = chunk_from_chars(0x08,0xa6,0x49), + .m = chunk_from_chars( + 0xcc,0x21,0x59,0x3a,0x6a,0x0f,0x73,0x7e,0x29,0x70,0xb7,0xc0,0x79,0x84,0xb0,0x70, + 0xd7,0x61,0x72,0x62,0x96,0xa0,0x7e,0x24,0xe0,0x56,0xe6,0x8f,0xf8,0x46,0xb2,0x9c, + 0xc1,0x54,0x81,0x79,0x84,0x3d,0x74,0xdc,0xee,0x86,0x47,0x98,0x58,0xb2,0xc1,0x6e, + 0x4c,0xb8,0x4f,0x25,0x44,0xb4,0xec,0xdc,0xb4,0xdd,0x43,0xa0,0x4b,0xb7,0x18,0x3a, + 0x76,0x8a,0xe4,0x4a,0x27,0x12,0xbf,0x9a,0xd4,0x78,0x83,0xac,0xc2,0x81,0x2f,0x95, + 0x83,0x06,0x89,0x0e,0xbe,0xa4,0x08,0xc9,0x2e,0xb4,0xf0,0x01,0xed,0x7d,0xbf,0x55, + 0xf3,0xa9,0xc8,0xd6,0xd9,0xf6,0x1e,0x5f,0xe3,0x2e,0xb3,0x25,0x3e,0x59,0xc1,0x8e, + 0x86,0x31,0x69,0x47,0x8c,0xd6,0x9b,0x91,0x55,0xc3,0x35,0xdb,0x66,0x01,0x6f,0x96), + .s = chunk_from_chars( + 0x0a,0xa5,0x72,0xa6,0x84,0x5b,0x87,0x0b,0x89,0x09,0xa6,0x83,0xbb,0x7e,0x6e,0x76, 
+ 0x16,0xf7,0x7b,0xef,0xf2,0x87,0x46,0x11,0x6d,0x8b,0xc4,0xb7,0x33,0x55,0x46,0xb5, + 0x1e,0x80,0x06,0xed,0x0f,0xc9,0xa0,0xd6,0x6f,0x63,0xce,0x0b,0x9e,0xbf,0x79,0x2d, + 0x7e,0xfd,0x43,0x05,0xd7,0x62,0x4d,0x54,0x54,0x00,0xa5,0xfd,0x6a,0x06,0xb7,0x8f, + 0x17,0x4b,0x86,0x80,0x3f,0x7c,0xd1,0xcc,0x93,0xe3,0xa9,0x72,0x86,0xf0,0xea,0x59, + 0x0e,0x40,0xff,0x26,0x19,0x5a,0xa2,0x19,0xfe,0x15,0x10,0xa0,0x16,0x78,0x52,0x23, + 0x60,0x6d,0x93,0x11,0xa1,0x6c,0x59,0xa8,0xfe,0x4a,0x6d,0xa6,0xec,0xd0,0xc1,0xd7, + 0x77,0x50,0x39,0x29,0x0c,0x2a,0xaa,0x17,0xed,0x1e,0xb1,0xb5,0x43,0x74,0xf7,0xe5, + 0x72,0xdb,0x13,0xcc,0xa3,0xa6,0x38,0x57,0x5f,0x80,0x04,0xaa,0x54,0xa2,0xfa,0x98, + 0x42,0x2f,0xc0,0x7e,0x43,0xad,0x3a,0x20,0xdd,0x93,0x00,0x14,0x93,0x44,0x26,0x77, + 0xd8,0x83,0x91,0x4d,0xc7,0x4e,0xc1,0xcb,0xeb,0xbb,0xd3,0xd2,0xb6,0xba,0xd4,0x66, + 0x6d,0x91,0x45,0x7b,0x69,0xb4,0x6a,0x1a,0x61,0xf2,0x12,0x98,0xf1,0xa6,0x79,0x42, + 0xec,0x86,0xc8,0x76,0x32,0x2d,0xd3,0x66,0xed,0x16,0x78,0x14,0xe9,0xc8,0xfc,0x90, + 0x40,0xc5,0xb4,0xb7,0xa8,0x59,0xbb,0xd8,0x80,0xcb,0x6b,0xc2,0x41,0xb9,0xe3,0x27, + 0xce,0x77,0x9e,0x07,0x83,0xb1,0xcf,0x44,0x5e,0x0b,0x2f,0x57,0x71,0xb3,0xf5,0x82, + 0x2a,0x13,0x64,0x39,0x1c,0x15,0x4d,0xc5,0x06,0xff,0xf1,0xfb,0x9d,0x9a,0x35,0xf8, + 0x01,0x99,0xa6,0xb3,0x0b,0x4b,0x92,0xb9,0x26,0x19,0xa4,0x0e,0x21,0xae,0xa1,0x92, + 0x84,0x01,0x58,0x63,0xc4,0x48,0x66,0xc6,0x1e,0xd9,0x04,0xa7,0xad,0x19,0xee,0x04, + 0xd9,0x66,0xc0,0xaa,0xe3,0x90,0x63,0x62,0x43,0x56,0x55,0x81,0xff,0x20,0xbd,0x6e, + 0x3c,0xfb,0x6e,0x31,0xf5,0xaf,0xba,0x96,0x4b,0x31,0x1d,0xc2,0xd0,0x23,0xa2,0x19, + 0x98,0xc8,0xdd,0x50,0xca,0x45,0x36,0x99,0x19,0x0b,0xd4,0x67,0x42,0x9e,0x2f,0x88, + 0xac,0xe2,0x9c,0x4d,0x1d,0xa4,0xda,0x61,0xaa,0xc1,0xed,0xa2,0x38,0x02,0x30,0xaa, + 0x8d,0xbb,0x63,0xc7,0x5a,0x3c,0x1e,0xc0,0x4d,0xa3,0xa1,0xf8,0x80,0xc9,0xc7,0x47, + 0xac,0xdb,0x74,0xa8,0x39,0x5a,0xf5,0x8f,0x5f,0x04,0x40,0x15,0xcc,0xaf,0x6e,0x94), + }, + { + .params = { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, }, + .n = 
chunk_from_chars( + 0xb4,0x3d,0x4a,0x44,0x6d,0xe4,0x5a,0xa8,0xf3,0x36,0xb9,0x3a,0x4c,0x59,0x23,0xf3, + 0xa5,0x38,0x6e,0xf8,0xdd,0x1e,0x94,0xc4,0x23,0x00,0xde,0x08,0x80,0xe9,0xbd,0x08, + 0x28,0xfb,0x32,0xe3,0x6e,0x4c,0x50,0xcb,0xf6,0x66,0x03,0x7a,0x8f,0x2e,0x05,0xf4, + 0x57,0x73,0x89,0x6c,0x10,0xae,0xa9,0x75,0xb3,0xdb,0xf4,0xc4,0xcd,0xfc,0x24,0xa0, + 0x38,0xc5,0xc0,0x6d,0x36,0x1b,0xaf,0x84,0xc3,0x8f,0xc2,0x2c,0x03,0xa3,0x6b,0x9d, + 0xce,0x38,0xe0,0x90,0x11,0x1d,0x9c,0x13,0x23,0xd7,0xa7,0x7d,0x3e,0x04,0xb7,0x13, + 0xfa,0xf7,0x40,0x96,0x5a,0x9e,0x18,0x83,0xee,0x37,0x75,0x48,0x9a,0xb5,0x14,0xce, + 0x48,0x07,0x86,0xf9,0xeb,0x74,0x1c,0x60,0xab,0x89,0x6a,0x9d,0x6e,0xae,0x3a,0x53, + 0xed,0x92,0x68,0x76,0x8c,0x21,0xf7,0x9e,0x30,0x75,0x9e,0x0b,0x01,0xab,0x7f,0xa2, + 0x24,0xea,0x82,0x29,0xc2,0x93,0x78,0x00,0x58,0xf2,0x58,0xe9,0x22,0x6d,0x73,0x74, + 0xac,0x42,0x5e,0xf1,0xd2,0xb6,0xe0,0x6e,0x5b,0x26,0x3d,0xf0,0xc6,0xd6,0x6c,0x00, + 0xed,0x26,0xcb,0xf2,0x46,0xa5,0xaf,0x0a,0x01,0x63,0x33,0x68,0x86,0xef,0x8d,0x92, + 0x9b,0x37,0x74,0x9a,0x08,0xf0,0xec,0x1d,0xb0,0x59,0x73,0xa8,0xaf,0xc8,0x17,0x78, + 0xb6,0xcc,0x91,0x06,0xf9,0x2b,0x14,0x53,0xf1,0x52,0x86,0x97,0xb1,0xdc,0x8d,0xd0, + 0xb2,0x55,0xe8,0x01,0x06,0x0f,0xe1,0x79,0xb2,0xd1,0x0a,0x9c,0x4c,0x3e,0x13,0xf3, + 0xc5,0x6f,0xa6,0xd5,0x51,0x66,0xf6,0x46,0x1a,0xf4,0xaa,0xf4,0xf4,0x16,0x8f,0xd5, + 0xea,0x6d,0xad,0xed,0xaa,0x3f,0x9f,0x1d,0xe4,0xde,0x99,0x3d,0x88,0x44,0x35,0x7c, + 0x0a,0xf7,0x9a,0x09,0x0e,0xcc,0x80,0x57,0x0c,0x64,0x15,0x45,0xbe,0xb4,0x2a,0x12, + 0x48,0xa5,0x2d,0xe6,0x12,0xf2,0xe0,0xf8,0x83,0x44,0x96,0x33,0x1a,0x73,0x54,0xf7, + 0xeb,0x91,0xa1,0x94,0x3b,0x5c,0xb3,0xb6,0xcf,0x19,0x84,0x51,0x73,0x5f,0xb5,0x54, + 0x92,0x2f,0x04,0xf0,0x09,0xa5,0x2a,0x15,0xd9,0x93,0x69,0xad,0xc2,0xe4,0x6b,0x09, + 0xbb,0x87,0x1f,0x4f,0x3e,0xc1,0x90,0x5a,0xcd,0x79,0x2b,0x8c,0x81,0xa3,0xd7,0x4b, + 0x31,0x6f,0xf9,0xd2,0x0b,0x93,0xf4,0x88,0x17,0xae,0x61,0x86,0x77,0xdc,0x94,0x51, + 
0xf5,0x82,0xec,0x99,0x95,0xf4,0x45,0x52,0xf4,0x24,0x49,0x53,0xcd,0xe8,0x3f,0x11), + .d = chunk_from_chars( + 0x05,0x50,0x8e,0x4a,0xec,0x1e,0x7e,0xad,0xdd,0x40,0x20,0x4c,0x8a,0x3a,0x38,0x90, + 0x48,0x79,0x2b,0x4d,0x1f,0x15,0x0d,0xc5,0x3a,0x10,0x9a,0xc8,0x05,0x5f,0xa9,0x49, + 0x22,0x78,0x2c,0x43,0xc3,0x07,0x12,0x36,0x65,0x8b,0x1c,0x7b,0x5d,0x07,0xb2,0xef, + 0xae,0xef,0x39,0x44,0x9e,0x02,0x80,0x97,0x98,0x0b,0x0a,0x3a,0x20,0x40,0x68,0x47, + 0xed,0x3f,0x79,0x5d,0x03,0xd5,0xfc,0xed,0x2a,0x39,0x08,0x24,0x58,0x9f,0x57,0x1f, + 0x5d,0xbb,0x79,0x5d,0x97,0x7e,0x8b,0x76,0x9a,0xdd,0x7f,0x4e,0xe7,0x65,0x82,0x9d, + 0x59,0xb4,0xb5,0xb5,0x8e,0xf0,0xda,0xa6,0xc8,0x68,0x2f,0x13,0x84,0x49,0xd8,0x7a, + 0xd4,0x30,0x7f,0xc0,0x46,0xcc,0xf6,0x36,0x03,0xef,0xf9,0xee,0xb1,0x48,0x2d,0xd7, + 0x4d,0xa2,0x55,0x98,0x4f,0x2b,0xd3,0x00,0xab,0xa6,0xb9,0x54,0x9d,0x5d,0x6e,0xab, + 0x02,0x7f,0x73,0xa8,0xf9,0x69,0x5a,0x81,0x40,0xdd,0x6c,0x83,0x9e,0xd6,0xf0,0x48, + 0x19,0xc3,0x8e,0xac,0xd8,0x75,0x3b,0xbb,0xbd,0x66,0xf3,0x4d,0xd1,0x6d,0xa4,0x04, + 0x4f,0x93,0xa5,0x00,0xc4,0x80,0x3f,0x33,0xf6,0xbc,0x20,0xbe,0x75,0xd1,0x30,0x25, + 0x46,0x1f,0xc5,0xb7,0x83,0xd9,0xc7,0x64,0x64,0xe8,0x95,0xaa,0x82,0x3f,0x18,0xd7, + 0xfe,0x7b,0xac,0xd8,0x91,0xe7,0xf9,0x60,0xfe,0xd6,0xf7,0xe8,0x77,0x41,0x3d,0x46, + 0x0a,0x1d,0xdc,0x4e,0x47,0xe7,0xde,0xcb,0x3f,0xae,0xf4,0x1c,0x34,0x74,0xfc,0x9b, + 0xb4,0x33,0x03,0xb8,0x02,0x71,0x30,0xb4,0x86,0x21,0x58,0xd0,0x17,0xf0,0x57,0x0b, + 0x51,0x9b,0x3f,0x87,0x55,0xe6,0x8b,0xba,0x10,0x38,0xca,0x25,0x0a,0x1c,0x7c,0xda, + 0x22,0xc3,0xbd,0xa9,0xaa,0xca,0x24,0xa5,0x0a,0x56,0x8c,0xca,0x52,0xab,0x72,0x21, + 0x41,0xbf,0x8b,0xdc,0x07,0x77,0x0e,0x69,0x32,0x96,0x64,0x52,0x72,0x58,0x25,0x90, + 0x32,0x8e,0x4f,0x11,0x69,0xac,0x57,0xab,0xa7,0x74,0xa9,0x81,0x89,0x89,0xc4,0xa0, + 0x69,0x10,0x4a,0x9d,0xcc,0xe8,0x72,0xea,0x45,0xb2,0x39,0x2a,0xf7,0x56,0xd9,0x72, + 0x06,0xac,0x90,0x7c,0x6f,0xde,0x9c,0xe5,0x33,0x08,0x3f,0x54,0x68,0xc3,0x04,0xff, + 
0x2e,0x4d,0xef,0xca,0xfb,0xd5,0xe2,0x35,0xa2,0x41,0x56,0xee,0xf6,0x05,0x94,0xe9, + 0xf2,0xf4,0x97,0x40,0xa6,0x0f,0xf3,0x62,0x37,0xc1,0x7e,0x93,0x7c,0x27,0x51,0xf5), + .e = chunk_from_chars(0x09,0x8f,0xfb), + .m = chunk_from_chars( + 0xdd,0xdb,0x05,0xcb,0x9b,0xf1,0x0c,0x14,0xe7,0xdd,0x1e,0x9f,0x3b,0x3d,0x2b,0x32, + 0x9a,0x17,0xf3,0x16,0x76,0x28,0x10,0x11,0xd2,0x78,0x37,0x94,0xa4,0x32,0xbb,0x34, + 0x7d,0xb3,0x52,0x5e,0x6b,0xe1,0x1c,0x47,0x1f,0xbe,0xe1,0x23,0x4b,0x3d,0x9b,0x97, + 0x4e,0x54,0x34,0x70,0x13,0x52,0x90,0x95,0x36,0x73,0xce,0x3a,0x69,0xb1,0xcb,0x57, + 0x17,0xde,0xe8,0x59,0x47,0xf0,0x0e,0x17,0xc2,0x9c,0xef,0x07,0x78,0x26,0x8e,0xb2, + 0x20,0x77,0x01,0x65,0x1f,0x70,0x75,0x2a,0xab,0x7e,0x74,0xf6,0x30,0x6e,0x63,0x24, + 0xf2,0x83,0x4f,0x22,0xf5,0xc6,0xe9,0x6b,0x1a,0x9e,0xce,0xb5,0x8a,0xa0,0x0c,0x6b, + 0x57,0xa8,0xe2,0x5d,0x61,0x29,0xc8,0xb7,0x77,0xc1,0xaf,0x2f,0xbf,0x11,0x8a,0x83), + .s = chunk_from_chars( + 0x11,0x10,0x7c,0x6d,0xa7,0xa7,0x6d,0xba,0x8c,0xe8,0xde,0x3d,0x5c,0x90,0xc6,0xbc, + 0xca,0xf3,0x3f,0xb9,0xa7,0xec,0x4d,0x40,0xa9,0x7f,0xbc,0xde,0xba,0xf6,0xe6,0x5c, + 0x09,0x5b,0x67,0xdf,0xa1,0x71,0xc5,0x4a,0x33,0x64,0xa6,0xde,0xd7,0x18,0xe1,0xbe, + 0xbb,0xb4,0x97,0xd1,0x5f,0x1d,0xe1,0x33,0xb5,0x82,0x97,0xe0,0x8c,0x1b,0x20,0x0f, + 0x84,0x66,0x57,0x9c,0xb8,0xe9,0xc3,0xdb,0xe5,0xf7,0x24,0x28,0x2e,0x5b,0xb2,0x85, + 0x70,0xa4,0x1d,0x8d,0x35,0xad,0x6e,0x13,0x1e,0xb2,0xa1,0xd3,0x29,0xd8,0xb0,0x8d, + 0x10,0xfa,0xf7,0x6f,0xdb,0xe7,0x42,0x17,0xa2,0x76,0x93,0x6b,0x15,0x93,0xb1,0xd3, + 0xa1,0x18,0x91,0xd1,0x86,0x41,0xc0,0xbe,0xe0,0xc3,0x7e,0x68,0xbf,0x75,0xad,0xd9, + 0xe7,0xdc,0xf3,0xb9,0xb4,0x41,0x3f,0xa3,0xec,0x90,0x67,0x60,0x38,0x16,0x1f,0x68, + 0xfe,0x3a,0xf6,0x4d,0x69,0xa1,0x6f,0xc2,0x2c,0x8e,0xa7,0xc0,0x6f,0x86,0xbc,0xbb, + 0xa6,0x67,0x9b,0x6f,0xa4,0x58,0x58,0xc8,0x7e,0xc2,0xda,0x88,0x96,0x92,0x0d,0xfd, + 0x77,0xfd,0x16,0xd9,0x53,0xe9,0x84,0x62,0x42,0x03,0xcc,0x21,0x78,0xd2,0x20,0xfa, + 0x47,0xba,0x9a,0x6d,0xdb,0xe7,0x59,0xdb,0x3d,0xc4,0x22,0x4c,0x7c,0xcb,0x09,0xb2, 
+ 0x9e,0x20,0x07,0x22,0xa7,0x45,0xd3,0x32,0x92,0x09,0x32,0x3a,0x08,0x2a,0x3f,0x7a, + 0x2c,0x62,0x4b,0x40,0x53,0xfa,0x42,0x18,0x3d,0xd2,0x2b,0x7f,0x49,0xc4,0x56,0x9f, + 0x8c,0x3d,0x49,0x51,0x57,0x53,0xb9,0x93,0xef,0x81,0x22,0xc3,0x69,0x85,0xe9,0x6a, + 0x32,0x89,0xaf,0x8d,0x6e,0x22,0x93,0x4b,0xbc,0xf7,0x55,0x1b,0x15,0x70,0x92,0x31, + 0x58,0xd1,0xb5,0x54,0xc1,0x3f,0x4f,0xe0,0x8f,0xaf,0xf4,0x89,0x8b,0xe9,0x2f,0x6e, + 0x66,0xff,0x74,0xa8,0x0b,0x13,0x70,0x3e,0x0d,0x26,0x65,0xdb,0x71,0x5c,0x55,0x9e, + 0x68,0xbe,0xad,0x6f,0x6b,0x75,0x93,0xf0,0x2e,0xfb,0xd6,0x8c,0x67,0x62,0x56,0xae, + 0x86,0x95,0xa5,0x1d,0xab,0x90,0xe3,0x29,0x86,0x69,0x7f,0x4e,0xde,0x07,0x66,0x28, + 0x17,0x6c,0xa6,0xb6,0x51,0x91,0x8d,0x74,0x9f,0xd0,0x1a,0x16,0xa8,0x7a,0xda,0xad, + 0x4a,0xae,0x93,0xb8,0xc0,0x5d,0x92,0x56,0x5e,0xc6,0x82,0x17,0xaa,0xab,0x96,0x76, + 0x23,0xda,0x3e,0x5a,0x50,0x95,0x64,0x2c,0xc1,0x7d,0x73,0x0a,0x6d,0x95,0x9c,0xfa), + }, + { + .params = { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, }, + .n = chunk_from_chars( + 0xb4,0x3d,0x4a,0x44,0x6d,0xe4,0x5a,0xa8,0xf3,0x36,0xb9,0x3a,0x4c,0x59,0x23,0xf3, + 0xa5,0x38,0x6e,0xf8,0xdd,0x1e,0x94,0xc4,0x23,0x00,0xde,0x08,0x80,0xe9,0xbd,0x08, + 0x28,0xfb,0x32,0xe3,0x6e,0x4c,0x50,0xcb,0xf6,0x66,0x03,0x7a,0x8f,0x2e,0x05,0xf4, + 0x57,0x73,0x89,0x6c,0x10,0xae,0xa9,0x75,0xb3,0xdb,0xf4,0xc4,0xcd,0xfc,0x24,0xa0, + 0x38,0xc5,0xc0,0x6d,0x36,0x1b,0xaf,0x84,0xc3,0x8f,0xc2,0x2c,0x03,0xa3,0x6b,0x9d, + 0xce,0x38,0xe0,0x90,0x11,0x1d,0x9c,0x13,0x23,0xd7,0xa7,0x7d,0x3e,0x04,0xb7,0x13, + 0xfa,0xf7,0x40,0x96,0x5a,0x9e,0x18,0x83,0xee,0x37,0x75,0x48,0x9a,0xb5,0x14,0xce, + 0x48,0x07,0x86,0xf9,0xeb,0x74,0x1c,0x60,0xab,0x89,0x6a,0x9d,0x6e,0xae,0x3a,0x53, + 0xed,0x92,0x68,0x76,0x8c,0x21,0xf7,0x9e,0x30,0x75,0x9e,0x0b,0x01,0xab,0x7f,0xa2, + 0x24,0xea,0x82,0x29,0xc2,0x93,0x78,0x00,0x58,0xf2,0x58,0xe9,0x22,0x6d,0x73,0x74, + 0xac,0x42,0x5e,0xf1,0xd2,0xb6,0xe0,0x6e,0x5b,0x26,0x3d,0xf0,0xc6,0xd6,0x6c,0x00, + 
0xed,0x26,0xcb,0xf2,0x46,0xa5,0xaf,0x0a,0x01,0x63,0x33,0x68,0x86,0xef,0x8d,0x92, + 0x9b,0x37,0x74,0x9a,0x08,0xf0,0xec,0x1d,0xb0,0x59,0x73,0xa8,0xaf,0xc8,0x17,0x78, + 0xb6,0xcc,0x91,0x06,0xf9,0x2b,0x14,0x53,0xf1,0x52,0x86,0x97,0xb1,0xdc,0x8d,0xd0, + 0xb2,0x55,0xe8,0x01,0x06,0x0f,0xe1,0x79,0xb2,0xd1,0x0a,0x9c,0x4c,0x3e,0x13,0xf3, + 0xc5,0x6f,0xa6,0xd5,0x51,0x66,0xf6,0x46,0x1a,0xf4,0xaa,0xf4,0xf4,0x16,0x8f,0xd5, + 0xea,0x6d,0xad,0xed,0xaa,0x3f,0x9f,0x1d,0xe4,0xde,0x99,0x3d,0x88,0x44,0x35,0x7c, + 0x0a,0xf7,0x9a,0x09,0x0e,0xcc,0x80,0x57,0x0c,0x64,0x15,0x45,0xbe,0xb4,0x2a,0x12, + 0x48,0xa5,0x2d,0xe6,0x12,0xf2,0xe0,0xf8,0x83,0x44,0x96,0x33,0x1a,0x73,0x54,0xf7, + 0xeb,0x91,0xa1,0x94,0x3b,0x5c,0xb3,0xb6,0xcf,0x19,0x84,0x51,0x73,0x5f,0xb5,0x54, + 0x92,0x2f,0x04,0xf0,0x09,0xa5,0x2a,0x15,0xd9,0x93,0x69,0xad,0xc2,0xe4,0x6b,0x09, + 0xbb,0x87,0x1f,0x4f,0x3e,0xc1,0x90,0x5a,0xcd,0x79,0x2b,0x8c,0x81,0xa3,0xd7,0x4b, + 0x31,0x6f,0xf9,0xd2,0x0b,0x93,0xf4,0x88,0x17,0xae,0x61,0x86,0x77,0xdc,0x94,0x51, + 0xf5,0x82,0xec,0x99,0x95,0xf4,0x45,0x52,0xf4,0x24,0x49,0x53,0xcd,0xe8,0x3f,0x11), + .d = chunk_from_chars( + 0x05,0x50,0x8e,0x4a,0xec,0x1e,0x7e,0xad,0xdd,0x40,0x20,0x4c,0x8a,0x3a,0x38,0x90, + 0x48,0x79,0x2b,0x4d,0x1f,0x15,0x0d,0xc5,0x3a,0x10,0x9a,0xc8,0x05,0x5f,0xa9,0x49, + 0x22,0x78,0x2c,0x43,0xc3,0x07,0x12,0x36,0x65,0x8b,0x1c,0x7b,0x5d,0x07,0xb2,0xef, + 0xae,0xef,0x39,0x44,0x9e,0x02,0x80,0x97,0x98,0x0b,0x0a,0x3a,0x20,0x40,0x68,0x47, + 0xed,0x3f,0x79,0x5d,0x03,0xd5,0xfc,0xed,0x2a,0x39,0x08,0x24,0x58,0x9f,0x57,0x1f, + 0x5d,0xbb,0x79,0x5d,0x97,0x7e,0x8b,0x76,0x9a,0xdd,0x7f,0x4e,0xe7,0x65,0x82,0x9d, + 0x59,0xb4,0xb5,0xb5,0x8e,0xf0,0xda,0xa6,0xc8,0x68,0x2f,0x13,0x84,0x49,0xd8,0x7a, + 0xd4,0x30,0x7f,0xc0,0x46,0xcc,0xf6,0x36,0x03,0xef,0xf9,0xee,0xb1,0x48,0x2d,0xd7, + 0x4d,0xa2,0x55,0x98,0x4f,0x2b,0xd3,0x00,0xab,0xa6,0xb9,0x54,0x9d,0x5d,0x6e,0xab, + 0x02,0x7f,0x73,0xa8,0xf9,0x69,0x5a,0x81,0x40,0xdd,0x6c,0x83,0x9e,0xd6,0xf0,0x48, + 
0x19,0xc3,0x8e,0xac,0xd8,0x75,0x3b,0xbb,0xbd,0x66,0xf3,0x4d,0xd1,0x6d,0xa4,0x04, + 0x4f,0x93,0xa5,0x00,0xc4,0x80,0x3f,0x33,0xf6,0xbc,0x20,0xbe,0x75,0xd1,0x30,0x25, + 0x46,0x1f,0xc5,0xb7,0x83,0xd9,0xc7,0x64,0x64,0xe8,0x95,0xaa,0x82,0x3f,0x18,0xd7, + 0xfe,0x7b,0xac,0xd8,0x91,0xe7,0xf9,0x60,0xfe,0xd6,0xf7,0xe8,0x77,0x41,0x3d,0x46, + 0x0a,0x1d,0xdc,0x4e,0x47,0xe7,0xde,0xcb,0x3f,0xae,0xf4,0x1c,0x34,0x74,0xfc,0x9b, + 0xb4,0x33,0x03,0xb8,0x02,0x71,0x30,0xb4,0x86,0x21,0x58,0xd0,0x17,0xf0,0x57,0x0b, + 0x51,0x9b,0x3f,0x87,0x55,0xe6,0x8b,0xba,0x10,0x38,0xca,0x25,0x0a,0x1c,0x7c,0xda, + 0x22,0xc3,0xbd,0xa9,0xaa,0xca,0x24,0xa5,0x0a,0x56,0x8c,0xca,0x52,0xab,0x72,0x21, + 0x41,0xbf,0x8b,0xdc,0x07,0x77,0x0e,0x69,0x32,0x96,0x64,0x52,0x72,0x58,0x25,0x90, + 0x32,0x8e,0x4f,0x11,0x69,0xac,0x57,0xab,0xa7,0x74,0xa9,0x81,0x89,0x89,0xc4,0xa0, + 0x69,0x10,0x4a,0x9d,0xcc,0xe8,0x72,0xea,0x45,0xb2,0x39,0x2a,0xf7,0x56,0xd9,0x72, + 0x06,0xac,0x90,0x7c,0x6f,0xde,0x9c,0xe5,0x33,0x08,0x3f,0x54,0x68,0xc3,0x04,0xff, + 0x2e,0x4d,0xef,0xca,0xfb,0xd5,0xe2,0x35,0xa2,0x41,0x56,0xee,0xf6,0x05,0x94,0xe9, + 0xf2,0xf4,0x97,0x40,0xa6,0x0f,0xf3,0x62,0x37,0xc1,0x7e,0x93,0x7c,0x27,0x51,0xf5), + .e = chunk_from_chars(0x09,0x8f,0xfb), + .m = chunk_from_chars( + 0xdd,0xdb,0x05,0xcb,0x9b,0xf1,0x0c,0x14,0xe7,0xdd,0x1e,0x9f,0x3b,0x3d,0x2b,0x32, + 0x9a,0x17,0xf3,0x16,0x76,0x28,0x10,0x11,0xd2,0x78,0x37,0x94,0xa4,0x32,0xbb,0x34, + 0x7d,0xb3,0x52,0x5e,0x6b,0xe1,0x1c,0x47,0x1f,0xbe,0xe1,0x23,0x4b,0x3d,0x9b,0x97, + 0x4e,0x54,0x34,0x70,0x13,0x52,0x90,0x95,0x36,0x73,0xce,0x3a,0x69,0xb1,0xcb,0x57, + 0x17,0xde,0xe8,0x59,0x47,0xf0,0x0e,0x17,0xc2,0x9c,0xef,0x07,0x78,0x26,0x8e,0xb2, + 0x20,0x77,0x01,0x65,0x1f,0x70,0x75,0x2a,0xab,0x7e,0x74,0xf6,0x30,0x6e,0x63,0x24, + 0xf2,0x83,0x4f,0x22,0xf5,0xc6,0xe9,0x6b,0x1a,0x9e,0xce,0xb5,0x8a,0xa0,0x0c,0x6b, + 0x57,0xa8,0xe2,0x5d,0x61,0x29,0xc8,0xb7,0x77,0xc1,0xaf,0x2f,0xbf,0x11,0x8a,0x83), + .s = chunk_from_chars( + 0x11,0x10,0x7c,0x6d,0xa7,0xa7,0x6d,0xba,0x8c,0xe8,0xde,0x3d,0x5c,0x90,0xc6,0xbc, 
+ 0xca,0xf3,0x3f,0xb9,0xa7,0xec,0x4d,0x40,0xa9,0x7f,0xbc,0xde,0xba,0xf6,0xe6,0x5c, + 0x09,0x5b,0x67,0xdf,0xa1,0x71,0xc5,0x4a,0x33,0x64,0xa6,0xde,0xd7,0x18,0xe1,0xbe, + 0xbb,0xb4,0x97,0xd1,0x5f,0x1d,0xe1,0x33,0xb5,0x82,0x97,0xe0,0x8c,0x1b,0x20,0x0f, + 0x84,0x66,0x57,0x9c,0xb8,0xe9,0xc3,0xdb,0xe5,0xf7,0x24,0x28,0x2e,0x5b,0xb2,0x85, + 0x70,0xa4,0x1d,0x8d,0x35,0xad,0x6e,0x13,0x1e,0xb2,0xa1,0xd3,0x29,0xd8,0xb0,0x8d, + 0x10,0xfa,0xf7,0x6f,0xdb,0xe7,0x42,0x17,0xa2,0x76,0x93,0x6b,0x15,0x93,0xb1,0xd3, + 0xa1,0x18,0x91,0xd1,0x86,0x41,0xc0,0xbe,0xe0,0xc3,0x7e,0x68,0xbf,0x75,0xad,0xd9, + 0xe7,0xdc,0xf3,0xb9,0xb4,0x41,0x3f,0xa3,0xec,0x90,0x67,0x60,0x38,0x16,0x1f,0x68, + 0xfe,0x3a,0xf6,0x4d,0x69,0xa1,0x6f,0xc2,0x2c,0x8e,0xa7,0xc0,0x6f,0x86,0xbc,0xbb, + 0xa6,0x67,0x9b,0x6f,0xa4,0x58,0x58,0xc8,0x7e,0xc2,0xda,0x88,0x96,0x92,0x0d,0xfd, + 0x77,0xfd,0x16,0xd9,0x53,0xe9,0x84,0x62,0x42,0x03,0xcc,0x21,0x78,0xd2,0x20,0xfa, + 0x47,0xba,0x9a,0x6d,0xdb,0xe7,0x59,0xdb,0x3d,0xc4,0x22,0x4c,0x7c,0xcb,0x09,0xb2, + 0x9e,0x20,0x07,0x22,0xa7,0x45,0xd3,0x32,0x92,0x09,0x32,0x3a,0x08,0x2a,0x3f,0x7a, + 0x2c,0x62,0x4b,0x40,0x53,0xfa,0x42,0x18,0x3d,0xd2,0x2b,0x7f,0x49,0xc4,0x56,0x9f, + 0x8c,0x3d,0x49,0x51,0x57,0x53,0xb9,0x93,0xef,0x81,0x22,0xc3,0x69,0x85,0xe9,0x6a, + 0x32,0x89,0xaf,0x8d,0x6e,0x22,0x93,0x4b,0xbc,0xf7,0x55,0x1b,0x15,0x70,0x92,0x31, + 0x58,0xd1,0xb5,0x54,0xc1,0x3f,0x4f,0xe0,0x8f,0xaf,0xf4,0x89,0x8b,0xe9,0x2f,0x6e, + 0x66,0xff,0x74,0xa8,0x0b,0x13,0x70,0x3e,0x0d,0x26,0x65,0xdb,0x71,0x5c,0x55,0x9e, + 0x68,0xbe,0xad,0x6f,0x6b,0x75,0x93,0xf0,0x2e,0xfb,0xd6,0x8c,0x67,0x62,0x56,0xae, + 0x86,0x95,0xa5,0x1d,0xab,0x90,0xe3,0x29,0x86,0x69,0x7f,0x4e,0xde,0x07,0x66,0x28, + 0x17,0x6c,0xa6,0xb6,0x51,0x91,0x8d,0x74,0x9f,0xd0,0x1a,0x16,0xa8,0x7a,0xda,0xad, + 0x4a,0xae,0x93,0xb8,0xc0,0x5d,0x92,0x56,0x5e,0xc6,0x82,0x17,0xaa,0xab,0x96,0x76, + 0x23,0xda,0x3e,0x5a,0x50,0x95,0x64,0x2c,0xc1,0x7d,0x73,0x0a,0x6d,0x95,0x9c,0xfa), + }, + { + .params = { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, }, + .n = 
chunk_from_chars( + 0xa3,0xf2,0x23,0x5a,0xd2,0x05,0x3b,0x4c,0x83,0xfa,0x38,0xf8,0x28,0x4e,0xd8,0x05, + 0x42,0x16,0x21,0xfe,0x98,0x84,0x5f,0xb0,0x1b,0x68,0x9f,0x5b,0x82,0xb3,0x25,0x11, + 0xb6,0xd1,0x61,0x73,0xe7,0xb4,0x0a,0x66,0xa3,0xa9,0x99,0xc1,0x89,0xbe,0xb9,0xe0, + 0x68,0x22,0x15,0x0a,0xc8,0xbe,0x67,0x71,0x86,0x37,0x0c,0x82,0x3b,0x52,0x77,0xd9, + 0x09,0xde,0x07,0x56,0x4e,0x28,0x1c,0xca,0x2f,0x13,0x87,0x3d,0x9d,0x07,0xb7,0xbd, + 0x85,0xa2,0xb9,0xac,0x66,0xf4,0xce,0x4f,0x5e,0x38,0xb8,0xe9,0xee,0xbe,0xc0,0x4c, + 0x8c,0xaf,0x31,0x1e,0x37,0x5d,0x69,0xe8,0x08,0x51,0xd5,0x59,0xb8,0xe9,0x0e,0x85, + 0xba,0x6b,0x96,0x47,0x67,0x90,0xf7,0x27,0xc2,0x5a,0xa8,0x16,0x30,0x62,0xec,0x85, + 0x43,0xfc,0xc7,0x75,0x9b,0xe6,0x2c,0x77,0x68,0xec,0xc3,0x7f,0x34,0x0b,0xb0,0x61, + 0x02,0x76,0x2b,0xf0,0x44,0x1c,0xa1,0xaa,0x2c,0x7a,0x81,0xbf,0x37,0xdc,0x8b,0x27, + 0x43,0x9d,0x3a,0xbb,0xa9,0x38,0x12,0xc9,0xbb,0x44,0xfe,0x4d,0x6a,0x94,0xba,0xae, + 0x70,0x93,0x79,0xf5,0xce,0x5d,0x0c,0x8f,0x81,0xd0,0x00,0x86,0xb9,0xca,0xa3,0x02, + 0x68,0x19,0x58,0x8f,0x49,0x1b,0x52,0x58,0x07,0x89,0x9c,0xda,0xb3,0x3d,0x8e,0x99, + 0x21,0x50,0xd2,0xb1,0x05,0xd3,0xaa,0xb6,0x15,0x21,0x7c,0x6a,0x3d,0x74,0x08,0x31, + 0xc7,0xdc,0x76,0xfa,0xab,0xd9,0xc9,0xb9,0x81,0x7e,0xad,0x0b,0x49,0x45,0x66,0xde, + 0x14,0x33,0xff,0xf5,0xba,0x46,0x04,0xc6,0xb8,0x44,0x6f,0x6f,0xc3,0x5e,0x74,0x6a, + 0xff,0x84,0xff,0x8b,0xd7,0x50,0x04,0x10,0xd1,0x0e,0x82,0xbf,0x4c,0x90,0x36,0x48, + 0x9d,0xe4,0x7d,0xee,0x9a,0x32,0x7a,0x5c,0x45,0x10,0xd8,0x56,0x13,0x21,0xb9,0x1d, + 0x55,0x55,0x9a,0x4c,0xba,0x85,0xe0,0xc3,0x61,0x76,0x70,0x84,0xb2,0x52,0x17,0xe8, + 0xa6,0x3c,0x4e,0x15,0x1a,0x1e,0x88,0x68,0x9f,0xee,0xcf,0xfd,0x16,0xfa,0x0a,0x65, + 0xae,0x41,0xd2,0xba,0xbc,0xa9,0x9c,0xf1,0xb9,0x59,0xc3,0xc0,0x76,0xc0,0xf7,0x59, + 0x74,0x14,0x6f,0x2c,0xc4,0x94,0x12,0x6f,0xbe,0xca,0xd4,0x21,0x7b,0x9a,0xaa,0x00, + 0xf1,0x69,0xfa,0x51,0x25,0x27,0xff,0x5a,0x0b,0x50,0xda,0x46,0xd6,0xbe,0x87,0x0e, + 
0xce,0xf2,0xaf,0x7a,0x1e,0x6c,0x45,0x56,0xf6,0xf7,0xa0,0xa0,0x0b,0x9f,0x47,0xcb), + .d = chunk_from_chars( + 0x3c,0x27,0x68,0x73,0x67,0xeb,0xd2,0x14,0x0b,0x4f,0x4f,0x20,0x24,0xae,0x38,0xe3, + 0xac,0xde,0xe1,0xfa,0x8a,0xb7,0xce,0xa9,0x91,0x4e,0xec,0xb5,0x80,0x11,0x30,0x15, + 0x1b,0x87,0x9f,0x7d,0xd9,0xc8,0xc5,0x23,0xfb,0xeb,0x16,0xea,0x4c,0x35,0x8b,0xfb, + 0x2b,0x6e,0x49,0x2b,0x46,0x66,0xb4,0xff,0x3f,0x2d,0xce,0xae,0x50,0xc3,0x3e,0xd5, + 0xb2,0x84,0x45,0x40,0x52,0x15,0xb6,0x4d,0xd8,0xd9,0x20,0x06,0xe6,0x81,0xa4,0x5f, + 0x78,0x98,0x34,0x31,0xc0,0xdb,0x66,0x4a,0x78,0x75,0x59,0x47,0x9a,0x3a,0x27,0x9b, + 0xd6,0xab,0x71,0xf9,0xd1,0x5f,0x01,0x09,0x37,0x05,0x47,0xcb,0x12,0xb7,0xaa,0x90, + 0xa8,0x4c,0x1d,0x16,0x51,0xb9,0xbe,0xe5,0xd2,0xe6,0x22,0x60,0x11,0x49,0x18,0x97, + 0xeb,0xf8,0x91,0xfa,0x67,0xcd,0x19,0xfa,0x4f,0xed,0x77,0xcc,0xd5,0xf9,0x63,0x43, + 0x74,0x3d,0x8b,0xd2,0x2e,0x46,0xda,0xbd,0xab,0x46,0x9a,0xdc,0x46,0x4a,0xcf,0x29, + 0xc3,0xa0,0x8f,0x57,0x48,0xf4,0xb0,0x0b,0xb1,0x55,0x87,0xee,0x44,0x4b,0x76,0x5c, + 0x06,0x9d,0xe3,0xe7,0x1d,0x09,0xe2,0x4a,0x69,0xb6,0x27,0xac,0x6f,0xc3,0x49,0x7d, + 0x9d,0x32,0xd7,0x97,0x1f,0xc4,0x47,0x1d,0x5d,0xd4,0x39,0x65,0x2d,0x73,0x93,0xfa, + 0x3b,0x43,0x4b,0x52,0x54,0xa4,0xcb,0x10,0x64,0xde,0xa1,0xd1,0xba,0x41,0x18,0x1a, + 0x6c,0x36,0x72,0xe3,0xe0,0xf6,0xa2,0x84,0xf2,0x31,0x21,0xdc,0x7a,0x14,0xa4,0xc7, + 0xa7,0x6e,0xbc,0x2b,0xfd,0x09,0xcb,0x69,0x84,0x1c,0xa9,0x59,0x07,0xcc,0x30,0xc9, + 0x4e,0x69,0x27,0x51,0x1c,0x72,0xe9,0x7d,0xd3,0x33,0x0b,0xb4,0x56,0x48,0x8d,0x91, + 0x9f,0xaf,0xd6,0xd8,0xf1,0x97,0x59,0xab,0x4c,0x37,0x46,0x63,0x14,0x75,0x1e,0x53, + 0xab,0x13,0x92,0x72,0xe8,0xd6,0x7c,0x0d,0xc0,0x42,0x49,0xd3,0x00,0xee,0x63,0x5a, + 0x20,0xa4,0xf6,0x5e,0xd7,0xcf,0xb3,0x0d,0x18,0x13,0xd0,0xb7,0x58,0x58,0xf2,0xf8, + 0xf9,0x10,0xc0,0x5b,0xcc,0x20,0x13,0xba,0x5c,0x93,0x21,0xc4,0x95,0xe1,0x41,0xa6, + 0x17,0xfa,0x73,0x18,0x19,0x18,0x90,0x9d,0xab,0xc3,0xf9,0xde,0x59,0x4a,0x19,0x33, + 
0x12,0xe1,0x47,0x72,0xb4,0xa5,0x9b,0x4f,0xb7,0x2e,0x73,0x15,0xc0,0x55,0x23,0x6a, + 0x78,0x9e,0xb4,0xd2,0x24,0x60,0x97,0x45,0x72,0x1e,0x73,0x03,0x1c,0x91,0x13,0xe7), + .e = chunk_from_chars(0xb3,0xf5,0x7f), + .m = chunk_from_chars( + 0xbe,0x2f,0x3e,0x1d,0xc8,0xa3,0x71,0x15,0x70,0x40,0x1b,0xd5,0x35,0x18,0x54,0x26, + 0x94,0x4d,0x09,0x4e,0x84,0x81,0xa1,0x2a,0x43,0x8d,0xe0,0x7d,0x54,0x76,0x0c,0x88, + 0xc9,0x9d,0x4f,0xdb,0xbe,0x35,0x5d,0x6a,0x26,0xfa,0x56,0xe3,0xca,0x20,0xee,0x3f, + 0x8e,0x8a,0xcb,0x98,0xf6,0x3d,0x2f,0x3a,0xea,0x14,0xd6,0xfc,0xb6,0xb5,0x22,0xd1, + 0x55,0xc3,0x75,0x9a,0xef,0x56,0xde,0x3e,0xa0,0xa8,0xf9,0xfd,0x7b,0x11,0x10,0x01, + 0xcf,0x35,0x86,0x36,0xa8,0x7c,0x76,0x5c,0x99,0xc2,0x97,0x5b,0xb9,0x50,0x63,0xd6, + 0xec,0x0b,0x78,0x02,0x64,0xec,0x3e,0xb9,0x67,0xb0,0xca,0xca,0x52,0xd1,0x02,0x94, + 0xde,0xb4,0x02,0xd3,0xa2,0x24,0xbf,0xb9,0xd9,0xff,0xea,0x41,0x66,0x2f,0x18,0xc0), + .s = chunk_from_chars( + 0x78,0x7c,0xdd,0x6e,0x1d,0x4f,0xdf,0x9a,0x0d,0x9f,0x96,0x5e,0xb8,0x57,0x25,0x23, + 0x2a,0x9e,0xfc,0xc1,0x2a,0xbf,0xa1,0xef,0x25,0xa8,0x1e,0x09,0x83,0x11,0x1d,0x90, + 0x00,0xd4,0x94,0xfc,0x7d,0x32,0x01,0xeb,0x3b,0xba,0x32,0x73,0x02,0x72,0x7f,0x70, + 0x86,0x14,0x7a,0x75,0x5b,0x48,0x27,0x03,0x0c,0x72,0x76,0x53,0x6f,0x42,0x55,0x93, + 0xab,0x2e,0x91,0x27,0xa1,0x49,0xe7,0x54,0xde,0x7a,0xd7,0x7f,0x8c,0x20,0x43,0x26, + 0x7d,0xb4,0x9f,0x8a,0x35,0x03,0x1d,0x83,0xf1,0x3d,0x14,0x0d,0x5d,0xf4,0xd4,0x24, + 0xb4,0x74,0x54,0x04,0x1a,0x23,0xb9,0x2f,0xf6,0x81,0x8e,0x74,0x9d,0x65,0xd0,0x1f, + 0xc5,0x0b,0xeb,0xf6,0x91,0x52,0xf3,0xf5,0xfc,0xb4,0x87,0x3b,0x10,0x36,0x21,0x9e, + 0x22,0xb1,0xe7,0x4f,0x83,0x68,0xc8,0xc5,0x01,0xce,0x65,0xf2,0xc9,0x29,0xd9,0x0a, + 0x8e,0xc8,0x99,0x63,0x0e,0x80,0x25,0x47,0xa7,0xca,0x6e,0xf1,0x8a,0xb3,0xcb,0x3e, + 0xb4,0xa6,0x91,0xee,0x68,0xae,0xbe,0xaf,0x1b,0x9c,0x05,0x5a,0xd1,0x22,0x18,0x03, + 0x9c,0xf4,0x80,0xcd,0x8d,0x29,0x43,0x32,0xc5,0xe1,0x6e,0xbb,0xe6,0xaf,0x11,0xf8, + 0xf4,0xbf,0x49,0xf9,0xb4,0xed,0x2f,0x51,0x11,0x26,0xae,0x78,0x0a,0x3b,0x78,0x4b, 
+ 0xe8,0xf4,0x42,0x6a,0xbd,0x17,0xf8,0x60,0x00,0x74,0x48,0x3f,0x2a,0xf3,0xb7,0x1a,
+ 0x89,0x64,0xc6,0xe0,0xfa,0x00,0x04,0x9a,0x1d,0x94,0x0d,0x34,0xcc,0x08,0x83,0x9e,
+ 0x0c,0x59,0x25,0x3d,0x99,0xe9,0x0d,0x17,0x87,0x1d,0x48,0x96,0x74,0x69,0x56,0x63,
+ 0x62,0x61,0x66,0xd3,0x6f,0xf9,0x1d,0x8c,0x22,0x99,0xa2,0xf0,0x51,0xea,0xe2,0xd6,
+ 0x0e,0x8e,0xd0,0xbc,0x3f,0xac,0x1e,0x49,0x0b,0x47,0x0c,0x12,0xf3,0xd6,0x97,0xf6,
+ 0xfb,0xfd,0x88,0x0d,0xe2,0xe9,0x0e,0x9f,0xcb,0xd4,0x85,0xfa,0x33,0x93,0x19,0x83,
+ 0x72,0xfb,0x01,0xe4,0xce,0xc5,0xc1,0x59,0x17,0xec,0xdd,0x42,0xe5,0x7c,0x43,0xec,
+ 0xf5,0x5a,0x8c,0x0e,0xcb,0xdc,0xef,0x1b,0xce,0x4e,0x36,0xd9,0x6d,0x46,0xb1,0x12,
+ 0x57,0x0b,0x53,0xf8,0x2f,0x3d,0x20,0x64,0xb0,0x8a,0xc7,0x86,0x13,0x67,0x0a,0x28,
+ 0xea,0x69,0xd7,0x9c,0x71,0x7e,0xb1,0xc2,0x94,0x09,0x0d,0xbd,0x56,0x1f,0xa6,0xe5,
+ 0x04,0xd0,0x9d,0x26,0x57,0x24,0xe3,0x7a,0x2d,0xc6,0xf4,0x45,0xf6,0xf5,0x28,0xc9),
+ },
+};
+
+START_TEST(test_sign_pss_no_salt)
+{
+ private_key_t *privkey;
+ public_key_t *pubkey;
+ chunk_t sig;
+
+ if (!lib->plugins->has_feature(lib->plugins,
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PSS)) ||
+ !lib->plugins->has_feature(lib->plugins,
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PSS)))
+ {
+ warn("%N not supported, skip test", signature_scheme_names,
+ SIGN_RSA_EMSA_PSS);
+ return;
+ }
+ privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+ BUILD_RSA_MODULUS, pss_sign_ns[_i].n,
+ BUILD_RSA_PUB_EXP, pss_sign_ns[_i].e,
+ BUILD_RSA_PRIV_EXP, pss_sign_ns[_i].d, BUILD_END);
+ ck_assert(privkey != NULL);
+ pubkey = privkey->get_public_key(privkey);
+ ck_assert(pubkey != NULL);
+ fail_unless(privkey->sign(privkey, SIGN_RSA_EMSA_PSS,
+ &pss_sign_ns[_i].params, pss_sign_ns[_i].m, &sig),
+ "sign %N", signature_scheme_names, SIGN_RSA_EMSA_PSS);
+ ck_assert_chunk_eq(pss_sign_ns[_i].s, sig);
+ fail_unless(pubkey->verify(pubkey, SIGN_RSA_EMSA_PSS,
+ &pss_sign_ns[_i].params, pss_sign_ns[_i].m, sig),
+ "verify %N", signature_scheme_names, SIGN_RSA_EMSA_PSS);
+ free(sig.ptr);
+ pubkey->destroy(pubkey);
+ privkey->destroy(privkey);
+}
+END_TEST
+
+/**
+ * Test vectors from FIPS 186-4 (only SHA-256)
+ */
+static struct {
+ signature_scheme_t scheme;
+ chunk_t n;
+ struct {
+ bool exp;
+ chunk_t e;
+ chunk_t m;
+ chunk_t s;
+ } tests[6];
+} pkcs15_verify[] = {
+{
+ .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256,
+ .n = chunk_from_chars(
+ 0xc4,0x7a,0xba,0xcc,0x2a,0x84,0xd5,0x6f,0x36,0x14,0xd9,0x2f,0xd6,0x2e,0xd3,0x6d,
+ 0xdd,0xe4,0x59,0x66,0x4b,0x93,0x01,0xdc,0xd1,0xd6,0x17,0x81,0xcf,0xcc,0x02,0x6b,
+ 0xcb,0x23,0x99,0xbe,0xe7,0xe7,0x56,0x81,0xa8,0x0b,0x7b,0xf5,0x00,0xe2,0xd0,0x8c,
+ 0xea,0xe1,0xc4,0x2e,0xc0,0xb7,0x07,0x92,0x7f,0x2b,0x2f,0xe9,0x2a,0xe8,0x52,0x08,
+ 0x7d,0x25,0xf1,0xd2,0x60,0xcc,0x74,0x90,0x5e,0xe5,0xf9,0xb2,0x54,0xed,0x05,0x49,
+ 0x4a,0x9f,0xe0,0x67,0x32,0xc3,0x68,0x09,0x92,0xdd,0x6f,0x0d,0xc6,0x34,0x56,0x8d,
+ 0x11,0x54,0x2a,0x70,0x5f,0x83,0xae,0x96,0xd2,0xa4,0x97,0x63,0xd5,0xfb,0xb2,0x43,
+ 0x98,0xed,0xf3,0x70,0x2b,0xc9,0x4b,0xc1,0x68,0x19,0x01,0x66,0x49,0x2b,0x86,0x71,
+ 0xde,0x87,0x4b,0xb9,0xce,0xcb,0x05,0x8c,0x6c,0x83,0x44,0xaa,0x8c,0x93,0x75,0x4d,
+ 0x6e,0xff,0xcd,0x44,0xa4,0x1e,0xd7,0xde,0x0a,0x9d,0xcd,0x91,0x44,0x43,0x7f,0x21,
+ 0x2b,0x18,0x88,0x1d,0x04,0x2d,0x33,0x1a,0x46,0x18,0xa9,0xe6,0x30,0xef,0x9b,0xb6,
+ 0x63,0x05,0xe4,0xfd,0xf8,0xf0,0x39,0x1b,0x3b,0x23,0x13,0xfe,0x54,0x9f,0x01,0x89,
+ 0xff,0x96,0x8b,0x92,0xf3,0x3c,0x26,0x6a,0x4b,0xc2,0xcf,0xfc,0x89,0x7d,0x19,0x37,
+ 0xee,0xb9,0xe4,0x06,0xf5,0xd0,0xea,0xa7,0xa1,0x47,0x82,0xe7,0x6a,0xf3,0xfc,0xe9,
+ 0x8f,0x54,0xed,0x23,0x7b,0x4a,0x04,0xa4,0x15,0x9a,0x5f,0x62,0x50,0xa2,0x96,0xa9,
+ 0x02,0x88,0x02,0x04,0xe6,0x1d,0x89,0x1c,0x4d,0xa2,0x9f,0x2d,0x65,0xf3,0x4c,0xbb),
+ .tests = {
+ {
+ .exp = TRUE,
+ .e = chunk_from_chars(0x49,0xd2,0xa1),
+ .m = chunk_from_chars(
+ 0x95,0x12,0x3c,0x8d,0x1b,0x23,0x65,0x40,0xb8,0x69,0x76,0xa1,0x1c,0xea,0x31,0xf8,
+ 0xbd,0x4e,0x6c,0x54,0xc2,0x35,0x14,0x7d,0x20,0xce,0x72,0x2b,0x03,0xa6,0xad,0x75,
+
0x6f,0xbd,0x91,0x8c,0x27,0xdf,0x8e,0xa9,0xce,0x31,0x04,0x44,0x4c,0x0b,0xbe,0x87, + 0x73,0x05,0xbc,0x02,0xe3,0x55,0x35,0xa0,0x2a,0x58,0xdc,0xda,0x30,0x6e,0x63,0x2a, + 0xd3,0x0b,0x3d,0xc3,0xce,0x0b,0xa9,0x7f,0xdf,0x46,0xec,0x19,0x29,0x65,0xdd,0x9c, + 0xd7,0xf4,0xa7,0x1b,0x02,0xb8,0xcb,0xa3,0xd4,0x42,0x64,0x6e,0xee,0xc4,0xaf,0x59, + 0x08,0x24,0xca,0x98,0xd7,0x4f,0xbc,0xa9,0x34,0xd0,0xb6,0x86,0x7a,0xa1,0x99,0x1f, + 0x30,0x40,0xb7,0x07,0xe8,0x06,0xde,0x6e,0x66,0xb5,0x93,0x4f,0x05,0x50,0x9b,0xea), + .s = chunk_from_chars( + 0x51,0x26,0x5d,0x96,0xf1,0x1a,0xb3,0x38,0x76,0x28,0x91,0xcb,0x29,0xbf,0x3f,0x1d, + 0x2b,0x33,0x05,0x10,0x70,0x63,0xf5,0xf3,0x24,0x5a,0xf3,0x76,0xdf,0xcc,0x70,0x27, + 0xd3,0x93,0x65,0xde,0x70,0xa3,0x1d,0xb0,0x5e,0x9e,0x10,0xeb,0x61,0x48,0xcb,0x7f, + 0x64,0x25,0xf0,0xc9,0x3c,0x4f,0xb0,0xe2,0x29,0x1a,0xdb,0xd2,0x2c,0x77,0x65,0x6a, + 0xfc,0x19,0x68,0x58,0xa1,0x1e,0x1c,0x67,0x0d,0x9e,0xeb,0x59,0x26,0x13,0xe6,0x9e, + 0xb4,0xf3,0xaa,0x50,0x17,0x30,0x74,0x3a,0xc4,0x46,0x44,0x86,0xc7,0xae,0x68,0xfd, + 0x50,0x9e,0x89,0x6f,0x63,0x88,0x4e,0x94,0x24,0xf6,0x9c,0x1c,0x53,0x97,0x95,0x9f, + 0x1e,0x52,0xa3,0x68,0x66,0x7a,0x59,0x8a,0x1f,0xc9,0x01,0x25,0x27,0x3d,0x93,0x41, + 0x29,0x5d,0x2f,0x8e,0x1c,0xc4,0x96,0x9b,0xf2,0x28,0xc8,0x60,0xe0,0x7a,0x35,0x46, + 0xbe,0x2e,0xed,0xa1,0xcd,0xe4,0x8e,0xe9,0x4d,0x06,0x28,0x01,0xfe,0x66,0x6e,0x4a, + 0x7a,0xe8,0xcb,0x9c,0xd7,0x92,0x62,0xc0,0x17,0xb0,0x81,0xaf,0x87,0x4f,0xf0,0x04, + 0x53,0xca,0x43,0xe3,0x4e,0xfd,0xb4,0x3f,0xff,0xb0,0xbb,0x42,0xa4,0xe2,0xd3,0x2a, + 0x5e,0x5c,0xc9,0xe8,0x54,0x6a,0x22,0x1f,0xe9,0x30,0x25,0x0e,0x5f,0x53,0x33,0xe0, + 0xef,0xe5,0x8f,0xfe,0xbf,0x19,0x36,0x9a,0x3b,0x8a,0xe5,0xa6,0x7f,0x6a,0x04,0x8b, + 0xc9,0xef,0x91,0x5b,0xda,0x25,0x16,0x07,0x29,0xb5,0x08,0x66,0x7a,0xda,0x84,0xa0, + 0xc2,0x7e,0x7e,0x26,0xcf,0x2a,0xbc,0xa4,0x13,0xe5,0xe4,0x69,0x3f,0x4a,0x94,0x05), + }, + { + .exp = FALSE, + .e = chunk_from_chars(0x49,0xd2,0xa1), + .m = chunk_from_chars( + 
0xf8,0x9f,0xd2,0xf6,0xc4,0x5a,0x8b,0x50,0x66,0xa6,0x51,0x41,0x0b,0x8e,0x53,0x4b, + 0xfe,0xc0,0xd9,0xa3,0x6f,0x3e,0x2b,0x88,0x74,0x57,0xaf,0xd4,0x4d,0xd6,0x51,0xd1, + 0xec,0x79,0x27,0x4d,0xb5,0xa4,0x55,0xf1,0x82,0x57,0x2f,0xce,0xea,0x5e,0x9e,0x39, + 0xc3,0xc7,0xc5,0xd9,0xe5,0x99,0xe4,0xfe,0x31,0xc3,0x7c,0x34,0xd2,0x53,0xb4,0x19, + 0xc3,0xe8,0xfb,0x6b,0x91,0x6a,0xef,0x65,0x63,0xf8,0x7d,0x4c,0x37,0x22,0x4a,0x45, + 0x6e,0x59,0x52,0x69,0x8b,0xa3,0xd0,0x1b,0x38,0x94,0x5d,0x99,0x8a,0x79,0x5b,0xd2, + 0x85,0xd6,0x94,0x78,0xe3,0x13,0x1f,0x55,0x11,0x72,0x84,0xe2,0x7b,0x44,0x1f,0x16, + 0x09,0x5d,0xca,0x7c,0xe9,0xc5,0xb6,0x88,0x90,0xb0,0x9a,0x2b,0xfb,0xb0,0x10,0xa5), + .s = chunk_from_chars( + 0xba,0x48,0x53,0x87,0x08,0x51,0x2d,0x45,0xc0,0xed,0xca,0xc5,0x7a,0x9b,0x4f,0xb6, + 0x37,0xe9,0x72,0x1f,0x72,0x00,0x3c,0x60,0xf1,0x3f,0x5c,0x9a,0x36,0xc9,0x68,0xce, + 0xf9,0xbe,0x8f,0x54,0x66,0x54,0x18,0x14,0x1c,0x3d,0x9e,0xcc,0x02,0xa5,0xbf,0x95, + 0x2c,0xfc,0x05,0x5f,0xb5,0x1e,0x18,0x70,0x5e,0x9d,0x88,0x50,0xf4,0xe1,0xf5,0xa3, + 0x44,0xaf,0x55,0x0d,0xe8,0x4f,0xfd,0x08,0x05,0xe2,0x7e,0x55,0x7f,0x6a,0xa5,0x0d, + 0x26,0x45,0x31,0x4c,0x64,0xc1,0xc7,0x1a,0xa6,0xbb,0x44,0xfa,0xf8,0xf2,0x9c,0xa6, + 0x57,0x8e,0x24,0x41,0xd4,0x51,0x0e,0x36,0x05,0x2f,0x46,0x55,0x1d,0xf3,0x41,0xb2, + 0xdc,0xf4,0x3f,0x76,0x1f,0x08,0xb9,0x46,0xca,0x0b,0x70,0x81,0xda,0xdb,0xb8,0x8e, + 0x95,0x5e,0x82,0x0f,0xd7,0xf6,0x57,0xc4,0xdd,0x9f,0x45,0x54,0xd1,0x67,0xdd,0x7c, + 0x9a,0x48,0x7e,0xd4,0x1c,0xed,0x2b,0x40,0x06,0x80,0x98,0xde,0xed,0xc9,0x51,0x06, + 0x0f,0xaf,0x7e,0x15,0xb1,0xf0,0xf8,0x0a,0xe6,0x7f,0xf2,0xee,0x28,0xa2,0x38,0xd8, + 0x0b,0xf7,0x2d,0xd7,0x1c,0x8d,0x95,0xc7,0x9b,0xc1,0x56,0x11,0x4e,0xce,0x8e,0xc8, + 0x37,0x57,0x3a,0x4b,0x66,0x89,0x8d,0x45,0xb4,0x5a,0x5e,0xac,0xd0,0xb0,0xe4,0x14, + 0x47,0xd8,0xfa,0x08,0xa3,0x67,0xf4,0x37,0x64,0x5e,0x50,0xc9,0x92,0x0b,0x88,0xa1, + 0x6b,0xc0,0x88,0x01,0x47,0xac,0xfb,0x9a,0x79,0xde,0x9e,0x35,0x1b,0x3f,0xa0,0x0b, + 
0x3f,0x4e,0x9f,0x18,0x2f,0x45,0x55,0x3d,0xff,0xca,0x55,0xe3,0x93,0xc5,0xea,0xb6), + }, + { + .exp = FALSE, + .e = chunk_from_chars(0x49,0xd2,0xa1), + .m = chunk_from_chars( + 0x91,0x5c,0x5e,0x4c,0x16,0xac,0xfa,0x0f,0x49,0xde,0x43,0xd6,0x49,0x1f,0x00,0x60, + 0xa9,0x44,0x03,0x44,0x75,0xba,0x51,0x85,0x72,0xc0,0x83,0x66,0xa8,0xd3,0x6c,0x7f, + 0x1e,0x6a,0xfc,0x11,0xe5,0xe4,0x64,0x97,0x57,0xbf,0x7b,0x9d,0xa1,0x0a,0x61,0xd5, + 0x7f,0x1d,0x62,0x68,0x47,0x87,0x1d,0x8a,0x29,0x48,0xe5,0x51,0xb5,0x41,0x67,0xc7, + 0x9d,0xe8,0x8d,0x3e,0xbd,0x40,0xa3,0xe3,0x58,0x09,0xb9,0x96,0xa5,0x33,0x48,0xf9, + 0x8a,0x99,0x18,0xc7,0xa7,0xec,0x60,0x68,0x96,0xed,0x30,0xc2,0x71,0xe0,0x0c,0x51, + 0x95,0x3d,0xd9,0x7a,0xa6,0xa8,0xfe,0x1c,0xd4,0x23,0xc3,0x69,0x5c,0x83,0xfc,0xf4, + 0x51,0x20,0xec,0x0a,0x9c,0xd1,0x64,0x46,0x42,0x18,0x2b,0x60,0xe5,0x99,0xa2,0x46), + .s = chunk_from_chars( + 0x3d,0x57,0xea,0x59,0x61,0xdb,0x8f,0xc1,0x44,0x30,0x1c,0xa4,0x27,0x8f,0x79,0x99, + 0x11,0x22,0x9d,0x86,0x5e,0xa3,0xe9,0x92,0xc7,0xfb,0xc4,0xd0,0x3c,0x65,0x51,0x72, + 0x9e,0x26,0x03,0x4e,0x95,0xdd,0x71,0xda,0x31,0x23,0x40,0xe4,0x05,0x1c,0x9d,0xd9, + 0xb1,0x2f,0x77,0x00,0xa8,0x21,0xfe,0x3b,0x7c,0x37,0x78,0x5d,0x51,0x06,0x35,0x0b, + 0x66,0x7a,0xc2,0x55,0xa5,0x7c,0x13,0xda,0x58,0x42,0xd9,0x0b,0xca,0xde,0xa9,0xe6, + 0xb1,0xf7,0x20,0xc6,0x07,0xd6,0x89,0x3a,0x2c,0xaa,0x3c,0x5f,0x3c,0x40,0x74,0xe9, + 0x14,0x45,0x1a,0x45,0x38,0x0a,0x76,0x7c,0x29,0x1a,0x67,0xca,0xc3,0xf1,0xca,0xb1, + 0xfb,0xd0,0x5a,0xdc,0x37,0x03,0x68,0x56,0xa8,0x40,0x4e,0x7c,0xea,0x36,0x54,0x01, + 0x94,0x66,0xde,0x44,0x9a,0xd6,0xe9,0x2b,0x27,0x25,0x4f,0x3d,0x25,0x94,0x9b,0x1b, + 0x86,0x00,0x65,0x40,0x64,0x55,0xa1,0x3d,0xb7,0xc5,0xfe,0x25,0xd1,0xaf,0x7a,0x84, + 0xcd,0xdf,0x77,0x92,0xc6,0x4e,0x16,0x26,0x0c,0x95,0x0d,0x60,0xbd,0x86,0xd0,0x05, + 0x92,0x41,0x48,0xad,0x09,0x7c,0x12,0x6b,0x84,0x94,0x7a,0xb6,0xe8,0x9d,0x48,0xf6, + 0x1e,0x71,0x1d,0x62,0x52,0x2b,0x6e,0x48,0xf1,0x61,0x86,0xd1,0x33,0x9e,0x6a,0xb3, + 
0xf5,0x8c,0x35,0x9e,0xb2,0x4c,0xb6,0x80,0x43,0x73,0x75,0x91,0xcd,0x7d,0x93,0x90, + 0xa4,0x68,0xc0,0x02,0x2b,0x3b,0x25,0x3b,0xe5,0x2f,0x1a,0x7f,0xc4,0x08,0xf8,0x4e, + 0x9f,0xfb,0x4c,0x34,0xfa,0x9e,0x01,0x60,0x58,0x51,0xd6,0x58,0x3a,0xa1,0x30,0x32), + }, + { + .exp = FALSE, + .e = chunk_from_chars(0x07,0x48,0x5b), + .m = chunk_from_chars( + 0x03,0xd2,0xf0,0x69,0x35,0x17,0xcf,0xfb,0x2b,0x72,0x4c,0x1f,0x30,0x50,0x2c,0x53, + 0x59,0xc0,0x51,0xc1,0xbc,0xd8,0x8d,0xc1,0xdd,0x54,0xb8,0x9e,0x69,0x81,0x00,0x9d, + 0x27,0x5a,0x81,0x3b,0x2b,0xf0,0x16,0xb7,0x4d,0x0f,0x6e,0xd0,0xd9,0x1e,0x62,0xd0, + 0x88,0x47,0x85,0xc9,0xaf,0xd8,0xfd,0x1f,0xb7,0xe9,0x92,0x46,0xcd,0x40,0x05,0xcd, + 0xda,0x71,0xa3,0x9c,0xb6,0x49,0x19,0x7a,0x99,0x6d,0x8a,0xd2,0xd2,0x3f,0xdf,0xb6, + 0xbb,0x01,0x5f,0x24,0xec,0x3d,0x7f,0x88,0xaf,0x64,0xfb,0x83,0xb4,0xb5,0x25,0xeb, + 0x06,0x60,0x7d,0x13,0x3e,0xec,0x83,0x4c,0xf7,0xd6,0xc9,0xab,0x81,0x7b,0x4c,0x0d, + 0xda,0x37,0x04,0x59,0xd9,0xcf,0xba,0x05,0xad,0x0c,0x1a,0xdc,0x86,0xa9,0x09,0xfe), + .s = chunk_from_chars( + 0x51,0x1a,0xbd,0x82,0x21,0x8c,0xab,0x34,0x49,0x79,0xb2,0x88,0x7b,0x02,0x60,0x0d, + 0x24,0x27,0xf1,0xeb,0x12,0xac,0x01,0xd9,0x76,0x84,0xc2,0xa4,0x43,0xa9,0x27,0x28, + 0x34,0xc3,0xf7,0x9c,0xde,0xd0,0x7a,0x39,0xdb,0xee,0x37,0x70,0xdd,0xe8,0x27,0xa7, + 0x4d,0xc9,0x94,0xb1,0x7b,0xfd,0x8a,0x26,0xd0,0x7b,0x23,0x9d,0x26,0xd5,0x8c,0x42, + 0xf7,0x9d,0x56,0x02,0x64,0xc3,0x1b,0x7e,0x1c,0x3d,0xdd,0xef,0x6d,0x75,0x56,0xf2, + 0x28,0xc3,0x94,0x41,0x4f,0x4c,0xec,0x56,0x1c,0x3d,0xa2,0x68,0x6a,0x8e,0xeb,0xec, + 0x77,0x02,0xf3,0x28,0x50,0x80,0x9a,0x93,0xde,0xeb,0x84,0xb2,0xa0,0x2f,0xcd,0xba, + 0x22,0x4d,0x2f,0xd9,0xef,0xb8,0xe0,0x56,0xe7,0x96,0xf4,0x9b,0x57,0xd5,0x6e,0x9f, + 0x3e,0x90,0xd0,0xb4,0x9b,0x08,0xbd,0xee,0x93,0xa2,0xe1,0x2e,0x67,0x6f,0xb4,0xd4, + 0xfa,0x83,0x8c,0x5b,0xd8,0x8e,0xda,0x00,0x8f,0x1b,0x59,0x2a,0x72,0x46,0x55,0x87, + 0xbe,0x0a,0xe1,0x7d,0x9b,0x15,0x6b,0x90,0x4f,0x44,0xa7,0xe0,0x4d,0x3b,0x58,0xd2, + 
0x4a,0xd6,0x7b,0x71,0xb0,0xf4,0xc6,0x99,0xfa,0x51,0x63,0x95,0x46,0xb6,0x2b,0x9f, + 0x83,0x59,0x7f,0xf0,0x3d,0x46,0x5f,0x1b,0xb3,0x96,0xae,0x15,0xe9,0x2d,0x0e,0x92, + 0xe8,0x56,0x47,0xd5,0xdf,0x11,0x3e,0x2c,0x75,0x18,0xd0,0xe3,0xad,0x2e,0x7a,0xa7, + 0xda,0xc7,0x20,0xc9,0x83,0x47,0xaa,0x15,0x1e,0x4f,0x37,0xfe,0xa0,0x81,0xdb,0xed, + 0x35,0x0c,0xc9,0xc9,0x3f,0x60,0x6b,0x38,0xf2,0x1a,0x3e,0x5d,0xe6,0xd1,0x40,0xd2), + }, + { + .exp = FALSE, + .e = chunk_from_chars(0x49,0xd2,0xa1), + .m = chunk_from_chars( + 0xdf,0xfe,0x42,0xbf,0xda,0x88,0x6e,0x1a,0x73,0xfe,0x8a,0x8d,0xfc,0xf7,0x1c,0x9f, + 0xb4,0x4d,0xeb,0x05,0x45,0x88,0xa9,0xbb,0x91,0x99,0xd5,0x54,0xae,0xcc,0xe0,0x8f, + 0x2f,0xf8,0x8f,0x2a,0xa6,0xf8,0xa0,0xfb,0x67,0x5f,0xb0,0x3c,0x8e,0x68,0x5c,0x27, + 0x43,0x2c,0xa7,0xc3,0x3c,0x18,0x9b,0xfd,0x84,0x9d,0x34,0xfa,0x7b,0x29,0x79,0xac, + 0x1f,0x57,0xec,0xa3,0x89,0x63,0x24,0x26,0xba,0xe0,0xb9,0x83,0x98,0xad,0x60,0xa3, + 0x34,0x25,0x57,0xe1,0x4e,0x96,0x04,0x1c,0x1b,0xf4,0xd9,0x0b,0x46,0xcf,0x7a,0xd1, + 0x34,0x83,0x22,0xd2,0x8c,0xaf,0x43,0xc4,0xf7,0xe8,0x6c,0x09,0x24,0xae,0x70,0x3c, + 0x10,0x9e,0xc5,0x0a,0x84,0xea,0x2a,0x43,0xdf,0x07,0x8c,0x30,0x15,0xa5,0x2b,0x28), + .s = chunk_from_chars( + 0x8f,0x4d,0xd4,0x79,0x23,0x9f,0x2d,0x08,0xdc,0x05,0xd7,0xd4,0x05,0x39,0x28,0x8b, + 0x67,0xc4,0xd7,0x72,0x10,0xec,0xb1,0x6b,0xe7,0x6f,0x0b,0x19,0x25,0xe8,0xb0,0x88, + 0x57,0x08,0x31,0xe3,0x61,0xa1,0xca,0x57,0x89,0x31,0x35,0xf8,0xaf,0x64,0xb8,0xe2, + 0x99,0x6b,0x8d,0x63,0x58,0x99,0xda,0x4e,0x04,0xc6,0x8a,0xcb,0x9b,0x1b,0x38,0x13, + 0x69,0x7d,0x57,0xda,0x90,0xc5,0x7f,0x18,0x50,0x9e,0x0a,0xb6,0x70,0x5c,0x70,0x4f, + 0xeb,0x44,0x8c,0xca,0x5c,0x07,0xd2,0x58,0xec,0xd8,0x84,0xab,0x93,0xf5,0x08,0xce, + 0xfd,0xb2,0x5f,0x2b,0xc3,0x06,0x1c,0x40,0x06,0x09,0x9e,0x2e,0x33,0xb2,0x79,0x72, + 0xc3,0xed,0xb0,0xa0,0xa3,0x31,0x14,0xd3,0x81,0xc8,0x2a,0xb5,0x06,0xd0,0x41,0xff, + 0x68,0x0a,0xf5,0x95,0xef,0x34,0x00,0xa8,0xbb,0x67,0x74,0x03,0x0d,0x2e,0x38,0xdd, + 
0x30,0x42,0x72,0x09,0x2b,0xd3,0x2a,0x55,0x30,0x17,0xf7,0xbd,0xa4,0xb9,0x98,0xb2, + 0x7a,0xa8,0xac,0xa1,0x2d,0xef,0x32,0x7b,0x1f,0x11,0x06,0x3a,0x53,0x42,0xb0,0xd5, + 0x57,0x38,0x18,0x34,0x17,0xd3,0x21,0xc5,0x68,0x2f,0xc4,0xab,0x64,0xe7,0x91,0x74, + 0x21,0x6f,0xee,0xbb,0x98,0x95,0x21,0xe1,0xe3,0xd8,0x27,0x64,0x70,0x68,0x00,0x3b, + 0xe3,0x4f,0xe1,0xd0,0x93,0x96,0x4d,0x28,0xf4,0x87,0x7c,0x49,0xb4,0x06,0x56,0x72, + 0x44,0x85,0x97,0xa8,0x9b,0x91,0x91,0x9c,0xfb,0x55,0xca,0x13,0x83,0x6e,0x7e,0x6f, + 0x3b,0x3f,0xd0,0x4f,0x41,0x7c,0xf1,0xc1,0x6d,0x98,0x72,0x53,0x8b,0xf4,0xe8,0x7a), + }, + { + .exp = FALSE, + .e = chunk_from_chars(0x49,0xd2,0xa1), + .m = chunk_from_chars( + 0xcf,0xe9,0x97,0x88,0xf5,0x5e,0xc6,0x94,0x49,0x42,0xbd,0x0a,0x18,0x7d,0x51,0xb8, + 0x0f,0xd8,0xbd,0x40,0x51,0xbd,0x4f,0x07,0xc7,0x3e,0x61,0x4e,0xb7,0x5a,0x8b,0x9f, + 0x99,0x7b,0x17,0x6b,0x26,0x42,0xb5,0xf1,0xb1,0x87,0x70,0x61,0xba,0x9c,0xe1,0x42, + 0xc1,0xd2,0xa3,0x11,0x58,0x3f,0x07,0x2b,0x7c,0xbe,0x08,0xed,0x25,0x36,0x81,0x19, + 0x1c,0x20,0x9d,0x7b,0x0d,0x43,0x8f,0xcd,0xdd,0xc2,0x84,0xd9,0x3d,0x59,0xd6,0xdd, + 0x80,0xe4,0x83,0x33,0xa9,0x21,0xdd,0x31,0xc9,0xb6,0x83,0x4f,0x88,0x76,0x8f,0x87, + 0x01,0xe0,0x11,0x02,0xd3,0xe8,0xbd,0xf0,0x74,0xfb,0xe0,0xb8,0xc9,0x3d,0x99,0x51, + 0xf4,0x15,0x45,0xef,0x6e,0xeb,0x3b,0xe3,0x55,0x30,0xba,0xbc,0x07,0x9f,0x1f,0xb3), + .s = chunk_from_chars( + 0x9f,0xd6,0xf6,0x10,0x7e,0x83,0x81,0x07,0xf9,0x06,0xc2,0x6c,0xb2,0x91,0x07,0x04, + 0x59,0x9f,0x17,0x5b,0x6a,0x84,0xdb,0x48,0x5f,0xbc,0x30,0x77,0x6e,0xb7,0xfd,0x53, + 0xbf,0xe2,0x0c,0x38,0xc5,0x37,0xb1,0x54,0xa3,0xe5,0x19,0xb6,0x62,0xbd,0x9f,0xdc, + 0x8e,0x30,0x45,0xe2,0x1f,0x6e,0x5a,0xe9,0x7d,0x0f,0xf6,0xa9,0xd8,0x63,0x28,0x25, + 0x54,0x45,0x25,0xd8,0x4f,0x99,0xf8,0x0e,0x3e,0xd4,0xe6,0x9d,0xc5,0xe2,0x19,0xd5, + 0x9c,0xcf,0xbb,0x37,0xc2,0x3c,0x84,0xfe,0x3b,0x3e,0x6f,0xb2,0x2f,0x40,0x2f,0x94, + 0xe5,0x22,0x5c,0x63,0x87,0xfd,0xf8,0xbc,0xdb,0x35,0x08,0xf8,0x83,0x29,0x08,0xfe, + 
0x05,0x77,0x15,0x21,0xe9,0x22,0x34,0x34,0x80,0x04,0xe8,0xfe,0x19,0xa8,0xf2,0x4b,
+ 0xeb,0xca,0xb9,0xf0,0x74,0x32,0x7c,0x88,0xd0,0x66,0xbc,0x12,0x08,0x17,0x48,0xd6,
+ 0x96,0xbe,0x61,0x35,0xc6,0xae,0xa3,0x22,0x20,0xea,0x78,0x6e,0xbd,0x78,0x00,0xe6,
+ 0x93,0x63,0x65,0xff,0x25,0x83,0x1c,0x28,0xcb,0x6c,0x8a,0x59,0x23,0x7f,0xf8,0x4f,
+ 0x5c,0xf8,0x90,0x36,0xcf,0xf1,0x88,0xee,0x0f,0x9a,0x61,0x95,0xf2,0xb1,0xac,0xa2,
+ 0xe4,0x44,0x2a,0xf8,0x36,0x9f,0x1b,0x49,0x32,0x2f,0xa2,0xf8,0x91,0xb8,0x3a,0x14,
+ 0xa9,0x7b,0x60,0xc6,0xae,0xaf,0xd6,0xc2,0x92,0x80,0x47,0xaf,0xfd,0xa9,0xc8,0xd8,
+ 0x69,0xff,0x52,0x94,0xbb,0x59,0x43,0xad,0x14,0xa6,0xd6,0x4e,0x78,0x4d,0x12,0x6c,
+ 0x46,0x9d,0x51,0xe2,0x92,0xb9,0xce,0x33,0xe1,0xd8,0x37,0x1b,0xa5,0xf4,0x67,0xb3),
+ },
+ },
+},
+};
+
+START_TEST(test_verify_pkcs15)
+{
+ signature_scheme_t scheme = pkcs15_verify[_i].scheme;
+ public_key_t *pubkey;
+ bool result;
+ int i;
+
+ if (!lib->plugins->has_feature(lib->plugins,
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, scheme)))
+ {
+ warn("%N not supported, skip test", signature_scheme_names, scheme);
+ return;
+ }
+ for (i = 0; i < countof(pkcs15_verify[_i].tests); i++)
+ {
+ pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+ BUILD_RSA_MODULUS, pkcs15_verify[_i].n,
+ BUILD_RSA_PUB_EXP, pkcs15_verify[_i].tests[i].e,
+ BUILD_END);
+ ck_assert(pubkey != NULL);
+ result = pubkey->verify(pubkey, scheme, NULL,
+ pkcs15_verify[_i].tests[i].m,
+ pkcs15_verify[_i].tests[i].s);
+ fail_unless(result == pkcs15_verify[_i].tests[i].exp,
+ "verify %N [%d]", signature_scheme_names, scheme, i);
+ pubkey->destroy(pubkey);
+ }
+}
+END_TEST
+
+/**
+ * Test vectors from FIPS 186-4
+ */
+static struct {
+ rsa_pss_params_t params;
+ chunk_t n;
+ struct {
+ bool exp;
+ chunk_t e;
+ chunk_t m;
+ chunk_t s;
+ } tests[6];
+} pss_verify[] = {
+{
+ .params = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = 32, },
+ .n = chunk_from_chars(
+
0xa4,0x7d,0x04,0xe7,0xca,0xcd,0xba,0x4e,0xa2,0x6e,0xca,0x8a,0x4c,0x6e,0x14,0x56, + 0x3c,0x2c,0xe0,0x3b,0x62,0x3b,0x76,0x8c,0x0d,0x49,0x86,0x8a,0x57,0x12,0x13,0x01, + 0xdb,0xf7,0x83,0xd8,0x2f,0x4c,0x05,0x5e,0x73,0x96,0x0e,0x70,0x55,0x01,0x87,0xd0, + 0xaf,0x62,0xac,0x34,0x96,0xf0,0xa3,0xd9,0x10,0x3c,0x2e,0xb7,0x91,0x9a,0x72,0x75, + 0x2f,0xa7,0xce,0x8c,0x68,0x8d,0x81,0xe3,0xae,0xe9,0x94,0x68,0x88,0x7a,0x15,0x28, + 0x8a,0xfb,0xb7,0xac,0xb8,0x45,0xb7,0xc5,0x22,0xb5,0xc6,0x4e,0x67,0x8f,0xcd,0x3d, + 0x22,0xfe,0xb8,0x4b,0x44,0x27,0x27,0x00,0xbe,0x52,0x7d,0x2b,0x20,0x25,0xa3,0xf8, + 0x3c,0x23,0x83,0xbf,0x6a,0x39,0xcf,0x5b,0x4e,0x48,0xb3,0xcf,0x2f,0x56,0xee,0xf0, + 0xdf,0xff,0x18,0x55,0x5e,0x31,0x03,0x7b,0x91,0x52,0x48,0x69,0x48,0x76,0xf3,0x04, + 0x78,0x14,0x41,0x51,0x64,0xf2,0xc6,0x60,0x88,0x1e,0x69,0x4b,0x58,0xc2,0x80,0x38, + 0xa0,0x32,0xad,0x25,0x63,0x4a,0xad,0x7b,0x39,0x17,0x1d,0xee,0x36,0x8e,0x3d,0x59, + 0xbf,0xb7,0x29,0x9e,0x46,0x01,0xd4,0x58,0x7e,0x68,0xca,0xaf,0x8d,0xb4,0x57,0xb7, + 0x5a,0xf4,0x2f,0xc0,0xcf,0x1a,0xe7,0xca,0xce,0xd2,0x86,0xd7,0x7f,0xac,0x6c,0xed, + 0xb0,0x3a,0xd9,0x4f,0x14,0x33,0xd2,0xc9,0x4d,0x08,0xe6,0x0b,0xc1,0xfd,0xef,0x05, + 0x43,0xcd,0x29,0x51,0xe7,0x65,0xb3,0x82,0x30,0xfd,0xd1,0x8d,0xe5,0xd2,0xca,0x62, + 0x7d,0xdc,0x03,0x2f,0xe0,0x5b,0xbd,0x2f,0xf2,0x1e,0x2d,0xb1,0xc2,0xf9,0x4d,0x8b), + .tests = { + { /* Format of the EM is incorrect - hash moved to left */ + .exp = FALSE, + .e = chunk_from_chars(0x10,0xe4,0x3f), + .m = chunk_from_chars( + 0x75,0x18,0xc8,0x5b,0x67,0xe7,0xae,0xf7,0xf2,0x6b,0xf0,0x06,0x89,0x9f,0xae,0xf7, + 0x6e,0x07,0x6f,0x0c,0x6c,0x94,0x6e,0x5d,0xc9,0xc8,0x35,0x21,0x77,0x1a,0x6d,0x29, + 0x8a,0x9c,0xf5,0xad,0xef,0xdb,0x31,0x4b,0x5a,0x07,0xa5,0x4d,0x80,0x54,0xc2,0x2b, + 0x87,0x9f,0xff,0x50,0xba,0x55,0x2c,0x21,0x82,0x91,0x03,0x3c,0x91,0x84,0x01,0xfd, + 0x61,0x1a,0x74,0x47,0xdd,0xda,0xd4,0x81,0x5e,0x0f,0x56,0xde,0xd8,0x25,0xbf,0xe2, + 0x56,0x55,0x76,0x22,0xa3,0x85,0xde,0x4b,0x4a,0x69,0xe2,0x65,0xc1,0xef,0xd2,0x59, + 
0xe2,0xda,0x6d,0xb1,0x9a,0xac,0x3f,0xa0,0xe5,0xca,0x2d,0x42,0xfa,0xdb,0x4e,0x24, + 0xc2,0x71,0xfc,0x07,0x8f,0xeb,0x2b,0xe1,0x0b,0x9a,0xfa,0x25,0x6f,0x22,0x88,0x44), + .s = chunk_from_chars( + 0x99,0x2d,0x48,0xb2,0x1b,0xb3,0xd2,0x21,0x9b,0x44,0xe8,0xfc,0xc8,0x63,0x3c,0xf3, + 0xae,0xb5,0x91,0xde,0x90,0xf4,0x38,0x64,0x96,0xac,0x7e,0xcd,0x28,0x4c,0xb6,0x3d, + 0x7d,0xff,0x81,0xa5,0x0b,0x8c,0x4f,0xed,0x9f,0x2e,0xf7,0x37,0x69,0x2e,0xa6,0xbe, + 0x05,0x24,0x8c,0xa1,0x38,0x94,0x7b,0x49,0xb4,0xe7,0xf3,0xcc,0xe6,0x64,0x0e,0x04, + 0x9a,0xc2,0x15,0x4c,0x40,0xf5,0x7e,0x22,0xfa,0x14,0xf9,0x7e,0x7a,0x95,0x07,0xe1, + 0xdc,0x98,0xb2,0x06,0xce,0x6e,0xa0,0xe1,0x80,0x03,0x91,0x99,0xd1,0xbe,0x0a,0x15, + 0xd1,0xf5,0x09,0x3a,0x45,0x9e,0x51,0x01,0xaa,0xca,0x2a,0x23,0xcb,0x1f,0x59,0xca, + 0xd2,0xf1,0xfb,0x99,0xdc,0x95,0x6b,0x9d,0x43,0x44,0xba,0xd2,0xc1,0x12,0x1d,0x63, + 0xb9,0x15,0x00,0x4a,0xcb,0xfc,0x7a,0xc6,0x0a,0xc9,0xa7,0xb0,0xb1,0xc6,0x81,0x2b, + 0x30,0xbf,0xe0,0x87,0xf7,0xf0,0xc7,0xd1,0x62,0x5f,0x9c,0x4f,0x45,0x85,0x15,0xe1, + 0x14,0x78,0xe3,0x60,0x4a,0xa3,0x9d,0x14,0xd0,0x8b,0xea,0x30,0xb0,0x1f,0xcd,0x61, + 0x89,0xe6,0xf9,0xb7,0x01,0xd3,0x60,0xe4,0x71,0x4d,0x45,0x55,0x6b,0x29,0x81,0x5c, + 0x8d,0x8f,0xa8,0xe4,0x6e,0x10,0x74,0x9b,0xa5,0xe8,0xd4,0x45,0xa4,0xc0,0xf4,0x87, + 0xe7,0x0a,0xb5,0x89,0x0b,0x7c,0xcc,0x16,0x51,0x28,0x2a,0x54,0xe8,0x7e,0x7d,0xb4, + 0xbb,0x2f,0x7d,0x4a,0x67,0x1e,0x71,0xc4,0x3c,0x55,0xcf,0x64,0x86,0x41,0x6f,0x17, + 0x1d,0x19,0x55,0x03,0x74,0x74,0xd0,0x6a,0x71,0xdd,0x07,0x87,0x67,0x84,0x8e,0x5d), + }, + { + .exp = TRUE, + .e = chunk_from_chars(0x10,0xe4,0x3f), + .m = chunk_from_chars( + 0xe0,0x02,0x37,0x7a,0xff,0xb0,0x4f,0x0f,0xe4,0x59,0x8d,0xe9,0xd9,0x2d,0x31,0xd6, + 0xc7,0x86,0x04,0x0d,0x57,0x76,0x97,0x65,0x56,0xa2,0xcf,0xc5,0x5e,0x54,0xa1,0xdc, + 0xb3,0xcb,0x1b,0x12,0x6b,0xd6,0xa4,0xbe,0xd2,0xa1,0x84,0x99,0x0c,0xce,0xa7,0x73, + 0xfc,0xc7,0x9d,0x24,0x65,0x53,0xe6,0xc6,0x4f,0x68,0x6d,0x21,0xad,0x41,0x52,0x67, + 
0x3c,0xaf,0xec,0x22,0xae,0xb4,0x0f,0x6a,0x08,0x4e,0x8a,0x5b,0x49,0x91,0xf4,0xc6, + 0x4c,0xf8,0xa9,0x27,0xef,0xfd,0x0f,0xd7,0x75,0xe7,0x1e,0x83,0x29,0xe4,0x1f,0xdd, + 0x44,0x57,0xb3,0x91,0x11,0x73,0x18,0x7b,0x4f,0x09,0xa8,0x17,0xd7,0x9e,0xa2,0x39, + 0x7f,0xc1,0x2d,0xfe,0x3d,0x9c,0x9a,0x02,0x90,0xc8,0xea,0xd3,0x1b,0x66,0x90,0xa6), + .s = chunk_from_chars( + 0x4f,0x9b,0x42,0x5c,0x20,0x58,0x46,0x0e,0x4a,0xb2,0xf5,0xc9,0x63,0x84,0xda,0x23, + 0x27,0xfd,0x29,0x15,0x0f,0x01,0x95,0x5a,0x76,0xb4,0xef,0xe9,0x56,0xaf,0x06,0xdc, + 0x08,0x77,0x9a,0x37,0x4e,0xe4,0x60,0x7e,0xab,0x61,0xa9,0x3a,0xdc,0x56,0x08,0xf4, + 0xec,0x36,0xe4,0x7f,0x2a,0x0f,0x75,0x4e,0x8f,0xf8,0x39,0xa8,0xa1,0x9b,0x1d,0xb1, + 0xe8,0x84,0xea,0x4c,0xf3,0x48,0xcd,0x45,0x50,0x69,0xeb,0x87,0xaf,0xd5,0x36,0x45, + 0xb4,0x4e,0x28,0xa0,0xa5,0x68,0x08,0xf5,0x03,0x1d,0xa5,0xba,0x91,0x12,0x76,0x8d, + 0xfb,0xfc,0xa4,0x4e,0xbe,0x63,0xa0,0xc0,0x57,0x2b,0x73,0x1d,0x66,0x12,0x2f,0xb7, + 0x16,0x09,0xbe,0x14,0x80,0xfa,0xa4,0xe4,0xf7,0x5e,0x43,0x95,0x51,0x59,0xd7,0x0f, + 0x08,0x1e,0x2a,0x32,0xfb,0xb1,0x9a,0x48,0xb9,0xf1,0x62,0xcf,0x6b,0x2f,0xb4,0x45, + 0xd2,0xd6,0x99,0x4b,0xc5,0x89,0x10,0xa2,0x6b,0x59,0x43,0x47,0x78,0x03,0xcd,0xaa, + 0xa1,0xbd,0x74,0xb0,0xda,0x0a,0x5d,0x05,0x3d,0x8b,0x1d,0xc5,0x93,0x09,0x1d,0xb5, + 0x38,0x83,0x83,0xc2,0x60,0x79,0xf3,0x44,0xe2,0xae,0xa6,0x00,0xd0,0xe3,0x24,0x16, + 0x4b,0x45,0x0f,0x7b,0x9b,0x46,0x51,0x11,0xb7,0x26,0x5f,0x3b,0x1b,0x06,0x30,0x89, + 0xae,0x7e,0x26,0x23,0xfc,0x0f,0xda,0x80,0x52,0xcf,0x4b,0xf3,0x37,0x91,0x02,0xfb, + 0xf7,0x1d,0x7c,0x98,0xe8,0x25,0x86,0x64,0xce,0xed,0x63,0x7d,0x20,0xf9,0x5f,0xf0, + 0x11,0x18,0x81,0xe6,0x50,0xce,0x61,0xf2,0x51,0xd9,0xc3,0xa6,0x29,0xef,0x22,0x2d), + }, + { /* Message changed */ + .exp = FALSE, + .e = chunk_from_chars(0x10,0xe4,0x3f), + .m = chunk_from_chars( + 0xa3,0xbf,0x44,0xca,0xe8,0xaa,0x83,0x47,0xfd,0x07,0xd8,0x4a,0x33,0xee,0xc5,0xdb, + 0xbd,0xd7,0xb6,0x43,0x13,0x68,0x88,0x7c,0x98,0x8c,0x4b,0xe7,0x79,0xc5,0x47,0x3d, + 
0xd8,0xc3,0x3e,0xc8,0x2a,0x35,0xf1,0xd3,0xdd,0xdf,0xe5,0x5f,0x3e,0xed,0x67,0x17, + 0x9b,0x87,0xce,0x86,0xa4,0xa5,0x00,0x88,0x17,0x25,0x38,0xfe,0x9d,0x1b,0x06,0xc6, + 0xef,0x68,0x97,0xeb,0x3c,0x8e,0x36,0x18,0xcf,0xc2,0x13,0x53,0xed,0x43,0x43,0xe7, + 0xfc,0xeb,0x09,0xa2,0xeb,0x03,0x54,0x41,0xcd,0x5c,0x88,0x29,0xc7,0x9b,0x81,0x58, + 0x2d,0xd5,0xd6,0x9a,0xe8,0x5c,0x5a,0x00,0x1b,0xd8,0xe9,0x8e,0x06,0x99,0x61,0x34, + 0x2a,0x2b,0xee,0x00,0xad,0x2b,0x8b,0x91,0x01,0x5a,0xc5,0xcf,0xc1,0xf0,0xc2,0xd9), + .s = chunk_from_chars( + 0x87,0x7f,0x20,0xee,0xd6,0x0f,0x8c,0xe2,0x86,0x10,0x8a,0x5d,0xde,0x9b,0x68,0x28, + 0xb3,0x7e,0x3f,0xbd,0xb0,0x8f,0xe1,0x53,0xe5,0x91,0x51,0x38,0x97,0x44,0x0f,0x21, + 0xf8,0x12,0x14,0x59,0x8f,0xba,0x08,0xea,0x07,0x73,0x94,0xba,0x8c,0x2a,0x44,0xaa, + 0x4f,0x0d,0x8f,0x3a,0x5f,0xba,0xec,0x3d,0xc6,0x9b,0x3b,0xdd,0xfb,0xe2,0x83,0x97, + 0xc9,0x0a,0xdf,0x35,0xd0,0x8e,0xa7,0x71,0xc7,0xaa,0xa3,0x1e,0xb0,0x64,0x13,0xc1, + 0xc6,0x2b,0x77,0x61,0x8a,0xf9,0x40,0xf4,0xc7,0x18,0x59,0xfa,0x43,0x84,0xd2,0x9b, + 0x48,0xe5,0xcf,0xc9,0x41,0xd6,0x9b,0xf0,0xa3,0x80,0x4d,0x20,0x08,0xe7,0x58,0x74, + 0x2b,0x8e,0xd6,0x87,0x54,0xbc,0x71,0xd2,0x31,0x62,0x3d,0x18,0x13,0x47,0xc3,0x68, + 0x33,0xa7,0xd7,0x16,0x0f,0x74,0x2a,0x37,0xce,0x7d,0x43,0x2d,0x74,0x8e,0x51,0x4a, + 0xa7,0xd8,0x15,0x6b,0x50,0xc5,0x32,0x15,0x13,0x90,0xd0,0x86,0xcd,0xcf,0x9d,0x59, + 0xf1,0x22,0xc6,0xd9,0x7f,0x4c,0xcb,0x73,0x72,0x89,0xf7,0xb0,0x0a,0x23,0x7c,0xb6, + 0xb4,0xaa,0xe6,0xba,0x79,0xd4,0x1f,0xf7,0x3d,0x01,0x9a,0x26,0xb5,0x9a,0xde,0x04, + 0xc9,0x67,0x35,0x6e,0x2a,0xad,0x52,0xf1,0x15,0x35,0x7f,0xfb,0x76,0x76,0xf1,0x90, + 0xdb,0x38,0xdc,0xfc,0x98,0x66,0x6e,0x5b,0x25,0x85,0x59,0xc8,0xc8,0x5f,0xa3,0x29, + 0x42,0xcb,0xcb,0x99,0xd7,0x57,0xe8,0x84,0x7e,0x56,0xa1,0x68,0x7b,0x33,0x02,0x41, + 0x56,0x98,0x70,0x81,0x91,0xb1,0x36,0xd9,0x23,0x34,0x9b,0x02,0xfe,0x38,0xb6,0xbe), + }, + { /* Signature changed */ + .exp = FALSE, + .e = chunk_from_chars(0x10,0xe4,0x3f), + .m = chunk_from_chars( + 
0xe1,0xc4,0x6c,0x30,0x9b,0x63,0x66,0xfb,0x4d,0x56,0xac,0x08,0xc9,0x39,0x3c,0xee, + 0x9a,0x7c,0x95,0xbb,0xe7,0xb7,0xc0,0xe7,0x9a,0x3d,0x91,0x87,0xc0,0xf4,0x2b,0xc3, + 0x33,0x64,0xc2,0x8a,0x77,0x0d,0xa5,0x85,0xe3,0xfe,0x7b,0x49,0x01,0xa3,0xcc,0xd0, + 0x37,0xdf,0xc4,0x2a,0xa6,0x5a,0x34,0x70,0x52,0x1d,0xda,0xfa,0x83,0x5c,0xe2,0xd1, + 0x6c,0x92,0xac,0x67,0x0b,0xd4,0xd0,0x86,0x50,0x5e,0x60,0x87,0x81,0x73,0x6d,0xc4, + 0xdd,0x64,0xcc,0x50,0x80,0xee,0x19,0xe5,0x86,0xc8,0xfd,0x1d,0x73,0x7d,0xad,0xe5, + 0xd3,0x78,0xb3,0x2f,0x1d,0x5d,0xf1,0xe8,0xdd,0xa0,0xe3,0x2a,0x12,0x50,0x24,0xb2, + 0xd5,0x33,0x34,0x94,0x3c,0x18,0x78,0x2d,0x7e,0x69,0x82,0x5a,0x58,0x00,0x93,0xe7), + .s = chunk_from_chars( + 0x8e,0xd1,0xf2,0x8f,0xd1,0x6d,0x45,0xd4,0x16,0xa2,0x15,0x54,0xe1,0x04,0xc0,0x06, + 0xfd,0x78,0x68,0xe5,0x89,0x5e,0x8b,0x99,0x83,0x1a,0xe0,0x93,0x81,0x35,0xb5,0x43, + 0x61,0x0d,0xf6,0x4a,0x8c,0x35,0x74,0xd0,0x81,0x18,0xbf,0xe3,0x96,0xf9,0xa5,0x60, + 0x9a,0x8d,0xbd,0xa2,0x1b,0x9a,0x85,0x30,0xff,0x0b,0xa9,0x0e,0x62,0x9d,0x6a,0xbe, + 0x30,0xd2,0xc1,0xb5,0x90,0x60,0x0d,0xb9,0x71,0xfc,0xda,0x80,0xe6,0xea,0xa8,0x40, + 0x17,0xe2,0x09,0xb9,0xbd,0x3b,0x64,0x1f,0x3c,0x81,0xd5,0xd2,0x7f,0x84,0x2b,0xec, + 0x80,0x19,0x79,0x0e,0xd9,0x9a,0x0e,0x5d,0xb4,0xae,0xdc,0x1c,0x07,0x0b,0x04,0x7c, + 0x19,0x41,0x0c,0xbc,0x56,0xe9,0xa0,0xff,0x12,0xd8,0xf6,0xe5,0xd7,0x37,0x1b,0x10, + 0x11,0xec,0xfe,0xcf,0x7b,0xe7,0xa7,0x4f,0x94,0x40,0x35,0x90,0xa5,0x2f,0x95,0x23, + 0x8d,0xd6,0x9e,0x0b,0x5f,0x4c,0x1f,0xcd,0xe9,0x7e,0xcf,0xdb,0x1a,0xcc,0x38,0x03, + 0xe5,0x9a,0xd8,0xb3,0x08,0x8b,0x2b,0xc5,0x09,0xe3,0xdd,0x12,0xd4,0x0d,0x87,0x56, + 0x25,0xdc,0x83,0x62,0xc5,0x79,0x17,0x67,0x99,0xc7,0x5e,0x4f,0xad,0xcd,0xb3,0x92, + 0xc6,0x8f,0x40,0x1f,0x68,0xd8,0x54,0xe4,0x63,0x77,0xf0,0x84,0xc0,0x81,0xf9,0xd8, + 0x37,0x43,0x03,0x9f,0x69,0x34,0x72,0x2e,0x30,0xef,0x3f,0x02,0x26,0xbc,0x84,0x1d, + 0x79,0xa4,0xeb,0x68,0xc5,0xcc,0xcb,0xb6,0xae,0x0e,0x92,0x00,0x44,0x4e,0x50,0xff, + 
0x0d,0x09,0x53,0x04,0x7e,0xf9,0x55,0xd2,0xd3,0x9a,0x70,0xc3,0xb8,0x37,0xc5,0xf4), + }, + { /* Format of the EM is incorrect - 00 on end of pad removed */ + .exp = FALSE, + .e = chunk_from_chars(0x10,0xe4,0x3f), + .m = chunk_from_chars( + 0x92,0x5d,0x59,0xf9,0x53,0xcb,0x3f,0xfb,0x6d,0x5a,0x3a,0x55,0xc0,0x79,0xcb,0x10, + 0x83,0x99,0x75,0x36,0xe3,0x3d,0x7c,0x8a,0xed,0x50,0xed,0x76,0xae,0xbc,0xde,0x45, + 0x99,0x38,0xf7,0x92,0x29,0x61,0x32,0x00,0xc7,0x0d,0xde,0x2c,0xed,0xdc,0xea,0xe0, + 0x8c,0x10,0x60,0x8a,0xab,0x9e,0x30,0xec,0x51,0x84,0x2f,0x14,0xa6,0x5e,0x5f,0x8f, + 0x55,0x34,0x71,0xda,0x34,0x97,0x88,0x19,0x27,0xec,0x40,0x0b,0x42,0x07,0xef,0x3e, + 0x2d,0xfc,0x2b,0x7f,0xcd,0x31,0x8c,0x95,0x20,0xb8,0xb2,0x2f,0x69,0xdc,0x8a,0x1a, + 0x8e,0xfa,0xce,0xb7,0xbe,0x93,0xcb,0xad,0x56,0x9e,0x67,0xdb,0x06,0x23,0x62,0x91, + 0x30,0x05,0xdc,0xff,0x90,0x20,0x18,0xed,0x22,0x93,0x7f,0xad,0x40,0x5f,0xe8,0x4e), + .s = chunk_from_chars( + 0x62,0xb0,0x7f,0x6d,0x1b,0x8f,0x13,0x65,0x1d,0x7f,0x22,0xce,0x2c,0xe0,0x10,0x61, + 0x09,0x00,0x29,0xdb,0x5a,0xf7,0xdc,0xec,0xfe,0xaf,0xef,0x20,0x62,0x1d,0xd9,0xe2, + 0x54,0xa0,0xfb,0x91,0x4f,0x76,0xa3,0xd7,0x96,0x62,0x25,0x74,0x89,0xcb,0x81,0x22, + 0x70,0x85,0x83,0xd3,0x07,0x78,0x79,0x1a,0x77,0xda,0x83,0xc7,0xbe,0xa8,0x11,0x40, + 0xc6,0x1e,0x4d,0x04,0x84,0x80,0x6e,0x20,0xfb,0x85,0xf2,0x4d,0x1b,0xbf,0x77,0x4e, + 0xf2,0xed,0x38,0x80,0x9c,0x9b,0x14,0xf2,0xa5,0x8c,0x6e,0x86,0x49,0xb7,0x60,0xba, + 0xa9,0x01,0x54,0x45,0x22,0xed,0x94,0xbd,0x40,0x5c,0x77,0x20,0x1d,0x07,0xc8,0xd1, + 0x28,0x64,0xa8,0xd1,0xe9,0x7a,0x4d,0x32,0x2c,0x29,0x99,0x4b,0x21,0x4f,0xc8,0x3c, + 0x2e,0xcd,0x5c,0x95,0x5b,0x9b,0xde,0xc4,0x24,0xe7,0xca,0x5a,0x13,0x25,0xec,0x0a, + 0xae,0x4a,0xb0,0xc2,0x02,0xb9,0x80,0xa2,0x18,0x7f,0x09,0x6a,0xaa,0xaa,0x5e,0x85, + 0x55,0x0e,0xbd,0x32,0x57,0x99,0xf4,0xf3,0x0e,0xf2,0xea,0xd0,0x7e,0x79,0xc7,0xa4, + 0x75,0x66,0x7f,0x59,0x65,0xe6,0xb5,0x02,0x69,0x51,0x36,0x59,0xab,0x59,0x62,0xa3, + 
0x91,0xc4,0x3c,0xbc,0x3a,0x3d,0xa3,0x4c,0x0f,0xdd,0x15,0x46,0xc4,0x0e,0xa7,0xe2, + 0xeb,0x53,0x52,0xce,0x6a,0x06,0xce,0x6a,0x63,0x85,0xca,0x0d,0xdd,0x5d,0x16,0x2c, + 0x13,0x78,0x36,0xdf,0x9e,0xa1,0xf8,0x9c,0xfa,0x00,0xc3,0xeb,0x16,0x71,0xa4,0x3b, + 0xd6,0x25,0x52,0x6f,0x3b,0x6b,0xa8,0xe4,0x8a,0x7a,0x2d,0x56,0xfb,0x4f,0x01,0xc6), + }, + { /* Public Key e changed */ + .exp = FALSE, + .e = chunk_from_chars(0x3c,0x6c,0xd1), + .m = chunk_from_chars( + 0x08,0xd3,0xac,0x24,0xa5,0x95,0xda,0x81,0x1c,0xc9,0xbb,0xa7,0x88,0x28,0xf1,0x45, + 0x2f,0xf3,0x90,0xae,0x65,0x3f,0x22,0xd1,0xad,0x91,0xef,0x6b,0x22,0xaa,0x7b,0x7b, + 0x15,0xa4,0x4f,0xf7,0xf8,0x3e,0xfc,0xbd,0x7a,0x75,0x5e,0xcc,0xf4,0x54,0x1e,0xb4, + 0x04,0x0c,0x7a,0x4b,0x77,0x47,0x49,0xa2,0x6d,0xba,0x39,0x37,0xb7,0xf9,0x5c,0x6c, + 0x84,0x90,0xe3,0x38,0x3d,0x4f,0x29,0x1d,0xad,0xe5,0xf3,0x5a,0x65,0xb1,0xf6,0x61, + 0x5f,0xd4,0x99,0x8b,0xe1,0x8b,0xfd,0x0b,0xa4,0xbc,0x3a,0x21,0x36,0xce,0xec,0x90, + 0x9d,0xbe,0xef,0x51,0x3d,0x6f,0x66,0x89,0xfc,0x42,0x02,0xb9,0xa3,0xe7,0x81,0x34, + 0x87,0x73,0x74,0xd7,0x6a,0xb2,0x46,0xf4,0x9c,0xbe,0x7a,0x8f,0x65,0xd0,0x34,0xcd), + .s = chunk_from_chars( + 0x72,0xea,0x7d,0x66,0x9a,0xc6,0x99,0xa1,0x49,0xc1,0x3a,0xa1,0x68,0xeb,0x3e,0x14, + 0x8f,0x59,0x0b,0xbc,0x04,0x24,0x95,0x1f,0x1c,0x31,0x44,0xc5,0x41,0x91,0x55,0x73, + 0xec,0xf0,0x5c,0xab,0xb5,0x27,0x54,0x88,0xc9,0x8d,0x0e,0xbe,0x55,0xb1,0xf1,0xaf, + 0x49,0xef,0x8c,0xc7,0x2c,0xf0,0x0e,0x84,0x98,0x97,0xc6,0xaf,0xa5,0x38,0x33,0xca, + 0xf9,0xff,0xc0,0x0e,0xb8,0x4c,0xfe,0x55,0xb8,0x27,0x7e,0x93,0xa6,0xac,0x3e,0x04, + 0xb1,0x11,0xc9,0xd0,0x7a,0xd6,0x20,0x82,0xca,0x32,0x85,0x4c,0x40,0xde,0x1e,0x09, + 0x56,0xa1,0x8f,0x84,0x60,0x43,0x84,0x84,0x40,0x3a,0xbb,0x91,0xe6,0xfa,0xd1,0x2b, + 0x28,0xf1,0x14,0x15,0x7f,0x1b,0x6e,0xf5,0x63,0xd2,0xfa,0x43,0x8c,0xcb,0x8a,0x16, + 0xaa,0x3a,0xfe,0x6e,0xc5,0xe9,0x83,0x65,0xc3,0x0d,0x9a,0x35,0x5e,0x7e,0x14,0xb0, + 0x39,0xbb,0xde,0xcf,0x59,0xf9,0x12,0x48,0xd0,0xf1,0xe3,0x17,0xd2,0xe3,0xc8,0x19, + 
0x09,0x6e,0xd6,0x8c,0xf9,0x83,0x61,0xd7,0xf9,0x31,0x0b,0x35,0x4f,0x4f,0x45,0xe2, + 0xf7,0xc4,0xdf,0xb8,0x2c,0x21,0x8c,0xd4,0x38,0xf3,0x17,0x4a,0x6f,0x01,0x7f,0x0f, + 0x14,0x8a,0x71,0xc4,0x0a,0xd5,0xb7,0xe2,0xc8,0x08,0x1d,0xdb,0xae,0xaa,0x76,0x4d, + 0x60,0x1b,0xb2,0xe0,0x75,0xeb,0x36,0x18,0xaa,0xba,0xa4,0xb5,0x06,0x00,0x22,0xc6, + 0xd2,0x3e,0xf0,0x72,0x64,0x36,0x86,0xa7,0x59,0x22,0x7d,0xae,0xf0,0x33,0x1b,0x28, + 0xee,0x76,0xda,0x4a,0xb3,0xb5,0xad,0x5d,0xda,0x89,0x91,0xb9,0x93,0x7d,0x1a,0x59), + }, + }, +},{ + .params = { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, .salt_len = 64, }, + .n = chunk_from_chars( + 0xa6,0x77,0x52,0x5e,0x1a,0x69,0x54,0x6a,0x96,0xdc,0x7b,0x11,0x23,0x50,0xd5,0xe4, + 0x86,0x4f,0x0f,0x82,0xe9,0x99,0xa7,0x14,0xfa,0x9f,0x43,0xac,0x68,0x15,0x17,0xd3, + 0x97,0x59,0x10,0xc2,0xd8,0x06,0xbb,0x3e,0xe6,0xdb,0xf5,0xdb,0xa1,0xd9,0x69,0xb3, + 0x88,0x89,0xe1,0x13,0xc2,0xda,0x76,0xee,0xf4,0x41,0x2a,0x60,0xcb,0xd8,0x9f,0xaf, + 0x35,0xb2,0xbd,0xcb,0x0d,0xe3,0x6a,0x2c,0xb7,0x62,0xcd,0x8f,0x2f,0x29,0xae,0xd9, + 0x98,0x2a,0x9a,0xb6,0x08,0x86,0xcc,0x8f,0xbf,0xee,0x9b,0x2a,0xe0,0x9c,0x88,0x16, + 0x1e,0x91,0x59,0xd4,0xfc,0x83,0x3a,0xdc,0x4f,0x80,0xe4,0xbf,0x62,0x9d,0x5a,0x95, + 0x51,0xac,0xce,0x7a,0x39,0x38,0x63,0x0c,0x2b,0xf9,0x95,0x60,0x97,0x64,0x2e,0x3b, + 0xc6,0x0a,0xc6,0x52,0x20,0x17,0x84,0x1b,0x65,0xc7,0xa2,0x51,0x97,0x86,0x5e,0x69, + 0x77,0x53,0xb0,0x81,0x69,0x85,0x36,0x81,0x91,0x14,0x43,0xa2,0xb2,0x5f,0x1b,0x7c, + 0x46,0x96,0xf9,0x46,0x15,0x5b,0x26,0x64,0xb6,0x7b,0x40,0x87,0x8d,0x3b,0x45,0xc3, + 0xe0,0xd7,0x03,0x4d,0x5b,0x5e,0xe6,0xf5,0xba,0x8f,0xb3,0xca,0xe7,0x79,0x7e,0x85, + 0x78,0x99,0x02,0xcf,0x8f,0x9f,0x86,0xed,0x3e,0xf2,0x5a,0xe0,0x73,0x61,0x78,0xaa, + 0xe2,0x60,0xfe,0x87,0x5b,0xfe,0xf5,0xbc,0xde,0x9e,0xc0,0x5f,0x11,0xe1,0x8f,0xc7, + 0x37,0x5e,0xdc,0xd4,0xa5,0x53,0x36,0x18,0xe6,0xf9,0x91,0xdd,0x48,0xaa,0x30,0x62, + 0xe6,0x03,0x1e,0x29,0x1d,0xfc,0xdc,0x6e,0x7f,0xc1,0x4e,0xc6,0x0e,0x53,0x9f,0xcb), + .tests = { + { /* Public Key e changed */ + .exp = 
FALSE, + .e = chunk_from_chars(0xea,0xc8,0x39), + .m = chunk_from_chars( + 0x9c,0x3d,0x5d,0x23,0xd2,0x74,0x6d,0x15,0xd6,0x16,0xbe,0xbf,0x3c,0xf7,0x20,0xc6, + 0xe6,0x01,0x2a,0x71,0xca,0xe2,0x20,0x02,0xf5,0x02,0x1a,0x47,0xd0,0xb8,0x63,0x6c, + 0xa3,0xbd,0x20,0x13,0x57,0xe1,0x32,0xa6,0x80,0xfc,0x5d,0xec,0x9b,0x28,0xa9,0xdb, + 0x93,0x2d,0x08,0xae,0x8b,0x3d,0x3a,0x37,0xd7,0xe2,0xee,0x75,0x4b,0x34,0x2a,0x69, + 0xb9,0x4f,0xec,0x26,0xb5,0x04,0x12,0x28,0x9b,0xcf,0x77,0xe6,0xd4,0x09,0x5f,0xaa, + 0x54,0x5f,0x15,0xa1,0x67,0x83,0xd2,0x2e,0xae,0x21,0xe1,0x84,0x64,0x15,0x01,0x74, + 0xe6,0xdb,0x0b,0x83,0x73,0x47,0xd4,0x40,0x30,0x76,0x55,0xd5,0x6f,0x04,0x09,0xdb, + 0x30,0x7f,0x97,0x73,0xe8,0x1c,0xb1,0x92,0x82,0xa9,0x3c,0x9c,0xa4,0xc3,0xb1,0x35), + .s = chunk_from_chars( + 0x98,0x65,0x7f,0xd8,0x16,0x39,0x67,0xfa,0x7d,0x26,0x3b,0xd4,0x5b,0xb8,0x90,0x03, + 0x5a,0xdb,0xcd,0xd1,0x64,0x5f,0xd4,0x8b,0x28,0xfe,0xbf,0xb9,0xb4,0xe1,0x51,0x72, + 0x54,0x0e,0x38,0xb7,0xc2,0xf6,0x73,0xc4,0x0a,0x20,0x5f,0xd4,0x0b,0x08,0xb6,0x0b, + 0x4b,0x81,0xed,0x6e,0x23,0x6c,0xdf,0x08,0xf0,0xd6,0xb1,0x1f,0x50,0xdc,0x74,0xc6, + 0x0d,0xc4,0x66,0xac,0x37,0x2e,0x0f,0x46,0x78,0x83,0xaa,0x9a,0x39,0x8f,0x4a,0xee, + 0xf8,0x7b,0x04,0x0e,0x14,0xa5,0x15,0x02,0xdd,0x46,0x7e,0x8e,0x8d,0xd8,0x98,0x12, + 0xdf,0xaf,0x6b,0x1d,0xc1,0xc2,0xf6,0xc2,0x84,0x48,0xaf,0x08,0x45,0x90,0xc0,0x5a, + 0xec,0x49,0x9d,0xd3,0xb1,0x48,0xe6,0x6f,0x3d,0x71,0xcf,0x75,0xe2,0x39,0xdb,0x6d, + 0x21,0xf4,0x07,0x4b,0x8b,0xd9,0xa6,0xbd,0xe5,0xca,0x66,0x86,0x34,0xbd,0x47,0x95, + 0x32,0x76,0xff,0x2d,0x0e,0xbb,0xe0,0x1a,0xfc,0xfe,0x0e,0x38,0x19,0x03,0x73,0x6d, + 0x6a,0x6c,0x67,0x2a,0x45,0xfb,0xa4,0xee,0x32,0x6e,0x34,0x2d,0xc5,0x92,0x51,0x69, + 0x51,0x7c,0x5f,0x57,0xe9,0x29,0x07,0x24,0x57,0x6a,0x22,0x5b,0xa8,0x9c,0xb4,0xdd, + 0x09,0x1f,0x4e,0x65,0x13,0xbe,0x10,0xdd,0x41,0x81,0x85,0x5b,0xb4,0x04,0x5d,0x6e, + 0xf6,0x43,0x7c,0x16,0xd3,0xb5,0x58,0x9e,0xf9,0xd6,0x83,0x66,0x82,0x71,0x1c,0x7d, + 
0x66,0x02,0x5a,0xe3,0x7b,0x52,0x55,0x80,0xf0,0xdf,0xcf,0x3d,0xb7,0xfe,0x57,0xd7, + 0xc6,0xb1,0x57,0x77,0xcc,0x41,0x60,0x03,0x07,0xe5,0x8a,0x17,0x21,0xb6,0xf7,0xbc), + }, + { /* Format of the EM is incorrect - hash moved to left */ + .exp = FALSE, + .e = chunk_from_chars(0x8d,0x88,0x53), + .m = chunk_from_chars( + 0x77,0x59,0x42,0x0c,0x8d,0x1a,0x39,0xba,0x0e,0x3e,0x16,0x81,0xd9,0xb7,0x57,0xfc, + 0xf3,0x0c,0xb4,0x0d,0x84,0x4f,0x4a,0x71,0x22,0x4f,0xf9,0x98,0x52,0x0e,0x0b,0xb4, + 0x4c,0x76,0x16,0x11,0xff,0x47,0x23,0xa4,0x55,0x54,0x0f,0xe6,0xb8,0xef,0x32,0xe3, + 0xd5,0xa2,0x3f,0x8d,0xa0,0x20,0x6b,0x57,0x98,0x7a,0xd2,0xff,0x4c,0x96,0x16,0xab, + 0x1e,0xde,0x49,0x38,0x47,0x35,0x0d,0xcf,0x1b,0x2f,0xf9,0xb9,0x8e,0x81,0x3f,0x74, + 0xf8,0xb6,0x8c,0x06,0x15,0x24,0x30,0x91,0x50,0x1f,0x7f,0x28,0x41,0x6c,0x77,0xe1, + 0x74,0xf8,0xa3,0x2b,0x6c,0xca,0x3e,0x62,0xe7,0x37,0x9c,0xa1,0x64,0x55,0xc6,0xd8, + 0xe3,0xb2,0x65,0x1e,0xec,0x45,0xe1,0x48,0xd2,0xa4,0xc9,0xba,0x39,0x78,0x76,0x7d), + .s = chunk_from_chars( + 0x91,0xce,0x8e,0x92,0x1f,0x85,0xde,0x84,0x5b,0x9b,0xf7,0x50,0x3d,0xc6,0x5a,0x32, + 0x82,0x24,0xd1,0x5b,0x23,0xe8,0xea,0x65,0xdc,0x3d,0xa6,0xd8,0x04,0xfb,0xef,0x19, + 0x6c,0x30,0x5e,0x0f,0xba,0x05,0x9a,0x7d,0x84,0x2c,0x8c,0x0f,0x58,0x08,0x60,0xcc, + 0xe7,0x76,0x52,0xd4,0xdc,0x77,0x90,0x73,0xd6,0xa3,0xb0,0xa9,0x2b,0xf2,0xdd,0x3e, + 0xc6,0xc0,0x61,0x8d,0xa1,0x48,0x50,0x36,0xfd,0x59,0x4b,0xd9,0x62,0xf7,0xb5,0xa1, + 0xc6,0x1d,0x53,0xf1,0x62,0x69,0x12,0xc7,0xe3,0x12,0xaa,0x83,0xeb,0x43,0x26,0x28, + 0x8a,0x52,0x43,0x7c,0x73,0x87,0x91,0x6b,0xcb,0x11,0x08,0x4a,0x40,0xc2,0x19,0xc8, + 0x4c,0xab,0x2f,0xf6,0x6e,0x83,0x14,0x3f,0x85,0x86,0x47,0xf2,0xdc,0x91,0x4d,0xa0, + 0xc7,0x85,0x8b,0xa3,0x9a,0xa8,0xad,0x81,0x47,0xea,0x5c,0x9c,0x52,0x06,0x9e,0xb2, + 0xb2,0xca,0x94,0x1d,0x8a,0x50,0x23,0x74,0x8d,0xc4,0x01,0xe7,0x66,0x45,0x00,0x84, + 0x6c,0x85,0xca,0xdf,0x02,0x87,0xe3,0x9b,0x8b,0x8b,0x46,0x79,0x4a,0x82,0xbf,0xff, + 0xa7,0x52,0x96,0x0a,0xb3,0xb9,0xea,0xa0,0x25,0x30,0xb5,0x90,0x3c,0x24,0xae,0xfa, 
+ 0x10,0x8f,0x10,0xae,0xe3,0x5b,0x6a,0x8a,0x3c,0xdf,0x87,0x95,0xa1,0x82,0xe5,0xc0, + 0x4e,0xd3,0x6b,0xb6,0x8c,0x18,0x78,0x56,0x23,0xb4,0x2f,0x09,0x79,0xff,0xf3,0x19, + 0x11,0x2e,0x15,0x14,0xce,0xe5,0x1d,0xb4,0x37,0xee,0x32,0x28,0x9f,0x61,0xde,0xd6, + 0x11,0x86,0xc6,0xed,0x44,0xad,0x72,0x2d,0x18,0xd5,0x56,0x82,0x1f,0x88,0x82,0x21), + }, + { /* Message changed */ + .exp = FALSE, + .e = chunk_from_chars(0x8d,0x88,0x53), + .m = chunk_from_chars( + 0x86,0x4f,0x4f,0x58,0x90,0xa0,0x36,0x53,0xd0,0x8d,0xaa,0x83,0xd9,0xe2,0x99,0x2f, + 0xab,0x33,0x93,0xb7,0xee,0x15,0x2d,0x6f,0x7b,0x8e,0xa3,0xad,0x1e,0xc9,0xc1,0x21, + 0x9a,0x0e,0x03,0x65,0xee,0xf2,0xfb,0xd5,0xd7,0xcb,0xf3,0xa1,0x96,0x67,0xd4,0x21, + 0xf3,0xfe,0x46,0x68,0x82,0x64,0x19,0x1b,0x25,0x83,0xe4,0x84,0xd2,0x09,0xeb,0xe2, + 0x97,0x5e,0x46,0x03,0xdb,0xd9,0x40,0x15,0xe6,0x33,0xfe,0xba,0xa4,0x3c,0x61,0x5a, + 0xa5,0xcc,0x2c,0xbd,0x69,0xfd,0x6a,0xd9,0xdb,0x97,0x0a,0xe8,0x1b,0xcc,0xcd,0xbe, + 0x80,0x26,0x62,0x5a,0xde,0xbd,0xcf,0xbb,0x04,0xad,0x12,0xf5,0x89,0xc7,0x08,0x83, + 0xc9,0x87,0x8f,0xdf,0x2a,0x46,0xe7,0x50,0xa4,0xb1,0x5f,0x03,0x80,0x7a,0x2d,0x5e), + .s = chunk_from_chars( + 0x24,0x5f,0xda,0x2e,0x66,0xd2,0xba,0xb1,0x02,0xd0,0xda,0x40,0x98,0xd7,0x51,0x65, + 0x0f,0x5e,0xf4,0x73,0x8d,0x14,0xda,0xbe,0x86,0x6c,0x78,0x20,0x09,0xea,0xd9,0xd6, + 0xd0,0x5d,0x43,0xac,0x0a,0x30,0x14,0xa3,0x82,0xd6,0x2a,0xc9,0x71,0xee,0x19,0x79, + 0x8f,0x3b,0x8e,0xf4,0x9f,0x9b,0xc2,0x47,0xfa,0x07,0xb3,0x68,0xac,0x2d,0x0e,0x8a, + 0x4f,0xb2,0x10,0xaf,0x5a,0xcd,0x87,0xb6,0xb5,0x12,0xe1,0x35,0x86,0x1b,0x30,0x10, + 0x34,0x03,0x30,0x47,0x32,0xa1,0x0b,0x75,0xc9,0xa1,0x49,0x55,0x2d,0x1c,0xcf,0x0f, + 0x99,0x12,0x96,0x8c,0x64,0x31,0x39,0x8b,0x7d,0x48,0xdf,0xf4,0x8c,0xc7,0xcb,0x71, + 0x84,0xe7,0x6a,0x0a,0xb9,0x4a,0xc9,0xa6,0xb0,0x03,0x5b,0x91,0xb3,0xee,0xb2,0xd1, + 0x32,0x6e,0xbd,0xdf,0xc1,0x32,0x50,0x22,0x45,0x38,0xc1,0x43,0xfc,0x0d,0xfa,0x39, + 0x95,0x92,0x64,0x15,0xa6,0x58,0xdb,0x8e,0x66,0x91,0x50,0x40,0x50,0xa1,0xa3,0x0e, + 
0x34,0xb2,0x1a,0xf8,0xd1,0x27,0x07,0xbc,0x44,0x54,0xf1,0x74,0x38,0x5c,0xd8,0x4c, + 0x72,0x9e,0x2d,0xdf,0xc5,0xcc,0x91,0x78,0x81,0x20,0x59,0xb5,0xda,0x4a,0x1a,0x60, + 0x5a,0x2a,0x81,0x64,0x2c,0xcc,0x1b,0xc5,0xcf,0x95,0x39,0x65,0xf7,0x05,0x67,0x3b, + 0x12,0xc5,0xb4,0x6a,0xc8,0xc1,0xa0,0x3c,0x10,0x01,0xae,0x4d,0xf1,0xc3,0x9c,0xc8, + 0x3c,0xb5,0x4b,0x10,0xcb,0x7d,0x33,0xcd,0x51,0x08,0x03,0x3c,0x26,0x8c,0xee,0xeb, + 0xba,0x6c,0x6a,0xda,0x92,0x88,0x2f,0x46,0x56,0x2d,0xc6,0x58,0xd3,0x52,0x55,0x74), + }, + { /* Signature changed */ + .exp = FALSE, + .e = chunk_from_chars(0x8d,0x88,0x53), + .m = chunk_from_chars( + 0x71,0xab,0xf8,0x95,0xe5,0x6b,0xa8,0xf6,0xae,0x8d,0x0e,0x9e,0x66,0x90,0xc0,0x9c, + 0x75,0x92,0x70,0xa7,0x3d,0xb8,0xc1,0xaa,0x95,0xd0,0x59,0x80,0x79,0x35,0x37,0xfb, + 0xff,0xf3,0x47,0x2c,0x8d,0x2c,0x34,0xde,0x4a,0xbb,0x7e,0x64,0xd2,0x16,0xcc,0x95, + 0x2e,0x79,0x83,0x14,0x03,0x41,0x97,0xd5,0x09,0x96,0xa2,0xdc,0xbf,0x4c,0x33,0x48, + 0x5e,0x0b,0x68,0x91,0x0b,0xae,0xbf,0x0e,0x50,0xea,0x29,0xba,0xcd,0x30,0x60,0x37, + 0x2b,0xd4,0x7b,0x13,0x52,0x6e,0xc0,0x4b,0xdc,0x81,0xb9,0x0d,0xc9,0x5a,0x8a,0xc2, + 0x74,0x3b,0x81,0x4c,0xc5,0xb9,0xef,0x8c,0xa9,0x63,0x36,0x28,0xbf,0xa4,0x24,0x8b, + 0x55,0xeb,0x7f,0x2d,0x92,0x08,0xe1,0x14,0xf4,0xda,0xc6,0x9b,0xfe,0x27,0xe4,0x72), + .s = chunk_from_chars( + 0x24,0x3c,0x57,0x0c,0xd1,0xbd,0x85,0x52,0x2e,0x64,0x81,0x73,0x61,0xcb,0xb9,0x49, + 0xc8,0x38,0x76,0xd7,0xa3,0x60,0x95,0x13,0xae,0xbf,0x50,0x6f,0xc0,0x67,0x50,0xba, + 0x38,0xe8,0x20,0x23,0x2c,0x98,0xac,0xbe,0x00,0xff,0xa5,0x0b,0x36,0xc5,0x38,0x56, + 0x00,0x69,0xfd,0x13,0x99,0x2c,0xa0,0xdf,0x7d,0x9f,0x6d,0x95,0x6b,0x88,0x33,0x34, + 0xf1,0xc3,0xaf,0x8a,0x74,0xad,0xee,0xd5,0xbe,0x15,0xb0,0x33,0xd8,0x5b,0x20,0x7b, + 0xe2,0xfe,0x60,0x0a,0x99,0x02,0xd6,0x99,0xcc,0xef,0x1f,0x4a,0x8d,0x58,0x86,0x72, + 0xc4,0x46,0x40,0x1e,0xb3,0x90,0xd1,0x74,0xd5,0x72,0xb9,0x18,0xf9,0xb3,0x49,0xe2, + 0xe7,0x04,0x77,0x53,0x00,0x02,0x38,0x50,0xa5,0x34,0xcd,0x14,0xe0,0x04,0x6e,0x38, + 
0x51,0x81,0xd3,0x45,0xa0,0x1d,0xbd,0x23,0x0c,0x79,0x65,0xff,0xfd,0x71,0xd4,0xe9, + 0xf9,0xbd,0x27,0x4d,0x2e,0xf4,0x6c,0x55,0x6c,0x73,0x32,0x12,0x13,0x62,0xe7,0x17, + 0x06,0xc3,0x9f,0x08,0x91,0x9e,0xfa,0x3a,0x4f,0x2f,0x14,0x21,0x50,0xc8,0xce,0xf4, + 0xb3,0x0e,0xf7,0x88,0xf6,0xff,0xfc,0x2e,0xd2,0xac,0xa0,0x26,0x2e,0xba,0x87,0x3a, + 0x25,0x17,0x95,0x84,0x5d,0xa5,0x26,0xb7,0x8e,0x2b,0x24,0xd6,0x6f,0x21,0xd4,0x0d, + 0x5f,0xcb,0xe5,0x54,0x2a,0x75,0x53,0xa9,0x17,0x8b,0xe5,0xa9,0x80,0x5b,0xb5,0x35, + 0x79,0xbd,0x10,0x8c,0xff,0x73,0x3b,0x37,0x64,0x07,0x89,0x31,0x8d,0xb6,0x20,0xa6, + 0xa9,0x44,0x44,0xe9,0x20,0x39,0x23,0xae,0x32,0x55,0x00,0xb6,0x76,0xb1,0x47,0x98), + }, + { /* Format of the EM is incorrect - 00 on end of pad removed */ + .exp = FALSE, + .e = chunk_from_chars(0x8d,0x88,0x53), + .m = chunk_from_chars( + 0x4b,0x64,0x8d,0xe2,0xe3,0x90,0x67,0x7c,0xe1,0x72,0x71,0x91,0x49,0x8b,0x76,0xd2, + 0xd2,0x43,0x8d,0x0c,0xed,0xdf,0x3d,0xb5,0x02,0xad,0xe5,0xc5,0xfd,0x81,0x5b,0xc7, + 0x09,0x65,0xd4,0x2f,0x9b,0x8d,0x04,0xee,0xb3,0x89,0x86,0x44,0x5f,0xbe,0x7d,0xd5, + 0x80,0x17,0x7c,0x00,0xd0,0xf8,0xa3,0x6c,0x24,0x74,0x0b,0xe3,0xef,0xbf,0x65,0x64, + 0x08,0xe6,0xdd,0x73,0xad,0xbd,0x45,0xb4,0xc7,0x19,0x6f,0xb8,0x6f,0x40,0xda,0x17, + 0xb2,0x9e,0x91,0xbf,0x91,0xba,0x51,0x8b,0x4c,0x68,0xea,0x18,0xe1,0x3f,0xe7,0xd4, + 0xcf,0x4d,0x71,0x57,0x1f,0x0a,0x71,0xf7,0xa5,0x8b,0xf5,0x96,0x84,0xf8,0xd5,0xbf, + 0xf0,0x40,0x96,0xf2,0x38,0x0b,0x8e,0x3b,0x03,0xf1,0x49,0x09,0xd9,0xe9,0x2c,0x3e), + .s = chunk_from_chars( + 0x27,0x7f,0xe8,0x1a,0x15,0x40,0x34,0x1c,0x9c,0x04,0xfb,0x5d,0x3c,0x8f,0x70,0xc1, + 0xe7,0x2f,0x87,0xfa,0x7d,0x04,0xb9,0x3e,0xe5,0x4d,0x56,0xd1,0x18,0x4c,0x14,0x1e, + 0xc4,0xe1,0x25,0xe2,0xe5,0xcf,0xd0,0xac,0xff,0x10,0x55,0xc7,0x66,0x97,0xa1,0xc3, + 0x07,0x9c,0x37,0x1c,0xce,0x0b,0xd8,0x4e,0xe4,0x43,0x7b,0xfa,0x18,0x06,0xaa,0x76, + 0xdf,0x29,0x55,0x93,0x53,0x31,0x91,0x5f,0xff,0x87,0x9d,0x87,0xc7,0x37,0x2e,0x75, + 
0xe5,0xe8,0xfe,0xcc,0x90,0x6f,0x9d,0x34,0xa5,0xad,0xc0,0xb7,0x54,0x09,0xa8,0x7f, + 0xb6,0x41,0x1e,0x29,0x90,0xcd,0x23,0x7a,0xc8,0x22,0x3f,0x72,0x23,0x44,0x4f,0x5d, + 0x52,0x7a,0x11,0x5c,0x85,0xb9,0xba,0x10,0x28,0x7f,0x3e,0x82,0x5e,0x1d,0xc5,0x8e, + 0xb3,0x7c,0x8a,0x9c,0xa0,0x55,0x15,0x5f,0xf6,0xa5,0xaa,0xa6,0x56,0x56,0x90,0xdc, + 0xee,0xf6,0xf6,0x47,0x72,0x9d,0x07,0x1c,0xdd,0x9f,0x06,0x88,0xc7,0xfe,0xe8,0xf9, + 0x29,0x3a,0xbe,0x65,0x8d,0x0e,0x1e,0xf8,0x55,0xc8,0x6a,0x28,0xd8,0xd0,0xf8,0xf8, + 0x2f,0x72,0x17,0x31,0x86,0x35,0x30,0x80,0xb8,0x4f,0x14,0x2f,0x96,0x59,0x07,0x37, + 0x71,0x78,0xfc,0x1e,0xa0,0x08,0x19,0xd8,0x1a,0xfc,0x24,0x74,0xbe,0xcf,0x79,0xe1, + 0xe3,0xb7,0x0c,0x7c,0x2a,0x84,0x07,0xd5,0x07,0x95,0xc3,0x13,0x1b,0xb6,0xdf,0x78, + 0x72,0x0c,0x31,0xb2,0xf8,0xc4,0x3f,0x70,0x54,0x64,0xd8,0x98,0x20,0x43,0xc4,0x5f, + 0x04,0xe3,0x39,0xaa,0x1c,0x6f,0x4e,0x26,0xaa,0x70,0x92,0xb3,0xe6,0x26,0x12,0x99), + }, + { + .exp = TRUE, + .e = chunk_from_chars(0x8d,0x88,0x53), + .m = chunk_from_chars( + 0x78,0x11,0xa4,0x07,0xfe,0x65,0x3a,0xd2,0x34,0x3d,0x83,0xc0,0x49,0x9f,0xc1,0x1e, + 0x29,0x51,0xef,0x0a,0x47,0x91,0xa3,0xcd,0x9a,0x06,0x39,0x6b,0xe5,0xf7,0x2e,0x78, + 0x3c,0xbb,0xca,0x2c,0xc4,0x70,0x02,0xba,0xba,0xf0,0x9c,0xde,0xb7,0x01,0x94,0xb5, + 0x32,0xcc,0xbf,0xd2,0x46,0x91,0xae,0x8e,0xb5,0x98,0xd5,0x9f,0x2e,0x6b,0xec,0xed, + 0xcb,0x42,0x96,0xa1,0xde,0xbf,0x41,0x7e,0xed,0xdb,0x4d,0x74,0xfb,0x21,0x70,0x72, + 0x09,0x1a,0x59,0x7d,0xdd,0x08,0x93,0xff,0x02,0xd6,0xad,0x61,0x10,0x50,0x98,0xdb, + 0x2e,0x90,0x50,0x8b,0xd4,0xb8,0xbe,0xc5,0xd6,0xe7,0xde,0xab,0x9e,0x65,0x1d,0xfd, + 0xb8,0x21,0x05,0x32,0x95,0x5e,0x1b,0xc7,0x88,0xa9,0x08,0xd7,0x15,0x0e,0xf8,0xec), + .s = chunk_from_chars( + 0x3a,0xd1,0xf0,0xfa,0xa9,0xa3,0x65,0x86,0x15,0x4a,0x38,0x2a,0x1f,0x2c,0x10,0xe8, + 0x19,0xdc,0x31,0x8a,0x68,0xbe,0x35,0xf5,0x4f,0x95,0x40,0x1b,0x0e,0xf2,0xba,0x5c, + 0xc8,0x95,0xf0,0xd6,0xbd,0xe2,0x8c,0x8d,0x3b,0x36,0x4f,0x60,0xde,0x03,0xce,0x75, + 
0xa7,0xaf,0x29,0xe5,0x80,0x7c,0x1e,0xec,0x4c,0xd7,0x06,0x24,0x75,0x6e,0x26,0x31, + 0xeb,0x46,0xaf,0x01,0x0c,0xa8,0xcf,0x93,0xee,0x7d,0x86,0xa4,0xaf,0x3c,0xed,0x5d, + 0xd2,0xa8,0xa4,0x1c,0x1f,0xee,0xe6,0xb4,0x57,0x20,0x70,0x87,0x39,0x39,0xae,0x7a, + 0x2c,0xe7,0x51,0x93,0x94,0x59,0x37,0x46,0x1d,0x00,0x64,0xee,0xba,0x07,0x76,0x0c, + 0x49,0x5c,0x5c,0x70,0xbd,0xb0,0x4d,0x89,0x95,0x1d,0xe3,0xf9,0x65,0x25,0xf8,0xe4, + 0x46,0x12,0x49,0x3d,0x49,0x07,0x31,0xe7,0xef,0x76,0x79,0xa2,0x4b,0x0b,0x1e,0x2b, + 0x24,0xc8,0x00,0x3c,0x2f,0x94,0x11,0x4e,0x41,0x93,0xd6,0xe5,0x4c,0x0a,0xf9,0xe8, + 0x70,0x53,0x0b,0x00,0x85,0x30,0x21,0x0a,0xc0,0xb0,0xe4,0xc7,0xc7,0x9f,0x37,0x93, + 0x84,0xe1,0xbb,0x31,0x9b,0x5f,0x2a,0x0b,0x62,0x25,0x17,0xae,0x5d,0x27,0xf0,0xea, + 0xaf,0x79,0x58,0xcb,0x0b,0x41,0x84,0x91,0x26,0x07,0x50,0x92,0xe8,0x6e,0x7e,0x7b, + 0xe5,0xee,0xac,0xef,0x9a,0x8e,0x3e,0xc5,0x95,0x43,0x2e,0xf6,0x19,0x85,0x8f,0xe0, + 0xd0,0x51,0x78,0x71,0xb8,0xb4,0x95,0xc0,0x1a,0xf6,0xf1,0x8d,0x4e,0x6d,0x25,0x0d, + 0xbd,0x19,0x28,0x0e,0xf4,0xf8,0xa3,0x7d,0x1b,0x59,0xa4,0x8f,0xa4,0x1b,0x83,0x1d), + }, + }, +}, +{ + .params = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, }, + .n = chunk_from_chars( + 0xce,0x49,0x24,0xff,0x47,0x0f,0xb9,0x9d,0x17,0xf6,0x65,0x95,0x56,0x1a,0x74,0xde, + 0xd2,0x20,0x92,0xd1,0xdc,0x27,0x12,0x2a,0xe1,0x5c,0xa8,0xca,0xc4,0xbf,0xae,0x11, + 0xda,0xa9,0xe3,0x7a,0x94,0x14,0x30,0xdd,0x1b,0x81,0xaa,0xf4,0x72,0xf3,0x20,0x83, + 0x5e,0xe2,0xfe,0x74,0x4c,0x83,0xf1,0x32,0x08,0x82,0xa8,0xa0,0x23,0x16,0xce,0xb3, + 0x75,0xf5,0xc4,0x90,0x92,0x32,0xbb,0x2c,0x65,0x20,0xb2,0x49,0xc8,0x8b,0xe4,0xf4, + 0x7b,0x8b,0x86,0xfd,0xd9,0x36,0x78,0xc6,0x9e,0x64,0xf5,0x00,0x89,0xe9,0x07,0xa5, + 0x50,0x4f,0xdd,0x43,0xf0,0xca,0xd2,0x4a,0xaa,0x9e,0x31,0x7e,0xf2,0xec,0xad,0xe3, + 0xb5,0xc1,0xfd,0x31,0xf3,0xc3,0x27,0xd7,0x0a,0x0e,0x2d,0x48,0x67,0xe6,0xfe,0x3f, + 0x26,0x27,0x2e,0x8b,0x6a,0x3c,0xce,0x17,0x84,0x3e,0x35,0x9b,0x82,0xeb,0x7a,0x4c, + 
0xad,0x8c,0x42,0x46,0x01,0x79,0xcb,0x6c,0x07,0xfa,0x25,0x2e,0xfa,0xec,0x42,0x8f, + 0xd5,0xca,0xe5,0x20,0x8b,0x29,0x8b,0x25,0x51,0x09,0x02,0x6e,0x21,0x27,0x24,0x24, + 0xec,0x0c,0x52,0xe1,0xe5,0xf7,0x2c,0x5a,0xb0,0x6f,0x5d,0x2a,0x05,0xe7,0x7c,0x19, + 0x3b,0x64,0x7e,0xc9,0x48,0xbb,0x84,0x4e,0x0c,0x2e,0xf1,0x30,0x7f,0x53,0xcb,0x80, + 0x0d,0x4f,0x55,0x52,0x3d,0x86,0x03,0x8b,0xb9,0xe2,0x10,0x99,0xa8,0x61,0xb6,0xb9, + 0xbc,0xc9,0x69,0xe5,0xdd,0xdb,0xdf,0x71,0x71,0xb3,0x7d,0x61,0x63,0x81,0xb7,0x8c, + 0x3b,0x22,0xef,0x66,0x51,0x0b,0x27,0x65,0xd9,0x61,0x75,0x56,0xb1,0x75,0x59,0x98, + 0x79,0xd8,0x55,0x81,0x00,0xad,0x90,0xb8,0x30,0xe8,0x7a,0xd4,0x60,0xa2,0x21,0x08, + 0xba,0xa5,0xed,0x0f,0x2b,0xa9,0xdf,0xc0,0x51,0x67,0xf8,0xab,0x61,0xfc,0x9f,0x8a, + 0xe0,0x16,0x03,0xf9,0xdd,0x5e,0x66,0xce,0x1e,0x64,0x2b,0x60,0x4b,0xca,0x92,0x94, + 0xb5,0x7f,0xb7,0xc0,0xd8,0x3f,0x05,0x4b,0xac,0xf4,0x45,0x4c,0x29,0x8a,0x27,0x2c, + 0x44,0xbc,0x71,0x8f,0x54,0x60,0x5b,0x91,0xe0,0xbf,0xaf,0xd7,0x72,0xae,0xba,0xf3, + 0x82,0x88,0x46,0xc9,0x30,0x18,0xf9,0x8e,0x31,0x57,0x08,0xd5,0x0b,0xe8,0x40,0x1e, + 0xb9,0xa8,0x77,0x8d,0xcb,0xd0,0xd6,0xdb,0x93,0x70,0x86,0x04,0x11,0xb0,0x04,0xcd, + 0x37,0xfb,0xb8,0xb5,0xdf,0x87,0xed,0xee,0x7a,0xae,0x94,0x9f,0xff,0x34,0x60,0x7b), + .tests = { + { /* Public Key e changed */ + .exp = FALSE, + .e = chunk_from_chars(0xfe,0x30,0x79), + .m = chunk_from_chars( + 0xe4,0x9f,0x58,0x5e,0xec,0xcf,0x2b,0xf7,0x26,0x56,0x41,0xfb,0x8c,0x0f,0x94,0xc7, + 0x17,0xe2,0xff,0x1d,0x90,0x45,0xae,0xca,0xa3,0x02,0xd2,0x85,0x35,0x3b,0x99,0x1b, + 0xf7,0xac,0x5d,0xc9,0x3b,0x31,0x1c,0xe9,0x07,0x88,0x28,0xd2,0x68,0x57,0x1f,0xf9, + 0x09,0x71,0x1e,0x5c,0x04,0x55,0x32,0x20,0xf8,0xf8,0x0f,0x78,0x5c,0xc4,0x05,0xca, + 0x13,0xe0,0x2f,0x0d,0x40,0xb2,0xee,0x76,0x5b,0xa2,0x95,0x53,0x85,0x21,0x66,0x37, + 0x18,0xea,0xbe,0x57,0x83,0x88,0x8c,0x34,0x55,0x19,0x07,0x7a,0x97,0x51,0xa1,0x28, + 0x5f,0xc2,0x36,0xf2,0xa2,0x5a,0x8a,0xe4,0x4a,0x2d,0xf2,0x47,0x88,0x74,0x51,0xc8, + 
0x6c,0xd6,0x46,0xd7,0xb3,0xe7,0xa4,0x4e,0xe0,0xef,0x23,0x53,0x8e,0xec,0x55,0x7f), + .s = chunk_from_chars( + 0x4e,0x85,0xf6,0x8a,0x5b,0x06,0xb0,0x6a,0x17,0xd0,0xf3,0xf2,0x7b,0x3a,0x5a,0x11, + 0x9e,0x7d,0xb0,0x2a,0xbc,0x2d,0x9b,0x4a,0xfc,0x69,0x82,0x20,0xda,0x11,0x52,0x4a, + 0x88,0x5f,0x33,0xcd,0x7a,0x10,0xae,0x89,0xc9,0x8b,0x02,0x7b,0x69,0x22,0x4a,0xce, + 0xf4,0x71,0x3a,0x14,0x63,0xf1,0x68,0xc8,0xbe,0xf5,0x51,0xef,0x8f,0xed,0xb2,0x19, + 0xb6,0xad,0x0b,0x3e,0x99,0xd6,0x21,0x66,0x43,0xe5,0x8a,0x51,0xbb,0x2a,0xe9,0x3b, + 0xbe,0xf7,0x69,0x61,0x49,0x14,0xea,0xb1,0x37,0xc1,0x99,0x3b,0x14,0x91,0x71,0xb8, + 0x63,0x3f,0x4a,0x31,0x8f,0x69,0x77,0x29,0x96,0xef,0x7d,0xc3,0xf7,0x74,0x8f,0x37, + 0x56,0xd5,0x8e,0xcd,0xc3,0x93,0x76,0x32,0x71,0x7f,0xb4,0x0c,0xb7,0xed,0x6e,0x5c, + 0x72,0xe1,0x72,0xac,0x58,0xec,0x01,0xf4,0xe3,0x2f,0xff,0xc4,0x45,0xb6,0x0f,0x98, + 0xa6,0x28,0xfc,0x1b,0x0f,0xa4,0xcf,0xb6,0x68,0x6d,0xeb,0x12,0x59,0x50,0xb8,0x62, + 0xf3,0x47,0xe9,0xeb,0x81,0x20,0xfb,0x2b,0x5a,0xa2,0x3d,0x6d,0x86,0xea,0xf1,0xed, + 0xeb,0xeb,0x13,0x37,0x93,0x54,0x1c,0x4d,0xbe,0xa0,0xf1,0x4a,0x9f,0x74,0x73,0x3d, + 0xa4,0xed,0x11,0xd1,0x27,0x4d,0x46,0x4e,0x09,0xa5,0x78,0x08,0x43,0xd6,0x75,0x0b, + 0xac,0xe0,0xe9,0x70,0x29,0x30,0x82,0x87,0xdd,0x39,0x6e,0xfa,0x0f,0x32,0x62,0x81, + 0x71,0xfc,0x5e,0xc2,0x0d,0x3c,0x82,0x61,0x9b,0x78,0x4e,0x4c,0xdb,0x66,0xcb,0xdb, + 0x28,0xcd,0xd2,0x63,0xa4,0x6a,0x3e,0xc6,0x3e,0x1c,0xad,0x76,0x59,0xdc,0x3b,0x33, + 0x80,0x14,0x32,0xd2,0xb5,0xb5,0xe1,0x0a,0x77,0x00,0x83,0xb9,0x33,0xa8,0x05,0xa9, + 0xc7,0x6c,0xc2,0x6c,0x91,0x2f,0x95,0x2c,0xec,0x5f,0xd8,0x41,0x3a,0x8c,0x1a,0xda, + 0xee,0x80,0x14,0x9f,0xa1,0x98,0x55,0x31,0x50,0x75,0x82,0x52,0x92,0xdb,0x24,0xde, + 0x32,0x5f,0xa6,0xbf,0x3b,0x4c,0x06,0x65,0x2f,0xc8,0x32,0x0d,0xef,0x42,0x36,0xc0, + 0x88,0xdd,0x5a,0xe4,0x33,0x15,0xe0,0x36,0x72,0xfb,0x99,0x9c,0x35,0x4e,0xf6,0x1a, + 0xc3,0x80,0xb1,0xb1,0xc9,0x6d,0x71,0x1f,0xc7,0x77,0xe3,0x45,0xcc,0xb9,0x45,0x36, + 
0x35,0x5a,0x32,0x14,0x66,0xee,0xdc,0xf2,0x35,0x5d,0xd5,0x1f,0x68,0x80,0x23,0xd6, + 0xb5,0x99,0x39,0x0f,0x3a,0xff,0x62,0x01,0x36,0x9d,0x81,0x03,0xaf,0x92,0x6c,0x83), + }, + { /* Message changed */ + .exp = FALSE, + .e = chunk_from_chars(0x73,0xb1,0x93), + .m = chunk_from_chars( + 0x46,0x21,0xb1,0x7c,0xd9,0xf5,0xb6,0x23,0xfe,0x73,0xb5,0xfe,0x28,0x0c,0xe9,0xac, + 0x84,0x08,0x05,0x60,0x8a,0xcd,0x6e,0x41,0xd5,0x5e,0xa7,0x11,0x32,0x22,0x0c,0x0d, + 0xf7,0xe7,0xc4,0x15,0x96,0x26,0xf1,0x0d,0x71,0x88,0x29,0x83,0xf0,0xaa,0x2a,0x92, + 0xd1,0x1d,0xc9,0x06,0xc0,0xb2,0x2c,0xc0,0x28,0xf4,0x39,0x5d,0x48,0xf5,0x4e,0x12, + 0x89,0x4e,0x33,0xda,0x0f,0x61,0x4d,0xd4,0x8e,0xe1,0x14,0xe6,0x5f,0x95,0xc7,0xa7, + 0xd3,0x58,0x5e,0x7c,0xc7,0x65,0xc0,0x01,0x78,0xd1,0x36,0xaa,0x99,0x59,0x1f,0xaa, + 0xa3,0x5e,0xe6,0x13,0x6d,0x2e,0x32,0x3f,0xfc,0x85,0x5c,0x70,0x9c,0x54,0x26,0xb3, + 0x2f,0xc0,0xaa,0x0a,0xc6,0x6e,0x90,0xc9,0x6e,0xfe,0x84,0x41,0x4d,0xd5,0xe7,0x9c), + .s = chunk_from_chars( + 0xb6,0x0a,0x4d,0xd6,0x29,0xd6,0x03,0x0f,0xe6,0x52,0x2f,0x6b,0x75,0x4f,0x0e,0x75, + 0x1d,0xe4,0xb2,0x55,0x2c,0x60,0x7e,0xfc,0xcb,0x2f,0x90,0xda,0x91,0x78,0x75,0x83, + 0xb6,0xfc,0x51,0xbc,0xb6,0x0a,0xb2,0x19,0x38,0xa4,0x8c,0xa6,0xab,0x3e,0xf8,0xab, + 0x75,0xb5,0x6a,0xbb,0x9d,0xf1,0xfa,0xa4,0xdb,0xd8,0x4b,0x41,0x20,0x66,0xf3,0xf9, + 0x2b,0xff,0x77,0x8a,0x89,0xf7,0xdf,0x4f,0x55,0x31,0x7c,0xbc,0x40,0xa7,0x80,0xfb, + 0x87,0xf0,0xc8,0x44,0xc2,0xd6,0x4e,0x23,0x24,0x74,0xa3,0xe9,0x31,0xc1,0x68,0xb3, + 0x30,0x86,0x65,0x79,0x68,0x5c,0x51,0xa5,0x93,0x7a,0x2e,0x80,0xea,0x2c,0x6e,0xd0, + 0x0f,0xe1,0x23,0xf1,0x4b,0xbe,0xf5,0x5c,0x97,0x74,0xbd,0x62,0x0e,0x1e,0x82,0x1e, + 0x01,0x28,0xcf,0x49,0xda,0xb6,0xf8,0x85,0x3c,0x08,0x80,0x1c,0x8a,0x00,0x91,0x9a, + 0x6c,0x01,0x3c,0x3a,0x83,0xf9,0x99,0xc6,0x6a,0x5c,0xb4,0x9c,0x91,0x86,0x5d,0xf6, + 0x0d,0xb8,0xbe,0x81,0x3b,0xc3,0xd8,0xb3,0x5d,0x85,0xd7,0x9c,0xf0,0x1a,0xbe,0xd2, + 0xf6,0x0f,0x60,0xed,0xc9,0x71,0x53,0x78,0x0c,0x0c,0x12,0xfe,0x45,0xe5,0xe4,0x87, + 
0xfd,0x95,0x93,0x93,0x07,0x9d,0xbe,0xe5,0xaf,0x46,0xc0,0xa7,0xc4,0x21,0x4f,0xab, + 0x75,0xc5,0xb5,0xdd,0xd6,0xf0,0x28,0x86,0x69,0xe0,0xa9,0xbe,0x33,0xf4,0xb5,0x78, + 0x25,0x24,0xe8,0x38,0x31,0x5c,0xc0,0x31,0xd9,0x7b,0xeb,0x15,0x96,0x02,0x6f,0x12, + 0x9a,0x21,0xe9,0x61,0xdd,0xe6,0xbc,0x34,0xc4,0x92,0xf3,0x02,0x6a,0xf7,0xf5,0x03, + 0xb8,0xff,0x87,0xb7,0x77,0x56,0x19,0xf8,0xd1,0xe1,0x7f,0x97,0x2c,0x85,0x94,0x0a, + 0xff,0xbb,0x64,0xd3,0x31,0x0f,0xb9,0xf7,0x4d,0x9d,0x16,0xae,0xb0,0x77,0xb8,0xb9, + 0x97,0xb1,0x80,0x20,0xeb,0x99,0x2a,0xb6,0x13,0x22,0x84,0x7f,0xe6,0xcb,0x62,0xf7, + 0x3d,0x0a,0xbd,0x81,0x63,0x3a,0xc5,0xc5,0xbe,0x65,0x19,0xdd,0xbc,0x93,0x34,0xbb, + 0x56,0x44,0x9b,0xdf,0x96,0x93,0x0d,0x65,0xd8,0x06,0x1d,0xb8,0x91,0x1d,0x4e,0xd6, + 0xa5,0x9a,0xe8,0xd2,0x27,0x6d,0x04,0x59,0x6a,0x38,0x8e,0x75,0x2c,0xf9,0x9c,0xbd, + 0x39,0x5b,0x83,0x7e,0x7c,0x5a,0xee,0x27,0x8a,0x7c,0x4b,0x43,0xc7,0x8d,0x3d,0x74, + 0xc8,0x8f,0x49,0xcb,0xc8,0xd8,0x16,0xf5,0x3c,0xca,0x15,0x69,0x27,0xfb,0x92,0xd4), + }, + { + .exp = TRUE, + .e = chunk_from_chars(0x73,0xb1,0x93), + .m = chunk_from_chars( + 0x08,0x97,0xd4,0x0e,0x7c,0x0f,0x2d,0xfc,0x07,0xb0,0xc7,0xfd,0xda,0xf5,0xfd,0x8f, + 0xcc,0x6a,0xf9,0xc1,0xfd,0xc1,0x7b,0xeb,0xb9,0x23,0xd5,0x9c,0x9f,0xc4,0x3b,0xd4, + 0x02,0xba,0x39,0x73,0x8f,0x0f,0x85,0xf2,0x30,0x15,0xf7,0x51,0x31,0xf9,0xd6,0x50, + 0xa2,0x9b,0x55,0xe2,0xfc,0x9d,0x5d,0xdf,0x07,0xbb,0x8d,0xf9,0xfa,0x5a,0x80,0xf1, + 0xe4,0x63,0x4e,0x0b,0x4c,0x51,0x55,0xbf,0x14,0x89,0x39,0xb1,0xa4,0xea,0x29,0xe3, + 0x44,0xa6,0x64,0x29,0xc8,0x50,0xfc,0xde,0x73,0x36,0xda,0xd6,0x16,0xf0,0x03,0x93, + 0x78,0x39,0x1a,0xbc,0xfa,0xfe,0x25,0xca,0x7b,0xb5,0x94,0x05,0x7a,0xf0,0x7f,0xaf, + 0x7a,0x32,0x2f,0x7f,0xab,0x01,0xe0,0x51,0xc6,0x3c,0xc5,0x1b,0x39,0xaf,0x4d,0x23), + .s = chunk_from_chars( + 0x8e,0xbe,0xd0,0x02,0xd4,0xf5,0x4d,0xe5,0x89,0x8a,0x5f,0x2e,0x69,0xd7,0x70,0xed, + 0x5a,0x5c,0xe1,0xd4,0x5a,0xd6,0xdd,0x9c,0xe5,0xf1,0x17,0x9d,0x1c,0x46,0xda,0xa4, + 
0xd0,0x39,0x4e,0x21,0xa9,0x9d,0x80,0x33,0x58,0xd9,0xab,0xfd,0x23,0xbb,0x53,0x16, + 0x63,0x94,0xf9,0x97,0xb9,0x09,0xe6,0x75,0x66,0x20,0x66,0x32,0x4c,0xa1,0xf2,0xb7, + 0x31,0xde,0xba,0x17,0x05,0x25,0xc4,0xee,0x8f,0xa7,0x52,0xd2,0xd7,0xf2,0x01,0xb1, + 0x02,0x19,0x48,0x9f,0x57,0x84,0xe3,0x99,0xd9,0x16,0x30,0x2f,0xd4,0xb7,0xad,0xf8, + 0x84,0x90,0xdf,0x87,0x65,0x01,0xc4,0x67,0x42,0xa9,0x3c,0xfb,0x3a,0xaa,0xb9,0x60, + 0x2e,0x65,0xd7,0xe6,0x0d,0x7c,0x4c,0xea,0xdb,0x7e,0xb6,0x7e,0x42,0x1d,0x18,0x03, + 0x23,0xa6,0xd3,0x8f,0x38,0xb9,0xf9,0x99,0x21,0x3e,0xbf,0xcc,0xc7,0xe0,0x4f,0x06, + 0x0f,0xbd,0xb7,0xc2,0x10,0x20,0x65,0x22,0xb4,0x94,0xe1,0x99,0xe9,0x8c,0x6c,0x24, + 0xe4,0x57,0xf8,0x69,0x66,0x44,0xfd,0xca,0xeb,0xc1,0xb9,0x03,0x1c,0x81,0x83,0x22, + 0xc2,0x9d,0x13,0x5e,0x11,0x72,0xfa,0x0f,0xdf,0x7b,0xe1,0x00,0x7d,0xab,0xca,0xab, + 0x49,0x66,0x33,0x2e,0x7e,0xa1,0x45,0x6b,0x6c,0xe8,0x79,0xcd,0x91,0x0c,0x91,0x10, + 0x10,0x4f,0xc7,0xd3,0xdc,0xab,0x07,0x6f,0x2b,0xd1,0x82,0xbb,0x83,0x27,0xa8,0x63, + 0x25,0x45,0x70,0xcd,0xf2,0xab,0x38,0xe0,0xcd,0xa3,0x17,0x79,0xde,0xaa,0xd6,0x16, + 0xe3,0x43,0x7e,0xd6,0x59,0xd7,0x4e,0x5a,0x4e,0x04,0x5a,0x70,0x13,0x38,0x90,0xb8, + 0x1b,0xc4,0xf2,0x4a,0xb6,0xda,0x67,0xa2,0xee,0x0c,0xe1,0x5b,0xab,0xa3,0x37,0xd0, + 0x91,0xcb,0x5a,0x1c,0x44,0xda,0x69,0x0f,0x81,0x14,0x5b,0x02,0x52,0xa6,0x54,0x9b, + 0xbb,0x20,0xcd,0x5c,0xc4,0x7a,0xfe,0xc7,0x55,0xeb,0x37,0xfe,0xd5,0x5a,0x9a,0x33, + 0xd3,0x65,0x57,0x42,0x45,0x03,0xd8,0x05,0xa0,0xa1,0x20,0xb7,0x69,0x41,0xf4,0x15, + 0x0d,0x89,0x34,0x2d,0x7a,0x7f,0xa3,0xa2,0xb0,0x8c,0x51,0x5e,0x6f,0x68,0x42,0x9c, + 0xf7,0xaf,0xd1,0xa3,0xfc,0xe0,0xf4,0x28,0x35,0x1a,0x6f,0x9e,0xda,0x3a,0xb2,0x4a, + 0x7e,0xf5,0x91,0x99,0x4c,0x21,0xfb,0xf1,0x00,0x1f,0x99,0x23,0x9e,0x88,0x34,0x0f, + 0x9b,0x35,0x9e,0xc7,0x2e,0x8a,0x21,0x2a,0x19,0x20,0xe6,0xcf,0x99,0x3f,0xf8,0x48), + }, + { /* Format of the EM is incorrect - 00 on end of pad removed */ + .exp = FALSE, + .e = chunk_from_chars(0x73,0xb1,0x93), + .m = chunk_from_chars( + 
0x78,0x67,0xb6,0x5e,0xd9,0x82,0xed,0x6c,0xdd,0x2d,0x06,0x11,0x57,0xbe,0x90,0xf8, + 0x5b,0xcd,0x58,0x03,0x50,0xf1,0x25,0x31,0x45,0xcb,0xa5,0xc5,0x89,0x46,0xa8,0xa5, + 0x75,0x1c,0x8c,0x00,0x8d,0x9d,0xf8,0x33,0xc8,0xac,0xce,0xee,0x2b,0x0a,0x5a,0x92, + 0x9c,0xd7,0xd0,0xde,0xf6,0x55,0xf5,0xcb,0x59,0xf0,0x1c,0xb4,0xc4,0x7b,0x54,0xba, + 0xe5,0xbd,0xe0,0x67,0x2f,0x2c,0xe7,0x92,0x2e,0xf8,0x6d,0x82,0x17,0x4b,0x82,0x56, + 0xa4,0xd0,0xb9,0xa3,0x1e,0x72,0xdc,0x60,0xbb,0x66,0xde,0xff,0x2b,0x6b,0x11,0xdd, + 0x6e,0x50,0x99,0xdc,0xe8,0xb7,0x21,0x4e,0xb7,0x1a,0xcd,0x16,0x44,0x0b,0x6f,0x09, + 0x18,0xc0,0xfd,0x9b,0xf2,0xce,0x43,0xb7,0x16,0x35,0xd5,0xee,0xe7,0x9d,0x48,0xd4), + .s = chunk_from_chars( + 0x0a,0x61,0x70,0x81,0xdd,0x97,0x94,0xc9,0x37,0xe4,0xc7,0x16,0x3e,0x28,0x65,0x43, + 0x95,0x58,0xd4,0x1e,0x68,0x8b,0x23,0x0c,0x20,0xa1,0xea,0x71,0x84,0x66,0x43,0xb8, + 0x32,0x1d,0x77,0xca,0xd5,0x82,0xec,0x9a,0x70,0xf4,0x0d,0x7a,0x8e,0xd9,0xf7,0x22, + 0xc5,0xb9,0x01,0x2f,0x43,0x6c,0x7a,0x61,0x7d,0xed,0x2a,0xd1,0x86,0x43,0x45,0x7b, + 0x6f,0xd3,0x30,0x35,0xfc,0x2a,0x2c,0xbd,0x52,0xf3,0xda,0x41,0x58,0x01,0x5e,0x01, + 0xfa,0xb5,0x5b,0x4e,0x26,0xe2,0xde,0x96,0x02,0x10,0x1d,0xdb,0x86,0xe8,0xd2,0xae, + 0xb8,0x9b,0xf4,0x00,0x69,0x33,0xa1,0x1b,0x5f,0xbc,0xe2,0xbd,0x09,0xe3,0x1f,0xda, + 0x18,0xa8,0x2e,0xc4,0x05,0x91,0x0d,0xd3,0xd1,0xcf,0x1e,0x46,0x5c,0x17,0x68,0x72, + 0xda,0x3d,0xb1,0xc2,0xb3,0x08,0x9b,0x48,0xe7,0x68,0xef,0x15,0x5a,0xd5,0xf5,0x64, + 0x17,0x49,0x7a,0x64,0x8e,0xd0,0x42,0x7d,0x45,0xec,0xdd,0x03,0x8d,0x3c,0xc8,0xc8, + 0x7c,0xe9,0x9a,0x92,0xf0,0x8c,0x76,0x41,0xf7,0xfa,0x39,0xce,0xb4,0xec,0x83,0xec, + 0xe0,0x99,0x4a,0xc6,0x84,0x8b,0xb6,0xef,0xb4,0xe7,0x93,0x27,0x14,0x5e,0x53,0x96, + 0xb1,0x0f,0xaa,0x1a,0xc3,0xa6,0x3e,0xcd,0x4a,0x4a,0x2c,0x9c,0xba,0x94,0x6b,0x0e, + 0x5f,0x18,0x5b,0x2c,0xd1,0xa0,0x42,0x93,0xee,0x46,0x39,0x3d,0x37,0x4d,0xb8,0xbe, + 0x0a,0x84,0x93,0x77,0xeb,0x11,0x06,0x7e,0xad,0x3b,0x76,0xe5,0x14,0x55,0x1d,0x48, + 
0x4d,0x5c,0x51,0x54,0x4a,0x1d,0x0d,0xa9,0x6c,0x17,0xb5,0xb2,0xef,0x95,0x3d,0xcd, + 0xc1,0xc6,0xd5,0x92,0x03,0x0e,0x46,0x8e,0xb8,0x18,0x6a,0x5b,0xf6,0x60,0xb7,0x1d, + 0xa5,0xd9,0x82,0xbc,0x54,0x24,0xcf,0x1a,0x4f,0x8c,0xe9,0x52,0xbc,0x76,0x3b,0x4e, + 0xaa,0xdb,0x2a,0x3f,0x78,0x7c,0x8a,0xf0,0x1d,0xf2,0xf4,0x3d,0xb5,0xe0,0xad,0x71, + 0x18,0x24,0xac,0xec,0xe2,0xd9,0x9d,0x5b,0xf9,0xfd,0xee,0x0f,0xdf,0x1f,0xdd,0x37, + 0x0e,0xc7,0x91,0xa9,0x46,0xa4,0xb6,0xaf,0x20,0xb2,0x77,0x47,0x9a,0x83,0x87,0x76, + 0xe9,0xc0,0x92,0x30,0xc3,0x63,0x25,0xb8,0xc8,0xef,0x84,0xdb,0x28,0x2f,0xe8,0x9c, + 0xed,0x24,0xb0,0xd7,0x86,0x9b,0x5d,0x24,0x6f,0xb3,0xc6,0x0f,0xcb,0x26,0x13,0x09, + 0x89,0x77,0x14,0xe8,0x70,0x19,0x5b,0x9b,0xee,0xd0,0xb2,0x65,0x80,0x0f,0xc6,0xe6), + }, + { /* Format of the EM is incorrect - hash moved to left */ + .exp = FALSE, + .e = chunk_from_chars(0x73,0xb1,0x93), + .m = chunk_from_chars( + 0x4d,0x36,0xeb,0x2c,0x3a,0xd2,0x33,0x43,0x69,0x23,0xe5,0x80,0xfa,0xdd,0xb4,0x5a, + 0xd3,0x59,0x67,0x10,0x8b,0xe8,0xd9,0x9a,0x87,0x67,0x45,0xdf,0x62,0x13,0xc0,0x28, + 0x92,0x9f,0x07,0xd5,0x49,0x84,0x7b,0x4f,0x9a,0x99,0x6a,0x3d,0xdd,0xe3,0x90,0xfb, + 0x54,0xae,0xde,0x47,0x0f,0xdc,0x7a,0x3e,0x0c,0x7e,0x06,0x88,0xa3,0xa1,0x25,0xcf, + 0x21,0x6a,0x3b,0x75,0xb4,0x66,0x75,0x86,0x87,0x1b,0x0a,0xeb,0x2d,0xe3,0xc0,0xe1, + 0x43,0xfa,0xb1,0xaa,0x51,0xd5,0x4f,0x82,0xf2,0xb5,0xa6,0xd5,0x35,0x7d,0xe1,0xaf, + 0x42,0xc0,0x10,0x74,0x41,0x1f,0x28,0xd1,0x77,0xd2,0x4b,0xf2,0xb2,0x84,0x4a,0xf6, + 0xe8,0x64,0x69,0xa0,0x1b,0x79,0x62,0x4f,0x7f,0x35,0xac,0x30,0xdf,0x4e,0xfc,0xb2), + .s = chunk_from_chars( + 0x81,0x38,0x92,0x2f,0xd1,0xa8,0x73,0x33,0xf1,0x31,0x6e,0x20,0x7e,0x58,0x51,0xaf, + 0x65,0xf2,0x7d,0x9f,0x5c,0xda,0x0f,0x7b,0x7c,0xab,0x00,0x54,0xa2,0xde,0xab,0x0a, + 0x5c,0x24,0x6f,0x18,0x34,0xb8,0xfa,0x0a,0x9a,0xe7,0x55,0xb6,0xad,0xd3,0xb6,0xdd, + 0x93,0xc6,0x94,0xfa,0x49,0xbe,0xa2,0x8a,0x56,0x35,0xe5,0x6d,0x98,0x41,0xd2,0x83, + 0x32,0x0e,0x7a,0x6f,0x98,0x12,0xc1,0x02,0xa6,0x0f,0xc2,0x50,0x5a,0x08,0x1e,0xe3, 
+ 0x84,0x9f,0x81,0x51,0x91,0xb9,0xd7,0xa6,0xc4,0x1d,0xb6,0x7a,0xa1,0xa0,0x53,0xf2, + 0x2d,0x15,0x14,0x22,0x6a,0xad,0x39,0x22,0xcb,0x0b,0x5b,0xe7,0xdc,0x86,0xd6,0xcd, + 0x5d,0xaf,0x28,0xba,0xda,0x17,0x9f,0xbe,0xda,0x50,0x37,0x2b,0xce,0xe5,0xfd,0x8b, + 0x56,0x7c,0xa1,0x82,0x6b,0x08,0x1c,0xc0,0xe6,0xcf,0x58,0xcd,0x7e,0xd9,0x35,0xc6, + 0x92,0x2b,0x92,0x4b,0xed,0xd7,0xe4,0xf3,0xd4,0x8f,0x19,0x95,0xa5,0x6b,0xb1,0xd8, + 0xaf,0xf5,0x50,0x5e,0xa9,0x7c,0x56,0xcd,0xcb,0xaa,0x8e,0x93,0x25,0x4e,0x8c,0x6a, + 0x39,0xdb,0x12,0x76,0xc6,0xf5,0x3a,0x65,0x51,0xf1,0x62,0xf4,0x03,0x18,0x2b,0x4b, + 0xca,0x89,0x2a,0x6c,0xf5,0x27,0xc4,0xf9,0x62,0x96,0xb2,0xce,0x17,0xff,0xdf,0xa0, + 0x34,0x7d,0x52,0x90,0x94,0x0d,0x81,0xed,0x99,0xa3,0xe8,0xb0,0x0e,0x85,0x9d,0xc0, + 0xbc,0xb8,0x3e,0x90,0xe9,0xcd,0x9a,0x5b,0x64,0xcb,0x9d,0xb1,0xf3,0xf0,0x1d,0x26, + 0xd0,0x88,0x35,0xff,0xdf,0xe4,0x05,0x3d,0x9c,0x79,0x20,0x96,0x3b,0x07,0xfb,0x19, + 0x9e,0x5c,0x01,0xd4,0x4d,0x41,0x82,0x58,0x61,0x04,0x85,0x02,0x13,0xf8,0xca,0x60, + 0xc0,0x08,0x1e,0x62,0xb5,0xfe,0xcb,0xad,0x7e,0xce,0xd9,0x3c,0x35,0xa1,0x37,0x4d, + 0x27,0xb6,0x71,0x50,0xdd,0xfb,0x44,0xac,0x68,0xf6,0xaa,0x00,0xb5,0x5e,0x38,0xe6, + 0x81,0xb4,0x56,0xe6,0x06,0x55,0x26,0x1d,0x8d,0xae,0x04,0x7d,0x67,0xa4,0xee,0x2c, + 0x55,0xec,0xf2,0x13,0x57,0x1d,0xa1,0xdf,0x54,0x9a,0x48,0x89,0xea,0x3a,0x28,0x5b, + 0x5b,0x2f,0xe0,0x70,0x7d,0x74,0xd4,0x70,0xc7,0xec,0xe3,0xa2,0x15,0x26,0xf5,0xd4, + 0xaf,0x70,0x85,0xdd,0x11,0xe6,0xaf,0x40,0x51,0x52,0xa0,0x51,0x10,0xfc,0xd6,0xaa, + 0x06,0xce,0x93,0xf1,0xd2,0xba,0xba,0x3e,0xd5,0xdb,0x73,0x29,0x3f,0x97,0x7e,0xf1), + }, + { /* Signature changed */ + .exp = FALSE, + .e = chunk_from_chars(0x73,0xb1,0x93), + .m = chunk_from_chars( + 0xe2,0xa9,0x2b,0x14,0x3c,0x8a,0x00,0x6c,0xee,0x8a,0xfe,0xbb,0x66,0x31,0x19,0x74, + 0x5d,0x26,0xf4,0xff,0xac,0xaa,0x53,0x5c,0x61,0x65,0xd3,0x0a,0x12,0x65,0xd9,0x27, + 0x71,0x64,0xc8,0xd8,0x21,0x49,0x77,0xeb,0xc8,0xf2,0xe2,0xbb,0x66,0x31,0x1f,0x54, + 
0xe5,0x14,0x94,0xd8,0xf1,0x6a,0x68,0x22,0x09,0x82,0x37,0xa8,0xd6,0x36,0x0a,0xa6, + 0xbc,0x28,0x86,0x79,0xb0,0x4c,0x63,0x48,0x49,0xa7,0x20,0xea,0x19,0x56,0xf5,0x04, + 0x3d,0xd1,0x0a,0x72,0x33,0x71,0xe6,0xe9,0xec,0x30,0x2a,0xda,0x22,0xb1,0x7f,0x99, + 0xec,0x80,0xcd,0xbe,0x90,0x9a,0xae,0xcc,0x98,0x30,0x22,0x10,0x28,0xa8,0x84,0xcc, + 0x8e,0xe5,0xbc,0x95,0x1b,0xc8,0xb7,0xfa,0x31,0xf6,0x14,0x66,0x9e,0xdc,0x20,0x48), + .s = chunk_from_chars( + 0xc8,0x1a,0xc3,0x94,0xf8,0x2c,0xb2,0x7d,0x75,0x95,0x07,0x59,0x22,0x4b,0x17,0x87, + 0xf8,0x72,0x25,0xae,0x55,0x49,0xbe,0x13,0xdc,0x1f,0x74,0x32,0x6e,0xb6,0x68,0xe5, + 0xe0,0x9d,0x03,0xe0,0x3e,0xcf,0x03,0x9f,0xd0,0x8d,0xc3,0x01,0xe7,0x0b,0xd0,0x79, + 0x92,0xb2,0x0a,0x27,0x57,0xb5,0x76,0x6b,0xf6,0x22,0x05,0x2d,0x69,0xfb,0xfb,0xfa, + 0xca,0x96,0x4d,0xa3,0x3a,0xf7,0x1c,0x87,0x87,0xeb,0xa9,0xed,0x5c,0xaf,0x1b,0xf8, + 0x6e,0x48,0x58,0x7d,0x26,0xb2,0x1f,0x9f,0x1b,0xe6,0x01,0x24,0x6e,0x1d,0x9c,0xdc, + 0xea,0x9a,0xf7,0x79,0x6a,0xe3,0x0d,0xd6,0xbc,0xbf,0x1b,0x25,0x73,0x4f,0x89,0xe8, + 0x6a,0xe9,0x05,0x1c,0x7a,0x2c,0xf3,0x73,0x09,0x14,0x40,0x6f,0x15,0x41,0xbe,0xed, + 0x81,0x2a,0xc6,0xc9,0xe1,0x8c,0xfd,0x5b,0xf2,0x65,0x52,0x33,0x60,0x01,0x88,0x60, + 0x14,0x1b,0xcf,0xc5,0x1c,0x89,0xef,0x87,0x96,0x36,0xae,0x2d,0x7f,0x7e,0x41,0xe3, + 0x13,0x37,0xf7,0xaf,0xc3,0xe2,0x01,0xc6,0x80,0x5a,0x76,0xaf,0x89,0xdc,0x9e,0xa7, + 0x74,0x13,0xbe,0x1f,0x13,0x38,0xe8,0x45,0xe9,0xd1,0x6c,0xf8,0x6e,0x5e,0x04,0xa5, + 0x2d,0x8b,0x57,0x94,0x21,0x29,0x6f,0xa7,0x02,0xad,0x07,0xec,0xbf,0xa0,0x23,0x7a, + 0xc9,0x96,0xee,0x2e,0x91,0xee,0xac,0x8e,0xf4,0x89,0x02,0xa7,0x6c,0x94,0x7b,0x50, + 0x1e,0x26,0x5c,0x4b,0x3f,0xbd,0x0c,0x51,0x6a,0x04,0x16,0xea,0x13,0xc7,0x9b,0x7e, + 0x5d,0x5b,0x94,0x35,0xae,0xf3,0xf3,0x71,0xd3,0x8f,0xf9,0xdf,0x8f,0xdd,0xed,0x2f, + 0x26,0x5b,0x27,0xda,0x5a,0x84,0xfe,0x54,0x43,0x63,0x5e,0x26,0x08,0x07,0xdb,0x9a, + 0x15,0x51,0x38,0x7e,0x6c,0x9c,0x59,0x64,0x98,0xd2,0x80,0xd9,0x17,0x0d,0xaa,0x62, + 
0x95,0x4e,0xd3,0x2b,0x14,0xd0,0x44,0x98,0x0e,0xca,0x76,0xa8,0xdb,0x63,0x48,0x3d, + 0x8c,0x4c,0xbf,0xa6,0x69,0xec,0x14,0x0e,0x7c,0x4a,0x30,0x4c,0xc1,0x5e,0x46,0x8d, + 0x96,0xff,0xf3,0x4d,0x77,0x69,0x25,0x81,0xb1,0x0e,0x7d,0x25,0xef,0x07,0x5d,0x65, + 0x27,0x58,0xf5,0x0e,0x9a,0xc4,0xcf,0x98,0x48,0x46,0x63,0x88,0x05,0x15,0x18,0xcf, + 0x93,0xe1,0x83,0xf9,0x10,0xa4,0xf5,0x03,0xfb,0xeb,0x65,0x4f,0x4b,0x94,0x24,0xdb, + 0xad,0xf6,0x1d,0x2d,0x50,0xf6,0x0f,0x8f,0x02,0xb4,0xea,0x0e,0x7b,0xc3,0xb3,0x98), + }, + }, +}, +{ + .params = { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, }, + .n = chunk_from_chars( + 0x99,0xa5,0xc8,0xd0,0x94,0xa5,0xf9,0x17,0x03,0x46,0x67,0xa0,0x40,0x8b,0x7e,0xcf, + 0xca,0xac,0xc3,0xf9,0x78,0x44,0x44,0xe2,0x17,0x73,0xc3,0x46,0x1e,0xc3,0x55,0xf0, + 0xd0,0xf5,0x2a,0x5d,0xb0,0x56,0x8a,0x71,0xd3,0x88,0x69,0x67,0x88,0xef,0x66,0xae, + 0x73,0x40,0xc6,0xb2,0x8d,0xbf,0x92,0x5f,0xe8,0x35,0x57,0x98,0x65,0x75,0xf7,0x9c, + 0xca,0x69,0x21,0x72,0x21,0x39,0x7e,0xd5,0x80,0x8a,0x26,0xf7,0xe7,0xe7,0x14,0xc9, + 0x32,0x35,0xf9,0x14,0xd4,0x5c,0x4a,0x9a,0xf4,0x61,0x9b,0x20,0xf5,0x11,0xad,0x64, + 0x4b,0xd3,0x41,0x2d,0xfd,0xf0,0xff,0x71,0x7f,0x7a,0xac,0x74,0x6f,0x31,0x0b,0xfa, + 0x9a,0x14,0x1a,0xc3,0xdb,0xf0,0x1c,0x1f,0xc7,0x4f,0xeb,0xd1,0x97,0x93,0x84,0x19, + 0xc2,0x62,0x29,0x35,0x05,0xc3,0x5f,0x40,0x2f,0x90,0x53,0xad,0x13,0xc5,0x1a,0x59, + 0x60,0xec,0xde,0x55,0xec,0x82,0x9e,0x95,0x3f,0x94,0x1a,0xf7,0x33,0xe5,0x87,0x05, + 0x91,0x37,0x67,0xe7,0xa7,0x20,0x0d,0x1d,0x09,0xe7,0xe7,0xe2,0xd2,0x69,0xfa,0x29, + 0xa5,0x58,0xbb,0x16,0x30,0x4b,0x05,0x9f,0x13,0xf4,0xca,0x56,0x0a,0x81,0x01,0xfe, + 0x37,0x20,0xb4,0xa7,0x79,0xec,0x12,0x64,0x27,0x32,0x6c,0xaa,0x13,0x2a,0x3d,0x36, + 0x11,0xd7,0xdb,0xc5,0x03,0x36,0xfa,0xc7,0x89,0xec,0x40,0x6b,0x39,0x7e,0x1e,0x36, + 0xd7,0xda,0xf9,0xb6,0x24,0xbf,0x63,0x9c,0x82,0xb8,0x59,0x28,0x87,0x47,0x69,0x0c, + 0x73,0x0c,0x98,0x0b,0x2f,0x5a,0x23,0x9d,0xd9,0x5a,0xd5,0x38,0x9a,0x2e,0xc9,0x0c, + 
0x57,0x78,0x60,0x47,0x13,0x71,0x03,0x83,0xae,0x55,0xd4,0xd2,0x8c,0x06,0xd4,0xac, + 0x26,0xf0,0xd1,0x23,0x1f,0x1d,0x67,0x62,0xc8,0xe0,0xd9,0x18,0x11,0x81,0x56,0xbc, + 0x63,0x77,0x60,0xda,0xea,0x18,0x47,0x46,0xb8,0xdc,0xf6,0xf6,0x1d,0xb2,0x74,0xa7, + 0xdd,0xce,0xaa,0x07,0x49,0x37,0xab,0xab,0xad,0x45,0x49,0xb9,0x7a,0xb9,0x92,0x49, + 0x4a,0x80,0x72,0x08,0xab,0xd7,0x89,0x82,0x3f,0x5d,0x75,0xc4,0xb9,0x94,0x08,0x9c, + 0x80,0x72,0xcf,0xc2,0x54,0xe0,0xd8,0x20,0x2f,0xd8,0x96,0x47,0x6e,0x96,0xad,0x9d, + 0x30,0x9a,0x0e,0x8e,0x73,0x01,0x28,0x2f,0x07,0xeb,0x2a,0xe8,0xed,0xef,0xb7,0xdb, + 0xbe,0x13,0xb9,0x6e,0x8b,0x40,0x24,0xc6,0xb8,0x4d,0xe0,0xa0,0x5e,0x15,0x02,0x85), + .tests = { + { /* Format of the EM is incorrect - hash moved to left */ + .exp = FALSE, + .e = chunk_from_chars(0x08,0xa6,0x49), + .m = chunk_from_chars( + 0x4d,0x44,0x66,0x5e,0x0e,0x29,0x87,0xcf,0x7d,0xd1,0xe9,0xd6,0x20,0x01,0x51,0xf5, + 0x00,0xea,0x3b,0x85,0xa2,0x4f,0x72,0xfb,0x38,0xe5,0xdd,0x69,0x19,0xff,0x9c,0x48, + 0x6f,0x6a,0x54,0x74,0x2f,0x96,0xc6,0x78,0x4f,0xf7,0xa7,0x0c,0x33,0xab,0xab,0xdc, + 0x68,0x5d,0xe4,0x8b,0x94,0x69,0x4a,0xf8,0xad,0x41,0x9b,0xc0,0x6a,0x0f,0x65,0x04, + 0xf7,0x9c,0x60,0x6c,0xed,0x70,0x02,0x6b,0x81,0x3b,0x4e,0xc5,0xfc,0x73,0xed,0x4f, + 0x6b,0x3f,0x7f,0xf6,0x97,0x94,0x33,0x03,0x37,0x9d,0x95,0x9e,0x65,0x61,0xa8,0x90, + 0x4f,0xa0,0x35,0x4d,0x2f,0xfd,0x62,0x31,0x7d,0x63,0x86,0x0a,0x62,0xa1,0x3c,0xd7, + 0x71,0x57,0xb7,0xcf,0x92,0x16,0x55,0xa5,0x3e,0xc3,0x76,0x0b,0xf2,0x3c,0x8e,0x75), + .s = chunk_from_chars( + 0x4f,0x48,0xe5,0x1a,0x04,0x1e,0x40,0xa0,0x29,0xd5,0x86,0xcb,0x7a,0xfd,0x7e,0xc1, + 0x10,0x31,0xf8,0x6d,0x7b,0xee,0x58,0xfc,0x13,0xa9,0x22,0x7d,0xd2,0x09,0xf1,0xd7, + 0xbe,0xcf,0x32,0x09,0xcd,0x43,0x05,0x5e,0x93,0x16,0x5f,0x04,0xf2,0x32,0x76,0xd4, + 0x6b,0x0b,0x64,0x66,0x9b,0x88,0xc2,0xba,0x54,0xad,0x6b,0xcb,0x5e,0x9d,0xa8,0x18, + 0x10,0x01,0x4e,0x14,0x0e,0xd0,0xa1,0x42,0x34,0xb1,0xfc,0x0f,0xa4,0xcf,0xa4,0xf2, + 
0x58,0xa7,0xb5,0xcf,0x73,0xa3,0x36,0x53,0x4f,0x37,0x58,0x0a,0x38,0x30,0x87,0x5f, + 0x31,0x19,0x09,0x2e,0x48,0x54,0xfa,0x80,0xd8,0x78,0x33,0xf7,0xe9,0x62,0x7a,0xb5, + 0x1e,0x05,0x6a,0x8d,0xef,0xf3,0xa4,0x51,0xe8,0xaa,0xd7,0x83,0x35,0x81,0x6b,0x53, + 0xae,0x0d,0x89,0x9b,0x06,0x07,0x40,0x3b,0xf0,0x8e,0x8c,0x32,0xe1,0xcf,0x0b,0xaa, + 0x8f,0xe0,0xd7,0x8d,0x1b,0x8d,0x72,0xf8,0x5f,0x17,0xc1,0xc5,0xb8,0x87,0x0c,0xec, + 0x49,0x94,0x97,0xb4,0x2d,0xe9,0x82,0x40,0x8f,0xba,0xdb,0xe3,0xb4,0x5a,0x13,0xb4, + 0xb5,0x37,0x1c,0xe2,0xa4,0xd9,0x60,0x0b,0x7d,0x14,0x01,0x16,0x25,0xcb,0xe7,0x3a, + 0x79,0x31,0x39,0x54,0xf4,0xf3,0xec,0x0b,0x3b,0xf6,0xdc,0x94,0x52,0x97,0x32,0x5e, + 0x3a,0xaf,0x5b,0xc8,0x9a,0x27,0x67,0x0f,0x5b,0x25,0x36,0xa5,0x4c,0xae,0xa3,0xbc, + 0x66,0x41,0xae,0x62,0x8a,0x9a,0x4d,0xa6,0x1d,0xe7,0x49,0x66,0x1a,0x93,0xb6,0xae, + 0x68,0x72,0x2d,0x10,0xd7,0x90,0x2b,0x39,0x1f,0x9e,0x9e,0xbf,0x3a,0xb9,0xc1,0x86, + 0x01,0x7b,0x52,0xea,0xc6,0xfd,0x44,0x2a,0x25,0x6f,0xe7,0xc9,0x50,0x01,0x65,0xe3, + 0xc7,0xa4,0x02,0xaa,0x01,0x74,0xe6,0xb6,0xf3,0x5e,0x4e,0x12,0xe3,0x5a,0x9d,0x42, + 0x9b,0x21,0xf6,0xcc,0x98,0xeb,0xa7,0x3c,0x80,0xed,0x8a,0xc3,0x3a,0xcd,0x79,0x48, + 0x8e,0x62,0x0b,0x27,0x49,0x23,0xe7,0x8c,0xe5,0xd9,0x1a,0x61,0x96,0xca,0x59,0x05, + 0x4f,0xa7,0x7c,0xd6,0x7e,0x0d,0x3f,0xc0,0x4d,0x71,0xb9,0x4b,0x0c,0xda,0x54,0x78, + 0xf1,0xb3,0xd6,0x91,0x50,0xf4,0x09,0x27,0xc1,0xab,0x39,0x20,0x36,0x58,0x36,0x09, + 0xd8,0xef,0xda,0x3f,0xe4,0x86,0x43,0xef,0x2f,0x75,0xf1,0x16,0x4e,0xa7,0xf2,0x55, + 0x89,0xb5,0xbb,0xb5,0x60,0xc9,0xa0,0x42,0x40,0x8f,0x85,0x94,0x4c,0xa0,0x8f,0x92), + }, + { /* Format of the EM is incorrect - 00 on end of pad removed */ + .exp = FALSE, + .e = chunk_from_chars(0x08,0xa6,0x49), + .m = chunk_from_chars( + 0x1a,0xbc,0xa8,0xd8,0x1c,0xc9,0x8a,0x5d,0x50,0x20,0xe9,0x50,0x80,0xb5,0xfc,0xe5, + 0x9f,0xfe,0x70,0xdc,0xff,0x54,0x48,0x02,0xc4,0x9d,0xe7,0xfa,0x99,0x28,0x6b,0x3d, + 0xa1,0xd8,0x3d,0x60,0xb0,0x85,0xe6,0x96,0xbc,0x9f,0x25,0x75,0x8e,0x14,0x3e,0xfd, + 
0xbd,0x74,0x94,0xd6,0xdd,0x54,0x7a,0xd9,0xf4,0xf0,0x47,0xd2,0x2d,0x14,0xa8,0x84, + 0xd1,0x3c,0x3b,0xee,0x72,0xfa,0x59,0xcd,0x6a,0x98,0x33,0x62,0x84,0xfe,0x20,0x75, + 0xf8,0xd7,0x35,0x9a,0x9d,0xf0,0x17,0xb3,0x5a,0xe0,0x0d,0xb6,0xdd,0xee,0x59,0xb1, + 0x90,0x2f,0xc9,0x0b,0xc9,0xef,0x89,0x0c,0x42,0x52,0x3b,0x9f,0xc8,0x3b,0x49,0x57, + 0x37,0x6d,0x7a,0xb1,0xa5,0xf1,0xc4,0x99,0xde,0xb7,0x62,0x2f,0x11,0x80,0x26,0xca), + .s = chunk_from_chars( + 0x85,0xe1,0x57,0x65,0xa4,0x01,0xc1,0x0d,0x86,0xac,0xf3,0xa0,0x5f,0xab,0x14,0xe0, + 0x54,0x87,0xb7,0x93,0x56,0x9a,0xe6,0x80,0xf7,0x7d,0x20,0xc2,0x5b,0x17,0x63,0xd1, + 0x84,0x63,0x4f,0xa0,0xb0,0x1d,0x97,0x9d,0xce,0x9d,0x80,0x36,0x70,0xd7,0xf9,0xf6, + 0xad,0xcd,0x59,0x47,0x6f,0xb1,0xc8,0xc3,0xaa,0xe5,0x12,0xf9,0x4a,0x9c,0xcf,0x6e, + 0x57,0x3a,0xee,0x6a,0x28,0xc0,0xdc,0xfd,0x2d,0xae,0x85,0x22,0x68,0x5f,0x03,0xec, + 0xec,0x8c,0x04,0x50,0x36,0xd1,0xcb,0x05,0x4a,0x08,0x64,0x54,0xa2,0x83,0x26,0xd5, + 0x31,0x9b,0xc7,0x00,0x4b,0xc8,0x7c,0x75,0x66,0xa5,0x68,0x52,0x55,0x8f,0x58,0x3a, + 0x38,0xa4,0xe7,0xe7,0xbe,0x79,0x81,0xdc,0xf3,0xec,0x41,0xc1,0x23,0x45,0xf8,0x45, + 0x40,0x97,0x92,0xed,0x87,0xb3,0xf1,0xb8,0xfc,0x89,0xc2,0x88,0xa2,0x96,0x8e,0x73, + 0x27,0x3a,0x36,0xf2,0xb6,0x72,0x58,0xfc,0x67,0xe8,0x88,0x60,0x85,0x66,0xa2,0x3a, + 0x6a,0x56,0x45,0x32,0x8f,0x1e,0xdd,0x8c,0x10,0x59,0x93,0xb4,0x86,0xeb,0x33,0x35, + 0x23,0x22,0x12,0xa1,0xdc,0xfd,0x5d,0xa4,0x0f,0xb3,0x90,0x2f,0xd2,0xcf,0xa8,0x6e, + 0x85,0x88,0xeb,0x3c,0x40,0xdf,0x8d,0x9e,0xdf,0x3c,0x41,0x93,0x4c,0xe9,0x1b,0x50, + 0xc0,0xd5,0xca,0x1a,0x38,0x40,0xca,0x40,0xe3,0xc8,0x41,0xb3,0x95,0x20,0xcb,0x5e, + 0x56,0x54,0xaf,0x39,0x61,0xec,0x94,0x08,0xd2,0x2e,0xdb,0x34,0x50,0x27,0xee,0xa7, + 0x11,0x9d,0xd5,0x52,0x65,0x63,0x42,0xe3,0x16,0xc6,0x0c,0x5f,0x5d,0xa0,0x28,0x30, + 0x8b,0x03,0x1b,0xac,0xc7,0x4d,0x1f,0xdd,0x69,0x07,0xbc,0x69,0x44,0xfb,0x85,0x60, + 0x82,0xcb,0x14,0xf1,0x2c,0xb5,0x09,0xca,0x4e,0xfb,0x51,0x6e,0xd0,0xc6,0x08,0x96, + 
0x77,0x1b,0x47,0x84,0x42,0x02,0x69,0x13,0xe6,0x1a,0x32,0x61,0x1d,0xde,0x1a,0x88, + 0x07,0xf2,0xe1,0xcb,0x76,0xd0,0xc0,0xc6,0x9c,0x70,0x5b,0xeb,0x8f,0xe7,0x13,0xe8, + 0x48,0xcc,0x03,0xb1,0xef,0x89,0x65,0x26,0x7c,0xfc,0x3e,0xbd,0x43,0xf0,0x00,0x1b, + 0x33,0xb9,0xe9,0xad,0x41,0x8e,0xe0,0xd5,0x92,0xf1,0x84,0xd2,0x02,0x33,0x1d,0x4b, + 0x51,0xa9,0x6a,0x17,0xb0,0x14,0xd4,0x71,0x38,0xf2,0x8c,0xaa,0x39,0xd9,0xdf,0xbd, + 0xa6,0x08,0x94,0x95,0x6d,0x0c,0x04,0x3e,0x42,0x92,0x87,0x7f,0x04,0x4b,0x55,0xa2), + }, + { /* Signature changed */ + .exp = FALSE, + .e = chunk_from_chars(0x08,0xa6,0x49), + .m = chunk_from_chars( + 0x20,0x85,0xe8,0xb9,0x46,0xd2,0x05,0x97,0x52,0xf8,0xf0,0xfe,0xe5,0x28,0xe7,0xc4, + 0xcc,0x0a,0xc1,0xfa,0x24,0x53,0x2c,0x1e,0xc2,0x9a,0x3a,0x92,0xd2,0x68,0x1c,0x4d, + 0xbd,0x8e,0x2d,0xd1,0x51,0xbb,0x32,0x5d,0x1c,0x4d,0xdf,0x63,0x18,0x68,0x9e,0x3c, + 0x8e,0x45,0x8d,0x1b,0x34,0xcd,0xc5,0x40,0x98,0x67,0xe2,0x6e,0xc2,0x0e,0xc0,0x9e, + 0x15,0xa6,0x82,0xf5,0x77,0x90,0xd9,0xf4,0xb2,0x7c,0x83,0xef,0x19,0x7e,0x11,0xc0, + 0x6e,0x65,0xee,0xbc,0x03,0x48,0x9d,0xe6,0x20,0x61,0x42,0x63,0xa5,0x1e,0x64,0x2e, + 0xf0,0x76,0xf1,0x0d,0x01,0x7a,0x82,0xc4,0xdc,0x2c,0xe1,0x88,0x2f,0x93,0xc9,0xb6, + 0x35,0x0f,0xec,0xc5,0xda,0xeb,0x3a,0x7a,0x20,0x31,0x61,0x5a,0xc1,0xc2,0x90,0x65), + .s = chunk_from_chars( + 0x65,0xbd,0x57,0xd4,0xa3,0x74,0x95,0xd5,0x4e,0xec,0x7f,0x63,0x21,0xf7,0x10,0x1a, + 0x46,0x43,0xd9,0x43,0x2a,0x2a,0xfc,0x8e,0xaa,0x14,0x7f,0xb2,0x9e,0x7a,0xb1,0x10, + 0x6e,0xb3,0x1a,0x6e,0xa7,0xae,0x3b,0x48,0xe4,0x0d,0xe6,0x3c,0xc3,0x68,0xe7,0xa6, + 0xdf,0x4c,0x99,0x82,0x59,0xc5,0x9c,0xe4,0x0b,0x8a,0xc2,0xf8,0x76,0x3b,0xee,0x91, + 0x92,0x41,0x7d,0x20,0x20,0xcb,0xe1,0x79,0xbb,0xa8,0xae,0xe9,0xbe,0x89,0x71,0x46, + 0x6f,0x5e,0x53,0xb3,0xf8,0x20,0x04,0xab,0x6a,0xa5,0x29,0xd0,0x85,0x45,0xbd,0x89, + 0x44,0x35,0xd8,0xdc,0xee,0xb3,0xa8,0xe9,0x05,0x91,0x6b,0xbd,0xb0,0x15,0xbf,0xf6, + 0x5e,0x9e,0x79,0x2a,0x88,0xe1,0xc8,0x44,0x9f,0x41,0x1e,0xda,0xcb,0xa5,0x04,0xcd, + 
0x07,0x30,0x60,0x5d,0xc8,0x3f,0xee,0x64,0xf8,0xdd,0x17,0xf5,0x77,0x07,0x56,0x94, + 0x40,0x2f,0x18,0x62,0x79,0x0d,0x96,0x29,0xf9,0xfa,0x8a,0xc3,0xab,0x4e,0xe3,0x41, + 0xdd,0x39,0x79,0xeb,0x17,0x15,0xc4,0xf7,0x42,0xfb,0xd8,0x9b,0xa3,0xb9,0x05,0x65, + 0xea,0x45,0x87,0x43,0x85,0x62,0x49,0x3f,0x61,0x1d,0x5a,0xc9,0x98,0x9f,0xd4,0x05, + 0xa0,0x1d,0x23,0xb1,0x34,0x69,0xa2,0xa7,0xa8,0x5b,0x00,0x47,0x48,0x3a,0x66,0x5c, + 0xe3,0x89,0x9a,0x41,0x21,0x07,0xca,0xcc,0x11,0x08,0x7c,0xb2,0x60,0x7b,0xa9,0xd0, + 0x40,0x91,0xc4,0x18,0x24,0x72,0x42,0xcd,0x8d,0x81,0x9a,0xe1,0x7e,0x49,0xa2,0x1b, + 0xc4,0xf9,0x66,0xac,0x3d,0x37,0xd2,0xa6,0x1a,0x8b,0xfe,0xed,0xe0,0xf2,0xef,0x2d, + 0xa3,0xaa,0x32,0xbc,0x38,0xab,0xb6,0xa1,0x6a,0x44,0x75,0xe9,0x67,0x2c,0x4a,0xaa, + 0x31,0xd2,0xe8,0x27,0x7f,0x3d,0xd9,0x66,0x3f,0x39,0x60,0xf1,0x6c,0x01,0x99,0x8d, + 0x50,0xa9,0x9b,0xcc,0x68,0x1e,0xa0,0x2b,0x13,0x75,0x55,0xaf,0x2c,0xdd,0x28,0xea, + 0x43,0x28,0x15,0x88,0x06,0x6b,0xc5,0x5c,0x8f,0x7a,0xab,0x45,0xde,0xdf,0xa2,0xf6, + 0xbe,0xfb,0x5b,0x13,0x91,0x1c,0xb9,0xce,0xc2,0xb3,0xfb,0x07,0xbc,0x00,0xb2,0xda, + 0xca,0xff,0x82,0x37,0x20,0x1d,0x3e,0xbe,0xac,0x57,0x50,0x83,0x01,0x16,0x24,0xb4, + 0xbe,0x01,0x83,0x79,0x51,0x4d,0xec,0x97,0x20,0x9f,0xaa,0x29,0xb1,0xf9,0x3f,0xda, + 0x75,0xf0,0x77,0x0f,0x3c,0x73,0xe7,0x00,0xa2,0xe4,0x84,0x53,0x06,0x7c,0x90,0x9e), + }, + { + .exp = TRUE, + .e = chunk_from_chars(0x08,0xa6,0x49), + .m = chunk_from_chars( + 0xcc,0x21,0x59,0x3a,0x6a,0x0f,0x73,0x7e,0x29,0x70,0xb7,0xc0,0x79,0x84,0xb0,0x70, + 0xd7,0x61,0x72,0x62,0x96,0xa0,0x7e,0x24,0xe0,0x56,0xe6,0x8f,0xf8,0x46,0xb2,0x9c, + 0xc1,0x54,0x81,0x79,0x84,0x3d,0x74,0xdc,0xee,0x86,0x47,0x98,0x58,0xb2,0xc1,0x6e, + 0x4c,0xb8,0x4f,0x25,0x44,0xb4,0xec,0xdc,0xb4,0xdd,0x43,0xa0,0x4b,0xb7,0x18,0x3a, + 0x76,0x8a,0xe4,0x4a,0x27,0x12,0xbf,0x9a,0xd4,0x78,0x83,0xac,0xc2,0x81,0x2f,0x95, + 0x83,0x06,0x89,0x0e,0xbe,0xa4,0x08,0xc9,0x2e,0xb4,0xf0,0x01,0xed,0x7d,0xbf,0x55, + 0xf3,0xa9,0xc8,0xd6,0xd9,0xf6,0x1e,0x5f,0xe3,0x2e,0xb3,0x25,0x3e,0x59,0xc1,0x8e, + 
0x86,0x31,0x69,0x47,0x8c,0xd6,0x9b,0x91,0x55,0xc3,0x35,0xdb,0x66,0x01,0x6f,0x96), + .s = chunk_from_chars( + 0x0a,0xa5,0x72,0xa6,0x84,0x5b,0x87,0x0b,0x89,0x09,0xa6,0x83,0xbb,0x7e,0x6e,0x76, + 0x16,0xf7,0x7b,0xef,0xf2,0x87,0x46,0x11,0x6d,0x8b,0xc4,0xb7,0x33,0x55,0x46,0xb5, + 0x1e,0x80,0x06,0xed,0x0f,0xc9,0xa0,0xd6,0x6f,0x63,0xce,0x0b,0x9e,0xbf,0x79,0x2d, + 0x7e,0xfd,0x43,0x05,0xd7,0x62,0x4d,0x54,0x54,0x00,0xa5,0xfd,0x6a,0x06,0xb7,0x8f, + 0x17,0x4b,0x86,0x80,0x3f,0x7c,0xd1,0xcc,0x93,0xe3,0xa9,0x72,0x86,0xf0,0xea,0x59, + 0x0e,0x40,0xff,0x26,0x19,0x5a,0xa2,0x19,0xfe,0x15,0x10,0xa0,0x16,0x78,0x52,0x23, + 0x60,0x6d,0x93,0x11,0xa1,0x6c,0x59,0xa8,0xfe,0x4a,0x6d,0xa6,0xec,0xd0,0xc1,0xd7, + 0x77,0x50,0x39,0x29,0x0c,0x2a,0xaa,0x17,0xed,0x1e,0xb1,0xb5,0x43,0x74,0xf7,0xe5, + 0x72,0xdb,0x13,0xcc,0xa3,0xa6,0x38,0x57,0x5f,0x80,0x04,0xaa,0x54,0xa2,0xfa,0x98, + 0x42,0x2f,0xc0,0x7e,0x43,0xad,0x3a,0x20,0xdd,0x93,0x00,0x14,0x93,0x44,0x26,0x77, + 0xd8,0x83,0x91,0x4d,0xc7,0x4e,0xc1,0xcb,0xeb,0xbb,0xd3,0xd2,0xb6,0xba,0xd4,0x66, + 0x6d,0x91,0x45,0x7b,0x69,0xb4,0x6a,0x1a,0x61,0xf2,0x12,0x98,0xf1,0xa6,0x79,0x42, + 0xec,0x86,0xc8,0x76,0x32,0x2d,0xd3,0x66,0xed,0x16,0x78,0x14,0xe9,0xc8,0xfc,0x90, + 0x40,0xc5,0xb4,0xb7,0xa8,0x59,0xbb,0xd8,0x80,0xcb,0x6b,0xc2,0x41,0xb9,0xe3,0x27, + 0xce,0x77,0x9e,0x07,0x83,0xb1,0xcf,0x44,0x5e,0x0b,0x2f,0x57,0x71,0xb3,0xf5,0x82, + 0x2a,0x13,0x64,0x39,0x1c,0x15,0x4d,0xc5,0x06,0xff,0xf1,0xfb,0x9d,0x9a,0x35,0xf8, + 0x01,0x99,0xa6,0xb3,0x0b,0x4b,0x92,0xb9,0x26,0x19,0xa4,0x0e,0x21,0xae,0xa1,0x92, + 0x84,0x01,0x58,0x63,0xc4,0x48,0x66,0xc6,0x1e,0xd9,0x04,0xa7,0xad,0x19,0xee,0x04, + 0xd9,0x66,0xc0,0xaa,0xe3,0x90,0x63,0x62,0x43,0x56,0x55,0x81,0xff,0x20,0xbd,0x6e, + 0x3c,0xfb,0x6e,0x31,0xf5,0xaf,0xba,0x96,0x4b,0x31,0x1d,0xc2,0xd0,0x23,0xa2,0x19, + 0x98,0xc8,0xdd,0x50,0xca,0x45,0x36,0x99,0x19,0x0b,0xd4,0x67,0x42,0x9e,0x2f,0x88, + 0xac,0xe2,0x9c,0x4d,0x1d,0xa4,0xda,0x61,0xaa,0xc1,0xed,0xa2,0x38,0x02,0x30,0xaa, + 
0x8d,0xbb,0x63,0xc7,0x5a,0x3c,0x1e,0xc0,0x4d,0xa3,0xa1,0xf8,0x80,0xc9,0xc7,0x47, + 0xac,0xdb,0x74,0xa8,0x39,0x5a,0xf5,0x8f,0x5f,0x04,0x40,0x15,0xcc,0xaf,0x6e,0x94), + }, + { /* Public Key e changed */ + .exp = FALSE, + .e = chunk_from_chars(0xa4,0x5b,0x6b), + .m = chunk_from_chars( + 0xa5,0x89,0xc8,0x78,0x8c,0x95,0x99,0x61,0xfe,0xf9,0x86,0x94,0xbb,0xfe,0xff,0xce, + 0x5d,0x69,0x07,0x18,0x99,0xad,0x96,0x9a,0xc2,0x5f,0x3c,0xb4,0x8e,0xea,0x08,0x4b, + 0x1d,0x84,0xa8,0x61,0x37,0x61,0xd1,0xe9,0xd6,0x26,0xe2,0xd9,0xe4,0xa0,0xc4,0x80, + 0x45,0xb6,0x14,0x1a,0x18,0x9c,0x84,0xa2,0x3a,0x4a,0x7e,0xe7,0x0c,0x2d,0x0b,0xe2, + 0x77,0x1c,0xf4,0x47,0x2d,0x8d,0x27,0x5a,0x31,0x09,0x5b,0x04,0x99,0xdd,0xf7,0x26, + 0x93,0x13,0x30,0x2d,0xa6,0xa0,0x72,0xe7,0x3a,0xdf,0x02,0x95,0x5b,0x3e,0xe1,0x41, + 0xba,0x38,0xf3,0x51,0xf4,0x83,0x60,0x5d,0x17,0x8a,0x3b,0x3e,0x63,0x1d,0x62,0x67, + 0x4d,0x67,0xa5,0x79,0xca,0x21,0x2a,0x11,0xc9,0x06,0x0f,0xe4,0x01,0x87,0x52,0x0f), + .s = chunk_from_chars( + 0x06,0x24,0x18,0x75,0x08,0x45,0xd3,0x29,0x1e,0x63,0x3e,0x47,0x40,0x64,0x80,0xe3, + 0x2f,0xa2,0x98,0x02,0x75,0xf2,0xe4,0xac,0x79,0xd2,0x84,0xad,0x83,0xed,0x11,0x19, + 0x0e,0x7b,0x85,0xbf,0xd6,0xed,0x9b,0xcf,0xf6,0x33,0x45,0x58,0x2f,0xcc,0xd8,0x8a, + 0x57,0x89,0x41,0xab,0xb9,0x87,0xd2,0xdc,0xb5,0x49,0xa0,0xac,0x2e,0xd5,0xfe,0x7c, + 0xe8,0x25,0x7b,0xb1,0xe6,0x28,0x81,0x55,0xff,0xf3,0xdc,0x9b,0xc1,0x14,0x0f,0x27, + 0x77,0xa8,0x45,0x75,0x98,0x63,0x60,0xd0,0x76,0x60,0x5e,0x65,0x5c,0x9d,0x73,0xf9, + 0xbf,0x01,0x0a,0x43,0x7e,0xb7,0xb2,0x80,0xd6,0x10,0x83,0x74,0xce,0x8d,0xa4,0xc7, + 0x02,0xf6,0x6a,0x9d,0x1d,0x01,0xb1,0x41,0xc6,0xa6,0x98,0x72,0x9d,0x0f,0xcd,0xb0, + 0x63,0x1b,0x21,0x57,0x8d,0xde,0xd7,0x21,0xef,0x5c,0x49,0x08,0x12,0x26,0x6c,0xf6, + 0xf0,0x12,0x70,0xa8,0xc6,0xc2,0xf0,0x84,0x66,0xc9,0xb3,0xc6,0x26,0xc0,0xf1,0xed, + 0xeb,0x5b,0x4f,0xb3,0x2e,0x95,0x8a,0x4a,0x38,0x8c,0x6c,0x6e,0x73,0xb5,0x3a,0x50, + 0x61,0x37,0x35,0x43,0x58,0xbd,0x00,0xbb,0xd2,0x05,0x8c,0x9c,0x12,0x79,0x04,0x10, + 
0xa4,0x5f,0x43,0x48,0x75,0x48,0x44,0xb3,0x57,0xc4,0xe1,0x7f,0xb3,0x8c,0x8c,0xac, + 0x87,0xa6,0xbe,0x3c,0xd0,0x6a,0x08,0x94,0x3d,0xb0,0xe8,0xb8,0x67,0xd4,0x73,0xe7, + 0xd3,0x58,0x1e,0xd2,0xa3,0x2d,0x25,0xd7,0xb4,0x5e,0xec,0xf8,0xfe,0xa1,0x0d,0x0a, + 0xde,0x1c,0x88,0x85,0x91,0xc7,0x1f,0xc8,0x6a,0xbd,0x14,0x46,0xfa,0xdc,0xa2,0x88, + 0x1d,0xe8,0x7a,0x6d,0x05,0x56,0x6c,0x50,0x00,0xc1,0xe0,0x75,0xb0,0xc1,0xc5,0x48, + 0x1f,0xfb,0x6e,0x98,0x2a,0x3f,0x8f,0x44,0xfa,0x8a,0xd0,0xb6,0xa9,0x2f,0x1c,0xde, + 0xdd,0x9c,0x38,0xd3,0x26,0xa6,0xef,0xad,0x9d,0x03,0x59,0xa6,0x9a,0xf4,0x20,0x34, + 0xb7,0xa4,0xac,0x38,0x8f,0x9c,0x7d,0x35,0x6e,0xdf,0x4d,0x6e,0x45,0x50,0xad,0xde, + 0xcc,0x71,0x92,0x24,0x2b,0x3b,0x1f,0xc4,0x16,0x46,0x02,0x91,0x9d,0x34,0x11,0xed, + 0x43,0xe2,0xb3,0x94,0x86,0x7b,0xf8,0x40,0xea,0x61,0x75,0x0b,0xac,0x4f,0x1b,0x72, + 0xd2,0x8a,0xf3,0x5e,0xb0,0xb3,0xaa,0xf6,0xee,0xd6,0x54,0xd1,0xde,0x88,0x32,0x40, + 0xc0,0xe2,0x23,0x4e,0xa2,0xdd,0xf6,0xf8,0x93,0x4c,0xdc,0xac,0xea,0x80,0x2e,0x26), + }, + { /* Message changed */ + .exp = FALSE, + .e = chunk_from_chars(0x08,0xa6,0x49), + .m = chunk_from_chars( + 0x70,0xa4,0xa8,0x98,0x02,0x85,0x68,0x69,0x9c,0xcd,0x8a,0x53,0x28,0x8a,0x74,0x78, + 0x51,0x88,0x4d,0xb2,0x97,0x1a,0xb1,0x7a,0xa1,0x16,0xa9,0x09,0xd4,0x22,0xda,0xbc, + 0x24,0x2e,0xfc,0xbd,0x2a,0x42,0x8e,0xe0,0x77,0x7a,0xc8,0xcb,0x29,0x4f,0xd2,0x5a, + 0xbc,0x17,0x33,0x42,0x22,0xcf,0x8c,0xf4,0x15,0x19,0x86,0xc4,0xac,0x81,0x09,0x4a, + 0x2c,0x04,0xaf,0x08,0x21,0xd3,0x78,0x4e,0xae,0x54,0xbf,0x5b,0x22,0x6a,0x6c,0xc5, + 0xcb,0xf6,0x6c,0x1b,0x0f,0x9e,0x5e,0xc8,0xb8,0xcd,0x8f,0x3a,0x90,0xfa,0x29,0x44, + 0x2e,0x2e,0xa7,0xc1,0x0f,0xc0,0x8c,0x7b,0xe9,0x63,0x55,0x4b,0x3b,0x64,0xac,0x81, + 0x29,0x2c,0xde,0x85,0x87,0x0c,0x8f,0xbf,0x34,0x3a,0xad,0xb5,0xa9,0x16,0xa2,0x73), + .s = chunk_from_chars( + 0x07,0x88,0x43,0xb0,0x4c,0x98,0x55,0xe6,0x0b,0x09,0x65,0x97,0x0e,0x34,0x85,0xa8, + 0x51,0x70,0x33,0xef,0xb5,0x7b,0x77,0x31,0x50,0x48,0x3e,0x7d,0x79,0xa5,0x49,0xd2, + 
0x17,0x15,0x9f,0xc1,0x94,0xc7,0x8d,0x1d,0x7e,0xb8,0x72,0xad,0xe2,0x31,0xd1,0xc9, + 0x5d,0xaf,0xcb,0x7d,0x52,0x92,0xd7,0xb1,0x13,0xa9,0x95,0x67,0xf4,0x92,0xcd,0x84, + 0x6f,0x88,0xcd,0xc1,0xd0,0x35,0xa0,0x4a,0xe6,0xa5,0xef,0x28,0xa8,0x67,0x33,0x87, + 0xa2,0x47,0x9c,0x3e,0x0c,0x5a,0x12,0x04,0xbf,0x13,0x60,0x2b,0x49,0x09,0x7f,0xd4, + 0xbe,0xc1,0x62,0x84,0x56,0x6c,0x36,0xe4,0x5e,0xa3,0x96,0x35,0x67,0xf3,0x6d,0xae, + 0xe1,0xee,0x86,0x69,0x71,0x37,0xcb,0x25,0x82,0x58,0xb5,0xc3,0x18,0x92,0x6f,0xed, + 0x50,0x5c,0xd6,0x78,0x4c,0xcc,0x95,0xde,0x4e,0xdc,0x20,0x34,0xe6,0x45,0x21,0x27, + 0x6f,0x90,0x55,0x82,0x44,0x79,0xb4,0xab,0xd5,0x1a,0x73,0x15,0xe8,0x1e,0x20,0x4d, + 0xc0,0x0f,0x4b,0x07,0x7f,0x26,0xea,0x0a,0x72,0x56,0xbc,0xfb,0x0e,0xdf,0x88,0x62, + 0x4c,0x4e,0x3a,0x05,0x99,0x14,0xb7,0x5d,0xdf,0xcf,0x94,0x5c,0x56,0x20,0xeb,0x6b, + 0x06,0xb3,0x01,0x1e,0x4b,0xab,0xc2,0x68,0x57,0xbd,0xd9,0xbb,0x06,0x5d,0xfd,0xe5, + 0x15,0xc3,0x7e,0xaa,0x6a,0xd8,0x35,0x90,0x53,0x75,0x66,0x68,0x0a,0xd1,0xd7,0x76, + 0x06,0x78,0x27,0x28,0x8c,0x80,0x49,0x7b,0x76,0xc4,0x89,0xcb,0x39,0x76,0x2d,0xc1, + 0x99,0x7f,0xaa,0x41,0x08,0x6b,0x1e,0x37,0x7d,0x3c,0x9c,0xb2,0x9e,0x45,0x99,0xde, + 0xa3,0xb1,0x23,0xd8,0x50,0x46,0x3e,0xd2,0x00,0x87,0xfa,0x74,0x4a,0x54,0x81,0xa4, + 0x53,0x7a,0x62,0x52,0xae,0xa0,0xbc,0x18,0xb2,0xbc,0x96,0x2d,0xeb,0x58,0x9a,0xe5, + 0x3a,0x88,0x23,0x9e,0xac,0x7e,0x79,0x06,0xf4,0xb1,0x6e,0x68,0xc0,0xe7,0xde,0x24, + 0x78,0xc4,0xe4,0xda,0x86,0x90,0x08,0xa6,0x54,0x55,0xc6,0x91,0x54,0x7b,0x16,0xa9, + 0xd9,0x64,0xfe,0x0f,0xaa,0xac,0x4a,0xbb,0x22,0x30,0x9e,0x07,0x53,0x40,0x8e,0x22, + 0xa8,0x66,0x8c,0x0e,0x96,0x68,0x1f,0x0f,0xed,0xf3,0xad,0xeb,0xd7,0xc3,0xc6,0xea, + 0x0b,0x45,0x2e,0x07,0xa6,0xd9,0x4d,0x94,0x37,0xe8,0xb0,0x3e,0x7b,0x26,0x20,0x3a, + 0xff,0x7c,0x17,0x06,0xb5,0x8a,0x20,0x56,0x86,0x42,0xa8,0x71,0x9b,0x98,0x38,0xf0), + }, + }, +}, +}; + +START_TEST(test_verify_pss) +{ + public_key_t *pubkey; + bool result; + int i; + + if (!lib->plugins->has_feature(lib->plugins, + 
PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PSS))) + { + warn("%N not supported, skip test", signature_scheme_names, + SIGN_RSA_EMSA_PSS); + return; + } + for (i = 0; i < countof(pss_verify[_i].tests); i++) + { + pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, + BUILD_RSA_MODULUS, pss_verify[_i].n, + BUILD_RSA_PUB_EXP, pss_verify[_i].tests[i].e, + BUILD_END); + ck_assert(pubkey != NULL); + result = pubkey->verify(pubkey, SIGN_RSA_EMSA_PSS, + &pss_verify[_i].params, + pss_verify[_i].tests[i].m, + pss_verify[_i].tests[i].s); + fail_unless(result == pss_verify[_i].tests[i].exp, + "verify %N [%d]", signature_scheme_names, + SIGN_RSA_EMSA_PSS, i); + pubkey->destroy(pubkey); + } +} +END_TEST + Suite *rsa_suite_create() { Suite *s; @@ -395,5 +5188,23 @@ Suite *rsa_suite_create() tcase_add_loop_test(tc, test_load, 0, countof(keys)); suite_add_tcase(s, tc); + tc = tcase_create("sign"); + tcase_add_checked_fixture(tc, setup_keys, teardown_keys); + tcase_add_loop_test(tc, test_sign_pkcs15_2048, 0, countof(pkcs15_2048)); + tcase_add_loop_test(tc, test_sign_pkcs15_3072, 0, countof(pkcs15_3072)); + suite_add_tcase(s, tc); + + tc = tcase_create("sign pss"); + tcase_add_checked_fixture(tc, setup_keys_pss, teardown_keys_pss); + tcase_add_loop_test(tc, test_sign_pss_2048, 0, countof(pss_sign_2048)); + tcase_add_loop_test(tc, test_sign_pss_3072, 0, countof(pss_sign_3072)); + tcase_add_loop_test(tc, test_sign_pss_no_salt, 0, countof(pss_sign_ns)); + suite_add_tcase(s, tc); + + tc = tcase_create("verify"); + tcase_add_loop_test(tc, test_verify_pkcs15, 0, countof(pkcs15_verify)); + tcase_add_loop_test(tc, test_verify_pss, 0, countof(pss_verify)); + suite_add_tcase(s, tc); + return s; } diff --git a/src/libstrongswan/tests/suites/test_signature_params.c b/src/libstrongswan/tests/suites/test_signature_params.c new file mode 100644 index 000000000..38cb5803f --- /dev/null +++ b/src/libstrongswan/tests/suites/test_signature_params.c 
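Review bot: `tcase_add_loop_test(tc, test_verify_pss, 0, countof(pss_verify));` registers the PSS verification vectors unconditionally, but test_verify_pss (added earlier in this file, in a hunk that starts outside this view) returns normally after only a `warn()` when no loaded plugin provides `PUBKEY_VERIFY` for `SIGN_RSA_EMSA_PSS`. In such a build the "verify" case still comes out green although none of the `.exp = FALSE` vectors (malformed EM, changed signature, message or public exponent) were checked. Those rejection vectors are what shows that the verifier refuses a bad signature. I would document this next to the registration, e.g. `/* test_verify_pss only warns and returns if no plugin provides SIGN_RSA_EMSA_PSS */`, so a passing run is not read as PSS coverage. Whether test_verify_pkcs15 skips in the same way is not visible here.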
@@ -0,0 +1,461 @@ +/* + * Copyright (C) 2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "test_suite.h" + +#include +#include +#include + +static struct { + chunk_t aid; + rsa_pss_params_t params; +} rsa_pss_parse_tests[] = { + /* from RFC 7427, no parameters (empty sequence) */ + { chunk_from_chars(0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x00), + { .hash = HASH_SHA1, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA1, }}, + /* from RFC 7427, default parameters (SHA-1), would actually not be sent + * like this, as corrected in errata */ + { chunk_from_chars(0x30,0x3e,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x31,0xa0, + 0x0b,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,0x1a,0x05,0x00,0xa1,0x18,0x30,0x16, + 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08,0x30,0x09,0x06,0x05,0x2b, + 0x0e,0x03,0x02,0x1a,0x05,0x00,0xa2,0x03,0x02,0x01,0x14,0xa3,0x03,0x02,0x01,0x01), + { .hash = HASH_SHA1, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA1, }}, + /* from RFC 7427, SHA-256 */ + { chunk_from_chars(0x30,0x46,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x39,0xa0, + 0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00, + 0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08,0x30, + 0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0xa2,0x03, + 0x02,0x01,0x20,0xa3,0x03,0x02,0x01,0x01), + { .hash = 
HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}, + /* from RFC 7427, SHA-256 (errata, without trailer, with len corrections) */ + { chunk_from_chars(0x30,0x41,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x34,0xa0, + 0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00, + 0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08,0x30, + 0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0xa2,0x03, + 0x02,0x01,0x20), + { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}, + /* SHA-512 */ + { chunk_from_chars(0x30,0x41,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x34,0xa0, + 0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,0x05,0x00, + 0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08,0x30, + 0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,0x05,0x00,0xa2,0x03, + 0x02,0x01,0x40), + { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, .salt_len = HASH_SIZE_SHA512, }}, + /* SHA-256, no salt */ + { chunk_from_chars(0x30,0x41,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x34,0xa0, + 0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00, + 0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08,0x30, + 0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0xa2,0x03, + 0x02,0x01,0x00), + { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = 0, }}, + /* only hash specified */ + { chunk_from_chars(0x30,0x1e,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x11, + 0xa0,0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01, + 0x05,0x00), + { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA1, }}, + /* only mgf specified */ + { chunk_from_chars(0x30,0x2b,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x1e, + 
0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08, + 0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00), + { .hash = HASH_SHA1, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA1, }}, + /* only salt specified */ + { chunk_from_chars(0x30,0x12,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x05,0xa2, + 0x03,0x02,0x01,0x20), + { .hash = HASH_SHA1, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA256, }}, +}; + +START_TEST(test_rsa_pss_params_parse) +{ + rsa_pss_params_t parsed; + chunk_t params; + int oid; + + oid = asn1_parse_algorithmIdentifier(rsa_pss_parse_tests[_i].aid, 0, ¶ms); + ck_assert_int_eq(OID_RSASSA_PSS, oid); + ck_assert(rsa_pss_params_parse(params, 1, &parsed)); + ck_assert_int_eq(rsa_pss_parse_tests[_i].params.hash, parsed.hash); + ck_assert_int_eq(rsa_pss_parse_tests[_i].params.mgf1_hash, parsed.mgf1_hash); + ck_assert_int_eq(rsa_pss_parse_tests[_i].params.salt_len, parsed.salt_len); +} +END_TEST + +chunk_t rsa_pss_parse_invalid_tests[] = { + /* unknown hash */ + chunk_from_chars(0x30,0x1e,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x11, + 0xa0,0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x00, + 0x05,0x00), + /* unknown mgf */ + chunk_from_chars(0x30,0x2b,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x1e, + 0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x00, + 0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00), + /* unknown mgf-1 hash */ + chunk_from_chars(0x30,0x2b,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x1e, + 0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08, + 0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x00,0x05,0x00), + /* incorrect trailer */ + chunk_from_chars(0x30,0x12,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x05, + 0xa3,0x03,0x02,0x01,0x02), + /* too long trailer */ + 
chunk_from_chars(0x30,0x13,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x06, + 0xa3,0x04,0x02,0x02,0x01,0x01), +}; + +START_TEST(test_rsa_pss_params_parse_invalid) +{ + rsa_pss_params_t parsed; + chunk_t params; + int oid; + + oid = asn1_parse_algorithmIdentifier(rsa_pss_parse_invalid_tests[_i], 0, ¶ms); + ck_assert_int_eq(OID_RSASSA_PSS, oid); + ck_assert(!rsa_pss_params_parse(params, 1, &parsed)); +} +END_TEST + +static struct { + chunk_t aid; + rsa_pss_params_t params; +} rsa_pss_build_tests[] = { + /* default parameters -> empty sequence */ + { chunk_from_chars(0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x00), + { .hash = HASH_SHA1, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA1, }}, + /* SHA-256 */ + { chunk_from_chars(0x30,0x41,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x34,0xa0, + 0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00, + 0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08,0x30, + 0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0xa2,0x03, + 0x02,0x01,0x20), + { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }}, + /* default salt length: SHA-1 */ + { chunk_from_chars(0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x00), + { .hash = HASH_SHA1, .mgf1_hash = HASH_SHA1, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }}, + /* default salt length: SHA-224 */ + { chunk_from_chars(0x30,0x23,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x16,0xa0, + 0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x04,0x05,0x00, + 0xa2,0x03,0x02,0x01,0x1c), + { .hash = HASH_SHA224, .mgf1_hash = HASH_SHA1, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }}, + /* default salt length: SHA-384 */ + { chunk_from_chars(0x30,0x23,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x16,0xa0, + 
0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,0x05,0x00, + 0xa2,0x03,0x02,0x01,0x30), + { .hash = HASH_SHA384, .mgf1_hash = HASH_SHA1, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }}, + /* SHA-512 */ + { chunk_from_chars(0x30,0x41,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x34,0xa0, + 0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,0x05,0x00, + 0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08,0x30, + 0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,0x05,0x00,0xa2,0x03, + 0x02,0x01,0x40), + { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }}, + /* SHA-256, no salt */ + { chunk_from_chars(0x30,0x41,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x34,0xa0, + 0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00, + 0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08,0x30, + 0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0xa2,0x03, + 0x02,0x01,0x00), + { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = 0, }}, + /* SHA-256, rest default */ + { chunk_from_chars(0x30,0x1e,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x11, + 0xa0,0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01, + 0x05,0x00), + { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA1, }}, + /* MGF1-SHA-256, rest default */ + { chunk_from_chars(0x30,0x2b,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x1e, + 0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08, + 0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00), + { .hash = HASH_SHA1, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA1, }}, + /* only salt specified */ + { chunk_from_chars(0x30,0x12,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x05,0xa2, + 0x03,0x02,0x01,0x20), + { .hash = HASH_SHA1, 
.mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA256, }},
+};
+
+START_TEST(test_rsa_pss_params_build)
+{
+ chunk_t params, aid;
+
+ ck_assert(rsa_pss_params_build(&rsa_pss_build_tests[_i].params, ¶ms));
+ aid = asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(OID_RSASSA_PSS),
+ params);
+ ck_assert_chunk_eq(rsa_pss_build_tests[_i].aid, aid);
+ chunk_free(&aid);
+}
+END_TEST
+
+rsa_pss_params_t rsa_pss_build_invalid_tests[] = {
+ /* unknown hash */
+ { .hash = HASH_UNKNOWN, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA1, },
+ /* invalid mgf */
+ { .hash = HASH_SHA256, .mgf1_hash = HASH_UNKNOWN, .salt_len = HASH_SIZE_SHA256, },
+};
+
+START_TEST(test_rsa_pss_params_build_invalid)
+{
+ chunk_t params;
+
+ ck_assert(!rsa_pss_params_build(&rsa_pss_build_invalid_tests[_i], ¶ms));
+}
+END_TEST
+
+static rsa_pss_params_t rsa_pss_params_sha1 = { .hash = HASH_SHA1, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA1, };
+static rsa_pss_params_t rsa_pss_params_sha256 = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, };
+static rsa_pss_params_t rsa_pss_params_sha256_mgf1 = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA512, .salt_len = HASH_SIZE_SHA256, };
+static rsa_pss_params_t rsa_pss_params_sha256_salt = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = 10, };
+
+static struct {
+ bool equal;
+ bool complies;
+ signature_params_t a;
+ signature_params_t b;
+} params_compare_tests[] = {
+ { TRUE, TRUE, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, }, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, }, },
+ { FALSE, FALSE, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA1, }, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, }, },
+ { TRUE, TRUE, { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha256 },
+ { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha256 }, },
+ { FALSE, FALSE, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, .params = &rsa_pss_params_sha256 },
+ { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, .params = &rsa_pss_params_sha256 }, },
+
{ FALSE, FALSE, { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha256 },
+ { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha256_mgf1 }, },
+ { FALSE, TRUE, { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha256 },
+ { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha256_salt }, },
+ { FALSE, FALSE, { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha1 },
+ { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha256 }, },
+ { FALSE, FALSE, { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha256 },
+ { .scheme = SIGN_RSA_EMSA_PSS, }, },
+};
+
+START_TEST(test_params_compare)
+{
+ bool res;
+
+ res = signature_params_equal(¶ms_compare_tests[_i].a,
+ ¶ms_compare_tests[_i].b);
+ ck_assert(res == params_compare_tests[_i].equal);
+ res = signature_params_comply(¶ms_compare_tests[_i].a,
+ ¶ms_compare_tests[_i].b);
+ ck_assert(res == params_compare_tests[_i].complies);
+ res = signature_params_comply(¶ms_compare_tests[_i].b,
+ ¶ms_compare_tests[_i].a);
+ ck_assert(res == params_compare_tests[_i].complies);
+}
+END_TEST
+
+START_TEST(test_params_compare_null)
+{
+ ck_assert(signature_params_equal(NULL, NULL));
+ ck_assert(!signature_params_equal(¶ms_compare_tests[0].a, NULL));
+ ck_assert(!signature_params_equal(NULL, ¶ms_compare_tests[0].a));
+}
+END_TEST
+
+static struct {
+ signature_params_t src;
+ signature_params_t res;
+} params_clone_tests[] = {
+ { { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, }, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, }, },
+ { { .scheme = SIGN_RSA_EMSA_PSS }, { .scheme = SIGN_RSA_EMSA_PSS }, },
+ { { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha256 },
+ { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha256 }, },
+ { { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha256_salt },
+ { .scheme = SIGN_RSA_EMSA_PSS, .params = &rsa_pss_params_sha256_salt }, },
+ { { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, .params = &rsa_pss_params_sha256 },
+ { .scheme = 
SIGN_RSA_EMSA_PKCS1_SHA2_256 }, },
+};
+
+START_TEST(test_params_clone)
+{
+ signature_params_t *clone = NULL;
+
+ clone = signature_params_clone(¶ms_clone_tests[_i].src);
+ ck_assert(signature_params_equal(clone, ¶ms_clone_tests[_i].res));
+ signature_params_destroy(clone);
+}
+END_TEST
+
+START_TEST(test_params_clone_null)
+{
+ signature_params_t *clone = NULL;
+
+ clone = signature_params_clone(clone);
+ ck_assert(!clone);
+ signature_params_destroy(clone);
+}
+END_TEST
+
+START_TEST(test_params_clear)
+{
+ signature_params_t *clone;
+
+ clone = signature_params_clone(¶ms_clone_tests[_i].src);
+ signature_params_clear(clone);
+ ck_assert_int_eq(clone->scheme, SIGN_UNKNOWN);
+ ck_assert(!clone->params);
+ free(clone);
+}
+END_TEST
+
+START_TEST(test_params_clear_null)
+{
+ signature_params_t *clone = NULL;
+
+ signature_params_clear(clone);
+}
+END_TEST
+
+START_TEST(test_params_parse_rsa_pss)
+{
+ signature_params_t parsed, res = { .scheme = SIGN_RSA_EMSA_PSS, };
+
+ ck_assert(signature_params_parse(rsa_pss_parse_tests[_i].aid, 0, &parsed));
+ res.params = &rsa_pss_parse_tests[_i].params;
+ ck_assert(signature_params_equal(&parsed, &res));
+ signature_params_clear(&parsed);
+}
+END_TEST
+
+START_TEST(test_params_parse_rsa_pss_invalid)
+{
+ signature_params_t parsed;
+
+ ck_assert(!signature_params_parse(rsa_pss_parse_invalid_tests[_i], 0, &parsed));
+}
+END_TEST
+
+static struct {
+ bool valid;
+ chunk_t aid;
+ signature_params_t params;
+} params_parse_tests[] = {
+ { TRUE, chunk_from_chars(0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00),
+ { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, }},
+ { TRUE, chunk_from_chars(0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x04,0x03,0x02),
+ { .scheme = SIGN_ECDSA_WITH_SHA256_DER, }},
+ { FALSE, chunk_from_chars(0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x04,0x03,0xff), },
+};
+
+START_TEST(test_params_parse_other)
+{
+ signature_params_t parsed;
+
+ if (params_parse_tests[_i].valid)
+ {
+
ck_assert(signature_params_parse(params_parse_tests[_i].aid, 0, &parsed));
+ ck_assert(signature_params_equal(&parsed, ¶ms_parse_tests[_i].params));
+ signature_params_clear(&parsed);
+ }
+ else
+ {
+ ck_assert(!signature_params_parse(params_parse_tests[_i].aid, 0, &parsed));
+ }
+}
+END_TEST
+
+START_TEST(test_params_build_rsa_pss)
+{
+ signature_params_t scheme = { .scheme = SIGN_RSA_EMSA_PSS, };
+ chunk_t aid;
+
+ scheme.params = &rsa_pss_build_tests[_i].params;
+ ck_assert(signature_params_build(&scheme, &aid));
+ ck_assert_chunk_eq(rsa_pss_build_tests[_i].aid, aid);
+ chunk_free(&aid);
+}
+END_TEST
+
+START_TEST(test_params_build_rsa_pss_invalid)
+{
+ signature_params_t scheme = { .scheme = SIGN_RSA_EMSA_PSS, };
+ chunk_t aid;
+
+ scheme.params = &rsa_pss_build_invalid_tests[_i];
+ ck_assert(!signature_params_build(&scheme, &aid));
+}
+END_TEST
+
+static struct {
+ bool valid;
+ signature_params_t params;
+ chunk_t aid;
+} params_build_tests[] = {
+ { TRUE, { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256, },
+ chunk_from_chars(0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00), },
+ { TRUE, { .scheme = SIGN_ECDSA_WITH_SHA256_DER, },
+ chunk_from_chars(0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x04,0x03,0x02), },
+ { FALSE, { .scheme = SIGN_UNKNOWN, }, },
+};
+
+START_TEST(test_params_build_other)
+{
+ chunk_t aid;
+
+ if (params_build_tests[_i].valid)
+ {
+ ck_assert(signature_params_build(¶ms_build_tests[_i].params, &aid));
+ ck_assert_chunk_eq(params_build_tests[_i].aid, aid);
+ chunk_free(&aid);
+ }
+ else
+ {
+ ck_assert(!signature_params_build(¶ms_build_tests[_i].params, &aid));
+ }
+}
+END_TEST
+
+Suite *signature_params_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("signature params");
+
+ tc = tcase_create("rsa/pss parse");
+ tcase_add_loop_test(tc, test_rsa_pss_params_parse, 0, countof(rsa_pss_parse_tests));
+ tcase_add_loop_test(tc, test_rsa_pss_params_parse_invalid, 0, countof(rsa_pss_parse_invalid_tests));
+
suite_add_tcase(s, tc);
+
+ tc = tcase_create("rsa/pss build");
+ tcase_add_loop_test(tc, test_rsa_pss_params_build, 0, countof(rsa_pss_build_tests));
+ tcase_add_loop_test(tc, test_rsa_pss_params_build_invalid, 0, countof(rsa_pss_build_invalid_tests));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("params compare");
+ tcase_add_loop_test(tc, test_params_compare, 0, countof(params_compare_tests));
+ tcase_add_test(tc, test_params_compare_null);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("params clone");
+ tcase_add_loop_test(tc, test_params_clone, 0, countof(params_clone_tests));
+ tcase_add_test(tc, test_params_clone_null);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("params clear");
+ tcase_add_loop_test(tc, test_params_clear, 0, countof(params_clone_tests));
+ tcase_add_test(tc, test_params_clear_null);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("parse");
+ tcase_add_loop_test(tc, test_params_parse_rsa_pss, 0, countof(rsa_pss_parse_tests));
+ tcase_add_loop_test(tc, test_params_parse_rsa_pss_invalid, 0, countof(rsa_pss_parse_invalid_tests));
+ tcase_add_loop_test(tc, test_params_parse_other, 0, countof(params_parse_tests));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("build");
+ tcase_add_loop_test(tc, test_params_build_rsa_pss, 0, countof(rsa_pss_build_tests));
+ tcase_add_loop_test(tc, test_params_build_rsa_pss_invalid, 0, countof(rsa_pss_build_invalid_tests));
+ tcase_add_loop_test(tc, test_params_build_other, 0, countof(params_build_tests));
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libstrongswan/tests/suites/test_traffic_selector.c b/src/libstrongswan/tests/suites/test_traffic_selector.c
index a5f30d251..93361f9bf 100644
--- a/src/libstrongswan/tests/suites/test_traffic_selector.c
+++ b/src/libstrongswan/tests/suites/test_traffic_selector.c
@@ -25,6 +25,11 @@ static void verify(const char *str, const char *alt, traffic_selector_t *ts) { char buf[512]; + if (!str) + { + ck_assert_msg(!ts, "traffic selector not null: %R", ts); + return; + } snprintf(buf, sizeof(buf), "%R", ts); DESTROY_IF(ts); if (!streq(buf, str) && (!alt || !streq(buf, alt))) @@ -48,12 +53,14 @@ START_TEST(test_create_from_string) verify("fec1::1..fec1::ffff:ffff:ffff:ffff", NULL, traffic_selector_create_from_string(0, TS_IPV6_ADDR_RANGE, "fec1::1", 0, "fec1::ffff:ffff:ffff:ffff", 65535)); - - ck_assert(!traffic_selector_create_from_string(IPPROTO_TCP, 0, + verify(NULL, NULL, + traffic_selector_create_from_string(IPPROTO_TCP, 0, "10.1.0.0", 80, "10.1.255.255", 80)); - ck_assert(!traffic_selector_create_from_string(IPPROTO_TCP, TS_IPV4_ADDR_RANGE, + verify(NULL, NULL, + traffic_selector_create_from_string(IPPROTO_TCP, TS_IPV4_ADDR_RANGE, "a.b.c.d", 80, "10.1.255.255", 80)); - ck_assert(!traffic_selector_create_from_string(IPPROTO_TCP, TS_IPV4_ADDR_RANGE, + verify(NULL, NULL, + traffic_selector_create_from_string(IPPROTO_TCP, TS_IPV4_ADDR_RANGE, "10.1.0.0", 80, "a.b.c.d", 80)); } END_TEST @@ -62,13 +69,17 @@ START_TEST(test_create_from_cidr) { verify("10.1.0.0/16", NULL, traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535)); + verify("10.1.0.1/32[udp]", "10.1.0.1/32[17]", + traffic_selector_create_from_cidr("10.1.0.1/32", IPPROTO_UDP, + 0, 65535)); verify("10.1.0.1/32[udp/1234-1235]", "10.1.0.1/32[17/1234-1235]", traffic_selector_create_from_cidr("10.1.0.1/32", IPPROTO_UDP, 1234, 1235)); verify("10.1.0.0/16[OPAQUE]", NULL, traffic_selector_create_from_cidr("10.1.0.0/16", 0, 65535, 0)); - ck_assert(!traffic_selector_create_from_cidr("a.b.c.d/16", 0, 0, 65535)); + verify(NULL, NULL, + traffic_selector_create_from_cidr("a.b.c.d/16", 0, 0, 65535)); } END_TEST 
@@ -78,14 +89,20 @@ START_TEST(test_create_from_bytes) traffic_selector_create_from_bytes(0, TS_IPV4_ADDR_RANGE, chunk_from_chars(0x0a,0x01,0x00,0x00), 0, chunk_from_chars(0x0a,0x01,0xff,0xff), 65535)); - - ck_assert(!traffic_selector_create_from_bytes(0, TS_IPV4_ADDR_RANGE, + verify(NULL, NULL, + traffic_selector_create_from_bytes(0, TS_IPV4_ADDR_RANGE, + chunk_from_chars(0x0a,0x01,0x00,0x00), 0, + chunk_from_chars(0x0a,0x01,0xff,0xff,0xff), 65535)); + verify(NULL, NULL, + traffic_selector_create_from_bytes(0, TS_IPV4_ADDR_RANGE, chunk_empty, 0, chunk_empty, 65535)); - ck_assert(!traffic_selector_create_from_bytes(0, TS_IPV6_ADDR_RANGE, + verify(NULL, NULL, + traffic_selector_create_from_bytes(0, TS_IPV6_ADDR_RANGE, chunk_from_chars(0x0a,0x01,0x00,0x00), 0, chunk_from_chars(0x0a,0x01,0xff,0xff), 65535)); - ck_assert(!traffic_selector_create_from_bytes(0, 0, + verify(NULL, NULL, + traffic_selector_create_from_bytes(0, 0, chunk_from_chars(0x0a,0x01,0x00,0x00), 0, chunk_from_chars(0x0a,0x01,0xff,0xff), 65535)); } @@ -117,6 +134,7 @@ struct { { "128.0.0.0/4", TS_IPV4_ADDR_RANGE, chunk_from_chars(0x04,0x80), }, { "172.16.0.0/12", TS_IPV4_ADDR_RANGE, chunk_from_chars(0x04,0xac,0x10), }, { "0.0.0.0/0", TS_IPV4_ADDR_RANGE, chunk_from_chars(0x00), }, + { NULL, 0, chunk_from_chars(0x00), }, /* FIXME: not a correct encoding, so we might want to fail here */ { "0.0.0.0/0", TS_IPV4_ADDR_RANGE, {NULL, 0}, }, { "2001:0:2::/48", TS_IPV6_ADDR_RANGE, chunk_from_chars(0x00,0x20,0x01,0x00,0x00,0x00,0x02),}, @@ -411,6 +429,7 @@ struct { { "0.0.0.0/0", "fec2::1", FALSE }, { "::/0", "1.2.3.4", FALSE }, { "10.0.0.0/16", "10.1.0.0", FALSE }, + { "10.1.0.0/16", "10.0.255.255", FALSE }, { "fec2::/64", "fec2:0:0:1::afaf", FALSE }, }; 
@@ -469,6 +488,7 @@ struct { } is_host_tests[] = { { "0.0.0.0/0", "192.168.1.2", FALSE, FALSE }, { "::/0", "fec2::1", FALSE, FALSE }, + { "192.168.1.0/24", "192.168.1.0", FALSE, FALSE }, { "192.168.1.2/32", "192.168.1.2", TRUE, TRUE }, { "192.168.1.2/32", "192.168.1.1", FALSE, TRUE }, { "192.168.1.2/32", "fec2::1", FALSE, TRUE }, diff --git a/src/libstrongswan/tests/suites/test_utils.c b/src/libstrongswan/tests/suites/test_utils.c index de7b470d2..353010aaf 100644 --- a/src/libstrongswan/tests/suites/test_utils.c +++ b/src/libstrongswan/tests/suites/test_utils.c @@ -114,6 +114,54 @@ START_TEST(test_timeval_add_ms) } END_TEST +/******************************************************************************* + * timespan_from_string + */ + +static struct { + char *s; + char *u; + bool v; + time_t t; +} ts_data[] = { + {NULL, NULL, FALSE, 0}, + {"", NULL, FALSE, 0}, + {"a", NULL, FALSE, 0}, + {"0", NULL, TRUE, 0}, + {"5", NULL, TRUE, 5}, + {"5s", NULL, TRUE, 5}, + {"5m", NULL, TRUE, 300}, + {"5ms", NULL, TRUE, 300}, + {"5h", NULL, TRUE, 18000}, + {"5d", NULL, TRUE, 432000}, + {"5x", NULL, FALSE, 0}, + {"5", "", TRUE, 5}, + {"5", "m", TRUE, 300}, + {"5", "ms", TRUE, 300}, + {"5", "x", FALSE, 0}, + {"5x", "m", FALSE, 0}, + {"18446744073709551616", NULL, FALSE, 0}, +}; + +START_TEST(test_timespan_from_string) +{ + time_t val = 42; + + ck_assert(timespan_from_string(ts_data[_i].s, ts_data[_i].u, + NULL) == ts_data[_i].v); + ck_assert(timespan_from_string(ts_data[_i].s, ts_data[_i].u, + &val) == ts_data[_i].v); + if (ts_data[_i].v) + { + ck_assert_int_eq(val, ts_data[_i].t); + } + else + { + ck_assert_int_eq(val, 42); + } +} +END_TEST + /******************************************************************************* * htoun/untoh */ 
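Review bot: The `ts_data` table in the test_utils.c hunk pins `"5ms"` and the default unit `"ms"` to 300 seconds without saying why, and that result only makes sense once the reader knows that `timespan_from_string()` takes `unit = *endptr` and so looks at the first unit character alone. The two entries deserve a comment such as `/* only the first unit character is evaluated, so "ms" means minutes */`. The single-letter fields `s`, `u`, `v` and `t` would also be easier to follow with a short comment each (input string, default unit, expected return value, expected seconds).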
@@ -856,15 +904,20 @@ END_TEST static struct { key_type_t type; int size; - signature_scheme_t expected[4]; + signature_scheme_t expected[7]; } scheme_data[] = { - {KEY_RSA, 1024, { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_RSA_EMSA_PKCS1_SHA2_384, - SIGN_RSA_EMSA_PKCS1_SHA2_512, SIGN_UNKNOWN }}, - {KEY_RSA, 2048, { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_RSA_EMSA_PKCS1_SHA2_384, - SIGN_RSA_EMSA_PKCS1_SHA2_512, SIGN_UNKNOWN }}, - {KEY_RSA, 4096, { SIGN_RSA_EMSA_PKCS1_SHA2_384, SIGN_RSA_EMSA_PKCS1_SHA2_512, + {KEY_RSA, 1024, { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PSS, + SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PKCS1_SHA2_256, + SIGN_RSA_EMSA_PKCS1_SHA2_384, SIGN_RSA_EMSA_PKCS1_SHA2_512, + SIGN_UNKNOWN }}, + {KEY_RSA, 2048, { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PSS, + SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PKCS1_SHA2_256, + SIGN_RSA_EMSA_PKCS1_SHA2_384, SIGN_RSA_EMSA_PKCS1_SHA2_512, + SIGN_UNKNOWN }}, + {KEY_RSA, 4096, { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PSS, + SIGN_RSA_EMSA_PKCS1_SHA2_384, SIGN_RSA_EMSA_PKCS1_SHA2_512, SIGN_UNKNOWN }}, - {KEY_RSA, 8192, { SIGN_RSA_EMSA_PKCS1_SHA2_512, SIGN_UNKNOWN }}, + {KEY_RSA, 8192, { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PKCS1_SHA2_512, SIGN_UNKNOWN }}, {KEY_ECDSA, 256, { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_WITH_SHA384_DER, SIGN_ECDSA_WITH_SHA512_DER, SIGN_UNKNOWN }}, {KEY_ECDSA, 384, { SIGN_ECDSA_WITH_SHA384_DER, SIGN_ECDSA_WITH_SHA512_DER, 
@@ -880,16 +933,16 @@ static struct { START_TEST(test_signature_schemes_for_key) { enumerator_t *enumerator; - signature_scheme_t scheme; + signature_params_t *params; int i; enumerator = signature_schemes_for_key(scheme_data[_i].type, scheme_data[_i].size); for (i = 0; scheme_data[_i].expected[i] != SIGN_UNKNOWN; i++) { - ck_assert(enumerator->enumerate(enumerator, &scheme)); - ck_assert_int_eq(scheme_data[_i].expected[i], scheme); + ck_assert(enumerator->enumerate(enumerator, ¶ms)); + ck_assert_int_eq(scheme_data[_i].expected[i], params->scheme); } - ck_assert(!enumerator->enumerate(enumerator, &scheme)); + ck_assert(!enumerator->enumerate(enumerator, ¶ms)); enumerator->destroy(enumerator); } END_TEST @@ -921,6 +974,10 @@ Suite *utils_suite_create() tcase_add_test(tc, test_timeval_add_ms); suite_add_tcase(s, tc); + tc = tcase_create("timespan_from_string"); + tcase_add_loop_test(tc, test_timespan_from_string, 0, countof(ts_data)); + suite_add_tcase(s, tc); + tc = tcase_create("htoun,untoh"); tcase_add_test(tc, test_htoun); tcase_add_test(tc, test_untoh); diff --git a/src/libstrongswan/tests/test_runner.c b/src/libstrongswan/tests/test_runner.c index ed77b3c86..b9a0fe6d6 100644 --- a/src/libstrongswan/tests/test_runner.c +++ b/src/libstrongswan/tests/test_runner.c @@ -385,10 +385,29 @@ static void collect_failure_info(array_t *failures, char *name, int i) array_insert(failures, -1, &failure); } +/** + * Collect warning information, add failure_t to array + */ +static bool collect_warning_info(array_t *warnings, char *name, int i) +{ + failure_t warning = { + .name = name, + .i = i, + }; + + warning.line = test_warning_get(warning.msg, sizeof(warning.msg), + &warning.file); + if (warning.line) + { + array_insert(warnings, -1, &warning); + } + return warning.line; +} + /** * Print array of collected failure_t to stderr */ -static void print_failures(array_t *failures) +static void print_failures(array_t *failures, bool warnings) { failure_t failure; 
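Review bot: The loop in `test_signature_schemes_for_key` compares only `params->scheme`, so the consecutive `SIGN_RSA_EMSA_PSS` entries that the updated `scheme_data` table (previous hunk) expects for RSA keys cannot be told apart, and whatever parameters the enumerator attaches to each PSS entry are never checked. If the intent is to pin the preference order of the PSS hashes as well, the table needs the expected hash next to each PSS entry and the loop needs to compare it with the value behind `params->params`. If that is out of scope, a comment on the loop would make the limit explicit, e.g. `/* only the scheme is compared, PSS parameters are not checked */`.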
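Review bot: `collect_warning_info()` is declared `bool` but ends with `return warning.line;`, which relies on the implicit conversion of a line number; `return warning.line != 0;` states the intent and stays correct if `bool` is a narrow integer typedef on some build. The doc comment says only that a `failure_t` is added to the array; it could also state that TRUE is returned when a warning was pending and that fetching it clears the pending warning (per the `test_warning_get()` description added in test_suite.h).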
@@ -397,8 +416,16 @@ static void print_failures(array_t *failures) while (array_remove(failures, 0, &failure)) { - fprintf(stderr, " %sFailure in '%s': %s (", - TTY(RED), failure.name, failure.msg); + if (warnings) + { + fprintf(stderr, " %sWarning in '%s': %s (", + TTY(YELLOW), failure.name, failure.msg); + } + else + { + fprintf(stderr, " %sFailure in '%s': %s (", + TTY(RED), failure.name, failure.msg); + } if (failure.line) { fprintf(stderr, "%s:%d, ", failure.file, failure.line); @@ -423,9 +450,10 @@ static bool run_case(test_case_t *tcase, test_runner_init_t init, char *cfg) enumerator_t *enumerator; test_function_t *tfun; int passed = 0; - array_t *failures; + array_t *failures, *warnings; failures = array_create(sizeof(failure_t), 0); + warnings = array_create(sizeof(failure_t), 0); fprintf(stderr, " Running case '%s': ", tcase->name); fflush(stderr); @@ -470,7 +498,14 @@ static bool run_case(test_case_t *tcase, test_runner_init_t init, char *cfg) if (!leaks) { rounds++; - fprintf(stderr, "%s+%s", TTY(GREEN), TTY(DEF)); + if (!collect_warning_info(warnings, tfun->name, i)) + { + fprintf(stderr, "%s+%s", TTY(GREEN), TTY(DEF)); + } + else + { + fprintf(stderr, "%s~%s", TTY(YELLOW), TTY(DEF)); + } } } else @@ -497,8 +532,10 @@ static bool run_case(test_case_t *tcase, test_runner_init_t init, char *cfg) fprintf(stderr, "\n"); - print_failures(failures); + print_failures(warnings, TRUE); + print_failures(failures, FALSE); array_destroy(failures); + array_destroy(warnings); return passed == array_count(tcase->functions); } diff --git a/src/libstrongswan/tests/test_suite.c b/src/libstrongswan/tests/test_suite.c index 8541cdaef..412d9fbf6 100644 --- a/src/libstrongswan/tests/test_suite.c +++ b/src/libstrongswan/tests/test_suite.c 
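Review bot: In `run_case()` the pending warning is fetched only on the pass path, inside `if (!leaks)`, so a warning issued by a test that then leaks or fails stays in the static state of test_suite.c and, as far as these hunks show, is reported against the next test that passes. Draining the state on the other paths too would avoid the misattribution, either by collecting the warning next to the failure or by discarding it with a call to `test_warning_get()`. `run_case()` starts and ends outside the hunk, so the failure branch itself is not visible here.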
@@ -49,6 +49,21 @@ static backtrace_t *failure_backtrace; */ static bool worker_failed; +/** + * Warning message buf + */ +static char warning_buf[4096]; + +/** + * Source file warning was issued + */ +static const char *warning_file; + +/** + * Line of source file warning was issued + */ +static int warning_line; + /** * See header. */ @@ -419,6 +434,21 @@ void test_fail_vmsg(const char *file, int line, char *fmt, va_list args) test_failure(); } + +/** + * See header. + */ +void test_warn_msg(const char *file, int line, char *fmt, ...) +{ + va_list args; + + va_start(args, fmt); + vsnprintf(warning_buf, sizeof(warning_buf), fmt, args); + warning_line = line; + warning_file = file; + va_end(args); +} + /** * See header. */ @@ -446,6 +476,25 @@ int test_failure_get(char *msg, int len, const char **file) return failure_line; } +/** + * See header. + */ +int test_warning_get(char *msg, int len, const char **file) +{ + int line = warning_line; + + if (!line) + { + return 0; + } + strncpy(msg, warning_buf, len - 1); + msg[len - 1] = 0; + *file = warning_file; + /* reset state */ + warning_line = 0; + return line; +} + /** * See header. */ diff --git a/src/libstrongswan/tests/test_suite.h b/src/libstrongswan/tests/test_suite.h index 97c1b42c1..9b9fcad85 100644 --- a/src/libstrongswan/tests/test_suite.h +++ b/src/libstrongswan/tests/test_suite.h @@ -219,6 +219,17 @@ void test_setup_timeout(int s); */ int test_failure_get(char *msg, int len, const char **file); +/** + * Get info about a warning if one was issued during the test. Resets the + * warning state. + * + * @param msg buffer receiving warning + * @param len size of msg buffer + * @param file pointer receiving source code file + * @return source code line number, 0 if no warning issued + */ +int test_warning_get(char *msg, int len, const char **file); + /** * Get a backtrace for a failure. * 
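Review bot: `test_warn_msg()` writes `warning_buf`, `warning_line` and `warning_file` without any synchronisation, so a `warn()` issued from a worker thread can race with the main thread or with `test_warning_get()`; the existing `worker_failed` flag in this file suggests tests do run worker threads. If warnings are meant for the main test thread only, the comment above the function should say so, e.g. `/* not thread-safe, call from the main test thread only */`.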
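Review bot: `test_warning_get()` passes `len - 1` to `strncpy()` and then writes `msg[len - 1]`, so a `len` of zero or less turns into a huge `size_t` count and an out-of-bounds index. The only caller in this commit passes `sizeof(warning.msg)`, so this is a robustness point rather than a live bug; extending the early exit to `if (!line || len <= 0)` covers it. A warning longer than the caller's buffer is truncated silently, which is worth a word in the header comment.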
@@ -246,6 +257,18 @@ void test_fail_vmsg(const char *file, int line, char *fmt, va_list args); */ void test_fail_msg(const char *file, int line, char *fmt, ...); +/** + * Issue a warning for a particular test with a message using printf style + * arguments. This does not fail the test, and only the last warning for each + * test is kept. + * + * @param file source code file name + * @param line source code line number + * @param fmt printf format string + * @param ... arguments for fmt + */ +void test_warn_msg(const char *file, int line, char *fmt, ...); + /** * Let a test fail if one of the worker threads has failed (only if called from * the main thread). @@ -345,6 +368,7 @@ void test_fail_if_worker_failed(); #define ck_assert_msg test_assert_msg #define ck_assert_str_eq test_str_eq #define ck_assert_chunk_eq test_chunk_eq +#define warn(fmt, ...) test_warn_msg(__FILE__, __LINE__, fmt, ##__VA_ARGS__) #define fail(fmt, ...) test_fail_msg(__FILE__, __LINE__, fmt, ##__VA_ARGS__) #define fail_if(x, fmt, ...) \ ({ \ diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h index c19cac25a..525bdeb94 100644 --- a/src/libstrongswan/tests/tests.h +++ b/src/libstrongswan/tests/tests.h @@ -51,4 +51,5 @@ TEST_SUITE_DEPEND(mgf1_sha256_suite_create, XOF, XOF_MGF1_SHA256) TEST_SUITE_DEPEND(ntru_suite_create, DH, NTRU_112_BIT) TEST_SUITE_DEPEND(fetch_http_suite_create, FETCHER, "http://") TEST_SUITE_DEPEND(ed25519_suite_create, PRIVKEY_GEN, KEY_ED25519) +TEST_SUITE(signature_params_suite_create) diff --git a/src/libstrongswan/utils/debug.h b/src/libstrongswan/utils/debug.h index f1c8c70ab..3b554487c 100644 --- a/src/libstrongswan/utils/debug.h +++ b/src/libstrongswan/utils/debug.h @@ -24,9 +24,9 @@ typedef enum debug_t debug_t; typedef enum level_t level_t; -#include - +#include #include +#include /** * Debug message group. diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c index 1a4769063..56298a60f 100644 
--- a/src/libstrongswan/utils/identification.c +++ b/src/libstrongswan/utils/identification.c @@ -72,10 +72,13 @@ static const x501rdn_t x501rdns[] = { {"C", OID_COUNTRY, ASN1_PRINTABLESTRING}, {"L", OID_LOCALITY, ASN1_PRINTABLESTRING}, {"ST", OID_STATE_OR_PROVINCE, ASN1_PRINTABLESTRING}, + {"STREET", OID_STREET_ADDRESS, ASN1_PRINTABLESTRING}, {"O", OID_ORGANIZATION, ASN1_PRINTABLESTRING}, {"OU", OID_ORGANIZATION_UNIT, ASN1_PRINTABLESTRING}, {"T", OID_TITLE, ASN1_PRINTABLESTRING}, {"D", OID_DESCRIPTION, ASN1_PRINTABLESTRING}, + {"postalAddress", OID_POSTAL_ADDRESS, ASN1_PRINTABLESTRING}, + {"postalCode", OID_POSTAL_CODE, ASN1_PRINTABLESTRING}, {"N", OID_NAME, ASN1_PRINTABLESTRING}, {"G", OID_GIVEN_NAME, ASN1_PRINTABLESTRING}, {"I", OID_INITIALS, ASN1_PRINTABLESTRING}, diff --git a/src/libstrongswan/utils/utils.h b/src/libstrongswan/utils/utils.h index 33b8d1956..ec994bfc5 100644 --- a/src/libstrongswan/utils/utils.h +++ b/src/libstrongswan/utils/utils.h @@ -25,6 +25,7 @@ #define _GNU_SOURCE #include #include +#include #include #include #include diff --git a/src/libstrongswan/utils/utils/time.c b/src/libstrongswan/utils/utils/time.c index 48e5151c0..d96c918da 100644 --- a/src/libstrongswan/utils/utils/time.c +++ b/src/libstrongswan/utils/utils/time.c @@ -1,7 +1,7 @@ /* - * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2008-2017 Tobias Brunner * Copyright (C) 2005-2008 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -23,7 +23,9 @@ #include #include +#include #include +#include /** * Return monotonic time 
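Review bot: The new `postalAddress` entry in `x501rdns` gets the string type `ASN1_PRINTABLESTRING` like its neighbours, but X.520 defines the postalAddress attribute value as a SEQUENCE of up to six directory strings rather than a single string. A DN built from `postalAddress=...` would therefore probably carry a value that other implementations do not accept for that OID, which matters wherever identities are matched on the encoded DN. Either leave the keyword out or mark the limitation at the entry, e.g. `/* NOTE: encoded as a single string, not the X.520 SEQUENCE OF DirectoryString */`. The `x501rdns` table starts and ends outside the hunk, so how the type column is applied during encoding is not visible here.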
@@ -77,8 +79,62 @@ time_t time_monotonic(timeval_t *tv) #endif /* !WIN32 */ } -/** - * Described in header. +/* + * Described in header + */ +bool timespan_from_string(char *str, char *defunit, time_t *val) +{ + char *endptr, unit; + time_t timeval; + + if (str) + { + errno = 0; + timeval = strtoull(str, &endptr, 10); + if (endptr == str) + { + return FALSE; + } + if (errno == 0) + { + while (isspace(*endptr)) + { + endptr++; + } + unit = *endptr; + if (!unit && defunit) + { + unit = *defunit; + } + switch (unit) + { + case 'd': /* time in days */ + timeval *= 24 * 3600; + break; + case 'h': /* time in hours */ + timeval *= 3600; + break; + case 'm': /* time in minutes */ + timeval *= 60; + break; + case 's': /* time in seconds */ + case '\0': + break; + default: + return FALSE; + } + if (val) + { + *val = timeval; + } + return TRUE; + } + } + return FALSE; +} + +/* + * Described in header */ int time_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, const void *const *args) @@ -112,8 +168,8 @@ int time_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, t.tm_sec, utc ? " UTC " : " ", t.tm_year + 1900); } -/** - * Described in header. +/* + * Described in header */ int time_delta_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, const void *const *args) diff --git a/src/libstrongswan/utils/utils/time.h b/src/libstrongswan/utils/utils/time.h index 2626d9a33..2e210fbef 100644 --- a/src/libstrongswan/utils/utils/time.h +++ b/src/libstrongswan/utils/utils/time.h @@ -1,7 +1,7 @@ /* - * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2008-2017 Tobias Brunner * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
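Review bot: `timespan_from_string()` stores the result of `strtoull()` directly in a `time_t` and then multiplies it by the unit factor, so a leading minus sign (which `strtoull()` accepts and negates), a value that does not fit `time_t`, or a product that overflows all return TRUE with a wrong value; only a digit string beyond the `unsigned long long` range is caught through `errno`. `isspace(*endptr)` also receives a plain `char`, which is undefined for negative values, so it wants an `(unsigned char)` cast. The version below parses into an `unsigned long long`, records the unit as a factor, and rejects anything that does not survive the multiplication and the conversion to `time_t`; `ULLONG_MAX` comes from `<limits.h>`, and whether that header is already included cannot be told from this page. The `ts_data` table in test_utils.c has no case for a negative input or for one that overflows only after the unit is applied.

```c
	char *endptr, unit;
	unsigned long long parsed, factor = 1;
	time_t timeval;

	/* … unchanged: NULL check on str, errno reset … */
		parsed = strtoull(str, &endptr, 10);
	/* … unchanged: endptr == str and errno checks … */
			while (isspace((unsigned char)*endptr))
	/* … unchanged: loop body, default unit selection … */
			switch (unit)
			{
				case 'd':		/* time in days */
					factor = 24 * 3600;
					break;
				case 'h':		/* time in hours */
					factor = 3600;
					break;
				case 'm':		/* time in minutes */
					factor = 60;
					break;
	/* … unchanged: 's', '\0' and default cases … */
			}
			if (parsed > ULLONG_MAX / factor)
			{	/* product would overflow */
				return FALSE;
			}
			timeval = (time_t)(parsed * factor);
			if (timeval < 0 || (unsigned long long)timeval != parsed * factor)
			{	/* negative input or not representable as time_t */
				return FALSE;
			}
	/* … unchanged: store to *val if set, return TRUE … */
```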
@@ -70,6 +70,18 @@ static inline void timeval_add_ms(timeval_t *tv, u_int ms) } } +/** + * Parse the given string as time span and return the number of seconds, + * optionally with a default unit ('s' for seconds, 'm' for minutes, 'h' for + * hours, 'd' for days - default is 's'). + * + * @param str value to parse + * @param defunit optional default unit + * @param[out] val parsed value + * @return TRUE if a value was parsed + */ +bool timespan_from_string(char *str, char *defunit, time_t *val); + /** * printf hook for time_t. * diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in index 292d10f0b..3412ab1cb 100644 --- a/src/libtls/Makefile.in +++ b/src/libtls/Makefile.in @@ -297,9 +297,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libtls/tests/Makefile.in b/src/libtls/tests/Makefile.in index 2e2c3debf..c46ca18bd 100644 --- a/src/libtls/tests/Makefile.in +++ b/src/libtls/tests/Makefile.in @@ -241,9 +241,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c index 05ae62b49..7f7742e88 100644 --- a/src/libtls/tls_crypto.c +++ b/src/libtls/tls_crypto.c @@ -1428,7 +1428,7 @@ METHOD(tls_crypto_t, sign, bool, { scheme = hashsig_to_scheme(key->get_type(key), hash, alg); if (scheme != SIGN_UNKNOWN && - key->sign(key, scheme, data, &sig)) + key->sign(key, scheme, NULL, data, &sig)) { done = TRUE; break; 
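Review bot: The doc comment for `timespan_from_string()` in time.h leaves out three things the implementation in time.c does: `val` may be NULL, in which case the string is only validated; `*val` is left untouched when FALSE is returned (the new unit test relies on this); and only the first character of the unit is evaluated, after optional whitespace. Suggested wording: `@param[out] val  parsed value in seconds, may be NULL` and `@return  TRUE if a value was parsed, FALSE otherwise (val is not modified)`, plus one sentence on the unit character in the description.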
@@ -1460,7 +1460,8 @@ METHOD(tls_crypto_t, sign, bool, { return FALSE; } - done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig); + done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash, + &sig); free(hash.ptr); if (!done) { @@ -1469,7 +1470,7 @@ METHOD(tls_crypto_t, sign, bool, DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA"); break; case KEY_ECDSA: - if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig)) + if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data, &sig)) { return FALSE; } @@ -1509,7 +1510,7 @@ METHOD(tls_crypto_t, verify, bool, tls_signature_algorithm_names, alg); return FALSE; } - if (!key->verify(key, scheme, data, sig)) + if (!key->verify(key, scheme, NULL, data, sig)) { return FALSE; } @@ -1533,7 +1534,8 @@ METHOD(tls_crypto_t, verify, bool, { return FALSE; } - done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig); + done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, NULL, hash, + sig); free(hash.ptr); if (!done) { @@ -1542,7 +1544,8 @@ METHOD(tls_crypto_t, verify, bool, DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA"); break; case KEY_ECDSA: - if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig)) + if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, NULL, data, + sig)) { return FALSE; } diff --git a/src/libtls/tls_prf.c b/src/libtls/tls_prf.c index 918de1e50..f88dbc2b7 100644 --- a/src/libtls/tls_prf.c +++ b/src/libtls/tls_prf.c @@ -17,6 +17,8 @@ typedef struct private_tls_prf12_t private_tls_prf12_t; +#include + /** * Private data of an tls_prf_t object. */ diff --git a/src/libtnccs/Makefile.in b/src/libtnccs/Makefile.in index 9a7639e06..97995800b 100644 --- a/src/libtnccs/Makefile.in +++ b/src/libtnccs/Makefile.in @@ -301,9 +301,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ 
diff --git a/src/libtnccs/plugins/tnc_imc/Makefile.in b/src/libtnccs/plugins/tnc_imc/Makefile.in index 5824c4597..7143a1ce2 100644 --- a/src/libtnccs/plugins/tnc_imc/Makefile.in +++ b/src/libtnccs/plugins/tnc_imc/Makefile.in @@ -249,9 +249,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libtnccs/plugins/tnc_imc/tnc_imc.c b/src/libtnccs/plugins/tnc_imc/tnc_imc.c index 822df3f27..e88ac42b6 100644 --- a/src/libtnccs/plugins/tnc_imc/tnc_imc.c +++ b/src/libtnccs/plugins/tnc_imc/tnc_imc.c @@ -354,7 +354,7 @@ imc_t* tnc_imc_create(char *name, char *path) this = tnc_imc_create_empty(name); if (lib->settings->get_bool(lib->settings, "%s.dlopen_use_rtld_now", - lib->ns, FALSE)) + FALSE, lib->ns)) { flag = RTLD_NOW; } diff --git a/src/libtnccs/plugins/tnc_imv/Makefile.in b/src/libtnccs/plugins/tnc_imv/Makefile.in index 4de4bccb3..a142a7eff 100644 --- a/src/libtnccs/plugins/tnc_imv/Makefile.in +++ b/src/libtnccs/plugins/tnc_imv/Makefile.in @@ -250,9 +250,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libtnccs/plugins/tnc_imv/tnc_imv.c b/src/libtnccs/plugins/tnc_imv/tnc_imv.c index 9a0304172..e6c53b74f 100644 --- a/src/libtnccs/plugins/tnc_imv/tnc_imv.c +++ b/src/libtnccs/plugins/tnc_imv/tnc_imv.c @@ -350,7 +350,7 @@ imv_t* tnc_imv_create(char *name, char *path) this = tnc_imv_create_empty(name); if (lib->settings->get_bool(lib->settings, "%s.dlopen_use_rtld_now", - lib->ns, FALSE)) + FALSE, lib->ns)) { flag = RTLD_NOW; } 
diff --git a/src/libtnccs/plugins/tnc_tnccs/Makefile.in b/src/libtnccs/plugins/tnc_tnccs/Makefile.in index a8607d3b4..72a195eca 100644 --- a/src/libtnccs/plugins/tnc_tnccs/Makefile.in +++ b/src/libtnccs/plugins/tnc_tnccs/Makefile.in @@ -249,9 +249,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libtnccs/plugins/tnccs_11/Makefile.in b/src/libtnccs/plugins/tnccs_11/Makefile.in index eac0e1f63..7e15cb2ff 100644 --- a/src/libtnccs/plugins/tnccs_11/Makefile.in +++ b/src/libtnccs/plugins/tnccs_11/Makefile.in @@ -259,9 +259,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libtnccs/plugins/tnccs_20/Makefile.in b/src/libtnccs/plugins/tnccs_20/Makefile.in index 0d1e73aa4..d7d445fd1 100644 --- a/src/libtnccs/plugins/tnccs_20/Makefile.in +++ b/src/libtnccs/plugins/tnccs_20/Makefile.in @@ -262,9 +262,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in index ebe42fe5d..79db1e9b4 100644 --- a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in +++ b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in @@ -249,9 +249,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ 
diff --git a/src/libtncif/Makefile.in b/src/libtncif/Makefile.in index 1fc797c7f..bd1da8e18 100644 --- a/src/libtncif/Makefile.in +++ b/src/libtncif/Makefile.in @@ -211,9 +211,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libtncif/tncif_pa_subtypes.c b/src/libtncif/tncif_pa_subtypes.c index 2789e7d3e..9c58944bb 100644 --- a/src/libtncif/tncif_pa_subtypes.c +++ b/src/libtncif/tncif_pa_subtypes.c @@ -16,7 +16,7 @@ #include "tncif_pa_subtypes.h" /* IETF PA Subtype names */ -ENUM_BEGIN(pa_subtype_ietf_names, PA_SUBTYPE_IETF_TESTING, PA_SUBTYPE_IETF_SW, +ENUM_BEGIN(pa_subtype_ietf_names, PA_SUBTYPE_IETF_TESTING, PA_SUBTYPE_IETF_SWIMA, "Testing", "Operating System", "Anti-Virus", @@ -26,10 +26,10 @@ ENUM_BEGIN(pa_subtype_ietf_names, PA_SUBTYPE_IETF_TESTING, PA_SUBTYPE_IETF_SW, "IDPS", "VPN", "NEA Client", - "Software" + "SWIMA" ); ENUM_NEXT(pa_subtype_ietf_names, PA_SUBTYPE_IETF_ANY, PA_SUBTYPE_IETF_ANY, - PA_SUBTYPE_IETF_SW, + PA_SUBTYPE_IETF_SWIMA, "ANY" ); ENUM_END(pa_subtype_ietf_names, PA_SUBTYPE_IETF_ANY); diff --git a/src/libtncif/tncif_pa_subtypes.h b/src/libtncif/tncif_pa_subtypes.h index 696441029..0eef4ad17 100644 --- a/src/libtncif/tncif_pa_subtypes.h +++ b/src/libtncif/tncif_pa_subtypes.h @@ -43,7 +43,7 @@ typedef enum pa_subtype_ita_t pa_subtype_ita_t; PA_SUBTYPE_IETF_IDPS = 0x06, PA_SUBTYPE_IETF_VPN = 0x07, PA_SUBTYPE_IETF_NEA_CLIENT = 0x08, - PA_SUBTYPE_IETF_SW = 0x09, + PA_SUBTYPE_IETF_SWIMA = 0x09, PA_SUBTYPE_IETF_ANY = 0xff }; diff --git a/src/libtpmtss/Makefile.in b/src/libtpmtss/Makefile.in index 90d5e54f5..50861bcdd 100644 --- a/src/libtpmtss/Makefile.in +++ b/src/libtpmtss/Makefile.in 
@@ -289,9 +289,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libtpmtss/plugins/tpm/Makefile.in b/src/libtpmtss/plugins/tpm/Makefile.in index f80c0f736..a12c18a35 100644 --- a/src/libtpmtss/plugins/tpm/Makefile.in +++ b/src/libtpmtss/plugins/tpm/Makefile.in @@ -246,9 +246,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/libtpmtss/plugins/tpm/tpm_private_key.c b/src/libtpmtss/plugins/tpm/tpm_private_key.c index bd5a8baeb..0df5ee94c 100644 --- a/src/libtpmtss/plugins/tpm/tpm_private_key.c +++ b/src/libtpmtss/plugins/tpm/tpm_private_key.c @@ -76,7 +76,7 @@ METHOD(private_key_t, get_keysize, int, } METHOD(private_key_t, sign, bool, - private_tpm_private_key_t *this, signature_scheme_t scheme, + private_tpm_private_key_t *this, signature_scheme_t scheme, void *params, chunk_t data, chunk_t *signature) { chunk_t pin = chunk_empty; @@ -191,7 +191,7 @@ tpm_private_key_t *tpm_private_key_connect(key_type_t type, va_list args) if (!tpm) { DBG1(DBG_LIB, "no TPM 2.0 found"); - return NULL; + return NULL; } INIT(this, diff --git a/src/libtpmtss/tpm_tss_tss2.c b/src/libtpmtss/tpm_tss_tss2.c index dcba05c43..4c0d95fe5 100644 --- a/src/libtpmtss/tpm_tss_tss2.c +++ b/src/libtpmtss/tpm_tss_tss2.c 
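Review bot: The new `void *params` argument of the TPM `sign` method in tpm_private_key.c is not referenced in the visible part of the hunk. The tpm_tss_tss2.c hunk of this commit likewise derives the hash with `hasher_from_signature_scheme(scheme, NULL)`, so scheme parameters appear not to reach the TPM signing path. If that holds, a caller requesting a parameterised scheme gets a late failure or a signature that does not match the requested parameters. Either reject schemes whose parameters cannot be honoured early with a DBG1 message, or add a comment such as `/* params are currently ignored for TPM keys */`. The body of `sign` continues outside the hunk, so this needs confirming against the full function.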
@@ -742,7 +742,7 @@ METHOD(tpm_tss_t, sign, bool, *( (uint8_t *)((void *)&session_data_cmd.sessionAttributes ) ) = 0; key_type = key_type_from_signature_scheme(scheme); - hash_alg = hasher_from_signature_scheme(scheme); + hash_alg = hasher_from_signature_scheme(scheme, NULL); /* Check if hash algorithm is supported by TPM */ alg_id = hash_alg_to_tpm_alg_id(hash_alg); diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in index 0c128c1a8..c8450d27f 100644 --- a/src/manager/Makefile.in +++ b/src/manager/Makefile.in @@ -263,9 +263,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/manager/templates/static/jquery.js b/src/manager/templates/static/jquery.js index 7cb68d02f..f0e43fa93 100644 --- a/src/manager/templates/static/jquery.js +++ b/src/manager/templates/static/jquery.js @@ -311,7 +311,7 @@ jQuery.fn = jQuery.prototype = { for ( var i = one ? index : 0, max = one ? index + 1 : options.length; i < max; i++ ) { var option = options[i]; if ( option.selected ) { - // Get the specifc value for the option + // Get the specific value for the option var val = jQuery.browser.msie && !option.attributes["value"].specified ? option.text : option.value; // We don't need an array for one selects diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in index 6ebe48691..02b5607b1 100644 --- a/src/medsrv/Makefile.in +++ b/src/medsrv/Makefile.in @@ -252,9 +252,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in index 58de24aca..8b369b38d 100644 --- a/src/pki/Makefile.in +++ b/src/pki/Makefile.in 
@@ -265,9 +265,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/pki/command.c b/src/pki/command.c index ce704dbb8..f425af7e8 100644 --- a/src/pki/command.c +++ b/src/pki/command.c @@ -191,7 +191,7 @@ void command_register(command_t command) int command_usage(char *error) { FILE *out = stdout; - int i; + int i, indent = 0; if (error) { @@ -221,12 +221,12 @@ int command_usage(char *error) { if (i == 0) { - fprintf(out, " pki --%s %s\n", - cmds[active].cmd, cmds[active].line[i]); + indent = fprintf(out, " pki --%s ", cmds[active].cmd); + fprintf(out, "%s\n", cmds[active].line[i]); } else { - fprintf(out, " %s\n", cmds[active].line[i]); + fprintf(out, "%*s%s\n", indent, "", cmds[active].line[i]); } } for (i = 0; cmds[active].options[i].name; i++) diff --git a/src/pki/command.h b/src/pki/command.h index 449252eb8..a7dade758 100644 --- a/src/pki/command.h +++ b/src/pki/command.h @@ -34,7 +34,7 @@ /** * Maximum number of usage summary lines (+1) */ -#define MAX_LINES 11 +#define MAX_LINES 12 typedef struct command_t command_t; typedef struct command_option_t command_option_t; diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c index 9e6e80938..d1ea5c65e 100644 --- a/src/pki/commands/acert.c +++ b/src/pki/commands/acert.c @@ -33,6 +33,7 @@ static int acert() { cred_encoding_type_t form = CERT_ASN1_DER; hash_algorithm_t digest = HASH_UNKNOWN; + signature_params_t *scheme = NULL; certificate_t *ac = NULL, *cert = NULL, *issuer =NULL; private_key_t *private = NULL; public_key_t *public = NULL; @@ -44,6 +45,8 @@ static int acert() char *datenb = NULL, *datena = NULL, *dateform = NULL; rng_t *rng; char *arg; + bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, + lib->ns); groups = linked_list_create(); 
@@ -60,6 +63,17 @@ static int acert() goto usage; } continue; + case 'R': + if (streq(arg, "pss")) + { + pss = TRUE; + } + else if (!streq(arg, "pkcs1")) + { + error = "invalid RSA padding"; + goto usage; + } + continue; case 'i': file = arg; continue; @@ -162,10 +176,6 @@ static int acert() error = "loading issuer private key failed"; goto end; } - if (digest == HASH_UNKNOWN) - { - digest = get_default_digest(private); - } if (!private->belongs_to(private, public)) { error = "issuer private key does not match issuer certificate"; @@ -217,6 +227,7 @@ static int acert() error = "parsing user certificate failed"; goto end; } + scheme = get_signature_scheme(private, digest, pss); ac = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_AC, @@ -227,6 +238,7 @@ static int acert() BUILD_AC_GROUP_STRINGS, groups, BUILD_SIGNING_CERT, issuer, BUILD_SIGNING_KEY, private, + BUILD_SIGNATURE_SCHEME, scheme, BUILD_END); if (!ac) { @@ -252,6 +264,7 @@ end: DESTROY_IF(public); DESTROY_IF(private); groups->destroy(groups); + signature_params_destroy(scheme); free(encoding.ptr); free(serial.ptr); @@ -279,6 +292,7 @@ static void __attribute__ ((constructor))reg() " --issuercert file [--serial hex] [--lifetime hours]", " [--not-before datetime] [--not-after datetime] [--dateform form]", "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", + "[--rsa-padding pkcs1|pss]", "[--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, @@ -293,6 +307,7 @@ static void __attribute__ ((constructor))reg() {"not-after", 'T', 1, "date/time the validity of the AC ends"}, {"dateform", 'D', 1, "strptime(3) input format, default: %d.%m.%y %T"}, {"digest", 'g', 1, "digest for signature creation, default: key-specific"}, + {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"}, {"outform", 'f', 1, "encoding of generated cert, default: der"}, } }); 
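Review bot: `--rsa-padding pkcs1` cannot override the configuration, because `pss` is initialised from the `%s.rsa_pss` setting and the `case 'R':` branch only ever sets it to TRUE. With `rsa_pss` enabled in the config, an explicit `pkcs1` is validated and then silently ignored, although the option text ("padding for RSA signatures, default: pkcs1") implies that it selects the padding. The branch should assign in both directions, for example `else if (streq(arg, "pkcs1")) { pss = FALSE; }` ahead of a final `else` holding the "invalid RSA padding" error. The same pattern is repeated in the issue.c, req.c, self.c and signcrl.c hunks of this commit.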
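Review bot: The result of `get_signature_scheme(private, digest, pss)` is handed to `BUILD_SIGNATURE_SCHEME` without a check. The helper is defined outside this view; if it can return NULL (for instance when `pss` is requested for a key or digest that does not support it, an assumption to confirm), the operator would at best see the generic build failure rather than learn that the requested scheme was not available. A guard right after the call, `if (!scheme) { error = "no signature scheme found"; goto end; }`, would make this explicit. issue.c, req.c, self.c and signcrl.c call the helper the same way (signcrl.c jumps to its `error:` label instead).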
diff --git a/src/pki/commands/gen.c b/src/pki/commands/gen.c index 6f14b5276..203c76542 100644 --- a/src/pki/commands/gen.c +++ b/src/pki/commands/gen.c @@ -166,7 +166,7 @@ static void __attribute__ ((constructor))reg() { command_register((command_t) { gen, 'g', "gen", "generate a new private key", - {" [--type rsa|ecdsa|ed25519|bliss] [--size bits] [--safe-primes]", + {"[--type rsa|ecdsa|ed25519|bliss] [--size bits] [--safe-primes]", "[--shares n] [--threshold l] [--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c index e41c56d08..1ccbca89f 100644 --- a/src/pki/commands/issue.c +++ b/src/pki/commands/issue.c @@ -61,6 +61,7 @@ static int issue() { cred_encoding_type_t form = CERT_ASN1_DER; hash_algorithm_t digest = HASH_UNKNOWN; + signature_params_t *scheme = NULL; certificate_t *cert_req = NULL, *cert = NULL, *ca =NULL; private_key_t *private = NULL; public_key_t *public = NULL; @@ -84,6 +85,8 @@ static int issue() x509_cert_policy_t *policy = NULL; traffic_selector_t *ts; char *arg; + bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, + lib->ns); san = linked_list_create(); cdps = linked_list_create(); @@ -143,6 +146,17 @@ static int issue() goto usage; } continue; + case 'R': + if (streq(arg, "pss")) + { + pss = TRUE; + } + else if (!streq(arg, "pkcs1")) + { + error = "invalid RSA padding"; + goto usage; + } + continue; case 'i': file = arg; continue; @@ -396,10 +410,6 @@ static int issue() error = "loading CA private key failed"; goto end; } - if (digest == HASH_UNKNOWN) - { - digest = get_default_digest(private); - } if (!private->belongs_to(private, public)) { error = "CA private key does not match CA certificate"; 
@@ -525,11 +535,12 @@ static int issue() id = identification_create_from_encoding(ID_DER_ASN1_DN, chunk_from_chars(ASN1_SEQUENCE, 0)); } + scheme = get_signature_scheme(private, digest, pss); cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca, BUILD_PUBLIC_KEY, public, BUILD_SUBJECT, id, - BUILD_NOT_BEFORE_TIME, not_before, BUILD_DIGEST_ALG, digest, + BUILD_NOT_BEFORE_TIME, not_before, BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial, BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags, BUILD_PATHLEN, pathlen, BUILD_ADDRBLOCKS, addrblocks, @@ -542,6 +553,7 @@ static int issue() BUILD_POLICY_REQUIRE_EXPLICIT, require_explicit, BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping, BUILD_POLICY_INHIBIT_ANY, inhibit_any, + BUILD_SIGNATURE_SCHEME, scheme, BUILD_END); if (!cert) { @@ -575,6 +587,7 @@ end: mappings->destroy_function(mappings, (void*)destroy_policy_mapping); cdps->destroy_function(cdps, (void*)destroy_cdp); ocsp->destroy(ocsp); + signature_params_destroy(scheme); free(encoding.ptr); free(serial.ptr); @@ -614,6 +627,7 @@ static void __attribute__ ((constructor))reg() "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]", "[--cert-policy oid [--cps-uri uri] [--user-notice text]]+", "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", + "[--rsa-padding pkcs1|pss]", "[--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, @@ -646,6 +660,7 @@ static void __attribute__ ((constructor))reg() {"crlissuer", 'I', 1, "CRL Issuer for CRL at distribution point"}, {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, {"digest", 'g', 1, "digest for signature creation, default: key-specific"}, + {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"}, {"outform", 'f', 1, "encoding of generated cert, default: der"}, } }); diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c index 7b87e6ca6..cfddbc455 100644 
--- a/src/pki/commands/req.c +++ b/src/pki/commands/req.c @@ -30,6 +30,7 @@ static int req() cred_encoding_type_t form = CERT_ASN1_DER; key_type_t type = KEY_ANY; hash_algorithm_t digest = HASH_UNKNOWN; + signature_params_t *scheme = NULL; certificate_t *cert = NULL; private_key_t *private = NULL; char *file = NULL, *keyid = NULL, *dn = NULL, *error = NULL; @@ -38,6 +39,8 @@ static int req() chunk_t encoding = chunk_empty; chunk_t challenge_password = chunk_empty; char *arg; + bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, + lib->ns); san = linked_list_create(); @@ -77,6 +80,17 @@ static int req() goto usage; } continue; + case 'R': + if (streq(arg, "pss")) + { + pss = TRUE; + } + else if (!streq(arg, "pkcs1")) + { + error = "invalid RSA padding"; + goto usage; + } + continue; case 'i': file = arg; continue; @@ -153,16 +167,14 @@ static int req() error = "parsing private key failed"; goto end; } - if (digest == HASH_UNKNOWN) - { - digest = get_default_digest(private); - } + scheme = get_signature_scheme(private, digest, pss); + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, BUILD_SIGNING_KEY, private, BUILD_SUBJECT, id, BUILD_SUBJECT_ALTNAMES, san, BUILD_CHALLENGE_PWD, challenge_password, - BUILD_DIGEST_ALG, digest, + BUILD_SIGNATURE_SCHEME, scheme, BUILD_END); if (!cert) { @@ -186,6 +198,7 @@ end: DESTROY_IF(cert); DESTROY_IF(private); san->destroy_offset(san, offsetof(identification_t, destroy)); + signature_params_destroy(scheme); free(encoding.ptr); if (error) 
@@ -208,20 +221,22 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { req, 'r', "req", "create a PKCS#10 certificate request", - {" [--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv] --dn distinguished-name", + {"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv] --dn distinguished-name", "[--san subjectAltName]+ [--password challengePassword]", "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", + "[--rsa-padding pkcs1|pss]", "[--outform der|pem]"}, { - {"help", 'h', 0, "show usage information"}, - {"in", 'i', 1, "private key input file, default: stdin"}, - {"keyid", 'x', 1, "smartcard or TPM private key object handle"}, - {"type", 't', 1, "type of input key, default: priv"}, - {"dn", 'd', 1, "subject distinguished name"}, - {"san", 'a', 1, "subjectAltName to include in cert request"}, - {"password",'p', 1, "challengePassword to include in cert request"}, - {"digest", 'g', 1, "digest for signature creation, default: key-specific"}, - {"outform", 'f', 1, "encoding of generated request, default: der"}, + {"help", 'h', 0, "show usage information"}, + {"in", 'i', 1, "private key input file, default: stdin"}, + {"keyid", 'x', 1, "smartcard or TPM private key object handle"}, + {"type", 't', 1, "type of input key, default: priv"}, + {"dn", 'd', 1, "subject distinguished name"}, + {"san", 'a', 1, "subjectAltName to include in cert request"}, + {"password", 'p', 1, "challengePassword to include in cert request"}, + {"digest", 'g', 1, "digest for signature creation, default: key-specific"}, + {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"}, + {"outform", 'f', 1, "encoding of generated request, default: der"}, } }); } diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c index bdb22463e..6f7adef0f 100644 --- a/src/pki/commands/self.c +++ b/src/pki/commands/self.c 
@@ -52,6 +52,7 @@ static int self() cred_encoding_type_t form = CERT_ASN1_DER; key_type_t type = KEY_ANY; hash_algorithm_t digest = HASH_UNKNOWN; + signature_params_t *scheme = NULL; certificate_t *cert = NULL; private_key_t *private = NULL; public_key_t *public = NULL; @@ -70,6 +71,8 @@ static int self() x509_cert_policy_t *policy = NULL; traffic_selector_t *ts; char *arg; + bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, + lib->ns); san = linked_list_create(); ocsp = linked_list_create(); @@ -119,6 +122,17 @@ static int self() goto usage; } continue; + case 'R': + if (streq(arg, "pss")) + { + pss = TRUE; + } + else if (!streq(arg, "pkcs1")) + { + error = "invalid RSA padding"; + goto usage; + } + continue; case 'i': file = arg; continue; @@ -335,10 +349,6 @@ static int self() error = "loading private key failed"; goto end; } - if (digest == HASH_UNKNOWN) - { - digest = get_default_digest(private); - } public = private->get_public_key(private); if (!public) { @@ -367,11 +377,13 @@ static int self() serial.ptr[0] &= 0x7F; rng->destroy(rng); } + scheme = get_signature_scheme(private, digest, pss); + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_SIGNING_KEY, private, BUILD_PUBLIC_KEY, public, BUILD_SUBJECT, id, BUILD_NOT_BEFORE_TIME, not_before, BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial, - BUILD_DIGEST_ALG, digest, BUILD_X509_FLAG, flags, + BUILD_SIGNATURE_SCHEME, scheme, BUILD_X509_FLAG, flags, BUILD_PATHLEN, pathlen, BUILD_SUBJECT_ALTNAMES, san, BUILD_ADDRBLOCKS, addrblocks, BUILD_OCSP_ACCESS_LOCATIONS, ocsp, @@ -412,6 +424,7 @@ end: policies->destroy_function(policies, (void*)destroy_cert_policy); mappings->destroy_function(mappings, (void*)destroy_policy_mapping); ocsp->destroy(ocsp); + signature_params_destroy(scheme); free(encoding.ptr); free(serial.ptr); 
@@ -441,7 +454,7 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { self, 's', "self", "create a self signed certificate", - {" [--in file|--keyid hex] [--type rsa|ecdsa|ed25519|bliss|priv]", + {"[--in file|--keyid hex] [--type rsa|ecdsa|ed25519|bliss|priv]", " --dn distinguished-name [--san subjectAltName]+", "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+", "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+", @@ -450,6 +463,7 @@ static void __attribute__ ((constructor))reg() "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]", "[--cert-policy oid [--cps-uri uri] [--user-notice text]]+", "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", + "[--rsa-padding pkcs1|pss]", "[--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, @@ -478,6 +492,7 @@ static void __attribute__ ((constructor))reg() {"flag", 'e', 1, "include extendedKeyUsage flag"}, {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, {"digest", 'g', 1, "digest for signature creation, default: key-specific"}, + {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"}, {"outform", 'f', 1, "encoding of generated cert, default: der"}, } }); diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c index 25a3aac52..50f939687 100644 --- a/src/pki/commands/signcrl.c +++ b/src/pki/commands/signcrl.c @@ -108,15 +108,6 @@ static int read_serial(char *file, char *buf, int buflen) return serial.len; } -/** - * Destroy a CDP - */ -static void cdp_destroy(x509_cdp_t *this) -{ - free(this->uri); - free(this); -} - /** * Sign a CRL */ @@ -129,6 +120,7 @@ static int sign_crl() crl_t *lastcrl = NULL; x509_t *x509; hash_algorithm_t digest = HASH_UNKNOWN; + signature_params_t *scheme = NULL; char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL; char *basecrl = NULL; char serial[512], *keyid = NULL; 
@@ -142,6 +134,8 @@ static int sign_crl() x509_cdp_t *cdp; chunk_t crl_serial = chunk_empty, baseCrlNumber = chunk_empty; chunk_t encoding = chunk_empty; + bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, + lib->ns); list = linked_list_create(); cdps = linked_list_create(); @@ -159,6 +153,17 @@ static int sign_crl() goto usage; } continue; + case 'R': + if (streq(arg, "pss")) + { + pss = TRUE; + } + else if (!streq(arg, "pkcs1")) + { + error = "invalid RSA padding"; + goto usage; + } + continue; case 'c': cacert = arg; continue; @@ -341,10 +346,6 @@ static int sign_crl() error = "loading CA private key failed"; goto error; } - if (digest == HASH_UNKNOWN) - { - digest = get_default_digest(private); - } if (!private->belongs_to(private, public)) { error = "CA private key does not match CA certificate"; @@ -399,6 +400,7 @@ static int sign_crl() /* increment the serial number by one */ chunk_increment(crl_serial); + scheme = get_signature_scheme(private, digest, pss); enumerator = enumerator_create_filter(list->create_enumerator(list), filter, NULL, NULL); crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, @@ -406,7 +408,7 @@ static int sign_crl() BUILD_SERIAL, crl_serial, BUILD_NOT_BEFORE_TIME, thisUpdate, BUILD_NOT_AFTER_TIME, nextUpdate, BUILD_REVOKED_ENUMERATOR, enumerator, - BUILD_REVOKED_ENUMERATOR, lastenum, BUILD_DIGEST_ALG, digest, + BUILD_REVOKED_ENUMERATOR, lastenum, BUILD_SIGNATURE_SCHEME, scheme, BUILD_CRL_DISTRIBUTION_POINTS, cdps, BUILD_BASE_CRL, baseCrlNumber, BUILD_END); enumerator->destroy(enumerator); @@ -436,10 +438,11 @@ error: DESTROY_IF(private); DESTROY_IF(ca); DESTROY_IF(crl); + signature_params_destroy(scheme); free(encoding.ptr); free(baseCrlNumber.ptr); list->destroy_function(list, (void*)revoked_destroy); - cdps->destroy_function(cdps, (void*)cdp_destroy); + cdps->destroy_function(cdps, (void*)x509_cdp_destroy); if (error) { fprintf(stderr, "%s\n", error); 
@@ -449,7 +452,7 @@ error: usage: list->destroy_function(list, (void*)revoked_destroy); - cdps->destroy_function(cdps, (void*)cdp_destroy); + cdps->destroy_function(cdps, (void*)x509_cdp_destroy); return command_usage(error); } @@ -462,12 +465,13 @@ static void __attribute__ ((constructor))reg() sign_crl, 'c', "signcrl", "issue a CRL using a CA certificate and key", {"--cacert file --cakey file|--cakeyid hex [--lifetime days]", - " [--lastcrl crl] [--basecrl crl] [--crluri uri]+", - " [[--reason key-compromise|ca-compromise|affiliation-changed|", - " superseded|cessation-of-operation|certificate-hold]", - " [--date timestamp] --cert file|--serial hex]*", - " [--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", - " [--outform der|pem]"}, + "[--lastcrl crl] [--basecrl crl] [--crluri uri]+", + "[[--reason key-compromise|ca-compromise|affiliation-changed|", + " superseded|cessation-of-operation|certificate-hold]", + " [--date timestamp] --cert file|--serial hex]*", + "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", + "[--rsa-padding pkcs1|pss]", + "[--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"cacert", 'c', 1, "CA certificate file"}, @@ -485,6 +489,7 @@ static void __attribute__ ((constructor))reg() {"reason", 'r', 1, "reason for certificate revocation"}, {"date", 'd', 1, "revocation date as unix timestamp, default: now"}, {"digest", 'g', 1, "digest for signature creation, default: key-specific"}, + {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"}, {"outform", 'f', 1, "encoding of generated crl, default: der"}, } }); diff --git a/src/pki/man/Makefile.in b/src/pki/man/Makefile.in index bf8092bd4..533dfcab1 100644 --- a/src/pki/man/Makefile.in +++ b/src/pki/man/Makefile.in 
@@ -202,9 +202,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/pki/man/pki---acert.1.in b/src/pki/man/pki---acert.1.in index c6ecbb989..6c574f273 100644 --- a/src/pki/man/pki---acert.1.in +++ b/src/pki/man/pki---acert.1.in @@ -16,6 +16,7 @@ pki \-\-acert \- Issue an attribute certificate .OP \-\-not-after datetime .OP \-\-serial hex .OP \-\-digest digest +.OP \-\-rsa\-padding padding .OP \-\-outform encoding .OP \-\-debug level .YS @@ -103,6 +104,10 @@ Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, \fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is determined based on the type and size of the signature key. .TP +.BI "\-R, \-\-rsa\-padding " padding +Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults +to \fIpkcs1\fR. +.TP .BI "\-f, \-\-outform " encoding Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or \fIpem\fR (Base64 PEM), defaults to \fIder\fR. diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in index 99cc64fa5..8aec65306 100644 --- a/src/pki/man/pki---issue.1.in +++ b/src/pki/man/pki---issue.1.in @@ -19,6 +19,7 @@ pki \-\-issue \- Issue a certificate using a CA certificate and key .OP \-\-serial hex .OP \-\-flag flag .OP \-\-digest digest +.OP \-\-rsa\-padding padding .OP \-\-ca .OP \-\-crl uri\ \fR[\fB\-\-crlissuer\ \fIissuer\fR] .OP \-\-ocsp uri 
@@ -129,6 +130,10 @@ Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, \fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is determined based on the type and size of the signature key. .TP +.BI "\-R, \-\-rsa\-padding " padding +Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults +to \fIpkcs1\fR. +.TP .BI "\-f, \-\-outform " encoding Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or \fIpem\fR (Base64 PEM), defaults to \fIder\fR. diff --git a/src/pki/man/pki---req.1.in b/src/pki/man/pki---req.1.in index 09ef0862a..8f7de248c 100644 --- a/src/pki/man/pki---req.1.in +++ b/src/pki/man/pki---req.1.in @@ -15,6 +15,7 @@ pki \-\-req \- Create a PKCS#10 certificate request .OP \-\-san subjectAltName .OP \-\-password password .OP \-\-digest digest +.OP \-\-rsa\-padding padding .OP \-\-outform encoding .OP \-\-debug level .YS @@ -72,6 +73,10 @@ Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, \fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is determined based on the type and size of the signature key. .TP +.BI "\-R, \-\-rsa\-padding " padding +Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults +to \fIpkcs1\fR. +.TP .BI "\-f, \-\-outform " encoding Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or \fIpem\fR (Base64 PEM), defaults to \fIder\fR. diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in index aa7e6fabe..5f7e42108 100644 --- a/src/pki/man/pki---self.1.in +++ b/src/pki/man/pki---self.1.in @@ -19,6 +19,7 @@ pki \-\-self \- Create a self-signed certificate .OP \-\-serial hex .OP \-\-flag flag .OP \-\-digest digest +.OP \-\-rsa\-padding padding .OP \-\-ca .OP \-\-ocsp uri .OP \-\-pathlen len 
@@ -115,6 +116,10 @@ Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, \fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is determined based on the type and size of the signature key. .TP +.BI "\-R, \-\-rsa\-padding " padding +Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults +to \fIpkcs1\fR. +.TP .BI "\-f, \-\-outform " encoding Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or \fIpem\fR (Base64 PEM), defaults to \fIder\fR. diff --git a/src/pki/man/pki---signcrl.1.in b/src/pki/man/pki---signcrl.1.in index b901ad084..0abd166a9 100644 --- a/src/pki/man/pki---signcrl.1.in +++ b/src/pki/man/pki---signcrl.1.in @@ -16,6 +16,7 @@ pki \-\-signcrl \- Issue a Certificate Revocation List (CRL) using a CA certific .OP \-\-basecrl crl .OP \-\-crluri uri .OP \-\-digest digest +.OP \-\-rsa\-padding padding .OP \fR[\fB\-\-reason\ \fIreason\fR]\ \fR[\fB\-\-date\ \fIts\fR]\ \fB\-\-cert\ \fIfile\fB|\-\-serial\ \fIhex\fR .OP \-\-outform encoding .OP \-\-debug level @@ -102,6 +103,10 @@ Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, \fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is determined based on the type and size of the signature key. .TP +.BI "\-R, \-\-rsa\-padding " padding +Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults +to \fIpkcs1\fR. +.TP .BI "\-f, \-\-outform " encoding Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or \fIpem\fR (Base64 PEM), defaults to \fIder\fR. diff --git a/src/pki/pki.c b/src/pki/pki.c index 0fdab2aab..ec60f7d42 100644 --- a/src/pki/pki.c +++ b/src/pki/pki.c 
@@ -1,7 +1,7 @@ /* - * Copyright (C) 2012-2014 Tobias Brunner + * Copyright (C) 2012-2017 Tobias Brunner * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -237,20 +237,20 @@ void set_file_mode(FILE *stream, cred_encoding_type_t enc) #endif } -/* - * Described in header +/** + * Determine a default hash algorithm for the given key */ -hash_algorithm_t get_default_digest(private_key_t *private) +static hash_algorithm_t get_default_digest(private_key_t *private) { enumerator_t *enumerator; - signature_scheme_t scheme; + signature_params_t *params; hash_algorithm_t alg = HASH_UNKNOWN; enumerator = signature_schemes_for_key(private->get_type(private), private->get_keysize(private)); - if (enumerator->enumerate(enumerator, &scheme)) + if (enumerator->enumerate(enumerator, ¶ms)) { - alg = hasher_from_signature_scheme(scheme); + alg = hasher_from_signature_scheme(params->scheme, params->params); } enumerator->destroy(enumerator); 
@@ -258,6 +258,42 @@ hash_algorithm_t get_default_digest(private_key_t *private) return alg == HASH_UNKNOWN ? HASH_SHA256 : alg; } +/* + * Described in header + */ +signature_params_t *get_signature_scheme(private_key_t *private, + hash_algorithm_t digest, bool pss) +{ + signature_params_t *scheme; + + if (digest == HASH_UNKNOWN) + { + digest = get_default_digest(private); + } + if (private->get_type(private) == KEY_RSA && pss) + { + rsa_pss_params_t pss_params = { + .hash = digest, + .mgf1_hash = digest, + .salt_len = RSA_PSS_SALT_LEN_DEFAULT, + }; + signature_params_t pss_scheme = { + .scheme = SIGN_RSA_EMSA_PSS, + .params = &pss_params, + }; + scheme = signature_params_clone(&pss_scheme); + } + else + { + INIT(scheme, + .scheme = signature_scheme_from_oid( + hasher_signature_algorithm_to_oid(digest, + private->get_type(private))), + ); + } + return scheme; +} + /* * Described in header */ diff --git a/src/pki/pki.h b/src/pki/pki.h index 54be59f8f..3f0793cfd 100644 --- a/src/pki/pki.h +++ b/src/pki/pki.h @@ -1,6 +1,7 @@ /* + * Copyright (C) 2015-2017 Tobias Brunner * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
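Review bot: In the new `get_signature_scheme()` in src/pki/pki.c, the else branch stores whatever `signature_scheme_from_oid()` returns without checking it. A digest with no signature OID for the key type would presumably give a result whose `scheme` is `SIGN_UNKNOWN`, and the callers that would have to notice this are outside the hunk. Consider failing early, for example `if (scheme->scheme == SIGN_UNKNOWN) { signature_params_destroy(scheme); return NULL; }`, with a NULL check at the call sites. Separately, `pss` is silently ignored for non-RSA keys, so a short comment on that condition (`/* PSS only applies to RSA keys, the flag is ignored otherwise */`) would make the behaviour explicit.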
@@ -57,12 +58,17 @@ bool calculate_lifetime(char *format, char *nbstr, char *nastr, time_t span, void set_file_mode(FILE *stream, cred_encoding_type_t enc); /** - * Select default digest for signatures with the given key + * Determine the signature scheme and parameters for the given private key and + * hash algorithm and whether to use PSS padding for RSA. * * @param private private key - * @return hash algorithm + * @param digest hash algorithm (if HASH_UNKNOWN a default is determined + * based on the key) + * @param pss use PSS padding for RSA keys + * @return allocated signature scheme and parameters */ -hash_algorithm_t get_default_digest(private_key_t *private); +signature_params_t *get_signature_scheme(private_key_t *private, + hash_algorithm_t digest, bool pss); /** * Create a traffic selector from a CIDR or range string. diff --git a/src/pool/Makefile.in b/src/pool/Makefile.in index 1da001d09..e6815434f 100644 --- a/src/pool/Makefile.in +++ b/src/pool/Makefile.in @@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/pool/pool.c b/src/pool/pool.c index cd9fb6293..b755365ec 100644 --- a/src/pool/pool.c +++ b/src/pool/pool.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2016 Tobias Brunner + * Copyright (C) 2011-2017 Tobias Brunner * Copyright (C) 2008 Martin Willi * HSR Hochschule fuer Technik Rapperswil * 
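Review bot: The new doc comment for `get_signature_scheme()` in src/pki/pki.h says the result is allocated but not how the caller releases it. It also does not say what is returned when no scheme exists for the digest and key type. I would extend the return line to `@return allocated signature scheme and parameters, to be freed with signature_params_destroy()` and add a sentence on the failure case. It is also worth stating that `pss` has no effect for non-RSA keys, which is what the implementation in pki.c does.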
@@ -56,28 +56,30 @@ static void do_args(int argc, char *argv[]); /** * Create or replace a pool by name */ -static u_int create_pool(char *name, chunk_t start, chunk_t end, int timeout) +static u_int create_pool(char *name, chunk_t start, chunk_t end, u_int timeout) { enumerator_t *e; int pool; + bool exists; e = db->query(db, "SELECT id FROM pools WHERE name = ?", DB_TEXT, name, DB_UINT); - if (e && e->enumerate(e, &pool)) + exists = e && e->enumerate(e, &pool); + DESTROY_IF(e); + + if (exists) { - if (replace_pool == FALSE) + if (!replace_pool) { fprintf(stderr, "pool '%s' exists.\n", name); - e->destroy(e); exit(EXIT_FAILURE); } del(name); } - DESTROY_IF(e); if (db->execute(db, &pool, "INSERT INTO pools (name, start, end, timeout) VALUES (?, ?, ?, ?)", DB_TEXT, name, DB_BLOB, start, DB_BLOB, end, - DB_INT, timeout*3600) != 1) + DB_UINT, timeout) != 1) { fprintf(stderr, "creating pool failed.\n"); exit(EXIT_FAILURE); @@ -258,7 +260,18 @@ static void status(void) } if (timeout) { - printf("%7dh ", timeout/3600); + if (timeout >= 60 * 300) + { + printf("%7dh ", timeout/3600); + } + else if (timeout >= 300) + { + printf("%7dm ", timeout/60); + } + else + { + printf("%7ds ", timeout); + } } else { @@ -318,7 +331,7 @@ next_pool: /** * ipsec pool --add - add a new pool */ -static void add(char *name, host_t *start, host_t *end, int timeout) +static void add(char *name, host_t *start, host_t *end, u_int timeout) { chunk_t start_addr, end_addr, cur_addr; u_int id, count; @@ -407,7 +420,7 @@ static bool add_address(u_int pool_id, char *address_str, int *family) return TRUE; } -static void add_addresses(char *pool, char *path, int timeout) +static void add_addresses(char *pool, char *path, u_int timeout) { u_int pool_id, count = 0; int family = AF_UNSPEC; 
@@ -941,7 +954,7 @@ static void do_args(int argc, char *argv[]) char *name = "", *value = "", *filter = ""; char *pool = NULL, *identity = NULL, *addresses = NULL; value_type_t value_type = VALUE_NONE; - int timeout = 0; + time_t timeout = 0; bool utc = FALSE, hexout = FALSE; enum { @@ -1088,8 +1101,7 @@ static void do_args(int argc, char *argv[]) } continue; case 't': - timeout = atoi(optarg); - if (timeout == 0 && strcmp(optarg, "0") != 0) + if (!timespan_from_string(optarg, "h", &timeout)) { fprintf(stderr, "invalid timeout '%s'.\n", optarg); usage(); diff --git a/src/pool/pool_usage.c b/src/pool/pool_usage.c index 7622cfa86..94cc041b5 100644 --- a/src/pool/pool_usage.c +++ b/src/pool/pool_usage.c @@ -44,7 +44,9 @@ Usage:\n\ name: Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\ start: Start address of the pool\n\ end: End address of the pool\n\ - timeout: Lease time in hours, 0 for static leases\n\ + timeout: Lease time in hours (use 'd', 'm', or 's' to alternatively\n\ + configure the time in days, minutes or seconds, respectively),\n\ + 0 for static leases\n\ \n\ ipsec pool --add --addresses [--timeout ]\n\ ipsec pool --replace --addresses [--timeout ]\n\ @@ -57,7 +59,9 @@ Usage:\n\ are read from STDIN. Reading addresses stops at the end of file\n\ or an empty line. Pools created with this command can not be\n\ resized.\n\ - timeout: Lease time in hours, 0 for static leases\n\ + timeout: Lease time in hours (use 'd', 'm', or 's' to alternatively\n\ + configure the time in days, minutes or seconds, respectively),\n\ + 0 for static leases\n\ \n\ ipsec pool --addattr [--pool [--identity ]]\n\ --addr|--mask|--server|--subnet|--string|--hex \n\ diff --git a/src/pt-tls-client/Makefile.in b/src/pt-tls-client/Makefile.in index 820bec9f3..1bab5804f 100644 --- a/src/pt-tls-client/Makefile.in +++ b/src/pt-tls-client/Makefile.in 
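Review bot: In the `case 't':` hunk of `do_args()` in src/pool/pool.c, the lease time is now parsed into a `time_t`, but `add()`, `add_addresses()` and `create_pool()` take `u_int timeout` after this commit. A negative or very large value would therefore be converted silently, presumably at the call sites outside this hunk, and stored as an unintended lease time. A range check next to the parse would reject such input, e.g. `if (!timespan_from_string(optarg, "h", &timeout) || timeout < 0 || timeout > UINT_MAX)`, which needs `<limits.h>` if the file does not already include it. The body of `do_args()` continues outside the hunk.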
@@ -247,9 +247,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/pt-tls-client/pt-tls-client.1.in b/src/pt-tls-client/pt-tls-client.1.in index d7c9dffe5..795054c80 100644 --- a/src/pt-tls-client/pt-tls-client.1.in +++ b/src/pt-tls-client/pt-tls-client.1.in @@ -20,7 +20,7 @@ pt-tls-client \- Simple client using PT-TLS to collect integrity information .OP \-\-client client-id .OP \-\-secret password .OP \-\-mutual -.OP \-\-optionsfrom filename +.OP \-\-options filename .OP \-\-quiet .OP \-\-debug level .YS @@ -92,7 +92,7 @@ Set debug level, default: 1. .B "\-q, \-\-quiet Disable debug output to stderr. .TP -.BI "\-+, \-\-optionsfrom " file +.BI "\-+, \-\-options " file Read command line options from \fIfile\fR. . .SH "EXAMPLES" diff --git a/src/pt-tls-client/pt-tls-client.c b/src/pt-tls-client/pt-tls-client.c index d7e78c497..841724eb3 100644 --- a/src/pt-tls-client/pt-tls-client.c +++ b/src/pt-tls-client/pt-tls-client.c @@ -45,7 +45,7 @@ static void usage(FILE *out) " [--cert ]+ [--keyid |--key ]\n" " [--key-type rsa|ecdsa] [--client ]\n" " [--secret ] [--mutual] [--quiet]\n" - " [--debug ] [--optionsfrom ]\n"); + " [--debug ] [--options ]\n"); } /** @@ -289,6 +289,7 @@ int main(int argc, char *argv[]) {"mutual", no_argument, NULL, 'm' }, {"quiet", no_argument, NULL, 'q' }, {"debug", required_argument, NULL, 'd' }, + {"options", required_argument, NULL, '+' }, {"optionsfrom", required_argument, NULL, '+' }, {0,0,0,0 } }; diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in index 85522ad7b..1d5e53241 100644 --- a/src/scepclient/Makefile.in +++ b/src/scepclient/Makefile.in 
@@ -244,9 +244,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/sec-updater/Makefile.am b/src/sec-updater/Makefile.am new file mode 100644 index 000000000..5546cb8f8 --- /dev/null +++ b/src/sec-updater/Makefile.am @@ -0,0 +1,18 @@ +if !USE_WINDOWS + +sbin_PROGRAMS = sec-updater + +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -DPLUGINS=\""sqlite"\" + +sec_updater_SOURCES = sec-updater.c +sec_updater_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +sec-updater.o : $(top_builddir)/config.status + +EXTRA_DIST = sec-updater.sh + +man8_MANS = sec-updater.8 +CLEANFILES = $(man8_MANS) + +endif diff --git a/src/sec-updater/Makefile.in b/src/sec-updater/Makefile.in new file mode 100644 index 000000000..a434b9d34 --- /dev/null +++ b/src/sec-updater/Makefile.in 
@@ -0,0 +1,845 @@ +# Makefile.in generated by automake 1.15 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2014 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes 
+am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@USE_WINDOWS_FALSE@sbin_PROGRAMS = sec-updater$(EXEEXT) +subdir = src/sec-updater +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = sec-updater.8 +CONFIG_CLEAN_VPATH_FILES = +am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)" +PROGRAMS = $(sbin_PROGRAMS) +am__sec_updater_SOURCES_DIST = sec-updater.c +@USE_WINDOWS_FALSE@am_sec_updater_OBJECTS = sec-updater.$(OBJEXT) +sec_updater_OBJECTS = $(am_sec_updater_OBJECTS) +@USE_WINDOWS_FALSE@sec_updater_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent 
+am__v_lt_1 = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(sec_updater_SOURCES) +DIST_SOURCES = $(am__sec_updater_SOURCES_DIST) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / 
.*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man8_MANS) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. 
+am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/sec-updater.8.in \ + $(top_srcdir)/depcomp +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +ATOMICLIB = @ATOMICLIB@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = 
@OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ 
+datarootdir = @datarootdir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +fuzz_plugins = @fuzz_plugins@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libfuzzer = @libfuzzer@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +p_plugins = @p_plugins@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +ruby_CFLAGS = @ruby_CFLAGS@ +ruby_LIBS = @ruby_LIBS@ +runstatedir = @runstatedir@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ 
+soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = @systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +tss2_CFLAGS = @tss2_CFLAGS@ +tss2_LIBS = @tss2_LIBS@ +tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ +tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ +tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +@USE_WINDOWS_FALSE@AM_CPPFLAGS = \ +@USE_WINDOWS_FALSE@ -I$(top_srcdir)/src/libstrongswan \ +@USE_WINDOWS_FALSE@ -DPLUGINS=\""sqlite"\" + +@USE_WINDOWS_FALSE@sec_updater_SOURCES = sec-updater.c +@USE_WINDOWS_FALSE@sec_updater_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +@USE_WINDOWS_FALSE@EXTRA_DIST = sec-updater.sh +@USE_WINDOWS_FALSE@man8_MANS = sec-updater.8 +@USE_WINDOWS_FALSE@CLEANFILES = $(man8_MANS) +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/sec-updater/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/sec-updater/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +sec-updater.8: $(top_builddir)/config.status $(srcdir)/sec-updater.8.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ +install-sbinPROGRAMS: $(sbin_PROGRAMS) + @$(NORMAL_INSTALL) + @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \ + fi; \ + for p in $$list; do echo "$$p $$p"; done | \ + sed 's/$(EXEEXT)$$//' | \ + while read p p1; do if test -f $$p \ + || test -f $$p1 \ + ; then echo "$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n;h' \ + -e 's|.*|.|' \ + -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ + sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ + { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) files[d] = files[d] " " $$1; \ + else { print "f", $$3 "/" $$4, $$1; } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(sbindir)$$dir'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) 
--mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \ + } \ + ; done + +uninstall-sbinPROGRAMS: + @$(NORMAL_UNINSTALL) + @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ + files=`for p in $$list; do echo "$$p"; done | \ + sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ + -e 's/$$/$(EXEEXT)/' \ + `; \ + test -n "$$list" || exit 0; \ + echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(sbindir)" && rm -f $$files + +clean-sbinPROGRAMS: + @list='$(sbin_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + +sec-updater$(EXEEXT): $(sec_updater_OBJECTS) $(sec_updater_DEPENDENCIES) $(EXTRA_sec_updater_DEPENDENCIES) + @rm -f sec-updater$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(sec_updater_OBJECTS) $(sec_updater_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sec-updater.Po@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no 
@AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) + @$(NORMAL_INSTALL) + @list1='$(man8_MANS)'; \ + list2=''; \ + test -n "$(man8dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.8[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ + done; } + +uninstall-man8: + 
@$(NORMAL_UNINSTALL) + @list='$(man8_MANS)'; test -n "$(man8dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) 
$(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(PROGRAMS) $(MANS) +installdirs: + for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . 
= "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-man + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-sbinPROGRAMS + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-sbinPROGRAMS + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-sbinPROGRAMS cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am install-sbinPROGRAMS \ + install-strip installcheck installcheck-am installdirs \ + 
maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \ + uninstall-man uninstall-man8 uninstall-sbinPROGRAMS + +.PRECIOUS: Makefile + +@USE_WINDOWS_FALSE@sec-updater.o : $(top_builddir)/config.status + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/sec-updater/sec-updater.8.in b/src/sec-updater/sec-updater.8.in new file mode 100644 index 000000000..f17198f56 --- /dev/null +++ b/src/sec-updater/sec-updater.8.in 
@@ -0,0 +1,84 @@
+.TH SEC-UPDATER 8 "2017-08-25" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+sec-updater \- Extracts security update information of Linux distributions
+.
+.SH "SYNOPSIS"
+.
+.SY "sec-updater"
+.OP \-\-debug level
+.OP \-\-quiet
+.OP \-\-security
+.BI \-\-os " string"
+.BI \-\-arch " string"
+.BI \-\-uri " uri"
+.BI \-\-file " filename"
+.YS
+.
+.SY "sec-updater"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+.B sec-updater
+extracts information about security updates and backports of Linux repositories
+(e.g. Debian or Ubuntu). This information is used to update the package version
+information stored in the strongTNC SQLite database. The "dbkg --compare-versions"
+command is used to determine which package versions are affected by a given
+security update.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Prints usage information and a short summary of the available commands.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.B "\-q, \-\-quiet"
+Disable debug output to stderr.
+.TP
+.B "\-s, \-\-security"
+Set when parsing a distributions file with security updates.
+.TP
+.BI "\-o, \-\-os " string
+Name of operating system (OS). eg. "Ubuntu 16.04".
+.TP
+.BI "\-o, \-\-arch " string
+Name of HW architecture. eg. "x86_64".
+.TP
+.BI "\-o, \-\-uri " uri
+URI where to download deb package from.
+.TP
+.BI "\-f, \-\-file " filename
+Linux package information file to parse.
+.
+.SH "CONFIGURATION"
+.
+The following parameters can be configured in strongswan.conf:
+.P
+ sec-updater {
+ database = sqlite:///etc/pts/config.db
+ swid_gen {
+ command = /usr/local/bin/swid_generator
+ tag_creator {
+ name = strongSwan Project
+ regid = strongswan.org
+ }
+ }
+ tnc_manage_command = /var/www/tnc/manage.py
+ tmp {
+ deb_file = /tmp/sec-updater.deb
+ tag_file = /tmp/sec-updater.tag
+ }
+ }
+.
+.SH "SEE ALSO"
+.
+.BR strongswan.conf (5)
+
diff --git a/src/sec-updater/sec-updater.c b/src/sec-updater/sec-updater.c
new file mode 100644
index 000000000..e1d2baea2
--- /dev/null
+++ b/src/sec-updater/sec-updater.c
@@ -0,0 +1,565 @@ +/* + * Copyright (C) 2012-2017 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#define EXIT_NO_UPDATES 80 +#define TMP_DEB_FILE "/tmp/sec-updater.deb" +#define TMP_TAG_FILE "/tmp/sec-updater.tag" +#define SWID_GEN_CMD "/usr/local/bin/swid_generator" +#define TNC_MANAGE_CMD "/var/www/tnc/manage.py" + +typedef enum sec_update_state_t sec_update_state_t; + +enum sec_update_state_t { + SEC_UPDATE_STATE_BEGIN_PACKAGE, + SEC_UPDATE_STATE_VERSION, + SEC_UPDATE_STATE_FILENAME, + SEC_UPDATE_STATE_END_PACKAGE +}; + +typedef struct stats_t stats_t; + +struct stats_t { + time_t release; + int product; + int packages; + int new_versions; + int updated_versions; +}; + +/** + * global debug output variables + */ +static int debug_level = 1; +static bool stderr_quiet = FALSE; + +/** + * sec_updater dbg function + */ +static void sec_updater_dbg(debug_t group, level_t level, char *fmt, ...) 
+{ + int priority = LOG_INFO; + char buffer[8192]; + char *current = buffer, *next; + va_list args; + + if (level <= debug_level) + { + if (!stderr_quiet) + { + va_start(args, fmt); + vfprintf(stderr, fmt, args); + fprintf(stderr, "\n"); + va_end(args); + } + + /* write in memory buffer first */ + va_start(args, fmt); + vsnprintf(buffer, sizeof(buffer), fmt, args); + va_end(args); + + /* do a syslog with every line */ + while (current) + { + next = strchr(current, '\n'); + if (next) + { + *(next++) = '\0'; + } + syslog(priority, "%s\n", current); + current = next; + } + } +} + +/** + * atexit handler to close everything on shutdown + */ +static void cleanup(void) +{ + closelog(); + library_deinit(); +} + +static void usage(void) +{ + printf("\ +Usage:\n\ + sec-updater --help\n\ + sec-updater [--debug ] [--quiet] [--security] --os \n\ + --arch --uri --file \n\n\ + Options:\n\ + --help print usage information\n\ + --debug set debug level\n\ + --quiet suppress debug output to stderr\n\ + --os operating system\n\ + --arch hw architecture\n\ + --security set when parsing a file with security updates\n\ + --file package information file to parse\n\ + --uri uri where to download deb package from\n"); + } + +/** + * Update the package database + */ +static bool update_database(database_t *db, char *package, char *version, + bool security, stats_t *stats, bool *new) +{ + int pid = 0, vid = 0, sec_flag; + bool first = TRUE, found = FALSE; + char *release; + enumerator_t *e; + + /* increment package count */ + stats->packages++; + + /* set new output variable */ + *new = FALSE; + + /* check if package is already in database */ + e = db->query(db, "SELECT id FROM packages WHERE name = ?", + DB_TEXT, package, DB_INT); + if (!e) + { + return FALSE; + } + if (!e->enumerate(e, &pid)) + { + pid = 0; + } + e->destroy(e); + + if (!pid) + { + return TRUE; + } + + /* retrieve all package versions stored in database */ + e = db->query(db, + "SELECT id, release, security FROM versions " 
+ "WHERE product = ? AND package = ?", + DB_INT, stats->product, DB_INT, pid, DB_INT, DB_TEXT, DB_INT); + if (!e) + { + return FALSE; + } + + while (e->enumerate(e, &vid, &release, &sec_flag)) + { + char command[BUF_LEN]; + char found_char = ' '; + bool update_version = FALSE; + + if (streq(version, release)) + { + found = TRUE; + found_char = '*'; + } + else if (security) + { + snprintf(command, BUF_LEN, "dpkg --compare-versions %s lt %s", + release, version); + if (system(command) == 0) + { + found_char = '!'; + if (!sec_flag) + { + if (db->execute(db, NULL, "UPDATE versions " + "SET security = 1 WHERE id = ?", DB_INT, vid) != 1) + { + DBG1(DBG_IMV, " could not update version"); + e->destroy(e); + return FALSE; + } + update_version = TRUE; + stats->updated_versions++; + } + } + } + if (debug_level < 2 && !update_version) + { + continue; + } + if (first) + { + DBG1(DBG_IMV, "%s", package); + first = FALSE; + } + DBG1(DBG_IMV, " %c%s %s", found_char , sec_flag ? "s" : " ", release); + } + e->destroy(e); + + if (!found) + { + if (first) + { + DBG1(DBG_IMV, "%s", package); + } + DBG1(DBG_IMV, " + %s", version); + + if (db->execute(db, &vid, + "INSERT INTO versions " + "(package, product, release, security, time) " + "VALUES (?, ?, ?, 0, ?)", DB_INT, pid, DB_INT, stats->product, + DB_TEXT, version, DB_INT, stats->release) != 1) + { + DBG1(DBG_IMV, " could not store version to database"); + return FALSE; + } + stats->new_versions++; + *new = TRUE; + } + + return TRUE; +} + +/** + * Process a package file and store updates in the database + */ +static int process_packages(char *path, char *os, char *arch, char *uri, + bool security) +{ + char line[BUF_LEN], product[BUF_LEN], command[BUF_LEN]; + char *db_uri, *download_uri = NULL, *swid_regid, *swid_entity; + char *pos, *package = NULL, *version = NULL, *filename = NULL; + char *swid_gen_cmd, *tnc_manage_cmd, *tmp_deb_file, *tmp_tag_file; + sec_update_state_t state; + enumerator_t *e; + database_t *db; + int len, pid; + 
chunk_t deb = chunk_empty; + FILE *file; + stats_t stats; + bool success = TRUE, new; + + /* initialize statistics */ + memset(&stats, 0x00, sizeof(stats_t)); + + /* Set release date to current time */ + stats.release = time(NULL); + + /* opening package file */ + file = fopen(path, "r"); + if (!file) + { + DBG1(DBG_IMV, " could not open \"%s\"", path); + exit(EXIT_FAILURE); + } + + /* connect package database */ + db_uri = lib->settings->get_str(lib->settings, "sec-updater.database", NULL); + if (!db_uri) + { + DBG1(DBG_IMV, "database URI sec-updater.database not set"); + fclose(file); + exit(EXIT_FAILURE); + } + db = lib->db->create(lib->db, db_uri); + if (!db) + { + DBG1(DBG_IMV, "could not connect to database '%s'", db_uri); + fclose(file); + exit(EXIT_FAILURE); + } + + /* form product name by concatenating os and arch strings */ + snprintf(product, BUF_LEN, "%s %s", os, arch); + + /* check if product is already in database */ + e = db->query(db, "SELECT id FROM products WHERE name = ?", + DB_TEXT, product, DB_INT); + if (e) + { + if (e->enumerate(e, &pid)) + { + stats.product = pid; + } + e->destroy(e); + } + if (!stats.product) + { + if (db->execute(db, &pid, "INSERT INTO products (name) VALUES (?)", + DB_TEXT, product) != 1) + { + DBG1(DBG_IMV, "could not store product '%s' to database", + product); + fclose(file); + db->destroy(db); + exit(EXIT_FAILURE); + } + stats.product = pid; + } + + /* get settings for the loop */ + swid_regid = lib->settings->get_str(lib->settings, + "sec-updater.swid_gen.tag_creator.regid", + "strongswan.org"); + swid_entity = lib->settings->get_str(lib->settings, + "sec-updater.swid_gen.tag_creator.name", + "strongSwan Project"); + swid_gen_cmd = lib->settings->get_str(lib->settings, + "sec-updater.swid_gen.command", SWID_GEN_CMD); + tnc_manage_cmd = lib->settings->get_str(lib->settings, + "sec-updater.tnc_manage_command", TNC_MANAGE_CMD); + tmp_deb_file = lib->settings->get_str(lib->settings, + "sec-updater.tmp.deb_file", 
TMP_DEB_FILE); + tmp_tag_file = lib->settings->get_str(lib->settings, + "sec-updater.tmp.tag_file", TMP_TAG_FILE); + + state = SEC_UPDATE_STATE_BEGIN_PACKAGE; + + while (fgets(line, sizeof(line), file)) + { + /* set read pointer to beginning of line */ + pos = line; + + switch (state) + { + case SEC_UPDATE_STATE_BEGIN_PACKAGE: + pos = strstr(pos, "Package: "); + if (!pos) + { + continue; + } + pos += 9; + package = pos; + pos = strchr(pos, '\n'); + if (pos) + { + package = strndup(package, pos - package); + state = SEC_UPDATE_STATE_VERSION; + } + break; + case SEC_UPDATE_STATE_VERSION: + pos = strstr(pos, "Version: "); + if (!pos) + { + continue; + } + pos += 9; + version = pos; + pos = strchr(pos, '\n'); + if (pos) + { + version = strndup(version, pos - version); + success = update_database(db, package, version, security, + &stats, &new); + state = (success && new) ? SEC_UPDATE_STATE_FILENAME : + SEC_UPDATE_STATE_END_PACKAGE; + } + break; + case SEC_UPDATE_STATE_FILENAME: + pos = strstr(pos, "Filename: "); + if (!pos) + { + continue; + } + state = SEC_UPDATE_STATE_END_PACKAGE; + + pos += 10; + filename = pos; + pos = strchr(pos, '\n'); + if (!pos) + { + break; + } + len = pos - filename; + if (asprintf(&download_uri, "%s/%.*s", uri, len, filename) == -1) + { + break; + } + + /* retrieve deb package file from linux repository */ + if (lib->fetcher->fetch(lib->fetcher, download_uri, + &deb, FETCH_END) != SUCCESS) + { + DBG1(DBG_IMV, " %s failed", download_uri); + break; + } + DBG1(DBG_IMV, " %s (%u bytes)", download_uri, deb.len); + + /* store deb package file to temporary location */ + if (!chunk_write(deb, tmp_deb_file, 0022, TRUE)) + { + DBG1(DBG_IMV, " save to '%s' failed", tmp_deb_file); + break; + } + + /* generate SWID tag for downloaded deb package */ + snprintf(command, BUF_LEN, "%s swid --full --package-file %s " + "--regid %s --entity-name '%s' --os '%s' --arch '%s' " + ">> %s", swid_gen_cmd, tmp_deb_file, swid_regid, + swid_entity, os, arch, 
tmp_tag_file); + if (system(command) != 0) + { + DBG1(DBG_IMV, " tag generation failed"); + break; + } + break; + case SEC_UPDATE_STATE_END_PACKAGE: + if (*pos != '\n') + { + continue; + } + free(package); + free(version); + free(download_uri); + chunk_free(&deb); + package = version = download_uri = NULL; + + if (!success) + { + fclose(file); + db->destroy(db); + exit(EXIT_FAILURE); + } + state = SEC_UPDATE_STATE_BEGIN_PACKAGE; + } + } + + free(package); + free(version); + free(download_uri); + fclose(file); + db->destroy(db); + + /* import swid tags into strongTNC */ + if (stats.new_versions > 0) + { + snprintf(command, BUF_LEN, "%s importswid %s", + tnc_manage_cmd, tmp_tag_file); + if (system(command) != 0) + { + DBG1(DBG_IMV, "tag import failed"); + } + snprintf(command, BUF_LEN, "rm %s %s", + tmp_deb_file, tmp_tag_file); + if (system(command) != 0) + { + DBG1(DBG_IMV, "removing temporary files failed"); + } + } + + DBG1(DBG_IMV, "processed \"%s\": %d packages, %d new versions, " + "%d updated versions", path, stats.packages, + stats.new_versions, stats.updated_versions); + + return (stats.new_versions + stats.updated_versions) ? 
+ EXIT_SUCCESS : EXIT_NO_UPDATES; +} + +static int do_args(int argc, char *argv[]) +{ + char *filename = NULL, *arch = NULL, *os = NULL, *uri = NULL; + bool security = FALSE; + + /* reinit getopt state */ + optind = 0; + + while (TRUE) + { + int c; + + struct option long_opts[] = { + { "help", no_argument, NULL, 'h' }, + { "arch", required_argument, NULL, 'a' }, + { "debug", required_argument, NULL, 'd' }, + { "file", required_argument, NULL, 'f' }, + { "os", required_argument, NULL, 'o' }, + { "quiet", no_argument, NULL, 'q' }, + { "security", no_argument, NULL, 's' }, + { "uri", required_argument, NULL, 'u' }, + { 0,0,0,0 } + }; + + c = getopt_long(argc, argv, "ha:d:f:o:qsu:", long_opts, NULL); + switch (c) + { + case EOF: + break; + case 'h': + usage(); + exit(EXIT_SUCCESS); + case 'a': + arch = optarg; + continue; + case 'd': + debug_level = atoi(optarg); + continue; + case 'f': + filename = optarg; + continue; + case 'o': + os = optarg; + continue; + case 'q': + stderr_quiet = TRUE; + continue; + case 's': + security = TRUE; + continue; + case 'u': + uri = optarg; + continue; + } + break; + } + + if (filename && os && arch && uri) + { + return process_packages(filename, os, arch, uri, security); + } + else + { + usage(); + exit(EXIT_FAILURE); + } +} + +int main(int argc, char *argv[]) +{ + /* enable attest debugging hook */ + dbg = sec_updater_dbg; + openlog("sec-updater", 0, LOG_DEBUG); + + atexit(cleanup); + + /* initialize library */ + if (!library_init(NULL, "sec-updater")) + { + exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); + } + if (!lib->plugins->load(lib->plugins, + lib->settings->get_str(lib->settings, "sec-updater.load", + "sqlite curl"))) + { + exit(SS_RC_INITIALIZATION_FAILED); + } + exit(do_args(argc, argv)); +} + diff --git a/src/sec-updater/sec-updater.sh b/src/sec-updater/sec-updater.sh new file mode 100755 index 000000000..ca7b89841 --- /dev/null +++ b/src/sec-updater/sec-updater.sh 
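Review bot: In update_database() the `dpkg --compare-versions %s lt %s` string is built with snprintf() and run through system(), and `version` is copied verbatim from the `Version:` line of the parsed Packages file, so any shell metacharacters in repository metadata are interpreted by the shell. The comparison should call dpkg with an argument vector instead, as sketched below; the sketch assumes `<unistd.h>` and `<sys/wait.h>` are among the includes, which this page does not show. The remaining system() calls in process_packages() interpolate configuration and command-line values in the same way and write the fetched package to a fixed path under /tmp, so they deserve the same treatment together with an exclusively created temporary file. Also in process_packages(), when a `Package:` or `Version:` line has no newline inside `line`, `package` or `version` keeps pointing into that stack buffer and can later reach free().

```c
/* compare two Debian version strings without passing them through a shell */
static bool dpkg_version_lt(char *release, char *version)
{
	int status;
	pid_t child;

	/* a leading '-' would be read by dpkg as an option, not a version */
	if (*release == '-' || *version == '-')
	{
		return FALSE;
	}
	child = fork();
	if (child == -1)
	{
		return FALSE;
	}
	if (child == 0)
	{
		execlp("dpkg", "dpkg", "--compare-versions", release, "lt", version,
			   (char*)NULL);
		_exit(127);
	}
	if (waitpid(child, &status, 0) != child)
	{
		return FALSE;
	}
	return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* … unchanged: update_database() up to the security branch … */
		else if (security)
		{
			if (dpkg_version_lt(release, version))
			{
/* … unchanged: security flag update and rest of the enumerate loop … */
```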
@@ -0,0 +1,168 @@ +#!/bin/sh + +DIR="/etc/pts" +DISTS_DIR="$DIR/dists" +DATE=`date +%Y%m%d-%H%M` +UBUNTU="http://security.ubuntu.com/ubuntu" +UBUNTU_VERSIONS="xenial" +UBUNTU_DIRS="main multiverse restricted universe" +UBUNTU_ARCH="binary-amd64" +DEBIAN="http://security.debian.org" +DEBIAN_VERSIONS="jessie wheezy" +DEBIAN_DIRS="main contrib non-free" +DEBIAN_ARCH="binary-amd64 binary-armhf" +RASPIAN="http://archive.raspberrypi.org/debian" +RASPIAN_VERSIONS="jessie wheezy" +RASPIAN_DIRS="main" +RASPIAN_ARCH="binary-armhf" +CMD=/usr/sbin/sec-updater +CMD_LOG="$DIR/logs/$DATE-sec-update.log" +DEL_LOG=1 + +mkdir -p $DIR/dists +cd $DIR/dists + +# Download Ubuntu distribution information + +for v in $UBUNTU_VERSIONS +do + for a in $UBUNTU_ARCH + do + mkdir -p $v-security/$a $v-updates/$a + for d in $UBUNTU_DIRS + do + wget -nv $UBUNTU/dists/$v-security/$d/$a/Packages.xz -O $v-security/$a/Packages-$d.xz + unxz -f $v-security/$a/Packages-$d.xz + wget -nv $UBUNTU/dists/$v-updates/$d/$a/Packages.xz -O $v-updates/$a/Packages-$d.xz + unxz -f $v-updates/$a/Packages-$d.xz + done + done +done + +# Download Debian distribution information + +for v in $DEBIAN_VERSIONS +do + for a in $DEBIAN_ARCH + do + mkdir -p $v-updates/$a + for d in $DEBIAN_DIRS + do + wget -nv $DEBIAN/dists/$v/updates/$d/$a/Packages.bz2 -O $v-updates/$a/Packages-$d.bz2 + bunzip2 -f $v-updates/$a/Packages-$d.bz2 + done + done +done + +# Download Raspian distribution information + +for v in $RASPIAN_VERSIONS +do + for a in $RASPIAN_ARCH + do + mkdir -p $v-raspian/$a + for d in $RASPIAN_DIRS + do + wget -nv $RASPIAN/dists/$v/$d/$a/Packages.gz -O $v-raspian/$a/Packages-$d.gz + gunzip -f $v-raspian/$a/Packages-$d.gz + done + done +done + +# Run sec-updater in distribution information + +for f in xenial-security/binary-amd64/* +do + echo "security: $f" + $CMD --os "Ubuntu 16.04" --arch "x86_64" --file $f --security \ + --uri $UBUNTU >> $CMD_LOG 2>&1 + if [ $? 
-eq 0 ] + then + DEL_LOG=0 + fi +done + +for f in xenial-updates/binary-amd64/* +do + echo "updates: $f" + $CMD --os "Ubuntu 16.04" --arch "x86_64" --file $f \ + --uri $UBUNTU >> $CMD_LOG 2>&1 + if [ $? -eq 0 ] + then + DEL_LOG=0 + fi +done + +for f in jessie-updates/binary-amd64/* +do + echo "security: $f" + $CMD --os "Debian 8.0" --arch "x86_64" --file $f --security \ + --uri $DEBIAN >> $CMD_LOG 2>&1 + if [ $? -eq 0 ] + then + DEL_LOG=0 + fi +done + +for f in wheezy-updates/binary-amd64/* +do + echo "security: $f" + $CMD --os "Debian 7.0" --arch "x86_64" --file $f --security \ + --uri $DEBIAN >> $CMD_LOG 2>&1 + if [ $? -eq 0 ] + then + DEL_LOG=0 + fi +done + +for f in jessie-updates/binary-armhf/* +do + echo "security: $f" + $CMD --os "Debian 8.0" --arch "armhf" --file $f --security \ + --uri $DEBIAN >> $CMD_LOG 2>&1 + if [ $? -eq 0 ] + then + DEL_LOG=0 + fi +done + +for f in wheezy-updates/binary-armhf/* +do + echo "security: $f" + $CMD --os "Debian 7.0" --arch "armhf" --file $f --security \ + --uri $DEBIAN >> $CMD_LOG 2>&1 + if [ $? -eq 0 ] + then + DEL_LOG=0 + fi +done + +for f in jessie-raspian/binary-armhf/* +do + echo "security: $f" + $CMD --os "Debian 8.0" --arch "armv7l" --file $f --security \ + --uri $RASPIAN >> $CMD_LOG 2>&1 + if [ $? -eq 0 ] + then + DEL_LOG=0 + fi +done + +for f in wheezy-raspian/binary-armhf/* +do + echo "security: $f" + $CMD --os "Debian 7.11" --arch "armv7l" --file $f --security \ + --uri $RASPIAN >> $CMD_LOG 2>&1 + if [ $? -eq 0 ] + then + DEL_LOG=0 + fi +done + +# Delete log file if no security updates were found + +if [ $DEL_LOG -eq 1 ] +then + rm $CMD_LOG + echo "no security updates found" +fi diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am index a3c58126e..457c0650e 100644 --- a/src/starter/Makefile.am +++ b/src/starter/Makefile.am 
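Review bot: The Packages indexes are fetched with `wget` over plain `http://` and handed to sec-updater with no authenticity check, so whatever arrives on the wire ends up in the strongTNC version database and steers the `--uri` downloads that sec-updater builds from the `Filename:` fields. Fetching each suite's `InRelease` file, verifying it with `gpgv` against the distribution's archive keyring, and checking the Packages checksums it lists before the `unxz`/`bunzip2`/`gunzip` step would close that gap. Two smaller robustness points: `cd $DIR/dists` is unchecked, so a failed `mkdir` leaves the relative downloads in the caller's directory (`cd "$DISTS_DIR" || exit 1`), and `$DIR/logs` is never created before `>> $CMD_LOG` is used (`mkdir -p "$DIR/logs"`).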
@@ -39,15 +39,21 @@ starter_LDADD = \ libstarter.la \ $(SOCKLIB) $(PTHREADLIB) $(ATOMICLIB) -EXTRA_DIST = keywords.txt ipsec.conf ipsec.secrets Android.mk -MAINTAINERCLEANFILES = keywords.c -BUILT_SOURCES = keywords.c parser/parser.h +EXTRA_DIST = keywords.h.in keywords.txt ipsec.conf ipsec.secrets Android.mk +MAINTAINERCLEANFILES = keywords.h keywords.c +BUILT_SOURCES = keywords.h keywords.c parser/parser.h if USE_LOAD_WARNING AM_CPPFLAGS += -DLOAD_WARNING endif -keywords.c: $(srcdir)/keywords.txt $(srcdir)/keywords.h +keywords.h: $(srcdir)/keywords.h.in + $(AM_V_GEN) \ + sed \ + -e "s:\@GPERF_LEN_TYPE\@:$(GPERF_LEN_TYPE):" \ + $< > $@ + +keywords.c: $(srcdir)/keywords.txt keywords.h $(AM_V_GEN) \ $(GPERF) -m 10 -C -G -D -t < $(srcdir)/keywords.txt > $@ diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in index 2fa22ae97..80fd2c68d 100644 --- a/src/starter/Makefile.in +++ b/src/starter/Makefile.in @@ -289,9 +289,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -524,9 +526,9 @@ starter_LDADD = \ libstarter.la \ $(SOCKLIB) $(PTHREADLIB) $(ATOMICLIB) -EXTRA_DIST = keywords.txt ipsec.conf ipsec.secrets Android.mk -MAINTAINERCLEANFILES = keywords.c -BUILT_SOURCES = keywords.c parser/parser.h +EXTRA_DIST = keywords.h.in keywords.txt ipsec.conf ipsec.secrets Android.mk +MAINTAINERCLEANFILES = keywords.h keywords.c +BUILT_SOURCES = keywords.h keywords.c parser/parser.h all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive 
@@ -995,7 +997,13 @@ uninstall-am: uninstall-ipsecPROGRAMS .PRECIOUS: Makefile -keywords.c: $(srcdir)/keywords.txt $(srcdir)/keywords.h +keywords.h: $(srcdir)/keywords.h.in + $(AM_V_GEN) \ + sed \ + -e "s:\@GPERF_LEN_TYPE\@:$(GPERF_LEN_TYPE):" \ + $< > $@ + +keywords.c: $(srcdir)/keywords.txt keywords.h $(AM_V_GEN) \ $(GPERF) -m 10 -C -G -D -t < $(srcdir)/keywords.txt > $@ diff --git a/src/starter/confread.c b/src/starter/confread.c index f98fc8936..f154f8951 100644 --- a/src/starter/confread.c +++ b/src/starter/confread.c @@ -40,16 +40,8 @@ #define SA_REPLACEMENT_RETRIES_DEFAULT 3 #define SA_REPLAY_WINDOW_DEFAULT -1 /* use charon.replay_window */ -static const char ike_defaults[] = "aes128-sha256-curve25519"; -static const char esp_defaults[] = "aes128-sha256"; - static const char firewall_defaults[] = IPSEC_SCRIPT " _updown iptables"; -/** - * Provided by GPERF - */ -extern kw_entry_t *in_word_set (char *str, unsigned int len); - /** * Process deprecated keywords */ @@ -95,7 +87,7 @@ static void load_setup(starter_config_t *cfg, conf_parser_t *parser) { enumerator_t *enumerator; dictionary_t *dict; - kw_entry_t *entry; + const kw_entry_t *entry; char *key, *value; DBG2(DBG_APP, "Loading config setup"); @@ -146,7 +138,7 @@ static void load_ca(starter_ca_t *ca, starter_config_t *cfg, { enumerator_t *enumerator; dictionary_t *dict; - kw_entry_t *entry; + const kw_entry_t *entry; kw_token_t token; char *key, *value; @@ -211,7 +203,6 @@ static void conn_defaults(starter_conn_t *conn) conn->mode = MODE_TUNNEL; conn->options = SA_OPTION_MOBIKE; - conn->ike = strdupnull(ike_defaults); /* esp defaults are set after parsing the conn section */ conn->sa_ike_life_seconds = IKE_LIFETIME_DEFAULT; conn->sa_ipsec_life_seconds = IPSEC_LIFETIME_DEFAULT; @@ -559,7 +550,7 @@ static void load_conn(starter_conn_t *conn, starter_config_t *cfg, { enumerator_t *enumerator; dictionary_t *dict; - kw_entry_t *entry; + const kw_entry_t *entry; kw_token_t token; char *key, *value; 
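Review bot: The context comment `/* esp defaults are set after parsing the conn section */` in conn_defaults() is stale after this commit, because the later load_conn() hunk (-627,11) removes the only code that filled `conn->esp` from `esp_defaults`, and this hunk drops the `conn->ike` default as well. Remove the comment or replace it with something like `/* ike and esp stay NULL unless configured in the conn section */`. Since both fields can now be NULL for a conn that sets neither, it is worth confirming that every reader of `conn->ike` and `conn->esp` outside this diff tolerates NULL and that the proposals then applied are the intended ones. Both functions start and end outside their hunks.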
@@ -627,11 +618,6 @@ static void load_conn(starter_conn_t *conn, starter_config_t *cfg, handle_firewall("left", &conn->left, cfg); handle_firewall("right", &conn->right, cfg); - - if (!conn->esp && !conn->ah) - { - conn->esp = strdupnull(esp_defaults); - } } /* diff --git a/src/starter/keywords.c b/src/starter/keywords.c index 505b66010..0e2d0fb4b 100644 --- a/src/starter/keywords.c +++ b/src/starter/keywords.c @@ -47,6 +47,7 @@ error "gperf generated tables don't work with this execution character set. Plea #include +#define IN_GPERF_GENERATED_FILE #include "keywords.h" struct kw_entry { diff --git a/src/starter/keywords.h b/src/starter/keywords.h index 0cb46a740..27d16b0b8 100644 --- a/src/starter/keywords.h +++ b/src/starter/keywords.h @@ -196,4 +196,8 @@ struct kw_entry_t { kw_token_t token; }; +#ifndef IN_GPERF_GENERATED_FILE +const kw_entry_t *in_word_set(register const char*, register unsigned); +#endif + #endif /* _KEYWORDS_H_ */ diff --git a/src/starter/keywords.h.in b/src/starter/keywords.h.in new file mode 100644 index 000000000..d2b08f2cf --- /dev/null +++ b/src/starter/keywords.h.in 
@@ -0,0 +1,203 @@ +/* + * Copyright (C) 2005 Andreas Steffen + * Hochschule fuer Technik Rapperswil, Switzerland + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef _KEYWORDS_H_ +#define _KEYWORDS_H_ + +typedef enum kw_token_t kw_token_t; +typedef struct kw_entry_t kw_entry_t; + +enum kw_token_t { + /* config setup keywords */ + KW_CHARONDEBUG, + KW_UNIQUEIDS, + KW_CACHECRLS, + KW_STRICTCRLPOLICY, + KW_PKCS11_DEPRECATED, + KW_SETUP_DEPRECATED, + +#define KW_SETUP_FIRST KW_CHARONDEBUG +#define KW_SETUP_LAST KW_SETUP_DEPRECATED + + /* conn section keywords */ + KW_CONN_NAME, + KW_CONN_SETUP, + KW_KEYEXCHANGE, + KW_TYPE, + KW_COMPRESS, + KW_INSTALLPOLICY, + KW_AGGRESSIVE, + KW_AUTHBY, + KW_EAP_IDENTITY, + KW_AAA_IDENTITY, + KW_MOBIKE, + KW_FORCEENCAPS, + KW_FRAGMENTATION, + KW_IKEDSCP, + KW_IKELIFETIME, + KW_KEYLIFE, + KW_REKEYMARGIN, + KW_LIFEBYTES, + KW_MARGINBYTES, + KW_LIFEPACKETS, + KW_MARGINPACKETS, + KW_KEYINGTRIES, + KW_REKEYFUZZ, + KW_REKEY, + KW_REAUTH, + KW_IKE, + KW_ESP, + KW_AH, + KW_DPDDELAY, + KW_DPDTIMEOUT, + KW_DPDACTION, + KW_CLOSEACTION, + KW_SHA256_96, + KW_INACTIVITY, + KW_MODECONFIG, + KW_XAUTH, + KW_XAUTH_IDENTITY, + KW_MEDIATION, + KW_MEDIATED_BY, + KW_ME_PEERID, + KW_REQID, + KW_REPLAY_WINDOW, + KW_MARK, + KW_MARK_IN, + KW_MARK_OUT, + KW_TFC, + KW_PFS_DEPRECATED, + KW_CONN_DEPRECATED, + +#define KW_CONN_FIRST KW_CONN_SETUP +#define KW_CONN_LAST KW_CONN_DEPRECATED + + /* ca section keywords */ + KW_CA_NAME, + KW_CA_SETUP, + KW_CACERT, + KW_CRLURI, + KW_CRLURI2, + 
KW_OCSPURI, + KW_OCSPURI2, + KW_CERTURIBASE, + KW_CA_DEPRECATED, + +#define KW_CA_FIRST KW_CA_SETUP +#define KW_CA_LAST KW_CA_DEPRECATED + + /* end keywords */ + KW_HOST, + KW_IKEPORT, + KW_SUBNET, + KW_PROTOPORT, + KW_SOURCEIP, + KW_DNS, + KW_FIREWALL, + KW_HOSTACCESS, + KW_ALLOWANY, + KW_UPDOWN, + KW_AUTH1, + KW_AUTH2, + KW_ID, + KW_ID2, + KW_SIGKEY, + KW_CERT, + KW_CERT2, + KW_CERTPOLICY, + KW_SENDCERT, + KW_CA, + KW_CA2, + KW_GROUPS, + KW_GROUPS2, + KW_END_DEPRECATED, + +#define KW_END_FIRST KW_HOST +#define KW_END_LAST KW_END_DEPRECATED + + /* left end keywords */ + KW_LEFT, + KW_LEFTIKEPORT, + KW_LEFTSUBNET, + KW_LEFTPROTOPORT, + KW_LEFTSOURCEIP, + KW_LEFTDNS, + KW_LEFTFIREWALL, + KW_LEFTHOSTACCESS, + KW_LEFTALLOWANY, + KW_LEFTUPDOWN, + KW_LEFTAUTH, + KW_LEFTAUTH2, + KW_LEFTID, + KW_LEFTID2, + KW_LEFTSIGKEY, + KW_LEFTCERT, + KW_LEFTCERT2, + KW_LEFTCERTPOLICY, + KW_LEFTSENDCERT, + KW_LEFTCA, + KW_LEFTCA2, + KW_LEFTGROUPS, + KW_LEFTGROUPS2, + KW_LEFT_DEPRECATED, + +#define KW_LEFT_FIRST KW_LEFT +#define KW_LEFT_LAST KW_LEFT_DEPRECATED + + /* right end keywords */ + KW_RIGHT, + KW_RIGHTIKEPORT, + KW_RIGHTSUBNET, + KW_RIGHTPROTOPORT, + KW_RIGHTSOURCEIP, + KW_RIGHTDNS, + KW_RIGHTFIREWALL, + KW_RIGHTHOSTACCESS, + KW_RIGHTALLOWANY, + KW_RIGHTUPDOWN, + KW_RIGHTAUTH, + KW_RIGHTAUTH2, + KW_RIGHTID, + KW_RIGHTID2, + KW_RIGHTSIGKEY, + KW_RIGHTCERT, + KW_RIGHTCERT2, + KW_RIGHTCERTPOLICY, + KW_RIGHTSENDCERT, + KW_RIGHTCA, + KW_RIGHTCA2, + KW_RIGHTGROUPS, + KW_RIGHTGROUPS2, + KW_RIGHT_DEPRECATED, + +#define KW_RIGHT_FIRST KW_RIGHT +#define KW_RIGHT_LAST KW_RIGHT_DEPRECATED + + /* general section keywords */ + KW_ALSO, + KW_AUTO, + +}; + +struct kw_entry_t { + char *name; + kw_token_t token; +}; + +#ifndef IN_GPERF_GENERATED_FILE +const kw_entry_t *in_word_set(register const char*, register @GPERF_LEN_TYPE@); +#endif + +#endif /* _KEYWORDS_H_ */ diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt index 3f92dc83f..dd673bc7a 100644 --- a/src/starter/keywords.txt 
+++ b/src/starter/keywords.txt @@ -16,6 +16,7 @@ #include +#define IN_GPERF_GENERATED_FILE #include "keywords.h" %} diff --git a/src/starter/tests/Makefile.in b/src/starter/tests/Makefile.in index fc5b86397..ce0c7b43c 100644 --- a/src/starter/tests/Makefile.in +++ b/src/starter/tests/Makefile.in @@ -241,9 +241,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/stroke/Makefile.am b/src/stroke/Makefile.am index ed170bd08..5c04b5ae7 100644 --- a/src/stroke/Makefile.am +++ b/src/stroke/Makefile.am @@ -4,13 +4,19 @@ stroke_SOURCES = \ stroke.c stroke_msg.h stroke_keywords.c stroke_keywords.h stroke_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) -EXTRA_DIST = stroke_keywords.txt Android.mk -BUILT_SOURCES = stroke_keywords.c -MAINTAINERCLEANFILES = stroke_keywords.c +EXTRA_DIST = stroke_keywords.h.in stroke_keywords.txt Android.mk +BUILT_SOURCES = stroke_keywords.h stroke_keywords.c +MAINTAINERCLEANFILES = stroke_keywords.h stroke_keywords.c AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ -DIPSEC_PIDDIR=\"${piddir}\" -stroke_keywords.c: $(srcdir)/stroke_keywords.txt $(srcdir)/stroke_keywords.h +stroke_keywords.h: $(srcdir)/stroke_keywords.h.in + $(AM_V_GEN) \ + sed \ + -e "s:\@GPERF_LEN_TYPE\@:$(GPERF_LEN_TYPE):" \ + $< > $@ + +stroke_keywords.c: $(srcdir)/stroke_keywords.txt stroke_keywords.h $(AM_V_GEN) \ $(GPERF) -m 10 -D -C -G -t < $(srcdir)/stroke_keywords.txt > $@ diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in index 9d17733ba..be31bc581 100644 --- a/src/stroke/Makefile.in +++ b/src/stroke/Makefile.in 
@@ -215,9 +215,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -422,9 +424,9 @@ stroke_SOURCES = \ stroke.c stroke_msg.h stroke_keywords.c stroke_keywords.h stroke_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) -EXTRA_DIST = stroke_keywords.txt Android.mk -BUILT_SOURCES = stroke_keywords.c -MAINTAINERCLEANFILES = stroke_keywords.c +EXTRA_DIST = stroke_keywords.h.in stroke_keywords.txt Android.mk +BUILT_SOURCES = stroke_keywords.h stroke_keywords.c +MAINTAINERCLEANFILES = stroke_keywords.h stroke_keywords.c AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ -DIPSEC_PIDDIR=\"${piddir}\" @@ -769,7 +771,13 @@ uninstall-am: uninstall-ipsecPROGRAMS .PRECIOUS: Makefile -stroke_keywords.c: $(srcdir)/stroke_keywords.txt $(srcdir)/stroke_keywords.h +stroke_keywords.h: $(srcdir)/stroke_keywords.h.in + $(AM_V_GEN) \ + sed \ + -e "s:\@GPERF_LEN_TYPE\@:$(GPERF_LEN_TYPE):" \ + $< > $@ + +stroke_keywords.c: $(srcdir)/stroke_keywords.txt stroke_keywords.h $(AM_V_GEN) \ $(GPERF) -m 10 -D -C -G -t < $(srcdir)/stroke_keywords.txt > $@ diff --git a/src/stroke/stroke_keywords.h b/src/stroke/stroke_keywords.h index 4a1016277..00b992769 100644 --- a/src/stroke/stroke_keywords.h +++ b/src/stroke/stroke_keywords.h @@ -73,6 +73,7 @@ typedef enum { typedef struct stroke_token stroke_token_t; -extern const stroke_token_t* in_word_set(register const char *str, register unsigned int len); +extern const stroke_token_t* in_word_set(register const char *str, + register unsigned len); #endif /* _STROKE_KEYWORDS_H_ */ diff --git a/src/stroke/stroke_keywords.h.in b/src/stroke/stroke_keywords.h.in new file mode 100644 index 000000000..2b5780adc --- /dev/null +++ b/src/stroke/stroke_keywords.h.in 
@@ -0,0 +1,79 @@
+/* stroke keywords
+ * Copyright (C) 2006 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef _STROKE_KEYWORDS_H_
+#define _STROKE_KEYWORDS_H_
+
+typedef enum {
+ STROKE_ADD,
+ STROKE_DEL,
+ STROKE_DELETE,
+ STROKE_ROUTE,
+ STROKE_UNROUTE,
+ STROKE_UP,
+ STROKE_UP_NOBLK,
+ STROKE_DOWN,
+ STROKE_DOWN_NOBLK,
+ STROKE_DOWN_SRCIP,
+ STROKE_REKEY,
+ STROKE_LOGLEVEL,
+ STROKE_STATUS,
+ STROKE_STATUSALL,
+ STROKE_STATUSALL_NOBLK,
+ STROKE_LIST_PUBKEYS,
+ STROKE_LIST_CERTS,
+ STROKE_LIST_CACERTS,
+ STROKE_LIST_OCSPCERTS,
+ STROKE_LIST_AACERTS,
+ STROKE_LIST_ACERTS,
+ STROKE_LIST_GROUPS,
+ STROKE_LIST_CAINFOS,
+ STROKE_LIST_CRLS,
+ STROKE_LIST_OCSP,
+ STROKE_LIST_ALGS,
+ STROKE_LIST_PLUGINS,
+ STROKE_LIST_ALL,
+ STROKE_REREAD_SECRETS,
+ STROKE_REREAD_CACERTS,
+ STROKE_REREAD_OCSPCERTS,
+ STROKE_REREAD_AACERTS,
+ STROKE_REREAD_ACERTS,
+ STROKE_REREAD_CRLS,
+ STROKE_REREAD_ALL,
+ STROKE_PURGE_OCSP,
+ STROKE_PURGE_CRLS,
+ STROKE_PURGE_CERTS,
+ STROKE_PURGE_IKE,
+ STROKE_EXPORT_X509,
+ STROKE_EXPORT_CONN_CERT,
+ STROKE_EXPORT_CONN_CHAIN,
+ STROKE_LEASES,
+ STROKE_MEMUSAGE,
+ STROKE_USER_CREDS,
+ STROKE_COUNTERS,
+ STROKE_COUNTERS_RESET,
+} stroke_keyword_t;
+
+#define STROKE_LIST_FIRST STROKE_LIST_PUBKEYS
+#define STROKE_REREAD_FIRST STROKE_REREAD_SECRETS
+#define STROKE_PURGE_FIRST STROKE_PURGE_OCSP
+#define STROKE_EXPORT_FIRST STROKE_EXPORT_X509
+
+typedef struct stroke_token stroke_token_t;
+
+extern const
stroke_token_t* in_word_set(register const char *str, + register @GPERF_LEN_TYPE@ len); + +#endif /* _STROKE_KEYWORDS_H_ */ diff --git a/src/sw-collector/Makefile.in b/src/sw-collector/Makefile.in index 73016ad72..28169508a 100644 --- a/src/sw-collector/Makefile.in +++ b/src/sw-collector/Makefile.in @@ -252,9 +252,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/src/sw-collector/sw-collector.8.in b/src/sw-collector/sw-collector.8.in index 8560ba095..b9041c77b 100644 --- a/src/sw-collector/sw-collector.8.in +++ b/src/sw-collector/sw-collector.8.in @@ -1,4 +1,4 @@ -.TH SW-COLLECTOR 1 "2017-07-15" "@PACKAGE_VERSION@" "strongSwan" +.TH SW-COLLECTOR 8 "2017-08-25" "@PACKAGE_VERSION@" "strongSwan" . .SH "NAME" . 
@@ -56,34 +56,34 @@ Prints usage information and a short summary of the available commands. .BI "\-v, \-\-debug " level Set debug level, default: 2. .TP -.B "\-q, \-\-quiet +.B "\-q, \-\-quiet" Disable debug output to stderr. .TP -.B "\-i, \-\-installed +.B "\-i, \-\-installed" Apply command to installed software packages, only. .TP -.B "\-r, \-\-removed +.B "\-r, \-\-removed" Apply command to removed software packages, only. .TP -.B "\-f, \-\-full +.B "\-f, \-\-full" Generate ISO 19770-2:2015 SWID tags with full file information (possible for installed software packages, only). .TP -.B "\-l, \-\-list +.B "\-l, \-\-list" Lists all software packages stored in the collector database showing their installation status. .TP -.B "\-u, \-\-unregistered +.B "\-u, \-\-unregistered" Lists all software packages residing in the local collector database but for which no SWID tags exist yet in a central collector database reachable via a REST interface. .TP -.B "\-g, \-\-generate +.B "\-g, \-\-generate" Generates ISO 19770-2:2015 SWID tags for all software packages residing in the local collector database but for which no SWID tags exist in a central collector database reachable via a REST interface. .TP -.B "\-m, \-\-migrate +.B "\-m, \-\-migrate" Can be used to migrate collector database versions. Currently all architecture suffixes are removed from dpkg package names. . diff --git a/src/sw-collector/sw-collector.c b/src/sw-collector/sw-collector.c index e673dd657..a42f1068a 100644 --- a/src/sw-collector/sw-collector.c +++ b/src/sw-collector/sw-collector.c @@ -249,6 +249,7 @@ static int extract_history(sw_collector_db_t *db) history = sw_collector_history_create(db, 1); if (!history) { + chunk_unmap(h); return EXIT_FAILURE; } diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am index 19815c51a..3a432c454 100644 --- a/src/swanctl/Makefile.am +++ b/src/swanctl/Makefile.am 
@@ -2,6 +2,7 @@ sbin_PROGRAMS = swanctl swanctl_SOURCES = \ command.c command.h \ + commands/counters.c \ commands/initiate.c \ commands/terminate.c \ commands/rekey.c \ diff --git a/src/swanctl/Makefile.in b/src/swanctl/Makefile.in index 6da739b88..ea7130bbb 100644 --- a/src/swanctl/Makefile.in +++ b/src/swanctl/Makefile.in @@ -112,10 +112,11 @@ am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man5dir)" \ "$(DESTDIR)$(man8dir)" PROGRAMS = $(sbin_PROGRAMS) am__dirstamp = $(am__leading_dot)dirstamp -am_swanctl_OBJECTS = command.$(OBJEXT) commands/initiate.$(OBJEXT) \ - commands/terminate.$(OBJEXT) commands/rekey.$(OBJEXT) \ - commands/redirect.$(OBJEXT) commands/install.$(OBJEXT) \ - commands/list_sas.$(OBJEXT) commands/list_pols.$(OBJEXT) \ +am_swanctl_OBJECTS = command.$(OBJEXT) commands/counters.$(OBJEXT) \ + commands/initiate.$(OBJEXT) commands/terminate.$(OBJEXT) \ + commands/rekey.$(OBJEXT) commands/redirect.$(OBJEXT) \ + commands/install.$(OBJEXT) commands/list_sas.$(OBJEXT) \ + commands/list_pols.$(OBJEXT) \ commands/list_authorities.$(OBJEXT) \ commands/list_conns.$(OBJEXT) commands/list_certs.$(OBJEXT) \ commands/list_pools.$(OBJEXT) commands/list_algs.$(OBJEXT) \ @@ -264,9 +265,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -469,6 +472,7 @@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ swanctl_SOURCES = \ command.c command.h \ + commands/counters.c \ commands/initiate.c \ commands/terminate.c \ commands/rekey.c \ 
@@ -606,6 +610,8 @@ commands/$(am__dirstamp): commands/$(DEPDIR)/$(am__dirstamp): @$(MKDIR_P) commands/$(DEPDIR) @: > commands/$(DEPDIR)/$(am__dirstamp) +commands/counters.$(OBJEXT): commands/$(am__dirstamp) \ + commands/$(DEPDIR)/$(am__dirstamp) commands/initiate.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) commands/terminate.$(OBJEXT): commands/$(am__dirstamp) \ @@ -664,6 +670,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/command.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/swanctl.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/counters.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/flush_certs.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/initiate.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/install.Po@am__quote@ diff --git a/src/swanctl/command.c b/src/swanctl/command.c index 7f65d2b0e..225dff617 100644 --- a/src/swanctl/command.c +++ b/src/swanctl/command.c @@ -147,6 +147,15 @@ void command_register(command_t command) "MAX_COMMANDS\n"); return; } + for (i = 0; i < MAX_COMMANDS && cmds[i].cmd; i++) + { + if (cmds[i].op == command.op) + { + fprintf(stderr, "unable to register command --%s, short option " + "conflicts with --%s\n", command.cmd, cmds[i].cmd); + return; + } + } cmds[registered] = command; /* append default options, but not to --help */ diff --git a/src/swanctl/command.h b/src/swanctl/command.h index c17811498..0d93ae45c 100644 --- a/src/swanctl/command.h +++ b/src/swanctl/command.h @@ -27,7 +27,7 @@ /** * Maximum number of commands (+1). */ -#define MAX_COMMANDS 25 +#define MAX_COMMANDS 26 /** * Maximum number of options in a command (+3) diff --git a/src/swanctl/commands/counters.c b/src/swanctl/commands/counters.c new file mode 100644 index 000000000..ab386b5d8 --- /dev/null +++ b/src/swanctl/commands/counters.c 
@@ -0,0 +1,154 @@
+/*
+ * Copyright (C) 2017 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include
+#include
+
+#include "command.h"
+
+CALLBACK(counters_kv, int,
+ void *null, vici_res_t *res, char *name, void *value, int len)
+{
+ if (chunk_printable(chunk_create(value, len), NULL, ' '))
+ {
+ printf(" %-22s: %.*s\n", name, len, value);
+ }
+ return 0;
+}
+
+CALLBACK(conns_sn, int,
+ void *null, vici_res_t *res, char *name)
+{
+ printf("%s:\n", strlen(name) ?
name : "global");
+ return vici_parse_cb(res, NULL, counters_kv, NULL, NULL);
+}
+
+CALLBACK(counters_sn, int,
+ void *null, vici_res_t *res, char *name)
+{
+ return vici_parse_cb(res, conns_sn, NULL, NULL, NULL);
+}
+
+static int counters(vici_conn_t *conn)
+{
+ vici_req_t *req;
+ vici_res_t *res;
+ command_format_options_t format = COMMAND_FORMAT_NONE;
+ char *arg, *name = NULL;
+ int ret;
+ bool all = FALSE, reset = FALSE;
+
+ while (TRUE)
+ {
+ switch (command_getopt(&arg))
+ {
+ case 'h':
+ return command_usage(NULL);
+ case 'P':
+ format |= COMMAND_FORMAT_PRETTY;
+ /* fall through to raw */
+ case 'r':
+ format |= COMMAND_FORMAT_RAW;
+ continue;
+ case 'n':
+ name = arg;
+ continue;
+ case 'a':
+ all = TRUE;
+ continue;
+ case 'R':
+ reset = TRUE;
+ continue;
+ case EOF:
+ break;
+ default:
+ return command_usage("invalid --counters option");
+ }
+ break;
+ }
+ if (reset)
+ {
+ req = vici_begin("reset-counters");
+ }
+ else
+ {
+ req = vici_begin("get-counters");
+ }
+ if (all)
+ {
+ vici_add_key_valuef(req, "all", "yes");
+ }
+ else if (name)
+ {
+ vici_add_key_valuef(req, "name", "%s", name);
+ }
+
+ res = vici_submit(req, conn);
+ if (!res)
+ {
+ ret = errno;
+ fprintf(stderr, "%s-counters request failed: %s\n",
+ reset ? "reset" : "get", strerror(errno));
+ return ret;
+ }
+ if (format & COMMAND_FORMAT_RAW)
+ {
+ vici_dump(res, "counters reply", format & COMMAND_FORMAT_PRETTY,
+ stdout);
+ }
+ else
+ {
+ if (streq(vici_find_str(res, "no", "success"), "yes"))
+ {
+ if (reset)
+ {
+ printf("reset-counters completed successfully\n");
+ }
+ else if (vici_parse_cb(res, counters_sn, NULL, NULL, NULL) != 0)
+ {
+ fprintf(stderr, "parsing get-counters reply failed: %s\n",
+ strerror(errno));
+ }
+ }
+ else
+ {
+ fprintf(stderr, "%s-counters failed: %s\n", reset ? "reset" : "get",
+ vici_find_str(res, "", "errmsg"));
+ ret = 1;
+ }
+ }
+ vici_free_res(res);
+ return 0;
+}
+
+/**
+ * Register the command.
+ */ +static void __attribute__ ((constructor))reg() +{ + command_register((command_t) { + counters, 'C', "counters", "list or reset IKE event counters", + {"[--name |--all] [--reset] [--raw|--pretty]"}, + { + {"help", 'h', 0, "show usage information"}, + {"name", 'n', 1, "connection name, omit for global counters"}, + {"all", 'a', 0, "get/reset counters for all tracked connections"}, + {"reset", 'R', 0, "reset the counters"}, + {"raw", 'r', 0, "dump raw response message"}, + {"pretty", 'P', 0, "dump raw response message in pretty print"}, + } + }); +} diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf index 1ff5ee8fb..9b87a963a 100644 --- a/src/swanctl/swanctl.conf +++ b/src/swanctl/swanctl.conf @@ -305,6 +305,9 @@ # Netfilter mark and mask for input traffic. # mark_in = 0/0x00000000 + # Whether to set *mark_in* on the inbound SA. + # mark_in_sa = no + # Netfilter mark and mask for output traffic. # mark_out = 0/0x00000000 diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main index d1aced493..6c73d4775 100644 --- a/src/swanctl/swanctl.conf.5.main +++ b/src/swanctl/swanctl.conf.5.main @@ -252,11 +252,9 @@ to enforce the uniqueness policy instead. On initiators this setting specifies whether an INITIAL_CONTACT notify is sent during IKE_AUTH if no existing connection is found with the remote peer -(determined by the identities of the first authentication round). Only if set to -.RI "" "keep" "" -or -.RI "" "replace" "" -will the client send a notify. +(determined by the identities of the first authentication round). Unless set to +.RI "" "never" "" +the client will send a notify. .TP .BR connections..reauth_time " [0s]" 
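Review bot: In the new `src/swanctl/commands/counters.c`, `counters()` always ends with `return 0;`, so the `ret = 1;` assigned in the `errmsg` branch is never returned and a rejected get-counters or reset-counters request still reports success to the caller. The "parsing get-counters reply failed" branch sets no status at all, and `ret` is declared without an initial value. I would declare `int ret = 0;`, add `ret = 1;` after the parse-failure message, and finish with `return ret;`, so that scripts which read or reset the counters can detect a failure from the exit status. Separately, `counters_kv` passes only `value` through `chunk_printable()` while `name` and the section name in `conns_sn` are printed as received; if those can carry operator-chosen connection names it may be worth applying the same check to them.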
@@ -485,6 +483,20 @@ configured any signature scheme constraint (without prefix) will also apply to IKEv2 authentication, unless this is disabled in .RB "" "strongswan.conf" "(5)." +To use RSASSA\-PSS signatures use +.RI "" "rsa/pss" "" +instead of +.RI "" "pubkey" "" +or +.RI "" "rsa" "" +as in e.g. +.RI "" "ike:rsa/pss\-sha256" "." +If +.RI "" "pubkey" "" +or +.RI "" "rsa" "" +constraints are configured RSASSA\-PSS signatures will only be used if enabled in +.RB "" "strongswan.conf" "(5)." .TP @@ -726,7 +738,24 @@ section's .RB "" "auth" "" keyword for details), such key types and hash algorithms are also applied as constraints -against IKEv2 signature authentication schemes used by the remote side. +against IKEv2 signature authentication schemes used by the remote side. To +require RSASSA\-PSS signatures use +.RI "" "rsa/pss" "" +instead of +.RI "" "pubkey" "" +or +.RI "" "rsa" "" +as in +e.g. +.RI "" "rsa/pss\-sha256" "." +If +.RI "" "pubkey" "" +or +.RI "" "rsa" "" +constraints are configured +RSASSA\-PSS signatures will only be accepted if enabled in +.RB "" "strongswan.conf" "(5)." + To specify trust chain constraints for EAP\-(T)TLS, append a colon to the EAP method, followed by the key type/size and hash algorithm as discussed above 
@@ -1053,9 +1082,11 @@ Optional interface name to restrict IPsec policies. .TP .BR connections..children..mark_in " [0/0x00000000]" -Netfilter mark and mask for input traffic. On Linux Netfilter may require marks -on each packet to match an SA having that option set. This allows Netfilter -rules to select specific tunnels for incoming traffic. The special value +Netfilter mark and mask for input traffic. On Linux, Netfilter may require marks +on each packet to match an SA/policy having that option set. This allows +installing duplicate policies and enables Netfilter rules to select specific +SAs/policies for incoming traffic. Note that inbound marks are only set on +policies, by default, unless *mark_in_sa* is enabled. The special value .RI "" "%unique" "" sets a unique mark on each CHILD_SA instance, beyond that the value .RI "" "%unique\-dir" "" 
@@ -1067,16 +1098,27 @@ An additional mask may be appended to the mark, separated by The default mask if omitted is 0xffffffff. +.TP +.BR connections..children..mark_in_sa " [no]" +Whether to set *mark_in* on the inbound SA. By default, the inbound mark is only +set on the inbound policy. The tuple destination address, protocol and SPI is +unique and the mark is not required to find the correct SA, allowing to mark +traffic after decryption instead (where more specific selectors may be used) to +match different policies. Marking packets before decryption is still possible, +even if no mark is set on the SA. + .TP .BR connections..children..mark_out " [0/0x00000000]" -Netfilter mark and mask for output traffic. On Linux Netfilter may require marks -on each packet to match a policy having that option set. This allows Netfilter -rules to select specific tunnels for outgoing traffic. The special value +Netfilter mark and mask for output traffic. On Linux, Netfilter may require +marks on each packet to match a policy/SA having that option set. This allows +installing duplicate policies and enables Netfilter rules to select specific +policies/SAs for outgoing traffic. The special value .RI "" "%unique" "" -sets a unique mark on each CHILD_SA instance, beyond that the value +sets a unique +mark on each CHILD_SA instance, beyond that the value .RI "" "%unique\-dir" "" -assigns a different unique mark for each CHILD_SA direction -(in/out). +assigns a +different unique mark for each CHILD_SA direction (in/out). An additional mask may be appended to the mark, separated by .RI "" "/" "." diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt index d0a0d21dd..2dd9ea374 100644 --- a/src/swanctl/swanctl.opt +++ b/src/swanctl/swanctl.opt 
@@ -216,7 +216,7 @@ connections..unique = no On initiators this setting specifies whether an INITIAL_CONTACT notify is sent during IKE_AUTH if no existing connection is found with the remote peer (determined by the identities of the first authentication round). - Only if set to _keep_ or _replace_ will the client send a notify. + Unless set to _never_ the client will send a notify. connections..reauth_time = 0s Time to schedule IKE reauthentication. @@ -395,7 +395,11 @@ connections..local.auth = pubkey algorithm that matches or exceeds the strength of the signature key. If no constraints with _ike:_ prefix are configured any signature scheme constraint (without _ike:_ prefix) will also apply to IKEv2 authentication, - unless this is disabled in **strongswan.conf**(5). + unless this is disabled in **strongswan.conf**(5). To use RSASSA-PSS + signatures use _rsa/pss_ instead of _pubkey_ or _rsa_ as in e.g. + _ike:rsa/pss-sha256_. If _pubkey_ or _rsa_ constraints are configured + RSASSA-PSS signatures will only be used if enabled in + **strongswan.conf**(5). connections..local.id = IKE identity to use for authentication round. @@ -589,7 +593,10 @@ connections..remote.auth = pubkey constraints are configured (refer to the description of the **local** section's **auth** keyword for details), such key types and hash algorithms are also applied as constraints against IKEv2 signature authentication - schemes used by the remote side. + schemes used by the remote side. To require RSASSA-PSS signatures use + _rsa/pss_ instead of _pubkey_ or _rsa_ as in e.g. _rsa/pss-sha256_. If + _pubkey_ or _rsa_ constraints are configured RSASSA-PSS signatures will only + be accepted if enabled in **strongswan.conf**(5). To specify trust chain constraints for EAP-(T)TLS, append a colon to the EAP method, followed by the key type/size and hash algorithm as discussed 
@@ -867,25 +874,37 @@ connections..children..interface = connections..children..mark_in = 0/0x00000000 Netfilter mark and mask for input traffic. - Netfilter mark and mask for input traffic. On Linux Netfilter may require - marks on each packet to match an SA having that option set. This allows - Netfilter rules to select specific tunnels for incoming traffic. The - special value _%unique_ sets a unique mark on each CHILD_SA instance, - beyond that the value _%unique-dir_ assigns a different unique mark for each + Netfilter mark and mask for input traffic. On Linux, Netfilter may require + marks on each packet to match an SA/policy having that option set. This + allows installing duplicate policies and enables Netfilter rules to select + specific SAs/policies for incoming traffic. Note that inbound marks are + only set on policies, by default, unless *mark_in_sa* is enabled. The + special value _%unique_ sets a unique mark on each CHILD_SA instance, beyond + that the value _%unique-dir_ assigns a different unique mark for each CHILD_SA direction (in/out). An additional mask may be appended to the mark, separated by _/_. The default mask if omitted is 0xffffffff. +connections..children..mark_in_sa = no + Whether to set *mark_in* on the inbound SA. + + Whether to set *mark_in* on the inbound SA. By default, the inbound mark is + only set on the inbound policy. The tuple destination address, protocol and + SPI is unique and the mark is not required to find the correct SA, allowing + to mark traffic after decryption instead (where more specific selectors may + be used) to match different policies. Marking packets before decryption is + still possible, even if no mark is set on the SA. + connections..children..mark_out = 0/0x00000000 Netfilter mark and mask for output traffic. - Netfilter mark and mask for output traffic. On Linux Netfilter may require - marks on each packet to match a policy having that option set. 
This allows - Netfilter rules to select specific tunnels for outgoing traffic. The - special value _%unique_ sets a unique mark on each CHILD_SA instance, - beyond that the value _%unique-dir_ assigns a different unique mark for each - CHILD_SA direction (in/out). + Netfilter mark and mask for output traffic. On Linux, Netfilter may require + marks on each packet to match a policy/SA having that option set. This + allows installing duplicate policies and enables Netfilter rules to select + specific policies/SAs for outgoing traffic. The special value _%unique_ sets + a unique mark on each CHILD_SA instance, beyond that the value _%unique-dir_ + assigns a different unique mark for each CHILD_SA direction (in/out). An additional mask may be appended to the mark, separated by _/_. The default mask if omitted is 0xffffffff. diff --git a/testing/Makefile.in b/testing/Makefile.in index 3f6f1e4dd..1c244c66e 100644 --- a/testing/Makefile.in +++ b/testing/Makefile.in @@ -161,9 +161,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ diff --git a/testing/config/kernel/config-4.13 b/testing/config/kernel/config-4.13 new file mode 100644 index 000000000..dcdceccd8 --- /dev/null +++ b/testing/config/kernel/config-4.13 
@@ -0,0 +1,2613 @@ +# +# Automatically generated file; DO NOT EDIT. +# Linux/x86 4.13.12 Kernel Configuration +# +CONFIG_64BIT=y +CONFIG_X86_64=y +CONFIG_X86=y +CONFIG_INSTRUCTION_DECODER=y +CONFIG_OUTPUT_FORMAT="elf64-x86-64" +CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig" +CONFIG_LOCKDEP_SUPPORT=y +CONFIG_STACKTRACE_SUPPORT=y +CONFIG_MMU=y +CONFIG_ARCH_MMAP_RND_BITS_MIN=28 +CONFIG_ARCH_MMAP_RND_BITS_MAX=32 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16 +CONFIG_NEED_DMA_MAP_STATE=y +CONFIG_NEED_SG_DMA_LENGTH=y +CONFIG_GENERIC_ISA_DMA=y +CONFIG_GENERIC_BUG=y +CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y +CONFIG_GENERIC_HWEIGHT=y +CONFIG_ARCH_MAY_HAVE_PC_FDC=y +CONFIG_RWSEM_XCHGADD_ALGORITHM=y +CONFIG_GENERIC_CALIBRATE_DELAY=y +CONFIG_ARCH_HAS_CPU_RELAX=y +CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y +CONFIG_HAVE_SETUP_PER_CPU_AREA=y +CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y +CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y +CONFIG_ARCH_HIBERNATION_POSSIBLE=y +CONFIG_ARCH_SUSPEND_POSSIBLE=y +CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y +CONFIG_ARCH_WANT_GENERAL_HUGETLB=y +CONFIG_ZONE_DMA32=y +CONFIG_AUDIT_ARCH=y +CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y +CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y +CONFIG_ARCH_SUPPORTS_UPROBES=y +CONFIG_FIX_EARLYCON_MEM=y +CONFIG_PGTABLE_LEVELS=4 +CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config" +CONFIG_IRQ_WORK=y +CONFIG_BUILDTIME_EXTABLE_SORT=y +CONFIG_THREAD_INFO_IN_TASK=y + +# +# General setup +# +CONFIG_BROKEN_ON_SMP=y +CONFIG_INIT_ENV_ARG_LIMIT=32 +CONFIG_CROSS_COMPILE="" +# CONFIG_COMPILE_TEST is not set +CONFIG_LOCALVERSION="" +CONFIG_LOCALVERSION_AUTO=y +CONFIG_HAVE_KERNEL_GZIP=y +CONFIG_HAVE_KERNEL_BZIP2=y +CONFIG_HAVE_KERNEL_LZMA=y +CONFIG_HAVE_KERNEL_XZ=y +CONFIG_HAVE_KERNEL_LZO=y +CONFIG_HAVE_KERNEL_LZ4=y +CONFIG_KERNEL_GZIP=y +# CONFIG_KERNEL_BZIP2 is not set +# CONFIG_KERNEL_LZMA is not set +# CONFIG_KERNEL_XZ is not set +# CONFIG_KERNEL_LZO is not set +# CONFIG_KERNEL_LZ4 is not set 
+CONFIG_DEFAULT_HOSTNAME="(none)" +CONFIG_SWAP=y +CONFIG_SYSVIPC=y +CONFIG_SYSVIPC_SYSCTL=y +CONFIG_POSIX_MQUEUE=y +CONFIG_POSIX_MQUEUE_SYSCTL=y +CONFIG_CROSS_MEMORY_ATTACH=y +CONFIG_FHANDLE=y +CONFIG_USELIB=y +# CONFIG_AUDIT is not set +CONFIG_HAVE_ARCH_AUDITSYSCALL=y + +# +# IRQ subsystem +# +CONFIG_GENERIC_IRQ_PROBE=y +CONFIG_GENERIC_IRQ_SHOW=y +CONFIG_IRQ_DOMAIN=y +CONFIG_IRQ_DOMAIN_HIERARCHY=y +CONFIG_GENERIC_MSI_IRQ=y +CONFIG_GENERIC_MSI_IRQ_DOMAIN=y +CONFIG_IRQ_FORCED_THREADING=y +CONFIG_SPARSE_IRQ=y +CONFIG_CLOCKSOURCE_WATCHDOG=y +CONFIG_ARCH_CLOCKSOURCE_DATA=y +CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y +CONFIG_GENERIC_TIME_VSYSCALL=y +CONFIG_GENERIC_CLOCKEVENTS=y +CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y +CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y +CONFIG_GENERIC_CMOS_UPDATE=y + +# +# Timers subsystem +# +CONFIG_TICK_ONESHOT=y +CONFIG_NO_HZ_COMMON=y +# CONFIG_HZ_PERIODIC is not set +CONFIG_NO_HZ_IDLE=y +CONFIG_NO_HZ=y +CONFIG_HIGH_RES_TIMERS=y + +# +# CPU/Task time and stats accounting +# +CONFIG_TICK_CPU_ACCOUNTING=y +# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set +# CONFIG_IRQ_TIME_ACCOUNTING is not set +CONFIG_BSD_PROCESS_ACCT=y +# CONFIG_BSD_PROCESS_ACCT_V3 is not set +# CONFIG_TASKSTATS is not set + +# +# RCU Subsystem +# +CONFIG_TINY_RCU=y +# CONFIG_RCU_EXPERT is not set +CONFIG_SRCU=y +CONFIG_TINY_SRCU=y +# CONFIG_TASKS_RCU is not set +# CONFIG_RCU_STALL_COMMON is not set +# CONFIG_RCU_NEED_SEGCBLIST is not set +CONFIG_BUILD_BIN2C=y +CONFIG_IKCONFIG=y +CONFIG_IKCONFIG_PROC=y +CONFIG_LOG_BUF_SHIFT=14 +CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT=13 +CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y +CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y +CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y +CONFIG_ARCH_SUPPORTS_INT128=y +CONFIG_CGROUPS=y +CONFIG_PAGE_COUNTER=y +CONFIG_MEMCG=y +CONFIG_MEMCG_SWAP=y +CONFIG_MEMCG_SWAP_ENABLED=y +CONFIG_BLK_CGROUP=y +# CONFIG_DEBUG_BLK_CGROUP is not set +CONFIG_CGROUP_WRITEBACK=y +CONFIG_CGROUP_SCHED=y +CONFIG_FAIR_GROUP_SCHED=y +CONFIG_CFS_BANDWIDTH=y +# 
CONFIG_RT_GROUP_SCHED is not set +CONFIG_CGROUP_PIDS=y +# CONFIG_CGROUP_RDMA is not set +CONFIG_CGROUP_FREEZER=y +CONFIG_CGROUP_DEVICE=y +CONFIG_CGROUP_CPUACCT=y +CONFIG_CGROUP_PERF=y +# CONFIG_CGROUP_DEBUG is not set +CONFIG_SOCK_CGROUP_DATA=y +# CONFIG_CHECKPOINT_RESTORE is not set +CONFIG_NAMESPACES=y +# CONFIG_UTS_NS is not set +# CONFIG_IPC_NS is not set +# CONFIG_USER_NS is not set +# CONFIG_PID_NS is not set +# CONFIG_NET_NS is not set +# CONFIG_SCHED_AUTOGROUP is not set +# CONFIG_SYSFS_DEPRECATED is not set +# CONFIG_RELAY is not set +# CONFIG_BLK_DEV_INITRD is not set +# CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set +CONFIG_CC_OPTIMIZE_FOR_SIZE=y +CONFIG_SYSCTL=y +CONFIG_ANON_INODES=y +CONFIG_SYSCTL_EXCEPTION_TRACE=y +CONFIG_HAVE_PCSPKR_PLATFORM=y +CONFIG_BPF=y +# CONFIG_EXPERT is not set +CONFIG_MULTIUSER=y +CONFIG_SGETMASK_SYSCALL=y +CONFIG_SYSFS_SYSCALL=y +# CONFIG_SYSCTL_SYSCALL is not set +CONFIG_POSIX_TIMERS=y +CONFIG_KALLSYMS=y +# CONFIG_KALLSYMS_ALL is not set +# CONFIG_KALLSYMS_ABSOLUTE_PERCPU is not set +CONFIG_KALLSYMS_BASE_RELATIVE=y +CONFIG_PRINTK=y +CONFIG_PRINTK_NMI=y +CONFIG_BUG=y +CONFIG_ELF_CORE=y +CONFIG_PCSPKR_PLATFORM=y +CONFIG_BASE_FULL=y +CONFIG_FUTEX=y +CONFIG_EPOLL=y +CONFIG_SIGNALFD=y +CONFIG_TIMERFD=y +CONFIG_EVENTFD=y +# CONFIG_BPF_SYSCALL is not set +CONFIG_SHMEM=y +CONFIG_AIO=y +CONFIG_ADVISE_SYSCALLS=y +# CONFIG_USERFAULTFD is not set +CONFIG_PCI_QUIRKS=y +CONFIG_MEMBARRIER=y +# CONFIG_EMBEDDED is not set +CONFIG_HAVE_PERF_EVENTS=y +# CONFIG_PC104 is not set + +# +# Kernel Performance Events And Counters +# +CONFIG_PERF_EVENTS=y +# CONFIG_DEBUG_PERF_USE_VMALLOC is not set +CONFIG_VM_EVENT_COUNTERS=y +CONFIG_COMPAT_BRK=y +CONFIG_SLAB=y +# CONFIG_SLUB is not set +CONFIG_SLAB_MERGE_DEFAULT=y +# CONFIG_SLAB_FREELIST_RANDOM is not set +# CONFIG_SYSTEM_DATA_VERIFICATION is not set +# CONFIG_PROFILING is not set +CONFIG_HAVE_OPROFILE=y +CONFIG_OPROFILE_NMI_TIMER=y +# CONFIG_JUMP_LABEL is not set +# CONFIG_UPROBES is not set +# 
CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set +CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y +CONFIG_ARCH_USE_BUILTIN_BSWAP=y +CONFIG_HAVE_IOREMAP_PROT=y +CONFIG_HAVE_KPROBES=y +CONFIG_HAVE_KRETPROBES=y +CONFIG_HAVE_OPTPROBES=y +CONFIG_HAVE_KPROBES_ON_FTRACE=y +CONFIG_HAVE_NMI=y +CONFIG_HAVE_ARCH_TRACEHOOK=y +CONFIG_HAVE_DMA_CONTIGUOUS=y +CONFIG_GENERIC_SMP_IDLE_THREAD=y +CONFIG_ARCH_HAS_FORTIFY_SOURCE=y +CONFIG_ARCH_HAS_SET_MEMORY=y +CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y +CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y +CONFIG_HAVE_CLK=y +CONFIG_HAVE_DMA_API_DEBUG=y +CONFIG_HAVE_HW_BREAKPOINT=y +CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y +CONFIG_HAVE_USER_RETURN_NOTIFIER=y +CONFIG_HAVE_PERF_EVENTS_NMI=y +CONFIG_HAVE_HARDLOCKUP_DETECTOR_PERF=y +CONFIG_HAVE_PERF_REGS=y +CONFIG_HAVE_PERF_USER_STACK_DUMP=y +CONFIG_HAVE_ARCH_JUMP_LABEL=y +CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y +CONFIG_HAVE_CMPXCHG_LOCAL=y +CONFIG_HAVE_CMPXCHG_DOUBLE=y +CONFIG_HAVE_ARCH_SECCOMP_FILTER=y +CONFIG_SECCOMP_FILTER=y +CONFIG_HAVE_GCC_PLUGINS=y +# CONFIG_GCC_PLUGINS is not set +CONFIG_HAVE_CC_STACKPROTECTOR=y +CONFIG_CC_STACKPROTECTOR=y +# CONFIG_CC_STACKPROTECTOR_NONE is not set +CONFIG_CC_STACKPROTECTOR_REGULAR=y +# CONFIG_CC_STACKPROTECTOR_STRONG is not set +CONFIG_THIN_ARCHIVES=y +CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y +CONFIG_HAVE_CONTEXT_TRACKING=y +CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y +CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y +CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y +CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD=y +CONFIG_HAVE_ARCH_HUGE_VMAP=y +CONFIG_HAVE_ARCH_SOFT_DIRTY=y +CONFIG_MODULES_USE_ELF_RELA=y +CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y +CONFIG_ARCH_HAS_ELF_RANDOMIZE=y +CONFIG_HAVE_ARCH_MMAP_RND_BITS=y +CONFIG_HAVE_EXIT_THREAD=y +CONFIG_ARCH_MMAP_RND_BITS=28 +CONFIG_HAVE_COPY_THREAD_TLS=y +CONFIG_HAVE_STACK_VALIDATION=y +# CONFIG_HAVE_ARCH_HASH is not set +# CONFIG_ISA_BUS_API is not set +# CONFIG_CPU_NO_EFFICIENT_FFS is not set +CONFIG_HAVE_ARCH_VMAP_STACK=y +CONFIG_VMAP_STACK=y +# CONFIG_ARCH_OPTIONAL_KERNEL_RWX 
is not set +# CONFIG_ARCH_OPTIONAL_KERNEL_RWX_DEFAULT is not set +CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y +CONFIG_STRICT_KERNEL_RWX=y +CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y +# CONFIG_REFCOUNT_FULL is not set + +# +# GCOV-based kernel profiling +# +CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y +# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set +CONFIG_SLABINFO=y +CONFIG_RT_MUTEXES=y +CONFIG_BASE_SMALL=0 +# CONFIG_MODULES is not set +CONFIG_MODULES_TREE_LOOKUP=y +CONFIG_BLOCK=y +# CONFIG_BLK_DEV_BSG is not set +# CONFIG_BLK_DEV_BSGLIB is not set +# CONFIG_BLK_DEV_INTEGRITY is not set +# CONFIG_BLK_DEV_ZONED is not set +# CONFIG_BLK_DEV_THROTTLING is not set +# CONFIG_BLK_CMDLINE_PARSER is not set +# CONFIG_BLK_WBT is not set +# CONFIG_BLK_SED_OPAL is not set + +# +# Partition Types +# +# CONFIG_PARTITION_ADVANCED is not set +CONFIG_MSDOS_PARTITION=y +CONFIG_EFI_PARTITION=y +CONFIG_BLK_MQ_PCI=y +CONFIG_BLK_MQ_VIRTIO=y + +# +# IO Schedulers +# +CONFIG_IOSCHED_NOOP=y +CONFIG_IOSCHED_DEADLINE=y +CONFIG_IOSCHED_CFQ=y +# CONFIG_CFQ_GROUP_IOSCHED is not set +# CONFIG_DEFAULT_DEADLINE is not set +CONFIG_DEFAULT_CFQ=y +# CONFIG_DEFAULT_NOOP is not set +CONFIG_DEFAULT_IOSCHED="cfq" +CONFIG_MQ_IOSCHED_DEADLINE=y +CONFIG_MQ_IOSCHED_KYBER=y +# CONFIG_IOSCHED_BFQ is not set +CONFIG_INLINE_SPIN_UNLOCK_IRQ=y +CONFIG_INLINE_READ_UNLOCK=y +CONFIG_INLINE_READ_UNLOCK_IRQ=y +CONFIG_INLINE_WRITE_UNLOCK=y +CONFIG_INLINE_WRITE_UNLOCK_IRQ=y +CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y +CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y +CONFIG_ARCH_USE_QUEUED_RWLOCKS=y +CONFIG_FREEZER=y + +# +# Processor type and features +# +CONFIG_ZONE_DMA=y +# CONFIG_SMP is not set +CONFIG_X86_FEATURE_NAMES=y +CONFIG_X86_FAST_FEATURE_TESTS=y +CONFIG_X86_MPPARSE=y +# CONFIG_GOLDFISH is not set +# CONFIG_INTEL_RDT_A is not set +CONFIG_X86_EXTENDED_PLATFORM=y +# CONFIG_X86_GOLDFISH is not set +# CONFIG_X86_INTEL_MID is not set +# CONFIG_X86_INTEL_LPSS is not set +# CONFIG_X86_AMD_PLATFORM_DEVICE is not set +CONFIG_IOSF_MBI=y 
+CONFIG_SCHED_OMIT_FRAME_POINTER=y +# CONFIG_HYPERVISOR_GUEST is not set +CONFIG_NO_BOOTMEM=y +# CONFIG_MK8 is not set +# CONFIG_MPSC is not set +CONFIG_MCORE2=y +# CONFIG_MATOM is not set +# CONFIG_GENERIC_CPU is not set +CONFIG_X86_INTERNODE_CACHE_SHIFT=6 +CONFIG_X86_L1_CACHE_SHIFT=6 +CONFIG_X86_INTEL_USERCOPY=y +CONFIG_X86_USE_PPRO_CHECKSUM=y +CONFIG_X86_P6_NOP=y +CONFIG_X86_TSC=y +CONFIG_X86_CMPXCHG64=y +CONFIG_X86_CMOV=y +CONFIG_X86_MINIMUM_CPU_FAMILY=64 +CONFIG_X86_DEBUGCTLMSR=y +CONFIG_CPU_SUP_INTEL=y +CONFIG_CPU_SUP_AMD=y +CONFIG_CPU_SUP_CENTAUR=y +CONFIG_HPET_TIMER=y +CONFIG_DMI=y +CONFIG_GART_IOMMU=y +# CONFIG_CALGARY_IOMMU is not set +CONFIG_SWIOTLB=y +CONFIG_IOMMU_HELPER=y +CONFIG_NR_CPUS=1 +CONFIG_PREEMPT_NONE=y +# CONFIG_PREEMPT_VOLUNTARY is not set +# CONFIG_PREEMPT is not set +CONFIG_UP_LATE_INIT=y +CONFIG_X86_LOCAL_APIC=y +CONFIG_X86_IO_APIC=y +# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set +# CONFIG_X86_MCE is not set + +# +# Performance monitoring +# +CONFIG_PERF_EVENTS_INTEL_UNCORE=y +CONFIG_PERF_EVENTS_INTEL_RAPL=y +CONFIG_PERF_EVENTS_INTEL_CSTATE=y +# CONFIG_PERF_EVENTS_AMD_POWER is not set +# CONFIG_VM86 is not set +CONFIG_X86_16BIT=y +CONFIG_X86_ESPFIX64=y +CONFIG_X86_VSYSCALL_EMULATION=y +# CONFIG_I8K is not set +CONFIG_MICROCODE=y +CONFIG_MICROCODE_INTEL=y +# CONFIG_MICROCODE_AMD is not set +CONFIG_MICROCODE_OLD_INTERFACE=y +# CONFIG_X86_MSR is not set +# CONFIG_X86_CPUID is not set +CONFIG_ARCH_PHYS_ADDR_T_64BIT=y +CONFIG_ARCH_DMA_ADDR_T_64BIT=y +CONFIG_X86_DIRECT_GBPAGES=y +CONFIG_ARCH_SPARSEMEM_ENABLE=y +CONFIG_ARCH_SPARSEMEM_DEFAULT=y +CONFIG_ARCH_SELECT_MEMORY_MODEL=y +CONFIG_ARCH_MEMORY_PROBE=y +CONFIG_ARCH_PROC_KCORE_TEXT=y +CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 +CONFIG_SELECT_MEMORY_MODEL=y +CONFIG_SPARSEMEM_MANUAL=y +CONFIG_SPARSEMEM=y +CONFIG_HAVE_MEMORY_PRESENT=y +CONFIG_SPARSEMEM_EXTREME=y +CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y +CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y +CONFIG_SPARSEMEM_VMEMMAP=y 
+CONFIG_HAVE_MEMBLOCK=y +CONFIG_HAVE_MEMBLOCK_NODE_MAP=y +CONFIG_HAVE_GENERIC_GUP=y +CONFIG_ARCH_DISCARD_MEMBLOCK=y +CONFIG_MEMORY_ISOLATION=y +CONFIG_HAVE_BOOTMEM_INFO_NODE=y +CONFIG_MEMORY_HOTPLUG=y +CONFIG_MEMORY_HOTPLUG_SPARSE=y +# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set +CONFIG_MEMORY_HOTREMOVE=y +CONFIG_SPLIT_PTLOCK_CPUS=4 +CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y +CONFIG_MEMORY_BALLOON=y +# CONFIG_COMPACTION is not set +CONFIG_MIGRATION=y +CONFIG_PHYS_ADDR_T_64BIT=y +CONFIG_BOUNCE=y +CONFIG_VIRT_TO_BUS=y +# CONFIG_KSM is not set +CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 +# CONFIG_TRANSPARENT_HUGEPAGE is not set +CONFIG_ARCH_WANTS_THP_SWAP=y +CONFIG_NEED_PER_CPU_KM=y +# CONFIG_CLEANCACHE is not set +# CONFIG_FRONTSWAP is not set +# CONFIG_CMA is not set +# CONFIG_ZPOOL is not set +# CONFIG_ZBUD is not set +# CONFIG_ZSMALLOC is not set +CONFIG_GENERIC_EARLY_IOREMAP=y +CONFIG_ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT=y +# CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set +# CONFIG_IDLE_PAGE_TRACKING is not set +CONFIG_ARCH_HAS_ZONE_DEVICE=y +# CONFIG_ZONE_DEVICE is not set +CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y +CONFIG_ARCH_HAS_PKEYS=y +# CONFIG_PERCPU_STATS is not set +# CONFIG_X86_PMEM_LEGACY is not set +# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set +CONFIG_X86_RESERVE_LOW=64 +CONFIG_MTRR=y +CONFIG_MTRR_SANITIZER=y +CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0 +CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1 +CONFIG_X86_PAT=y +CONFIG_ARCH_USES_PG_UNCACHED=y +CONFIG_ARCH_RANDOM=y +CONFIG_X86_SMAP=y +# CONFIG_X86_INTEL_MPX is not set +CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y +# CONFIG_EFI is not set +CONFIG_SECCOMP=y +# CONFIG_HZ_100 is not set +CONFIG_HZ_250=y +# CONFIG_HZ_300 is not set +# CONFIG_HZ_1000 is not set +CONFIG_HZ=250 +CONFIG_SCHED_HRTICK=y +# CONFIG_KEXEC is not set +# CONFIG_KEXEC_FILE is not set +# CONFIG_CRASH_DUMP is not set +CONFIG_PHYSICAL_START=0x1000000 +CONFIG_RELOCATABLE=y +# CONFIG_RANDOMIZE_BASE is not set +CONFIG_PHYSICAL_ALIGN=0x1000000 +# 
CONFIG_LEGACY_VSYSCALL_NATIVE is not set +CONFIG_LEGACY_VSYSCALL_EMULATE=y +# CONFIG_LEGACY_VSYSCALL_NONE is not set +# CONFIG_CMDLINE_BOOL is not set +CONFIG_MODIFY_LDT_SYSCALL=y +CONFIG_HAVE_LIVEPATCH=y +CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y +CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y + +# +# Power management and ACPI options +# +CONFIG_SUSPEND=y +CONFIG_SUSPEND_FREEZER=y +# CONFIG_HIBERNATION is not set +CONFIG_PM_SLEEP=y +# CONFIG_PM_AUTOSLEEP is not set +# CONFIG_PM_WAKELOCKS is not set +CONFIG_PM=y +# CONFIG_PM_DEBUG is not set +CONFIG_PM_CLK=y +# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set +CONFIG_ACPI=y +CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y +CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y +CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y +# CONFIG_ACPI_DEBUGGER is not set +CONFIG_ACPI_SLEEP=y +# CONFIG_ACPI_PROCFS_POWER is not set +CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y +# CONFIG_ACPI_EC_DEBUGFS is not set +CONFIG_ACPI_AC=y +CONFIG_ACPI_BATTERY=y +CONFIG_ACPI_BUTTON=y +CONFIG_ACPI_FAN=y +# CONFIG_ACPI_DOCK is not set +CONFIG_ACPI_CPU_FREQ_PSS=y +CONFIG_ACPI_PROCESSOR_CSTATE=y +CONFIG_ACPI_PROCESSOR_IDLE=y +CONFIG_ACPI_PROCESSOR=y +# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set +CONFIG_ACPI_THERMAL=y +# CONFIG_ACPI_CUSTOM_DSDT is not set +CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y +# CONFIG_ACPI_DEBUG is not set +# CONFIG_ACPI_PCI_SLOT is not set +CONFIG_X86_PM_TIMER=y +# CONFIG_ACPI_CONTAINER is not set +# CONFIG_ACPI_HOTPLUG_MEMORY is not set +CONFIG_ACPI_HOTPLUG_IOAPIC=y +# CONFIG_ACPI_SBS is not set +# CONFIG_ACPI_HED is not set +# CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set +# CONFIG_ACPI_NFIT is not set +CONFIG_HAVE_ACPI_APEI=y +CONFIG_HAVE_ACPI_APEI_NMI=y +# CONFIG_ACPI_APEI is not set +# CONFIG_DPTF_POWER is not set +# CONFIG_PMIC_OPREGION is not set +# CONFIG_ACPI_CONFIGFS is not set +# CONFIG_SFI is not set + +# +# CPU Frequency scaling +# +# CONFIG_CPU_FREQ is not set + +# +# CPU Idle +# +CONFIG_CPU_IDLE=y +CONFIG_CPU_IDLE_GOV_LADDER=y +CONFIG_CPU_IDLE_GOV_MENU=y +# 
CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set +# CONFIG_INTEL_IDLE is not set + +# +# Bus options (PCI etc.) +# +CONFIG_PCI=y +CONFIG_PCI_DIRECT=y +# CONFIG_PCI_MMCONFIG is not set +CONFIG_PCI_DOMAINS=y +# CONFIG_PCIEPORTBUS is not set +CONFIG_PCI_BUS_ADDR_T_64BIT=y +CONFIG_PCI_MSI=y +CONFIG_PCI_MSI_IRQ_DOMAIN=y +# CONFIG_PCI_DEBUG is not set +# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set +# CONFIG_PCI_STUB is not set +CONFIG_HT_IRQ=y +CONFIG_PCI_LOCKLESS_CONFIG=y +# CONFIG_PCI_IOV is not set +# CONFIG_PCI_PRI is not set +# CONFIG_PCI_PASID is not set +CONFIG_PCI_LABEL=y +# CONFIG_HOTPLUG_PCI is not set + +# +# DesignWare PCI Core Support +# +# CONFIG_PCIE_DW_PLAT is not set + +# +# PCI host controller drivers +# +# CONFIG_VMD is not set + +# +# PCI Endpoint +# +# CONFIG_PCI_ENDPOINT is not set + +# +# PCI switch controller drivers +# +# CONFIG_PCI_SW_SWITCHTEC is not set +CONFIG_ISA_DMA_API=y +CONFIG_AMD_NB=y +# CONFIG_PCCARD is not set +# CONFIG_RAPIDIO is not set +# CONFIG_X86_SYSFB is not set + +# +# Executable file formats / Emulations +# +CONFIG_BINFMT_ELF=y +CONFIG_ELFCORE=y +# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set +CONFIG_BINFMT_SCRIPT=y +# CONFIG_HAVE_AOUT is not set +# CONFIG_BINFMT_MISC is not set +CONFIG_COREDUMP=y +# CONFIG_IA32_EMULATION is not set +# CONFIG_X86_X32 is not set +CONFIG_X86_DEV_DMA_OPS=y +CONFIG_NET=y +CONFIG_NET_INGRESS=y + +# +# Networking options +# +CONFIG_PACKET=y +# CONFIG_PACKET_DIAG is not set +CONFIG_UNIX=y +# CONFIG_UNIX_DIAG is not set +CONFIG_TLS=y +CONFIG_XFRM=y +CONFIG_XFRM_ALGO=y +CONFIG_XFRM_USER=y +CONFIG_XFRM_SUB_POLICY=y +CONFIG_XFRM_MIGRATE=y +CONFIG_XFRM_STATISTICS=y +CONFIG_XFRM_IPCOMP=y +CONFIG_NET_KEY=y +CONFIG_NET_KEY_MIGRATE=y +CONFIG_INET=y +# CONFIG_IP_MULTICAST is not set +CONFIG_IP_ADVANCED_ROUTER=y +# CONFIG_IP_FIB_TRIE_STATS is not set +CONFIG_IP_MULTIPLE_TABLES=y +# CONFIG_IP_ROUTE_MULTIPATH is not set +# CONFIG_IP_ROUTE_VERBOSE is not set +CONFIG_IP_ROUTE_CLASSID=y +# CONFIG_IP_PNP is not set +# 
CONFIG_NET_IPIP is not set +# CONFIG_NET_IPGRE_DEMUX is not set +CONFIG_NET_IP_TUNNEL=y +# CONFIG_SYN_COOKIES is not set +# CONFIG_NET_IPVTI is not set +CONFIG_NET_UDP_TUNNEL=y +# CONFIG_NET_FOU is not set +CONFIG_INET_AH=y +CONFIG_INET_ESP=y +# CONFIG_INET_ESP_OFFLOAD is not set +CONFIG_INET_IPCOMP=y +CONFIG_INET_XFRM_TUNNEL=y +CONFIG_INET_TUNNEL=y +CONFIG_INET_XFRM_MODE_TRANSPORT=y +CONFIG_INET_XFRM_MODE_TUNNEL=y +CONFIG_INET_XFRM_MODE_BEET=y +CONFIG_INET_DIAG=y +CONFIG_INET_TCP_DIAG=y +# CONFIG_INET_UDP_DIAG is not set +# CONFIG_INET_RAW_DIAG is not set +# CONFIG_INET_DIAG_DESTROY is not set +# CONFIG_TCP_CONG_ADVANCED is not set +CONFIG_TCP_CONG_CUBIC=y +CONFIG_DEFAULT_TCP_CONG="cubic" +# CONFIG_TCP_MD5SIG is not set +CONFIG_IPV6=y +# CONFIG_IPV6_ROUTER_PREF is not set +CONFIG_IPV6_OPTIMISTIC_DAD=y +CONFIG_INET6_AH=y +CONFIG_INET6_ESP=y +# CONFIG_INET6_ESP_OFFLOAD is not set +CONFIG_INET6_IPCOMP=y +CONFIG_IPV6_MIP6=y +# CONFIG_IPV6_ILA is not set +CONFIG_INET6_XFRM_TUNNEL=y +CONFIG_INET6_TUNNEL=y +CONFIG_INET6_XFRM_MODE_TRANSPORT=y +CONFIG_INET6_XFRM_MODE_TUNNEL=y +CONFIG_INET6_XFRM_MODE_BEET=y +# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set +# CONFIG_IPV6_VTI is not set +# CONFIG_IPV6_SIT is not set +CONFIG_IPV6_TUNNEL=y +# CONFIG_IPV6_FOU is not set +# CONFIG_IPV6_FOU_TUNNEL is not set +CONFIG_IPV6_MULTIPLE_TABLES=y +CONFIG_IPV6_SUBTREES=y +# CONFIG_IPV6_MROUTE is not set +# CONFIG_IPV6_SEG6_LWTUNNEL is not set +# CONFIG_IPV6_SEG6_HMAC is not set +# CONFIG_NETWORK_SECMARK is not set +# CONFIG_NET_PTP_CLASSIFY is not set +# CONFIG_NETWORK_PHY_TIMESTAMPING is not set +CONFIG_NETFILTER=y +# CONFIG_NETFILTER_DEBUG is not set +CONFIG_NETFILTER_ADVANCED=y + +# +# Core Netfilter Configuration +# +CONFIG_NETFILTER_INGRESS=y +CONFIG_NETFILTER_NETLINK=y +# CONFIG_NETFILTER_NETLINK_ACCT is not set +CONFIG_NETFILTER_NETLINK_QUEUE=y +CONFIG_NETFILTER_NETLINK_LOG=y +CONFIG_NF_CONNTRACK=y +CONFIG_NF_LOG_COMMON=y +# CONFIG_NF_LOG_NETDEV is not set 
+CONFIG_NF_CONNTRACK_MARK=y +# CONFIG_NF_CONNTRACK_ZONES is not set +CONFIG_NF_CONNTRACK_PROCFS=y +CONFIG_NF_CONNTRACK_EVENTS=y +# CONFIG_NF_CONNTRACK_TIMEOUT is not set +# CONFIG_NF_CONNTRACK_TIMESTAMP is not set +# CONFIG_NF_CT_PROTO_DCCP is not set +# CONFIG_NF_CT_PROTO_SCTP is not set +CONFIG_NF_CT_PROTO_UDPLITE=y +# CONFIG_NF_CONNTRACK_AMANDA is not set +# CONFIG_NF_CONNTRACK_FTP is not set +# CONFIG_NF_CONNTRACK_H323 is not set +# CONFIG_NF_CONNTRACK_IRC is not set +# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set +# CONFIG_NF_CONNTRACK_SNMP is not set +# CONFIG_NF_CONNTRACK_PPTP is not set +CONFIG_NF_CONNTRACK_SANE=y +# CONFIG_NF_CONNTRACK_SIP is not set +# CONFIG_NF_CONNTRACK_TFTP is not set +CONFIG_NF_CT_NETLINK=y +# CONFIG_NF_CT_NETLINK_TIMEOUT is not set +# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set +CONFIG_NF_NAT=y +CONFIG_NF_NAT_NEEDED=y +CONFIG_NF_NAT_PROTO_UDPLITE=y +# CONFIG_NF_NAT_AMANDA is not set +# CONFIG_NF_NAT_FTP is not set +# CONFIG_NF_NAT_IRC is not set +# CONFIG_NF_NAT_SIP is not set +# CONFIG_NF_NAT_TFTP is not set +CONFIG_NF_NAT_REDIRECT=y +# CONFIG_NF_TABLES is not set +CONFIG_NETFILTER_XTABLES=y + +# +# Xtables combined modules +# +CONFIG_NETFILTER_XT_MARK=y +CONFIG_NETFILTER_XT_CONNMARK=y +CONFIG_NETFILTER_XT_SET=y + +# +# Xtables targets +# +# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set +CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y +CONFIG_NETFILTER_XT_TARGET_CONNMARK=y +CONFIG_NETFILTER_XT_TARGET_CT=y +CONFIG_NETFILTER_XT_TARGET_DSCP=y +CONFIG_NETFILTER_XT_TARGET_HL=y +# CONFIG_NETFILTER_XT_TARGET_HMARK is not set +# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set +CONFIG_NETFILTER_XT_TARGET_LOG=y +CONFIG_NETFILTER_XT_TARGET_MARK=y +CONFIG_NETFILTER_XT_NAT=y +CONFIG_NETFILTER_XT_TARGET_NETMAP=y +CONFIG_NETFILTER_XT_TARGET_NFLOG=y +CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y +CONFIG_NETFILTER_XT_TARGET_NOTRACK=y +# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set +CONFIG_NETFILTER_XT_TARGET_REDIRECT=y +# CONFIG_NETFILTER_XT_TARGET_TEE is not set +# 
CONFIG_NETFILTER_XT_TARGET_TPROXY is not set +CONFIG_NETFILTER_XT_TARGET_TRACE=y +CONFIG_NETFILTER_XT_TARGET_TCPMSS=y +# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set + +# +# Xtables matches +# +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y +# CONFIG_NETFILTER_XT_MATCH_BPF is not set +# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set +CONFIG_NETFILTER_XT_MATCH_CLUSTER=y +CONFIG_NETFILTER_XT_MATCH_COMMENT=y +CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y +# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set +CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y +CONFIG_NETFILTER_XT_MATCH_CONNMARK=y +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y +# CONFIG_NETFILTER_XT_MATCH_CPU is not set +CONFIG_NETFILTER_XT_MATCH_DCCP=y +CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y +CONFIG_NETFILTER_XT_MATCH_DSCP=y +CONFIG_NETFILTER_XT_MATCH_ECN=y +CONFIG_NETFILTER_XT_MATCH_ESP=y +CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y +CONFIG_NETFILTER_XT_MATCH_HELPER=y +CONFIG_NETFILTER_XT_MATCH_HL=y +# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set +# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set +CONFIG_NETFILTER_XT_MATCH_L2TP=y +CONFIG_NETFILTER_XT_MATCH_LENGTH=y +CONFIG_NETFILTER_XT_MATCH_LIMIT=y +CONFIG_NETFILTER_XT_MATCH_MAC=y +CONFIG_NETFILTER_XT_MATCH_MARK=y +CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y +# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set +# CONFIG_NETFILTER_XT_MATCH_OSF is not set +# CONFIG_NETFILTER_XT_MATCH_OWNER is not set +CONFIG_NETFILTER_XT_MATCH_POLICY=y +CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y +CONFIG_NETFILTER_XT_MATCH_QUOTA=y +# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set +CONFIG_NETFILTER_XT_MATCH_REALM=y +# CONFIG_NETFILTER_XT_MATCH_RECENT is not set +CONFIG_NETFILTER_XT_MATCH_SCTP=y +CONFIG_NETFILTER_XT_MATCH_STATE=y +CONFIG_NETFILTER_XT_MATCH_STATISTIC=y +CONFIG_NETFILTER_XT_MATCH_STRING=y +CONFIG_NETFILTER_XT_MATCH_TCPMSS=y +# CONFIG_NETFILTER_XT_MATCH_TIME is not set +CONFIG_NETFILTER_XT_MATCH_U32=y +CONFIG_IP_SET=y +CONFIG_IP_SET_MAX=256 +CONFIG_IP_SET_BITMAP_IP=y +CONFIG_IP_SET_BITMAP_IPMAC=y +CONFIG_IP_SET_BITMAP_PORT=y 
+CONFIG_IP_SET_HASH_IP=y +# CONFIG_IP_SET_HASH_IPMARK is not set +CONFIG_IP_SET_HASH_IPPORT=y +CONFIG_IP_SET_HASH_IPPORTIP=y +CONFIG_IP_SET_HASH_IPPORTNET=y +# CONFIG_IP_SET_HASH_IPMAC is not set +# CONFIG_IP_SET_HASH_MAC is not set +# CONFIG_IP_SET_HASH_NETPORTNET is not set +CONFIG_IP_SET_HASH_NET=y +# CONFIG_IP_SET_HASH_NETNET is not set +CONFIG_IP_SET_HASH_NETPORT=y +# CONFIG_IP_SET_HASH_NETIFACE is not set +CONFIG_IP_SET_LIST_SET=y +# CONFIG_IP_VS is not set + +# +# IP: Netfilter Configuration +# +CONFIG_NF_DEFRAG_IPV4=y +CONFIG_NF_CONNTRACK_IPV4=y +# CONFIG_NF_SOCKET_IPV4 is not set +# CONFIG_NF_DUP_IPV4 is not set +# CONFIG_NF_LOG_ARP is not set +CONFIG_NF_LOG_IPV4=y +CONFIG_NF_REJECT_IPV4=y +CONFIG_NF_NAT_IPV4=y +CONFIG_NF_NAT_MASQUERADE_IPV4=y +# CONFIG_NF_NAT_PPTP is not set +# CONFIG_NF_NAT_H323 is not set +CONFIG_IP_NF_IPTABLES=y +CONFIG_IP_NF_MATCH_AH=y +CONFIG_IP_NF_MATCH_ECN=y +# CONFIG_IP_NF_MATCH_RPFILTER is not set +CONFIG_IP_NF_MATCH_TTL=y +CONFIG_IP_NF_FILTER=y +CONFIG_IP_NF_TARGET_REJECT=y +# CONFIG_IP_NF_TARGET_SYNPROXY is not set +CONFIG_IP_NF_NAT=y +CONFIG_IP_NF_TARGET_MASQUERADE=y +CONFIG_IP_NF_TARGET_NETMAP=y +CONFIG_IP_NF_TARGET_REDIRECT=y +CONFIG_IP_NF_MANGLE=y +CONFIG_IP_NF_TARGET_CLUSTERIP=y +CONFIG_IP_NF_TARGET_ECN=y +CONFIG_IP_NF_TARGET_TTL=y +CONFIG_IP_NF_RAW=y +CONFIG_IP_NF_ARPTABLES=y +CONFIG_IP_NF_ARPFILTER=y +CONFIG_IP_NF_ARP_MANGLE=y + +# +# IPv6: Netfilter Configuration +# +CONFIG_NF_DEFRAG_IPV6=y +CONFIG_NF_CONNTRACK_IPV6=y +# CONFIG_NF_SOCKET_IPV6 is not set +# CONFIG_NF_DUP_IPV6 is not set +CONFIG_NF_REJECT_IPV6=y +CONFIG_NF_LOG_IPV6=y +CONFIG_NF_NAT_IPV6=y +CONFIG_NF_NAT_MASQUERADE_IPV6=y +CONFIG_IP6_NF_IPTABLES=y +CONFIG_IP6_NF_MATCH_AH=y +CONFIG_IP6_NF_MATCH_EUI64=y +CONFIG_IP6_NF_MATCH_FRAG=y +CONFIG_IP6_NF_MATCH_OPTS=y +CONFIG_IP6_NF_MATCH_HL=y +CONFIG_IP6_NF_MATCH_IPV6HEADER=y +CONFIG_IP6_NF_MATCH_MH=y +# CONFIG_IP6_NF_MATCH_RPFILTER is not set +CONFIG_IP6_NF_MATCH_RT=y +CONFIG_IP6_NF_TARGET_HL=y 
+CONFIG_IP6_NF_FILTER=y +CONFIG_IP6_NF_TARGET_REJECT=y +# CONFIG_IP6_NF_TARGET_SYNPROXY is not set +CONFIG_IP6_NF_MANGLE=y +CONFIG_IP6_NF_RAW=y +# CONFIG_IP6_NF_NAT is not set +# CONFIG_IP_DCCP is not set +# CONFIG_IP_SCTP is not set +# CONFIG_RDS is not set +# CONFIG_TIPC is not set +# CONFIG_ATM is not set +CONFIG_L2TP=y +# CONFIG_L2TP_V3 is not set +# CONFIG_BRIDGE is not set +CONFIG_HAVE_NET_DSA=y +# CONFIG_NET_DSA is not set +# CONFIG_VLAN_8021Q is not set +# CONFIG_DECNET is not set +# CONFIG_LLC2 is not set +# CONFIG_IPX is not set +# CONFIG_ATALK is not set +# CONFIG_X25 is not set +# CONFIG_LAPB is not set +# CONFIG_PHONET is not set +# CONFIG_6LOWPAN is not set +# CONFIG_IEEE802154 is not set +# CONFIG_NET_SCHED is not set +# CONFIG_DCB is not set +# CONFIG_BATMAN_ADV is not set +# CONFIG_OPENVSWITCH is not set +# CONFIG_VSOCKETS is not set +# CONFIG_NETLINK_DIAG is not set +# CONFIG_MPLS is not set +# CONFIG_HSR is not set +# CONFIG_NET_SWITCHDEV is not set +# CONFIG_NET_L3_MASTER_DEV is not set +# CONFIG_NET_NCSI is not set +CONFIG_CGROUP_NET_PRIO=y +CONFIG_CGROUP_NET_CLASSID=y +CONFIG_NET_RX_BUSY_POLL=y +CONFIG_BQL=y + +# +# Network testing +# +# CONFIG_NET_PKTGEN is not set +# CONFIG_HAMRADIO is not set +# CONFIG_CAN is not set +# CONFIG_IRDA is not set +# CONFIG_BT is not set +# CONFIG_AF_RXRPC is not set +# CONFIG_AF_KCM is not set +# CONFIG_STREAM_PARSER is not set +CONFIG_FIB_RULES=y +CONFIG_WIRELESS=y +# CONFIG_CFG80211 is not set +# CONFIG_LIB80211 is not set + +# +# CFG80211 needs to be enabled for MAC80211 +# +CONFIG_MAC80211_STA_HASH_MAX_SIZE=0 +# CONFIG_WIMAX is not set +# CONFIG_RFKILL is not set +CONFIG_NET_9P=y +CONFIG_NET_9P_VIRTIO=y +# CONFIG_NET_9P_DEBUG is not set +# CONFIG_CAIF is not set +# CONFIG_CEPH_LIB is not set +# CONFIG_NFC is not set +# CONFIG_PSAMPLE is not set +# CONFIG_NET_IFE is not set +# CONFIG_LWTUNNEL is not set +CONFIG_DST_CACHE=y +CONFIG_GRO_CELLS=y +# CONFIG_NET_DEVLINK is not set +CONFIG_MAY_USE_DEVLINK=y 
+CONFIG_HAVE_EBPF_JIT=y + +# +# Device Drivers +# + +# +# Generic Driver Options +# +CONFIG_UEVENT_HELPER=y +CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug" +CONFIG_DEVTMPFS=y +CONFIG_DEVTMPFS_MOUNT=y +CONFIG_STANDALONE=y +CONFIG_PREVENT_FIRMWARE_BUILD=y +CONFIG_FW_LOADER=y +CONFIG_FIRMWARE_IN_KERNEL=y +CONFIG_EXTRA_FIRMWARE="" +# CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set +CONFIG_ALLOW_DEV_COREDUMP=y +# CONFIG_DEBUG_DRIVER is not set +# CONFIG_DEBUG_DEVRES is not set +# CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set +# CONFIG_SYS_HYPERVISOR is not set +# CONFIG_GENERIC_CPU_DEVICES is not set +CONFIG_GENERIC_CPU_AUTOPROBE=y +# CONFIG_DMA_SHARED_BUFFER is not set + +# +# Bus devices +# +# CONFIG_CONNECTOR is not set +# CONFIG_MTD is not set +# CONFIG_OF is not set +CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y +# CONFIG_PARPORT is not set +CONFIG_PNP=y +CONFIG_PNP_DEBUG_MESSAGES=y + +# +# Protocols +# +CONFIG_PNPACPI=y +CONFIG_BLK_DEV=y +# CONFIG_BLK_DEV_NULL_BLK is not set +# CONFIG_BLK_DEV_FD is not set +# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set +# CONFIG_BLK_CPQ_CISS_DA is not set +# CONFIG_BLK_DEV_DAC960 is not set +# CONFIG_BLK_DEV_UMEM is not set +# CONFIG_BLK_DEV_COW_COMMON is not set +CONFIG_BLK_DEV_LOOP=y +CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 +# CONFIG_BLK_DEV_CRYPTOLOOP is not set +# CONFIG_BLK_DEV_DRBD is not set +CONFIG_BLK_DEV_NBD=y +# CONFIG_BLK_DEV_SKD is not set +# CONFIG_BLK_DEV_SX8 is not set +# CONFIG_BLK_DEV_RAM is not set +# CONFIG_CDROM_PKTCDVD is not set +# CONFIG_ATA_OVER_ETH is not set +CONFIG_VIRTIO_BLK=y +# CONFIG_VIRTIO_BLK_SCSI is not set +# CONFIG_BLK_DEV_RBD is not set +# CONFIG_BLK_DEV_RSXX is not set +# CONFIG_BLK_DEV_NVME is not set +# CONFIG_NVME_FC is not set + +# +# Misc devices +# +# CONFIG_SENSORS_LIS3LV02D is not set +# CONFIG_DUMMY_IRQ is not set +# CONFIG_IBM_ASM is not set +# CONFIG_PHANTOM is not set +# CONFIG_SGI_IOC4 is not set +# CONFIG_TIFM_CORE is not set +# CONFIG_ENCLOSURE_SERVICES is not set +# CONFIG_HP_ILO is not set +# 
CONFIG_SRAM is not set +# CONFIG_PCI_ENDPOINT_TEST is not set +# CONFIG_C2PORT is not set + +# +# EEPROM support +# +# CONFIG_EEPROM_93CX6 is not set +# CONFIG_CB710_CORE is not set + +# +# Texas Instruments shared transport line discipline +# + +# +# Altera FPGA firmware download module +# +# CONFIG_INTEL_MEI is not set +# CONFIG_INTEL_MEI_ME is not set +# CONFIG_INTEL_MEI_TXE is not set +# CONFIG_VMWARE_VMCI is not set + +# +# Intel MIC Bus Driver +# +# CONFIG_INTEL_MIC_BUS is not set + +# +# SCIF Bus Driver +# +# CONFIG_SCIF_BUS is not set + +# +# VOP Bus Driver +# +# CONFIG_VOP_BUS is not set + +# +# Intel MIC Host Driver +# + +# +# Intel MIC Card Driver +# + +# +# SCIF Driver +# + +# +# Intel MIC Coprocessor State Management (COSM) Drivers +# + +# +# VOP Driver +# +# CONFIG_GENWQE is not set +# CONFIG_ECHO is not set +# CONFIG_CXL_BASE is not set +# CONFIG_CXL_AFU_DRIVER_OPS is not set +# CONFIG_CXL_LIB is not set +CONFIG_HAVE_IDE=y +# CONFIG_IDE is not set + +# +# SCSI device support +# +CONFIG_SCSI_MOD=y +# CONFIG_RAID_ATTRS is not set +# CONFIG_SCSI is not set +# CONFIG_SCSI_DMA is not set +# CONFIG_SCSI_NETLINK is not set +# CONFIG_ATA is not set +# CONFIG_MD is not set +# CONFIG_FUSION is not set + +# +# IEEE 1394 (FireWire) support +# +# CONFIG_FIREWIRE is not set +# CONFIG_FIREWIRE_NOSY is not set +# CONFIG_MACINTOSH_DRIVERS is not set +CONFIG_NETDEVICES=y +CONFIG_NET_CORE=y +# CONFIG_BONDING is not set +CONFIG_DUMMY=y +# CONFIG_EQUALIZER is not set +# CONFIG_NET_TEAM is not set +# CONFIG_MACVLAN is not set +# CONFIG_VXLAN is not set +# CONFIG_GENEVE is not set +# CONFIG_GTP is not set +CONFIG_MACSEC=y +# CONFIG_NETCONSOLE is not set +# CONFIG_NETPOLL is not set +# CONFIG_NET_POLL_CONTROLLER is not set +CONFIG_TUN=y +# CONFIG_TUN_VNET_CROSS_LE is not set +# CONFIG_VETH is not set +CONFIG_VIRTIO_NET=y +# CONFIG_NLMON is not set +# CONFIG_ARCNET is not set + +# +# CAIF transport drivers +# + +# +# Distributed Switch Architecture drivers +# 
+CONFIG_ETHERNET=y +CONFIG_NET_VENDOR_3COM=y +# CONFIG_VORTEX is not set +# CONFIG_TYPHOON is not set +CONFIG_NET_VENDOR_ADAPTEC=y +# CONFIG_ADAPTEC_STARFIRE is not set +CONFIG_NET_VENDOR_AGERE=y +# CONFIG_ET131X is not set +CONFIG_NET_VENDOR_ALACRITECH=y +# CONFIG_SLICOSS is not set +CONFIG_NET_VENDOR_ALTEON=y +# CONFIG_ACENIC is not set +# CONFIG_ALTERA_TSE is not set +CONFIG_NET_VENDOR_AMAZON=y +# CONFIG_ENA_ETHERNET is not set +CONFIG_NET_VENDOR_AMD=y +# CONFIG_AMD8111_ETH is not set +# CONFIG_PCNET32 is not set +# CONFIG_AMD_XGBE is not set +# CONFIG_AMD_XGBE_HAVE_ECC is not set +CONFIG_NET_VENDOR_AQUANTIA=y +# CONFIG_AQTION is not set +# CONFIG_NET_VENDOR_ARC is not set +CONFIG_NET_VENDOR_ATHEROS=y +# CONFIG_ATL2 is not set +# CONFIG_ATL1 is not set +# CONFIG_ATL1E is not set +# CONFIG_ATL1C is not set +# CONFIG_ALX is not set +# CONFIG_NET_VENDOR_AURORA is not set +CONFIG_NET_CADENCE=y +# CONFIG_MACB is not set +CONFIG_NET_VENDOR_BROADCOM=y +# CONFIG_B44 is not set +# CONFIG_BCMGENET is not set +# CONFIG_BNX2 is not set +# CONFIG_CNIC is not set +# CONFIG_TIGON3 is not set +# CONFIG_BNX2X is not set +# CONFIG_BNXT is not set +CONFIG_NET_VENDOR_BROCADE=y +# CONFIG_BNA is not set +CONFIG_NET_VENDOR_CAVIUM=y +# CONFIG_THUNDER_NIC_PF is not set +# CONFIG_THUNDER_NIC_VF is not set +# CONFIG_THUNDER_NIC_BGX is not set +# CONFIG_THUNDER_NIC_RGX is not set +# CONFIG_LIQUIDIO is not set +# CONFIG_LIQUIDIO_VF is not set +CONFIG_NET_VENDOR_CHELSIO=y +# CONFIG_CHELSIO_T1 is not set +# CONFIG_CHELSIO_T3 is not set +# CONFIG_CHELSIO_T4 is not set +# CONFIG_CHELSIO_T4VF is not set +CONFIG_NET_VENDOR_CISCO=y +# CONFIG_ENIC is not set +# CONFIG_CX_ECAT is not set +# CONFIG_DNET is not set +CONFIG_NET_VENDOR_DEC=y +# CONFIG_NET_TULIP is not set +CONFIG_NET_VENDOR_DLINK=y +# CONFIG_DL2K is not set +# CONFIG_SUNDANCE is not set +CONFIG_NET_VENDOR_EMULEX=y +# CONFIG_BE2NET is not set +CONFIG_NET_VENDOR_EZCHIP=y +CONFIG_NET_VENDOR_EXAR=y +# CONFIG_S2IO is not set +# CONFIG_VXGE 
is not set +CONFIG_NET_VENDOR_HP=y +# CONFIG_HP100 is not set +CONFIG_NET_VENDOR_INTEL=y +# CONFIG_E100 is not set +# CONFIG_E1000 is not set +# CONFIG_E1000E is not set +# CONFIG_IGB is not set +# CONFIG_IGBVF is not set +# CONFIG_IXGB is not set +# CONFIG_IXGBE is not set +# CONFIG_IXGBEVF is not set +# CONFIG_I40E is not set +# CONFIG_I40EVF is not set +# CONFIG_FM10K is not set +CONFIG_NET_VENDOR_I825XX=y +# CONFIG_JME is not set +CONFIG_NET_VENDOR_MARVELL=y +# CONFIG_MVMDIO is not set +# CONFIG_SKGE is not set +# CONFIG_SKY2 is not set +CONFIG_NET_VENDOR_MELLANOX=y +# CONFIG_MLX4_EN is not set +# CONFIG_MLX4_CORE is not set +# CONFIG_MLX5_CORE is not set +# CONFIG_MLXSW_CORE is not set +# CONFIG_MLXFW is not set +CONFIG_NET_VENDOR_MICREL=y +# CONFIG_KS8851_MLL is not set +# CONFIG_KSZ884X_PCI is not set +CONFIG_NET_VENDOR_MYRI=y +# CONFIG_MYRI10GE is not set +# CONFIG_FEALNX is not set +CONFIG_NET_VENDOR_NATSEMI=y +# CONFIG_NATSEMI is not set +# CONFIG_NS83820 is not set +CONFIG_NET_VENDOR_NETRONOME=y +# CONFIG_NFP is not set +CONFIG_NET_VENDOR_8390=y +# CONFIG_NE2K_PCI is not set +CONFIG_NET_VENDOR_NVIDIA=y +# CONFIG_FORCEDETH is not set +CONFIG_NET_VENDOR_OKI=y +# CONFIG_ETHOC is not set +CONFIG_NET_PACKET_ENGINE=y +# CONFIG_HAMACHI is not set +# CONFIG_YELLOWFIN is not set +CONFIG_NET_VENDOR_QLOGIC=y +# CONFIG_QLA3XXX is not set +# CONFIG_QLCNIC is not set +# CONFIG_QLGE is not set +# CONFIG_NETXEN_NIC is not set +# CONFIG_QED is not set +CONFIG_NET_VENDOR_QUALCOMM=y +# CONFIG_QCOM_EMAC is not set +CONFIG_NET_VENDOR_REALTEK=y +# CONFIG_8139CP is not set +# CONFIG_8139TOO is not set +# CONFIG_R8169 is not set +CONFIG_NET_VENDOR_RENESAS=y +CONFIG_NET_VENDOR_RDC=y +# CONFIG_R6040 is not set +CONFIG_NET_VENDOR_ROCKER=y +CONFIG_NET_VENDOR_SAMSUNG=y +# CONFIG_SXGBE_ETH is not set +CONFIG_NET_VENDOR_SEEQ=y +CONFIG_NET_VENDOR_SILAN=y +# CONFIG_SC92031 is not set +CONFIG_NET_VENDOR_SIS=y +# CONFIG_SIS900 is not set +# CONFIG_SIS190 is not set 
+CONFIG_NET_VENDOR_SOLARFLARE=y +# CONFIG_SFC is not set +# CONFIG_SFC_FALCON is not set +CONFIG_NET_VENDOR_SMSC=y +# CONFIG_EPIC100 is not set +# CONFIG_SMSC911X is not set +# CONFIG_SMSC9420 is not set +CONFIG_NET_VENDOR_STMICRO=y +# CONFIG_STMMAC_ETH is not set +CONFIG_NET_VENDOR_SUN=y +# CONFIG_HAPPYMEAL is not set +# CONFIG_SUNGEM is not set +# CONFIG_CASSINI is not set +# CONFIG_NIU is not set +CONFIG_NET_VENDOR_TEHUTI=y +# CONFIG_TEHUTI is not set +CONFIG_NET_VENDOR_TI=y +# CONFIG_TI_CPSW_ALE is not set +# CONFIG_TLAN is not set +CONFIG_NET_VENDOR_VIA=y +# CONFIG_VIA_RHINE is not set +# CONFIG_VIA_VELOCITY is not set +CONFIG_NET_VENDOR_WIZNET=y +# CONFIG_WIZNET_W5100 is not set +# CONFIG_WIZNET_W5300 is not set +CONFIG_NET_VENDOR_SYNOPSYS=y +# CONFIG_DWC_XLGMAC is not set +# CONFIG_FDDI is not set +# CONFIG_HIPPI is not set +# CONFIG_NET_SB1000 is not set +# CONFIG_MDIO_DEVICE is not set +# CONFIG_MDIO_BUS is not set +# CONFIG_PHYLIB is not set +# CONFIG_PPP is not set +# CONFIG_SLIP is not set + +# +# Host-side USB support is needed for USB Network Adapter support +# +CONFIG_WLAN=y +CONFIG_WLAN_VENDOR_ADMTEK=y +CONFIG_WLAN_VENDOR_ATH=y +# CONFIG_ATH_DEBUG is not set +# CONFIG_ATH5K_PCI is not set +CONFIG_WLAN_VENDOR_ATMEL=y +CONFIG_WLAN_VENDOR_BROADCOM=y +CONFIG_WLAN_VENDOR_CISCO=y +CONFIG_WLAN_VENDOR_INTEL=y +CONFIG_WLAN_VENDOR_INTERSIL=y +# CONFIG_HOSTAP is not set +# CONFIG_PRISM54 is not set +CONFIG_WLAN_VENDOR_MARVELL=y +CONFIG_WLAN_VENDOR_MEDIATEK=y +CONFIG_WLAN_VENDOR_RALINK=y +CONFIG_WLAN_VENDOR_REALTEK=y +CONFIG_WLAN_VENDOR_RSI=y +CONFIG_WLAN_VENDOR_ST=y +CONFIG_WLAN_VENDOR_TI=y +CONFIG_WLAN_VENDOR_ZYDAS=y +CONFIG_WLAN_VENDOR_QUANTENNA=y + +# +# Enable WiMAX (Networking options) to see the WiMAX drivers +# +# CONFIG_WAN is not set +# CONFIG_VMXNET3 is not set +# CONFIG_FUJITSU_ES is not set +# CONFIG_ISDN is not set +# CONFIG_NVM is not set + +# +# Input device support +# +CONFIG_INPUT=y +# CONFIG_INPUT_FF_MEMLESS is not set +# CONFIG_INPUT_POLLDEV 
is not set +# CONFIG_INPUT_SPARSEKMAP is not set +# CONFIG_INPUT_MATRIXKMAP is not set + +# +# Userland interfaces +# +CONFIG_INPUT_MOUSEDEV=y +CONFIG_INPUT_MOUSEDEV_PSAUX=y +CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024 +CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768 +# CONFIG_INPUT_JOYDEV is not set +CONFIG_INPUT_EVDEV=y +# CONFIG_INPUT_EVBUG is not set + +# +# Input Device Drivers +# +CONFIG_INPUT_KEYBOARD=y +CONFIG_KEYBOARD_ATKBD=y +# CONFIG_KEYBOARD_LKKBD is not set +# CONFIG_KEYBOARD_NEWTON is not set +# CONFIG_KEYBOARD_OPENCORES is not set +# CONFIG_KEYBOARD_SAMSUNG is not set +# CONFIG_KEYBOARD_STOWAWAY is not set +# CONFIG_KEYBOARD_SUNKBD is not set +# CONFIG_KEYBOARD_XTKBD is not set +CONFIG_INPUT_MOUSE=y +CONFIG_MOUSE_PS2=y +CONFIG_MOUSE_PS2_ALPS=y +CONFIG_MOUSE_PS2_BYD=y +CONFIG_MOUSE_PS2_LOGIPS2PP=y +CONFIG_MOUSE_PS2_SYNAPTICS=y +CONFIG_MOUSE_PS2_CYPRESS=y +CONFIG_MOUSE_PS2_LIFEBOOK=y +CONFIG_MOUSE_PS2_TRACKPOINT=y +# CONFIG_MOUSE_PS2_ELANTECH is not set +# CONFIG_MOUSE_PS2_SENTELIC is not set +# CONFIG_MOUSE_PS2_TOUCHKIT is not set +CONFIG_MOUSE_PS2_FOCALTECH=y +# CONFIG_MOUSE_SERIAL is not set +# CONFIG_MOUSE_APPLETOUCH is not set +# CONFIG_MOUSE_BCM5974 is not set +# CONFIG_MOUSE_VSXXXAA is not set +# CONFIG_MOUSE_SYNAPTICS_USB is not set +# CONFIG_INPUT_JOYSTICK is not set +# CONFIG_INPUT_TABLET is not set +# CONFIG_INPUT_TOUCHSCREEN is not set +# CONFIG_INPUT_MISC is not set +# CONFIG_RMI4_CORE is not set + +# +# Hardware I/O ports +# +CONFIG_SERIO=y +CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y +CONFIG_SERIO_I8042=y +CONFIG_SERIO_SERPORT=y +# CONFIG_SERIO_CT82C710 is not set +# CONFIG_SERIO_PCIPS2 is not set +CONFIG_SERIO_LIBPS2=y +# CONFIG_SERIO_RAW is not set +# CONFIG_SERIO_ALTERA_PS2 is not set +# CONFIG_SERIO_PS2MULT is not set +# CONFIG_SERIO_ARC_PS2 is not set +# CONFIG_USERIO is not set +# CONFIG_GAMEPORT is not set + +# +# Character devices +# +CONFIG_TTY=y +CONFIG_VT=y +CONFIG_CONSOLE_TRANSLATIONS=y +CONFIG_VT_CONSOLE=y +CONFIG_VT_CONSOLE_SLEEP=y +CONFIG_HW_CONSOLE=y 
+# CONFIG_VT_HW_CONSOLE_BINDING is not set +CONFIG_UNIX98_PTYS=y +CONFIG_LEGACY_PTYS=y +CONFIG_LEGACY_PTY_COUNT=256 +# CONFIG_SERIAL_NONSTANDARD is not set +# CONFIG_NOZOMI is not set +# CONFIG_N_GSM is not set +# CONFIG_TRACE_SINK is not set +CONFIG_DEVMEM=y +CONFIG_DEVKMEM=y + +# +# Serial drivers +# +# CONFIG_SERIAL_8250 is not set + +# +# Non-8250 serial port support +# +# CONFIG_SERIAL_UARTLITE is not set +# CONFIG_SERIAL_JSM is not set +# CONFIG_SERIAL_SCCNXP is not set +# CONFIG_SERIAL_ALTERA_JTAGUART is not set +# CONFIG_SERIAL_ALTERA_UART is not set +# CONFIG_SERIAL_ARC is not set +# CONFIG_SERIAL_RP2 is not set +# CONFIG_SERIAL_FSL_LPUART is not set +# CONFIG_SERIAL_DEV_BUS is not set +CONFIG_HVC_DRIVER=y +CONFIG_VIRTIO_CONSOLE=y +# CONFIG_IPMI_HANDLER is not set +# CONFIG_HW_RANDOM is not set +# CONFIG_NVRAM is not set +# CONFIG_R3964 is not set +# CONFIG_APPLICOM is not set +# CONFIG_MWAVE is not set +# CONFIG_RAW_DRIVER is not set +# CONFIG_HPET is not set +# CONFIG_HANGCHECK_TIMER is not set +# CONFIG_TCG_TPM is not set +# CONFIG_TELCLOCK is not set +CONFIG_DEVPORT=y +# CONFIG_XILLYBUS is not set + +# +# I2C support +# +# CONFIG_I2C is not set +# CONFIG_SPI is not set +# CONFIG_SPMI is not set +# CONFIG_HSI is not set +# CONFIG_PPS is not set + +# +# PTP clock support +# +# CONFIG_PTP_1588_CLOCK is not set + +# +# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks. 
+# +# CONFIG_GPIOLIB is not set +# CONFIG_W1 is not set +# CONFIG_POWER_AVS is not set +# CONFIG_POWER_RESET is not set +CONFIG_POWER_SUPPLY=y +# CONFIG_POWER_SUPPLY_DEBUG is not set +# CONFIG_PDA_POWER is not set +# CONFIG_TEST_POWER is not set +# CONFIG_BATTERY_DS2780 is not set +# CONFIG_BATTERY_DS2781 is not set +# CONFIG_BATTERY_BQ27XXX is not set +# CONFIG_CHARGER_MAX8903 is not set +CONFIG_HWMON=y +# CONFIG_HWMON_VID is not set +# CONFIG_HWMON_DEBUG_CHIP is not set + +# +# Native drivers +# +# CONFIG_SENSORS_ABITUGURU is not set +# CONFIG_SENSORS_ABITUGURU3 is not set +# CONFIG_SENSORS_K8TEMP is not set +# CONFIG_SENSORS_K10TEMP is not set +# CONFIG_SENSORS_FAM15H_POWER is not set +# CONFIG_SENSORS_APPLESMC is not set +# CONFIG_SENSORS_ASPEED is not set +# CONFIG_SENSORS_DELL_SMM is not set +# CONFIG_SENSORS_I5K_AMB is not set +# CONFIG_SENSORS_F71805F is not set +# CONFIG_SENSORS_F71882FG is not set +# CONFIG_SENSORS_I5500 is not set +# CONFIG_SENSORS_CORETEMP is not set +# CONFIG_SENSORS_IT87 is not set +# CONFIG_SENSORS_MAX197 is not set +# CONFIG_SENSORS_PC87360 is not set +# CONFIG_SENSORS_PC87427 is not set +# CONFIG_SENSORS_NTC_THERMISTOR is not set +# CONFIG_SENSORS_NCT6683 is not set +# CONFIG_SENSORS_NCT6775 is not set +# CONFIG_SENSORS_SIS5595 is not set +# CONFIG_SENSORS_SMSC47M1 is not set +# CONFIG_SENSORS_SMSC47B397 is not set +# CONFIG_SENSORS_SCH56XX_COMMON is not set +# CONFIG_SENSORS_VIA_CPUTEMP is not set +# CONFIG_SENSORS_VIA686A is not set +# CONFIG_SENSORS_VT1211 is not set +# CONFIG_SENSORS_VT8231 is not set +# CONFIG_SENSORS_W83627HF is not set +# CONFIG_SENSORS_W83627EHF is not set + +# +# ACPI drivers +# +# CONFIG_SENSORS_ACPI_POWER is not set +# CONFIG_SENSORS_ATK0110 is not set +CONFIG_THERMAL=y +CONFIG_THERMAL_EMERGENCY_POWEROFF_DELAY_MS=0 +CONFIG_THERMAL_HWMON=y +# CONFIG_THERMAL_WRITABLE_TRIPS is not set +CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y +# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set +# 
CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set +# CONFIG_THERMAL_DEFAULT_GOV_POWER_ALLOCATOR is not set +# CONFIG_THERMAL_GOV_FAIR_SHARE is not set +CONFIG_THERMAL_GOV_STEP_WISE=y +# CONFIG_THERMAL_GOV_BANG_BANG is not set +# CONFIG_THERMAL_GOV_USER_SPACE is not set +# CONFIG_THERMAL_GOV_POWER_ALLOCATOR is not set +# CONFIG_THERMAL_EMULATION is not set +# CONFIG_INTEL_POWERCLAMP is not set +# CONFIG_INTEL_SOC_DTS_THERMAL is not set + +# +# ACPI INT340X thermal drivers +# +# CONFIG_INT340X_THERMAL is not set +# CONFIG_INTEL_PCH_THERMAL is not set +# CONFIG_WATCHDOG is not set +CONFIG_SSB_POSSIBLE=y + +# +# Sonics Silicon Backplane +# +# CONFIG_SSB is not set +CONFIG_BCMA_POSSIBLE=y + +# +# Broadcom specific AMBA +# +# CONFIG_BCMA is not set + +# +# Multifunction device drivers +# +# CONFIG_MFD_CORE is not set +# CONFIG_MFD_CROS_EC is not set +# CONFIG_HTC_PASIC3 is not set +# CONFIG_MFD_INTEL_QUARK_I2C_GPIO is not set +# CONFIG_LPC_ICH is not set +# CONFIG_LPC_SCH is not set +# CONFIG_MFD_INTEL_LPSS_ACPI is not set +# CONFIG_MFD_INTEL_LPSS_PCI is not set +# CONFIG_MFD_JANZ_CMODIO is not set +# CONFIG_MFD_KEMPLD is not set +# CONFIG_MFD_MT6397 is not set +# CONFIG_MFD_RDC321X is not set +# CONFIG_MFD_RTSX_PCI is not set +# CONFIG_MFD_SM501 is not set +# CONFIG_ABX500_CORE is not set +# CONFIG_MFD_SYSCON is not set +# CONFIG_MFD_TI_AM335X_TSCADC is not set +# CONFIG_MFD_TMIO is not set +# CONFIG_MFD_VX855 is not set +# CONFIG_REGULATOR is not set +# CONFIG_MEDIA_SUPPORT is not set + +# +# Graphics support +# +# CONFIG_AGP is not set +CONFIG_VGA_ARB=y +CONFIG_VGA_ARB_MAX_GPUS=16 +# CONFIG_VGA_SWITCHEROO is not set +# CONFIG_DRM is not set + +# +# ACP (Audio CoProcessor) Configuration +# +# CONFIG_DRM_LIB_RANDOM is not set + +# +# Frame buffer Devices +# +# CONFIG_FB is not set +# CONFIG_BACKLIGHT_LCD_SUPPORT is not set +# CONFIG_VGASTATE is not set + +# +# Console display driver support +# +CONFIG_VGA_CONSOLE=y +# CONFIG_VGACON_SOFT_SCROLLBACK is not set 
+CONFIG_DUMMY_CONSOLE=y +CONFIG_DUMMY_CONSOLE_COLUMNS=80 +CONFIG_DUMMY_CONSOLE_ROWS=25 +CONFIG_SOUND=y +# CONFIG_SOUND_OSS_CORE is not set +# CONFIG_SND is not set + +# +# HID support +# +CONFIG_HID=y +# CONFIG_HID_BATTERY_STRENGTH is not set +# CONFIG_HIDRAW is not set +# CONFIG_UHID is not set +CONFIG_HID_GENERIC=y + +# +# Special HID drivers +# +CONFIG_HID_A4TECH=y +# CONFIG_HID_ACRUX is not set +CONFIG_HID_APPLE=y +# CONFIG_HID_AUREAL is not set +CONFIG_HID_BELKIN=y +CONFIG_HID_CHERRY=y +CONFIG_HID_CHICONY=y +# CONFIG_HID_CMEDIA is not set +CONFIG_HID_CYPRESS=y +# CONFIG_HID_DRAGONRISE is not set +# CONFIG_HID_EMS_FF is not set +# CONFIG_HID_ELECOM is not set +CONFIG_HID_EZKEY=y +# CONFIG_HID_GEMBIRD is not set +# CONFIG_HID_GFRM is not set +# CONFIG_HID_KEYTOUCH is not set +# CONFIG_HID_KYE is not set +# CONFIG_HID_WALTOP is not set +# CONFIG_HID_GYRATION is not set +# CONFIG_HID_ICADE is not set +CONFIG_HID_ITE=y +# CONFIG_HID_TWINHAN is not set +CONFIG_HID_KENSINGTON=y +# CONFIG_HID_LCPOWER is not set +# CONFIG_HID_LENOVO is not set +CONFIG_HID_LOGITECH=y +# CONFIG_HID_LOGITECH_HIDPP is not set +# CONFIG_LOGITECH_FF is not set +# CONFIG_LOGIRUMBLEPAD2_FF is not set +# CONFIG_LOGIG940_FF is not set +# CONFIG_LOGIWHEELS_FF is not set +# CONFIG_HID_MAGICMOUSE is not set +# CONFIG_HID_MAYFLASH is not set +CONFIG_HID_MICROSOFT=y +CONFIG_HID_MONTEREY=y +# CONFIG_HID_MULTITOUCH is not set +# CONFIG_HID_NTI is not set +# CONFIG_HID_ORTEK is not set +# CONFIG_HID_PANTHERLORD is not set +# CONFIG_HID_PETALYNX is not set +# CONFIG_HID_PICOLCD is not set +CONFIG_HID_PLANTRONICS=y +# CONFIG_HID_PRIMAX is not set +# CONFIG_HID_SAITEK is not set +# CONFIG_HID_SAMSUNG is not set +# CONFIG_HID_SPEEDLINK is not set +# CONFIG_HID_STEELSERIES is not set +# CONFIG_HID_SUNPLUS is not set +# CONFIG_HID_RMI is not set +# CONFIG_HID_GREENASIA is not set +# CONFIG_HID_SMARTJOYPLUS is not set +# CONFIG_HID_TIVO is not set +# CONFIG_HID_TOPSEED is not set +# CONFIG_HID_THRUSTMASTER is 
not set +# CONFIG_HID_UDRAW_PS3 is not set +# CONFIG_HID_WACOM is not set +# CONFIG_HID_XINMO is not set +# CONFIG_HID_ZEROPLUS is not set +# CONFIG_HID_ZYDACRON is not set +# CONFIG_HID_SENSOR_HUB is not set +# CONFIG_HID_ALPS is not set + +# +# Intel ISH HID support +# +# CONFIG_INTEL_ISH_HID is not set +CONFIG_USB_OHCI_LITTLE_ENDIAN=y +CONFIG_USB_SUPPORT=y +CONFIG_USB_ARCH_HAS_HCD=y +# CONFIG_USB is not set +CONFIG_USB_PCI=y + +# +# USB port drivers +# + +# +# USB Physical Layer drivers +# +# CONFIG_USB_PHY is not set +# CONFIG_NOP_USB_XCEIV is not set +# CONFIG_USB_GADGET is not set + +# +# USB Power Delivery and Type-C drivers +# +# CONFIG_TYPEC_UCSI is not set +# CONFIG_USB_ULPI_BUS is not set +# CONFIG_UWB is not set +# CONFIG_MMC is not set +# CONFIG_MEMSTICK is not set +# CONFIG_NEW_LEDS is not set +# CONFIG_ACCESSIBILITY is not set +# CONFIG_INFINIBAND is not set +CONFIG_EDAC_ATOMIC_SCRUB=y +CONFIG_EDAC_SUPPORT=y +CONFIG_RTC_LIB=y +CONFIG_RTC_MC146818_LIB=y +# CONFIG_RTC_CLASS is not set +# CONFIG_DMADEVICES is not set + +# +# DMABUF options +# +# CONFIG_SYNC_FILE is not set +# CONFIG_AUXDISPLAY is not set +# CONFIG_UIO is not set +# CONFIG_VIRT_DRIVERS is not set +CONFIG_VIRTIO=y + +# +# Virtio drivers +# +CONFIG_VIRTIO_PCI=y +CONFIG_VIRTIO_PCI_LEGACY=y +CONFIG_VIRTIO_BALLOON=y +# CONFIG_VIRTIO_INPUT is not set +CONFIG_VIRTIO_MMIO=y +# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set + +# +# Microsoft Hyper-V guest support +# +# CONFIG_HYPERV_TSCPAGE is not set +# CONFIG_STAGING is not set +CONFIG_X86_PLATFORM_DEVICES=y +# CONFIG_ACERHDF is not set +# CONFIG_DELL_SMO8800 is not set +# CONFIG_FUJITSU_TABLET is not set +# CONFIG_HP_ACCEL is not set +# CONFIG_HP_WIRELESS is not set +# CONFIG_SENSORS_HDAPS is not set +# CONFIG_INTEL_MENLOW is not set +# CONFIG_ASUS_WIRELESS is not set +# CONFIG_ACPI_WMI is not set +# CONFIG_TOPSTAR_LAPTOP is not set +# CONFIG_TOSHIBA_BT_RFKILL is not set +# CONFIG_TOSHIBA_HAPS is not set +# CONFIG_ACPI_CMPC is not set +# 
CONFIG_INTEL_HID_EVENT is not set +# CONFIG_INTEL_VBTN is not set +# CONFIG_INTEL_IPS is not set +# CONFIG_INTEL_PMC_CORE is not set +# CONFIG_IBM_RTL is not set +# CONFIG_SAMSUNG_Q10 is not set +# CONFIG_INTEL_RST is not set +# CONFIG_INTEL_SMARTCONNECT is not set +# CONFIG_PVPANIC is not set +# CONFIG_INTEL_PMC_IPC is not set +# CONFIG_SURFACE_PRO3_BUTTON is not set +# CONFIG_INTEL_PUNIT_IPC is not set +# CONFIG_MLX_PLATFORM is not set +# CONFIG_MLX_CPLD_PLATFORM is not set +CONFIG_PMC_ATOM=y +# CONFIG_CHROME_PLATFORMS is not set +CONFIG_CLKDEV_LOOKUP=y +CONFIG_HAVE_CLK_PREPARE=y +CONFIG_COMMON_CLK=y + +# +# Common Clock Framework +# +# CONFIG_COMMON_CLK_NXP is not set +# CONFIG_COMMON_CLK_PXA is not set +# CONFIG_COMMON_CLK_PIC32 is not set +# CONFIG_HWSPINLOCK is not set + +# +# Clock Source drivers +# +CONFIG_CLKEVT_I8253=y +CONFIG_I8253_LOCK=y +CONFIG_CLKBLD_I8253=y +# CONFIG_ATMEL_PIT is not set +# CONFIG_SH_TIMER_CMT is not set +# CONFIG_SH_TIMER_MTU2 is not set +# CONFIG_SH_TIMER_TMU is not set +# CONFIG_EM_TIMER_STI is not set +# CONFIG_MAILBOX is not set +CONFIG_IOMMU_SUPPORT=y + +# +# Generic IOMMU Pagetable Support +# +# CONFIG_AMD_IOMMU is not set +# CONFIG_INTEL_IOMMU is not set +# CONFIG_IRQ_REMAP is not set + +# +# Remoteproc drivers +# +# CONFIG_REMOTEPROC is not set + +# +# Rpmsg drivers +# + +# +# SOC (System On Chip) specific Drivers +# + +# +# Broadcom SoC drivers +# + +# +# i.MX SoC drivers +# +# CONFIG_SUNXI_SRAM is not set +# CONFIG_SOC_TI is not set +# CONFIG_PM_DEVFREQ is not set +# CONFIG_EXTCON is not set +# CONFIG_MEMORY is not set +# CONFIG_IIO is not set +# CONFIG_NTB is not set +# CONFIG_VME_BUS is not set +# CONFIG_PWM is not set +CONFIG_ARM_GIC_MAX_NR=1 +# CONFIG_IPACK_BUS is not set +# CONFIG_RESET_CONTROLLER is not set +# CONFIG_FMC is not set + +# +# PHY Subsystem +# +# CONFIG_GENERIC_PHY is not set +# CONFIG_BCM_KONA_USB2_PHY is not set +# CONFIG_PHY_PXA_28NM_HSIC is not set +# CONFIG_PHY_PXA_28NM_USB2 is not set +# 
CONFIG_POWERCAP is not set +# CONFIG_MCB is not set + +# +# Performance monitor support +# +# CONFIG_RAS is not set +# CONFIG_THUNDERBOLT is not set + +# +# Android +# +# CONFIG_ANDROID is not set +# CONFIG_LIBNVDIMM is not set +# CONFIG_DAX is not set +# CONFIG_NVMEM is not set +# CONFIG_STM is not set +# CONFIG_INTEL_TH is not set + +# +# FPGA Configuration Support +# +# CONFIG_FPGA is not set + +# +# FSI support +# +# CONFIG_FSI is not set + +# +# Firmware Drivers +# +# CONFIG_EDD is not set +CONFIG_FIRMWARE_MEMMAP=y +# CONFIG_DELL_RBU is not set +# CONFIG_DCDBAS is not set +CONFIG_DMIID=y +# CONFIG_DMI_SYSFS is not set +CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y +# CONFIG_ISCSI_IBFT_FIND is not set +# CONFIG_FW_CFG_SYSFS is not set +# CONFIG_GOOGLE_FIRMWARE is not set +# CONFIG_EFI_DEV_PATH_PARSER is not set + +# +# Tegra firmware driver +# + +# +# File systems +# +CONFIG_DCACHE_WORD_ACCESS=y +CONFIG_EXT2_FS=y +# CONFIG_EXT2_FS_XATTR is not set +CONFIG_EXT3_FS=y +# CONFIG_EXT3_FS_POSIX_ACL is not set +# CONFIG_EXT3_FS_SECURITY is not set +CONFIG_EXT4_FS=y +# CONFIG_EXT4_FS_POSIX_ACL is not set +# CONFIG_EXT4_FS_SECURITY is not set +# CONFIG_EXT4_ENCRYPTION is not set +# CONFIG_EXT4_DEBUG is not set +CONFIG_JBD2=y +# CONFIG_JBD2_DEBUG is not set +CONFIG_FS_MBCACHE=y +CONFIG_REISERFS_FS=y +# CONFIG_REISERFS_CHECK is not set +# CONFIG_REISERFS_PROC_INFO is not set +# CONFIG_REISERFS_FS_XATTR is not set +# CONFIG_JFS_FS is not set +# CONFIG_XFS_FS is not set +# CONFIG_GFS2_FS is not set +# CONFIG_BTRFS_FS is not set +# CONFIG_NILFS2_FS is not set +# CONFIG_F2FS_FS is not set +# CONFIG_FS_DAX is not set +CONFIG_FS_POSIX_ACL=y +CONFIG_EXPORTFS=y +# CONFIG_EXPORTFS_BLOCK_OPS is not set +CONFIG_FILE_LOCKING=y +CONFIG_MANDATORY_FILE_LOCKING=y +# CONFIG_FS_ENCRYPTION is not set +CONFIG_FSNOTIFY=y +CONFIG_DNOTIFY=y +CONFIG_INOTIFY_USER=y +# CONFIG_FANOTIFY is not set +CONFIG_QUOTA=y +# CONFIG_QUOTA_NETLINK_INTERFACE is not set +CONFIG_PRINT_QUOTA_WARNING=y +# 
CONFIG_QUOTA_DEBUG is not set +# CONFIG_QFMT_V1 is not set +# CONFIG_QFMT_V2 is not set +CONFIG_QUOTACTL=y +CONFIG_AUTOFS4_FS=y +# CONFIG_FUSE_FS is not set +# CONFIG_OVERLAY_FS is not set + +# +# Caches +# +# CONFIG_FSCACHE is not set + +# +# CD-ROM/DVD Filesystems +# +CONFIG_ISO9660_FS=y +CONFIG_JOLIET=y +# CONFIG_ZISOFS is not set +# CONFIG_UDF_FS is not set + +# +# DOS/FAT/NT Filesystems +# +# CONFIG_MSDOS_FS is not set +# CONFIG_VFAT_FS is not set +# CONFIG_NTFS_FS is not set + +# +# Pseudo filesystems +# +CONFIG_PROC_FS=y +CONFIG_PROC_KCORE=y +CONFIG_PROC_SYSCTL=y +CONFIG_PROC_PAGE_MONITOR=y +# CONFIG_PROC_CHILDREN is not set +CONFIG_KERNFS=y +CONFIG_SYSFS=y +CONFIG_TMPFS=y +# CONFIG_TMPFS_POSIX_ACL is not set +# CONFIG_TMPFS_XATTR is not set +# CONFIG_HUGETLBFS is not set +# CONFIG_HUGETLB_PAGE is not set +# CONFIG_CONFIGFS_FS is not set +CONFIG_MISC_FILESYSTEMS=y +# CONFIG_ORANGEFS_FS is not set +# CONFIG_ADFS_FS is not set +# CONFIG_AFFS_FS is not set +# CONFIG_HFS_FS is not set +# CONFIG_HFSPLUS_FS is not set +# CONFIG_BEFS_FS is not set +# CONFIG_BFS_FS is not set +# CONFIG_EFS_FS is not set +# CONFIG_CRAMFS is not set +# CONFIG_SQUASHFS is not set +# CONFIG_VXFS_FS is not set +# CONFIG_MINIX_FS is not set +# CONFIG_OMFS_FS is not set +# CONFIG_HPFS_FS is not set +# CONFIG_QNX4FS_FS is not set +# CONFIG_QNX6FS_FS is not set +# CONFIG_ROMFS_FS is not set +# CONFIG_PSTORE is not set +# CONFIG_SYSV_FS is not set +# CONFIG_UFS_FS is not set +CONFIG_NETWORK_FILESYSTEMS=y +# CONFIG_NFS_FS is not set +# CONFIG_NFSD is not set +# CONFIG_CEPH_FS is not set +# CONFIG_CIFS is not set +# CONFIG_NCP_FS is not set +# CONFIG_CODA_FS is not set +# CONFIG_AFS_FS is not set +CONFIG_9P_FS=y +CONFIG_9P_FS_POSIX_ACL=y +# CONFIG_9P_FS_SECURITY is not set +CONFIG_NLS=y +CONFIG_NLS_DEFAULT="iso8859-1" +# CONFIG_NLS_CODEPAGE_437 is not set +# CONFIG_NLS_CODEPAGE_737 is not set +# CONFIG_NLS_CODEPAGE_775 is not set +# CONFIG_NLS_CODEPAGE_850 is not set +# CONFIG_NLS_CODEPAGE_852 
is not set +# CONFIG_NLS_CODEPAGE_855 is not set +# CONFIG_NLS_CODEPAGE_857 is not set +# CONFIG_NLS_CODEPAGE_860 is not set +# CONFIG_NLS_CODEPAGE_861 is not set +# CONFIG_NLS_CODEPAGE_862 is not set +# CONFIG_NLS_CODEPAGE_863 is not set +# CONFIG_NLS_CODEPAGE_864 is not set +# CONFIG_NLS_CODEPAGE_865 is not set +# CONFIG_NLS_CODEPAGE_866 is not set +# CONFIG_NLS_CODEPAGE_869 is not set +# CONFIG_NLS_CODEPAGE_936 is not set +# CONFIG_NLS_CODEPAGE_950 is not set +# CONFIG_NLS_CODEPAGE_932 is not set +# CONFIG_NLS_CODEPAGE_949 is not set +# CONFIG_NLS_CODEPAGE_874 is not set +# CONFIG_NLS_ISO8859_8 is not set +# CONFIG_NLS_CODEPAGE_1250 is not set +# CONFIG_NLS_CODEPAGE_1251 is not set +# CONFIG_NLS_ASCII is not set +# CONFIG_NLS_ISO8859_1 is not set +# CONFIG_NLS_ISO8859_2 is not set +# CONFIG_NLS_ISO8859_3 is not set +# CONFIG_NLS_ISO8859_4 is not set +# CONFIG_NLS_ISO8859_5 is not set +# CONFIG_NLS_ISO8859_6 is not set +# CONFIG_NLS_ISO8859_7 is not set +# CONFIG_NLS_ISO8859_9 is not set +# CONFIG_NLS_ISO8859_13 is not set +# CONFIG_NLS_ISO8859_14 is not set +# CONFIG_NLS_ISO8859_15 is not set +# CONFIG_NLS_KOI8_R is not set +# CONFIG_NLS_KOI8_U is not set +# CONFIG_NLS_MAC_ROMAN is not set +# CONFIG_NLS_MAC_CELTIC is not set +# CONFIG_NLS_MAC_CENTEURO is not set +# CONFIG_NLS_MAC_CROATIAN is not set +# CONFIG_NLS_MAC_CYRILLIC is not set +# CONFIG_NLS_MAC_GAELIC is not set +# CONFIG_NLS_MAC_GREEK is not set +# CONFIG_NLS_MAC_ICELAND is not set +# CONFIG_NLS_MAC_INUIT is not set +# CONFIG_NLS_MAC_ROMANIAN is not set +# CONFIG_NLS_MAC_TURKISH is not set +# CONFIG_NLS_UTF8 is not set + +# +# Kernel hacking +# +CONFIG_TRACE_IRQFLAGS_SUPPORT=y + +# +# printk and dmesg options +# +# CONFIG_PRINTK_TIME is not set +CONFIG_CONSOLE_LOGLEVEL_DEFAULT=7 +CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4 +# CONFIG_BOOT_PRINTK_DELAY is not set + +# +# Compile-time checks and compiler options +# +CONFIG_DEBUG_INFO=y +# CONFIG_DEBUG_INFO_REDUCED is not set +# CONFIG_DEBUG_INFO_SPLIT is not set 
+# CONFIG_DEBUG_INFO_DWARF4 is not set +# CONFIG_GDB_SCRIPTS is not set +CONFIG_ENABLE_WARN_DEPRECATED=y +CONFIG_ENABLE_MUST_CHECK=y +CONFIG_FRAME_WARN=1024 +# CONFIG_STRIP_ASM_SYMS is not set +# CONFIG_READABLE_ASM is not set +# CONFIG_UNUSED_SYMBOLS is not set +# CONFIG_PAGE_OWNER is not set +# CONFIG_DEBUG_FS is not set +# CONFIG_HEADERS_CHECK is not set +# CONFIG_DEBUG_SECTION_MISMATCH is not set +CONFIG_SECTION_MISMATCH_WARN_ONLY=y +CONFIG_ARCH_WANT_FRAME_POINTERS=y +CONFIG_FRAME_POINTER=y +# CONFIG_STACK_VALIDATION is not set +# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set +# CONFIG_MAGIC_SYSRQ is not set +CONFIG_DEBUG_KERNEL=y + +# +# Memory Debugging +# +# CONFIG_PAGE_EXTENSION is not set +# CONFIG_DEBUG_PAGEALLOC is not set +# CONFIG_PAGE_POISONING is not set +CONFIG_DEBUG_RODATA_TEST=y +# CONFIG_DEBUG_OBJECTS is not set +# CONFIG_DEBUG_SLAB is not set +CONFIG_HAVE_DEBUG_KMEMLEAK=y +# CONFIG_DEBUG_KMEMLEAK is not set +# CONFIG_DEBUG_STACK_USAGE is not set +# CONFIG_DEBUG_VM is not set +CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y +# CONFIG_DEBUG_VIRTUAL is not set +CONFIG_DEBUG_MEMORY_INIT=y +CONFIG_HAVE_DEBUG_STACKOVERFLOW=y +# CONFIG_DEBUG_STACKOVERFLOW is not set +CONFIG_HAVE_ARCH_KMEMCHECK=y +CONFIG_HAVE_ARCH_KASAN=y +# CONFIG_KASAN is not set +CONFIG_ARCH_HAS_KCOV=y +# CONFIG_KCOV is not set +# CONFIG_DEBUG_SHIRQ is not set + +# +# Debug Lockups and Hangs +# +# CONFIG_SOFTLOCKUP_DETECTOR is not set +CONFIG_HARDLOCKUP_CHECK_TIMESTAMP=y +# CONFIG_HARDLOCKUP_DETECTOR is not set +CONFIG_DETECT_HUNG_TASK=y +CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 +# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set +CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0 +# CONFIG_WQ_WATCHDOG is not set +# CONFIG_PANIC_ON_OOPS is not set +CONFIG_PANIC_ON_OOPS_VALUE=0 +CONFIG_PANIC_TIMEOUT=0 +# CONFIG_SCHED_DEBUG is not set +# CONFIG_SCHED_INFO is not set +# CONFIG_SCHEDSTATS is not set +# CONFIG_SCHED_STACK_END_CHECK is not set +# CONFIG_DEBUG_TIMEKEEPING is not set + +# +# Lock Debugging (spinlocks, mutexes, 
etc...) +# +# CONFIG_DEBUG_RT_MUTEXES is not set +# CONFIG_DEBUG_SPINLOCK is not set +# CONFIG_DEBUG_MUTEXES is not set +# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set +# CONFIG_DEBUG_LOCK_ALLOC is not set +# CONFIG_PROVE_LOCKING is not set +# CONFIG_LOCK_STAT is not set +# CONFIG_DEBUG_ATOMIC_SLEEP is not set +# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set +# CONFIG_LOCK_TORTURE_TEST is not set +# CONFIG_WW_MUTEX_SELFTEST is not set +# CONFIG_STACKTRACE is not set +# CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set +# CONFIG_DEBUG_KOBJECT is not set +CONFIG_DEBUG_BUGVERBOSE=y +# CONFIG_DEBUG_LIST is not set +# CONFIG_DEBUG_PI_LIST is not set +# CONFIG_DEBUG_SG is not set +# CONFIG_DEBUG_NOTIFIERS is not set +# CONFIG_DEBUG_CREDENTIALS is not set + +# +# RCU Debugging +# +# CONFIG_PROVE_RCU is not set +# CONFIG_TORTURE_TEST is not set +# CONFIG_RCU_PERF_TEST is not set +# CONFIG_RCU_TORTURE_TEST is not set +# CONFIG_RCU_TRACE is not set +# CONFIG_RCU_EQS_DEBUG is not set +# CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set +# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set +# CONFIG_NOTIFIER_ERROR_INJECTION is not set +# CONFIG_FAULT_INJECTION is not set +# CONFIG_LATENCYTOP is not set +CONFIG_USER_STACKTRACE_SUPPORT=y +CONFIG_HAVE_FUNCTION_TRACER=y +CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y +CONFIG_HAVE_DYNAMIC_FTRACE=y +CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y +CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y +CONFIG_HAVE_SYSCALL_TRACEPOINTS=y +CONFIG_HAVE_FENTRY=y +CONFIG_HAVE_C_RECORDMCOUNT=y +CONFIG_TRACING_SUPPORT=y +CONFIG_FTRACE=y +# CONFIG_FUNCTION_TRACER is not set +# CONFIG_IRQSOFF_TRACER is not set +# CONFIG_SCHED_TRACER is not set +# CONFIG_HWLAT_TRACER is not set +# CONFIG_ENABLE_DEFAULT_TRACERS is not set +# CONFIG_FTRACE_SYSCALLS is not set +# CONFIG_TRACER_SNAPSHOT is not set +CONFIG_BRANCH_PROFILE_NONE=y +# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set +# CONFIG_PROFILE_ALL_BRANCHES is not set +# CONFIG_STACK_TRACER is not set +# CONFIG_BLK_DEV_IO_TRACE is not set +# CONFIG_UPROBE_EVENTS is not 
set +# CONFIG_PROBE_EVENTS is not set +# CONFIG_MMIOTRACE is not set +# CONFIG_HIST_TRIGGERS is not set +# CONFIG_TRACEPOINT_BENCHMARK is not set + +# +# Runtime Testing +# +# CONFIG_TEST_LIST_SORT is not set +# CONFIG_TEST_SORT is not set +# CONFIG_BACKTRACE_SELF_TEST is not set +# CONFIG_RBTREE_TEST is not set +# CONFIG_INTERVAL_TREE_TEST is not set +# CONFIG_ATOMIC64_SELFTEST is not set +# CONFIG_TEST_HEXDUMP is not set +# CONFIG_TEST_STRING_HELPERS is not set +# CONFIG_TEST_KSTRTOX is not set +# CONFIG_TEST_PRINTF is not set +# CONFIG_TEST_BITMAP is not set +# CONFIG_TEST_UUID is not set +# CONFIG_TEST_RHASHTABLE is not set +# CONFIG_TEST_HASH is not set +# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set +# CONFIG_DMA_API_DEBUG is not set +# CONFIG_TEST_FIRMWARE is not set +# CONFIG_TEST_SYSCTL is not set +# CONFIG_TEST_UDELAY is not set +# CONFIG_MEMTEST is not set +# CONFIG_BUG_ON_DATA_CORRUPTION is not set +# CONFIG_SAMPLES is not set +CONFIG_HAVE_ARCH_KGDB=y +# CONFIG_KGDB is not set +CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y +# CONFIG_ARCH_WANTS_UBSAN_NO_NULL is not set +# CONFIG_UBSAN is not set +CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y +# CONFIG_STRICT_DEVMEM is not set +CONFIG_X86_VERBOSE_BOOTUP=y +CONFIG_EARLY_PRINTK=y +# CONFIG_EARLY_PRINTK_DBGP is not set +# CONFIG_EARLY_PRINTK_USB_XDBC is not set +# CONFIG_X86_PTDUMP_CORE is not set +# CONFIG_X86_PTDUMP is not set +# CONFIG_DEBUG_WX is not set +CONFIG_DOUBLEFAULT=y +# CONFIG_DEBUG_TLBFLUSH is not set +# CONFIG_IOMMU_DEBUG is not set +# CONFIG_IOMMU_STRESS is not set +CONFIG_HAVE_MMIOTRACE_SUPPORT=y +CONFIG_IO_DELAY_TYPE_0X80=0 +CONFIG_IO_DELAY_TYPE_0XED=1 +CONFIG_IO_DELAY_TYPE_UDELAY=2 +CONFIG_IO_DELAY_TYPE_NONE=3 +CONFIG_IO_DELAY_0X80=y +# CONFIG_IO_DELAY_0XED is not set +# CONFIG_IO_DELAY_UDELAY is not set +# CONFIG_IO_DELAY_NONE is not set +CONFIG_DEFAULT_IO_DELAY_TYPE=0 +# CONFIG_CPA_DEBUG is not set +# CONFIG_OPTIMIZE_INLINING is not set +# CONFIG_DEBUG_ENTRY is not set +# CONFIG_DEBUG_NMI_SELFTEST is not 
set +CONFIG_X86_DEBUG_FPU=y +# CONFIG_PUNIT_ATOM_DEBUG is not set + +# +# Security options +# +# CONFIG_KEYS is not set +# CONFIG_SECURITY_DMESG_RESTRICT is not set +# CONFIG_SECURITY is not set +# CONFIG_SECURITYFS is not set +CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y +# CONFIG_HARDENED_USERCOPY is not set +# CONFIG_FORTIFY_SOURCE is not set +# CONFIG_STATIC_USERMODEHELPER is not set +CONFIG_DEFAULT_SECURITY_DAC=y +CONFIG_DEFAULT_SECURITY="" +CONFIG_CRYPTO=y + +# +# Crypto core or helper +# +CONFIG_CRYPTO_ALGAPI=y +CONFIG_CRYPTO_ALGAPI2=y +CONFIG_CRYPTO_AEAD=y +CONFIG_CRYPTO_AEAD2=y +CONFIG_CRYPTO_BLKCIPHER=y +CONFIG_CRYPTO_BLKCIPHER2=y +CONFIG_CRYPTO_HASH=y +CONFIG_CRYPTO_HASH2=y +CONFIG_CRYPTO_RNG=y +CONFIG_CRYPTO_RNG2=y +CONFIG_CRYPTO_RNG_DEFAULT=y +CONFIG_CRYPTO_AKCIPHER2=y +CONFIG_CRYPTO_KPP2=y +CONFIG_CRYPTO_KPP=y +CONFIG_CRYPTO_ACOMP2=y +# CONFIG_CRYPTO_RSA is not set +CONFIG_CRYPTO_DH=y +CONFIG_CRYPTO_ECDH=y +CONFIG_CRYPTO_MANAGER=y +CONFIG_CRYPTO_MANAGER2=y +CONFIG_CRYPTO_USER=y +CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y +CONFIG_CRYPTO_GF128MUL=y +CONFIG_CRYPTO_NULL=y +CONFIG_CRYPTO_NULL2=y +CONFIG_CRYPTO_WORKQUEUE=y +CONFIG_CRYPTO_CRYPTD=y +CONFIG_CRYPTO_MCRYPTD=y +CONFIG_CRYPTO_AUTHENC=y +CONFIG_CRYPTO_ABLK_HELPER=y +CONFIG_CRYPTO_SIMD=y +CONFIG_CRYPTO_GLUE_HELPER_X86=y + +# +# Authenticated Encryption with Associated Data +# +CONFIG_CRYPTO_CCM=y +CONFIG_CRYPTO_GCM=y +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_SEQIV=y +CONFIG_CRYPTO_ECHAINIV=y + +# +# Block modes +# +CONFIG_CRYPTO_CBC=y +CONFIG_CRYPTO_CTR=y +# CONFIG_CRYPTO_CTS is not set +CONFIG_CRYPTO_ECB=y +CONFIG_CRYPTO_LRW=y +CONFIG_CRYPTO_PCBC=y +CONFIG_CRYPTO_XTS=y +# CONFIG_CRYPTO_KEYWRAP is not set + +# +# Hash modes +# +CONFIG_CRYPTO_CMAC=y +CONFIG_CRYPTO_HMAC=y +CONFIG_CRYPTO_XCBC=y +# CONFIG_CRYPTO_VMAC is not set + +# +# Digest +# +CONFIG_CRYPTO_CRC32C=y +# CONFIG_CRYPTO_CRC32C_INTEL is not set +# CONFIG_CRYPTO_CRC32 is not set +# CONFIG_CRYPTO_CRC32_PCLMUL is not set +# 
CONFIG_CRYPTO_CRCT10DIF is not set +CONFIG_CRYPTO_GHASH=y +CONFIG_CRYPTO_POLY1305=y +CONFIG_CRYPTO_POLY1305_X86_64=y +CONFIG_CRYPTO_MD4=y +CONFIG_CRYPTO_MD5=y +CONFIG_CRYPTO_MICHAEL_MIC=y +CONFIG_CRYPTO_RMD128=y +CONFIG_CRYPTO_RMD160=y +CONFIG_CRYPTO_RMD256=y +CONFIG_CRYPTO_RMD320=y +CONFIG_CRYPTO_SHA1=y +# CONFIG_CRYPTO_SHA1_SSSE3 is not set +CONFIG_CRYPTO_SHA256_SSSE3=y +CONFIG_CRYPTO_SHA512_SSSE3=y +# CONFIG_CRYPTO_SHA1_MB is not set +CONFIG_CRYPTO_SHA256_MB=y +CONFIG_CRYPTO_SHA512_MB=y +CONFIG_CRYPTO_SHA256=y +CONFIG_CRYPTO_SHA512=y +CONFIG_CRYPTO_SHA3=y +CONFIG_CRYPTO_TGR192=y +CONFIG_CRYPTO_WP512=y +# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set + +# +# Ciphers +# +CONFIG_CRYPTO_AES=y +# CONFIG_CRYPTO_AES_TI is not set +CONFIG_CRYPTO_AES_X86_64=y +CONFIG_CRYPTO_AES_NI_INTEL=y +CONFIG_CRYPTO_ANUBIS=y +CONFIG_CRYPTO_ARC4=y +CONFIG_CRYPTO_BLOWFISH=y +CONFIG_CRYPTO_BLOWFISH_COMMON=y +CONFIG_CRYPTO_BLOWFISH_X86_64=y +CONFIG_CRYPTO_CAMELLIA=y +CONFIG_CRYPTO_CAMELLIA_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y +CONFIG_CRYPTO_CAST_COMMON=y +CONFIG_CRYPTO_CAST5=y +CONFIG_CRYPTO_CAST5_AVX_X86_64=y +CONFIG_CRYPTO_CAST6=y +CONFIG_CRYPTO_CAST6_AVX_X86_64=y +CONFIG_CRYPTO_DES=y +# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set +CONFIG_CRYPTO_FCRYPT=y +CONFIG_CRYPTO_KHAZAD=y +CONFIG_CRYPTO_SALSA20=y +CONFIG_CRYPTO_SALSA20_X86_64=y +CONFIG_CRYPTO_CHACHA20=y +CONFIG_CRYPTO_CHACHA20_X86_64=y +CONFIG_CRYPTO_SEED=y +CONFIG_CRYPTO_SERPENT=y +CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y +CONFIG_CRYPTO_TEA=y +CONFIG_CRYPTO_TWOFISH=y +CONFIG_CRYPTO_TWOFISH_COMMON=y +CONFIG_CRYPTO_TWOFISH_X86_64=y +CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y +CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y + +# +# Compression +# +CONFIG_CRYPTO_DEFLATE=y +CONFIG_CRYPTO_LZO=y +CONFIG_CRYPTO_842=y +CONFIG_CRYPTO_LZ4=y +CONFIG_CRYPTO_LZ4HC=y + +# +# Random Number Generation +# +# CONFIG_CRYPTO_ANSI_CPRNG is not set 
+CONFIG_CRYPTO_DRBG_MENU=y +CONFIG_CRYPTO_DRBG_HMAC=y +CONFIG_CRYPTO_DRBG_HASH=y +CONFIG_CRYPTO_DRBG_CTR=y +CONFIG_CRYPTO_DRBG=y +CONFIG_CRYPTO_JITTERENTROPY=y +CONFIG_CRYPTO_USER_API=y +CONFIG_CRYPTO_USER_API_HASH=y +CONFIG_CRYPTO_USER_API_SKCIPHER=y +# CONFIG_CRYPTO_USER_API_RNG is not set +CONFIG_CRYPTO_USER_API_AEAD=y +# CONFIG_CRYPTO_HW is not set + +# +# Certificates for signature checking +# +CONFIG_HAVE_KVM=y +CONFIG_VIRTUALIZATION=y +# CONFIG_KVM is not set +# CONFIG_VHOST_NET is not set +# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set +# CONFIG_BINARY_PRINTF is not set + +# +# Library routines +# +CONFIG_BITREVERSE=y +# CONFIG_HAVE_ARCH_BITREVERSE is not set +CONFIG_RATIONAL=y +CONFIG_GENERIC_STRNCPY_FROM_USER=y +CONFIG_GENERIC_STRNLEN_USER=y +CONFIG_GENERIC_NET_UTILS=y +CONFIG_GENERIC_FIND_FIRST_BIT=y +CONFIG_GENERIC_PCI_IOMAP=y +CONFIG_GENERIC_IOMAP=y +CONFIG_GENERIC_IO=y +CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y +CONFIG_ARCH_HAS_FAST_MULTIPLIER=y +CONFIG_CRC_CCITT=y +CONFIG_CRC16=y +# CONFIG_CRC_T10DIF is not set +CONFIG_CRC_ITU_T=y +CONFIG_CRC32=y +# CONFIG_CRC32_SELFTEST is not set +CONFIG_CRC32_SLICEBY8=y +# CONFIG_CRC32_SLICEBY4 is not set +# CONFIG_CRC32_SARWATE is not set +# CONFIG_CRC32_BIT is not set +# CONFIG_CRC4 is not set +CONFIG_CRC7=y +CONFIG_LIBCRC32C=y +# CONFIG_CRC8 is not set +# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set +# CONFIG_RANDOM32_SELFTEST is not set +CONFIG_842_COMPRESS=y +CONFIG_842_DECOMPRESS=y +CONFIG_ZLIB_INFLATE=y +CONFIG_ZLIB_DEFLATE=y +CONFIG_LZO_COMPRESS=y +CONFIG_LZO_DECOMPRESS=y +CONFIG_LZ4_COMPRESS=y +CONFIG_LZ4HC_COMPRESS=y +CONFIG_LZ4_DECOMPRESS=y +# CONFIG_XZ_DEC is not set +# CONFIG_XZ_DEC_BCJ is not set +CONFIG_TEXTSEARCH=y +CONFIG_TEXTSEARCH_KMP=y +CONFIG_TEXTSEARCH_BM=y +CONFIG_TEXTSEARCH_FSM=y +CONFIG_HAS_IOMEM=y +CONFIG_HAS_IOPORT_MAP=y +CONFIG_HAS_DMA=y +# CONFIG_DMA_NOOP_OPS is not set +# CONFIG_DMA_VIRT_OPS is not set +CONFIG_DQL=y +CONFIG_NLATTR=y +CONFIG_CLZ_TAB=y +# CONFIG_CORDIC is not set +# CONFIG_DDR is 
not set +# CONFIG_IRQ_POLL is not set +CONFIG_MPILIB=y +# CONFIG_SG_SPLIT is not set +# CONFIG_SG_POOL is not set +CONFIG_ARCH_HAS_SG_CHAIN=y +CONFIG_ARCH_HAS_PMEM_API=y +CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y +CONFIG_ARCH_HAS_MMIO_FLUSH=y +CONFIG_SBITMAP=y diff --git a/testing/do-tests b/testing/do-tests index e3fd9b464..38999ea61 100755 --- a/testing/do-tests +++ b/testing/do-tests @@ -825,7 +825,7 @@ do for host in $IPSECHOSTS do eval HOSTLOGIN=root@\$ipv4_${host} - ssh $SSHCONF $HOSTLOGIN "grep -s -E 'charon|last message repeated|imcv' \ + ssh $SSHCONF $HOSTLOGIN "grep -s -E 'systemd|swanctl|charon|last message repeated|imcv' \ /var/log/daemon.log" >> $TESTRESULTDIR/${host}.daemon.log done diff --git a/testing/hosts/default/etc/strongswan.conf.testing b/testing/hosts/default/etc/strongswan.conf.testing index b62355097..604769a49 100644 --- a/testing/hosts/default/etc/strongswan.conf.testing +++ b/testing/hosts/default/etc/strongswan.conf.testing @@ -7,6 +7,16 @@ charon { xfrm_acq_expires = 60 } } + syslog { + daemon { + } + auth { + default = 0 + } + } + journal { + default = -1 + } } include strongswan.conf diff --git a/testing/scripts/build-baseimage b/testing/scripts/build-baseimage index 1264bd7ee..95453d620 100755 --- a/testing/scripts/build-baseimage +++ b/testing/scripts/build-baseimage @@ -18,7 +18,7 @@ INC=$INC,libxml2-dev,libtspi-dev,libsqlite3-dev,openssh-server,tcpdump,psmisc INC=$INC,openssl,vim,sqlite3,conntrack,gdb,cmake,libltdl-dev,liblog4cxx10-dev INC=$INC,libboost-thread-dev,libboost-system-dev,git-core,iperf,htop,screen INC=$INC,gnat,gprbuild,acpid,acpi-support-base,libldns-dev,libunbound-dev -INC=$INC,dnsutils,libsoup2.4-dev,ca-certificates,unzip +INC=$INC,dnsutils,libsoup2.4-dev,ca-certificates,unzip,libsystemd-dev INC=$INC,python,python-setuptools,python-dev,python-pip,apt-transport-https INC=$INC,libjson0-dev,libxslt1-dev,libapache2-mod-wsgi,iptables-dev case "$BASEIMGSUITE" in 
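Review bot: The added `syslog` and `journal` sections in strongswan.conf.testing carry no comment saying why the journal logger is set to `-1` while syslog is kept, and the empty `daemon { }` block reads like a leftover. The do-tests hunk of this same commit greps `/var/log/daemon.log`, so the intent appears to be that daemon output keeps landing in syslog. I would state that above the block, e.g. `# keep the daemon facility at its default level: do-tests collects /var/log/daemon.log` and `# -1 = silent, nothing is written to the journal`. The enclosing `charon` section opens outside the hunk, so whether the systemd-started daemon reads these settings from it could not be checked here.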
diff --git a/testing/scripts/build-strongswan b/testing/scripts/build-strongswan index d4e9e922f..150fce30c 100755 --- a/testing/scripts/build-strongswan +++ b/testing/scripts/build-strongswan @@ -50,8 +50,7 @@ execute "bindfs -u $SRCUID -g $SRCGID $SWANDIR $LOOPDIR/root/strongswan" do_on_exit umount $LOOPDIR/root/strongswan log_action "Remove SWID tags of previous versions" -execute_chroot 'find /usr/local/share/regid.2004-03.org.strongswan -name *.swidtag -delete' -execute_chroot 'find /usr/local/share/strongswan -name *.swidtag -delete' +execute_chroot "find /usr/local/share -path '*strongswan*' -name *.swidtag -delete" echo "Building and installing strongSwan" diff --git a/testing/scripts/recipes/013_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk index 3c5f41834..80f779c7d 100644 --- a/testing/scripts/recipes/013_strongswan.mk +++ b/testing/scripts/recipes/013_strongswan.mk @@ -103,7 +103,8 @@ CONFIG_OPTS = \ --enable-lookip \ --enable-bliss \ --enable-sha3 \ - --enable-newhope + --enable-newhope \ + --enable-systemd export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat diff --git a/testing/ssh_config b/testing/ssh_config index 367683018..56a619002 100644 --- a/testing/ssh_config +++ b/testing/ssh_config @@ -1,4 +1,5 @@ Host * + LogLevel QUIET # debian default SendEnv LANG LC_* SendEnv LEAK_DETECTIVE_LOG diff --git a/testing/testing.conf b/testing/testing.conf index e22afc3e4..e33fb4fc9 100644 --- a/testing/testing.conf +++ b/testing/testing.conf @@ -31,7 +31,7 @@ fi : ${KERNELPATCH=ha-4.4-abicompat.patch.bz2} # strongSwan version used in tests -: ${SWANVERSION=5.6.0} +: ${SWANVERSION=5.6.1} # Build directory where the guest kernel and images will be built : ${BUILDDIR=$TESTDIR/build} diff --git a/testing/tests/af-alg/alg-camellia/description.txt b/testing/tests/af-alg/alg-camellia/description.txt index 87679788f..995ab4c65 100644 --- a/testing/tests/af-alg/alg-camellia/description.txt +++ b/testing/tests/af-alg/alg-camellia/description.txt 
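Review bot: In the new `find` call of build-strongswan the `-path` pattern is quoted but `-name *.swidtag` is not, so if the string is handed to a shell inside the chroot (execute_chroot is defined outside this hunk) the glob can be expanded against the working directory before find sees it. Quote it as well: `execute_chroot "find /usr/local/share -path '*strongswan*' -name '*.swidtag' -delete"`. The single command also widens the `-delete` from two fixed directories to every path under /usr/local/share that contains `strongswan`, which deserves a one-line comment confirming that the broader match is intended.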
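Review bot: `LogLevel QUIET` under `Host *` in testing/ssh_config silences every client diagnostic for all hosts, which includes changed-host-key warnings and connection failures, so a test run that cannot reach a guest fails without any ssh message. `LogLevel ERROR` still hides the informational notices while keeping errors visible in the test output. The rest of the file lies outside the hunk, so how host-key checking is configured there cannot be seen; a short comment next to the option explaining why output is suppressed would help either way.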
@@ -1,3 +1,3 @@ -Roadwarrior carol proposes to gateway moon the IKE cipher suite CAMELLIA_CBC_256 / -HMAC_SHA2_512_256 / PRF_HMAC_SHA2_512 / MODP_3072 well as the ESP cipher suite CAMELLIA_CBC_192 / HMAC_SHA384_192. -A ping from carol to alice successfully checks the established tunnel. +Roadwarrior carol proposes to gateway moon the IKE cipher suite camellia256-sha512-modp3072 +well as the ESP cipher suite camellia192-sha384. A ping from carol to alice successfully +checks the established tunnel. diff --git a/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf index 81a85aa06..e475be3ca 100644 --- a/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf +++ b/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf @@ -1,10 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce pem pkcs1 af-alg gmp x509 revocation kernel-netlink curl socket-default updown vici +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce pem pkcs1 af-alg gmp x509 revocation kernel-netlink curl socket-default updown vici } diff --git a/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf index 81a85aa06..e475be3ca 100644 --- a/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf +++ b/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf 
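Review bot: With the `start-scripts` block removed from carol's strongswan.conf, nothing in the file shows how credentials and connections get loaded any more, and the new `swanctl` section has no comment explaining why its plugin list differs from the daemon's. Presumably the `strongswan-swanctl` unit started in pretest.dat does the loading, but that is not visible in this hunk. A header comment such as `# credentials and connections are loaded by the strongswan-swanctl systemd unit` would make it explicit (adjust the wording if the loading happens elsewhere). The same applies to the moon hunk of this test and to the carol and dave hunks under af-alg/rw-cert.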
@@ -1,10 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce pem pkcs1 af-alg gmp x509 revocation kernel-netlink curl socket-default updown vici +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce pem pkcs1 af-alg gmp x509 revocation kernel-netlink curl socket-default updown vici } diff --git a/testing/tests/af-alg/alg-camellia/posttest.dat b/testing/tests/af-alg/alg-camellia/posttest.dat index 2fc2bbb75..2b00bea8e 100644 --- a/testing/tests/af-alg/alg-camellia/posttest.dat +++ b/testing/tests/af-alg/alg-camellia/posttest.dat @@ -1,5 +1,5 @@ carol::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/af-alg/alg-camellia/pretest.dat b/testing/tests/af-alg/alg-camellia/pretest.dat index 41255bccb..dbd1738ae 100644 --- a/testing/tests/af-alg/alg-camellia/pretest.dat +++ b/testing/tests/af-alg/alg-camellia/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection net carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf index 3610ac699..456c70df2 100644 --- a/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf 
+++ b/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,13 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = random nonce test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown vici integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf index afa7afe83..b6be829f4 100644 --- a/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,13 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp x509 revocation curl hmac xcbc ctr ccm gcm kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = random nonce test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp x509 revocation curl hmac xcbc ctr ccm gcm kernel-netlink socket-default updown vici integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf index 3610ac699..456c70df2 100644 --- a/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf 
@@ -1,13 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = random nonce test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown vici integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/af-alg/rw-cert/posttest.dat b/testing/tests/af-alg/rw-cert/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/af-alg/rw-cert/posttest.dat +++ b/testing/tests/af-alg/rw-cert/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/af-alg/rw-cert/pretest.dat b/testing/tests/af-alg/rw-cert/pretest.dat index 7652f460e..664cc9447 100644 --- a/testing/tests/af-alg/rw-cert/pretest.dat +++ b/testing/tests/af-alg/rw-cert/pretest.dat 
@@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection net carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/description.txt b/testing/tests/gcrypt-ikev1/alg-serpent/description.txt index 982efa5ea..28c6adb4b 100644 --- a/testing/tests/gcrypt-ikev1/alg-serpent/description.txt +++ b/testing/tests/gcrypt-ikev1/alg-serpent/description.txt @@ -1,4 +1,4 @@ Roadwarrior carol proposes to gateway moon the strong cipher suite -SERPENT_CBC_256 / HMAC_SHA2_512 / MODP_4096 for the IKE protocol and -SERPENT_CBC_256 / HMAC_SHA2_512_256 for ESP packets. A ping from carol to -alice successfully checks the established tunnel. +serpent256-sha512-modp4096 for the IKE protocol and serpent256-sha512 +for ESP packets. A ping from carol to alice successfully checks the +established tunnel. diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf index 10c0ac6fb..b57ffec12 100644 --- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf 
@@ -1,11 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = nonce pem pkcs1 gcrypt hmac x509 revocation curl vici kernel-netlink socket-default +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = nonce pem pkcs1 gcrypt hmac x509 revocation curl vici kernel-netlink socket-default send_vendor_id = yes } diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf index 6c49b5e9b..22371e465 100644 --- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf @@ -1,11 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = nonce pem pkcs1 gcrypt hmac x509 revocation vici kernel-netlink socket-default +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = nonce pem pkcs1 gcrypt hmac x509 revocation vici kernel-netlink socket-default send_vendor_id = yes } diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/posttest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/posttest.dat index 6387dff4f..e9c83e483 100644 --- a/testing/tests/gcrypt-ikev1/alg-serpent/posttest.dat +++ b/testing/tests/gcrypt-ikev1/alg-serpent/posttest.dat @@ -1,2 +1,2 @@ -moon::service charon stop -carol::service charon stop +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl \ No newline at end of file diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat index 0f615f4ac..8c6a3ba30 100644 
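Review bot: The new alg-serpent/posttest.dat ends without a trailing newline (`\ No newline at end of file`), so its last entry, `moon::systemctl stop strongswan-swanctl`, is an unterminated line. If the test runner reads these files line by line (the runner is not part of this diff), a plain `read` loop would skip that entry and leave the daemon on moon running into the next scenario. The same marker appears on alg-serpent/pretest.dat, where the affected entry is `carol::swanctl --initiate --child home 2> /dev/null`, and on alg-twofish/posttest.dat. Ending each file with a newline removes the doubt.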
--- a/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat +++ b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat @@ -1,5 +1,5 @@ -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -moon::expect-connection rw -carol::expect-connection home -carol::swanctl --initiate --child home 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null \ No newline at end of file diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/description.txt b/testing/tests/gcrypt-ikev1/alg-twofish/description.txt index e1a7403e3..bfef69b5c 100644 --- a/testing/tests/gcrypt-ikev1/alg-twofish/description.txt +++ b/testing/tests/gcrypt-ikev1/alg-twofish/description.txt @@ -1,4 +1,4 @@ Roadwarrior carol proposes to gateway moon the strong cipher suite -TWOFISH_CBC_256 / HMAC_SHA2_512 / MODP_4096 for the IKE protocol and -TWOFISH_CBC_256 / HMAC_SHA2_512_256 for ESP packets. A ping from carol to -alice successfully checks the established tunnel. +twofish256-sha512-modp4096 for the IKE protocol and twofish256-sha512 +for ESP packets. A ping from carol to alice successfully checks the +established tunnel. diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf index 10c0ac6fb..b57ffec12 100644 --- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf 
@@ -1,11 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = nonce pem pkcs1 gcrypt hmac x509 revocation curl vici kernel-netlink socket-default +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = nonce pem pkcs1 gcrypt hmac x509 revocation curl vici kernel-netlink socket-default send_vendor_id = yes } diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf index 6c49b5e9b..22371e465 100644 --- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf @@ -1,11 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = nonce pem pkcs1 gcrypt hmac x509 revocation vici kernel-netlink socket-default +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = nonce pem pkcs1 gcrypt hmac x509 revocation vici kernel-netlink socket-default send_vendor_id = yes } diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/posttest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/posttest.dat index 6387dff4f..e9c83e483 100644 --- a/testing/tests/gcrypt-ikev1/alg-twofish/posttest.dat +++ b/testing/tests/gcrypt-ikev1/alg-twofish/posttest.dat @@ -1,2 +1,2 @@ -moon::service charon stop -carol::service charon stop +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl \ No newline at end of file diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat index 0f615f4ac..b9e2a8eee 100644 
--- a/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat +++ b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat @@ -1,5 +1,5 @@ -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -moon::expect-connection rw -carol::expect-connection home +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection rw +carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/description.txt b/testing/tests/gcrypt-ikev2/alg-camellia/description.txt index b3515c333..4b8eeb87e 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/description.txt +++ b/testing/tests/gcrypt-ikev2/alg-camellia/description.txt @@ -1,4 +1,3 @@ -Roadwarrior carol proposes to gateway moon the IKE cipher suite CAMELLIA_CBC_256 / -HMAC_SHA2_512_256 / MODP_2048 by defining ike=camellia256-sha256-modp2048 as well as -the ESP cipher suite CAMELLIA_CBC_192 / HMAC_SHA1_96 by defining esp=camellia192-sha1 -in ipsec.conf. A ping from carol to alice successfully checks the established tunnel. +Roadwarrior carol proposes to gateway moon the IKE cipher suite +camellia256-sha512-modp3072 as well as the ESP cipher suite camellia192-sha384. +A ping from carol to alice successfully checks the established tunnel. diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat index 562336fd4..8a2e36baa 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat +++ b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat 
@@ -1,12 +1,6 @@ -moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES -carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES -carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon:: ip xfrm state::enc cbc(camellia)::YES carol::ip xfrm state::enc cbc(camellia)::YES moon::tcpdump::IP 
carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf deleted file mode 100644 index f0bbfc10f..000000000 --- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=camellia256-sha512-modp3072! - esp=camellia192-sha384! - -conn home - left=PH_IP_CAROL - leftfirewall=yes - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf index 3c094be34..e1d5a10dc 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce pem pkcs1 gcrypt hmac x509 revocation kernel-netlink curl socket-default updown vici } diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..acba9cecb --- /dev/null +++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf 
@@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = camellia192-sha384 + } + } + version = 2 + proposals = camellia256-sha512-modp3072 + } +} diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 8481f8974..000000000 --- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=camellia256-sha512-modp3072! - esp=camellia192-sha384! - -conn rw - left=PH_IP_MOON - leftfirewall=yes - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf index 3c094be34..e1d5a10dc 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce pem pkcs1 gcrypt hmac x509 revocation kernel-netlink curl socket-default updown vici } 
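Review bot: This swanctl.conf is added with `new file mode 100755`, i.e. as an executable, although it is a plain configuration file holding the connection definition. Configuration files are better committed as 100644, so that they cannot be executed by accident and permission audits of the guest images stay clean. The moon swanctl.conf of this scenario and the three rw-cert swanctl.conf files further down are added with the same mode.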
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..1c06bb2ce --- /dev/null +++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = camellia192-sha384 + } + } + version = 2 + proposals = camellia256-sha512-modp3072 + } +} diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat index 046d4cfdc..2b00bea8e 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat +++ b/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat @@ -1,4 +1,5 @@ -moon::ipsec stop -carol::ipsec stop +carol::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat index e34f70277..dbd1738ae 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat +++ b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -moon::expect-connection rw +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection net carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null 
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/test.conf b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf index 4a5fc470f..307c7e9cc 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/test.conf +++ b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/gcrypt-ikev2/rw-cert/description.txt b/testing/tests/gcrypt-ikev2/rw-cert/description.txt index f60f5b1ad..0502a6be2 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/description.txt +++ b/testing/tests/gcrypt-ikev2/rw-cert/description.txt @@ -5,8 +5,8 @@ plugins aes des sha1 sha2 md5 gmp.

The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. -Upon the successful establishment of the IPsec tunnels, leftfirewall=yes -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. -In order to test both tunnel and firewall, both carol and dave ping -the client alice behind the gateway moon. +Upon the successful establishment of the IPsec tunnels, the updown directive +in swanctl.conf automatically inserts iptables-based firewall rules that let pass the +tunneled traffic. In order to test both tunnel and firewall, both carol and +dave ping the client alice behind the gateway moon. diff --git a/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat b/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat index 849d59a4e..eccdcf0c1 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat +++ b/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat 
@@ -1,13 +1,9 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_1536.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org 
remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_1536.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 214a8de28..000000000 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=3des-sha1-modp1536! - esp=3des-sha1! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf index 2b4da7495..c637e97ec 100644 
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,8 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..22fe14f92 --- /dev/null +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = 3des-sha1-modp1536 + } + } + version = 2 + proposals = 3des-sha1-modp1536 + } +} diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 603651a43..000000000 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf +++ /dev/null 
@@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes256-sha512-modp2048! - esp=aes256-sha512! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf index f7b335e72..4f6bec1b4 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,8 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr ccm vici stroke kernel-netlink socket-default updown integrity_test = yes crypto_test { required = yes diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..b3622f50e --- /dev/null +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf 
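Review bot: In dave's `charon-systemd` load list, `vici` took the place of `gcm` and `stroke` stayed, whereas the carol and moon files of this scenario replace `stroke` with `vici` and keep `gcm`. With dave's ipsec.conf deleted, the stroke plugin has no consumer left, and dropping `gcm` looks unintended, although it may not change the test result since the negotiated suite is AES-CBC. I would end the list as `... hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown`. The `charon-systemd` section continues past the end of the hunk.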
@@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf deleted file mode 100644 index ce4c0decb..000000000 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes256-sha512-modp2048,3des-sha1-modp1536! - esp=aes256-sha512,3des-sha1! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf index 2b4da7495..c637e97ec 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,8 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown integrity_test = yes crypto_test { on_add = yes 
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..ccd247af0 --- /dev/null +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-modp3072,3des-sha1-modp1536 + } + } + version = 2 + proposals = aes128-sha256-modp3072,3des-sha1-modp1536 + } +} diff --git a/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat b/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat index 1865a1c60..b909ac76c 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat +++ b/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat @@ -1,6 +1,8 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat index 15c4ad7d1..664cc9447 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat +++ b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat 
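Review bot: moon's `proposals` and `esp_proposals` accept `3des-sha1-modp1536` next to `aes128-sha256-modp3072`, and carol's swanctl.conf in this patch offers only the 3DES suite, with no comment saying the legacy suite is deliberate. The removed ipsec.conf listed the same suite, so this is presumably intended algorithm coverage for the gcrypt scenario rather than a regression. I would add a line such as `# 3des-sha1-modp1536 is kept only to exercise legacy algorithms in this test; not a template for deployments` above `proposals`, so the file is not copied as a working example.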
@@ -1,11 +1,11 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start -moon::expect-connection rw -carol::expect-connection home +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +moon::expect-connection net +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -carol::ipsec up home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/gcrypt-ikev2/rw-cert/test.conf b/testing/tests/gcrypt-ikev2/rw-cert/test.conf index f29298850..1227b9d1c 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/test.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf index d6e251dba..0ddecec94 100644 --- a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2, knl 3" - conn %default keyexchange=ikev1 ike=aes128-sha256-modp3072! diff --git a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf index 02ae5affa..7e78d0431 100644 --- a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf 
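Review bot: Both added `swanctl --initiate --child home 2> /dev/null` lines discard stderr, so when initiation fails the reason presumably never reaches the test console log and the failure only surfaces later as an unmet expectation. Unless the harness relies on the silence, dropping the redirect (`carol::swanctl --initiate --child home`) keeps the diagnostic next to the command that produced it.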
@@ -3,4 +3,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + knl = 3 + } + } } diff --git a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf index 7c0490d59..40327a9ec 100644 --- a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2, knl 3" - conn %default keyexchange=ikev1 ike=aes128-sha256-modp3072! diff --git a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf index 02ae5affa..7e78d0431 100644 --- a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf @@ -3,4 +3,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + knl = 3 + } + } } diff --git a/testing/tests/ikev1/net2net-esn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-esn/hosts/moon/etc/ipsec.conf index 4fcff4a89..6c4ad62fc 100644 --- a/testing/tests/ikev1/net2net-esn/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-esn/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2, knl 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev1/net2net-esn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-esn/hosts/moon/etc/strongswan.conf index 02ae5affa..ca7ff4f59 100644 --- a/testing/tests/ikev1/net2net-esn/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-esn/hosts/moon/etc/strongswan.conf 
@@ -3,4 +3,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + knl = 2 + } + } } diff --git a/testing/tests/ikev1/net2net-esn/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-esn/hosts/sun/etc/ipsec.conf index 2e81bfd04..1bf040c21 100644 --- a/testing/tests/ikev1/net2net-esn/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-esn/hosts/sun/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2, knl 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev1/net2net-esn/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-esn/hosts/sun/etc/strongswan.conf index 02ae5affa..ca7ff4f59 100644 --- a/testing/tests/ikev1/net2net-esn/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-esn/hosts/sun/etc/strongswan.conf @@ -3,4 +3,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + knl = 2 + } + } } diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/ipsec.conf index 218c9f155..a725ea7da 100644 --- a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="ike 4, lib 4" - conn %default ikelifetime=60m keylife=20m @@ -13,7 +10,7 @@ conn %default esp=aes256-sha512! mobike=no -conn net-net +conn net-net left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org 
diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf index 38df6a919..759b92285 100644 --- a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf @@ -6,6 +6,12 @@ charon { multiple_authentication = no send_vendor_id = yes + syslog { + daemon { + ike = 4 + lib = 4 + } + } plugins { ntru { parameter_set = optimum diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/ipsec.conf index ce610b6a3..5cadaccc9 100644 --- a/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/ipsec.conf @@ -1,19 +1,16 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="ike 4, lib 4" - conn %default ikelifetime=60m keylife=20m rekeymargin=3m - keyingtries=1 + keyingtries=1 keyexchange=ikev1 ike=aes256-sha512-ntru256! esp=aes256-sha512! mobike=no -conn net-net +conn net-net left=PH_IP_SUN leftcert=sunCert.pem leftid=@sun.strongswan.org diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf index 7a578d242..04da33fd6 100644 --- a/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf @@ -5,4 +5,10 @@ charon { multiple_authentication = no send_vendor_id = yes + syslog { + daemon { + ike = 4 + lib = 4 + } + } } diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/ipsec.conf index 77ed2c0c9..afa1641c5 100644 --- a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/ipsec.conf 
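Review bot: The `ike = 4` and `lib = 4` levels added under `syslog { daemon` make charon write sensitive material such as keys to the system log, since level 4 is the logger's private level, and nothing in the file marks that as test-only. The old `charondebug="ike 4, lib 4"` had the same effect, so this is a documentation gap rather than a regression. A comment above the block, e.g. `# level 4 logs private key material; test scenario only`, would cover it. The same block is added for sun in this test and in the ikev2 net2net-ntru-bandwidth and net2net-ntru-cert scenarios further down. The enclosing `charon` section starts and ends outside the hunk.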
@@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="job 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf index af5fa19ef..cf4c1eba4 100644 --- a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf @@ -2,4 +2,9 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + syslog { + daemon { + job = 2 + } + } } diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/ipsec.conf index 82a8f38c5..51a2e5758 100644 --- a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="job 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf index 93f434598..f09c27902 100644 --- a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf @@ -2,4 +2,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + syslog { + daemon { + job = 2 + } + } } diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf index 89674b2a1..7456a9d8a 100644 --- a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf 
+++ b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf index d69a7b808..99d3c61d9 100644 --- a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf @@ -2,4 +2,9 @@ charon { load = random nonce aes blowfish md5 sha1 sha2 pem pkcs1 gmp curl x509 revocation hmac stroke kernel-netlink socket-default updown + syslog { + daemon { + cfg = 2 + } + } } diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf index 82804a0fe..3c0578d4b 100644 --- a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf index a3c9999f7..99a0e8940 100644 --- a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf @@ -2,4 +2,9 @@ charon { load = random nonce blowfish sha1 sha2 pem pkcs1 gmp curl x509 revocation hmac stroke kernel-netlink socket-default updown + syslog { + daemon { + cfg = 2 + } + } } diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf index aac963e91..eee4e6edc 100644 --- a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf 
@@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m keylife=20m @@ -10,7 +7,7 @@ conn %default keyingtries=1 keyexchange=ikev2 -conn alice +conn alice rightid=alice@strongswan.org mark=10/0xffffffff also=sun diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf index 93f434598..9691dd22f 100644 --- a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf @@ -2,4 +2,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf index 7af65a55d..e8eaa4887 100644 --- a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2, knl 2" - conn %default keyexchange=ikev2 ike=aes128-sha256-modp3072! diff --git a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf index 02ae5affa..ca7ff4f59 100644 --- a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf @@ -3,4 +3,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + knl = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf index 82da6cb7a..95e90fd09 100644 
--- a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2, knl 2" - conn %default keyexchange=ikev2 ike=aes128-sha256-modp3072! diff --git a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf index 02ae5affa..ca7ff4f59 100644 --- a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf @@ -3,4 +3,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + knl = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf index 8cce0c957..71f5442c0 100644 --- a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2, knl 2" - conn %default ikelifetime=60m keylife=20m @@ -13,7 +10,7 @@ conn %default esp=aes128-sha256-esn-noesn! mobike=no -conn net-net +conn net-net left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf index 02ae5affa..ca7ff4f59 100644 --- a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf @@ -3,4 +3,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + knl = 2 + } + } } 
diff --git a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf index 1fd5ddb03..9e0df8111 100644 --- a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf @@ -1,19 +1,16 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2, knl 2" - conn %default ikelifetime=60m keylife=20m rekeymargin=3m - keyingtries=1 + keyingtries=1 keyexchange=ikev2 ike=aes128-sha256-modp3072! esp=aes128-sha256-esn! mobike=no -conn net-net +conn net-net left=PH_IP_SUN leftcert=sunCert.pem leftid=@sun.strongswan.org diff --git a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf index 02ae5affa..ca7ff4f59 100644 --- a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf @@ -3,4 +3,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + knl = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf index 01d114dd9..4251ecd68 100644 --- a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="ike 4, lib 4" - conn %default ikelifetime=60m keylife=20m @@ -13,7 +10,7 @@ conn %default esp=aes128-sha256! mobike=no -conn net-net +conn net-net left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org 
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf index 49077484a..2dd0446ce 100644 --- a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf @@ -6,9 +6,15 @@ charon { multiple_authentication = no send_vendor_id = yes + syslog { + daemon { + ike = 4 + lib = 4 + } + } plugins { ntru { - parameter_set = x9_98_bandwidth + parameter_set = x9_98_bandwidth } } } diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf index e57bec965..449ee7989 100644 --- a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf @@ -1,19 +1,16 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="ike 4, lib 4" - conn %default ikelifetime=60m keylife=20m rekeymargin=3m - keyingtries=1 + keyingtries=1 keyexchange=ikev2 ike=aes128-sha256-ntru128! esp=aes128-sha256! mobike=no -conn net-net +conn net-net left=PH_IP_SUN leftcert=sunCert.pem leftid=@sun.strongswan.org diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf index 1dcbd6c27..2dd0446ce 100644 --- a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf @@ -6,6 +6,12 @@ charon { multiple_authentication = no send_vendor_id = yes + syslog { + daemon { + ike = 4 + lib = 4 + } + } plugins { ntru { parameter_set = x9_98_bandwidth diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/ipsec.conf index 9da45bcba..f29a8b2a2 100644 
--- a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="ike 4, lib 4" - conn %default ikelifetime=60m keylife=20m @@ -13,7 +10,7 @@ conn %default esp=aes256-sha512! mobike=no -conn net-net +conn net-net left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf index 38df6a919..759b92285 100644 --- a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf @@ -6,6 +6,12 @@ charon { multiple_authentication = no send_vendor_id = yes + syslog { + daemon { + ike = 4 + lib = 4 + } + } plugins { ntru { parameter_set = optimum diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/ipsec.conf index 50be98057..76fbc8024 100644 --- a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/ipsec.conf @@ -1,19 +1,16 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="ike 4, lib 4" - conn %default ikelifetime=60m keylife=20m rekeymargin=3m - keyingtries=1 + keyingtries=1 keyexchange=ikev2 ike=aes256-sha512-ntru256! esp=aes256-sha512! mobike=no -conn net-net +conn net-net left=PH_IP_SUN leftcert=sunCert.pem leftid=@sun.strongswan.org diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf index 0b31f738c..d461bda50 100644 --- a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf 
@@ -4,4 +4,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no send_vendor_id = yes + syslog { + daemon { + ike = 4 + lib = 4 + } + } } diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf index aeaebe1f4..8c7918b80 100644 --- a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m keylife=20m @@ -25,7 +22,7 @@ conn dscp-ef also=net-net auto=add -conn net-net +conn net-net left=PH_IP_MOON leftsubnet=10.1.0.0/16 leftfirewall=yes diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf index 3cf8c8807..a0be3ce18 100644 --- a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 curve25519 hmac curl stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf index 8b54476fd..3c4d0a07f 100644 --- a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf @@ -1,13 +1,10 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m keylife=20m rekeymargin=3m - keyingtries=1 + keyingtries=1 keyexchange=ikev2 mobike=no 
@@ -25,7 +22,7 @@ conn dscp-ef also=net-net auto=add -conn net-net +conn net-net left=PH_IP_SUN leftsubnet=10.2.0.0/16 leftfirewall=yes diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf index 3cf8c8807..a0be3ce18 100644 --- a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 curve25519 hmac curl stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/ipsec.conf index dcd98b4de..ec3daa00a 100644 --- a/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m lifetime=10s diff --git a/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf index 3dcbf76ea..8d26c1381 100644 --- a/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf @@ -4,4 +4,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown # remove rekeyed inbound SA a bit quicker for the test scenario delete_rekeyed_delay = 2 + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf index 9ba918893..ec7d9a79a 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf 
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2" - conn %default ikelifetime=60m keylife=20m @@ -11,7 +8,7 @@ conn %default keyexchange=ikev2 mobike=no -conn net-net +conn net-net left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf index 18ed6a4c4..c9a56d748 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf index d41e43a5c..cc86ebc0a 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf @@ -1,17 +1,14 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2" - conn %default ikelifetime=60m keylife=20m rekeymargin=3m - keyingtries=1 + keyingtries=1 keyexchange=ikev2 mobike=no -conn net-net +conn net-net left=PH_IP_SUN leftcert=sunCert.pem leftid=@sun.strongswan.org diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf index 18ed6a4c4..c9a56d748 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf 
@@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + } + } } diff --git a/testing/tests/ikev2/redirect-active/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/redirect-active/hosts/carol/etc/ipsec.conf index a5c2cc5fc..cdcf4e6f2 100644 --- a/testing/tests/ikev2/redirect-active/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/redirect-active/hosts/carol/etc/ipsec.conf @@ -1,7 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf index af5fa19ef..6bc136a9b 100644 --- a/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf @@ -2,4 +2,9 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf index b7b27b720..10d92873d 100644 --- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf index 6b0ab0dcc..58a2f2243 100644 --- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf 
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf @@ -4,6 +4,11 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl hmac gcm stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } plugins { eap-tls { max_message_count = 40 diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf index ee4bfd27d..0ab0c4772 100644 --- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf index 6b0ab0dcc..58a2f2243 100644 --- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf @@ -4,6 +4,11 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl hmac gcm stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } plugins { eap-tls { max_message_count = 40 diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf index 5e06976d1..756e3835c 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m 
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf index 2261fc3e1..74881b5cf 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf @@ -4,4 +4,9 @@ charon { load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf index 37fa2b435..4a645d741 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf index 8865bd52c..797d27cc2 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf @@ -4,6 +4,11 @@ charon { load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } libtls { diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf index fc6f1e633..6aaeb160f 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf 
@@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf index 84d571482..ef5666914 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf @@ -3,6 +3,11 @@ charon { load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } libtls { diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf index 8ff3c2ab6..576d2cb99 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf index 951002690..fa1febe0f 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf index 367c0b527..ba52ec31e 100644 
--- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf index 951002690..fa1febe0f 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf index cd93a48e7..738481257 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf index 242329b3b..02899fdb7 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf @@ -4,6 +4,11 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } plugins { eap-ttls { phase2_method = md5 
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf index 8ff3c2ab6..576d2cb99 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf index 951002690..fa1febe0f 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf index 367c0b527..ba52ec31e 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf index 951002690..fa1febe0f 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf 
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf index cd93a48e7..738481257 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf index 20afebf81..0ff7725ca 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf @@ -4,6 +4,11 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } plugins { eap-ttls { phase2_method = md5 diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf index 5b1ac90a3..c18df1c73 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf 
@@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf index 1d380c409..443332acc 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf index 8aa168745..2b58fbfca 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf index 1d380c409..443332acc 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf index 4b549cbd5..f0094e4d7 100644 
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m keylife=20m @@ -10,7 +7,7 @@ conn %default keyingtries=1 keyexchange=ikev2 -conn alice +conn alice rightid=alice@strongswan.org mark_in=10/0xffffffff mark_out=11/0xffffffff diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf index 93f434598..9691dd22f 100644 --- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf @@ -2,4 +2,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf index a2d62296f..0e4eaa1ea 100644 --- a/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf index dbcd7d844..709e0c5e4 100644 --- a/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + knl = 2 + } + } } 
diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf index 3c7adfbf9..47792af99 100644 --- a/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf index 8d89cd0bb..5e900fd1b 100644 --- a/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf index 409bee2cb..650ebddd9 100644 --- a/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf index 8d89cd0bb..5e900fd1b 100644 --- a/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + knl = 2 + } + } } 
diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf index 71edc4c14..ef99cc768 100644 --- a/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf index 8d89cd0bb..5e900fd1b 100644 --- a/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/description.txt b/testing/tests/ipv6-stroke/host2host-ikev1/description.txt new file mode 100644 index 000000000..b52c4caf8 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev1/description.txt @@ -0,0 +1,5 @@ +An IPv6 ESP connection between the hosts moon and sun is successfully set up. +The authentication is based on X.509 certificates. Upon the successful establishment of +the IPsec tunnel, leftfirewall=yes automatically inserts ip6tables-based firewall +rules that let pass the tunneled traffic. In order to test both the host-to-host tunnel +and the firewall rules, moon sends an IPv6 ICMP request to sun using the ping6 command. diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat new file mode 100644 index 000000000..186ce4e06 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat 
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
+sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/host2host-ikev1/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..9e68eb674
--- /dev/null
+++ b/testing/tests/ipv6-stroke/host2host-ikev1/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+ca strongswan
+ cacert=strongswanCert.pem
+ certuribase=http://ip6-winnetou.strongswan.org/certs/
+ crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ fragmentation=yes
+
+conn net-net
+ also=host-host
+ leftsubnet=fec1::0/16
+ rightsubnet=fec2::0/16
+
+conn host-host
+ left=PH_IP6_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=PH_IP6_SUN
+ rightid=@sun.strongswan.org
+ auto=add
+
diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/host2host-ikev1/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..8c90a8e03
--- /dev/null
+++ b/testing/tests/ipv6-stroke/host2host-ikev1/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/host2host-ikev1/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..23bc5c627
--- /dev/null
+++ b/testing/tests/ipv6-stroke/host2host-ikev1/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,31 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+ca strongswan
+ cacert=strongswanCert.pem
+ certuribase=http://ip6-winnetou.strongswan.org/certs/
+ crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ fragmentation=yes
+
+conn net-net
+ also=host-host
+ leftsubnet=fec2::0/16
+ rightsubnet=fec1::0/16
+
+conn host-host
+ left=PH_IP6_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftfirewall=yes
+ right=PH_IP6_MOON
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/host2host-ikev1/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..93f434598
--- /dev/null
+++ b/testing/tests/ipv6-stroke/host2host-ikev1/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/posttest.dat b/testing/tests/ipv6-stroke/host2host-ikev1/posttest.dat
new file mode 100644
index 000000000..d3bebd0c6
--- /dev/null
+++ b/testing/tests/ipv6-stroke/host2host-ikev1/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/pretest.dat b/testing/tests/ipv6-stroke/host2host-ikev1/pretest.dat
new file mode 100644
index 000000000..46c015387
--- /dev/null
+++ b/testing/tests/ipv6-stroke/host2host-ikev1/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
+moon::ipsec start
+sun::ipsec start
+moon::expect-connection host-host
+sun::expect-connection host-host
+moon::ipsec up host-host
diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/test.conf b/testing/tests/ipv6-stroke/host2host-ikev1/test.conf
new file mode 100644
index 000000000..e1d17aa16
--- /dev/null
+++ b/testing/tests/ipv6-stroke/host2host-ikev1/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s-ip6.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# IP protocol used by IPsec is IPv6
+#
+IPV6=1
diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/description.txt b/testing/tests/ipv6-stroke/host2host-ikev2/description.txt
new file mode 100644
index 000000000..b52c4caf8
--- /dev/null
+++ b/testing/tests/ipv6-stroke/host2host-ikev2/description.txt
@@ -0,0 +1,5 @@
+An IPv6 ESP connection between the hosts moon and sun is successfully set up.
+The authentication is based on X.509 certificates. Upon the successful establishment of
+the IPsec tunnel, leftfirewall=yes automatically inserts ip6tables-based firewall
+rules that let pass the tunneled traffic. In order to test both the host-to-host tunnel
+and the firewall rules, moon sends an IPv6 ICMP request to sun using the ping6 command.
diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat
new file mode 100644
index 000000000..186ce4e06
--- /dev/null
+++ b/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
+sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/host2host-ikev2/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..faee5c854
--- /dev/null
+++ b/testing/tests/ipv6-stroke/host2host-ikev2/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,31 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+ca strongswan
+ cacert=strongswanCert.pem
+ certuribase=http://ip6-winnetou.strongswan.org/certs/
+ crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn net-net
+ also=host-host
+ leftsubnet=fec1::0/16
+ rightsubnet=fec2::0/16
+
+conn host-host
+ left=PH_IP6_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=PH_IP6_SUN
+ rightid=@sun.strongswan.org
+ auto=add
+
diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/host2host-ikev2/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..93f434598
--- /dev/null
+++ b/testing/tests/ipv6-stroke/host2host-ikev2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/host2host-ikev2/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..f4dc393ee
--- /dev/null
+++ b/testing/tests/ipv6-stroke/host2host-ikev2/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,30 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+ca strongswan
+ cacert=strongswanCert.pem
+ certuribase=http://ip6-winnetou.strongswan.org/certs/
+ crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn net-net
+ also=host-host
+ leftsubnet=fec2::0/16
+ rightsubnet=fec1::0/16
+
+conn host-host
+ left=PH_IP6_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftfirewall=yes
+ right=PH_IP6_MOON
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/host2host-ikev2/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..93f434598
--- /dev/null
+++ b/testing/tests/ipv6-stroke/host2host-ikev2/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/posttest.dat b/testing/tests/ipv6-stroke/host2host-ikev2/posttest.dat
new file mode 100644
index 000000000..d3bebd0c6
--- /dev/null
+++ b/testing/tests/ipv6-stroke/host2host-ikev2/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/pretest.dat b/testing/tests/ipv6-stroke/host2host-ikev2/pretest.dat
new file mode 100644
index 000000000..46c015387
--- /dev/null
+++ b/testing/tests/ipv6-stroke/host2host-ikev2/pretest.dat
@@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.drop +sun::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +moon::ipsec start +sun::ipsec start +moon::expect-connection host-host +sun::expect-connection host-host +moon::ipsec up host-host diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/test.conf b/testing/tests/ipv6-stroke/host2host-ikev2/test.conf new file mode 100644 index 000000000..e1d17aa16 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev2/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/description.txt b/testing/tests/ipv6-stroke/net2net-ikev1/description.txt new file mode 100644 index 000000000..5952ecc2d --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev1/description.txt @@ -0,0 +1,6 @@ +An IPv6 ESP tunnel connection between the gateways moon and sun is successfully set up. +It connects the two subnets hiding behind their respective gateways. The authentication is based on +X.509 certificates. Upon the successful establishment of the IPsec tunnel, leftfirewall=yes +automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +In order to test both the net-to-net tunnel and the firewall rules, client alice behind moon +sends an IPv6 ICMP request to client bob behind sun using the ping6 command. 
diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat
new file mode 100644
index 000000000..4cf23a31b
--- /dev/null
+++ b/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat
@@ -0,0 +1,7 @@
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
+sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ikev1/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..4821989a9
--- /dev/null
+++ b/testing/tests/ipv6-stroke/net2net-ikev1/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,31 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+ca strongswan
+ cacert=strongswanCert.pem
+ certuribase=http://ip6-winnetou.strongswan.org/certs/
+ crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ fragmentation=yes
+
+conn net-net
+ also=host-host
+ leftsubnet=fec1::0/16
+ rightsubnet=fec2::0/16
+
+conn host-host
+ left=PH_IP6_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=PH_IP6_SUN
+ rightid=@sun.strongswan.org
+ auto=add
diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ikev1/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..00380ccb4
--- /dev/null
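Review bot: In `net2net-ikev1/evaltest.dat` the fourth check matches `net.net` where the other three match `net-net`. The field is a pattern (it uses `.*`), so the bare dot accepts any character in place of the hyphen and the check is looser than its siblings for no visible reason. Make it `sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES`. The same mixed spelling appears in the evaltest.dat files of net2net-ikev2, net2net-ip4-in-ip6-ikev1/ikev2 and net2net-ip6-in-ip4-ikev1 further down in this diff.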
+++ b/testing/tests/ipv6-stroke/net2net-ikev1/hosts/moon/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ikev1/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..23bc5c627 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev1/hosts/sun/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + fragmentation=yes + +conn net-net + also=host-host + leftsubnet=fec2::0/16 + rightsubnet=fec1::0/16 + +conn host-host + left=PH_IP6_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP6_MOON + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ikev1/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..00380ccb4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev1/hosts/sun/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/posttest.dat b/testing/tests/ipv6-stroke/net2net-ikev1/posttest.dat new file mode 100644 index 000000000..078fca541 --- /dev/null 
+++ b/testing/tests/ipv6-stroke/net2net-ikev1/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +sun::ipsec stop +alice::"ip route del fec2:\:/16 via fec1:\:1" +moon::"ip route del fec2:\:/16 via fec0:\:2" +sun::"ip route del fec1:\:/16 via fec0:\:1" +bob::"ip route del fec1:\:/16 via fec2:\:1" +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/pretest.dat b/testing/tests/ipv6-stroke/net2net-ikev1/pretest.dat new file mode 100644 index 000000000..a14b3cf79 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev1/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.drop +sun::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec2:\:/16 via fec1:\:1" +moon::"ip route add fec2:\:/16 via fec0:\:2" +sun::"ip route add fec1:\:/16 via fec0:\:1" +bob::"ip route add fec1:\:/16 via fec2:\:1" +moon::ipsec start +sun::ipsec start +moon::expect-connection net-net +sun::expect-connection net-net +moon::ipsec up net-net diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/test.conf b/testing/tests/ipv6-stroke/net2net-ikev1/test.conf new file mode 100644 index 000000000..abade5bba --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev1/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 
diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/description.txt b/testing/tests/ipv6-stroke/net2net-ikev2/description.txt new file mode 100644 index 000000000..5952ecc2d --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/description.txt @@ -0,0 +1,6 @@ +An IPv6 ESP tunnel connection between the gateways moon and sun is successfully set up. +It connects the two subnets hiding behind their respective gateways. The authentication is based on +X.509 certificates. Upon the successful establishment of the IPsec tunnel, leftfirewall=yes +automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +In order to test both the net-to-net tunnel and the firewall rules, client alice behind moon +sends an IPv6 ICMP request to client bob behind sun using the ping6 command. diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat new file mode 100644 index 000000000..4cf23a31b --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat @@ -0,0 +1,7 @@ +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES +alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES +sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..7292066a9 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/ipsec.conf 
@@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + fragmentation=yes + mobike=no + +conn net-net + also=host-host + leftsubnet=fec1::0/16 + rightsubnet=fec2::0/16 + +conn host-host + left=PH_IP6_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP6_SUN + rightid=@sun.strongswan.org + auto=add diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..00380ccb4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ikev2/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..2141c15c5 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/hosts/sun/etc/ipsec.conf 
@@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + fragmentation=yes + mobike=no + +conn net-net + also=host-host + leftsubnet=fec2::0/16 + rightsubnet=fec1::0/16 + +conn host-host + left=PH_IP6_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP6_MOON + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ikev2/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..00380ccb4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/hosts/sun/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/posttest.dat b/testing/tests/ipv6-stroke/net2net-ikev2/posttest.dat new file mode 100644 index 000000000..078fca541 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +sun::ipsec stop +alice::"ip route del fec2:\:/16 via fec1:\:1" +moon::"ip route del fec2:\:/16 via fec0:\:2" +sun::"ip route del fec1:\:/16 via fec0:\:1" +bob::"ip route del fec1:\:/16 via fec2:\:1" +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush 
diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/pretest.dat b/testing/tests/ipv6-stroke/net2net-ikev2/pretest.dat new file mode 100644 index 000000000..a14b3cf79 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.drop +sun::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec2:\:/16 via fec1:\:1" +moon::"ip route add fec2:\:/16 via fec0:\:2" +sun::"ip route add fec1:\:/16 via fec0:\:1" +bob::"ip route add fec1:\:/16 via fec2:\:1" +moon::ipsec start +sun::ipsec start +moon::expect-connection net-net +sun::expect-connection net-net +moon::ipsec up net-net diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/test.conf b/testing/tests/ipv6-stroke/net2net-ikev2/test.conf new file mode 100644 index 000000000..abade5bba --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/description.txt b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/description.txt new file mode 100644 index 000000000..62fff0b30 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/description.txt 
@@ -0,0 +1,4 @@ +An IPv6 ESP tunnel connection between the gateways moon and sun is successfully set up. +It connects the two IPv4 subnets hiding behind their respective gateways. The authentication is based on +X.509 certificates. In order to test the IPv4-over-IPv6 ESP tunnel, client alice behind moon +sends an IPv4 ICMP request to client bob behind sun using the ping command. diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/evaltest.dat new file mode 100644 index 000000000..ee9e22ed7 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/evaltest.dat @@ -0,0 +1,7 @@ +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES +sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..c43086f76 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf 
@@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + fragmentation=yes + +conn net-net + also=host-host + leftsubnet=10.1.0.0/16 + rightsubnet=10.2.0.0/16 + +conn host-host + left=PH_IP6_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP6_SUN + rightid=@sun.strongswan.org + auto=add diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..00380ccb4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..f64bc2342 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf 
@@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + fragmentation=yes + +conn net-net + also=host-host + leftsubnet=10.2.0.0/16 + rightsubnet=10.1.0.0/16 + +conn host-host + left=PH_IP6_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP6_MOON + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..00380ccb4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/posttest.dat b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/posttest.dat new file mode 100644 index 000000000..d3bebd0c6 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/pretest.dat b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/pretest.dat new file mode 100644 index 000000000..812ccd162 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/pretest.dat 
@@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.drop +sun::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +moon::ipsec start +sun::ipsec start +moon::expect-connection net-net +sun::expect-connection net-net +moon::ipsec up net-net diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/test.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/test.conf new file mode 100644 index 000000000..58ec28767 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b-ip4-in-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/description.txt b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/description.txt new file mode 100644 index 000000000..62fff0b30 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/description.txt @@ -0,0 +1,4 @@ +An IPv6 ESP tunnel connection between the gateways moon and sun is successfully set up. +It connects the two IPv4 subnets hiding behind their respective gateways. The authentication is based on +X.509 certificates. In order to test the IPv4-over-IPv6 ESP tunnel, client alice behind moon +sends an IPv4 ICMP request to client bob behind sun using the ping command. diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/evaltest.dat new file mode 100644 index 000000000..ee9e22ed7 --- /dev/null 
+++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/evaltest.dat @@ -0,0 +1,7 @@ +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES +sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..704737eaf --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + also=host-host + leftsubnet=10.1.0.0/16 + rightsubnet=10.2.0.0/16 + +conn host-host + left=PH_IP6_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP6_SUN + rightid=@sun.strongswan.org + auto=add diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..00380ccb4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf 
@@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..e739fc8ea --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + also=host-host + leftsubnet=10.2.0.0/16 + rightsubnet=10.1.0.0/16 + +conn host-host + left=PH_IP6_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP6_MOON + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..00380ccb4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/posttest.dat b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/posttest.dat new file mode 100644 index 000000000..d3bebd0c6 --- /dev/null 
+++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/pretest.dat b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/pretest.dat new file mode 100644 index 000000000..812ccd162 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.drop +sun::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +moon::ipsec start +sun::ipsec start +moon::expect-connection net-net +sun::expect-connection net-net +moon::ipsec up net-net diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/test.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/test.conf new file mode 100644 index 000000000..58ec28767 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b-ip4-in-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/description.txt b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/description.txt new file mode 100644 index 000000000..5952ecc2d --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/description.txt 
@@ -0,0 +1,6 @@ +An IPv6 ESP tunnel connection between the gateways moon and sun is successfully set up. +It connects the two subnets hiding behind their respective gateways. The authentication is based on +X.509 certificates. Upon the successful establishment of the IPsec tunnel, leftfirewall=yes +automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +In order to test both the net-to-net tunnel and the firewall rules, client alice behind moon +sends an IPv6 ICMP request to client bob behind sun using the ping6 command. diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat new file mode 100644 index 000000000..803cf5ef5 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat @@ -0,0 +1,7 @@ +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES +alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules 
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..93660a2d8
--- /dev/null
+++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+
+conn net-net
+ left=PH_IP_MOON
+ leftsubnet=fec1::0/16
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightsubnet=fec2::0/16
+ rightid=@sun.strongswan.org
+ auto=add
diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..aeab0b9b5
--- /dev/null
+++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+ install_routes = no
+ fragment_size = 1400
+}
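Review bot: In `net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules` the comment `# log dropped packets` is followed by LOG rules for INPUT and OUTPUT only. FORWARD also has policy DROP, so forwarded IPv6 packets that match no accept rule are discarded without a log entry. In a net-to-net scenario the traffic under test is forwarded, which makes that the chain a failing run would most need logs from. Add `-A FORWARD -j LOG --log-prefix " FWD: "` before `COMMIT`, or narrow the comment to `# log dropped INPUT/OUTPUT packets` if the omission is deliberate. The identical file added for sun in the next hunk has the same gap.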
diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..30dadee78 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn net-net + left=PH_IP_SUN + leftsubnet=fec2::0/16 + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=fec1::0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..429439ee4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf 
@@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + install_routes=no + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/posttest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/posttest.dat new file mode 100644 index 000000000..078fca541 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +sun::ipsec stop +alice::"ip route del fec2:\:/16 via fec1:\:1" +moon::"ip route del fec2:\:/16 via fec0:\:2" +sun::"ip route del fec1:\:/16 via fec0:\:1" +bob::"ip route del fec1:\:/16 via fec2:\:1" +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/pretest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/pretest.dat new file mode 100644 index 000000000..58711bc06 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec2:\:/16 via fec1:\:1" +moon::"ip route add fec2:\:/16 via fec0:\:2" +sun::"ip route add fec1:\:/16 via fec0:\:1" +bob::"ip route add fec1:\:/16 via fec2:\:1" +moon::ipsec start +sun::ipsec start +moon::expect-connection net-net +sun::expect-connection net-net +moon::ipsec up net-net diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/test.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/test.conf new file mode 100644 index 000000000..345e2d808 --- /dev/null 
+++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b-ip6-in-ip4.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/description.txt b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/description.txt new file mode 100644 index 000000000..5952ecc2d --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/description.txt @@ -0,0 +1,6 @@ +An IPv6 ESP tunnel connection between the gateways moon and sun is successfully set up. +It connects the two subnets hiding behind their respective gateways. The authentication is based on +X.509 certificates. Upon the successful establishment of the IPsec tunnel, leftfirewall=yes +automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +In order to test both the net-to-net tunnel and the firewall rules, client alice behind moon +sends an IPv6 ICMP request to client bob behind sun using the ping6 command. diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat new file mode 100644 index 000000000..803cf5ef5 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat 
@@ -0,0 +1,7 @@
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..f1cbd5576
--- /dev/null
+++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf
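Review bot: The two sun checks in evaltest.dat match `net.net`, where the unescaped `.` accepts any character, while the two moon checks use the literal `net-net`. The connection is called `net-net` in both hosts' ipsec.conf, so the sun patterns should start with `net-net.*ESTABLISHED` and `net-net.*INSTALLED, TUNNEL` to keep the assertion as tight as moon's.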
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn net-net
+ left=PH_IP_MOON
+ leftsubnet=fec1::0/16
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightsubnet=fec2::0/16
+ rightid=@sun.strongswan.org
+ auto=add
diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..0be55a717
--- /dev/null
+++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+ install_routes = no
+}
diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..1f1fa6c51 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_SUN + leftsubnet=fec2::0/16 + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=fec1::0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..812d52a95 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + install_routes=no +} diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/posttest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/posttest.dat new file mode 100644 index 000000000..078fca541 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +sun::ipsec stop +alice::"ip route del fec2:\:/16 via fec1:\:1" +moon::"ip route del fec2:\:/16 via fec0:\:2" +sun::"ip route del fec1:\:/16 via fec0:\:1" +bob::"ip route del fec1:\:/16 via fec2:\:1" +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush 
diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/pretest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/pretest.dat
new file mode 100644
index 000000000..58711bc06
--- /dev/null
+++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/pretest.dat
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
+alice::"ip route add fec2:\:/16 via fec1:\:1"
+moon::"ip route add fec2:\:/16 via fec0:\:2"
+sun::"ip route add fec1:\:/16 via fec0:\:1"
+bob::"ip route add fec1:\:/16 via fec2:\:1"
+moon::ipsec start
+sun::ipsec start
+moon::expect-connection net-net
+sun::expect-connection net-net
+moon::ipsec up net-net
diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/test.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/test.conf
new file mode 100644
index 000000000..345e2d808
--- /dev/null
+++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b-ip6-in-ip4.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# IP protocol used by IPsec is IPv6
+#
+IPV6=1
diff --git a/testing/tests/ipv6-stroke/rw-ikev1/description.txt b/testing/tests/ipv6-stroke/rw-ikev1/description.txt
new file mode 100644
index 000000000..17461370e
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ikev1/description.txt
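Review bot: The comment `# IP protocol used by IPsec is IPv6` above `IPV6=1` in test.conf does not describe this scenario. The evaltest.dat of the same test expects `IP moon.strongswan.org > sun.strongswan.org: ESP`, so ESP is carried over IPv4 and only the tunneled traffic is IPv6. I would reword the comment to `# Tunneled traffic is IPv6; ESP itself runs over IPv4`. What the test framework does with `IPV6=1` is not visible in this diff, so the wording should be checked against it. The net2net-ip6-in-ip4-ikev1 test.conf carries the same comment.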
@@ -0,0 +1,7 @@ +The roadwarriors carol and dave set up an IPv6 connection each +to gateway moon. The authentication is based on X.509 certificates. +Upon the successful establishment of the IPv6 ESP tunnels, leftfirewall=yes +automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave send +an IPv6 ICMP request to the client alice behind the gateway moon +using the ping6 command. diff --git a/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat new file mode 100644 index 000000000..0e125b70e --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat @@ -0,0 +1,15 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES + 
diff --git a/testing/tests/ipv6-stroke/rw-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ikev1/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..4bcfd19dd
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ikev1/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+ca strongswan
+ cacert=strongswanCert.pem
+ certuribase=http://ip6-winnetou.strongswan.org/certs/
+ crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ fragmentation=yes
+
+conn home
+ left=PH_IP6_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP6_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=fec1::/16
+ auto=add
diff --git a/testing/tests/ipv6-stroke/rw-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ikev1/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..af5fa19ef
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ikev1/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6-stroke/rw-ikev1/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ikev1/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..125303638
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ikev1/hosts/dave/etc/ipsec.conf
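Review bot: carol's strongswan.conf loads `md5`, while the `load` lists for dave and moon in the same test do not, and nothing explains the difference. If it is there only to decrypt a legacy passphrase-protected PEM key (my guess; the key file is not part of this diff), say so with a comment such as `# md5: only needed to decrypt carol's PEM private key`. Otherwise drop it, so the daemon does not have MD5 available without need. The same difference appears in the rw-ikev2 and rw-ip6-in-ip4-ikev1 tests.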
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+ca strongswan
+ cacert=strongswanCert.pem
+ certuribase=http://ip6-winnetou.strongswan.org/certs/
+ crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ fragmentation=yes
+
+conn home
+ left=PH_IP6_DAVE
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP6_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=fec1::/16
+ auto=add
diff --git a/testing/tests/ipv6-stroke/rw-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ikev1/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..93f434598
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ikev1/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6-stroke/rw-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ikev1/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..880b1b2e7
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ikev1/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+ca strongswan
+ cacert=strongswanCert.pem
+ certuribase=http://ip6-winnetou.strongswan.org/certs/
+ crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ fragmentation=yes
+
+conn rw
+ left=PH_IP6_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=fec1::/16
+ leftfirewall=yes
+ right=%any
+ auto=add
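Review bot: Revocation checking on moon is best-effort in this ipsec.conf: `config setup` is empty, so `strictcrlpolicy` keeps its default of `no` and a peer is still accepted when the CRL at `crluri` cannot be fetched. With `right=%any` and no `rightid` or `rightca` on `conn rw`, the CA signature is then the only thing restricting who may connect. If the test is meant to show that the CRL is retrieved over IPv6, `strictcrlpolicy=yes` under `config setup` would make a failed fetch fail the test. Otherwise a comment such as `# CRL check is best-effort (strictcrlpolicy defaults to no)` would document the choice. The rw-ikev2 moon ipsec.conf is configured the same way.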
diff --git a/testing/tests/ipv6-stroke/rw-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ikev1/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..93f434598 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev1/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-ikev1/posttest.dat b/testing/tests/ipv6-stroke/rw-ikev1/posttest.dat new file mode 100644 index 000000000..4e59395e3 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev1/posttest.dat @@ -0,0 +1,12 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +carol::ip6tables-restore < /etc/ip6tables.flush +dave::ip6tables-restore < /etc/ip6tables.flush +alice::"ip route del fec0:\:/16 via fec1:\:1" +carol::"ip route del fec1:\:/16 via fec0:\:1" +dave::"ip route del fec1:\:/16 via fec0:\:1" diff --git a/testing/tests/ipv6-stroke/rw-ikev1/pretest.dat b/testing/tests/ipv6-stroke/rw-ikev1/pretest.dat new file mode 100644 index 000000000..f60be3887 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev1/pretest.dat 
@@ -0,0 +1,17 @@ +moon::iptables-restore < /etc/iptables.drop +carol::iptables-restore < /etc/iptables.drop +dave::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +carol::ip6tables-restore < /etc/ip6tables.rules +dave::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec0:\:/16 via fec1:\:1" +carol::"ip route add fec1:\:/16 via fec0:\:1" +dave::"ip route add fec1:\:/16 via fec0:\:1" +moon::ipsec start +carol::ipsec start +dave::ipsec start +moon::expect-connection rw +carol::expect-connection home +dave::expect-connection home +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ipv6-stroke/rw-ikev1/test.conf b/testing/tests/ipv6-stroke/rw-ikev1/test.conf new file mode 100644 index 000000000..69b0757fd --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev1/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/rw-ikev2/description.txt b/testing/tests/ipv6-stroke/rw-ikev2/description.txt new file mode 100644 index 000000000..17461370e --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/description.txt 
@@ -0,0 +1,7 @@ +The roadwarriors carol and dave set up an IPv6 connection each +to gateway moon. The authentication is based on X.509 certificates. +Upon the successful establishment of the IPv6 ESP tunnels, leftfirewall=yes +automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave send +an IPv6 ICMP request to the client alice behind the gateway moon +using the ping6 command. diff --git a/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat new file mode 100644 index 000000000..0e125b70e --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat @@ -0,0 +1,15 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES + 
diff --git a/testing/tests/ipv6-stroke/rw-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ikev2/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..21166b2d0 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/hosts/carol/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP6_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP6_MOON + rightid=@moon.strongswan.org + rightsubnet=fec1::/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ipv6-stroke/rw-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ikev2/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..9c9714a33 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/hosts/carol/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + hash_and_url = yes + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ikev2/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..9513be833 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/hosts/dave/etc/ipsec.conf 
@@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP6_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP6_MOON + rightid=@moon.strongswan.org + rightsubnet=fec1::/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ipv6-stroke/rw-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ikev2/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..3a52f0db6 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + hash_and_url = yes + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ikev2/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..4bed27ec5 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw + left=PH_IP6_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=fec1::/16 + leftfirewall=yes + right=%any + keyexchange=ikev2 + auto=add 
diff --git a/testing/tests/ipv6-stroke/rw-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..3a52f0db6 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + hash_and_url = yes + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-ikev2/posttest.dat b/testing/tests/ipv6-stroke/rw-ikev2/posttest.dat new file mode 100644 index 000000000..4e59395e3 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/posttest.dat @@ -0,0 +1,12 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +carol::ip6tables-restore < /etc/ip6tables.flush +dave::ip6tables-restore < /etc/ip6tables.flush +alice::"ip route del fec0:\:/16 via fec1:\:1" +carol::"ip route del fec1:\:/16 via fec0:\:1" +dave::"ip route del fec1:\:/16 via fec0:\:1" diff --git a/testing/tests/ipv6-stroke/rw-ikev2/pretest.dat b/testing/tests/ipv6-stroke/rw-ikev2/pretest.dat new file mode 100644 index 000000000..f60be3887 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/pretest.dat 
@@ -0,0 +1,17 @@ +moon::iptables-restore < /etc/iptables.drop +carol::iptables-restore < /etc/iptables.drop +dave::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +carol::ip6tables-restore < /etc/ip6tables.rules +dave::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec0:\:/16 via fec1:\:1" +carol::"ip route add fec1:\:/16 via fec0:\:1" +dave::"ip route add fec1:\:/16 via fec0:\:1" +moon::ipsec start +carol::ipsec start +dave::ipsec start +moon::expect-connection rw +carol::expect-connection home +dave::expect-connection home +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ipv6-stroke/rw-ikev2/test.conf b/testing/tests/ipv6-stroke/rw-ikev2/test.conf new file mode 100644 index 000000000..69b0757fd --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/description.txt b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/description.txt new file mode 100644 index 000000000..f9412611b --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/description.txt @@ -0,0 +1,10 @@ +The roadwarriors carol and dave set up an IPv6-in-IPv4 tunnel connection each +to gateway moon. The authentication is based on X.509 certificates. +Both carol and dave request a virtual IPv6 address from moon via +the IKEv1 mode config payload. +

+Upon the successful establishment of the ESP tunnels, leftfirewall=yes +automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave send +an IPv6 ICMP request to the client alice behind the gateway moon +using the ping6 command. diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat new file mode 100644 index 000000000..f6dc9aa3e --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat @@ -0,0 +1,15 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null 
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..8aba6f0b1 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftsourceip=%config + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=fec1::/16 + auto=add diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..0c5b0b5a4 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} 
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..d0ff82c2d --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftsourceip=%config + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=fec1::/16 + auto=add diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..93f434598 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf 
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..e77d7b608
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=fec1::/16
+ leftfirewall=yes
+ right=%any
+ rightsourceip=fec3::/120
+ auto=add
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..93f434598
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/posttest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/posttest.dat
new file mode 100644
index 000000000..ebe5e2a80
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/posttest.dat
@@ -0,0 +1,10 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
+alice::"ip route del fec3:\:/16 via fec1:\:1"
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/pretest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/pretest.dat
new file mode 100644
index 000000000..e73bde487
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/pretest.dat
@@ -0,0 +1,15 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
+alice::"ip route add fec3:\:/16 via fec1:\:1"
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/test.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/test.conf
new file mode 100644
index 000000000..69b0757fd
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d-ip6.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# IP protocol used by IPsec is IPv6
+#
+IPV6=1
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/description.txt b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/description.txt
new file mode 100644
index 000000000..237e6fa52
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors carol and dave set up an IPv6-in-IPv4 tunnel connection each
+to gateway moon. The authentication is based on X.509 certificates.
+Both carol and dave request a virtual IPv6 address from moon via
+the IKEv2 configuration payload.
+

+Upon the successful establishment of the ESP tunnels, leftfirewall=yes
+automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both carol and dave send
+an IPv6 ICMP request to the client alice behind the gateway moon
+using the ping6 command.
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat
new file mode 100644
index 000000000..f6dc9aa3e
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat
@@ -0,0 +1,15 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..1ca1c6c26
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftsourceip=%config
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=fec1::/16
+ auto=add
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..9c9714a33
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ hash_and_url = yes
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..bba2d96f7
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftsourceip=%config
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=fec1::/16
+ auto=add
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..3a52f0db6
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ hash_and_url = yes
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..5ea245568
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=fec1::/16
+ leftfirewall=yes
+ right=%any
+ rightsourceip=fec3::/120
+ auto=add
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..3a52f0db6
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ hash_and_url = yes
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/posttest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/posttest.dat
new file mode 100644
index 000000000..ebe5e2a80
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/posttest.dat
@@ -0,0 +1,10 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
+alice::"ip route del fec3:\:/16 via fec1:\:1"
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/pretest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/pretest.dat
new file mode 100644
index 000000000..e73bde487
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/pretest.dat
@@ -0,0 +1,15 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
+alice::"ip route add fec3:\:/16 via fec1:\:1"
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/test.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/test.conf
new file mode 100644
index 000000000..69b0757fd
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d-ip6.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# IP protocol used by IPsec is IPv6
+#
+IPV6=1
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/description.txt b/testing/tests/ipv6-stroke/rw-psk-ikev1/description.txt
new file mode 100644
index 000000000..66fc09053
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/description.txt
@@ -0,0 +1,7 @@
+The roadwarriors carol and dave set up an IPv6 tunnel connection each
+to gateway moon. The authentication is based on distinct pre-shared keys
+and IPv6 addresses. Upon the successful establishment of the IPsec tunnels,
+leftfirewall=yes automatically inserts ip6tables-based firewall rules that
+let pass the tunneled traffic. In order to test both tunnel and firewall, both
+carol and dave send an IPv6 ICMP request to client alice
+behind the gateway moon using the ping6 command.
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat
new file mode 100644
index 000000000..16982a736
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat
@@ -0,0 +1,15 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:10].*\[fec0.*:1]::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:20].*\[fec0.*:1]::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:10]::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:20]::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..47080139f
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ authby=secret
+
+conn home
+ left=PH_IP6_CAROL
+ leftfirewall=yes
+ right=PH_IP6_MOON
+ rightsubnet=fec1::/16
+ auto=add
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..2abcb4e0a
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+PH_IP6_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..955514391
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..c59d32a14
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/ipsec.conf
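Review bot: carol's ipsec.secrets commits a pre-shared key in base64 form (the `0s` prefix) with nothing marking it as a fixture. The same two keys are repeated in dave's and moon's ipsec.secrets for this test and in the rw-psk-ikev2 copies, so they are public and must never protect a real connection. A comment line above the entry would say so, for example `# test-only PSK for the integration test suite; do not reuse`.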
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ authby=secret
+
+conn home
+ left=PH_IP6_DAVE
+ leftfirewall=yes
+ right=PH_IP6_MOON
+ rightsubnet=fec1::/16
+ auto=add
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..2375cd559
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+PH_IP6_DAVE : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..955514391
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..7d32866b5
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ authby=secret
+
+conn rw
+ left=PH_IP6_MOON
+ leftsubnet=fec1::/16
+ leftfirewall=yes
+ right=%any
+ auto=add
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..88c418353
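Review bot: dave's ipsec.conf sets `strictcrlpolicy=no` under `config setup`, while carol's and moon's files in this scenario leave that section empty. The test authenticates with `authby=secret`, and the plugin list loaded on dave has neither `x509` nor `revocation`, so the option appears to have no effect here and looks like a leftover from a certificate-based template. Dropping the line would keep the three peers consistent; the rw-psk-ikev2 copy of dave's file carries the same line.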
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+PH_IP6_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+
+PH_IP6_DAVE : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..955514391
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/posttest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev1/posttest.dat
new file mode 100644
index 000000000..4e59395e3
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/posttest.dat
@@ -0,0 +1,12 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
+alice::"ip route del fec0:\:/16 via fec1:\:1"
+carol::"ip route del fec1:\:/16 via fec0:\:1"
+dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/pretest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev1/pretest.dat
new file mode 100644
index 000000000..93a96ec36
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/pretest.dat
@@ -0,0 +1,20 @@
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+dave::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
+alice::"ip route add fec0:\:/16 via fec1:\:1"
+carol::"ip route add fec1:\:/16 via fec0:\:1"
+dave::"ip route add fec1:\:/16 via fec0:\:1"
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/test.conf b/testing/tests/ipv6-stroke/rw-psk-ikev1/test.conf
new file mode 100644
index 000000000..69b0757fd
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d-ip6.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# IP protocol used by IPsec is IPv6
+#
+IPV6=1
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/description.txt b/testing/tests/ipv6-stroke/rw-psk-ikev2/description.txt
new file mode 100644
index 000000000..66fc09053
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/description.txt
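Review bot: The pretest runs `rm /etc/ipsec.d/cacerts/*` on moon, carol and dave, while the posttest.dat added for this test only stops ipsec, flushes the firewalls and removes the routes. If the test harness does not restore /etc/ipsec.d between tests (not visible in this diff), a later certificate-based test on the same guests would start without its CA certificates. Plain `rm` also returns an error when the directory is already empty; `rm -f /etc/ipsec.d/cacerts/*` would keep the step quiet in that case. rw-psk-ikev2/pretest.dat has the same three lines.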
@@ -0,0 +1,7 @@
+The roadwarriors carol and dave set up an IPv6 tunnel connection each
+to gateway moon. The authentication is based on distinct pre-shared keys
+and IPv6 addresses. Upon the successful establishment of the IPsec tunnels,
+leftfirewall=yes automatically inserts ip6tables-based firewall rules that
+let pass the tunneled traffic. In order to test both tunnel and firewall, both
+carol and dave send an IPv6 ICMP request to client alice
+behind the gateway moon using the ping6 command.
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat
new file mode 100644
index 000000000..16982a736
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat
@@ -0,0 +1,15 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:10].*\[fec0.*:1]::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:20].*\[fec0.*:1]::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:10]::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:20]::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..eed683f72
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ authby=secret
+
+conn home
+ left=PH_IP6_CAROL
+ leftfirewall=yes
+ right=PH_IP6_MOON
+ rightsubnet=fec1::/16
+ auto=add
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/ipsec.secrets b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..2abcb4e0a
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+PH_IP6_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..955514391
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..3b45adb0d
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ authby=secret
+
+conn home
+ left=PH_IP6_DAVE
+ leftfirewall=yes
+ right=PH_IP6_MOON
+ rightsubnet=fec1::/16
+ auto=add
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/ipsec.secrets b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..2375cd559
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+PH_IP6_DAVE : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..955514391
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..f6c4c6ab9
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ authby=secret
+
+conn rw
+ left=PH_IP6_MOON
+ leftsubnet=fec1::/16
+ leftfirewall=yes
+ right=%any
+ auto=add
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/ipsec.secrets b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..88c418353
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+PH_IP6_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+
+PH_IP6_DAVE : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..955514391
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/posttest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev2/posttest.dat
new file mode 100644
index 000000000..4e59395e3
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/posttest.dat
@@ -0,0 +1,12 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
+alice::"ip route del fec0:\:/16 via fec1:\:1"
+carol::"ip route del fec1:\:/16 via fec0:\:1"
+dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/pretest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev2/pretest.dat
new file mode 100644
index 000000000..93a96ec36
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/pretest.dat
@@ -0,0 +1,20 @@
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+dave::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
+alice::"ip route add fec0:\:/16 via fec1:\:1"
+carol::"ip route add fec1:\:/16 via fec0:\:1"
+dave::"ip route add fec1:\:/16 via fec0:\:1"
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/test.conf b/testing/tests/ipv6-stroke/rw-psk-ikev2/test.conf
new file mode 100644
index 000000000..69b0757fd
--- /dev/null
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d-ip6.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# IP protocol used by IPsec is IPv6
+#
+IPV6=1
diff --git a/testing/tests/ipv6-stroke/transport-ikev1/description.txt b/testing/tests/ipv6-stroke/transport-ikev1/description.txt
new file mode 100644
index 000000000..2d54790aa
--- /dev/null
+++ b/testing/tests/ipv6-stroke/transport-ikev1/description.txt
@@ -0,0 +1,5 @@
+An IPv6 ESP transport connection between the hosts moon and sun is successfully set up.
+The authentication is based on X.509 certificates. Upon the successful establishment of
+the IPsec SA, leftfirewall=yes automatically inserts ip6tables-based firewall
+rules that let pass the protected traffic. In order to test both the transport connection
+and the firewall rules, moon sends an IPv6 ICMP request to sun using the ping6 command.
diff --git a/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat
new file mode 100644
index 000000000..5ae9d2c12
--- /dev/null
+++ b/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat
@@ -0,0 +1,9 @@
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ip xfrm state::mode transport::YES
+sun:: ip xfrm state::mode transport::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
+sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/transport-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/transport-ikev1/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..f2938f307
--- /dev/null
+++ b/testing/tests/ipv6-stroke/transport-ikev1/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+ca strongswan
+ cacert=strongswanCert.pem
+ certuribase=http://ip6-winnetou.strongswan.org/certs/
+ crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ fragmentation=yes
+
+conn host-host
+ left=PH_IP6_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=PH_IP6_SUN
+ rightid=@sun.strongswan.org
+ type=transport
+ auto=add
diff --git a/testing/tests/ipv6-stroke/transport-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/transport-ikev1/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..93f434598
--- /dev/null
+++ b/testing/tests/ipv6-stroke/transport-ikev1/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6-stroke/transport-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/transport-ikev1/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..9af8aa862
--- /dev/null
+++ b/testing/tests/ipv6-stroke/transport-ikev1/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+ca strongswan
+ cacert=strongswanCert.pem
+ certuribase=http://ip6-winnetou.strongswan.org/certs/
+ crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ fragmentation=yes
+
+conn host-host
+ left=PH_IP6_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftfirewall=yes
+ right=PH_IP6_MOON
+ rightid=@moon.strongswan.org
+ type=transport
+ auto=add
diff --git a/testing/tests/ipv6-stroke/transport-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/transport-ikev1/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..93f434598
--- /dev/null
+++ b/testing/tests/ipv6-stroke/transport-ikev1/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6-stroke/transport-ikev1/posttest.dat b/testing/tests/ipv6-stroke/transport-ikev1/posttest.dat
new file mode 100644
index 000000000..d3bebd0c6
--- /dev/null
+++ b/testing/tests/ipv6-stroke/transport-ikev1/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6-stroke/transport-ikev1/pretest.dat b/testing/tests/ipv6-stroke/transport-ikev1/pretest.dat
new file mode 100644
index 000000000..46c015387
--- /dev/null
+++ b/testing/tests/ipv6-stroke/transport-ikev1/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
+moon::ipsec start
+sun::ipsec start
+moon::expect-connection host-host
+sun::expect-connection host-host
+moon::ipsec up host-host
diff --git a/testing/tests/ipv6-stroke/transport-ikev1/test.conf b/testing/tests/ipv6-stroke/transport-ikev1/test.conf
new file mode 100644
index 000000000..e1d17aa16
--- /dev/null
+++ b/testing/tests/ipv6-stroke/transport-ikev1/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s-ip6.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# IP protocol used by IPsec is IPv6
+#
+IPV6=1
diff --git a/testing/tests/ipv6-stroke/transport-ikev2/description.txt b/testing/tests/ipv6-stroke/transport-ikev2/description.txt
new file mode 100644
index 000000000..2d54790aa
--- /dev/null
+++ b/testing/tests/ipv6-stroke/transport-ikev2/description.txt
@@ -0,0 +1,5 @@
+An IPv6 ESP transport connection between the hosts moon and sun is successfully set up.
+The authentication is based on X.509 certificates. Upon the successful establishment of
+the IPsec SA, leftfirewall=yes automatically inserts ip6tables-based firewall
+rules that let pass the protected traffic. In order to test both the transport connection
+and the firewall rules, moon sends an IPv6 ICMP request to sun using the ping6 command.
diff --git a/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat
new file mode 100644
index 000000000..0dfba54ea
--- /dev/null
+++ b/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES
+moon::ip xfrm state::mode transport::YES
+sun:: ip xfrm state::mode transport::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
+sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/transport-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/transport-ikev2/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..a48b6cbc6
--- /dev/null
+++ b/testing/tests/ipv6-stroke/transport-ikev2/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+ca strongswan
+ cacert=strongswanCert.pem
+ certuribase=http://ip6-winnetou.strongswan.org/certs/
+ crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ mobike=no
+ keyexchange=ikev2
+
+conn host-host
+ left=PH_IP6_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=PH_IP6_SUN
+ rightid=@sun.strongswan.org
+ type=transport
+ auto=add
diff --git a/testing/tests/ipv6-stroke/transport-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/transport-ikev2/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..93f434598
--- /dev/null
+++ b/testing/tests/ipv6-stroke/transport-ikev2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6-stroke/transport-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/transport-ikev2/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..e80eb8101
--- /dev/null
+++ b/testing/tests/ipv6-stroke/transport-ikev2/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+ca strongswan
+ cacert=strongswanCert.pem
+ certuribase=http://ip6-winnetou.strongswan.org/certs/
+ crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ mobike=no
+ keyexchange=ikev2
+
+conn host-host
+ left=PH_IP6_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftfirewall=yes
+ right=PH_IP6_MOON
+ rightid=@moon.strongswan.org
+ type=transport
+ auto=add
diff --git a/testing/tests/ipv6-stroke/transport-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/transport-ikev2/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..93f434598
--- /dev/null
+++ b/testing/tests/ipv6-stroke/transport-ikev2/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6-stroke/transport-ikev2/posttest.dat b/testing/tests/ipv6-stroke/transport-ikev2/posttest.dat
new file mode 100644
index 000000000..d3bebd0c6
--- /dev/null
+++ b/testing/tests/ipv6-stroke/transport-ikev2/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6-stroke/transport-ikev2/pretest.dat b/testing/tests/ipv6-stroke/transport-ikev2/pretest.dat
new file mode 100644
index 000000000..46c015387
--- /dev/null
+++ b/testing/tests/ipv6-stroke/transport-ikev2/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
+moon::ipsec start
+sun::ipsec start
+moon::expect-connection host-host
+sun::expect-connection host-host
+moon::ipsec up host-host
diff --git a/testing/tests/ipv6-stroke/transport-ikev2/test.conf b/testing/tests/ipv6-stroke/transport-ikev2/test.conf
new file mode 100644
index 000000000..e1d17aa16
--- /dev/null
+++ b/testing/tests/ipv6-stroke/transport-ikev2/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s-ip6.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# IP protocol used by IPsec is IPv6
+#
+IPV6=1
diff --git a/testing/tests/ipv6/host2host-ikev1/description.txt b/testing/tests/ipv6/host2host-ikev1/description.txt
index b52c4caf8..d9ef11539 100644
--- a/testing/tests/ipv6/host2host-ikev1/description.txt
+++ b/testing/tests/ipv6/host2host-ikev1/description.txt
@@ -1,5 +1,6 @@
-An IPv6 ESP connection between the hosts moon and sun is successfully set up.
-The authentication is based on X.509 certificates. Upon the successful establishment of
-the IPsec tunnel, leftfirewall=yes automatically inserts ip6tables-based firewall
-rules that let pass the tunneled traffic. In order to test both the host-to-host tunnel
-and the firewall rules, moon sends an IPv6 ICMP request to sun using the ping6 command.
+An IPv6 ESP connection between the hosts moon and sun is successfully
+set up. The authentication is based on X.509 certificates. Upon the successful
+establishment of the IPsec tunnel, automatically inserted ip6tables-based firewall
+rules that pass the tunneled traffic. In order to test both the host-to-host tunnel
+and the firewall rules, moon sends an IPv6 ICMP request to sun using
+the ping6 command.
diff --git a/testing/tests/ipv6/host2host-ikev1/evaltest.dat b/testing/tests/ipv6/host2host-ikev1/evaltest.dat
index 186ce4e06..ef6ec2b98 100644
--- a/testing/tests/ipv6/host2host-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/host2host-ikev1/evaltest.dat
@@ -1,7 +1,5 @@ -moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 9e68eb674..000000000 --- a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf +++ /dev/null 
@@ -1,32 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - fragmentation=yes - -conn net-net - also=host-host - leftsubnet=fec1::0/16 - rightsubnet=fec2::0/16 - -conn host-host - left=PH_IP6_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=PH_IP6_SUN - rightid=@sun.strongswan.org - auto=add - diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf index 6cb3ee291..15f8ad5bc 100644 --- a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf @@ -1,8 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size = 1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..1fa9a622c --- /dev/null +++ b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/swanctl/swanctl.conf 
@@ -0,0 +1,32 @@ +connections { + + host-host { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + host-host { + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 23bc5c627..000000000 --- a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - fragmentation=yes - -conn net-net - also=host-host - leftsubnet=fec2::0/16 - rightsubnet=fec1::0/16 - -conn host-host - left=PH_IP6_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf index 6cb3ee291..15f8ad5bc 100644 --- a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf 
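Review bot: Nothing in this test asserts that moon actually checks sun's certificate against the CRL, although the `authorities` section of the new swanctl.conf configures `crl_uris` and the strongswan.conf for this host keeps `revocation` and `curl` loaded. The `remote` section sets no `revocation` policy, so the default applies, and the matching evaltest.dat only checks SA state, negotiated algorithms, traffic selectors and ESP packets; a CRL that cannot be fetched over the plain-HTTP URI would presumably go unnoticed. If revocation coverage is intended here, add `revocation = strict` to the `remote` section; otherwise a one-line comment such as `# CRL fetching is best-effort in this scenario` would make that explicit. The same applies to sun's swanctl.conf and to both host2host-ikev2 copies later in this commit.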
@@ -1,8 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size = 1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..585e32489 --- /dev/null +++ b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + host-host { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + host-host { + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/host2host-ikev1/posttest.dat b/testing/tests/ipv6/host2host-ikev1/posttest.dat index d3bebd0c6..c0ba6f672 100644 --- a/testing/tests/ipv6/host2host-ikev1/posttest.dat +++ b/testing/tests/ipv6/host2host-ikev1/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6/host2host-ikev1/pretest.dat b/testing/tests/ipv6/host2host-ikev1/pretest.dat index 46c015387..340344c95 100644 
--- a/testing/tests/ipv6/host2host-ikev1/pretest.dat +++ b/testing/tests/ipv6/host2host-ikev1/pretest.dat @@ -2,8 +2,9 @@ moon::iptables-restore < /etc/iptables.drop sun::iptables-restore < /etc/iptables.drop moon::ip6tables-restore < /etc/ip6tables.rules sun::ip6tables-restore < /etc/ip6tables.rules -moon::ipsec start -sun::ipsec start -moon::expect-connection host-host +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl sun::expect-connection host-host -moon::ipsec up host-host +moon::expect-connection host-host +moon::swanctl --initiate --child host-host 2> /dev/null +moon::sleep 1 diff --git a/testing/tests/ipv6/host2host-ikev1/test.conf b/testing/tests/ipv6/host2host-ikev1/test.conf index e1d17aa16..7bc3a6eee 100644 --- a/testing/tests/ipv6/host2host-ikev1/test.conf +++ b/testing/tests/ipv6/host2host-ikev1/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/host2host-ikev2/description.txt b/testing/tests/ipv6/host2host-ikev2/description.txt index b52c4caf8..3714c800b 100644 --- a/testing/tests/ipv6/host2host-ikev2/description.txt +++ b/testing/tests/ipv6/host2host-ikev2/description.txt 
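Review bot: The added `moon::sleep 1` after `swanctl --initiate` in pretest.dat is a fixed delay that makes the following evaluation timing-dependent, and the host2host-ikev2 pretest.dat changed later in this commit initiates the same child without it. If IKEv1 needs the wait (for example until sun has installed its side of the CHILD_SA), say so in description.txt; otherwise drop the line so the two variants stay parallel. The hunk also ends up with `sun::expect-connection host-host` before `moon::expect-connection host-host`, the reverse of the IKEv2 variant, which looks unintentional.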
@@ -1,5 +1,6 @@ -An IPv6 ESP connection between the hosts moon and sun is successfully set up. -The authentication is based on X.509 certificates. Upon the successful establishment of -the IPsec tunnel, leftfirewall=yes automatically inserts ip6tables-based firewall -rules that let pass the tunneled traffic. In order to test both the host-to-host tunnel -and the firewall rules, moon sends an IPv6 ICMP request to sun using the ping6 command. +An IPv6 ESP connection between the hosts moon and sun is successfully +set up. The authentication is based on X.509 certificates. Upon the successful +establishment of the IPsec tunnel, automatically inserted ip6tables-based firewall +rules let pass the tunneled traffic. In order to test both the host-to-host tunnel +and the firewall rules, moon sends an IPv6 ICMP request to sun using +the ping6 command. diff --git a/testing/tests/ipv6/host2host-ikev2/evaltest.dat b/testing/tests/ipv6/host2host-ikev2/evaltest.dat index 186ce4e06..23add7ae5 100644 --- a/testing/tests/ipv6/host2host-ikev2/evaltest.dat +++ b/testing/tests/ipv6/host2host-ikev2/evaltest.dat 
@@ -1,7 +1,5 @@ -moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES -sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES +sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES \ No newline at end of file diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf deleted file mode 100644 index faee5c854..000000000 
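Review bot: The rewritten last line of evaltest.dat, `sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES`, now ends without a newline (`\ No newline at end of file`). That line is the check for ESP in the return direction, and a line-oriented reader that requires a terminator could skip it; how the test harness reads the file is not visible here. Terminate the line with a newline as before. The host2host-ikev2 pretest.dat hunk has the same problem on its `moon::swanctl --initiate --child host-host 2> /dev/null` line.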
--- a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn net-net - also=host-host - leftsubnet=fec1::0/16 - rightsubnet=fec2::0/16 - -conn host-host - left=PH_IP6_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=PH_IP6_SUN - rightid=@sun.strongswan.org - auto=add - diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..b422344f2 --- /dev/null +++ b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/swanctl/swanctl.conf 
@@ -0,0 +1,33 @@ +connections { + + host-host { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + host-host { + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf deleted file mode 100644 index f4dc393ee..000000000 --- a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,30 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn net-net - also=host-host - leftsubnet=fec2::0/16 - rightsubnet=fec1::0/16 - -conn host-host - left=PH_IP6_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf 
@@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..376f8d8fa --- /dev/null +++ b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + host-host { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + host-host { + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/host2host-ikev2/posttest.dat b/testing/tests/ipv6/host2host-ikev2/posttest.dat index d3bebd0c6..c0ba6f672 100644 --- a/testing/tests/ipv6/host2host-ikev2/posttest.dat +++ b/testing/tests/ipv6/host2host-ikev2/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6/host2host-ikev2/pretest.dat b/testing/tests/ipv6/host2host-ikev2/pretest.dat index 46c015387..0c558800c 100644 
--- a/testing/tests/ipv6/host2host-ikev2/pretest.dat +++ b/testing/tests/ipv6/host2host-ikev2/pretest.dat @@ -2,8 +2,8 @@ moon::iptables-restore < /etc/iptables.drop sun::iptables-restore < /etc/iptables.drop moon::ip6tables-restore < /etc/ip6tables.rules sun::ip6tables-restore < /etc/ip6tables.rules -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection host-host sun::expect-connection host-host -moon::ipsec up host-host +moon::swanctl --initiate --child host-host 2> /dev/null \ No newline at end of file diff --git a/testing/tests/ipv6/host2host-ikev2/test.conf b/testing/tests/ipv6/host2host-ikev2/test.conf index e1d17aa16..459baf2d9 100644 --- a/testing/tests/ipv6/host2host-ikev2/test.conf +++ b/testing/tests/ipv6/host2host-ikev2/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="moon winnetou sun" - + # Corresponding block diagram # DIAGRAM="m-w-s-ip6.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/net2net-ikev1/description.txt b/testing/tests/ipv6/net2net-ikev1/description.txt index 5952ecc2d..9c574d22f 100644 --- a/testing/tests/ipv6/net2net-ikev1/description.txt +++ b/testing/tests/ipv6/net2net-ikev1/description.txt 
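Review bot: In the pretest.dat hunk the new line `moon::swanctl --initiate --child host-host 2> /dev/null` discards stderr, so a failed initiation leaves no reason in the test log. The redirect is also used inconsistently: net2net-ikev1 has it, while net2net-ikev2 and net2net-ip4-in-ip6-ikev1 later in this diff run the same command without it. I would drop it here, `moon::swanctl --initiate --child host-host`, or apply one convention across all the pretest files. The file also still ends without a trailing newline.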
@@ -1,6 +1,7 @@ -An IPv6 ESP tunnel connection between the gateways moon and sun is successfully set up. -It connects the two subnets hiding behind their respective gateways. The authentication is based on -X.509 certificates. Upon the successful establishment of the IPsec tunnel, leftfirewall=yes -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. -In order to test both the net-to-net tunnel and the firewall rules, client alice behind moon -sends an IPv6 ICMP request to client bob behind sun using the ping6 command. +An IPv6 ESP tunnel connection between the gateways moon and sun is +successfully set up. It connects the two subnets hiding behind their respective +gateways. The authentication is based on X.509 certificates. Upon the successful +establishment of the IPsec tunnel, automatically inserted ip6tables-based firewall +rules let pass the tunneled traffic. In order to test both the net-to-net tunnel +and the firewall rules, client alice behind moon sends an IPv6 ICMP +request to client bob behind sun using the ping6 command. diff --git a/testing/tests/ipv6/net2net-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ikev1/evaltest.dat index 4cf23a31b..877459c88 100644 --- a/testing/tests/ipv6/net2net-ikev1/evaltest.dat +++ b/testing/tests/ipv6/net2net-ikev1/evaltest.dat 
@@ -1,7 +1,5 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 4821989a9..000000000 --- a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf +++ /dev/null 
@@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - fragmentation=yes - -conn net-net - also=host-host - leftsubnet=fec1::0/16 - rightsubnet=fec2::0/16 - -conn host-host - left=PH_IP6_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=PH_IP6_SUN - rightid=@sun.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf index 00380ccb4..93dbda2d6 100644 --- a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf @@ -1,7 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown fragment_size = 1400 } diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..e4ae7c91b --- /dev/null +++ b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/swanctl/swanctl.conf 
@@ -0,0 +1,35 @@ +connections { + + net-net { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = fec1::0/16 + remote_ts = fec2::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 23bc5c627..000000000 --- a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - fragmentation=yes - -conn net-net - also=host-host - leftsubnet=fec2::0/16 - rightsubnet=fec1::0/16 - -conn host-host - left=PH_IP6_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf index 00380ccb4..93dbda2d6 100644 --- a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf 
@@ -1,7 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown fragment_size = 1400 } diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..df389144d --- /dev/null +++ b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + net-net { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = fec2::0/16 + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/net2net-ikev1/posttest.dat b/testing/tests/ipv6/net2net-ikev1/posttest.dat index 078fca541..aec4aa7d0 100644 --- a/testing/tests/ipv6/net2net-ikev1/posttest.dat +++ b/testing/tests/ipv6/net2net-ikev1/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl alice::"ip route del fec2:\:/16 via fec1:\:1" moon::"ip route del fec2:\:/16 via fec0:\:2" sun::"ip route del fec1:\:/16 via fec0:\:1" 
diff --git a/testing/tests/ipv6/net2net-ikev1/pretest.dat b/testing/tests/ipv6/net2net-ikev1/pretest.dat index a14b3cf79..60b2810cf 100644 --- a/testing/tests/ipv6/net2net-ikev1/pretest.dat +++ b/testing/tests/ipv6/net2net-ikev1/pretest.dat @@ -6,8 +6,9 @@ alice::"ip route add fec2:\:/16 via fec1:\:1" moon::"ip route add fec2:\:/16 via fec0:\:2" sun::"ip route add fec1:\:/16 via fec0:\:1" bob::"ip route add fec1:\:/16 via fec2:\:1" -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection net-net sun::expect-connection net-net -moon::ipsec up net-net +moon::swanctl --initiate --child net-net 2> /dev/null +moon::sleep 1 diff --git a/testing/tests/ipv6/net2net-ikev1/test.conf b/testing/tests/ipv6/net2net-ikev1/test.conf index abade5bba..5906883b1 100644 --- a/testing/tests/ipv6/net2net-ikev1/test.conf +++ b/testing/tests/ipv6/net2net-ikev1/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="alice moon winnetou sun bob" - + # Corresponding block diagram # DIAGRAM="a-m-w-s-b-ip6.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/net2net-ikev2/description.txt b/testing/tests/ipv6/net2net-ikev2/description.txt index 5952ecc2d..0fe026cc0 100644 --- a/testing/tests/ipv6/net2net-ikev2/description.txt +++ b/testing/tests/ipv6/net2net-ikev2/description.txt 
@@ -1,6 +1,7 @@ -An IPv6 ESP tunnel connection between the gateways moon and sun is successfully set up. -It connects the two subnets hiding behind their respective gateways. The authentication is based on -X.509 certificates. Upon the successful establishment of the IPsec tunnel, leftfirewall=yes -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. -In order to test both the net-to-net tunnel and the firewall rules, client alice behind moon -sends an IPv6 ICMP request to client bob behind sun using the ping6 command. +An IPv6 ESP tunnel connection between the gateways moon and sun +is successfully set up. It connects the two subnets hiding behind their respective +gateways. The authentication is based on X.509 certificates. Upon the successful +establishment of the IPsec tunnel, automatically inserted ip6tables-based firewall +rules let pass the tunneled traffic. In order to test both the net-to-net tunnel +and the firewall rules, client alice behind moon sends an IPv6 ICMP +request to client bob behind sun using the ping6 command. diff --git a/testing/tests/ipv6/net2net-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ikev2/evaltest.dat index 4cf23a31b..a3e2bad94 100644 --- a/testing/tests/ipv6/net2net-ikev2/evaltest.dat +++ b/testing/tests/ipv6/net2net-ikev2/evaltest.dat 
@@ -1,7 +1,5 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 7292066a9..000000000 --- a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf +++ /dev/null 
@@ -1,32 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - fragmentation=yes - mobike=no - -conn net-net - also=host-host - leftsubnet=fec1::0/16 - rightsubnet=fec2::0/16 - -conn host-host - left=PH_IP6_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=PH_IP6_SUN - rightid=@sun.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf index 00380ccb4..93dbda2d6 100644 --- a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf @@ -1,7 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown fragment_size = 1400 } diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..1bf52633b --- /dev/null +++ b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/swanctl/swanctl.conf 
@@ -0,0 +1,36 @@ +connections { + + net-net { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = fec1::0/16 + remote_ts = fec2::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 2141c15c5..000000000 --- a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,32 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - fragmentation=yes - mobike=no - -conn net-net - also=host-host - leftsubnet=fec2::0/16 - rightsubnet=fec1::0/16 - -conn host-host - left=PH_IP6_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf index 00380ccb4..93dbda2d6 100644 --- a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf 
@@ -1,7 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown fragment_size = 1400 } diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..73480f112 --- /dev/null +++ b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,36 @@ +connections { + + net-net { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = fec2::0/16 + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/net2net-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ikev2/posttest.dat index 078fca541..aec4aa7d0 100644 --- a/testing/tests/ipv6/net2net-ikev2/posttest.dat +++ b/testing/tests/ipv6/net2net-ikev2/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl alice::"ip route del fec2:\:/16 via fec1:\:1" moon::"ip route del fec2:\:/16 via fec0:\:2" sun::"ip route del fec1:\:/16 via fec0:\:1" 
diff --git a/testing/tests/ipv6/net2net-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ikev2/pretest.dat index a14b3cf79..2db7a27c2 100644 --- a/testing/tests/ipv6/net2net-ikev2/pretest.dat +++ b/testing/tests/ipv6/net2net-ikev2/pretest.dat @@ -6,8 +6,8 @@ alice::"ip route add fec2:\:/16 via fec1:\:1" moon::"ip route add fec2:\:/16 via fec0:\:2" sun::"ip route add fec1:\:/16 via fec0:\:1" bob::"ip route add fec1:\:/16 via fec2:\:1" -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection net-net sun::expect-connection net-net -moon::ipsec up net-net +moon::swanctl --initiate --child net-net diff --git a/testing/tests/ipv6/net2net-ikev2/test.conf b/testing/tests/ipv6/net2net-ikev2/test.conf index abade5bba..5906883b1 100644 --- a/testing/tests/ipv6/net2net-ikev2/test.conf +++ b/testing/tests/ipv6/net2net-ikev2/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="alice moon winnetou sun bob" - + # Corresponding block diagram # DIAGRAM="a-m-w-s-b-ip6.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat index ee9e22ed7..829c64764 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat 
@@ -1,7 +1,5 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf deleted file mode 100644 index c43086f76..000000000 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf +++ /dev/null 
@@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - fragmentation=yes - -conn net-net - also=host-host - leftsubnet=10.1.0.0/16 - rightsubnet=10.2.0.0/16 - -conn host-host - left=PH_IP6_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=PH_IP6_SUN - rightid=@sun.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf index 02280ac2f..93dbda2d6 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf @@ -1,7 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size = 1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + fragment_size = 1400 } diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..7604b97d5 --- /dev/null +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/swanctl/swanctl.conf 
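Review bot: `fragment_size` goes from 1024 to 1400 in moon's strongswan.conf hunk (sun's copy follows) without a comment, and IKE in this scenario runs over IPv6, where the guaranteed minimum MTU is 1280 bytes. If the option counts the whole IP datagram, as I understand it does, fragments of that size rely on the lab links carrying full 1500-byte packets. A one-line comment next to the setting would record that assumption: `# lab links have MTU 1500; stay at or below 1280 on paths limited to the IPv6 minimum MTU`.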
@@ -0,0 +1,35 @@ +connections { + + net-net { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf deleted file mode 100644 index f64bc2342..000000000 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - fragmentation=yes - -conn net-net - also=host-host - leftsubnet=10.2.0.0/16 - rightsubnet=10.1.0.0/16 - -conn host-host - left=PH_IP6_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf index 7a39a8ae4..93dbda2d6 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf 
@@ -1,7 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size=1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + fragment_size = 1400 } diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..4a7f98856 --- /dev/null +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + net-net { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat index d3bebd0c6..c0ba6f672 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::ip6tables-restore < /etc/ip6tables.flush 
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat index 812ccd162..9a9d27b29 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat @@ -2,8 +2,9 @@ moon::iptables-restore < /etc/iptables.drop sun::iptables-restore < /etc/iptables.drop moon::ip6tables-restore < /etc/ip6tables.rules sun::ip6tables-restore < /etc/ip6tables.rules -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection net-net sun::expect-connection net-net -moon::ipsec up net-net +moon::swanctl --initiate --child net-net +moon::sleep 1 diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf index 58ec28767..cc1bf500f 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="alice moon winnetou sun bob" - + # Corresponding block diagram # DIAGRAM="a-m-w-s-b-ip4-in-ip6.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat index ee9e22ed7..b898de258 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat 
@@ -1,7 +1,6 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES + diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 704737eaf..000000000 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf +++ /dev/null 
@@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - also=host-host - leftsubnet=10.1.0.0/16 - rightsubnet=10.2.0.0/16 - -conn host-host - left=PH_IP6_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=PH_IP6_SUN - rightid=@sun.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf index 3a52f0db6..93dbda2d6 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf @@ -1,6 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + fragment_size = 1400 } diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..aea5c228c --- /dev/null +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/swanctl/swanctl.conf 
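Review bot: The moon strongswan.conf hunk drops `hash_and_url = yes`, and the `certuribase` entry disappears with the deleted ipsec.conf, so this test appears to stop exercising hash-and-URL certificate transfer over IPv6. The new swanctl.conf `authorities` section carries only `cacert` and `crl_uris`. If that coverage was deliberate, keep `hash_and_url = yes` inside `charon-systemd` and add `cert_uri_base = http://ip6-winnetou.strongswan.org/certs/` to the `strongswan` authority. Otherwise `curl` seems to be needed only for the CRL fetch now. The sun strongswan.conf hunk for the same test makes the identical change.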
@@ -0,0 +1,36 @@ +connections { + + net-net { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf deleted file mode 100644 index e739fc8ea..000000000 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - also=host-host - leftsubnet=10.2.0.0/16 - rightsubnet=10.1.0.0/16 - -conn host-host - left=PH_IP6_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf index 3a52f0db6..93dbda2d6 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf 
@@ -1,6 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + fragment_size = 1400 } diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..1efe64d86 --- /dev/null +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,36 @@ +connections { + + net-net { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat index d3bebd0c6..c0ba6f672 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::ip6tables-restore < /etc/ip6tables.flush 
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat index 812ccd162..5a4e73383 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat @@ -2,8 +2,8 @@ moon::iptables-restore < /etc/iptables.drop sun::iptables-restore < /etc/iptables.drop moon::ip6tables-restore < /etc/ip6tables.rules sun::ip6tables-restore < /etc/ip6tables.rules -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection net-net sun::expect-connection net-net -moon::ipsec up net-net +moon::swanctl --initiate --child net-net diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf index 58ec28767..cc1bf500f 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="alice moon winnetou sun bob" - + # Corresponding block diagram # DIAGRAM="a-m-w-s-b-ip4-in-ip6.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/description.txt b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/description.txt index 5952ecc2d..26cb55e4d 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/description.txt +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/description.txt 
@@ -1,6 +1,8 @@ -An IPv6 ESP tunnel connection between the gateways moon and sun is successfully set up. -It connects the two subnets hiding behind their respective gateways. The authentication is based on -X.509 certificates. Upon the successful establishment of the IPsec tunnel, leftfirewall=yes -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. -In order to test both the net-to-net tunnel and the firewall rules, client alice behind moon -sends an IPv6 ICMP request to client bob behind sun using the ping6 command. +An IPv6 ESP tunnel connection between the gateways moon and sun is +successfully set up. It connects the two subnets hiding behind their respective +gateways. The authentication is based on X.509 certificates. Upon the successful +establishment of the IPsec tunnel, automatically inserted ip6tables-based firewall +rules let pass the tunneled traffic. +In order to test both the net-to-net tunnel and the firewall rules, client +alice behind moon sends an IPv6 ICMP request to client bob +behind sun using the ping6 command. diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat index 803cf5ef5..849da7c61 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat 
@@ -1,7 +1,5 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16] +sun::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16] sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 93660a2d8..000000000 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf +++ /dev/null 
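Review bot: The two added `swanctl --list-sas --raw` checks in net2net-ip6-in-ip4-ikev1/evaltest.dat lack the trailing `::YES` field that the ping6 and tcpdump lines around them carry. They end at `remote-ts=\[fec2:\:/16]` and `remote-ts=\[fec1:\:/16]`, whereas the equivalent checks in the ip4-in-ip6-ikev2 and rfc3779 tests end in `remote-ts=\[...]::YES`, so these look truncated. How the harness treats a line with no expected-result field is not visible here, so the IKE/ESP algorithm and traffic-selector assertions may not be evaluated as intended. Append `::YES` to both lines. The moon line added to net2net-ip6-in-ip4-ikev2/evaltest.dat has the same omission.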
@@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn net-net - left=PH_IP_MOON - leftsubnet=fec1::0/16 - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=PH_IP_SUN - rightsubnet=fec2::0/16 - rightid=@sun.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf index 0be55a717..89e0dfced 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf @@ -1,6 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + fragment_size = 1400 install_routes = no } diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..e78611432 --- /dev/null +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/swanctl/swanctl.conf 
@@ -0,0 +1,28 @@ +connections { + + net-net { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = fec1::0/16 + remote_ts = fec2::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 30dadee78..000000000 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn net-net - left=PH_IP_SUN - leftsubnet=fec2::0/16 - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=fec1::0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf index 812d52a95..89e0dfced 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf 
@@ -1,6 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown - install_routes=no +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + fragment_size = 1400 + install_routes = no } diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..db19938ac --- /dev/null +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + net-net { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = fec2::0/16 + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat index 078fca541..aec4aa7d0 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl alice::"ip route del fec2:\:/16 via fec1:\:1" moon::"ip route del fec2:\:/16 via fec0:\:2" sun::"ip route del fec1:\:/16 via fec0:\:1" 
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat index 58711bc06..58be2992f 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat @@ -6,8 +6,9 @@ alice::"ip route add fec2:\:/16 via fec1:\:1" moon::"ip route add fec2:\:/16 via fec0:\:2" sun::"ip route add fec1:\:/16 via fec0:\:1" bob::"ip route add fec1:\:/16 via fec2:\:1" -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection net-net sun::expect-connection net-net -moon::ipsec up net-net +moon::swanctl --initiate --child net-net +moon::sleep 1 diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf index 345e2d808..9f1c9a1f3 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="alice moon winnetou sun bob" - + # Corresponding block diagram # DIAGRAM="a-m-w-s-b-ip6-in-ip4.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/description.txt b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/description.txt index 5952ecc2d..dee74097c 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/description.txt +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/description.txt 
@@ -1,6 +1,8 @@ -An IPv6 ESP tunnel connection between the gateways moon and sun is successfully set up. -It connects the two subnets hiding behind their respective gateways. The authentication is based on -X.509 certificates. Upon the successful establishment of the IPsec tunnel, leftfirewall=yes -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. -In order to test both the net-to-net tunnel and the firewall rules, client alice behind moon -sends an IPv6 ICMP request to client bob behind sun using the ping6 command. +An IPv6 ESP tunnel connection between the gateways moon and sun is +successfully set up. It connects the two subnets hiding behind their respective +gateways. The authentication is based on X.509 certificates. Upon the successful +establishment of the IPsec tunnel, automatically inserted ip6tables-based firewall +rules let pass the tunneled traffic. +In order to test both the net-to-net tunnel and the firewall rules, client +alice behind moon sends an IPv6 ICMP request to client bob +behind sun using the ping6 command. \ No newline at end of file diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat index 803cf5ef5..40ae8524a 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat 
@@ -1,7 +1,4 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES -sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16] +sun::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf deleted file mode 100644 index f1cbd5576..000000000 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf +++ /dev/null 
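Review bot: The added `sun::swanctl --list-sas --raw` line runs straight into the following check, reading `remote-ts=\[fec1:\:/16]sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES`. The hunk header's new-side count of 4 and the removed `-sun::tcpdump` line confirm that the two are one line in the file. The moon-to-sun ESP capture is therefore no longer a separate assertion, and the SA check has no clean expected-result field of its own. End the swanctl line with `remote-ts=\[fec1:\:/16]::YES` and restore `sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES` on its own line.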
@@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - left=PH_IP_MOON - leftsubnet=fec1::0/16 - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=PH_IP_SUN - rightsubnet=fec2::0/16 - rightid=@sun.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf index 0be55a717..89e0dfced 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf @@ -1,6 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + fragment_size = 1400 install_routes = no } diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..775c2feae --- /dev/null +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/swanctl/swanctl.conf 
@@ -0,0 +1,29 @@ +connections { + + net-net { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = fec1::0/16 + remote_ts = fec2::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 1f1fa6c51..000000000 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - left=PH_IP_SUN - leftsubnet=fec2::0/16 - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=fec1::0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf index 812d52a95..89e0dfced 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf 
@@ -1,6 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown - install_routes=no +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + fragment_size = 1400 + install_routes = no } diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..ed7e9b477 --- /dev/null +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + net-net { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = fec2::0/16 + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat index 078fca541..aec4aa7d0 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl alice::"ip route del fec2:\:/16 via fec1:\:1" moon::"ip route del fec2:\:/16 via fec0:\:2" sun::"ip route del fec1:\:/16 via fec0:\:1" 
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat index 58711bc06..e1d5265cc 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat @@ -6,8 +6,8 @@ alice::"ip route add fec2:\:/16 via fec1:\:1" moon::"ip route add fec2:\:/16 via fec0:\:2" sun::"ip route add fec1:\:/16 via fec0:\:1" bob::"ip route add fec1:\:/16 via fec2:\:1" -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection net-net sun::expect-connection net-net -moon::ipsec up net-net +moon::swanctl --initiate --child net-net diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf index 345e2d808..9f1c9a1f3 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="alice moon winnetou sun bob" - + # Corresponding block diagram # DIAGRAM="a-m-w-s-b-ip6-in-ip4.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/description.txt b/testing/tests/ipv6/net2net-rfc3779-ikev2/description.txt index ebcc00724..0c0525ce1 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/description.txt +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/description.txt 
@@ -1,11 +1,14 @@ -An IPv6 ESP tunnel connection between the gateways moon and sun is successfully set up. -It connects the two subnets hiding behind their respective gateways. The authentication is based on -X.509 certificates containing RFC 3779 IP address block constraints. -Both moon and sun set rightsubnet=::/0 thus allowing the peers to narrow down -the address range to their actual subnets fec1::/16 and fec2::/16, respectively. -These unilaterally proposed traffic selectors must be validated by corresponding IP address block constraints. +An IPv6 ESP tunnel connection between the gateways moon and sun is +successfully set up. It connects the two subnets hiding behind their respective +gateways. The authentication is based on X.509 certificates containing +RFC 3779 IP address block constraints. Both moon and sun set +rightsubnet=::/0 thus allowing the peers to narrow down the address range +to their actual subnets fec1::/16 and fec2::/16, respectively. +These unilaterally proposed traffic selectors must be validated by corresponding +IP address block constraints.

-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. -In order to test both the net-to-net tunnel and the firewall rules, client alice behind moon -sends an IPv6 ICMP request to client bob behind sun using the ping6 command. +Upon the successful establishment of the IPsec tunnel, automatically inserted +ip6tables-based firewall rules let pass the tunneled traffic. In order to test +both the net-to-net tunnel and the firewall rules, client alice behind +moon sends an IPv6 ICMP request to client bob behind sun +using the ping6 command. diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat index 3b0a3eeca..72dade743 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat 
@@ -1,9 +1,7 @@
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
 moon:: cat /var/log/daemon.log::TS fec2:\:/16 is contained in address block constraint fec2:\:/16::YES
 sun:: cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
 alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES
+sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 46b9ad415..000000000
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
- cacert=strongswanCert.pem
- certuribase=http://ip6-winnetou.strongswan.org/certs/rfc3779/
- crluri=http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- also=host-host
- leftsubnet=fec1::0/16
- rightsubnet=0::0/0
-
-conn host-host
- left=PH_IP6_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- right=PH_IP6_SUN
- rightid=@sun.strongswan.org
- auto=add
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index 8e872d89f..000000000
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,26 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV -BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz -Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz -MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu -dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n -U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA -zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ -Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr -b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y -GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF -Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU -EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB -ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM -BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG -EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3 -OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI -KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK -AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB -ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm -uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud -rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS -Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA -MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX -fN8iF5kHn7S+Nd9ZFlf3S1w= ------END CERTIFICATE----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem deleted file mode 100644 index 124e2ae46..000000000 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG -A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5 -MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u -Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh -bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6 -GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu -uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA -PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2 -jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd -D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK -KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV -HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ -owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 -eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT -d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u -Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG -MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy -bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY -AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL -aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo -830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5 -lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2 -NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR -pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu -Mc/lk4Nl8pHRO+Xm ------END CERTIFICATE----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem deleted file mode 100644 index 11607c8cb..000000000 
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEA2Hh4gBjWpfQ0+hoAnsHV2uDX/+OmIG4WTZkqYv8x/l5gOyS0 -unqFbebyfyyRB0s5EaBHrabQCC3p7rmpAcmsBKD2YJAmGYCQfaKRhDqFiME4rWhd -GVVfHYjULZ5fq5L8D6cVsm7yMDsEQD1CHp6ED5FYX3fwC2kZfPKRtK3AFtDDEgjb -kMBC8EiCtq0AC7PeEJucjNG2fnaldo50iEoreXaEWeLyGIISTyj6hSm9c1MNbIgg -z3r+N0vsasE44SdM53Kv0IoMksor3Q/KrPCjJGp/lzcfV0o1teGFqdu0VaSHgDZY -pIh4dP0rdJQbEfj/bA6fmL6/lPeRCijoK6mnNwIDAQABAoIBAAutG9rU/CcBcCYZ -ZvUpQW7H9/6uedR/+6X94AJs/3ZYAtrN1Q3F9BKEhYoEjmIVVaO0wIkGWWxHhbnB -u/MDvMqXIBL/U37Gp4SPU0gNnAxPV85KtdLa/wFp0wAO7dwkVoJFoe74+wlM9aK9 -ayaZqEfqsBieMI19Asnxj5huUtEoIiU9ekz6HLeALwy6OxJLrempDugDe2icaWSt -pLIU3ZXmzVbOFLNtq+KMpanQzamAvSTUq5Wmuz+C6nTEv+JjGWFblX8pM2ACA6cV -VouefUFfKpMXjHTlsvw0JiDzLeYRxRZZMxnTxzbnoigZfW6ZDxP2w9KRv/7LuSj/ -ktqfVKkCgYEA8qlkPka0cfIKcjloe6oNEMt0dX6V+5LmS59DRnnhu+6FuIVncS7/ -intBGag603wJvGlA7HuUAZbcr4ilDIe1cUm0d8rftjvw0uOBU/gfNVmxhpFzs8Ku -4Fry6lKow1ecqFQ1i4VZi2qQJVv3m6tRojMTh6xVA9/FLD9iiu3V2dMCgYEA5F6I -HV1sqY2Q8aU48dch+I1ItrqiURwY7qejuIprpXBoRQPQV3OoYgJcKtdlSKrbDGQd -iJmL0aoy/ONThrfOtygQtth/f79ktKZZHja8Ew+0/lzfxMSb69kl6Rxx9OKJILPE -caezhYFGozEKwLddcrqxrSd3Fvz78CVRRiAx2o0CgYEA4g0wh98f24Hpf0zBa2oX -b8zIOWfp2giXply/tBh4U7S4NxN3MHXisaNuGrOf0UEcZLr8MxBP6UcbYB3/+vM0 -8EsD5hBEZKPkDODIqmtazz015jD7QrsaY3/2CJlmA0tLcXe4xbc8mmZzz4mj2Q04 -J8xC5kGAlPJQ4I5PgzJZ4+cCgYAHyqHiPpnCfy3+0KBMwAZMsKVWdq+rDMZc/iM7 -3J0nm9oy4JpvIWcRUPtMCuVNwWaP2aqYSoTWtnPe5PKomgTXgupvEpvnA+SvtS09 -NqjcDaEjPI/16q9XMKV2ep34uPHsx7VgG1SorWx3jOjNAnSRwYTmX35UrnT6EIvh -VJ/e0QKBgCgI41QtJ4ShFxpSdxzy3Gfz/EFTUGIjtmXQe/7GixxoXJkpGXCGhToU -KVF+HUEYKOQ1vX9SNUyY+1LyqO3vj+QzuJ0q4GrtEY7vxDH817QvJLecj5i22Hof -50MqUdow2BnOSFuJvWhR1DdodRX3vh1awod/CoIufnfEI4MuMO6H ------END RSA PRIVATE KEY----- 
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf index 4fa0583ed..285350d7b 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/rsa/moonKey.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/rsa/moonKey.pem new file mode 100644 index 000000000..11607c8cb --- /dev/null +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/rsa/moonKey.pem 
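Review bot: The new `charon-systemd` section does not carry over `hash_and_url = yes` from the removed `charon` section, and the deleted ipsec.conf for this host held the matching `certuribase`, so the scenario appears to stop covering certificate retrieval by hash-and-URL without saying so. If that is intended, a sentence in the scenario description would record it; otherwise the option would have to be kept as `hash_and_url = yes` inside `charon-systemd { ... }` together with a `cert_uri_base` entry under `authorities` in swanctl.conf. The sun host's strongswan.conf hunk makes the same change.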
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA2Hh4gBjWpfQ0+hoAnsHV2uDX/+OmIG4WTZkqYv8x/l5gOyS0 +unqFbebyfyyRB0s5EaBHrabQCC3p7rmpAcmsBKD2YJAmGYCQfaKRhDqFiME4rWhd +GVVfHYjULZ5fq5L8D6cVsm7yMDsEQD1CHp6ED5FYX3fwC2kZfPKRtK3AFtDDEgjb +kMBC8EiCtq0AC7PeEJucjNG2fnaldo50iEoreXaEWeLyGIISTyj6hSm9c1MNbIgg +z3r+N0vsasE44SdM53Kv0IoMksor3Q/KrPCjJGp/lzcfV0o1teGFqdu0VaSHgDZY +pIh4dP0rdJQbEfj/bA6fmL6/lPeRCijoK6mnNwIDAQABAoIBAAutG9rU/CcBcCYZ +ZvUpQW7H9/6uedR/+6X94AJs/3ZYAtrN1Q3F9BKEhYoEjmIVVaO0wIkGWWxHhbnB +u/MDvMqXIBL/U37Gp4SPU0gNnAxPV85KtdLa/wFp0wAO7dwkVoJFoe74+wlM9aK9 +ayaZqEfqsBieMI19Asnxj5huUtEoIiU9ekz6HLeALwy6OxJLrempDugDe2icaWSt +pLIU3ZXmzVbOFLNtq+KMpanQzamAvSTUq5Wmuz+C6nTEv+JjGWFblX8pM2ACA6cV +VouefUFfKpMXjHTlsvw0JiDzLeYRxRZZMxnTxzbnoigZfW6ZDxP2w9KRv/7LuSj/ +ktqfVKkCgYEA8qlkPka0cfIKcjloe6oNEMt0dX6V+5LmS59DRnnhu+6FuIVncS7/ +intBGag603wJvGlA7HuUAZbcr4ilDIe1cUm0d8rftjvw0uOBU/gfNVmxhpFzs8Ku +4Fry6lKow1ecqFQ1i4VZi2qQJVv3m6tRojMTh6xVA9/FLD9iiu3V2dMCgYEA5F6I +HV1sqY2Q8aU48dch+I1ItrqiURwY7qejuIprpXBoRQPQV3OoYgJcKtdlSKrbDGQd +iJmL0aoy/ONThrfOtygQtth/f79ktKZZHja8Ew+0/lzfxMSb69kl6Rxx9OKJILPE +caezhYFGozEKwLddcrqxrSd3Fvz78CVRRiAx2o0CgYEA4g0wh98f24Hpf0zBa2oX +b8zIOWfp2giXply/tBh4U7S4NxN3MHXisaNuGrOf0UEcZLr8MxBP6UcbYB3/+vM0 +8EsD5hBEZKPkDODIqmtazz015jD7QrsaY3/2CJlmA0tLcXe4xbc8mmZzz4mj2Q04 +J8xC5kGAlPJQ4I5PgzJZ4+cCgYAHyqHiPpnCfy3+0KBMwAZMsKVWdq+rDMZc/iM7 +3J0nm9oy4JpvIWcRUPtMCuVNwWaP2aqYSoTWtnPe5PKomgTXgupvEpvnA+SvtS09 +NqjcDaEjPI/16q9XMKV2ep34uPHsx7VgG1SorWx3jOjNAnSRwYTmX35UrnT6EIvh +VJ/e0QKBgCgI41QtJ4ShFxpSdxzy3Gfz/EFTUGIjtmXQe/7GixxoXJkpGXCGhToU +KVF+HUEYKOQ1vX9SNUyY+1LyqO3vj+QzuJ0q4GrtEY7vxDH817QvJLecj5i22Hof +50MqUdow2BnOSFuJvWhR1DdodRX3vh1awod/CoIufnfEI4MuMO6H +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..c172a2c13 --- /dev/null 
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+ net-net {
+ local_addrs = fec0::1
+ remote_addrs = fec0::2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = fec1::0/16
+ remote_ts = 0::0/0
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128-sha256-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+authorities {
+ strongswan {
+ cacert = strongswanCert.pem
+ crl_uris = http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl
+ }
+}
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/x509/moonCert.pem
new file mode 100644
index 000000000..124e2ae46
--- /dev/null
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/x509/moonCert.pem
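Review bot: `remote_ts = 0::0/0` in the `net-net` child lets the peer propose any remote selector, and nothing in swanctl.conf says that the narrowing to `fec2::/16` is only enforced because the `addrblock` plugin checks the proposal against the RFC 3779 address blocks in the peer certificate. A comment above the line, for example `# deliberately ::/0; the peer's TS is validated against its RFC 3779 address blocks (addrblock plugin)`, would keep the setting from being copied into a configuration that does not load that plugin. The sun host's swanctl.conf has the same `remote_ts = 0::0/0` line and would take the same comment.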
@@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5 +MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh +bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6 +GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu +uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA +PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2 +jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd +D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK +KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV +HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ +owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 +eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT +d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u +Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG +MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy +bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY +AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL +aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo +830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5 +lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2 +NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR +pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu +Mc/lk4Nl8pHRO+Xm +-----END CERTIFICATE----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..8e872d89f --- /dev/null 
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz +Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz +MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu +dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n +U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ +Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr +b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y +GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF +Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU +EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB +ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM +BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3 +OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI +KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK +AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB +ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm +uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud +rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS +Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA +MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX +fN8iF5kHn7S+Nd9ZFlf3S1w= +-----END CERTIFICATE----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 4a0f911a3..000000000 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf +++ /dev/null 
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
- cacert=strongswanCert.pem
- certuribase=http://ip6-winnetou.strongswan.org/certs/rfc3779/
- crluri=http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- also=host-host
- leftsubnet=fec2::0/16
- rightsubnet=0::0/0
-
-conn host-host
- left=PH_IP6_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftfirewall=yes
- right=PH_IP6_MOON
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index 8e872d89f..000000000
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,26 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV -BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz -Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz -MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu -dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n -U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA -zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ -Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr -b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y -GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF -Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU -EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB -ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM -BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG -EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3 -OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI -KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK -AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB -ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm -uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud -rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS -Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA -MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX -fN8iF5kHn7S+Nd9ZFlf3S1w= ------END CERTIFICATE----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem deleted file mode 100644 index a93121da1..000000000 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEtjCCA56gAwIBAgIBBjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG -A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDkwMFoXDTE5 -MTIyMTA2NDkwMFowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u -Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2Fu -Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO+7A6hhF+4kxCv5 -oR9DEpv1gnpGmPpn6i7JfuLGIJ9phQ3bUnSMIx8+mp3JE4SLXINLcyCHilK74tIf -pwYx2K0c2txTFIWLQvBaHWohJ9Sgg4ElVXmSa/b0Nym5FcttdcRgNGd/+DLPs9Tw -ZoieGvJcZWiOBP+xxPbEo2xcoi3GetPN+XSW+m1BvU88Ysrp0o+4+rLPB5iipUB1 -Iksb51SvF4iG4BHfoTKGlHLwVyjJnp7YnYJtjY6Xaw1GbCf6wcwLlq71uoMj39cd -0clncpi/s13K2Sh0YHiCcQD5vIkP9BRmobWAXseBZevYI/rU5dz761EqHf72TRrd -bM3/KycCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud -DgQWBBTPOzV+XXFm2wEX9j+NxqVXiRBq7TCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj -Cx+h3EIGHhFfPNIQFKFepFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4 -IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHjAcBgNVBAMTFXN0cm9uZ1N3 -YW4gUkZDMzc3OSBDQYIJAPKv5keyTotGMB0GA1UdEQQWMBSCEnN1bi5zdHJvbmdz -d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo -dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fcmZjMzc3OS5jcmww -RQYIKwYBBQUHAQcBAf8ENjA0MBIEAgABMAwDAwAKAgMFAMCoAAIwHgQCAAIwGAMR -AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAgJDWuKCu -7H/K4U7xFRarSKtj9oMAAsq2vLSQqJTUg6fdTnFIlH3OBPcwEzFwVx30QlQyls1p -nHm/cptV/3cxvqCvdnT2dVspJu+9a5D+zZNeLAtWZuyRN6Nlmeqj1Nnp6eEHEBrg -oXMzmAf0ulzIZJsEVYwJSCXm0AMOlyvoIYqKxty3L2VZ1iAU1z15lnFhcvamraGx -k7yaI9ujVR4xQZOOgh05pUrEKaXI3XR1rIoL3NV3ws/JgHch/CQw/If7x4VQmGcD -yJbKkKn0S18TJr0KhPqbM4+inldEwyX/zjGmlHezy0em5qTRYwupFIQNwZZkTXug -NnBR3lf2HB2lWA== ------END CERTIFICATE----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem deleted file mode 100644 index 55f5f8037..000000000 
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA77sDqGEX7iTEK/mhH0MSm/WCekaY+mfqLsl+4sYgn2mFDdtS -dIwjHz6anckThItcg0tzIIeKUrvi0h+nBjHYrRza3FMUhYtC8FodaiEn1KCDgSVV -eZJr9vQ3KbkVy211xGA0Z3/4Ms+z1PBmiJ4a8lxlaI4E/7HE9sSjbFyiLcZ60835 -dJb6bUG9TzxiyunSj7j6ss8HmKKlQHUiSxvnVK8XiIbgEd+hMoaUcvBXKMmentid -gm2NjpdrDUZsJ/rBzAuWrvW6gyPf1x3RyWdymL+zXcrZKHRgeIJxAPm8iQ/0FGah -tYBex4Fl69gj+tTl3PvrUSod/vZNGt1szf8rJwIDAQABAoIBAQDf/YrzXpTva+bn -d7y16wOOORyKh0AUZ9eFk7s8xAZjLEKnqc8nGnEOln39A417AIOWIX8WW85Ac1EB -J5X10ck0JovP5Mh95prK3Egzi3sdzkRQ/MMablb2TUTldQwKIOIyc/lC42zSfQL3 -6Q7Eg4WGAhK2WEwPZNg2AZD4hKz7unK+IAar9uLi39E4iVzDavzwK5y+fsy3HVFD -cJbPWAr4+4teinF5wkRzK7OInwkPc9IrUF/9wp1ZWp/Rc1YEkCVwmu5v7kPzALI0 -SLwYLil8mXfvG0VZjYIlhCSOJJRuw/0JR2cCDJ9WFppK+YKNh+uLoPXhJxbXM8fB -BmCHhpdRAoGBAPpc7DhUQv8mxGCOy9O/ec50GTPj0bWD0WLrJoqvHu+LyN8OwTdG -KMdV4Mp/tpAWbAlKH22/+7P/QCOCwByHQaUisnbkqx+5/JhZsQB7rLAdQ8SHLdj2 -iO2+6cgYPOFm6W4QT7/vl4BHAK4Glw5NPyS5sN9JBTY4bpzFHunsRe27AoGBAPUg -zoUZnZ/6g+8XRSH77aLAbKScMBGusyxfhFAesqaXcrCrg8FG6Wcpuv2HsBE1v0d0 -7/1oJdT+p+uB2V3iZqTOeJeOCVYXgU82NRZl7R8hqYzkD8rFUZVg6hlm2xi+IUpE -ya4itKWIckSvnexEqiBov7k8sPmb7R/7HWGWUOuFAoGADz8PZ5LCDbW3qcWoZfm4 -Gjl5u245PBuN6b82NqXZdW8GyYalf483NoRlTw+d94JWC+7GoTFay6hUqJTyzAn0 -lnDZe2ILhcAWwNRdchEWABeYI+Szhw3kYs4IgJXxRyy0NG6r3J1jlX09bluaYVWU -7dCdE8vnlFi1a7iZXFd2HrcCgYBknEGHqdrjdbw/Hwr2BuQjf91Xtu+X4l+SH+Y7 -yE3FSLX/Q3aBluxntl4Uf2PJvIi0+I8kMGIOyTL827/u4+UDUed3NQop9t3ROEuT -1OP9eiCQPm8o59IzgKK1KF1XC3q4dAFfYslIg/d6r6Ye+pPlV3kRu5Jb8R7jmHsX -uc2ezQKBgQDgouR4ipkb+sQcMKkhzHUEx67aHEVH69v2R9lm8YgPHjvPCA++DgPZ -dwWALnW5wKRfdGy4b1yTIICUgjKIIlD2owJB/J5Z4SzrzbOAEJkNURGAhp6njsf+ -QYRyoXLOb/8jAQqLx9hOB8L2gsRSDddvvYw/DTP2cKM8vJtYFWam+A== ------END RSA PRIVATE KEY----- 
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf index 4fa0583ed..285350d7b 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/rsa/sunKey.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/rsa/sunKey.pem new file mode 100644 index 000000000..55f5f8037 --- /dev/null +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/rsa/sunKey.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA77sDqGEX7iTEK/mhH0MSm/WCekaY+mfqLsl+4sYgn2mFDdtS +dIwjHz6anckThItcg0tzIIeKUrvi0h+nBjHYrRza3FMUhYtC8FodaiEn1KCDgSVV +eZJr9vQ3KbkVy211xGA0Z3/4Ms+z1PBmiJ4a8lxlaI4E/7HE9sSjbFyiLcZ60835 +dJb6bUG9TzxiyunSj7j6ss8HmKKlQHUiSxvnVK8XiIbgEd+hMoaUcvBXKMmentid +gm2NjpdrDUZsJ/rBzAuWrvW6gyPf1x3RyWdymL+zXcrZKHRgeIJxAPm8iQ/0FGah +tYBex4Fl69gj+tTl3PvrUSod/vZNGt1szf8rJwIDAQABAoIBAQDf/YrzXpTva+bn +d7y16wOOORyKh0AUZ9eFk7s8xAZjLEKnqc8nGnEOln39A417AIOWIX8WW85Ac1EB +J5X10ck0JovP5Mh95prK3Egzi3sdzkRQ/MMablb2TUTldQwKIOIyc/lC42zSfQL3 +6Q7Eg4WGAhK2WEwPZNg2AZD4hKz7unK+IAar9uLi39E4iVzDavzwK5y+fsy3HVFD +cJbPWAr4+4teinF5wkRzK7OInwkPc9IrUF/9wp1ZWp/Rc1YEkCVwmu5v7kPzALI0 +SLwYLil8mXfvG0VZjYIlhCSOJJRuw/0JR2cCDJ9WFppK+YKNh+uLoPXhJxbXM8fB +BmCHhpdRAoGBAPpc7DhUQv8mxGCOy9O/ec50GTPj0bWD0WLrJoqvHu+LyN8OwTdG +KMdV4Mp/tpAWbAlKH22/+7P/QCOCwByHQaUisnbkqx+5/JhZsQB7rLAdQ8SHLdj2 +iO2+6cgYPOFm6W4QT7/vl4BHAK4Glw5NPyS5sN9JBTY4bpzFHunsRe27AoGBAPUg +zoUZnZ/6g+8XRSH77aLAbKScMBGusyxfhFAesqaXcrCrg8FG6Wcpuv2HsBE1v0d0 +7/1oJdT+p+uB2V3iZqTOeJeOCVYXgU82NRZl7R8hqYzkD8rFUZVg6hlm2xi+IUpE +ya4itKWIckSvnexEqiBov7k8sPmb7R/7HWGWUOuFAoGADz8PZ5LCDbW3qcWoZfm4 +Gjl5u245PBuN6b82NqXZdW8GyYalf483NoRlTw+d94JWC+7GoTFay6hUqJTyzAn0 +lnDZe2ILhcAWwNRdchEWABeYI+Szhw3kYs4IgJXxRyy0NG6r3J1jlX09bluaYVWU +7dCdE8vnlFi1a7iZXFd2HrcCgYBknEGHqdrjdbw/Hwr2BuQjf91Xtu+X4l+SH+Y7 +yE3FSLX/Q3aBluxntl4Uf2PJvIi0+I8kMGIOyTL827/u4+UDUed3NQop9t3ROEuT +1OP9eiCQPm8o59IzgKK1KF1XC3q4dAFfYslIg/d6r6Ye+pPlV3kRu5Jb8R7jmHsX +uc2ezQKBgQDgouR4ipkb+sQcMKkhzHUEx67aHEVH69v2R9lm8YgPHjvPCA++DgPZ +dwWALnW5wKRfdGy4b1yTIICUgjKIIlD2owJB/J5Z4SzrzbOAEJkNURGAhp6njsf+ +QYRyoXLOb/8jAQqLx9hOB8L2gsRSDddvvYw/DTP2cKM8vJtYFWam+A== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..68927c36d --- /dev/null 
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+ net-net {
+ local_addrs = fec0::2
+ remote_addrs = fec0::1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = fec2::0/16
+ remote_ts = 0::0/0
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128-sha256-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+authorities {
+ strongswan {
+ cacert = strongswanCert.pem
+ crl_uris = http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl
+ }
+}
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/x509/sunCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/x509/sunCert.pem
new file mode 100644
index 000000000..a93121da1
--- /dev/null
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/x509/sunCert.pem
@@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEtjCCA56gAwIBAgIBBjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDkwMFoXDTE5 +MTIyMTA2NDkwMFowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2Fu +Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO+7A6hhF+4kxCv5 +oR9DEpv1gnpGmPpn6i7JfuLGIJ9phQ3bUnSMIx8+mp3JE4SLXINLcyCHilK74tIf +pwYx2K0c2txTFIWLQvBaHWohJ9Sgg4ElVXmSa/b0Nym5FcttdcRgNGd/+DLPs9Tw +ZoieGvJcZWiOBP+xxPbEo2xcoi3GetPN+XSW+m1BvU88Ysrp0o+4+rLPB5iipUB1 +Iksb51SvF4iG4BHfoTKGlHLwVyjJnp7YnYJtjY6Xaw1GbCf6wcwLlq71uoMj39cd +0clncpi/s13K2Sh0YHiCcQD5vIkP9BRmobWAXseBZevYI/rU5dz761EqHf72TRrd +bM3/KycCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud +DgQWBBTPOzV+XXFm2wEX9j+NxqVXiRBq7TCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj +Cx+h3EIGHhFfPNIQFKFepFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4 +IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHjAcBgNVBAMTFXN0cm9uZ1N3 +YW4gUkZDMzc3OSBDQYIJAPKv5keyTotGMB0GA1UdEQQWMBSCEnN1bi5zdHJvbmdz +d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo +dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fcmZjMzc3OS5jcmww +RQYIKwYBBQUHAQcBAf8ENjA0MBIEAgABMAwDAwAKAgMFAMCoAAIwHgQCAAIwGAMR +AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAgJDWuKCu +7H/K4U7xFRarSKtj9oMAAsq2vLSQqJTUg6fdTnFIlH3OBPcwEzFwVx30QlQyls1p +nHm/cptV/3cxvqCvdnT2dVspJu+9a5D+zZNeLAtWZuyRN6Nlmeqj1Nnp6eEHEBrg +oXMzmAf0ulzIZJsEVYwJSCXm0AMOlyvoIYqKxty3L2VZ1iAU1z15lnFhcvamraGx +k7yaI9ujVR4xQZOOgh05pUrEKaXI3XR1rIoL3NV3ws/JgHch/CQw/If7x4VQmGcD +yJbKkKn0S18TJr0KhPqbM4+inldEwyX/zjGmlHezy0em5qTRYwupFIQNwZZkTXug +NnBR3lf2HB2lWA== +-----END CERTIFICATE----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..8e872d89f --- /dev/null 
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz +Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz +MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu +dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n +U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ +Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr +b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y +GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF +Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU +EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB +ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM +BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3 +OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI +KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK +AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB +ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm +uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud +rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS +Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA +MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX +fN8iF5kHn7S+Nd9ZFlf3S1w= +-----END CERTIFICATE----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat index 078fca541..aec4aa7d0 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat 
@@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl alice::"ip route del fec2:\:/16 via fec1:\:1" moon::"ip route del fec2:\:/16 via fec0:\:2" sun::"ip route del fec1:\:/16 via fec0:\:1" diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat index a14b3cf79..2db7a27c2 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat @@ -6,8 +6,8 @@ alice::"ip route add fec2:\:/16 via fec1:\:1" moon::"ip route add fec2:\:/16 via fec0:\:2" sun::"ip route add fec1:\:/16 via fec0:\:1" bob::"ip route add fec1:\:/16 via fec2:\:1" -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection net-net sun::expect-connection net-net -moon::ipsec up net-net +moon::swanctl --initiate --child net-net diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf index abade5bba..5906883b1 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="alice moon winnetou sun bob" - + # Corresponding block diagram # DIAGRAM="a-m-w-s-b-ip6.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat b/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat index 8229b6254..eddc9bf97 100644 --- a/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat 
@@ -1,14 +1,10 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL.*IPCOMP::YES -moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL.*IPCOMP::YES -moon:: cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES -moon:: cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES moon:: ip xfrm state::proto comp spi::YES carol::ip xfrm state::proto comp spi::YES # send two pings because the first is lost due to Path MTU Discovery between alice and moon carol::ping6 -c 2 -W 1 -s 8184 -p deadbeef ip6-alice.strongswan.org::8192 bytes from ip6-alice.strongswan.org::YES # reduce the size as the default is already larger than the threshold of 90 bytes carol::ping6 -c 1 -s 40 ip6-alice.strongswan.org::48 bytes from ip6-alice.strongswan.org::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*cpi-in.*cpi-out.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES +moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*cpi-in.*cpi-out.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] 
remote-ts=\[fec0:\:10/128]::YES moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/ipsec.conf deleted file mode 100644 index bd9a9e59f..000000000 --- a/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - compress=yes - leftfirewall=yes - -conn home - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP6_MOON - rightsubnet=fec1::/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf index af5fa19ef..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..279eb3205 --- /dev/null 
+++ b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = fec0::10
+ remote_addrs = fec0::1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = fec1::0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128-sha256-x25519
+ ipcomp = yes
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+authorities {
+ strongswan {
+ cacert = strongswanCert.pem
+ crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl
+ }
+}
diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index c4f9b5b5b..000000000
--- a/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
- cacert=strongswanCert.pem
- crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- compress=yes
- leftfirewall=yes
-
-conn rw
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=fec1::/16
- right=%any
- auto=add
diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf
index 93f434598..15f8ad5bc 100644
--- a/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf
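Review bot: The carol swanctl.conf for rw-compress-ikev2 is added with `new file mode 100755`, so a plain configuration file is committed with the execute bit set, while the ipsec.conf it replaces was `100644`. Nothing in the hunk suggests the file is meant to be run, so it should be added as `100644`. The same mode appears on every other swanctl.conf added in this part of the patch (rw-compress-ikev2 moon, and carol, dave and moon under both rw-ikev1 and rw-ikev2).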
@@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..b15b952cc --- /dev/null +++ b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + rw { + local_addrs = fec0::1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + ipcomp = yes + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/rw-compress-ikev2/posttest.dat b/testing/tests/ipv6/rw-compress-ikev2/posttest.dat index fdaf44080..55b22dfde 100644 --- a/testing/tests/ipv6/rw-compress-ikev2/posttest.dat +++ b/testing/tests/ipv6/rw-compress-ikev2/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -carol::ipsec stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush moon::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6/rw-compress-ikev2/pretest.dat b/testing/tests/ipv6/rw-compress-ikev2/pretest.dat index 3f6427f50..96a2d7d9e 100644 
--- a/testing/tests/ipv6/rw-compress-ikev2/pretest.dat +++ b/testing/tests/ipv6/rw-compress-ikev2/pretest.dat @@ -6,8 +6,8 @@ carol::ip6tables-restore < /etc/ip6tables.rules moon::ip6tables -I OUTPUT 1 -o eth1 -p icmpv6 --icmpv6-type 2 -j ACCEPT alice::"ip route add fec0:\:/16 via fec1:\:1" carol::"ip route add fec1:\:/16 via fec0:\:1" -moon::ipsec start -carol::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home diff --git a/testing/tests/ipv6/rw-compress-ikev2/test.conf b/testing/tests/ipv6/rw-compress-ikev2/test.conf index 8098d4720..8eedcd9f9 100644 --- a/testing/tests/ipv6/rw-compress-ikev2/test.conf +++ b/testing/tests/ipv6/rw-compress-ikev2/test.conf @@ -24,3 +24,7 @@ IPSECHOSTS="moon carol" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/rw-ikev1/description.txt b/testing/tests/ipv6/rw-ikev1/description.txt index 17461370e..c8549777d 100644 --- a/testing/tests/ipv6/rw-ikev1/description.txt +++ b/testing/tests/ipv6/rw-ikev1/description.txt @@ -1,7 +1,7 @@ The roadwarriors carol and dave set up an IPv6 connection each to gateway moon. The authentication is based on X.509 certificates. -Upon the successful establishment of the IPv6 ESP tunnels, leftfirewall=yes -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +Upon the successful establishment of the IPv6 ESP tunnels, automatically inserted +ip6tables-based firewall rules let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave send an IPv6 ICMP request to the client alice behind the gateway moon using the ping6 command. diff --git a/testing/tests/ipv6/rw-ikev1/evaltest.dat b/testing/tests/ipv6/rw-ikev1/evaltest.dat index 0e125b70e..1202a99d2 100644 --- a/testing/tests/ipv6/rw-ikev1/evaltest.dat 
+++ b/testing/tests/ipv6/rw-ikev1/evaltest.dat 
@@ -1,13 +1,9 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:10 local-port=500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:20 local-port=500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> 
/dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:20 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 4bcfd19dd..000000000 --- a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf +++ /dev/null 
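Review bot: The dave pattern in the rw-ikev1 evaltest.dat hunk reads `mode=TUNNEL.*ESP..*encr-alg=AES_CBC`, while the carol and moon patterns use `ESP.*encr-alg`. The extra `.` looks like a typo and should read `mode=TUNNEL.*ESP.*encr-alg=AES_CBC`, so that all four checks match the same shape of output. The dave line of the rw-ikev2 evaltest.dat hunk further down has the same `ESP..*`.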
@@ -1,27 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - fragmentation=yes - -conn home - left=PH_IP6_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - rightsubnet=fec1::/16 - auto=add diff --git a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf index 0835a1605..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf @@ -1,7 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size = 1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..52970208b --- /dev/null +++ b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/swanctl/swanctl.conf 
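Review bot: The rewritten carol strongswan.conf for rw-ikev1 drops `fragment_size = 1024`, and the deleted ipsec.conf carried `fragmentation=yes`, but the swanctl.conf that replaces them sets neither. The scenario therefore no longer pins a small IKE fragment size. If exercising IKEv1 fragmentation was part of this test, keep `fragment_size = 1024` inside `charon-systemd { }` and set `fragmentation = yes` on the connection; if the removal is intentional, the commit description should say so. The dave and moon strongswan.conf hunks for rw-ikev1 make the same removal.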
@@ -0,0 +1,34 @@
+connections {
+
+ home {
+ local_addrs = fec0::10
+ remote_addrs = fec0::1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = fec1::0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128-sha256-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
+
+authorities {
+ strongswan {
+ cacert = strongswanCert.pem
+ crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl
+ }
+}
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 125303638..000000000
--- a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
- cacert=strongswanCert.pem
- certuribase=http://ip6-winnetou.strongswan.org/certs/
- crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- fragmentation=yes
-
-conn home
- left=PH_IP6_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP6_MOON
- rightid=@moon.strongswan.org
- rightsubnet=fec1::/16
- auto=add
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf
index 02280ac2f..15f8ad5bc 100644
--- a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size = 1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..c26ba5780 --- /dev/null +++ b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::20 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 880b1b2e7..000000000 --- a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf +++ /dev/null 
@@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - fragmentation=yes - -conn rw - left=PH_IP6_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=fec1::/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf index 02280ac2f..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf @@ -1,7 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size = 1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..f72f9ef86 --- /dev/null +++ b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/swanctl/swanctl.conf 
@@ -0,0 +1,32 @@
+connections {
+
+ rw {
+ local_addrs = fec0::1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = fec1::0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128-sha256-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
+
+authorities {
+ strongswan {
+ cacert = strongswanCert.pem
+ crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl
+ }
+}
diff --git a/testing/tests/ipv6/rw-ikev1/posttest.dat b/testing/tests/ipv6/rw-ikev1/posttest.dat
index 4e59395e3..59495fc46 100644
--- a/testing/tests/ipv6/rw-ikev1/posttest.dat
+++ b/testing/tests/ipv6/rw-ikev1/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+moon::systemctl stop strongswan-swanctl
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ipv6/rw-ikev1/pretest.dat b/testing/tests/ipv6/rw-ikev1/pretest.dat
index f60be3887..a8c8a7097 100644
--- a/testing/tests/ipv6/rw-ikev1/pretest.dat
+++ b/testing/tests/ipv6/rw-ikev1/pretest.dat
@@ -7,11 +7,11 @@ dave::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec0:\:/16 via fec1:\:1"
 carol::"ip route add fec1:\:/16 via fec0:\:1"
 dave::"ip route add fec1:\:/16 via fec0:\:1"
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 carol::expect-connection home
 dave::expect-connection home
-carol::ipsec up home
-dave::ipsec up home
+carol::swanctl --initiate --child home
+dave::swanctl --initiate --child home
diff --git a/testing/tests/ipv6/rw-ikev1/test.conf b/testing/tests/ipv6/rw-ikev1/test.conf index 69b0757fd..0f02a1a11 100644 --- a/testing/tests/ipv6/rw-ikev1/test.conf +++ b/testing/tests/ipv6/rw-ikev1/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/rw-ikev2/description.txt b/testing/tests/ipv6/rw-ikev2/description.txt index 17461370e..c8549777d 100644 --- a/testing/tests/ipv6/rw-ikev2/description.txt +++ b/testing/tests/ipv6/rw-ikev2/description.txt @@ -1,7 +1,7 @@ The roadwarriors carol and dave set up an IPv6 connection each to gateway moon. The authentication is based on X.509 certificates. -Upon the successful establishment of the IPv6 ESP tunnels, leftfirewall=yes -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +Upon the successful establishment of the IPv6 ESP tunnels, automatically inserted +ip6tables-based firewall rules let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave send an IPv6 ICMP request to the client alice behind the gateway moon using the ping6 command. diff --git a/testing/tests/ipv6/rw-ikev2/evaltest.dat b/testing/tests/ipv6/rw-ikev2/evaltest.dat index 0e125b70e..d5d5a6b1c 100644 --- a/testing/tests/ipv6/rw-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-ikev2/evaltest.dat 
@@ -1,13 +1,9 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED 
local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:20 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 21166b2d0..000000000 --- a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn home - left=PH_IP6_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - rightsubnet=fec1::/16 - keyexchange=ikev2 - auto=add 
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf index 9c9714a33..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..5bfbe324d --- /dev/null +++ b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::10 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 9513be833..000000000 --- a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf +++ /dev/null 
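Review bot: The carol strongswan.conf hunk for rw-ikev2 removes `hash_and_url = yes`, and the deleted ipsec.conf's `certuribase=http://ip6-winnetou.strongswan.org/certs/` has no counterpart in the new `authorities { strongswan { … } }` section. The IKEv2 roadwarrior scenario therefore appears to stop covering hash-and-URL certificate transfer. If that coverage is still wanted, keep `hash_and_url = yes` under `charon-systemd` and add `cert_uri_base = http://ip6-winnetou.strongswan.org/certs/` next to `crl_uris`; otherwise the removal should be mentioned in the description. The dave and moon strongswan.conf hunks for rw-ikev2 drop the same setting.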
@@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn home - left=PH_IP6_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - rightsubnet=fec1::/16 - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..7fe33bf8f --- /dev/null +++ b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/swanctl/swanctl.conf 
@@ -0,0 +1,34 @@
+connections {
+
+ home {
+ local_addrs = fec0::20
+ remote_addrs = fec0::1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = fec1::0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128-sha256-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+authorities {
+ strongswan {
+ cacert = strongswanCert.pem
+ crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl
+ }
+}
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 4bed27ec5..000000000
--- a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
- cacert=strongswanCert.pem
- certuribase=http://ip6-winnetou.strongswan.org/certs/
- crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn rw
- left=PH_IP6_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=fec1::/16
- leftfirewall=yes
- right=%any
- keyexchange=ikev2
- auto=add
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
index 3a52f0db6..15f8ad5bc 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..b28e49e07 --- /dev/null +++ b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + rw { + local_addrs = fec0::1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/rw-ikev2/posttest.dat b/testing/tests/ipv6/rw-ikev2/posttest.dat index 4e59395e3..59495fc46 100644 --- a/testing/tests/ipv6/rw-ikev2/posttest.dat +++ b/testing/tests/ipv6/rw-ikev2/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ipv6/rw-ikev2/pretest.dat b/testing/tests/ipv6/rw-ikev2/pretest.dat index f60be3887..a8c8a7097 100644 --- a/testing/tests/ipv6/rw-ikev2/pretest.dat 
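Review bot: In moon's new `swanctl.conf` the `remote` section of the `rw` connection holds only `auth = pubkey`, so the connection itself does not bind the roadwarriors to the strongSwan CA. Acceptance then depends on whichever CA certificates happen to be loaded on the gateway, which is not visible from this hunk. Adding `cacerts = strongswanCert.pem` to `remote` would state the intended trust anchor where the policy is defined. The same applies to moon's `swanctl.conf` under rw-ip6-in-ip4-ikev1 and rw-ip6-in-ip4-ikev2, which in addition have no `authorities` section.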
+++ b/testing/tests/ipv6/rw-ikev2/pretest.dat @@ -7,11 +7,11 @@ dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec0:\:/16 via fec1:\:1" carol::"ip route add fec1:\:/16 via fec0:\:1" dave::"ip route add fec1:\:/16 via fec0:\:1" -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home dave::expect-connection home -carol::ipsec up home -dave::ipsec up home +carol::swanctl --initiate --child home +dave::swanctl --initiate --child home diff --git a/testing/tests/ipv6/rw-ikev2/test.conf b/testing/tests/ipv6/rw-ikev2/test.conf index 69b0757fd..0f02a1a11 100644 --- a/testing/tests/ipv6/rw-ikev2/test.conf +++ b/testing/tests/ipv6/rw-ikev2/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/description.txt b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/description.txt index f9412611b..ce07226c5 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/description.txt +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/description.txt @@ -1,10 +1,10 @@ -The roadwarriors carol and dave set up an IPv6-in-IPv4 tunnel connection each -to gateway moon. The authentication is based on X.509 certificates. -Both carol and dave request a virtual IPv6 address from moon via -the IKEv1 mode config payload. +The roadwarriors carol and dave set up an IPv6-in-IPv4 tunnel +connection each to gateway moon. The authentication is based on X.509 +certificates. Both carol and dave request a virtual IPv6 +address from moon via the IKEv1 mode config payload.

-Upon the successful establishment of the ESP tunnels, leftfirewall=yes -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. -In order to test both tunnel and firewall, both carol and dave send -an IPv6 ICMP request to the client alice behind the gateway moon -using the ping6 command. +Upon the successful establishment of the ESP tunnels, automatically inserted +ip6tables-based firewall rules let pass the tunneled traffic. In order to test +both tunnel and firewall, both carol and dave send an IPv6 ICMP +request to the client alice behind the gateway moon using the +ping6 command. diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat index f6dc9aa3e..78488871f 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat 
@@ -1,13 +1,9 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:1] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec3:\:1/128] remote-ts=\[fec1:\:/16] +dave::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec3:\:2/128] 
remote-ts=\[fec1:\:/16] +moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128] +moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:1/128] moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 8aba6f0b1..000000000 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf +++ /dev/null 
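Review bot: The four added `swanctl --list-sas` checks stop at the `remote-ts=…` pattern and lack the trailing `::YES` field that the `ping6` and `tcpdump` lines of this file carry, so depending on how the harness treats a three-field line they may never be evaluated. That would also explain an error in moon's `--ike-id 1` line: it pairs `remote-host=192.168.0.100` and `remote-vips=\[fec3:\:1]`, which are carol's values in the carol line above, with `remote-id=dave@strongswan.org` where `remote-id=carol@strongswan.org` is expected. Append `::YES` to each of the four lines and correct the identity, otherwise the negotiated identities and algorithms are not actually asserted. The evaltest.dat hunk for rw-ip6-in-ip4-ikev2 further down has both problems in the same places, while the rw-psk-ikev1 version does have the terminators.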
@@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftsourceip=%config - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=fec1::/16 - auto=add diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf index 9c9714a33..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..fcf530ebe --- /dev/null +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + vips = 0::0 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} 
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf deleted file mode 100644 index d0ff82c2d..000000000 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftsourceip=%config - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=fec1::/16 - auto=add diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..51fb8d65c --- /dev/null +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/swanctl/swanctl.conf 
@@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + vips = 0::0 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf deleted file mode 100644 index e77d7b608..000000000 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=fec1::/16 - leftfirewall=yes - right=%any - rightsourceip=fec3::/120 - auto=add diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } 
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..72201edc0 --- /dev/null +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + pools = rw_pool + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +pools { + rw_pool { + addrs = fec3::/120 + } +} diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat index ebe5e2a80..d8d4bbbec 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat index e73bde487..9a756eb78 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat 
@@ -5,11 +5,11 @@ moon::ip6tables-restore < /etc/ip6tables.rules carol::ip6tables-restore < /etc/ip6tables.rules dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec3:\:/16 via fec1:\:1" -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home dave::expect-connection home -carol::ipsec up home -dave::ipsec up home +carol::swanctl --initiate --child home +dave::swanctl --initiate --child home diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf index 69b0757fd..0f02a1a11 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/description.txt b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/description.txt index 237e6fa52..790427243 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/description.txt +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/description.txt @@ -1,10 +1,10 @@ -The roadwarriors carol and dave set up an IPv6-in-IPv4 tunnel connection each -to gateway moon. The authentication is based on X.509 certificates. -Both carol and dave request a virtual IPv6 address from moon via -the IKEv2 configuration payload. +The roadwarriors carol and dave set up an IPv6-in-IPv4 tunnel +connection each to gateway moon. The authentication is based on X.509 +certificates Both carol and dave request a virtual IPv6 address +from moon via the IKEv2 configuration payload.

-Upon the successful establishment of the ESP tunnels, leftfirewall=yes -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. -In order to test both tunnel and firewall, both carol and dave send -an IPv6 ICMP request to the client alice behind the gateway moon -using the ping6 command. +Upon the successful establishment of the ESP tunnels, automatically inserted +ip6tables-based firewall rules let pass the tunneled traffic. In order to test +both tunnel and firewall, both carol and dave send an IPv6 ICMP +request to the client alice behind the gateway moon using the +ping6 command. diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat index f6dc9aa3e..d0f2bac96 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat 
@@ -1,13 +1,9 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:1] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec3:\:1/128] remote-ts=\[fec1:\:/16] +dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16] +moon::swanctl 
--list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128] +moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:1/128] moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 1ca1c6c26..000000000 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftsourceip=%config - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=fec1::/16 - auto=add 
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf index 9c9714a33..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..1a9ed078f --- /dev/null +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + vips = 0::0 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf deleted file mode 100644 index bba2d96f7..000000000 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf +++ /dev/null 
@@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftsourceip=%config - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=fec1::/16 - auto=add diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..1fb687eaa --- /dev/null +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + vips = 0::0 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} 
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 5ea245568..000000000 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=fec1::/16 - leftfirewall=yes - right=%any - rightsourceip=fec3::/120 - auto=add diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..6624bfb3e --- /dev/null +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/swanctl/swanctl.conf 
@@ -0,0 +1,32 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + pools = rw_pool + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +pools { + rw_pool { + addrs = fec3::/120 + } +} diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat index ebe5e2a80..d8d4bbbec 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat index e73bde487..9a756eb78 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat @@ -5,11 +5,11 @@ moon::ip6tables-restore < /etc/ip6tables.rules carol::ip6tables-restore < /etc/ip6tables.rules dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec3:\:/16 via fec1:\:1" -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home dave::expect-connection home -carol::ipsec up home -dave::ipsec up home +carol::swanctl --initiate --child home +dave::swanctl --initiate --child home 
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf index 69b0757fd..0f02a1a11 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/rw-psk-ikev1/description.txt b/testing/tests/ipv6/rw-psk-ikev1/description.txt index 66fc09053..fd7369d8f 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/description.txt +++ b/testing/tests/ipv6/rw-psk-ikev1/description.txt @@ -1,7 +1,7 @@ -The roadwarriors carol and dave set up an IPv6 tunnel connection each +The roadwarriors carol and dave set up an IPv6 tunnel connection each to gateway moon. The authentication is based on distinct pre-shared keys and IPv6 addresses. Upon the successful establishment of the IPsec tunnels, -leftfirewall=yes automatically inserts ip6tables-based firewall rules that -let pass the tunneled traffic. In order to test both tunnel and firewall, both -carol and dave send an IPv6 ICMP request to client alice -behind the gateway moon using the ping6 command. +automatically inserted ip6tables-based firewall rules let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave send +an IPv6 ICMP request to client alice behind the gateway moon using +the ping6 command. diff --git a/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat b/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat index 16982a736..e92aa028d 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat +++ b/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat 
@@ -1,13 +1,10 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:10].*\[fec0.*:1]::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:20].*\[fec0.*:1]::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:10]::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:20]::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES + carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:10 local-port=500 local-id=fec0:\:10 remote-host=fec0:\:1 remote-port=500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:20 local-port=500 local-id=fec0:\:20 remote-host=fec0:\:1 remote-port=500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=fec0:\:1 
remote-host=fec0:\:10 remote-port=500 remote-id=fec0:\:10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=fec0:\:1 remote-host=fec0:\:20 remote-port=500 remote-id=fec0:\:20.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 47080139f..000000000 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,18 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - authby=secret - -conn home - left=PH_IP6_CAROL - leftfirewall=yes - right=PH_IP6_MOON - rightsubnet=fec1::/16 - auto=add diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 2abcb4e0a..000000000 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets +++ /dev/null 
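Review bot: The new rw-psk-ikev1 evaltest.dat begins with an added empty line (the lone `+` right after the removed `ipsec status` checks), which the rw-psk-ikev2 version of this file does not have. Unless the test runner is known to skip empty entries, drop it. The added dave line also matches `mode=TUNNEL.*ESP..*encr-alg=AES_CBC`, where the carol and moon lines use `ESP.*encr-alg=AES_CBC`. The extra dot looks like a typo and makes the four SA checks slightly different from each other. The same `ESP..*` appears in the dave lines of the rw-psk-ikev2 and rw-rfc3779-ikev2 evaltest.dat hunks.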
@@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -PH_IP6_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf index 955514391..306228a75 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 curve25519 hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..524530721 --- /dev/null +++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::10 + remote_addrs = fec0::1 + + local { + auth = psk + id = fec0::10 + } + remote { + auth = psk + id = fec0::1 + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + ike-moon { + id = fec0::1 + secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx + } +} diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.conf deleted file mode 100644 index c59d32a14..000000000 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.conf +++ /dev/null 
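Review bot: The carol swanctl.conf is added with `new file mode 100755`, although it is a plain configuration file whose `secrets` section carries the pre-shared key in clear text. The executable bit serves no purpose here, and if the test harness copies the file with its repository mode, the key file ends up more permissive than the old ipsec.secrets convention. Mode `100644` in the tree would be enough, and how the deployed copy is restricted is not visible from this hunk. A comment above `secrets {` such as `# test-lab PSK only, never reuse` would also make the fixture's status explicit. The dave and moon swanctl.conf files added for rw-psk-ikev1 and rw-psk-ikev2 are created with the same mode.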
@@ -1,19 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - authby=secret - -conn home - left=PH_IP6_DAVE - leftfirewall=yes - right=PH_IP6_MOON - rightsubnet=fec1::/16 - auto=add diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 2375cd559..000000000 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -PH_IP6_DAVE : PSK 0sjVzONCF02ncsgiSlmIXeqhGN diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf index 955514391..306228a75 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 curve25519 hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..7e3cff4ff --- /dev/null +++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf 
@@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::20 + remote_addrs = fec0::1 + + local { + auth = psk + id = fec0::20 + } + remote { + auth = psk + id = fec0::1 + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + ike-moon { + id = fec0::1 + secret = 0sjVzONCF02ncsgiSlmIXeqhGN + } +} diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 7d32866b5..000000000 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,18 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - authby=secret - -conn rw - left=PH_IP6_MOON - leftsubnet=fec1::/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 88c418353..000000000 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -PH_IP6_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx - -PH_IP6_DAVE : PSK 0sjVzONCF02ncsgiSlmIXeqhGN diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf index 955514391..306228a75 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf 
@@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 curve25519 hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..70c360ce7 --- /dev/null +++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,37 @@ +connections { + + rw { + local_addrs = fec0::1 + + local { + auth = psk + id = fec0::1 + } + remote { + auth = psk + } + children { + net { + local_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + ike-carol { + id = fec0::10 + secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx + } + + ike-dave { + id = fec0::20 + secret = 0sjVzONCF02ncsgiSlmIXeqhGN + } +} diff --git a/testing/tests/ipv6/rw-psk-ikev1/posttest.dat b/testing/tests/ipv6/rw-psk-ikev1/posttest.dat index 4e59395e3..59495fc46 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/posttest.dat +++ b/testing/tests/ipv6/rw-psk-ikev1/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ipv6/rw-psk-ikev1/pretest.dat b/testing/tests/ipv6/rw-psk-ikev1/pretest.dat index 93a96ec36..48cb77608 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/pretest.dat +++ b/testing/tests/ipv6/rw-psk-ikev1/pretest.dat 
@@ -7,14 +7,14 @@ dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec0:\:/16 via fec1:\:1" carol::"ip route add fec1:\:/16 via fec0:\:1" dave::"ip route add fec1:\:/16 via fec0:\:1" -moon::rm /etc/ipsec.d/cacerts/* -carol::rm /etc/ipsec.d/cacerts/* -dave::rm /etc/ipsec.d/cacerts/* -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home dave::expect-connection home -carol::ipsec up home -dave::ipsec up home +carol::swanctl --initiate --child home +dave::swanctl --initiate --child home diff --git a/testing/tests/ipv6/rw-psk-ikev1/test.conf b/testing/tests/ipv6/rw-psk-ikev1/test.conf index 69b0757fd..0f02a1a11 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/test.conf +++ b/testing/tests/ipv6/rw-psk-ikev1/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/rw-psk-ikev2/description.txt b/testing/tests/ipv6/rw-psk-ikev2/description.txt index 66fc09053..0bd1474a0 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/description.txt +++ b/testing/tests/ipv6/rw-psk-ikev2/description.txt 
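Review bot: The three added cleanup lines chain their commands with `;`, so `rm rsa/* x509/* x509ca/*` still runs when `cd /etc/swanctl` fails, and then deletes relative to whatever directory the command started in. Use `cd /etc/swanctl && rm rsa/* x509/* x509ca/*`, or absolute paths as the removed `rm /etc/ipsec.d/cacerts/*` lines did: `rm /etc/swanctl/rsa/* /etc/swanctl/x509/* /etc/swanctl/x509ca/*`. The rw-psk-ikev2 pretest.dat hunk adds the same three lines.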
@@ -1,7 +1,7 @@ -The roadwarriors carol and dave set up an IPv6 tunnel connection each +TThe roadwarriors carol and dave set up an IPv6 tunnel connection each to gateway moon. The authentication is based on distinct pre-shared keys and IPv6 addresses. Upon the successful establishment of the IPsec tunnels, -leftfirewall=yes automatically inserts ip6tables-based firewall rules that -let pass the tunneled traffic. In order to test both tunnel and firewall, both -carol and dave send an IPv6 ICMP request to client alice -behind the gateway moon using the ping6 command. +automatically inserted ip6tables-based firewall rules let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave send +an IPv6 ICMP request to client alice behind the gateway moon using +the ping6 command. diff --git a/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat b/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat index 16982a736..ce79801ec 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat 
@@ -1,13 +1,9 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:10].*\[fec0.*:1]::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:20].*\[fec0.*:1]::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:10]::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:20]::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=fec0:\:10 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=fec0:\:20 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=fec0:\:1 remote-host=fec0:\:10 remote-port=4500 
remote-id=fec0:\:10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=fec0:\:1 remote-host=fec0:\:20 remote-port=4500 remote-id=fec0:\:20.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.conf deleted file mode 100644 index eed683f72..000000000 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,18 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - authby=secret - -conn home - left=PH_IP6_CAROL - leftfirewall=yes - right=PH_IP6_MOON - rightsubnet=fec1::/16 - auto=add diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.secrets b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 2abcb4e0a..000000000 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.secrets +++ /dev/null 
@@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -PH_IP6_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf index 955514391..306228a75 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 curve25519 hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..6d1b0a61b --- /dev/null +++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::10 + remote_addrs = fec0::1 + + local { + auth = psk + id = fec0::10 + } + remote { + auth = psk + id = fec0::1 + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + ike-moon { + id = fec0::1 + secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx + } +} diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 3b45adb0d..000000000 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.conf +++ /dev/null 
@@ -1,19 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - authby=secret - -conn home - left=PH_IP6_DAVE - leftfirewall=yes - right=PH_IP6_MOON - rightsubnet=fec1::/16 - auto=add diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.secrets b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 2375cd559..000000000 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -PH_IP6_DAVE : PSK 0sjVzONCF02ncsgiSlmIXeqhGN diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf index 955514391..306228a75 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 curve25519 hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..8d848205b --- /dev/null +++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/swanctl/swanctl.conf 
@@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::20 + remote_addrs = fec0::1 + + local { + auth = psk + id = fec0::20 + } + remote { + auth = psk + id = fec0::1 + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + ike-moon { + id = fec0::1 + secret = 0sjVzONCF02ncsgiSlmIXeqhGN + } +} diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.conf deleted file mode 100644 index f6c4c6ab9..000000000 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,18 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - authby=secret - -conn rw - left=PH_IP6_MOON - leftsubnet=fec1::/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.secrets b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 88c418353..000000000 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -PH_IP6_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx - -PH_IP6_DAVE : PSK 0sjVzONCF02ncsgiSlmIXeqhGN diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf index 955514391..306228a75 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf 
@@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 curve25519 hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..df4170e96 --- /dev/null +++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,37 @@ +connections { + + rw { + local_addrs = fec0::1 + + local { + auth = psk + id = fec0::1 + } + remote { + auth = psk + } + children { + net { + local_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + ike-carol { + id = fec0::10 + secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx + } + + ike-dave { + id = fec0::20 + secret = 0sjVzONCF02ncsgiSlmIXeqhGN + } +} diff --git a/testing/tests/ipv6/rw-psk-ikev2/posttest.dat b/testing/tests/ipv6/rw-psk-ikev2/posttest.dat index 4e59395e3..59495fc46 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/posttest.dat +++ b/testing/tests/ipv6/rw-psk-ikev2/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ipv6/rw-psk-ikev2/pretest.dat b/testing/tests/ipv6/rw-psk-ikev2/pretest.dat index 93a96ec36..48cb77608 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/pretest.dat +++ b/testing/tests/ipv6/rw-psk-ikev2/pretest.dat 
@@ -7,14 +7,14 @@ dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec0:\:/16 via fec1:\:1" carol::"ip route add fec1:\:/16 via fec0:\:1" dave::"ip route add fec1:\:/16 via fec0:\:1" -moon::rm /etc/ipsec.d/cacerts/* -carol::rm /etc/ipsec.d/cacerts/* -dave::rm /etc/ipsec.d/cacerts/* -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home dave::expect-connection home -carol::ipsec up home -dave::ipsec up home +carol::swanctl --initiate --child home +dave::swanctl --initiate --child home diff --git a/testing/tests/ipv6/rw-psk-ikev2/test.conf b/testing/tests/ipv6/rw-psk-ikev2/test.conf index 69b0757fd..0f02a1a11 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/test.conf +++ b/testing/tests/ipv6/rw-psk-ikev2/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat index 551eae263..082416d60 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat 
@@ -1,18 +1,13 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES moon:: cat /var/log/daemon.log::TS fec0:\:10/128 is contained in address block constraint fec0:\:10/128::YES moon:: cat /var/log/daemon.log::TS fec0:\:20/128 is contained in address block constraint fec0:\:20/128::YES carol::cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES dave:: cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED 
local-host=fec0:\:20 local-port=4500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:20 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf deleted file mode 100644 index a2e054e13..000000000 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf +++ /dev/null 
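Review bot: This hunk removes `moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES` without a replacement, while the other three tcpdump checks stay as context. The scenario therefore no longer verifies that traffic from carol reaches moon as ESP. The rw-psk-ikev1 and rw-psk-ikev2 evaltest.dat hunks keep that line, which suggests the removal here is accidental. Re-add it after the last `swanctl --list-sas` check so all four directions are asserted again.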
@@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/rfc3779/ - crluri=http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn home - left=PH_IP6_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - rightsubnet=0::0/0 - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index 8e872d89f..000000000 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null 
@@ -1,26 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV -BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz -Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz -MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu -dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n -U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA -zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ -Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr -b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y -GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF -Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU -EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB -ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM -BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG -EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3 -OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI -KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK -AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB -ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm -uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud -rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS -Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA -MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX -fN8iF5kHn7S+Nd9ZFlf3S1w= ------END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem deleted file mode 100644 index bf8a4919d..000000000 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEojCCA4qgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG -A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTEzMFoXDTE5 -MTIyMTA4NTEzMFowWTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u -Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3 -YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsSlxt8LQf1wJ -u1rDltyU0dEjEqA+TxWQYi+gMakDGmWmFec1XELjKv3kcYp2McydNPq63fw9XXbu -a/jMtmEZdFc/dpWYvsyXfyL0OOhh50PlwN++e0xxcZS4NQ6wz57bHgARzMoCisNr -xcN0F44S0Zyn8edHkE4XV4c0p+ojB6cw5LieSMGIBQjKGCd2a3eZYhTCs6hI0vhQ -Q1jDLyOvSWo+raa/uDTBYXCVYdN3lbHCPiXPuMY1CwZkGcANd6vBK5YBNiZFquBj -FhIk8SBUkoEkUQMx+pMk3hGmq5aZXGxm9rHN8Xim/AewWRcKJJKdlLAAHmZD0jx2 -g/E0LGu01wIDAQABo4IBcjCCAW4wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD -VR0OBBYEFNs9CUs7SNJewkkfo1Bg7bcUEzPXMIGMBgNVHSMEgYQwgYGAFCF/p+s3 -0KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu -dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n -U3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry -b25nc3dhbi5vcmcwQQYDVR0fBDowODA2oDSgMoYwaHR0cDovL2NybC5zdHJvbmdz -d2FuLm9yZy9zdHJvbmdzd2FuX3JmYzM3NzkuY3JsMEIGCCsGAQUFBwEHAQH/BDMw -MTAUBAIAATAOAwUACgMAAQMFAMCoAGQwGQQCAAIwEwMRAP7AAAAAAAAAAAAAAAAA -ABAwDQYJKoZIhvcNAQELBQADggEBAEYqXkheXXHiC5JnrZm5QUo11Vu4CtNRGeg0 -atuG8ZNHgQfa7wjjeCDNpj3lHvyegYsSMo7wGwN7DugH0mmXKZF9XHc4sU7/aUvl -mX52tDuUoCGD0/yFuKLlYOfwmsquC9snYDW7cJXaqMON/OMLcU44OR8E1oiw2ePT -FqyGFbfparp+Q8I7VHwJBs+mDphdNUlFbpuO9m2eEtqdYVyXlfUnbFpMMyWxxIY/ -6CIyWcRRKeWRRXxkk/dSeEWgsfWY7ITK9blP5nhIsgpCoEguGc6h4RL65VdH+Sy0 -9MLpesyGe6qkdrrg4nyaY82uuFXhUo0YiP0ddUw8eNaefFqEzL0= ------END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem deleted file mode 100644 index a75622149..000000000 
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAsSlxt8LQf1wJu1rDltyU0dEjEqA+TxWQYi+gMakDGmWmFec1 -XELjKv3kcYp2McydNPq63fw9XXbua/jMtmEZdFc/dpWYvsyXfyL0OOhh50PlwN++ -e0xxcZS4NQ6wz57bHgARzMoCisNrxcN0F44S0Zyn8edHkE4XV4c0p+ojB6cw5Lie -SMGIBQjKGCd2a3eZYhTCs6hI0vhQQ1jDLyOvSWo+raa/uDTBYXCVYdN3lbHCPiXP -uMY1CwZkGcANd6vBK5YBNiZFquBjFhIk8SBUkoEkUQMx+pMk3hGmq5aZXGxm9rHN -8Xim/AewWRcKJJKdlLAAHmZD0jx2g/E0LGu01wIDAQABAoIBAQCKdl7HhX5ZHAEL -KjwVq56wgekMhKtOOgdXheuJBJRFTE7LbaI50pkjn72ss8/+yfHQV2o3Vw5K/0oG -nzS4EhnH4Ozb7L2t2c9J8XK5C36BNoLaBMUmLq+3WsnBxhKQopKU1u8ShIwKEgQo -U8NnKYYxx2NHYECBW1dI9IZF+muYbVg420PJ4DiFMSTy5+o+UsI8X0ymV2RYZAfg -qO8WgQYHZca2ffJ4rJHi8wf4IzaH//65vP+Ij7FGzfXmBd3A9F1wP7skBYZRYPp6 -MtZ5cxfNUwkGtkmt1KaEnsmg4F1/jaB0h5+xT4pj6NqaatvoKZ5zd8zpcGktuptO -zhTa63hpAoGBAOkxtwWaJAHj1GH1CzIkCP4siySSgphtcjP96XdcIaTuGx8gp/YU -0Bj3irK3KpVNrcLgc8KzylfMiAETMlRnEb28wSfqkegCR4Lrrsw3YjEAcVPC9Vtb -/wQHc9wUGCt0OUv7EE7alB/cKnjTQzF6ZgTGTUhGv4CuL6XjhEzqiA0bAoGBAMJ8 -5V/wjaDkRDHRtaDI7xX2j4uPE7FoQYCSVtKOil3rmIrmgBCXTtWB8EQ9o3Ux6sOl -lmA3sSF1ajyPu8e2+QhQF9wAF5mvN80aPj0KXKCv6Qx/H6Tjpg3eqVr6rucOyH58 -gKnuo1YISFcjcMkNEOZy6//7SkmAAN/p0Dgk6h71AoGAVKSC9jmY0EbOFDBJvA1w -ZjHs331+ga1YQp7rWzPJ0n/KwGWuEZhEYIuZgH0Tq9XiOFYYLpfr3iqTQzCgmBpB -Skl1IvP1uez53/+EFwQTVA4BFJIzVNHzopbB6yQwEbXCBl4+8SBNm7Lih7DHNvJi -jWEdNBrZ7+9JxEDtCK4oa/kCgYBbaHwd9V97aQ2sJJYq9YV5WyLoQtzMmuV+Wkk4 -OQpLTjmpvuAd7B9/Nc0JJbc3k7h1L9RXcJVt1lOSFzP4j8TH5WzxV5HAB5xAZ78s -zTvvwf3Ug8MJqn0XM7mBKyUdL9OHr1iBhcl62/W0DtIpjFyPEyBcdWza0rCWjLvy -R1dKKQKBgQCKTLKYv0c1h2e5i4mNCGWhR83x+k1ChZZLwoEC9f65tjrbOG0UEHAn -oz9N0m6jCQvnzvN8cHgFl8yoWmnOjEnsSDFQlIRvAXGzHd4ahMB+75WbLi31H2bv -XvZyakeTVfoOVArNUwLSHozr0VIUjnRirLht939dlFj4FLih/igWFA== ------END RSA PRIVATE KEY----- 
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf index da170cb15..285350d7b 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/rsa/carolKey.pem new file mode 100644 index 000000000..a75622149 --- /dev/null +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/rsa/carolKey.pem 
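Review bot: `hash_and_url = yes` from the removed `charon` block is not carried into the new `charon-systemd` block, and the carol `swanctl.conf` added in this commit has no counterpart to the old `certuribase=` line, so this scenario apparently no longer exercises hash-and-url certificate fetching. If that is intended, a short comment such as `# hash-and-url is not exercised in this scenario` would record it. Otherwise add `hash_and_url = yes` to `charon-systemd` and `cert_uri_base = http://ip6-winnetou.strongswan.org/certs/rfc3779/` under `authorities.strongswan`. The dave and moon `strongswan.conf` hunks make the same change.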
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAsSlxt8LQf1wJu1rDltyU0dEjEqA+TxWQYi+gMakDGmWmFec1 +XELjKv3kcYp2McydNPq63fw9XXbua/jMtmEZdFc/dpWYvsyXfyL0OOhh50PlwN++ +e0xxcZS4NQ6wz57bHgARzMoCisNrxcN0F44S0Zyn8edHkE4XV4c0p+ojB6cw5Lie +SMGIBQjKGCd2a3eZYhTCs6hI0vhQQ1jDLyOvSWo+raa/uDTBYXCVYdN3lbHCPiXP +uMY1CwZkGcANd6vBK5YBNiZFquBjFhIk8SBUkoEkUQMx+pMk3hGmq5aZXGxm9rHN +8Xim/AewWRcKJJKdlLAAHmZD0jx2g/E0LGu01wIDAQABAoIBAQCKdl7HhX5ZHAEL +KjwVq56wgekMhKtOOgdXheuJBJRFTE7LbaI50pkjn72ss8/+yfHQV2o3Vw5K/0oG +nzS4EhnH4Ozb7L2t2c9J8XK5C36BNoLaBMUmLq+3WsnBxhKQopKU1u8ShIwKEgQo +U8NnKYYxx2NHYECBW1dI9IZF+muYbVg420PJ4DiFMSTy5+o+UsI8X0ymV2RYZAfg +qO8WgQYHZca2ffJ4rJHi8wf4IzaH//65vP+Ij7FGzfXmBd3A9F1wP7skBYZRYPp6 +MtZ5cxfNUwkGtkmt1KaEnsmg4F1/jaB0h5+xT4pj6NqaatvoKZ5zd8zpcGktuptO +zhTa63hpAoGBAOkxtwWaJAHj1GH1CzIkCP4siySSgphtcjP96XdcIaTuGx8gp/YU +0Bj3irK3KpVNrcLgc8KzylfMiAETMlRnEb28wSfqkegCR4Lrrsw3YjEAcVPC9Vtb +/wQHc9wUGCt0OUv7EE7alB/cKnjTQzF6ZgTGTUhGv4CuL6XjhEzqiA0bAoGBAMJ8 +5V/wjaDkRDHRtaDI7xX2j4uPE7FoQYCSVtKOil3rmIrmgBCXTtWB8EQ9o3Ux6sOl +lmA3sSF1ajyPu8e2+QhQF9wAF5mvN80aPj0KXKCv6Qx/H6Tjpg3eqVr6rucOyH58 +gKnuo1YISFcjcMkNEOZy6//7SkmAAN/p0Dgk6h71AoGAVKSC9jmY0EbOFDBJvA1w +ZjHs331+ga1YQp7rWzPJ0n/KwGWuEZhEYIuZgH0Tq9XiOFYYLpfr3iqTQzCgmBpB +Skl1IvP1uez53/+EFwQTVA4BFJIzVNHzopbB6yQwEbXCBl4+8SBNm7Lih7DHNvJi +jWEdNBrZ7+9JxEDtCK4oa/kCgYBbaHwd9V97aQ2sJJYq9YV5WyLoQtzMmuV+Wkk4 +OQpLTjmpvuAd7B9/Nc0JJbc3k7h1L9RXcJVt1lOSFzP4j8TH5WzxV5HAB5xAZ78s +zTvvwf3Ug8MJqn0XM7mBKyUdL9OHr1iBhcl62/W0DtIpjFyPEyBcdWza0rCWjLvy +R1dKKQKBgQCKTLKYv0c1h2e5i4mNCGWhR83x+k1ChZZLwoEC9f65tjrbOG0UEHAn +oz9N0m6jCQvnzvN8cHgFl8yoWmnOjEnsSDFQlIRvAXGzHd4ahMB+75WbLi31H2bv +XvZyakeTVfoOVArNUwLSHozr0VIUjnRirLht939dlFj4FLih/igWFA== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..54fb36da4 --- /dev/null 
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ home {
+ local_addrs = fec0::10
+ remote_addrs = fec0::1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 0::0/0
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128-sha256-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+authorities {
+ strongswan {
+ cacert = strongswanCert.pem
+ crl_uris = http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl
+ }
+}
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/x509/carolCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/x509/carolCert.pem
new file mode 100644
index 000000000..bf8a4919d
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/x509/carolCert.pem
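Review bot: This file is created with `new file mode 100755`, but `swanctl.conf` is a configuration file and nothing visible here needs the execute bit. The key and certificate files added alongside it use `100644`, which is the mode this one should have too. The dave and moon `swanctl.conf` files are added with the same mode. Separately, the `%default` lifetimes from the removed `ipsec.conf` (`ikelifetime=60m`, `keylife=20m`, `keyingtries=1`) have no counterpart in this file, so the connection presumably runs on the daemon defaults; it is worth confirming the scenario does not rely on the old values.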
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEojCCA4qgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTEzMFoXDTE5 +MTIyMTA4NTEzMFowWTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3 +YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsSlxt8LQf1wJ +u1rDltyU0dEjEqA+TxWQYi+gMakDGmWmFec1XELjKv3kcYp2McydNPq63fw9XXbu +a/jMtmEZdFc/dpWYvsyXfyL0OOhh50PlwN++e0xxcZS4NQ6wz57bHgARzMoCisNr +xcN0F44S0Zyn8edHkE4XV4c0p+ojB6cw5LieSMGIBQjKGCd2a3eZYhTCs6hI0vhQ +Q1jDLyOvSWo+raa/uDTBYXCVYdN3lbHCPiXPuMY1CwZkGcANd6vBK5YBNiZFquBj +FhIk8SBUkoEkUQMx+pMk3hGmq5aZXGxm9rHN8Xim/AewWRcKJJKdlLAAHmZD0jx2 +g/E0LGu01wIDAQABo4IBcjCCAW4wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD +VR0OBBYEFNs9CUs7SNJewkkfo1Bg7bcUEzPXMIGMBgNVHSMEgYQwgYGAFCF/p+s3 +0KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu +dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n +U3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry +b25nc3dhbi5vcmcwQQYDVR0fBDowODA2oDSgMoYwaHR0cDovL2NybC5zdHJvbmdz +d2FuLm9yZy9zdHJvbmdzd2FuX3JmYzM3NzkuY3JsMEIGCCsGAQUFBwEHAQH/BDMw +MTAUBAIAATAOAwUACgMAAQMFAMCoAGQwGQQCAAIwEwMRAP7AAAAAAAAAAAAAAAAA +ABAwDQYJKoZIhvcNAQELBQADggEBAEYqXkheXXHiC5JnrZm5QUo11Vu4CtNRGeg0 +atuG8ZNHgQfa7wjjeCDNpj3lHvyegYsSMo7wGwN7DugH0mmXKZF9XHc4sU7/aUvl +mX52tDuUoCGD0/yFuKLlYOfwmsquC9snYDW7cJXaqMON/OMLcU44OR8E1oiw2ePT +FqyGFbfparp+Q8I7VHwJBs+mDphdNUlFbpuO9m2eEtqdYVyXlfUnbFpMMyWxxIY/ +6CIyWcRRKeWRRXxkk/dSeEWgsfWY7ITK9blP5nhIsgpCoEguGc6h4RL65VdH+Sy0 +9MLpesyGe6qkdrrg4nyaY82uuFXhUo0YiP0ddUw8eNaefFqEzL0= +-----END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..8e872d89f --- /dev/null 
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz +Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz +MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu +dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n +U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ +Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr +b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y +GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF +Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU +EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB +ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM +BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3 +OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI +KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK +AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB +ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm +uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud +rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS +Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA +MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX +fN8iF5kHn7S+Nd9ZFlf3S1w= +-----END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 8d275e2bd..000000000 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf +++ /dev/null 
@@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/rfc3779/ - crluri=http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn home - left=PH_IP6_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - rightsubnet=0::0/0 - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index 8e872d89f..000000000 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null 
@@ -1,26 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV -BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz -Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz -MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu -dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n -U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA -zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ -Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr -b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y -GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF -Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU -EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB -ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM -BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG -EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3 -OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI -KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK -AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB -ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm -uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud -rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS -Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA -MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX -fN8iF5kHn7S+Nd9ZFlf3S1w= ------END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem deleted file mode 100644 index 88ce01ed5..000000000 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEoDCCA4igAwIBAgIBCDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG -A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTQ1N1oXDTE5 -MTIyMTA4NTQ1N1owWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u -Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dh -bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpJKRQ2CEG39rO -8nX7RpY+Ed5tyx+rkug3HrSInie+fgkDnLES2U1X3wvM2OczLp6L1ccROv+SzEW+ -OKfCZSz7T4GLwaRodi9KtHvfOCsbDx/vkFFwui2yt9rVUSpcbk1OiVQsA9R0G6vz -eqFIL9GtrtHWQ+dkvWy61i2A+T1X2QfhVfzvj5msL3CuZU6fnwGYD4LZz8RUGlB4 -WkSFWCctfQfgK+lpfuzq6OFFkARzxZ55D0MzgAvXY6osS8gMdiSD50Zlik7qZVvn -RO0j6TOg0WKinzguAokAyDCsaoqsOvi27QalfH48PUM+aUzHNCKnD6pswebHou3m -mvG3rH+9AgMBAAGjggFxMIIBbTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV -HQ4EFgQUsBjPeVTm7TUTaXtmfv09yQS2mV8wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ -owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 -eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT -d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVgRNkYXZlQHN0cm9u -Z3N3YW4ub3JnMEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9jcmwuc3Ryb25nc3dh -bi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNybDBCBggrBgEFBQcBBwEB/wQzMDEw -FAQCAAEwDgMFAAoDAAIDBQDAqADIMBkEAgACMBMDEQD+wAAAAAAAAAAAAAAAAAAg -MA0GCSqGSIb3DQEBCwUAA4IBAQCNyAyUvqeCgWnPEMkfFFb1kBbd3me3aLRxXFb4 -TY44L6SBiFNy1s3UyFCLw1xXnSMgTpvZqHmB7fnzX7Aj6BNkPFIThEiHYN85ai4t -U9bO2nqwXfIINFt2Qlokd0QWHzDsL/o9Mmqs38ymlfIbsgwh7gCZ2HhGlOb7+QNU -IaDVIcKqBr07wX7qO/fEjKgFSkUT5eFNwQmyT3zUaE1PixK5w1hRxvs/KAsLgbfe -5ofLD88rfxvkqLwhRNU8PUzqIpqxfV1P+wS/k78z0tG+JI8yeEkcksuj9UOzlTr2 -jWL1QoxUEinR3N4dTqsW4u/Jz7R4MHdO+l9RoYZpQA8LV8s3 ------END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem deleted file mode 100644 index f72970c4d..000000000 
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA6SSkUNghBt/azvJ1+0aWPhHebcsfq5LoNx60iJ4nvn4JA5yx -EtlNV98LzNjnMy6ei9XHETr/ksxFvjinwmUs+0+Bi8GkaHYvSrR73zgrGw8f75BR -cLotsrfa1VEqXG5NTolULAPUdBur83qhSC/Rra7R1kPnZL1sutYtgPk9V9kH4VX8 -74+ZrC9wrmVOn58BmA+C2c/EVBpQeFpEhVgnLX0H4CvpaX7s6ujhRZAEc8WeeQ9D -M4AL12OqLEvIDHYkg+dGZYpO6mVb50TtI+kzoNFiop84LgKJAMgwrGqKrDr4tu0G -pXx+PD1DPmlMxzQipw+qbMHmx6Lt5prxt6x/vQIDAQABAoIBAB6pVf7X3cgUqqcq -1f9c8idpnDIeU6Tx5h5RqHaLLjjsRG04L0WGVJio2dlv8UAW8nz7eXm3o6L/wHBa -7R0wxzCp7SSfK+sdF+0gPWZG8cxWOeH8vekwYxAtA9eoHAUZ8IrSnsJHIqq+dOfJ -iep/d3j7E9e1CHqEOwd7YXKj1MB3p0Ivhyx0k9GvlbAKRiJPGhbxD+hu86lRMsEt -su6eG5JlvKyBAgNIcx29UITj5k8MbK2MeuCIZfry0yOaOsGkQkjAtyaiTIw8g2IQ -AhuuCLqVYtkpMiIfryV74b+CtQMQoU0z2Z74SZ4hJWFlbeG4Vtzq1HeDf4y1S3mm -B1Mx7CECgYEA9IKw6Fh7SBmJa5jPw7Uttvm2iDslsOR3nrPNOfMWwSK3i0j4OCIE -kCqKnJJfj2JeBupfHrIJzJ2+otGauxQt3I65VOo0PwQBb90xIHAiXdsYoXadB6MC -XUo0zKrDWC0EVyVwN+nyaCJVwsKm4XomHgSvitUSNA0dSTATfPXwQJkCgYEA9Bk1 -VN2KG6Bjcm2ISls+OOKgp2kG68ayG4ZXg+xt06+qsYq0+BwCrottQpXFpMVJbE/z -/6U294PBqJ9Z7LATptMzWhTKyO0pGBHvy8LUz/3qBF7yJFN2s+QbmKf4RIhfSDNU -CD2bPI17Kgj3sipEcbiwz9U6wpzp+IDnAfPdWsUCgYBl/5ri4f5TnmuIGhAZuRvf -552wiNP5TeVkq+bh1LlaSiw9C2yYpgA3T7fRBvKcMtG8msqhWG3kEK305/FfN1TG -XDeN58FxxC8BRkl3GbAMbRiCSqPJCsQyvID4HAgvYWAdJn4ApTQ9Io2aGG9bQgRi -o1vDU40rb4kW/dozV7koiQKBgQDoQgwiweElREkbmejyhzr/OXQPlrmFIjxaQEuJ -NS+TGjTaVda3tT9AAV5m2seCbk3ch37tIrDYdj+QSH9x3F/2fkMAVYRWBoLxai+2 -u51ugnVmz0irE9eAd21ipYBvBStUMbKlXKkWxrAIYRv+JIWXh1qFhqgwgMmHMG+d -xgI62QKBgQC2WYhZvLGrJ5g9G8E9pqOAz0FlxBqbPXJDe9n4Il8huF/+i678covC -dtbo1il8qcs0Lmm8M6vj78Meh+k4L0y7YAjUsaLpQ9rwNaZMHP+GyZWE5ygmtNhE -DP13WKX5SEbDZbClEgX+gHRmywC5m6hDSx21iekhbTfnUm2FQTA83w== ------END RSA PRIVATE KEY----- 
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf index 4fa0583ed..285350d7b 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/rsa/daveKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/rsa/daveKey.pem new file mode 100644 index 000000000..f72970c4d --- /dev/null +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/rsa/daveKey.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA6SSkUNghBt/azvJ1+0aWPhHebcsfq5LoNx60iJ4nvn4JA5yx +EtlNV98LzNjnMy6ei9XHETr/ksxFvjinwmUs+0+Bi8GkaHYvSrR73zgrGw8f75BR +cLotsrfa1VEqXG5NTolULAPUdBur83qhSC/Rra7R1kPnZL1sutYtgPk9V9kH4VX8 +74+ZrC9wrmVOn58BmA+C2c/EVBpQeFpEhVgnLX0H4CvpaX7s6ujhRZAEc8WeeQ9D +M4AL12OqLEvIDHYkg+dGZYpO6mVb50TtI+kzoNFiop84LgKJAMgwrGqKrDr4tu0G +pXx+PD1DPmlMxzQipw+qbMHmx6Lt5prxt6x/vQIDAQABAoIBAB6pVf7X3cgUqqcq +1f9c8idpnDIeU6Tx5h5RqHaLLjjsRG04L0WGVJio2dlv8UAW8nz7eXm3o6L/wHBa +7R0wxzCp7SSfK+sdF+0gPWZG8cxWOeH8vekwYxAtA9eoHAUZ8IrSnsJHIqq+dOfJ +iep/d3j7E9e1CHqEOwd7YXKj1MB3p0Ivhyx0k9GvlbAKRiJPGhbxD+hu86lRMsEt +su6eG5JlvKyBAgNIcx29UITj5k8MbK2MeuCIZfry0yOaOsGkQkjAtyaiTIw8g2IQ +AhuuCLqVYtkpMiIfryV74b+CtQMQoU0z2Z74SZ4hJWFlbeG4Vtzq1HeDf4y1S3mm +B1Mx7CECgYEA9IKw6Fh7SBmJa5jPw7Uttvm2iDslsOR3nrPNOfMWwSK3i0j4OCIE +kCqKnJJfj2JeBupfHrIJzJ2+otGauxQt3I65VOo0PwQBb90xIHAiXdsYoXadB6MC +XUo0zKrDWC0EVyVwN+nyaCJVwsKm4XomHgSvitUSNA0dSTATfPXwQJkCgYEA9Bk1 +VN2KG6Bjcm2ISls+OOKgp2kG68ayG4ZXg+xt06+qsYq0+BwCrottQpXFpMVJbE/z +/6U294PBqJ9Z7LATptMzWhTKyO0pGBHvy8LUz/3qBF7yJFN2s+QbmKf4RIhfSDNU +CD2bPI17Kgj3sipEcbiwz9U6wpzp+IDnAfPdWsUCgYBl/5ri4f5TnmuIGhAZuRvf +552wiNP5TeVkq+bh1LlaSiw9C2yYpgA3T7fRBvKcMtG8msqhWG3kEK305/FfN1TG +XDeN58FxxC8BRkl3GbAMbRiCSqPJCsQyvID4HAgvYWAdJn4ApTQ9Io2aGG9bQgRi +o1vDU40rb4kW/dozV7koiQKBgQDoQgwiweElREkbmejyhzr/OXQPlrmFIjxaQEuJ +NS+TGjTaVda3tT9AAV5m2seCbk3ch37tIrDYdj+QSH9x3F/2fkMAVYRWBoLxai+2 +u51ugnVmz0irE9eAd21ipYBvBStUMbKlXKkWxrAIYRv+JIWXh1qFhqgwgMmHMG+d +xgI62QKBgQC2WYhZvLGrJ5g9G8E9pqOAz0FlxBqbPXJDe9n4Il8huF/+i678covC +dtbo1il8qcs0Lmm8M6vj78Meh+k4L0y7YAjUsaLpQ9rwNaZMHP+GyZWE5ygmtNhE +DP13WKX5SEbDZbClEgX+gHRmywC5m6hDSx21iekhbTfnUm2FQTA83w== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..098ba6db7 --- /dev/null 
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ home {
+ local_addrs = fec0::20
+ remote_addrs = fec0::1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 0::0/0
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128-sha256-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+authorities {
+ strongswan {
+ cacert = strongswanCert.pem
+ crl_uris = http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl
+ }
+}
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/x509/daveCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/x509/daveCert.pem
new file mode 100644
index 000000000..88ce01ed5
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/x509/daveCert.pem
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEoDCCA4igAwIBAgIBCDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTQ1N1oXDTE5 +MTIyMTA4NTQ1N1owWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dh +bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpJKRQ2CEG39rO +8nX7RpY+Ed5tyx+rkug3HrSInie+fgkDnLES2U1X3wvM2OczLp6L1ccROv+SzEW+ +OKfCZSz7T4GLwaRodi9KtHvfOCsbDx/vkFFwui2yt9rVUSpcbk1OiVQsA9R0G6vz +eqFIL9GtrtHWQ+dkvWy61i2A+T1X2QfhVfzvj5msL3CuZU6fnwGYD4LZz8RUGlB4 +WkSFWCctfQfgK+lpfuzq6OFFkARzxZ55D0MzgAvXY6osS8gMdiSD50Zlik7qZVvn +RO0j6TOg0WKinzguAokAyDCsaoqsOvi27QalfH48PUM+aUzHNCKnD6pswebHou3m +mvG3rH+9AgMBAAGjggFxMIIBbTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV +HQ4EFgQUsBjPeVTm7TUTaXtmfv09yQS2mV8wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ +owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 +eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT +d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVgRNkYXZlQHN0cm9u +Z3N3YW4ub3JnMEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9jcmwuc3Ryb25nc3dh +bi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNybDBCBggrBgEFBQcBBwEB/wQzMDEw +FAQCAAEwDgMFAAoDAAIDBQDAqADIMBkEAgACMBMDEQD+wAAAAAAAAAAAAAAAAAAg +MA0GCSqGSIb3DQEBCwUAA4IBAQCNyAyUvqeCgWnPEMkfFFb1kBbd3me3aLRxXFb4 +TY44L6SBiFNy1s3UyFCLw1xXnSMgTpvZqHmB7fnzX7Aj6BNkPFIThEiHYN85ai4t +U9bO2nqwXfIINFt2Qlokd0QWHzDsL/o9Mmqs38ymlfIbsgwh7gCZ2HhGlOb7+QNU +IaDVIcKqBr07wX7qO/fEjKgFSkUT5eFNwQmyT3zUaE1PixK5w1hRxvs/KAsLgbfe +5ofLD88rfxvkqLwhRNU8PUzqIpqxfV1P+wS/k78z0tG+JI8yeEkcksuj9UOzlTr2 +jWL1QoxUEinR3N4dTqsW4u/Jz7R4MHdO+l9RoYZpQA8LV8s3 +-----END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..8e872d89f --- /dev/null 
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz +Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz +MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu +dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n +U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ +Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr +b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y +GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF +Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU +EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB +ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM +BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3 +OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI +KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK +AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB +ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm +uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud +rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS +Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA +MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX +fN8iF5kHn7S+Nd9ZFlf3S1w= +-----END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 236302350..000000000 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf +++ /dev/null 
@@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/rfc3779/ - crluri=http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn rw - left=PH_IP6_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=fec1::/16 - leftfirewall=yes - right=%any - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index 8e872d89f..000000000 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null 
@@ -1,26 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV -BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz -Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz -MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu -dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n -U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA -zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ -Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr -b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y -GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF -Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU -EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB -ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM -BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG -EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3 -OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI -KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK -AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB -ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm -uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud -rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS -Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA -MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX -fN8iF5kHn7S+Nd9ZFlf3S1w= ------END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem deleted file mode 100644 index 124e2ae46..000000000 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG -A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5 -MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u -Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh -bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6 -GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu -uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA -PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2 -jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd -D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK -KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV -HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ -owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 -eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT -d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u -Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG -MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy -bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY -AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL -aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo -830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5 -lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2 -NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR -pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu -Mc/lk4Nl8pHRO+Xm ------END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem deleted file mode 100644 index 11607c8cb..000000000 
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEA2Hh4gBjWpfQ0+hoAnsHV2uDX/+OmIG4WTZkqYv8x/l5gOyS0 -unqFbebyfyyRB0s5EaBHrabQCC3p7rmpAcmsBKD2YJAmGYCQfaKRhDqFiME4rWhd -GVVfHYjULZ5fq5L8D6cVsm7yMDsEQD1CHp6ED5FYX3fwC2kZfPKRtK3AFtDDEgjb -kMBC8EiCtq0AC7PeEJucjNG2fnaldo50iEoreXaEWeLyGIISTyj6hSm9c1MNbIgg -z3r+N0vsasE44SdM53Kv0IoMksor3Q/KrPCjJGp/lzcfV0o1teGFqdu0VaSHgDZY -pIh4dP0rdJQbEfj/bA6fmL6/lPeRCijoK6mnNwIDAQABAoIBAAutG9rU/CcBcCYZ -ZvUpQW7H9/6uedR/+6X94AJs/3ZYAtrN1Q3F9BKEhYoEjmIVVaO0wIkGWWxHhbnB -u/MDvMqXIBL/U37Gp4SPU0gNnAxPV85KtdLa/wFp0wAO7dwkVoJFoe74+wlM9aK9 -ayaZqEfqsBieMI19Asnxj5huUtEoIiU9ekz6HLeALwy6OxJLrempDugDe2icaWSt -pLIU3ZXmzVbOFLNtq+KMpanQzamAvSTUq5Wmuz+C6nTEv+JjGWFblX8pM2ACA6cV -VouefUFfKpMXjHTlsvw0JiDzLeYRxRZZMxnTxzbnoigZfW6ZDxP2w9KRv/7LuSj/ -ktqfVKkCgYEA8qlkPka0cfIKcjloe6oNEMt0dX6V+5LmS59DRnnhu+6FuIVncS7/ -intBGag603wJvGlA7HuUAZbcr4ilDIe1cUm0d8rftjvw0uOBU/gfNVmxhpFzs8Ku -4Fry6lKow1ecqFQ1i4VZi2qQJVv3m6tRojMTh6xVA9/FLD9iiu3V2dMCgYEA5F6I -HV1sqY2Q8aU48dch+I1ItrqiURwY7qejuIprpXBoRQPQV3OoYgJcKtdlSKrbDGQd -iJmL0aoy/ONThrfOtygQtth/f79ktKZZHja8Ew+0/lzfxMSb69kl6Rxx9OKJILPE -caezhYFGozEKwLddcrqxrSd3Fvz78CVRRiAx2o0CgYEA4g0wh98f24Hpf0zBa2oX -b8zIOWfp2giXply/tBh4U7S4NxN3MHXisaNuGrOf0UEcZLr8MxBP6UcbYB3/+vM0 -8EsD5hBEZKPkDODIqmtazz015jD7QrsaY3/2CJlmA0tLcXe4xbc8mmZzz4mj2Q04 -J8xC5kGAlPJQ4I5PgzJZ4+cCgYAHyqHiPpnCfy3+0KBMwAZMsKVWdq+rDMZc/iM7 -3J0nm9oy4JpvIWcRUPtMCuVNwWaP2aqYSoTWtnPe5PKomgTXgupvEpvnA+SvtS09 -NqjcDaEjPI/16q9XMKV2ep34uPHsx7VgG1SorWx3jOjNAnSRwYTmX35UrnT6EIvh -VJ/e0QKBgCgI41QtJ4ShFxpSdxzy3Gfz/EFTUGIjtmXQe/7GixxoXJkpGXCGhToU -KVF+HUEYKOQ1vX9SNUyY+1LyqO3vj+QzuJ0q4GrtEY7vxDH817QvJLecj5i22Hof -50MqUdow2BnOSFuJvWhR1DdodRX3vh1awod/CoIufnfEI4MuMO6H ------END RSA PRIVATE KEY----- 
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf index 4fa0583ed..285350d7b 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/rsa/moonKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/rsa/moonKey.pem new file mode 100644 index 000000000..11607c8cb --- /dev/null +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/rsa/moonKey.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA2Hh4gBjWpfQ0+hoAnsHV2uDX/+OmIG4WTZkqYv8x/l5gOyS0 +unqFbebyfyyRB0s5EaBHrabQCC3p7rmpAcmsBKD2YJAmGYCQfaKRhDqFiME4rWhd +GVVfHYjULZ5fq5L8D6cVsm7yMDsEQD1CHp6ED5FYX3fwC2kZfPKRtK3AFtDDEgjb +kMBC8EiCtq0AC7PeEJucjNG2fnaldo50iEoreXaEWeLyGIISTyj6hSm9c1MNbIgg +z3r+N0vsasE44SdM53Kv0IoMksor3Q/KrPCjJGp/lzcfV0o1teGFqdu0VaSHgDZY +pIh4dP0rdJQbEfj/bA6fmL6/lPeRCijoK6mnNwIDAQABAoIBAAutG9rU/CcBcCYZ +ZvUpQW7H9/6uedR/+6X94AJs/3ZYAtrN1Q3F9BKEhYoEjmIVVaO0wIkGWWxHhbnB +u/MDvMqXIBL/U37Gp4SPU0gNnAxPV85KtdLa/wFp0wAO7dwkVoJFoe74+wlM9aK9 +ayaZqEfqsBieMI19Asnxj5huUtEoIiU9ekz6HLeALwy6OxJLrempDugDe2icaWSt +pLIU3ZXmzVbOFLNtq+KMpanQzamAvSTUq5Wmuz+C6nTEv+JjGWFblX8pM2ACA6cV +VouefUFfKpMXjHTlsvw0JiDzLeYRxRZZMxnTxzbnoigZfW6ZDxP2w9KRv/7LuSj/ +ktqfVKkCgYEA8qlkPka0cfIKcjloe6oNEMt0dX6V+5LmS59DRnnhu+6FuIVncS7/ +intBGag603wJvGlA7HuUAZbcr4ilDIe1cUm0d8rftjvw0uOBU/gfNVmxhpFzs8Ku +4Fry6lKow1ecqFQ1i4VZi2qQJVv3m6tRojMTh6xVA9/FLD9iiu3V2dMCgYEA5F6I +HV1sqY2Q8aU48dch+I1ItrqiURwY7qejuIprpXBoRQPQV3OoYgJcKtdlSKrbDGQd +iJmL0aoy/ONThrfOtygQtth/f79ktKZZHja8Ew+0/lzfxMSb69kl6Rxx9OKJILPE +caezhYFGozEKwLddcrqxrSd3Fvz78CVRRiAx2o0CgYEA4g0wh98f24Hpf0zBa2oX +b8zIOWfp2giXply/tBh4U7S4NxN3MHXisaNuGrOf0UEcZLr8MxBP6UcbYB3/+vM0 +8EsD5hBEZKPkDODIqmtazz015jD7QrsaY3/2CJlmA0tLcXe4xbc8mmZzz4mj2Q04 +J8xC5kGAlPJQ4I5PgzJZ4+cCgYAHyqHiPpnCfy3+0KBMwAZMsKVWdq+rDMZc/iM7 +3J0nm9oy4JpvIWcRUPtMCuVNwWaP2aqYSoTWtnPe5PKomgTXgupvEpvnA+SvtS09 +NqjcDaEjPI/16q9XMKV2ep34uPHsx7VgG1SorWx3jOjNAnSRwYTmX35UrnT6EIvh +VJ/e0QKBgCgI41QtJ4ShFxpSdxzy3Gfz/EFTUGIjtmXQe/7GixxoXJkpGXCGhToU +KVF+HUEYKOQ1vX9SNUyY+1LyqO3vj+QzuJ0q4GrtEY7vxDH817QvJLecj5i22Hof +50MqUdow2BnOSFuJvWhR1DdodRX3vh1awod/CoIufnfEI4MuMO6H +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..4edc8cd86 --- /dev/null 
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+ rw {
+ local_addrs = fec0::1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = fec1::0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128-sha256-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+authorities {
+ strongswan {
+ cacert = strongswanCert.pem
+ crl_uris = http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl
+ }
+}
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/x509/moonCert.pem
new file mode 100644
index 000000000..124e2ae46
--- /dev/null
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/x509/moonCert.pem
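Review bot: This swanctl.conf is created with `new file mode 100755`, while the transport-ikev1 and transport-ikev2 swanctl.conf files added in the same commit are `100644`. A connection configuration has no reason to be executable, and a stray executable bit makes it harder to tell data files from files that are meant to run, such as the `updown` script this config points at. The libipsec/host2host-cert swanctl.conf files for moon and sun are added with the same mode; all of them should be `100644`.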
@@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5 +MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh +bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6 +GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu +uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA +PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2 +jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd +D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK +KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV +HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ +owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 +eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT +d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u +Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG +MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy +bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY +AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL +aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo +830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5 +lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2 +NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR +pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu +Mc/lk4Nl8pHRO+Xm +-----END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..8e872d89f --- /dev/null 
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz +Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz +MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu +dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n +U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ +Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr +b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y +GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF +Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU +EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB +ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM +BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3 +OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI +KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK +AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB +ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm +uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud +rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS +Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA +MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX +fN8iF5kHn7S+Nd9ZFlf3S1w= +-----END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat index 4e59395e3..59495fc46 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat 
@@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat index f60be3887..a8c8a7097 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat @@ -7,11 +7,11 @@ dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec0:\:/16 via fec1:\:1" carol::"ip route add fec1:\:/16 via fec0:\:1" dave::"ip route add fec1:\:/16 via fec0:\:1" -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home dave::expect-connection home -carol::ipsec up home -dave::ipsec up home +carol::swanctl --initiate --child home +dave::swanctl --initiate --child home diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf index 69b0757fd..0f02a1a11 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/transport-ikev1/description.txt b/testing/tests/ipv6/transport-ikev1/description.txt index 2d54790aa..c464aa25b 100644 --- a/testing/tests/ipv6/transport-ikev1/description.txt +++ b/testing/tests/ipv6/transport-ikev1/description.txt 
@@ -1,5 +1,6 @@ -An IPv6 ESP transport connection between the hosts moon and sun is successfully set up. -The authentication is based on X.509 certificates. Upon the successful establishment of -the IPsec SA, leftfirewall=yes automatically inserts ip6tables-based firewall -rules that let pass the protected traffic. In order to test both the transport connection -and the firewall rules, moon sends an IPv6 ICMP request to sun using the ping6 command. +An IPv6 ESP transport connection between the hosts moon and sun is +successfully set up. The authentication is based on X.509 certificates. Upon the +successful establishment of the IPsec SA, automatically inserted ip6tables-based +firewall rules let pass the protected traffic. In order to test both the transport +connection and the firewall rules, moon sends an IPv6 ICMP request to +sun using the ping6 command. diff --git a/testing/tests/ipv6/transport-ikev1/evaltest.dat b/testing/tests/ipv6/transport-ikev1/evaltest.dat index 5ae9d2c12..736425d36 100644 --- a/testing/tests/ipv6/transport-ikev1/evaltest.dat +++ b/testing/tests/ipv6/transport-ikev1/evaltest.dat 
@@ -1,9 +1,7 @@ -moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES -sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES moon::ip xfrm state::mode transport::YES sun:: ip xfrm state::mode transport::YES moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf deleted file mode 100644 index f2938f307..000000000 
--- a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,27 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - fragmentation=yes - -conn host-host - left=PH_IP6_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=PH_IP6_SUN - rightid=@sun.strongswan.org - type=transport - auto=add diff --git a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf index 02280ac2f..15f8ad5bc 100644 --- a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf @@ -1,7 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size = 1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..016d51707 --- /dev/null +++ b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/swanctl/swanctl.conf 
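Review bot: `fragment_size = 1024` is removed from the daemon section here, and the `fragmentation=yes` line of the deleted ipsec.conf has no counterpart in the new swanctl.conf, so the IKEv1 run now depends on the defaults instead of forcing small fragments. The sun strongswan.conf hunk makes the same change. If this scenario was meant to fragment IKEv1 messages, carry the setting over as `fragment_size = 1024` inside `charon-systemd { }` and set `fragmentation = yes` on the connection. Otherwise a sentence in description.txt would record that it was dropped deliberately.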
@@ -0,0 +1,33 @@
+connections {
+
+ host-host {
+ local_addrs = fec0::1
+ remote_addrs = fec0::2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ host-host {
+ mode = transport
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128-sha256-x25519
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-x25519
+ }
+}
+
+authorities {
+ strongswan {
+ cacert = strongswanCert.pem
+ crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl
+ }
+}
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 9af8aa862..000000000
--- a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
- cacert=strongswanCert.pem
- certuribase=http://ip6-winnetou.strongswan.org/certs/
- crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- fragmentation=yes
-
-conn host-host
- left=PH_IP6_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftfirewall=yes
- right=PH_IP6_MOON
- rightid=@moon.strongswan.org
- type=transport
- auto=add
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf
index 02280ac2f..15f8ad5bc 100644
--- a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size = 1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..deee09d83 --- /dev/null +++ b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + host-host { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + host-host { + mode = transport + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/transport-ikev1/posttest.dat b/testing/tests/ipv6/transport-ikev1/posttest.dat index d3bebd0c6..c0ba6f672 100644 --- a/testing/tests/ipv6/transport-ikev1/posttest.dat +++ b/testing/tests/ipv6/transport-ikev1/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6/transport-ikev1/pretest.dat b/testing/tests/ipv6/transport-ikev1/pretest.dat index 46c015387..7ab42a1ce 100644 
--- a/testing/tests/ipv6/transport-ikev1/pretest.dat +++ b/testing/tests/ipv6/transport-ikev1/pretest.dat @@ -2,8 +2,8 @@ moon::iptables-restore < /etc/iptables.drop sun::iptables-restore < /etc/iptables.drop moon::ip6tables-restore < /etc/ip6tables.rules sun::ip6tables-restore < /etc/ip6tables.rules -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection host-host sun::expect-connection host-host -moon::ipsec up host-host +moon::swanctl --initiate --child host-host 2> /dev/null diff --git a/testing/tests/ipv6/transport-ikev1/test.conf b/testing/tests/ipv6/transport-ikev1/test.conf index e1d17aa16..459baf2d9 100644 --- a/testing/tests/ipv6/transport-ikev1/test.conf +++ b/testing/tests/ipv6/transport-ikev1/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="moon winnetou sun" - + # Corresponding block diagram # DIAGRAM="m-w-s-ip6.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/transport-ikev2/description.txt b/testing/tests/ipv6/transport-ikev2/description.txt index 2d54790aa..c464aa25b 100644 --- a/testing/tests/ipv6/transport-ikev2/description.txt +++ b/testing/tests/ipv6/transport-ikev2/description.txt 
@@ -1,5 +1,6 @@ -An IPv6 ESP transport connection between the hosts moon and sun is successfully set up. -The authentication is based on X.509 certificates. Upon the successful establishment of -the IPsec SA, leftfirewall=yes automatically inserts ip6tables-based firewall -rules that let pass the protected traffic. In order to test both the transport connection -and the firewall rules, moon sends an IPv6 ICMP request to sun using the ping6 command. +An IPv6 ESP transport connection between the hosts moon and sun is +successfully set up. The authentication is based on X.509 certificates. Upon the +successful establishment of the IPsec SA, automatically inserted ip6tables-based +firewall rules let pass the protected traffic. In order to test both the transport +connection and the firewall rules, moon sends an IPv6 ICMP request to +sun using the ping6 command. diff --git a/testing/tests/ipv6/transport-ikev2/evaltest.dat b/testing/tests/ipv6/transport-ikev2/evaltest.dat index 0dfba54ea..48ddcd069 100644 --- a/testing/tests/ipv6/transport-ikev2/evaltest.dat +++ b/testing/tests/ipv6/transport-ikev2/evaltest.dat 
@@ -1,10 +1,7 @@ -moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES -sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES -moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES moon::ip xfrm state::mode transport::YES sun:: ip xfrm state::mode transport::YES moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES 
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf deleted file mode 100644 index a48b6cbc6..000000000 --- a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,27 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - mobike=no - keyexchange=ikev2 - -conn host-host - left=PH_IP6_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=PH_IP6_SUN - rightid=@sun.strongswan.org - type=transport - auto=add diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..2f06bbab4 --- /dev/null +++ b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/swanctl/swanctl.conf 
@@ -0,0 +1,34 @@
+connections {
+
+ host-host {
+ local_addrs = fec0::1
+ remote_addrs = fec0::2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ host-host {
+ mode = transport
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128-sha256-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+authorities {
+ strongswan {
+ cacert = strongswanCert.pem
+ crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl
+ }
+}
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index e80eb8101..000000000
--- a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
- cacert=strongswanCert.pem
- certuribase=http://ip6-winnetou.strongswan.org/certs/
- crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- mobike=no
- keyexchange=ikev2
-
-conn host-host
- left=PH_IP6_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftfirewall=yes
- right=PH_IP6_MOON
- rightid=@moon.strongswan.org
- type=transport
- auto=add
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
index 3a52f0db6..15f8ad5bc 100644
--- a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..dc981a7a7 --- /dev/null +++ b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + host-host { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + host-host { + mode = transport + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/transport-ikev2/posttest.dat b/testing/tests/ipv6/transport-ikev2/posttest.dat index d3bebd0c6..c0ba6f672 100644 --- a/testing/tests/ipv6/transport-ikev2/posttest.dat +++ b/testing/tests/ipv6/transport-ikev2/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::ip6tables-restore < /etc/ip6tables.flush 
diff --git a/testing/tests/ipv6/transport-ikev2/pretest.dat b/testing/tests/ipv6/transport-ikev2/pretest.dat index 46c015387..cb7fe951f 100644 --- a/testing/tests/ipv6/transport-ikev2/pretest.dat +++ b/testing/tests/ipv6/transport-ikev2/pretest.dat @@ -2,8 +2,8 @@ moon::iptables-restore < /etc/iptables.drop sun::iptables-restore < /etc/iptables.drop moon::ip6tables-restore < /etc/ip6tables.rules sun::ip6tables-restore < /etc/ip6tables.rules -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection host-host sun::expect-connection host-host -moon::ipsec up host-host +moon::swanctl --initiate --child host-host diff --git a/testing/tests/ipv6/transport-ikev2/test.conf b/testing/tests/ipv6/transport-ikev2/test.conf index e1d17aa16..459baf2d9 100644 --- a/testing/tests/ipv6/transport-ikev2/test.conf +++ b/testing/tests/ipv6/transport-ikev2/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="moon winnetou sun" - + # Corresponding block diagram # DIAGRAM="m-w-s-ip6.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/libipsec/host2host-cert/evaltest.dat b/testing/tests/libipsec/host2host-cert/evaltest.dat index 77c2528ea..f482c558a 100644 --- a/testing/tests/libipsec/host2host-cert/evaltest.dat +++ b/testing/tests/libipsec/host2host-cert/evaltest.dat 
@@ -1,7 +1,5 @@ -moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32] +sun::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32] sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES 
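Review bot: Both added `swanctl --list-sas --raw` lines stop at `remote-ts=\[…/32]` and lack the trailing `::YES` field. Every other line in this file carries it, as do the equivalent lines added to the ipv6/transport-ikev1 and transport-ikev2 evaltest.dat files. The test runner is not visible here, so whether a line without an expected-result field is skipped or judged against an empty value is uncertain. Either way, the check that the IKE SA is ESTABLISHED and the CHILD SA is INSTALLED with the negotiated algorithms may not be enforced as written. Append `::YES` to the moon and the sun line so the SA state is asserted as the four removed `ipsec status` lines did.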
diff --git a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 6e8329a44..000000000 --- a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn host-host - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftupdown=/etc/updown - right=PH_IP_SUN - rightid=@sun.strongswan.org - auto=add diff --git a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf index c8897b084..7fac82eb7 100644 --- a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf @@ -1,7 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-libipsec kernel-netlink socket-default updown + multiple_authentication = no plugins { diff --git a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..8f8b04029 --- /dev/null +++ b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf 
@@ -0,0 +1,26 @@ +connections { + + host-host { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + host-host { + updown = /etc/updown + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/ipsec.conf deleted file mode 100644 index becb97e04..000000000 --- a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn host-host - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftupdown=/etc/updown - right=PH_IP_MOON - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf index c8897b084..7fac82eb7 100644 --- a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf @@ -1,7 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-libipsec kernel-netlink socket-default updown + multiple_authentication = no plugins { 
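Review bot: The new `hosts/moon/etc/swanctl/swanctl.conf` for host2host-cert is created with `new file mode 100755`, but it is a plain configuration file and nothing in the hunk needs the execute bit. The same mode appears on the swanctl.conf files added for sun and for the net2net-3des and net2net-cert-ipv6 scenarios in this commit. Recording them as 100644 (for example with `git update-index --chmod=-x <path>`) keeps executable permission limited to real scripts such as `/etc/updown`.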
diff --git a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..a0739647c
--- /dev/null
+++ b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ host-host {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ host-host {
+ updown = /etc/updown
+ esp_proposals = aes128-sha256-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/libipsec/host2host-cert/posttest.dat b/testing/tests/libipsec/host2host-cert/posttest.dat
index 8b6052f38..23ebee582 100644
--- a/testing/tests/libipsec/host2host-cert/posttest.dat
+++ b/testing/tests/libipsec/host2host-cert/posttest.dat
@@ -1,5 +1,6 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike host-host 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
 moon::sysctl --pattern net.ipv4.conf.all.rp_filter --system
diff --git a/testing/tests/libipsec/host2host-cert/pretest.dat b/testing/tests/libipsec/host2host-cert/pretest.dat
index 35c0f3e1c..00e5c199f 100644
--- a/testing/tests/libipsec/host2host-cert/pretest.dat
+++ b/testing/tests/libipsec/host2host-cert/pretest.dat
@@ -2,8 +2,8 @@ moon::sysctl -w net.ipv4.conf.all.rp_filter=2 sun::sysctl -w net.ipv4.conf.all.rp_filter=2 moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -sun::ipsec start -moon::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl sun::expect-connection host-host moon::expect-connection host-host -moon::ipsec up host-host +moon::swanctl --initiate --child host-host 2> /dev/null diff --git a/testing/tests/libipsec/host2host-cert/test.conf b/testing/tests/libipsec/host2host-cert/test.conf index 9647dc6a2..52d886dcc 100644 --- a/testing/tests/libipsec/host2host-cert/test.conf +++ b/testing/tests/libipsec/host2host-cert/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/libipsec/net2net-3des/evaltest.dat b/testing/tests/libipsec/net2net-3des/evaltest.dat index 9365a8f44..36c0ee781 100644 --- a/testing/tests/libipsec/net2net-3des/evaltest.dat +++ b/testing/tests/libipsec/net2net-3des/evaltest.dat 
@@ -1,11 +1,5 @@ -moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -moon::ipsec statusall 2> /dev/null::net-net\[1].*3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048::YES -sun:: ipsec statusall 2> /dev/null::net-net\[1].*3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES -moon::ipsec statusall 2> /dev/null::net-net[{]1}.*3DES_CBC/HMAC_SHA1_96::YES -sun:: ipsec statusall 2> /dev/null::net-net[{]1}.*3DES_CBC/HMAC_SHA1_96::YES +moon:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES] sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > 
moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 141b4a3ed..000000000 --- a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=3des-sha1-modp2048! - esp=3des-sha1-modp2048! - mobike=no - -conn net-net - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftupdown=/etc/updown - right=PH_IP_SUN - rightid=@sun.strongswan.org - rightsubnet=10.2.0.0/16 - auto=add diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf index 467da3ac9..2d6b814dd 100644 --- a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf +++ b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf @@ -1,6 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce des sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce des sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-libipsec kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..fe2a4dd75 --- /dev/null +++ b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/swanctl/swanctl.conf 
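Review bot: In the net2net-3des evaltest.dat hunk, the added `sun::swanctl --list-sas --raw` line ends in `::YES]`, with a stray `]` after the expected-result token, while the moon line ends in plain `::YES`. How the harness treats an unrecognised result token is not visible here, but the sun-side check of the 3DES_CBC/HMAC_SHA1_96 proposal and the traffic selectors is probably not evaluated as intended. The line should end `remote-ts=\[10.1.0.0/16]::YES`.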
@@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /etc/updown + esp_proposals = 3des-sha1-modp2048 + } + } + version = 2 + mobike = no + proposals = 3des-sha1-modp2048 + } +} diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 0108a04a3..000000000 --- a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=3des-sha1-modp2048! - esp=3des-sha1-modp2048! - mobike=no - -conn net-net - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftsubnet=10.2.0.0/16 - leftupdown=/etc/updown - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf index 467da3ac9..2d6b814dd 100644 --- a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf +++ b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf 
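Review bot: `proposals = 3des-sha1-modp2048` and `esp_proposals = 3des-sha1-modp2048` in the new moon-side gw-gw connection carry no comment saying that the legacy suite is intentional. The scenario name and the `des` plugin in the matching strongswan.conf suggest the point is to exercise 3DES with kernel-libipsec, but someone copying this file as a template cannot tell. A one-line comment above each setting would do, e.g. `# 3DES/SHA-1 selected on purpose for this test scenario; not a recommended proposal`. The same applies to the sun-side swanctl.conf of this scenario.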
@@ -1,6 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce des sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce des sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-libipsec kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..54c35b3e1 --- /dev/null +++ b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /etc/updown + esp_proposals = 3des-sha1-modp2048 + } + } + version = 2 + mobike = no + proposals = 3des-sha1-modp2048 + } +} diff --git a/testing/tests/libipsec/net2net-3des/posttest.dat b/testing/tests/libipsec/net2net-3des/posttest.dat index 1f7aa73a1..755f0e5f8 100644 --- a/testing/tests/libipsec/net2net-3des/posttest.dat +++ b/testing/tests/libipsec/net2net-3des/posttest.dat @@ -1,4 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::swanctl --terminate --ike gw-gw 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/libipsec/net2net-3des/pretest.dat b/testing/tests/libipsec/net2net-3des/pretest.dat index bcc2cb04d..9440ddab0 100644 --- a/testing/tests/libipsec/net2net-3des/pretest.dat 
+++ b/testing/tests/libipsec/net2net-3des/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -sun::ipsec start -moon::ipsec start -sun::expect-connection net-net -moon::expect-connection net-net -moon::ipsec up net-net +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/libipsec/net2net-3des/test.conf b/testing/tests/libipsec/net2net-3des/test.conf index 646b8b3e6..07a3b247a 100644 --- a/testing/tests/libipsec/net2net-3des/test.conf +++ b/testing/tests/libipsec/net2net-3des/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/libipsec/net2net-cert-ipv6/description.txt b/testing/tests/libipsec/net2net-cert-ipv6/description.txt new file mode 100644 index 000000000..ab582c3a5 --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/description.txt @@ -0,0 +1,14 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on X.509 certificates and the kernel-libipsec +plugin is used for userland IPsec ESP encryption. +

+Upon the successful establishment of the IPsec tunnel, an updown script automatically +inserts iptables-based firewall rules that let pass the traffic tunneled via the +ipsec0 tun interface. In order to test both tunnel and firewall, client alice +behind gateway moon pings client bob located behind gateway sun. +

+This scenario is mainly to test how fragmented IPv6 packets are handled (e.g. determining +the protocol via IPv6 extension headers). Three pings are required due to PMTUD, the first +is rejected by moon, so alice adjusts the MTU. The second gets through, +but the response is rejected by sun, so bob will adjust the MTU. The third +finally is successful. diff --git a/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat b/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat new file mode 100644 index 000000000..e9a30b9ac --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat 
@@ -0,0 +1,5 @@
+alice::ping6 -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef ip6-bob.strongswan.org::8192 bytes from ip6-bob.strongswan.org: icmp_seq=3::YES
+moon ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec1::/16\[ipv6-icmp]] remote-ts=\[fec2::/16\[ipv6-icmp]]::YES
+sun ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec2::/16\[ipv6-icmp]] remote-ts=\[fec1::/16\[ipv6-icmp]]::YES
+sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
+sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
diff --git a/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..6870d32fe
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf
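Review bot: The moon and sun `swanctl --list-sas --raw` patterns contain `fec1::/16` and `fec2::/16`, so the `::` field separator occurs inside the pattern field itself. The harness's line parser is not shown on this page, but if it splits on every `::`, the pattern is cut at `local-ts=\[fec1` and `YES` no longer lands in the result field, so the traffic-selector check would not test what it claims. Writing the prefixes so that the two colons are not adjacent, for instance `fec1:\:/16` and `fec2:\:/16`, removes the ambiguity.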
@@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce pem pkcs1 x509 openssl curl revocation vici kernel-libipsec kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..586cc57c1 --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = fec1::0/16[ipv6-icmp] + remote_ts = fec2::0/16[ipv6-icmp] + + updown = /etc/updown + esp_proposals = aes256gcm128-ecp384 + } + } + version = 2 + mobike = no + proposals = aes256-sha384-ecp384 + } +} diff --git a/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/updown new file mode 100755 index 000000000..e7c3640d4 --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/updown 
@@ -0,0 +1,597 @@ +#!/bin/sh +# default updown script +# +# Copyright (C) 2003-2004 Nigel Meteringham +# Copyright (C) 2003-2004 Tuomo Soini +# Copyright (C) 2002-2004 Michael Richardson +# Copyright (C) 2005-2007 Andreas Steffen +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. + +# CAUTION: Installing a new version of strongSwan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the (left/right)updown parameters in ipsec.conf to make +# strongSwan use yours instead of this default one. + +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica- +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. 
+# +# PLUTO_REQID +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated +# +# PLUTO_UNIQUEID +# is the unique identifier of the associated IKE_SA +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_SOURCEIP +# PLUTO_MY_SOURCEIP4_$i +# PLUTO_MY_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP received from a responder, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first +# virtual IP, IPv4 or IPv6. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub- +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_SOURCEIP +# PLUTO_PEER_SOURCEIP4_$i +# PLUTO_PEER_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP sent to an initiator, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first +# virtual IP, IPv4 or IPv6. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. 
+# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_UDP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# +# PLUTO_DNS4_$i +# PLUTO_DNS6_$i +# contains IPv4/IPv6 DNS server attribute received from a +# responder, $i enumerates from 1 to the number of servers per +# address family. +# + +# define a minimum PATH environment in case it is not set +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +export PATH + +# comment to disable logging VPN connections to syslog +VPN_LOGGING=1 +# +# tag put in front of each log entry: +TAG=vpn +# +# syslog facility and priority used: +FAC_PRIO=local0.notice +# +# to create a special vpn logging file, put the following line into +# the syslog configuration file /etc/syslog.conf: +# +# local0.notice -/var/log/vpn + +# check interface version +case "$PLUTO_VERSION" in +1.[0|1]) # Older release?!? Play it safe, script may be using new features. + echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 + echo "$0: called by obsolete release?" >&2 + exit 2 + ;; +1.*) ;; +*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 + exit 2 + ;; +esac + +# check parameter(s) +case "$1:$*" in +':') # no parameters + ;; +iptables:iptables) # due to (left/right)firewall; for default script only + ;; +custom:*) # custom parameters (see above CAUTION comment) + ;; +*) echo "$0: unknown parameters \`$*'" >&2 + exit 2 + ;; +esac + +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" + +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac + +# are there port numbers? 
+if [ "$PLUTO_MY_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi +fi + +# resolve octal escape sequences +PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` +PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` + +case "$PLUTO_VERB:$1" in +up-host:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + PLUTO_INTERFACE=ipsec0 + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +down-client:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. 
+ PLUTO_INTERFACE=ipsec0 + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +up-host:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +# +# IPv6 +# +up-host-v6:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host-v6:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client-v6:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. 
+ ;; +down-client-v6:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + ;; +up-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client-v6:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then + ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client-v6:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then + ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 + exit 1 + ;; +esac diff --git a/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..6870d32fe --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf 
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce pem pkcs1 x509 openssl curl revocation vici kernel-libipsec kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..74977608d
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,29 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = fec2::0/16[ipv6-icmp]
+ remote_ts = fec1::0/16[ipv6-icmp]
+
+ updown = /etc/updown
+ esp_proposals = aes256gcm128-ecp384
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes256-sha384-ecp384
+ }
+}
diff --git a/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/updown
new file mode 100755
index 000000000..e7c3640d4
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/updown
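Review bot: swanctl.conf is added with `new file mode 100755` although it is a configuration file that is only parsed, while the strongswan.conf added next to it is 100644; `new file mode 100644` would avoid marking connection definitions as executable. The moon and sun swanctl.conf files added for net2net-cert later in this patch carry the same mode. Separately, the `remote` section pins only `id`, so presumably any certificate with that identity issued by a CA trusted on the host is accepted; a comment such as `# peer cert accepted from any trusted CA - test PKI only` would warn readers who copy the fixture.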
@@ -0,0 +1,597 @@ +#!/bin/sh +# default updown script +# +# Copyright (C) 2003-2004 Nigel Meteringham +# Copyright (C) 2003-2004 Tuomo Soini +# Copyright (C) 2002-2004 Michael Richardson +# Copyright (C) 2005-2007 Andreas Steffen +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. + +# CAUTION: Installing a new version of strongSwan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the (left/right)updown parameters in ipsec.conf to make +# strongSwan use yours instead of this default one. + +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica- +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. 
+# +# PLUTO_REQID +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated +# +# PLUTO_UNIQUEID +# is the unique identifier of the associated IKE_SA +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_SOURCEIP +# PLUTO_MY_SOURCEIP4_$i +# PLUTO_MY_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP received from a responder, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first +# virtual IP, IPv4 or IPv6. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub- +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_SOURCEIP +# PLUTO_PEER_SOURCEIP4_$i +# PLUTO_PEER_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP sent to an initiator, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first +# virtual IP, IPv4 or IPv6. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. 
+# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_UDP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# +# PLUTO_DNS4_$i +# PLUTO_DNS6_$i +# contains IPv4/IPv6 DNS server attribute received from a +# responder, $i enumerates from 1 to the number of servers per +# address family. +# + +# define a minimum PATH environment in case it is not set +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +export PATH + +# comment to disable logging VPN connections to syslog +VPN_LOGGING=1 +# +# tag put in front of each log entry: +TAG=vpn +# +# syslog facility and priority used: +FAC_PRIO=local0.notice +# +# to create a special vpn logging file, put the following line into +# the syslog configuration file /etc/syslog.conf: +# +# local0.notice -/var/log/vpn + +# check interface version +case "$PLUTO_VERSION" in +1.[0|1]) # Older release?!? Play it safe, script may be using new features. + echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 + echo "$0: called by obsolete release?" >&2 + exit 2 + ;; +1.*) ;; +*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 + exit 2 + ;; +esac + +# check parameter(s) +case "$1:$*" in +':') # no parameters + ;; +iptables:iptables) # due to (left/right)firewall; for default script only + ;; +custom:*) # custom parameters (see above CAUTION comment) + ;; +*) echo "$0: unknown parameters \`$*'" >&2 + exit 2 + ;; +esac + +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" + +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac + +# are there port numbers? 
+if [ "$PLUTO_MY_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi +fi + +# resolve octal escape sequences +PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` +PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` + +case "$PLUTO_VERB:$1" in +up-host:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + PLUTO_INTERFACE=ipsec0 + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +down-client:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. 
+ PLUTO_INTERFACE=ipsec0 + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +up-host:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +# +# IPv6 +# +up-host-v6:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host-v6:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client-v6:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. 
+ ;; +down-client-v6:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + ;; +up-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client-v6:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then + ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client-v6:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then + ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 + exit 1 + ;; +esac diff --git a/testing/tests/libipsec/net2net-cert-ipv6/posttest.dat b/testing/tests/libipsec/net2net-cert-ipv6/posttest.dat new file mode 100644 index 000000000..8cbf20027 --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/posttest.dat 
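Review bot: The two assignments under `# resolve octal escape sequences` pass `$PLUTO_MY_ID` and `$PLUTO_PEER_ID` to `printf` as the format string, so a `%` in a peer-supplied identity is treated as a conversion and any decoded control character reaches the `logger` calls unfiltered. Doubling `%` before decoding and dropping control characters afterwards keeps each connection on one syslog line, e.g. `PLUTO_PEER_ID=$(printf "$(printf '%s' "$PLUTO_PEER_ID" | sed 's/%/%%/g')" | tr -d '\000-\037\177')`, and the same for PLUTO_MY_ID. Separately, for this IPv6 test the script installs no ip6tables FORWARD rule whichever verb is passed: `up-client-v6:` is empty and the customised `up-client:` branch calls `iptables`; if that is intended it should be stated in a comment next to `PLUTO_INTERFACE=ipsec0`.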
@@ -0,0 +1,9 @@
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+alice::"ip route del fec2:\:/16 via fec1:\:1"
+moon::"ip route del fec2:\:/16 via fec0:\:2"
+sun::"ip route del fec1:\:/16 via fec0:\:1"
+bob::"ip route del fec1:\:/16 via fec2:\:1"
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/libipsec/net2net-cert-ipv6/pretest.dat b/testing/tests/libipsec/net2net-cert-ipv6/pretest.dat
new file mode 100644
index 000000000..20aca8291
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert-ipv6/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+alice::"ip route add fec2:\:/16 via fec1:\:1"
+moon::"ip route add fec2:\:/16 via fec0:\:2"
+sun::"ip route add fec1:\:/16 via fec0:\:1"
+bob::"ip route add fec1:\:/16 via fec2:\:1"
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/libipsec/net2net-cert-ipv6/test.conf b/testing/tests/libipsec/net2net-cert-ipv6/test.conf
new file mode 100644
index 000000000..07a3b247a
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert-ipv6/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/libipsec/net2net-cert/evaltest.dat b/testing/tests/libipsec/net2net-cert/evaltest.dat index e489fec64..5364c1e82 100644 --- a/testing/tests/libipsec/net2net-cert/evaltest.dat +++ b/testing/tests/libipsec/net2net-cert/evaltest.dat @@ -1,7 +1,5 @@ -moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +moon:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES] sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES 
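Review bot: The added `sun::swanctl --list-sas --raw` expectation ends in `::YES]`; the trailing `]` looks like a stray character, and depending on how the harness compares the last field the check may not be evaluated as a YES expectation, which would leave the negotiated-algorithm assertion for sun unverified. The line should end `remote-ts=\[10.1.0.0/16]::YES`. The added moon line is written `moon:: swanctl` with a space after the host separator while the sun line is `sun::swanctl`; writing both the same way makes the pair easier to compare.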
diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 631adfcd3..000000000 --- a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftupdown=/etc/updown - right=PH_IP_SUN - rightid=@sun.strongswan.org - rightsubnet=10.2.0.0/16 - auto=add diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf index fa7c0ece2..e6a98b407 100644 --- a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf @@ -1,6 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 gcm pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-libipsec kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..239b7a4fe --- /dev/null +++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf 
@@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /etc/updown + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/ipsec.conf deleted file mode 100644 index b16440aa1..000000000 --- a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftsubnet=10.2.0.0/16 - leftupdown=/etc/updown - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf index fa7c0ece2..e6a98b407 100644 --- a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf @@ -1,6 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 gcm pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-libipsec kernel-netlink socket-default updown multiple_authentication = no } 
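Review bot: `hosts/moon/etc/swanctl/swanctl.conf` is created with `new file mode 100755`, so a plain configuration file is checked in executable; the neighbouring `strongswan.conf` carries `100644`, which is the mode this file should have too. The same mode appears on the three sibling files this commit adds: sun's swanctl.conf for net2net-cert and both hosts' files for net2net-null. Separately, the removed `ipsec.conf` pinned `ikelifetime=60m`, `keylife=20m`, `rekeymargin=3m` and `keyingtries=1`, while the new `gw-gw` block sets no lifetime or retry keys, so the daemon defaults presumably apply. If that is intended, a one-line comment such as `# lifetimes and retries: daemon defaults` at the top of `gw-gw` would record it.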
diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..75b1c46f1
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,29 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /etc/updown
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/libipsec/net2net-cert/posttest.dat b/testing/tests/libipsec/net2net-cert/posttest.dat
index 1f7aa73a1..755f0e5f8 100644
--- a/testing/tests/libipsec/net2net-cert/posttest.dat
+++ b/testing/tests/libipsec/net2net-cert/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/libipsec/net2net-cert/pretest.dat b/testing/tests/libipsec/net2net-cert/pretest.dat
index bcc2cb04d..9440ddab0 100644
--- a/testing/tests/libipsec/net2net-cert/pretest.dat
+++ b/testing/tests/libipsec/net2net-cert/pretest.dat
@@ -1,7 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/libipsec/net2net-cert/test.conf b/testing/tests/libipsec/net2net-cert/test.conf
index 646b8b3e6..07a3b247a 100644
--- a/testing/tests/libipsec/net2net-cert/test.conf
+++ b/testing/tests/libipsec/net2net-cert/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/libipsec/net2net-null/evaltest.dat b/testing/tests/libipsec/net2net-null/evaltest.dat
index c1aae4032..af619f4b8 100644
--- a/testing/tests/libipsec/net2net-null/evaltest.dat
+++ b/testing/tests/libipsec/net2net-null/evaltest.dat
@@ -1,11 +1,5 @@ -moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -moon::ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES -sun:: ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES -moon::ipsec statusall 2> /dev/null::net-net[{]1}.*NULL/HMAC_SHA2_256::YES -sun:: ipsec statusall 2> /dev/null::net-net[{]1}.*NULL/HMAC_SHA2_256::YES +moon ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=NULL integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=NULL integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=NULL integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=NULL integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES sun::tcpdump::IP 
sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf deleted file mode 100644 index f206a16fb..000000000 --- a/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=null-sha256-modp3072! - esp=null-sha256-modp3072! - mobike=no - -conn net-net - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftupdown=/etc/updown - right=PH_IP_SUN - rightid=@sun.strongswan.org - rightsubnet=10.2.0.0/16 - auto=add diff --git a/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf index 2beff1b76..9e2091f31 100644 --- a/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf +++ b/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf @@ -1,6 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce pem pkcs1 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce pem pkcs1 revocation openssl curl vici kernel-libipsec kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/libipsec/net2net-null/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-null/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..15b978249 --- /dev/null +++ b/testing/tests/libipsec/net2net-null/hosts/moon/etc/swanctl/swanctl.conf 
@@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /etc/updown + esp_proposals = null-sha256-modp3072 + } + } + version = 2 + mobike = no + proposals = null-sha256-modp3072 + } +} diff --git a/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 21b116595..000000000 --- a/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=null-sha256-modp3072! - esp=null-sha256-modp3072! - mobike=no - -conn net-net - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftsubnet=10.2.0.0/16 - leftupdown=/etc/updown - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf index 2beff1b76..9e2091f31 100644 --- a/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf +++ b/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf @@ -1,6 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce pem pkcs1 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce pem pkcs1 revocation openssl curl vici kernel-libipsec kernel-netlink socket-default updown multiple_authentication = no } 
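Review bot: `proposals = null-sha256-modp3072` and `esp_proposals = null-sha256-modp3072` in moon's new `gw-gw` block select NULL encryption for both the IKE SA and the `net-net` child SA, and nothing in the file says that this is the purpose of the net2net-null scenario. Test configurations get copied as starting points, so the intent belongs next to the setting, for example `# NULL encryption on purpose: integrity-only scenario for the test suite` above `proposals`. The same applies to sun's swanctl.conf added in the next file section. The matching evaltest.dat already asserts `encr-alg=NULL` for both SAs, so the test itself pins the cipher; only the explanatory comment is missing.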
diff --git a/testing/tests/libipsec/net2net-null/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-null/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..df65eb085
--- /dev/null
+++ b/testing/tests/libipsec/net2net-null/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,29 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /etc/updown
+ esp_proposals = null-sha256-modp3072
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = null-sha256-modp3072
+ }
+}
diff --git a/testing/tests/libipsec/net2net-null/posttest.dat b/testing/tests/libipsec/net2net-null/posttest.dat
index 1f7aa73a1..755f0e5f8 100644
--- a/testing/tests/libipsec/net2net-null/posttest.dat
+++ b/testing/tests/libipsec/net2net-null/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/libipsec/net2net-null/pretest.dat b/testing/tests/libipsec/net2net-null/pretest.dat
index bcc2cb04d..9440ddab0 100644
--- a/testing/tests/libipsec/net2net-null/pretest.dat
+++ b/testing/tests/libipsec/net2net-null/pretest.dat
@@ -1,7 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-sun::expect-connection net-net
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/libipsec/net2net-null/test.conf b/testing/tests/libipsec/net2net-null/test.conf
index 646b8b3e6..07a3b247a 100644
--- a/testing/tests/libipsec/net2net-null/test.conf
+++ b/testing/tests/libipsec/net2net-null/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/libipsec/rw-suite-b/description.txt b/testing/tests/libipsec/rw-suite-b/description.txt
deleted file mode 100644
index a1b09405a..000000000
--- a/testing/tests/libipsec/rw-suite-b/description.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-The roadwarriors carol and dave set up a connection to gateway moon.
-The authentication is based on Suite B with 128 bit security based on X.509 ECDSA
-certificates, ECP Diffie-Hellman groups and AES-GCM authenticated encryption.
-The kernel-libipsec plugin is used for userland IPsec AES-GCM authenticated ESP
-encryption.
-

-Upon the successful establishment of the IPsec tunnel, an updown script automatically -inserts iptables-based firewall rules that let pass the traffic tunneled via the ipsec0 -tun interface. In order to test both tunnel and firewall, carol and dave ping -the client alice behind the gateway moon. diff --git a/testing/tests/libipsec/rw-suite-b/evaltest.dat b/testing/tests/libipsec/rw-suite-b/evaltest.dat deleted file mode 100644 index 487a21c57..000000000 --- a/testing/tests/libipsec/rw-suite-b/evaltest.dat +++ /dev/null 
@@ -1,19 +0,0 @@ -carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -dave:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES -moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon::tcpdump::IP carol.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES -moon::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > carol.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES -moon::tcpdump::IP dave.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES -moon::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > dave.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 8106e28d2..000000000 
--- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128gcm128-prfsha256-ecp256! - esp=aes128gcm128-ecp256! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftsourceip=%config - leftupdown=/etc/updown - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index 3480a434a..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC -Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3 -YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD -ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA -BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn -/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM -h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV -HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2 -t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD -ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM -ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq -cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q -3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg= ------END CERTIFICATE----- 
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem deleted file mode 100644 index a85635faf..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI -zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj -BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME -GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv -bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3 -YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5 -nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR -Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49 -hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00= ------END CERTIFICATE----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem deleted file mode 100644 index d29ddb9ee..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIMDstKxdv/vNBPfM8iHvn5g5/8T5aRSnlh27HHt6iTfGoAoGCCqGSM49 -AwEHoUQDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAjBuX3bs5ZIn7B -rRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2nw== ------END EC PRIVATE KEY----- 
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 3d6725162..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA carolKey.pem diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 4ab9a617f..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,13 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce pem pkcs1 pkcs8 x509 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown - - initiator_only = yes - - plugins { - openssl { - fips_mode = 2 - } - } -} diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown deleted file mode 100755 index 6a5b18de6..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown +++ /dev/null 
@@ -1,638 +0,0 @@ -#!/bin/sh -# default updown script -# -# Copyright (C) 2003-2004 Nigel Meteringham -# Copyright (C) 2003-2004 Tuomo Soini -# Copyright (C) 2002-2004 Michael Richardson -# Copyright (C) 2005-2007 Andreas Steffen -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See . -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. - -# CAUTION: Installing a new version of strongSwan will install a new -# copy of this script, wiping out any custom changes you make. If -# you need changes, make a copy of this under another name, and customize -# that, and use the (left/right)updown parameters in ipsec.conf to make -# strongSwan use yours instead of this default one. - -# PLUTO_VERSION -# indicates what version of this interface is being -# used. This document describes version 1.1. This -# is upwardly compatible with version 1.0. -# -# PLUTO_VERB -# specifies the name of the operation to be performed -# (prepare-host, prepare-client, up-host, up-client, -# down-host, or down-client). If the address family -# for security gateway to security gateway communica- -# tions is IPv6, then a suffix of -v6 is added to the -# verb. -# -# PLUTO_CONNECTION -# is the name of the connection for which we are -# routing. -# -# PLUTO_INTERFACE -# is the name of the ipsec interface to be used. 
-# -# PLUTO_REQID -# is the requid of the AH|ESP policy -# -# PLUTO_PROTO -# is the negotiated IPsec protocol, ah|esp -# -# PLUTO_IPCOMP -# is not empty if IPComp was negotiated -# -# PLUTO_UNIQUEID -# is the unique identifier of the associated IKE_SA -# -# PLUTO_ME -# is the IP address of our host. -# -# PLUTO_MY_ID -# is the ID of our host. -# -# PLUTO_MY_CLIENT -# is the IP address / count of our client subnet. If -# the client is just the host, this will be the -# host's own IP address / max (where max is 32 for -# IPv4 and 128 for IPv6). -# -# PLUTO_MY_SOURCEIP -# PLUTO_MY_SOURCEIP4_$i -# PLUTO_MY_SOURCEIP6_$i -# contains IPv4/IPv6 virtual IP received from a responder, -# $i enumerates from 1 to the number of IP per address family. -# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first -# virtual IP, IPv4 or IPv6. -# -# PLUTO_MY_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_MY_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on our side. For ICMP/ICMPv6 this contains the -# message type, and PLUTO_PEER_PORT the message code. -# -# PLUTO_PEER -# is the IP address of our peer. -# -# PLUTO_PEER_ID -# is the ID of our peer. -# -# PLUTO_PEER_CLIENT -# is the IP address / count of the peer's client sub- -# net. If the client is just the peer, this will be -# the peer's own IP address / max (where max is 32 -# for IPv4 and 128 for IPv6). -# -# PLUTO_PEER_SOURCEIP -# PLUTO_PEER_SOURCEIP4_$i -# PLUTO_PEER_SOURCEIP6_$i -# contains IPv4/IPv6 virtual IP sent to an initiator, -# $i enumerates from 1 to the number of IP per address family. -# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first -# virtual IP, IPv4 or IPv6. -# -# PLUTO_PEER_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_PEER_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. For ICMP/ICMPv6 this contains the -# message code, and PLUTO_MY_PORT the message type. 
-# -# PLUTO_XAUTH_ID -# is an optional user ID employed by the XAUTH protocol -# -# PLUTO_MARK_IN -# is an optional XFRM mark set on the inbound IPsec SA -# -# PLUTO_MARK_OUT -# is an optional XFRM mark set on the outbound IPsec SA -# -# PLUTO_UDP_ENC -# contains the remote UDP port in the case of ESP_IN_UDP -# encapsulation -# -# PLUTO_DNS4_$i -# PLUTO_DNS6_$i -# contains IPv4/IPv6 DNS server attribute received from a -# responder, $i enumerates from 1 to the number of servers per -# address family. -# - -# define a minimum PATH environment in case it is not set -PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" -export PATH - -# comment to disable logging VPN connections to syslog -VPN_LOGGING=1 -# -# tag put in front of each log entry: -TAG=vpn -# -# syslog facility and priority used: -FAC_PRIO=local0.notice -# -# to create a special vpn logging file, put the following line into -# the syslog configuration file /etc/syslog.conf: -# -# local0.notice -/var/log/vpn - -# check interface version -case "$PLUTO_VERSION" in -1.[0|1]) # Older release?!? Play it safe, script may be using new features. - echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete release?" >&2 - exit 2 - ;; -1.*) ;; -*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 - exit 2 - ;; -esac - -# check parameter(s) -case "$1:$*" in -':') # no parameters - ;; -iptables:iptables) # due to (left/right)firewall; for default script only - ;; -custom:*) # custom parameters (see above CAUTION comment) - ;; -*) echo "$0: unknown parameters \`$*'" >&2 - exit 2 - ;; -esac - -IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" -IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" -IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - -# use protocol specific options to set ports -case "$PLUTO_MY_PROTOCOL" in -1) # ICMP - ICMP_TYPE_OPTION="--icmp-type" - ;; -58) # ICMPv6 - ICMP_TYPE_OPTION="--icmpv6-type" - ;; -*) - ;; -esac - -# are there port numbers? 
-if [ "$PLUTO_MY_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - else - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" - fi -fi -if [ "$PLUTO_PEER_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - # the syntax is --icmp[v6]-type type[/code], so add it to the existing option - S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" - D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" - else - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" - fi -fi - -# resolve octal escape sequences -PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` -PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` - -case "$PLUTO_VERB:$1" in -up-host:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - ;; -down-host:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - ;; -up-client:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. 
- PLUTO_INTERFACE=ipsec0 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - fi - ;; -down-client:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. 
- PLUTO_INTERFACE=ipsec0 - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - fi - ;; -up-host:iptables) - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed) - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host:iptables) - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed). - # INPUT is correct here even for forwarded traffic. - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -# -# IPv6 -# -up-host-v6:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - ;; -down-host-v6:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - ;; -up-client-v6:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. 
- ;; -down-client-v6:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - ;; -up-host-v6:iptables) - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # allow IP6IP6 traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed) - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host-v6:iptables) - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # IP6IP6 exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client-v6:iptables) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # allow IP6IP6 traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed). - # INPUT is correct here even for forwarded traffic. - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client-v6:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # IP6IP6 exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 - exit 1 - ;; -esac diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 9b6ca682a..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf +++ /dev/null 
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128gcm128-prfsha256-ecp256!
- esp=aes128gcm128-ecp256!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftsourceip=%config
- leftupdown=/etc/updown
- right=PH_IP_MOON
- rightid=moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index 3480a434a..000000000
--- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
-Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
-YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
-ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
-BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
-/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
-h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
-HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
-t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
-ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
-ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
-cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
-3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
------END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem
deleted file mode 100644
index c83be145d..000000000
--- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICXDCCAb2gAwIBAgIBCzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTEzMDYyODA3MzMyOFoXDTE4MDYwMjA3MzMyOFowXjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDI1NiBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
-PQIBBggqhkjOPQMBBwNCAAQ0aUuue3BcBvF6aEISID4c+mVBJyvSm2fPVRRkAQqh
-RktTHMYDWY6B8e/iGr4GDeF5bjr46vMB5eEtVx3chWbQo4GBMH8wHwYDVR0jBBgw
-FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz
-d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAd5ols9c
-CP6HPtfMXbPlSpUDKSRyB3c5Ix2Yn3z5ogMM1QSoS88FW8D7KKsb0qTY5TnlAls3
-45PmauVwEbI2cV6qAkIBphvsmhYWMnt/QMOij7DinihEL9Ib1vxOS2boUos6sHWi
-gj3wfHyfgHM3Pgt0YYoZxELDIxcLVJeoa1TmNey7IaI=
------END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem
deleted file mode 100644
index 17e94022e..000000000
--- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEICwxFtCsSqIAzwZDyxHclTRdz/tGzAY7fP/vPoxqr8vuoAoGCCqGSM49
-AwEHoUQDQgAENGlLrntwXAbxemhCEiA+HPplQScr0ptnz1UUZAEKoUZLUxzGA1mO
-gfHv4hq+Bg3heW46+OrzAeXhLVcd3IVm0A==
------END EC PRIVATE KEY-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index ebd3a2839..000000000
--- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA daveKey.pem
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules
deleted file mode 100644
index 3d99c0197..000000000
--- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules
+++ /dev/null
@@ -1,32 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
-
-# allow traffic tunnelled via IPsec
--A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
--A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 4ab9a617f..000000000
--- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce pem pkcs1 pkcs8 x509 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown
-
- initiator_only = yes
-
- plugins {
- openssl {
- fips_mode = 2
- }
- }
-}
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown
deleted file mode 100755
index 6a5b18de6..000000000
--- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown
+++ /dev/null
@@ -1,638 +0,0 @@ -#!/bin/sh -# default updown script -# -# Copyright (C) 2003-2004 Nigel Meteringham -# Copyright (C) 2003-2004 Tuomo Soini -# Copyright (C) 2002-2004 Michael Richardson -# Copyright (C) 2005-2007 Andreas Steffen -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See . -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. - -# CAUTION: Installing a new version of strongSwan will install a new -# copy of this script, wiping out any custom changes you make. If -# you need changes, make a copy of this under another name, and customize -# that, and use the (left/right)updown parameters in ipsec.conf to make -# strongSwan use yours instead of this default one. - -# PLUTO_VERSION -# indicates what version of this interface is being -# used. This document describes version 1.1. This -# is upwardly compatible with version 1.0. -# -# PLUTO_VERB -# specifies the name of the operation to be performed -# (prepare-host, prepare-client, up-host, up-client, -# down-host, or down-client). If the address family -# for security gateway to security gateway communica- -# tions is IPv6, then a suffix of -v6 is added to the -# verb. -# -# PLUTO_CONNECTION -# is the name of the connection for which we are -# routing. -# -# PLUTO_INTERFACE -# is the name of the ipsec interface to be used. 
-# -# PLUTO_REQID -# is the requid of the AH|ESP policy -# -# PLUTO_PROTO -# is the negotiated IPsec protocol, ah|esp -# -# PLUTO_IPCOMP -# is not empty if IPComp was negotiated -# -# PLUTO_UNIQUEID -# is the unique identifier of the associated IKE_SA -# -# PLUTO_ME -# is the IP address of our host. -# -# PLUTO_MY_ID -# is the ID of our host. -# -# PLUTO_MY_CLIENT -# is the IP address / count of our client subnet. If -# the client is just the host, this will be the -# host's own IP address / max (where max is 32 for -# IPv4 and 128 for IPv6). -# -# PLUTO_MY_SOURCEIP -# PLUTO_MY_SOURCEIP4_$i -# PLUTO_MY_SOURCEIP6_$i -# contains IPv4/IPv6 virtual IP received from a responder, -# $i enumerates from 1 to the number of IP per address family. -# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first -# virtual IP, IPv4 or IPv6. -# -# PLUTO_MY_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_MY_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on our side. For ICMP/ICMPv6 this contains the -# message type, and PLUTO_PEER_PORT the message code. -# -# PLUTO_PEER -# is the IP address of our peer. -# -# PLUTO_PEER_ID -# is the ID of our peer. -# -# PLUTO_PEER_CLIENT -# is the IP address / count of the peer's client sub- -# net. If the client is just the peer, this will be -# the peer's own IP address / max (where max is 32 -# for IPv4 and 128 for IPv6). -# -# PLUTO_PEER_SOURCEIP -# PLUTO_PEER_SOURCEIP4_$i -# PLUTO_PEER_SOURCEIP6_$i -# contains IPv4/IPv6 virtual IP sent to an initiator, -# $i enumerates from 1 to the number of IP per address family. -# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first -# virtual IP, IPv4 or IPv6. -# -# PLUTO_PEER_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_PEER_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. For ICMP/ICMPv6 this contains the -# message code, and PLUTO_MY_PORT the message type. 
-# -# PLUTO_XAUTH_ID -# is an optional user ID employed by the XAUTH protocol -# -# PLUTO_MARK_IN -# is an optional XFRM mark set on the inbound IPsec SA -# -# PLUTO_MARK_OUT -# is an optional XFRM mark set on the outbound IPsec SA -# -# PLUTO_UDP_ENC -# contains the remote UDP port in the case of ESP_IN_UDP -# encapsulation -# -# PLUTO_DNS4_$i -# PLUTO_DNS6_$i -# contains IPv4/IPv6 DNS server attribute received from a -# responder, $i enumerates from 1 to the number of servers per -# address family. -# - -# define a minimum PATH environment in case it is not set -PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" -export PATH - -# comment to disable logging VPN connections to syslog -VPN_LOGGING=1 -# -# tag put in front of each log entry: -TAG=vpn -# -# syslog facility and priority used: -FAC_PRIO=local0.notice -# -# to create a special vpn logging file, put the following line into -# the syslog configuration file /etc/syslog.conf: -# -# local0.notice -/var/log/vpn - -# check interface version -case "$PLUTO_VERSION" in -1.[0|1]) # Older release?!? Play it safe, script may be using new features. - echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete release?" >&2 - exit 2 - ;; -1.*) ;; -*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 - exit 2 - ;; -esac - -# check parameter(s) -case "$1:$*" in -':') # no parameters - ;; -iptables:iptables) # due to (left/right)firewall; for default script only - ;; -custom:*) # custom parameters (see above CAUTION comment) - ;; -*) echo "$0: unknown parameters \`$*'" >&2 - exit 2 - ;; -esac - -IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" -IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" -IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - -# use protocol specific options to set ports -case "$PLUTO_MY_PROTOCOL" in -1) # ICMP - ICMP_TYPE_OPTION="--icmp-type" - ;; -58) # ICMPv6 - ICMP_TYPE_OPTION="--icmpv6-type" - ;; -*) - ;; -esac - -# are there port numbers? 
-if [ "$PLUTO_MY_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - else - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" - fi -fi -if [ "$PLUTO_PEER_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - # the syntax is --icmp[v6]-type type[/code], so add it to the existing option - S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" - D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" - else - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" - fi -fi - -# resolve octal escape sequences -PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` -PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` - -case "$PLUTO_VERB:$1" in -up-host:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - ;; -down-host:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - ;; -up-client:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. 
- PLUTO_INTERFACE=ipsec0 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - fi - ;; -down-client:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. 
- PLUTO_INTERFACE=ipsec0 - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - fi - ;; -up-host:iptables) - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed) - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host:iptables) - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed). - # INPUT is correct here even for forwarded traffic. - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -# -# IPv6 -# -up-host-v6:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - ;; -down-host-v6:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - ;; -up-client-v6:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. 
- ;; -down-client-v6:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - ;; -up-host-v6:iptables) - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # allow IP6IP6 traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed) - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host-v6:iptables) - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # IP6IP6 exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client-v6:iptables) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # allow IP6IP6 traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed). - # INPUT is correct here even for forwarded traffic. - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client-v6:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # IP6IP6 exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 - exit 1 - ;; -esac diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf deleted file mode 100644 index abb34ac91..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf +++ /dev/null 
@@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="knl 3, esp 3" - -conn %default - ikelifetime=60m - keylife=20m - rekey=no - reauth=no - keyexchange=ikev2 - ike=aes128gcm128-prfsha256-ecp256! - esp=aes128gcm128-ecp256! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftupdown=/etc/updown - right=%any - rightsourceip=10.3.0.0/24 - auto=add diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index 3480a434a..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC -Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3 -YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD -ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA -BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn -/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM -h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV -HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2 -t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD -ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM -ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq -cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q -3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg= ------END CERTIFICATE----- 
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem deleted file mode 100644 index a3b043e82..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICXDCCAb2gAwIBAgIBBzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTEzMDYyODA3MTc0M1oXDTE4MDYwMjA3MTc0M1owXjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDI1NiBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO -PQIBBggqhkjOPQMBBwNCAATf97+pfDnyPIA9gf6bYTZiIjNBAbCjCIqxxWou/oMq -/9V1O20vyI/dg2g3yzTdzESUa+X81fop+i2n9ymBqI1No4GBMH8wHwYDVR0jBBgw -FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdz -d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u -b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCALNndw3C -DDWCb0f+6P6hxkqiYmUpv39XrioZrLbw+MjMD2WAchbj60KibBep1cVwIq3kWIJ6 -Jj0tYXG+f6yjmImqAkIBGOGRm+MQZxPFdYZoJZq5QXwIN0w2hJxmLIxBASW4PLdl -RLIlvW/XTJObdb0VVYmClg0HTSvuuYOJrzwdyd8D1w0= ------END CERTIFICATE----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem deleted file mode 100644 index 5bd2778a9..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIHWBnv6tDi/CTTWOQi/0XME7r8Wd5GRPaXx3wNTElpSvoAoGCCqGSM49 -AwEHoUQDQgAE3/e/qXw58jyAPYH+m2E2YiIzQQGwowiKscVqLv6DKv/VdTttL8iP -3YNoN8s03cxElGvl/NX6Kfotp/cpgaiNTQ== ------END EC PRIVATE KEY----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 1ef3eccb5..000000000 
--- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA moonKey.pem diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf deleted file mode 100644 index d68b6e57a..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce pem pkcs1 pkcs8 x509 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown - - plugins { - openssl { - fips_mode = 2 - } - } -} diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown deleted file mode 100755 index 6a5b18de6..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown +++ /dev/null 
@@ -1,638 +0,0 @@ -#!/bin/sh -# default updown script -# -# Copyright (C) 2003-2004 Nigel Meteringham -# Copyright (C) 2003-2004 Tuomo Soini -# Copyright (C) 2002-2004 Michael Richardson -# Copyright (C) 2005-2007 Andreas Steffen -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See . -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. - -# CAUTION: Installing a new version of strongSwan will install a new -# copy of this script, wiping out any custom changes you make. If -# you need changes, make a copy of this under another name, and customize -# that, and use the (left/right)updown parameters in ipsec.conf to make -# strongSwan use yours instead of this default one. - -# PLUTO_VERSION -# indicates what version of this interface is being -# used. This document describes version 1.1. This -# is upwardly compatible with version 1.0. -# -# PLUTO_VERB -# specifies the name of the operation to be performed -# (prepare-host, prepare-client, up-host, up-client, -# down-host, or down-client). If the address family -# for security gateway to security gateway communica- -# tions is IPv6, then a suffix of -v6 is added to the -# verb. -# -# PLUTO_CONNECTION -# is the name of the connection for which we are -# routing. -# -# PLUTO_INTERFACE -# is the name of the ipsec interface to be used. 
-# -# PLUTO_REQID -# is the requid of the AH|ESP policy -# -# PLUTO_PROTO -# is the negotiated IPsec protocol, ah|esp -# -# PLUTO_IPCOMP -# is not empty if IPComp was negotiated -# -# PLUTO_UNIQUEID -# is the unique identifier of the associated IKE_SA -# -# PLUTO_ME -# is the IP address of our host. -# -# PLUTO_MY_ID -# is the ID of our host. -# -# PLUTO_MY_CLIENT -# is the IP address / count of our client subnet. If -# the client is just the host, this will be the -# host's own IP address / max (where max is 32 for -# IPv4 and 128 for IPv6). -# -# PLUTO_MY_SOURCEIP -# PLUTO_MY_SOURCEIP4_$i -# PLUTO_MY_SOURCEIP6_$i -# contains IPv4/IPv6 virtual IP received from a responder, -# $i enumerates from 1 to the number of IP per address family. -# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first -# virtual IP, IPv4 or IPv6. -# -# PLUTO_MY_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_MY_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on our side. For ICMP/ICMPv6 this contains the -# message type, and PLUTO_PEER_PORT the message code. -# -# PLUTO_PEER -# is the IP address of our peer. -# -# PLUTO_PEER_ID -# is the ID of our peer. -# -# PLUTO_PEER_CLIENT -# is the IP address / count of the peer's client sub- -# net. If the client is just the peer, this will be -# the peer's own IP address / max (where max is 32 -# for IPv4 and 128 for IPv6). -# -# PLUTO_PEER_SOURCEIP -# PLUTO_PEER_SOURCEIP4_$i -# PLUTO_PEER_SOURCEIP6_$i -# contains IPv4/IPv6 virtual IP sent to an initiator, -# $i enumerates from 1 to the number of IP per address family. -# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first -# virtual IP, IPv4 or IPv6. -# -# PLUTO_PEER_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_PEER_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. For ICMP/ICMPv6 this contains the -# message code, and PLUTO_MY_PORT the message type. 
-# -# PLUTO_XAUTH_ID -# is an optional user ID employed by the XAUTH protocol -# -# PLUTO_MARK_IN -# is an optional XFRM mark set on the inbound IPsec SA -# -# PLUTO_MARK_OUT -# is an optional XFRM mark set on the outbound IPsec SA -# -# PLUTO_UDP_ENC -# contains the remote UDP port in the case of ESP_IN_UDP -# encapsulation -# -# PLUTO_DNS4_$i -# PLUTO_DNS6_$i -# contains IPv4/IPv6 DNS server attribute received from a -# responder, $i enumerates from 1 to the number of servers per -# address family. -# - -# define a minimum PATH environment in case it is not set -PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" -export PATH - -# comment to disable logging VPN connections to syslog -VPN_LOGGING=1 -# -# tag put in front of each log entry: -TAG=vpn -# -# syslog facility and priority used: -FAC_PRIO=local0.notice -# -# to create a special vpn logging file, put the following line into -# the syslog configuration file /etc/syslog.conf: -# -# local0.notice -/var/log/vpn - -# check interface version -case "$PLUTO_VERSION" in -1.[0|1]) # Older release?!? Play it safe, script may be using new features. - echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete release?" >&2 - exit 2 - ;; -1.*) ;; -*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 - exit 2 - ;; -esac - -# check parameter(s) -case "$1:$*" in -':') # no parameters - ;; -iptables:iptables) # due to (left/right)firewall; for default script only - ;; -custom:*) # custom parameters (see above CAUTION comment) - ;; -*) echo "$0: unknown parameters \`$*'" >&2 - exit 2 - ;; -esac - -IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" -IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" -IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - -# use protocol specific options to set ports -case "$PLUTO_MY_PROTOCOL" in -1) # ICMP - ICMP_TYPE_OPTION="--icmp-type" - ;; -58) # ICMPv6 - ICMP_TYPE_OPTION="--icmpv6-type" - ;; -*) - ;; -esac - -# are there port numbers? 
-if [ "$PLUTO_MY_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - else - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" - fi -fi -if [ "$PLUTO_PEER_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - # the syntax is --icmp[v6]-type type[/code], so add it to the existing option - S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" - D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" - else - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" - fi -fi - -# resolve octal escape sequences -PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` -PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` - -case "$PLUTO_VERB:$1" in -up-host:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - ;; -down-host:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - ;; -up-client:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. 
- PLUTO_INTERFACE=ipsec0 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - fi - ;; -down-client:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. 
- PLUTO_INTERFACE=ipsec0 - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - fi - ;; -up-host:iptables) - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed) - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host:iptables) - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed). - # INPUT is correct here even for forwarded traffic. - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -# -# IPv6 -# -up-host-v6:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - ;; -down-host-v6:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - ;; -up-client-v6:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. 
- ;; -down-client-v6:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - ;; -up-host-v6:iptables) - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # allow IP6IP6 traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed) - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host-v6:iptables) - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # IP6IP6 exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client-v6:iptables) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # allow IP6IP6 traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed). - # INPUT is correct here even for forwarded traffic. - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client-v6:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # IP6IP6 exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 - exit 1 - ;; -esac diff --git a/testing/tests/libipsec/rw-suite-b/posttest.dat b/testing/tests/libipsec/rw-suite-b/posttest.dat deleted file mode 100644 index 1865a1c60..000000000 --- a/testing/tests/libipsec/rw-suite-b/posttest.dat +++ /dev/null 
@@ -1,6 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush -dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/libipsec/rw-suite-b/pretest.dat b/testing/tests/libipsec/rw-suite-b/pretest.dat deleted file mode 100644 index e87a8ee47..000000000 --- a/testing/tests/libipsec/rw-suite-b/pretest.dat +++ /dev/null @@ -1,11 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start -moon::expect-connection rw -carol::expect-connection home -carol::ipsec up home -dave::expect-connection home -dave::ipsec up home diff --git a/testing/tests/libipsec/rw-suite-b/test.conf b/testing/tests/libipsec/rw-suite-b/test.conf deleted file mode 100644 index f29298850..000000000 --- a/testing/tests/libipsec/rw-suite-b/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf index c8f63bced..ee8cbcdef 100644 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m 
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf index f2c60511b..f5b116b3b 100644 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = pem pkcs1 random nonce openssl curl revocation stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf index 28a5cad31..2236a5f71 100644 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf index 7af4b4e37..4aa2068f4 100644 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf @@ -3,6 +3,11 @@ charon { load = pem pkcs1 random nonce openssl curl revocation stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } libtls { diff --git a/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/ipsec.conf index dcd98b4de..ec3daa00a 100644 --- a/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/ipsec.conf +++ b/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/ipsec.conf 
@@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m lifetime=10s diff --git a/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/strongswan.conf index 4234eb134..855ba919d 100644 --- a/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/strongswan.conf +++ b/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/strongswan.conf @@ -4,4 +4,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown # remove rekeyed inbound SA a bit quicker for the test scenario delete_rekeyed_delay = 2 + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/sql/ip-pool-db-expired/evaltest.dat b/testing/tests/sql/ip-pool-db-expired/evaltest.dat index a105fc040..cf289abd0 100644 --- a/testing/tests/sql/ip-pool-db-expired/evaltest.dat +++ b/testing/tests/sql/ip-pool-db-expired/evaltest.dat 
@@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES moon:: cat /var/log/daemon.log::assigning virtual IP::YES moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES -moon:: ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*1h.*2::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES +moon:: ipsec pool --status 2> 
/dev/null::bigpool.*10.3.0.1.*10.3.0.6.*60m.*2::YES moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/sql/ip-pool-db-expired/posttest.dat b/testing/tests/sql/ip-pool-db-expired/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/sql/ip-pool-db-expired/posttest.dat +++ b/testing/tests/sql/ip-pool-db-expired/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/ip-pool-db-expired/pretest.dat b/testing/tests/sql/ip-pool-db-expired/pretest.dat index 068d72917..f8b710495 100644 --- a/testing/tests/sql/ip-pool-db-expired/pretest.dat +++ b/testing/tests/sql/ip-pool-db-expired/pretest.dat 
@@ -5,12 +5,15 @@ moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --leases 2> /dev/null
+carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::service charon start 2> /dev/null
-carol::service charon start 2> /dev/null
-dave::service charon start 2> /dev/null
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 carol::expect-connection home
 carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/sql/ip-pool-db-restart/posttest.dat b/testing/tests/sql/ip-pool-db-restart/posttest.dat
index d7107ccc6..b909ac76c 100644
--- a/testing/tests/sql/ip-pool-db-restart/posttest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/posttest.dat
@@ -1,8 +1,8 @@
 carol::swanctl --terminate --ike home
 dave::swanctl --terminate --ike home
-carol::service charon stop 2> /dev/null
-dave::service charon stop 2> /dev/null
-moon::service charon stop 2> /dev/null
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/sql/ip-pool-db-restart/pretest.dat b/testing/tests/sql/ip-pool-db-restart/pretest.dat
index 374693e36..e918fc238 100644
--- a/testing/tests/sql/ip-pool-db-restart/pretest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/pretest.dat
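Review bot: The three added `cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*` lines in testing/tests/sql/ip-pool-db-expired/pretest.dat join `cd` and `rm` with `;`, so a failed `cd` still lets the recursive delete run on relative globs in whatever directory the command started in, while the credential files in /etc/swanctl stay in place. Absolute paths avoid depending on the working directory, e.g. `moon::rm -r /etc/swanctl/rsa/* /etc/swanctl/x509/* /etc/swanctl/x509ca/*`, or at least `cd /etc/swanctl && rm -r rsa/* x509/* x509ca/*`. The same lines are added to the other testing/tests/sql/*/pretest.dat hunks in this commit, so the point applies there as well. Presumably the files are removed so that only credentials from the SQL database are loaded; if so, a silent failure here would let a scenario pass on file-based credentials, which is worth stating in the test description.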
@@ -5,12 +5,15 @@ moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --leases 2> /dev/null
+carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::service charon start 2> /dev/null
-carol::service charon start 2> /dev/null
-dave::service charon start 2> /dev/null
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 dave::expect-connection home
 dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/sql/ip-pool-db/posttest.dat b/testing/tests/sql/ip-pool-db/posttest.dat
index d7107ccc6..b909ac76c 100644
--- a/testing/tests/sql/ip-pool-db/posttest.dat
+++ b/testing/tests/sql/ip-pool-db/posttest.dat
@@ -1,8 +1,8 @@
 carol::swanctl --terminate --ike home
 dave::swanctl --terminate --ike home
-carol::service charon stop 2> /dev/null
-dave::service charon stop 2> /dev/null
-moon::service charon stop 2> /dev/null
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/sql/ip-pool-db/pretest.dat b/testing/tests/sql/ip-pool-db/pretest.dat
index 4d89bed3e..01a7fdff3 100644
--- a/testing/tests/sql/ip-pool-db/pretest.dat
+++ b/testing/tests/sql/ip-pool-db/pretest.dat
@@ -4,12 +4,15 @@ dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips
 moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::service charon start 2> /dev/null
-carol::service charon start 2> /dev/null
-dave::service charon start 2> /dev/null
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 carol::expect-connection home
 carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat
index b257564dc..ea0241af0 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat
+++ b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat
@@ -1,5 +1,5 @@
 carol::swanctl --terminate --ike home
 dave::swanctl --terminate --ike home
-carol::service charon stop 2> /dev/null
-dave::service charon stop 2> /dev/null
-moon::service charon stop 2> /dev/null
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
diff --git a/testing/tests/sql/ip-split-pools-db-restart/pretest.dat b/testing/tests/sql/ip-split-pools-db-restart/pretest.dat
index d0c7b9c76..084bcd2f4 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/pretest.dat
+++ b/testing/tests/sql/ip-split-pools-db-restart/pretest.dat
@@ -6,9 +6,12 @@ carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --status 2> /dev/null
 moon::ipsec pool --leases 2> /dev/null
-moon::service charon start 2> /dev/null
-carol::service charon start 2> /dev/null
-dave::service charon start 2> /dev/null
+carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 dave::expect-connection home
 dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/sql/ip-split-pools-db/posttest.dat b/testing/tests/sql/ip-split-pools-db/posttest.dat
index b257564dc..ea0241af0 100644
--- a/testing/tests/sql/ip-split-pools-db/posttest.dat
+++ b/testing/tests/sql/ip-split-pools-db/posttest.dat
@@ -1,5 +1,5 @@
 carol::swanctl --terminate --ike home
 dave::swanctl --terminate --ike home
-carol::service charon stop 2> /dev/null
-dave::service charon stop 2> /dev/null
-moon::service charon stop 2> /dev/null
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
diff --git a/testing/tests/sql/ip-split-pools-db/pretest.dat b/testing/tests/sql/ip-split-pools-db/pretest.dat
index e1f0c22ae..94df5b360 100644
--- a/testing/tests/sql/ip-split-pools-db/pretest.dat
+++ b/testing/tests/sql/ip-split-pools-db/pretest.dat
@@ -5,9 +5,12 @@ moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --status 2> /dev/null
-moon::service charon start 2> /dev/null
-carol::service charon start 2> /dev/null
-dave::service charon start 2> /dev/null
+carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 carol::expect-connection home
 carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/sql/multi-level-ca/posttest.dat b/testing/tests/sql/multi-level-ca/posttest.dat
index d7107ccc6..b909ac76c 100644
--- a/testing/tests/sql/multi-level-ca/posttest.dat
+++ b/testing/tests/sql/multi-level-ca/posttest.dat
@@ -1,8 +1,8 @@
 carol::swanctl --terminate --ike home
 dave::swanctl --terminate --ike home
-carol::service charon stop 2> /dev/null
-dave::service charon stop 2> /dev/null
-moon::service charon stop 2> /dev/null
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/sql/multi-level-ca/pretest.dat b/testing/tests/sql/multi-level-ca/pretest.dat
index 4d89bed3e..01a7fdff3 100644
--- a/testing/tests/sql/multi-level-ca/pretest.dat
+++ b/testing/tests/sql/multi-level-ca/pretest.dat
@@ -4,12 +4,15 @@ dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips
 moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::service charon start 2> /dev/null
-carol::service charon start 2> /dev/null
-dave::service charon start 2> /dev/null
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 carol::expect-connection home
 carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/sql/net2net-cert/posttest.dat b/testing/tests/sql/net2net-cert/posttest.dat
index 59badb867..8b792b878 100644
--- a/testing/tests/sql/net2net-cert/posttest.dat
+++ b/testing/tests/sql/net2net-cert/posttest.dat
@@ -1,4 +1,4 @@
-moon::service charon stop 2> /dev/null
-sun::service charon stop 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/sql/net2net-cert/pretest.dat b/testing/tests/sql/net2net-cert/pretest.dat
index 6580e7604..dd91c3859 100644
--- a/testing/tests/sql/net2net-cert/pretest.dat
+++ b/testing/tests/sql/net2net-cert/pretest.dat
@@ -2,10 +2,12 @@ moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips
 sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+sun::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::service charon start 2> /dev/null
-sun::service charon start 2> /dev/null
-moon::expect-connection net-net
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection net-net
 sun::expect-connection net-net
 moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/sql/net2net-psk/posttest.dat b/testing/tests/sql/net2net-psk/posttest.dat
index 59badb867..8b792b878 100644
--- a/testing/tests/sql/net2net-psk/posttest.dat
+++ b/testing/tests/sql/net2net-psk/posttest.dat
@@ -1,4 +1,4 @@
-moon::service charon stop 2> /dev/null
-sun::service charon stop 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/sql/net2net-psk/pretest.dat b/testing/tests/sql/net2net-psk/pretest.dat
index 6580e7604..dd91c3859 100644
--- a/testing/tests/sql/net2net-psk/pretest.dat
+++ b/testing/tests/sql/net2net-psk/pretest.dat
@@ -2,10 +2,12 @@ moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips
 sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+sun::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::service charon start 2> /dev/null
-sun::service charon start 2> /dev/null
-moon::expect-connection net-net
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection net-net
 sun::expect-connection net-net
 moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/sql/net2net-route-pem/posttest.dat b/testing/tests/sql/net2net-route-pem/posttest.dat
index 59badb867..8b792b878 100644
--- a/testing/tests/sql/net2net-route-pem/posttest.dat
+++ b/testing/tests/sql/net2net-route-pem/posttest.dat
@@ -1,4 +1,4 @@
-moon::service charon stop 2> /dev/null
-sun::service charon stop 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/sql/net2net-route-pem/pretest.dat b/testing/tests/sql/net2net-route-pem/pretest.dat
index 576bd6738..614109c91 100644
--- a/testing/tests/sql/net2net-route-pem/pretest.dat
+++ b/testing/tests/sql/net2net-route-pem/pretest.dat
@@ -2,10 +2,12 @@ moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips
 sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+sun::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::service charon start 2> /dev/null
-sun::service charon start 2> /dev/null
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
 moon::expect-connection net-net
 alice::ping -c 1 -W 1 10.2.0.10
 bob::ping -c 1 -W 1 10.1.0.20
diff --git a/testing/tests/sql/net2net-start-pem/posttest.dat b/testing/tests/sql/net2net-start-pem/posttest.dat
index 59badb867..8b792b878 100644
--- a/testing/tests/sql/net2net-start-pem/posttest.dat
+++ b/testing/tests/sql/net2net-start-pem/posttest.dat
@@ -1,4 +1,4 @@
-moon::service charon stop 2> /dev/null
-sun::service charon stop 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/sql/net2net-start-pem/pretest.dat b/testing/tests/sql/net2net-start-pem/pretest.dat
index 8fc6d1a1c..f5eef5528 100644
--- a/testing/tests/sql/net2net-start-pem/pretest.dat
+++ b/testing/tests/sql/net2net-start-pem/pretest.dat
@@ -2,10 +2,12 @@ moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +sun::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -sun::service charon start 2> /dev/null +sun::systemctl start strongswan-swanctl sun::expect-connection net-net -moon::service charon start 2> /dev/null -moon::sleep 4 +moon::systemctl start strongswan-swanctl +moon::sleep 4 diff --git a/testing/tests/sql/rw-cert/posttest.dat b/testing/tests/sql/rw-cert/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/sql/rw-cert/posttest.dat +++ b/testing/tests/sql/rw-cert/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-cert/pretest.dat b/testing/tests/sql/rw-cert/pretest.dat index 4d89bed3e..01a7fdff3 100644 --- a/testing/tests/sql/rw-cert/pretest.dat +++ b/testing/tests/sql/rw-cert/pretest.dat 
@@ -4,12 +4,15 @@ dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips
 moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::service charon start 2> /dev/null
-carol::service charon start 2> /dev/null
-dave::service charon start 2> /dev/null
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 carol::expect-connection home
 carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
index 2fc2bbb75..2b00bea8e 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
@@ -1,5 +1,5 @@
 carol::swanctl --terminate --ike home
-carol::service charon stop 2> /dev/null
-moon::service charon stop 2> /dev/null
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
index d964629a2..3b1742150 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
@@ -2,10 +2,12 @@ moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips
 carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-moon::service charon start 2> /dev/null
-carol::service charon start 2> /dev/null
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
 moon::expect-connection rw-eap-aka
 carol::expect-connection home
 carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/sql/rw-psk-ipv4/posttest.dat b/testing/tests/sql/rw-psk-ipv4/posttest.dat
index d7107ccc6..b909ac76c 100644
--- a/testing/tests/sql/rw-psk-ipv4/posttest.dat
+++ b/testing/tests/sql/rw-psk-ipv4/posttest.dat
@@ -1,8 +1,8 @@
 carol::swanctl --terminate --ike home
 dave::swanctl --terminate --ike home
-carol::service charon stop 2> /dev/null
-dave::service charon stop 2> /dev/null
-moon::service charon stop 2> /dev/null
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/sql/rw-psk-ipv4/pretest.dat b/testing/tests/sql/rw-psk-ipv4/pretest.dat
index 4d89bed3e..01a7fdff3 100644
--- a/testing/tests/sql/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/sql/rw-psk-ipv4/pretest.dat
@@ -4,12 +4,15 @@ dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips
 moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::service charon start 2> /dev/null
-carol::service charon start 2> /dev/null
-dave::service charon start 2> /dev/null
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 carol::expect-connection home
 carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/sql/rw-psk-ipv6/posttest.dat b/testing/tests/sql/rw-psk-ipv6/posttest.dat
index 3f82576b6..8248b2d4d 100644
--- a/testing/tests/sql/rw-psk-ipv6/posttest.dat
+++ b/testing/tests/sql/rw-psk-ipv6/posttest.dat
@@ -1,8 +1,8 @@
 carol::swanctl --terminate --ike home
 dave::swanctl --terminate --ike home
-carol::service charon stop 2> /dev/null
-dave::service charon stop 2> /dev/null
-moon::service charon stop 2> /dev/null
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/sql/rw-psk-ipv6/pretest.dat b/testing/tests/sql/rw-psk-ipv6/pretest.dat
index 60a1055a2..0659eabbc 100644
--- a/testing/tests/sql/rw-psk-ipv6/pretest.dat
+++ b/testing/tests/sql/rw-psk-ipv6/pretest.dat
@@ -4,6 +4,9 @@ dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules @@ -13,9 +16,9 @@ dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec0:\:/16 via fec1:\:1" carol::"ip route add fec1:\:/16 via fec0:\:1" dave::"ip route add fec1:\:/16 via fec0:\:1" -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/rw-psk-rsa-split/posttest.dat b/testing/tests/sql/rw-psk-rsa-split/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/sql/rw-psk-rsa-split/posttest.dat +++ b/testing/tests/sql/rw-psk-rsa-split/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-psk-rsa-split/pretest.dat b/testing/tests/sql/rw-psk-rsa-split/pretest.dat index 4d89bed3e..01a7fdff3 100644 
--- a/testing/tests/sql/rw-psk-rsa-split/pretest.dat +++ b/testing/tests/sql/rw-psk-rsa-split/pretest.dat @@ -4,12 +4,15 @@ dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/rw-rsa-keyid/posttest.dat b/testing/tests/sql/rw-rsa-keyid/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/sql/rw-rsa-keyid/posttest.dat +++ b/testing/tests/sql/rw-rsa-keyid/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-rsa-keyid/pretest.dat b/testing/tests/sql/rw-rsa-keyid/pretest.dat index 4d89bed3e..01a7fdff3 100644 --- a/testing/tests/sql/rw-rsa-keyid/pretest.dat +++ b/testing/tests/sql/rw-rsa-keyid/pretest.dat 
@@ -4,12 +4,15 @@ dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/rw-rsa/posttest.dat b/testing/tests/sql/rw-rsa/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/sql/rw-rsa/posttest.dat +++ b/testing/tests/sql/rw-rsa/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-rsa/pretest.dat b/testing/tests/sql/rw-rsa/pretest.dat index 4d89bed3e..01a7fdff3 100644 --- a/testing/tests/sql/rw-rsa/pretest.dat +++ b/testing/tests/sql/rw-rsa/pretest.dat 
@@ -4,12 +4,15 @@ dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/shunt-policies-nat-rw/posttest.dat b/testing/tests/sql/shunt-policies-nat-rw/posttest.dat index b02b19357..f66c5c57c 100644 --- a/testing/tests/sql/shunt-policies-nat-rw/posttest.dat +++ b/testing/tests/sql/shunt-policies-nat-rw/posttest.dat @@ -1,5 +1,5 @@ -alice::service charon stop 2> /dev/null -venus::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +alice::systemctl stop strongswan-swanctl +venus::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl sun::iptables-restore < /etc/iptables.flush moon::iptables -t nat -F diff --git a/testing/tests/sql/shunt-policies-nat-rw/pretest.dat b/testing/tests/sql/shunt-policies-nat-rw/pretest.dat index 8d61e4c87..d95028998 100644 --- a/testing/tests/sql/shunt-policies-nat-rw/pretest.dat +++ b/testing/tests/sql/shunt-policies-nat-rw/pretest.dat 
@@ -4,12 +4,15 @@ sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipse alice::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db venus::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +alice::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +venus::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +sun::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* sun::iptables-restore < /etc/iptables.rules moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 -sun::service charon start 2> /dev/null -alice::service charon start 2> /dev/null -venus::service charon start 2> /dev/null +sun::systemctl start strongswan-swanctl +alice::systemctl start strongswan-swanctl +venus::systemctl start strongswan-swanctl sun::expect-connection nat-t alice::expect-connection nat-t alice::swanctl --initiate --child nat-t 2> /dev/null diff --git a/testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf index 1f367c2a0..ad4c18e43 100755 --- a/testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } 
diff --git a/testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf index 1f367c2a0..ad4c18e43 100755 --- a/testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf index ff6e7193e..ad4c18e43 100755 --- a/testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf @@ -1,15 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - pools = /usr/local/sbin/swanctl --load-pools - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/config-payload/posttest.dat b/testing/tests/swanctl/config-payload/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/config-payload/posttest.dat +++ b/testing/tests/swanctl/config-payload/posttest.dat 
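Review bot: In moon's config-payload strongswan.conf the whole `start-scripts` block is removed, including `pools = /usr/local/sbin/swanctl --load-pools`, and nothing in the new `charon-systemd` section says what now loads credentials, pools and connections. Presumably the strongswan-swanctl unit started in pretest.dat runs `swanctl --load-all` once the daemon is up, but that unit is not part of this excerpt. It should be confirmed that it covers pools, and also authorities, since the frags-ipv6 configs lose `auth = /usr/local/sbin/swanctl --load-authorities` in the same way. A short comment such as `# creds, pools and conns are loaded by the strongswan-swanctl systemd unit` would keep the file self-explanatory. The same applies to moon's ip-pool config and to the carol/dave variants.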
@@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/config-payload/pretest.dat b/testing/tests/swanctl/config-payload/pretest.dat index 9c281d032..706c08b5f 100755 --- a/testing/tests/swanctl/config-payload/pretest.dat +++ b/testing/tests/swanctl/config-payload/pretest.dat @@ -2,9 +2,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules moon::cat /etc/swanctl/swanctl_base.conf -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-carol carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf index 61ff4005b..48e34abba 100644 --- a/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf 
@@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - cache_crls = yes } diff --git a/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf index 61ff4005b..48e34abba 100644 --- a/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - cache_crls = yes } diff --git a/testing/tests/swanctl/crl-to-cache/posttest.dat b/testing/tests/swanctl/crl-to-cache/posttest.dat index 210685a90..58dfa27b8 100644 --- a/testing/tests/swanctl/crl-to-cache/posttest.dat +++ b/testing/tests/swanctl/crl-to-cache/posttest.dat @@ -1,4 +1,4 @@ -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::rm /etc/swanctl/x509crl/* carol::rm /etc/swanctl/x509crl/* diff --git a/testing/tests/swanctl/crl-to-cache/pretest.dat b/testing/tests/swanctl/crl-to-cache/pretest.dat index 8f72f9cc7..b9e2a8eee 100644 
--- a/testing/tests/swanctl/crl-to-cache/pretest.dat +++ b/testing/tests/swanctl/crl-to-cache/pretest.dat @@ -1,5 +1,5 @@ -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf index dda67e0fc..9932df379 100755 --- a/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf index dda67e0fc..9932df379 100755 --- a/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf 
@@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf index 1f1e0a652..c00d3dc4b 100755 --- a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf @@ -4,14 +4,9 @@ swanctl { load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown attr farp dhcp - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - plugins { dhcp { server = 10.1.255.255 diff --git a/testing/tests/swanctl/dhcp-dynamic/posttest.dat b/testing/tests/swanctl/dhcp-dynamic/posttest.dat index 87e731511..37e8b02d8 100644 --- a/testing/tests/swanctl/dhcp-dynamic/posttest.dat +++ b/testing/tests/swanctl/dhcp-dynamic/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl venus::cat /var/state/dhcp/dhcpd.leases venus::server isc-dhcp-server stop 2> /dev/null moon::iptables-restore < /etc/iptables.flush 
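Review bot: The context line `venus::server isc-dhcp-server stop 2> /dev/null` in dhcp-dynamic/posttest.dat looks like a typo for `service`, since pretest.dat starts the daemon with `venus::service isc-dhcp-server start 2> /dev/null`. Because stderr is discarded the failure is silent, so the DHCP server is presumably left running on venus after the test. As this commit already rewrites the neighbouring stop lines, the line could be fixed here: `venus::service isc-dhcp-server stop 2> /dev/null`.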
diff --git a/testing/tests/swanctl/dhcp-dynamic/pretest.dat b/testing/tests/swanctl/dhcp-dynamic/pretest.dat index fd3d1bf5b..ace13851a 100644 --- a/testing/tests/swanctl/dhcp-dynamic/pretest.dat +++ b/testing/tests/swanctl/dhcp-dynamic/pretest.dat @@ -3,9 +3,9 @@ carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules venus::cat /etc/dhcp/dhcpd.conf venus::service isc-dhcp-server start 2> /dev/null -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/frags-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/frags-ipv4/hosts/carol/etc/strongswan.conf index 2a7eaaa15..6081084f7 100755 --- a/testing/tests/swanctl/frags-ipv4/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/frags-ipv4/hosts/carol/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici fragment_size = 1400 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/frags-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/frags-ipv4/hosts/dave/etc/strongswan.conf index 2a7eaaa15..6081084f7 100755 --- a/testing/tests/swanctl/frags-ipv4/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/frags-ipv4/hosts/dave/etc/strongswan.conf 
@@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici fragment_size = 1400 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/frags-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/frags-ipv4/hosts/moon/etc/strongswan.conf index 2a7eaaa15..6081084f7 100755 --- a/testing/tests/swanctl/frags-ipv4/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/frags-ipv4/hosts/moon/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici fragment_size = 1400 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/frags-ipv4/posttest.dat b/testing/tests/swanctl/frags-ipv4/posttest.dat index 17e36599c..2b4cc0c1a 100755 --- a/testing/tests/swanctl/frags-ipv4/posttest.dat +++ b/testing/tests/swanctl/frags-ipv4/posttest.dat 
@@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home 2> /dev/null dave::swanctl --terminate --ike home 2> /dev/null -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/frags-ipv4/pretest.dat b/testing/tests/swanctl/frags-ipv4/pretest.dat index 762c35418..dd1a17ccb 100755 --- a/testing/tests/swanctl/frags-ipv4/pretest.dat +++ b/testing/tests/swanctl/frags-ipv4/pretest.dat @@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/frags-ipv6/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/frags-ipv6/hosts/carol/etc/strongswan.conf index f9c0ace55..6081084f7 100755 --- a/testing/tests/swanctl/frags-ipv6/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/frags-ipv6/hosts/carol/etc/strongswan.conf 
@@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici fragment_size = 1400 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - auth = /usr/local/sbin/swanctl --load-authorities - } } diff --git a/testing/tests/swanctl/frags-ipv6/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/frags-ipv6/hosts/dave/etc/strongswan.conf index f9c0ace55..6081084f7 100755 --- a/testing/tests/swanctl/frags-ipv6/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/frags-ipv6/hosts/dave/etc/strongswan.conf @@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici fragment_size = 1400 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - auth = /usr/local/sbin/swanctl --load-authorities - } } diff --git a/testing/tests/swanctl/frags-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/frags-ipv6/hosts/moon/etc/strongswan.conf index f9c0ace55..6081084f7 100755 --- a/testing/tests/swanctl/frags-ipv6/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/frags-ipv6/hosts/moon/etc/strongswan.conf 
@@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici fragment_size = 1400 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - auth = /usr/local/sbin/swanctl --load-authorities - } } diff --git a/testing/tests/swanctl/frags-ipv6/posttest.dat b/testing/tests/swanctl/frags-ipv6/posttest.dat index 39b16a9be..07434159c 100755 --- a/testing/tests/swanctl/frags-ipv6/posttest.dat +++ b/testing/tests/swanctl/frags-ipv6/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home 2> /dev/null dave::swanctl --terminate --ike home 2> /dev/null -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/frags-ipv6/pretest.dat b/testing/tests/swanctl/frags-ipv6/pretest.dat index 9593ac9f8..131ec9937 100755 --- a/testing/tests/swanctl/frags-ipv6/pretest.dat +++ b/testing/tests/swanctl/frags-ipv6/pretest.dat 
@@ -7,9 +7,9 @@ dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec0:\:/16 via fec1:\:1" carol::"ip route add fec1:\:/16 via fec0:\:1" dave::"ip route add fec1:\:/16 via fec0:\:1" -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf index 11b1576e4..886b31f9b 100755 --- a/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici } diff --git a/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf index be90bde25..886b31f9b 100755 --- a/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf 
@@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf index 885d986c3..31cf56d24 100755 --- a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown sqlite attr-sql vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown sqlite attr-sql vici plugins { attr-sql { @@ -21,4 +16,5 @@ charon { pool { load = sqlite + database = sqlite:///etc/db.d/ipsec.db } diff --git a/testing/tests/swanctl/ip-pool-db/posttest.dat b/testing/tests/swanctl/ip-pool-db/posttest.dat index 2644b3941..9767f38a5 100755 --- a/testing/tests/swanctl/ip-pool-db/posttest.dat +++ b/testing/tests/swanctl/ip-pool-db/posttest.dat 
@@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/ip-pool-db/pretest.dat b/testing/tests/swanctl/ip-pool-db/pretest.dat index 955a3c9be..9573581df 100755 --- a/testing/tests/swanctl/ip-pool-db/pretest.dat +++ b/testing/tests/swanctl/ip-pool-db/pretest.dat @@ -7,9 +7,9 @@ moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf index 9d7fa51d4..ad4c18e43 100755 --- a/testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf 
@@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf index 9d7fa51d4..ad4c18e43 100755 --- a/testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf index 67e5a616a..ad4c18e43 100755 --- a/testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf 
@@ -1,15 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - pools = /usr/local/sbin/swanctl --load-pools - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/ip-pool/posttest.dat b/testing/tests/swanctl/ip-pool/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/ip-pool/posttest.dat +++ b/testing/tests/swanctl/ip-pool/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/ip-pool/pretest.dat b/testing/tests/swanctl/ip-pool/pretest.dat index 762c35418..dd1a17ccb 100755 --- a/testing/tests/swanctl/ip-pool/pretest.dat +++ b/testing/tests/swanctl/ip-pool/pretest.dat 
@@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/manual-prio/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/manual-prio/hosts/carol/etc/strongswan.conf index 9d7fa51d4..ad4c18e43 100755 --- a/testing/tests/swanctl/manual-prio/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/manual-prio/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/manual-prio/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/manual-prio/hosts/dave/etc/strongswan.conf index 9d7fa51d4..ad4c18e43 100755 --- a/testing/tests/swanctl/manual-prio/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/manual-prio/hosts/dave/etc/strongswan.conf 
@@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/manual-prio/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/manual-prio/hosts/moon/etc/strongswan.conf index 9d7fa51d4..ad4c18e43 100755 --- a/testing/tests/swanctl/manual-prio/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/manual-prio/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/manual-prio/posttest.dat b/testing/tests/swanctl/manual-prio/posttest.dat index fd9726374..c9dcaa167 100755 --- a/testing/tests/swanctl/manual-prio/posttest.dat +++ b/testing/tests/swanctl/manual-prio/posttest.dat 
@@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 carol::ip route del 10.1.0.0/16 via 192.168.0.1 dave::ip route del 10.1.0.0/16 via 192.168.0.1 diff --git a/testing/tests/swanctl/manual-prio/pretest.dat b/testing/tests/swanctl/manual-prio/pretest.dat index 8613a0189..ba345ffea 100755 --- a/testing/tests/swanctl/manual-prio/pretest.dat +++ b/testing/tests/swanctl/manual-prio/pretest.dat @@ -1,9 +1,9 @@ winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 carol::ip route add 10.1.0.0/16 via 192.168.0.1 dave::ip route add 10.1.0.0/16 via 192.168.0.1 -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf index 7e2ee002e..54b79b35d 100644 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf 
@@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf index 7e2ee002e..54b79b35d 100644 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf index 40b0c5962..b18ba6809 100644 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf @@ -1,13 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-radius eap-identity updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - plugins { eap-radius { secret = gv6URkSs 
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat index 25354d363..010a4f9c4 100644 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat @@ -1,4 +1,4 @@ -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl alice::killall radiusd diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat index a6909c89f..57d39a5e6 100644 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat @@ -5,9 +5,9 @@ alice::cat /etc/freeradius/triplets.dat carol::cat /etc/ipsec.d/triplets.dat dave::cat /etc/ipsec.d/triplets.dat alice::radiusd -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/strongswan.conf index 7c5aca6bf..f3b571a1b 100644 --- a/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/strongswan.conf 
@@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/strongswan.conf index 7c5aca6bf..f3b571a1b 100644 --- a/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/strongswan.conf index 6d368f08b..f3b571a1b 100644 --- a/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/strongswan.conf 
@@ -1,15 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - auths = /usr/local/sbin/swanctl --load-authorities - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/multi-level-ca/posttest.dat b/testing/tests/swanctl/multi-level-ca/posttest.dat index acac04a3b..53013d08d 100644 --- a/testing/tests/swanctl/multi-level-ca/posttest.dat +++ b/testing/tests/swanctl/multi-level-ca/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home 2> /dev/null dave::swanctl --terminate --ike home 2> /dev/null -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null -carol::rm -r /etc/swanctl -dave::rm -r /etc/swanctl -moon::rm -r /etc/swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* diff --git a/testing/tests/swanctl/multi-level-ca/pretest.dat b/testing/tests/swanctl/multi-level-ca/pretest.dat index 4c1be2e14..e7f2ef179 100644 --- a/testing/tests/swanctl/multi-level-ca/pretest.dat +++ b/testing/tests/swanctl/multi-level-ca/pretest.dat 
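Review bot: In the multi-level-ca `posttest.dat` hunk, the new cleanup lines chain `cd` and `rm -r` with `;`, so the recursive delete still runs if `cd /etc/swanctl` fails, and the relative globs `rsa/* x509/* x509ca/*` are then expanded in whatever directory the command started in. Make the delete conditional on the directory change, e.g. `carol::cd /etc/swanctl && rm -r rsa/* x509/* x509ca/*`, or drop the `cd` and use absolute paths such as `rm -r /etc/swanctl/rsa/* /etc/swanctl/x509/* /etc/swanctl/x509ca/*`. The same applies to the `dave::` and `moon::` lines in this hunk. This assumes the test harness passes the text after `host::` to a shell, which the existing `;` already implies.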
@@ -1,6 +1,6 @@ -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection research carol::expect-connection alice carol::swanctl --initiate --child alice 2> /dev/null diff --git a/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf index 9d7fa51d4..ad4c18e43 100755 --- a/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf index 9d7fa51d4..ad4c18e43 100755 --- a/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf 
@@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-cert/posttest.dat b/testing/tests/swanctl/net2net-cert/posttest.dat index 30d10b555..755f0e5f8 100755 --- a/testing/tests/swanctl/net2net-cert/posttest.dat +++ b/testing/tests/swanctl/net2net-cert/posttest.dat @@ -1,5 +1,5 @@ moon::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/net2net-cert/pretest.dat b/testing/tests/swanctl/net2net-cert/pretest.dat index b128bef44..9440ddab0 100755 --- a/testing/tests/swanctl/net2net-cert/pretest.dat +++ b/testing/tests/swanctl/net2net-cert/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -sun::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection gw-gw sun::expect-connection gw-gw moon::swanctl --initiate --child net-net 2> /dev/null 
diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/strongswan.conf index d766a705c..a35aea01c 100755 --- a/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/strongswan.conf @@ -1,22 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random + load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } - daemon { - default = 1 - } - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/strongswan.conf index d766a705c..a35aea01c 100755 --- a/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/strongswan.conf 
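Review bot: The net2net-ed25519 moon config loses its `syslog { auth { default = 0 } daemon { default = 1 } }` block when the section is renamed to `charon-systemd`, and no logging section is added in its place, so the host presumably falls back to the daemon's default log levels. The same block is removed from the sun config in the next file. If the explicit levels were intentional for this scenario, an equivalent logger subsection under `charon-systemd` is needed (its `journal` section, as far as I know); if the defaults are now wanted, a line in the commit description saying so would make the removal clearly deliberate.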
@@ -1,22 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random + load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } - daemon { - default = 1 - } - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-ed25519/posttest.dat b/testing/tests/swanctl/net2net-ed25519/posttest.dat index 8d47767a0..30f6ede76 100755 --- a/testing/tests/swanctl/net2net-ed25519/posttest.dat +++ b/testing/tests/swanctl/net2net-ed25519/posttest.dat @@ -1,6 +1,6 @@ moon::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::rm /etc/swanctl/pkcs8/* diff --git a/testing/tests/swanctl/net2net-ed25519/pretest.dat b/testing/tests/swanctl/net2net-ed25519/pretest.dat index f939b3ac4..410253e54 100755 --- a/testing/tests/swanctl/net2net-ed25519/pretest.dat +++ b/testing/tests/swanctl/net2net-ed25519/pretest.dat 
@@ -2,8 +2,8 @@ moon::rm /etc/swanctl/rsa/moonKey.pem sun::rm /etc/swanctl/rsa/sunKey.pem moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -sun::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection gw-gw sun::expect-connection gw-gw moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/swanctl/net2net-gw/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/net2net-gw/hosts/carol/etc/strongswan.conf index 4f54f610a..ad4c18e43 100755 --- a/testing/tests/swanctl/net2net-gw/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-gw/hosts/carol/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/net2net-gw/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-gw/hosts/moon/etc/strongswan.conf index 4f54f610a..ad4c18e43 100755 --- a/testing/tests/swanctl/net2net-gw/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-gw/hosts/moon/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } 
diff --git a/testing/tests/swanctl/net2net-gw/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-gw/hosts/sun/etc/strongswan.conf index 4f54f610a..ad4c18e43 100755 --- a/testing/tests/swanctl/net2net-gw/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-gw/hosts/sun/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/net2net-gw/posttest.dat b/testing/tests/swanctl/net2net-gw/posttest.dat index 94914f832..b29cf321e 100755 --- a/testing/tests/swanctl/net2net-gw/posttest.dat +++ b/testing/tests/swanctl/net2net-gw/posttest.dat @@ -1,8 +1,8 @@ moon::swanctl --terminate --ike gw-gw 2> /dev/null sun::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null -carol::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/net2net-gw/pretest.dat b/testing/tests/swanctl/net2net-gw/pretest.dat index e3136491c..acfd0e95e 100755 --- a/testing/tests/swanctl/net2net-gw/pretest.dat +++ b/testing/tests/swanctl/net2net-gw/pretest.dat 
@@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -sun::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl carol::expect-connection gw-moon carol::expect-connection gw-sun moon::expect-connection gw-gw diff --git a/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf index 2ff6ac024..812c12bf9 100644 --- a/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf @@ -4,15 +4,11 @@ swanctl { load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - multiple_authentication = no + plugins { forecast { groups = 224.0.0.251 diff --git a/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf index b119e8274..1c5da7b88 100644 --- a/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf 
@@ -1,14 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - multiple_authentication = no + plugins { forecast { groups = 224.0.0.251 diff --git a/testing/tests/swanctl/net2net-multicast/posttest.dat b/testing/tests/swanctl/net2net-multicast/posttest.dat index ba484f90d..dc6949dbb 100644 --- a/testing/tests/swanctl/net2net-multicast/posttest.dat +++ b/testing/tests/swanctl/net2net-multicast/posttest.dat @@ -1,3 +1,3 @@ moon::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl diff --git a/testing/tests/swanctl/net2net-multicast/pretest.dat b/testing/tests/swanctl/net2net-multicast/pretest.dat index 5b8d98879..c5b1bdbfd 100644 --- a/testing/tests/swanctl/net2net-multicast/pretest.dat +++ b/testing/tests/swanctl/net2net-multicast/pretest.dat @@ -1,7 +1,7 @@ moon::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships sun::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships -moon::service charon start 2> /dev/null -sun::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection gw-gw sun::expect-connection gw-gw moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf index 531e286ce..29e75f7b8 100644 --- a/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf 
@@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default vici updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf index 531e286ce..29e75f7b8 100644 --- a/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default vici updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/net2net-pubkey/posttest.dat b/testing/tests/swanctl/net2net-pubkey/posttest.dat index c2227a5dd..a8696960d 100644 --- a/testing/tests/swanctl/net2net-pubkey/posttest.dat +++ b/testing/tests/swanctl/net2net-pubkey/posttest.dat @@ -1,6 +1,6 @@ moon::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::rm /etc/swanctl/pubkey/* diff --git a/testing/tests/swanctl/net2net-pubkey/pretest.dat b/testing/tests/swanctl/net2net-pubkey/pretest.dat index b4f48af72..021675bc5 100644 --- a/testing/tests/swanctl/net2net-pubkey/pretest.dat +++ b/testing/tests/swanctl/net2net-pubkey/pretest.dat 
@@ -2,8 +2,8 @@ sun::iptables-restore < /etc/iptables.rules moon::iptables-restore < /etc/iptables.rules sun::cd /etc/swanctl; rm x509/* x509ca/* moon::cd /etc/swanctl; rm x509/* x509ca/* -sun::service charon start 2> /dev/null -moon::service charon start 2> /dev/null +sun::systemctl start strongswan-swanctl +moon::systemctl start strongswan-swanctl sun::expect-connection gw-gw moon::expect-connection gw-gw moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf index 9d7fa51d4..ad4c18e43 100755 --- a/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf index 4ca179a5f..61d2bd9e4 100755 --- a/testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf 
@@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-route/posttest.dat b/testing/tests/swanctl/net2net-route/posttest.dat index 30d10b555..755f0e5f8 100755 --- a/testing/tests/swanctl/net2net-route/posttest.dat +++ b/testing/tests/swanctl/net2net-route/posttest.dat @@ -1,5 +1,5 @@ moon::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/net2net-route/pretest.dat b/testing/tests/swanctl/net2net-route/pretest.dat index 459879bbc..fa303b64e 100755 --- a/testing/tests/swanctl/net2net-route/pretest.dat +++ b/testing/tests/swanctl/net2net-route/pretest.dat @@ -1,7 +1,7 @@ sun::iptables-restore < /etc/iptables.rules moon::iptables-restore < /etc/iptables.rules -sun::service charon start 2> /dev/null -moon::service charon start 2> /dev/null +sun::systemctl start strongswan-swanctl +moon::systemctl start strongswan-swanctl sun::expect-connection gw-gw moon::expect-connection gw-gw alice::ping -c 3 -W 1 -i 0.2 PH_IP_BOB 
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf index f102eeeae..73bb5f6b3 100755 --- a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf index f102eeeae..73bb5f6b3 100755 --- a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf 
@@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/posttest.dat b/testing/tests/swanctl/net2net-sha3-rsa-cert/posttest.dat index 30d10b555..755f0e5f8 100755 --- a/testing/tests/swanctl/net2net-sha3-rsa-cert/posttest.dat +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/posttest.dat @@ -1,5 +1,5 @@ moon::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/pretest.dat b/testing/tests/swanctl/net2net-sha3-rsa-cert/pretest.dat index b128bef44..9440ddab0 100755 --- a/testing/tests/swanctl/net2net-sha3-rsa-cert/pretest.dat +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -sun::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection gw-gw sun::expect-connection gw-gw moon::swanctl --initiate --child net-net 2> /dev/null 
diff --git a/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf index 1f367c2a0..ad4c18e43 100755 --- a/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf index 1f367c2a0..ad4c18e43 100755 --- a/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/net2net-start/posttest.dat b/testing/tests/swanctl/net2net-start/posttest.dat index 30d10b555..755f0e5f8 100755 --- a/testing/tests/swanctl/net2net-start/posttest.dat +++ b/testing/tests/swanctl/net2net-start/posttest.dat 
@@ -1,5 +1,5 @@ moon::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/net2net-start/pretest.dat b/testing/tests/swanctl/net2net-start/pretest.dat index 6c1783b74..681293753 100755 --- a/testing/tests/swanctl/net2net-start/pretest.dat +++ b/testing/tests/swanctl/net2net-start/pretest.dat @@ -1,5 +1,5 @@ sun::iptables-restore < /etc/iptables.rules moon::iptables-restore < /etc/iptables.rules -sun::service charon start 2> /dev/null -moon::service charon start 2> /dev/null +sun::systemctl start strongswan-swanctl +moon::systemctl start strongswan-swanctl moon::sleep 0.5 diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/strongswan.conf index e3eb4e36d..79b138bd5 100644 --- a/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - auths = /usr/local/sbin/swanctl --load-authorities - } plugins { revocation { enable_ocsp = no } - } + } } diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/strongswan.conf index 3912f5e07..2e78d2279 100644 --- a/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/strongswan.conf 
@@ -1,12 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } plugins { revocation { enable_ocsp = no diff --git a/testing/tests/swanctl/ocsp-disabled/posttest.dat b/testing/tests/swanctl/ocsp-disabled/posttest.dat index 672f4188c..f13bb51b0 100644 --- a/testing/tests/swanctl/ocsp-disabled/posttest.dat +++ b/testing/tests/swanctl/ocsp-disabled/posttest.dat @@ -1,3 +1,3 @@ carol::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl diff --git a/testing/tests/swanctl/ocsp-disabled/pretest.dat b/testing/tests/swanctl/ocsp-disabled/pretest.dat index e6d60458d..864909e24 100644 --- a/testing/tests/swanctl/ocsp-disabled/pretest.dat +++ b/testing/tests/swanctl/ocsp-disabled/pretest.dat @@ -1,5 +1,5 @@ -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/strongswan.conf index acf2151a9..f3b571a1b 100644 --- a/testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/strongswan.conf 
@@ -1,15 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - auths = /usr/local/sbin/swanctl --load-authorities - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/strongswan.conf index 6d368f08b..f3b571a1b 100644 --- a/testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/strongswan.conf @@ -1,15 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - auths = /usr/local/sbin/swanctl --load-authorities - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/strongswan.conf index 6d368f08b..f3b571a1b 100644 --- a/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/strongswan.conf 
@@ -1,15 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - auths = /usr/local/sbin/swanctl --load-authorities - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/ocsp-multi-level/posttest.dat b/testing/tests/swanctl/ocsp-multi-level/posttest.dat index acac04a3b..53013d08d 100644 --- a/testing/tests/swanctl/ocsp-multi-level/posttest.dat +++ b/testing/tests/swanctl/ocsp-multi-level/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home 2> /dev/null dave::swanctl --terminate --ike home 2> /dev/null -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null -carol::rm -r /etc/swanctl -dave::rm -r /etc/swanctl -moon::rm -r /etc/swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* diff --git a/testing/tests/swanctl/ocsp-multi-level/pretest.dat b/testing/tests/swanctl/ocsp-multi-level/pretest.dat index 7b83e219d..505f17572 100644 --- a/testing/tests/swanctl/ocsp-multi-level/pretest.dat +++ b/testing/tests/swanctl/ocsp-multi-level/pretest.dat 
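Review bot: The new cleanup lines in ocsp-multi-level/posttest.dat join `cd /etc/swanctl` and `rm -r rsa/* x509/* x509ca/*` with `;`, so the recursive delete still runs in whatever the current directory is if the `cd` fails. Chaining with `&&` keeps the deletion scoped to the intended directory: `carol::cd /etc/swanctl && rm -r rsa/* x509/* x509ca/*`, with the same change on the dave and moon lines. This assumes the harness hands the text after `::` to a shell on the guest, which the hunk does not show.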
@@ -1,6 +1,6 @@ -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection research carol::expect-connection home carol::swanctl --initiate --child alice 2> /dev/null diff --git a/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/strongswan.conf index 9ea516013..c7b494ddc 100644 --- a/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/strongswan.conf @@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - auths = /usr/local/sbin/swanctl --load-authorities - } } diff --git a/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/strongswan.conf index 9ba617c0a..d9c31430b 100644 --- a/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/ocsp-signer-cert/posttest.dat b/testing/tests/swanctl/ocsp-signer-cert/posttest.dat index 672f4188c..f13bb51b0 100644 
--- a/testing/tests/swanctl/ocsp-signer-cert/posttest.dat +++ b/testing/tests/swanctl/ocsp-signer-cert/posttest.dat @@ -1,3 +1,3 @@ carol::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl diff --git a/testing/tests/swanctl/ocsp-signer-cert/pretest.dat b/testing/tests/swanctl/ocsp-signer-cert/pretest.dat index e6d60458d..864909e24 100644 --- a/testing/tests/swanctl/ocsp-signer-cert/pretest.dat +++ b/testing/tests/swanctl/ocsp-signer-cert/pretest.dat @@ -1,5 +1,5 @@ -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home diff --git a/testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf index 383a24213..91e32f7ba 100644 --- a/testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf index 383a24213..91e32f7ba 100644 --- a/testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf 
@@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/protoport-dual/posttest.dat b/testing/tests/swanctl/protoport-dual/posttest.dat index 2fc2bbb75..2b00bea8e 100644 --- a/testing/tests/swanctl/protoport-dual/posttest.dat +++ b/testing/tests/swanctl/protoport-dual/posttest.dat @@ -1,5 +1,5 @@ carol::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/protoport-dual/pretest.dat b/testing/tests/swanctl/protoport-dual/pretest.dat index 87ee29bf6..2bdc109ab 100644 --- a/testing/tests/swanctl/protoport-dual/pretest.dat +++ b/testing/tests/swanctl/protoport-dual/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection icmp moon::expect-connection ssh carol::expect-connection icmp diff --git a/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf index 383a24213..91e32f7ba 100644 --- a/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf 
@@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf index 383a24213..91e32f7ba 100644 --- a/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/protoport-range/posttest.dat b/testing/tests/swanctl/protoport-range/posttest.dat index 2fc2bbb75..2b00bea8e 100644 --- a/testing/tests/swanctl/protoport-range/posttest.dat +++ b/testing/tests/swanctl/protoport-range/posttest.dat @@ -1,5 +1,5 @@ carol::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/protoport-range/pretest.dat b/testing/tests/swanctl/protoport-range/pretest.dat index b45d4b3c6..7f38b7662 100644 --- a/testing/tests/swanctl/protoport-range/pretest.dat +++ b/testing/tests/swanctl/protoport-range/pretest.dat 
@@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection icmp-req moon::expect-connection icmp-rep moon::expect-connection ftp-ssh diff --git a/testing/tests/swanctl/rw-cert-pss/description.txt b/testing/tests/swanctl/rw-cert-pss/description.txt new file mode 100755 index 000000000..41c02b519 --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/description.txt @@ -0,0 +1,8 @@ +The roadwarriors carol and dave set up a connection each +to gateway moon. The authentication is based on X.509 certificates +and IKEv2 AUTH payloads based on RSA-PSS signatures. +

+Upon the successful establishment of the IPsec tunnels, the updown script +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave ping +the client alice behind the gateway moon. diff --git a/testing/tests/swanctl/rw-cert-pss/evaltest.dat b/testing/tests/swanctl/rw-cert-pss/evaltest.dat new file mode 100755 index 000000000..a62fda968 --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/evaltest.dat 
@@ -0,0 +1,14 @@ +carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256 successful::YES +moon ::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256 successful::YES +moon ::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA_EMSA_PSS_SHA2_512 successful::YES +moon ::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with RSA_EMSA_PSS_SHA2_384 successful::YES +alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES +alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave :: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon :: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 
state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon :: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/strongswan.conf new file mode 100755 index 000000000..3a9630fc1 --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/strongswan.conf @@ -0,0 +1,18 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce sha1 sha2 mgf1 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici + + syslog { + daemon { + default = 1 + } + auth { + default = 0 + } + } +} diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/rsa/carolKey.pem new file mode 100644 index 000000000..1454ec54c --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/rsa/carolKey.pem 
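Review bot: rw-cert-pss/evaltest.dat checks in carol's log that moon was authenticated with RSA_EMSA_PSS_SHA2_256, but there is no matching line for dave. Dave's verification of moon's PSS signature is therefore only covered indirectly by the ESTABLISHED check. Adding `dave ::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256 successful::YES` would make the scheme assertion symmetric for both roadwarriors. The host names in these patterns also use an unescaped `.`, which matches any character; that is harmless here but loosens the match if the patterns are copied elsewhere.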
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,7E1D40A7901772BA4D22AF58AA2DC76F + +1jt4EsxtHvgpSLN8PA/kSVKgoAsBEBQb8RK6VGnZywMCnpJdLKdPisGGYKNPg53b +/0AFBmQVE60M8icbSAIUrAtyKxaBkoc9A7ibNCjobi0UzXTm3GcZZ1EC4/lE9PQZ +/2FbcPgQWN3kZraZDkeP9XBXl6PorES8xvQUxJ9pd4hL7/c28fIApGhEimkIZO8o +Qb7bR2cNCLYQAR6PeDoqhV39gvWoh77wp1WB3tQVbkS6MI/xl3wY2QVdq3Sbszh+ +f6lDU/SZS8BU0f44FRoInPp0GasgJ7MCiuEIshjuNPa50QkMcnNJsSgVEuw2hjN6 +LvAXx7vPt9pKpQfnu7YSJUsXDYN6PyXt7sZ8hDqraYIcI6eMpEBaTpItPSV2eckv +06KC24Oa66E1yufNFAY49S2OY+pJA0W5zmcCqCjdrfJ+wNQYKZpbrfGz4VRzlFJC +e3VkmAFwA5rcZdlp/mU2XREy+TaWsHMnpL0NcMHGmsfkTgaJIkRWalrdxlNTeitr +3boNHWk0ESyMcBYRpM3eNXsGpiYy93u0bhrPbnqJsV6miKqpbs1aBNjlJ9s1Y2fC +sko5/v7uMjb5tLF3lWQZfTu+bYtpGxFrqHJjhd8yd4gL1cFi30JcjczhwRY3Dily +c0BFekMGmPc1djn6tfIFu13X9xTxyidCpVaT9UGnOaQs9OF1u8XAnZDaQgPwjLiy +UlOE8xQ60LrhWLD582FsFnZz56bZ+QOQRWDMsB8nJeqnFXKfcRlnr0qlG6lTfA8h +XkK/qGpdVvivS+CpbhVP6ixdEfa91Rx4NjLj53LGqOYwFEkM/OAIuMJetBfx3v9T +iQfv594KE32nv9besnKlmJr2cGQWBYg1pUOtFj/aZ00yuXacv8qwzbrt4xGGDYGO +Aj5Yf93UEcVkTySO1xJ1yiC6GJv1lLm0i5StwykHypxFijKe/zOpgtHVa5v5igjO +v6cfhfJGGgIPTYrtt+EDKXcayvy2e2U/3HYVCHYiiMPX8AvP/R6m7MGrzYxm/WyO +t68EWXSDLfuR3qcIlpP4aSBxuSpKhY/dIkS/beKZ7Njx1s4jSuYDMbKuuCRFSU2H +8ISHS0kh3FetiS8IyIYzxab+KQZwnVtiGj4oaAhgFTIIoH26Fv5+xka74JdzOSUA +jR9puKuxaegVWQVBx4cCyg6hAdewRm64PAcbApZWrPvMPBfTZFnXeifmaurcdK8p +p/1eLrrPnNM6+Fh6lcKdX74yHPz3eWP3K1njZegzWnChhEWElPhJr6qYNQjd+lAS +7650RJ3CJLUxBffnRR9nTArxFNI5jGWg/plLJTaRT5x5qg1dGNMqntpoeiY++Ttk +GFDGVIOICBze6SOvzkZBbuXLJSWmWj5g9J2cYsLoOvlwsDT7FzKl8p6VY4V+SQb+ +4PN8qZWmOeczaLEhZ1QLmTKFpz9+wUZsXeBd1s78bWJR0zhraMPa0UJ9GBGq6uQ0 +yZ4Xm5KHKcgoewCUQMekU9ECsmR5NuC7VFDaa1OdPEVnEYR1xtaWUY0lYKOiixnd ++85fSq/yAXI/r0O4ISA55o9y1kDqVibTwJacb6xXGg8dHSH+TtigwD8fK9mekkDC +-----END RSA PRIVATE KEY----- 
diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..7aceb6913
--- /dev/null
+++ b/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = rsa/pss-sha512
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ rsa-carol {
+ file = carolKey.pem
+ secret = "nH5ZQEWtku0RJEZ6"
+ }
+}
diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/strongswan.conf
new file mode 100755
index 000000000..3a9630fc1
--- /dev/null
+++ b/testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,18 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 mgf1 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+
+ syslog {
+ daemon {
+ default = 1
+ }
+ auth {
+ default = 0
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..4c7c177ed
--- /dev/null
+++ b/testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/swanctl/swanctl.conf
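Review bot: The `secrets` section of carol's swanctl.conf holds the passphrase for carolKey.pem in plaintext, and the encrypted key is committed right beside it, so the encryption adds no protection once both files are in the tree. The key's `Proc-Type: 4,ENCRYPTED` header also marks the legacy PEM encryption format, whose passphrase-to-key derivation is weak. That is acceptable only for a throwaway test identity, and nothing in either file says so. A comment in the `rsa-carol` block such as `# test-only key and passphrase; never reuse outside the test environment` would make the intent explicit. Secret scanners would also be better served by an allow-list entry for this fixture path than by a silent exception.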
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = rsa/pss-sha384
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..4bd975a00
--- /dev/null
+++ b/testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce sha1 sha2 mgf1 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+
+ rsa_pss = yes
+
+ syslog {
+ daemon {
+ default = 1
+ }
+ auth {
+ default = 0
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..4ba02ad6c
--- /dev/null
+++ b/testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-cert-pss/posttest.dat b/testing/tests/swanctl/rw-cert-pss/posttest.dat
new file mode 100755
index 000000000..b909ac76c
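Review bot: `auth = pubkey` in the `remote` section of moon's `rw` connection accepts any public-key signature scheme, so nothing in this config requires carol and dave to have signed with RSASSA-PSS. Unless evaltest.dat (not part of this hunk) checks the log for the scheme, a client that silently falls back to PKCS#1 v1.5 signatures would still pass a test named rw-cert-pss. The same holds for `remote { auth = pubkey }` in the carol and dave swanctl.conf hunks, where moon's use of PSS rests only on `rsa_pss = yes`. I would either constrain the remote side to an `rsa/pss` scheme or state the reliance explicitly with `# any scheme is accepted here; PSS use is asserted in evaltest.dat`.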
--- /dev/null
+++ b/testing/tests/swanctl/rw-cert-pss/posttest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-cert-pss/pretest.dat b/testing/tests/swanctl/rw-cert-pss/pretest.dat
new file mode 100755
index 000000000..dd1a17ccb
--- /dev/null
+++ b/testing/tests/swanctl/rw-cert-pss/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-cert-pss/test.conf b/testing/tests/swanctl/rw-cert-pss/test.conf
new file mode 100755
index 000000000..1227b9d1c
--- /dev/null
+++ b/testing/tests/swanctl/rw-cert-pss/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf index 909bca0fc..b415e075c 100755 --- a/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf index 909bca0fc..b415e075c 100755 --- a/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf index 909bca0fc..b415e075c 100755 --- a/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf 
@@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-cert/posttest.dat b/testing/tests/swanctl/rw-cert/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/rw-cert/posttest.dat +++ b/testing/tests/swanctl/rw-cert/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-cert/pretest.dat b/testing/tests/swanctl/rw-cert/pretest.dat index 762c35418..dd1a17ccb 100755 --- a/testing/tests/swanctl/rw-cert/pretest.dat +++ b/testing/tests/swanctl/rw-cert/pretest.dat @@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null 
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf index ec6625370..6339790cd 100644 --- a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf @@ -1,13 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - plugins { ipseckey { enable = yes diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf index ec6625370..6339790cd 100644 --- a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf @@ -1,13 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - plugins { ipseckey { enable = yes diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf index dcca175db..617b812d5 100644 --- a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf 
@@ -1,13 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 dnskey pubkey unbound ipseckey curve25519 gmp hmac vici kernel-netlink socket-default updown attr - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - pools = /usr/local/sbin/swanctl --load-pools - conns = /usr/local/sbin/swanctl --load-conns - } dns1 = PH_IP_WINNETOU dns2 = PH_IP_VENUS diff --git a/testing/tests/swanctl/rw-dnssec/posttest.dat b/testing/tests/swanctl/rw-dnssec/posttest.dat index 48a4abe78..dba97a988 100644 --- a/testing/tests/swanctl/rw-dnssec/posttest.dat +++ b/testing/tests/swanctl/rw-dnssec/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::rm /etc/swanctl/pubkey/* carol::rm /etc/swanctl/pubkey/* dave::rm /etc/swanctl/pubkey/* diff --git a/testing/tests/swanctl/rw-dnssec/pretest.dat b/testing/tests/swanctl/rw-dnssec/pretest.dat index 5faf602fc..ca44e08fc 100644 --- a/testing/tests/swanctl/rw-dnssec/pretest.dat +++ b/testing/tests/swanctl/rw-dnssec/pretest.dat @@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cd /etc/swanctl; rm x509/* x509ca/* carol::cd /etc/swanctl; rm x509/* x509ca/* dave::cd /etc/swanctl; rm x509/* x509ca/* -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null 
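Review bot: Dropping `pools = /usr/local/sbin/swanctl --load-pools` along with the rest of `start-scripts` in moon's rw-dnssec strongswan.conf leaves credential, pool and connection loading entirely to the `strongswan-swanctl` unit, which this diff does not show. If that unit's post-start step does not cover pools (and authorities, for the `auths = ... --load-authorities` lines removed in the rw-hash-and-url hunks, or the `pools` line removed from moon in rw-newhope-bliss), the daemon would come up without them and the gap would only show later in the test run. I would add `# creds, pools and conns are loaded by strongswan-swanctl.service` above the `load =` line so the dependency is visible in the config. The `charon-systemd` block continues past the end of this hunk.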
diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf index dd99cdbf9..653488a66 100644 --- a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf @@ -1,16 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } plugins { eap-simaka-sql { database = sqlite:///etc/ipsec.d/ipsec.db diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf index dd99cdbf9..653488a66 100644 --- a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf @@ -1,16 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } plugins { eap-simaka-sql { database = sqlite:///etc/ipsec.d/ipsec.db 
diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-aka-sql-rsa/posttest.dat index 2fc2bbb75..2b00bea8e 100644 --- a/testing/tests/swanctl/rw-eap-aka-sql-rsa/posttest.dat +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/posttest.dat @@ -1,5 +1,5 @@ carol::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-aka-sql-rsa/pretest.dat index 3842250e6..2fa2d200d 100644 --- a/testing/tests/swanctl/rw-eap-aka-sql-rsa/pretest.dat +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/pretest.dat @@ -3,8 +3,8 @@ carol::iptables-restore < /etc/iptables.rules carol::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db moon::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db carol::cd /etc/swanctl; rm rsa/* x509/* -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw-eap carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf index 4b8e68e6d..d2cc789b3 100644 --- a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf 
@@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf index 4b8e68e6d..d2cc789b3 100644 --- a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-md5-id-rsa/posttest.dat index 2fc2bbb75..2b00bea8e 100644 --- a/testing/tests/swanctl/rw-eap-md5-id-rsa/posttest.dat +++ b/testing/tests/swanctl/rw-eap-md5-id-rsa/posttest.dat @@ -1,5 +1,5 @@ carol::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush 
diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-md5-id-rsa/pretest.dat index 96c1ed114..8cc1c4dc5 100644 --- a/testing/tests/swanctl/rw-eap-md5-id-rsa/pretest.dat +++ b/testing/tests/swanctl/rw-eap-md5-id-rsa/pretest.dat @@ -1,8 +1,8 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules carol::cd /etc/swanctl; rm rsa/* x509/* -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw-eap carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf index 14afb43a1..cae0025f6 100755 --- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl eap-tls kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl eap-tls kernel-netlink socket-default updown vici } libtls { diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf index 14afb43a1..cae0025f6 100755 
--- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl eap-tls kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl eap-tls kernel-netlink socket-default updown vici } libtls { diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf index c090d6853..9c4e819c5 100755 --- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl eap-tls kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl eap-tls kernel-netlink socket-default updown vici } 
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat index 762c35418..dd1a17ccb 100755 --- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat @@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/strongswan.conf index d58694c38..90f42a1c5 100755 --- a/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/strongswan.conf 
@@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - auths = /usr/local/sbin/swanctl --load-authorities - conns = /usr/local/sbin/swanctl --load-conns - } - hash_and_url = yes } diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/strongswan.conf index d58694c38..90f42a1c5 100755 --- a/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/strongswan.conf @@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - auths = /usr/local/sbin/swanctl --load-authorities - conns = /usr/local/sbin/swanctl --load-conns - } - hash_and_url = yes } diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/strongswan.conf index d58694c38..90f42a1c5 100755 --- a/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/strongswan.conf 
@@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - auths = /usr/local/sbin/swanctl --load-authorities - conns = /usr/local/sbin/swanctl --load-conns - } - hash_and_url = yes } diff --git a/testing/tests/swanctl/rw-hash-and-url/posttest.dat b/testing/tests/swanctl/rw-hash-and-url/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/rw-hash-and-url/posttest.dat +++ b/testing/tests/swanctl/rw-hash-and-url/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-hash-and-url/pretest.dat b/testing/tests/swanctl/rw-hash-and-url/pretest.dat index 762c35418..dd1a17ccb 100755 --- a/testing/tests/swanctl/rw-hash-and-url/pretest.dat +++ b/testing/tests/swanctl/rw-hash-and-url/pretest.dat 
@@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/carol/etc/strongswan.conf index 22b318472..b8874523b 100755 --- a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/carol/etc/strongswan.conf @@ -1,23 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pkcs1 pem x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } - daemon { - cfg = 1 - ike = 1 - } - } } diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/dave/etc/strongswan.conf index a55b90a5d..c2b18d966 100755 --- a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/dave/etc/strongswan.conf 
@@ -1,23 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce des sha1 sha2 hmac pkcs1 pem x509 revocation gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } - daemon { - cfg = 1 - ike = 1 - } - } } diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/moon/etc/strongswan.conf index e7b5caaf8..85354251d 100755 --- a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/moon/etc/strongswan.conf @@ -1,23 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes des sha1 sha2 hmac pkcs1 pem x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } - daemon { - cfg = 1 - ike = 1 - } - } } diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/posttest.dat b/testing/tests/swanctl/rw-multi-ciphers-ikev1/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/rw-multi-ciphers-ikev1/posttest.dat +++ b/testing/tests/swanctl/rw-multi-ciphers-ikev1/posttest.dat 
@@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/pretest.dat b/testing/tests/swanctl/rw-multi-ciphers-ikev1/pretest.dat index 37029c074..dc541004d 100755 --- a/testing/tests/swanctl/rw-multi-ciphers-ikev1/pretest.dat +++ b/testing/tests/swanctl/rw-multi-ciphers-ikev1/pretest.dat @@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection net-1 moon::expect-connection net-2 carol::expect-connection home diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf index 6bfef3d39..16dcf16a1 100755 --- a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf 
@@ -1,17 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random + load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random } -charon { - load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici +charon-systemd { + load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici send_vendor_id = yes fragment_size = 1500 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf index 1d90adb5d..475705026 100755 --- a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf @@ -1,17 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random + load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random } -charon { - load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation pubkey gmp curl kernel-netlink socket-default updown vici +charon-systemd { + load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation pubkey gmp curl kernel-netlink socket-default updown vici send_vendor_id = yes fragment_size = 1500 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } 
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf index d4e3ca2e5..16dcf16a1 100755 --- a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf @@ -1,18 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random + load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random } -charon { +charon-systemd { load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici send_vendor_id = yes fragment_size = 1500 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - pools = /usr/local/sbin/swanctl --load-pools - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-newhope-bliss/posttest.dat b/testing/tests/swanctl/rw-newhope-bliss/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/rw-newhope-bliss/posttest.dat +++ b/testing/tests/swanctl/rw-newhope-bliss/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-newhope-bliss/pretest.dat b/testing/tests/swanctl/rw-newhope-bliss/pretest.dat index a550a2f6d..7772b25eb 100755 --- a/testing/tests/swanctl/rw-newhope-bliss/pretest.dat +++ b/testing/tests/swanctl/rw-newhope-bliss/pretest.dat 
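Review bot: The removed `start-scripts` block in rw-newhope-bliss/hosts/moon/etc/strongswan.conf included `pools = /usr/local/sbin/swanctl --load-pools`, and nothing in the new `charon-systemd` section replaces it. Loading of credentials, pools and connections now depends entirely on what the `strongswan-swanctl` unit does at start-up. The unit file is not part of this hunk, so confirm that it loads pools as well as creds and conns; otherwise any pool this scenario defines would be silently missing. A one-line comment such as `# creds, pools and conns are loaded by the strongswan-swanctl unit` would document the dependency. The same applies to the moon hunk of rw-ntru-bliss and the sun hunk of shunt-policies-nat-rw.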
@@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cd /etc/swanctl; rm rsa/* x509/moonCert.pem x509ca/strongswanCert.pem carol::cd /etc/swanctl; rm rsa/* x509/carolCert.pem x509ca/strongswanCert.pem dave::cd /etc/swanctl; rm rsa/* x509/daveCert.pem x509ca/strongswanCert.pem -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf index b158ccdb3..d655720cf 100644 --- a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf @@ -1,13 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown send_vendor_id = yes fragment_size = 1500 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf index b158ccdb3..d655720cf 100644 --- a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf 
@@ -1,13 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown send_vendor_id = yes fragment_size = 1500 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf index c6dd6be45..d655720cf 100644 --- a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf @@ -1,14 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown send_vendor_id = yes fragment_size = 1500 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - pools = /usr/local/sbin/swanctl --load-pools - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-ntru-bliss/posttest.dat b/testing/tests/swanctl/rw-ntru-bliss/posttest.dat index 58d5b8675..84935ec51 100644 --- a/testing/tests/swanctl/rw-ntru-bliss/posttest.dat +++ b/testing/tests/swanctl/rw-ntru-bliss/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-ntru-bliss/pretest.dat b/testing/tests/swanctl/rw-ntru-bliss/pretest.dat index a550a2f6d..7772b25eb 100644 
--- a/testing/tests/swanctl/rw-ntru-bliss/pretest.dat +++ b/testing/tests/swanctl/rw-ntru-bliss/pretest.dat @@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cd /etc/swanctl; rm rsa/* x509/moonCert.pem x509ca/strongswanCert.pem carol::cd /etc/swanctl; rm rsa/* x509/carolCert.pem x509ca/strongswanCert.pem dave::cd /etc/swanctl; rm rsa/* x509/daveCert.pem x509ca/strongswanCert.pem -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf index 335f38995..dcef959ef 100755 --- a/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf index 335f38995..dcef959ef 100755 --- a/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } 
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf index 335f38995..dcef959ef 100755 --- a/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-psk-fqdn/posttest.dat b/testing/tests/swanctl/rw-psk-fqdn/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/rw-psk-fqdn/posttest.dat +++ b/testing/tests/swanctl/rw-psk-fqdn/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-psk-fqdn/pretest.dat b/testing/tests/swanctl/rw-psk-fqdn/pretest.dat index 519b168ae..48849c8b0 100755 --- a/testing/tests/swanctl/rw-psk-fqdn/pretest.dat +++ b/testing/tests/swanctl/rw-psk-fqdn/pretest.dat 
@@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/* carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/* dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/* -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf index e539ea5f4..dcef959ef 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf @@ -4,20 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } - daemon { - cfg = 1 - ike = 1 - } - } } diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf index 02f6c1b36..a12456f26 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf @@ -4,20 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac gmp kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } - daemon { - cfg = 1 - ike = 1 - } - } } 
diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf index c42979965..f196d2431 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf @@ -4,20 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac curve25519 gmp kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } - daemon { - cfg = 1 - ike = 1 - } - } } diff --git a/testing/tests/swanctl/rw-psk-ikev1/posttest.dat b/testing/tests/swanctl/rw-psk-ikev1/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/posttest.dat +++ b/testing/tests/swanctl/rw-psk-ikev1/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-psk-ikev1/pretest.dat b/testing/tests/swanctl/rw-psk-ikev1/pretest.dat index 3393f516d..51c301923 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/pretest.dat +++ b/testing/tests/swanctl/rw-psk-ikev1/pretest.dat 
@@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/* carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/* dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/* -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection net-1 moon::expect-connection net-2 carol::expect-connection home diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf index 53973cf61..dcef959ef 100755 --- a/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf index 53973cf61..dcef959ef 100755 --- a/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf index 5efaed621..0325fe9a2 100755 
--- a/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 hmac curve25519 kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-psk-ipv4/posttest.dat b/testing/tests/swanctl/rw-psk-ipv4/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/rw-psk-ipv4/posttest.dat +++ b/testing/tests/swanctl/rw-psk-ipv4/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-psk-ipv4/pretest.dat b/testing/tests/swanctl/rw-psk-ipv4/pretest.dat index 519b168ae..48849c8b0 100755 --- a/testing/tests/swanctl/rw-psk-ipv4/pretest.dat +++ b/testing/tests/swanctl/rw-psk-ipv4/pretest.dat @@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/* carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/* dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/* -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null 
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/strongswan.conf index dc166b588..331d5bc94 100755 --- a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 pubkey openssl random + load = pem pkcs1 pubkey openssl random } -charon { - load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/strongswan.conf index dc166b588..331d5bc94 100755 --- a/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 pubkey openssl random + load = pem pkcs1 pubkey openssl random } -charon { - load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/strongswan.conf index 720e903c9..6b99d98a9 100755 --- a/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/strongswan.conf 
@@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/rw-pubkey-anon/posttest.dat b/testing/tests/swanctl/rw-pubkey-anon/posttest.dat index 48a4abe78..dba97a988 100755 --- a/testing/tests/swanctl/rw-pubkey-anon/posttest.dat +++ b/testing/tests/swanctl/rw-pubkey-anon/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::rm /etc/swanctl/pubkey/* carol::rm /etc/swanctl/pubkey/* dave::rm /etc/swanctl/pubkey/* diff --git a/testing/tests/swanctl/rw-pubkey-anon/pretest.dat b/testing/tests/swanctl/rw-pubkey-anon/pretest.dat index 5faf602fc..ca44e08fc 100755 --- a/testing/tests/swanctl/rw-pubkey-anon/pretest.dat +++ b/testing/tests/swanctl/rw-pubkey-anon/pretest.dat 
@@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cd /etc/swanctl; rm x509/* x509ca/* carol::cd /etc/swanctl; rm x509/* x509ca/* dave::cd /etc/swanctl; rm x509/* x509ca/* -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf index dc166b588..331d5bc94 100755 --- a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 pubkey openssl random + load = pem pkcs1 pubkey openssl random } -charon { - load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf index dc166b588..331d5bc94 100755 --- a/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf 
@@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 pubkey openssl random + load = pem pkcs1 pubkey openssl random } -charon { - load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf index 720e903c9..6b99d98a9 100755 --- a/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/rw-pubkey-keyid/posttest.dat b/testing/tests/swanctl/rw-pubkey-keyid/posttest.dat index 48a4abe78..dba97a988 100755 --- a/testing/tests/swanctl/rw-pubkey-keyid/posttest.dat +++ b/testing/tests/swanctl/rw-pubkey-keyid/posttest.dat 
@@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::rm /etc/swanctl/pubkey/* carol::rm /etc/swanctl/pubkey/* dave::rm /etc/swanctl/pubkey/* diff --git a/testing/tests/swanctl/rw-pubkey-keyid/pretest.dat b/testing/tests/swanctl/rw-pubkey-keyid/pretest.dat index de43d510d..e0ca17a4c 100755 --- a/testing/tests/swanctl/rw-pubkey-keyid/pretest.dat +++ b/testing/tests/swanctl/rw-pubkey-keyid/pretest.dat @@ -5,9 +5,9 @@ moon::cd /etc/swanctl; rm x509/* x509ca/* carol::cd /etc/swanctl; rm x509/* x509ca/* dave::cd /etc/swanctl; rm x509/* x509ca/* moon::cat /etc/swanctl/swanctl_base.conf -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-carol carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf index ee5b26120..bf799a29b 100644 --- a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf +++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf @@ -1,11 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } keep_alive = 5 } 
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf index e5c0136d8..91e32f7ba 100644 --- a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf @@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - pools = /usr/local/sbin/swanctl --load-pools - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf index ee5b26120..bf799a29b 100644 --- a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf +++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf @@ -1,11 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } keep_alive = 5 } diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat b/testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat index b02b19357..f66c5c57c 100644 --- a/testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat +++ b/testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat 
@@ -1,5 +1,5 @@ -alice::service charon stop 2> /dev/null -venus::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +alice::systemctl stop strongswan-swanctl +venus::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl sun::iptables-restore < /etc/iptables.flush moon::iptables -t nat -F diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat b/testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat index d6bc0709e..e871fba2b 100644 --- a/testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat +++ b/testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat @@ -1,9 +1,9 @@ sun::iptables-restore < /etc/iptables.rules moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 -sun::service charon start 2> /dev/null -alice::service charon start 2> /dev/null -venus::service charon start 2> /dev/null +sun::systemctl start strongswan-swanctl +alice::systemctl start strongswan-swanctl +venus::systemctl start strongswan-swanctl sun::expect-connection nat-t alice::expect-connection nat-t venus::expect-connection nat-t diff --git a/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf index 2976558fc..fccc73f22 100644 --- a/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation gmp curl xauth-generic kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } 
diff --git a/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf index 2976558fc..fccc73f22 100644 --- a/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation gmp curl xauth-generic kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf index 2976558fc..fccc73f22 100644 --- a/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation gmp curl xauth-generic kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/xauth-rsa/posttest.dat b/testing/tests/swanctl/xauth-rsa/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/swanctl/xauth-rsa/posttest.dat +++ b/testing/tests/swanctl/xauth-rsa/posttest.dat 
@@ -1,8 +1,8 @@
 carol::swanctl --terminate --ike home
 dave::swanctl --terminate --ike home
-carol::service charon stop 2> /dev/null
-dave::service charon stop 2> /dev/null
-moon::service charon stop 2> /dev/null
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/xauth-rsa/pretest.dat b/testing/tests/swanctl/xauth-rsa/pretest.dat
index 762c35418..dd1a17ccb 100644
--- a/testing/tests/swanctl/xauth-rsa/pretest.dat
+++ b/testing/tests/swanctl/xauth-rsa/pretest.dat
@@ -1,9 +1,9 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::service charon start 2> /dev/null
-carol::service charon start 2> /dev/null
-dave::service charon start 2> /dev/null
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 carol::expect-connection home
 carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
index 063bb6fc9..b094a3aaa 100644
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
@@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 } diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf index 063bb6fc9..b094a3aaa 100644 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 } diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf index a3d85b054..aacee2221 100644 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf 
@@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 } diff --git a/testing/tests/tnc/tnccs-11-fhh/posttest.dat b/testing/tests/tnc/tnccs-11-fhh/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-11-fhh/posttest.dat +++ b/testing/tests/tnc/tnccs-11-fhh/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-11-fhh/pretest.dat b/testing/tests/tnc/tnccs-11-fhh/pretest.dat index f0f6446bf..79340af29 100644 --- a/testing/tests/tnc/tnccs-11-fhh/pretest.dat +++ b/testing/tests/tnc/tnccs-11-fhh/pretest.dat @@ -10,9 +10,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf index 80c96b677..305a9d1e6 100644 
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf index 691cdbc2d..5d17eb638 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf index 71fc7dd0c..4c9dd6e1f 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf 
@@ -1,18 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } plugins { eap-radius { - secret = gv6URkSs - server = 10.1.0.10 + secret = gv6URkSs + server = 10.1.0.10 filter_id = yes } } diff --git a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat b/testing/tests/tnc/tnccs-11-radius-block/posttest.dat index 2989f347c..0d96563c1 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat +++ b/testing/tests/tnc/tnccs-11-radius-block/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl alice::killall radiusd alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second moon::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat index cc0ce6c31..efddc609e 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat +++ b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat @@ -11,9 +11,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 
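Review bot: The `secret = gv6URkSs` line in the `eap-radius` block of moon's strongswan.conf (tnccs-11-radius-block) is a RADIUS shared secret kept in plain text, and the hunk re-aligns it without marking it as a fixture value. A comment above it, such as `# test-only RADIUS shared secret; must match the client entry on the RADIUS server at 10.1.0.10`, would keep the value from being copied into a real deployment and would name the other place it has to be changed. The same two lines are re-aligned in the moon configs of tnccs-11-radius-pts and tnccs-11-radius. Whether the server-side client entry actually uses this value is not visible in this diff.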
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf index 978cc6659..a534ac66e 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf index 0bc6e3525..469e81156 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf @@ -1,19 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no retransmit_tries = 5 - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf index 387236ebc..cbaf67c89 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf 
@@ -1,18 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-radius updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } plugins { eap-radius { - secret = gv6URkSs - server = 10.1.0.10 + secret = gv6URkSs + server = 10.1.0.10 filter_id = yes } } diff --git a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat index db806c3c9..ab96df0ed 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat +++ b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl alice::killall radiusd alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second carol::echo 1 > /proc/sys/net/ipv4/ip_forward diff --git a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat index 5745ffede..7d0dfa385 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat +++ b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat @@ -15,9 +15,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf index 09ca9d0e4..1ca6c3d10 100644 
--- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf index 9c6f28fe3..9df983c80 100644 --- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } + syslog { daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf index 71fc7dd0c..4c9dd6e1f 100644 --- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf 
@@ -1,18 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } plugins { eap-radius { - secret = gv6URkSs - server = 10.1.0.10 + secret = gv6URkSs + server = 10.1.0.10 filter_id = yes } } diff --git a/testing/tests/tnc/tnccs-11-radius/posttest.dat b/testing/tests/tnc/tnccs-11-radius/posttest.dat index 2989f347c..0d96563c1 100644 --- a/testing/tests/tnc/tnccs-11-radius/posttest.dat +++ b/testing/tests/tnc/tnccs-11-radius/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl alice::killall radiusd alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second moon::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-11-radius/pretest.dat b/testing/tests/tnc/tnccs-11-radius/pretest.dat index 57e2ee6b4..bb2ce93b3 100644 --- a/testing/tests/tnc/tnccs-11-radius/pretest.dat +++ b/testing/tests/tnc/tnccs-11-radius/pretest.dat @@ -11,9 +11,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf index af30c204d..649426628 100644 
--- a/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf index 524536228..0a20b9407 100644 --- a/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf index bba631b1f..ad5cb6205 100644 --- a/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf 
@@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 3 diff --git a/testing/tests/tnc/tnccs-11/posttest.dat b/testing/tests/tnc/tnccs-11/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-11/posttest.dat +++ b/testing/tests/tnc/tnccs-11/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-11/pretest.dat b/testing/tests/tnc/tnccs-11/pretest.dat index e173ae798..a1f0470fe 100644 --- a/testing/tests/tnc/tnccs-11/pretest.dat +++ b/testing/tests/tnc/tnccs-11/pretest.dat @@ -8,9 +8,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf index fac3dc02d..aa8bb7cd3 100644 --- a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf 
+++ b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf index 168e4ec64..b3d3049be 100644 --- a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf index bb15d3ffa..b3845a3ee 100644 --- a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf 
@@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 3 diff --git a/testing/tests/tnc/tnccs-20-block/posttest.dat b/testing/tests/tnc/tnccs-20-block/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-20-block/posttest.dat +++ b/testing/tests/tnc/tnccs-20-block/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-block/pretest.dat b/testing/tests/tnc/tnccs-20-block/pretest.dat index c09abf917..13677a470 100644 --- a/testing/tests/tnc/tnccs-20-block/pretest.dat +++ b/testing/tests/tnc/tnccs-20-block/pretest.dat @@ -8,9 +8,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf index aceddc368..fa3458e22 100644 
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf @@ -1,21 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 - imc = 2 + imc = 2 } } } @@ -27,7 +20,7 @@ libtls { libimcv { plugins { imc-test { - command = isolate + command = isolate retry = yes retry_command = allow } diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf index 7ac1a5d70..f4d6543aa 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf @@ -1,21 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 - imc = 2 + imc = 2 } } plugins { diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf index a0b807755..10d0ae864 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf 
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 2 @@ -34,7 +27,7 @@ libtls { libimcv { plugins { imv-test { - rounds = 0 + rounds = 0 } imv-scanner { closed_port_policy = yes diff --git a/testing/tests/tnc/tnccs-20-client-retry/posttest.dat b/testing/tests/tnc/tnccs-20-client-retry/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/posttest.dat +++ b/testing/tests/tnc/tnccs-20-client-retry/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat index e173ae798..a1f0470fe 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat +++ b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat 
@@ -8,9 +8,9 @@ carol::rm /etc/swanctl/rsa/*
 dave::rm /etc/swanctl/rsa/*
 carol::rm /etc/swanctl/x509/*
 dave::rm /etc/swanctl/x509/*
-moon::service charon start
-carol::service charon start
-dave::service charon start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw-allow
 moon::expect-connection rw-isolate
 carol::expect-connection home
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-ev-pt-tls/evaltest.dat
index 2248d002c..a327dae63 100644
--- a/testing/tests/tnc/tnccs-20-ev-pt-tls/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/evaltest.dat
@@ -11,7 +11,7 @@ alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by T
 alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
 alice::cat /var/log/daemon.log::received software inventory with ... items for request 3 at last eid 1 of epoch::YES
 alice::cat /var/log/daemon.log::role=.softwareCreator licensor tagCreator::YES
-alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES
+alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES
 moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES
 alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES
 alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES
@@ -20,5 +20,5 @@ alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by passwo alice::cat /var/log/daemon.log::received software ID events with ... items for request 9 at last eid 2 of epoch::YES alice::cat /var/log/daemon.log::3 SWID tag target::YES alice::cat /var/log/daemon.log::received software inventory with 3 items for request 9 at last eid 2 of epoch::YES -alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES +alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES moon::cat /var/log/auth.log::host with IP address 192.168.0.100 is allowed::YES diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongswan.conf index 1148b945a..04d7dbacc 100644 --- a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongswan.conf @@ -1,15 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce pem pkcs1 x509 openssl revocation constraints curl vici socket-default kernel-netlink tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite syslog { - auth { - default = 0 - } daemon { tls = 2 - tnc = 2 + tnc = 2 imv = 3 } } @@ -32,7 +29,7 @@ libtls { libimcv { database = sqlite:///etc/db.d/config.db - policy_script = /usr/local/libexec/ipsec/imv_policy_manager + policy_script = /usr/local/libexec/ipsec/imv_policy_manager plugins { imv-swima { 
@@ -44,6 +41,6 @@ libimcv { } imv_policy_manager { - command_allow = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is allowed\""' - command_block = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is blocked\""' + command_allow = ssh root@moon 'logger -t charon-systemd -p auth.alert "\"host with IP address %s is allowed\""' + command_block = ssh root@moon 'logger -t charon-systemd -p auth.alert "\"host with IP address %s is blocked\""' } diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat index 09c8a6cbc..c0049d7fd 100644 --- a/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat +++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat @@ -1,8 +1,8 @@ carol::ip route del 10.1.0.0/16 via 192.168.0.1 dave::ip route del 10.1.0.0/16 via 192.168.0.1 winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 -alice::service charon stop -alice::service apache2 stop +alice::systemctl stop strongswan-swanctl +alice::systemctl stop apache2 alice::rm /etc/swanctl/rsa/aaaKey.pem alice::rm /etc/swanctl/x509/aaaCert.pem alice::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-ev-pt-tls/pretest.dat index c0d732368..3e4fbefa1 100644 --- a/testing/tests/tnc/tnccs-20-ev-pt-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/pretest.dat @@ -13,8 +13,8 @@ alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db alice::/usr/local/bin/init_tnc alice::rm /etc/swanctl/x509/aliceCert.pem alice::rm /etc/swanctl/rsa/aliceKey.pem -alice::service charon start -alice::service apache2 start +alice::systemctl start apache2 +alice::systemctl start strongswan-swanctl alice::swanctl --load-creds winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 dave::ip route add 10.1.0.0/16 via 192.168.0.1 
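Review bot: `command_allow` and `command_block` in the `imv_policy_manager` hunk tag lines produced by the policy script with what appears to be the daemon's own identifier, now `-t charon-systemd`, so an `auth.alert` entry in moon's auth.log reads as if the daemon had written it. A separate tag, e.g. `logger -t imv_policy_manager -p auth.alert ...`, would keep log provenance clear; the two `ssh root@moon.*logger -t charon-systemd` patterns in evaltest.dat would have to change with it. A comment above the two lines would also help, since `%s` (apparently the host's IP address) is expanded into a string that is quoted for both a local and a remote shell: `# %s is substituted before the command runs; keep it inside the quoted message`. The same two lines appear in the tnccs-20-nea-pt-tls alice strongswan.conf hunk.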
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf index 073355713..e91440326 100644 --- a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf index 6c1b9917b..6c84f3abb 100644 --- a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 @@ -24,7 +17,7 @@ charon { } tnccs-20 { tests { - pb_tnc_noskip = yes + pb_tnc_noskip = yes } } } diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf index 165c5ccb9..1e9995eb6 100644 
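Review bot: With the `start-scripts` block removed from carol's strongswan.conf, nothing in this file loads credentials or connections any more, and the test depends on what the `strongswan-swanctl` unit does at start (presumably it runs swanctl itself, which the hunk does not show). A short comment where the block used to be, e.g. `# credentials and connections are loaded by the strongswan-swanctl unit`, would document that dependency; the `expect-connection` lines in pretest.dat are then the only visible check that loading happened. The dave and moon hunks that follow and the tnccs-20-fail-resp, -fhh, -hcd-eap and -mutual-eap hunks drop the same block. The `charon-systemd` section continues past the hunk.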
--- a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 3 diff --git a/testing/tests/tnc/tnccs-20-fail-init/posttest.dat b/testing/tests/tnc/tnccs-20-fail-init/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-20-fail-init/posttest.dat +++ b/testing/tests/tnc/tnccs-20-fail-init/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-fail-init/pretest.dat b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat index e173ae798..a1f0470fe 100644 --- a/testing/tests/tnc/tnccs-20-fail-init/pretest.dat +++ b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat @@ -8,9 +8,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home 
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf index 56fa7a967..66c6cb541 100644 --- a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf index cb6abf305..a6e58ba4e 100644 --- a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 3 diff --git a/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat b/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat index 9af5f39a2..8158822a6 100644 --- a/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat +++ b/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat 
@@ -1,4 +1,4 @@ -carol::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat index 5af3b7500..d61ea90ad 100644 --- a/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat +++ b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat @@ -4,8 +4,8 @@ moon::cat /etc/tnc_config carol::cat /etc/tnc_config carol::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf index c3338d43b..aa4934fb1 100644 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf @@ -1,21 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 - imc = 2 + imc = 2 } } } diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf index 89d9e50bd..8fc1c8729 100644 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf 
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 - imc = 2 + imc = 2 } } } diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf index 0cd34865c..4732fbd4b 100644 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 2 diff --git a/testing/tests/tnc/tnccs-20-fhh/posttest.dat b/testing/tests/tnc/tnccs-20-fhh/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-20-fhh/posttest.dat +++ b/testing/tests/tnc/tnccs-20-fhh/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush 
diff --git a/testing/tests/tnc/tnccs-20-fhh/pretest.dat b/testing/tests/tnc/tnccs-20-fhh/pretest.dat index f0f6446bf..79340af29 100644 --- a/testing/tests/tnc/tnccs-20-fhh/pretest.dat +++ b/testing/tests/tnc/tnccs-20-fhh/pretest.dat @@ -10,9 +10,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf index 195534315..fb77fd87e 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf @@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici socket-default kernel-netlink eap-identity eap-ttls eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imv = 3 } } @@ -36,5 +30,5 @@ charon { libimcv { debug_level = 3 - policy_script = /usr/local/libexec/ipsec/imv_policy_manager + policy_script = /usr/local/libexec/ipsec/imv_policy_manager } diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf index f0a6c4bde..883f154b8 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf 
@@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 3 } } @@ -43,7 +36,7 @@ libimcv { plugins { imc-hcd { - push_info = no + push_info = no subtypes { system { attributes_natural_language = en @@ -78,7 +71,7 @@ libimcv { resident_application { resident-app-1 { - name = Resident App XYZ + name = Resident App XYZ patches = "xmas patch 2014-12-24\r\nservice patch for App XYZ 2015-05-22\r\n" string_version = 2.5 version = 00000002000000050000000000000000 @@ -137,7 +130,7 @@ libimcv { version = 00000007000000080000000000000000 } } - + resident_application { resident-app-if { name = Resident Interface App @@ -150,10 +143,10 @@ libimcv { scanner { attributes_natural_language = en - + firmware { fw-scanner { - name = Scanner Firmware + name = Scanner Firmware patches = "security patch 2013-08-11\r\nsecurity patch 2015-5-30\r\n" string_version = 2.5.3 version = 00000002000000050000000300000000 diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf index f5c3440c1..9f1718992 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf 
@@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 3 } } @@ -52,18 +45,18 @@ libimcv { vendor_smi_code = 36906 pstn_fax_enabled = yes time_source = 0.ch.pool.ntp.org - user_application_enabled = no + user_application_enabled = no user_application_persistence_enabled = no firmware { fw-1 { - name = Firmware ABC + name = Firmware ABC patches = "security patch 2014-05-08\r\nupgrade 2014-08-16\r\nsecurity patch 2015-3-22\r\n" string_version = 1.0.7 version = 00000001000000000000000700000000 } fw-2 { - name = Firmware UVW + name = Firmware UVW string_version = 13.8.5 version = 0000000D000000080000000500000000 } @@ -71,7 +64,7 @@ libimcv { resident_application { resident-app-1 { - name = Resident App XYZ + name = Resident App XYZ patches = "xmas patch 2014-12-24\r\nservice patch 2015-05-22\r\n" string_version = 2.5 version = 00000002000000050000000000000000 @@ -96,7 +89,7 @@ libimcv { interface { attributes_natural_language = en - + firmware { fw-if { name = Interface Firmware @@ -118,10 +111,10 @@ libimcv { scanner { attributes_natural_language = en - + firmware { fw-scanner { - name = Scanner Firmware + name = Scanner Firmware patches = "security patch 2013-08-11\r\nsecurity patch 2015-5-30\r\n" string_version = 2.5.3 version = 00000002000000050000000300000000 diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf index 4dae69352..08e5e38e5 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf 
+++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf @@ -1,17 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-radius updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } plugins { eap-radius { secret = gv6URkSs - #server = PH_IP6_ALICE + #server = PH_IP6_ALICE server = PH_IP_ALICE filter_id = yes } diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat b/testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat index bcd655353..33a60f9ab 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat +++ b/testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat @@ -1,7 +1,7 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop -alice::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +alice::systemctl stop strongswan-swanctl alice::rm /etc/swanctl/rsa/aaaKey.pem alice::rm /etc/swanctl/x509/aaaCert.pem winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat b/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat index f9b4159d9..decc2394a 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat +++ b/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat 
@@ -9,10 +9,10 @@ carol::echo 0 > /proc/sys/net/ipv4/ip_forward dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id alice::rm /etc/swanctl/rsa/aliceKey.pem alice::rm /etc/swanctl/x509/aliceCert.pem -alice::service charon start -moon::service charon start -carol::service charon start -dave::service charon start +alice::systemctl start strongswan-swanctl +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/strongswan.conf index a555970ec..a773b17be 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 2 imv = 2 } @@ -36,10 +29,10 @@ libtls { libimcv { plugins { imc-test { - command = allow + command = allow } imv-test { rounds = 1 - } + } } } diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/strongswan.conf index b2280db18..7e049dc02 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/strongswan.conf 
@@ -1,20 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown - multiple_authentication = no - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } + multiple_authentication = no syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 2 imv = 2 } @@ -38,10 +30,10 @@ libtls { libimcv { plugins { imc-test { - command = none + command = none } imv-test { - rounds = 1 - } + rounds = 1 + } } } diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-eap-fail/posttest.dat index 4677e46f0..8b792b878 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap-fail/posttest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/posttest.dat @@ -1,4 +1,4 @@ -moon::service charon stop -sun::service charon stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-eap-fail/pretest.dat index ac707d436..1a20775d8 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap-fail/pretest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::service charon start -sun::service charon start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl sun::expect-connection mutual moon::expect-connection mutual moon::swanctl --initiate --child mutual 
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf index 1212e2356..a773b17be 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 2 imv = 2 } @@ -40,6 +33,6 @@ libimcv { } imv-test { rounds = 1 - } + } } } diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf index f29175d67..879a3cdac 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf @@ -1,20 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown - multiple_authentication = no - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } + multiple_authentication = no syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 2 imv = 2 } @@ -38,10 +30,10 @@ libtls { libimcv { plugins { imc-test { - command = allow + command = allow } imv-test { - rounds = 1 - } + rounds = 1 + } } } 
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat index 4677e46f0..8b792b878 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat @@ -1,4 +1,4 @@ -moon::service charon stop -sun::service charon stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat index ac707d436..1a20775d8 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::service charon start -sun::service charon start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl sun::expect-connection mutual moon::expect-connection mutual moon::swanctl --initiate --child mutual diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf index 9e694bc01..b596dbc1b 100644 --- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf @@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default tnc-pdp tnc-tnccs tnc-imc tnc-imv tnccs-20 +charon-systemd { + load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default tnc-pdp tnc-tnccs tnc-imc tnc-imv tnccs-20 - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 2 imv = 2 } 
@@ -36,10 +30,10 @@ libtls { libimcv { plugins { imc-test { - command = allow + command = allow } imv-test { - rounds = 1 - } + rounds = 1 + } } } diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat index d1f83a319..767e8f2ba 100644 --- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat @@ -1 +1 @@ -sun::service charon stop +sun::systemctl stop strongswan-swanctl diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat index 8642292a8..9da18266e 100644 --- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat @@ -1,4 +1,4 @@ -sun::service charon start +sun::systemctl start strongswan-swanctl moon::cat /etc/pts/options moon::sleep 1 moon::/usr/local/bin/pt-tls-client --optionsfrom /etc/pts/options diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-nea-pt-tls/evaltest.dat index 198b2bde3..7850e2e74 100644 --- a/testing/tests/tnc/tnccs-20-nea-pt-tls/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/evaltest.dat 
@@ -10,7 +10,7 @@ alice::cat /var/log/daemon.log::certificate status is good::YES alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES alice::cat /var/log/daemon.log::received software inventory with ... items for request 3 at last eid 1 of epoch::YES -alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES +alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES @@ -21,5 +21,5 @@ alice::cat /var/log/daemon.log::received software ID inventory with ... items fo alice::cat /var/log/daemon.log::1 SWID tag target::YES alice::cat /var/log/daemon.log::received software inventory with 1 item for request 9 at last eid 1 of epoch::YES alice::cat /var/log/daemon.log::strongswan.org__strongSwan.*@ /usr/local/share/strongswan::YES -alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES +alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES moon::cat /var/log/auth.log::host with IP address 192.168.0.100 is allowed::YES diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/strongswan.conf index 1148b945a..04d7dbacc 100644 
--- a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/strongswan.conf @@ -1,15 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce pem pkcs1 x509 openssl revocation constraints curl vici socket-default kernel-netlink tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite syslog { - auth { - default = 0 - } daemon { tls = 2 - tnc = 2 + tnc = 2 imv = 3 } } @@ -32,7 +29,7 @@ libtls { libimcv { database = sqlite:///etc/db.d/config.db - policy_script = /usr/local/libexec/ipsec/imv_policy_manager + policy_script = /usr/local/libexec/ipsec/imv_policy_manager plugins { imv-swima { @@ -44,6 +41,6 @@ libimcv { } imv_policy_manager { - command_allow = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is allowed\""' - command_block = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is blocked\""' + command_allow = ssh root@moon 'logger -t charon-systemd -p auth.alert "\"host with IP address %s is allowed\""' + command_block = ssh root@moon 'logger -t charon-systemd -p auth.alert "\"host with IP address %s is blocked\""' } diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-nea-pt-tls/posttest.dat index 09c8a6cbc..c0049d7fd 100644 --- a/testing/tests/tnc/tnccs-20-nea-pt-tls/posttest.dat +++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/posttest.dat @@ -1,8 +1,8 @@ carol::ip route del 10.1.0.0/16 via 192.168.0.1 dave::ip route del 10.1.0.0/16 via 192.168.0.1 winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 -alice::service charon stop -alice::service apache2 stop +alice::systemctl stop strongswan-swanctl +alice::systemctl stop apache2 alice::rm /etc/swanctl/rsa/aaaKey.pem alice::rm /etc/swanctl/x509/aaaCert.pem alice::iptables-restore < /etc/iptables.flush 
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-nea-pt-tls/pretest.dat index d8ac3ab41..c895148f2 100644 --- a/testing/tests/tnc/tnccs-20-nea-pt-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/pretest.dat @@ -13,8 +13,8 @@ alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db alice::/usr/local/bin/init_tnc alice::rm /etc/swanctl/x509/aliceCert.pem alice::rm /etc/swanctl/rsa/aliceKey.pem -alice::service charon start -alice::service apache2 start +alice::systemctl start apache2 +alice::systemctl start strongswan-swanctl alice::swanctl --load-creds winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 dave::ip route add 10.1.0.0/16 via 192.168.0.1 diff --git a/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat index 8056a90e9..5dbfa8247 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat 
@@ -1,19 +1,19 @@ -carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon:: ipsec attest --session 2> /dev/null::Debian.*x86_64.*carol@strongswan.org - allow::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: ipsec attest --session 2> /dev/null::Debian.*x86_64.*dave@strongswan.org - isolate::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org 
remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 
local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf index d3941d811..3e4d76f10 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 3 + tnc = 2 imc = 3 pts = 3 } 
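Review bot: The two `moon:: swanctl --list-sas --ike-id N` checks depend on which client connects first, which is why this hunk has to swap `rw-isolate` and `rw-allow` between ids 1 and 2 to follow the reordered initiation in pretest.dat. This assumes the ids are handed out in order of establishment, so any later change to the start order would make the allow/isolate assertions fail for the wrong reason. Selecting by connection name keeps the policy check independent of ordering, e.g. `moon:: swanctl --list-sas --ike rw-isolate --raw 2> /dev/null::rw-isolate.*...` and likewise `--ike rw-allow`.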
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf index 134cd991c..2e249d48d 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf @@ -1,21 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no retransmit_tries = 5 - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 3 + tnc = 2 imc = 3 pts = 3 } diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf index e58bab611..a683ba77c 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 3 + tnc = 2 imv = 3 pts = 3 } @@ -34,10 +27,10 @@ libtls { libimcv { database = sqlite:///etc/db.d/config.db - policy_script = /usr/local/libexec/ipsec/imv_policy_manager + policy_script = /usr/local/libexec/ipsec/imv_policy_manager plugins { imv-attestation { - hash_algorithm = sha1 + hash_algorithm = sha256 } } } 
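Review bot: `hash_algorithm = sha256` replaces sha1 for `imv-attestation` in the second moon hunk, but the sibling tnccs-20-pts/hosts/moon/etc/strongswan.conf touched by this same commit still shows `hash_algorithm = sha1` as an unchanged line. The reference measurements in the PTS database are not visible here, so I cannot tell whether SHA-1 is kept there on purpose. If it is, a comment in that file such as `# sha1 kept deliberately for legacy PTS measurement coverage` would record the intent; otherwise that file should move to sha256 as well.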
diff --git a/testing/tests/tnc/tnccs-20-os-pts/posttest.dat b/testing/tests/tnc/tnccs-20-os-pts/posttest.dat index ce72d2ca9..9c55c19cd 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/posttest.dat +++ b/testing/tests/tnc/tnccs-20-os-pts/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-os-pts/pretest.dat b/testing/tests/tnc/tnccs-20-os-pts/pretest.dat index 03e5f22af..1167f55ea 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/pretest.dat +++ b/testing/tests/tnc/tnccs-20-os-pts/pretest.dat @@ -12,14 +12,14 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate -carol::expect-connection home -carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home dave::swanctl --initiate --child home 2> /dev/null +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null moon::ipsec attest --sessions moon::ipsec attest --devices diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf index ef90078f2..3ec0227b2 100644 --- a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf 
@@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 3 + tnc = 2 imc = 3 } } diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf index 4af05ad31..7de2756a9 100644 --- a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 3 + tnc = 2 imc = 3 } } diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf index 53c515f77..8e8fda6c4 100644 --- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf 
@@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 3 + tnc = 2 imv = 3 } } diff --git a/testing/tests/tnc/tnccs-20-os/posttest.dat b/testing/tests/tnc/tnccs-20-os/posttest.dat index ce72d2ca9..9c55c19cd 100644 --- a/testing/tests/tnc/tnccs-20-os/posttest.dat +++ b/testing/tests/tnc/tnccs-20-os/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-os/pretest.dat b/testing/tests/tnc/tnccs-20-os/pretest.dat index 13ae2b71f..3c5037aae 100644 --- a/testing/tests/tnc/tnccs-20-os/pretest.dat +++ b/testing/tests/tnc/tnccs-20-os/pretest.dat @@ -13,9 +13,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf index 240ebbafb..e01fe4b4c 100644 
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf @@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici socket-default kernel-netlink eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imv = 3 } } @@ -35,7 +29,7 @@ charon { } libimcv { - debug_level = 3 + debug_level = 3 database = sqlite:///etc/db.d/config.db policy_script = /usr/local/libexec/ipsec/imv_policy_manager diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf index 47b9affed..a8aff3883 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 3 } } diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf index d00808398..852e0714e 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf 
@@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 3 } } diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf index 8b931afc9..bcf316622 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf @@ -1,18 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-radius updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } plugins { eap-radius { secret = gv6URkSs - #server = PH_IP6_ALICE + #server = PH_IP6_ALICE server = PH_IP_ALICE filter_id = yes } diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat index e5ec2afc7..97850dc97 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat 
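Review bot: The `eap-radius` block in the moon hunk carries the RADIUS shared secret as a literal, `secret = gv6URkSs`, and nothing in the file marks it as a fixture value. Since the only edit next to it is whitespace on the commented `#server` line, a one-line comment above the secret would be enough: `# shared secret for the test RADIUS server only`. The `plugins` section continues past the end of the hunk.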
@@ -1,8 +1,8 @@ -moon::service charon stop -carol::service charon stop -dave::service charon stop -alice::service charon stop -alice::service apache2 stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +alice::systemctl stop strongswan-swanctl +alice::systemctl stop apache2 alice::rm /etc/swanctl/x509/aaaCert.pem alice::rm /etc/swanctl/rsa/aaaKey.pem moon::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat index 385cc305a..15dcc54d8 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat @@ -17,11 +17,11 @@ alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db alice::/usr/local/bin/init_tnc -alice::service apache2 start -alice::service charon start -moon::service charon start -dave::service charon start -carol::service charon start +alice::systemctl start apache2 +alice::systemctl start strongswan-swanctl +moon::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate dave::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat index fc232bfde..bf4191618 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat 
@@ -9,7 +9,7 @@ alice::cat /var/log/daemon.log::certificate status is good::YES alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES alice::cat /var/log/daemon.log::received SWID tag inventory with ... items for request 3 at eid 1 of epoch::YES -alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES +alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES @@ -19,5 +19,5 @@ alice::cat /var/log/daemon.log::received SWID tag ID inventory with ... items fo alice::cat /var/log/daemon.log::1 SWID tag target::YES alice::cat /var/log/daemon.log::received SWID tag inventory with 1 item for request 9 at eid 1 of epoch::YES alice::cat /var/log/daemon.log::strongswan.org__strongSwan-::YES -alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES +alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES moon::cat /var/log/auth.log::host with IP address 192.168.0.100 is allowed::YES diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf index b08a85bb4..944a5928d 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf 
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf @@ -1,15 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce pem pkcs1 x509 openssl revocation constraints curl vici socket-default kernel-netlink tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite syslog { - auth { - default = 0 - } daemon { tls = 2 - tnc = 2 + tnc = 2 imv = 3 } } @@ -29,7 +26,7 @@ libtls { libimcv { database = sqlite:///etc/db.d/config.db - policy_script = /usr/local/libexec/ipsec/imv_policy_manager + policy_script = /usr/local/libexec/ipsec/imv_policy_manager plugins { imv-swid { @@ -39,6 +36,6 @@ libimcv { } imv_policy_manager { - command_allow = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is allowed\""' - command_block = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is blocked\""' + command_allow = ssh root@moon 'logger -t charon-systemd -p auth.alert "\"host with IP address %s is allowed\""' + command_block = ssh root@moon 'logger -t charon-systemd -p auth.alert "\"host with IP address %s is blocked\""' } diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat index 09c8a6cbc..c0049d7fd 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat @@ -1,8 +1,8 @@ carol::ip route del 10.1.0.0/16 via 192.168.0.1 dave::ip route del 10.1.0.0/16 via 192.168.0.1 winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 -alice::service charon stop -alice::service apache2 stop +alice::systemctl stop strongswan-swanctl +alice::systemctl stop apache2 alice::rm /etc/swanctl/rsa/aaaKey.pem alice::rm /etc/swanctl/x509/aaaCert.pem alice::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat index d8ac3ab41..c895148f2 100644 
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat @@ -13,8 +13,8 @@ alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db alice::/usr/local/bin/init_tnc alice::rm /etc/swanctl/x509/aliceCert.pem alice::rm /etc/swanctl/rsa/aliceKey.pem -alice::service charon start -alice::service apache2 start +alice::systemctl start apache2 +alice::systemctl start strongswan-swanctl alice::swanctl --load-creds winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 dave::ip route add 10.1.0.0/16 via 192.168.0.1 diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf index f4fb7e2dc..3b477dd81 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf index b7a772692..9da89723d 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf 
@@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf index 46ed39bb8..1e5f7becf 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 3 @@ -34,7 +27,7 @@ libtls { libimcv { database = sqlite:///etc/db.d/config.db - policy_script = /usr/local/libexec/ipsec/imv_policy_manager + policy_script = /usr/local/libexec/ipsec/imv_policy_manager plugins { imv-attestation { diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat index ce72d2ca9..9c55c19cd 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat 
@@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat index d89aa2309..2e95da89d 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat @@ -12,9 +12,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -dave::service charon start -carol::service charon start +moon::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate dave::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf index 2eb34841d..8ebf56878 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf @@ -1,22 +1,15 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 3 + tnc = 3 imc = 3 - pts = 3 + pts = 3 } } } 
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf index e9fa8cb80..0b47d35e7 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf index e58bab611..bf14fe327 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 3 @@ -34,7 +27,7 @@ libtls { libimcv { database = sqlite:///etc/db.d/config.db - policy_script = /usr/local/libexec/ipsec/imv_policy_manager + policy_script = /usr/local/libexec/ipsec/imv_policy_manager plugins { imv-attestation { hash_algorithm = sha1 diff --git a/testing/tests/tnc/tnccs-20-pts/posttest.dat b/testing/tests/tnc/tnccs-20-pts/posttest.dat index ce72d2ca9..9c55c19cd 100644 --- a/testing/tests/tnc/tnccs-20-pts/posttest.dat 
+++ b/testing/tests/tnc/tnccs-20-pts/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pts/pretest.dat b/testing/tests/tnc/tnccs-20-pts/pretest.dat index d89aa2309..2e95da89d 100644 --- a/testing/tests/tnc/tnccs-20-pts/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pts/pretest.dat @@ -12,9 +12,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -dave::service charon start -carol::service charon start +moon::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate dave::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf index 7e51900a1..7f7f52869 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf @@ -1,21 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 - imc = 2 + imc = 2 } } } 
@@ -27,7 +20,7 @@ libtls { libimcv { plugins { imc-test { - command = retry + command = retry retry_command = allow } } diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf index 4aeda6674..d93482b10 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf @@ -1,21 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 - imc = 2 + imc = 2 } } plugins { @@ -32,7 +25,7 @@ libtls { libimcv { plugins { imc-test { - command = retry + command = retry retry_command = isolate } imc-scanner { diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf index 902e837f5..10d0ae864 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf @@ -1,21 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 - imv = 2 + imv = 2 } } plugins { 
@@ -34,7 +27,7 @@ libtls { libimcv { plugins { imv-test { - rounds = 0 + rounds = 0 } imv-scanner { closed_port_policy = yes diff --git a/testing/tests/tnc/tnccs-20-server-retry/posttest.dat b/testing/tests/tnc/tnccs-20-server-retry/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/posttest.dat +++ b/testing/tests/tnc/tnccs-20-server-retry/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat index e173ae798..a1f0470fe 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat +++ b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat @@ -8,9 +8,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf index 73f32424e..dab32e727 100644 --- a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf 
@@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 2 } } diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf index 07df4c086..e26da3e7a 100644 --- a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 2 } } diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf index 7aef92f39..66799c1e4 100644 --- a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf 
@@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnccs-20 tnc-imv updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imv = 2 } } diff --git a/testing/tests/tnc/tnccs-20-tls/posttest.dat b/testing/tests/tnc/tnccs-20-tls/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-20-tls/posttest.dat +++ b/testing/tests/tnc/tnccs-20-tls/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-tls/pretest.dat b/testing/tests/tnc/tnccs-20-tls/pretest.dat index 1d11baa99..57985e682 100644 --- a/testing/tests/tnc/tnccs-20-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-tls/pretest.dat @@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf index 887806475..da21bc6f8 100644 
--- a/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf index e78272b43..e90055fad 100644 --- a/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf index 165c5ccb9..1e9995eb6 100644 --- a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf 
@@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 3 diff --git a/testing/tests/tnc/tnccs-20/posttest.dat b/testing/tests/tnc/tnccs-20/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-20/posttest.dat +++ b/testing/tests/tnc/tnccs-20/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20/pretest.dat b/testing/tests/tnc/tnccs-20/pretest.dat index e173ae798..a1f0470fe 100644 --- a/testing/tests/tnc/tnccs-20/pretest.dat +++ b/testing/tests/tnc/tnccs-20/pretest.dat @@ -8,9 +8,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf index 609852bc7..f0f941815 100644 --- a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf 
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf @@ -1,19 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no integrity_test = yes - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf index 2c0deca5e..e5925a4cf 100644 --- a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf @@ -1,19 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication=no integrity_test = yes - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf index d61bcd111..0261fe1b0 100644 --- a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf 
@@ -1,19 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-dynamic tnccs-11 tnccs-20 tnc-imv updown multiple_authentication=no integrity_test = yes - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 3 diff --git a/testing/tests/tnc/tnccs-dynamic/posttest.dat b/testing/tests/tnc/tnccs-dynamic/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-dynamic/posttest.dat +++ b/testing/tests/tnc/tnccs-dynamic/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-dynamic/pretest.dat b/testing/tests/tnc/tnccs-dynamic/pretest.dat index e173ae798..a1f0470fe 100644 --- a/testing/tests/tnc/tnccs-dynamic/pretest.dat +++ b/testing/tests/tnc/tnccs-dynamic/pretest.dat @@ -8,9 +8,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home -- cgit v1.2.3