From 918094fde55fa0dbfd59a5f88d576efb513a88db Mon Sep 17 00:00:00 2001 
From: Yves-Alexis Perez Date: Wed, 2 Jan 2019 10:45:36 +0100 Subject: New upstream version 5.7.2 --- Android.common.mk | 2 +- ChangeLog | 6 +- Doxyfile.in | 12 - Makefile.am | 5 + Makefile.in | 6 + NEWS | 58 +- README | 2 +- TODO | 2 +- conf/plugins/tpm.conf | 4 + conf/plugins/tpm.opt | 4 + conf/strongswan.conf.5.main | 5 + configure | 23 +- configure.ac | 5 +- scripts/dh_speed.c | 1 + src/_copyright/_copyright.c | 2 - src/charon-cmd/charon-cmd.c | 9 +- src/charon-systemd/charon-systemd.c | 16 +- src/conftest/hooks/set_proposal_number.c | 2 +- src/ipsec/_ipsec.8 | 2 +- src/libcharon/bus/bus.c | 5 +- src/libcharon/bus/bus.h | 4 +- src/libcharon/bus/listeners/listener.h | 4 +- .../plugins/bypass_lan/bypass_lan_listener.c | 26 +- src/libcharon/plugins/dhcp/dhcp_socket.c | 10 + src/libcharon/plugins/eap_radius/eap_radius.c | 12 +- .../plugins/eap_radius/eap_radius_accounting.c | 59 +- .../plugins/eap_radius/eap_radius_accounting.h | 10 +- .../plugins/eap_radius/eap_radius_provider.c | 32 +- .../plugins/eap_radius/eap_radius_provider.h | 11 + src/libcharon/plugins/ha/ha_attribute.c | 13 +- src/libcharon/plugins/ha/ha_dispatcher.c | 4 +- src/libcharon/plugins/ha/ha_ike.c | 6 +- src/libcharon/plugins/ha/ha_message.c | 2 + src/libcharon/plugins/ha/ha_message.h | 2 + src/libcharon/plugins/ha/ha_segments.c | 7 + src/libcharon/plugins/ha/ha_segments.h | 7 + .../plugins/kernel_netlink/kernel_netlink_ipsec.c | 17 + .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 27 +- src/libcharon/plugins/vici/libvici.h | 8 + src/libcharon/plugins/vici/vici_config.c | 7 +- src/libcharon/processing/jobs/adopt_children_job.c | 52 +- src/libcharon/sa/child_sa.c | 4 +- src/libcharon/sa/ike_sa.c | 45 +- src/libcharon/sa/ike_sa.h | 17 + src/libcharon/sa/ike_sa_manager.c | 2 + src/libcharon/sa/ikev1/phase1.c | 3 +- src/libcharon/sa/ikev1/task_manager_v1.c | 134 +- src/libcharon/sa/ikev1/tasks/isakmp_cert_post.c | 1 - src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c | 1 - 
src/libcharon/sa/ikev1/tasks/quick_mode.c | 9 +- .../sa/ikev2/authenticators/pubkey_authenticator.c | 97 +- src/libcharon/sa/ikev2/task_manager_v2.c | 227 +- src/libcharon/sa/ikev2/tasks/child_delete.c | 24 +- src/libcharon/sa/ikev2/tasks/ike_init.c | 16 +- src/libcharon/sa/task_manager.h | 19 +- src/libcharon/tests/suites/test_child_rekey.c | 46 +- src/libimcv/imv/data.sql | 44 +- .../strongswan.org__strongSwan-5-7-1.swidtag | 11 - .../strongswan.org__strongSwan-5-7-2.swidtag | 11 + .../imv_attestation/imv_attestation_agent.c | 2 - src/libpttls/pt_tls_client.c | 1 - src/libstrongswan/credentials/auth_cfg.c | 1 + src/libstrongswan/credentials/builder.c | 1 + src/libstrongswan/credentials/builder.h | 2 + src/libstrongswan/credentials/keys/private_key.h | 13 + src/libstrongswan/credentials/keys/public_key.c | 2 +- .../credentials/keys/signature_params.c | 50 +- .../credentials/keys/signature_params.h | 19 +- src/libstrongswan/crypto/mac.h | 4 +- .../crypto/proposal/proposal_keywords_static.c | 24 +- .../crypto/proposal/proposal_keywords_static.h | 2 +- .../plugins/agent/agent_private_key.c | 133 +- src/libstrongswan/plugins/botan/Makefile.am | 4 +- src/libstrongswan/plugins/botan/Makefile.in | 13 +- src/libstrongswan/plugins/botan/botan_aead.c | 388 ++ src/libstrongswan/plugins/botan/botan_aead.h | 50 + src/libstrongswan/plugins/botan/botan_crypter.c | 6 + .../plugins/botan/botan_ec_public_key.c | 19 +- .../plugins/botan/botan_ed_private_key.c | 279 + .../plugins/botan/botan_ed_private_key.h | 63 + .../plugins/botan/botan_ed_public_key.c | 202 + .../plugins/botan/botan_ed_public_key.h | 51 + src/libstrongswan/plugins/botan/botan_gcm.c | 333 - src/libstrongswan/plugins/botan/botan_gcm.h | 47 - src/libstrongswan/plugins/botan/botan_plugin.c | 77 +- .../plugins/botan/botan_rsa_private_key.c | 24 +- .../plugins/botan/botan_rsa_public_key.c | 66 +- src/libstrongswan/plugins/botan/botan_util.c | 35 + src/libstrongswan/plugins/botan/botan_util.h | 12 + 
src/libstrongswan/plugins/botan/botan_util_keys.c | 38 +- .../plugins/curve25519/curve25519_public_key.c | 110 +- src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c | 4 + .../plugins/gcrypt/gcrypt_rsa_private_key.c | 6 +- .../plugins/gcrypt/gcrypt_rsa_public_key.c | 6 +- .../plugins/gmp/gmp_rsa_private_key.c | 6 +- src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 7 +- src/libstrongswan/plugins/mysql/mysql_database.c | 10 +- src/libstrongswan/plugins/openssl/Makefile.am | 5 +- src/libstrongswan/plugins/openssl/Makefile.in | 11 +- src/libstrongswan/plugins/openssl/openssl_crl.c | 21 +- .../plugins/openssl/openssl_ed_private_key.c | 356 ++ .../plugins/openssl/openssl_ed_private_key.h | 58 + .../plugins/openssl/openssl_ed_public_key.c | 304 + .../plugins/openssl/openssl_ed_public_key.h | 38 + src/libstrongswan/plugins/openssl/openssl_plugin.c | 53 +- src/libstrongswan/plugins/openssl/openssl_rng.c | 11 +- .../plugins/openssl/openssl_rsa_private_key.c | 7 +- .../plugins/openssl/openssl_rsa_public_key.c | 7 +- src/libstrongswan/plugins/openssl/openssl_util.c | 8 +- src/libstrongswan/plugins/openssl/openssl_util.h | 4 +- src/libstrongswan/plugins/openssl/openssl_x509.c | 14 +- .../plugins/openssl/openssl_x_diffie_hellman.c | 256 + .../plugins/openssl/openssl_x_diffie_hellman.h | 37 + src/libstrongswan/plugins/sshkey/sshkey_builder.c | 35 +- src/libstrongswan/plugins/sshkey/sshkey_encoder.c | 38 +- src/libstrongswan/plugins/test_vectors/Makefile.am | 1 + src/libstrongswan/plugins/test_vectors/Makefile.in | 7 +- .../plugins/test_vectors/test_vectors.h | 2 + .../test_vectors/test_vectors/chacha20poly1305.c | 40 +- .../plugins/test_vectors/test_vectors/curve25519.c | 2 +- .../plugins/test_vectors/test_vectors/curve448.c | 43 + src/libstrongswan/settings/settings_lexer.c | 898 +-- src/libstrongswan/settings/settings_lexer.l | 5 + src/libstrongswan/tests/Makefile.am | 1 + src/libstrongswan/tests/Makefile.in | 19 + src/libstrongswan/tests/suites/test_ed25519.c | 84 +- 
src/libstrongswan/tests/suites/test_ed448.c | 654 ++ src/libstrongswan/tests/suites/test_rsa.c | 2 +- .../tests/suites/test_signature_params.c | 61 +- src/libstrongswan/tests/tests.h | 1 + src/libstrongswan/utils/chunk.h | 2 +- src/libstrongswan/utils/leak_detective.c | 42 +- src/libtpmtss/plugins/tpm/tpm_private_key.c | 10 +- src/libtpmtss/tpm_tss.h | 12 +- src/libtpmtss/tpm_tss_trousers.c | 7 + src/libtpmtss/tpm_tss_tss2_v1.c | 137 +- src/libtpmtss/tpm_tss_tss2_v2.c | 133 +- src/pki/commands/acert.c | 5 + src/pki/commands/issue.c | 5 + src/pki/commands/req.c | 5 + src/pki/commands/self.c | 5 + src/pki/commands/signcrl.c | 6 + src/pki/pki.c | 28 +- src/pki/pki.h | 3 +- src/pool/pool.c | 2 - src/pt-tls-client/pt-tls-client.1.in | 4 +- src/scepclient/scepclient.c | 9 +- src/sec-updater/sec-updater.sh | 58 +- src/starter/keywords.c | 24 +- src/starter/keywords.h | 2 +- src/starter/parser/lexer.c | 868 ++- src/starter/parser/lexer.l | 5 + src/stroke/stroke_keywords.c | 26 +- src/stroke/stroke_keywords.h | 2 +- src/sw-collector/sw-collector.c | 3 +- src/swanctl/commands/load_all.c | 5 +- src/swanctl/commands/load_authorities.c | 11 +- src/swanctl/commands/load_conns.c | 20 +- src/swanctl/commands/load_creds.c | 20 +- src/swanctl/commands/load_pools.c | 5 +- src/swanctl/commands/rekey.c | 2 +- src/swanctl/commands/terminate.c | 2 +- src/swanctl/swanctl.c | 44 + src/swanctl/swanctl.h | 52 +- testing/config/kernel/config-4.19 | 2690 ++++++++ testing/config/kvm/alice.xml | 6 +- testing/config/kvm/bob.xml | 2 +- testing/config/kvm/carol.xml | 2 +- testing/config/kvm/dave.xml | 2 +- testing/config/kvm/moon.xml | 2 +- testing/config/kvm/sun.xml | 2 +- testing/config/kvm/venus.xml | 2 +- testing/config/kvm/winnetou.xml | 2 +- testing/do-tests | 36 +- .../hosts/alice/etc/freeradius/3.0/clients.conf | 5 + .../hosts/alice/etc/freeradius/3.0/radiusd.conf | 99 + testing/hosts/alice/etc/freeradius/dictionary | 2 +- testing/hosts/alice/etc/freeradius/radiusd.conf | 2 - 
testing/hosts/default/etc/ssh/sshd_config | 2 +- testing/hosts/default/usr/local/bin/init_collector | 2 + testing/hosts/venus/etc/default/isc-dhcp-server | 3 + .../apache2/conf-enabled/testresults-as-text.conf | 1 + .../etc/apache2/conf.d/testresults-as-text | 4 - .../etc/apache2/sites-enabled/001-ocsp_vhost.conf | 24 +- .../hosts/winnetou/etc/openssl/duck/openssl.cnf | 20 +- .../hosts/winnetou/etc/openssl/ecdsa/openssl.cnf | 22 +- .../hosts/winnetou/etc/openssl/monster/openssl.cnf | 20 +- testing/hosts/winnetou/etc/openssl/openssl.cnf | 22 +- .../winnetou/etc/openssl/research/openssl.cnf | 20 +- .../hosts/winnetou/etc/openssl/rfc3779/openssl.cnf | 24 +- .../hosts/winnetou/etc/openssl/sales/openssl.cnf | 22 +- testing/scripts/build-baseimage | 41 +- testing/scripts/build-guestimages | 7 +- testing/scripts/build-rootimage | 5 +- testing/scripts/recipes/001_libtnc.mk | 31 - testing/scripts/recipes/002_tnc-fhh.mk | 35 - testing/scripts/recipes/003_freeradius.mk | 43 - testing/scripts/recipes/004_hostapd.mk | 39 - testing/scripts/recipes/004_wpa_supplicant.mk | 39 - testing/scripts/recipes/005_anet.mk | 9 +- testing/scripts/recipes/006_tkm-rpc.mk | 9 +- testing/scripts/recipes/007_x509-ada.mk | 9 +- testing/scripts/recipes/008_xfrm-ada.mk | 9 +- testing/scripts/recipes/009_xfrm-proxy.mk | 9 +- testing/scripts/recipes/010_tkm.mk | 9 +- testing/scripts/recipes/011_botan.mk | 12 +- .../recipes/patches/freeradius-eap-sim-identity | 30 - testing/scripts/recipes/patches/freeradius-tnc-fhh | 6687 -------------------- testing/scripts/recipes/patches/hostapd-config | 38 - testing/scripts/recipes/patches/tnc-fhh-tncsim | 12 - .../scripts/recipes/patches/wpa_supplicant-eap-tnc | 47 - testing/testing.conf | 16 +- .../tests/botan/net2net-ed25519/description.txt | 10 + testing/tests/botan/net2net-ed25519/evaltest.dat | 7 + .../net2net-ed25519/hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/pkcs8/moonKey.pem | 3 + .../hosts/moon/etc/swanctl/swanctl.conf | 33 + 
.../hosts/moon/etc/swanctl/x509/moonCert.pem | 13 + .../moon/etc/swanctl/x509ca/strongswanCert.pem | 11 + .../net2net-ed25519/hosts/sun/etc/strongswan.conf | 9 + .../hosts/sun/etc/swanctl/pkcs8/sunKey.pem | 3 + .../hosts/sun/etc/swanctl/swanctl.conf | 33 + .../hosts/sun/etc/swanctl/x509/sunCert.pem | 13 + .../sun/etc/swanctl/x509ca/strongswanCert.pem | 11 + testing/tests/botan/net2net-ed25519/posttest.dat | 7 + testing/tests/botan/net2net-ed25519/pretest.dat | 9 + testing/tests/botan/net2net-ed25519/test.conf | 25 + testing/tests/botan/net2net-pkcs12/description.txt | 8 + testing/tests/botan/net2net-pkcs12/evaltest.dat | 5 + .../net2net-pkcs12/hosts/moon/etc/strongswan.conf | 6 + .../hosts/moon/etc/swanctl/pkcs12/moonCert.p12 | Bin 0 -> 3661 bytes .../hosts/moon/etc/swanctl/swanctl.conf | 36 + .../net2net-pkcs12/hosts/sun/etc/strongswan.conf | 6 + .../hosts/sun/etc/swanctl/pkcs12/sunCert.p12 | Bin 0 -> 3661 bytes .../hosts/sun/etc/swanctl/swanctl.conf | 36 + testing/tests/botan/net2net-pkcs12/posttest.dat | 6 + testing/tests/botan/net2net-pkcs12/pretest.dat | 9 + testing/tests/botan/net2net-pkcs12/test.conf | 25 + .../botan/net2net-sha3-rsa-cert/description.txt | 8 + .../tests/botan/net2net-sha3-rsa-cert/evaltest.dat | 5 + .../hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/rsa/moonKey.pem | 39 + .../hosts/moon/etc/swanctl/swanctl.conf | 33 + .../hosts/moon/etc/swanctl/x509/moonCert.pem | 28 + .../moon/etc/swanctl/x509ca/strongswanCert.pem | 26 + .../hosts/sun/etc/strongswan.conf | 9 + .../hosts/sun/etc/swanctl/rsa/sunKey.pem | 39 + .../hosts/sun/etc/swanctl/swanctl.conf | 33 + .../hosts/sun/etc/swanctl/x509/sunCert.pem | 28 + .../sun/etc/swanctl/x509ca/strongswanCert.pem | 26 + .../tests/botan/net2net-sha3-rsa-cert/posttest.dat | 5 + .../tests/botan/net2net-sha3-rsa-cert/pretest.dat | 7 + .../tests/botan/net2net-sha3-rsa-cert/test.conf | 25 + .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 5 + 
.../etc/freeradius/3.0/sites-available/default | 56 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 1 + .../ikev1/xauth-rsa-eap-md5-radius/posttest.dat | 2 +- .../ikev1/xauth-rsa-eap-md5-radius/pretest.dat | 2 +- .../alice/etc/freeradius/3.0/mods-available/eap | 0 .../hosts/alice/etc/freeradius/3.0/proxy.conf | 5 + .../etc/freeradius/3.0/sites-available/default | 53 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 1 + testing/tests/ikev1/xauth-rsa-radius/posttest.dat | 2 +- testing/tests/ikev1/xauth-rsa-radius/pretest.dat | 2 +- .../ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf | 9 - .../hosts/moon/etc/dhcpd.conf | 9 - .../dhcp-static-mac/hosts/moon/etc/dhcpd.conf | 9 - testing/tests/ikev2/host2host-cert/description.txt | 6 +- .../tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat | 2 +- testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat | 2 +- .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 58 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 2 + .../hosts/alice/etc/freeradius/modules/sim_files | 3 - .../alice/etc/freeradius/sites-available/default | 14 +- .../hosts/alice/etc/freeradius/triplets.dat | 6 - .../hosts/alice/etc/freeradius/users | 2 + .../ikev2/mult-auth-rsa-eap-sim-id/posttest.dat | 2 +- .../ikev2/mult-auth-rsa-eap-sim-id/pretest.dat | 6 +- testing/tests/ikev2/nat-rw-psk/description.txt | 3 +- testing/tests/ikev2/nat-rw/description.txt | 2 + testing/tests/ikev2/net2net-psk/description.txt | 5 +- .../tests/ikev2/rw-eap-aka-id-rsa/description.txt | 14 +- testing/tests/ikev2/rw-eap-aka-rsa/description.txt | 13 +- .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 58 + .../freeradius/3.0/sites-available/inner-tunnel 
| 0 .../hosts/alice/etc/freeradius/3.0/users | 4 + .../ikev2/rw-eap-framed-ip-radius/posttest.dat | 2 +- .../ikev2/rw-eap-framed-ip-radius/pretest.dat | 2 +- .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 58 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 4 + .../ikev2/rw-eap-md5-class-radius/posttest.dat | 2 +- .../ikev2/rw-eap-md5-class-radius/pretest.dat | 2 +- .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 58 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 1 + .../tests/ikev2/rw-eap-md5-id-radius/posttest.dat | 2 +- .../tests/ikev2/rw-eap-md5-id-radius/pretest.dat | 2 +- .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 5 + .../etc/freeradius/3.0/sites-available/default | 59 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 1 + testing/tests/ikev2/rw-eap-md5-radius/posttest.dat | 2 +- testing/tests/ikev2/rw-eap-md5-radius/pretest.dat | 2 +- testing/tests/ikev2/rw-eap-md5-rsa/description.txt | 12 +- .../ikev2/rw-eap-mschapv2-id-rsa/description.txt | 16 +- .../alice/etc/freeradius/3.0/mods-available/eap | 21 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 5 + .../etc/freeradius/3.0/sites-available/default | 59 + .../freeradius/3.0/sites-available/inner-tunnel | 38 + .../hosts/alice/etc/freeradius/3.0/users | 2 + .../tests/ikev2/rw-eap-peap-radius/posttest.dat | 2 +- testing/tests/ikev2/rw-eap-peap-radius/pretest.dat | 2 +- .../ikev2/rw-eap-sim-id-radius/description.txt | 16 +- .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 58 + 
.../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 1 + .../hosts/alice/etc/freeradius/modules/sim_files | 3 - .../alice/etc/freeradius/sites-available/default | 13 +- .../hosts/alice/etc/freeradius/triplets.dat | 3 - .../hosts/alice/etc/freeradius/users | 1 + .../tests/ikev2/rw-eap-sim-id-radius/posttest.dat | 2 +- .../tests/ikev2/rw-eap-sim-id-radius/pretest.dat | 3 +- .../ikev2/rw-eap-sim-only-radius/description.txt | 23 +- .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 59 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 2 + .../hosts/alice/etc/freeradius/modules/sim_files | 3 - .../alice/etc/freeradius/sites-available/default | 13 +- .../hosts/alice/etc/freeradius/triplets.dat | 6 - .../hosts/alice/etc/freeradius/users | 2 + .../ikev2/rw-eap-sim-only-radius/posttest.dat | 2 +- .../tests/ikev2/rw-eap-sim-only-radius/pretest.dat | 3 +- .../tests/ikev2/rw-eap-sim-radius/description.txt | 25 +- .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 59 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 2 + .../hosts/alice/etc/freeradius/modules/sim_files | 3 - .../alice/etc/freeradius/sites-available/default | 13 +- .../hosts/alice/etc/freeradius/triplets.dat | 6 - .../hosts/alice/etc/freeradius/users | 2 + testing/tests/ikev2/rw-eap-sim-radius/posttest.dat | 2 +- testing/tests/ikev2/rw-eap-sim-radius/pretest.dat | 6 +- testing/tests/ikev2/rw-eap-sim-rsa/description.txt | 13 +- .../alice/etc/freeradius/3.0/mods-available/eap | 16 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 55 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 0 
.../hosts/carol/etc/strongswan.conf | 4 - testing/tests/ikev2/rw-eap-tls-radius/posttest.dat | 2 +- testing/tests/ikev2/rw-eap-tls-radius/pretest.dat | 2 +- .../rw-eap-ttls-phase2-piggyback/description.txt | 10 - .../rw-eap-ttls-phase2-piggyback/evaltest.dat | 19 - .../hosts/carol/etc/ipsec.conf | 20 - .../hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 11 - .../hosts/dave/etc/ipsec.conf | 20 - .../hosts/dave/etc/ipsec.secrets | 3 - .../hosts/dave/etc/strongswan.conf | 11 - .../hosts/moon/etc/ipsec.conf | 19 - .../hosts/moon/etc/ipsec.secrets | 6 - .../hosts/moon/etc/strongswan.conf | 18 - .../rw-eap-ttls-phase2-piggyback/posttest.dat | 6 - .../ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat | 11 - .../ikev2/rw-eap-ttls-phase2-piggyback/test.conf | 21 - .../alice/etc/freeradius/3.0/mods-available/eap | 21 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 5 + .../etc/freeradius/3.0/sites-available/default | 59 + .../freeradius/3.0/sites-available/inner-tunnel | 38 + .../hosts/alice/etc/freeradius/3.0/users | 2 + .../tests/ikev2/rw-eap-ttls-radius/posttest.dat | 2 +- testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat | 2 +- .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 64 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 1 + .../tests/ikev2/rw-radius-accounting/posttest.dat | 2 +- .../tests/ikev2/rw-radius-accounting/pretest.dat | 2 +- .../tests/ipv6-stroke/host2host-ikev1/evaltest.dat | 2 +- .../tests/ipv6-stroke/host2host-ikev2/evaltest.dat | 2 +- .../tests/ipv6-stroke/net2net-ikev1/evaltest.dat | 2 +- .../tests/ipv6-stroke/net2net-ikev2/evaltest.dat | 2 +- .../net2net-ip6-in-ip4-ikev1/evaltest.dat | 2 +- .../net2net-ip6-in-ip4-ikev2/evaltest.dat | 2 +- testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat | 4 +- testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat | 4 +- 
.../ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat | 4 +- .../ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat | 4 +- .../tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat | 4 +- .../tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat | 4 +- .../tests/ipv6-stroke/transport-ikev1/evaltest.dat | 2 +- .../tests/ipv6-stroke/transport-ikev2/evaltest.dat | 2 +- testing/tests/ipv6/host2host-ikev1/evaltest.dat | 2 +- testing/tests/ipv6/host2host-ikev2/evaltest.dat | 2 +- testing/tests/ipv6/net2net-ikev1/evaltest.dat | 2 +- testing/tests/ipv6/net2net-ikev2/evaltest.dat | 2 +- .../ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat | 2 +- .../ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat | 2 +- .../tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat | 2 +- testing/tests/ipv6/rw-ikev1/evaltest.dat | 4 +- testing/tests/ipv6/rw-ikev2/evaltest.dat | 4 +- .../tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat | 4 +- .../tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat | 4 +- testing/tests/ipv6/rw-psk-ikev1/evaltest.dat | 4 +- testing/tests/ipv6/rw-psk-ikev2/evaltest.dat | 4 +- testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat | 4 +- testing/tests/ipv6/transport-ikev1/evaltest.dat | 2 +- testing/tests/ipv6/transport-ikev2/evaltest.dat | 2 +- .../tests/libipsec/net2net-cert-ipv6/evaltest.dat | 2 +- .../openssl-ikev1/alg-camellia/description.txt | 7 +- .../tests/openssl-ikev1/alg-camellia/evaltest.dat | 8 +- .../alg-camellia/hosts/carol/etc/ipsec.conf | 22 - .../alg-camellia/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../alg-camellia/hosts/moon/etc/ipsec.conf | 21 - .../alg-camellia/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 25 + .../tests/openssl-ikev1/alg-camellia/posttest.dat | 5 +- .../tests/openssl-ikev1/alg-camellia/pretest.dat | 8 +- testing/tests/openssl-ikev1/alg-camellia/test.conf | 4 + .../openssl-ikev1/alg-ecp-high/description.txt | 8 +- .../tests/openssl-ikev1/alg-ecp-high/evaltest.dat | 14 +- .../alg-ecp-high/hosts/carol/etc/ipsec.conf | 
21 - .../alg-ecp-high/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../alg-ecp-high/hosts/dave/etc/ipsec.conf | 21 - .../alg-ecp-high/hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/swanctl.conf | 27 + .../alg-ecp-high/hosts/moon/etc/ipsec.conf | 20 - .../alg-ecp-high/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 25 + .../tests/openssl-ikev1/alg-ecp-high/posttest.dat | 6 +- .../tests/openssl-ikev1/alg-ecp-high/pretest.dat | 10 +- testing/tests/openssl-ikev1/alg-ecp-high/test.conf | 4 + .../openssl-ikev1/alg-ecp-low/description.txt | 10 +- .../tests/openssl-ikev1/alg-ecp-low/evaltest.dat | 15 +- .../alg-ecp-low/hosts/carol/etc/ipsec.conf | 21 - .../alg-ecp-low/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../alg-ecp-low/hosts/dave/etc/ipsec.conf | 21 - .../alg-ecp-low/hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/swanctl.conf | 27 + .../alg-ecp-low/hosts/moon/etc/ipsec.conf | 20 - .../alg-ecp-low/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 25 + .../tests/openssl-ikev1/alg-ecp-low/posttest.dat | 6 +- .../tests/openssl-ikev1/alg-ecp-low/pretest.dat | 10 +- testing/tests/openssl-ikev1/alg-ecp-low/test.conf | 4 + .../openssl-ikev1/ecdsa-certs/description.txt | 7 +- .../tests/openssl-ikev1/ecdsa-certs/evaltest.dat | 12 +- .../ecdsa-certs/hosts/carol/etc/ipsec.conf | 22 - .../carol/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 18 - .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 8 - .../ecdsa-certs/hosts/carol/etc/ipsec.secrets | 3 - .../ecdsa-certs/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/ecdsa/carolKey.pem | 8 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 + .../hosts/carol/etc/swanctl/x509/carolCert.pem | 18 + .../carol/etc/swanctl/x509ca/strongswanCert.pem | 15 + 
.../ecdsa-certs/hosts/dave/etc/ipsec.conf | 22 - .../dave/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 19 - .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 6 - .../ecdsa-certs/hosts/dave/etc/ipsec.secrets | 3 - .../ecdsa-certs/hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/ecdsa/daveKey.pem | 6 + .../hosts/dave/etc/swanctl/swanctl.conf | 27 + .../hosts/dave/etc/swanctl/x509/daveCert.pem | 19 + .../dave/etc/swanctl/x509ca/strongswanCert.pem | 15 + .../ecdsa-certs/hosts/moon/etc/ipsec.conf | 21 - .../moon/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/moon/etc/ipsec.d/certs/moonCert.pem | 20 - .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 7 - .../ecdsa-certs/hosts/moon/etc/ipsec.secrets | 3 - .../ecdsa-certs/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/ecdsa/moonKey.pem | 7 + .../hosts/moon/etc/swanctl/swanctl.conf | 25 + .../hosts/moon/etc/swanctl/x509/moonCert.pem | 20 + .../moon/etc/swanctl/x509ca/strongswanCert.pem | 15 + .../tests/openssl-ikev1/ecdsa-certs/posttest.dat | 11 +- .../tests/openssl-ikev1/ecdsa-certs/pretest.dat | 13 +- testing/tests/openssl-ikev1/ecdsa-certs/test.conf | 4 + .../openssl-ikev2/alg-aes-gcm/description.txt | 16 - .../tests/openssl-ikev2/alg-aes-gcm/evaltest.dat | 26 - .../alg-aes-gcm/hosts/carol/etc/ipsec.conf | 22 - .../alg-aes-gcm/hosts/carol/etc/strongswan.conf | 5 - .../alg-aes-gcm/hosts/dave/etc/ipsec.conf | 22 - .../alg-aes-gcm/hosts/dave/etc/strongswan.conf | 5 - .../alg-aes-gcm/hosts/moon/etc/ipsec.conf | 21 - .../alg-aes-gcm/hosts/moon/etc/strongswan.conf | 5 - .../tests/openssl-ikev2/alg-aes-gcm/posttest.dat | 6 - .../tests/openssl-ikev2/alg-aes-gcm/pretest.dat | 11 - testing/tests/openssl-ikev2/alg-aes-gcm/test.conf | 21 - .../openssl-ikev2/alg-blowfish/description.txt | 11 - .../tests/openssl-ikev2/alg-blowfish/evaltest.dat | 17 - .../alg-blowfish/hosts/carol/etc/ipsec.conf | 22 - 
.../alg-blowfish/hosts/carol/etc/strongswan.conf | 5 - .../alg-blowfish/hosts/dave/etc/ipsec.conf | 22 - .../alg-blowfish/hosts/dave/etc/strongswan.conf | 5 - .../alg-blowfish/hosts/moon/etc/ipsec.conf | 21 - .../alg-blowfish/hosts/moon/etc/strongswan.conf | 5 - .../tests/openssl-ikev2/alg-blowfish/posttest.dat | 6 - .../tests/openssl-ikev2/alg-blowfish/pretest.dat | 11 - testing/tests/openssl-ikev2/alg-blowfish/test.conf | 21 - .../openssl-ikev2/alg-camellia/description.txt | 7 +- .../tests/openssl-ikev2/alg-camellia/evaltest.dat | 8 +- .../alg-camellia/hosts/carol/etc/ipsec.conf | 22 - .../alg-camellia/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../alg-camellia/hosts/moon/etc/ipsec.conf | 21 - .../alg-camellia/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 25 + .../tests/openssl-ikev2/alg-camellia/posttest.dat | 5 +- .../tests/openssl-ikev2/alg-camellia/pretest.dat | 8 +- testing/tests/openssl-ikev2/alg-camellia/test.conf | 4 + .../alg-ecp-brainpool-high/description.txt | 8 +- .../alg-ecp-brainpool-high/evaltest.dat | 15 +- .../hosts/carol/etc/ipsec.conf | 21 - .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../hosts/dave/etc/ipsec.conf | 21 - .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/swanctl.conf | 27 + .../hosts/moon/etc/ipsec.conf | 20 - .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 25 + .../alg-ecp-brainpool-high/posttest.dat | 6 +- .../alg-ecp-brainpool-high/pretest.dat | 10 +- .../openssl-ikev2/alg-ecp-brainpool-high/test.conf | 4 + .../alg-ecp-brainpool-low/description.txt | 13 +- .../alg-ecp-brainpool-low/evaltest.dat | 15 +- .../hosts/carol/etc/ipsec.conf | 21 - .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../hosts/dave/etc/ipsec.conf | 21 - .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/swanctl.conf | 
27 + .../hosts/moon/etc/ipsec.conf | 20 - .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 25 + .../alg-ecp-brainpool-low/posttest.dat | 6 +- .../alg-ecp-brainpool-low/pretest.dat | 10 +- .../openssl-ikev2/alg-ecp-brainpool-low/test.conf | 4 + .../openssl-ikev2/alg-ecp-high/description.txt | 8 +- .../tests/openssl-ikev2/alg-ecp-high/evaltest.dat | 14 +- .../alg-ecp-high/hosts/carol/etc/ipsec.conf | 21 - .../alg-ecp-high/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../alg-ecp-high/hosts/dave/etc/ipsec.conf | 21 - .../alg-ecp-high/hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/swanctl.conf | 27 + .../alg-ecp-high/hosts/moon/etc/ipsec.conf | 20 - .../alg-ecp-high/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 25 + .../tests/openssl-ikev2/alg-ecp-high/posttest.dat | 6 +- .../tests/openssl-ikev2/alg-ecp-high/pretest.dat | 10 +- testing/tests/openssl-ikev2/alg-ecp-high/test.conf | 4 + .../openssl-ikev2/alg-ecp-low/description.txt | 10 +- .../tests/openssl-ikev2/alg-ecp-low/evaltest.dat | 15 +- .../alg-ecp-low/hosts/carol/etc/ipsec.conf | 21 - .../alg-ecp-low/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../alg-ecp-low/hosts/dave/etc/ipsec.conf | 21 - .../alg-ecp-low/hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/swanctl.conf | 27 + .../alg-ecp-low/hosts/moon/etc/ipsec.conf | 20 - .../alg-ecp-low/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 25 + .../tests/openssl-ikev2/alg-ecp-low/posttest.dat | 6 +- .../tests/openssl-ikev2/alg-ecp-low/pretest.dat | 10 +- testing/tests/openssl-ikev2/alg-ecp-low/test.conf | 4 + .../critical-extension/description.txt | 2 +- .../openssl-ikev2/critical-extension/evaltest.dat | 2 - .../hosts/moon/etc/ipsec.d/certs/moonCert.der | Bin 952 -> 0 bytes .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 27 - 
.../hosts/moon/etc/strongswan.conf | 4 +- .../hosts/moon/etc/swanctl/rsa/moonKey.pem | 27 + .../hosts/moon/etc/swanctl/swanctl.conf | 26 + .../hosts/moon/etc/swanctl/x509/moonCert.der | Bin 0 -> 952 bytes .../hosts/sun/etc/ipsec.d/certs/sunCert.der | Bin 951 -> 0 bytes .../hosts/sun/etc/ipsec.d/private/sunKey.pem | 27 - .../hosts/sun/etc/strongswan.conf | 2 +- .../hosts/sun/etc/swanctl/rsa/sunKey.pem | 27 + .../hosts/sun/etc/swanctl/swanctl.conf | 26 + .../hosts/sun/etc/swanctl/x509/sunCert.der | Bin 0 -> 951 bytes .../openssl-ikev2/critical-extension/posttest.dat | 9 +- .../openssl-ikev2/critical-extension/pretest.dat | 14 +- .../openssl-ikev2/critical-extension/test.conf | 6 +- .../openssl-ikev2/ecdsa-certs/description.txt | 7 +- .../tests/openssl-ikev2/ecdsa-certs/evaltest.dat | 16 +- .../ecdsa-certs/hosts/carol/etc/ipsec.conf | 22 - .../carol/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 18 - .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 8 - .../ecdsa-certs/hosts/carol/etc/ipsec.secrets | 3 - .../ecdsa-certs/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/ecdsa/carolKey.pem | 8 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 + .../hosts/carol/etc/swanctl/x509/carolCert.pem | 18 + .../carol/etc/swanctl/x509ca/strongswanCert.pem | 15 + .../ecdsa-certs/hosts/dave/etc/ipsec.conf | 22 - .../dave/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 19 - .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 6 - .../ecdsa-certs/hosts/dave/etc/ipsec.secrets | 3 - .../ecdsa-certs/hosts/dave/etc/strongswan.conf | 3 +- .../hosts/dave/etc/swanctl/ecdsa/daveKey.pem | 6 + .../hosts/dave/etc/swanctl/swanctl.conf | 27 + .../hosts/dave/etc/swanctl/x509/daveCert.pem | 19 + .../dave/etc/swanctl/x509ca/strongswanCert.pem | 15 + .../ecdsa-certs/hosts/moon/etc/ipsec.conf | 21 - .../moon/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - 
.../hosts/moon/etc/ipsec.d/certs/moonCert.pem | 20 - .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 7 - .../ecdsa-certs/hosts/moon/etc/ipsec.secrets | 3 - .../ecdsa-certs/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/ecdsa/moonKey.pem | 7 + .../hosts/moon/etc/swanctl/swanctl.conf | 25 + .../hosts/moon/etc/swanctl/x509/moonCert.pem | 20 + .../moon/etc/swanctl/x509ca/strongswanCert.pem | 15 + .../tests/openssl-ikev2/ecdsa-certs/posttest.dat | 11 +- .../tests/openssl-ikev2/ecdsa-certs/pretest.dat | 13 +- testing/tests/openssl-ikev2/ecdsa-certs/test.conf | 4 + .../tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat | 8 +- .../ecdsa-pkcs8/hosts/carol/etc/ipsec.conf | 22 - .../carol/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 18 - .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 7 - .../ecdsa-pkcs8/hosts/carol/etc/ipsec.secrets | 3 - .../ecdsa-pkcs8/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/pkcs8/carolKey.pem | 7 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 + .../hosts/carol/etc/swanctl/x509/carolCert.pem | 18 + .../carol/etc/swanctl/x509ca/strongswanCert.pem | 15 + .../ecdsa-pkcs8/hosts/dave/etc/ipsec.conf | 22 - .../dave/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 19 - .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 8 - .../ecdsa-pkcs8/hosts/dave/etc/ipsec.secrets | 3 - .../ecdsa-pkcs8/hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/pkcs8/daveKey.pem | 8 + .../hosts/dave/etc/swanctl/swanctl.conf | 36 + .../hosts/dave/etc/swanctl/x509/daveCert.pem | 19 + .../dave/etc/swanctl/x509ca/strongswanCert.pem | 15 + .../ecdsa-pkcs8/hosts/moon/etc/ipsec.conf | 21 - .../moon/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/moon/etc/ipsec.d/certs/moonCert.pem | 20 - .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 7 - .../ecdsa-pkcs8/hosts/moon/etc/ipsec.secrets | 3 - .../ecdsa-pkcs8/hosts/moon/etc/strongswan.conf 
| 2 +- .../hosts/moon/etc/swanctl/ecdsa/moonKey.pem | 7 + .../hosts/moon/etc/swanctl/swanctl.conf | 25 + .../hosts/moon/etc/swanctl/x509/moonCert.pem | 20 + .../moon/etc/swanctl/x509ca/strongswanCert.pem | 15 + .../tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat | 11 +- .../tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat | 13 +- testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf | 4 + .../openssl-ikev2/net2net-pgp-v3/description.txt | 6 - .../openssl-ikev2/net2net-pgp-v3/evaltest.dat | 7 - .../net2net-pgp-v3/hosts/moon/etc/ipsec.conf | 24 - .../hosts/moon/etc/ipsec.d/certs/moonCert.asc | 15 - .../hosts/moon/etc/ipsec.d/certs/sunCert.asc | 15 - .../hosts/moon/etc/ipsec.d/private/moonKey.asc | 19 - .../net2net-pgp-v3/hosts/moon/etc/ipsec.secrets | 3 - .../net2net-pgp-v3/hosts/moon/etc/strongswan.conf | 6 - .../net2net-pgp-v3/hosts/sun/etc/ipsec.conf | 24 - .../hosts/sun/etc/ipsec.d/certs/moonCert.asc | 15 - .../hosts/sun/etc/ipsec.d/certs/sunCert.asc | 15 - .../hosts/sun/etc/ipsec.d/private/sunKey.asc | 19 - .../net2net-pgp-v3/hosts/sun/etc/ipsec.secrets | 3 - .../net2net-pgp-v3/hosts/sun/etc/strongswan.conf | 6 - .../openssl-ikev2/net2net-pgp-v3/posttest.dat | 8 - .../tests/openssl-ikev2/net2net-pgp-v3/pretest.dat | 9 - .../tests/openssl-ikev2/net2net-pgp-v3/test.conf | 21 - .../openssl-ikev2/net2net-pkcs12/description.txt | 4 +- .../openssl-ikev2/net2net-pkcs12/evaltest.dat | 6 +- .../net2net-pkcs12/hosts/moon/etc/ipsec.conf | 23 - .../hosts/moon/etc/ipsec.d/private/moonCert.p12 | Bin 3661 -> 0 bytes .../net2net-pkcs12/hosts/moon/etc/ipsec.secrets | 3 - .../net2net-pkcs12/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/pkcs12/moonCert.p12 | Bin 0 -> 3661 bytes .../hosts/moon/etc/swanctl/swanctl.conf | 36 + .../net2net-pkcs12/hosts/sun/etc/ipsec.conf | 23 - .../hosts/sun/etc/ipsec.d/private/sunCert.p12 | Bin 3661 -> 0 bytes .../net2net-pkcs12/hosts/sun/etc/ipsec.secrets | 8 - .../net2net-pkcs12/hosts/sun/etc/strongswan.conf | 2 +- 
.../hosts/sun/etc/swanctl/pkcs12/sunCert.p12 | Bin 0 -> 3661 bytes .../hosts/sun/etc/swanctl/swanctl.conf | 36 + .../openssl-ikev2/net2net-pkcs12/posttest.dat | 8 +- .../tests/openssl-ikev2/net2net-pkcs12/pretest.dat | 16 +- .../tests/openssl-ikev2/net2net-pkcs12/test.conf | 6 +- .../tests/openssl-ikev2/rw-cert/description.txt | 9 +- testing/tests/openssl-ikev2/rw-cert/evaltest.dat | 13 +- .../rw-cert/hosts/carol/etc/ipsec.conf | 21 - .../rw-cert/hosts/carol/etc/strongswan.conf | 2 +- .../rw-cert/hosts/carol/etc/swanctl/swanctl.conf | 27 + .../rw-cert/hosts/dave/etc/ipsec.conf | 21 - .../rw-cert/hosts/dave/etc/strongswan.conf | 2 +- .../rw-cert/hosts/dave/etc/swanctl/swanctl.conf | 27 + .../rw-cert/hosts/moon/etc/ipsec.conf | 20 - .../rw-cert/hosts/moon/etc/strongswan.conf | 2 +- .../rw-cert/hosts/moon/etc/swanctl/swanctl.conf | 25 + testing/tests/openssl-ikev2/rw-cert/posttest.dat | 8 +- testing/tests/openssl-ikev2/rw-cert/pretest.dat | 13 +- testing/tests/openssl-ikev2/rw-cert/test.conf | 4 + .../openssl-ikev2/rw-eap-tls-only/description.txt | 5 - .../openssl-ikev2/rw-eap-tls-only/evaltest.dat | 10 - .../rw-eap-tls-only/hosts/carol/etc/ipsec.conf | 22 - .../carol/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 18 - .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 8 - .../rw-eap-tls-only/hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 11 - .../rw-eap-tls-only/hosts/moon/etc/ipsec.conf | 21 - .../moon/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/moon/etc/ipsec.d/certs/moonCert.pem | 20 - .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 7 - .../rw-eap-tls-only/hosts/moon/etc/ipsec.secrets | 3 - .../rw-eap-tls-only/hosts/moon/etc/strongswan.conf | 15 - .../openssl-ikev2/rw-eap-tls-only/posttest.dat | 4 - .../openssl-ikev2/rw-eap-tls-only/pretest.dat | 7 - .../tests/openssl-ikev2/rw-eap-tls-only/test.conf | 21 - .../openssl-ikev2/rw-suite-b-128/description.txt | 12 - 
.../openssl-ikev2/rw-suite-b-128/evaltest.dat | 11 - .../rw-suite-b-128/hosts/carol/etc/ipsec.conf | 22 - .../carol/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 18 - .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 7 - .../rw-suite-b-128/hosts/carol/etc/ipsec.secrets | 3 - .../rw-suite-b-128/hosts/carol/etc/iptables.flush | 21 - .../rw-suite-b-128/hosts/carol/etc/iptables.rules | 32 - .../rw-suite-b-128/hosts/carol/etc/strongswan.conf | 19 - .../rw-suite-b-128/hosts/dave/etc/ipsec.conf | 21 - .../dave/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 18 - .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 5 - .../rw-suite-b-128/hosts/dave/etc/ipsec.secrets | 3 - .../rw-suite-b-128/hosts/dave/etc/iptables.flush | 21 - .../rw-suite-b-128/hosts/dave/etc/iptables.rules | 32 - .../rw-suite-b-128/hosts/dave/etc/strongswan.conf | 19 - .../rw-suite-b-128/hosts/moon/etc/ipsec.conf | 21 - .../moon/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/moon/etc/ipsec.d/certs/moonCert.pem | 18 - .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 5 - .../rw-suite-b-128/hosts/moon/etc/ipsec.secrets | 3 - .../rw-suite-b-128/hosts/moon/etc/iptables.flush | 21 - .../rw-suite-b-128/hosts/moon/etc/iptables.rules | 32 - .../rw-suite-b-128/hosts/moon/etc/strongswan.conf | 18 - .../openssl-ikev2/rw-suite-b-128/posttest.dat | 6 - .../tests/openssl-ikev2/rw-suite-b-128/pretest.dat | 11 - .../tests/openssl-ikev2/rw-suite-b-128/test.conf | 21 - .../openssl-ikev2/rw-suite-b-192/description.txt | 12 - .../openssl-ikev2/rw-suite-b-192/evaltest.dat | 11 - .../rw-suite-b-192/hosts/carol/etc/ipsec.conf | 22 - .../carol/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 19 - .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 8 - .../rw-suite-b-192/hosts/carol/etc/ipsec.secrets | 3 - .../rw-suite-b-192/hosts/carol/etc/iptables.flush | 21 - 
.../rw-suite-b-192/hosts/carol/etc/iptables.rules | 32 - .../rw-suite-b-192/hosts/carol/etc/strongswan.conf | 19 - .../rw-suite-b-192/hosts/dave/etc/ipsec.conf | 21 - .../dave/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 19 - .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 6 - .../rw-suite-b-192/hosts/dave/etc/ipsec.secrets | 3 - .../rw-suite-b-192/hosts/dave/etc/iptables.flush | 21 - .../rw-suite-b-192/hosts/dave/etc/iptables.rules | 32 - .../rw-suite-b-192/hosts/dave/etc/strongswan.conf | 19 - .../rw-suite-b-192/hosts/moon/etc/ipsec.conf | 21 - .../moon/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/moon/etc/ipsec.d/certs/moonCert.pem | 19 - .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 6 - .../rw-suite-b-192/hosts/moon/etc/ipsec.secrets | 3 - .../rw-suite-b-192/hosts/moon/etc/iptables.flush | 21 - .../rw-suite-b-192/hosts/moon/etc/iptables.rules | 32 - .../rw-suite-b-192/hosts/moon/etc/strongswan.conf | 18 - .../openssl-ikev2/rw-suite-b-192/posttest.dat | 6 - .../tests/openssl-ikev2/rw-suite-b-192/pretest.dat | 11 - .../tests/openssl-ikev2/rw-suite-b-192/test.conf | 21 - .../rw-shared-vti-ip6-in-ip4/evaltest.dat | 4 +- testing/tests/sql/rw-psk-ipv6/evaltest.dat | 4 +- testing/tests/swanctl/config-payload/evaltest.dat | 8 +- .../swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf | 9 - testing/tests/swanctl/frags-ipv6/evaltest.dat | 4 +- .../tests/swanctl/host2host-cert/description.txt | 6 + testing/tests/swanctl/host2host-cert/evaltest.dat | 6 + .../host2host-cert/hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 30 + .../host2host-cert/hosts/sun/etc/strongswan.conf | 9 + .../hosts/sun/etc/swanctl/swanctl.conf | 30 + testing/tests/swanctl/host2host-cert/posttest.dat | 5 + testing/tests/swanctl/host2host-cert/pretest.dat | 7 + testing/tests/swanctl/host2host-cert/test.conf | 25 + .../swanctl/host2host-transport/description.txt | 6 + 
.../tests/swanctl/host2host-transport/evaltest.dat | 6 + .../hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 31 + .../hosts/sun/etc/strongswan.conf | 9 + .../hosts/sun/etc/swanctl/swanctl.conf | 31 + .../tests/swanctl/host2host-transport/posttest.dat | 5 + .../tests/swanctl/host2host-transport/pretest.dat | 7 + .../tests/swanctl/host2host-transport/test.conf | 25 + testing/tests/swanctl/ip-pool-db/evaltest.dat | 8 +- testing/tests/swanctl/ip-pool/evaltest.dat | 8 +- .../tests/swanctl/ip-two-pools-db/description.txt | 14 + testing/tests/swanctl/ip-two-pools-db/evaltest.dat | 35 + .../hosts/alice/etc/strongswan.conf | 9 + .../hosts/alice/etc/swanctl/swanctl.conf | 27 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../ip-two-pools-db/hosts/dave/etc/strongswan.conf | 9 + .../hosts/dave/etc/swanctl/swanctl.conf | 27 + .../ip-two-pools-db/hosts/moon/etc/iptables.rules | 43 + .../ip-two-pools-db/hosts/moon/etc/strongswan.conf | 20 + .../hosts/moon/etc/swanctl/swanctl.conf | 48 + .../hosts/venus/etc/strongswan.conf | 9 + .../hosts/venus/etc/swanctl/swanctl.conf | 27 + testing/tests/swanctl/ip-two-pools-db/posttest.dat | 18 + testing/tests/swanctl/ip-two-pools-db/pretest.dat | 30 + testing/tests/swanctl/ip-two-pools-db/test.conf | 29 + testing/tests/swanctl/ip-two-pools/description.txt | 9 + testing/tests/swanctl/ip-two-pools/evaltest.dat | 18 + .../ip-two-pools/hosts/alice/etc/strongswan.conf | 9 + .../hosts/alice/etc/swanctl/swanctl.conf | 26 + .../ip-two-pools/hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 26 + .../ip-two-pools/hosts/moon/etc/iptables.rules | 43 + .../ip-two-pools/hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 55 + testing/tests/swanctl/ip-two-pools/posttest.dat | 8 + testing/tests/swanctl/ip-two-pools/pretest.dat | 11 + testing/tests/swanctl/ip-two-pools/test.conf | 25 + 
.../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 58 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 2 + .../hosts/alice/etc/freeradius/modules/sim_files | 3 - .../alice/etc/freeradius/sites-available/default | 13 +- .../hosts/alice/etc/freeradius/triplets.dat | 6 - .../hosts/alice/etc/freeradius/users | 2 + .../swanctl/mult-auth-rsa-eap-sim-id/posttest.dat | 2 +- .../swanctl/mult-auth-rsa-eap-sim-id/pretest.dat | 6 +- testing/tests/swanctl/nat-rw-psk/description.txt | 8 + testing/tests/swanctl/nat-rw-psk/evaltest.dat | 14 + .../nat-rw-psk/hosts/alice/etc/strongswan.conf | 7 + .../hosts/alice/etc/swanctl/swanctl.conf | 33 + .../nat-rw-psk/hosts/sun/etc/iptables.rules | 24 + .../nat-rw-psk/hosts/sun/etc/strongswan.conf | 5 + .../nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf | 36 + .../nat-rw-psk/hosts/venus/etc/strongswan.conf | 7 + .../hosts/venus/etc/swanctl/swanctl.conf | 34 + testing/tests/swanctl/nat-rw-psk/posttest.dat | 7 + testing/tests/swanctl/nat-rw-psk/pretest.dat | 16 + testing/tests/swanctl/nat-rw-psk/test.conf | 25 + testing/tests/swanctl/nat-rw/description.txt | 8 + testing/tests/swanctl/nat-rw/evaltest.dat | 14 + .../swanctl/nat-rw/hosts/alice/etc/strongswan.conf | 7 + .../nat-rw/hosts/alice/etc/swanctl/swanctl.conf | 27 + .../swanctl/nat-rw/hosts/sun/etc/iptables.rules | 24 + .../swanctl/nat-rw/hosts/sun/etc/strongswan.conf | 5 + .../nat-rw/hosts/sun/etc/swanctl/swanctl.conf | 26 + .../swanctl/nat-rw/hosts/venus/etc/strongswan.conf | 7 + .../nat-rw/hosts/venus/etc/swanctl/swanctl.conf | 27 + testing/tests/swanctl/nat-rw/posttest.dat | 7 + testing/tests/swanctl/nat-rw/pretest.dat | 13 + testing/tests/swanctl/nat-rw/test.conf | 25 + testing/tests/swanctl/net2net-psk/description.txt | 7 + testing/tests/swanctl/net2net-psk/evaltest.dat | 5 + .../net2net-psk/hosts/moon/etc/strongswan.conf | 9 + 
.../hosts/moon/etc/swanctl/swanctl.conf | 55 + .../net2net-psk/hosts/sun/etc/strongswan.conf | 9 + .../net2net-psk/hosts/sun/etc/swanctl/swanctl.conf | 40 + testing/tests/swanctl/net2net-psk/posttest.dat | 5 + testing/tests/swanctl/net2net-psk/pretest.dat | 9 + testing/tests/swanctl/net2net-psk/test.conf | 25 + testing/tests/swanctl/rw-cert-pss/evaltest.dat | 8 +- testing/tests/swanctl/rw-cert/description.txt | 3 +- .../swanctl/rw-eap-aka-id-rsa/description.txt | 11 + .../tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat | 10 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 + .../hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 35 + .../tests/swanctl/rw-eap-aka-id-rsa/posttest.dat | 5 + .../tests/swanctl/rw-eap-aka-id-rsa/pretest.dat | 8 + testing/tests/swanctl/rw-eap-aka-id-rsa/test.conf | 25 + .../tests/swanctl/rw-eap-aka-rsa/description.txt | 8 + testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat | 9 + .../rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 34 + .../rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 34 + testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat | 5 + testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat | 8 + testing/tests/swanctl/rw-eap-aka-rsa/test.conf | 25 + .../swanctl/rw-eap-md5-id-radius/description.txt | 10 + .../swanctl/rw-eap-md5-id-radius/evaltest.dat | 10 + .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 5 + .../etc/freeradius/3.0/sites-available/default | 59 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 1 + .../hosts/alice/etc/freeradius/eap.conf | 5 + .../hosts/alice/etc/freeradius/proxy.conf | 5 + .../alice/etc/freeradius/sites-available/default | 43 + .../hosts/alice/etc/freeradius/users | 1 + .../hosts/carol/etc/strongswan.conf | 9 + 
.../hosts/carol/etc/swanctl/swanctl.conf | 35 + .../hosts/moon/etc/iptables.rules | 32 + .../hosts/moon/etc/strongswan.conf | 16 + .../hosts/moon/etc/swanctl/swanctl.conf | 28 + .../swanctl/rw-eap-md5-id-radius/posttest.dat | 5 + .../tests/swanctl/rw-eap-md5-id-radius/pretest.dat | 9 + .../tests/swanctl/rw-eap-md5-id-radius/test.conf | 29 + .../swanctl/rw-eap-md5-radius/description.txt | 7 + .../tests/swanctl/rw-eap-md5-radius/evaltest.dat | 9 + .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 5 + .../etc/freeradius/3.0/sites-available/default | 59 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 1 + .../hosts/alice/etc/freeradius/eap.conf | 5 + .../hosts/alice/etc/freeradius/proxy.conf | 5 + .../alice/etc/freeradius/sites-available/default | 43 + .../hosts/alice/etc/freeradius/users | 1 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 34 + .../hosts/moon/etc/iptables.rules | 32 + .../hosts/moon/etc/strongswan.conf | 16 + .../hosts/moon/etc/swanctl/swanctl.conf | 27 + .../tests/swanctl/rw-eap-md5-radius/posttest.dat | 5 + .../tests/swanctl/rw-eap-md5-radius/pretest.dat | 9 + testing/tests/swanctl/rw-eap-md5-radius/test.conf | 29 + .../tests/swanctl/rw-eap-md5-rsa/description.txt | 7 + testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat | 10 + .../rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 34 + .../rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 39 + testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat | 5 + testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat | 8 + testing/tests/swanctl/rw-eap-md5-rsa/test.conf | 25 + .../swanctl/rw-eap-mschapv2-id-rsa/description.txt | 10 + .../swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat | 11 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 34 + 
.../hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 40 + .../swanctl/rw-eap-mschapv2-id-rsa/posttest.dat | 5 + .../swanctl/rw-eap-mschapv2-id-rsa/pretest.dat | 8 + .../tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf | 25 + .../tests/swanctl/rw-eap-peap-md5/description.txt | 10 + testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat | 17 + .../hosts/carol/etc/strongswan.conf | 20 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 + .../rw-eap-peap-md5/hosts/dave/etc/strongswan.conf | 20 + .../hosts/dave/etc/swanctl/swanctl.conf | 35 + .../rw-eap-peap-md5/hosts/moon/etc/strongswan.conf | 22 + .../hosts/moon/etc/swanctl/swanctl.conf | 37 + testing/tests/swanctl/rw-eap-peap-md5/posttest.dat | 6 + testing/tests/swanctl/rw-eap-peap-md5/pretest.dat | 13 + testing/tests/swanctl/rw-eap-peap-md5/test.conf | 25 + .../swanctl/rw-eap-peap-mschapv2/description.txt | 8 + .../swanctl/rw-eap-peap-mschapv2/evaltest.dat | 17 + .../hosts/carol/etc/strongswan.conf | 20 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 + .../hosts/dave/etc/strongswan.conf | 20 + .../hosts/dave/etc/swanctl/swanctl.conf | 35 + .../hosts/moon/etc/strongswan.conf | 21 + .../hosts/moon/etc/swanctl/swanctl.conf | 37 + .../swanctl/rw-eap-peap-mschapv2/posttest.dat | 6 + .../tests/swanctl/rw-eap-peap-mschapv2/pretest.dat | 13 + .../tests/swanctl/rw-eap-peap-mschapv2/test.conf | 25 + .../swanctl/rw-eap-peap-radius/description.txt | 9 + .../tests/swanctl/rw-eap-peap-radius/evaltest.dat | 17 + .../alice/etc/freeradius/3.0/mods-available/eap | 21 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 5 + .../etc/freeradius/3.0/sites-available/default | 59 + .../freeradius/3.0/sites-available/inner-tunnel | 38 + .../hosts/alice/etc/freeradius/3.0/users | 2 + .../hosts/alice/etc/freeradius/eap.conf | 18 + .../hosts/alice/etc/freeradius/proxy.conf | 5 + .../alice/etc/freeradius/sites-available/default | 43 + .../etc/freeradius/sites-available/inner-tunnel | 32 + .../hosts/alice/etc/freeradius/users | 
2 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 + .../hosts/dave/etc/strongswan.conf | 9 + .../hosts/dave/etc/swanctl/swanctl.conf | 35 + .../hosts/moon/etc/iptables.rules | 32 + .../hosts/moon/etc/strongswan.conf | 16 + .../hosts/moon/etc/swanctl/swanctl.conf | 27 + .../tests/swanctl/rw-eap-peap-radius/posttest.dat | 7 + .../tests/swanctl/rw-eap-peap-radius/pretest.dat | 14 + testing/tests/swanctl/rw-eap-peap-radius/test.conf | 29 + .../swanctl/rw-eap-sim-id-radius/description.txt | 13 + .../swanctl/rw-eap-sim-id-radius/evaltest.dat | 10 + .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 58 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 1 + .../hosts/alice/etc/freeradius/eap.conf | 5 + .../hosts/alice/etc/freeradius/proxy.conf | 5 + .../alice/etc/freeradius/sites-available/default | 53 + .../hosts/alice/etc/freeradius/users | 1 + .../hosts/carol/etc/ipsec.d/triplets.dat | 3 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../hosts/moon/etc/iptables.rules | 32 + .../hosts/moon/etc/strongswan.conf | 16 + .../hosts/moon/etc/swanctl/swanctl.conf | 27 + .../swanctl/rw-eap-sim-id-radius/posttest.dat | 5 + .../tests/swanctl/rw-eap-sim-id-radius/pretest.dat | 10 + .../tests/swanctl/rw-eap-sim-id-radius/test.conf | 29 + .../swanctl/rw-eap-sim-only-radius/description.txt | 15 + .../swanctl/rw-eap-sim-only-radius/evaltest.dat | 13 + .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 59 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 2 + .../hosts/alice/etc/freeradius/eap.conf | 5 + .../hosts/alice/etc/freeradius/proxy.conf | 5 + .../alice/etc/freeradius/sites-available/default | 72 + 
.../hosts/alice/etc/freeradius/users | 2 + .../hosts/carol/etc/ipsec.d/triplets.dat | 3 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 26 + .../hosts/dave/etc/ipsec.d/triplets.dat | 3 + .../hosts/dave/etc/strongswan.conf | 9 + .../hosts/dave/etc/swanctl/swanctl.conf | 26 + .../hosts/moon/etc/iptables.rules | 32 + .../hosts/moon/etc/strongswan.conf | 16 + .../hosts/moon/etc/swanctl/swanctl.conf | 26 + .../swanctl/rw-eap-sim-only-radius/posttest.dat | 7 + .../swanctl/rw-eap-sim-only-radius/pretest.dat | 16 + .../tests/swanctl/rw-eap-sim-only-radius/test.conf | 29 + .../swanctl/rw-eap-sim-radius/description.txt | 15 + .../tests/swanctl/rw-eap-sim-radius/evaltest.dat | 13 + .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 59 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 2 + .../hosts/alice/etc/freeradius/eap.conf | 5 + .../hosts/alice/etc/freeradius/proxy.conf | 5 + .../alice/etc/freeradius/sites-available/default | 72 + .../hosts/alice/etc/freeradius/users | 2 + .../hosts/carol/etc/ipsec.d/triplets.dat | 3 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 26 + .../hosts/dave/etc/ipsec.d/triplets.dat | 3 + .../hosts/dave/etc/strongswan.conf | 9 + .../hosts/dave/etc/swanctl/swanctl.conf | 26 + .../hosts/moon/etc/iptables.rules | 32 + .../hosts/moon/etc/strongswan.conf | 16 + .../hosts/moon/etc/swanctl/swanctl.conf | 26 + .../tests/swanctl/rw-eap-sim-radius/posttest.dat | 7 + .../tests/swanctl/rw-eap-sim-radius/pretest.dat | 16 + testing/tests/swanctl/rw-eap-sim-radius/test.conf | 29 + .../tests/swanctl/rw-eap-sim-rsa/description.txt | 8 + testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat | 9 + .../hosts/carol/etc/ipsec.d/triplets.dat | 3 + .../rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 26 + 
.../hosts/moon/etc/ipsec.d/triplets.dat | 3 + .../rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 26 + testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat | 5 + testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat | 8 + testing/tests/swanctl/rw-eap-sim-rsa/test.conf | 25 + .../tests/swanctl/rw-eap-tls-only/description.txt | 4 + testing/tests/swanctl/rw-eap-tls-only/evaltest.dat | 10 + .../hosts/carol/etc/strongswan.conf | 16 + .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../rw-eap-tls-only/hosts/moon/etc/strongswan.conf | 20 + .../hosts/moon/etc/swanctl/swanctl.conf | 25 + testing/tests/swanctl/rw-eap-tls-only/posttest.dat | 5 + testing/tests/swanctl/rw-eap-tls-only/pretest.dat | 7 + testing/tests/swanctl/rw-eap-tls-only/test.conf | 25 + .../swanctl/rw-eap-tls-radius/description.txt | 7 + .../tests/swanctl/rw-eap-tls-radius/evaltest.dat | 9 + .../alice/etc/freeradius/3.0/mods-available/eap | 16 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 55 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 0 .../hosts/alice/etc/freeradius/eap.conf | 13 + .../hosts/alice/etc/freeradius/proxy.conf | 5 + .../alice/etc/freeradius/sites-available/default | 41 + .../hosts/alice/etc/freeradius/users | 1 + .../hosts/carol/etc/strongswan.conf | 16 + .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../hosts/moon/etc/iptables.rules | 32 + .../hosts/moon/etc/strongswan.conf | 16 + .../hosts/moon/etc/swanctl/swanctl.conf | 26 + .../tests/swanctl/rw-eap-tls-radius/posttest.dat | 5 + .../tests/swanctl/rw-eap-tls-radius/pretest.dat | 8 + testing/tests/swanctl/rw-eap-tls-radius/test.conf | 29 + .../tests/swanctl/rw-eap-ttls-only/description.txt | 11 + .../tests/swanctl/rw-eap-ttls-only/evaltest.dat | 17 + .../hosts/carol/etc/strongswan.conf | 20 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 + .../hosts/dave/etc/strongswan.conf | 20 + 
.../hosts/dave/etc/swanctl/swanctl.conf | 35 + .../hosts/moon/etc/strongswan.conf | 21 + .../hosts/moon/etc/swanctl/swanctl.conf | 37 + .../tests/swanctl/rw-eap-ttls-only/posttest.dat | 6 + testing/tests/swanctl/rw-eap-ttls-only/pretest.dat | 13 + testing/tests/swanctl/rw-eap-ttls-only/test.conf | 25 + .../swanctl/rw-eap-ttls-radius/description.txt | 9 + .../tests/swanctl/rw-eap-ttls-radius/evaltest.dat | 17 + .../alice/etc/freeradius/3.0/mods-available/eap | 21 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 5 + .../etc/freeradius/3.0/sites-available/default | 59 + .../freeradius/3.0/sites-available/inner-tunnel | 38 + .../hosts/alice/etc/freeradius/3.0/users | 2 + .../hosts/alice/etc/freeradius/eap.conf | 18 + .../hosts/alice/etc/freeradius/proxy.conf | 5 + .../alice/etc/freeradius/sites-available/default | 43 + .../etc/freeradius/sites-available/inner-tunnel | 32 + .../hosts/alice/etc/freeradius/users | 2 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 + .../hosts/dave/etc/strongswan.conf | 9 + .../hosts/dave/etc/swanctl/swanctl.conf | 35 + .../hosts/moon/etc/iptables.rules | 32 + .../hosts/moon/etc/strongswan.conf | 16 + .../hosts/moon/etc/swanctl/swanctl.conf | 27 + .../tests/swanctl/rw-eap-ttls-radius/posttest.dat | 7 + .../tests/swanctl/rw-eap-ttls-radius/pretest.dat | 14 + testing/tests/swanctl/rw-eap-ttls-radius/test.conf | 29 + testing/tests/tnc/tnccs-11-fhh/description.txt | 13 - testing/tests/tnc/tnccs-11-fhh/evaltest.dat | 18 - .../tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon | 158 - .../tnccs-11-fhh/hosts/carol/etc/strongswan.conf | 22 - .../hosts/carol/etc/swanctl/swanctl.conf | 35 - .../tnccs-11-fhh/hosts/carol/etc/tnc/dummyimc.file | 1 - .../hosts/carol/etc/tnc/log4cxx.properties | 15 - .../tnc/tnccs-11-fhh/hosts/carol/etc/tnc_config | 4 - .../tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon | 158 - .../tnccs-11-fhh/hosts/dave/etc/strongswan.conf | 22 - .../hosts/dave/etc/swanctl/swanctl.conf | 35 - 
.../tnccs-11-fhh/hosts/dave/etc/tnc/dummyimc.file | 1 - .../hosts/dave/etc/tnc/log4cxx.properties | 15 - .../tnc/tnccs-11-fhh/hosts/dave/etc/tnc_config | 4 - .../tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon | 158 - .../tnccs-11-fhh/hosts/moon/etc/strongswan.conf | 28 - .../hosts/moon/etc/swanctl/swanctl.conf | 64 - .../hosts/moon/etc/tnc/dummyimv.policy | 1 - .../hosts/moon/etc/tnc/hostscannerimv.policy | 40 - .../hosts/moon/etc/tnc/log4cxx.properties | 15 - .../tnc/tnccs-11-fhh/hosts/moon/etc/tnc_config | 4 - testing/tests/tnc/tnccs-11-fhh/posttest.dat | 6 - testing/tests/tnc/tnccs-11-fhh/pretest.dat | 20 - testing/tests/tnc/tnccs-11-fhh/test.conf | 28 - .../tnc/tnccs-11-radius-block/description.txt | 14 - .../tests/tnc/tnccs-11-radius-block/evaltest.dat | 15 - .../hosts/alice/etc/freeradius/eap.conf | 25 - .../hosts/alice/etc/freeradius/proxy.conf | 5 - .../alice/etc/freeradius/sites-available/default | 43 - .../etc/freeradius/sites-available/inner-tunnel | 32 - .../freeradius/sites-available/inner-tunnel-second | 36 - .../hosts/alice/etc/freeradius/users | 2 - .../hosts/alice/etc/strongswan.conf | 12 - .../hosts/alice/etc/tnc/log4cxx.properties | 15 - .../hosts/alice/etc/tnc_config | 4 - .../hosts/carol/etc/strongswan.conf | 27 - .../hosts/carol/etc/swanctl/swanctl.conf | 35 - .../hosts/carol/etc/tnc_config | 4 - .../hosts/dave/etc/strongswan.conf | 30 - .../hosts/dave/etc/swanctl/swanctl.conf | 35 - .../hosts/dave/etc/tnc_config | 4 - .../hosts/moon/etc/iptables.rules | 32 - .../hosts/moon/etc/strongswan.conf | 15 - .../hosts/moon/etc/swanctl/swanctl.conf | 27 - .../tests/tnc/tnccs-11-radius-block/posttest.dat | 8 - .../tests/tnc/tnccs-11-radius-block/pretest.dat | 21 - testing/tests/tnc/tnccs-11-radius-block/test.conf | 29 - .../tests/tnc/tnccs-11-radius-pts/description.txt | 14 - testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat | 18 - .../hosts/alice/etc/freeradius/eap.conf | 25 - .../hosts/alice/etc/freeradius/proxy.conf | 5 - 
.../alice/etc/freeradius/sites-available/default | 43 - .../etc/freeradius/sites-available/inner-tunnel | 32 - .../freeradius/sites-available/inner-tunnel-second | 36 - .../hosts/alice/etc/freeradius/users | 2 - .../hosts/alice/etc/pts/data1.sql | 29 - .../hosts/alice/etc/strongswan.conf | 13 - .../hosts/alice/etc/tnc/log4cxx.properties | 15 - .../tnccs-11-radius-pts/hosts/alice/etc/tnc_config | 4 - .../hosts/carol/etc/strongswan.conf | 19 - .../hosts/carol/etc/swanctl/swanctl.conf | 35 - .../tnccs-11-radius-pts/hosts/carol/etc/tnc_config | 4 - .../hosts/dave/etc/strongswan.conf | 20 - .../hosts/dave/etc/swanctl/swanctl.conf | 35 - .../tnccs-11-radius-pts/hosts/dave/etc/tnc_config | 4 - .../hosts/moon/etc/iptables.rules | 32 - .../hosts/moon/etc/strongswan.conf | 15 - .../hosts/moon/etc/swanctl/swanctl.conf | 53 - testing/tests/tnc/tnccs-11-radius-pts/posttest.dat | 9 - testing/tests/tnc/tnccs-11-radius-pts/pretest.dat | 28 - testing/tests/tnc/tnccs-11-radius-pts/test.conf | 33 - testing/tests/tnc/tnccs-11-radius/description.txt | 13 - testing/tests/tnc/tnccs-11-radius/evaltest.dat | 18 - .../hosts/alice/etc/freeradius/eap.conf | 25 - .../hosts/alice/etc/freeradius/proxy.conf | 5 - .../alice/etc/freeradius/sites-available/default | 43 - .../etc/freeradius/sites-available/inner-tunnel | 32 - .../freeradius/sites-available/inner-tunnel-second | 36 - .../hosts/alice/etc/freeradius/users | 2 - .../hosts/alice/etc/strongswan.conf | 12 - .../hosts/alice/etc/tnc/log4cxx.properties | 15 - .../tnc/tnccs-11-radius/hosts/alice/etc/tnc_config | 4 - .../hosts/carol/etc/strongswan.conf | 30 - .../hosts/carol/etc/swanctl/swanctl.conf | 35 - .../tnc/tnccs-11-radius/hosts/carol/etc/tnc_config | 4 - .../tnccs-11-radius/hosts/dave/etc/strongswan.conf | 30 - .../hosts/dave/etc/swanctl/swanctl.conf | 35 - .../tnc/tnccs-11-radius/hosts/dave/etc/tnc_config | 4 - .../tnccs-11-radius/hosts/moon/etc/iptables.rules | 32 - .../tnccs-11-radius/hosts/moon/etc/strongswan.conf | 15 - 
.../hosts/moon/etc/swanctl/swanctl.conf | 53 - testing/tests/tnc/tnccs-11-radius/posttest.dat | 8 - testing/tests/tnc/tnccs-11-radius/pretest.dat | 22 - testing/tests/tnc/tnccs-11-radius/test.conf | 29 - .../tests/tnc/tnccs-11-supplicant/description.txt | 12 - testing/tests/tnc/tnccs-11-supplicant/evaltest.dat | 2 - .../hosts/alice/etc/freeradius/eap.conf | 25 - .../hosts/alice/etc/freeradius/proxy.conf | 5 - .../alice/etc/freeradius/sites-available/default | 43 - .../etc/freeradius/sites-available/inner-tunnel | 32 - .../freeradius/sites-available/inner-tunnel-second | 36 - .../hosts/alice/etc/freeradius/users | 2 - .../hosts/alice/etc/strongswan.conf | 12 - .../hosts/alice/etc/tnc/log4cxx.properties | 15 - .../tnccs-11-supplicant/hosts/alice/etc/tnc_config | 4 - .../hosts/carol/etc/strongswan.conf | 11 - .../hosts/carol/etc/swanctl/swanctl.conf | 1 - .../tnccs-11-supplicant/hosts/carol/etc/tnc_config | 4 - .../hosts/carol/etc/wpa_supplicant.conf | 10 - .../hosts/dave/etc/strongswan.conf | 11 - .../hosts/dave/etc/swanctl/swanctl.conf | 1 - .../tnccs-11-supplicant/hosts/dave/etc/tnc_config | 4 - .../hosts/dave/etc/wpa_supplicant.conf | 10 - .../hosts/moon/etc/hostapd/hostapd.conf | 1127 ---- testing/tests/tnc/tnccs-11-supplicant/posttest.dat | 5 - testing/tests/tnc/tnccs-11-supplicant/pretest.dat | 11 - testing/tests/tnc/tnccs-11-supplicant/test.conf | 29 - .../hosts/carol/etc/pts/collector.sql | 39 + testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat | 1 + testing/tests/tnc/tnccs-20-fhh/description.txt | 13 - testing/tests/tnc/tnccs-20-fhh/evaltest.dat | 18 - .../tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon | 158 - .../tnccs-20-fhh/hosts/carol/etc/strongswan.conf | 18 - .../hosts/carol/etc/swanctl/swanctl.conf | 35 - .../tnccs-20-fhh/hosts/carol/etc/tnc/dummyimc.file | 1 - .../hosts/carol/etc/tnc/log4cxx.properties | 15 - .../tnc/tnccs-20-fhh/hosts/carol/etc/tnc_config | 3 - .../tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon | 158 - 
.../tnccs-20-fhh/hosts/dave/etc/strongswan.conf | 17 - .../hosts/dave/etc/swanctl/swanctl.conf | 35 - .../tnccs-20-fhh/hosts/dave/etc/tnc/dummyimc.file | 1 - .../hosts/dave/etc/tnc/log4cxx.properties | 15 - .../tnc/tnccs-20-fhh/hosts/dave/etc/tnc_config | 3 - .../tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon | 158 - .../tnccs-20-fhh/hosts/moon/etc/strongswan.conf | 21 - .../hosts/moon/etc/swanctl/swanctl.conf | 64 - .../hosts/moon/etc/tnc/dummyimv.policy | 1 - .../hosts/moon/etc/tnc/hostscannerimv.policy | 40 - .../hosts/moon/etc/tnc/log4cxx.properties | 15 - .../tnc/tnccs-20-fhh/hosts/moon/etc/tnc_config | 3 - testing/tests/tnc/tnccs-20-fhh/posttest.dat | 6 - testing/tests/tnc/tnccs-20-fhh/pretest.dat | 20 - testing/tests/tnc/tnccs-20-fhh/test.conf | 29 - .../etc/apache2/sites-available/000-default.conf | 8 +- .../alice/etc/apache2/sites-available/default | 1 - .../etc/apache2/sites-available/000-default.conf | 8 +- .../alice/etc/apache2/sites-available/default | 1 - 1304 files changed, 18947 insertions(+), 17285 deletions(-) delete mode 100644 src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-7-1.swidtag create mode 100644 src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-7-2.swidtag create mode 100644 src/libstrongswan/plugins/botan/botan_aead.c create mode 100644 src/libstrongswan/plugins/botan/botan_aead.h create mode 100644 src/libstrongswan/plugins/botan/botan_ed_private_key.c create mode 100644 src/libstrongswan/plugins/botan/botan_ed_private_key.h create mode 100644 src/libstrongswan/plugins/botan/botan_ed_public_key.c create mode 100644 src/libstrongswan/plugins/botan/botan_ed_public_key.h delete mode 100644 src/libstrongswan/plugins/botan/botan_gcm.c delete mode 100644 src/libstrongswan/plugins/botan/botan_gcm.h create mode 100644 src/libstrongswan/plugins/openssl/openssl_ed_private_key.c create mode 100644 src/libstrongswan/plugins/openssl/openssl_ed_private_key.h create mode 100644 
src/libstrongswan/plugins/openssl/openssl_ed_public_key.c create mode 100644 src/libstrongswan/plugins/openssl/openssl_ed_public_key.h create mode 100644 src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.c create mode 100644 src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.h create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/curve448.c create mode 100644 src/libstrongswan/tests/suites/test_ed448.c create mode 100644 testing/config/kernel/config-4.19 create mode 100644 testing/hosts/alice/etc/freeradius/3.0/clients.conf create mode 100644 testing/hosts/alice/etc/freeradius/3.0/radiusd.conf create mode 100644 testing/hosts/venus/etc/default/isc-dhcp-server delete mode 100644 testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text delete mode 100644 testing/scripts/recipes/001_libtnc.mk delete mode 100644 testing/scripts/recipes/002_tnc-fhh.mk delete mode 100644 testing/scripts/recipes/003_freeradius.mk delete mode 100644 testing/scripts/recipes/004_hostapd.mk delete mode 100644 testing/scripts/recipes/004_wpa_supplicant.mk delete mode 100644 testing/scripts/recipes/patches/freeradius-eap-sim-identity delete mode 100644 testing/scripts/recipes/patches/freeradius-tnc-fhh delete mode 100644 testing/scripts/recipes/patches/hostapd-config delete mode 100644 testing/scripts/recipes/patches/tnc-fhh-tncsim delete mode 100644 testing/scripts/recipes/patches/wpa_supplicant-eap-tnc create mode 100755 testing/tests/botan/net2net-ed25519/description.txt create mode 100755 testing/tests/botan/net2net-ed25519/evaltest.dat create mode 100755 testing/tests/botan/net2net-ed25519/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem create mode 100755 testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem create mode 100644 
testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem create mode 100755 testing/tests/botan/net2net-ed25519/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem create mode 100755 testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem create mode 100644 testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem create mode 100755 testing/tests/botan/net2net-ed25519/posttest.dat create mode 100755 testing/tests/botan/net2net-ed25519/pretest.dat create mode 100755 testing/tests/botan/net2net-ed25519/test.conf create mode 100644 testing/tests/botan/net2net-pkcs12/description.txt create mode 100644 testing/tests/botan/net2net-pkcs12/evaltest.dat create mode 100644 testing/tests/botan/net2net-pkcs12/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12 create mode 100755 testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/botan/net2net-pkcs12/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12 create mode 100755 testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 testing/tests/botan/net2net-pkcs12/posttest.dat create mode 100644 testing/tests/botan/net2net-pkcs12/pretest.dat create mode 100644 testing/tests/botan/net2net-pkcs12/test.conf create mode 100755 testing/tests/botan/net2net-sha3-rsa-cert/description.txt create mode 100755 testing/tests/botan/net2net-sha3-rsa-cert/evaltest.dat create mode 100755 testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem create mode 100755 
testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem create mode 100644 testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem create mode 100755 testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem create mode 100755 testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem create mode 100644 testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem create mode 100755 testing/tests/botan/net2net-sha3-rsa-cert/posttest.dat create mode 100755 testing/tests/botan/net2net-sha3-rsa-cert/pretest.dat create mode 100755 testing/tests/botan/net2net-sha3-rsa-cert/test.conf create mode 100644 testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel 
create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/users delete mode 100644 testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf delete mode 100644 testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/dhcpd.conf delete mode 100644 testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/dhcpd.conf create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users delete mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files delete mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 
testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 
testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users delete mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files delete mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users delete mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files delete mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 
testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users delete mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/modules/sim_files delete mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat delete mode 100644 
testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users delete mode 100644 testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 
testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem create mode 100755 testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem delete mode 100644 
testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem create mode 100755 testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem create mode 100755 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/description.txt delete mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat delete mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf delete mode 100644 
testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat delete mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat delete mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/test.conf delete mode 100644 testing/tests/openssl-ikev2/alg-blowfish/description.txt delete mode 100644 testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat delete mode 100644 testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/alg-blowfish/posttest.dat delete mode 100644 testing/tests/openssl-ikev2/alg-blowfish/pretest.dat delete mode 100644 testing/tests/openssl-ikev2/alg-blowfish/test.conf delete mode 100644 testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf create mode 100755 
testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 
testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der delete mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/rsa/moonKey.pem create mode 100755 testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/x509/moonCert.der delete mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der delete mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/rsa/sunKey.pem create mode 100755 testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/x509/sunCert.der delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem create mode 100755 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 
testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem create mode 100755 testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem create mode 100755 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 
testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/pkcs8/carolKey.pem create mode 100755 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509/carolCert.pem create mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/pkcs8/daveKey.pem create mode 100755 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509/daveCert.pem create mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem delete mode 100644 
testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/ecdsa/moonKey.pem create mode 100755 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509/moonCert.pem create mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat delete mode 100644 
testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf delete mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12 delete mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12 create mode 100755 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12 delete mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets create mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12 create mode 100755 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 
testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/description.txt delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush delete mode 100644 
testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/test.conf delete mode 100644 
testing/tests/openssl-ikev2/rw-suite-b-192/description.txt delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 
testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/test.conf delete mode 100644 testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf create mode 100755 testing/tests/swanctl/host2host-cert/description.txt create mode 100755 testing/tests/swanctl/host2host-cert/evaltest.dat create mode 100755 testing/tests/swanctl/host2host-cert/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/host2host-cert/hosts/sun/etc/strongswan.conf create mode 100755 testing/tests/swanctl/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/host2host-cert/posttest.dat create mode 100755 testing/tests/swanctl/host2host-cert/pretest.dat create mode 100755 testing/tests/swanctl/host2host-cert/test.conf create mode 100755 testing/tests/swanctl/host2host-transport/description.txt create mode 100755 testing/tests/swanctl/host2host-transport/evaltest.dat create mode 100755 testing/tests/swanctl/host2host-transport/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/host2host-transport/hosts/sun/etc/strongswan.conf create 
mode 100755 testing/tests/swanctl/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/host2host-transport/posttest.dat create mode 100755 testing/tests/swanctl/host2host-transport/pretest.dat create mode 100755 testing/tests/swanctl/host2host-transport/test.conf create mode 100755 testing/tests/swanctl/ip-two-pools-db/description.txt create mode 100755 testing/tests/swanctl/ip-two-pools-db/evaltest.dat create mode 100755 testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf create mode 100755 testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/iptables.rules create mode 100755 testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf create mode 100755 testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/ip-two-pools-db/posttest.dat create mode 100755 testing/tests/swanctl/ip-two-pools-db/pretest.dat create mode 100755 testing/tests/swanctl/ip-two-pools-db/test.conf create mode 100755 testing/tests/swanctl/ip-two-pools/description.txt create mode 100755 testing/tests/swanctl/ip-two-pools/evaltest.dat create mode 100755 testing/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf create mode 100755 testing/tests/swanctl/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf create mode 100755 
testing/tests/swanctl/ip-two-pools/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/ip-two-pools/hosts/moon/etc/iptables.rules create mode 100755 testing/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/ip-two-pools/posttest.dat create mode 100755 testing/tests/swanctl/ip-two-pools/pretest.dat create mode 100755 testing/tests/swanctl/ip-two-pools/test.conf create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users delete mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files delete mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat create mode 100644 testing/tests/swanctl/nat-rw-psk/description.txt create mode 100644 testing/tests/swanctl/nat-rw-psk/evaltest.dat create mode 100644 testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf create mode 100755 testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/iptables.rules create mode 100644 testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/strongswan.conf create mode 100755 testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 
testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf create mode 100755 testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/nat-rw-psk/posttest.dat create mode 100644 testing/tests/swanctl/nat-rw-psk/pretest.dat create mode 100644 testing/tests/swanctl/nat-rw-psk/test.conf create mode 100644 testing/tests/swanctl/nat-rw/description.txt create mode 100644 testing/tests/swanctl/nat-rw/evaltest.dat create mode 100644 testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf create mode 100755 testing/tests/swanctl/nat-rw/hosts/alice/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/nat-rw/hosts/sun/etc/iptables.rules create mode 100644 testing/tests/swanctl/nat-rw/hosts/sun/etc/strongswan.conf create mode 100755 testing/tests/swanctl/nat-rw/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf create mode 100755 testing/tests/swanctl/nat-rw/hosts/venus/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/nat-rw/posttest.dat create mode 100644 testing/tests/swanctl/nat-rw/pretest.dat create mode 100644 testing/tests/swanctl/nat-rw/test.conf create mode 100755 testing/tests/swanctl/net2net-psk/description.txt create mode 100755 testing/tests/swanctl/net2net-psk/evaltest.dat create mode 100755 testing/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf create mode 100755 testing/tests/swanctl/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/net2net-psk/posttest.dat create mode 100755 testing/tests/swanctl/net2net-psk/pretest.dat create mode 100755 testing/tests/swanctl/net2net-psk/test.conf create mode 100644 testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt create mode 100644 
testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-aka-id-rsa/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-aka-id-rsa/test.conf create mode 100644 testing/tests/swanctl/rw-eap-aka-rsa/description.txt create mode 100644 testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-aka-rsa/test.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/description.txt create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 
testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/test.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/description.txt create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf create mode 100644 
testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/users create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/iptables.rules create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/test.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-rsa/description.txt create mode 100644 testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-md5-rsa/test.conf create mode 100644 testing/tests/swanctl/rw-eap-mschapv2-id-rsa/description.txt create mode 100644 testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf create mode 100755 
testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-md5/description.txt create mode 100644 testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-md5/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-peap-md5/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-peap-md5/test.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-mschapv2/description.txt create mode 100644 testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 
testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-mschapv2/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-peap-mschapv2/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-peap-mschapv2/test.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/description.txt create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/users create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 
testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/iptables.rules create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/test.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/description.txt create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules create mode 100644 
testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/test.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/description.txt create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat create mode 100644 
testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/test.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/description.txt create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/users create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf create mode 100755 
testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/iptables.rules create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/test.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-rsa/description.txt create mode 100644 testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-rsa/test.conf create mode 100644 testing/tests/swanctl/rw-eap-tls-only/description.txt create mode 100644 testing/tests/swanctl/rw-eap-tls-only/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf create mode 100755 
testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-tls-only/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-tls-only/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-tls-only/test.conf create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/description.txt create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/users create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/iptables.rules create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf create mode 100755 
testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/test.conf create mode 100644 testing/tests/swanctl/rw-eap-ttls-only/description.txt create mode 100644 testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-ttls-only/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-ttls-only/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-ttls-only/test.conf create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/description.txt create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf create mode 
100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/test.conf delete mode 100644 testing/tests/tnc/tnccs-11-fhh/description.txt delete mode 100644 testing/tests/tnc/tnccs-11-fhh/evaltest.dat delete mode 100755 testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/dummyimc.file delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/log4cxx.properties delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc_config delete mode 100755 testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon delete mode 100644 
testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/dummyimc.file delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/log4cxx.properties delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc_config delete mode 100755 testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/dummyimv.policy delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/hostscannerimv.policy delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/log4cxx.properties delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-fhh/posttest.dat delete mode 100644 testing/tests/tnc/tnccs-11-fhh/pretest.dat delete mode 100644 testing/tests/tnc/tnccs-11-fhh/test.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/description.txt delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/evaltest.dat delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users delete mode 100644 
testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc/log4cxx.properties delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/posttest.dat delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/pretest.dat delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/test.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/description.txt delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second delete mode 100644 
testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/posttest.dat delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/pretest.dat delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/test.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/description.txt delete mode 100644 testing/tests/tnc/tnccs-11-radius/evaltest.dat delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel delete mode 100644 
testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/posttest.dat delete mode 100644 testing/tests/tnc/tnccs-11-radius/pretest.dat delete mode 100644 testing/tests/tnc/tnccs-11-radius/test.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/description.txt delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/evaltest.dat delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/eap.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/proxy.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/default delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel delete mode 100644 
testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/users delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/posttest.dat delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/pretest.dat delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/test.conf create mode 100644 testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/pts/collector.sql delete mode 100644 testing/tests/tnc/tnccs-20-fhh/description.txt delete mode 100644 testing/tests/tnc/tnccs-20-fhh/evaltest.dat delete mode 100755 testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 
testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/dummyimc.file delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/log4cxx.properties delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc_config delete mode 100755 testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/dummyimc.file delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/log4cxx.properties delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc_config delete mode 100755 testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/dummyimv.policy delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/hostscannerimv.policy delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/log4cxx.properties delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-20-fhh/posttest.dat delete mode 100644 testing/tests/tnc/tnccs-20-fhh/pretest.dat delete mode 100644 testing/tests/tnc/tnccs-20-fhh/test.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default delete mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default diff --git a/Android.common.mk b/Android.common.mk index 3c71998e6..8e435982c 100644 --- a/Android.common.mk +++ b/Android.common.mk 
@@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \ ) # strongSwan version, replaced by top Makefile -strongswan_VERSION := "5.7.1" +strongswan_VERSION := "5.7.2" diff --git a/ChangeLog b/ChangeLog index 53a9ec244..3e5641cba 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,5 @@ A summary of changes is available in the NEWS file. For a more -detailed Changelog, use the repository (see HACKING) or the -online interface available at http://git.strongswan.org. +detailed Changelog, refer to the completed versions on the project's roadmap +(https://wiki.strongswan.org/projects/strongswan/roadmap) or use the Git +repository (see HACKING) or its web interface available at +https://git.strongswan.org. diff --git a/Doxyfile.in b/Doxyfile.in index 6c59d86c9..a1f3f8819 100644 --- a/Doxyfile.in +++ b/Doxyfile.in @@ -1789,18 +1789,6 @@ GENERATE_XML = NO XML_OUTPUT = xml -# The XML_SCHEMA tag can be used to specify a XML schema, which can be used by a -# validating XML parser to check the syntax of the XML files. -# This tag requires that the tag GENERATE_XML is set to YES. - -XML_SCHEMA = - -# The XML_DTD tag can be used to specify a XML DTD, which can be used by a -# validating XML parser to check the syntax of the XML files. -# This tag requires that the tag GENERATE_XML is set to YES. - -XML_DTD = - # If the XML_PROGRAMLISTING tag is set to YES doxygen will dump the program # listings (including syntax highlighting and cross-referencing information) to # the XML output. Note that enabling this will significantly increase the size diff --git a/Makefile.am b/Makefile.am index 54b822050..958edc6fe 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -24,6 +24,11 @@ config_includedir = $(ipseclibdir)/include nodist_config_include_HEADERS = config.h endif +# we can't (and shouldn't) install/uninstall system files during make distcheck, +# so override the autodetected path for systemd units +AM_DISTCHECK_CONFIGURE_FLAGS = \ + --with-systemdsystemunitdir='$$(prefix)/lib/systemd/system' + # we leave config files behind intentionally so prevent distcheck from complaining distuninstallcheck_listfiles = find . -type f \! -name '*.conf' \! -name '*.secrets' -print diff --git a/Makefile.in b/Makefile.in index 7e06889c9..bbb0d4c1d 100644 --- a/Makefile.in +++ b/Makefile.in @@ -492,6 +492,12 @@ MAINTAINERCLEANFILES = Android.common.mk @USE_DEV_HEADERS_TRUE@config_includedir = $(ipseclibdir)/include @USE_DEV_HEADERS_TRUE@nodist_config_include_HEADERS = config.h +# we can't (and shouldn't) install/uninstall system files during make distcheck, +# so override the autodetected path for systemd units +AM_DISTCHECK_CONFIGURE_FLAGS = \ + --with-systemdsystemunitdir='$$(prefix)/lib/systemd/system' + + # we leave config files behind intentionally so prevent distcheck from complaining distuninstallcheck_listfiles = find . -type f \! -name '*.conf' \! -name '*.secrets' -print all: $(BUILT_SOURCES) config.h diff --git a/NEWS b/NEWS index 18bf7e3db..b95b0fcf4 100644 --- a/NEWS +++ b/NEWS 
@@ -1,3 +1,53 @@ +strongswan-5.7.2 +---------------- + +- Private key implementations may optionally provide a list of supported + signature schemes, which is used by the tpm plugin because for each key on a + TPM 2.0 the hash algorithm and for RSA also the padding scheme is predefined. + +- For RSA with PSS padding, the TPM 2.0 specification mandates the maximum salt + length (as defined by the length of the key and hash). However, if the TPM is + FIPS-168-4 compliant, the salt length equals the hash length. This is assumed + for FIPS-140-2 compliant TPMs, but if that's not the case, it might be + necessary to manually enable charon.plugins.tpm.fips_186_4 if the TPM doesn't + use the maximum salt length. + +- swanctl now accesses directories for credentials relative to swanctl.conf, in + particular, when it's loaded from a custom location via --file argument. The + base directory that's used if --file is not given is configurable at runtime + via SWANCTL_DIR environment variable. + +- With RADIUS Accounting enabled, the eap-radius plugin adds the session ID to + Access-Request messages, simplifying associating database entries for IP + leases and accounting with sessions. + +- IPs assigned by RADIUS servers are included in Accounting-Stop even if clients + don't claim them, allowing releasing them early on connection errors. + +- Selectors installed on transport mode SAs by the kernel-netlink plugin are + updated on IP address changes (e.g. via MOBIKE). + +- Added support for RSA signatures with SHA-256 and SHA-512 to the agent plugin. + For older versions of ssh/gpg-agent that only support SHA-1, IKEv2 signature + authentication has to be disabled via charon.signature_authentication. + +- The sshkey and agent plugins support Ed25519/Ed448 SSH keys and signatures. + +- The openssl plugin supports X25519/X448 Diffie-Hellman and Ed25519/Ed448 keys + and signatures when built against OpenSSL 1.1.1. 
+ +- Ed25519, ChaCha20/Poly1305, SHA-3 and AES-CCM were added to the botan plugin. + +- The mysql plugin now properly handles database connections with transactions + under heavy load. + +- IP addresses in HA pools are now distributed evenly among all segments. + +- On newer FreeBSD kernels, the kernel-pfkey plugin reads the reqid directly + from SADB_ACQUIRE messages, i.e. not requiring previous policy installation by + the plugin, e.g. for compatibility with if_ipsec(4) VTIs. + + strongswan-5.7.1 ---------------- @@ -1031,7 +1081,7 @@ strongswan-5.0.3 charon-tkm does not result in the compromise of cryptographic keys. The extracted functionality has been implemented from scratch in a minimal TCB (trusted computing base) in the Ada programming language. Further information - can be found at http://www.codelabs.ch/tkm/. + can be found at https://www.codelabs.ch/tkm/. strongswan-5.0.2 ---------------- @@ -1169,7 +1219,7 @@ strongswan-5.0.0 pluto, but currently does not support AH or bundled AH+ESP SAs. Beside RSA/ECDSA, PSK and XAuth, charon also supports the Hybrid authentication mode. Information for interoperability and migration is available at - http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1. + https://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1. - Charon's bus_t has been refactored so that loggers and other listeners are now handled separately. The single lock was previously cause for deadlocks @@ -1600,7 +1650,7 @@ strongswan-4.4.0 - The IKEv2 High Availability plugin has been integrated. It provides load sharing and failover capabilities in a cluster of currently two nodes, based on an extend ClusterIP kernel module. More information is available at - http://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability. + https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability. The development of the High Availability functionality was sponsored by secunet Security Networks AG. 
@@ -2308,7 +2358,7 @@ strongswan-4.1.7 - Preview of strongSwan Manager, a web based configuration and monitoring application. It uses a new XML control interface to query the IKEv2 daemon - (see http://wiki.strongswan.org/wiki/Manager). + (see https://wiki.strongswan.org/wiki/Manager). - Experimental SQLite configuration backend which will provide the configuration interface for strongSwan Manager in future releases. diff --git a/README b/README index 8d8febede..a19caf37a 100644 --- a/README +++ b/README @@ -9,7 +9,7 @@ which uses the modern [**vici**](src/libcharon/plugins/vici/README.md) *Versatil IKE Configuration Interface*. The deprecated **ipsec** command using the legacy **stroke** configuration interface is described [**here**](README_LEGACY.md). For more detailed information consult the man pages and -[**our wiki**](http://wiki.strongswan.org). +[**our wiki**](https://wiki.strongswan.org). ## Quickstart ## diff --git a/TODO b/TODO index 186d4d02b..41ea04099 100644 --- a/TODO +++ b/TODO @@ -4,5 +4,5 @@ A roadmap of the strongSwan project is available online at: - http://wiki.strongswan.org/projects/strongswan/roadmap + https://wiki.strongswan.org/projects/strongswan/roadmap diff --git a/conf/plugins/tpm.conf b/conf/plugins/tpm.conf index 1be961e89..91d533a1e 100644 --- a/conf/plugins/tpm.conf +++ b/conf/plugins/tpm.conf @@ -1,5 +1,9 @@ tpm { + # Is the TPM 2.0 FIPS-186-4 compliant, forcing e.g. the use of the default + # salt length instead of maximum salt length with RSAPSS padding. + # fips_186_4 = no + # Whether to load the plugin. Can also be an integer to increase the # priority of this plugin. load = yes diff --git a/conf/plugins/tpm.opt b/conf/plugins/tpm.opt index df7adb098..06c88861e 100644 --- a/conf/plugins/tpm.opt +++ b/conf/plugins/tpm.opt 
@@ -1,6 +1,10 @@ charon.plugins.tpm.use_rng = no Whether the TPM should be used as RNG. +charon.plugins.tpm.fips_186_4 = no + Is the TPM 2.0 FIPS-186-4 compliant, forcing e.g. the use of the default + salt length instead of maximum salt length with RSAPSS padding. + charon.plugins.tpm.tcti.name = device|tabrmd Name of TPM 2.0 TCTI library. Valid values: _tabrmd_, _device_ or _mssim_. Defaults are _device_ if the _/dev/tpmrm0_ in-kernel TPM 2.0 resource manager diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main index 486ee5af9..aea62fbae 100644 --- a/conf/strongswan.conf.5.main +++ b/conf/strongswan.conf.5.main @@ -1684,6 +1684,11 @@ Send an unsupported PB\-TNC message type with the NOSKIP flag set. .BR charon.plugins.tnccs-20.tests.pb_tnc_version " [2]" Send a PB\-TNC batch with a modified PB\-TNC version. +.TP +.BR charon.plugins.tpm.fips_186_4 " [no]" +Is the TPM 2.0 FIPS\-186\-4 compliant, forcing e.g. the use of the default salt +length instead of maximum salt length with RSAPSS padding. + .TP .BR charon.plugins.tpm.tcti.name " [device|tabrmd]" Name of TPM 2.0 TCTI library. Valid values: diff --git a/configure b/configure index f66cae07f..be0c1d92a 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for strongSwan 5.7.1. +# Generated by GNU Autoconf 2.69 for strongSwan 5.7.2. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='strongSwan' PACKAGE_TARNAME='strongswan' -PACKAGE_VERSION='5.7.1' -PACKAGE_STRING='strongSwan 5.7.1' +PACKAGE_VERSION='5.7.2' +PACKAGE_STRING='strongSwan 5.7.2' PACKAGE_BUGREPORT='' PACKAGE_URL='' 
@@ -2108,7 +2108,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures strongSwan 5.7.1 to adapt to many kinds of systems. +\`configure' configures strongSwan 5.7.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -2179,7 +2179,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of strongSwan 5.7.1:";; + short | recursive ) echo "Configuration of strongSwan 5.7.2:";; esac cat <<\_ACEOF @@ -2666,7 +2666,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -strongSwan configure 5.7.1 +strongSwan configure 5.7.2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -3188,7 +3188,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by strongSwan $as_me 5.7.1, which was +It was created by strongSwan $as_me 5.7.2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4051,7 +4051,7 @@ fi # Define the identity of the package. PACKAGE='strongswan' - VERSION='5.7.1' + VERSION='5.7.2' cat >>confdefs.h <<_ACEOF @@ -23080,6 +23080,9 @@ $as_echo "$as_me: fuzz targets enabled without libFuzzer, using local driver" >& else # required for libFuzzer FUZZING_LDFLAGS="-stdlib=libc++ -lstdc++" + if test "$SANITIZER" = "coverage"; then + FUZZING_LDFLAGS="$FUZZING_LDFLAGS -lm" + fi fi fi 
@@ -27550,7 +27553,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by strongSwan $as_me 5.7.1, which was +This file was extended by strongSwan $as_me 5.7.2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -27616,7 +27619,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -strongSwan config.status 5.7.1 +strongSwan config.status 5.7.2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 673393f8d..8b2f0216d 100644 --- a/configure.ac +++ b/configure.ac @@ -19,7 +19,7 @@ # initialize & set some vars # ============================ -AC_INIT([strongSwan],[5.7.1]) +AC_INIT([strongSwan],[5.7.2]) AM_INIT_AUTOMAKE(m4_esyscmd([ echo tar-ustar echo subdir-objects @@ -1292,6 +1292,9 @@ if test x$fuzzing = xtrue; then else # required for libFuzzer FUZZING_LDFLAGS="-stdlib=libc++ -lstdc++" + if test "$SANITIZER" = "coverage"; then + FUZZING_LDFLAGS="$FUZZING_LDFLAGS -lm" + fi AC_SUBST(FUZZING_LDFLAGS) fi fi diff --git a/scripts/dh_speed.c b/scripts/dh_speed.c index f2f98d7af..235772faf 100644 --- a/scripts/dh_speed.c +++ b/scripts/dh_speed.c @@ -47,6 +47,7 @@ struct { {"ecp192", ECP_192_BIT}, {"ecp224", ECP_224_BIT}, {"curve25519", CURVE_25519}, + {"curve448", CURVE_448}, }; static void start_timing(struct timespec *start) diff --git a/src/_copyright/_copyright.c b/src/_copyright/_copyright.c index 806f78062..038e60e87 100644 --- a/src/_copyright/_copyright.c +++ b/src/_copyright/_copyright.c 
@@ -84,11 +84,9 @@ main(int argc, char *argv[])
 case 'h': /* help */
 printf("%s\n", usage);
 exit(0);
- break;
 case 'v': /* version */
 printf("%s strongSwan "VERSION"\n", me);
 exit(0);
- break;
 case '?':
 default:
 errflg = 1;
diff --git a/src/charon-cmd/charon-cmd.c b/src/charon-cmd/charon-cmd.c
index 1293ec4c0..e85e21d5c 100644
--- a/src/charon-cmd/charon-cmd.c
+++ b/src/charon-cmd/charon-cmd.c
@@ -348,6 +348,9 @@ int main(int argc, char *argv[])
 {
 exit(SS_RC_INITIALIZATION_FAILED);
 }
+ /* register this again after loading plugins to avoid issues with libraries
+ * that register atexit() handlers */
+ atexit(libcharon_deinit);
 if (!lib->caps->drop(lib->caps))
 {
 exit(SS_RC_INITIALIZATION_FAILED);
@@ -358,9 +361,6 @@ int main(int argc, char *argv[])
 creds = cmd_creds_create();
 atexit(cleanup_creds);
 
- /* handle all arguments */
- handle_arguments(argc, argv, FALSE);
-
 if (uname(&utsname) != 0)
 {
 memset(&utsname, 0, sizeof(utsname));
@@ -369,6 +369,9 @@ int main(int argc, char *argv[])
 VERSION, utsname.sysname, utsname.release, utsname.machine);
 lib->plugins->status(lib->plugins, LEVEL_CTRL);
 
+ /* handle all arguments */
+ handle_arguments(argc, argv, FALSE);
+
 /* add handler for SEGV and ILL,
 * INT, TERM and HUP are handled by sigwaitinfo() in run() */
 action.sa_handler = segv_handler;
diff --git a/src/charon-systemd/charon-systemd.c b/src/charon-systemd/charon-systemd.c
index d06c26974..7d4465ebf 100644
--- a/src/charon-systemd/charon-systemd.c
+++ b/src/charon-systemd/charon-systemd.c
@@ -322,6 +322,7 @@ int main(int argc, char *argv[])
 {
 struct sigaction action;
 struct utsname utsname;
+ int status = SS_RC_INITIALIZATION_FAILED;
 
 dbg = dbg_stderr;
 
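Review bot: The `atexit(libcharon_deinit)` added in the first charon-cmd.c hunk registers the handler a second time (the comment itself says "again"), so `libcharon_deinit()` will run twice at process exit and the return value of `atexit()` is not checked; this is only sound if the deinit routine tolerates a repeated call, which is not visible here. The same commit removes the `atexit` registration from charon-systemd.c in favour of an explicit cleanup path, so charon-cmd.c could follow that pattern rather than stacking handlers. If the double registration is intentional, make the precondition explicit next to the call: `/* libcharon_deinit() is presumably registered earlier too; it must be safe to invoke twice */`. main() starts and continues outside these hunks.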
@@ -345,16 +346,15 @@ int main(int argc, char *argv[]) sd_notifyf(0, "STATUS=integrity check of charon-systemd failed"); return SS_RC_INITIALIZATION_FAILED; } - atexit(libcharon_deinit); if (!libcharon_init()) { sd_notifyf(0, "STATUS=libcharon initialization failed"); - return SS_RC_INITIALIZATION_FAILED; + goto error; } if (!lookup_uid_gid()) { sd_notifyf(0, "STATUS=unknown uid/gid"); - return SS_RC_INITIALIZATION_FAILED; + goto error; } /* we registered the journal logger as custom logger, which gets its * settings from .customlog.journal, let it fallback to .journal */ @@ -370,14 +370,14 @@ int main(int argc, char *argv[]) lib->settings->get_str(lib->settings, "%s.load", PLUGINS, lib->ns))) { sd_notifyf(0, "STATUS=charon initialization failed"); - return SS_RC_INITIALIZATION_FAILED; + goto error; } lib->plugins->status(lib->plugins, LEVEL_CTRL); if (!lib->caps->drop(lib->caps)) { sd_notifyf(0, "STATUS=dropping capabilities failed"); - return SS_RC_INITIALIZATION_FAILED; + goto error; } /* add handler for SEGV and ILL, @@ -401,5 +401,9 @@ int main(int argc, char *argv[]) sd_notifyf(0, "STATUS=charon-systemd running, strongSwan %s, %s %s, %s", VERSION, utsname.sysname, utsname.release, utsname.machine); - return run(); + status = run(); + +error: + libcharon_deinit(); + return status; } diff --git a/src/conftest/hooks/set_proposal_number.c b/src/conftest/hooks/set_proposal_number.c index dd814ad15..3fa53680c 100644 --- a/src/conftest/hooks/set_proposal_number.c +++ b/src/conftest/hooks/set_proposal_number.c @@ -122,7 +122,7 @@ METHOD(listener_t, message, bool, enumerator->destroy(enumerator); } sa = sa_payload_create_from_proposals_v2(updated); - list->destroy_offset(list, offsetof(proposal_t, destroy)); + DESTROY_OFFSET_IF(list, offsetof(proposal_t, destroy)); updated->destroy_offset(updated, offsetof(proposal_t, destroy)); message->add_payload(message, (payload_t*)sa); } diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8 index 143342ecb..d49d6cdf6 100644 
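Review bot: With `atexit(libcharon_deinit)` removed from charon-systemd.c, any code after `libcharon_init()` that terminates via exit() instead of returning to main() — signal handling installed after this hunk, or anything inside `run()` — no longer de-initialises libcharon; nothing of the kind is visible here, so this needs a check against the rest of main() and run(). The explicit `error:` path also calls libcharon_deinit() when libcharon_init() itself failed, which matches the previous behaviour (the atexit() call preceded the init) but is worth stating: `error: /* also reached when libcharon_init() failed; deinit must tolerate a partial init */`. main() starts before this hunk.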
--- a/src/ipsec/_ipsec.8 +++ b/src/ipsec/_ipsec.8 @@ -1,4 +1,4 @@ -.TH IPSEC 8 "2013-10-29" "5.7.0rc2" "strongSwan" +.TH IPSEC 8 "2013-10-29" "5.7.2dr1" "strongSwan" . .SH NAME . diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c index f4c01c22e..b7348f0f9 100644 --- a/src/libcharon/bus/bus.c +++ b/src/libcharon/bus/bus.c @@ -575,7 +575,7 @@ METHOD(bus_t, message, void, METHOD(bus_t, ike_keys, void, private_bus_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh, chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r, - ike_sa_t *rekey, shared_key_t *shared) + ike_sa_t *rekey, shared_key_t *shared, auth_method_t method) { enumerator_t *enumerator; entry_t *entry; @@ -591,7 +591,8 @@ METHOD(bus_t, ike_keys, void, } entry->calling++; keep = entry->listener->ike_keys(entry->listener, ike_sa, dh, dh_other, - nonce_i, nonce_r, rekey, shared); + nonce_i, nonce_r, rekey, shared, + method); entry->calling--; if (!keep) { diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h index df75683be..8a97e8dfc 100644 --- a/src/libcharon/bus/bus.h +++ b/src/libcharon/bus/bus.h @@ -353,10 +353,12 @@ struct bus_t { * @param nonce_r responder's nonce * @param rekey IKE_SA we are rekeying, if any (IKEv2 only) * @param shared shared key used for key derivation (IKEv1-PSK only) + * @param method auth method for key derivation (IKEv1-non-PSK only) */ void (*ike_keys)(bus_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh, chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r, - ike_sa_t *rekey, shared_key_t *shared); + ike_sa_t *rekey, shared_key_t *shared, + auth_method_t method); /** * IKE_SA derived keys hook. diff --git a/src/libcharon/bus/listeners/listener.h b/src/libcharon/bus/listeners/listener.h index 06057eb73..0f3b8578a 100644 --- a/src/libcharon/bus/listeners/listener.h +++ b/src/libcharon/bus/listeners/listener.h 
@@ -88,11 +88,13 @@ struct listener_t { * @param nonce_r responder's nonce * @param rekey IKE_SA we are rekeying, if any (IKEv2 only) * @param shared shared key used for key derivation (IKEv1-PSK only) + * @param method auth method for key derivation (IKEv1-non-PSK only) * @return TRUE to stay registered, FALSE to unregister */ bool (*ike_keys)(listener_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh, chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r, - ike_sa_t *rekey, shared_key_t *shared); + ike_sa_t *rekey, shared_key_t *shared, + auth_method_t method); /** * Hook called with derived IKE_SA keys. diff --git a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c index 644cff029..1abbf7731 100644 --- a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c +++ b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c @@ -64,6 +64,7 @@ typedef struct { private_bypass_lan_listener_t *listener; host_t *net; uint8_t mask; + char *iface; child_cfg_t *cfg; } bypass_policy_t; @@ -85,6 +86,7 @@ static void bypass_policy_destroy(bypass_policy_t *this) ts->destroy(ts); } this->net->destroy(this->net); + free(this->iface); free(this); } @@ -126,6 +128,7 @@ static job_requeue_t update_bypass(private_bypass_lan_listener_t *this) enumerator_t *enumerator; hashtable_t *seen; bypass_policy_t *found, *lookup; + traffic_selector_t *ts; host_t *net; uint8_t mask; char *iface; @@ -146,6 +149,7 @@ static job_requeue_t update_bypass(private_bypass_lan_listener_t *this) INIT(lookup, .net = net->clone(net), .mask = mask, + .iface = strdupnull(iface), ); found = seen->put(seen, lookup, lookup); if (found) @@ -160,7 +164,6 @@ static job_requeue_t update_bypass(private_bypass_lan_listener_t *this) .mode = MODE_PASS, }; child_cfg_t *cfg; - traffic_selector_t *ts; char name[128]; ts = traffic_selector_create_from_subnet(net->clone(net), mask, 
@@ -176,6 +179,7 @@ static job_requeue_t update_bypass(private_bypass_lan_listener_t *this) INIT(found, .net = net->clone(net), .mask = mask, + .iface = strdupnull(iface), .cfg = cfg, ); this->policies->put(this->policies, found, found); @@ -186,11 +190,29 @@ static job_requeue_t update_bypass(private_bypass_lan_listener_t *this) enumerator = this->policies->create_enumerator(this->policies); while (enumerator->enumerate(enumerator, NULL, &lookup)) { - if (!seen->get(seen, lookup)) + found = seen->get(seen, lookup); + if (!found) { this->policies->remove_at(this->policies, enumerator); bypass_policy_destroy(lookup); } + else if (!streq(lookup->iface, found->iface)) + { /* if the subnet is on multiple interfaces, we only get the last + * one (hopefully, they are enumerated in a consistent order) */ + ts = traffic_selector_create_from_subnet( + lookup->net->clone(lookup->net), + lookup->mask, 0, 0, 65535); + DBG1(DBG_IKE, "interface change for bypass policy for %R (from %s " + "to %s)", ts, lookup->iface, found->iface); + ts->destroy(ts); + free(lookup->iface); + lookup->iface = strdupnull(found->iface); + /* there is currently no API to update shunts, so we remove and + * reinstall it to update the route */ + charon->shunts->uninstall(charon->shunts, "bypass-lan", + lookup->cfg->get_name(lookup->cfg)); + charon->shunts->install(charon->shunts, "bypass-lan", lookup->cfg); + } } enumerator->destroy(enumerator); this->mutex->unlock(this->mutex); diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c index 1e208d094..ecd92f2ef 100644 --- a/src/libcharon/plugins/dhcp/dhcp_socket.c +++ b/src/libcharon/plugins/dhcp/dhcp_socket.c 
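Review bot: `streq(lookup->iface, found->iface)` in the last bypass_lan_listener.c hunk receives pointers produced by strdupnull(), i.e. possibly NULL, and a strcmp()-based streq() on a NULL pointer is undefined; either compare NULL-safely, `else if ((lookup->iface != NULL) != (found->iface != NULL) || (lookup->iface && !streq(lookup->iface, found->iface)))`, or use plain strdup() if the interface enumerator can never yield a NULL name. The uninstall/install pair also leaves a short window in which no bypass policy exists for the subnet, so LAN traffic could match a tunnel policy until the reinstall completes; the existing comment should say that this is accepted, e.g. `/* ... the brief window without the bypass policy is accepted */`. update_bypass() starts before this hunk.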
@@ -489,6 +489,16 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen) offer = host_create_from_chunk(AF_INET, chunk_from_thing(dhcp->your_address), 0); + if (offer->is_anyaddr(offer)) + { + server = host_create_from_chunk(AF_INET, + chunk_from_thing(dhcp->server_address), 0); + DBG1(DBG_CFG, "ignoring DHCP OFFER %+H from %H", offer, server); + server->destroy(server); + offer->destroy(offer); + return; + } + this->mutex->lock(this->mutex); enumerator = this->discover->create_enumerator(this->discover); while (enumerator->enumerate(enumerator, &transaction)) diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c index fbbf6da83..ae1371b45 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius.c +++ b/src/libcharon/plugins/eap_radius/eap_radius.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2017 Tobias Brunner + * Copyright (C) 2012-2018 Tobias Brunner * Copyright (C) 2009 Martin Willi * HSR Hochschule fuer Technik Rapperswil * @@ -156,7 +156,7 @@ void eap_radius_build_attributes(radius_message_t *request) { ike_sa_t *ike_sa; host_t *host; - char buf[40], *station_id_fmt;; + char buf[40], *station_id_fmt, *session_id; uint32_t value; chunk_t chunk; @@ -202,6 +202,14 @@ void eap_radius_build_attributes(radius_message_t *request) host = ike_sa->get_other_host(ike_sa); snprintf(buf, sizeof(buf), station_id_fmt, host); request->add(request, RAT_CALLING_STATION_ID, chunk_from_str(buf)); + + session_id = eap_radius_accounting_session_id(ike_sa); + if (session_id) + { + request->add(request, RAT_ACCT_SESSION_ID, + chunk_from_str(session_id)); + free(session_id); + } } } diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c index 92611492b..ecb2083c9 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2015-2017 Tobias Brunner + * Copyright (C) 2015-2018 Tobias Brunner * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2012 Martin Willi @@ -17,6 +17,7 @@ */ #include "eap_radius_accounting.h" +#include "eap_radius_provider.h" #include "eap_radius_plugin.h" #include @@ -460,6 +461,37 @@ static void add_ike_sa_parameters(private_eap_radius_accounting_t *this, enumerator->destroy(enumerator); } +/** + * Add any unclaimed IP addresses to the message + */ +static void add_unclaimed_ips(radius_message_t *message, ike_sa_t *ike_sa) +{ + eap_radius_provider_t *provider; + enumerator_t *enumerator; + host_t *vip; + + provider = eap_radius_provider_get(); + enumerator = provider->clear_unclaimed(provider, + ike_sa->get_unique_id(ike_sa)); + while (enumerator->enumerate(enumerator, &vip)) + { + switch (vip->get_family(vip)) + { + case AF_INET: + message->add(message, RAT_FRAMED_IP_ADDRESS, + vip->get_address(vip)); + break; + case AF_INET6: + message->add(message, RAT_FRAMED_IPV6_ADDRESS, + vip->get_address(vip)); + break; + default: + break; + } + } + enumerator->destroy(enumerator); +} + /** * Add the Class attributes received in the Access-Accept message to the * RADIUS accounting message @@ -790,6 +822,7 @@ static void send_stop(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa) chunk_create(entry->sid, strlen(entry->sid))); add_class_attributes(message, entry); add_ike_sa_parameters(this, message, ike_sa); + add_unclaimed_ips(message, ike_sa); value = htonl(entry->usage.bytes.sent); message->add(message, RAT_ACCT_OUTPUT_OCTETS, chunk_from_thing(value)); @@ -816,7 +849,6 @@ static void send_stop(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa) value = htonl(time_monotonic(NULL) - entry->created); message->add(message, RAT_ACCT_SESSION_TIME, chunk_from_thing(value)); - value = htonl(entry->cause); message->add(message, RAT_ACCT_TERMINATE_CAUSE, chunk_from_thing(value)); 
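Review bot: `add_unclaimed_ips()` dereferences the result of `eap_radius_provider_get()` without a NULL check; the provider singleton is only assigned in eap_radius_provider_create() (see the eap_radius_provider.c hunk of this commit), so if send_stop() can run while no provider exists this crashes. Either guard it, `if (!provider) { return; }`, or record the invariant in the function comment, e.g. `/* relies on the eap_radius_provider singleton existing whenever accounting does */`, if that is guaranteed. The cleaner enumerator returned by clear_unclaimed() frees the entry once the loop finishes, which looks right.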
@@ -1070,8 +1102,27 @@ eap_radius_accounting_t *eap_radius_accounting_create() return &this->public; } -/** - * See header +/* + * Described in header + */ +char *eap_radius_accounting_session_id(ike_sa_t *ike_sa) +{ + entry_t *entry; + char *sid = NULL; + + if (singleton) + { + singleton->mutex->lock(singleton->mutex); + entry = get_or_create_entry(singleton, ike_sa->get_id(ike_sa), + ike_sa->get_unique_id(ike_sa)); + sid = strdup(entry->sid); + singleton->mutex->unlock(singleton->mutex); + } + return sid; +} + +/* + * Described in header */ void eap_radius_accounting_start_interim(ike_sa_t *ike_sa, uint32_t interval) { diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.h b/src/libcharon/plugins/eap_radius/eap_radius_accounting.h index dc1edcf54..1fe1107ea 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.h +++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2017 Tobias Brunner + * Copyright (C) 2017-2018 Tobias Brunner * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2012 Martin Willi @@ -49,6 +49,14 @@ struct eap_radius_accounting_t { */ eap_radius_accounting_t *eap_radius_accounting_create(); +/** + * Get the Accounting session ID for the given IKE_SA. + * + * @param ike_sa IKE_SA for which to determine the session ID + * @return allocated session ID + */ +char *eap_radius_accounting_session_id(ike_sa_t *ike_sa); + /** * Schedule Accounting interim updates for the given IKE_SA. * diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.c b/src/libcharon/plugins/eap_radius/eap_radius_provider.c index 8188bb764..defabb782 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_provider.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.c @@ -1,4 +1,7 @@ /* + * Copyright (C) 2018 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * * Copyright (C) 2013 Martin Willi * Copyright (C) 2013 revosec AG * 
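Review bot: `eap_radius_accounting_session_id()` calls get_or_create_entry(), so building an Access-Request (its caller in eap_radius.c) now creates an accounting entry for the IKE_SA as a side effect, which neither the function name nor the header comment conveys; the header should say so, e.g. `@return allocated session ID (caller frees), NULL if the accounting singleton does not exist; creates the accounting entry if none exists yet`. It is worth confirming that an entry created this way for an IKE_SA whose authentication later fails is removed by the existing IKE_SA teardown handling rather than staying in the table.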
@@ -131,7 +134,7 @@ static entry_t* get_or_create_entry(hashtable_t *hashtable, uintptr_t id) } /** - * Put an entry to hashtable, or destroy it ife empty + * Put an entry to hashtable, or destroy it if empty */ static void put_or_destroy_entry(hashtable_t *hashtable, entry_t *entry) { @@ -494,6 +497,24 @@ METHOD(eap_radius_provider_t, add_attribute, void, this->listener.mutex->unlock(this->listener.mutex); } +METHOD(eap_radius_provider_t, clear_unclaimed, enumerator_t*, + private_eap_radius_provider_t *this, uint32_t id) +{ + entry_t *entry; + + this->listener.mutex->lock(this->listener.mutex); + entry = this->listener.unclaimed->remove(this->listener.unclaimed, + (void*)(uintptr_t)id); + this->listener.mutex->unlock(this->listener.mutex); + if (!entry) + { + return enumerator_create_empty(); + } + return enumerator_create_cleaner( + entry->addrs->create_enumerator(entry->addrs), + (void*)destroy_entry, entry); +} + METHOD(eap_radius_provider_t, destroy, void, private_eap_radius_provider_t *this) { @@ -523,6 +544,7 @@ eap_radius_provider_t *eap_radius_provider_create() }, .add_framed_ip = _add_framed_ip, .add_attribute = _add_attribute, + .clear_unclaimed = _clear_unclaimed, .destroy = _destroy, }, .listener = { @@ -539,6 +561,14 @@ eap_radius_provider_t *eap_radius_provider_create() }, ); + if (lib->settings->get_bool(lib->settings, + "%s.plugins.eap-radius.accounting", FALSE, lib->ns)) + { + /* if RADIUS accounting is enabled, keep unclaimed IPs around until + * the Accounting-Stop message is sent */ + this->listener.public.message = NULL; + } + charon->bus->add_listener(charon->bus, &this->listener.public); singleton = &this->public; diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.h b/src/libcharon/plugins/eap_radius/eap_radius_provider.h index 80971bddb..9f1121ca3 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_provider.h +++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.h 
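Review bot: Setting `this->listener.public.message = NULL` when accounting is enabled disables whatever the message hook did to release unclaimed entries, so from then on they are only freed by `clear_unclaimed()`, which this commit calls from send_stop(); if there are IKE_SAs for which no Accounting-Stop is ever sent (authentication aborted before accounting starts), their entries stay in the unclaimed table until destroy(). Please confirm another cleanup path covers those cases, or note the trade-off in the comment, e.g. `/* ... entries for IKE_SAs that never reach Accounting-Stop are only freed on destroy */`. In `clear_unclaimed()` the `(void*)destroy_entry` cast bypasses the compiler's check of the cleaner callback signature; a small typed wrapper would keep that check.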
@@ -1,4 +1,7 @@ /* + * Copyright (C) 2018 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * * Copyright (C) 2013 Martin Willi * Copyright (C) 2013 revosec AG * @@ -55,6 +58,14 @@ struct eap_radius_provider_t { void (*add_attribute)(eap_radius_provider_t *this, uint32_t id, configuration_attribute_type_t type, chunk_t data); + /** + * Clears any unclaimed IP addresses and attributes for the given IKE_SA. + * + * @param id IKE_SA unique identifier + * @return enumerator over unclaimed IP addresses, if any + */ + enumerator_t *(*clear_unclaimed)(eap_radius_provider_t *this, uint32_t id); + /** * Destroy a eap_radius_provider_t. */ diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c index 34d6efc48..2553fd014 100644 --- a/src/libcharon/plugins/ha/ha_attribute.c +++ b/src/libcharon/plugins/ha/ha_attribute.c @@ -159,13 +159,13 @@ static pool_t* get_pool(private_ha_attribute_t *this, char *name) } /** - * Check if we are responsible for a bit in our bitmask + * Check if we are responsible for an offset */ -static bool responsible_for(private_ha_attribute_t *this, int bit) +static bool responsible_for(private_ha_attribute_t *this, int offset) { u_int segment; - segment = this->kernel->get_segment_int(this->kernel, bit); + segment = offset % this->segments->count(this->segments) + 1; return this->segments->is_active(this->segments, segment); } @@ -175,7 +175,7 @@ METHOD(attribute_provider_t, acquire_address, host_t*, { enumerator_t *enumerator; pool_t *pool = NULL; - int offset = -1, byte, bit; + int offset = -1, tmp_offset, byte, bit; host_t *address; char *name; @@ -199,10 +199,11 @@ METHOD(attribute_provider_t, acquire_address, host_t*, { for (bit = 0; bit < 8; bit++) { + tmp_offset = byte * 8 + bit; if (!(pool->mask[byte] & 1 << bit) && - responsible_for(this, bit)) + responsible_for(this, tmp_offset)) { - offset = byte * 8 + bit; + offset = tmp_offset; pool->mask[byte] |= 1 << bit; break; } 
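Review bot: `responsible_for()` in ha_attribute.c changes how pool offsets map to segments (from `get_segment_int(bit)` to `offset % count + 1`), so a node on this version and a node on the previous one no longer agree on which segment owns an address and may both hand out the same virtual IP during a mixed-version upgrade; that deserves a comment such as `/* NOTE: assignment scheme changed; all cluster nodes must run the same version or addresses may be assigned twice */`. The modulo also divides by `this->segments->count()`, which must never be 0; if the segment count only comes from validated configuration that is fine, otherwise guard it. acquire_address() continues beyond the hunk.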
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c index 4e3803892..ab845317f 100644 --- a/src/libcharon/plugins/ha/ha_dispatcher.c +++ b/src/libcharon/plugins/ha/ha_dispatcher.c @@ -138,6 +138,7 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message chunk_t dh_local = chunk_empty, dh_remote = chunk_empty, psk = chunk_empty; host_t *other = NULL; bool ok = FALSE; + auth_method_t method = AUTH_RSA; enumerator = message->create_attribute_enumerator(message); while (enumerator->enumerate(enumerator, &attribute, &value)) @@ -197,6 +198,8 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message case HA_ALG_DH: dh_grp = value.u16; break; + case HA_AUTH_METHOD: + method = value.u16; default: break; } @@ -238,7 +241,6 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message { keymat_v1_t *keymat_v1 = (keymat_v1_t*)ike_sa->get_keymat(ike_sa); shared_key_t *shared = NULL; - auth_method_t method = AUTH_RSA; if (psk.len) { diff --git a/src/libcharon/plugins/ha/ha_ike.c b/src/libcharon/plugins/ha/ha_ike.c index 2854ab76d..aae402d50 100644 --- a/src/libcharon/plugins/ha/ha_ike.c +++ b/src/libcharon/plugins/ha/ha_ike.c @@ -73,7 +73,7 @@ static ike_extension_t copy_extension(ike_sa_t *ike_sa, ike_extension_t ext) METHOD(listener_t, ike_keys, bool, private_ha_ike_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh, chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey, - shared_key_t *shared) + shared_key_t *shared, auth_method_t method) { ha_message_t *m; chunk_t secret; @@ -141,6 +141,10 @@ METHOD(listener_t, ike_keys, bool, { m->add_attribute(m, HA_PSK, shared->get_key(shared)); } + else + { + m->add_attribute(m, HA_AUTH_METHOD, method); + } } m->add_attribute(m, HA_REMOTE_ADDR, ike_sa->get_other_host(ike_sa)); diff --git a/src/libcharon/plugins/ha/ha_message.c b/src/libcharon/plugins/ha/ha_message.c index 7891b1654..28b7b0d5b 100644 
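Review bot: The new `case HA_AUTH_METHOD: method = value.u16;` in process_ike_add() has no `break;` and falls into `default: break;`; harmless today, but add `break;` so a case added below later does not inherit the assignment. The value is also stored into an `auth_method_t` without any range check although it arrives from a peer node over the HA socket; rejecting or at least logging values the IKEv1 key derivation does not handle would keep a malformed message from reaching it with an unexpected method. process_ike_add() starts before this hunk.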
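Review bot: `HA_AUTH_METHOD` is now sent by ike_keys() in ha_ike.c for every non-PSK IKEv1 SA, and a peer node running an earlier release does not know that attribute; whether it ignores or rejects unknown attributes is decided in ha_message.c's attribute_enumerate(), so the rolling-upgrade behaviour should be verified and stated, e.g. `/* requires peer nodes that understand HA_AUTH_METHOD */`. Appending the enum value at the end of ha_message_attribute_t keeps the existing attribute numbers stable, which is the right choice.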
--- a/src/libcharon/plugins/ha/ha_message.c +++ b/src/libcharon/plugins/ha/ha_message.c @@ -240,6 +240,7 @@ METHOD(ha_message_t, add_attribute, void, case HA_OUTBOUND_CPI: case HA_SEGMENT: case HA_ESN: + case HA_AUTH_METHOD: { uint16_t val; @@ -463,6 +464,7 @@ METHOD(enumerator_t, attribute_enumerate, bool, case HA_OUTBOUND_CPI: case HA_SEGMENT: case HA_ESN: + case HA_AUTH_METHOD: { if (this->buf.len < sizeof(uint16_t)) { diff --git a/src/libcharon/plugins/ha/ha_message.h b/src/libcharon/plugins/ha/ha_message.h index 3e43dc8dc..3c0058d99 100644 --- a/src/libcharon/plugins/ha/ha_message.h +++ b/src/libcharon/plugins/ha/ha_message.h @@ -156,6 +156,8 @@ enum ha_message_attribute_t { HA_PSK, /** chunk_t, IV for next IKEv1 message */ HA_IV, + /** uint16_t, auth_method_t for IKEv1 key derivation */ + HA_AUTH_METHOD, }; /** diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c index 0a407f9ef..153534915 100644 --- a/src/libcharon/plugins/ha/ha_segments.c +++ b/src/libcharon/plugins/ha/ha_segments.c @@ -433,6 +433,12 @@ METHOD(ha_segments_t, is_active, bool, return (this->active & SEGMENTS_BIT(segment)) != 0; } +METHOD(ha_segments_t, count, u_int, + private_ha_segments_t *this) +{ + return this->count; +} + METHOD(ha_segments_t, destroy, void, private_ha_segments_t *this) { @@ -459,6 +465,7 @@ ha_segments_t *ha_segments_create(ha_socket_t *socket, ha_kernel_t *kernel, .deactivate = _deactivate, .handle_status = _handle_status, .is_active = _is_active, + .count = _count, .destroy = _destroy, }, .socket = socket, diff --git a/src/libcharon/plugins/ha/ha_segments.h b/src/libcharon/plugins/ha/ha_segments.h index 10d5812c6..bc96a8d3e 100644 --- a/src/libcharon/plugins/ha/ha_segments.h +++ b/src/libcharon/plugins/ha/ha_segments.h 
@@ -82,6 +82,13 @@ struct ha_segments_t { */ bool (*is_active)(ha_segments_t *this, u_int segment); + /** + * Return the number of segments + * + * @return number of segments + */ + u_int (*count)(ha_segments_t *this); + /** * Destroy a ha_segments_t. */ diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c index 1292e0895..40fff7e05 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -2257,6 +2257,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t, uint32_t replay_esn_len = 0; kernel_ipsec_del_sa_t del = { 0 }; status_t status = FAILED; + traffic_selector_t *ts; char markstr[32] = ""; /* if IPComp is used, we first update the IPComp SA */ @@ -2360,10 +2361,26 @@ METHOD(kernel_ipsec_t, update_sa, status_t, if (!id->src->ip_equals(id->src, data->new_src)) { host2xfrm(data->new_src, &sa->saddr); + + ts = selector2ts(&sa->sel, TRUE); + if (ts && ts->is_host(ts, id->src)) + { + ts->set_address(ts, data->new_src); + ts2subnet(ts, &sa->sel.saddr, &sa->sel.prefixlen_s); + } + DESTROY_IF(ts); } if (!id->dst->ip_equals(id->dst, data->new_dst)) { host2xfrm(data->new_dst, &sa->id.daddr); + + ts = selector2ts(&sa->sel, FALSE); + if (ts && ts->is_host(ts, id->dst)) + { + ts->set_address(ts, data->new_dst); + ts2subnet(ts, &sa->sel.daddr, &sa->sel.prefixlen_d); + } + DESTROY_IF(ts); } rta = XFRM_RTA(out_hdr, struct xfrm_usersa_info); diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index dbe409a62..37170a310 100644 --- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2017 Tobias Brunner + * Copyright (C) 2008-2018 Tobias Brunner * Copyright (C) 2008 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * 
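Review bot: In update_sa() the added selector rewrite updates `sa->sel.saddr`/`daddr` and the prefix length but not `sa->sel.family`, so if new_src/new_dst could be of a different address family than the old endpoints the selector would end up inconsistent; if update_sa() is never invoked with a family change, say so, e.g. `/* selector family stays as is: address updates never switch families */`, otherwise also update the family from the new host. The `DESTROY_IF(ts)` after each block correctly covers the NULL return of selector2ts(). update_sa() starts and ends outside this hunk.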
@@ -1287,20 +1287,27 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this, return; } - index = response.x_policy->sadb_x_policy_id; - this->mutex->lock(this->mutex); - if (this->policies->find_first(this->policies, policy_entry_match_byindex, - (void**)&policy, index) && - policy->used_by->get_first(policy->used_by, (void**)&sa) == SUCCESS) + if (response.x_sa2) { - reqid = sa->sa->cfg.reqid; + reqid = response.x_sa2->sadb_x_sa2_reqid; } else { - DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no " - "matching policy found", index); + index = response.x_policy->sadb_x_policy_id; + this->mutex->lock(this->mutex); + if (this->policies->find_first(this->policies, policy_entry_match_byindex, + (void**)&policy, index) && + policy->used_by->get_first(policy->used_by, (void**)&sa) == SUCCESS) + { + reqid = sa->sa->cfg.reqid; + } + else + { + DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no " + "matching policy found", index); + } + this->mutex->unlock(this->mutex); } - this->mutex->unlock(this->mutex); src_ts = sadb_address2ts(response.src); dst_ts = sadb_address2ts(response.dst); diff --git a/src/libcharon/plugins/vici/libvici.h b/src/libcharon/plugins/vici/libvici.h index d69597881..964752f53 100644 --- a/src/libcharon/plugins/vici/libvici.h +++ b/src/libcharon/plugins/vici/libvici.h @@ -86,6 +86,10 @@ #include +#ifdef __cplusplus +extern "C" { +#endif + /** * Opaque vici connection contex. */ @@ -465,4 +469,8 @@ void vici_init(); */ void vici_deinit(); +#ifdef __cplusplus +} +#endif + #endif /** LIBVICI_H_ @}*/ diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c index 10c62dc89..ace7a4528 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c 
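Review bot: When `response.x_sa2` is present, process_acquire() now takes `sadb_x_sa2_reqid` as is and skips the policy lookup, so should the kernel report a reqid of 0 it is used silently without the diagnostic the fallback path prints; preferring the extension only when it carries a non-zero reqid keeps the lookup as a safety net: `if (response.x_sa2 && response.x_sa2->sadb_x_sa2_reqid)`. Taking the mutex only on the lookup path is correct, as the extension path touches no shared state. process_acquire() starts before this hunk.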
@@ -733,7 +733,7 @@ CALLBACK(parse_ts, bool, if (host_create_from_range(buf, &lower, &upper)) { type = (lower->get_family(lower) == AF_INET) ? - TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE; + TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE; ts = traffic_selector_create_from_bytes(proto, type, lower->get_address(lower), from, upper->get_address(upper), to); @@ -2494,7 +2494,10 @@ CALLBACK(config_sn, bool, if (peer.mediated_by) { cfg.mediated_by = peer.mediated_by; - cfg.peer_id = peer.peer_id->clone(peer.peer_id); + if (peer.peer_id) + { + cfg.peer_id = peer.peer_id->clone(peer.peer_id); + } } #endif /* ME */ peer_cfg = peer_cfg_create(name, ike_cfg, &cfg); diff --git a/src/libcharon/processing/jobs/adopt_children_job.c b/src/libcharon/processing/jobs/adopt_children_job.c index 998af0d3f..e2a7f6b20 100644 --- a/src/libcharon/processing/jobs/adopt_children_job.c +++ b/src/libcharon/processing/jobs/adopt_children_job.c @@ -53,6 +53,36 @@ METHOD(job_t, destroy, void, free(this); } +METHOD(adopt_children_job_t, queue_task, void, + private_adopt_children_job_t *this, task_t *task) +{ + array_insert_create(&this->tasks, ARRAY_TAIL, task); +} + +/** + * Adopt child-creating tasks from the given IKE_SA + */ +static u_int adopt_child_tasks(private_adopt_children_job_t *this, + ike_sa_t *ike_sa, task_queue_t queue) +{ + enumerator_t *tasks; + task_t *task; + u_int count = 0; + + tasks = ike_sa->create_task_enumerator(ike_sa, queue); + while (tasks->enumerate(tasks, &task)) + { + if (task->get_type(task) == TASK_QUICK_MODE) + { + ike_sa->remove_task(ike_sa, tasks); + queue_task(this, task); + count++; + } + } + tasks->destroy(tasks); + return count; +} + METHOD(job_t, execute, job_requeue_t, private_adopt_children_job_t *this) { @@ -65,6 +95,7 @@ METHOD(job_t, execute, job_requeue_t, ike_sa_t *ike_sa; child_sa_t *child_sa; uint32_t unique; + u_int tasks = 0; ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, this->id); if (ike_sa) 
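Review bot: The `if (peer.peer_id)` guard in config_sn() avoids the NULL dereference, but a `mediated_by` connection without a `peer_id` now silently yields a peer_cfg whose `cfg.peer_id` is unset; if such a configuration is not meaningful it should be reported as a configuration error instead, and if it is valid the accepted semantics should be commented, e.g. `/* peer_id is optional for mediated connections */`. config_sn() starts before this hunk.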
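Review bot: `adopt_child_tasks()` calls `ike_sa->remove_task()` while enumerating the ACTIVE queue, which the new ike_sa.h comment in this same commit flags as something to use with caution for active tasks; a quick-mode task that is mid-exchange is detached without any visible reset of the task manager's in-flight state, and unlike migrate_child_tasks() in the ike_sa.c hunk the task is not `migrate()`d here before being queued, so the later reattachment (outside this hunk) must take care of that. A comment on the function should state both assumptions, e.g. `/* tasks are detached from the old IKE_SA, which is being replaced, and migrated when the job attaches them to the new one */`, if that is indeed the flow. The same caution applies to migrate_child_tasks() in ike_sa.c.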
@@ -127,11 +158,17 @@ METHOD(job_t, execute, job_requeue_t, * it does trigger an assign_vips(FALSE) event, so we also * trigger one below */ ike_sa->clear_virtual_ips(ike_sa, FALSE); - if (children->get_count(children) || vips->get_count(vips)) + + tasks += adopt_child_tasks(this, ike_sa, TASK_QUEUE_ACTIVE); + tasks += adopt_child_tasks(this, ike_sa, TASK_QUEUE_QUEUED); + + if (children->get_count(children) || tasks || + vips->get_count(vips)) { DBG1(DBG_IKE, "detected reauth of existing IKE_SA, " - "adopting %d children and %d virtual IPs", - children->get_count(children), vips->get_count(vips)); + "adopting %d children, %d child tasks, and %d " + "virtual IPs", children->get_count(children), + tasks, vips->get_count(vips)); } if (ike_sa->get_state(ike_sa) == IKE_PASSIVE) { @@ -152,7 +189,8 @@ METHOD(job_t, execute, job_requeue_t, charon->ike_sa_manager->checkin( charon->ike_sa_manager, ike_sa); } - if (children->get_count(children) || vips->get_count(vips)) + if (children->get_count(children) || tasks || + vips->get_count(vips)) { break; } @@ -237,12 +275,6 @@ METHOD(job_t, get_priority, job_priority_t, return JOB_PRIO_HIGH; } -METHOD(adopt_children_job_t, queue_task, void, - private_adopt_children_job_t *this, task_t *task) -{ - array_insert_create(&this->tasks, ARRAY_TAIL, task); -} - /** * See header */ diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index c33398bee..bdc96a4bc 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -978,7 +978,7 @@ static void prepare_sa_cfg(private_child_sa_t *this, ipsec_sa_cfg_t *my_sa, } /** - * Install inbound policie(s): in, fwd + * Install inbound policies: in, fwd */ static status_t install_policies_inbound(private_child_sa_t *this, host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts, 
@@ -1012,7 +1012,7 @@ static status_t install_policies_inbound(private_child_sa_t *this, } /** - * Install outbound policie(s): out, [fwd] + * Install outbound policies: out, [fwd] */ static status_t install_policies_outbound(private_child_sa_t *this, host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts, diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index a4ad866d3..3d576a0e8 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -1996,8 +1996,7 @@ static status_t reestablish_children(private_ike_sa_t *this, ike_sa_t *new, /* adopt any active or queued CHILD-creating tasks */ if (status != DESTROY_ME) { - task_manager_t *other_tasks = ((private_ike_sa_t*)new)->task_manager; - other_tasks->adopt_child_tasks(other_tasks, this->task_manager); + new->adopt_child_tasks(new, &this->public); if (new->get_state(new) == IKE_CREATED) { status = new->initiate(new, NULL, 0, NULL, NULL); @@ -2404,7 +2403,9 @@ METHOD(ike_sa_t, retransmit, status_t, } case IKE_DELETING: DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding"); - if (has_condition(this, COND_REAUTHENTICATING)) + if (has_condition(this, COND_REAUTHENTICATING) && + !lib->settings->get_bool(lib->settings, + "%s.make_before_break", FALSE, lib->ns)) { DBG1(DBG_IKE, "delete during reauthentication failed, " "trying to reestablish IKE_SA anyway"); @@ -2719,6 +2720,12 @@ METHOD(ike_sa_t, create_task_enumerator, enumerator_t*, return this->task_manager->create_task_enumerator(this->task_manager, queue); } +METHOD(ike_sa_t, remove_task, void, + private_ike_sa_t *this, enumerator_t *enumerator) +{ + return this->task_manager->remove_task(this->task_manager, enumerator); +} + METHOD(ike_sa_t, flush_queue, void, private_ike_sa_t *this, task_queue_t queue) { 
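Review bot: The new `remove_task` METHOD in ike_sa.c is declared void yet uses `return this->task_manager->remove_task(...)`; returning an expression from a void function is a constraint violation in ISO C (GCC warns under -pedantic), and the sibling methods such as `flush_queue` simply call through. Change it to `this->task_manager->remove_task(this->task_manager, enumerator);` without the return. The new make_before_break check in retransmit() deserves a comment explaining why reestablishing is skipped, presumably because a replacement IKE_SA already exists in that mode.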
@@ -2737,6 +2744,36 @@ METHOD(ike_sa_t, queue_task_delayed, void, this->task_manager->queue_task_delayed(this->task_manager, task, delay); } +/** + * Migrate and queue child-creating tasks from another IKE_SA + */ +static void migrate_child_tasks(private_ike_sa_t *this, ike_sa_t *other, + task_queue_t queue) +{ + enumerator_t *enumerator; + task_t *task; + + enumerator = other->create_task_enumerator(other, queue); + while (enumerator->enumerate(enumerator, &task)) + { + if (task->get_type(task) == TASK_CHILD_CREATE || + task->get_type(task) == TASK_QUICK_MODE) + { + other->remove_task(other, enumerator); + task->migrate(task, &this->public); + queue_task(this, task); + } + } + enumerator->destroy(enumerator); +} + +METHOD(ike_sa_t, adopt_child_tasks, void, + private_ike_sa_t *this, ike_sa_t *other) +{ + migrate_child_tasks(this, other, TASK_QUEUE_ACTIVE); + migrate_child_tasks(this, other, TASK_QUEUE_QUEUED); +} + METHOD(ike_sa_t, inherit_pre, void, private_ike_sa_t *this, ike_sa_t *other_public) { @@ -3052,9 +3089,11 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator, .create_attribute_enumerator = _create_attribute_enumerator, .set_kmaddress = _set_kmaddress, .create_task_enumerator = _create_task_enumerator, + .remove_task = _remove_task, .flush_queue = _flush_queue, .queue_task = _queue_task, .queue_task_delayed = _queue_task_delayed, + .adopt_child_tasks = _adopt_child_tasks, #ifdef ME .act_as_mediation_server = _act_as_mediation_server, .get_server_reflexive_host = _get_server_reflexive_host, diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h index c1d3e1d7a..be480eac8 100644 --- a/src/libcharon/sa/ike_sa.h +++ b/src/libcharon/sa/ike_sa.h 
@@ -1124,6 +1124,16 @@ struct ike_sa_t { */ enumerator_t* (*create_task_enumerator)(ike_sa_t *this, task_queue_t queue); + /** + * Remove the task the given enumerator points to. + * + * @note This should be used with caution, in partciular, for tasks in the + * active and passive queues. + * + * @param enumerator enumerator created with the method above + */ + void (*remove_task)(ike_sa_t *this, enumerator_t *enumerator); + /** * Flush a task queue, cancelling all tasks in it. * @@ -1147,6 +1157,13 @@ struct ike_sa_t { */ void (*queue_task_delayed)(ike_sa_t *this, task_t *task, uint32_t delay); + /** + * Adopt child creating tasks from the given IKE_SA. + * + * @param other other IKE_SA to adopt tasks from + */ + void (*adopt_child_tasks)(ike_sa_t *this, ike_sa_t *other); + /** * Inherit required attributes to new SA before rekeying. * diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c index c50c70860..3bac4b109 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -1967,6 +1967,8 @@ static void adopt_children_and_vips(ike_sa_t *old, ike_sa_t *new) } enumerator->destroy(enumerator); + new->adopt_child_tasks(new, old); + enumerator = old->create_virtual_ip_enumerator(old, FALSE); while (enumerator->enumerate(enumerator, &vip)) { diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c index b99d75142..ac2899f11 100644 --- a/src/libcharon/sa/ikev1/phase1.c +++ b/src/libcharon/sa/ikev1/phase1.c @@ -251,7 +251,8 @@ METHOD(phase1_t, derive_keys, bool, return FALSE; } charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, this->dh_value, - this->nonce_i, this->nonce_r, NULL, shared_key); + this->nonce_i, this->nonce_r, NULL, shared_key, + method); DESTROY_IF(shared_key); return TRUE; } diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c index 5f6c3bbe8..f76471e78 100644 --- a/src/libcharon/sa/ikev1/task_manager_v1.c 
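Review bot: The @note in the new remove_task documentation misspells "particular" as "partciular", and the same sentence is repeated in task_manager.h's remove_task declaration later in this patch, so fix both: `* @note This should be used with caution, in particular, for tasks in the`. The contract would also be clearer if it said that only an enumerator created by create_task_enumerator on this same object may be passed, since the task manager implementations cast it straight to their private enumerator struct.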
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2007-2016 Tobias Brunner + * Copyright (C) 2007-2018 Tobias Brunner * Copyright (C) 2007-2011 Martin Willi * HSR Hochschule fuer Technik Rapperswil * @@ -544,20 +544,20 @@ METHOD(task_manager_t, initiate, status_t, new_mid = TRUE; break; } - if (!mode_config_expected(this) && - activate_task(this, TASK_QUICK_MODE)) + if (activate_task(this, TASK_ISAKMP_DPD)) { - exchange = QUICK_MODE; + exchange = INFORMATIONAL_V1; new_mid = TRUE; break; } - if (activate_task(this, TASK_INFORMATIONAL)) + if (!mode_config_expected(this) && + activate_task(this, TASK_QUICK_MODE)) { - exchange = INFORMATIONAL_V1; + exchange = QUICK_MODE; new_mid = TRUE; break; } - if (activate_task(this, TASK_ISAKMP_DPD)) + if (activate_task(this, TASK_INFORMATIONAL)) { exchange = INFORMATIONAL_V1; new_mid = TRUE; @@ -1121,7 +1121,15 @@ static status_t process_request(private_task_manager_t *this, } } else - { /* We don't send a response, so don't retransmit one if we get + { + if (this->responding.retransmitted > 1) + { + packet_t *packet = NULL; + array_get(this->responding.packets, 0, &packet); + charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_CLEARED, + packet); + } + /* We don't send a response, so don't retransmit one if we get * the same message again. */ clear_packets(this->responding.packets); } 
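Review bot: The reordered activation checks in initiate() now prefer TASK_ISAKMP_DPD over a pending quick mode and informational tasks, but nothing records why the priority changed; add a comment before the DPD check describing the reason (presumably so liveness checks are not starved while a quick mode or mode config exchange is pending — confirm). initiate()'s body continues outside the hunk.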
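Review bot: In process_request() the result of `array_get(this->responding.packets, 0, &packet)` is ignored, so if the packets array happens to be empty while `retransmitted > 1`, ALERT_RETRANSMIT_SEND_CLEARED is raised with a NULL packet; guard it with `if (array_get(this->responding.packets, 0, &packet))` around the alert, or document that listeners must tolerate a NULL packet. The `> 1` threshold also deserves a one-line comment, since it is not obvious from the hunk whether `retransmitted` counts the initial transmission.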
@@ -1883,39 +1891,6 @@ METHOD(task_manager_t, adopt_tasks, void, } } -/** - * Migrates child-creating tasks from src to dst - */ -static void migrate_child_tasks(private_task_manager_t *this, - linked_list_t *src, linked_list_t *dst) -{ - enumerator_t *enumerator; - task_t *task; - - enumerator = src->create_enumerator(src); - while (enumerator->enumerate(enumerator, &task)) - { - if (task->get_type(task) == TASK_QUICK_MODE) - { - src->remove_at(src, enumerator); - task->migrate(task, this->ike_sa); - dst->insert_last(dst, task); - } - } - enumerator->destroy(enumerator); -} - -METHOD(task_manager_t, adopt_child_tasks, void, - private_task_manager_t *this, task_manager_t *other_public) -{ - private_task_manager_t *other = (private_task_manager_t*)other_public; - - /* move active child tasks from other to this */ - migrate_child_tasks(this, other->active_tasks, this->queued_tasks); - /* do the same for queued tasks */ - migrate_child_tasks(this, other->queued_tasks, this->queued_tasks); -} - METHOD(task_manager_t, busy, bool, private_task_manager_t *this) { 
@@ -1976,19 +1951,86 @@ METHOD(task_manager_t, reset, void, } } +/** + * Data for a task queue enumerator + */ +typedef struct { + enumerator_t public; + task_queue_t queue; + enumerator_t *inner; +} task_enumerator_t; + +METHOD(enumerator_t, task_enumerator_destroy, void, + task_enumerator_t *this) +{ + this->inner->destroy(this->inner); + free(this); +} + +METHOD(enumerator_t, task_enumerator_enumerate, bool, + task_enumerator_t *this, va_list args) +{ + task_t **task; + + VA_ARGS_VGET(args, task); + return this->inner->enumerate(this->inner, task); +} + METHOD(task_manager_t, create_task_enumerator, enumerator_t*, private_task_manager_t *this, task_queue_t queue) { + task_enumerator_t *enumerator; + + INIT(enumerator, + .public = { + .enumerate = enumerator_enumerate_default, + .venumerate = _task_enumerator_enumerate, + .destroy = _task_enumerator_destroy, + }, + .queue = queue, + ); switch (queue) { case TASK_QUEUE_ACTIVE: - return this->active_tasks->create_enumerator(this->active_tasks); + enumerator->inner = this->active_tasks->create_enumerator( + this->active_tasks); + break; + case TASK_QUEUE_PASSIVE: + enumerator->inner = this->passive_tasks->create_enumerator( + this->passive_tasks); + break; + case TASK_QUEUE_QUEUED: + enumerator->inner = this->queued_tasks->create_enumerator( + this->queued_tasks); + break; + default: + enumerator->inner = enumerator_create_empty(); + break; + } + return &enumerator->public; +} + +METHOD(task_manager_t, remove_task, void, + private_task_manager_t *this, enumerator_t *enumerator_public) +{ + task_enumerator_t *enumerator = (task_enumerator_t*)enumerator_public; + + switch (enumerator->queue) + { + case TASK_QUEUE_ACTIVE: + this->active_tasks->remove_at(this->active_tasks, + enumerator->inner); + break; case TASK_QUEUE_PASSIVE: - return this->passive_tasks->create_enumerator(this->passive_tasks); + this->passive_tasks->remove_at(this->passive_tasks, + enumerator->inner); + break; case TASK_QUEUE_QUEUED: - return 
this->queued_tasks->create_enumerator(this->queued_tasks); + this->queued_tasks->remove_at(this->queued_tasks, + enumerator->inner); + break; default: - return enumerator_create_empty(); + break; } } @@ -2039,9 +2081,9 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa) .get_mid = _get_mid, .reset = _reset, .adopt_tasks = _adopt_tasks, - .adopt_child_tasks = _adopt_child_tasks, .busy = _busy, .create_task_enumerator = _create_task_enumerator, + .remove_task = _remove_task, .flush = _flush, .flush_queue = _flush_queue, .destroy = _destroy, diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_cert_post.c b/src/libcharon/sa/ikev1/tasks/isakmp_cert_post.c index 7dbbdc92f..b652d926f 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_cert_post.c +++ b/src/libcharon/sa/ikev1/tasks/isakmp_cert_post.c @@ -287,7 +287,6 @@ METHOD(task_t, process_i, status_t, default: return FAILED; } - break; } case AGGRESSIVE: { diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c b/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c index 58f856e3f..566bfe83a 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c +++ b/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c @@ -605,7 +605,6 @@ METHOD(task_t, process_i, status_t, default: return FAILED; } - break; } case AGGRESSIVE: { diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c index 007e94d96..b0a42b8bd 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.c +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c 
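Review bot: remove_task casts `enumerator_public` to task_enumerator_t and reads `enumerator->queue` with no way to tell whether the enumerator was created by create_task_enumerator, so as a public task_manager_t method it should state that precondition, e.g. `/* enumerator must have been created by create_task_enumerator of this manager */`. The same comment could mention that an enumerator from the default branch (enumerator_create_empty()) makes remove_task a no-op through its own default case. The task_enumerator_t struct members `queue` and `inner` are undocumented; one comment each would match the file's style.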
@@ -1110,14 +1110,17 @@ METHOD(task_t, process_r, status_t, this->tsi = select_ts(this, FALSE, tsi); this->tsr = select_ts(this, TRUE, tsr); } - tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy)); - tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy)); if (!this->config || !this->tsi || !this->tsr || this->mode != this->config->get_mode(this->config)) { - DBG1(DBG_IKE, "no matching CHILD_SA config found"); + DBG1(DBG_IKE, "no matching CHILD_SA config found for " + "%#R === %#R", tsi, tsr); + tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy)); + tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy)); return send_notify(this, INVALID_ID_INFORMATION); } + tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy)); + tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy)); if (this->config->has_option(this->config, OPT_IPCOMP)) { diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c index 1fcef03cc..97d33a89e 100644 --- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c 
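Review bot: The `destroy_offset` calls for tsi and tsr are now duplicated on the failure and success paths so that the lists outlive the new log message; a single cleanup point keeps the two lists' lifetime obvious and avoids a future path forgetting one of them. One way is to evaluate the match into a flag, log and destroy once, then return on the flag, as sketched below. process_r()'s body continues outside the hunk.
```c
	/* … unchanged: select_ts calls … */
	bool found = this->config && this->tsi && this->tsr &&
				 this->mode == this->config->get_mode(this->config);
	if (!found)
	{
		DBG1(DBG_IKE, "no matching CHILD_SA config found for "
			 "%#R === %#R", tsi, tsr);
	}
	tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
	tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
	if (!found)
	{
		return send_notify(this, INVALID_ID_INFORMATION);
	}
	/* … unchanged: IPComp handling … */
```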
@@ -110,6 +110,40 @@ static bool build_signature_auth_data(chunk_t *auth_data, return TRUE; } +/** + * Check if the given scheme is supported by the key and, if so, add it to the + * first array (we add the scheme supported by the key in case the parameters + * are different) + */ +static void add_scheme_if_supported(array_t *selected, array_t *supported, + signature_params_t *config) +{ + signature_params_t *sup; + int i; + + if (!supported) + { + array_insert(selected, ARRAY_TAIL, signature_params_clone(config)); + return; + } + + for (i = 0; i < array_count(supported); i++) + { + array_get(supported, i, &sup); + if (signature_params_comply(sup, config)) + { + array_insert(selected, ARRAY_TAIL, signature_params_clone(sup)); + return; + } + } +} + +CALLBACK(destroy_scheme, void, + signature_params_t *params, int idx, void *user) +{ + signature_params_destroy(params); +} + /** * Selects possible signature schemes based on our configuration, the other * peer's capabilities and the private key @@ -123,10 +157,32 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat, auth_rule_t rule; key_type_t key_type; bool have_config = FALSE; - array_t *selected; + array_t *supported = NULL, *selected; selected = array_create(0, 0); key_type = private->get_type(private); + + if (private->supported_signature_schemes) + { + enumerator = private->supported_signature_schemes(private); + while (enumerator->enumerate(enumerator, &config)) + { + if (keymat->hash_algorithm_supported(keymat, + hasher_from_signature_scheme(config->scheme, + config->params))) + { + array_insert_create(&supported, ARRAY_TAIL, + signature_params_clone(config)); + } + } + enumerator->destroy(enumerator); + + if (!supported) + { + return selected; + } + } + enumerator = auth->create_enumerator(auth); while (enumerator->enumerate(enumerator, &rule, &config)) { 
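Review bot: When the private key advertises supported_signature_schemes but none of them uses a hash the keymat supports, the new early `return selected;` hands back an empty array without any log line, and the same silent outcome occurs in the next hunk when every configured scheme is filtered out by add_scheme_if_supported; authentication then presumably fails later with less context for the operator than before. Consider a `DBG1(DBG_IKE, "no usable signature scheme supported by private key")` (and a matching one for the configured-schemes case) before returning the empty array. select_signature_schemes() continues past the hunk.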
@@ -134,21 +190,32 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat, { continue; } - have_config = TRUE; if (key_type == key_type_from_signature_scheme(config->scheme) && keymat->hash_algorithm_supported(keymat, hasher_from_signature_scheme(config->scheme, config->params))) { - array_insert(selected, ARRAY_TAIL, signature_params_clone(config)); + add_scheme_if_supported(selected, supported, config); } + have_config = TRUE; } enumerator->destroy(enumerator); - if (!have_config) + if (have_config) { - /* if no specific configuration, find schemes appropriate for the key - * and supported by the other peer */ + array_destroy_function(supported, destroy_scheme, NULL); + } + else + { + /* if we have no config, return either whatever schemes the key (and + * peer) support or.. */ + if (supported) + { + array_destroy(selected); + return supported; + } + + /* ...find schemes appropriate for the key and supported by the peer */ enumerator = signature_schemes_for_key(key_type, private->get_keysize(private)); while (enumerator->enumerate(enumerator, &config)) @@ -207,12 +274,6 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat, return selected; } -CALLBACK(destroy_scheme, void, - signature_params_t *params, int idx, void *user) -{ - signature_params_destroy(params); -} - /** * Adds the given auth data to the message, either in an AUTH payload or * a NO_PPK_AUTH notify. @@ -310,9 +371,9 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this, if (params->scheme == SIGN_RSA_EMSA_PSS) { rsa_pss_params_t *pss = params->params; - DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N_%N %s", id, - signature_scheme_names, params->scheme, - hash_algorithm_short_names_upper, pss->hash, + DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N_%N_SALT_%zd " + "%s", id, signature_scheme_names, params->scheme, + hash_algorithm_short_names_upper, pss->hash, pss->salt_len, status == SUCCESS ? "successful" : "failed"); } else 
@@ -586,9 +647,9 @@ METHOD(authenticator_t, process, status_t, else if (params->scheme == SIGN_RSA_EMSA_PSS) { rsa_pss_params_t *pss = params->params; - DBG1(DBG_IKE, "authentication of '%Y' with %N_%N successful", - id, signature_scheme_names, params->scheme, - hash_algorithm_short_names_upper, pss->hash); + DBG1(DBG_IKE, "authentication of '%Y' with %N_%N_SALT_%zd " + "successful", id, signature_scheme_names, params->scheme, + hash_algorithm_short_names_upper, pss->hash, pss->salt_len); } else { diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c index 910c77a2d..e9142d79b 100644 --- a/src/libcharon/sa/ikev2/task_manager_v2.c +++ b/src/libcharon/sa/ikev2/task_manager_v2.c 
@@ -1458,6 +1458,59 @@ static bool looks_like_mid_sync(private_task_manager_t *this, message_t *msg, return found && !other; } +/** + * Check whether we should reject the given request message + */ +static inline bool reject_request(private_task_manager_t *this, + message_t *msg) +{ + ike_sa_state_t state; + exchange_type_t type; + ike_sa_id_t *ike_sa_id; + bool reject = FALSE; + + state = this->ike_sa->get_state(this->ike_sa); + type = msg->get_exchange_type(msg); + + /* reject initial messages if not received in specific states */ + switch (type) + { + case IKE_SA_INIT: + reject = state != IKE_CREATED; + break; + case IKE_AUTH: + reject = state != IKE_CONNECTING; + break; + default: + break; + } + + if (!reject) + { + switch (state) + { + /* after rekeying we only expect a DELETE in an INFORMATIONAL */ + case IKE_REKEYED: + reject = type != INFORMATIONAL; + break; + /* also reject requests for half-open IKE_SAs as initiator */ + case IKE_CREATED: + case IKE_CONNECTING: + ike_sa_id = this->ike_sa->get_id(this->ike_sa); + reject = ike_sa_id->is_initiator(ike_sa_id); + break; + default: + break; + } + } + + if (reject) + { + DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N", exchange_type_names, + type, ike_sa_state_names, state); + } + return reject; +} /** * Check if a message with message ID 0 looks like it is used to synchronize * the message IDs and we are prepared to process it. @@ -1483,8 +1536,6 @@ METHOD(task_manager_t, process_message, status_t, status_t status; uint32_t mid; bool schedule_delete_job = FALSE; - ike_sa_state_t state; - exchange_type_t type; charon->bus->message(charon->bus, msg, TRUE, FALSE); status = parse_message(this, msg); 
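Review bot: The closing brace of reject_request is immediately followed by the `/** Check if a message with message ID 0 ...` comment with no blank line between the two definitions, unlike the rest of the file; add a blank line after `return reject;` `}`. Beyond style, the IKE_CREATED/IKE_CONNECTING case that rejects requests when we are the initiator of a half-open IKE_SA is new compared to the condition removed in the next hunk and deserves a sentence in the function's header comment, e.g. `* Check whether we should reject the given request message, e.g. because it arrives in an unexpected IKE_SA state or on a half-open IKE_SA we initiated`.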
@@ -1517,24 +1568,14 @@ METHOD(task_manager_t, process_message, status_t, /* add a timeout if peer does not establish it completely */ schedule_delete_job = TRUE; } - this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND, - time_monotonic(NULL)); mid = msg->get_message_id(msg); if (msg->get_request(msg)) { if (mid == this->responding.mid || (mid == 0 && is_mid_sync(this, msg))) { - /* reject initial messages if not received in specific states, - * after rekeying we only expect a DELETE in an INFORMATIONAL */ - type = msg->get_exchange_type(msg); - state = this->ike_sa->get_state(this->ike_sa); - if ((type == IKE_SA_INIT && state != IKE_CREATED) || - (type == IKE_AUTH && state != IKE_CONNECTING) || - (state == IKE_REKEYED && type != INFORMATIONAL)) + if (reject_request(this, msg)) { - DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N", - exchange_type_names, type, ike_sa_state_names, state); return FAILED; } if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE)) @@ -1544,6 +1585,11 @@ METHOD(task_manager_t, process_message, status_t, status = handle_fragment(this, &this->responding.defrag, msg); if (status != SUCCESS) { + if (status == NEED_MORE) + { + this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND, + time_monotonic(NULL)); + } return status; } charon->bus->message(charon->bus, msg, TRUE, TRUE); @@ -1554,6 +1600,8 @@ METHOD(task_manager_t, process_message, status_t, switch (process_request(this, msg)) { case SUCCESS: + this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND, + time_monotonic(NULL)); this->responding.mid++; break; case NEED_MORE: 
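Review bot: `this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND, time_monotonic(NULL));` is now repeated at five places in process_message across this and the next hunk, each inside a slightly different guard; a small `static void update_inbound_stat(private_task_manager_t *this)` helper would keep the call sites to one line and make the intent searchable. Nothing in the hunks says why the single update at the top was split, so a comment at the first call site should state the reason — presumably that rejected or unaccepted messages must no longer refresh the inbound timestamp — confirm. process_message()'s body continues outside these hunks.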
@@ -1570,10 +1618,17 @@ METHOD(task_manager_t, process_message, status_t, status = handle_fragment(this, &this->responding.defrag, msg); if (status != SUCCESS) { + if (status == NEED_MORE) + { + this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND, + time_monotonic(NULL)); + } return status; } DBG1(DBG_IKE, "received retransmit of request with ID %d, " "retransmitting response", mid); + this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND, + time_monotonic(NULL)); charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg); send_packets(this, this->responding.packets, msg->get_destination(msg), msg->get_source(msg)); @@ -1603,6 +1658,11 @@ METHOD(task_manager_t, process_message, status_t, status = handle_fragment(this, &this->initiating.defrag, msg); if (status != SUCCESS) { + if (status == NEED_MORE) + { + this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND, + time_monotonic(NULL)); + } return status; } charon->bus->message(charon->bus, msg, TRUE, TRUE); @@ -1615,6 +1675,8 @@ METHOD(task_manager_t, process_message, status_t, flush(this); return DESTROY_ME; } + this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND, + time_monotonic(NULL)); } else { 
@@ -2014,61 +2076,6 @@ METHOD(task_manager_t, adopt_tasks, void, } } -/** - * Migrates child-creating tasks from other to this - */ -static void migrate_child_tasks(private_task_manager_t *this, - private_task_manager_t *other, - task_queue_t queue) -{ - enumerator_t *enumerator; - array_t *array; - task_t *task; - - switch (queue) - { - case TASK_QUEUE_ACTIVE: - array = other->active_tasks; - break; - case TASK_QUEUE_QUEUED: - array = other->queued_tasks; - break; - default: - return; - } - - enumerator = array_create_enumerator(array); - while (enumerator->enumerate(enumerator, &task)) - { - queued_task_t *queued = NULL; - - if (queue == TASK_QUEUE_QUEUED) - { - queued = (queued_task_t*)task; - task = queued->task; - } - if (task->get_type(task) == TASK_CHILD_CREATE) - { - array_remove_at(array, enumerator); - task->migrate(task, this->ike_sa); - queue_task(this, task); - free(queued); - } - } - enumerator->destroy(enumerator); -} - -METHOD(task_manager_t, adopt_child_tasks, void, - private_task_manager_t *this, task_manager_t *other_public) -{ - private_task_manager_t *other = (private_task_manager_t*)other_public; - - /* move active child tasks from other to this */ - migrate_child_tasks(this, other, TASK_QUEUE_ACTIVE); - /* do the same for queued tasks */ - migrate_child_tasks(this, other, TASK_QUEUE_QUEUED); -} - METHOD(task_manager_t, busy, bool, private_task_manager_t *this) { 
@@ -2124,17 +2131,39 @@ METHOD(task_manager_t, reset, void, this->reset = TRUE; } -CALLBACK(filter_queued, bool, - void *unused, enumerator_t *orig, va_list args) -{ +/** + * Data for a task queue enumerator + */ +typedef struct { + enumerator_t public; + task_queue_t queue; + enumerator_t *inner; queued_task_t *queued; +} task_enumerator_t; + +METHOD(enumerator_t, task_enumerator_destroy, void, + task_enumerator_t *this) +{ + this->inner->destroy(this->inner); + free(this); +} + +METHOD(enumerator_t, task_enumerator_enumerate, bool, + task_enumerator_t *this, va_list args) +{ task_t **task; VA_ARGS_VGET(args, task); - - if (orig->enumerate(orig, &queued)) + if (this->queue == TASK_QUEUE_QUEUED) + { + if (this->inner->enumerate(this->inner, &this->queued)) + { + *task = this->queued->task; + return TRUE; + } + } + else if (this->inner->enumerate(this->inner, task)) { - *task = queued->task; return TRUE; } return FALSE; 
@@ -2143,18 +2172,54 @@ CALLBACK(filter_queued, bool, METHOD(task_manager_t, create_task_enumerator, enumerator_t*, private_task_manager_t *this, task_queue_t queue) { + task_enumerator_t *enumerator; + + INIT(enumerator, + .public = { + .enumerate = enumerator_enumerate_default, + .venumerate = _task_enumerator_enumerate, + .destroy = _task_enumerator_destroy, + }, + .queue = queue, + ); switch (queue) { case TASK_QUEUE_ACTIVE: - return array_create_enumerator(this->active_tasks); + enumerator->inner = array_create_enumerator(this->active_tasks); + break; case TASK_QUEUE_PASSIVE: - return array_create_enumerator(this->passive_tasks); + enumerator->inner = array_create_enumerator(this->passive_tasks); + break; case TASK_QUEUE_QUEUED: - return enumerator_create_filter( - array_create_enumerator(this->queued_tasks), - filter_queued, NULL, NULL); + enumerator->inner = array_create_enumerator(this->queued_tasks); + break; default: - return enumerator_create_empty(); + enumerator->inner = enumerator_create_empty(); + break; + } + return &enumerator->public; +} + +METHOD(task_manager_t, remove_task, void, + private_task_manager_t *this, enumerator_t *enumerator_public) +{ + task_enumerator_t *enumerator = (task_enumerator_t*)enumerator_public; + + switch (enumerator->queue) + { + case TASK_QUEUE_ACTIVE: + array_remove_at(this->active_tasks, enumerator->inner); + break; + case TASK_QUEUE_PASSIVE: + array_remove_at(this->passive_tasks, enumerator->inner); + break; + case TASK_QUEUE_QUEUED: + array_remove_at(this->queued_tasks, enumerator->inner); + free(enumerator->queued); + enumerator->queued = NULL; + break; + default: + break; } } 
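Review bot: In the TASK_QUEUE_QUEUED branch of remove_task the queued_task_t wrapper is freed but the wrapped task is not, so the task pointer the caller obtained from enumerate stays valid and ownership passes to the caller — which is what ike_sa.c's migrate_child_tasks relies on when it calls task->migrate after remove_task. Say so on the method, e.g. `/* removes the task from its queue, the caller takes ownership of the task (only the queued_task_t wrapper is freed for queued tasks) */`, and give the `queued` member of task_enumerator_t a comment that it is only set while enumerating TASK_QUEUE_QUEUED. Calling remove_task before a successful enumerate is undefined here (inner enumerator not positioned, `queued` NULL); the precondition belongs in the same comment.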
@@ -2204,9 +2269,9 @@ task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa) .get_mid = _get_mid, .reset = _reset, .adopt_tasks = _adopt_tasks, - .adopt_child_tasks = _adopt_child_tasks, .busy = _busy, .create_task_enumerator = _create_task_enumerator, + .remove_task = _remove_task, .flush = _flush, .flush_queue = _flush_queue, .destroy = _destroy, diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c index 6c8b29018..0e3711898 100644 --- a/src/libcharon/sa/ikev2/tasks/child_delete.c +++ b/src/libcharon/sa/ikev2/tasks/child_delete.c @@ -174,6 +174,11 @@ static void install_outbound(private_child_delete_t *this, linked_list_t *my_ts, *other_ts; status_t status; + if (!spi) + { + return; + } + child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol, spi, FALSE); if (!child_sa) @@ -312,7 +317,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this) child_sa_t *child_sa; child_cfg_t *child_cfg; protocol_id_t protocol; - uint32_t spi, reqid, rekey_spi; + uint32_t spi, reqid; action_t action; status_t status = SUCCESS; time_t now, expire; @@ -335,11 +340,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this) } else { - rekey_spi = child_sa->get_rekey_spi(child_sa); - if (rekey_spi) - { - install_outbound(this, protocol, rekey_spi); - } + install_outbound(this, protocol, child_sa->get_rekey_spi(child_sa)); /* for rekeyed CHILD_SAs we uninstall the outbound SA but don't * immediately destroy it, by default, so we can process delayed * packets */ 
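Review bot: The new `if (!spi) return;` at the top of install_outbound has no explanation, and since the later hunk now passes `child_sa->get_rekey_spi(child_sa)` unconditionally, a reader has to trace that change to understand why zero is an expected argument; a comment such as `/* no rekey SPI, the CHILD_SA was not rekeyed, nothing to install */` records it. install_outbound's body continues outside the hunk.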
@@ -459,6 +460,17 @@ METHOD(task_t, build_i, status_t, this->spi = child_sa->get_spi(child_sa, TRUE); } + if (this->expired && child_sa->get_state(child_sa) == CHILD_REKEYED) + { /* the peer was expected to delete this SA, but if we send a DELETE + * we might cause a collision there if the CREATE_CHILD_SA response + * is delayed (the peer wouldn't know if we deleted this SA due to an + * expire or because of a forced delete by the user and might then + * ignore the CREATE_CHILD_SA response once it arrives) */ + child_sa->set_state(child_sa, CHILD_DELETED); + install_outbound(this, this->protocol, + child_sa->get_rekey_spi(child_sa)); + } + if (child_sa->get_state(child_sa) == CHILD_DELETED) { /* DELETEs for this CHILD_SA were already exchanged, but it was not yet * destroyed to allow delayed packets to get processed */ diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c index 307d99264..b570904e2 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_init.c +++ b/src/libcharon/sa/ikev2/tasks/ike_init.c @@ -773,7 +773,7 @@ static bool derive_keys(private_ike_init_t *this, return FALSE; } charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, chunk_empty, - nonce_i, nonce_r, this->old_sa, NULL); + nonce_i, nonce_r, this->old_sa, NULL, AUTH_NONE); return TRUE; } @@ -890,6 +890,20 @@ METHOD(task_t, pre_process_i, status_t, switch (type) { + case COOKIE: + { + chunk_t cookie; + + cookie = notify->get_notification_data(notify); + if (chunk_equals(cookie, this->cookie)) + { + DBG1(DBG_IKE, "ignore response with duplicate COOKIE " + "notify"); + enumerator->destroy(enumerator); + return FAILED; + } + break; + } case REDIRECT: { identification_t *gateway; diff --git a/src/libcharon/sa/task_manager.h b/src/libcharon/sa/task_manager.h index 9545da4f3..c357d5035 100644 --- a/src/libcharon/sa/task_manager.h +++ b/src/libcharon/sa/task_manager.h 
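Review bot: The new COOKIE case in pre_process_i drops a response whose notify repeats the cookie we already stored, but the reason is not stated; a comment before the chunk_equals check along the lines of `/* a responder repeating the same cookie would otherwise make us resend IKE_SA_INIT indefinitely */` captures the presumed intent. Whether chunk_equals treats two empty chunks as equal is not visible here; if it does, an empty COOKIE notify received before any cookie was stored would be reported as a duplicate, so confirm and, if needed, add `this->cookie.len &&` to the condition. pre_process_i()'s body continues outside the hunk.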
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2013-2016 Tobias Brunner + * Copyright (C) 2013-2018 Tobias Brunner * Copyright (C) 2006 Martin Willi * HSR Hochschule fuer Technik Rapperswil * @@ -227,13 +227,6 @@ struct task_manager_t { */ void (*adopt_tasks) (task_manager_t *this, task_manager_t *other); - /** - * Migrate all active or queued CHILD_SA-creating tasks from other to this. - * - * @param other manager which gives away its tasks - */ - void (*adopt_child_tasks) (task_manager_t *this, task_manager_t *other); - /** * Increment a message ID counter, in- or outbound. * @@ -284,6 +277,16 @@ struct task_manager_t { enumerator_t* (*create_task_enumerator)(task_manager_t *this, task_queue_t queue); + /** + * Remove the task the given enumerator points to. + * + * @note This should be used with caution, in partciular, for tasks in the + * active and passive queues. + * + * @param enumerator enumerator created with the method above + */ + void (*remove_task)(task_manager_t *this, enumerator_t *enumerator); + /** * Flush all tasks, regardless of the queue. */ diff --git a/src/libcharon/tests/suites/test_child_rekey.c b/src/libcharon/tests/suites/test_child_rekey.c index 51d577cd8..b9f6ea0bc 100644 --- a/src/libcharon/tests/suites/test_child_rekey.c +++ b/src/libcharon/tests/suites/test_child_rekey.c @@ -370,8 +370,8 @@ END_TEST /** * Check that the responder handles hard expires properly while waiting for the - * delete after a rekeying (e.g. if the initiator of the rekeying fails to - * delete the CHILD_SA for some reason). + * delete after a rekeying (e.g. if the rekey settings are tight or the + * CREATE_CHILD_SA response is delayed). */ START_TEST(test_regular_responder_handle_hard_expire) { 
@@ -405,28 +405,22 @@ START_TEST(test_regular_responder_handle_hard_expire) /* we don't expect this to get called anymore */ assert_hook_not_called(child_rekey); - /* this is similar to a regular delete collision */ - assert_single_payload(OUT, PLV2_DELETE); + /* this is similar to a regular delete collision, but we don't actually + * want to send a delete back as that might conflict with a delayed + * CREATE_CHILD_SA response */ call_ikesa(b, delete_child_sa, PROTO_ESP, 2, TRUE); - assert_child_sa_state(b, 2, CHILD_DELETING, CHILD_OUTBOUND_INSTALLED); - assert_child_sa_state(b, 4, CHILD_INSTALLED, CHILD_OUTBOUND_REGISTERED); - /* since the SAs expired they would not actually be installed in the kernel - * anymore and since we have not yet installed a new outbound SA this - * will result in dropped packets and possibly acquires */ - assert_ipsec_sas_installed(b, 1, 2, 4); + assert_child_sa_count(b, 1); + assert_child_sa_state(b, 4, CHILD_INSTALLED, CHILD_OUTBOUND_INSTALLED); + /* the expire causes the outbound SA to get installed */ + assert_ipsec_sas_installed(b, 3, 4); /* INFORMATIONAL { D } --> */ + assert_no_jobs_scheduled(); assert_single_payload(IN, PLV2_DELETE); exchange_test_helper->process_message(exchange_test_helper, b, NULL); - assert_child_sa_state(b, 2, CHILD_DELETING, CHILD_OUTBOUND_INSTALLED); - assert_child_sa_state(b, 4, CHILD_INSTALLED, CHILD_OUTBOUND_REGISTERED); - assert_ipsec_sas_installed(b, 1, 2, 4); - /* <-- INFORMATIONAL { D } */ - assert_single_payload(IN, PLV2_DELETE); - exchange_test_helper->process_message(exchange_test_helper, a, NULL); - assert_child_sa_state(a, 1, CHILD_DELETING, CHILD_OUTBOUND_INSTALLED); - assert_child_sa_state(a, 3, CHILD_INSTALLED, CHILD_OUTBOUND_INSTALLED); - assert_ipsec_sas_installed(a, 1, 2, 3, 4); + assert_child_sa_state(b, 4, CHILD_INSTALLED, CHILD_OUTBOUND_INSTALLED); + assert_ipsec_sas_installed(b, 3, 4); + assert_scheduler(); /* <-- INFORMATIONAL { } */ assert_jobs_scheduled(1); 
assert_message_empty(IN); @@ -436,23 +430,11 @@ START_TEST(test_regular_responder_handle_hard_expire) assert_child_sa_count(a, 2); assert_ipsec_sas_installed(a, 1, 3, 4); assert_scheduler(); - /* INFORMATIONAL { } --> */ - assert_jobs_scheduled(1); - assert_message_empty(IN); - exchange_test_helper->process_message(exchange_test_helper, b, NULL); - assert_child_sa_state(b, 2, CHILD_DELETED, CHILD_OUTBOUND_NONE); - assert_child_sa_state(b, 4, CHILD_INSTALLED, CHILD_OUTBOUND_INSTALLED); - assert_child_sa_count(b, 2); - assert_ipsec_sas_installed(b, 2, 3, 4); - assert_scheduler(); - /* simulate the execution of the scheduled jobs */ + /* simulate the execution of the scheduled job */ destroy_rekeyed(a, 1); assert_child_sa_count(a, 1); assert_ipsec_sas_installed(a, 3, 4); - destroy_rekeyed(b, 2); - assert_child_sa_count(b, 1); - assert_ipsec_sas_installed(b, 3, 4); /* child_rekey/child_updown */ assert_hook(); diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql index 5d5283620..3f8b4c957 100644 --- a/src/libimcv/imv/data.sql +++ b/src/libimcv/imv/data.sql @@ -574,6 +574,24 @@ INSERT INTO products ( /* 96 */ 'Ubuntu 18.04 x86_64' ); +INSERT INTO products ( /* 97 */ + name +) VALUES ( + 'Debian 9.5 i686' +); + +INSERT INTO products ( /* 98 */ + name +) VALUES ( + 'Debian 9.5 x86_64' +); + +INSERT INTO products ( /* 99 */ + name +) VALUES ( + 'Debian 9.6 x86_64' +); + /* Directories */ INSERT INTO directories ( /* 1 */ @@ -671,7 +689,7 @@ INSERT INTO files ( /* 1 */ INSERT INTO files ( /* 2 */ name, dir ) VALUES ( - 'libcrypto.so.1.0.0', 11 + 'libcrypto.so.1.1', 11 ); INSERT INTO files ( /* 3 */ @@ -683,7 +701,7 @@ INSERT INTO files ( /* 3 */ INSERT INTO files ( /* 4 */ name, dir ) VALUES ( - 'libssl.so.1.0.0', 11 + 'libssl.so.1.1', 11 ); INSERT INTO files ( /* 5 */ 
@@ -1144,6 +1162,12 @@ INSERT INTO groups_product_defaults ( 4, 94 ); +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 97 +); + INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( @@ -1264,6 +1288,18 @@ INSERT INTO groups_product_defaults ( 5, 95 ); +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 5, 98 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 5, 99 +); + INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( @@ -1665,13 +1701,13 @@ INSERT INTO policies ( /* 11 */ INSERT INTO policies ( /* 12 */ type, name, file, rec_fail, rec_noresult ) VALUES ( - 6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2 + 6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1', 2, 2, 2 ); INSERT INTO policies ( /* 13 */ type, name, file, rec_fail, rec_noresult ) VALUES ( - 6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2 + 6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.1', 4, 2, 2 ); INSERT INTO policies ( /* 14 */ diff --git a/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-7-1.swidtag b/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-7-1.swidtag deleted file mode 100644 index 6ca455dac..000000000 --- a/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-7-1.swidtag +++ /dev/null @@ -1,11 +0,0 @@ - - - - diff --git a/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-7-2.swidtag b/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-7-2.swidtag new file mode 100644 index 000000000..77f00e036 --- /dev/null +++ b/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-7-2.swidtag @@ -0,0 +1,11 @@ + + + + diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c b/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c index 89ba86930..51bcdc410 100644 --- a/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c 
+++ b/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c
@@ -249,8 +249,6 @@ static TNC_Result receive_msg(private_imv_attestation_agent_t *this,
 os_name.len, os_name.ptr);
 }
 break;
-
- break;
 }
 case IETF_ATTR_STRING_VERSION:
 {
diff --git a/src/libpttls/pt_tls_client.c b/src/libpttls/pt_tls_client.c
index 265a4a09a..f86f13dcc 100644
--- a/src/libpttls/pt_tls_client.c
+++ b/src/libpttls/pt_tls_client.c
@@ -231,7 +231,6 @@ static status_t do_sasl(private_pt_tls_client_t *this, sasl_mechanism_t *sasl)
 reader->destroy(reader);
 return FAILED;
 }
- break;
 case PT_TLS_SASL_RESULT_MECH_FAILURE:
 case PT_TLS_SASL_RESULT_FAILURE:
 /* non-fatal failure, try again */
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 278c67405..b04627e63 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -551,6 +551,7 @@ static signature_params_t *create_rsa_pss_constraint(char *token)
 .scheme = SIGN_RSA_EMSA_PSS,
 .params = &pss,
 };
+ rsa_pss_params_set_salt_len(&pss, 0);
 params = signature_params_clone(&pss_params);
 }
 return params;
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index 0239ee17e..61dfbbcad 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -73,6 +73,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 "BUILD_SAFE_PRIMES",
 "BUILD_SHARES",
 "BUILD_THRESHOLD",
+ "BUILD_EDDSA_PUB",
 "BUILD_EDDSA_PRIV_ASN1_DER",
 "BUILD_END",
 );
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index 7928ef487..b283bd166 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
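Review bot: The return value of the added `rsa_pss_params_set_salt_len(&pss, 0);` in create_rsa_pss_constraint is ignored, so when the hash size lookup fails the constraint keeps the negative `RSA_PSS_SALT_LEN_DEFAULT` sentinel in `salt_len`, and the strict branch of compare_params, which in this version compares the two `salt_len` values directly, would then never match a resolved length. Bail out instead of cloning an unresolved constraint: `if (!rsa_pss_params_set_salt_len(&pss, 0)) { return NULL; }` before the clone, assuming `params` is initialised to NULL earlier in the function. The body of create_rsa_pss_constraint starts outside the hunk, so that initialisation is not visible here.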
@@ -156,6 +156,8 @@ enum builder_part_t { BUILD_SHARES, /** minimum number of participating private key shares */ BUILD_THRESHOLD, + /** EdDSA public key blob */ + BUILD_EDDSA_PUB, /** DER encoded ASN.1 EdDSA private key */ BUILD_EDDSA_PRIV_ASN1_DER, /** end of variable argument builder list */ diff --git a/src/libstrongswan/credentials/keys/private_key.h b/src/libstrongswan/credentials/keys/private_key.h index d7cfdd74d..5cf8641ad 100644 --- a/src/libstrongswan/credentials/keys/private_key.h +++ b/src/libstrongswan/credentials/keys/private_key.h @@ -39,6 +39,19 @@ struct private_key_t { */ key_type_t (*get_type)(private_key_t *this); + /** + * Get signature schemes supported by this key. + * + * This is useful for keys that only support certain hash algorithms or + * require specific parameters for RSA/PSS signatures. + * + * @note Implementing this method is optional. If multiple schemes are + * returned, they should be ordered by decreasing preference. + * + * @return enumerator over signature_params_t* + */ + enumerator_t *(*supported_signature_schemes)(private_key_t *this); + /** * Create a signature over a chunk of data. * diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c index 89fa9b348..3ef6981f6 100644 --- a/src/libstrongswan/credentials/keys/public_key.c +++ b/src/libstrongswan/credentials/keys/public_key.c @@ -250,7 +250,7 @@ int signature_scheme_to_oid(signature_scheme_t scheme) #define PSS_PARAMS(bits) static rsa_pss_params_t pss_params_sha##bits = { \ .hash = HASH_SHA##bits, \ .mgf1_hash = HASH_SHA##bits, \ - .salt_len = RSA_PSS_SALT_LEN_DEFAULT, \ + .salt_len = HASH_SIZE_SHA##bits, \ } PSS_PARAMS(256); diff --git a/src/libstrongswan/credentials/keys/signature_params.c b/src/libstrongswan/credentials/keys/signature_params.c index 8f42fb940..d89bd2c96 100644 --- a/src/libstrongswan/credentials/keys/signature_params.c +++ b/src/libstrongswan/credentials/keys/signature_params.c 
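Review bot: The doc block for the new optional `supported_signature_schemes` method in private_key.h does not say who owns the returned enumerator or how long the `signature_params_t*` it yields remain valid, which a caller of an optional method needs to know before keeping a pointer. Suggest `@return enumerator over signature_params_t*, to be destroyed by the caller` and a sentence stating that the yielded pointers belong to the enumerator or key and must be cloned if retained; the agent implementation later in this commit hands out pointers into a static table, but other implementations need not. It would also help to state what a NULL function pointer means to callers, presumably "no restriction", though that is inferred rather than visible here.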
@@ -18,22 +18,43 @@ #include #include -/** - * Determine the salt length in case it is not configured +/* + * Described in header */ -static ssize_t rsa_pss_salt_length(rsa_pss_params_t *pss) +bool rsa_pss_params_set_salt_len(rsa_pss_params_t *params, size_t modbits) { - ssize_t salt_len = pss->salt_len; + size_t hash_len; - if (salt_len <= RSA_PSS_SALT_LEN_DEFAULT) + if (params->salt_len < 0) { - salt_len = hasher_hash_size(pss->hash); - if (!salt_len) + hash_len = hasher_hash_size(params->hash); + if (!hash_len) + { + return FALSE; + } + + switch (params->salt_len) { - return -1; + case RSA_PSS_SALT_LEN_DEFAULT: + params->salt_len = hash_len; + break; + case RSA_PSS_SALT_LEN_MAX: + if (modbits) + { + /* emBits = modBits - 1 */ + modbits -= 1; + /* emLen = ceil(emBits/8) */ + modbits = (modbits+7) / BITS_PER_BYTE; + /* account for 0x01 separator in DB, 0xbc trailing byte */ + params->salt_len = max(0, (ssize_t)(modbits - hash_len - 2)); + break; + } + return FALSE; + default: + return FALSE; } } - return salt_len; + return TRUE; } /** @@ -68,8 +89,7 @@ static bool compare_params(signature_params_t *a, signature_params_t *b, return pss_a->hash == pss_b->hash && pss_a->mgf1_hash == pss_b->mgf1_hash && - (!strict || - rsa_pss_salt_length(pss_a) == rsa_pss_salt_length(pss_b)); + (!strict || pss_a->salt_len == pss_b->salt_len); } default: break; @@ -328,7 +348,6 @@ end: bool rsa_pss_params_build(rsa_pss_params_t *params, chunk_t *asn1) { chunk_t hash = chunk_empty, mgf = chunk_empty, slen = chunk_empty; - ssize_t salt_len; int alg; if (params->hash != HASH_SHA1) 
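Review bot: In the `RSA_PSS_SALT_LEN_MAX` branch of rsa_pss_params_set_salt_len, `modbits - hash_len - 2` is evaluated in `size_t`, so for a modulus too short for the chosen hash the subtraction wraps and the intended 0 only comes out through the implementation-defined conversion to `ssize_t` inside `max()`. RFC 8017 rejects EMSA-PSS encoding whenever emLen < hLen + sLen + 2, so a modulus that cannot carry even an empty salt should be reported rather than silently assigned `salt_len = 0`; replace the `max()` line with `if (modbits < hash_len + 2) { return FALSE; }` followed by `params->salt_len = modbits - hash_len - 2;`. The same resolved value is then what the relaxed compare_params hunk below compares, so callers that skip this function will see a mismatch; the header comment should say the function must be called before comparing or building params.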
@@ -351,16 +370,15 @@ bool rsa_pss_params_build(rsa_pss_params_t *params, chunk_t *asn1) mgf = asn1_algorithmIdentifier_params(OID_MGF1, asn1_algorithmIdentifier(alg)); } - salt_len = rsa_pss_salt_length(params); - if (salt_len < 0) + if (params->salt_len < 0) { chunk_free(&hash); chunk_free(&mgf); return FALSE; } - else if (salt_len != HASH_SIZE_SHA1) + else if (params->salt_len != HASH_SIZE_SHA1) { - slen = asn1_integer("m", asn1_integer_from_uint64(salt_len)); + slen = asn1_integer("m", asn1_integer_from_uint64(params->salt_len)); } *asn1 = asn1_wrap(ASN1_SEQUENCE, "mmm", hash.len ? asn1_wrap(ASN1_CONTEXT_C_0, "m", hash) : chunk_empty, diff --git a/src/libstrongswan/credentials/keys/signature_params.h b/src/libstrongswan/credentials/keys/signature_params.h index 6934c5e88..b4169a829 100644 --- a/src/libstrongswan/credentials/keys/signature_params.h +++ b/src/libstrongswan/credentials/keys/signature_params.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2017 Tobias Brunner + * Copyright (C) 2017-2018 Tobias Brunner * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -100,11 +100,15 @@ struct rsa_pss_params_t { hash_algorithm_t hash; /** Hash for the MGF1 function */ hash_algorithm_t mgf1_hash; - /** Salt length, use RSA_PSS_SALT_LEN_DEFAULT for length equal to hash */ + /** Salt length, use the constants below for special lengths resolved + * via rsa_pss_params_set_salt_len() */ ssize_t salt_len; /** Salt value, for unit tests (not all implementations support this) */ chunk_t salt; +/** Use a salt length equal to the length of the hash */ #define RSA_PSS_SALT_LEN_DEFAULT -1 +/** Use the maximum salt length depending on the hash and key length */ +#define RSA_PSS_SALT_LEN_MAX -2 }; /** 
@@ -126,4 +130,15 @@ bool rsa_pss_params_parse(chunk_t asn1, int level0, rsa_pss_params_t *params); */ bool rsa_pss_params_build(rsa_pss_params_t *params, chunk_t *asn1); +/** + * Determine and set the salt length for the given params in case constants + * are used + * + * @param params parameters to update + * @param modbits RSA modulus length in bits (required if RSA_PSS_SALT_LEN_MAX + * is used) + * @return salt length to use, negative on error + */ +bool rsa_pss_params_set_salt_len(rsa_pss_params_t *params, size_t modbits); + #endif /** SIGNATURE_PARAMS_H_ @}*/ diff --git a/src/libstrongswan/crypto/mac.h b/src/libstrongswan/crypto/mac.h index 50dc4c73a..97cb7e352 100644 --- a/src/libstrongswan/crypto/mac.h +++ b/src/libstrongswan/crypto/mac.h @@ -39,12 +39,12 @@ struct mac_t { * * If out is NULL, no result is given back. A next call will * append the data to already supplied data. If out is not NULL, - * the mac of all apended data is calculated, written to out and the + * the MAC of all appended data is calculated, written to out and the * internal state is reset. * * @param data chunk of data to authenticate * @param out pointer where the generated bytes will be written - * @return TRUE if mac generated successfully + * @return TRUE if MAC generated successfully */ bool (*get_mac)(mac_t *this, chunk_t data, uint8_t *out) __attribute__((warn_unused_result)); diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c index cad94aa82..a078d3b30 100644 --- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c +++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c @@ -1,4 +1,4 @@ -/* C code produced by gperf version 3.0.4 */ +/* ANSI-C code produced by gperf version 3.1 */ /* Command-line: /usr/bin/gperf -N proposal_get_token_static -m 10 -C -G -c -t -D */ /* Computed positions: -k'1,5-7,10,15,$' */ 
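Review bot: The `@return` line on the new `rsa_pss_params_set_salt_len` declaration says `salt length to use, negative on error`, but the function is declared `bool` and the implementation returns TRUE/FALSE, so the documentation contradicts the signature. Replace it with `@return TRUE if the salt length was resolved, FALSE if the hash is unknown or modbits is 0 while RSA_PSS_SALT_LEN_MAX is requested`. It would also help to state that `params->salt_len` is rewritten in place and that the call does nothing for lengths that are already non-negative, since the implementation only acts when `salt_len < 0`.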
@@ -26,7 +26,7 @@ && ('w' == 119) && ('x' == 120) && ('y' == 121) && ('z' == 122) \ && ('{' == 123) && ('|' == 124) && ('}' == 125) && ('~' == 126)) /* The character set is not based on ISO-646. */ -error "gperf generated tables don't work with this execution character set. Please report a bug to ." +#error "gperf generated tables don't work with this execution character set. Please report a bug to ." #endif @@ -74,9 +74,7 @@ inline #endif #endif static unsigned int -hash (str, len) - register const char *str; - register unsigned int len; +hash (register const char *str, register size_t len) { static const unsigned char asso_values[] = { @@ -107,7 +105,7 @@ hash (str, len) 251, 251, 251, 251, 251, 251, 251, 251, 251, 251, 251, 251, 251, 251, 251, 251, 251 }; - register int hval = len; + register unsigned int hval = len; switch (hval) { @@ -320,22 +318,14 @@ static const short lookup[] = 143 }; -#ifdef __GNUC__ -__inline -#if defined __GNUC_STDC_INLINE__ || defined __GNUC_GNU_INLINE__ -__attribute__ ((__gnu_inline__)) -#endif -#endif const struct proposal_token * -proposal_get_token_static (str, len) - register const char *str; - register unsigned int len; +proposal_get_token_static (register const char *str, register size_t len) { if (len <= MAX_WORD_LENGTH && len >= MIN_WORD_LENGTH) { - register int key = hash (str, len); + register unsigned int key = hash (str, len); - if (key <= MAX_HASH_VALUE && key >= 0) + if (key <= MAX_HASH_VALUE) { register int index = lookup[key]; diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.h b/src/libstrongswan/crypto/proposal/proposal_keywords_static.h index 1345f36bb..a0beec0bb 100644 --- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.h +++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.h 
@@ -19,7 +19,7 @@ #include "proposal_keywords.h" const proposal_token_t* proposal_get_token_static(register const char *str, - register unsigned len); + register size_t len); #endif /* PROPOSAL_KEYWORDS_STATIC_H_ */ diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c index 77c29916c..db87affc9 100644 --- a/src/libstrongswan/plugins/agent/agent_private_key.c +++ b/src/libstrongswan/plugins/agent/agent_private_key.c @@ -81,6 +81,14 @@ enum agent_msg_type_t { SSH_AGENT_SIGN_RESPONSE = 14, }; +/** + * Flags for signatures + */ +enum agent_signature_flags_t { + SSH_AGENT_FLAG_SHA2_256 = 2, + SSH_AGENT_FLAG_SHA2_512 = 4, +}; + /** * read a byte from a blob */ @@ -217,12 +225,35 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey) } static bool scheme_supported(private_agent_private_key_t *this, - signature_scheme_t scheme) + signature_scheme_t scheme, uint32_t *flags, + char **prefix) { switch (this->pubkey->get_type(this->pubkey)) { case KEY_RSA: - return scheme == SIGN_RSA_EMSA_PKCS1_SHA1; + switch (scheme) + { + case SIGN_RSA_EMSA_PKCS1_SHA1: + *prefix = "ssh-rsa"; + return TRUE; + case SIGN_RSA_EMSA_PKCS1_SHA2_256: + *flags |= SSH_AGENT_FLAG_SHA2_256; + *prefix = "rsa-sha2-256"; + return TRUE; + case SIGN_RSA_EMSA_PKCS1_SHA2_512: + *flags |= SSH_AGENT_FLAG_SHA2_512; + *prefix = "rsa-sha2-512"; + return TRUE; + default: + break; + } + return FALSE; + case KEY_ED25519: + *prefix = "ssh-ed25519"; + return scheme == SIGN_ED25519; + case KEY_ED448: + *prefix = "ssh-ed448"; + return scheme == SIGN_ED448; case KEY_ECDSA: return scheme == SIGN_ECDSA_256 || scheme == SIGN_ECDSA_384 || 
@@ -236,11 +267,12 @@ METHOD(private_key_t, sign, bool, private_agent_private_key_t *this, signature_scheme_t scheme, void *params, chunk_t data, chunk_t *signature) { - uint32_t len, flags; - char buf[2048]; + key_type_t type; + uint32_t len, flags = 0; + char buf[2048], *prefix = NULL; chunk_t blob; - if (!scheme_supported(this, scheme)) + if (!scheme_supported(this, scheme, &flags, &prefix)) { DBG1(DBG_LIB, "signature scheme %N not supported by ssh-agent", signature_scheme_names, scheme); @@ -272,7 +304,7 @@ METHOD(private_key_t, sign, bool, return FALSE; } - flags = htonl(0); + flags = htonl(flags); if (write(this->socket, &flags, sizeof(flags)) != sizeof(flags)) { DBG1(DBG_LIB, "writing to ssh-agent failed"); @@ -290,9 +322,15 @@ METHOD(private_key_t, sign, bool, } /* parse length */ blob = read_string(&blob); - /* check sig type */ - if (chunk_equals(read_string(&blob), chunk_from_str("ssh-rsa"))) - { /* for RSA the signature has no special encoding */ + /* verify type */ + if (prefix && !chunk_equals(read_string(&blob), chunk_from_str(prefix))) + { + DBG1(DBG_LIB, "ssh-agent didn't return requested %s signature", prefix); + return FALSE; + } + type = this->pubkey->get_type(this->pubkey); + if (type == KEY_RSA || type == KEY_ED25519 || type == KEY_ED448) + { /* for RSA/EdDSA, the signature has no special encoding */ blob = read_string(&blob); if (blob.len) { @@ -301,7 +339,7 @@ METHOD(private_key_t, sign, bool, } } else - { /* anything else is treated as ECSDA for now */ + { /* parse ECDSA signatures */ blob = read_string(&blob); if (blob.len) { 
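Review bot: The `prefix &&` short-circuit in the added type check means `read_string(&blob)` only runs when a prefix was set, and the scheme_supported hunk above leaves `prefix` NULL for `KEY_ECDSA` (unless it is assigned in the part of that switch outside the hunk), so for ECDSA keys the signature-type string is no longer consumed and the following `blob = read_string(&blob)` in the ECDSA branch would parse the type name as the r/s container. The code being replaced consumed the type string unconditionally before deciding how to decode. Consume it first and then compare: `chunk_t sig_type = read_string(&blob);` followed by `if (prefix && !chunk_equals(sig_type, chunk_from_str(prefix)))`. The body of sign starts and ends outside this hunk.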
@@ -340,6 +378,80 @@ METHOD(private_key_t, get_keysize, int, return this->pubkey->get_keysize(this->pubkey); } +/** + * Private data for RSA scheme enumerator + */ +typedef struct { + enumerator_t public; + int index; + bool reverse; +} scheme_enumerator_t; + +static signature_params_t rsa_schemes[] = { + { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256 }, + { .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512 }, +}; + +METHOD(enumerator_t, enumerate_rsa_scheme, bool, + scheme_enumerator_t *this, va_list args) +{ + signature_params_t **params; + + VA_ARGS_VGET(args, params); + + if ((this->reverse && --this->index >= 0) || + (!this->reverse && ++this->index < countof(rsa_schemes))) + { + *params = &rsa_schemes[this->index]; + return TRUE; + } + return FALSE; +} + +/** + * Create an enumerator for the supported RSA signature schemes + */ +static enumerator_t *create_rsa_enumerator(private_agent_private_key_t *this) +{ + scheme_enumerator_t *enumerator; + + INIT(enumerator, + .public = { + .enumerate = enumerator_enumerate_default, + .venumerate = _enumerate_rsa_scheme, + .destroy = (void*)free, + }, + .index = -1, + .reverse = FALSE, + ); + /* propose SHA-512 first for larger keys */ + if (get_keysize(this) > 3072) + { + enumerator->index = countof(rsa_schemes); + enumerator->reverse = TRUE; + } + return &enumerator->public; +} + +METHOD(private_key_t, supported_signature_schemes, enumerator_t*, + private_agent_private_key_t *this) +{ + key_type_t type = get_type(this); + + switch (type) + { + case KEY_RSA: + return create_rsa_enumerator(this); + case KEY_ED25519: + case KEY_ED448: + case KEY_ECDSA: + return signature_schemes_for_key(type, get_keysize(this)); + default: + break; + } + return enumerator_create_empty(); +} + METHOD(private_key_t, get_public_key, public_key_t*, private_agent_private_key_t *this) { 
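Review bot: `get_keysize(this) > 3072` in create_rsa_enumerator is a bare magic number that decides which RSA scheme is proposed first; give it a name, for example an enum constant along the lines of `RSA_PREFER_SHA512_BITS = 3072` (name constructed) declared next to `rsa_schemes`, so the threshold is visible and documented in one place. enumerate_rsa_scheme is also the only new function in this hunk without a header comment; a one-liner such as `/** Enumerate rsa_schemes forwards, or backwards when reverse is set */` would match the surrounding style. The comparison `++this->index < countof(rsa_schemes)` mixes `int` with the presumably unsigned result of `countof()`; harmless here because index is never negative at that point, but a cast would keep -Wsign-compare quiet.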
@@ -413,6 +525,7 @@ agent_private_key_t *agent_private_key_open(key_type_t type, va_list args) .public = { .key = { .get_type = _get_type, + .supported_signature_schemes = _supported_signature_schemes, .sign = _sign, .decrypt = _decrypt, .get_keysize = _get_keysize, diff --git a/src/libstrongswan/plugins/botan/Makefile.am b/src/libstrongswan/plugins/botan/Makefile.am index c1160145a..30d3e601c 100644 --- a/src/libstrongswan/plugins/botan/Makefile.am +++ b/src/libstrongswan/plugins/botan/Makefile.am @@ -23,9 +23,11 @@ libstrongswan_botan_la_SOURCES = \ botan_ec_diffie_hellman.h botan_ec_diffie_hellman.c \ botan_ec_public_key.h botan_ec_public_key.c \ botan_ec_private_key.h botan_ec_private_key.c \ + botan_ed_public_key.h botan_ed_public_key.c \ + botan_ed_private_key.h botan_ed_private_key.c \ botan_util.h botan_util.c \ botan_util_keys.h botan_util_keys.c \ - botan_gcm.h botan_gcm.c \ + botan_aead.h botan_aead.c \ botan_x25519.h botan_x25519.c libstrongswan_botan_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/botan/Makefile.in b/src/libstrongswan/plugins/botan/Makefile.in index ef9f88610..3bb3e22f4 100644 --- a/src/libstrongswan/plugins/botan/Makefile.in +++ b/src/libstrongswan/plugins/botan/Makefile.in @@ -142,8 +142,9 @@ am_libstrongswan_botan_la_OBJECTS = botan_plugin.lo botan_rng.lo \ botan_hasher.lo botan_hmac.lo botan_crypter.lo \ botan_rsa_public_key.lo botan_rsa_private_key.lo \ botan_diffie_hellman.lo botan_ec_diffie_hellman.lo \ - botan_ec_public_key.lo botan_ec_private_key.lo botan_util.lo \ - botan_util_keys.lo botan_gcm.lo botan_x25519.lo + botan_ec_public_key.lo botan_ec_private_key.lo \ + botan_ed_public_key.lo botan_ed_private_key.lo botan_util.lo \ + botan_util_keys.lo botan_aead.lo botan_x25519.lo libstrongswan_botan_la_OBJECTS = $(am_libstrongswan_botan_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) 
@@ -478,9 +479,11 @@ libstrongswan_botan_la_SOURCES = \ botan_ec_diffie_hellman.h botan_ec_diffie_hellman.c \ botan_ec_public_key.h botan_ec_public_key.c \ botan_ec_private_key.h botan_ec_private_key.c \ + botan_ed_public_key.h botan_ed_public_key.c \ + botan_ed_private_key.h botan_ed_private_key.c \ botan_util.h botan_util.c \ botan_util_keys.h botan_util_keys.c \ - botan_gcm.h botan_gcm.c \ + botan_aead.h botan_aead.c \ botan_x25519.h botan_x25519.c libstrongswan_botan_la_LDFLAGS = -module -avoid-version @@ -574,12 +577,14 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_aead.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_crypter.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_diffie_hellman.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_ec_diffie_hellman.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_ec_private_key.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_ec_public_key.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_gcm.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_ed_private_key.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_ed_public_key.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_hasher.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_hmac.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/botan_plugin.Plo@am__quote@ diff --git a/src/libstrongswan/plugins/botan/botan_aead.c b/src/libstrongswan/plugins/botan/botan_aead.c new file mode 100644 index 000000000..40006ae77 --- /dev/null +++ b/src/libstrongswan/plugins/botan/botan_aead.c 
@@ -0,0 +1,388 @@ +/* + * Copyright (C) 2018 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * Copyright (C) 2018 Atanas Filyanov + * Rohde & Schwarz Cybersecurity GmbH + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. 
+ */ + +#include "botan_aead.h" + +#include + +#if (defined(BOTAN_HAS_AES) && \ + (defined(BOTAN_HAS_AEAD_GCM) || defined(BOTAN_HAS_AEAD_CCM))) || \ + defined(BOTAN_HAS_AEAD_CHACHA20_POLY1305) + +#include + +#include + +/** + * As defined in RFC 4106 (GCM) and RFC 7634 (ChaPoly) + */ +#define IV_LEN 8 +#define SALT_LEN 4 +#define CHAPOLY_KEY_LEN 32 +/** + * As defined in RFC 4309 + */ +#define CCM_SALT_LEN 3 + +typedef struct private_aead_t private_aead_t; + +struct private_aead_t { + + /** + * Public interface + */ + aead_t public; + + /** + * The encryption key + */ + chunk_t key; + + /** + * Salt value + */ + chunk_t salt; + + /** + * Size of the integrity check value + */ + size_t icv_size; + + /** + * IV generator + */ + iv_gen_t *iv_gen; + + /** + * The cipher to use + */ + const char* cipher_name; +}; + +/** + * Do the actual en/decryption + */ +static bool do_crypt(private_aead_t *this, chunk_t data, chunk_t assoc, + chunk_t iv, u_char *out, uint32_t init_flag) +{ + botan_cipher_t cipher; + size_t output_written = 0, input_consumed = 0; + chunk_t nonce; + + if (botan_cipher_init(&cipher, this->cipher_name, init_flag)) + { + return FALSE; + } + + if (botan_cipher_set_key(cipher, this->key.ptr, this->key.len)) + { + botan_cipher_destroy(cipher); + return FALSE; + } + + if (assoc.len && + botan_cipher_set_associated_data(cipher, assoc.ptr, assoc.len)) + { + botan_cipher_destroy(cipher); + return FALSE; + } + + nonce = chunk_cata("cc", this->salt, iv); + + if (botan_cipher_start(cipher, nonce.ptr, nonce.len)) + { + botan_cipher_destroy(cipher); + return FALSE; + } + + if (init_flag == BOTAN_CIPHER_INIT_FLAG_ENCRYPT) + { + if (botan_cipher_update(cipher, BOTAN_CIPHER_UPDATE_FLAG_FINAL, + out, data.len + this->icv_size, &output_written, + data.ptr, data.len, &input_consumed)) + { + botan_cipher_destroy(cipher); + return FALSE; + } + } + else if (init_flag == BOTAN_CIPHER_INIT_FLAG_DECRYPT) + { + if (botan_cipher_update(cipher, BOTAN_CIPHER_UPDATE_FLAG_FINAL, + 
out, data.len, &output_written, data.ptr, + data.len + this->icv_size, &input_consumed)) + { + botan_cipher_destroy(cipher); + return FALSE; + } + } + + botan_cipher_destroy(cipher); + + return TRUE; +} + +METHOD(aead_t, encrypt, bool, + private_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv, + chunk_t *encrypted) +{ + u_char *out; + + out = plain.ptr; + if (encrypted) + { + *encrypted = chunk_alloc(plain.len + this->icv_size); + out = encrypted->ptr; + } + return do_crypt(this, plain, assoc, iv, out, + BOTAN_CIPHER_INIT_FLAG_ENCRYPT); +} + +METHOD(aead_t, decrypt, bool, + private_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv, + chunk_t *plain) +{ + u_char *out; + + if (encrypted.len < this->icv_size) + { + return FALSE; + } + encrypted.len -= this->icv_size; + + out = encrypted.ptr; + if (plain) + { + *plain = chunk_alloc(encrypted.len); + out = plain->ptr; + } + return do_crypt(this, encrypted, assoc, iv, out, + BOTAN_CIPHER_INIT_FLAG_DECRYPT); +} + +METHOD(aead_t, get_block_size, size_t, + private_aead_t *this) +{ + return 1; +} + +METHOD(aead_t, get_icv_size, size_t, + private_aead_t *this) +{ + return this->icv_size; +} + +METHOD(aead_t, get_iv_size, size_t, + private_aead_t *this) +{ + return IV_LEN; +} + +METHOD(aead_t, get_iv_gen, iv_gen_t*, + private_aead_t *this) +{ + return this->iv_gen; +} + +METHOD(aead_t, get_key_size, size_t, + private_aead_t *this) +{ + return this->key.len + this->salt.len; +} + +METHOD(aead_t, set_key, bool, + private_aead_t *this, chunk_t key) +{ + if (key.len != get_key_size(this)) + { + return FALSE; + } + memcpy(this->salt.ptr, key.ptr + key.len - this->salt.len, this->salt.len); + memcpy(this->key.ptr, key.ptr, this->key.len); + return TRUE; +} + +METHOD(aead_t, destroy, void, + private_aead_t *this) +{ + chunk_clear(&this->key); + chunk_clear(&this->salt); + this->iv_gen->destroy(this->iv_gen); + free(this); +} + +#ifdef BOTAN_HAS_AES +#if defined(BOTAN_HAS_AEAD_GCM) || defined(BOTAN_HAS_AEAD_GCM) + 
+static struct { + encryption_algorithm_t algo; + size_t key_size; + char *name; + size_t icv_size; +} aes_modes[] = { + { ENCR_AES_GCM_ICV8, 16, "AES-128/GCM(8)", 8 }, + { ENCR_AES_GCM_ICV8, 24, "AES-192/GCM(8)", 8 }, + { ENCR_AES_GCM_ICV8, 32, "AES-256/GCM(8)", 8 }, + { ENCR_AES_GCM_ICV12, 16, "AES-128/GCM(12)", 12 }, + { ENCR_AES_GCM_ICV12, 24, "AES-192/GCM(12)", 12 }, + { ENCR_AES_GCM_ICV12, 32, "AES-256/GCM(12)", 12 }, + { ENCR_AES_GCM_ICV16, 16, "AES-128/GCM(16)", 16 }, + { ENCR_AES_GCM_ICV16, 24, "AES-192/GCM(16)", 16 }, + { ENCR_AES_GCM_ICV16, 32, "AES-256/GCM(16)", 16 }, + { ENCR_AES_CCM_ICV8, 16, "AES-128/CCM(8,4)", 8 }, + { ENCR_AES_CCM_ICV8, 24, "AES-192/CCM(8,4)", 8 }, + { ENCR_AES_CCM_ICV8, 32, "AES-256/CCM(8,4)", 8 }, + { ENCR_AES_CCM_ICV12, 16, "AES-128/CCM(12,4)", 12 }, + { ENCR_AES_CCM_ICV12, 24, "AES-192/CCM(12,4)", 12 }, + { ENCR_AES_CCM_ICV12, 32, "AES-256/CCM(12,4)", 12 }, + { ENCR_AES_CCM_ICV16, 16, "AES-128/CCM(16,4)", 16 }, + { ENCR_AES_CCM_ICV16, 24, "AES-192/CCM(16,4)", 16 }, + { ENCR_AES_CCM_ICV16, 32, "AES-256/CCM(16,4)", 16 }, +}; + +/** + * Determine the cipher name and ICV size for the given algorithm and key size + */ +static bool determine_aes_params(private_aead_t *this, + encryption_algorithm_t algo, size_t key_size) +{ + int i; + + for (i = 0; i < countof(aes_modes); i++) + { + if (aes_modes[i].algo == algo && + aes_modes[i].key_size == key_size) + { + this->cipher_name = aes_modes[i].name; + this->icv_size = aes_modes[i].icv_size; + return TRUE; + } + } + return FALSE; +} + +#endif +#endif + +/** + * Check the given salt size, set it if not set + */ +static bool check_salt_size(size_t expected, size_t *salt_size) +{ + if (*salt_size) + { + return *salt_size == expected; + } + *salt_size = expected; + return TRUE; +} + +/* + * Described in header + */ +aead_t *botan_aead_create(encryption_algorithm_t algo, size_t key_size, + size_t salt_size) +{ + private_aead_t *this; + + INIT(this, + .public = { + .encrypt = _encrypt, + 
.decrypt = _decrypt, + .get_block_size = _get_block_size, + .get_icv_size = _get_icv_size, + .get_iv_size = _get_iv_size, + .get_iv_gen = _get_iv_gen, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + ); + + switch (algo) + { +#ifdef BOTAN_HAS_AES +#ifdef BOTAN_HAS_AEAD_GCM + case ENCR_AES_GCM_ICV8: + case ENCR_AES_GCM_ICV12: + case ENCR_AES_GCM_ICV16: + if (!key_size) + { + key_size = 16; + } + if (!check_salt_size(SALT_LEN, &salt_size) || + !determine_aes_params(this, algo, key_size)) + { + free(this); + return NULL; + } + break; +#endif +#ifdef BOTAN_HAS_AEAD_CCM + case ENCR_AES_CCM_ICV8: + case ENCR_AES_CCM_ICV12: + case ENCR_AES_CCM_ICV16: + if (!key_size) + { + key_size = 16; + } + if (!check_salt_size(CCM_SALT_LEN, &salt_size) || + !determine_aes_params(this, algo, key_size)) + { + free(this); + return NULL; + } + break; +#endif +#endif +#ifdef BOTAN_HAS_AEAD_CHACHA20_POLY1305 + case ENCR_CHACHA20_POLY1305: + if (!key_size) + { + key_size = CHAPOLY_KEY_LEN; + } + if (key_size != CHAPOLY_KEY_LEN || + !check_salt_size(SALT_LEN, &salt_size)) + { + free(this); + return NULL; + } + this->cipher_name = "ChaCha20Poly1305"; + this->icv_size = 16; + break; +#endif + default: + free(this); + return NULL; + } + + this->key = chunk_alloc(key_size); + this->salt = chunk_alloc(salt_size); + this->iv_gen = iv_gen_seq_create(); + + return &this->public; +} + +#endif diff --git a/src/libstrongswan/plugins/botan/botan_aead.h b/src/libstrongswan/plugins/botan/botan_aead.h new file mode 100644 index 000000000..00a2ba4bc --- /dev/null +++ b/src/libstrongswan/plugins/botan/botan_aead.h 
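Review bot: The guard around the `aes_modes` table and determine_aes_params in botan_aead.c reads `#if defined(BOTAN_HAS_AEAD_GCM) || defined(BOTAN_HAS_AEAD_GCM)`, repeating GCM where the second term should be CCM. A Botan build with AES and CCM but without GCM then compiles the `ENCR_AES_CCM_*` cases in botan_aead_create, which call determine_aes_params, but not the function itself, and the file fails to build; change the line to `#if defined(BOTAN_HAS_AEAD_GCM) || defined(BOTAN_HAS_AEAD_CCM)`. Separately, determine_aes_params loops with `int i` against `countof()`, a signed/unsigned comparison if `countof()` is sizeof-based; `size_t i` would match the size types used elsewhere in the file.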
@@ -0,0 +1,50 @@ +/* + * Copyright (C) 2018 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * Copyright (C) 2018 Atanas Filyanov + * Rohde & Schwarz Cybersecurity GmbH + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + +/** + * Implements the aead_t interface using Botan. + * + * @defgroup botan_aead botan_aead + * @{ @ingroup botan_p + */ + +#ifndef BOTAN_AEAD_H_ +#define BOTAN_AEAD_H_ + +#include + +/** + * Constructor to create aead_t implementation. + * + * @param algo algorithm to implement + * @param key_size key size in bytes + * @param salt_size size of implicit salt length + * @return aead_t object, NULL if not supported + */ +aead_t *botan_aead_create(encryption_algorithm_t algo, size_t key_size, + size_t salt_size); + +#endif /** BOTAN_AEAD_H_ @}*/ diff --git a/src/libstrongswan/plugins/botan/botan_crypter.c b/src/libstrongswan/plugins/botan/botan_crypter.c index 002be6ea8..3ec5c4d5e 100644 
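Review bot: The `@param key_size` and `@param salt_size` lines in the new botan_aead.h do not record the zero-means-default convention the constructor applies: in botan_aead_create a `key_size` of 0 becomes 16 for AES-GCM/CCM and `CHAPOLY_KEY_LEN` for ChaCha20-Poly1305, and a `salt_size` of 0 is replaced by the algorithm's fixed salt length in check_salt_size while any other value must equal that length or the constructor returns NULL. I would write `@param key_size key size in bytes, 0 for the algorithm's default (16 for AES)` and `@param salt_size implicit salt length in bytes, 0 for the algorithm's fixed length (any other value must match it)`. A caller passing 0 for salt_size cannot learn which length was chosen, since the argument is passed by value, so the header should also say that the returned object's `get_key_size()` is the authoritative size of the key material (in the replaced botan_gcm.c that size included the salt).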
--- a/src/libstrongswan/plugins/botan/botan_crypter.c +++ b/src/libstrongswan/plugins/botan/botan_crypter.c @@ -25,6 +25,10 @@ #include "botan_crypter.h" +#include + +#if defined(BOTAN_HAS_AES) && defined(BOTAN_HAS_MODE_CBC) + #include typedef struct private_botan_crypter_t private_botan_crypter_t; @@ -189,3 +193,5 @@ botan_crypter_t *botan_crypter_create(encryption_algorithm_t algo, this->key = chunk_alloc(key_size); return &this->public; } + +#endif diff --git a/src/libstrongswan/plugins/botan/botan_ec_public_key.c b/src/libstrongswan/plugins/botan/botan_ec_public_key.c index 4c85dbcec..095ae3f20 100644 --- a/src/libstrongswan/plugins/botan/botan_ec_public_key.c +++ b/src/libstrongswan/plugins/botan/botan_ec_public_key.c @@ -69,9 +69,7 @@ static bool verify_signature(private_botan_ec_public_key_t *this, const char* hash_and_padding, int signature_format, size_t keylen, chunk_t data, chunk_t signature) { - botan_pk_op_verify_t verify_op; chunk_t sig = signature; - bool valid = FALSE; if (signature_format == SIG_FORMAT_DER_SEQUENCE) { @@ -104,22 +102,7 @@ static bool verify_signature(private_botan_ec_public_key_t *this, memcpy(sig.ptr + (keylen - r.len), r.ptr, r.len); memcpy(sig.ptr + keylen + (keylen - s.len), s.ptr, s.len); } - - if (botan_pk_op_verify_create(&verify_op, this->key, hash_and_padding, 0)) - { - return FALSE; - } - - if (botan_pk_op_verify_update(verify_op, data.ptr, data.len)) - { - botan_pk_op_verify_destroy(verify_op); - return FALSE; - } - - valid = !(botan_pk_op_verify_finish(verify_op, sig.ptr, sig.len)); - - botan_pk_op_verify_destroy(verify_op); - return valid; + return botan_verify_signature(this->key, hash_and_padding, data, sig); } METHOD(public_key_t, get_type, key_type_t, diff --git a/src/libstrongswan/plugins/botan/botan_ed_private_key.c b/src/libstrongswan/plugins/botan/botan_ed_private_key.c new file mode 100644 index 000000000..3f0f54222 --- /dev/null +++ b/src/libstrongswan/plugins/botan/botan_ed_private_key.c 
@@ -0,0 +1,279 @@ +/* + * Copyright (C) 2018 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. 
+ */ + +#include "botan_ed_private_key.h" +#include "botan_ed_public_key.h" +#include "botan_util.h" + +#include + +#ifdef BOTAN_HAS_ED25519 + +#include +#include + +typedef struct private_private_key_t private_private_key_t; + +#define ED25519_KEY_LEN 32 + +/** + * Private data + */ +struct private_private_key_t { + + /** + * Public interface + */ + private_key_t public; + + /** + * Botan private key object + */ + botan_privkey_t key; + + /** + * Reference count + */ + refcount_t ref; +}; + +METHOD(private_key_t, sign, bool, + private_private_key_t *this, signature_scheme_t scheme, + void *params, chunk_t data, chunk_t *signature) +{ + switch (scheme) + { + case SIGN_ED25519: + return botan_get_signature(this->key, "Pure", data, signature); + default: + DBG1(DBG_LIB, "signature scheme %N not supported via botan", + signature_scheme_names, scheme); + return FALSE; + } +} + +METHOD(private_key_t, decrypt, bool, + private_private_key_t *this, encryption_scheme_t scheme, + chunk_t crypto, chunk_t *plain) +{ + DBG1(DBG_LIB, "EdDSA private key decryption not implemented"); + return FALSE; +} + +METHOD(private_key_t, get_keysize, int, + private_private_key_t *this) +{ + return ED25519_KEY_LEN * 8; +} + +METHOD(private_key_t, get_type, key_type_t, + private_private_key_t *this) +{ + return KEY_ED25519; +} + +METHOD(private_key_t, get_public_key, public_key_t*, + private_private_key_t *this) +{ + botan_pubkey_t pubkey; + + if (botan_privkey_export_pubkey(&pubkey, this->key)) + { + return NULL; + } + return botan_ed_public_key_adopt(pubkey); +} + +METHOD(private_key_t, get_fingerprint, bool, + private_private_key_t *this, cred_encoding_type_t type, + chunk_t *fingerprint) +{ + botan_pubkey_t pubkey; + bool success = FALSE; + + /* check the cache before doing the export */ + if (lib->encoding->get_cache(lib->encoding, type, this, fingerprint)) + { + return TRUE; + } + + if (botan_privkey_export_pubkey(&pubkey, this->key)) + { + return FALSE; + } + success = 
botan_get_fingerprint(pubkey, this, type, fingerprint); + botan_pubkey_destroy(pubkey); + return success; +} + +METHOD(private_key_t, get_encoding, bool, + private_private_key_t *this, cred_encoding_type_t type, + chunk_t *encoding) +{ + return botan_get_privkey_encoding(this->key, type, encoding); +} + +METHOD(private_key_t, get_ref, private_key_t*, + private_private_key_t *this) +{ + ref_get(&this->ref); + return &this->public; +} + +METHOD(private_key_t, destroy, void, + private_private_key_t *this) +{ + if (ref_put(&this->ref)) + { + lib->encoding->clear_cache(lib->encoding, this); + botan_privkey_destroy(this->key); + free(this); + } +} + +/** + * Internal generic constructor + */ +static private_private_key_t *create_empty() +{ + private_private_key_t *this; + + INIT(this, + .public = { + .get_type = _get_type, + .sign = _sign, + .decrypt = _decrypt, + .get_keysize = _get_keysize, + .get_public_key = _get_public_key, + .equals = private_key_equals, + .belongs_to = private_key_belongs_to, + .get_fingerprint = _get_fingerprint, + .has_fingerprint = private_key_has_fingerprint, + .get_encoding = _get_encoding, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .ref = 1, + ); + + return this; +} + +/* + * Described in header + */ +private_key_t *botan_ed_private_key_adopt(botan_privkey_t key) +{ + private_private_key_t *this; + + this = create_empty(); + this->key = key; + + return &this->public; +} + +/* + * Described in header + */ +private_key_t *botan_ed_private_key_gen(key_type_t type, va_list args) +{ + private_private_key_t *this; + botan_rng_t rng; + + while (TRUE) + { + switch (va_arg(args, builder_part_t)) + { + case BUILD_KEY_SIZE: + /* just ignore the key size */ + va_arg(args, u_int); + continue; + case BUILD_END: + break; + default: + return NULL; + } + break; + } + + if (botan_rng_init(&rng, "system")) + { + return NULL; + } + + this = create_empty(); + + if (botan_privkey_create(&this->key, "Ed25519", NULL, rng)) + { + DBG1(DBG_LIB, "EdDSA 
private key generation failed"); + botan_rng_destroy(rng); + free(this); + return NULL; + } + + botan_rng_destroy(rng); + return &this->public; +} + +/* + * Described in header + */ +private_key_t *botan_ed_private_key_load(key_type_t type, va_list args) +{ + private_private_key_t *this; + chunk_t key = chunk_empty; + + while (TRUE) + { + switch (va_arg(args, builder_part_t)) + { + case BUILD_EDDSA_PRIV_ASN1_DER: + key = va_arg(args, chunk_t); + continue; + case BUILD_END: + break; + default: + return NULL; + } + break; + } + + /* PKCS#8-encoded keys are handled generically, so we only handle the + * explicit case */ + if (asn1_unwrap(&key, &key) != ASN1_OCTET_STRING || + key.len != ED25519_KEY_LEN) + { + return NULL; + } + + this = create_empty(); + + if (botan_privkey_load_ed25519(&this->key, key.ptr)) + { + free(this); + return NULL; + } + return &this->public; +} + +#endif diff --git a/src/libstrongswan/plugins/botan/botan_ed_private_key.h b/src/libstrongswan/plugins/botan/botan_ed_private_key.h new file mode 100644 index 000000000..f7f32e8f3 --- /dev/null +++ b/src/libstrongswan/plugins/botan/botan_ed_private_key.h 
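Review bot: `#define ED25519_KEY_LEN 32` near the top of botan_ed_private_key.c duplicates the definition in botan_ed_public_key.h, which this file includes, so the constant is defined twice; the identical redefinition is legal C, but the two copies can drift apart silently. I would drop the local define and rely on the header's. In botan_ed_private_key_load the `asn1_unwrap` followed by the `key.len != ED25519_KEY_LEN` check deserves a comment, since the nested OCTET STRING is not obvious: `/* RFC 8410: CurvePrivateKey ::= OCTET STRING wrapping the 32-byte seed */`. A failure from `botan_privkey_load_ed25519` is also silent, whereas the generation path logs `EdDSA private key generation failed`; a matching `DBG1(DBG_LIB, "loading EdDSA private key failed");` before the `free(this)` would keep the two paths consistent.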
@@ -0,0 +1,63 @@ +/* + * Copyright (C) 2018 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + +/** + * @defgroup botan_ed_private_key botan_ed_private_key + * @{ @ingroup botan_p + */ + +#ifndef BOTAN_ED_PRIVATE_KEY_H_ +#define BOTAN_ED_PRIVATE_KEY_H_ + +#include + +#include +#include + +/** + * Generate an EdDSA private key using Botan. + * + * @param type type of the key, must be KEY_ED25519 + * @param args builder_part_t argument list + * @return generated key, NULL on failure + */ +private_key_t *botan_ed_private_key_gen(key_type_t type, va_list args); + +/** + * Load an EdDSA private key using Botan. 
+ * + * @param type type of the key, must be KEY_ED25519 + * @param args builder_part_t argument list + * @return loaded key, NULL on failure + */ +private_key_t *botan_ed_private_key_load(key_type_t type, va_list args); + +/** + * Load an EdDSA private key by adopting a botan_privkey_t object. + * + * @param key private key object (adopted) + * @return loaded key, NULL on failure + */ +private_key_t *botan_ed_private_key_adopt(botan_privkey_t key); + +#endif /** BOTAN_ED_PRIVATE_KEY_H_ @}*/ diff --git a/src/libstrongswan/plugins/botan/botan_ed_public_key.c b/src/libstrongswan/plugins/botan/botan_ed_public_key.c new file mode 100644 index 000000000..41d2baae8 --- /dev/null +++ b/src/libstrongswan/plugins/botan/botan_ed_public_key.c 
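Review bot: The `@return loaded key, NULL on failure` on botan_ed_private_key_adopt does not match the implementation, which cannot fail (create_empty uses INIT and the key handle is simply stored), so callers may write a dead NULL check; I would change it to `@return key object wrapping the adopted botan_privkey_t` and state that the object takes ownership and destroys the key. The `_load` and `_gen` descriptions could also name the builder parts they accept: `_load` handles only `BUILD_EDDSA_PRIV_ASN1_DER` (PKCS#8 input goes through the generic loader, as the .c comment says), and `_gen` accepts but ignores `BUILD_KEY_SIZE` because Ed25519 keys have a fixed size. Neither function checks `type` against KEY_ED25519 despite the `must be` wording, so the header should say that the plugin feature registration is what guarantees it.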
@@ -0,0 +1,202 @@ +/* + * Copyright (C) 2018 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. 
+ */ + +#include "botan_ed_public_key.h" +#include "botan_util.h" + +#include + +#ifdef BOTAN_HAS_ED25519 + +#include + +typedef struct private_public_key_t private_public_key_t; + +/** + * Private data + */ +struct private_public_key_t { + + /** + * Public interface + */ + public_key_t public; + + /** + * Botan public key object + */ + botan_pubkey_t key; + + /** + * Reference counter + */ + refcount_t ref; +}; + +METHOD(public_key_t, get_type, key_type_t, + private_public_key_t *this) +{ + return KEY_ED25519; +} + +METHOD(public_key_t, get_keysize, int, + private_public_key_t *this) +{ + return ED25519_KEY_LEN * 8; +} + +METHOD(public_key_t, verify, bool, + private_public_key_t *this, signature_scheme_t scheme, + void *params, chunk_t data, chunk_t signature) +{ + switch (scheme) + { + case SIGN_ED25519: + return botan_verify_signature(this->key, "Pure", data, signature); + default: + DBG1(DBG_LIB, "signature scheme %N not supported via botan", + signature_scheme_names, scheme); + return FALSE; + } +} + +METHOD(public_key_t, encrypt, bool, + private_public_key_t *this, encryption_scheme_t scheme, + chunk_t crypto, chunk_t *plain) +{ + DBG1(DBG_LIB, "EdDSA public key encryption not implemented"); + return FALSE; +} + +METHOD(public_key_t, get_fingerprint, bool, + private_public_key_t *this, cred_encoding_type_t type, + chunk_t *fingerprint) +{ + return botan_get_fingerprint(this->key, this, type, fingerprint); +} + +METHOD(public_key_t, get_encoding, bool, + private_public_key_t *this, cred_encoding_type_t type, + chunk_t *encoding) +{ + return botan_get_encoding(this->key, type, encoding); +} + +METHOD(public_key_t, get_ref, public_key_t*, + private_public_key_t *this) +{ + ref_get(&this->ref); + return &this->public; +} + +METHOD(public_key_t, destroy, void, + private_public_key_t *this) +{ + if (ref_put(&this->ref)) + { + lib->encoding->clear_cache(lib->encoding, this); + botan_pubkey_destroy(this->key); + free(this); + } +} + +/** + * Internal generic 
constructor + */ +static private_public_key_t *create_empty() +{ + private_public_key_t *this; + + INIT(this, + .public = { + .get_type = _get_type, + .verify = _verify, + .encrypt = _encrypt, + .get_keysize = _get_keysize, + .equals = public_key_equals, + .get_fingerprint = _get_fingerprint, + .has_fingerprint = public_key_has_fingerprint, + .get_encoding = _get_encoding, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .ref = 1, + ); + + return this; +} + +/* + * Described in header + */ +public_key_t *botan_ed_public_key_adopt(botan_pubkey_t key) +{ + private_public_key_t *this; + + this = create_empty(); + this->key = key; + + return &this->public; +} + +/* + * Described in header + */ +public_key_t *botan_ed_public_key_load(key_type_t type, va_list args) +{ + private_public_key_t *this; + chunk_t key = chunk_empty; + + while (TRUE) + { + switch (va_arg(args, builder_part_t)) + { + case BUILD_EDDSA_PUB: + key = va_arg(args, chunk_t); + continue; + case BUILD_END: + break; + default: + return NULL; + } + break; + } + + /* ASN.1-encoded keys are handled generically, so we only handle the + * explicit case */ + if (key.len != ED25519_KEY_LEN) + { + return NULL; + } + + this = create_empty(); + + if (botan_pubkey_load_ed25519(&this->key, key.ptr)) + { + free(this); + return NULL; + } + return &this->public; +} + +#endif diff --git a/src/libstrongswan/plugins/botan/botan_ed_public_key.h b/src/libstrongswan/plugins/botan/botan_ed_public_key.h new file mode 100644 index 000000000..0f44b1afb --- /dev/null +++ b/src/libstrongswan/plugins/botan/botan_ed_public_key.h 
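Review bot: The `encrypt` stub in botan_ed_public_key.c names its parameters `chunk_t crypto, chunk_t *plain`, which is the decrypt direction (it mirrors the `decrypt` stub in botan_ed_private_key.c), so the prototype reads as if the method decrypts; for an encrypt method the names should be `chunk_t plain, chunk_t *crypto`. This is cosmetic because the body only logs and returns FALSE, but the signature is what readers see. botan_ed_public_key_load also fails silently when `botan_pubkey_load_ed25519` rejects the 32 bytes; a `DBG1(DBG_LIB, "loading EdDSA public key failed");` before `free(this)` would match the logging the private-key generation path already does.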
@@ -0,0 +1,51 @@ +/* + * Copyright (C) 2018 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + +#ifndef BOTAN_ED_PUBLIC_KEY_H_ +#define BOTAN_ED_PUBLIC_KEY_H_ + +#include + +#include +#include + +#define ED25519_KEY_LEN 32 + +/** + * Load an EdDSA public key by adopting a botan_pubkey_t object. + * + * @param key public key object (adopted) + * @return loaded key, NULL on failure + */ +public_key_t *botan_ed_public_key_adopt(botan_pubkey_t key); + +/** + * Load an EdDSA public key using Botan. + * + * @param type type of the key, must be KEY_ED25519 + * @param args builder_part_t argument list + * @return loaded key, NULL on failure + */ +public_key_t *botan_ed_public_key_load(key_type_t type, va_list args); + +#endif /** BOTAN_ED_PUBLIC_KEY_H_ @}*/ 
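Review bot: The closing `#endif /** BOTAN_ED_PUBLIC_KEY_H_ @}*/` in botan_ed_public_key.h ends a Doxygen group that is never opened: unlike botan_ed_private_key.h, which starts with `@defgroup botan_ed_private_key botan_ed_private_key` and `@{ @ingroup botan_p`, this header has no `@defgroup` block, so the stray `@}` unbalances the group nesting in generated docs. I would add a `/** @defgroup botan_ed_public_key botan_ed_public_key @{ @ingroup botan_p */` block before the include guard, in the multi-line style the sibling header uses. As in the private-key header, `botan_ed_public_key_adopt` is documented as `NULL on failure` although the implementation cannot fail; `@return key object wrapping the adopted botan_pubkey_t` is accurate.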
diff --git a/src/libstrongswan/plugins/botan/botan_gcm.c b/src/libstrongswan/plugins/botan/botan_gcm.c
deleted file mode 100644
index 7e0fc1468..000000000
--- a/src/libstrongswan/plugins/botan/botan_gcm.c
+++ /dev/null
@@ -1,333 +0,0 @@ -/* - * Copyright (C) 2018 Atanas Filyanov - * Rohde & Schwarz Cybersecurity GmbH - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ - -#include "botan_gcm.h" - -#include - -#ifdef BOTAN_HAS_AES -#ifdef BOTAN_HAS_AEAD_GCM - -#include - -#include - -/** - * as defined in RFC 4106 - */ -#define IV_LEN 8 -#define SALT_LEN 4 -#define NONCE_LEN (IV_LEN + SALT_LEN) - -typedef struct private_aead_t private_aead_t; - -struct private_aead_t { - - /** - * Public interface - */ - aead_t public; - - /** - * The encryption key - */ - chunk_t key; - - /** - * Salt value - */ - char salt[SALT_LEN]; - - /** - * Size of the integrity check value - */ - size_t icv_size; - - /** - * IV generator - */ - iv_gen_t *iv_gen; - - /** - * The cipher to use - */ - const char* cipher_name; -}; - -/** - * Do the actual en/decryption - */ -static bool crypt(private_aead_t *this, chunk_t data, chunk_t assoc, chunk_t iv, - u_char *out, uint32_t init_flag) -{ - botan_cipher_t cipher; - uint8_t nonce[NONCE_LEN]; - size_t output_written = 0, input_consumed = 0; - - memcpy(nonce, this->salt, SALT_LEN); - memcpy(nonce + SALT_LEN, iv.ptr, IV_LEN); - - if (botan_cipher_init(&cipher, this->cipher_name, init_flag)) - { - return FALSE; - } - - if (botan_cipher_set_key(cipher, this->key.ptr, this->key.len)) - { - botan_cipher_destroy(cipher); - return FALSE; - } - - if (assoc.len && - botan_cipher_set_associated_data(cipher, assoc.ptr, assoc.len)) - { - botan_cipher_destroy(cipher); - return FALSE; - } - - if (botan_cipher_start(cipher, nonce, NONCE_LEN)) - { - botan_cipher_destroy(cipher); - return FALSE; - } - - if (init_flag == BOTAN_CIPHER_INIT_FLAG_ENCRYPT) - { - if (botan_cipher_update(cipher, BOTAN_CIPHER_UPDATE_FLAG_FINAL, - out, data.len + this->icv_size, &output_written, - data.ptr, data.len, &input_consumed)) - { - botan_cipher_destroy(cipher); - return FALSE; - } - } - else if (init_flag == BOTAN_CIPHER_INIT_FLAG_DECRYPT) - { - if (botan_cipher_update(cipher, BOTAN_CIPHER_UPDATE_FLAG_FINAL, - out, data.len, &output_written, data.ptr, - data.len + this->icv_size, &input_consumed)) - { - botan_cipher_destroy(cipher); - 
return FALSE; - } - } - - botan_cipher_destroy(cipher); - - return TRUE; -} - -METHOD(aead_t, encrypt, bool, - private_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv, - chunk_t *encrypted) -{ - u_char *out; - - out = plain.ptr; - if (encrypted) - { - *encrypted = chunk_alloc(plain.len + this->icv_size); - out = encrypted->ptr; - } - return crypt(this, plain, assoc, iv, out, BOTAN_CIPHER_INIT_FLAG_ENCRYPT); -} - -METHOD(aead_t, decrypt, bool, - private_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv, - chunk_t *plain) -{ - u_char *out; - - if (encrypted.len < this->icv_size) - { - return FALSE; - } - encrypted.len -= this->icv_size; - - out = encrypted.ptr; - if (plain) - { - *plain = chunk_alloc(encrypted.len); - out = plain->ptr; - } - return crypt(this, encrypted, assoc, iv, out, - BOTAN_CIPHER_INIT_FLAG_DECRYPT); -} - -METHOD(aead_t, get_block_size, size_t, - private_aead_t *this) -{ - return 1; -} - -METHOD(aead_t, get_icv_size, size_t, - private_aead_t *this) -{ - return this->icv_size; -} - -METHOD(aead_t, get_iv_size, size_t, - private_aead_t *this) -{ - return IV_LEN; -} - -METHOD(aead_t, get_iv_gen, iv_gen_t*, - private_aead_t *this) -{ - return this->iv_gen; -} - -METHOD(aead_t, get_key_size, size_t, - private_aead_t *this) -{ - return this->key.len + SALT_LEN; -} - -METHOD(aead_t, set_key, bool, - private_aead_t *this, chunk_t key) -{ - if (key.len != get_key_size(this)) - { - return FALSE; - } - memcpy(this->salt, key.ptr + key.len - SALT_LEN, SALT_LEN); - memcpy(this->key.ptr, key.ptr, this->key.len); - return TRUE; -} - -METHOD(aead_t, destroy, void, - private_aead_t *this) -{ - chunk_clear(&this->key); - this->iv_gen->destroy(this->iv_gen); - free(this); -} - -/* - * Described in header - */ -aead_t *botan_gcm_create(encryption_algorithm_t algo, size_t key_size, - size_t salt_size) -{ - private_aead_t *this; - - INIT(this, - .public = { - .encrypt = _encrypt, - .decrypt = _decrypt, - .get_block_size = _get_block_size, - 
.get_icv_size = _get_icv_size, - .get_iv_size = _get_iv_size, - .get_iv_gen = _get_iv_gen, - .get_key_size = _get_key_size, - .set_key = _set_key, - .destroy = _destroy, - }, - ); - - if (salt_size && salt_size != SALT_LEN) - { - /* currently not supported */ - free(this); - return NULL; - } - - switch (algo) - { - case ENCR_AES_GCM_ICV8: - switch (key_size) - { - case 0: - key_size = 16; - /* FALL */ - case 16: - this->cipher_name = "AES-128/GCM(8)"; - break; - case 24: - this->cipher_name = "AES-192/GCM(8)"; - break; - case 32: - this->cipher_name = "AES-256/GCM(8)"; - break; - default: - free(this); - return NULL; - } - this->icv_size = 8; - break; - case ENCR_AES_GCM_ICV12: - switch (key_size) - { - case 0: - key_size = 16; - /* FALL */ - case 16: - this->cipher_name = "AES-128/GCM(12)"; - break; - case 24: - this->cipher_name = "AES-192/GCM(12)"; - break; - case 32: - this->cipher_name = "AES-256/GCM(12)"; - break; - default: - free(this); - return NULL; - } - this->icv_size = 12; - break; - case ENCR_AES_GCM_ICV16: - switch (key_size) - { - case 0: - key_size = 16; - /* FALL */ - case 16: - this->cipher_name = "AES-128/GCM"; - break; - case 24: - this->cipher_name = "AES-192/GCM"; - break; - case 32: - this->cipher_name = "AES-256/GCM"; - break; - default: - free(this); - return NULL; - } - this->icv_size = 16; - break; - default: - free(this); - return NULL; - } - - this->key = chunk_alloc(key_size); - this->iv_gen = iv_gen_seq_create(); - - return &this->public; -} - -#endif -#endif diff --git a/src/libstrongswan/plugins/botan/botan_gcm.h b/src/libstrongswan/plugins/botan/botan_gcm.h deleted file mode 100644 index b2053cb4d..000000000 --- a/src/libstrongswan/plugins/botan/botan_gcm.h +++ /dev/null 
@@ -1,47 +0,0 @@ -/* - * Copyright (C) 2018 Atanas Filyanov - * Rohde & Schwarz Cybersecurity GmbH - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ - -/** - * Implements the aead_t interface using Botan in GCM mode. - * - * @defgroup botan_gcm botan_gcm - * @{ @ingroup botan_p - */ - -#ifndef BOTAN_GCM_H_ -#define BOTAN_GCM_H_ - -#include - -/** - * Constructor to create aead_t implementation. - * - * @param algo algorithm to implement - * @param key_size key size in bytes - * @param salt_size size of implicit salt length - * @return aead_t object, NULL if not supported - */ -aead_t *botan_gcm_create(encryption_algorithm_t algo, size_t key_size, - size_t salt_size); - -#endif /** BOTAN_GCM_H_ @}*/ diff --git a/src/libstrongswan/plugins/botan/botan_plugin.c b/src/libstrongswan/plugins/botan/botan_plugin.c index fd8e5f5a6..f045ba074 100644 --- a/src/libstrongswan/plugins/botan/botan_plugin.c 
+++ b/src/libstrongswan/plugins/botan/botan_plugin.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2018 Tobias Brunner + * Copyright (C) 2018 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2018 René Korthaus @@ -36,7 +37,9 @@ #include "botan_ec_diffie_hellman.h" #include "botan_ec_public_key.h" #include "botan_ec_private_key.h" -#include "botan_gcm.h" +#include "botan_ed_public_key.h" +#include "botan_ed_private_key.h" +#include "botan_aead.h" #include "botan_util_keys.h" #include "botan_x25519.h" @@ -101,6 +104,7 @@ METHOD(plugin_t, get_features, int, #endif /* crypters */ +#if defined(BOTAN_HAS_AES) && defined(BOTAN_HAS_MODE_CBC) PLUGIN_REGISTER(CRYPTER, botan_crypter_create), #ifdef BOTAN_HAS_AES #ifdef BOTAN_HAS_MODE_CBC 
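Review bot: The new `#if defined(BOTAN_HAS_AES) && defined(BOTAN_HAS_MODE_CBC)` around `PLUGIN_REGISTER(CRYPTER, botan_crypter_create)` makes the two inner `#ifdef BOTAN_HAS_AES` / `#ifdef BOTAN_HAS_MODE_CBC` guards that follow redundant, since both macros are already known to be defined inside the outer block. Keeping three nested guards for a single condition invites a mismatch with the three `#endif`s they require further down; I would drop the inner two and their `#endif`s, leaving the single outer guard, which also matches the guard botan_crypter.c now uses around its whole implementation.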
@@ -108,17 +112,43 @@ METHOD(plugin_t, get_features, int, PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 24), PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 32), #endif +#endif +#endif + + /* AEAD */ +#if (defined(BOTAN_HAS_AES) && \ + (defined(BOTAN_HAS_AEAD_GCM) || defined(BOTAN_HAS_AEAD_CCM))) || \ + defined(BOTAN_HAS_AEAD_CHACHA20_POLY1305) + PLUGIN_REGISTER(AEAD, botan_aead_create), +#ifdef BOTAN_HAS_AES #ifdef BOTAN_HAS_AEAD_GCM - /* AES GCM */ - PLUGIN_REGISTER(AEAD, botan_gcm_create), PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 16), PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 24), PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 32), PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 16), PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 24), PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 32), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 16), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 24), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 32), #endif + #ifdef BOTAN_HAS_AEAD_CCM + PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV16, 16), + PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV16, 24), + PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV16, 32), + PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV12, 16), + PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV12, 24), + PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV12, 32), + PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV8, 16), + PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV8, 24), + PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV8, 32), + #endif +#endif +#ifdef BOTAN_HAS_AEAD_CHACHA20_POLY1305 + PLUGIN_PROVIDE(AEAD, ENCR_CHACHA20_POLY1305, 32), #endif +#endif + /* hashers */ PLUGIN_REGISTER(HASHER, botan_hasher_create), #ifdef BOTAN_HAS_MD5 @@ -135,6 +165,13 @@ METHOD(plugin_t, get_features, int, PLUGIN_PROVIDE(HASHER, HASH_SHA384), PLUGIN_PROVIDE(HASHER, HASH_SHA512), #endif +#ifdef BOTAN_HAS_SHA3 + PLUGIN_PROVIDE(HASHER, HASH_SHA3_224), + PLUGIN_PROVIDE(HASHER, HASH_SHA3_256), + PLUGIN_PROVIDE(HASHER, HASH_SHA3_384), + PLUGIN_PROVIDE(HASHER, HASH_SHA3_512), +#endif + /* prfs */ #ifdef BOTAN_HAS_HMAC PLUGIN_REGISTER(PRF, botan_hmac_prf_create), 
@@ -168,7 +205,8 @@ METHOD(plugin_t, get_features, int, #endif /* BOTAN_HAS_HMAC */ /* generic key loaders */ -#if defined (BOTAN_HAS_RSA) || defined(BOTAN_HAS_ECDSA) +#if defined (BOTAN_HAS_RSA) || defined(BOTAN_HAS_ECDSA) || \ + defined(BOTAN_HAS_ED25519) PLUGIN_REGISTER(PUBKEY, botan_public_key_load, TRUE), PLUGIN_PROVIDE(PUBKEY, KEY_ANY), #ifdef BOTAN_HAS_RSA @@ -176,6 +214,9 @@ METHOD(plugin_t, get_features, int, #endif #ifdef BOTAN_HAS_ECDSA PLUGIN_PROVIDE(PUBKEY, KEY_ECDSA), +#endif +#ifdef BOTAN_HAS_ED25519 + PLUGIN_PROVIDE(PUBKEY, KEY_ED25519), #endif PLUGIN_REGISTER(PRIVKEY, botan_private_key_load, TRUE), PLUGIN_PROVIDE(PRIVKEY, KEY_ANY), @@ -185,6 +226,9 @@ METHOD(plugin_t, get_features, int, #ifdef BOTAN_HAS_ECDSA PLUGIN_PROVIDE(PRIVKEY, KEY_ECDSA), #endif +#ifdef BOTAN_HAS_ED25519 + PLUGIN_PROVIDE(PRIVKEY, KEY_ED25519), +#endif #endif /* RSA */ #ifdef BOTAN_HAS_RSA @@ -218,6 +262,16 @@ METHOD(plugin_t, get_features, int, PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_384), PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA2_512), #endif +#ifdef BOTAN_HAS_SHA3 + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA3_224), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA3_256), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA3_384), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA3_512), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA3_224), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA3_256), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA3_384), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA3_512), +#endif #endif #ifdef BOTAN_HAS_EMSA_PSSR PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PSS), 
@@ -272,6 +326,21 @@ METHOD(plugin_t, get_features, int, #endif /* BOTAN_HAS_EMSA1 */ #endif /* BOTAN_HAS_ECDSA */ +#ifdef BOTAN_HAS_ED25519 + /* EdDSA private/public key loading */ + PLUGIN_REGISTER(PUBKEY, botan_ed_public_key_load, TRUE), + PLUGIN_PROVIDE(PUBKEY, KEY_ED25519), + PLUGIN_REGISTER(PRIVKEY, botan_ed_private_key_load, TRUE), + PLUGIN_PROVIDE(PRIVKEY, KEY_ED25519), + PLUGIN_REGISTER(PRIVKEY_GEN, botan_ed_private_key_gen, FALSE), + PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ED25519), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED25519), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ED25519), + /* register a pro forma identity hasher, never instantiated */ + PLUGIN_REGISTER(HASHER, return_null), + PLUGIN_PROVIDE(HASHER, HASH_IDENTITY), +#endif + /* random numbers */ #if BOTAN_HAS_SYSTEM_RNG #if BOTAN_HAS_HMAC_DRBG diff --git a/src/libstrongswan/plugins/botan/botan_rsa_private_key.c b/src/libstrongswan/plugins/botan/botan_rsa_private_key.c index bb723ff95..02820b297 100644 --- a/src/libstrongswan/plugins/botan/botan_rsa_private_key.c +++ b/src/libstrongswan/plugins/botan/botan_rsa_private_key.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2018 Tobias Brunner + * Copyright (C) 2018 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2018 René Korthaus @@ -84,13 +85,8 @@ bool botan_emsa_pss_identifier(rsa_pss_params_t *params, char *id, size_t len) { return FALSE; } - - if (params->salt_len > RSA_PSS_SALT_LEN_DEFAULT) - { - return snprintf(id, len, "EMSA-PSS(%s,MGF1,%zd)", hash, - params->salt_len) < len; - } - return snprintf(id, len, "EMSA-PSS(%s,MGF1)", hash) < len; + return snprintf(id, len, "EMSA-PSS(%s,MGF1,%zd)", hash, + params->salt_len) < len; } /** 
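Review bot: The rewritten return in botan_emsa_pss_identifier still compares the `int` result of snprintf directly with the `size_t` `len`, so a negative return (encoding error) converts to a huge unsigned value and reports success while `id` holds nothing usable. Suggest `int n = snprintf(id, len, "EMSA-PSS(%s,MGF1,%zd)", hash, params->salt_len);` followed by `return n >= 0 && (size_t)n < len;`. Emitting the salt length unconditionally also means this function now relies on callers having resolved the default salt-length sentinel beforehand, the same assumption the gcrypt and gmp hunks later in this commit make; a one-line comment stating that would help. The function starts before the hunk.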
@@ -140,6 +136,18 @@ METHOD(private_key_t, sign, bool, case SIGN_RSA_EMSA_PKCS1_SHA2_512: return botan_get_signature(this->key, "EMSA_PKCS1(SHA-512)", data, signature); + case SIGN_RSA_EMSA_PKCS1_SHA3_224: + return botan_get_signature(this->key, "EMSA_PKCS1(SHA-3(224))", data, + signature); + case SIGN_RSA_EMSA_PKCS1_SHA3_256: + return botan_get_signature(this->key, "EMSA_PKCS1(SHA-3(256))", data, + signature); + case SIGN_RSA_EMSA_PKCS1_SHA3_384: + return botan_get_signature(this->key, "EMSA_PKCS1(SHA-3(384))", data, + signature); + case SIGN_RSA_EMSA_PKCS1_SHA3_512: + return botan_get_signature(this->key, "EMSA_PKCS1(SHA-3(512))", data, + signature); case SIGN_RSA_EMSA_PSS: return build_emsa_pss_signature(this, params, data, signature); default: @@ -617,7 +625,7 @@ botan_rsa_private_key_t *botan_rsa_private_key_load(key_type_t type, if (n.ptr && e.ptr && d.ptr) { - botan_mp_t n_mp, e_mp, d_mp, p_mp, q_mp; + botan_mp_t n_mp, e_mp, d_mp, p_mp = NULL, q_mp = NULL; if (!chunk_to_botan_mp(n, &n_mp)) { diff --git a/src/libstrongswan/plugins/botan/botan_rsa_public_key.c b/src/libstrongswan/plugins/botan/botan_rsa_public_key.c index c6e2e8861..244caa585 100644 --- a/src/libstrongswan/plugins/botan/botan_rsa_public_key.c +++ b/src/libstrongswan/plugins/botan/botan_rsa_public_key.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2018 Tobias Brunner + * Copyright (C) 2018 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2018 René Korthaus 
@@ -68,33 +69,6 @@ struct private_botan_rsa_public_key_t { */ bool botan_emsa_pss_identifier(rsa_pss_params_t *params, char *id, size_t len); -/** - * Verify RSA signature - */ -static bool verify_rsa_signature(private_botan_rsa_public_key_t *this, - const char* hash_and_padding, chunk_t data, - chunk_t signature) -{ - botan_pk_op_verify_t verify_op; - bool valid = FALSE; - - if (botan_pk_op_verify_create(&verify_op, this->key, hash_and_padding, 0)) - { - return FALSE; - } - - if (botan_pk_op_verify_update(verify_op, data.ptr, data.len)) - { - botan_pk_op_verify_destroy(verify_op); - return FALSE; - } - - valid = !botan_pk_op_verify_finish(verify_op, signature.ptr, signature.len); - - botan_pk_op_verify_destroy(verify_op); - return valid; -} - /** * Verification of an EMSA PSS signature described in PKCS#1 */ @@ -109,7 +83,7 @@ static bool verify_emsa_pss_signature(private_botan_rsa_public_key_t *this, { return FALSE; } - return verify_rsa_signature(this, hash_and_padding, data, signature); + return botan_verify_signature(this->key, hash_and_padding, data, signature); } METHOD(public_key_t, get_type, key_type_t, 
@@ -125,23 +99,35 @@ METHOD(public_key_t, verify, bool,
 switch (scheme)
 {
 case SIGN_RSA_EMSA_PKCS1_NULL:
- return verify_rsa_signature(this, "EMSA_PKCS1(Raw)", data,
- signature);
+ return botan_verify_signature(this->key, "EMSA_PKCS1(Raw)", data,
+ signature);
 case SIGN_RSA_EMSA_PKCS1_SHA1:
- return verify_rsa_signature(this, "EMSA_PKCS1(SHA-1)", data,
- signature);
+ return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-1)", data,
+ signature);
 case SIGN_RSA_EMSA_PKCS1_SHA2_224:
- return verify_rsa_signature(this, "EMSA_PKCS1(SHA-224)",
- data, signature);
+ return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-224)",
+ data, signature);
 case SIGN_RSA_EMSA_PKCS1_SHA2_256:
- return verify_rsa_signature(this, "EMSA_PKCS1(SHA-256)",
- data, signature);
+ return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-256)",
+ data, signature);
 case SIGN_RSA_EMSA_PKCS1_SHA2_384:
- return verify_rsa_signature(this, "EMSA_PKCS1(SHA-384)",
- data, signature);
+ return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-384)",
+ data, signature);
 case SIGN_RSA_EMSA_PKCS1_SHA2_512:
- return verify_rsa_signature(this, "EMSA_PKCS1(SHA-512)",
- data, signature);
+ return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-512)",
+ data, signature);
+ case SIGN_RSA_EMSA_PKCS1_SHA3_224:
+ return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-3(224)",
+ data, signature);
+ case SIGN_RSA_EMSA_PKCS1_SHA3_256:
+ return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-3(256))",
+ data, signature);
+ case SIGN_RSA_EMSA_PKCS1_SHA3_384:
+ return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-3(384))",
+ data, signature);
+ case SIGN_RSA_EMSA_PKCS1_SHA3_512:
+ return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-3(512))",
+ data, signature);
 case SIGN_RSA_EMSA_PSS:
 return verify_emsa_pss_signature(this, params, data, signature);
 default:
diff --git a/src/libstrongswan/plugins/botan/botan_util.c b/src/libstrongswan/plugins/botan/botan_util.c
index 5e18405d7..f5728e43e 100644
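Review bot: The scheme string for SIGN_RSA_EMSA_PKCS1_SHA3_224 is missing its closing parenthesis: `"EMSA_PKCS1(SHA-3(224)"`, whereas the sign side in botan_rsa_private_key.c and the other three SHA-3 cases in this switch use the form `"EMSA_PKCS1(SHA-3(224))"`. With the malformed algorithm name botan_pk_op_verify_create presumably fails, so every RSA/SHA3-224 signature would be reported as invalid rather than failing loudly. Change the line to `return botan_verify_signature(this->key, "EMSA_PKCS1(SHA-3(224))",`. verify's body starts before the hunk.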
--- a/src/libstrongswan/plugins/botan/botan_util.c +++ b/src/libstrongswan/plugins/botan/botan_util.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2018 Tobias Brunner + * Copyright (C) 2018 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2018 René Korthaus @@ -67,6 +68,14 @@ const char *botan_get_hash(hash_algorithm_t hash) return "SHA-384"; case HASH_SHA512: return "SHA-512"; + case HASH_SHA3_224: + return "SHA-3(224)"; + case HASH_SHA3_256: + return "SHA-3(256)"; + case HASH_SHA3_384: + return "SHA-3(384)"; + case HASH_SHA3_512: + return "SHA-3(512)"; default: return NULL; } @@ -249,6 +258,32 @@ bool botan_get_signature(botan_privkey_t key, const char *scheme, return TRUE; } +/* + * Described in header + */ +bool botan_verify_signature(botan_pubkey_t key, const char *scheme, + chunk_t data, chunk_t signature) +{ + botan_pk_op_verify_t verify_op; + bool valid = FALSE; + + if (botan_pk_op_verify_create(&verify_op, key, scheme, 0)) + { + return FALSE; + } + + if (botan_pk_op_verify_update(verify_op, data.ptr, data.len)) + { + botan_pk_op_verify_destroy(verify_op); + return FALSE; + } + + valid = !botan_pk_op_verify_finish(verify_op, signature.ptr, signature.len); + + botan_pk_op_verify_destroy(verify_op); + return valid; +} + /* * Described in header */ diff --git a/src/libstrongswan/plugins/botan/botan_util.h b/src/libstrongswan/plugins/botan/botan_util.h index 08830356e..7fb74ec5d 100644 --- a/src/libstrongswan/plugins/botan/botan_util.h +++ b/src/libstrongswan/plugins/botan/botan_util.h 
@@ -100,6 +100,18 @@ bool botan_get_fingerprint(botan_pubkey_t pubkey, void *cache, bool botan_get_signature(botan_privkey_t key, const char *scheme, chunk_t data, chunk_t *signature); +/** + * Verify the given signature using the provided data and key with the specified + * signature scheme (hash/padding). + * + * @param key private key object + * @param scheme hash/padding algorithm + * @param data signed data + * @param signature signature to verify + */ +bool botan_verify_signature(botan_pubkey_t key, const char* scheme, + chunk_t data, chunk_t signature); + /** * Do the Diffie-Hellman key derivation using the given private key and public * value. diff --git a/src/libstrongswan/plugins/botan/botan_util_keys.c b/src/libstrongswan/plugins/botan/botan_util_keys.c index 176c2caf9..dc4031491 100644 --- a/src/libstrongswan/plugins/botan/botan_util_keys.c +++ b/src/libstrongswan/plugins/botan/botan_util_keys.c @@ -24,6 +24,8 @@ #include "botan_util_keys.h" #include "botan_ec_public_key.h" #include "botan_ec_private_key.h" +#include "botan_ed_public_key.h" +#include "botan_ed_private_key.h" #include "botan_rsa_public_key.h" #include "botan_rsa_private_key.h" @@ -104,15 +106,27 @@ public_key_t *botan_public_key_load(key_type_t type, va_list args) return NULL; } +#ifdef BOTAN_HAS_RSA if (streq(name, "RSA") && (type == KEY_ANY || type == KEY_RSA)) { this = (public_key_t*)botan_rsa_public_key_adopt(pubkey); } - else if (streq(name, "ECDSA") && (type == KEY_ANY || type == KEY_ECDSA)) + else +#endif +#ifdef BOTAN_HAS_ECDSA + if (streq(name, "ECDSA") && (type == KEY_ANY || type == KEY_ECDSA)) { this = (public_key_t*)botan_ec_public_key_adopt(pubkey); } else +#endif +#ifdef BOTAN_HAS_ED25519 + if (streq(name, "Ed25519") && (type == KEY_ANY || type == KEY_ED25519)) + { + this = botan_ed_public_key_adopt(pubkey); + } + else +#endif { botan_pubkey_destroy(pubkey); } 
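Review bot: The Doxygen block for botan_verify_signature documents `@param key private key object`, but the parameter is a `botan_pubkey_t` (verification takes the public key), and there is no `@return`. Suggest `@param key public key object` and adding `@return TRUE if the signature is valid, FALSE on verification failure or error` since the implementation in botan_util.c folds both outcomes into FALSE. `const char* scheme` also differs from the `const char *scheme` spacing used in the botan_get_signature declaration directly above.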
@@ -120,6 +134,7 @@ public_key_t *botan_public_key_load(key_type_t type, va_list args) return this; } +#ifdef BOTAN_HAS_ECDSA /** * Determine the curve OID from a PKCS#8 structure */ @@ -139,6 +154,7 @@ static int determine_ec_oid(chunk_t pkcs8) } return oid; } +#endif /* * Described in header @@ -151,7 +167,6 @@ private_key_t *botan_private_key_load(key_type_t type, va_list args) chunk_t blob = chunk_empty; botan_rng_t rng; char *name; - int oid; while (TRUE) { @@ -188,20 +203,35 @@ private_key_t *botan_private_key_load(key_type_t type, va_list args) botan_pubkey_destroy(pubkey); if (!name) { + botan_privkey_destroy(key); return NULL; } + +#ifdef BOTAN_HAS_RSA if (streq(name, "RSA") && (type == KEY_ANY || type == KEY_RSA)) { this = (private_key_t*)botan_rsa_private_key_adopt(key); } - else if (streq(name, "ECDSA") && (type == KEY_ANY || type == KEY_ECDSA)) + else +#endif +#ifdef BOTAN_HAS_ECDSA + if (streq(name, "ECDSA") && (type == KEY_ANY || type == KEY_ECDSA)) { - oid = determine_ec_oid(blob); + int oid = determine_ec_oid(blob); if (oid != OID_UNKNOWN) { this = (private_key_t*)botan_ec_private_key_adopt(key, oid); } } + else +#endif +#ifdef BOTAN_HAS_ED25519 + if (streq(name, "Ed25519") && (type == KEY_ANY || type == KEY_ED25519)) + { + this = botan_ed_private_key_adopt(key); + } +#endif + if (!this) { botan_privkey_destroy(key); diff --git a/src/libstrongswan/plugins/curve25519/curve25519_public_key.c b/src/libstrongswan/plugins/curve25519/curve25519_public_key.c index 1d4dec565..dfc1df4d0 100644 --- a/src/libstrongswan/plugins/curve25519/curve25519_public_key.c +++ b/src/libstrongswan/plugins/curve25519/curve25519_public_key.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2018 Tobias Brunner * Copyright (C) 2016 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * 
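Review bot: In botan_private_key_load each `#ifdef` branch now ends with a bare `else` before its `#endif`, so when only one of BOTAN_HAS_RSA/BOTAN_HAS_ECDSA is defined and BOTAN_HAS_ED25519 is not, the trailing `else` attaches to the unrelated `if (!this)` that follows; that happens to be harmless, but it is fragile and differs from botan_public_key_load in the previous hunk, whose chain always ends in an explicit `else { botan_pubkey_destroy(pubkey); }` block. Since the `streq` tests are mutually exclusive and `this` is presumably initialised to NULL (the `if (!this)` check relies on it), the `else` keywords can simply be dropped and each guarded block made a standalone `if`. The added `botan_privkey_destroy(key)` on the `!name` path is a good leak fix. The function continues past the hunk.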
@@ -48,6 +49,13 @@ METHOD(public_key_t, get_type, key_type_t, return KEY_ED25519; } +/* L = 2^252+27742317777372353535851937790883648493 in little-endian form */ +static chunk_t curve25519_order = chunk_from_chars( + 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, + 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10); + METHOD(public_key_t, verify, bool, private_curve25519_public_key_t *this, signature_scheme_t scheme, void *params, chunk_t data, chunk_t signature) @@ -93,6 +101,20 @@ METHOD(public_key_t, verify, bool, { return FALSE; } + /* make sure 0 <= s < L, as per RFC 8032, section 5.1.7 to prevent signature + * malleability. Due to the three-bit check above (forces s < 2^253) there + * is not that much room, but adding L once works with most signatures */ + for (i = 31; ; i--) + { + if (sig[i+32] < curve25519_order.ptr[i]) + { + break; + } + else if (sig[i+32] > curve25519_order.ptr[i] || i == 0) + { + return FALSE; + } + } hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512); if (!hasher) 
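Review bot: The comment on the new range check explains the malleability concern but not what the loop does, and since `i`, `sig` and the "three-bit check" it refers to all live outside the hunk a reader sees an unexplained countdown. Suggest replacing the three comment lines with `/* reject s >= L (RFC 8032, section 5.1.7): compare s = sig[32..63] (little-endian) against L from the most significant byte down; otherwise s + L would also verify and signatures would be malleable */`. The loop is correct as far as visible: `s == L` is rejected via the `i == 0` test, and a variable-time byte comparison is acceptable here because both operands are public. `i` must be a signed type for the countdown to 0 to be safe; its declaration is outside the hunk, and verify's body starts before it.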
@@ -199,6 +221,52 @@ static const asn1Object_t pubkeyObjects[] = { #define ED25519_SUBJECT_PUBLIC_KEY_ALGORITHM 1 #define ED25519_SUBJECT_PUBLIC_KEY 2 +/** + * Parse the ASN.1-encoded subjectPublicKeyInfo + */ +static bool parse_public_key_info(private_curve25519_public_key_t *this, + chunk_t blob) +{ + asn1_parser_t *parser; + chunk_t object; + bool success = FALSE; + int objectID, oid; + + parser = asn1_parser_create(pubkeyObjects, blob); + + while (parser->iterate(parser, &objectID, &object)) + { + switch (objectID) + { + case ED25519_SUBJECT_PUBLIC_KEY_ALGORITHM: + { + oid = asn1_parse_algorithmIdentifier(object, + parser->get_level(parser) + 1, NULL); + if (oid != OID_ED25519) + { + goto end; + } + break; + } + case ED25519_SUBJECT_PUBLIC_KEY: + { + /* encoded as an ASN1 BIT STRING */ + if (object.len != 1 + ED25519_KEY_LEN) + { + goto end; + } + this->pubkey = chunk_clone(chunk_skip(object, 1)); + break; + } + } + } + success = parser->success(parser); + +end: + parser->destroy(parser); + return success; +} + /** * See header. */ @@ -206,16 +274,16 @@ curve25519_public_key_t *curve25519_public_key_load(key_type_t type, va_list args) { private_curve25519_public_key_t *this; - chunk_t blob = chunk_empty, object; - asn1_parser_t *parser; - bool success = FALSE; - int objectID, oid; + chunk_t asn1 = chunk_empty, blob = chunk_empty; while (TRUE) { switch (va_arg(args, builder_part_t)) { case BUILD_BLOB_ASN1_DER: + asn1 = va_arg(args, chunk_t); + continue; + case BUILD_EDDSA_PUB: blob = va_arg(args, chunk_t); continue; case BUILD_END: 
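Review bot: parse_public_key_info's header comment only says "Parse the ASN.1-encoded subjectPublicKeyInfo"; as a helper that writes into `this` and can fail part-way, it should state its contract. Suggest `/* Parse the ASN.1-encoded subjectPublicKeyInfo into this->pubkey; fails if the algorithm OID is not OID_ED25519 or the BIT STRING is not 1 + ED25519_KEY_LEN bytes. On failure this->pubkey may already be set and is released by the caller. */`. The `switch (objectID)` has no `default`, which is fine for the parser's fixed object list but a `default: break;` would make that explicit for readers.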
@@ -244,39 +312,11 @@ curve25519_public_key_t *curve25519_public_key_load(key_type_t type, .ref = 1, ); - parser = asn1_parser_create(pubkeyObjects, blob); - - while (parser->iterate(parser, &objectID, &object)) + if (blob.len == ED25519_KEY_LEN) { - switch (objectID) - { - case ED25519_SUBJECT_PUBLIC_KEY_ALGORITHM: - { - oid = asn1_parse_algorithmIdentifier(object, - parser->get_level(parser) + 1, NULL); - if (oid != OID_ED25519) - { - goto end; - } - break; - } - case ED25519_SUBJECT_PUBLIC_KEY: - { - /* encoded as an ASN1 BIT STRING */ - if (object.len != 1 + ED25519_KEY_LEN) - { - goto end; - } - this->pubkey = chunk_clone(chunk_skip(object, 1)); - break; - } - } + this->pubkey = chunk_clone(blob); } - success = parser->success(parser); - -end: - parser->destroy(parser); - if (!success) + else if (!asn1.len || !parse_public_key_info(this, asn1)) { destroy(this); return NULL; diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c index 45fba242b..6946e4576 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c @@ -43,10 +43,12 @@ struct private_gcrypt_plugin_t { gcrypt_plugin_t public; }; +#if GCRYPT_VERSION_NUMBER < 0x010600 /** * Define gcrypt multi-threading callbacks as gcry_threads_pthread */ GCRY_THREAD_OPTION_PTHREAD_IMPL; +#endif METHOD(plugin_t, get_name, char*, private_gcrypt_plugin_t *this) @@ -163,7 +165,9 @@ plugin_t *gcrypt_plugin_create() { private_gcrypt_plugin_t *this; +#if GCRYPT_VERSION_NUMBER < 0x010600 gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); +#endif if (!gcry_check_version(GCRYPT_VERSION)) { diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c index c06f43348..394b87c27 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c 
@@ -187,11 +187,7 @@ static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this, } else { - u_int slen = hasher_hash_size(hash_algorithm); - if (pss->salt_len > RSA_PSS_SALT_LEN_DEFAULT) - { - slen = pss->salt_len; - } + u_int slen = pss->salt_len; err = gcry_sexp_build(&in, NULL, "(data(flags pss)(salt-length %u)(hash %s %b))", slen, hash_name, hash.len, hash.ptr); diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c index 9e2ac1287..bbfa5e298 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c @@ -139,11 +139,7 @@ static bool verify_pkcs1(private_gcrypt_rsa_public_key_t *this, if (pss) { - u_int slen = hasher_hash_size(algorithm); - if (pss->salt_len > RSA_PSS_SALT_LEN_DEFAULT) - { - slen = pss->salt_len; - } + u_int slen = pss->salt_len; err = gcry_sexp_build(&in, NULL, "(data(flags pss)(salt-length %u)(hash %s %b))", slen, hash_name, hash.len, hash.ptr); diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c index a255a40ab..2d2d5c6fb 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c @@ -393,15 +393,11 @@ static bool build_emsa_pss_signature(private_gmp_rsa_private_key_t *this, goto error; } - salt.len = hash.len; + salt.len = params->salt_len; if (params->salt.len) { salt = params->salt; } - else if (params->salt_len > RSA_PSS_SALT_LEN_DEFAULT) - { - salt.len = params->salt_len; - } if (emlen < (hash.len + salt.len + 2)) { /* too long */ goto error; diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c index 9b5ee67fa..f9bd1d314 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c 
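Review bot: `u_int slen = pss->salt_len;` in sign_pkcs1 converts `salt_len` to unsigned without the guard the removed code had; the removed comparison against RSA_PSS_SALT_LEN_DEFAULT suggests the field is signed with a below-zero sentinel, so if a caller still passes that sentinel it becomes a huge salt length instead of the hash length. The same applies to verify_pkcs1 in gcrypt_rsa_public_key.c and to `salt.len = params->salt_len;` in gmp_rsa_private_key.c in this hunk group and gmp_rsa_public_key.c in the next, where a wrapped `size_t` can also defeat the `emlen < (hash.len + salt.len + 2)` check by wrapping the sum. If the sentinel is now resolved centrally before these functions run, a comment at each site such as `/* salt_len is resolved by the caller, never a negative sentinel */`, or an assert, would make the dependency visible. All four enclosing functions start outside their hunks.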
@@ -205,12 +205,7 @@ static bool verify_emsa_pss_signature(private_gmp_rsa_public_key_t *this, { goto error; } - /* determine salt length */ - salt.len = hash.len; - if (params->salt_len > RSA_PSS_SALT_LEN_DEFAULT) - { - salt.len = params->salt_len; - } + salt.len = params->salt_len; /* verify general structure of EM */ maskbits = (8 * em.len) - embits; if (em.len < (hash.len + salt.len + 2) || em.ptr[em.len-1] != 0xbc || diff --git a/src/libstrongswan/plugins/mysql/mysql_database.c b/src/libstrongswan/plugins/mysql/mysql_database.c index d7e35d9fd..90f8185b0 100644 --- a/src/libstrongswan/plugins/mysql/mysql_database.c +++ b/src/libstrongswan/plugins/mysql/mysql_database.c @@ -131,9 +131,13 @@ typedef struct { */ static void conn_release(private_mysql_database_t *this, conn_t *conn) { - this->mutex->lock(this->mutex); - conn->in_use = FALSE; - this->mutex->unlock(this->mutex); + /* do not release the connection while transactions are using it */ + if (!this->transaction->get(this->transaction)) + { + this->mutex->lock(this->mutex); + conn->in_use = FALSE; + this->mutex->unlock(this->mutex); + } } /** diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am index 9287f788a..d484092e7 100644 --- a/src/libstrongswan/plugins/openssl/Makefile.am +++ b/src/libstrongswan/plugins/openssl/Makefile.am @@ -29,7 +29,10 @@ libstrongswan_openssl_la_SOURCES = \ openssl_pkcs12.c openssl_pkcs12.h \ openssl_rng.c openssl_rng.h \ openssl_hmac.c openssl_hmac.h \ - openssl_gcm.c openssl_gcm.h + openssl_gcm.c openssl_gcm.h \ + openssl_x_diffie_hellman.c openssl_x_diffie_hellman.h \ + openssl_ed_private_key.c openssl_ed_private_key.h \ + openssl_ed_public_key.c openssl_ed_public_key.h libstrongswan_openssl_la_LDFLAGS = -module -avoid-version libstrongswan_openssl_la_LIBADD = $(OPENSSL_LIB) diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in index 79be2e670..da04d17cf 100644 
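Review bot: conn_release now leaves `in_use` set while `this->transaction->get()` is non-NULL, so the connection is only returned to the pool by whatever code ends the transaction, which is outside this hunk; if any commit or rollback path does not perform that release the connection is leaked for the lifetime of the database object. The new comment would be more useful if it named that counterpart, e.g. `/* do not release the connection while a transaction is using it; it is released when the transaction is committed or rolled back */`. Reading the transaction value outside the mutex is presumably fine if it is thread-local, which the visible code does not show.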
--- a/src/libstrongswan/plugins/openssl/Makefile.in +++ b/src/libstrongswan/plugins/openssl/Makefile.in @@ -145,7 +145,8 @@ am_libstrongswan_openssl_la_OBJECTS = openssl_plugin.lo \ openssl_ec_diffie_hellman.lo openssl_ec_private_key.lo \ openssl_ec_public_key.lo openssl_x509.lo openssl_crl.lo \ openssl_pkcs7.lo openssl_pkcs12.lo openssl_rng.lo \ - openssl_hmac.lo openssl_gcm.lo + openssl_hmac.lo openssl_gcm.lo openssl_x_diffie_hellman.lo \ + openssl_ed_private_key.lo openssl_ed_public_key.lo libstrongswan_openssl_la_OBJECTS = \ $(am_libstrongswan_openssl_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) @@ -487,7 +488,10 @@ libstrongswan_openssl_la_SOURCES = \ openssl_pkcs12.c openssl_pkcs12.h \ openssl_rng.c openssl_rng.h \ openssl_hmac.c openssl_hmac.h \ - openssl_gcm.c openssl_gcm.h + openssl_gcm.c openssl_gcm.h \ + openssl_x_diffie_hellman.c openssl_x_diffie_hellman.h \ + openssl_ed_private_key.c openssl_ed_private_key.h \ + openssl_ed_public_key.c openssl_ed_public_key.h libstrongswan_openssl_la_LDFLAGS = -module -avoid-version libstrongswan_openssl_la_LIBADD = $(OPENSSL_LIB) @@ -586,6 +590,8 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ec_diffie_hellman.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ec_private_key.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ec_public_key.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ed_private_key.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ed_public_key.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_gcm.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_hasher.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_hmac.Plo@am__quote@ 
@@ -598,6 +604,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_sha1_prf.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_util.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_x509.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_x_diffie_hellman.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c index bb5f20dcf..3e7490dc6 100644 --- a/src/libstrongswan/plugins/openssl/openssl_crl.c +++ b/src/libstrongswan/plugins/openssl/openssl_crl.c @@ -57,6 +57,9 @@ static inline void X509_CRL_get0_signature(const X509_CRL *crl, ASN1_BIT_STRING #define X509_REVOKED_get0_serialNumber(r) ({ (r)->serialNumber; }) #define X509_REVOKED_get0_revocationDate(r) ({ (r)->revocationDate; }) #define X509_CRL_get0_extensions(c) ({ (c)->crl->extensions; }) +#define ASN1_STRING_get0_data(a) ASN1_STRING_data(a) +#define X509_CRL_get0_lastUpdate(c) X509_CRL_get_lastUpdate(c) +#define X509_CRL_get0_nextUpdate(c) X509_CRL_get_nextUpdate(c) #endif typedef struct private_openssl_crl_t private_openssl_crl_t; @@ -193,7 +196,7 @@ METHOD(enumerator_t, crl_enumerate, bool, if (ASN1_STRING_type(crlrsn) == V_ASN1_ENUMERATED && ASN1_STRING_length(crlrsn) == 1) { - *reason = *ASN1_STRING_data(crlrsn); + *reason = *ASN1_STRING_get0_data(crlrsn); } ASN1_STRING_free(crlrsn); } @@ -288,7 +291,11 @@ METHOD(certificate_t, issued_by, bool, chunk_t fingerprint, tbs; public_key_t *key; x509_t *x509; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + const ASN1_BIT_STRING *sig; +#else ASN1_BIT_STRING *sig; +#endif bool valid; if (issuer->get_type(issuer) != CERT_X509) 
@@ -509,7 +516,7 @@ static bool parse_extensions(private_openssl_crl_t *this) bool ok; int i, num; X509_EXTENSION *ext; - STACK_OF(X509_EXTENSION) *extensions; + const STACK_OF(X509_EXTENSION) *extensions; extensions = X509_CRL_get0_extensions(this->crl); if (extensions) @@ -564,7 +571,11 @@ static bool parse_crl(private_openssl_crl_t *this) { const unsigned char *ptr = this->encoding.ptr; chunk_t sig_scheme; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + const X509_ALGOR *alg; +#else X509_ALGOR *alg; +#endif this->crl = d2i_X509_CRL(NULL, &ptr, this->encoding.len); if (!this->crl) @@ -573,7 +584,7 @@ static bool parse_crl(private_openssl_crl_t *this) } X509_CRL_get0_signature(this->crl, NULL, &alg); - sig_scheme = openssl_i2chunk(X509_ALGOR, alg); + sig_scheme = openssl_i2chunk(X509_ALGOR, (X509_ALGOR*)alg); INIT(this->scheme); if (!signature_params_parse(sig_scheme, 0, this->scheme)) { @@ -588,8 +599,8 @@ static bool parse_crl(private_openssl_crl_t *this) { return FALSE; } - this->thisUpdate = openssl_asn1_to_time(X509_CRL_get_lastUpdate(this->crl)); - this->nextUpdate = openssl_asn1_to_time(X509_CRL_get_nextUpdate(this->crl)); + this->thisUpdate = openssl_asn1_to_time(X509_CRL_get0_lastUpdate(this->crl)); + this->nextUpdate = openssl_asn1_to_time(X509_CRL_get0_nextUpdate(this->crl)); return parse_extensions(this); } diff --git a/src/libstrongswan/plugins/openssl/openssl_ed_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ed_private_key.c new file mode 100644 index 000000000..b5bc9b868 --- /dev/null +++ b/src/libstrongswan/plugins/openssl/openssl_ed_private_key.c 
@@ -0,0 +1,356 @@ +/* + * Copyright (C) 2018 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC) + +#include "openssl_ed_private_key.h" + +#include + +typedef struct private_private_key_t private_private_key_t; + +/** + * Private data + */ +struct private_private_key_t { + + /** + * Public interface + */ + private_key_t public; + + /** + * Key object + */ + EVP_PKEY *key; + + /** + * Key type + */ + key_type_t type; + + /** + * TRUE if the key is from an OpenSSL ENGINE and might not be readable + */ + bool engine; + + /** + * reference count + */ + refcount_t ref; +}; + +/** + * We can't include asn1.h, declare function prototype directly + */ +int asn1_unwrap(chunk_t*, chunk_t*); + +/* from ed public key */ +int openssl_ed_key_type(key_type_t type); +int openssl_ed_keysize(key_type_t type); +bool openssl_ed_fingerprint(EVP_PKEY *key, cred_encoding_type_t type, chunk_t *fp); + +METHOD(private_key_t, sign, bool, + private_private_key_t *this, signature_scheme_t scheme, + void *params, chunk_t data, chunk_t *signature) +{ + EVP_MD_CTX *ctx; + bool success = FALSE; + + if ((this->type == KEY_ED25519 && scheme != SIGN_ED25519) || + (this->type == KEY_ED448 && scheme != SIGN_ED448)) + { + DBG1(DBG_LIB, "signature scheme %N not supported by %N key", + signature_scheme_names, scheme, key_type_names, this->type); + return FALSE; + } + + ctx = EVP_MD_CTX_new(); + if (!ctx 
|| + EVP_DigestSignInit(ctx, NULL, NULL, NULL, this->key) <= 0) + { + goto error; + } + + if (EVP_DigestSign(ctx, NULL, &signature->len, data.ptr, data.len) <= 0) + { + goto error; + } + + *signature = chunk_alloc(signature->len); + + if (EVP_DigestSign(ctx, signature->ptr, &signature->len, + data.ptr, data.len) <= 0) + { + goto error; + } + + success = TRUE; + +error: + EVP_MD_CTX_free(ctx); + return success; +} + +METHOD(private_key_t, decrypt, bool, + private_private_key_t *this, encryption_scheme_t scheme, + chunk_t crypto, chunk_t *plain) +{ + DBG1(DBG_LIB, "EdDSA private key decryption not implemented"); + return FALSE; +} + +METHOD(private_key_t, get_keysize, int, + private_private_key_t *this) +{ + return openssl_ed_keysize(this->type); +} + +METHOD(private_key_t, get_type, key_type_t, + private_private_key_t *this) +{ + return this->type; +} + +METHOD(private_key_t, get_public_key, public_key_t*, + private_private_key_t *this) +{ + public_key_t *public; + chunk_t key; + + if (!EVP_PKEY_get_raw_public_key(this->key, NULL, &key.len)) + { + return FALSE; + } + key = chunk_alloca(key.len); + if (!EVP_PKEY_get_raw_public_key(this->key, key.ptr, &key.len)) + { + return FALSE; + } + public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, this->type, + BUILD_EDDSA_PUB, key, BUILD_END); + return public; +} + +METHOD(private_key_t, get_fingerprint, bool, + private_private_key_t *this, cred_encoding_type_t type, + chunk_t *fingerprint) +{ + return openssl_ed_fingerprint(this->key, type, fingerprint); +} + +METHOD(private_key_t, get_encoding, bool, + private_private_key_t *this, cred_encoding_type_t type, chunk_t *encoding) +{ + u_char *p; + + if (this->engine) + { + return FALSE; + } + + switch (type) + { + case PRIVKEY_ASN1_DER: + case PRIVKEY_PEM: + { + bool success = TRUE; + + *encoding = chunk_alloc(i2d_PrivateKey(this->key, NULL)); + p = encoding->ptr; + i2d_PrivateKey(this->key, &p); + + if (type == PRIVKEY_PEM) + { + chunk_t asn1_encoding = *encoding; + + 
success = lib->encoding->encode(lib->encoding, PRIVKEY_PEM, + NULL, encoding, CRED_PART_EDDSA_PRIV_ASN1_DER, + asn1_encoding, CRED_PART_END); + chunk_clear(&asn1_encoding); + } + return success; + } + default: + return FALSE; + } +} + +METHOD(private_key_t, get_ref, private_key_t*, + private_private_key_t *this) +{ + ref_get(&this->ref); + return &this->public; +} + +METHOD(private_key_t, destroy, void, + private_private_key_t *this) +{ + if (ref_put(&this->ref)) + { + lib->encoding->clear_cache(lib->encoding, this->key); + EVP_PKEY_free(this->key); + free(this); + } +} + +/** + * Internal generic constructor + */ +static private_private_key_t *create_internal(key_type_t type, EVP_PKEY *key) +{ + private_private_key_t *this; + + INIT(this, + .public = { + .get_type = _get_type, + .sign = _sign, + .decrypt = _decrypt, + .get_keysize = _get_keysize, + .get_public_key = _get_public_key, + .equals = private_key_equals, + .belongs_to = private_key_belongs_to, + .get_fingerprint = _get_fingerprint, + .has_fingerprint = private_key_has_fingerprint, + .get_encoding = _get_encoding, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .type = type, + .key = key, + .ref = 1, + ); + + return this; +} + +/* + * Described in header + */ +private_key_t *openssl_ed_private_key_create(EVP_PKEY *key, bool engine) +{ + private_private_key_t *this; + key_type_t type; + + switch (EVP_PKEY_base_id(key)) + { + case EVP_PKEY_X25519: + type = KEY_ED25519; + break; + case EVP_PKEY_X448: + type = KEY_ED448; + break; + default: + EVP_PKEY_free(key); + return NULL; + } + + this = create_internal(type, key); + this->engine = engine; + return &this->public; +} + +/* + * Described in header + */ +private_key_t *openssl_ed_private_key_gen(key_type_t type, va_list args) +{ + private_private_key_t *this; + EVP_PKEY_CTX *ctx; + EVP_PKEY *key = NULL; + + while (TRUE) + { + switch (va_arg(args, builder_part_t)) + { + case BUILD_KEY_SIZE: + /* just ignore the key size */ + va_arg(args, u_int); + 
continue; + case BUILD_END: + break; + default: + return NULL; + } + break; + } + + ctx = EVP_PKEY_CTX_new_id(openssl_ed_key_type(type), NULL); + if (!ctx || + EVP_PKEY_keygen_init(ctx) <= 0 || + EVP_PKEY_keygen(ctx, &key) <= 0) + { + DBG1(DBG_LIB, "generating %N key failed", key_type_names, type); + EVP_PKEY_CTX_free(ctx); + return NULL; + } + EVP_PKEY_CTX_free(ctx); + + this = create_internal(type, key); + return &this->public; +} + +/* + * Described in header + */ +private_key_t *openssl_ed_private_key_load(key_type_t type, va_list args) +{ + private_private_key_t *this; + chunk_t blob = chunk_empty, priv = chunk_empty; + EVP_PKEY *key = NULL; + + while (TRUE) + { + switch (va_arg(args, builder_part_t)) + { + case BUILD_BLOB_ASN1_DER: + blob = va_arg(args, chunk_t); + continue; + case BUILD_EDDSA_PRIV_ASN1_DER: + priv = va_arg(args, chunk_t); + continue; + case BUILD_END: + break; + default: + return NULL; + } + break; + } + + if (priv.len) + { + /* unwrap octet string */ + if (asn1_unwrap(&priv, &priv) == 0x04 && priv.len) + { + key = EVP_PKEY_new_raw_private_key(openssl_ed_key_type(type), NULL, + priv.ptr, priv.len); + } + } + else if (blob.len) + { + key = d2i_PrivateKey(openssl_ed_key_type(type), NULL, + (const u_char**)&blob.ptr, blob.len); + } + if (!key) + { + return NULL; + } + this = create_internal(type, key); + return &this->public; +} + +#endif /* OPENSSL_NO_ECDSA */ diff --git a/src/libstrongswan/plugins/openssl/openssl_ed_private_key.h b/src/libstrongswan/plugins/openssl/openssl_ed_private_key.h new file mode 100644 index 000000000..ce9071348 --- /dev/null +++ b/src/libstrongswan/plugins/openssl/openssl_ed_private_key.h 
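Review bot: openssl_ed_private_key_create classifies the EVP_PKEY with `case EVP_PKEY_X25519:` and `case EVP_PKEY_X448:`, which are the X25519/X448 key-agreement types; the EdDSA signing keys this file wraps (and that the header comment names) are `EVP_PKEY_ED25519` and `EVP_PKEY_ED448`, so as written an Ed25519 key falls into `default`, is freed and NULL is returned, while an X25519 key would be wrapped as a signing key and then fail in EVP_DigestSignInit. Change the two labels to `case EVP_PKEY_ED25519:` and `case EVP_PKEY_ED448:`. Smaller points: get_public_key returns `FALSE` from a `public_key_t*` method where `NULL` is meant; sign leaves the chunk from `*signature = chunk_alloc(signature->len);` with the caller when the second EVP_DigestSign fails, so it should be freed before `goto error`; and the closing `#endif /* OPENSSL_NO_ECDSA */` does not match the `!defined(OPENSSL_NO_EC)` condition it closes.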
@@ -0,0 +1,58 @@ +/* + * Copyright (C) 2018 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup openssl_ed_private_key openssl_ed_private_key + * @{ @ingroup openssl_p + */ + +#ifndef OPENSSL_ED_PRIVATE_KEY_H_ +#define OPENSSL_ED_PRIVATE_KEY_H_ + +#include + +#include +#include + +/** + * Generate an EdDSA private key using OpenSSL. + * + * @param type type of the key, must be KEY_ED25519 or KEY_ED448 + * @param args builder_part_t argument list + * @return generated key, NULL on failure + */ +private_key_t *openssl_ed_private_key_gen(key_type_t type, va_list args); + +/** + * Load an EdDSA private key using OpenSSL. + * + * Accepts a BUILD_BLOB_ASN1_DER argument. + * + * @param type type of the key, must be KEY_ED25519 or KEY_ED448 + * @param args builder_part_t argument list + * @return loaded key, NULL on failure + */ +private_key_t *openssl_ed_private_key_load(key_type_t type, va_list args); + +/** + * Wrap an EVP_PKEY object of type EVP_PKEY_ED25519/448 + * + * @param key EVP_PKEY object (adopted) + * @param engine whether the key was loaded via an engine + * @return loaded key, NULL on failure + */ +private_key_t *openssl_ed_private_key_create(EVP_PKEY *key, bool engine); + +#endif /** OPENSSL_ED_PRIVATE_KEY_H_ @}*/ diff --git a/src/libstrongswan/plugins/openssl/openssl_ed_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ed_public_key.c new file mode 100644 index 000000000..2daddc57e --- /dev/null 
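Review bot: The contract documented for openssl_ed_private_key_create ("EVP_PKEY object of type EVP_PKEY_ED25519/448") does not match the implementation visible in the preceding openssl_ed_private_key.c hunk, whose switch handles EVP_PKEY_X25519 and EVP_PKEY_X448 and frees anything else, so an Ed25519/Ed448 EVP_PKEY handed over by the loaders in openssl_plugin.c would hit the default branch and come back as NULL; one of the two sides has to change, and the header's wording looks like the intended one. The doc comment of openssl_ed_private_key_load also says it accepts only BUILD_BLOB_ASN1_DER, while the loader additionally consumes BUILD_EDDSA_PRIV_ASN1_DER; suggest ` * Accepts a BUILD_BLOB_ASN1_DER or BUILD_EDDSA_PRIV_ASN1_DER argument.`.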
+++ b/src/libstrongswan/plugins/openssl/openssl_ed_public_key.c 
@@ -0,0 +1,304 @@ +/* + * Copyright (C) 2018 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC) + +#include + +#include "openssl_ed_public_key.h" + +#include + +typedef struct private_public_key_t private_public_key_t; + +/** + * Private data + */ +struct private_public_key_t { + + /** + * Public interface + */ + public_key_t public; + + /** + * Key object + */ + EVP_PKEY *key; + + /** + * Key type + */ + key_type_t type; + + /** + * Reference counter + */ + refcount_t ref; +}; + +/** + * Map a key type to an EVP key type + */ +int openssl_ed_key_type(key_type_t type) +{ + switch (type) + { + case KEY_ED25519: + return EVP_PKEY_ED25519; + case KEY_ED448: + return EVP_PKEY_ED448; + default: + return 0; + } +} + +/** + * Map a key type to a key size + */ +int openssl_ed_keysize(key_type_t type) +{ + switch (type) + { + case KEY_ED25519: + return 32 * 8; + case KEY_ED448: + return 57 * 8; + default: + return 0; + } +} + +METHOD(public_key_t, get_type, key_type_t, + private_public_key_t *this) +{ + return this->type; +} + +METHOD(public_key_t, verify, bool, + private_public_key_t *this, signature_scheme_t scheme, + void *params, chunk_t data, chunk_t signature) +{ + EVP_MD_CTX *ctx; + + if ((this->type == KEY_ED25519 && scheme != SIGN_ED25519) || + (this->type == KEY_ED448 && scheme != SIGN_ED448)) + { + DBG1(DBG_LIB, "signature scheme %N not supported by %N key", + 
signature_scheme_names, scheme, key_type_names, this->type); + return FALSE; + } + + ctx = EVP_MD_CTX_new(); + if (!ctx || + EVP_DigestVerifyInit(ctx, NULL, NULL, NULL, this->key) <= 0 || + EVP_DigestVerify(ctx, signature.ptr, signature.len, + data.ptr, data.len) <= 0) + { + EVP_MD_CTX_free(ctx); + return FALSE; + } + EVP_MD_CTX_free(ctx); + return TRUE; +} + +METHOD(public_key_t, encrypt, bool, + private_public_key_t *this, encryption_scheme_t scheme, + chunk_t crypto, chunk_t *plain) +{ + DBG1(DBG_LIB, "encryption scheme %N not supported", encryption_scheme_names, + scheme); + return FALSE; +} + +METHOD(public_key_t, get_keysize, int, + private_public_key_t *this) +{ + return openssl_ed_keysize(this->type); +} + +/** + * Calculate fingerprint from an EdDSA key, also used in ed private key. + */ +bool openssl_ed_fingerprint(EVP_PKEY *key, cred_encoding_type_t type, + chunk_t *fp) +{ + hasher_t *hasher; + chunk_t blob; + u_char *p; + + if (lib->encoding->get_cache(lib->encoding, type, key, fp)) + { + return TRUE; + } + switch (type) + { + case KEYID_PUBKEY_SHA1: + if (!EVP_PKEY_get_raw_public_key(key, NULL, &blob.len)) + { + return FALSE; + } + blob = chunk_alloca(blob.len); + if (!EVP_PKEY_get_raw_public_key(key, blob.ptr, &blob.len)) + { + return FALSE; + } + break; + case KEYID_PUBKEY_INFO_SHA1: + blob = chunk_alloca(i2d_PUBKEY(key, NULL)); + p = blob.ptr; + i2d_PUBKEY(key, &p); + break; + default: + return FALSE; + } + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); + if (!hasher || !hasher->allocate_hash(hasher, blob, fp)) + { + DBG1(DBG_LIB, "SHA1 not supported, fingerprinting failed"); + DESTROY_IF(hasher); + return FALSE; + } + hasher->destroy(hasher); + lib->encoding->cache(lib->encoding, type, key, *fp); + return TRUE; +} + +METHOD(public_key_t, get_fingerprint, bool, + private_public_key_t *this, cred_encoding_type_t type, chunk_t *fingerprint) +{ + return openssl_ed_fingerprint(this->key, type, fingerprint); +} + +METHOD(public_key_t, 
get_encoding, bool, + private_public_key_t *this, cred_encoding_type_t type, chunk_t *encoding) +{ + bool success = TRUE; + u_char *p; + + *encoding = chunk_alloc(i2d_PUBKEY(this->key, NULL)); + p = encoding->ptr; + i2d_PUBKEY(this->key, &p); + + if (type != PUBKEY_SPKI_ASN1_DER) + { + chunk_t asn1_encoding = *encoding; + + success = lib->encoding->encode(lib->encoding, type, + NULL, encoding, CRED_PART_EDDSA_PUB_ASN1_DER, + asn1_encoding, CRED_PART_END); + chunk_clear(&asn1_encoding); + } + return success; +} + +METHOD(public_key_t, get_ref, public_key_t*, + private_public_key_t *this) +{ + ref_get(&this->ref); + return &this->public; +} + +METHOD(public_key_t, destroy, void, + private_public_key_t *this) +{ + if (ref_put(&this->ref)) + { + lib->encoding->clear_cache(lib->encoding, this->key); + EVP_PKEY_free(this->key); + free(this); + } +} + +/** + * Generic private constructor + */ +static private_public_key_t *create_empty(key_type_t type) +{ + private_public_key_t *this; + + INIT(this, + .public = { + .get_type = _get_type, + .verify = _verify, + .encrypt = _encrypt, + .get_keysize = _get_keysize, + .equals = public_key_equals, + .get_fingerprint = _get_fingerprint, + .has_fingerprint = public_key_has_fingerprint, + .get_encoding = _get_encoding, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .type = type, + .ref = 1, + ); + + return this; +} + +/* + * Described in header + */ +public_key_t *openssl_ed_public_key_load(key_type_t type, va_list args) +{ + private_public_key_t *this; + chunk_t blob = chunk_empty, pub = chunk_empty; + EVP_PKEY *key = NULL; + + while (TRUE) + { + switch (va_arg(args, builder_part_t)) + { + case BUILD_BLOB_ASN1_DER: + blob = va_arg(args, chunk_t); + continue; + case BUILD_EDDSA_PUB: + pub = va_arg(args, chunk_t); + continue; + case BUILD_END: + break; + default: + return NULL; + } + break; + } + + if (pub.len) + { + key = EVP_PKEY_new_raw_public_key(openssl_ed_key_type(type), NULL, + pub.ptr, pub.len); + } + else if 
(blob.len) + { + key = d2i_PUBKEY(NULL, (const u_char**)&blob.ptr, blob.len); + if (key && EVP_PKEY_base_id(key) != openssl_ed_key_type(type)) + { + EVP_PKEY_free(key); + return NULL; + } + } + if (!key) + { + return NULL; + } + this = create_empty(type); + this->key = key; + return &this->public; +} + +#endif /* OPENSSL_VERSION_NUMBER */ diff --git a/src/libstrongswan/plugins/openssl/openssl_ed_public_key.h b/src/libstrongswan/plugins/openssl/openssl_ed_public_key.h new file mode 100644 index 000000000..c4e1ba3ed --- /dev/null +++ b/src/libstrongswan/plugins/openssl/openssl_ed_public_key.h @@ -0,0 +1,38 @@ +/* + * Copyright (C) 2018 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup openssl_ed_public_key openssl_ed_public_key + * @{ @ingroup openssl_p + */ + +#ifndef OPENSSL_ED_PUBLIC_KEY_H_ +#define OPENSSL_ED_PUBLIC_KEY_H_ + +#include +#include + +/** + * Load an EdDSA public key using OpenSSL. + * + * Accepts a BUILD_BLOB_ASN1_DER argument. + * + * @param type type of the key, must be KEY_ED25519 or KEY_ED448 + * @param args builder_part_t argument list + * @return loaded key, NULL on failure + */ +public_key_t *openssl_ed_public_key_load(key_type_t type, va_list args); + +#endif /** OPENSSL_ED_PUBLIC_KEY_H_ @}*/ diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c index 8b0a7c5c7..cbeb6c3b7 100644 --- a/src/libstrongswan/plugins/openssl/openssl_plugin.c 
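Review bot: In openssl_ed_fingerprint (KEYID_PUBKEY_INFO_SHA1 branch) and in get_encoding the length returned by `i2d_PUBKEY(key, NULL)` is passed straight to chunk_alloca/chunk_alloc without checking for a negative (error) result, and the return of the second i2d_PUBKEY call is ignored as well; a guard such as `int len = i2d_PUBKEY(key, NULL); if (len <= 0) { return FALSE; }` before the allocation keeps a malformed key from becoming a bogus-size alloca. The helpers openssl_ed_key_type, openssl_ed_keysize and openssl_ed_fingerprint have external linkage and are called from openssl_ed_private_key.c, but the openssl_ed_public_key.h added in the next hunk declares only openssl_ed_public_key_load; if they are meant to be shared they should be declared there with a short doc comment each, otherwise they should be static.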
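Review bot: The doc comment of openssl_ed_public_key_load states that it accepts a BUILD_BLOB_ASN1_DER argument, but the loader in the previous hunk also handles BUILD_EDDSA_PUB (raw public key bytes, which the sshkey builder later in this commit relies on); suggest ` * Accepts a BUILD_BLOB_ASN1_DER or BUILD_EDDSA_PUB argument.`. Since the raw path validates the length only through whatever EVP_PKEY_new_raw_public_key enforces (presumably exactly 32 or 57 bytes), stating that expectation in the header would help callers.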
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2016 Tobias Brunner + * Copyright (C) 2008-2018 Tobias Brunner * Copyright (C) 2008 Martin Willi * HSR Hochschule fuer Technik Rapperswil * @@ -47,6 +47,9 @@ #include "openssl_rng.h" #include "openssl_hmac.h" #include "openssl_gcm.h" +#include "openssl_x_diffie_hellman.h" +#include "openssl_ed_public_key.h" +#include "openssl_ed_private_key.h" #ifndef FIPS_MODE #define FIPS_MODE 0 @@ -307,6 +310,11 @@ static private_key_t *openssl_private_key_load(key_type_t type, va_list args) case EVP_PKEY_EC: return openssl_ec_private_key_create(key, FALSE); #endif +#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC) + case EVP_PKEY_ED25519: + case EVP_PKEY_ED448: + return openssl_ed_private_key_create(key, FALSE); +#endif /* OPENSSL_VERSION_NUMBER */ default: EVP_PKEY_free(key); break; @@ -370,7 +378,7 @@ static private_key_t *openssl_private_key_connect(key_type_t type, #ifndef OPENSSL_NO_ENGINE char *engine_id = NULL; char keyname[BUF_LEN]; - chunk_t keyid = chunk_empty;; + chunk_t keyid = chunk_empty; EVP_PKEY *key; ENGINE *engine; int slot = -1; @@ -395,7 +403,7 @@ static private_key_t *openssl_private_key_connect(key_type_t type, } break; } - if (!keyid.len || keyid.len > 40) + if (!keyid.len) { return NULL; } @@ -405,7 +413,7 @@ static private_key_t *openssl_private_key_connect(key_type_t type, { snprintf(keyname, sizeof(keyname), "%d:", slot); } - if (sizeof(keyname) - strlen(keyname) <= keyid.len * 4 / 3 + 1) + if (sizeof(keyname) - strlen(keyname) <= keyid.len * 2 + 1) { return NULL; } 
@@ -428,21 +436,21 @@ static private_key_t *openssl_private_key_connect(key_type_t type, ENGINE_free(engine); return NULL; } + ENGINE_free(engine); if (!login(engine, keyid)) { DBG1(DBG_LIB, "login to engine '%s' failed", engine_id); - ENGINE_free(engine); + ENGINE_finish(engine); return NULL; } key = ENGINE_load_private_key(engine, keyname, NULL, NULL); + ENGINE_finish(engine); if (!key) { DBG1(DBG_LIB, "failed to load private key with ID '%s' from " "engine '%s'", keyname, engine_id); - ENGINE_free(engine); return NULL; } - ENGINE_free(engine); switch (EVP_PKEY_base_id(key)) { @@ -454,6 +462,11 @@ static private_key_t *openssl_private_key_connect(key_type_t type, case EVP_PKEY_EC: return openssl_ec_private_key_create(key, TRUE); #endif +#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC) + case EVP_PKEY_ED25519: + case EVP_PKEY_ED448: + return openssl_ed_private_key_create(key, TRUE); +#endif /* OPENSSL_VERSION_NUMBER */ default: EVP_PKEY_free(key); break; @@ -594,7 +607,7 @@ METHOD(plugin_t, get_features, int, PLUGIN_PROVIDE(DH, ECP_384_BP), PLUGIN_PROVIDE(DH, ECP_512_BP), PLUGIN_PROVIDE(DH, ECP_224_BP), -#endif +#endif /* OPENSSL_NO_ECDH */ #ifndef OPENSSL_NO_DH /* MODP DH groups */ PLUGIN_REGISTER(DH, openssl_diffie_hellman_create), 
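Review bot: The new `ENGINE_free(engine);` right after the init check drops the structural reference while the engine is still used by login() and ENGINE_load_private_key(), which is only safe because the functional reference (taken by ENGINE_init, outside this hunk) stays held until the new ENGINE_finish() calls; a comment at that line would spare the next reader the same double take, e.g. `/* ENGINE_init() holds a functional reference, the structural one is no longer needed */`. The enclosing openssl_private_key_connect starts and ends outside the hunk.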
@@ -699,6 +712,30 @@ METHOD(plugin_t, get_features, int, PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_521), #endif #endif /* OPENSSL_NO_ECDSA */ +#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC) + PLUGIN_REGISTER(DH, openssl_x_diffie_hellman_create), + /* available since 1.1.0a, but we require 1.1.1 features */ + PLUGIN_PROVIDE(DH, CURVE_25519), + /* available since 1.1.1 */ + PLUGIN_PROVIDE(DH, CURVE_448), + /* EdDSA private/public key loading */ + PLUGIN_REGISTER(PUBKEY, openssl_ed_public_key_load, TRUE), + PLUGIN_PROVIDE(PUBKEY, KEY_ED25519), + PLUGIN_PROVIDE(PUBKEY, KEY_ED448), + PLUGIN_REGISTER(PRIVKEY, openssl_ed_private_key_load, TRUE), + PLUGIN_PROVIDE(PRIVKEY, KEY_ED25519), + PLUGIN_PROVIDE(PRIVKEY, KEY_ED448), + PLUGIN_REGISTER(PRIVKEY_GEN, openssl_ed_private_key_gen, FALSE), + PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ED25519), + PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ED448), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED25519), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED448), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ED25519), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ED448), + /* register a pro forma identity hasher, never instantiated */ + PLUGIN_REGISTER(HASHER, return_null), + PLUGIN_PROVIDE(HASHER, HASH_IDENTITY), +#endif /* OPENSSL_VERSION_NUMBER && !OPENSSL_NO_EC */ /* generic key loader */ PLUGIN_REGISTER(PRIVKEY, openssl_private_key_load, TRUE), PLUGIN_PROVIDE(PRIVKEY, KEY_ANY), diff --git a/src/libstrongswan/plugins/openssl/openssl_rng.c b/src/libstrongswan/plugins/openssl/openssl_rng.c index a25b6b4b6..d3993749f 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rng.c +++ b/src/libstrongswan/plugins/openssl/openssl_rng.c @@ -1,4 +1,7 @@ /* + * Copyright (C) 2012-2018 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * * Copyright (C) 2012 Aleksandr Grinberg * * Permission is hereby granted, free of charge, to any person obtaining a copy @@ -24,7 +27,6 @@ #include #include -#include #include "openssl_rng.h" 
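Review bot: The registration of openssl_x_diffie_hellman_create is guarded by `OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC)`, but the new openssl_x_diffie_hellman.c later in this commit compiles its body under `!defined(OPENSSL_NO_ECDH)`, so an OpenSSL built with ECDH disabled but EC enabled registers a function that was never compiled and the plugin fails to link; both guards should use the same macro. The trailer of openssl_ed_private_key.c reads `#endif /* OPENSSL_NO_ECDSA */`, which is at least a misleading comment if that file is guarded on OPENSSL_NO_EC like openssl_ed_public_key.c. The `PLUGIN_REGISTER(HASHER, return_null)` for HASH_IDENTITY deserves a sentence on why a never-instantiated hasher has to be advertised (presumably so the feature dependency check for the EdDSA signature schemes is satisfied), since `return_null` otherwise reads like a stub.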
@@ -49,6 +51,13 @@ struct private_openssl_rng_t { METHOD(rng_t, get_bytes, bool, private_openssl_rng_t *this, size_t bytes, uint8_t *buffer) { +#if OPENSSL_VERSION_NUMBER >= 0x1010100fL + if (this->quality > RNG_WEAK) + { /* use a separate DRBG for data we want to keep private, compared + * to e.g. nonces */ + return RAND_priv_bytes((char*)buffer, bytes) == 1; + } +#endif return RAND_bytes((char*)buffer, bytes) == 1; } diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c index 401a51a0b..8a9fdfe25 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c @@ -103,13 +103,8 @@ static bool build_signature(private_openssl_rsa_private_key_t *this, if (pss) { const EVP_MD *mgf1md = openssl_get_md(pss->mgf1_hash); - int slen = EVP_MD_size(md); - if (pss->salt_len > RSA_PSS_SALT_LEN_DEFAULT) - { - slen = pss->salt_len; - } if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 || - EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, slen) <= 0 || + EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, pss->salt_len) <= 0 || EVP_PKEY_CTX_set_rsa_mgf1_md(pctx, mgf1md) <= 0) { goto error; diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c index 20bf30ae9..38b4eda35 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c 
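Review bot: The new branch routes every quality above RNG_WEAK to RAND_priv_bytes, but the comment only says "data we want to keep private"; spelling out the mapping would help, e.g. `/* RNG_WEAK (nonces, padding) stays on the public DRBG, RNG_STRONG/RNG_TRUE use OpenSSL's private DRBG instance */`. Both calls pass the size_t `bytes` to an `int` parameter and cast `buffer` to `char*` although the API takes `unsigned char*`; the narrowing is pre-existing but the new line repeats it, so a `bytes > INT_MAX` guard, or a comment on why callers never request that much, is worth adding while touching this function.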
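Review bot: Passing pss->salt_len straight to EVP_PKEY_CTX_set_rsa_pss_saltlen makes build_signature depend on strongSwan's negative salt-length sentinels coinciding with OpenSSL's RSA_PSS_SALTLEN_* values; as far as I recall the default sentinel (-1) matches RSA_PSS_SALTLEN_DIGEST, but strongSwan's "max" sentinel (-2) lands on OpenSSL's RSA_PSS_SALTLEN_AUTO rather than RSA_PSS_SALTLEN_MAX, which happens to produce maximal salt when signing but is a coincidence worth pinning. Suggest an explicit translation of the sentinels, or at least a comment at the call such as `/* negative salt_len values intentionally follow OpenSSL's RSA_PSS_SALTLEN_* encoding */`. The same applies to the verify_signature hunk in openssl_rsa_public_key.c that follows; build_signature itself starts and ends outside the hunk.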
@@ -95,13 +95,8 @@ static bool verify_signature(private_openssl_rsa_public_key_t *this, if (pss) { const EVP_MD *mgf1md = openssl_get_md(pss->mgf1_hash); - int slen = EVP_MD_size(md); - if (pss->salt_len > RSA_PSS_SALT_LEN_DEFAULT) - { - slen = pss->salt_len; - } if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 || - EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, slen) <= 0 || + EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, pss->salt_len) <= 0 || EVP_PKEY_CTX_set_rsa_mgf1_md(pctx, mgf1md) <= 0) { goto error; diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c index b7f969f73..f99dcd6b1 100644 --- a/src/libstrongswan/plugins/openssl/openssl_util.c +++ b/src/libstrongswan/plugins/openssl/openssl_util.c @@ -26,6 +26,7 @@ #if OPENSSL_VERSION_NUMBER < 0x10100000L #define OBJ_get0_data(o) ((o)->data) #define OBJ_length(o) ((o)->length) +#define ASN1_STRING_get0_data(a) ASN1_STRING_data((ASN1_STRING*)a) #endif /** @@ -164,11 +165,12 @@ chunk_t openssl_asn1_obj2chunk(ASN1_OBJECT *asn1) /** * Described in header. */ -chunk_t openssl_asn1_str2chunk(ASN1_STRING *asn1) +chunk_t openssl_asn1_str2chunk(const ASN1_STRING *asn1) { if (asn1) { - return chunk_create(ASN1_STRING_data(asn1), ASN1_STRING_length(asn1)); + return chunk_create((u_char*)ASN1_STRING_get0_data(asn1), + ASN1_STRING_length(asn1)); } return chunk_empty; } @@ -212,7 +214,7 @@ int openssl_asn1_known_oid(ASN1_OBJECT *obj) /** * Described in header. */ -time_t openssl_asn1_to_time(ASN1_TIME *time) +time_t openssl_asn1_to_time(const ASN1_TIME *time) { chunk_t chunk; diff --git a/src/libstrongswan/plugins/openssl/openssl_util.h b/src/libstrongswan/plugins/openssl/openssl_util.h index 80e557fa8..4afe76bf2 100644 --- a/src/libstrongswan/plugins/openssl/openssl_util.h +++ b/src/libstrongswan/plugins/openssl/openssl_util.h 
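Review bot: The new compatibility macro `#define ASN1_STRING_get0_data(a) ASN1_STRING_data((ASN1_STRING*)a)` does not parenthesize its argument, so an expression argument binds wrongly after the cast; write it as `#define ASN1_STRING_get0_data(a) ASN1_STRING_data((ASN1_STRING*)(a))`. Casting away const is acceptable for the pre-1.1 API, but the `(u_char*)` cast in openssl_asn1_str2chunk drops the const again on the way out, so the returned chunk still hands out a writable pointer into an object the function received as const; a comment that callers must treat the chunk as read-only (the header's "pointing into asn1 string" hints at it) would make the contract explicit.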
@@ -109,7 +109,7 @@ chunk_t openssl_asn1_obj2chunk(ASN1_OBJECT *asn1); * @param asn1 asn1 string to convert * @return chunk, pointing into asn1 string */ -chunk_t openssl_asn1_str2chunk(ASN1_STRING *asn1); +chunk_t openssl_asn1_str2chunk(const ASN1_STRING *asn1); /** * Convert an openssl X509_NAME to a identification_t of type ID_DER_ASN1_DN. @@ -133,7 +133,7 @@ int openssl_asn1_known_oid(ASN1_OBJECT *obj); * @param time openssl ASN1_TIME * @returns time_t, 0 on error */ -time_t openssl_asn1_to_time(ASN1_TIME *time); +time_t openssl_asn1_to_time(const ASN1_TIME *time); /** * Compatibility macros diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c index fae2d678f..fe21b0221 100644 --- a/src/libstrongswan/plugins/openssl/openssl_x509.c +++ b/src/libstrongswan/plugins/openssl/openssl_x509.c @@ -389,7 +389,11 @@ METHOD(certificate_t, issued_by, bool, public_key_t *key; bool valid; x509_t *x509 = (x509_t*)issuer; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + const ASN1_BIT_STRING *sig; +#else ASN1_BIT_STRING *sig; +#endif chunk_t tbs; if (&this->public.x509.interface == issuer) @@ -993,7 +997,7 @@ static bool parse_subjectKeyIdentifier_ext(private_openssl_x509_t *this, */ static bool parse_extensions(private_openssl_x509_t *this) { - STACK_OF(X509_EXTENSION) *extensions; + const STACK_OF(X509_EXTENSION) *extensions; int i, num; /* unless we see a keyUsage extension we are compliant with RFC 4945 */ @@ -1077,7 +1081,11 @@ static bool parse_certificate(private_openssl_x509_t *this) hasher_t *hasher; chunk_t chunk, sig_scheme, sig_scheme_tbs; ASN1_OBJECT *oid; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + const X509_ALGOR *alg; +#else X509_ALGOR *alg; +#endif this->x509 = d2i_X509(NULL, &ptr, this->encoding.len); if (!this->x509) 
@@ -1135,9 +1143,9 @@ static bool parse_certificate(private_openssl_x509_t *this) /* while X509_ALGOR_cmp() is declared in the headers of older OpenSSL * versions, at least on Ubuntu 14.04 it is not actually defined */ X509_get0_signature(NULL, &alg, this->x509); - sig_scheme = openssl_i2chunk(X509_ALGOR, alg); + sig_scheme = openssl_i2chunk(X509_ALGOR, (X509_ALGOR*)alg); alg = X509_get0_tbs_sigalg(this->x509); - sig_scheme_tbs = openssl_i2chunk(X509_ALGOR, alg); + sig_scheme_tbs = openssl_i2chunk(X509_ALGOR, (X509_ALGOR*)alg); if (!chunk_equals(sig_scheme, sig_scheme_tbs)) { free(sig_scheme_tbs.ptr); diff --git a/src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.c new file mode 100644 index 000000000..37943f5bf --- /dev/null +++ b/src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.c 
@@ -0,0 +1,256 @@ +/* + * Copyright (C) 2018 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +/* basic support for X25519 was added with 1.1.0a, but we require features (e.g. + * to load the keys) that were only added with 1.1.1 */ +#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_ECDH) + +#include "openssl_x_diffie_hellman.h" + +#include + +typedef struct private_diffie_hellman_t private_diffie_hellman_t; + +/** + * Private data + */ +struct private_diffie_hellman_t { + /** + * Public interface. + */ + diffie_hellman_t public; + + /** + * Diffie Hellman group number. 
+ */ + diffie_hellman_group_t group; + + /** + * Private (public) key + */ + EVP_PKEY *key; + + /** + * Shared secret + */ + chunk_t shared_secret; + + /** + * True if shared secret is computed + */ + bool computed; +}; + +/** + * Map a DH group to a key type + */ +static int map_key_type(diffie_hellman_group_t group) +{ + switch (group) + { + case CURVE_25519: + return EVP_PKEY_X25519; + case CURVE_448: + return EVP_PKEY_X448; + default: + return 0; + } +} + +/** + * Compute the shared secret + */ +static bool compute_shared_key(private_diffie_hellman_t *this, EVP_PKEY *pub, + chunk_t *shared_secret) +{ + EVP_PKEY_CTX *ctx; + bool success = FALSE; + + ctx = EVP_PKEY_CTX_new(this->key, NULL); + if (!ctx) + { + return FALSE; + } + + if (EVP_PKEY_derive_init(ctx) <= 0) + { + goto error; + } + + if (EVP_PKEY_derive_set_peer(ctx, pub) <= 0) + { + goto error; + } + + if (EVP_PKEY_derive(ctx, NULL, &shared_secret->len) <= 0) + { + goto error; + } + + *shared_secret = chunk_alloc(shared_secret->len); + + if (EVP_PKEY_derive(ctx, shared_secret->ptr, &shared_secret->len) <= 0) + { + goto error; + } + + success = TRUE; + +error: + EVP_PKEY_CTX_free(ctx); + return success; +} + +METHOD(diffie_hellman_t, set_other_public_value, bool, + private_diffie_hellman_t *this, chunk_t value) +{ + EVP_PKEY *pub; + + if (!diffie_hellman_verify_value(this->group, value)) + { + return FALSE; + } + + pub = EVP_PKEY_new_raw_public_key(map_key_type(this->group), NULL, + value.ptr, value.len); + if (!pub) + { + DBG1(DBG_LIB, "%N public value is malformed", + diffie_hellman_group_names, this->group); + return FALSE; + } + + chunk_clear(&this->shared_secret); + + if (!compute_shared_key(this, pub, &this->shared_secret)) + { + DBG1(DBG_LIB, "%N shared secret computation failed", + diffie_hellman_group_names, this->group); + EVP_PKEY_free(pub); + return FALSE; + } + this->computed = TRUE; + EVP_PKEY_free(pub); + return TRUE; +} + +METHOD(diffie_hellman_t, get_my_public_value, bool, + 
private_diffie_hellman_t *this, chunk_t *value) +{ + size_t len; + + if (!EVP_PKEY_get_raw_public_key(this->key, NULL, &len)) + { + return FALSE; + } + + *value = chunk_alloc(len); + + if (!EVP_PKEY_get_raw_public_key(this->key, value->ptr, &value->len)) + { + chunk_free(value); + return FALSE; + } + return TRUE; +} + +METHOD(diffie_hellman_t, set_private_value, bool, + private_diffie_hellman_t *this, chunk_t value) +{ + EVP_PKEY_free(this->key); + this->key = EVP_PKEY_new_raw_private_key(map_key_type(this->group), NULL, + value.ptr, value.len); + if (!this->key) + { + return FALSE; + } + return TRUE; +} + +METHOD(diffie_hellman_t, get_shared_secret, bool, + private_diffie_hellman_t *this, chunk_t *secret) +{ + if (!this->computed) + { + return FALSE; + } + *secret = chunk_clone(this->shared_secret); + return TRUE; +} + +METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t, + private_diffie_hellman_t *this) +{ + return this->group; +} + +METHOD(diffie_hellman_t, destroy, void, + private_diffie_hellman_t *this) +{ + EVP_PKEY_free(this->key); + chunk_clear(&this->shared_secret); + free(this); +} + +/* + * Described in header + */ +diffie_hellman_t *openssl_x_diffie_hellman_create(diffie_hellman_group_t group) +{ + private_diffie_hellman_t *this; + EVP_PKEY_CTX *ctx = NULL; + EVP_PKEY *key = NULL; + + switch (group) + { + case CURVE_25519: + ctx = EVP_PKEY_CTX_new_id(NID_X25519, NULL); + break; + case CURVE_448: + ctx = EVP_PKEY_CTX_new_id(NID_X448, NULL); + break; + default: + break; + } + + if (!ctx || + EVP_PKEY_keygen_init(ctx) <= 0 || + EVP_PKEY_keygen(ctx, &key) <= 0) + { + DBG1(DBG_LIB, "generating key for %N failed", + diffie_hellman_group_names, group); + EVP_PKEY_CTX_free(ctx); + return NULL; + } + EVP_PKEY_CTX_free(ctx); + + INIT(this, + .public = { + .get_shared_secret = _get_shared_secret, + .set_other_public_value = _set_other_public_value, + .get_my_public_value = _get_my_public_value, + .set_private_value = _set_private_value, + .get_dh_group 
= _get_dh_group, + .destroy = _destroy, + }, + .group = group, + .key = key, + ); + return &this->public; +} + +#endif /* OPENSSL_NO_ECDH */ diff --git a/src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.h b/src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.h new file mode 100644 index 000000000..e28f38d15 --- /dev/null +++ b/src/libstrongswan/plugins/openssl/openssl_x_diffie_hellman.h @@ -0,0 +1,37 @@ +/* + * Copyright (C) 2018 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * Implementation of the X25519/X448 Diffie-Hellman algorithm using OpenSSL. + * + * @defgroup openssl_x_diffie_hellman openssl_x_diffie_hellman + * @{ @ingroup openssl_p + */ + +#ifndef OPENSSL_X_DIFFIE_HELLMAN_H_ +#define OPENSSL_X_DIFFIE_HELLMAN_H_ + +#include + +/** + * Creates a new diffie_hellman_t object. + * + * @param group Diffie Hellman group number to use + * @return object, NULL if not supported + */ +diffie_hellman_t *openssl_x_diffie_hellman_create(diffie_hellman_group_t group); + +#endif /** OPENSSL_X_DIFFIE_HELLMAN_H_ @}*/ + diff --git a/src/libstrongswan/plugins/sshkey/sshkey_builder.c b/src/libstrongswan/plugins/sshkey/sshkey_builder.c index eab6559b3..934514249 100644 --- a/src/libstrongswan/plugins/sshkey/sshkey_builder.c +++ b/src/libstrongswan/plugins/sshkey/sshkey_builder.c 
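Review bot: set_private_value frees this->key before the replacement is created, so when EVP_PKEY_new_raw_private_key fails the object is left with this->key == NULL and a later get_my_public_value passes NULL to EVP_PKEY_get_raw_public_key; it also keeps this->computed and this->shared_secret from an earlier exchange. Creating the new key first, then swapping and resetting the computed state, keeps the object consistent on every path. Similarly, set_other_public_value clears shared_secret before compute_shared_key but never resets this->computed on failure, so a repeated call that fails lets get_shared_secret return a clone of an empty or unfilled chunk; `this->computed = FALSE;` next to the chunk_clear fixes that.
```c
METHOD(diffie_hellman_t, set_private_value, bool,
	private_diffie_hellman_t *this, chunk_t value)
{
	EVP_PKEY *key;

	key = EVP_PKEY_new_raw_private_key(map_key_type(this->group), NULL,
									   value.ptr, value.len);
	if (!key)
	{
		return FALSE;
	}
	/* a previously computed secret no longer matches the new key */
	chunk_clear(&this->shared_secret);
	this->computed = FALSE;
	EVP_PKEY_free(this->key);
	this->key = key;
	return TRUE;
}
```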
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2013-2014 Tobias Brunner + * Copyright (C) 2013-2018 Tobias Brunner * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -89,6 +89,34 @@ static sshkey_public_key_t *parse_public_key(chunk_t blob) return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END); } + else if (chunk_equals(format, chunk_from_str("ssh-ed25519"))) + { + chunk_t blob; + + if (!reader->read_data32(reader, &blob)) + { + DBG1(DBG_LIB, "invalid Ed25519 key in SSH key"); + reader->destroy(reader); + return NULL; + } + reader->destroy(reader); + return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED25519, + BUILD_EDDSA_PUB, blob, BUILD_END); + } + else if (chunk_equals(format, chunk_from_str("ssh-ed448"))) + { + chunk_t blob; + + if (!reader->read_data32(reader, &blob)) + { + DBG1(DBG_LIB, "invalid Ed448 key in SSH key"); + reader->destroy(reader); + return NULL; + } + reader->destroy(reader); + return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED448, + BUILD_EDDSA_PUB, blob, BUILD_END); + } else if (format.len > strlen(ECDSA_PREFIX) && strpfx(format.ptr, ECDSA_PREFIX)) { @@ -140,8 +168,9 @@ static sshkey_public_key_t *load_from_stream(FILE *file) char line[1024], *token; while (!public && fgets(line, sizeof(line), file)) - { /* the format is: ssh-rsa|ecdsa-... */ - if (!strpfx(line, "ssh-rsa") && !strpfx(line, ECDSA_PREFIX)) + { /* the format is: ssh- */ + if (!strpfx(line, "ssh-rsa") && !strpfx(line, ECDSA_PREFIX) && + !strpfx(line, "ssh-ed25519") && !strpfx(line, "ssh-ed448")) { continue; } diff --git a/src/libstrongswan/plugins/sshkey/sshkey_encoder.c b/src/libstrongswan/plugins/sshkey/sshkey_encoder.c index 9f5f8bd1f..ed35fc010 100644 --- a/src/libstrongswan/plugins/sshkey/sshkey_encoder.c +++ b/src/libstrongswan/plugins/sshkey/sshkey_encoder.c 
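Review bot: Both new branches in parse_public_key declare a local `chunk_t blob;` while the function's parameter is also named blob, so the parameter is shadowed for the rest of the branch (-Wshadow flags it, and it invites mixing up the SSH wire blob with the raw key); rename the local, e.g. `chunk_t pub;` and `BUILD_EDDSA_PUB, pub, BUILD_END);`. The two branches differ only in the format string, key type and log message, so a small table or a helper taking the key type and its name would remove the duplication. Neither branch checks that the raw value is 32 or 57 bytes; the OpenSSL loader in this commit appears to rely on EVP_PKEY_new_raw_public_key to reject other lengths, which is fine as long as every backend providing KEY_ED25519/KEY_ED448 does the same.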
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Tobias Brunner + * Copyright (C) 2013-2018 Tobias Brunner * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -72,6 +72,42 @@ static bool build_public_key(chunk_t *encoding, va_list args) writer->destroy(writer); return TRUE; } + else if (cred_encoding_args(args, CRED_PART_EDDSA_PUB_ASN1_DER, &n, + CRED_PART_END)) + { + chunk_t alg; + char *prefix; + int oid; + + /* parse subjectPublicKeyInfo */ + if (asn1_unwrap(&n, &n) != ASN1_SEQUENCE) + { + return FALSE; + } + oid = asn1_parse_algorithmIdentifier(n, 1, NULL); + switch (oid) + { + case OID_ED25519: + prefix = "ssh-ed25519"; + break; + case OID_ED448: + prefix = "ssh-ed448"; + break; + default: + return FALSE; + } + if (asn1_unwrap(&n, &alg) != ASN1_SEQUENCE || + asn1_unwrap(&n, &n) != ASN1_BIT_STRING || !n.len) + { + return FALSE; + } + writer = bio_writer_create(0); + writer->write_data32(writer, chunk_from_str(prefix)); + writer->write_data32(writer, chunk_skip(n, 1)); + *encoding = chunk_to_base64(writer->get_buf(writer), NULL); + writer->destroy(writer); + return TRUE; + } else if (cred_encoding_args(args, CRED_PART_ECDSA_PUB_ASN1_DER, &n, CRED_PART_END)) { diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am index c4d9f2fc5..3d34cf7c9 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.am +++ b/src/libstrongswan/plugins/test_vectors/Makefile.am @@ -49,6 +49,7 @@ libstrongswan_test_vectors_la_SOURCES = \ test_vectors/ecp.c \ test_vectors/ecpbp.c \ test_vectors/curve25519.c \ + test_vectors/curve448.c \ test_vectors/rng.c libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in index 7f6c319c6..ed3ae0f40 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.in 
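Review bot: After unwrapping the subjectPublicKey BIT STRING, build_public_key skips one byte with chunk_skip(n, 1) without checking that this unused-bits octet is zero, and it never checks that the remaining length matches the prefix it already chose (32 bytes for ssh-ed25519, 57 for ssh-ed448), so a malformed SPKI becomes a syntactically valid but unusable OpenSSH key line instead of being rejected. Adding `if (n.ptr[0] != 0 || n.len - 1 != expected_len) { return FALSE; }` after the BIT STRING unwrap, with expected_len assigned in the oid switch next to prefix, closes that. The `alg` chunk is only written, never read; a comment such as `/* skip the algorithmIdentifier, already parsed above */` would make that intentional.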
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in @@ -156,7 +156,8 @@ am_libstrongswan_test_vectors_la_OBJECTS = test_vectors_plugin.lo \ test_vectors/sha3_shake.lo test_vectors/fips_prf.lo \ test_vectors/modp.lo test_vectors/modpsub.lo \ test_vectors/ecp.lo test_vectors/ecpbp.lo \ - test_vectors/curve25519.lo test_vectors/rng.lo + test_vectors/curve25519.lo test_vectors/curve448.lo \ + test_vectors/rng.lo libstrongswan_test_vectors_la_OBJECTS = \ $(am_libstrongswan_test_vectors_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) @@ -518,6 +519,7 @@ libstrongswan_test_vectors_la_SOURCES = \ test_vectors/ecp.c \ test_vectors/ecpbp.c \ test_vectors/curve25519.c \ + test_vectors/curve448.c \ test_vectors/rng.c libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version @@ -680,6 +682,8 @@ test_vectors/ecpbp.lo: test_vectors/$(am__dirstamp) \ test_vectors/$(DEPDIR)/$(am__dirstamp) test_vectors/curve25519.lo: test_vectors/$(am__dirstamp) \ test_vectors/$(DEPDIR)/$(am__dirstamp) +test_vectors/curve448.lo: test_vectors/$(am__dirstamp) \ + test_vectors/$(DEPDIR)/$(am__dirstamp) test_vectors/rng.lo: test_vectors/$(am__dirstamp) \ test_vectors/$(DEPDIR)/$(am__dirstamp) @@ -710,6 +714,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/chacha20_xof.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/chacha20poly1305.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/curve25519.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/curve448.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/des.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/ecp.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/ecpbp.Plo@am__quote@ diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h index 7ab965a82..7c8ac0c6e 100644 
--- a/src/libstrongswan/plugins/test_vectors/test_vectors.h +++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h @@ -116,6 +116,7 @@ TEST_VECTOR_AEAD(aes_gcm23) TEST_VECTOR_AEAD(chacha20poly1305_1) TEST_VECTOR_AEAD(chacha20poly1305_2) TEST_VECTOR_AEAD(chacha20poly1305_3) +TEST_VECTOR_AEAD(chacha20poly1305_4) TEST_VECTOR_SIGNER(aes_xcbc_s1) TEST_VECTOR_SIGNER(aes_xcbc_s2) @@ -305,3 +306,4 @@ TEST_VECTOR_DH(ecp384bp) TEST_VECTOR_DH(ecp512bp) TEST_VECTOR_DH(curve25519_1) TEST_VECTOR_DH(curve25519_2) +TEST_VECTOR_DH(curve448_1) diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/chacha20poly1305.c b/src/libstrongswan/plugins/test_vectors/test_vectors/chacha20poly1305.c index 21726cbbb..dcbfe5ca3 100644 --- a/src/libstrongswan/plugins/test_vectors/test_vectors/chacha20poly1305.c +++ b/src/libstrongswan/plugins/test_vectors/test_vectors/chacha20poly1305.c 
@@ -16,9 +16,39 @@
 #include
 
 /**
- * From draft-irtf-cfrg-chacha20-poly1305
+ * From RFC 7539
  */
 aead_test_vector_t chacha20poly1305_1 = {
+ .alg = ENCR_CHACHA20_POLY1305, .key_size = 32, .salt_size = 4,
+ .len = 114, .alen = 12,
+ .key = "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
+ "\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
+ "\x07\x00\x00\x00",
+ .iv = "\x40\x41\x42\x43\x44\x45\x46\x47",
+ .adata = "\x50\x51\x52\x53\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7",
+ .plain = "\x4c\x61\x64\x69\x65\x73\x20\x61\x6e\x64\x20\x47\x65\x6e\x74\x6c"
+ "\x65\x6d\x65\x6e\x20\x6f\x66\x20\x74\x68\x65\x20\x63\x6c\x61\x73"
+ "\x73\x20\x6f\x66\x20\x27\x39\x39\x3a\x20\x49\x66\x20\x49\x20\x63"
+ "\x6f\x75\x6c\x64\x20\x6f\x66\x66\x65\x72\x20\x79\x6f\x75\x20\x6f"
+ "\x6e\x6c\x79\x20\x6f\x6e\x65\x20\x74\x69\x70\x20\x66\x6f\x72\x20"
+ "\x74\x68\x65\x20\x66\x75\x74\x75\x72\x65\x2c\x20\x73\x75\x6e\x73"
+ "\x63\x72\x65\x65\x6e\x20\x77\x6f\x75\x6c\x64\x20\x62\x65\x20\x69"
+ "\x74\x2e",
+ .cipher = "\xd3\x1a\x8d\x34\x64\x8e\x60\xdb\x7b\x86\xaf\xbc\x53\xef\x7e\xc2"
+ "\xa4\xad\xed\x51\x29\x6e\x08\xfe\xa9\xe2\xb5\xa7\x36\xee\x62\xd6"
+ "\x3d\xbe\xa4\x5e\x8c\xa9\x67\x12\x82\xfa\xfb\x69\xda\x92\x72\x8b"
+ "\x1a\x71\xde\x0a\x9e\x06\x0b\x29\x05\xd6\xa5\xb6\x7e\xcd\x3b\x36"
+ "\x92\xdd\xbd\x7f\x2d\x77\x8b\x8c\x98\x03\xae\xe3\x28\x09\x1b\x58"
+ "\xfa\xb3\x24\xe4\xfa\xd6\x75\x94\x55\x85\x80\x8b\x48\x31\xd7\xbc"
+ "\x3f\xf4\xde\xf0\x8e\x4b\x7a\x9d\xe5\x76\xd2\x65\x86\xce\xc6\x4b"
+ "\x61\x16\x1a\xe1\x0b\x59\x4f\x09\xe2\x6a\x7e\x90\x2e\xcb\xd0\x60"
+ "\x06\x91",
+};
+
+/**
+ * Additional test vector from RFC 7539
+ */
+aead_test_vector_t chacha20poly1305_2 = {
  .alg = ENCR_CHACHA20_POLY1305, .key_size = 32, .salt_size = 4,
  .len = 265, .alen = 12,
  .key = "\x1c\x92\x40\xa5\xeb\x55\xd3\x8a\xf3\x33\x88\x86\x04\xf6\xb5\xf0"
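Review bot: The comment ` * From RFC 7539` above the new `chacha20poly1305_1` does not say how the RFC's single 12-byte nonce maps onto this struct, which has no nonce field: `.key` carries the 32-byte key followed by the 4-byte salt `\x07\x00\x00\x00` (hence `.key_size = 32, .salt_size = 4`) and the remaining 8 nonce bytes sit in `.iv`. A one-liner such as ` * From RFC 7539, section 2.8.2 (nonce = salt || iv, tag appended to cipher)` would save the next reader from counting bytes; RFC 7539 has since been obsoleted by RFC 8439, which keeps the same vectors, so citing both is worthwhile. The sizes are consistent with that reading: `.plain` holds 114 bytes matching `.len = 114`, `.adata` 12 bytes matching `.alen = 12`, and `.cipher` holds 130 bytes, apparently the 114 ciphertext bytes plus the 16-byte Poly1305 tag.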
@@ -64,9 +94,9 @@ aead_test_vector_t chacha20poly1305_1 = {
 };
 
 /**
- * ESP example from draft-ietf-ipsecme-chacha20-poly1305-06
+ * ESP example from RFC 7634
  */
-aead_test_vector_t chacha20poly1305_2 = {
+aead_test_vector_t chacha20poly1305_3 = {
  .alg = ENCR_CHACHA20_POLY1305, .key_size = 32, .salt_size = 4,
  .len = 88, .alen = 8,
  .key = "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
@@ -90,9 +120,9 @@ aead_test_vector_t chacha20poly1305_2 = {
 };
 
 /**
- * IKEv2 example from draft-ietf-ipsecme-chacha20-poly1305-06
+ * IKEv2 example from RFC 7634
  */
-aead_test_vector_t chacha20poly1305_3 = {
+aead_test_vector_t chacha20poly1305_4 = {
  .alg = ENCR_CHACHA20_POLY1305, .key_size = 32, .salt_size = 4,
  .len = 13, .alen = 32,
  .key = "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/curve25519.c b/src/libstrongswan/plugins/test_vectors/test_vectors/curve25519.c
index 676fcfc5a..23c024a37 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors/curve25519.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/curve25519.c
@@ -16,7 +16,7 @@
 #include
 
 /**
- * From RFC 8037
+ * From RFC 7748
  */
 dh_test_vector_t curve25519_1 = {
  .group = CURVE_25519, .priv_len = 32, .pub_len = 32, .shared_len = 32,
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/curve448.c b/src/libstrongswan/plugins/test_vectors/test_vectors/curve448.c
new file mode 100644
index 000000000..fccbb808a
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/curve448.c
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include
+
+/**
+ * From RFC 7748
+ */
+dh_test_vector_t curve448_1 = {
+ .group = CURVE_448, .priv_len = 56, .pub_len = 56, .shared_len = 56,
+ .priv_a = "\x9a\x8f\x49\x25\xd1\x51\x9f\x57\x75\xcf\x46\xb0\x4b\x58\x00\xd4"
+ "\xee\x9e\xe8\xba\xe8\xbc\x55\x65\xd4\x98\xc2\x8d\xd9\xc9\xba\xf5"
+ "\x74\xa9\x41\x97\x44\x89\x73\x91\x00\x63\x82\xa6\xf1\x27\xab\x1d"
+ "\x9a\xc2\xd8\xc0\xa5\x98\x72\x6b",
+ .priv_b = "\x1c\x30\x6a\x7a\xc2\xa0\xe2\xe0\x99\x0b\x29\x44\x70\xcb\xa3\x39"
+ "\xe6\x45\x37\x72\xb0\x75\x81\x1d\x8f\xad\x0d\x1d\x69\x27\xc1\x20"
+ "\xbb\x5e\xe8\x97\x2b\x0d\x3e\x21\x37\x4c\x9c\x92\x1b\x09\xd1\xb0"
+ "\x36\x6f\x10\xb6\x51\x73\x99\x2d",
+ .pub_a = "\x9b\x08\xf7\xcc\x31\xb7\xe3\xe6\x7d\x22\xd5\xae\xa1\x21\x07\x4a"
+ "\x27\x3b\xd2\xb8\x3d\xe0\x9c\x63\xfa\xa7\x3d\x2c\x22\xc5\xd9\xbb"
+ "\xc8\x36\x64\x72\x41\xd9\x53\xd4\x0c\x5b\x12\xda\x88\x12\x0d\x53"
+ "\x17\x7f\x80\xe5\x32\xc4\x1f\xa0",
+ .pub_b = "\x3e\xb7\xa8\x29\xb0\xcd\x20\xf5\xbc\xfc\x0b\x59\x9b\x6f\xec\xcf"
+ "\x6d\xa4\x62\x71\x07\xbd\xb0\xd4\xf3\x45\xb4\x30\x27\xd8\xb9\x72"
+ "\xfc\x3e\x34\xfb\x42\x32\xa1\x3c\xa7\x06\xdc\xb5\x7a\xec\x3d\xae"
+ "\x07\xbd\xc1\xc6\x7b\xf3\x36\x09",
+ .shared = "\x07\xff\xf4\x18\x1a\xc6\xcc\x95\xec\x1c\x16\xa9\x4a\x0f\x74\xd1"
+ "\x2d\xa2\x32\xce\x40\xa7\x75\x52\x28\x1d\x28\x2b\xb6\x0c\x0b\x56"
+ "\xfd\x24\x64\xc3\x35\x54\x39\x36\x52\x1c\x24\x40\x30\x85\xd5\x9a"
+ "\x44\x9a\x50\x37\x51\x4a\x87\x9d",
+};
diff --git a/src/libstrongswan/settings/settings_lexer.c b/src/libstrongswan/settings/settings_lexer.c
index c29dfa57b..a88a58f0e 100644
--- a/src/libstrongswan/settings/settings_lexer.c
+++ b/src/libstrongswan/settings/settings_lexer.c
@@ -7,7 +7,6 @@
 /* A lexical scanner generated by flex */
 
 /* %not-for-header */
-
 /* %if-c-only */
 /* %if-not-reentrant */
 /* %endif */
@@ -17,7 +16,7 @@
 #define FLEX_SCANNER
 #define YY_FLEX_MAJOR_VERSION 2
 #define YY_FLEX_MINOR_VERSION 6
-#define YY_FLEX_SUBMINOR_VERSION 0
+#define YY_FLEX_SUBMINOR_VERSION 4
 #if YY_FLEX_SUBMINOR_VERSION > 0
 #define FLEX_BETA
 #endif
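Review bot: The comment ` * From RFC 7748` on `curve448_1` should name the section and say whether the private keys are stored as the RFC presents them: `priv_a` begins with `\x9a`, whose low two bits are set, so these are the raw scalar bytes of RFC 7748 section 6.2 and the code consuming this vector presumably applies the decodeScalar448 clamping itself — worth confirming against the implementation behind `CURVE_448`. Something like ` * From RFC 7748, section 6.2 (private keys unclamped, as in the RFC)` would make that explicit. The lengths agree with `.priv_len = 56, .pub_len = 56, .shared_len = 56`: each field is three 16-byte string lines plus an 8-byte one. curve25519.c registers two vectors whereas this file adds only `curve448_1`; RFC 7748 section 5.2 also lists X448 scalar-multiplication vectors if broader coverage is wanted.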
@@ -26,9 +25,230 @@ /* %endif */ /* %if-c-only */ - +#ifdef yy_create_buffer +#define settings_parser__create_buffer_ALREADY_DEFINED +#else +#define yy_create_buffer settings_parser__create_buffer +#endif + +#ifdef yy_delete_buffer +#define settings_parser__delete_buffer_ALREADY_DEFINED +#else +#define yy_delete_buffer settings_parser__delete_buffer +#endif + +#ifdef yy_scan_buffer +#define settings_parser__scan_buffer_ALREADY_DEFINED +#else +#define yy_scan_buffer settings_parser__scan_buffer +#endif + +#ifdef yy_scan_string +#define settings_parser__scan_string_ALREADY_DEFINED +#else +#define yy_scan_string settings_parser__scan_string +#endif + +#ifdef yy_scan_bytes +#define settings_parser__scan_bytes_ALREADY_DEFINED +#else +#define yy_scan_bytes settings_parser__scan_bytes +#endif + +#ifdef yy_init_buffer +#define settings_parser__init_buffer_ALREADY_DEFINED +#else +#define yy_init_buffer settings_parser__init_buffer +#endif + +#ifdef yy_flush_buffer +#define settings_parser__flush_buffer_ALREADY_DEFINED +#else +#define yy_flush_buffer settings_parser__flush_buffer +#endif + +#ifdef yy_load_buffer_state +#define settings_parser__load_buffer_state_ALREADY_DEFINED +#else +#define yy_load_buffer_state settings_parser__load_buffer_state +#endif + +#ifdef yy_switch_to_buffer +#define settings_parser__switch_to_buffer_ALREADY_DEFINED +#else +#define yy_switch_to_buffer settings_parser__switch_to_buffer +#endif + +#ifdef yypush_buffer_state +#define settings_parser_push_buffer_state_ALREADY_DEFINED +#else +#define yypush_buffer_state settings_parser_push_buffer_state +#endif + +#ifdef yypop_buffer_state +#define settings_parser_pop_buffer_state_ALREADY_DEFINED +#else +#define yypop_buffer_state settings_parser_pop_buffer_state +#endif + +#ifdef yyensure_buffer_stack +#define settings_parser_ensure_buffer_stack_ALREADY_DEFINED +#else +#define yyensure_buffer_stack settings_parser_ensure_buffer_stack +#endif + +#ifdef yylex +#define settings_parser_lex_ALREADY_DEFINED 
+#else +#define yylex settings_parser_lex +#endif + +#ifdef yyrestart +#define settings_parser_restart_ALREADY_DEFINED +#else +#define yyrestart settings_parser_restart +#endif + +#ifdef yylex_init +#define settings_parser_lex_init_ALREADY_DEFINED +#else +#define yylex_init settings_parser_lex_init +#endif + +#ifdef yylex_init_extra +#define settings_parser_lex_init_extra_ALREADY_DEFINED +#else +#define yylex_init_extra settings_parser_lex_init_extra +#endif + +#ifdef yylex_destroy +#define settings_parser_lex_destroy_ALREADY_DEFINED +#else +#define yylex_destroy settings_parser_lex_destroy +#endif + +#ifdef yyget_debug +#define settings_parser_get_debug_ALREADY_DEFINED +#else +#define yyget_debug settings_parser_get_debug +#endif + +#ifdef yyset_debug +#define settings_parser_set_debug_ALREADY_DEFINED +#else +#define yyset_debug settings_parser_set_debug +#endif + +#ifdef yyget_extra +#define settings_parser_get_extra_ALREADY_DEFINED +#else +#define yyget_extra settings_parser_get_extra +#endif + +#ifdef yyset_extra +#define settings_parser_set_extra_ALREADY_DEFINED +#else +#define yyset_extra settings_parser_set_extra +#endif + +#ifdef yyget_in +#define settings_parser_get_in_ALREADY_DEFINED +#else +#define yyget_in settings_parser_get_in +#endif + +#ifdef yyset_in +#define settings_parser_set_in_ALREADY_DEFINED +#else +#define yyset_in settings_parser_set_in +#endif + +#ifdef yyget_out +#define settings_parser_get_out_ALREADY_DEFINED +#else +#define yyget_out settings_parser_get_out +#endif + +#ifdef yyset_out +#define settings_parser_set_out_ALREADY_DEFINED +#else +#define yyset_out settings_parser_set_out +#endif + +#ifdef yyget_leng +#define settings_parser_get_leng_ALREADY_DEFINED +#else +#define yyget_leng settings_parser_get_leng +#endif + +#ifdef yyget_text +#define settings_parser_get_text_ALREADY_DEFINED +#else +#define yyget_text settings_parser_get_text +#endif + +#ifdef yyget_lineno +#define settings_parser_get_lineno_ALREADY_DEFINED +#else +#define 
yyget_lineno settings_parser_get_lineno +#endif + +#ifdef yyset_lineno +#define settings_parser_set_lineno_ALREADY_DEFINED +#else +#define yyset_lineno settings_parser_set_lineno +#endif + +#ifdef yyget_column +#define settings_parser_get_column_ALREADY_DEFINED +#else +#define yyget_column settings_parser_get_column +#endif + +#ifdef yyset_column +#define settings_parser_set_column_ALREADY_DEFINED +#else +#define yyset_column settings_parser_set_column +#endif + +#ifdef yywrap +#define settings_parser_wrap_ALREADY_DEFINED +#else +#define yywrap settings_parser_wrap +#endif + /* %endif */ +#ifdef yyget_lval +#define settings_parser_get_lval_ALREADY_DEFINED +#else +#define yyget_lval settings_parser_get_lval +#endif + +#ifdef yyset_lval +#define settings_parser_set_lval_ALREADY_DEFINED +#else +#define yyset_lval settings_parser_set_lval +#endif + +#ifdef yyalloc +#define settings_parser_alloc_ALREADY_DEFINED +#else +#define yyalloc settings_parser_alloc +#endif + +#ifdef yyrealloc +#define settings_parser_realloc_ALREADY_DEFINED +#else +#define yyrealloc settings_parser_realloc +#endif + +#ifdef yyfree +#define settings_parser_free_ALREADY_DEFINED +#else +#define yyfree settings_parser_free +#endif + /* %if-c-only */ /* %endif */ 
@@ -108,50 +328,39 @@ typedef unsigned int flex_uint32_t; #define UINT32_MAX (4294967295U) #endif +#ifndef SIZE_MAX +#define SIZE_MAX (~(size_t)0) +#endif + #endif /* ! C99 */ #endif /* ! FLEXINT_H */ /* %endif */ +/* begin standard C++ headers. */ /* %if-c++-only */ /* %endif */ -#ifdef __cplusplus - -/* The "const" storage-class-modifier is valid. */ -#define YY_USE_CONST - -#else /* ! __cplusplus */ - -/* C99 requires __STDC__ to be defined as 1. */ -#if defined (__STDC__) - -#define YY_USE_CONST - -#endif /* defined (__STDC__) */ -#endif /* ! __cplusplus */ - -#ifdef YY_USE_CONST +/* TODO: this is always defined, so inline it */ #define yyconst const + +#if defined(__GNUC__) && __GNUC__ >= 3 +#define yynoreturn __attribute__((__noreturn__)) #else -#define yyconst +#define yynoreturn #endif /* %not-for-header */ - /* Returned upon end-of-file. */ #define YY_NULL 0 /* %ok-for-header */ /* %not-for-header */ - -/* Promotes a possibly negative, possibly signed char to an unsigned - * integer for use as an array index. If the signed char is negative, - * we want to instead treat it as an 8-bit unsigned char, hence the - * double cast. +/* Promotes a possibly negative, possibly signed char to an + * integer in range [0..255] for use as an array index. */ -#define YY_SC_TO_UI(c) ((unsigned int) (unsigned char) c) +#define YY_SC_TO_UI(c) ((YY_CHAR) (c)) /* %ok-for-header */ /* %if-reentrant */ 
@@ -183,20 +392,16 @@ typedef void* yyscan_t; * definition of BEGIN. */ #define BEGIN yyg->yy_start = 1 + 2 * - /* Translate the current start state into a value that can be later handed * to BEGIN to return to the state. The YYSTATE alias is for lex * compatibility. */ #define YY_START ((yyg->yy_start - 1) / 2) #define YYSTATE YY_START - /* Action number for EOF rule of a given start state. */ #define YY_STATE_EOF(state) (YY_END_OF_BUFFER + state + 1) - /* Special action meaning "start processing a new file". */ -#define YY_NEW_FILE settings_parser_restart(yyin ,yyscanner ) - +#define YY_NEW_FILE yyrestart( yyin , yyscanner ) #define YY_END_OF_BUFFER_CHAR 0 /* Size of default input buffer. */ @@ -237,10 +442,10 @@ typedef size_t yy_size_t; #define EOB_ACT_CONTINUE_SCAN 0 #define EOB_ACT_END_OF_FILE 1 #define EOB_ACT_LAST_MATCH 2 - + /* Note: We specifically omit the test for yy_rule_can_match_eol because it requires * access to the local variable yy_act. Since yyless() is a macro, it would break - * existing scanners that call yyless() from OUTSIDE settings_parser_lex. + * existing scanners that call yyless() from OUTSIDE yylex. * One obvious solution it to make yy_act a global. I tried that, and saw * a 5% performance hit in a non-yylineno scanner, because yy_act is * normally declared as a register variable-- so it is not worth it. @@ -273,7 +478,6 @@ typedef size_t yy_size_t; YY_DO_BEFORE_ACTION; /* set up yytext again */ \ } \ while ( 0 ) - #define unput(c) yyunput( c, yyg->yytext_ptr , yyscanner ) #ifndef YY_STRUCT_YY_BUFFER_STATE @@ -293,7 +497,7 @@ struct yy_buffer_state /* Size of input buffer in bytes, not including room for EOB * characters. */ - yy_size_t yy_buf_size; + int yy_buf_size; /* Number of characters read into yy_ch_buf, not including EOB * characters. 
@@ -321,7 +525,7 @@ struct yy_buffer_state int yy_bs_lineno; /**< The line count. */ int yy_bs_column; /**< The column count. */ - + /* Whether to try to fill the input buffer when we reach the * end of it. */ @@ -338,7 +542,7 @@ struct yy_buffer_state * possible backing-up. * * When we actually see the EOF, we change the status to "new" - * (via settings_parser_restart()), so that the user can continue scanning by + * (via yyrestart()), so that the user can continue scanning by * just pointing yyin at a new input file. */ #define YY_BUFFER_EOF_PENDING 2 @@ -348,7 +552,6 @@ struct yy_buffer_state /* %if-c-only Standard (non-C++) definition */ /* %not-for-header */ - /* %if-not-reentrant */ /* %endif */ /* %ok-for-header */ @@ -364,7 +567,6 @@ struct yy_buffer_state #define YY_CURRENT_BUFFER ( yyg->yy_buffer_stack \ ? yyg->yy_buffer_stack[yyg->yy_buffer_stack_top] \ : NULL) - /* Same as previous macro, but useful when we know that the buffer stack is not * NULL or when we need an lvalue. For internal use only. */ 
@@ -374,57 +576,52 @@ struct yy_buffer_state /* %if-not-reentrant */ /* %not-for-header */ - /* %ok-for-header */ /* %endif */ -void settings_parser_restart (FILE *input_file ,yyscan_t yyscanner ); -void settings_parser__switch_to_buffer (YY_BUFFER_STATE new_buffer ,yyscan_t yyscanner ); -YY_BUFFER_STATE settings_parser__create_buffer (FILE *file,int size ,yyscan_t yyscanner ); -void settings_parser__delete_buffer (YY_BUFFER_STATE b ,yyscan_t yyscanner ); -void settings_parser__flush_buffer (YY_BUFFER_STATE b ,yyscan_t yyscanner ); -void settings_parser_push_buffer_state (YY_BUFFER_STATE new_buffer ,yyscan_t yyscanner ); -void settings_parser_pop_buffer_state (yyscan_t yyscanner ); - -static void settings_parser_ensure_buffer_stack (yyscan_t yyscanner ); -static void settings_parser__load_buffer_state (yyscan_t yyscanner ); -static void settings_parser__init_buffer (YY_BUFFER_STATE b,FILE *file ,yyscan_t yyscanner ); +void yyrestart ( FILE *input_file , yyscan_t yyscanner ); +void yy_switch_to_buffer ( YY_BUFFER_STATE new_buffer , yyscan_t yyscanner ); +YY_BUFFER_STATE yy_create_buffer ( FILE *file, int size , yyscan_t yyscanner ); +void yy_delete_buffer ( YY_BUFFER_STATE b , yyscan_t yyscanner ); +void yy_flush_buffer ( YY_BUFFER_STATE b , yyscan_t yyscanner ); +void yypush_buffer_state ( YY_BUFFER_STATE new_buffer , yyscan_t yyscanner ); +void yypop_buffer_state ( yyscan_t yyscanner ); -#define YY_FLUSH_BUFFER settings_parser__flush_buffer(YY_CURRENT_BUFFER ,yyscanner) +static void yyensure_buffer_stack ( yyscan_t yyscanner ); +static void yy_load_buffer_state ( yyscan_t yyscanner ); +static void yy_init_buffer ( YY_BUFFER_STATE b, FILE *file , yyscan_t yyscanner ); +#define YY_FLUSH_BUFFER yy_flush_buffer( YY_CURRENT_BUFFER , yyscanner) -YY_BUFFER_STATE settings_parser__scan_buffer (char *base,yy_size_t size ,yyscan_t yyscanner ); -YY_BUFFER_STATE settings_parser__scan_string (yyconst char *yy_str ,yyscan_t yyscanner ); -YY_BUFFER_STATE 
settings_parser__scan_bytes (yyconst char *bytes,yy_size_t len ,yyscan_t yyscanner ); +YY_BUFFER_STATE yy_scan_buffer ( char *base, yy_size_t size , yyscan_t yyscanner ); +YY_BUFFER_STATE yy_scan_string ( const char *yy_str , yyscan_t yyscanner ); +YY_BUFFER_STATE yy_scan_bytes ( const char *bytes, int len , yyscan_t yyscanner ); /* %endif */ -void *settings_parser_alloc (yy_size_t ,yyscan_t yyscanner ); -void *settings_parser_realloc (void *,yy_size_t ,yyscan_t yyscanner ); -void settings_parser_free (void * ,yyscan_t yyscanner ); - -#define yy_new_buffer settings_parser__create_buffer +void *yyalloc ( yy_size_t , yyscan_t yyscanner ); +void *yyrealloc ( void *, yy_size_t , yyscan_t yyscanner ); +void yyfree ( void * , yyscan_t yyscanner ); +#define yy_new_buffer yy_create_buffer #define yy_set_interactive(is_interactive) \ { \ if ( ! YY_CURRENT_BUFFER ){ \ - settings_parser_ensure_buffer_stack (yyscanner); \ + yyensure_buffer_stack (yyscanner); \ YY_CURRENT_BUFFER_LVALUE = \ - settings_parser__create_buffer(yyin,YY_BUF_SIZE ,yyscanner); \ + yy_create_buffer( yyin, YY_BUF_SIZE , yyscanner); \ } \ YY_CURRENT_BUFFER_LVALUE->yy_is_interactive = is_interactive; \ } - #define yy_set_bol(at_bol) \ { \ if ( ! YY_CURRENT_BUFFER ){\ - settings_parser_ensure_buffer_stack (yyscanner); \ + yyensure_buffer_stack (yyscanner); \ YY_CURRENT_BUFFER_LVALUE = \ - settings_parser__create_buffer(yyin,YY_BUF_SIZE ,yyscanner); \ + yy_create_buffer( yyin, YY_BUF_SIZE , yyscanner); \ } \ YY_CURRENT_BUFFER_LVALUE->yy_at_bol = at_bol; \ } - #define YY_AT_BOL() (YY_CURRENT_BUFFER_LVALUE->yy_at_bol) /* %% [1.0] yytext/yyin/yyout/yy_state_type/yylineno etc. def's & init go here */ @@ -434,8 +631,7 @@ void settings_parser_free (void * ,yyscan_t yyscanner ); #define YY_SKIP_YYWRAP #define FLEX_DEBUG - -typedef unsigned char YY_CHAR; +typedef flex_uint8_t YY_CHAR; typedef int yy_state_type; 
@@ -445,13 +641,10 @@ typedef int yy_state_type; /* %if-c-only Standard (non-C++) definition */ -static yy_state_type yy_get_previous_state (yyscan_t yyscanner ); -static yy_state_type yy_try_NUL_trans (yy_state_type current_state ,yyscan_t yyscanner); -static int yy_get_next_buffer (yyscan_t yyscanner ); -#if defined(__GNUC__) && __GNUC__ >= 3 -__attribute__((__noreturn__)) -#endif -static void yy_fatal_error (yyconst char msg[] ,yyscan_t yyscanner ); +static yy_state_type yy_get_previous_state ( yyscan_t yyscanner ); +static yy_state_type yy_try_NUL_trans ( yy_state_type current_state , yyscan_t yyscanner); +static int yy_get_next_buffer ( yyscan_t yyscanner ); +static void yynoreturn yy_fatal_error ( const char* msg , yyscan_t yyscanner ); /* %endif */ @@ -461,12 +654,11 @@ static void yy_fatal_error (yyconst char msg[] ,yyscan_t yyscanner ); #define YY_DO_BEFORE_ACTION \ yyg->yytext_ptr = yy_bp; \ /* %% [2.0] code to fiddle yytext and yyleng for yymore() goes here \ */\ - yyleng = (size_t) (yy_cp - yy_bp); \ + yyleng = (int) (yy_cp - yy_bp); \ yyg->yy_hold_char = *yy_cp; \ *yy_cp = '\0'; \ /* %% [3.0] code to copy yytext_ptr to yytext[] goes here, if %array \ */\ yyg->yy_c_buf_p = yy_cp; - /* %% [4.0] data tables for the DFA and the user's section 1 definitions go here */ #define YY_NUM_RULES 39 #define YY_END_OF_BUFFER 40 @@ -477,7 +669,7 @@ struct yy_trans_info flex_int32_t yy_verify; flex_int32_t yy_nxt; }; -static yyconst flex_int16_t yy_accept[85] = +static const flex_int16_t yy_accept[85] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 40, 12, 2, 3, 2, 11, 1, 7, 6, 8, @@ -490,7 +682,7 @@ static yyconst flex_int16_t yy_accept[85] = 0, 10, 10, 0 } ; -static yyconst YY_CHAR yy_ec[256] = +static const YY_CHAR yy_ec[256] = { 0, 1, 1, 1, 1, 1, 1, 1, 1, 2, 3, 1, 1, 4, 1, 1, 1, 1, 1, 1, 1, 
@@ -522,14 +714,14 @@ static yyconst YY_CHAR yy_ec[256] = 1, 1, 1, 1, 1 } ; -static yyconst YY_CHAR yy_meta[24] = +static const YY_CHAR yy_meta[24] = { 0, 1, 2, 3, 4, 5, 6, 5, 7, 8, 7, 9, 10, 1, 1, 1, 1, 1, 1, 1, 1, 1, 7, 5 } ; -static yyconst flex_uint16_t yy_base[103] = +static const flex_int16_t yy_base[103] = { 0, 0, 0, 23, 0, 45, 67, 89, 111, 49, 50, 124, 0, 133, 335, 55, 335, 60, 335, 335, 335, @@ -545,7 +737,7 @@ static yyconst flex_uint16_t yy_base[103] = 314, 324 } ; -static yyconst flex_int16_t yy_def[103] = +static const flex_int16_t yy_def[103] = { 0, 84, 1, 84, 3, 85, 85, 86, 86, 87, 87, 84, 88, 84, 84, 84, 84, 89, 84, 84, 84, @@ -561,7 +753,7 @@ static yyconst flex_int16_t yy_def[103] = 84, 84 } ; -static yyconst flex_uint16_t yy_nxt[359] = +static const flex_int16_t yy_nxt[359] = { 0, 12, 13, 14, 15, 13, 16, 17, 18, 19, 20, 21, 12, 12, 12, 12, 22, 12, 12, 12, 12, @@ -604,7 +796,7 @@ static yyconst flex_uint16_t yy_nxt[359] = 84, 84, 84, 84, 84, 84, 84, 84 } ; -static yyconst flex_int16_t yy_chk[359] = +static const flex_int16_t yy_chk[359] = { 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 
@@ -648,18 +840,18 @@ static yyconst flex_int16_t yy_chk[359] = } ; /* Table of booleans, true if rule could match eol. */ -static yyconst flex_int32_t yy_rule_can_match_eol[40] = +static const flex_int32_t yy_rule_can_match_eol[40] = { 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, }; -static yyconst flex_int16_t yy_rule_linenum[39] = +static const flex_int16_t yy_rule_linenum[39] = { 0, - 66, 67, 68, 70, 71, 73, 74, 76, 81, 86, - 91, 96, 102, 103, 104, 106, 108, 113, 120, 121, - 123, 144, 150, 157, 160, 180, 183, 186, 189, 195, - 196, 198, 218, 219, 220, 221, 222, 223 + 71, 72, 73, 75, 76, 78, 79, 81, 86, 91, + 96, 101, 107, 108, 109, 111, 113, 118, 125, 126, + 128, 149, 155, 162, 165, 185, 188, 191, 194, 200, + 201, 203, 223, 224, 225, 226, 227, 228 } ; /* The intent behind this definition is that it'll catch @@ -694,9 +886,13 @@ bool settings_parser_open_next_file(parser_helper_t *ctx); static void include_files(parser_helper_t *ctx); +#line 890 "settings/settings_lexer.c" /* use start conditions stack */ /* do not declare unneeded functions */ #define YY_NO_INPUT 1 +/* do not include unistd.h as it might conflict with our scanner states */ +#define YY_NO_UNISTD_H 1 +/* due to that disable interactive mode, which requires isatty() */ /* don't use global variables, and interact properly with bison */ /* maintain the line number */ /* don't generate a default rule */ @@ -712,7 +908,7 @@ static void include_files(parser_helper_t *ctx); /* state used to scan quoted strings */ /* pattern for section/key names */ -#line 716 "settings/settings_lexer.c" +#line 912 "settings/settings_lexer.c" #define INITIAL 0 #define ref 1 @@ -751,7 +947,7 @@ struct yyguts_t YY_BUFFER_STATE * yy_buffer_stack; /**< Stack as an array. */ char yy_hold_char; int yy_n_chars; - yy_size_t yyleng_r; + int yyleng_r; char *yy_c_buf_p; int yy_init; int yy_start; 
@@ -775,7 +971,7 @@ struct yyguts_t /* %if-c-only */ -static int yy_init_globals (yyscan_t yyscanner ); +static int yy_init_globals ( yyscan_t yyscanner ); /* %endif */ @@ -785,9 +981,9 @@ static int yy_init_globals (yyscan_t yyscanner ); * from bison output in section 1.*/ # define yylval yyg->yylval_r -int settings_parser_lex_init (yyscan_t* scanner); +int yylex_init (yyscan_t* scanner); -int settings_parser_lex_init_extra (YY_EXTRA_TYPE user_defined,yyscan_t* scanner); +int yylex_init_extra ( YY_EXTRA_TYPE user_defined, yyscan_t* scanner); /* %endif */ 
@@ -796,41 +992,41 @@ int settings_parser_lex_init_extra (YY_EXTRA_TYPE user_defined,yyscan_t* scanner /* Accessor methods to globals. These are made visible to non-reentrant scanners for convenience. */ -int settings_parser_lex_destroy (yyscan_t yyscanner ); +int yylex_destroy ( yyscan_t yyscanner ); -int settings_parser_get_debug (yyscan_t yyscanner ); +int yyget_debug ( yyscan_t yyscanner ); -void settings_parser_set_debug (int debug_flag ,yyscan_t yyscanner ); +void yyset_debug ( int debug_flag , yyscan_t yyscanner ); -YY_EXTRA_TYPE settings_parser_get_extra (yyscan_t yyscanner ); +YY_EXTRA_TYPE yyget_extra ( yyscan_t yyscanner ); -void settings_parser_set_extra (YY_EXTRA_TYPE user_defined ,yyscan_t yyscanner ); +void yyset_extra ( YY_EXTRA_TYPE user_defined , yyscan_t yyscanner ); -FILE *settings_parser_get_in (yyscan_t yyscanner ); +FILE *yyget_in ( yyscan_t yyscanner ); -void settings_parser_set_in (FILE * _in_str ,yyscan_t yyscanner ); +void yyset_in ( FILE * _in_str , yyscan_t yyscanner ); -FILE *settings_parser_get_out (yyscan_t yyscanner ); +FILE *yyget_out ( yyscan_t yyscanner ); -void settings_parser_set_out (FILE * _out_str ,yyscan_t yyscanner ); +void yyset_out ( FILE * _out_str , yyscan_t yyscanner ); -yy_size_t settings_parser_get_leng (yyscan_t yyscanner ); + int yyget_leng ( yyscan_t yyscanner ); -char *settings_parser_get_text (yyscan_t yyscanner ); +char *yyget_text ( yyscan_t yyscanner ); -int settings_parser_get_lineno (yyscan_t yyscanner ); +int yyget_lineno ( yyscan_t yyscanner ); -void settings_parser_set_lineno (int _line_number ,yyscan_t yyscanner ); +void yyset_lineno ( int _line_number , yyscan_t yyscanner ); -int settings_parser_get_column (yyscan_t yyscanner ); +int yyget_column ( yyscan_t yyscanner ); -void settings_parser_set_column (int _column_no ,yyscan_t yyscanner ); +void yyset_column ( int _column_no , yyscan_t yyscanner ); /* %if-bison-bridge */ -YYSTYPE * settings_parser_get_lval (yyscan_t yyscanner ); +YYSTYPE * yyget_lval 
( yyscan_t yyscanner ); -void settings_parser_set_lval (YYSTYPE * yylval_param ,yyscan_t yyscanner ); +void yyset_lval ( YYSTYPE * yylval_param , yyscan_t yyscanner ); /* %endif */ @@ -840,17 +1036,16 @@ void settings_parser_set_lval (YYSTYPE * yylval_param ,yyscan_t yyscanner ); #ifndef YY_SKIP_YYWRAP #ifdef __cplusplus -extern "C" int settings_parser_wrap (yyscan_t yyscanner ); +extern "C" int yywrap ( yyscan_t yyscanner ); #else -extern int settings_parser_wrap (yyscan_t yyscanner ); +extern int yywrap ( yyscan_t yyscanner ); #endif #endif /* %not-for-header */ - #ifndef YY_NO_UNPUT - static void yyunput (int c,char *buf_ptr ,yyscan_t yyscanner); + static void yyunput ( int c, char *buf_ptr , yyscan_t yyscanner); #endif /* %ok-for-header */ @@ -858,21 +1053,20 @@ extern int settings_parser_wrap (yyscan_t yyscanner ); /* %endif */ #ifndef yytext_ptr -static void yy_flex_strncpy (char *,yyconst char *,int ,yyscan_t yyscanner); +static void yy_flex_strncpy ( char *, const char *, int , yyscan_t yyscanner); #endif #ifdef YY_NEED_STRLEN -static int yy_flex_strlen (yyconst char * ,yyscan_t yyscanner); +static int yy_flex_strlen ( const char * , yyscan_t yyscanner); #endif #ifndef YY_NO_INPUT /* %if-c-only Standard (non-C++) definition */ /* %not-for-header */ - #ifdef __cplusplus -static int yyinput (yyscan_t yyscanner ); +static int yyinput ( yyscan_t yyscanner ); #else -static int input (yyscan_t yyscanner ); +static int input ( yyscan_t yyscanner ); #endif /* %ok-for-header */ @@ -881,11 +1075,11 @@ static int input (yyscan_t yyscanner ); /* %if-c-only */ - static void yy_push_state (int _new_state ,yyscan_t yyscanner); + static void yy_push_state ( int _new_state , yyscan_t yyscanner); - static void yy_pop_state (yyscan_t yyscanner ); + static void yy_pop_state ( yyscan_t yyscanner ); - static int yy_top_state (yyscan_t yyscanner ); + static int yy_top_state ( yyscan_t yyscanner ); /* %endif */ 
@@ -905,7 +1099,7 @@ static int input (yyscan_t yyscanner ); /* This used to be an fputs(), but since the string might contain NUL's, * we now use fwrite(). */ -#define ECHO do { if (fwrite( yytext, yyleng, 1, yyout )) {} } while (0) +#define ECHO do { if (fwrite( yytext, (size_t) yyleng, 1, yyout )) {} } while (0) /* %endif */ /* %if-c++-only C++ definition */ /* %endif */ @@ -920,7 +1114,7 @@ static int input (yyscan_t yyscanner ); if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \ { \ int c = '*'; \ - size_t n; \ + int n; \ for ( n = 0; n < max_size && \ (c = getc( yyin )) != EOF && c != '\n'; ++n ) \ buf[n] = (char) c; \ @@ -933,7 +1127,7 @@ static int input (yyscan_t yyscanner ); else \ { \ errno=0; \ - while ( (result = fread(buf, 1, max_size, yyin))==0 && ferror(yyin)) \ + while ( (result = (int) fread(buf, 1, (yy_size_t) max_size, yyin)) == 0 && ferror(yyin)) \ { \ if( errno != EINTR) \ { \ @@ -974,11 +1168,9 @@ static int input (yyscan_t yyscanner ); /* %if-tables-serialization structures and prototypes */ /* %not-for-header */ - /* %ok-for-header */ /* %not-for-header */ - /* %tables-yydmap generated elements */ /* %endif */ /* end tables serialization structures and prototypes */ @@ -992,10 +1184,10 @@ static int input (yyscan_t yyscanner ); #define YY_DECL_IS_OURS 1 /* %if-c-only Standard (non-C++) definition */ -extern int settings_parser_lex \ - (YYSTYPE * yylval_param ,yyscan_t yyscanner); +extern int yylex \ + (YYSTYPE * yylval_param , yyscan_t yyscanner); -#define YY_DECL int settings_parser_lex \ +#define YY_DECL int yylex \ (YYSTYPE * yylval_param , yyscan_t yyscanner) /* %endif */ /* %if-c++-only C++ definition */ @@ -1019,7 +1211,6 @@ extern int settings_parser_lex \ YY_USER_ACTION /* %not-for-header */ - /** The main scanner function which does all the work. */ YY_DECL 
@@ -1057,20 +1248,20 @@ YY_DECL /* %endif */ if ( ! YY_CURRENT_BUFFER ) { - settings_parser_ensure_buffer_stack (yyscanner); + yyensure_buffer_stack (yyscanner); YY_CURRENT_BUFFER_LVALUE = - settings_parser__create_buffer(yyin,YY_BUF_SIZE ,yyscanner); + yy_create_buffer( yyin, YY_BUF_SIZE , yyscanner); } - settings_parser__load_buffer_state(yyscanner ); + yy_load_buffer_state( yyscanner ); } { /* %% [7.0] user's declarations go here */ -#line 64 "settings/settings_lexer.l" +#line 69 "settings/settings_lexer.l" -#line 1074 "settings/settings_lexer.c" +#line 1265 "settings/settings_lexer.c" while ( /*CONSTCOND*/1 ) /* loops until end-of-file is reached */ { @@ -1100,22 +1291,18 @@ yy_match: { yy_current_state = (int) yy_def[yy_current_state]; if ( yy_current_state >= 85 ) - yy_c = yy_meta[(unsigned int) yy_c]; + yy_c = yy_meta[yy_c]; } - yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c]; + yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c]; ++yy_cp; } - while ( yy_base[yy_current_state] != 335 ); + while ( yy_current_state != 84 ); + yy_cp = yyg->yy_last_accepting_cpos; + yy_current_state = yyg->yy_last_accepting_state; yy_find_action: /* %% [10.0] code to find the action number goes here */ yy_act = yy_accept[yy_current_state]; - if ( yy_act == 0 ) - { /* have to back up */ - yy_cp = yyg->yy_last_accepting_cpos; - yy_current_state = yyg->yy_last_accepting_state; - yy_act = yy_accept[yy_current_state]; - } YY_DO_BEFORE_ACTION; @@ -1123,10 +1310,10 @@ yy_find_action: if ( yy_act != YY_END_OF_BUFFER && yy_rule_can_match_eol[yy_act] ) { - yy_size_t yyl; + int yyl; for ( yyl = 0; yyl < yyleng; ++yyl ) if ( yytext[yyl] == '\n' ) - + do{ yylineno++; yycolumn=0; }while(0) 
@@ -1164,40 +1351,40 @@ do_action: /* This label is used only to access EOF actions. */ case 1: YY_RULE_SETUP -#line 66 "settings/settings_lexer.l" +#line 71 "settings/settings_lexer.l" /* eat comments */ YY_BREAK case 2: YY_RULE_SETUP -#line 67 "settings/settings_lexer.l" +#line 72 "settings/settings_lexer.l" /* eat whitespace */ YY_BREAK case 3: /* rule 3 can match eol */ YY_RULE_SETUP -#line 68 "settings/settings_lexer.l" +#line 73 "settings/settings_lexer.l" /* eat newlines and comments at the end of a line */ YY_BREAK case 4: -#line 71 "settings/settings_lexer.l" +#line 76 "settings/settings_lexer.l" case 5: YY_RULE_SETUP -#line 71 "settings/settings_lexer.l" +#line 76 "settings/settings_lexer.l" return yytext[0]; YY_BREAK case 6: YY_RULE_SETUP -#line 73 "settings/settings_lexer.l" +#line 78 "settings/settings_lexer.l" return DOT; YY_BREAK case 7: YY_RULE_SETUP -#line 74 "settings/settings_lexer.l" +#line 79 "settings/settings_lexer.l" return COMMA; YY_BREAK case 8: YY_RULE_SETUP -#line 76 "settings/settings_lexer.l" +#line 81 "settings/settings_lexer.l" { yy_push_state(ref, yyscanner); return COLON; @@ -1205,7 +1392,7 @@ YY_RULE_SETUP YY_BREAK case 9: YY_RULE_SETUP -#line 81 "settings/settings_lexer.l" +#line 86 "settings/settings_lexer.l" { yy_push_state(val, yyscanner); return yytext[0]; @@ -1218,7 +1405,7 @@ YY_LINENO_REWIND_TO(yy_cp - 1); yyg->yy_c_buf_p = yy_cp -= 1; YY_DO_BEFORE_ACTION; /* set up yytext again */ YY_RULE_SETUP -#line 86 "settings/settings_lexer.l" +#line 91 "settings/settings_lexer.l" { yyextra->string_init(yyextra); yy_push_state(inc, yyscanner); @@ -1226,7 +1413,7 @@ YY_RULE_SETUP YY_BREAK case 11: YY_RULE_SETUP -#line 91 "settings/settings_lexer.l" +#line 96 "settings/settings_lexer.l" { PARSER_DBG1(yyextra, "unexpected string detected"); return STRING_ERROR; 
@@ -1234,7 +1421,7 @@ YY_RULE_SETUP YY_BREAK case 12: YY_RULE_SETUP -#line 96 "settings/settings_lexer.l" +#line 101 "settings/settings_lexer.l" { yylval->s = strdup(yytext); return NAME; @@ -1243,28 +1430,28 @@ YY_RULE_SETUP case 13: YY_RULE_SETUP -#line 102 "settings/settings_lexer.l" +#line 107 "settings/settings_lexer.l" /* eat comments */ YY_BREAK case 14: YY_RULE_SETUP -#line 103 "settings/settings_lexer.l" +#line 108 "settings/settings_lexer.l" /* eat whitespace */ YY_BREAK case 15: /* rule 15 can match eol */ YY_RULE_SETUP -#line 104 "settings/settings_lexer.l" +#line 109 "settings/settings_lexer.l" /* eat newlines and comments at the end of a line */ YY_BREAK case 16: YY_RULE_SETUP -#line 106 "settings/settings_lexer.l" +#line 111 "settings/settings_lexer.l" return COMMA; YY_BREAK case 17: YY_RULE_SETUP -#line 108 "settings/settings_lexer.l" +#line 113 "settings/settings_lexer.l" { yylval->s = strdup(yytext); return NAME; @@ -1272,7 +1459,7 @@ YY_RULE_SETUP YY_BREAK case 18: YY_RULE_SETUP -#line 113 "settings/settings_lexer.l" +#line 118 "settings/settings_lexer.l" { unput(yytext[0]); yy_pop_state(yyscanner); @@ -1282,20 +1469,20 @@ YY_RULE_SETUP case 19: YY_RULE_SETUP -#line 120 "settings/settings_lexer.l" +#line 125 "settings/settings_lexer.l" /* just ignore these */ YY_BREAK case 20: YY_RULE_SETUP -#line 121 "settings/settings_lexer.l" +#line 126 "settings/settings_lexer.l" YY_BREAK case YY_STATE_EOF(val): -#line 122 "settings/settings_lexer.l" +#line 127 "settings/settings_lexer.l" case 21: /* rule 21 can match eol */ YY_RULE_SETUP -#line 123 "settings/settings_lexer.l" +#line 128 "settings/settings_lexer.l" { if (*yytext) { @@ -1319,7 +1506,7 @@ YY_RULE_SETUP YY_BREAK case 22: YY_RULE_SETUP -#line 144 "settings/settings_lexer.l" +#line 149 "settings/settings_lexer.l" { yyextra->string_init(yyextra); yy_push_state(str, yyscanner); 
@@ -1328,7 +1515,7 @@ YY_RULE_SETUP /* same as above, but allow more characters */ case 23: YY_RULE_SETUP -#line 150 "settings/settings_lexer.l" +#line 155 "settings/settings_lexer.l" { yylval->s = strdup(yytext); return NAME; @@ -1338,16 +1525,16 @@ YY_RULE_SETUP case 24: YY_RULE_SETUP -#line 157 "settings/settings_lexer.l" +#line 162 "settings/settings_lexer.l" /* just ignore these */ YY_BREAK /* we allow all characters except #, } and spaces, they can be escaped */ case YY_STATE_EOF(inc): -#line 159 "settings/settings_lexer.l" +#line 164 "settings/settings_lexer.l" case 25: /* rule 25 can match eol */ YY_RULE_SETUP -#line 160 "settings/settings_lexer.l" +#line 165 "settings/settings_lexer.l" { if (*yytext) { @@ -1371,28 +1558,28 @@ YY_RULE_SETUP YY_BREAK case 26: YY_RULE_SETUP -#line 180 "settings/settings_lexer.l" +#line 185 "settings/settings_lexer.l" { /* string include */ yy_push_state(str, yyscanner); } YY_BREAK case 27: YY_RULE_SETUP -#line 183 "settings/settings_lexer.l" +#line 188 "settings/settings_lexer.l" { yyextra->string_add(yyextra, yytext); } YY_BREAK case 28: YY_RULE_SETUP -#line 186 "settings/settings_lexer.l" +#line 191 "settings/settings_lexer.l" { yyextra->string_add(yyextra, yytext+1); } YY_BREAK case 29: YY_RULE_SETUP -#line 189 "settings/settings_lexer.l" +#line 194 "settings/settings_lexer.l" { yyextra->string_add(yyextra, yytext); } @@ -1401,17 +1588,17 @@ YY_RULE_SETUP case 30: YY_RULE_SETUP -#line 195 "settings/settings_lexer.l" +#line 200 "settings/settings_lexer.l" /* just ignore these */ YY_BREAK case 31: -#line 197 "settings/settings_lexer.l" +#line 202 "settings/settings_lexer.l" YY_RULE_SETUP case YY_STATE_EOF(str): -#line 197 "settings/settings_lexer.l" +#line 202 "settings/settings_lexer.l" case 32: YY_RULE_SETUP -#line 198 "settings/settings_lexer.l" +#line 203 "settings/settings_lexer.l" { if (!streq(yytext, "\"")) { 
@@ -1434,34 +1621,34 @@ YY_RULE_SETUP YY_BREAK case 33: YY_RULE_SETUP -#line 218 "settings/settings_lexer.l" +#line 223 "settings/settings_lexer.l" yyextra->string_add(yyextra, "\n"); YY_BREAK case 34: YY_RULE_SETUP -#line 219 "settings/settings_lexer.l" +#line 224 "settings/settings_lexer.l" yyextra->string_add(yyextra, "\r"); YY_BREAK case 35: YY_RULE_SETUP -#line 220 "settings/settings_lexer.l" +#line 225 "settings/settings_lexer.l" yyextra->string_add(yyextra, "\t"); YY_BREAK case 36: /* rule 36 can match eol */ YY_RULE_SETUP -#line 221 "settings/settings_lexer.l" +#line 226 "settings/settings_lexer.l" /* merge lines that end with escaped EOL characters */ YY_BREAK case 37: YY_RULE_SETUP -#line 222 "settings/settings_lexer.l" +#line 227 "settings/settings_lexer.l" yyextra->string_add(yyextra, yytext+1); YY_BREAK case 38: /* rule 38 can match eol */ YY_RULE_SETUP -#line 223 "settings/settings_lexer.l" +#line 228 "settings/settings_lexer.l" { yyextra->string_add(yyextra, yytext); } @@ -1469,7 +1656,7 @@ YY_RULE_SETUP case YY_STATE_EOF(INITIAL): case YY_STATE_EOF(ref): -#line 228 "settings/settings_lexer.l" +#line 233 "settings/settings_lexer.l" { settings_parser_pop_buffer_state(yyscanner); if (!settings_parser_open_next_file(yyextra) && !YY_CURRENT_BUFFER) @@ -1480,10 +1667,10 @@ case YY_STATE_EOF(ref): YY_BREAK case 39: YY_RULE_SETUP -#line 236 "settings/settings_lexer.l" +#line 241 "settings/settings_lexer.l" YY_FATAL_ERROR( "flex scanner jammed" ); YY_BREAK -#line 1487 "settings/settings_lexer.c" +#line 1674 "settings/settings_lexer.c" case YY_END_OF_BUFFER: { 
@@ -1499,7 +1686,7 @@ YY_FATAL_ERROR( "flex scanner jammed" ); /* We're scanning a new file or input source. It's * possible that this happened because the user * just pointed yyin at a new source and called - * settings_parser_lex(). If so, then we have to assure + * yylex(). If so, then we have to assure * consistency between YY_CURRENT_BUFFER and our * globals. Here is the right place to do so, because * this is the first action (other than possibly a @@ -1553,7 +1740,8 @@ YY_FATAL_ERROR( "flex scanner jammed" ); else { /* %% [14.0] code to do back-up for compressed tables and set up yy_cp goes here */ - yy_cp = yyg->yy_c_buf_p; + yy_cp = yyg->yy_last_accepting_cpos; + yy_current_state = yyg->yy_last_accepting_state; goto yy_find_action; } } @@ -1564,7 +1752,7 @@ YY_FATAL_ERROR( "flex scanner jammed" ); { yyg->yy_did_buffer_switch_on_eof = 0; - if ( settings_parser_wrap(yyscanner ) ) + if ( yywrap( yyscanner ) ) { /* Note: because we've taken care in * yy_get_next_buffer() to have set up @@ -1618,12 +1806,11 @@ YY_FATAL_ERROR( "flex scanner jammed" ); } /* end of action switch */ } /* end of scanning one token */ } /* end of user's declarations */ -} /* end of settings_parser_lex */ +} /* end of yylex */ /* %ok-for-header */ /* %if-c++-only */ /* %not-for-header */ - /* %ok-for-header */ /* %endif */ @@ -1644,7 +1831,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; char *dest = YY_CURRENT_BUFFER_LVALUE->yy_ch_buf; char *source = yyg->yytext_ptr; - yy_size_t number_to_move, i; + int number_to_move, i; int ret_val; if ( yyg->yy_c_buf_p > &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[yyg->yy_n_chars + 1] ) 
@@ -1673,7 +1860,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) /* Try to read more data. */ /* First move last chars to start of buffer. */ - number_to_move = (yy_size_t) (yyg->yy_c_buf_p - yyg->yytext_ptr) - 1; + number_to_move = (int) (yyg->yy_c_buf_p - yyg->yytext_ptr - 1); for ( i = 0; i < number_to_move; ++i ) *(dest++) = *(source++); @@ -1686,7 +1873,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) else { - yy_size_t num_to_read = + int num_to_read = YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1; while ( num_to_read <= 0 ) @@ -1700,7 +1887,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) if ( b->yy_is_our_buffer ) { - yy_size_t new_size = b->yy_buf_size * 2; + int new_size = b->yy_buf_size * 2; if ( new_size <= 0 ) b->yy_buf_size += b->yy_buf_size / 8; @@ -1709,11 +1896,12 @@ static int yy_get_next_buffer (yyscan_t yyscanner) b->yy_ch_buf = (char *) /* Include room in for 2 EOB chars. */ - settings_parser_realloc((void *) b->yy_ch_buf,b->yy_buf_size + 2 ,yyscanner ); + yyrealloc( (void *) b->yy_ch_buf, + (yy_size_t) (b->yy_buf_size + 2) , yyscanner ); } else /* Can't grow it, we don't own it. */ - b->yy_ch_buf = 0; + b->yy_ch_buf = NULL; if ( ! b->yy_ch_buf ) YY_FATAL_ERROR( @@ -1741,7 +1929,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) if ( number_to_move == YY_MORE_ADJ ) { ret_val = EOB_ACT_END_OF_FILE; - settings_parser_restart(yyin ,yyscanner); + yyrestart( yyin , yyscanner); } else 
@@ -1755,12 +1943,15 @@ static int yy_get_next_buffer (yyscan_t yyscanner) else ret_val = EOB_ACT_CONTINUE_SCAN; - if ((int) (yyg->yy_n_chars + number_to_move) > YY_CURRENT_BUFFER_LVALUE->yy_buf_size) { + if ((yyg->yy_n_chars + number_to_move) > YY_CURRENT_BUFFER_LVALUE->yy_buf_size) { /* Extend the array by 50%, plus the number we really need. */ int new_size = yyg->yy_n_chars + number_to_move + (yyg->yy_n_chars >> 1); - YY_CURRENT_BUFFER_LVALUE->yy_ch_buf = (char *) settings_parser_realloc((void *) YY_CURRENT_BUFFER_LVALUE->yy_ch_buf,new_size ,yyscanner ); + YY_CURRENT_BUFFER_LVALUE->yy_ch_buf = (char *) yyrealloc( + (void *) YY_CURRENT_BUFFER_LVALUE->yy_ch_buf, (yy_size_t) new_size , yyscanner ); if ( ! YY_CURRENT_BUFFER_LVALUE->yy_ch_buf ) YY_FATAL_ERROR( "out of dynamic memory in yy_get_next_buffer()" ); + /* "- 2" to take care of EOB's */ + YY_CURRENT_BUFFER_LVALUE->yy_buf_size = (int) (new_size - 2); } yyg->yy_n_chars += number_to_move; @@ -1776,7 +1967,6 @@ static int yy_get_next_buffer (yyscan_t yyscanner) /* %if-c-only */ /* %not-for-header */ - static yy_state_type yy_get_previous_state (yyscan_t yyscanner) /* %endif */ /* %if-c++-only */ @@ -1802,9 +1992,9 @@ static int yy_get_next_buffer (yyscan_t yyscanner) { yy_current_state = (int) yy_def[yy_current_state]; if ( yy_current_state >= 85 ) - yy_c = yy_meta[(unsigned int) yy_c]; + yy_c = yy_meta[yy_c]; } - yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c]; + yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c]; } return yy_current_state; @@ -1836,9 +2026,9 @@ static int yy_get_next_buffer (yyscan_t yyscanner) { yy_current_state = (int) yy_def[yy_current_state]; if ( yy_current_state >= 85 ) - yy_c = yy_meta[(unsigned int) yy_c]; + yy_c = yy_meta[yy_c]; } - yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c]; + yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c]; yy_is_jam = (yy_current_state == 84); (void)yyg; 
@@ -1864,7 +2054,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 ) { /* need to shift things up to make room */ /* +2 for EOB chars. */ - yy_size_t number_to_move = yyg->yy_n_chars + 2; + int number_to_move = yyg->yy_n_chars + 2; char *dest = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[ YY_CURRENT_BUFFER_LVALUE->yy_buf_size + 2]; char *source = @@ -1876,7 +2066,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) yy_cp += (int) (dest - source); yy_bp += (int) (dest - source); YY_CURRENT_BUFFER_LVALUE->yy_n_chars = - yyg->yy_n_chars = YY_CURRENT_BUFFER_LVALUE->yy_buf_size; + yyg->yy_n_chars = (int) YY_CURRENT_BUFFER_LVALUE->yy_buf_size; if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 ) YY_FATAL_ERROR( "flex scanner push-back overflow" ); @@ -1928,7 +2118,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) else { /* need more input */ - yy_size_t offset = yyg->yy_c_buf_p - yyg->yytext_ptr; + int offset = (int) (yyg->yy_c_buf_p - yyg->yytext_ptr); ++yyg->yy_c_buf_p; switch ( yy_get_next_buffer( yyscanner ) ) @@ -1945,14 +2135,14 @@ static int yy_get_next_buffer (yyscan_t yyscanner) */ /* Reset buffer status. */ - settings_parser_restart(yyin ,yyscanner); + yyrestart( yyin , yyscanner); /*FALLTHROUGH*/ case EOB_ACT_END_OF_FILE: { - if ( settings_parser_wrap(yyscanner ) ) - return EOF; + if ( yywrap( yyscanner ) ) + return 0; if ( ! yyg->yy_did_buffer_switch_on_eof ) YY_NEW_FILE; @@ -1976,7 +2166,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) /* %% [19.0] update BOL and yylineno */ if ( c == '\n' ) - + do{ yylineno++; yycolumn=0; }while(0) @@ -1994,7 +2184,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) * @note This function does not reset the start condition to @c INITIAL . */ /* %if-c-only */ - void settings_parser_restart (FILE * input_file , yyscan_t yyscanner) + void yyrestart (FILE * input_file , yyscan_t yyscanner) /* %endif */ /* %if-c++-only */ /* %endif */ 
@@ -2002,13 +2192,13 @@ static int yy_get_next_buffer (yyscan_t yyscanner) struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; if ( ! YY_CURRENT_BUFFER ){ - settings_parser_ensure_buffer_stack (yyscanner); + yyensure_buffer_stack (yyscanner); YY_CURRENT_BUFFER_LVALUE = - settings_parser__create_buffer(yyin,YY_BUF_SIZE ,yyscanner); + yy_create_buffer( yyin, YY_BUF_SIZE , yyscanner); } - settings_parser__init_buffer(YY_CURRENT_BUFFER,input_file ,yyscanner); - settings_parser__load_buffer_state(yyscanner ); + yy_init_buffer( YY_CURRENT_BUFFER, input_file , yyscanner); + yy_load_buffer_state( yyscanner ); } /* %if-c++-only */ @@ -2019,7 +2209,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) * @param yyscanner The scanner object. */ /* %if-c-only */ - void settings_parser__switch_to_buffer (YY_BUFFER_STATE new_buffer , yyscan_t yyscanner) + void yy_switch_to_buffer (YY_BUFFER_STATE new_buffer , yyscan_t yyscanner) /* %endif */ /* %if-c++-only */ /* %endif */ @@ -2028,10 +2218,10 @@ static int yy_get_next_buffer (yyscan_t yyscanner) /* TODO. We should be able to replace this entire function body * with - * settings_parser_pop_buffer_state(); - * settings_parser_push_buffer_state(new_buffer); + * yypop_buffer_state(); + * yypush_buffer_state(new_buffer); */ - settings_parser_ensure_buffer_stack (yyscanner); + yyensure_buffer_stack (yyscanner); if ( YY_CURRENT_BUFFER == new_buffer ) return; 
@@ -2044,18 +2234,18 @@ static int yy_get_next_buffer (yyscan_t yyscanner) } YY_CURRENT_BUFFER_LVALUE = new_buffer; - settings_parser__load_buffer_state(yyscanner ); + yy_load_buffer_state( yyscanner ); /* We don't actually know whether we did this switch during - * EOF (settings_parser_wrap()) processing, but the only time this flag - * is looked at is after settings_parser_wrap() is called, so it's safe + * EOF (yywrap()) processing, but the only time this flag + * is looked at is after yywrap() is called, so it's safe * to go ahead and always set it. */ yyg->yy_did_buffer_switch_on_eof = 1; } /* %if-c-only */ -static void settings_parser__load_buffer_state (yyscan_t yyscanner) +static void yy_load_buffer_state (yyscan_t yyscanner) /* %endif */ /* %if-c++-only */ /* %endif */ 
@@ -2078,29 +2268,29 @@ static void settings_parser__load_buffer_state (yyscan_t yyscanner) * @return the allocated buffer state. */ /* %if-c-only */ - YY_BUFFER_STATE settings_parser__create_buffer (FILE * file, int size , yyscan_t yyscanner) + YY_BUFFER_STATE yy_create_buffer (FILE * file, int size , yyscan_t yyscanner) /* %endif */ /* %if-c++-only */ /* %endif */ { YY_BUFFER_STATE b; - b = (YY_BUFFER_STATE) settings_parser_alloc(sizeof( struct yy_buffer_state ) ,yyscanner ); + b = (YY_BUFFER_STATE) yyalloc( sizeof( struct yy_buffer_state ) , yyscanner ); if ( ! b ) - YY_FATAL_ERROR( "out of dynamic memory in settings_parser__create_buffer()" ); + YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" ); - b->yy_buf_size = (yy_size_t)size; + b->yy_buf_size = size; /* yy_ch_buf has to be 2 characters longer than the size given because * we need to put in 2 end-of-buffer characters. */ - b->yy_ch_buf = (char *) settings_parser_alloc(b->yy_buf_size + 2 ,yyscanner ); + b->yy_ch_buf = (char *) yyalloc( (yy_size_t) (b->yy_buf_size + 2) , yyscanner ); if ( ! b->yy_ch_buf ) - YY_FATAL_ERROR( "out of dynamic memory in settings_parser__create_buffer()" ); + YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" ); b->yy_is_our_buffer = 1; - settings_parser__init_buffer(b,file ,yyscanner); + yy_init_buffer( b, file , yyscanner); return b; } @@ -2109,11 +2299,11 @@ static void settings_parser__load_buffer_state (yyscan_t yyscanner) /* %endif */ /** Destroy the buffer. - * @param b a buffer created with settings_parser__create_buffer() + * @param b a buffer created with yy_create_buffer() * @param yyscanner The scanner object. */ /* %if-c-only */ - void settings_parser__delete_buffer (YY_BUFFER_STATE b , yyscan_t yyscanner) + void yy_delete_buffer (YY_BUFFER_STATE b , yyscan_t yyscanner) /* %endif */ /* %if-c++-only */ /* %endif */ 
@@ -2127,17 +2317,17 @@ static void settings_parser__load_buffer_state (yyscan_t yyscanner) YY_CURRENT_BUFFER_LVALUE = (YY_BUFFER_STATE) 0; if ( b->yy_is_our_buffer ) - settings_parser_free((void *) b->yy_ch_buf ,yyscanner ); + yyfree( (void *) b->yy_ch_buf , yyscanner ); - settings_parser_free((void *) b ,yyscanner ); + yyfree( (void *) b , yyscanner ); } /* Initializes or reinitializes a buffer. * This function is sometimes called more than once on the same buffer, - * such as during a settings_parser_restart() or at EOF. + * such as during a yyrestart() or at EOF. */ /* %if-c-only */ - static void settings_parser__init_buffer (YY_BUFFER_STATE b, FILE * file , yyscan_t yyscanner) + static void yy_init_buffer (YY_BUFFER_STATE b, FILE * file , yyscan_t yyscanner) /* %endif */ /* %if-c++-only */ /* %endif */ @@ -2146,7 +2336,7 @@ static void settings_parser__load_buffer_state (yyscan_t yyscanner) int oerrno = errno; struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; - settings_parser__flush_buffer(b ,yyscanner); + yy_flush_buffer( b , yyscanner); /* %if-c-only */ b->yy_input_file = file; @@ -2155,8 +2345,8 @@ static void settings_parser__load_buffer_state (yyscan_t yyscanner) /* %endif */ b->yy_fill_buffer = 1; - /* If b is the current buffer, then settings_parser__init_buffer was _probably_ - * called from settings_parser_restart() or through yy_get_next_buffer. + /* If b is the current buffer, then yy_init_buffer was _probably_ + * called from yyrestart() or through yy_get_next_buffer. * In that case, we don't want to reset the lineno or column. */ if (b != YY_CURRENT_BUFFER){ @@ -2166,7 +2356,7 @@ static void settings_parser__load_buffer_state (yyscan_t yyscanner) /* %if-c-only */ - b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0; + b->yy_is_interactive = 0; /* %endif */ /* %if-c++-only */ 
@@ -2179,7 +2369,7 @@ static void settings_parser__load_buffer_state (yyscan_t yyscanner) * @param yyscanner The scanner object. */ /* %if-c-only */ - void settings_parser__flush_buffer (YY_BUFFER_STATE b , yyscan_t yyscanner) + void yy_flush_buffer (YY_BUFFER_STATE b , yyscan_t yyscanner) /* %endif */ /* %if-c++-only */ /* %endif */ @@ -2203,7 +2393,7 @@ static void settings_parser__load_buffer_state (yyscan_t yyscanner) b->yy_buffer_status = YY_BUFFER_NEW; if ( b == YY_CURRENT_BUFFER ) - settings_parser__load_buffer_state(yyscanner ); + yy_load_buffer_state( yyscanner ); } /* %if-c-or-c++ */ @@ -2214,7 +2404,7 @@ static void settings_parser__load_buffer_state (yyscan_t yyscanner) * @param yyscanner The scanner object. */ /* %if-c-only */ -void settings_parser_push_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yyscanner) +void yypush_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yyscanner) /* %endif */ /* %if-c++-only */ /* %endif */ @@ -2223,9 +2413,9 @@ void settings_parser_push_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yy if (new_buffer == NULL) return; - settings_parser_ensure_buffer_stack(yyscanner); + yyensure_buffer_stack(yyscanner); - /* This block is copied from settings_parser__switch_to_buffer. */ + /* This block is copied from yy_switch_to_buffer. */ if ( YY_CURRENT_BUFFER ) { /* Flush out information for old buffer. */ @@ -2239,8 +2429,8 @@ void settings_parser_push_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yy yyg->yy_buffer_stack_top++; YY_CURRENT_BUFFER_LVALUE = new_buffer; - /* copied from settings_parser__switch_to_buffer. */ - settings_parser__load_buffer_state(yyscanner ); + /* copied from yy_switch_to_buffer. */ + yy_load_buffer_state( yyscanner ); yyg->yy_did_buffer_switch_on_eof = 1; } /* %endif */ 
@@ -2251,7 +2441,7 @@ void settings_parser_push_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yy * @param yyscanner The scanner object. */ /* %if-c-only */ -void settings_parser_pop_buffer_state (yyscan_t yyscanner) +void yypop_buffer_state (yyscan_t yyscanner) /* %endif */ /* %if-c++-only */ /* %endif */ @@ -2260,13 +2450,13 @@ void settings_parser_pop_buffer_state (yyscan_t yyscanner) if (!YY_CURRENT_BUFFER) return; - settings_parser__delete_buffer(YY_CURRENT_BUFFER ,yyscanner); + yy_delete_buffer(YY_CURRENT_BUFFER , yyscanner); YY_CURRENT_BUFFER_LVALUE = NULL; if (yyg->yy_buffer_stack_top > 0) --yyg->yy_buffer_stack_top; if (YY_CURRENT_BUFFER) { - settings_parser__load_buffer_state(yyscanner ); + yy_load_buffer_state( yyscanner ); yyg->yy_did_buffer_switch_on_eof = 1; } } @@ -2277,7 +2467,7 @@ void settings_parser_pop_buffer_state (yyscan_t yyscanner) * Guarantees space for at least one push. */ /* %if-c-only */ -static void settings_parser_ensure_buffer_stack (yyscan_t yyscanner) +static void yyensure_buffer_stack (yyscan_t yyscanner) /* %endif */ /* %if-c++-only */ /* %endif */ 
@@ -2291,15 +2481,15 @@ static void settings_parser_ensure_buffer_stack (yyscan_t yyscanner) * scanner will even need a stack. We use 2 instead of 1 to avoid an * immediate realloc on the next call. */ - num_to_alloc = 1; /* After all that talk, this was set to 1 anyways... */ - yyg->yy_buffer_stack = (struct yy_buffer_state**)settings_parser_alloc + num_to_alloc = 1; /* After all that talk, this was set to 1 anyways... */ + yyg->yy_buffer_stack = (struct yy_buffer_state**)yyalloc (num_to_alloc * sizeof(struct yy_buffer_state*) , yyscanner); if ( ! yyg->yy_buffer_stack ) - YY_FATAL_ERROR( "out of dynamic memory in settings_parser_ensure_buffer_stack()" ); - + YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" ); + memset(yyg->yy_buffer_stack, 0, num_to_alloc * sizeof(struct yy_buffer_state*)); - + yyg->yy_buffer_stack_max = num_to_alloc; yyg->yy_buffer_stack_top = 0; return; @@ -2311,12 +2501,12 @@ static void settings_parser_ensure_buffer_stack (yyscan_t yyscanner) yy_size_t grow_size = 8 /* arbitrary grow size */; num_to_alloc = yyg->yy_buffer_stack_max + grow_size; - yyg->yy_buffer_stack = (struct yy_buffer_state**)settings_parser_realloc + yyg->yy_buffer_stack = (struct yy_buffer_state**)yyrealloc (yyg->yy_buffer_stack, num_to_alloc * sizeof(struct yy_buffer_state*) , yyscanner); if ( ! yyg->yy_buffer_stack ) - YY_FATAL_ERROR( "out of dynamic memory in settings_parser_ensure_buffer_stack()" ); + YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" ); /* zero only the new slots.*/ memset(yyg->yy_buffer_stack + yyg->yy_buffer_stack_max, 0, grow_size * sizeof(struct yy_buffer_state*)); 
@@ -2330,9 +2520,9 @@ static void settings_parser_ensure_buffer_stack (yyscan_t yyscanner) * @param base the character buffer * @param size the size in bytes of the character buffer * @param yyscanner The scanner object. - * @return the newly allocated buffer state object. + * @return the newly allocated buffer state object. */ -YY_BUFFER_STATE settings_parser__scan_buffer (char * base, yy_size_t size , yyscan_t yyscanner) +YY_BUFFER_STATE yy_scan_buffer (char * base, yy_size_t size , yyscan_t yyscanner) { YY_BUFFER_STATE b; 
@@ -2340,73 +2530,73 @@ YY_BUFFER_STATE settings_parser__scan_buffer (char * base, yy_size_t size , yy base[size-2] != YY_END_OF_BUFFER_CHAR || base[size-1] != YY_END_OF_BUFFER_CHAR ) /* They forgot to leave room for the EOB's. */ - return 0; + return NULL; - b = (YY_BUFFER_STATE) settings_parser_alloc(sizeof( struct yy_buffer_state ) ,yyscanner ); + b = (YY_BUFFER_STATE) yyalloc( sizeof( struct yy_buffer_state ) , yyscanner ); if ( ! b ) - YY_FATAL_ERROR( "out of dynamic memory in settings_parser__scan_buffer()" ); + YY_FATAL_ERROR( "out of dynamic memory in yy_scan_buffer()" ); - b->yy_buf_size = size - 2; /* "- 2" to take care of EOB's */ + b->yy_buf_size = (int) (size - 2); /* "- 2" to take care of EOB's */ b->yy_buf_pos = b->yy_ch_buf = base; b->yy_is_our_buffer = 0; - b->yy_input_file = 0; + b->yy_input_file = NULL; b->yy_n_chars = b->yy_buf_size; b->yy_is_interactive = 0; b->yy_at_bol = 1; b->yy_fill_buffer = 0; b->yy_buffer_status = YY_BUFFER_NEW; - settings_parser__switch_to_buffer(b ,yyscanner ); + yy_switch_to_buffer( b , yyscanner ); return b; } /* %endif */ /* %if-c-only */ -/** Setup the input buffer state to scan a string. The next call to settings_parser_lex() will +/** Setup the input buffer state to scan a string. The next call to yylex() will * scan from a @e copy of @a str. * @param yystr a NUL-terminated string to scan * @param yyscanner The scanner object. * @return the newly allocated buffer state object. * @note If you want to scan bytes that may contain NUL values, then use - * settings_parser__scan_bytes() instead. + * yy_scan_bytes() instead. */ -YY_BUFFER_STATE settings_parser__scan_string (yyconst char * yystr , yyscan_t yyscanner) +YY_BUFFER_STATE yy_scan_string (const char * yystr , yyscan_t yyscanner) { - return settings_parser__scan_bytes(yystr,strlen(yystr) ,yyscanner); + return yy_scan_bytes( yystr, (int) strlen(yystr) , yyscanner); } /* %endif */ /* %if-c-only */ -/** Setup the input buffer state to scan the given bytes. 
The next call to settings_parser_lex() will +/** Setup the input buffer state to scan the given bytes. The next call to yylex() will * scan from a @e copy of @a bytes. * @param yybytes the byte buffer to scan * @param _yybytes_len the number of bytes in the buffer pointed to by @a bytes. * @param yyscanner The scanner object. * @return the newly allocated buffer state object. */ -YY_BUFFER_STATE settings_parser__scan_bytes (yyconst char * yybytes, yy_size_t _yybytes_len , yyscan_t yyscanner) +YY_BUFFER_STATE yy_scan_bytes (const char * yybytes, int _yybytes_len , yyscan_t yyscanner) { YY_BUFFER_STATE b; char *buf; yy_size_t n; - yy_size_t i; + int i; /* Get memory for full buffer, including space for trailing EOB's. */ - n = _yybytes_len + 2; - buf = (char *) settings_parser_alloc(n ,yyscanner ); + n = (yy_size_t) (_yybytes_len + 2); + buf = (char *) yyalloc( n , yyscanner ); if ( ! buf ) - YY_FATAL_ERROR( "out of dynamic memory in settings_parser__scan_bytes()" ); + YY_FATAL_ERROR( "out of dynamic memory in yy_scan_bytes()" ); for ( i = 0; i < _yybytes_len; ++i ) buf[i] = yybytes[i]; buf[_yybytes_len] = buf[_yybytes_len+1] = YY_END_OF_BUFFER_CHAR; - b = settings_parser__scan_buffer(buf,n ,yyscanner); + b = yy_scan_buffer( buf, n , yyscanner); if ( ! b ) - YY_FATAL_ERROR( "bad buffer in settings_parser__scan_bytes()" ); + YY_FATAL_ERROR( "bad buffer in yy_scan_bytes()" ); /* It's okay to grow etc. this buffer, and we should throw it * away when we're done. 
@@ -2429,13 +2619,14 @@ YY_BUFFER_STATE settings_parser__scan_bytes (yyconst char * yybytes, yy_size_t yy_size_t new_size; yyg->yy_start_stack_depth += YY_START_STACK_INCR; - new_size = yyg->yy_start_stack_depth * sizeof( int ); + new_size = (yy_size_t) yyg->yy_start_stack_depth * sizeof( int ); if ( ! yyg->yy_start_stack ) - yyg->yy_start_stack = (int *) settings_parser_alloc(new_size ,yyscanner ); + yyg->yy_start_stack = (int *) yyalloc( new_size , yyscanner ); else - yyg->yy_start_stack = (int *) settings_parser_realloc((void *) yyg->yy_start_stack,new_size ,yyscanner ); + yyg->yy_start_stack = (int *) yyrealloc( + (void *) yyg->yy_start_stack, new_size , yyscanner ); if ( ! yyg->yy_start_stack ) YY_FATAL_ERROR( "out of memory expanding start-condition stack" ); @@ -2474,11 +2665,11 @@ YY_BUFFER_STATE settings_parser__scan_bytes (yyconst char * yybytes, yy_size_t #endif /* %if-c-only */ -static void yy_fatal_error (yyconst char* msg , yyscan_t yyscanner) +static void yynoreturn yy_fatal_error (const char* msg , yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; (void)yyg; - (void) fprintf( stderr, "%s\n", msg ); + fprintf( stderr, "%s\n", msg ); exit( YY_EXIT_FAILURE ); } /* %endif */ @@ -2510,7 +2701,7 @@ static void yy_fatal_error (yyconst char* msg , yyscan_t yyscanner) /** Get the user-defined data for this scanner. * @param yyscanner The scanner object. */ -YY_EXTRA_TYPE settings_parser_get_extra (yyscan_t yyscanner) +YY_EXTRA_TYPE yyget_extra (yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; return yyextra; @@ -2521,10 +2712,10 @@ YY_EXTRA_TYPE settings_parser_get_extra (yyscan_t yyscanner) /** Get the current line number. * @param yyscanner The scanner object. */ -int settings_parser_get_lineno (yyscan_t yyscanner) +int yyget_lineno (yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; - + if (! YY_CURRENT_BUFFER) return 0; 
@@ -2534,10 +2725,10 @@ int settings_parser_get_lineno (yyscan_t yyscanner) /** Get the current column number. * @param yyscanner The scanner object. */ -int settings_parser_get_column (yyscan_t yyscanner) +int yyget_column (yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; - + if (! YY_CURRENT_BUFFER) return 0; @@ -2547,7 +2738,7 @@ int settings_parser_get_column (yyscan_t yyscanner) /** Get the input stream. * @param yyscanner The scanner object. */ -FILE *settings_parser_get_in (yyscan_t yyscanner) +FILE *yyget_in (yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; return yyin; @@ -2556,7 +2747,7 @@ FILE *settings_parser_get_in (yyscan_t yyscanner) /** Get the output stream. * @param yyscanner The scanner object. */ -FILE *settings_parser_get_out (yyscan_t yyscanner) +FILE *yyget_out (yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; return yyout; @@ -2565,7 +2756,7 @@ FILE *settings_parser_get_out (yyscan_t yyscanner) /** Get the length of the current token. * @param yyscanner The scanner object. */ -yy_size_t settings_parser_get_leng (yyscan_t yyscanner) +int yyget_leng (yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; return yyleng; @@ -2575,7 +2766,7 @@ yy_size_t settings_parser_get_leng (yyscan_t yyscanner) * @param yyscanner The scanner object. */ -char *settings_parser_get_text (yyscan_t yyscanner) +char *yyget_text (yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; return yytext; @@ -2587,7 +2778,7 @@ char *settings_parser_get_text (yyscan_t yyscanner) * @param user_defined The data to be associated with this scanner. * @param yyscanner The scanner object. */ -void settings_parser_set_extra (YY_EXTRA_TYPE user_defined , yyscan_t yyscanner) +void yyset_extra (YY_EXTRA_TYPE user_defined , yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; yyextra = user_defined ; 
@@ -2599,13 +2790,13 @@ void settings_parser_set_extra (YY_EXTRA_TYPE user_defined , yyscan_t yyscanner * @param _line_number line number * @param yyscanner The scanner object. */ -void settings_parser_set_lineno (int _line_number , yyscan_t yyscanner) +void yyset_lineno (int _line_number , yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; /* lineno is only valid if an input buffer exists. */ if (! YY_CURRENT_BUFFER ) - YY_FATAL_ERROR( "settings_parser_set_lineno called with no buffer" ); + YY_FATAL_ERROR( "yyset_lineno called with no buffer" ); yylineno = _line_number; } @@ -2614,13 +2805,13 @@ void settings_parser_set_lineno (int _line_number , yyscan_t yyscanner) * @param _column_no column number * @param yyscanner The scanner object. */ -void settings_parser_set_column (int _column_no , yyscan_t yyscanner) +void yyset_column (int _column_no , yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; /* column is only valid if an input buffer exists. */ if (! YY_CURRENT_BUFFER ) - YY_FATAL_ERROR( "settings_parser_set_column called with no buffer" ); + YY_FATAL_ERROR( "yyset_column called with no buffer" ); yycolumn = _column_no; } 
@@ -2629,27 +2820,27 @@ void settings_parser_set_column (int _column_no , yyscan_t yyscanner) * input buffer. * @param _in_str A readable stream. * @param yyscanner The scanner object. - * @see settings_parser__switch_to_buffer + * @see yy_switch_to_buffer */ -void settings_parser_set_in (FILE * _in_str , yyscan_t yyscanner) +void yyset_in (FILE * _in_str , yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; yyin = _in_str ; } -void settings_parser_set_out (FILE * _out_str , yyscan_t yyscanner) +void yyset_out (FILE * _out_str , yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; yyout = _out_str ; } -int settings_parser_get_debug (yyscan_t yyscanner) +int yyget_debug (yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; return yy_flex_debug; } -void settings_parser_set_debug (int _bdebug , yyscan_t yyscanner) +void yyset_debug (int _bdebug , yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; yy_flex_debug = _bdebug ; @@ -2662,13 +2853,13 @@ void settings_parser_set_debug (int _bdebug , yyscan_t yyscanner) /* %if-bison-bridge */ -YYSTYPE * settings_parser_get_lval (yyscan_t yyscanner) +YYSTYPE * yyget_lval (yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; return yylval; } -void settings_parser_set_lval (YYSTYPE * yylval_param , yyscan_t yyscanner) +void yyset_lval (YYSTYPE * yylval_param , yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; yylval = yylval_param; 
@@ -2678,20 +2869,18 @@ void settings_parser_set_lval (YYSTYPE * yylval_param , yyscan_t yyscanner) /* User-visible API */ -/* settings_parser_lex_init is special because it creates the scanner itself, so it is +/* yylex_init is special because it creates the scanner itself, so it is * the ONLY reentrant function that doesn't take the scanner as the last argument. * That's why we explicitly handle the declaration, instead of using our macros. */ - -int settings_parser_lex_init(yyscan_t* ptr_yy_globals) - +int yylex_init(yyscan_t* ptr_yy_globals) { if (ptr_yy_globals == NULL){ errno = EINVAL; return 1; } - *ptr_yy_globals = (yyscan_t) settings_parser_alloc ( sizeof( struct yyguts_t ), NULL ); + *ptr_yy_globals = (yyscan_t) yyalloc ( sizeof( struct yyguts_t ), NULL ); if (*ptr_yy_globals == NULL){ errno = ENOMEM; 
@@ -2704,39 +2893,37 @@ int settings_parser_lex_init(yyscan_t* ptr_yy_globals) return yy_init_globals ( *ptr_yy_globals ); } -/* settings_parser_lex_init_extra has the same functionality as settings_parser_lex_init, but follows the +/* yylex_init_extra has the same functionality as yylex_init, but follows the * convention of taking the scanner as the last argument. Note however, that * this is a *pointer* to a scanner, as it will be allocated by this call (and * is the reason, too, why this function also must handle its own declaration). - * The user defined value in the first argument will be available to settings_parser_alloc in + * The user defined value in the first argument will be available to yyalloc in * the yyextra field. */ - -int settings_parser_lex_init_extra(YY_EXTRA_TYPE yy_user_defined,yyscan_t* ptr_yy_globals ) - +int yylex_init_extra( YY_EXTRA_TYPE yy_user_defined, yyscan_t* ptr_yy_globals ) { struct yyguts_t dummy_yyguts; - settings_parser_set_extra (yy_user_defined, &dummy_yyguts); + yyset_extra (yy_user_defined, &dummy_yyguts); if (ptr_yy_globals == NULL){ errno = EINVAL; return 1; } - - *ptr_yy_globals = (yyscan_t) settings_parser_alloc ( sizeof( struct yyguts_t ), &dummy_yyguts ); - + + *ptr_yy_globals = (yyscan_t) yyalloc ( sizeof( struct yyguts_t ), &dummy_yyguts ); + if (*ptr_yy_globals == NULL){ errno = ENOMEM; return 1; } - + /* By setting to 0xAA, we expose bugs in yy_init_globals. Leave at 0x00 for releases. */ memset(*ptr_yy_globals,0x00,sizeof(struct yyguts_t)); - - settings_parser_set_extra (yy_user_defined, *ptr_yy_globals); - + + yyset_extra (yy_user_defined, *ptr_yy_globals); + return yy_init_globals ( *ptr_yy_globals ); } 
@@ -2747,13 +2934,13 @@ static int yy_init_globals (yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; /* Initialization is the same as for the non-reentrant scanner. - * This function is called from settings_parser_lex_destroy(), so don't allocate here. + * This function is called from yylex_destroy(), so don't allocate here. */ - yyg->yy_buffer_stack = 0; + yyg->yy_buffer_stack = NULL; yyg->yy_buffer_stack_top = 0; yyg->yy_buffer_stack_max = 0; - yyg->yy_c_buf_p = (char *) 0; + yyg->yy_c_buf_p = NULL; yyg->yy_init = 0; yyg->yy_start = 0; 
@@ -2766,45 +2953,45 @@ static int yy_init_globals (yyscan_t yyscanner) yyin = stdin; yyout = stdout; #else - yyin = (FILE *) 0; - yyout = (FILE *) 0; + yyin = NULL; + yyout = NULL; #endif /* For future reference: Set errno on error, since we are called by - * settings_parser_lex_init() + * yylex_init() */ return 0; } /* %endif */ /* %if-c-only SNIP! this currently causes conflicts with the c++ scanner */ -/* settings_parser_lex_destroy is for both reentrant and non-reentrant scanners. */ -int settings_parser_lex_destroy (yyscan_t yyscanner) +/* yylex_destroy is for both reentrant and non-reentrant scanners. */ +int yylex_destroy (yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; /* Pop the buffer stack, destroying each element. */ while(YY_CURRENT_BUFFER){ - settings_parser__delete_buffer(YY_CURRENT_BUFFER ,yyscanner ); + yy_delete_buffer( YY_CURRENT_BUFFER , yyscanner ); YY_CURRENT_BUFFER_LVALUE = NULL; - settings_parser_pop_buffer_state(yyscanner); + yypop_buffer_state(yyscanner); } /* Destroy the stack itself. */ - settings_parser_free(yyg->yy_buffer_stack ,yyscanner); + yyfree(yyg->yy_buffer_stack , yyscanner); yyg->yy_buffer_stack = NULL; /* Destroy the start condition stack. */ - settings_parser_free(yyg->yy_start_stack ,yyscanner ); + yyfree( yyg->yy_start_stack , yyscanner ); yyg->yy_start_stack = NULL; /* Reset the globals. This is important in a non-reentrant scanner so the next time - * settings_parser_lex() is called, initialization will occur. */ + * yylex() is called, initialization will occur. */ yy_init_globals( yyscanner); /* %if-reentrant */ /* Destroy the main struct (reentrant only). */ - settings_parser_free ( yyscanner , yyscanner ); + yyfree ( yyscanner , yyscanner ); yyscanner = NULL; /* %endif */ return 0; 
@@ -2816,7 +3003,7 @@ int settings_parser_lex_destroy (yyscan_t yyscanner) */ #ifndef yytext_ptr -static void yy_flex_strncpy (char* s1, yyconst char * s2, int n , yyscan_t yyscanner) +static void yy_flex_strncpy (char* s1, const char * s2, int n , yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; (void)yyg; @@ -2828,7 +3015,7 @@ static void yy_flex_strncpy (char* s1, yyconst char * s2, int n , yyscan_t yysca #endif #ifdef YY_NEED_STRLEN -static int yy_flex_strlen (yyconst char * s , yyscan_t yyscanner) +static int yy_flex_strlen (const char * s , yyscan_t yyscanner) { int n; for ( n = 0; s[n]; ++n ) @@ -2838,14 +3025,14 @@ static int yy_flex_strlen (yyconst char * s , yyscan_t yyscanner) } #endif -void *settings_parser_alloc (yy_size_t size , yyscan_t yyscanner) +void *yyalloc (yy_size_t size , yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; (void)yyg; - return (void *) malloc( size ); + return malloc(size); } -void *settings_parser_realloc (void * ptr, yy_size_t size , yyscan_t yyscanner) +void *yyrealloc (void * ptr, yy_size_t size , yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; (void)yyg; @@ -2857,14 +3044,14 @@ void *settings_parser_realloc (void * ptr, yy_size_t size , yyscan_t yyscanner * any pointer type to void*, and deal with argument conversions * as though doing an assignment. */ - return (void *) realloc( (char *) ptr, size ); + return realloc(ptr, size); } -void settings_parser_free (void * ptr , yyscan_t yyscanner) +void yyfree (void * ptr , yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; (void)yyg; - free( (char *) ptr ); /* see settings_parser_realloc() for (char *) cast */ + free( (char *) ptr ); /* see yyrealloc() for (char *) cast */ } /* %if-tables-serialization definitions */ 
@@ -2874,8 +3061,7 @@ void settings_parser_free (void * ptr , yyscan_t yyscanner) /* %ok-for-header */ -#line 236 "settings/settings_lexer.l" - +#line 241 "settings/settings_lexer.l" /** diff --git a/src/libstrongswan/settings/settings_lexer.l b/src/libstrongswan/settings/settings_lexer.l index 19ab8d7b2..e8c2b9884 100644 --- a/src/libstrongswan/settings/settings_lexer.l +++ b/src/libstrongswan/settings/settings_lexer.l @@ -32,6 +32,11 @@ static void include_files(parser_helper_t *ctx); /* do not declare unneeded functions */ %option noinput noyywrap +/* do not include unistd.h as it might conflict with our scanner states */ +%option nounistd +/* due to that disable interactive mode, which requires isatty() */ +%option never-interactive + /* don't use global variables, and interact properly with bison */ %option reentrant bison-bridge diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am index 5737e7a17..d4cac5a3b 100644 --- a/src/libstrongswan/tests/Makefile.am +++ b/src/libstrongswan/tests/Makefile.am @@ -58,6 +58,7 @@ libstrongswan_tests_SOURCES = tests.h tests.c \ suites/test_mgf1.c \ suites/test_ntru.c \ suites/test_ed25519.c \ + suites/test_ed448.c \ suites/test_signature_params.c libstrongswan_tests_CFLAGS = \ diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in index c5b943572..664c84f3f 100644 --- a/src/libstrongswan/tests/Makefile.in +++ b/src/libstrongswan/tests/Makefile.in @@ -163,6 +163,7 @@ am_libstrongswan_tests_OBJECTS = libstrongswan_tests-tests.$(OBJEXT) \ suites/libstrongswan_tests-test_mgf1.$(OBJEXT) \ suites/libstrongswan_tests-test_ntru.$(OBJEXT) \ suites/libstrongswan_tests-test_ed25519.$(OBJEXT) \ + suites/libstrongswan_tests-test_ed448.$(OBJEXT) \ suites/libstrongswan_tests-test_signature_params.$(OBJEXT) libstrongswan_tests_OBJECTS = $(am_libstrongswan_tests_OBJECTS) libstrongswan_tests_DEPENDENCIES = \ 
@@ -548,6 +549,7 @@ libstrongswan_tests_SOURCES = tests.h tests.c \ suites/test_mgf1.c \ suites/test_ntru.c \ suites/test_ed25519.c \ + suites/test_ed448.c \ suites/test_signature_params.c libstrongswan_tests_CFLAGS = \ @@ -708,6 +710,8 @@ suites/libstrongswan_tests-test_ntru.$(OBJEXT): \ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) suites/libstrongswan_tests-test_ed25519.$(OBJEXT): \ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_ed448.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) suites/libstrongswan_tests-test_signature_params.$(OBJEXT): \ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) @@ -740,6 +744,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_ecdsa.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_ed25519.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_ed448.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_enum.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_enumerator.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_fetch_http.Po@am__quote@ 
@@ -1359,6 +1364,20 @@ suites/libstrongswan_tests-test_ed25519.obj: suites/test_ed25519.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_ed25519.obj `if test -f 'suites/test_ed25519.c'; then $(CYGPATH_W) 'suites/test_ed25519.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ed25519.c'; fi` +suites/libstrongswan_tests-test_ed448.o: suites/test_ed448.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_ed448.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_ed448.Tpo -c -o suites/libstrongswan_tests-test_ed448.o `test -f 'suites/test_ed448.c' || echo '$(srcdir)/'`suites/test_ed448.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_ed448.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_ed448.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ed448.c' object='suites/libstrongswan_tests-test_ed448.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_ed448.o `test -f 'suites/test_ed448.c' || echo '$(srcdir)/'`suites/test_ed448.c + +suites/libstrongswan_tests-test_ed448.obj: suites/test_ed448.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_ed448.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_ed448.Tpo -c -o suites/libstrongswan_tests-test_ed448.obj `if test 
-f 'suites/test_ed448.c'; then $(CYGPATH_W) 'suites/test_ed448.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ed448.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_ed448.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_ed448.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ed448.c' object='suites/libstrongswan_tests-test_ed448.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_ed448.obj `if test -f 'suites/test_ed448.c'; then $(CYGPATH_W) 'suites/test_ed448.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ed448.c'; fi` + suites/libstrongswan_tests-test_signature_params.o: suites/test_signature_params.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_signature_params.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Tpo -c -o suites/libstrongswan_tests-test_signature_params.o `test -f 'suites/test_signature_params.c' || echo '$(srcdir)/'`suites/test_signature_params.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Po diff --git a/src/libstrongswan/tests/suites/test_ed25519.c b/src/libstrongswan/tests/suites/test_ed25519.c index 86cbb1bc0..c52b90885 100644 --- a/src/libstrongswan/tests/suites/test_ed25519.c +++ b/src/libstrongswan/tests/suites/test_ed25519.c 
@@ -24,10 +24,12 @@ struct sig_test_t { chunk_t pubkey; chunk_t msg; chunk_t sig; + chunk_t fp_pk; + chunk_t fp_spki; }; /** - * Ed25519 Test Vectors from draft-irtf-cfrg-eddsa + * Ed25519 Test Vectors from RFC 8032 */ static sig_test_t sig_tests[] = { /* Test 1 */ @@ -51,7 +53,13 @@ static sig_test_t sig_tests[] = { 0x01, 0x55, 0x5f, 0xb8, 0x82, 0x15, 0x90, 0xa3, 0x3b, 0xac, 0xc6, 0x1e, 0x39, 0x70, 0x1c, 0xf9, 0xb4, 0x6b, 0xd2, 0x5b, 0xf5, 0xf0, 0x59, 0x5b, 0xbe, 0x24, 0x65, 0x51, 0x41, 0x43, - 0x8e, 0x7a, 0x10, 0x0b) + 0x8e, 0x7a, 0x10, 0x0b), + chunk_from_chars( + 0x5b, 0x27, 0xaa, 0x55, 0x89, 0x17, 0x97, 0x70, 0xe4, 0x75, + 0x75, 0xb1, 0x62, 0xa1, 0xde, 0xd9, 0x7b, 0x8b, 0xfc, 0x6d), + chunk_from_chars( + 0xa5, 0x66, 0xbe, 0x19, 0x84, 0x01, 0x73, 0x41, 0x3a, 0x61, + 0x04, 0x83, 0x50, 0xef, 0xf2, 0x3e, 0x8f, 0xe2, 0x22, 0x66), }, /* Test 2 */ { chunk_from_chars( @@ -75,7 +83,13 @@ static sig_test_t sig_tests[] = { 0x69, 0xda, 0x08, 0x5a, 0xc1, 0xe4, 0x3e, 0x15, 0x99, 0x6e, 0x45, 0x8f, 0x36, 0x13, 0xd0, 0xf1, 0x1d, 0x8c, 0x38, 0x7b, 0x2e, 0xae, 0xb4, 0x30, 0x2a, 0xee, 0xb0, 0x0d, 0x29, 0x16, - 0x12, 0xbb, 0x0c, 0x00) + 0x12, 0xbb, 0x0c, 0x00), + chunk_from_chars( + 0x13, 0xf7, 0x72, 0x66, 0x9e, 0x15, 0x2a, 0xe6, 0xa6, 0x2a, + 0x60, 0xa3, 0x48, 0x8a, 0x6f, 0x29, 0x7d, 0x06, 0x13, 0xdd), + chunk_from_chars( + 0xbd, 0xae, 0x41, 0xeb, 0x5d, 0xbf, 0x88, 0xb9, 0xdf, 0x18, + 0xda, 0xbb, 0x2d, 0xee, 0xa9, 0x1a, 0x4e, 0x03, 0x38, 0xe4), }, /* Test 3 */ { chunk_from_chars( 
@@ -99,7 +113,13 @@ static sig_test_t sig_tests[] = { 0xc3, 0xac, 0x18, 0xff, 0x9b, 0x53, 0x8d, 0x16, 0xf2, 0x90, 0xae, 0x67, 0xf7, 0x60, 0x98, 0x4d, 0xc6, 0x59, 0x4a, 0x7c, 0x15, 0xe9, 0x71, 0x6e, 0xd2, 0x8d, 0xc0, 0x27, 0xbe, 0xce, - 0xea, 0x1e, 0xc4, 0x0a) + 0xea, 0x1e, 0xc4, 0x0a), + chunk_from_chars( + 0x88, 0xc7, 0x64, 0xc8, 0xbe, 0x44, 0x37, 0x4a, 0x7d, 0x2f, + 0x5d, 0x84, 0x72, 0x1f, 0x8e, 0x32, 0x5e, 0x5b, 0xd6, 0x4c), + chunk_from_chars( + 0xad, 0x01, 0x30, 0xb1, 0x2b, 0x48, 0x62, 0x9b, 0xb9, 0xad, + 0xea, 0x92, 0x1f, 0xfe, 0xd2, 0x9a, 0x42, 0xf0, 0xad, 0xe6), }, /* Test 1024 */ { chunk_from_chars( @@ -235,7 +255,13 @@ static sig_test_t sig_tests[] = { 0xc3, 0x50, 0xaa, 0x53, 0x71, 0xb1, 0x50, 0x8f, 0x9f, 0x45, 0x28, 0xec, 0xea, 0x23, 0xc4, 0x36, 0xd9, 0x4b, 0x5e, 0x8f, 0xcd, 0x4f, 0x68, 0x1e, 0x30, 0xa6, 0xac, 0x00, 0xa9, 0x70, - 0x4a, 0x18, 0x8a, 0x03) + 0x4a, 0x18, 0x8a, 0x03), + chunk_from_chars( + 0x11, 0x2d, 0xb3, 0x08, 0x97, 0x6e, 0x38, 0x8f, 0x5f, 0x5e, + 0xb0, 0xae, 0x8f, 0x5f, 0x59, 0x1d, 0xff, 0x74, 0xf4, 0x44), + chunk_from_chars( + 0xcb, 0x36, 0xcc, 0x6a, 0x82, 0x2c, 0x49, 0x40, 0xfb, 0x08, + 0x04, 0xf6, 0x3a, 0x4f, 0x20, 0x2b, 0xe5, 0x73, 0x43, 0x2f), }, /* Test SHA(abc) */ { chunk_from_chars( @@ -265,7 +291,13 @@ static sig_test_t sig_tests[] = { 0xb5, 0x89, 0x09, 0x35, 0x1f, 0xc9, 0xac, 0x90, 0xb3, 0xec, 0xfd, 0xfb, 0xc7, 0xc6, 0x64, 0x31, 0xe0, 0x30, 0x3d, 0xca, 0x17, 0x9c, 0x13, 0x8a, 0xc1, 0x7a, 0xd9, 0xbe, 0xf1, 0x17, - 0x73, 0x31, 0xa7, 0x04) + 0x73, 0x31, 0xa7, 0x04), + chunk_from_chars( + 0x26, 0x4c, 0xa5, 0x7f, 0x89, 0x6d, 0x64, 0x81, 0xd1, 0x87, + 0xe9, 0x89, 0x47, 0x29, 0x5a, 0xfe, 0xe3, 0x6d, 0x82, 0x44), + chunk_from_chars( + 0x27, 0x88, 0xfc, 0x14, 0xb1, 0xcd, 0xd0, 0x24, 0xd5, 0x9d, + 0x31, 0x65, 0x59, 0x63, 0x69, 0xcf, 0xaf, 0x50, 0x10, 0xe7), } }; 
@@ -273,24 +305,34 @@ START_TEST(test_ed25519_sign) { private_key_t *key; public_key_t *pubkey, *public; - chunk_t sig, encoding; + chunk_t sig, encoding, fp; /* load private key */ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED25519, BUILD_BLOB_ASN1_DER, sig_tests[_i].key, BUILD_END); ck_assert(key != NULL); ck_assert(key->get_encoding(key, PRIVKEY_ASN1_DER, &encoding)); - ck_assert(chunk_equals(encoding, sig_tests[_i].key)); + ck_assert_chunk_eq(encoding, sig_tests[_i].key); chunk_free(&encoding); + ck_assert(key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fp)); + ck_assert_chunk_eq(sig_tests[_i].fp_pk, fp); + ck_assert(key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &fp)); + ck_assert_chunk_eq(sig_tests[_i].fp_spki, fp); + /* load public key */ pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED25519, BUILD_BLOB_ASN1_DER, sig_tests[_i].pubkey, BUILD_END); ck_assert(pubkey != NULL); ck_assert(pubkey->get_encoding(pubkey, PUBKEY_SPKI_ASN1_DER, &encoding)); - ck_assert(chunk_equals(encoding, sig_tests[_i].pubkey)); + ck_assert_chunk_eq(encoding, sig_tests[_i].pubkey); chunk_free(&encoding); + ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_SHA1, &fp)); + ck_assert_chunk_eq(sig_tests[_i].fp_pk, fp); + ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_INFO_SHA1, &fp)); + ck_assert_chunk_eq(sig_tests[_i].fp_spki, fp); + /* compare public keys */ public = key->get_public_key(key); ck_assert(public != NULL); @@ -299,7 +341,7 @@ START_TEST(test_ed25519_sign) /* sign */ ck_assert(key->sign(key, SIGN_ED25519, NULL, sig_tests[_i].msg, &sig)); ck_assert(sig.len == 64); - ck_assert(chunk_equals(sig, sig_tests[_i].sig)); + ck_assert_chunk_eq(sig, sig_tests[_i].sig); /* verify */ ck_assert(pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[_i].msg, 
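Review bot: The new fingerprint assertions in test_ed25519_sign put the expected value first, `ck_assert_chunk_eq(sig_tests[_i].fp_pk, fp)`, while the encoding checks right above keep the actual value first, `ck_assert_chunk_eq(encoding, sig_tests[_i].key)`, so on a mismatch the failure output reads the wrong way round for one of the two. Pick one order for the whole test, e.g. `ck_assert_chunk_eq(fp, sig_tests[_i].fp_pk);` and `ck_assert_chunk_eq(fp, sig_tests[_i].fp_spki);` for both the private and the public key. The same `fp` is reused across two get_fingerprint calls per key with no chunk_free, which presumably relies on the key object handing out a cached reference rather than an allocation — worth confirming, and a short comment such as `/* fingerprints are owned by the key, not freed here */` would spare the next reader the same question. The body of test_ed25519_sign continues outside the hunk.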
@@ -364,7 +406,7 @@ START_TEST(test_ed25519_gen) ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_SHA1, &fp_pub)); ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_SHA1, &fp_pub)); ck_assert(fp_pub.ptr != NULL); - ck_assert(chunk_equals(fp_pub, fp_priv)); + ck_assert_chunk_eq(fp_pub, fp_priv); /* clone public key */ pubkey2 = pubkey->get_ref(pubkey); @@ -429,6 +471,16 @@ static chunk_t zero_pk = chunk_from_chars( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00); +/* sig_tests[0].sig with s+L */ +static chunk_t malleable_sig = chunk_from_chars( + 0xe5, 0x56, 0x43, 0x00, 0xc3, 0x60, 0xac, 0x72, 0x90, 0x86, + 0xe2, 0xcc, 0x80, 0x6e, 0x82, 0x8a, 0x84, 0x87, 0x7f, 0x1e, + 0xb8, 0xe5, 0xd9, 0x74, 0xd8, 0x73, 0xe0, 0x65, 0x22, 0x49, + 0x01, 0x55, 0x4c, 0x8c, 0x78, 0x72, 0xaa, 0x06, 0x4e, 0x04, + 0x9d, 0xbb, 0x30, 0x13, 0xfb, 0xf2, 0x93, 0x80, 0xd2, 0x5b, + 0xf5, 0xf0, 0x59, 0x5b, 0xbe, 0x24, 0x65, 0x51, 0x41, 0x43, + 0x8e, 0x7a, 0x10, 0x1b); + START_TEST(test_ed25519_fail) { private_key_t *key; @@ -479,6 +531,16 @@ START_TEST(test_ed25519_fail) ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, NULL, chunk_empty, chunk_empty)); + /* RFC 8032, section 5.1.7 requires that 0 <= s < L to prevent signature + * malleability. Only a warning because Botan and OpenSSL are both + * vulnerable to this. */ + if (pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[0].msg, + malleable_sig)) + { + warn("Ed25519 signature verification is vulnerable to malleable " + "signatures"); + } + /* malformed signature */ sig = chunk_create(sig1, 64); memcpy(sig1, sig_tests[0].sig.ptr, 64); diff --git a/src/libstrongswan/tests/suites/test_ed448.c b/src/libstrongswan/tests/suites/test_ed448.c new file mode 100644 index 000000000..288da19a0 --- /dev/null +++ b/src/libstrongswan/tests/suites/test_ed448.c 
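Review bot: The malleability probe in test_ed25519_fail only calls warn() when the backend accepts `malleable_sig`, so a verify implementation that skips the 0 <= s < L check from RFC 8032 section 5.1.7 still passes the suite; the comment explains why, but it should also say whether this is meant to become a hard ck_assert once the named backends enforce the range check, otherwise the warning will be ignored indefinitely. The `malleable_sig` definition in the preceding hunk deserves a fuller comment than `/* sig_tests[0].sig with s+L */`, e.g. `/* sig_tests[0].sig with L (the Ed25519 group order) added to the scalar S; [L]B is the identity, so the verification equation still holds unless S is range-checked */`. The body of test_ed25519_fail continues outside the hunk.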
@@ -0,0 +1,654 @@
+/*
+ * Copyright (C) 2018 Tobias Brunner
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include
+
+typedef struct sig_test_t sig_test_t;
+
+struct sig_test_t {
+ chunk_t key;
+ chunk_t pubkey;
+ chunk_t msg;
+ chunk_t sig;
+ chunk_t fp_pk;
+ chunk_t fp_spki;
+};
+
+/**
+ * Ed448 Test Vectors from RFC 8032
+ */
+static sig_test_t sig_tests[] = {
+ /* Blank */
+ { chunk_from_chars(
+ 0x30,0x47,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x04,0x3b,0x04,0x39,
+ 0x6c,0x82,0xa5,0x62,0xcb,0x80,0x8d,0x10,0xd6,0x32,0xbe,0x89,0xc8,0x51,0x3e,0xbf,
+ 0x6c,0x92,0x9f,0x34,0xdd,0xfa,0x8c,0x9f,0x63,0xc9,0x96,0x0e,0xf6,0xe3,0x48,0xa3,
+ 0x52,0x8c,0x8a,0x3f,0xcc,0x2f,0x04,0x4e,0x39,0xa3,0xfc,0x5b,0x94,0x49,0x2f,0x8f,
+ 0x03,0x2e,0x75,0x49,0xa2,0x00,0x98,0xf9,0x5b),
+ chunk_from_chars(
+ 0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0x5f,0xd7,0x44,0x9b,
+ 0x59,0xb4,0x61,0xfd,0x2c,0xe7,0x87,0xec,0x61,0x6a,0xd4,0x6a,0x1d,0xa1,0x34,0x24,
+ 0x85,0xa7,0x0e,0x1f,0x8a,0x0e,0xa7,0x5d,0x80,0xe9,0x67,0x78,0xed,0xf1,0x24,0x76,
+ 0x9b,0x46,0xc7,0x06,0x1b,0xd6,0x78,0x3d,0xf1,0xe5,0x0f,0x6c,0xd1,0xfa,0x1a,0xbe,
+ 0xaf,0xe8,0x25,0x61,0x80),
+ { NULL, 0 },
+ chunk_from_chars(
+ 0x53,0x3a,0x37,0xf6,0xbb,0xe4,0x57,0x25,0x1f,0x02,0x3c,0x0d,0x88,0xf9,0x76,0xae,
+ 0x2d,0xfb,0x50,0x4a,0x84,0x3e,0x34,0xd2,0x07,0x4f,0xd8,0x23,0xd4,0x1a,0x59,0x1f,
+ 0x2b,0x23,0x3f,0x03,0x4f,0x62,0x82,0x81,0xf2,0xfd,0x7a,0x22,0xdd,0xd4,0x7d,0x78,
+ 0x28,0xc5,0x9b,0xd0,0xa2,0x1b,0xfd,0x39,0x80,0xff,0x0d,0x20,0x28,0xd4,0xb1,0x8a,
+ 0x9d,0xf6,0x3e,0x00,0x6c,0x5d,0x1c,0x2d,0x34,0x5b,0x92,0x5d,0x8d,0xc0,0x0b,0x41,
+ 0x04,0x85,0x2d,0xb9,0x9a,0xc5,0xc7,0xcd,0xda,0x85,0x30,0xa1,0x13,0xa0,0xf4,0xdb,
+ 0xb6,0x11,0x49,0xf0,0x5a,0x73,0x63,0x26,0x8c,0x71,0xd9,0x58,0x08,0xff,0x2e,0x65,
+ 0x26,0x00),
+ chunk_from_chars(
+ 0x6d,0xe0,0x8a,0x72,0x35,0x1e,0xf1,0xad,0xeb,0xca,0x2c,0xd7,0xf1,0xfd,0xa6,0x91,
+ 0x54,0xad,0xfa,0x4f),
+ chunk_from_chars(
+ 0x1b,0x7a,0x47,0x56,0x91,0xb8,0x41,0x33,0x0d,0x2e,0x4d,0xa5,0xe6,0x13,0xb9,0x89,
+ 0xda,0xce,0xc5,0x8e),
+ },
+ /* 1 octet */
+ { chunk_from_chars(
+ 0x30,0x47,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x04,0x3b,0x04,0x39,
+ 0xc4,0xea,0xb0,0x5d,0x35,0x70,0x07,0xc6,0x32,0xf3,0xdb,0xb4,0x84,0x89,0x92,0x4d,
+ 0x55,0x2b,0x08,0xfe,0x0c,0x35,0x3a,0x0d,0x4a,0x1f,0x00,0xac,0xda,0x2c,0x46,0x3a,
+ 0xfb,0xea,0x67,0xc5,0xe8,0xd2,0x87,0x7c,0x5e,0x3b,0xc3,0x97,0xa6,0x59,0x94,0x9e,
+ 0xf8,0x02,0x1e,0x95,0x4e,0x0a,0x12,0x27,0x4e),
+ chunk_from_chars(
+ 0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0x43,0xba,0x28,0xf4,
+ 0x30,0xcd,0xff,0x45,0x6a,0xe5,0x31,0x54,0x5f,0x7e,0xcd,0x0a,0xc8,0x34,0xa5,0x5d,
+ 0x93,0x58,0xc0,0x37,0x2b,0xfa,0x0c,0x6c,0x67,0x98,0xc0,0x86,0x6a,0xea,0x01,0xeb,
+ 0x00,0x74,0x28,0x02,0xb8,0x43,0x8e,0xa4,0xcb,0x82,0x16,0x9c,0x23,0x51,0x60,0x62,
+ 0x7b,0x4c,0x3a,0x94,0x80),
+ chunk_from_chars(
+ 0x03),
+ chunk_from_chars(
+ 0x26,0xb8,0xf9,0x17,0x27,0xbd,0x62,0x89,0x7a,0xf1,0x5e,0x41,0xeb,0x43,0xc3,0x77,
+ 0xef,0xb9,0xc6,0x10,0xd4,0x8f,0x23,0x35,0xcb,0x0b,0xd0,0x08,0x78,0x10,0xf4,0x35,
+ 0x25,0x41,0xb1,0x43,0xc4,0xb9,0x81,0xb7,0xe1,0x8f,0x62,0xde,0x8c,0xcd,0xf6,0x33,
+ 0xfc,0x1b,0xf0,0x37,0xab,0x7c,0xd7,0x79,0x80,0x5e,0x0d,0xbc,0xc0,0xaa,0xe1,0xcb,
+ 0xce,0xe1,0xaf,0xb2,0xe0,0x27,0xdf,0x36,0xbc,0x04,0xdc,0xec,0xbf,0x15,0x43,0x36,
+ 0xc1,0x9f,0x0a,0xf7,0xe0,0xa6,0x47,0x29,0x05,0xe7,0x99,0xf1,0x95,0x3d,0x2a,0x0f,
+ 0xf3,0x34,0x8a,0xb2,0x1a,0xa4,0xad,0xaf,0xd1,0xd2,0x34,0x44,0x1c,0xf8,0x07,0xc0,
+ 0x3a,0x00),
+ chunk_from_chars(
+ 0x74,0xa7,0x4b,0x23,0x69,0x98,0x17,0x46,0x1f,0xca,0xcf,0x84,0xf7,0xc6,0x3e,0x05,
+ 0x2a,0x1b,0xf9,0xb8),
+ chunk_from_chars(
+ 0xf6,0x76,0xf7,0x63,0x82,0x2b,0x53,0x5c,0x61,0x9c,0xfa,0x4a,0x59,0x7d,0xdd,0xae,
+ 0x13,0x34,0xf0,0xb1),
+ },
+ /* 11 octets */
+ { chunk_from_chars(
+ 0x30,0x47,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x04,0x3b,0x04,0x39,
+ 0xcd,0x23,0xd2,0x4f,0x71,0x42,0x74,0xe7,0x44,0x34,0x32,0x37,0xb9,0x32,0x90,0xf5,
+ 0x11,0xf6,0x42,0x5f,0x98,0xe6,0x44,0x59,0xff,0x20,0x3e,0x89,0x85,0x08,0x3f,0xfd,
+ 0xf6,0x05,0x00,0x55,0x3a,0xbc,0x0e,0x05,0xcd,0x02,0x18,0x4b,0xdb,0x89,0xc4,0xcc,
+ 0xd6,0x7e,0x18,0x79,0x51,0x26,0x7e,0xb3,0x28),
+ chunk_from_chars(
+ 0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0xdc,0xea,0x9e,0x78,
+ 0xf3,0x5a,0x1b,0xf3,0x49,0x9a,0x83,0x1b,0x10,0xb8,0x6c,0x90,0xaa,0xc0,0x1c,0xd8,
+ 0x4b,0x67,0xa0,0x10,0x9b,0x55,0xa3,0x6e,0x93,0x28,0xb1,0xe3,0x65,0xfc,0xe1,0x61,
+ 0xd7,0x1c,0xe7,0x13,0x1a,0x54,0x3e,0xa4,0xcb,0x5f,0x7e,0x9f,0x1d,0x8b,0x00,0x69,
+ 0x64,0x47,0x00,0x14,0x00),
+ chunk_from_chars(
+ 0x0c,0x3e,0x54,0x40,0x74,0xec,0x63,0xb0,0x26,0x5e,0x0c),
+ chunk_from_chars(
+ 0x1f,0x0a,0x88,0x88,0xce,0x25,0xe8,0xd4,0x58,0xa2,0x11,0x30,0x87,0x9b,0x84,0x0a,
+ 0x90,0x89,0xd9,0x99,0xaa,0xba,0x03,0x9e,0xaf,0x3e,0x3a,0xfa,0x09,0x0a,0x09,0xd3,
+ 0x89,0xdb,0xa8,0x2c,0x4f,0xf2,0xae,0x8a,0xc5,0xcd,0xfb,0x7c,0x55,0xe9,0x4d,0x5d,
+ 0x96,0x1a,0x29,0xfe,0x01,0x09,0x94,0x1e,0x00,0xb8,0xdb,0xde,0xea,0x6d,0x3b,0x05,
+ 0x10,0x68,0xdf,0x72,0x54,0xc0,0xcd,0xc1,0x29,0xcb,0xe6,0x2d,0xb2,0xdc,0x95,0x7d,
+ 0xbb,0x47,0xb5,0x1f,0xd3,0xf2,0x13,0xfb,0x86,0x98,0xf0,0x64,0x77,0x42,0x50,0xa5,
+ 0x02,0x89,0x61,0xc9,0xbf,0x8f,0xfd,0x97,0x3f,0xe5,0xd5,0xc2,0x06,0x49,0x2b,0x14,
+ 0x0e,0x00),
+ chunk_from_chars(
+ 0x3b,0x56,0x55,0xa4,0xce,0x4c,0xec,0x67,0x77,0x9c,0x9f,0xeb,0xfe,0x6f,0x38,0xba,
+ 0x88,0xc2,0x25,0x10),
+ chunk_from_chars(
+ 0x71,0xcb,0xf2,0xb7,0x1b,0x3b,0x77,0xcb,0xd6,0x41,0x05,0x02,0x72,0x31,0xa6,0x91,
+ 0x27,0x3f,0xe5,0x51),
+ },
+ /* 12 octets */
+ { chunk_from_chars(
+ 0x30,0x47,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x04,0x3b,0x04,0x39,
+ 0x25,0x8c,0xdd,0x4a,0xda,0x32,0xed,0x9c,0x9f,0xf5,0x4e,0x63,0x75,0x6a,0xe5,0x82,
+ 0xfb,0x8f,0xab,0x2a,0xc7,0x21,0xf2,0xc8,0xe6,0x76,0xa7,0x27,0x68,0x51,0x3d,0x93,
+ 0x9f,0x63,0xdd,0xdb,0x55,0x60,0x91,0x33,0xf2,0x9a,0xdf,0x86,0xec,0x99,0x29,0xdc,
+ 0xcb,0x52,0xc1,0xc5,0xfd,0x2f,0xf7,0xe2,0x1b),
+ chunk_from_chars(
+ 0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0x3b,0xa1,0x6d,0xa0,
+ 0xc6,0xf2,0xcc,0x1f,0x30,0x18,0x77,0x40,0x75,0x6f,0x5e,0x79,0x8d,0x6b,0xc5,0xfc,
+ 0x01,0x5d,0x7c,0x63,0xcc,0x95,0x10,0xee,0x3f,0xd4,0x4a,0xdc,0x24,0xd8,0xe9,0x68,
+ 0xb6,0xe4,0x6e,0x6f,0x94,0xd1,0x9b,0x94,0x53,0x61,0x72,0x6b,0xd7,0x5e,0x14,0x9e,
+ 0xf0,0x98,0x17,0xf5,0x80),
+ chunk_from_chars(
+ 0x64,0xa6,0x5f,0x3c,0xde,0xdc,0xdd,0x66,0x81,0x1e,0x29,0x15),
+ chunk_from_chars(
+ 0x7e,0xee,0xab,0x7c,0x4e,0x50,0xfb,0x79,0x9b,0x41,0x8e,0xe5,0xe3,0x19,0x7f,0xf6,
+ 0xbf,0x15,0xd4,0x3a,0x14,0xc3,0x43,0x89,0xb5,0x9d,0xd1,0xa7,0xb1,0xb8,0x5b,0x4a,
+ 0xe9,0x04,0x38,0xac,0xa6,0x34,0xbe,0xa4,0x5e,0x3a,0x26,0x95,0xf1,0x27,0x0f,0x07,
+ 0xfd,0xcd,0xf7,0xc6,0x2b,0x8e,0xfe,0xaf,0x00,0xb4,0x5c,0x2c,0x96,0xba,0x45,0x7e,
+ 0xb1,0xa8,0xbf,0x07,0x5a,0x3d,0xb2,0x8e,0x5c,0x24,0xf6,0xb9,0x23,0xed,0x4a,0xd7,
+ 0x47,0xc3,0xc9,0xe0,0x3c,0x70,0x79,0xef,0xb8,0x7c,0xb1,0x10,0xd3,0xa9,0x98,0x61,
+ 0xe7,0x20,0x03,0xcb,0xae,0x6d,0x6b,0x8b,0x82,0x7e,0x4e,0x6c,0x14,0x30,0x64,0xff,
+ 0x3c,0x00),
+ chunk_from_chars(
+ 0x56,0x8e,0xad,0x67,0xa7,0x83,0x78,0xfe,0x8f,0xaf,0xa7,0x87,0x2e,0xc8,0x95,0xa0,
+ 0xde,0x05,0x37,0x4c),
+ chunk_from_chars(
+ 0xed,0x1b,0xe5,0xa1,0x97,0x23,0x59,0x4d,0x86,0x6b,0x6b,0xef,0xfb,0x81,0xe4,0x8e,
+ 0xf7,0x42,0xe0,0x81),
+ },
+ /* 13 octets */
+ { chunk_from_chars(
+ 0x30,0x47,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x04,0x3b,0x04,0x39,
+ 0x7e,0xf4,0xe8,0x45,0x44,0x23,0x67,0x52,0xfb,0xb5,0x6b,0x8f,0x31,0xa2,0x3a,0x10,
+ 0xe4,0x28,0x14,0xf5,0xf5,0x5c,0xa0,0x37,0xcd,0xcc,0x11,0xc6,0x4c,0x9a,0x3b,0x29,
+ 0x49,0xc1,0xbb,0x60,0x70,0x03,0x14,0x61,0x17,0x32,0xa6,0xc2,0xfe,0xa9,0x8e,0xeb,
+ 0xc0,0x26,0x6a,0x11,0xa9,0x39,0x70,0x10,0x0e),
+ chunk_from_chars(
+ 0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0xb3,0xda,0x07,0x9b,
+ 0x0a,0xa4,0x93,0xa5,0x77,0x20,0x29,0xf0,0x46,0x7b,0xae,0xbe,0xe5,0xa8,0x11,0x2d,
+ 0x9d,0x3a,0x22,0x53,0x23,0x61,0xda,0x29,0x4f,0x7b,0xb3,0x81,0x5c,0x5d,0xc5,0x9e,
+ 0x17,0x6b,0x4d,0x9f,0x38,0x1c,0xa0,0x93,0x8e,0x13,0xc6,0xc0,0x7b,0x17,0x4b,0xe6,
+ 0x5d,0xfa,0x57,0x8e,0x80),
+ chunk_from_chars(
+ 0x64,0xa6,0x5f,0x3c,0xde,0xdc,0xdd,0x66,0x81,0x1e,0x29,0x15,0xe7),
+ chunk_from_chars(
+ 0x6a,0x12,0x06,0x6f,0x55,0x33,0x1b,0x6c,0x22,0xac,0xd5,0xd5,0xbf,0xc5,0xd7,0x12,
+ 0x28,0xfb,0xda,0x80,0xae,0x8d,0xec,0x26,0xbd,0xd3,0x06,0x74,0x3c,0x50,0x27,0xcb,
+ 0x48,0x90,0x81,0x0c,0x16,0x2c,0x02,0x74,0x68,0x67,0x5e,0xcf,0x64,0x5a,0x83,0x17,
+ 0x6c,0x0d,0x73,0x23,0xa2,0xcc,0xde,0x2d,0x80,0xef,0xe5,0xa1,0x26,0x8e,0x8a,0xca,
+ 0x1d,0x6f,0xbc,0x19,0x4d,0x3f,0x77,0xc4,0x49,0x86,0xeb,0x4a,0xb4,0x17,0x79,0x19,
+ 0xad,0x8b,0xec,0x33,0xeb,0x47,0xbb,0xb5,0xfc,0x6e,0x28,0x19,0x6f,0xd1,0xca,0xf5,
+ 0x6b,0x4e,0x7e,0x0b,0xa5,0x51,0x92,0x34,0xd0,0x47,0x15,0x5a,0xc7,0x27,0xa1,0x05,
+ 0x31,0x00),
+ chunk_from_chars(
+ 0x6e,0xb1,0xb6,0x33,0x76,0xa8,0x0f,0x84,0x26,0x23,0xfb,0xaa,0x9e,0xaa,0x1d,0x8d,
+ 0x6d,0xa5,0x75,0x4e),
+ chunk_from_chars(
+ 0xfa,0x2f,0xeb,0xff,0x13,0xc0,0xee,0xd0,0x3b,0xc6,0xf2,0x7d,0xb8,0x61,0xe5,0x9d,
+ 0x16,0x53,0xb1,0x11),
+ },
+ /* 64 octets */
+ { chunk_from_chars(
+ 0x30,0x47,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x04,0x3b,0x04,0x39,
+ 0xd6,0x5d,0xf3,0x41,0xad,0x13,0xe0,0x08,0x56,0x76,0x88,0xba,0xed,0xda,0x8e,0x9d,
+ 0xcd,0xc1,0x7d,0xc0,0x24,0x97,0x4e,0xa5,0xb4,0x22,0x7b,0x65,0x30,0xe3,0x39,0xbf,
+ 0xf2,0x1f,0x99,0xe6,0x8c,0xa6,0x96,0x8f,0x3c,0xca,0x6d,0xfe,0x0f,0xb9,0xf4,0xfa,
+ 0xb4,0xfa,0x13,0x5d,0x55,0x42,0xea,0x3f,0x01),
+ chunk_from_chars(
+ 0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0xdf,0x97,0x05,0xf5,
+ 0x8e,0xdb,0xab,0x80,0x2c,0x7f,0x83,0x63,0xcf,0xe5,0x56,0x0a,0xb1,0xc6,0x13,0x2c,
+ 0x20,0xa9,0xf1,0xdd,0x16,0x34,0x83,0xa2,0x6f,0x8a,0xc5,0x3a,0x39,0xd6,0x80,0x8b,
+ 0xf4,0xa1,0xdf,0xbd,0x26,0x1b,0x09,0x9b,0xb0,0x3b,0x3f,0xb5,0x09,0x06,0xcb,0x28,
+ 0xbd,0x8a,0x08,0x1f,0x00),
+ chunk_from_chars(
+ 0xbd,0x0f,0x6a,0x37,0x47,0xcd,0x56,0x1b,0xdd,0xdf,0x46,0x40,0xa3,0x32,0x46,0x1a,
+ 0x4a,0x30,0xa1,0x2a,0x43,0x4c,0xd0,0xbf,0x40,0xd7,0x66,0xd9,0xc6,0xd4,0x58,0xe5,
+ 0x51,0x22,0x04,0xa3,0x0c,0x17,0xd1,0xf5,0x0b,0x50,0x79,0x63,0x1f,0x64,0xeb,0x31,
+ 0x12,0x18,0x2d,0xa3,0x00,0x58,0x35,0x46,0x11,0x13,0x71,0x8d,0x1a,0x5e,0xf9,0x44),
+ chunk_from_chars(
+ 0x55,0x4b,0xc2,0x48,0x08,0x60,0xb4,0x9e,0xab,0x85,0x32,0xd2,0xa5,0x33,0xb7,0xd5,
+ 0x78,0xef,0x47,0x3e,0xeb,0x58,0xc9,0x8b,0xb2,0xd0,0xe1,0xce,0x48,0x8a,0x98,0xb1,
+ 0x8d,0xfd,0xe9,0xb9,0xb9,0x07,0x75,0xe6,0x7f,0x47,0xd4,0xa1,0xc3,0x48,0x20,0x58,
+ 0xef,0xc9,0xf4,0x0d,0x2c,0xa0,0x33,0xa0,0x80,0x1b,0x63,0xd4,0x5b,0x3b,0x72,0x2e,
+ 0xf5,0x52,0xba,0xd3,0xb4,0xcc,0xb6,0x67,0xda,0x35,0x01,0x92,0xb6,0x1c,0x50,0x8c,
+ 0xf7,0xb6,0xb5,0xad,0xad,0xc2,0xc8,0xd9,0xa4,0x46,0xef,0x00,0x3f,0xb0,0x5c,0xba,
+ 0x5f,0x30,0xe8,0x8e,0x36,0xec,0x27,0x03,0xb3,0x49,0xca,0x22,0x9c,0x26,0x70,0x83,
+ 0x39,0x00),
+ chunk_from_chars(
+ 0x2b,0xb0,0xd4,0x29,0xb8,0x51,0x3f,0xb5,0x9d,0x07,0xd0,0xb0,0x1f,0x4a,0x39,0x25,
+ 0x33,0xae,0x3e,0x64),
+ chunk_from_chars(
+ 0x79,0xbb,0x37,0xe4,0x2a,0xf9,0x58,0xb7,0xa4,0x58,0x18,0x88,0x4b,0x82,0x8f,0xfb,
+ 0x9c,0x74,0xce,0x9d),
+ },
+ /* 256 octets */
+ { chunk_from_chars(
+ 0x30,0x47,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x04,0x3b,0x04,0x39,
+ 0x2e,0xc5,0xfe,0x3c,0x17,0x04,0x5a,0xbd,0xb1,0x36,0xa5,0xe6,0xa9,0x13,0xe3,0x2a,
+ 0xb7,0x5a,0xe6,0x8b,0x53,0xd2,0xfc,0x14,0x9b,0x77,0xe5,0x04,0x13,0x2d,0x37,0x56,
+ 0x9b,0x7e,0x76,0x6b,0xa7,0x4a,0x19,0xbd,0x61,0x62,0x34,0x3a,0x21,0xc8,0x59,0x0a,
+ 0xa9,0xce,0xbc,0xa9,0x01,0x4c,0x63,0x6d,0xf5),
+ chunk_from_chars(
+ 0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0x79,0x75,0x6f,0x01,
+ 0x4d,0xcf,0xe2,0x07,0x9f,0x5d,0xd9,0xe7,0x18,0xbe,0x41,0x71,0xe2,0xef,0x24,0x86,
+ 0xa0,0x8f,0x25,0x18,0x6f,0x6b,0xff,0x43,0xa9,0x93,0x6b,0x9b,0xfe,0x12,0x40,0x2b,
+ 0x08,0xae,0x65,0x79,0x8a,0x3d,0x81,0xe2,0x2e,0x9e,0xc8,0x0e,0x76,0x90,0x86,0x2e,
+ 0xf3,0xd4,0xed,0x3a,0x00),
+ chunk_from_chars(
+ 0x15,0x77,0x75,0x32,0xb0,0xbd,0xd0,0xd1,0x38,0x9f,0x63,0x6c,0x5f,0x6b,0x9b,0xa7,
+ 0x34,0xc9,0x0a,0xf5,0x72,0x87,0x7e,0x2d,0x27,0x2d,0xd0,0x78,0xaa,0x1e,0x56,0x7c,
+ 0xfa,0x80,0xe1,0x29,0x28,0xbb,0x54,0x23,0x30,0xe8,0x40,0x9f,0x31,0x74,0x50,0x41,
+ 0x07,0xec,0xd5,0xef,0xac,0x61,0xae,0x75,0x04,0xda,0xbe,0x2a,0x60,0x2e,0xde,0x89,
+ 0xe5,0xcc,0xa6,0x25,0x7a,0x7c,0x77,0xe2,0x7a,0x70,0x2b,0x3a,0xe3,0x9f,0xc7,0x69,
+ 0xfc,0x54,0xf2,0x39,0x5a,0xe6,0xa1,0x17,0x8c,0xab,0x47,0x38,0xe5,0x43,0x07,0x2f,
+ 0xc1,0xc1,0x77,0xfe,0x71,0xe9,0x2e,0x25,0xbf,0x03,0xe4,0xec,0xb7,0x2f,0x47,0xb6,
+ 0x4d,0x04,0x65,0xaa,0xea,0x4c,0x7f,0xad,0x37,0x25,0x36,0xc8,0xba,0x51,0x6a,0x60,
+ 0x39,0xc3,0xc2,0xa3,0x9f,0x0e,0x4d,0x83,0x2b,0xe4,0x32,0xdf,0xa9,0xa7,0x06,0xa6,
+ 0xe5,0xc7,0xe1,0x9f,0x39,0x79,0x64,0xca,0x42,0x58,0x00,0x2f,0x7c,0x05,0x41,0xb5,
+ 0x90,0x31,0x6d,0xbc,0x56,0x22,0xb6,0xb2,0xa6,0xfe,0x7a,0x4a,0xbf,0xfd,0x96,0x10,
+ 0x5e,0xca,0x76,0xea,0x7b,0x98,0x81,0x6a,0xf0,0x74,0x8c,0x10,0xdf,0x04,0x8c,0xe0,
+ 0x12,0xd9,0x01,0x01,0x5a,0x51,0xf1,0x89,0xf3,0x88,0x81,0x45,0xc0,0x36,0x50,0xaa,
+ 0x23,0xce,0x89,0x4c,0x3b,0xd8,0x89,0xe0,0x30,0xd5,0x65,0x07,0x1c,0x59,0xf4,0x09,
+ 0xa9,0x98,0x1b,0x51,0x87,0x8f,0xd6,0xfc,0x11,0x06,0x24,0xdc,0xbc,0xde,0x0b,0xf7,
+
0xa6,0x9c,0xcc,0xe3,0x8f,0xab,0xdf,0x86,0xf3,0xbe,0xf6,0x04,0x48,0x19,0xde,0x11), + chunk_from_chars( + 0xc6,0x50,0xdd,0xbb,0x06,0x01,0xc1,0x9c,0xa1,0x14,0x39,0xe1,0x64,0x0d,0xd9,0x31, + 0xf4,0x3c,0x51,0x8e,0xa5,0xbe,0xa7,0x0d,0x3d,0xcd,0xe5,0xf4,0x19,0x1f,0xe5,0x3f, + 0x00,0xcf,0x96,0x65,0x46,0xb7,0x2b,0xcc,0x7d,0x58,0xbe,0x2b,0x9b,0xad,0xef,0x28, + 0x74,0x39,0x54,0xe3,0xa4,0x4a,0x23,0xf8,0x80,0xe8,0xd4,0xf1,0xcf,0xce,0x2d,0x7a, + 0x61,0x45,0x2d,0x26,0xda,0x05,0x89,0x6f,0x0a,0x50,0xda,0x66,0xa2,0x39,0xa8,0xa1, + 0x88,0xb6,0xd8,0x25,0xb3,0x30,0x5a,0xd7,0x7b,0x73,0xfb,0xac,0x08,0x36,0xec,0xc6, + 0x09,0x87,0xfd,0x08,0x52,0x7c,0x1a,0x8e,0x80,0xd5,0x82,0x3e,0x65,0xca,0xfe,0x2a, + 0x3d,0x00), + chunk_from_chars( + 0xfc,0x02,0xc5,0x25,0x74,0x09,0x8f,0xbb,0xaf,0x8c,0xad,0x02,0x14,0x9d,0xef,0x0d, + 0x94,0xb7,0x96,0x5f), + chunk_from_chars( + 0x63,0x03,0x8e,0x1f,0xcc,0x69,0x1e,0x2f,0x9d,0xb3,0x57,0x0f,0xad,0xbc,0x01,0x35, + 0x63,0xdb,0x06,0xba), + }, + /* 1023 octets */ + { chunk_from_chars( + 0x30,0x47,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x04,0x3b,0x04,0x39, + 0x87,0x2d,0x09,0x37,0x80,0xf5,0xd3,0x73,0x0d,0xf7,0xc2,0x12,0x66,0x4b,0x37,0xb8, + 0xa0,0xf2,0x4f,0x56,0x81,0x0d,0xaa,0x83,0x82,0xcd,0x4f,0xa3,0xf7,0x76,0x34,0xec, + 0x44,0xdc,0x54,0xf1,0xc2,0xed,0x9b,0xea,0x86,0xfa,0xfb,0x76,0x32,0xd8,0xbe,0x19, + 0x9e,0xa1,0x65,0xf5,0xad,0x55,0xdd,0x9c,0xe8), + chunk_from_chars( + 0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0xa8,0x1b,0x2e,0x8a, + 0x70,0xa5,0xac,0x94,0xff,0xdb,0xcc,0x9b,0xad,0xfc,0x3f,0xeb,0x08,0x01,0xf2,0x58, + 0x57,0x8b,0xb1,0x14,0xad,0x44,0xec,0xe1,0xec,0x0e,0x79,0x9d,0xa0,0x8e,0xff,0xb8, + 0x1c,0x5d,0x68,0x5c,0x0c,0x56,0xf6,0x4e,0xec,0xae,0xf8,0xcd,0xf1,0x1c,0xc3,0x87, + 0x37,0x83,0x8c,0xf4,0x00), + chunk_from_chars( + 0x6d,0xdf,0x80,0x2e,0x1a,0xae,0x49,0x86,0x93,0x5f,0x7f,0x98,0x1b,0xa3,0xf0,0x35, + 0x1d,0x62,0x73,0xc0,0xa0,0xc2,0x2c,0x9c,0x0e,0x83,0x39,0x16,0x8e,0x67,0x54,0x12, + 
0xa3,0xde,0xbf,0xaf,0x43,0x5e,0xd6,0x51,0x55,0x80,0x07,0xdb,0x43,0x84,0xb6,0x50, + 0xfc,0xc0,0x7e,0x3b,0x58,0x6a,0x27,0xa4,0xf7,0xa0,0x0a,0xc8,0xa6,0xfe,0xc2,0xcd, + 0x86,0xae,0x4b,0xf1,0x57,0x0c,0x41,0xe6,0xa4,0x0c,0x93,0x1d,0xb2,0x7b,0x2f,0xaa, + 0x15,0xa8,0xce,0xdd,0x52,0xcf,0xf7,0x36,0x2c,0x4e,0x6e,0x23,0xda,0xec,0x0f,0xbc, + 0x3a,0x79,0xb6,0x80,0x6e,0x31,0x6e,0xfc,0xc7,0xb6,0x81,0x19,0xbf,0x46,0xbc,0x76, + 0xa2,0x60,0x67,0xa5,0x3f,0x29,0x6d,0xaf,0xdb,0xdc,0x11,0xc7,0x7f,0x77,0x77,0xe9, + 0x72,0x66,0x0c,0xf4,0xb6,0xa9,0xb3,0x69,0xa6,0x66,0x5f,0x02,0xe0,0xcc,0x9b,0x6e, + 0xdf,0xad,0x13,0x6b,0x4f,0xab,0xe7,0x23,0xd2,0x81,0x3d,0xb3,0x13,0x6c,0xfd,0xe9, + 0xb6,0xd0,0x44,0x32,0x2f,0xee,0x29,0x47,0x95,0x2e,0x03,0x1b,0x73,0xab,0x5c,0x60, + 0x33,0x49,0xb3,0x07,0xbd,0xc2,0x7b,0xc6,0xcb,0x8b,0x8b,0xbd,0x7b,0xd3,0x23,0x21, + 0x9b,0x80,0x33,0xa5,0x81,0xb5,0x9e,0xad,0xeb,0xb0,0x9b,0x3c,0x4f,0x3d,0x22,0x77, + 0xd4,0xf0,0x34,0x36,0x24,0xac,0xc8,0x17,0x80,0x47,0x28,0xb2,0x5a,0xb7,0x97,0x17, + 0x2b,0x4c,0x5c,0x21,0xa2,0x2f,0x9c,0x78,0x39,0xd6,0x43,0x00,0x23,0x2e,0xb6,0x6e, + 0x53,0xf3,0x1c,0x72,0x3f,0xa3,0x7f,0xe3,0x87,0xc7,0xd3,0xe5,0x0b,0xdf,0x98,0x13, + 0xa3,0x0e,0x5b,0xb1,0x2c,0xf4,0xcd,0x93,0x0c,0x40,0xcf,0xb4,0xe1,0xfc,0x62,0x25, + 0x92,0xa4,0x95,0x88,0x79,0x44,0x94,0xd5,0x6d,0x24,0xea,0x4b,0x40,0xc8,0x9f,0xc0, + 0x59,0x6c,0xc9,0xeb,0xb9,0x61,0xc8,0xcb,0x10,0xad,0xde,0x97,0x6a,0x5d,0x60,0x2b, + 0x1c,0x3f,0x85,0xb9,0xb9,0xa0,0x01,0xed,0x3c,0x6a,0x4d,0x3b,0x14,0x37,0xf5,0x20, + 0x96,0xcd,0x19,0x56,0xd0,0x42,0xa5,0x97,0xd5,0x61,0xa5,0x96,0xec,0xd3,0xd1,0x73, + 0x5a,0x8d,0x57,0x0e,0xa0,0xec,0x27,0x22,0x5a,0x2c,0x4a,0xaf,0xf2,0x63,0x06,0xd1, + 0x52,0x6c,0x1a,0xf3,0xca,0x6d,0x9c,0xf5,0xa2,0xc9,0x8f,0x47,0xe1,0xc4,0x6d,0xb9, + 0xa3,0x32,0x34,0xcf,0xd4,0xd8,0x1f,0x2c,0x98,0x53,0x8a,0x09,0xeb,0xe7,0x69,0x98, + 0xd0,0xd8,0xfd,0x25,0x99,0x7c,0x7d,0x25,0x5c,0x6d,0x66,0xec,0xe6,0xfa,0x56,0xf1, + 0x11,0x44,0x95,0x0f,0x02,0x77,0x95,0xe6,0x53,0x00,0x8f,0x4b,0xd7,0xca,0x2d,0xee, + 
0x85,0xd8,0xe9,0x0f,0x3d,0xc3,0x15,0x13,0x0c,0xe2,0xa0,0x03,0x75,0xa3,0x18,0xc7, + 0xc3,0xd9,0x7b,0xe2,0xc8,0xce,0x5b,0x6d,0xb4,0x1a,0x62,0x54,0xff,0x26,0x4f,0xa6, + 0x15,0x5b,0xae,0xe3,0xb0,0x77,0x3c,0x0f,0x49,0x7c,0x57,0x3f,0x19,0xbb,0x4f,0x42, + 0x40,0x28,0x1f,0x0b,0x1f,0x4f,0x7b,0xe8,0x57,0xa4,0xe5,0x9d,0x41,0x6c,0x06,0xb4, + 0xc5,0x0f,0xa0,0x9e,0x18,0x10,0xdd,0xc6,0xb1,0x46,0x7b,0xae,0xac,0x5a,0x36,0x68, + 0xd1,0x1b,0x6e,0xca,0xa9,0x01,0x44,0x00,0x16,0xf3,0x89,0xf8,0x0a,0xcc,0x4d,0xb9, + 0x77,0x02,0x5e,0x7f,0x59,0x24,0x38,0x8c,0x7e,0x34,0x0a,0x73,0x2e,0x55,0x44,0x40, + 0xe7,0x65,0x70,0xf8,0xdd,0x71,0xb7,0xd6,0x40,0xb3,0x45,0x0d,0x1f,0xd5,0xf0,0x41, + 0x0a,0x18,0xf9,0xa3,0x49,0x4f,0x70,0x7c,0x71,0x7b,0x79,0xb4,0xbf,0x75,0xc9,0x84, + 0x00,0xb0,0x96,0xb2,0x16,0x53,0xb5,0xd2,0x17,0xcf,0x35,0x65,0xc9,0x59,0x74,0x56, + 0xf7,0x07,0x03,0x49,0x7a,0x07,0x87,0x63,0x82,0x9b,0xc0,0x1b,0xb1,0xcb,0xc8,0xfa, + 0x04,0xea,0xdc,0x9a,0x6e,0x3f,0x66,0x99,0x58,0x7a,0x9e,0x75,0xc9,0x4e,0x5b,0xab, + 0x00,0x36,0xe0,0xb2,0xe7,0x11,0x39,0x2c,0xff,0x00,0x47,0xd0,0xd6,0xb0,0x5b,0xd2, + 0xa5,0x88,0xbc,0x10,0x97,0x18,0x95,0x42,0x59,0xf1,0xd8,0x66,0x78,0xa5,0x79,0xa3, + 0x12,0x0f,0x19,0xcf,0xb2,0x96,0x3f,0x17,0x7a,0xeb,0x70,0xf2,0xd4,0x84,0x48,0x26, + 0x26,0x2e,0x51,0xb8,0x02,0x71,0x27,0x20,0x68,0xef,0x5b,0x38,0x56,0xfa,0x85,0x35, + 0xaa,0x2a,0x88,0xb2,0xd4,0x1f,0x2a,0x0e,0x2f,0xda,0x76,0x24,0xc2,0x85,0x02,0x72, + 0xac,0x4a,0x2f,0x56,0x1f,0x8f,0x2f,0x7a,0x31,0x8b,0xfd,0x5c,0xaf,0x96,0x96,0x14, + 0x9e,0x4a,0xc8,0x24,0xad,0x34,0x60,0x53,0x8f,0xdc,0x25,0x42,0x1b,0xee,0xc2,0xcc, + 0x68,0x18,0x16,0x2d,0x06,0xbb,0xed,0x0c,0x40,0xa3,0x87,0x19,0x23,0x49,0xdb,0x67, + 0xa1,0x18,0xba,0xda,0x6c,0xd5,0xab,0x01,0x40,0xee,0x27,0x32,0x04,0xf6,0x28,0xaa, + 0xd1,0xc1,0x35,0xf7,0x70,0x27,0x9a,0x65,0x1e,0x24,0xd8,0xc1,0x4d,0x75,0xa6,0x05, + 0x9d,0x76,0xb9,0x6a,0x6f,0xd8,0x57,0xde,0xf5,0xe0,0xb3,0x54,0xb2,0x7a,0xb9,0x37, + 0xa5,0x81,0x5d,0x16,0xb5,0xfa,0xe4,0x07,0xff,0x18,0x22,0x2c,0x6d,0x1e,0xd2,0x63, + 
0xbe,0x68,0xc9,0x5f,0x32,0xd9,0x08,0xbd,0x89,0x5c,0xd7,0x62,0x07,0xae,0x72,0x64, + 0x87,0x56,0x7f,0x9a,0x67,0xda,0xd7,0x9a,0xbe,0xc3,0x16,0xf6,0x83,0xb1,0x7f,0x2d, + 0x02,0xbf,0x07,0xe0,0xac,0x8b,0x5b,0xc6,0x16,0x2c,0xf9,0x46,0x97,0xb3,0xc2,0x7c, + 0xd1,0xfe,0xa4,0x9b,0x27,0xf2,0x3b,0xa2,0x90,0x18,0x71,0x96,0x25,0x06,0x52,0x0c, + 0x39,0x2d,0xa8,0xb6,0xad,0x0d,0x99,0xf7,0x01,0x3f,0xbc,0x06,0xc2,0xc1,0x7a,0x56, + 0x95,0x00,0xc8,0xa7,0x69,0x64,0x81,0xc1,0xcd,0x33,0xe9,0xb1,0x4e,0x40,0xb8,0x2e, + 0x79,0xa5,0xf5,0xdb,0x82,0x57,0x1b,0xa9,0x7b,0xae,0x3a,0xd3,0xe0,0x47,0x95,0x15, + 0xbb,0x0e,0x2b,0x0f,0x3b,0xfc,0xd1,0xfd,0x33,0x03,0x4e,0xfc,0x62,0x45,0xed,0xdd, + 0x7e,0xe2,0x08,0x6d,0xda,0xe2,0x60,0x0d,0x8c,0xa7,0x3e,0x21,0x4e,0x8c,0x2b,0x0b, + 0xdb,0x2b,0x04,0x7c,0x6a,0x46,0x4a,0x56,0x2e,0xd7,0x7b,0x73,0xd2,0xd8,0x41,0xc4, + 0xb3,0x49,0x73,0x55,0x12,0x57,0x71,0x3b,0x75,0x36,0x32,0xef,0xba,0x34,0x81,0x69, + 0xab,0xc9,0x0a,0x68,0xf4,0x26,0x11,0xa4,0x01,0x26,0xd7,0xcb,0x21,0xb5,0x86,0x95, + 0x56,0x81,0x86,0xf7,0xe5,0x69,0xd2,0xff,0x0f,0x9e,0x74,0x5d,0x04,0x87,0xdd,0x2e, + 0xb9,0x97,0xca,0xfc,0x5a,0xbf,0x9d,0xd1,0x02,0xe6,0x2f,0xf6,0x6c,0xba,0x87), + chunk_from_chars( + 0xe3,0x01,0x34,0x5a,0x41,0xa3,0x9a,0x4d,0x72,0xff,0xf8,0xdf,0x69,0xc9,0x80,0x75, + 0xa0,0xcc,0x08,0x2b,0x80,0x2f,0xc9,0xb2,0xb6,0xbc,0x50,0x3f,0x92,0x6b,0x65,0xbd, + 0xdf,0x7f,0x4c,0x8f,0x1c,0xb4,0x9f,0x63,0x96,0xaf,0xc8,0xa7,0x0a,0xbe,0x6d,0x8a, + 0xef,0x0d,0xb4,0x78,0xd4,0xc6,0xb2,0x97,0x00,0x76,0xc6,0xa0,0x48,0x4f,0xe7,0x6d, + 0x76,0xb3,0xa9,0x76,0x25,0xd7,0x9f,0x1c,0xe2,0x40,0xe7,0xc5,0x76,0x75,0x0d,0x29, + 0x55,0x28,0x28,0x6f,0x71,0x9b,0x41,0x3d,0xe9,0xad,0xa3,0xe8,0xeb,0x78,0xed,0x57, + 0x36,0x03,0xce,0x30,0xd8,0xbb,0x76,0x17,0x85,0xdc,0x30,0xdb,0xc3,0x20,0x86,0x9e, + 0x1a,0x00), + chunk_from_chars( + 0x89,0x30,0xb4,0x62,0xe0,0x28,0x45,0xf1,0x37,0xc0,0x0e,0x47,0xfe,0x64,0x3d,0x07, + 0x02,0x7b,0x66,0xec), + chunk_from_chars( + 
0xc1,0x6c,0x19,0x0e,0x3e,0xe9,0x2c,0x5e,0xd0,0x35,0x19,0x93,0x77,0x2c,0xd6,0x38,
+ 0xf0,0xbc,0xe1,0x62),
+ },
+};
+
+START_TEST(test_ed448_sign)
+{
+ private_key_t *key;
+ public_key_t *pubkey, *public;
+ chunk_t sig, encoding, fp;
+
+ /* load private key */
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED448,
+ BUILD_BLOB_ASN1_DER, sig_tests[_i].key, BUILD_END);
+ ck_assert(key != NULL);
+ ck_assert(key->get_encoding(key, PRIVKEY_ASN1_DER, &encoding));
+ ck_assert_chunk_eq(encoding, sig_tests[_i].key);
+ chunk_free(&encoding);
+
+ ck_assert(key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fp));
+ ck_assert_chunk_eq(sig_tests[_i].fp_pk, fp);
+ ck_assert(key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &fp));
+ ck_assert_chunk_eq(sig_tests[_i].fp_spki, fp);
+
+ /* load public key */
+ pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED448,
+ BUILD_BLOB_ASN1_DER, sig_tests[_i].pubkey, BUILD_END);
+ ck_assert(pubkey != NULL);
+ ck_assert(pubkey->get_encoding(pubkey, PUBKEY_SPKI_ASN1_DER, &encoding));
+ ck_assert_chunk_eq(encoding, sig_tests[_i].pubkey);
+ chunk_free(&encoding);
+
+ ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_SHA1, &fp));
+ ck_assert_chunk_eq(sig_tests[_i].fp_pk, fp);
+ ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_INFO_SHA1, &fp));
+ ck_assert_chunk_eq(sig_tests[_i].fp_spki, fp);
+
+ /* compare public keys */
+ public = key->get_public_key(key);
+ ck_assert(public != NULL);
+ ck_assert(public->equals(public, pubkey));
+
+ /* sign */
+ ck_assert(key->sign(key, SIGN_ED448, NULL, sig_tests[_i].msg, &sig));
+ ck_assert_chunk_eq(sig, sig_tests[_i].sig);
+
+ /* verify */
+ ck_assert(pubkey->verify(pubkey, SIGN_ED448, NULL, sig_tests[_i].msg,
+ sig_tests[_i].sig));
+
+ /* cleanup */
+ key->destroy(key);
+ pubkey->destroy(pubkey);
+ public->destroy(public);
+ chunk_free(&sig);
+}
+END_TEST
+
+START_TEST(test_ed448_gen)
+{
+ private_key_t *key, *key2;
+ public_key_t *pubkey, *pubkey2;
+ chunk_t msg = chunk_from_str("Ed448"), sig, encoding, fp_priv, fp_pub;
+
+ /* generate private key */
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED448,
+ BUILD_KEY_SIZE, 456, BUILD_END);
+ ck_assert(key != NULL);
+ ck_assert(key->get_type(key) == KEY_ED448);
+ ck_assert(key->get_keysize(key) == 456);
+ ck_assert(!key->get_encoding(key, PRIVKEY_PGP, &encoding));
+ ck_assert(key->get_encoding(key, PRIVKEY_PEM, &encoding));
+ ck_assert(encoding.ptr != NULL);
+ ck_assert(strstr(encoding.ptr, "PRIVATE KEY"));
+ chunk_free(&encoding);
+
+ /* clone private key */
+ key2 = key->get_ref(key);
+ ck_assert(key2);
+ key2->destroy(key2);
+
+ /* decryption not supported */
+ ck_assert(!key->decrypt(key, ENCRYPT_UNKNOWN, msg, NULL));
+
+ /* wrong signature scheme */
+ ck_assert(!key->sign(key, SIGN_ED25519, NULL, msg, &sig));
+
+ /* correct signature scheme*/
+ ck_assert(key->sign(key, SIGN_ED448, NULL, msg, &sig));
+
+ /* export public key */
+ pubkey = key->get_public_key(key);
+ ck_assert(pubkey != NULL);
+ ck_assert(pubkey->get_type(pubkey) == KEY_ED448);
+ ck_assert(pubkey->get_keysize(pubkey) == 456);
+ ck_assert(pubkey->get_encoding(pubkey, PUBKEY_PEM, &encoding));
+ ck_assert(encoding.ptr != NULL);
+ ck_assert(strstr(encoding.ptr, "PUBLIC KEY"));
+ chunk_free(&encoding);
+
+ /* generate and compare public and private key fingerprints */
+ ck_assert(!key->get_fingerprint(key, KEYID_PGPV4, &fp_priv));
+ ck_assert(key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fp_priv));
+ ck_assert(key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fp_priv));
+ ck_assert(fp_priv.ptr != NULL);
+ ck_assert(!pubkey->get_fingerprint(pubkey, KEYID_PGPV4, &fp_pub));
+ ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_SHA1, &fp_pub));
+ ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_SHA1, &fp_pub));
+ ck_assert(fp_pub.ptr != NULL);
+ ck_assert_chunk_eq(fp_pub, fp_priv);
+
+ /* clone public key */
+ pubkey2 = pubkey->get_ref(pubkey);
+ ck_assert(pubkey2 != NULL);
+ pubkey2->destroy(pubkey2);
+
+ /* encryption not supported */
+ ck_assert(!pubkey->encrypt(pubkey, ENCRYPT_UNKNOWN, msg, NULL));
+
+ /* verify with wrong signature scheme */
+ ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, NULL, msg, sig));
+
+ /* verify with correct signature scheme */
+ ck_assert(pubkey->verify(pubkey, SIGN_ED448, NULL, msg, sig));
+
+ /* cleanup */
+ key->destroy(key);
+ pubkey->destroy(pubkey);
+ chunk_free(&sig);
+}
+END_TEST
+
+START_TEST(test_ed448_speed)
+{
+ private_key_t *key;
+ public_key_t *pubkey;
+ chunk_t msg = chunk_from_str("Hello Ed448"), sig;
+ int i, count = 500;
+
+#ifdef HAVE_CLOCK_GETTIME
+ struct timespec start, stop;
+ clock_gettime(CLOCK_THREAD_CPUTIME_ID, &start);
+#endif
+
+ for (i = 0; i < count; i++)
+ {
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED448,
+ BUILD_KEY_SIZE, 456, BUILD_END);
+ ck_assert(key != NULL);
+ ck_assert(key->sign(key, SIGN_ED448, NULL, msg, &sig));
+ pubkey = key->get_public_key(key);
+ ck_assert(pubkey != NULL);
+ ck_assert(pubkey->verify(pubkey, SIGN_ED448, NULL, msg, sig));
+ key->destroy(key);
+ pubkey->destroy(pubkey);
+ chunk_free(&sig);
+ }
+
+#ifdef HAVE_CLOCK_GETTIME
+ clock_gettime(CLOCK_THREAD_CPUTIME_ID, &stop);
+ DBG0(DBG_LIB, "%d Ed448 keys and signatures in %d ms\n", count,
+ (stop.tv_nsec - start.tv_nsec) / 1000000 +
+ (stop.tv_sec - start.tv_sec) * 1000);
+#endif
+}
+END_TEST
+
+static chunk_t zero_pk = chunk_from_chars(
+ 0x30,0x43,0x30,0x05,0x06,0x03,0x2b,0x65,0x71,0x03,0x3a,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00);
+
+/* sig_tests[0].sig with s+L, note that only the 9 most significant bits are 0 */
+static chunk_t malleable_sig = chunk_from_chars(
+ 0x53,0x3a,0x37,0xf6,0xbb,0xe4,0x57,0x25,0x1f,0x02,0x3c,0x0d,0x88,0xf9,0x76,0xae,
+ 0x2d,0xfb,0x50,0x4a,0x84,0x3e,0x34,0xd2,0x07,0x4f,0xd8,0x23,0xd4,0x1a,0x59,0x1f,
+ 0x2b,0x23,0x3f,0x03,0x4f,0x62,0x82,0x81,0xf2,0xfd,0x7a,0x22,0xdd,0xd4,0x7d,0x78,
+ 0x28,0xc5,0x9b,0xd0,0xa2,0x1b,0xfd,0x39,0x80,0xf2,0x52,0x78,0xd3,0x66,0x74,0x03,
+ 0xc1,0x4b,0xce,0xc5,0xf9,0xcf,0xde,0x99,0x55,0xeb,0xc8,0x33,0x3c,0x0a,0xe7,0x8f,
+ 0xc8,0x6e,0x51,0x83,0x17,0xc5,0xc7,0xcd,0xda,0x85,0x30,0xa1,0x13,0xa0,0xf4,0xdb,
+ 0xb6,0x11,0x49,0xf0,0x5a,0x73,0x63,0x26,0x8c,0x71,0xd9,0x58,0x08,0xff,0x2e,0x65,
+ 0x66,0x00);
+
+START_TEST(test_ed448_fail)
+{
+ private_key_t *key;
+ public_key_t *pubkey;
+ chunk_t blob, sig;
+ uint8_t sig1[114];
+
+ /* Invalid private key format */
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED448,
+ BUILD_BLOB_ASN1_DER, chunk_empty, BUILD_END);
+ ck_assert(key == NULL);
+
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED448,
+ BUILD_EDDSA_PRIV_ASN1_DER, chunk_empty, BUILD_END);
+ ck_assert(key == NULL);
+
+ blob = chunk_from_chars(0x04, 0x01, 0x9d);
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED448,
+ BUILD_EDDSA_PRIV_ASN1_DER, blob, BUILD_END);
+ ck_assert(key == NULL);
+
+ /* Invalid public key format */
+ pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED448,
+ BUILD_BLOB_ASN1_DER, chunk_empty, BUILD_END);
+ ck_assert(pubkey == NULL);
+
+ blob = chunk_from_chars(0x30, 0x0b, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
+ 0x71, 0x03, 0x02, 0x00, 0xd7);
+ pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED448,
+ BUILD_BLOB_ASN1_DER, blob, BUILD_END);
+ ck_assert(pubkey == NULL);
+
+ blob = chunk_from_chars(0x30, 0x0b, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x00,
+ 0x71, 0x03, 0x02, 0x00, 0xd7);
+ pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED448,
+ BUILD_BLOB_ASN1_DER, blob, BUILD_END);
+ ck_assert(pubkey == NULL);
+
+ pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED448,
+ BUILD_KEY_SIZE, 456, BUILD_BLOB_ASN1_DER, blob, BUILD_END);
+ ck_assert(pubkey == NULL);
+
+ /* Invalid signature format */
+ pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED448,
+ BUILD_BLOB_ASN1_DER, sig_tests[0].pubkey, BUILD_END);
+ ck_assert(pubkey != NULL);
+
+ ck_assert(!pubkey->verify(pubkey, SIGN_ED448, NULL, chunk_empty,
+ chunk_empty));
+
+ /* RFC 8032, section 5.2.7 requires that 0 <= s < L to prevent signature
+ * malleability. Only a warning because OpenSSL is vulnerable to this. */
+ if (pubkey->verify(pubkey, SIGN_ED448, NULL, sig_tests[0].msg,
+ malleable_sig))
+ {
+ warn("Ed448 signature verification is vulnerable to malleable "
+ "signatures");
+ }
+
+ /* malformed signature */
+ sig = chunk_from_thing(sig1);
+ memcpy(sig1, sig_tests[0].sig.ptr, sig_tests[0].sig.len);
+ sig1[113] |= 0xFF;
+ ck_assert(!pubkey->verify(pubkey, SIGN_ED448, NULL, sig_tests[0].msg,
+ sig));
+
+ /* wrong signature */
+ memcpy(sig1, sig_tests[0].sig.ptr, sig_tests[0].sig.len);
+ sig1[0] = 0xe4;
+ ck_assert(!pubkey->verify(pubkey, SIGN_ED448, NULL, sig_tests[0].msg,
+ sig));
+
+ /* detect all-zeroes public key */
+ pubkey->destroy(pubkey);
+ pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED448,
+ BUILD_BLOB_ASN1_DER, zero_pk, BUILD_END);
+ ck_assert(pubkey != NULL);
+ ck_assert(!pubkey->verify(pubkey, SIGN_ED448, NULL, sig_tests[0].msg,
+ sig));
+ pubkey->destroy(pubkey);
+}
+END_TEST
+
+Suite *ed448_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("ed448");
+
+ tc = tcase_create("ed448_sign");
+ tcase_add_loop_test(tc, test_ed448_sign, 0, countof(sig_tests));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("ed448_gen");
+ tcase_add_test(tc, test_ed448_gen);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("ed448_fail");
+ tcase_add_test(tc, test_ed448_fail);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("ed448_speed");
+ test_case_set_timeout(tc, 10);
+ tcase_add_test(tc, test_ed448_speed);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libstrongswan/tests/suites/test_rsa.c b/src/libstrongswan/tests/suites/test_rsa.c
index e6dc7744a..a71fa0ce5 100644
--- a/src/libstrongswan/tests/suites/test_rsa.c
+++ b/src/libstrongswan/tests/suites/test_rsa.c
@@ -40,7 +40,7 @@ static signature_scheme_t schemes[] = {
 static rsa_pss_params_t default_pss_params = {
 .hash = HASH_SHA256,
 .mgf1_hash = HASH_SHA256,
- .salt_len = RSA_PSS_SALT_LEN_DEFAULT,
+ .salt_len = HASH_SIZE_SHA256,
 };
 
 /**
diff --git a/src/libstrongswan/tests/suites/test_signature_params.c b/src/libstrongswan/tests/suites/test_signature_params.c
index 38cb5803f..cbf1a2861 100644
--- a/src/libstrongswan/tests/suites/test_signature_params.c
+++ b/src/libstrongswan/tests/suites/test_signature_params.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Tobias Brunner
+ * Copyright (C) 2017-2018 Tobias Brunner
 * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
@@ -138,27 +138,27 @@ static struct {
 0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08,0x30,
 0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0xa2,0x03,
 0x02,0x01,0x20),
- { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }},
+ { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }},
 /* default salt length: SHA-1 */
 { chunk_from_chars(0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x00),
- { .hash = HASH_SHA1, .mgf1_hash = HASH_SHA1, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }},
+ { .hash = HASH_SHA1, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA1, }},
 /* default salt length: SHA-224 */
 { chunk_from_chars(0x30,0x23,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x16,0xa0,
 0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x04,0x05,0x00,
 0xa2,0x03,0x02,0x01,0x1c),
- { .hash = HASH_SHA224, .mgf1_hash = HASH_SHA1, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }},
+ { .hash = HASH_SHA224, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA224, }},
 /* default salt length: SHA-384 */
 { chunk_from_chars(0x30,0x23,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x16,0xa0,
 0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,0x05,0x00,
 0xa2,0x03,0x02,0x01,0x30),
- { .hash = HASH_SHA384, .mgf1_hash = HASH_SHA1, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }},
+ { .hash = HASH_SHA384, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA384, }},
 /* SHA-512 */
 { chunk_from_chars(0x30,0x41,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x34,0xa0,
 0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,0x05,0x00,
 0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08,0x30,
 0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,0x05,0x00,0xa2,0x03,
 0x02,0x01,0x40),
- { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }},
+ { .hash = HASH_SHA512, .mgf1_hash = HASH_SHA512, .salt_len = HASH_SIZE_SHA512, }},
 /* SHA-256, no salt */
 { chunk_from_chars(0x30,0x41,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x34,0xa0,
 0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,
@@ -199,6 +199,8 @@ rsa_pss_params_t rsa_pss_build_invalid_tests[] = {
 { .hash = HASH_UNKNOWN, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA1, },
 /* invalid mgf */
 { .hash = HASH_SHA256, .mgf1_hash = HASH_UNKNOWN, .salt_len = HASH_SIZE_SHA256, },
+ /* undetermined salt */
+ { .hash = HASH_UNKNOWN, .mgf1_hash = HASH_SHA1, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, },
 };
 
 START_TEST(test_rsa_pss_params_build_invalid)
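Review bot: The new `/* undetermined salt */` entry in `rsa_pss_build_invalid_tests` combines `.salt_len = RSA_PSS_SALT_LEN_DEFAULT` with `.hash = HASH_UNKNOWN`, which makes it indistinguishable from the `HASH_UNKNOWN` entry directly above it: the builder presumably rejects it on the unknown hash before the salt length is examined, so the condition the comment names is never the one under test. If the intent is that `RSA_PSS_SALT_LEN_DEFAULT` on its own must be rejected at build time (the default can only be resolved once the modulus size is known), the entry needs a valid hash, e.g. `{ .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, },`. If building with the default is in fact accepted, the comment should say what this row is meant to reject. The enclosing array starts before the hunk.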
@@ -209,6 +211,49 @@ START_TEST(test_rsa_pss_params_build_invalid)
 }
 END_TEST
 
+
+static struct {
+ ssize_t expected;
+ size_t modbits;
+ rsa_pss_params_t params;
+} rsa_pss_salt_len_tests[] = {
+ { HASH_SIZE_SHA256, 0,
+ { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }},
+ { HASH_SIZE_SHA256, 3072,
+ { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_DEFAULT, }},
+ { -1, 0,
+ { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_MAX, }},
+ { 0, 256,
+ { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_MAX, }},
+ { 350, 3071,
+ { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_MAX, }},
+ { 350, 3072,
+ { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_MAX, }},
+ { 350, 3073,
+ { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_MAX, }},
+ { 478, 4096,
+ { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = RSA_PSS_SALT_LEN_MAX, }},
+ { 10, 0,
+ { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = 10, }},
+ { 10, 3072,
+ { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = 10, }},
+};
+
+START_TEST(test_rsa_pss_params_set_salt_len)
+{
+ if (rsa_pss_params_set_salt_len(&rsa_pss_salt_len_tests[_i].params,
+ rsa_pss_salt_len_tests[_i].modbits))
+ {
+ ck_assert_int_eq(rsa_pss_salt_len_tests[_i].expected,
+ rsa_pss_salt_len_tests[_i].params.salt_len);
+ }
+ else
+ {
+ ck_assert(rsa_pss_salt_len_tests[_i].expected < 0);
+ }
+}
+END_TEST
+
 static rsa_pss_params_t rsa_pss_params_sha1 = { .hash = HASH_SHA1, .mgf1_hash = HASH_SHA1, .salt_len = HASH_SIZE_SHA1, };
 static rsa_pss_params_t rsa_pss_params_sha256 = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, };
 static rsa_pss_params_t rsa_pss_params_sha256_mgf1 = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA512, .salt_len = HASH_SIZE_SHA256, };
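Review bot: The `{ 0, 256, ... RSA_PSS_SALT_LEN_MAX }` row of `rsa_pss_salt_len_tests` expects `rsa_pss_params_set_salt_len()` to succeed with a zero-length salt for a 256-bit modulus, but with SHA-256 the encoded message is only 32 bytes and RFC 8017 section 9.1.1 requires emLen >= hLen + sLen + 2, which no salt length can satisfy there. The other MAX rows (350 for 3071-3073 bits, 478 for 4096) match emLen - hLen - 2, so this row looks like the helper clamps a negative result to 0 instead of reporting it; if that is intended, a comment on the row should say the later encoding step is expected to reject such parameters, otherwise the expected value should be -1 as in the modbits-0 row. Note also that the loop writes the resolved salt length back into the static table (`params.salt_len` is compared after the call), which is fine since each index runs once but leaves the rows unusable as input for another test.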
@@ -430,6 +475,10 @@ Suite *signature_params_suite_create()
 tcase_add_loop_test(tc, test_rsa_pss_params_build_invalid, 0, countof(rsa_pss_build_invalid_tests));
 suite_add_tcase(s, tc);
 
+ tc = tcase_create("rsa/pss salt len");
+ tcase_add_loop_test(tc, test_rsa_pss_params_set_salt_len, 0, countof(rsa_pss_salt_len_tests));
+ suite_add_tcase(s, tc);
+
 tc = tcase_create("params compare");
 tcase_add_loop_test(tc, test_params_compare, 0, countof(params_compare_tests));
 tcase_add_test(tc, test_params_compare_null);
diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h
index 9fc38d480..26ff161a4 100644
--- a/src/libstrongswan/tests/tests.h
+++ b/src/libstrongswan/tests/tests.h
@@ -52,5 +52,6 @@ TEST_SUITE_DEPEND(mgf1_sha256_suite_create, XOF, XOF_MGF1_SHA256)
 TEST_SUITE_DEPEND(ntru_suite_create, DH, NTRU_112_BIT)
 TEST_SUITE_DEPEND(fetch_http_suite_create, FETCHER, "http://")
 TEST_SUITE_DEPEND(ed25519_suite_create, PRIVKEY_GEN, KEY_ED25519)
+TEST_SUITE_DEPEND(ed448_suite_create, PRIVKEY_GEN, KEY_ED448)
 TEST_SUITE(signature_params_suite_create)
diff --git a/src/libstrongswan/utils/chunk.h b/src/libstrongswan/utils/chunk.h
index e60cd8ad0..0dbe9dc80 100644
--- a/src/libstrongswan/utils/chunk.h
+++ b/src/libstrongswan/utils/chunk.h
@@ -332,7 +332,7 @@ static inline bool chunk_equals_ptr(chunk_t *a, chunk_t *b)
 }
 
 /**
- * Increment a chunk, as it would reprensent a network order integer.
+ * Increment a chunk, as it would represent a network order integer.
 *
 * @param chunk chunk to increment
 * @return TRUE if an overflow occurred
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index efeb0f478..63b7453f3 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -582,6 +582,16 @@ static char *whitelist[] = {
 "OPENSSL_init_crypto",
 "CRYPTO_THREAD_lock_new",
 "ERR_add_error_data",
+ "ERR_set_mark",
+ "ENGINE_load_builtin_engines",
+ "OPENSSL_load_builtin_modules",
+ "CONF_modules_load_file",
+ "CONF_module_add",
+ "RAND_DRBG_bytes",
+ "RAND_DRBG_generate",
+ "RAND_DRBG_get0_master",
+ "RAND_DRBG_get0_private",
+ "RAND_DRBG_get0_public",
 /* OpenSSL libssl */
 "SSL_COMP_get_compression_methods",
 /* NSPR */
@@ -619,6 +629,7 @@ static char *whitelist[] = {
 "botan_privkey_create_ecdsa",
 "botan_privkey_create_ecdh",
 "botan_privkey_load_ecdh",
+ "botan_privkey_load",
 };
 
 /**
@@ -673,7 +684,8 @@ static int print_traces(private_leak_detective_t *this,
 int leaks = 0;
 memory_header_t *hdr;
 enumerator_t *enumerator;
- hashtable_t *entries;
+ hashtable_t *entries, *ignored = NULL;
+ backtrace_t *bt;
 struct {
 /** associated backtrace */
 backtrace_t *backtrace;
@@ -688,15 +700,32 @@ static int print_traces(private_leak_detective_t *this,
 entries = hashtable_create((hashtable_hash_t)hash,
 (hashtable_equals_t)equals, 1024);
 
+ if (whitelisted)
+ {
+ ignored = hashtable_create((hashtable_hash_t)hash,
+ (hashtable_equals_t)equals, 1024);
+ }
+
 lock->lock(lock);
 for (hdr = first_header.next; hdr != NULL; hdr = hdr->next)
 {
- if (whitelisted &&
- hdr->backtrace->contains_function(hdr->backtrace,
- whitelist, countof(whitelist)))
+ if (whitelisted)
 {
- (*whitelisted)++;
- continue;
+ bt = ignored->get(ignored, hdr->backtrace);
+ if (!bt)
+ {
+ if (hdr->backtrace->contains_function(hdr->backtrace, whitelist,
+ countof(whitelist)))
+ {
+ bt = hdr->backtrace;
+ ignored->put(ignored, bt, bt);
+ }
+ }
+ if (bt)
+ {
+ (*whitelisted)++;
+ continue;
+ }
 }
 entry = entries->get(entries, hdr->backtrace);
 if (entry)
@@ -720,6 +749,7 @@ static int print_traces(private_leak_detective_t *this,
 leaks++;
 }
 lock->unlock(lock);
+ DESTROY_IF(ignored);
 
 enumerator = entries->create_enumerator(entries);
 while (enumerator->enumerate(enumerator, NULL, &entry))
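Review bot: The `ignored` cache added to `print_traces()` only remembers backtraces that matched the whitelist, so every allocation whose backtrace is not whitelisted still pays for a full `contains_function()` scan even when an identical backtrace was already checked in an earlier iteration. Caching the negative outcome too (a second table, or storing a distinct sentinel value instead of `bt` for non-matches) would bound the whitelist scans to one per distinct backtrace, which appears to be what this change is after. As a point of style, `bt` is declared at function scope but only used inside the `if (whitelisted)` block; `backtrace_t *bt = ignored->get(ignored, hdr->backtrace);` at that point keeps its scope tight. The function continues outside the hunk.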
diff --git a/src/libtpmtss/plugins/tpm/tpm_private_key.c b/src/libtpmtss/plugins/tpm/tpm_private_key.c
index 3b7582ae3..d946fbe56 100644
--- a/src/libtpmtss/plugins/tpm/tpm_private_key.c
+++ b/src/libtpmtss/plugins/tpm/tpm_private_key.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2017 Andreas Steffen
+ * Copyright (C) 2018 Tobias Brunner
+ * Copyright (C) 2017-2018 Andreas Steffen
 * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
@@ -75,6 +76,12 @@ METHOD(private_key_t, get_keysize, int,
 return this->pubkey->get_keysize(this->pubkey);
 }
 
+METHOD(private_key_t, supported_signature_schemes, enumerator_t*,
+ private_tpm_private_key_t *this)
+{
+ return this->tpm->supported_signature_schemes(this->tpm, this->handle);
+}
+
 METHOD(private_key_t, sign, bool,
 private_tpm_private_key_t *this, signature_scheme_t scheme,
 void *params, chunk_t data, chunk_t *signature)
@@ -201,6 +208,7 @@ tpm_private_key_t *tpm_private_key_connect(key_type_t type, va_list args)
 .sign = _sign,
 .decrypt = _decrypt,
 .get_keysize = _get_keysize,
+ .supported_signature_schemes = _supported_signature_schemes,
 .get_public_key = _get_public_key,
 .equals = private_key_equals,
 .belongs_to = private_key_belongs_to,
diff --git a/src/libtpmtss/tpm_tss.h b/src/libtpmtss/tpm_tss.h
index 11e4a7c15..aab7a4d6c 100644
--- a/src/libtpmtss/tpm_tss.h
+++ b/src/libtpmtss/tpm_tss.h
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2016 Andreas Steffen
+ * Copyright (C) 2018 Tobias Brunner
+ * Copyright (C) 2016-2018 Andreas Steffen
 * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
@@ -79,6 +80,15 @@ struct tpm_tss_t { */ chunk_t (*get_public)(tpm_tss_t *this, uint32_t handle); + /** + * Return signature schemes supported by the given key (TPM 2.0 only) + * + * @param handle key object handle + * @return enumerator over signature_params_t* + */ + enumerator_t *(*supported_signature_schemes)(tpm_tss_t *this, + uint32_t handle); + /** * Retrieve the current value of a PCR register in a given PCR bank * diff --git a/src/libtpmtss/tpm_tss_trousers.c b/src/libtpmtss/tpm_tss_trousers.c index 81e542d02..937373354 100644 --- a/src/libtpmtss/tpm_tss_trousers.c +++ b/src/libtpmtss/tpm_tss_trousers.c @@ -390,6 +390,12 @@ METHOD(tpm_tss_t, get_public, chunk_t, return aik_pubkey; } +METHOD(tpm_tss_t, supported_signature_schemes, enumerator_t*, + private_tpm_tss_trousers_t *this, uint32_t handle) +{ + return enumerator_create_empty(); +} + METHOD(tpm_tss_t, read_pcr, bool, private_tpm_tss_trousers_t *this, uint32_t pcr_num, chunk_t *pcr_value, hash_algorithm_t alg) @@ -642,6 +648,7 @@ tpm_tss_t *tpm_tss_trousers_create() .get_version_info = _get_version_info, .generate_aik = _generate_aik, .get_public = _get_public, + .supported_signature_schemes = _supported_signature_schemes, .read_pcr = _read_pcr, .extend_pcr = _extend_pcr, .quote = _quote, diff --git a/src/libtpmtss/tpm_tss_tss2_v1.c b/src/libtpmtss/tpm_tss_tss2_v1.c index 9ed2798f7..f904442ed 100644 --- a/src/libtpmtss/tpm_tss_tss2_v1.c +++ b/src/libtpmtss/tpm_tss_tss2_v1.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2018 Tobias Brunner * Copyright (C) 2016-2018 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * @@ -24,9 +25,9 @@ #include -#ifdef TSS2_TCTI_TABRMD_V1 +#ifdef TSS2_TCTI_TABRMD #include -#endif /* TSS2_TCTI_TABRMD_V1 */ +#endif /* TSS2_TCTI_TABRMD */ #ifdef TSS2_TCTI_SOCKET #include @@ -68,6 +69,12 @@ struct private_tpm_tss_tss2_t { * List of supported algorithms */ TPM_ALG_ID supported_algs[TPM_PT_ALGORITHM_SET]; + + /** + * Is TPM FIPS 186-4 compliant ? + */ + bool fips_186_4; + }; /** 
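Review bot: The new `supported_signature_schemes` declaration in tpm_tss.h documents the enumerator's element type but not who owns the elements; the tss2 implementations return `enumerator_create_single(signature_params_clone(&supported_scheme), (void*)signature_params_destroy)`, so the `signature_params_t*` handed out is freed together with the enumerator and a caller must clone it to keep it (pki.c does exactly that). Suggest `@return enumerator over signature_params_t* (owned by the enumerator, clone to keep; empty if none are known)`. The trousers implementation on this same line returns `enumerator_create_empty()`, which the header's "(TPM 2.0 only)" remark covers only implicitly. `struct tpm_tss_t` begins and ends outside the hunk.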
@@ -153,6 +160,7 @@ static bool get_algs_capability(private_tpm_tss_tss2_t *this) TPMS_TAGGED_PROPERTY tp; TPMI_YES_NO more_data; TPM_ALG_ID alg; + bool fips_140_2 = FALSE; uint32_t rval, i, offset, revision = 0, year = 0; size_t len = BUF_LEN; char buf[BUF_LEN], manufacturer[5], vendor_string[17]; @@ -193,12 +201,25 @@ static bool get_algs_capability(private_tpm_tss_tss2_t *this) offset = 4 * (tp.property - TPM_PT_VENDOR_STRING_1); htoun32(vendor_string + offset, tp.value); break; + case TPM_PT_MODES: + if (tp.value & TPMA_MODES_FIPS_140_2) + { + this->fips_186_4 = fips_140_2 = TRUE; + } + break; default: break; } } - DBG2(DBG_PTS, "%s manufacturer: %s (%s) rev: %05.2f %u", LABEL, manufacturer, - vendor_string, (float)revision/100, year); + + if (!fips_140_2) + { + this->fips_186_4 = lib->settings->get_bool(lib->settings, + "%s.plugins.tpm.fips_186_4", FALSE, lib->ns); + } + DBG2(DBG_PTS, "%s manufacturer: %s (%s) rev: %05.2f %u %s", LABEL, + manufacturer, vendor_string, (float)revision/100, year, + fips_140_2 ? "FIPS 140-2" : (this->fips_186_4 ? "FIPS 186-4" : "")); /* get supported algorithms */ rval = Tss2_Sys_GetCapability(this->sys_context, 0, TPM_CAP_ALGS, @@ -400,7 +421,7 @@ METHOD(tpm_tss_t, get_version_info, chunk_t, } /** - * read the public key portion of a TSS 2.0 AIK key from NVRAM + * read the public key portion of a TSS 2.0 key from NVRAM */ bool read_public(private_tpm_tss_tss2_t *this, TPMI_DH_OBJECT handle, TPM2B_PUBLIC *public) @@ -450,9 +471,9 @@ METHOD(tpm_tss_t, get_public, chunk_t, } aik_blob = chunk_create((u_char*)&public, sizeof(public)); - DBG3(DBG_LIB, "%s AIK public key blob: %B", LABEL, &aik_blob); + DBG3(DBG_LIB, "%s public key blob: %B", LABEL, &aik_blob); - /* convert TSS 2.0 AIK public key blot into PKCS#1 format */ + /* convert TSS 2.0 public key blot into PKCS#1 format */ switch (public.t.publicArea.type) { case TPM_ALG_RSA: 
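Review bot: `this->fips_186_4` now comes from two different sources in `get_algs_capability()` — the `TPMA_MODES_FIPS_140_2` bit of `TPM_PT_MODES` or, failing that, the `%s.plugins.tpm.fips_186_4` setting — and the setting is never consulted once the TPM reports FIPS 140-2 mode, so an operator cannot switch the flag off for such a TPM; that precedence deserves a comment next to the setting lookup, e.g. `/* a TPM in FIPS 140-2 mode implies FIPS 186-4; the setting only applies otherwise */`. The struct member comment `Is TPM FIPS 186-4 compliant ?` in the @@ -68 hunk would also be more useful if it said what the flag changes, which as far as this patch shows is the RSA-PSS salt length advertised by `supported_signature_schemes()` (RSA_PSS_SALT_LEN_DEFAULT instead of RSA_PSS_SALT_LEN_MAX). The same applies to the twin hunks in tpm_tss_tss2_v2.c. `get_algs_capability()` continues beyond this hunk.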
@@ -469,12 +490,12 @@ METHOD(tpm_tss_t, get_public, chunk_t, aik_modulus = chunk_create(rsa->t.buffer, rsa->t.size); aik_exponent = chunk_from_chars(0x01, 0x00, 0x01); - /* subjectPublicKeyInfo encoding of AIK RSA key */ + /* subjectPublicKeyInfo encoding of RSA public key */ if (!lib->encoding->encode(lib->encoding, PUBKEY_SPKI_ASN1_DER, NULL, &aik_pubkey, CRED_PART_RSA_MODULUS, aik_modulus, CRED_PART_RSA_PUB_EXP, aik_exponent, CRED_PART_END)) { - DBG1(DBG_PTS, "%s subjectPublicKeyInfo encoding of AIK key " + DBG1(DBG_PTS, "%s subjectPublicKeyInfo encoding of public key " "failed", LABEL); return chunk_empty; } @@ -505,7 +526,7 @@ METHOD(tpm_tss_t, get_public, chunk_t, pos += ecc->x.t.size; /* copy y coordinate of ECC point */ memcpy(pos, ecc->y.t.buffer, ecc->y.t.size); - /* subjectPublicKeyInfo encoding of AIK ECC key */ + /* subjectPublicKeyInfo encoding of ECC public key */ aik_pubkey = asn1_wrap(ASN1_SEQUENCE, "mm", asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(OID_EC_PUBLICKEY), 
@@ -515,14 +536,101 @@ METHOD(tpm_tss_t, get_public, chunk_t, break; } default: - DBG1(DBG_PTS, "%s unsupported AIK key type", LABEL); + DBG1(DBG_PTS, "%s unsupported key type", LABEL); return chunk_empty; } - DBG1(DBG_PTS, "AIK signature algorithm is %N with %N hash", + DBG1(DBG_PTS, "signature algorithm is %N with %N hash", tpm_alg_id_names, sig_alg, tpm_alg_id_names, digest_alg); return aik_pubkey; } +METHOD(tpm_tss_t, supported_signature_schemes, enumerator_t*, + private_tpm_tss_tss2_t *this, uint32_t handle) +{ + TPM2B_PUBLIC public = { { 0, } }; + hash_algorithm_t digest; + signature_params_t supported_scheme; + + if (!read_public(this, handle, &public)) + { + return enumerator_create_empty(); + } + + switch (public.t.publicArea.type) + { + case TPM_ALG_RSA: + { + TPMS_RSA_PARMS *rsa; + TPMT_RSA_SCHEME *scheme; + + rsa = &public.t.publicArea.parameters.rsaDetail; + scheme = &rsa->scheme; + digest = hash_alg_from_tpm_alg_id(scheme->details.anySig.hashAlg); + + switch (scheme->scheme) + { + case TPM_ALG_RSAPSS: + { + ssize_t salt_len; + + salt_len = this->fips_186_4 ? 
RSA_PSS_SALT_LEN_DEFAULT : + RSA_PSS_SALT_LEN_MAX; + rsa_pss_params_t pss_params = { + .hash = digest, + .mgf1_hash = digest, + .salt_len = salt_len, + }; + supported_scheme = (signature_params_t){ + .scheme = SIGN_RSA_EMSA_PSS, + .params = &pss_params, + }; + if (!rsa_pss_params_set_salt_len(&pss_params, rsa->keyBits)) + { + return enumerator_create_empty(); + } + break; + } + case TPM_ALG_RSASSA: + supported_scheme = (signature_params_t){ + .scheme = signature_scheme_from_oid( + hasher_signature_algorithm_to_oid(digest, + KEY_RSA)), + }; + break; + default: + return enumerator_create_empty(); + } + break; + } + case TPM_ALG_ECC: + { + TPMT_ECC_SCHEME *scheme; + + scheme = &public.t.publicArea.parameters.eccDetail.scheme; + digest = hash_alg_from_tpm_alg_id(scheme->details.anySig.hashAlg); + + switch (scheme->scheme) + { + case TPM_ALG_ECDSA: + supported_scheme = (signature_params_t){ + .scheme = signature_scheme_from_oid( + hasher_signature_algorithm_to_oid(digest, + KEY_ECDSA)), + }; + break; + default: + return enumerator_create_empty(); + } + break; + } + default: + DBG1(DBG_PTS, "%s unsupported key type", LABEL); + return enumerator_create_empty(); + } + return enumerator_create_single(signature_params_clone(&supported_scheme), + (void*)signature_params_destroy); +} + /** * Configure a PCR Selection assuming a maximum of 24 registers */ @@ -809,7 +917,7 @@ METHOD(tpm_tss_t, quote, bool, DBG1(DBG_PTS, "%s unsupported %N signature algorithm", LABEL, tpm_alg_id_names, sig.sigAlg); return FALSE; - }; + } DBG2(DBG_PTS, "PCR digest algorithm is %N", tpm_alg_id_names, hash_alg); pcr_digest_alg = hash_alg_from_tpm_alg_id(hash_alg); @@ -1036,7 +1144,7 @@ METHOD(tpm_tss_t, sign, bool, DBG1(DBG_PTS, "%s unsupported %N signature scheme", LABEL, signature_scheme_names, scheme); return FALSE; - }; + } return TRUE; } 
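Review bot: In the new `supported_signature_schemes()` the RSAPSS case stores `.params = &pss_params` in `supported_scheme`, but `pss_params` is declared inside the `case TPM_ALG_RSAPSS:` block, so its lifetime ends at that block's closing brace and the later `signature_params_clone(&supported_scheme)` reads through a pointer to an object that no longer exists — undefined behaviour that only works while the compiler happens to leave the stack slot intact. Move the declaration up next to `signature_params_t supported_scheme;` as `rsa_pss_params_t pss_params;` and turn the block-scoped definition into an assignment, `pss_params = (rsa_pss_params_t){ .hash = digest, .mgf1_hash = digest, .salt_len = salt_len };`. The same pattern appears in the twin hunk of tpm_tss_tss2_v2.c (@@ -469,14 +490,101). Separately, the RSASSA and ECDSA cases do not check the result of `hash_alg_from_tpm_alg_id()`, so an unrecognised hash presumably ends up as an advertised scheme derived from an unknown OID rather than as an empty enumerator — worth a guard if that helper can return HASH_UNKNOWN.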
@@ -1174,6 +1282,7 @@ tpm_tss_t *tpm_tss_tss2_create() .get_version_info = _get_version_info, .generate_aik = _generate_aik, .get_public = _get_public, + .supported_signature_schemes = _supported_signature_schemes, .read_pcr = _read_pcr, .extend_pcr = _extend_pcr, .quote = _quote, diff --git a/src/libtpmtss/tpm_tss_tss2_v2.c b/src/libtpmtss/tpm_tss_tss2_v2.c index 7cb0d48a9..6bbbce238 100644 --- a/src/libtpmtss/tpm_tss_tss2_v2.c +++ b/src/libtpmtss/tpm_tss_tss2_v2.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2018 Tobias Brunner * Copyright (C) 2018 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * @@ -64,6 +65,12 @@ struct private_tpm_tss_tss2_t { * List of supported algorithms */ TPM2_ALG_ID supported_algs[TPM2_PT_ALGORITHM_SET]; + + /** + * Is TPM FIPS 186-4 compliant ? + */ + bool fips_186_4; + }; /** @@ -152,6 +159,7 @@ static bool get_algs_capability(private_tpm_tss_tss2_t *this) TPMS_TAGGED_PROPERTY tp; TPMI_YES_NO more_data; TPM2_ALG_ID alg; + bool fips_140_2 = FALSE; uint32_t rval, i, offset, revision = 0, year = 0; size_t len = BUF_LEN; char buf[BUF_LEN], manufacturer[5], vendor_string[17]; 
@@ -193,12 +201,25 @@ static bool get_algs_capability(private_tpm_tss_tss2_t *this) offset = 4 * (tp.property - TPM2_PT_VENDOR_STRING_1); htoun32(vendor_string + offset, tp.value); break; + case TPM2_PT_MODES: + if (tp.value & TPMA_MODES_FIPS_140_2) + { + this->fips_186_4 = fips_140_2 = TRUE; + } + break; default: break; } } - DBG2(DBG_PTS, "%s manufacturer: %s (%s) rev: %05.2f %u", LABEL, manufacturer, - vendor_string, (float)revision/100, year); + + if (!fips_140_2) + { + this->fips_186_4 = lib->settings->get_bool(lib->settings, + "%s.plugins.tpm.fips_186_4", FALSE, lib->ns); + } + DBG2(DBG_PTS, "%s manufacturer: %s (%s) rev: %05.2f %u %s", LABEL, + manufacturer, vendor_string, (float)revision/100, year, + fips_140_2 ? "FIPS 140-2" : (this->fips_186_4 ? "FIPS 186-4" : "")); /* get supported algorithms */ rval = Tss2_Sys_GetCapability(this->sys_context, 0, TPM2_CAP_ALGS, @@ -360,7 +381,7 @@ METHOD(tpm_tss_t, get_version_info, chunk_t, } /** - * read the public key portion of a TSS 2.0 AIK key from NVRAM + * read the public key portion of a TSS 2.0 key from NVRAM */ bool read_public(private_tpm_tss_tss2_t *this, TPMI_DH_OBJECT handle, TPM2B_PUBLIC *public) @@ -404,9 +425,9 @@ METHOD(tpm_tss_t, get_public, chunk_t, } aik_blob = chunk_create((u_char*)&public, sizeof(public)); - DBG3(DBG_LIB, "%s AIK public key blob: %B", LABEL, &aik_blob); + DBG3(DBG_LIB, "%s public key blob: %B", LABEL, &aik_blob); - /* convert TSS 2.0 AIK public key blot into PKCS#1 format */ + /* convert TSS 2.0 public key blot into PKCS#1 format */ switch (public.publicArea.type) { case TPM2_ALG_RSA: 
@@ -423,12 +444,12 @@ METHOD(tpm_tss_t, get_public, chunk_t, aik_modulus = chunk_create(rsa->buffer, rsa->size); aik_exponent = chunk_from_chars(0x01, 0x00, 0x01); - /* subjectPublicKeyInfo encoding of AIK RSA key */ + /* subjectPublicKeyInfo encoding of RSA public key */ if (!lib->encoding->encode(lib->encoding, PUBKEY_SPKI_ASN1_DER, NULL, &aik_pubkey, CRED_PART_RSA_MODULUS, aik_modulus, CRED_PART_RSA_PUB_EXP, aik_exponent, CRED_PART_END)) { - DBG1(DBG_PTS, "%s subjectPublicKeyInfo encoding of AIK key " + DBG1(DBG_PTS, "%s subjectPublicKeyInfo encoding of public key " "failed", LABEL); return chunk_empty; } @@ -459,7 +480,7 @@ METHOD(tpm_tss_t, get_public, chunk_t, pos += ecc->x.size; /* copy y coordinate of ECC point */ memcpy(pos, ecc->y.buffer, ecc->y.size); - /* subjectPublicKeyInfo encoding of AIK ECC key */ + /* subjectPublicKeyInfo encoding of ECC public key */ aik_pubkey = asn1_wrap(ASN1_SEQUENCE, "mm", asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(OID_EC_PUBLICKEY), 
@@ -469,14 +490,101 @@ METHOD(tpm_tss_t, get_public, chunk_t, break; } default: - DBG1(DBG_PTS, "%s unsupported AIK key type", LABEL); + DBG1(DBG_PTS, "%s unsupported key type", LABEL); return chunk_empty; } - DBG1(DBG_PTS, "AIK signature algorithm is %N with %N hash", + DBG1(DBG_PTS, "signature algorithm is %N with %N hash", tpm_alg_id_names, sig_alg, tpm_alg_id_names, digest_alg); return aik_pubkey; } +METHOD(tpm_tss_t, supported_signature_schemes, enumerator_t*, + private_tpm_tss_tss2_t *this, uint32_t handle) +{ + TPM2B_PUBLIC public = { 0, }; + hash_algorithm_t digest; + signature_params_t supported_scheme; + + if (!read_public(this, handle, &public)) + { + return enumerator_create_empty(); + } + + switch (public.publicArea.type) + { + case TPM2_ALG_RSA: + { + TPMS_RSA_PARMS *rsa; + TPMT_RSA_SCHEME *scheme; + + rsa = &public.publicArea.parameters.rsaDetail; + scheme = &rsa->scheme; + digest = hash_alg_from_tpm_alg_id(scheme->details.anySig.hashAlg); + + switch (scheme->scheme) + { + case TPM2_ALG_RSAPSS: + { + ssize_t salt_len; + + salt_len = this->fips_186_4 ? 
RSA_PSS_SALT_LEN_DEFAULT : + RSA_PSS_SALT_LEN_MAX; + rsa_pss_params_t pss_params = { + .hash = digest, + .mgf1_hash = digest, + .salt_len = salt_len, + }; + supported_scheme = (signature_params_t){ + .scheme = SIGN_RSA_EMSA_PSS, + .params = &pss_params, + }; + if (!rsa_pss_params_set_salt_len(&pss_params, rsa->keyBits)) + { + return enumerator_create_empty(); + } + break; + } + case TPM2_ALG_RSASSA: + supported_scheme = (signature_params_t){ + .scheme = signature_scheme_from_oid( + hasher_signature_algorithm_to_oid(digest, + KEY_RSA)), + }; + break; + default: + return enumerator_create_empty(); + } + break; + } + case TPM2_ALG_ECC: + { + TPMT_ECC_SCHEME *scheme; + + scheme = &public.publicArea.parameters.eccDetail.scheme; + digest = hash_alg_from_tpm_alg_id(scheme->details.anySig.hashAlg); + + switch (scheme->scheme) + { + case TPM2_ALG_ECDSA: + supported_scheme = (signature_params_t){ + .scheme = signature_scheme_from_oid( + hasher_signature_algorithm_to_oid(digest, + KEY_ECDSA)), + }; + break; + default: + return enumerator_create_empty(); + } + break; + } + default: + DBG1(DBG_PTS, "%s unsupported key type", LABEL); + return enumerator_create_empty(); + } + return enumerator_create_single(signature_params_clone(&supported_scheme), + (void*)signature_params_destroy); +} + /** * Configure a PCR Selection assuming a maximum of 24 registers */ @@ -729,7 +837,7 @@ METHOD(tpm_tss_t, quote, bool, DBG1(DBG_PTS, "%s unsupported %N signature algorithm", LABEL, tpm_alg_id_names, sig.sigAlg); return FALSE; - }; + } DBG2(DBG_PTS, "PCR digest algorithm is %N", tpm_alg_id_names, hash_alg); pcr_digest_alg = hash_alg_from_tpm_alg_id(hash_alg); @@ -940,7 +1048,7 @@ METHOD(tpm_tss_t, sign, bool, DBG1(DBG_PTS, "%s unsupported %N signature scheme", LABEL, signature_scheme_names, scheme); return FALSE; - }; + } return TRUE; } 
@@ -1061,6 +1169,7 @@ tpm_tss_t *tpm_tss_tss2_create() .get_version_info = _get_version_info, .generate_aik = _generate_aik, .get_public = _get_public, + .supported_signature_schemes = _supported_signature_schemes, .read_pcr = _read_pcr, .extend_pcr = _extend_pcr, .quote = _quote, diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c index d1ea5c65e..4cbe06c9e 100644 --- a/src/pki/commands/acert.c +++ b/src/pki/commands/acert.c @@ -228,6 +228,11 @@ static int acert() goto end; } scheme = get_signature_scheme(private, digest, pss); + if (!scheme) + { + error = "no signature scheme found"; + goto end; + } ac = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_AC, diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c index 1ccbca89f..b117fa171 100644 --- a/src/pki/commands/issue.c +++ b/src/pki/commands/issue.c @@ -536,6 +536,11 @@ static int issue() chunk_from_chars(ASN1_SEQUENCE, 0)); } scheme = get_signature_scheme(private, digest, pss); + if (!scheme) + { + error = "no signature scheme found"; + goto end; + } cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca, diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c index cfddbc455..8f5380a4a 100644 --- a/src/pki/commands/req.c +++ b/src/pki/commands/req.c @@ -168,6 +168,11 @@ static int req() goto end; } scheme = get_signature_scheme(private, digest, pss); + if (!scheme) + { + error = "no signature scheme found"; + goto end; + } cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, BUILD_SIGNING_KEY, private, diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c index 6f7adef0f..a08ee9931 100644 --- a/src/pki/commands/self.c +++ b/src/pki/commands/self.c 
@@ -378,6 +378,11 @@ static int self() rng->destroy(rng); } scheme = get_signature_scheme(private, digest, pss); + if (!scheme) + { + error = "no signature scheme found"; + goto end; + } cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_SIGNING_KEY, private, BUILD_PUBLIC_KEY, public, diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c index ca208a5cf..a399d21be 100644 --- a/src/pki/commands/signcrl.c +++ b/src/pki/commands/signcrl.c @@ -399,6 +399,12 @@ static int sign_crl() chunk_increment(crl_serial); scheme = get_signature_scheme(private, digest, pss); + if (!scheme) + { + error = "no signature scheme found"; + goto error; + } + enumerator = enumerator_create_filter(list->create_enumerator(list), filter, NULL, NULL); crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, diff --git a/src/pki/pki.c b/src/pki/pki.c index ec60f7d42..d03e96f9b 100644 --- a/src/pki/pki.c +++ b/src/pki/pki.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2017 Tobias Brunner + * Copyright (C) 2012-2018 Tobias Brunner * Copyright (C) 2009 Martin Willi * HSR Hochschule fuer Technik Rapperswil * @@ -264,7 +264,30 @@ static hash_algorithm_t get_default_digest(private_key_t *private) signature_params_t *get_signature_scheme(private_key_t *private, hash_algorithm_t digest, bool pss) { - signature_params_t *scheme; + signature_params_t *scheme, *selected = NULL; + enumerator_t *enumerator; + + if (private->supported_signature_schemes) + { + enumerator = private->supported_signature_schemes(private); + while (enumerator->enumerate(enumerator, &scheme)) + { + if (private->get_type(private) == KEY_RSA && + pss != (scheme->scheme == SIGN_RSA_EMSA_PSS)) + { + continue; + } + if (digest == HASH_UNKNOWN || + digest == hasher_from_signature_scheme(scheme->scheme, + scheme->params)) + { + selected = signature_params_clone(scheme); + break; + } + } + enumerator->destroy(enumerator); + return selected; + } if (digest == HASH_UNKNOWN) { 
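Review bot: The new branch in `get_signature_scheme()` returns `selected` as soon as `private->supported_signature_schemes` is set, so a key whose enumerator yields nothing gets NULL with no fall-through to the default selection below; in this same patch the trousers backend implements the method as `enumerator_create_empty()` and tpm_private_key.c now forwards to it unconditionally, so if a tpm private key can be backed by a TPM 1.2 (which this diff does not show) pki would now fail with "no signature scheme found" where it previously picked a default. If that is intended, a short comment on `return selected;` would make it clear that an advertising key deliberately never falls back, e.g. `/* no fallback: a key that enumerates schemes must match one of them */`; otherwise only return early when the enumerator produced at least one candidate. Note also that `pss` is only enforced for RSA keys, so for other key types a pss request is silently ignored rather than rejected. `get_signature_scheme()` continues beyond this hunk.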
@@ -281,6 +304,7 @@ signature_params_t *get_signature_scheme(private_key_t *private, .scheme = SIGN_RSA_EMSA_PSS, .params = &pss_params, }; + rsa_pss_params_set_salt_len(&pss_params, 0); scheme = signature_params_clone(&pss_scheme); } else diff --git a/src/pki/pki.h b/src/pki/pki.h index 3f0793cfd..3976c33b7 100644 --- a/src/pki/pki.h +++ b/src/pki/pki.h @@ -65,7 +65,8 @@ void set_file_mode(FILE *stream, cred_encoding_type_t enc); * @param digest hash algorithm (if HASH_UNKNOWN a default is determined * based on the key) * @param pss use PSS padding for RSA keys - * @return allocated signature scheme and parameters + * @return allocated signature scheme and parameters (NULL if none + * found) */ signature_params_t *get_signature_scheme(private_key_t *private, hash_algorithm_t digest, bool pss); diff --git a/src/pool/pool.c b/src/pool/pool.c index b755365ec..ba1889dd8 100644 --- a/src/pool/pool.c +++ b/src/pool/pool.c @@ -710,7 +710,6 @@ static enumerator_t *create_lease_query(char *filter, array_t **to_free) default: fprintf(stderr, "invalid filter string.\n"); exit(EXIT_FAILURE); - break; } } query = db->query(db, @@ -1142,7 +1141,6 @@ static void do_args(int argc, char *argv[]) default: usage(); exit(EXIT_FAILURE); - break; } break; } diff --git a/src/pt-tls-client/pt-tls-client.1.in b/src/pt-tls-client/pt-tls-client.1.in index 3e14cbe37..6bd3c642e 100644 --- a/src/pt-tls-client/pt-tls-client.1.in +++ b/src/pt-tls-client/pt-tls-client.1.in @@ -1,4 +1,4 @@ -.TH PT-TLS-CLIENT 1 "2017-07-15" "@PACKAGE_VERSION@" "strongSwan" +.TH PT-TLS-CLIENT 1 "2018-11-20" "@PACKAGE_VERSION@" "strongSwan" . .SH "NAME" . @@ -9,7 +9,7 @@ pt-tls-client \- Simple client using PT-TLS to collect integrity information .SY "pt-tls-client" .BI \-\-connect .IR hostname |\fIaddress -.OP \-\-port hex +.OP \-\-port port .RB [ \-\-certid .IR hex |\fB\-\-cert .IR file ]+ diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c index 83079f3d8..754393455 100644 
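Review bot: `rsa_pss_params_set_salt_len(&pss_params, 0);` in the @@ -281 hunk ignores the helper's return value, whereas the tpm_tss_tss2 hunks in this same patch treat a FALSE result as fatal (`if (!rsa_pss_params_set_salt_len(&pss_params, rsa->keyBits)) return enumerator_create_empty();`); if the helper can fail for a zero modulus size, the cloned scheme would carry an unresolved salt-length sentinel. Guard it the same way, `if (!rsa_pss_params_set_salt_len(&pss_params, 0)) { return NULL; }`, which the callers updated in this patch already handle. A one-line comment saying why 0 is passed for the key size here would also help. `get_signature_scheme()` begins and ends outside this hunk.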
--- a/src/scepclient/scepclient.c +++ b/src/scepclient/scepclient.c @@ -455,6 +455,7 @@ int main(int argc, char **argv) /* distinguished name for requested certificate, ASCII format */ char *distinguishedName = NULL; + char default_distinguished_name[BUF_LEN]; /* challenge password */ char challenge_password_buffer[MAX_PASSWORD_LENGTH]; @@ -1105,16 +1106,16 @@ int main(int argc, char **argv) { if (distinguishedName == NULL) { - char buf[BUF_LEN]; - int n = sprintf(buf, DEFAULT_DN); + int n = sprintf(default_distinguished_name, DEFAULT_DN); /* set the common name to the hostname */ - if (gethostname(buf + n, BUF_LEN - n) || strlen(buf) == n) + if (gethostname(default_distinguished_name + n, BUF_LEN - n) || + strlen(default_distinguished_name) == n) { exit_scepclient("no hostname defined, use " "--dn option"); } - distinguishedName = buf; + distinguishedName = default_distinguished_name; } DBG2(DBG_APP, "dn: '%s'", distinguishedName); diff --git a/src/sec-updater/sec-updater.sh b/src/sec-updater/sec-updater.sh index ca7b89841..16e561459 100755 --- a/src/sec-updater/sec-updater.sh +++ b/src/sec-updater/sec-updater.sh @@ -4,11 +4,11 @@ DIR="/etc/pts" DISTS_DIR="$DIR/dists" DATE=`date +%Y%m%d-%H%M` UBUNTU="http://security.ubuntu.com/ubuntu" -UBUNTU_VERSIONS="xenial" +UBUNTU_VERSIONS="bionic xenial" UBUNTU_DIRS="main multiverse restricted universe" UBUNTU_ARCH="binary-amd64" DEBIAN="http://security.debian.org" -DEBIAN_VERSIONS="jessie wheezy" +DEBIAN_VERSIONS="stretch jessie wheezy" DEBIAN_DIRS="main contrib non-free" DEBIAN_ARCH="binary-amd64 binary-armhf" RASPIAN="http://archive.raspberrypi.org/debian" 
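Review bot: Moving the DN buffer to function scope fixes `distinguishedName` pointing at a dead block-local, but the `gethostname(default_distinguished_name + n, BUF_LEN - n)` that follows is not guaranteed to NUL-terminate when the hostname is truncated (POSIX leaves that unspecified), and `strlen(default_distinguished_name)` would then run past the buffer. Add `default_distinguished_name[BUF_LEN - 1] = '\0';` right after the call, and consider `snprintf(default_distinguished_name, BUF_LEN, "%s", DEFAULT_DN)` in place of the unbounded `sprintf` so `DEFAULT_DN` is not used as a format string. The `strlen(...) == n` comparison also mixes `size_t` and `int`; compare against `(size_t)n`. `main()` begins and ends outside this hunk.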
@@ -48,8 +48,14 @@ do mkdir -p $v-updates/$a for d in $DEBIAN_DIRS do - wget -nv $DEBIAN/dists/$v/updates/$d/$a/Packages.bz2 -O $v-updates/$a/Packages-$d.bz2 - bunzip2 -f $v-updates/$a/Packages-$d.bz2 + if [ $v = "stretch" ] + then + wget -nv $DEBIAN/dists/$v/updates/$d/$a/Packages.xz -O $v-updates/$a/Packages-$d.xz + unxz -f $v-updates/$a/Packages-$d.xz + else + wget -nv $DEBIAN/dists/$v/updates/$d/$a/Packages.bz2 -O $v-updates/$a/Packages-$d.bz2 + bunzip2 -f $v-updates/$a/Packages-$d.bz2 + fi done done done @@ -71,6 +77,28 @@ done # Run sec-updater in distribution information +for f in bionic-security/binary-amd64/* +do + echo "security: $f" + $CMD --os "Ubuntu 18.04" --arch "x86_64" --file $f --security \ + --uri $UBUNTU >> $CMD_LOG 2>&1 + if [ $? -eq 0 ] + then + DEL_LOG=0 + fi +done + +for f in bionic-updates/binary-amd64/* +do + echo "updates: $f" + $CMD --os "Ubuntu 18.04" --arch "x86_64" --file $f \ + --uri $UBUNTU >> $CMD_LOG 2>&1 + if [ $? -eq 0 ] + then + DEL_LOG=0 + fi +done + for f in xenial-security/binary-amd64/* do echo "security: $f" @@ -93,6 +121,17 @@ do fi done +for f in stretch-updates/binary-amd64/* +do + echo "security: $f" + $CMD --os "Debian 9.0" --arch "x86_64" --file $f --security \ + --uri $DEBIAN >> $CMD_LOG 2>&1 + if [ $? -eq 0 ] + then + DEL_LOG=0 + fi +done + for f in jessie-updates/binary-amd64/* do echo "security: $f" @@ -115,6 +154,17 @@ do fi done +for f in stretch-updates/binary-armhf/* +do + echo "security: $f" + $CMD --os "Debian 9.0" --arch "armhf" --file $f --security \ + --uri $DEBIAN >> $CMD_LOG 2>&1 + if [ $? -eq 0 ] + then + DEL_LOG=0 + fi +done + for f in jessie-updates/binary-armhf/* do echo "security: $f" diff --git a/src/starter/keywords.c b/src/starter/keywords.c index a8f50169a..f4da67e8a 100644 --- a/src/starter/keywords.c +++ b/src/starter/keywords.c 
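Review bot: The new stretch branch fetches `Packages.xz` over the plain-HTTP `$DEBIAN` base URL with no integrity check, exactly like the existing bz2 path; since these lists are what sec-updater treats as the security-update ground truth, a verification step (checking the downloaded index against the distribution's signed `Release`/`InRelease` file, or at least switching the base URLs to https) is worth adding while this code is being touched. The unquoted `$v`, `$d`, `$a` and `$f` expansions in the new loops are also a latent word-splitting hazard; `"$v-updates/$a/Packages-$d.xz"` and `--file "$f"` cost nothing. The enclosing `for` loops begin outside this hunk.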
@@ -1,4 +1,4 @@ -/* C code produced by gperf version 3.0.4 */ +/* ANSI-C code produced by gperf version 3.1 */ /* Command-line: /usr/bin/gperf -m 10 -C -G -D -t */ /* Computed positions: -k'2-3,6,$' */ @@ -26,7 +26,7 @@ && ('w' == 119) && ('x' == 120) && ('y' == 121) && ('z' == 122) \ && ('{' == 123) && ('|' == 124) && ('}' == 125) && ('~' == 126)) /* The character set is not based on ISO-646. */ -error "gperf generated tables don't work with this execution character set. Please report a bug to ." +#error "gperf generated tables don't work with this execution character set. Please report a bug to ." #endif @@ -70,9 +70,7 @@ inline #endif #endif static unsigned int -hash (str, len) - register const char *str; - register unsigned int len; +hash (register const char *str, register size_t len) { static const unsigned short asso_values[] = { @@ -103,7 +101,7 @@ hash (str, len) 258, 258, 258, 258, 258, 258, 258, 258, 258, 258, 258, 258, 258, 258, 258, 258 }; - register int hval = len; + register unsigned int hval = len; switch (hval) { @@ -296,22 +294,14 @@ static const short lookup[] = 138, -1, -1, -1, -1, -1, -1, 139 }; -#ifdef __GNUC__ -__inline -#if defined __GNUC_STDC_INLINE__ || defined __GNUC_GNU_INLINE__ -__attribute__ ((__gnu_inline__)) -#endif -#endif const struct kw_entry * -in_word_set (str, len) - register const char *str; - register unsigned int len; +in_word_set (register const char *str, register size_t len) { if (len <= MAX_WORD_LENGTH && len >= MIN_WORD_LENGTH) { - register int key = hash (str, len); + register unsigned int key = hash (str, len); - if (key <= MAX_HASH_VALUE && key >= 0) + if (key <= MAX_HASH_VALUE) { register int index = lookup[key]; diff --git a/src/starter/keywords.h b/src/starter/keywords.h index d017134d9..c987f187d 100644 --- a/src/starter/keywords.h +++ b/src/starter/keywords.h 
@@ -197,7 +197,7 @@ struct kw_entry_t { }; #ifndef IN_GPERF_GENERATED_FILE -const kw_entry_t *in_word_set(register const char*, register unsigned); +const kw_entry_t *in_word_set(register const char*, register size_t); #endif #endif /* _KEYWORDS_H_ */ diff --git a/src/starter/parser/lexer.c b/src/starter/parser/lexer.c index ff7c75bb7..9fb25e1ee 100644 --- a/src/starter/parser/lexer.c +++ b/src/starter/parser/lexer.c @@ -7,7 +7,6 @@ /* A lexical scanner generated by flex */ /* %not-for-header */ - /* %if-c-only */ /* %if-not-reentrant */ /* %endif */ @@ -17,7 +16,7 @@ #define FLEX_SCANNER #define YY_FLEX_MAJOR_VERSION 2 #define YY_FLEX_MINOR_VERSION 6 -#define YY_FLEX_SUBMINOR_VERSION 0 +#define YY_FLEX_SUBMINOR_VERSION 4 #if YY_FLEX_SUBMINOR_VERSION > 0 #define FLEX_BETA #endif 
@@ -26,9 +25,230 @@ /* %endif */ /* %if-c-only */ - +#ifdef yy_create_buffer +#define conf_parser__create_buffer_ALREADY_DEFINED +#else +#define yy_create_buffer conf_parser__create_buffer +#endif + +#ifdef yy_delete_buffer +#define conf_parser__delete_buffer_ALREADY_DEFINED +#else +#define yy_delete_buffer conf_parser__delete_buffer +#endif + +#ifdef yy_scan_buffer +#define conf_parser__scan_buffer_ALREADY_DEFINED +#else +#define yy_scan_buffer conf_parser__scan_buffer +#endif + +#ifdef yy_scan_string +#define conf_parser__scan_string_ALREADY_DEFINED +#else +#define yy_scan_string conf_parser__scan_string +#endif + +#ifdef yy_scan_bytes +#define conf_parser__scan_bytes_ALREADY_DEFINED +#else +#define yy_scan_bytes conf_parser__scan_bytes +#endif + +#ifdef yy_init_buffer +#define conf_parser__init_buffer_ALREADY_DEFINED +#else +#define yy_init_buffer conf_parser__init_buffer +#endif + +#ifdef yy_flush_buffer +#define conf_parser__flush_buffer_ALREADY_DEFINED +#else +#define yy_flush_buffer conf_parser__flush_buffer +#endif + +#ifdef yy_load_buffer_state +#define conf_parser__load_buffer_state_ALREADY_DEFINED +#else +#define yy_load_buffer_state conf_parser__load_buffer_state +#endif + +#ifdef yy_switch_to_buffer +#define conf_parser__switch_to_buffer_ALREADY_DEFINED +#else +#define yy_switch_to_buffer conf_parser__switch_to_buffer +#endif + +#ifdef yypush_buffer_state +#define conf_parser_push_buffer_state_ALREADY_DEFINED +#else +#define yypush_buffer_state conf_parser_push_buffer_state +#endif + +#ifdef yypop_buffer_state +#define conf_parser_pop_buffer_state_ALREADY_DEFINED +#else +#define yypop_buffer_state conf_parser_pop_buffer_state +#endif + +#ifdef yyensure_buffer_stack +#define conf_parser_ensure_buffer_stack_ALREADY_DEFINED +#else +#define yyensure_buffer_stack conf_parser_ensure_buffer_stack +#endif + +#ifdef yylex +#define conf_parser_lex_ALREADY_DEFINED +#else +#define yylex conf_parser_lex +#endif + +#ifdef yyrestart +#define 
conf_parser_restart_ALREADY_DEFINED +#else +#define yyrestart conf_parser_restart +#endif + +#ifdef yylex_init +#define conf_parser_lex_init_ALREADY_DEFINED +#else +#define yylex_init conf_parser_lex_init +#endif + +#ifdef yylex_init_extra +#define conf_parser_lex_init_extra_ALREADY_DEFINED +#else +#define yylex_init_extra conf_parser_lex_init_extra +#endif + +#ifdef yylex_destroy +#define conf_parser_lex_destroy_ALREADY_DEFINED +#else +#define yylex_destroy conf_parser_lex_destroy +#endif + +#ifdef yyget_debug +#define conf_parser_get_debug_ALREADY_DEFINED +#else +#define yyget_debug conf_parser_get_debug +#endif + +#ifdef yyset_debug +#define conf_parser_set_debug_ALREADY_DEFINED +#else +#define yyset_debug conf_parser_set_debug +#endif + +#ifdef yyget_extra +#define conf_parser_get_extra_ALREADY_DEFINED +#else +#define yyget_extra conf_parser_get_extra +#endif + +#ifdef yyset_extra +#define conf_parser_set_extra_ALREADY_DEFINED +#else +#define yyset_extra conf_parser_set_extra +#endif + +#ifdef yyget_in +#define conf_parser_get_in_ALREADY_DEFINED +#else +#define yyget_in conf_parser_get_in +#endif + +#ifdef yyset_in +#define conf_parser_set_in_ALREADY_DEFINED +#else +#define yyset_in conf_parser_set_in +#endif + +#ifdef yyget_out +#define conf_parser_get_out_ALREADY_DEFINED +#else +#define yyget_out conf_parser_get_out +#endif + +#ifdef yyset_out +#define conf_parser_set_out_ALREADY_DEFINED +#else +#define yyset_out conf_parser_set_out +#endif + +#ifdef yyget_leng +#define conf_parser_get_leng_ALREADY_DEFINED +#else +#define yyget_leng conf_parser_get_leng +#endif + +#ifdef yyget_text +#define conf_parser_get_text_ALREADY_DEFINED +#else +#define yyget_text conf_parser_get_text +#endif + +#ifdef yyget_lineno +#define conf_parser_get_lineno_ALREADY_DEFINED +#else +#define yyget_lineno conf_parser_get_lineno +#endif + +#ifdef yyset_lineno +#define conf_parser_set_lineno_ALREADY_DEFINED +#else +#define yyset_lineno conf_parser_set_lineno +#endif + +#ifdef 
yyget_column +#define conf_parser_get_column_ALREADY_DEFINED +#else +#define yyget_column conf_parser_get_column +#endif + +#ifdef yyset_column +#define conf_parser_set_column_ALREADY_DEFINED +#else +#define yyset_column conf_parser_set_column +#endif + +#ifdef yywrap +#define conf_parser_wrap_ALREADY_DEFINED +#else +#define yywrap conf_parser_wrap +#endif + /* %endif */ +#ifdef yyget_lval +#define conf_parser_get_lval_ALREADY_DEFINED +#else +#define yyget_lval conf_parser_get_lval +#endif + +#ifdef yyset_lval +#define conf_parser_set_lval_ALREADY_DEFINED +#else +#define yyset_lval conf_parser_set_lval +#endif + +#ifdef yyalloc +#define conf_parser_alloc_ALREADY_DEFINED +#else +#define yyalloc conf_parser_alloc +#endif + +#ifdef yyrealloc +#define conf_parser_realloc_ALREADY_DEFINED +#else +#define yyrealloc conf_parser_realloc +#endif + +#ifdef yyfree +#define conf_parser_free_ALREADY_DEFINED +#else +#define yyfree conf_parser_free +#endif + /* %if-c-only */ /* %endif */ 
@@ -108,50 +328,39 @@ typedef unsigned int flex_uint32_t; #define UINT32_MAX (4294967295U) #endif +#ifndef SIZE_MAX +#define SIZE_MAX (~(size_t)0) +#endif + #endif /* ! C99 */ #endif /* ! FLEXINT_H */ /* %endif */ +/* begin standard C++ headers. */ /* %if-c++-only */ /* %endif */ -#ifdef __cplusplus - -/* The "const" storage-class-modifier is valid. */ -#define YY_USE_CONST - -#else /* ! __cplusplus */ - -/* C99 requires __STDC__ to be defined as 1. */ -#if defined (__STDC__) - -#define YY_USE_CONST - -#endif /* defined (__STDC__) */ -#endif /* ! __cplusplus */ - -#ifdef YY_USE_CONST +/* TODO: this is always defined, so inline it */ #define yyconst const + +#if defined(__GNUC__) && __GNUC__ >= 3 +#define yynoreturn __attribute__((__noreturn__)) #else -#define yyconst +#define yynoreturn #endif /* %not-for-header */ - /* Returned upon end-of-file. */ #define YY_NULL 0 /* %ok-for-header */ /* %not-for-header */ - -/* Promotes a possibly negative, possibly signed char to an unsigned - * integer for use as an array index. If the signed char is negative, - * we want to instead treat it as an 8-bit unsigned char, hence the - * double cast. +/* Promotes a possibly negative, possibly signed char to an + * integer in range [0..255] for use as an array index. */ -#define YY_SC_TO_UI(c) ((unsigned int) (unsigned char) c) +#define YY_SC_TO_UI(c) ((YY_CHAR) (c)) /* %ok-for-header */ /* %if-reentrant */ 
@@ -183,20 +392,16 @@ typedef void* yyscan_t; * definition of BEGIN. */ #define BEGIN yyg->yy_start = 1 + 2 * - /* Translate the current start state into a value that can be later handed * to BEGIN to return to the state. The YYSTATE alias is for lex * compatibility. */ #define YY_START ((yyg->yy_start - 1) / 2) #define YYSTATE YY_START - /* Action number for EOF rule of a given start state. */ #define YY_STATE_EOF(state) (YY_END_OF_BUFFER + state + 1) - /* Special action meaning "start processing a new file". */ -#define YY_NEW_FILE conf_parser_restart(yyin ,yyscanner ) - +#define YY_NEW_FILE yyrestart( yyin , yyscanner ) #define YY_END_OF_BUFFER_CHAR 0 /* Size of default input buffer. */ @@ -237,10 +442,10 @@ typedef size_t yy_size_t; #define EOB_ACT_CONTINUE_SCAN 0 #define EOB_ACT_END_OF_FILE 1 #define EOB_ACT_LAST_MATCH 2 - + /* Note: We specifically omit the test for yy_rule_can_match_eol because it requires * access to the local variable yy_act. Since yyless() is a macro, it would break - * existing scanners that call yyless() from OUTSIDE conf_parser_lex. + * existing scanners that call yyless() from OUTSIDE yylex. * One obvious solution it to make yy_act a global. I tried that, and saw * a 5% performance hit in a non-yylineno scanner, because yy_act is * normally declared as a register variable-- so it is not worth it. @@ -273,7 +478,6 @@ typedef size_t yy_size_t; YY_DO_BEFORE_ACTION; /* set up yytext again */ \ } \ while ( 0 ) - #define unput(c) yyunput( c, yyg->yytext_ptr , yyscanner ) #ifndef YY_STRUCT_YY_BUFFER_STATE @@ -293,7 +497,7 @@ struct yy_buffer_state /* Size of input buffer in bytes, not including room for EOB * characters. */ - yy_size_t yy_buf_size; + int yy_buf_size; /* Number of characters read into yy_ch_buf, not including EOB * characters. 
@@ -321,7 +525,7 @@ struct yy_buffer_state int yy_bs_lineno; /**< The line count. */ int yy_bs_column; /**< The column count. */ - + /* Whether to try to fill the input buffer when we reach the * end of it. */ @@ -338,7 +542,7 @@ struct yy_buffer_state * possible backing-up. * * When we actually see the EOF, we change the status to "new" - * (via conf_parser_restart()), so that the user can continue scanning by + * (via yyrestart()), so that the user can continue scanning by * just pointing yyin at a new input file. */ #define YY_BUFFER_EOF_PENDING 2 @@ -348,7 +552,6 @@ struct yy_buffer_state /* %if-c-only Standard (non-C++) definition */ /* %not-for-header */ - /* %if-not-reentrant */ /* %endif */ /* %ok-for-header */ @@ -364,7 +567,6 @@ struct yy_buffer_state #define YY_CURRENT_BUFFER ( yyg->yy_buffer_stack \ ? yyg->yy_buffer_stack[yyg->yy_buffer_stack_top] \ : NULL) - /* Same as previous macro, but useful when we know that the buffer stack is not * NULL or when we need an lvalue. For internal use only. */ 
@@ -374,57 +576,52 @@ struct yy_buffer_state /* %if-not-reentrant */ /* %not-for-header */ - /* %ok-for-header */ /* %endif */ -void conf_parser_restart (FILE *input_file ,yyscan_t yyscanner ); -void conf_parser__switch_to_buffer (YY_BUFFER_STATE new_buffer ,yyscan_t yyscanner ); -YY_BUFFER_STATE conf_parser__create_buffer (FILE *file,int size ,yyscan_t yyscanner ); -void conf_parser__delete_buffer (YY_BUFFER_STATE b ,yyscan_t yyscanner ); -void conf_parser__flush_buffer (YY_BUFFER_STATE b ,yyscan_t yyscanner ); -void conf_parser_push_buffer_state (YY_BUFFER_STATE new_buffer ,yyscan_t yyscanner ); -void conf_parser_pop_buffer_state (yyscan_t yyscanner ); - -static void conf_parser_ensure_buffer_stack (yyscan_t yyscanner ); -static void conf_parser__load_buffer_state (yyscan_t yyscanner ); -static void conf_parser__init_buffer (YY_BUFFER_STATE b,FILE *file ,yyscan_t yyscanner ); +void yyrestart ( FILE *input_file , yyscan_t yyscanner ); +void yy_switch_to_buffer ( YY_BUFFER_STATE new_buffer , yyscan_t yyscanner ); +YY_BUFFER_STATE yy_create_buffer ( FILE *file, int size , yyscan_t yyscanner ); +void yy_delete_buffer ( YY_BUFFER_STATE b , yyscan_t yyscanner ); +void yy_flush_buffer ( YY_BUFFER_STATE b , yyscan_t yyscanner ); +void yypush_buffer_state ( YY_BUFFER_STATE new_buffer , yyscan_t yyscanner ); +void yypop_buffer_state ( yyscan_t yyscanner ); -#define YY_FLUSH_BUFFER conf_parser__flush_buffer(YY_CURRENT_BUFFER ,yyscanner) +static void yyensure_buffer_stack ( yyscan_t yyscanner ); +static void yy_load_buffer_state ( yyscan_t yyscanner ); +static void yy_init_buffer ( YY_BUFFER_STATE b, FILE *file , yyscan_t yyscanner ); +#define YY_FLUSH_BUFFER yy_flush_buffer( YY_CURRENT_BUFFER , yyscanner) -YY_BUFFER_STATE conf_parser__scan_buffer (char *base,yy_size_t size ,yyscan_t yyscanner ); -YY_BUFFER_STATE conf_parser__scan_string (yyconst char *yy_str ,yyscan_t yyscanner ); -YY_BUFFER_STATE conf_parser__scan_bytes (yyconst char *bytes,yy_size_t len ,yyscan_t 
yyscanner ); +YY_BUFFER_STATE yy_scan_buffer ( char *base, yy_size_t size , yyscan_t yyscanner ); +YY_BUFFER_STATE yy_scan_string ( const char *yy_str , yyscan_t yyscanner ); +YY_BUFFER_STATE yy_scan_bytes ( const char *bytes, int len , yyscan_t yyscanner ); /* %endif */ -void *conf_parser_alloc (yy_size_t ,yyscan_t yyscanner ); -void *conf_parser_realloc (void *,yy_size_t ,yyscan_t yyscanner ); -void conf_parser_free (void * ,yyscan_t yyscanner ); - -#define yy_new_buffer conf_parser__create_buffer +void *yyalloc ( yy_size_t , yyscan_t yyscanner ); +void *yyrealloc ( void *, yy_size_t , yyscan_t yyscanner ); +void yyfree ( void * , yyscan_t yyscanner ); +#define yy_new_buffer yy_create_buffer #define yy_set_interactive(is_interactive) \ { \ if ( ! YY_CURRENT_BUFFER ){ \ - conf_parser_ensure_buffer_stack (yyscanner); \ + yyensure_buffer_stack (yyscanner); \ YY_CURRENT_BUFFER_LVALUE = \ - conf_parser__create_buffer(yyin,YY_BUF_SIZE ,yyscanner); \ + yy_create_buffer( yyin, YY_BUF_SIZE , yyscanner); \ } \ YY_CURRENT_BUFFER_LVALUE->yy_is_interactive = is_interactive; \ } - #define yy_set_bol(at_bol) \ { \ if ( ! YY_CURRENT_BUFFER ){\ - conf_parser_ensure_buffer_stack (yyscanner); \ + yyensure_buffer_stack (yyscanner); \ YY_CURRENT_BUFFER_LVALUE = \ - conf_parser__create_buffer(yyin,YY_BUF_SIZE ,yyscanner); \ + yy_create_buffer( yyin, YY_BUF_SIZE , yyscanner); \ } \ YY_CURRENT_BUFFER_LVALUE->yy_at_bol = at_bol; \ } - #define YY_AT_BOL() (YY_CURRENT_BUFFER_LVALUE->yy_at_bol) /* %% [1.0] yytext/yyin/yyout/yy_state_type/yylineno etc. def's & init go here */ @@ -434,8 +631,7 @@ void conf_parser_free (void * ,yyscan_t yyscanner ); #define YY_SKIP_YYWRAP #define FLEX_DEBUG - -typedef unsigned char YY_CHAR; +typedef flex_uint8_t YY_CHAR; typedef int yy_state_type; 
@@ -445,13 +641,10 @@ typedef int yy_state_type; /* %if-c-only Standard (non-C++) definition */ -static yy_state_type yy_get_previous_state (yyscan_t yyscanner ); -static yy_state_type yy_try_NUL_trans (yy_state_type current_state ,yyscan_t yyscanner); -static int yy_get_next_buffer (yyscan_t yyscanner ); -#if defined(__GNUC__) && __GNUC__ >= 3 -__attribute__((__noreturn__)) -#endif -static void yy_fatal_error (yyconst char msg[] ,yyscan_t yyscanner ); +static yy_state_type yy_get_previous_state ( yyscan_t yyscanner ); +static yy_state_type yy_try_NUL_trans ( yy_state_type current_state , yyscan_t yyscanner); +static int yy_get_next_buffer ( yyscan_t yyscanner ); +static void yynoreturn yy_fatal_error ( const char* msg , yyscan_t yyscanner ); /* %endif */ @@ -461,12 +654,11 @@ static void yy_fatal_error (yyconst char msg[] ,yyscan_t yyscanner ); #define YY_DO_BEFORE_ACTION \ yyg->yytext_ptr = yy_bp; \ /* %% [2.0] code to fiddle yytext and yyleng for yymore() goes here \ */\ - yyleng = (size_t) (yy_cp - yy_bp); \ + yyleng = (int) (yy_cp - yy_bp); \ yyg->yy_hold_char = *yy_cp; \ *yy_cp = '\0'; \ /* %% [3.0] code to copy yytext_ptr to yytext[] goes here, if %array \ */\ yyg->yy_c_buf_p = yy_cp; - /* %% [4.0] data tables for the DFA and the user's section 1 definitions go here */ #define YY_NUM_RULES 26 #define YY_END_OF_BUFFER 27 @@ -477,7 +669,7 @@ struct yy_trans_info flex_int32_t yy_verify; flex_int32_t yy_nxt; }; -static yyconst flex_int16_t yy_accept[80] = +static const flex_int16_t yy_accept[80] = { 0, 0, 0, 0, 0, 0, 0, 27, 12, 3, 5, 11, 4, 6, 12, 12, 2, 12, 12, 17, 13, @@ -489,7 +681,7 @@ static yyconst flex_int16_t yy_accept[80] = 0, 1, 10, 10, 0, 0, 0, 7, 0 } ; -static yyconst YY_CHAR yy_ec[256] = +static const YY_CHAR yy_ec[256] = { 0, 1, 1, 1, 1, 1, 1, 1, 1, 2, 3, 1, 1, 4, 1, 1, 1, 1, 1, 1, 1, 
@@ -521,14 +713,14 @@ static yyconst YY_CHAR yy_ec[256] = 1, 1, 1, 1, 1 } ; -static yyconst YY_CHAR yy_meta[28] = +static const YY_CHAR yy_meta[28] = { 0, 1, 2, 3, 1, 2, 4, 2, 5, 1, 6, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 } ; -static yyconst flex_uint16_t yy_base[91] = +static const flex_int16_t yy_base[91] = { 0, 0, 16, 41, 50, 4, 5, 101, 0, 24, 184, 184, 0, 184, 92, 79, 32, 16, 83, 0, 184, @@ -541,7 +733,7 @@ static yyconst flex_uint16_t yy_base[91] = 125, 131, 137, 143, 149, 154, 159, 165, 171, 177 } ; -static yyconst flex_int16_t yy_def[91] = +static const flex_int16_t yy_def[91] = { 0, 80, 80, 81, 81, 82, 82, 79, 83, 79, 79, 79, 84, 79, 83, 83, 79, 83, 83, 85, 79, @@ -554,7 +746,7 @@ static yyconst flex_int16_t yy_def[91] = 79, 79, 79, 79, 79, 79, 79, 79, 79, 79 } ; -static yyconst flex_uint16_t yy_nxt[212] = +static const flex_int16_t yy_nxt[212] = { 0, 79, 9, 10, 79, 9, 11, 12, 13, 14, 24, 24, 79, 79, 25, 25, 52, 15, 16, 10, 53, @@ -582,7 +774,7 @@ static yyconst flex_uint16_t yy_nxt[212] = 79 } ; -static yyconst flex_int16_t yy_chk[212] = +static const flex_int16_t yy_chk[212] = { 0, 0, 1, 1, 0, 1, 1, 1, 1, 1, 5, 6, 0, 0, 5, 6, 48, 1, 2, 2, 48, @@ -611,16 +803,16 @@ static yyconst flex_int16_t yy_chk[212] = } ; /* Table of booleans, true if rule could match eol. */ -static yyconst flex_int32_t yy_rule_can_match_eol[27] = +static const flex_int32_t yy_rule_can_match_eol[27] = { 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, }; -static yyconst flex_int16_t yy_rule_linenum[26] = +static const flex_int16_t yy_rule_linenum[26] = { 0, - 60, 61, 62, 63, 65, 67, 68, 69, 70, 72, - 77, 82, 90, 109, 112, 115, 118, 124, 126, 145, - 146, 147, 148, 149, 150 + 65, 66, 67, 68, 70, 72, 73, 74, 75, 77, + 82, 87, 95, 114, 117, 120, 123, 129, 131, 150, + 151, 152, 153, 154, 155 } ; /* The intent behind this definition is that it'll catch 
@@ -656,9 +848,13 @@ bool conf_parser_open_next_file(parser_helper_t *ctx); static void include_files(parser_helper_t *ctx); +#line 852 "parser/lexer.c" /* use start conditions stack */ /* do not declare unneeded functions */ #define YY_NO_INPUT 1 +/* do not include unistd.h as it might conflict with our scanner states */ +#define YY_NO_UNISTD_H 1 +/* due to that disable interactive mode, which requires isatty() */ /* don't use global variables, and interact properly with bison */ /* maintain the line number */ /* don't generate a default rule */ @@ -669,7 +865,7 @@ static void include_files(parser_helper_t *ctx); /* state used to scan quoted strings */ -#line 673 "parser/lexer.c" +#line 869 "parser/lexer.c" #define INITIAL 0 #define inc 1 @@ -706,7 +902,7 @@ struct yyguts_t YY_BUFFER_STATE * yy_buffer_stack; /**< Stack as an array. */ char yy_hold_char; int yy_n_chars; - yy_size_t yyleng_r; + int yyleng_r; char *yy_c_buf_p; int yy_init; int yy_start; @@ -730,7 +926,7 @@ struct yyguts_t /* %if-c-only */ -static int yy_init_globals (yyscan_t yyscanner ); +static int yy_init_globals ( yyscan_t yyscanner ); /* %endif */ @@ -740,9 +936,9 @@ static int yy_init_globals (yyscan_t yyscanner ); * from bison output in section 1.*/ # define yylval yyg->yylval_r -int conf_parser_lex_init (yyscan_t* scanner); +int yylex_init (yyscan_t* scanner); -int conf_parser_lex_init_extra (YY_EXTRA_TYPE user_defined,yyscan_t* scanner); +int yylex_init_extra ( YY_EXTRA_TYPE user_defined, yyscan_t* scanner); /* %endif */ 
@@ -751,41 +947,41 @@ int conf_parser_lex_init_extra (YY_EXTRA_TYPE user_defined,yyscan_t* scanner); /* Accessor methods to globals. These are made visible to non-reentrant scanners for convenience. */ -int conf_parser_lex_destroy (yyscan_t yyscanner ); +int yylex_destroy ( yyscan_t yyscanner ); -int conf_parser_get_debug (yyscan_t yyscanner ); +int yyget_debug ( yyscan_t yyscanner ); -void conf_parser_set_debug (int debug_flag ,yyscan_t yyscanner ); +void yyset_debug ( int debug_flag , yyscan_t yyscanner ); -YY_EXTRA_TYPE conf_parser_get_extra (yyscan_t yyscanner ); +YY_EXTRA_TYPE yyget_extra ( yyscan_t yyscanner ); -void conf_parser_set_extra (YY_EXTRA_TYPE user_defined ,yyscan_t yyscanner ); +void yyset_extra ( YY_EXTRA_TYPE user_defined , yyscan_t yyscanner ); -FILE *conf_parser_get_in (yyscan_t yyscanner ); +FILE *yyget_in ( yyscan_t yyscanner ); -void conf_parser_set_in (FILE * _in_str ,yyscan_t yyscanner ); +void yyset_in ( FILE * _in_str , yyscan_t yyscanner ); -FILE *conf_parser_get_out (yyscan_t yyscanner ); +FILE *yyget_out ( yyscan_t yyscanner ); -void conf_parser_set_out (FILE * _out_str ,yyscan_t yyscanner ); +void yyset_out ( FILE * _out_str , yyscan_t yyscanner ); -yy_size_t conf_parser_get_leng (yyscan_t yyscanner ); + int yyget_leng ( yyscan_t yyscanner ); -char *conf_parser_get_text (yyscan_t yyscanner ); +char *yyget_text ( yyscan_t yyscanner ); -int conf_parser_get_lineno (yyscan_t yyscanner ); +int yyget_lineno ( yyscan_t yyscanner ); -void conf_parser_set_lineno (int _line_number ,yyscan_t yyscanner ); +void yyset_lineno ( int _line_number , yyscan_t yyscanner ); -int conf_parser_get_column (yyscan_t yyscanner ); +int yyget_column ( yyscan_t yyscanner ); -void conf_parser_set_column (int _column_no ,yyscan_t yyscanner ); +void yyset_column ( int _column_no , yyscan_t yyscanner ); /* %if-bison-bridge */ -YYSTYPE * conf_parser_get_lval (yyscan_t yyscanner ); +YYSTYPE * yyget_lval ( yyscan_t yyscanner ); -void conf_parser_set_lval (YYSTYPE * 
yylval_param ,yyscan_t yyscanner ); +void yyset_lval ( YYSTYPE * yylval_param , yyscan_t yyscanner ); /* %endif */ @@ -795,17 +991,16 @@ void conf_parser_set_lval (YYSTYPE * yylval_param ,yyscan_t yyscanner ); #ifndef YY_SKIP_YYWRAP #ifdef __cplusplus -extern "C" int conf_parser_wrap (yyscan_t yyscanner ); +extern "C" int yywrap ( yyscan_t yyscanner ); #else -extern int conf_parser_wrap (yyscan_t yyscanner ); +extern int yywrap ( yyscan_t yyscanner ); #endif #endif /* %not-for-header */ - #ifndef YY_NO_UNPUT - static void yyunput (int c,char *buf_ptr ,yyscan_t yyscanner); + static void yyunput ( int c, char *buf_ptr , yyscan_t yyscanner); #endif /* %ok-for-header */ @@ -813,21 +1008,20 @@ extern int conf_parser_wrap (yyscan_t yyscanner ); /* %endif */ #ifndef yytext_ptr -static void yy_flex_strncpy (char *,yyconst char *,int ,yyscan_t yyscanner); +static void yy_flex_strncpy ( char *, const char *, int , yyscan_t yyscanner); #endif #ifdef YY_NEED_STRLEN -static int yy_flex_strlen (yyconst char * ,yyscan_t yyscanner); +static int yy_flex_strlen ( const char * , yyscan_t yyscanner); #endif #ifndef YY_NO_INPUT /* %if-c-only Standard (non-C++) definition */ /* %not-for-header */ - #ifdef __cplusplus -static int yyinput (yyscan_t yyscanner ); +static int yyinput ( yyscan_t yyscanner ); #else -static int input (yyscan_t yyscanner ); +static int input ( yyscan_t yyscanner ); #endif /* %ok-for-header */ @@ -836,11 +1030,11 @@ static int input (yyscan_t yyscanner ); /* %if-c-only */ - static void yy_push_state (int _new_state ,yyscan_t yyscanner); + static void yy_push_state ( int _new_state , yyscan_t yyscanner); - static void yy_pop_state (yyscan_t yyscanner ); + static void yy_pop_state ( yyscan_t yyscanner ); - static int yy_top_state (yyscan_t yyscanner ); + static int yy_top_state ( yyscan_t yyscanner ); /* %endif */ 
@@ -860,7 +1054,7 @@ static int input (yyscan_t yyscanner ); /* This used to be an fputs(), but since the string might contain NUL's, * we now use fwrite(). */ -#define ECHO do { if (fwrite( yytext, yyleng, 1, yyout )) {} } while (0) +#define ECHO do { if (fwrite( yytext, (size_t) yyleng, 1, yyout )) {} } while (0) /* %endif */ /* %if-c++-only C++ definition */ /* %endif */ @@ -875,7 +1069,7 @@ static int input (yyscan_t yyscanner ); if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \ { \ int c = '*'; \ - size_t n; \ + int n; \ for ( n = 0; n < max_size && \ (c = getc( yyin )) != EOF && c != '\n'; ++n ) \ buf[n] = (char) c; \ @@ -888,7 +1082,7 @@ static int input (yyscan_t yyscanner ); else \ { \ errno=0; \ - while ( (result = fread(buf, 1, max_size, yyin))==0 && ferror(yyin)) \ + while ( (result = (int) fread(buf, 1, (yy_size_t) max_size, yyin)) == 0 && ferror(yyin)) \ { \ if( errno != EINTR) \ { \ @@ -929,11 +1123,9 @@ static int input (yyscan_t yyscanner ); /* %if-tables-serialization structures and prototypes */ /* %not-for-header */ - /* %ok-for-header */ /* %not-for-header */ - /* %tables-yydmap generated elements */ /* %endif */ /* end tables serialization structures and prototypes */ @@ -947,10 +1139,10 @@ static int input (yyscan_t yyscanner ); #define YY_DECL_IS_OURS 1 /* %if-c-only Standard (non-C++) definition */ -extern int conf_parser_lex \ - (YYSTYPE * yylval_param ,yyscan_t yyscanner); +extern int yylex \ + (YYSTYPE * yylval_param , yyscan_t yyscanner); -#define YY_DECL int conf_parser_lex \ +#define YY_DECL int yylex \ (YYSTYPE * yylval_param , yyscan_t yyscanner) /* %endif */ /* %if-c++-only C++ definition */ @@ -977,7 +1169,6 @@ extern int conf_parser_lex \ YY_USER_ACTION /* %not-for-header */ - /** The main scanner function which does all the work. */ YY_DECL 
@@ -1015,20 +1206,20 @@ YY_DECL /* %endif */ if ( ! YY_CURRENT_BUFFER ) { - conf_parser_ensure_buffer_stack (yyscanner); + yyensure_buffer_stack (yyscanner); YY_CURRENT_BUFFER_LVALUE = - conf_parser__create_buffer(yyin,YY_BUF_SIZE ,yyscanner); + yy_create_buffer( yyin, YY_BUF_SIZE , yyscanner); } - conf_parser__load_buffer_state(yyscanner ); + yy_load_buffer_state( yyscanner ); } { /* %% [7.0] user's declarations go here */ -#line 58 "parser/lexer.l" +#line 63 "parser/lexer.l" -#line 1032 "parser/lexer.c" +#line 1223 "parser/lexer.c" while ( /*CONSTCOND*/1 ) /* loops until end-of-file is reached */ { @@ -1059,22 +1250,18 @@ yy_match: { yy_current_state = (int) yy_def[yy_current_state]; if ( yy_current_state >= 80 ) - yy_c = yy_meta[(unsigned int) yy_c]; + yy_c = yy_meta[yy_c]; } - yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c]; + yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c]; ++yy_cp; } - while ( yy_base[yy_current_state] != 184 ); + while ( yy_current_state != 79 ); + yy_cp = yyg->yy_last_accepting_cpos; + yy_current_state = yyg->yy_last_accepting_state; yy_find_action: /* %% [10.0] code to find the action number goes here */ yy_act = yy_accept[yy_current_state]; - if ( yy_act == 0 ) - { /* have to back up */ - yy_cp = yyg->yy_last_accepting_cpos; - yy_current_state = yyg->yy_last_accepting_state; - yy_act = yy_accept[yy_current_state]; - } YY_DO_BEFORE_ACTION; @@ -1082,10 +1269,10 @@ yy_find_action: if ( yy_act != YY_END_OF_BUFFER && yy_rule_can_match_eol[yy_act] ) { - yy_size_t yyl; + int yyl; for ( yyl = 0; yyl < yyleng; ++yyl ) if ( yytext[yyl] == '\n' ) - + do{ yylineno++; yycolumn=0; }while(0) 
@@ -1126,48 +1313,48 @@ case 1: yyg->yy_c_buf_p = yy_cp -= 1; YY_DO_BEFORE_ACTION; /* set up yytext again */ YY_RULE_SETUP -#line 60 "parser/lexer.l" +#line 65 "parser/lexer.l" /* eat legacy version delcaration */ YY_BREAK case 2: YY_RULE_SETUP -#line 61 "parser/lexer.l" +#line 66 "parser/lexer.l" return SPACES; YY_BREAK case 3: YY_RULE_SETUP -#line 62 "parser/lexer.l" +#line 67 "parser/lexer.l" /* eat other whitespace */ YY_BREAK case 4: YY_RULE_SETUP -#line 63 "parser/lexer.l" +#line 68 "parser/lexer.l" /* eat comments */ YY_BREAK case 5: /* rule 5 can match eol */ YY_RULE_SETUP -#line 65 "parser/lexer.l" +#line 70 "parser/lexer.l" return NEWLINE; YY_BREAK case 6: YY_RULE_SETUP -#line 67 "parser/lexer.l" +#line 72 "parser/lexer.l" return EQ; YY_BREAK case 7: YY_RULE_SETUP -#line 68 "parser/lexer.l" +#line 73 "parser/lexer.l" return CONFIG_SETUP; YY_BREAK case 8: YY_RULE_SETUP -#line 69 "parser/lexer.l" +#line 74 "parser/lexer.l" return CONN; YY_BREAK case 9: YY_RULE_SETUP -#line 70 "parser/lexer.l" +#line 75 "parser/lexer.l" return CA; YY_BREAK case 10: @@ -1177,7 +1364,7 @@ YY_LINENO_REWIND_TO(yy_cp - 1); yyg->yy_c_buf_p = yy_cp -= 1; YY_DO_BEFORE_ACTION; /* set up yytext again */ YY_RULE_SETUP -#line 72 "parser/lexer.l" +#line 77 "parser/lexer.l" { yyextra->string_init(yyextra); yy_push_state(inc, yyscanner); @@ -1185,7 +1372,7 @@ YY_RULE_SETUP YY_BREAK case 11: YY_RULE_SETUP -#line 77 "parser/lexer.l" +#line 82 "parser/lexer.l" { yyextra->string_init(yyextra); yy_push_state(str, yyscanner); @@ -1193,7 +1380,7 @@ YY_RULE_SETUP YY_BREAK case 12: YY_RULE_SETUP -#line 82 "parser/lexer.l" +#line 87 "parser/lexer.l" { yylval->s = strdup(yytext); return STRING; @@ -1202,11 +1389,11 @@ YY_RULE_SETUP /* we allow all characters except # and spaces, they can be escaped */ case YY_STATE_EOF(inc): -#line 89 "parser/lexer.l" +#line 94 "parser/lexer.l" case 13: /* rule 13 can match eol */ YY_RULE_SETUP -#line 90 "parser/lexer.l" +#line 95 "parser/lexer.l" { if (*yytext) { 
@@ -1229,28 +1416,28 @@ YY_RULE_SETUP YY_BREAK case 14: YY_RULE_SETUP -#line 109 "parser/lexer.l" +#line 114 "parser/lexer.l" { /* string include */ yy_push_state(str, yyscanner); } YY_BREAK case 15: YY_RULE_SETUP -#line 112 "parser/lexer.l" +#line 117 "parser/lexer.l" { yyextra->string_add(yyextra, yytext); } YY_BREAK case 16: YY_RULE_SETUP -#line 115 "parser/lexer.l" +#line 120 "parser/lexer.l" { yyextra->string_add(yyextra, yytext+1); } YY_BREAK case 17: YY_RULE_SETUP -#line 118 "parser/lexer.l" +#line 123 "parser/lexer.l" { yyextra->string_add(yyextra, yytext); } @@ -1258,13 +1445,13 @@ YY_RULE_SETUP case 18: -#line 125 "parser/lexer.l" +#line 130 "parser/lexer.l" YY_RULE_SETUP case YY_STATE_EOF(str): -#line 125 "parser/lexer.l" +#line 130 "parser/lexer.l" case 19: YY_RULE_SETUP -#line 126 "parser/lexer.l" +#line 131 "parser/lexer.l" { if (!streq(yytext, "\"")) { @@ -1287,41 +1474,41 @@ YY_RULE_SETUP YY_BREAK case 20: YY_RULE_SETUP -#line 145 "parser/lexer.l" +#line 150 "parser/lexer.l" yyextra->string_add(yyextra, "\n"); YY_BREAK case 21: YY_RULE_SETUP -#line 146 "parser/lexer.l" +#line 151 "parser/lexer.l" yyextra->string_add(yyextra, "\r"); YY_BREAK case 22: YY_RULE_SETUP -#line 147 "parser/lexer.l" +#line 152 "parser/lexer.l" yyextra->string_add(yyextra, "\t"); YY_BREAK case 23: /* rule 23 can match eol */ YY_RULE_SETUP -#line 148 "parser/lexer.l" +#line 153 "parser/lexer.l" /* merge lines that end with EOL characters */ YY_BREAK case 24: YY_RULE_SETUP -#line 149 "parser/lexer.l" +#line 154 "parser/lexer.l" yyextra->string_add(yyextra, yytext+1); YY_BREAK case 25: /* rule 25 can match eol */ YY_RULE_SETUP -#line 150 "parser/lexer.l" +#line 155 "parser/lexer.l" { yyextra->string_add(yyextra, yytext); } YY_BREAK case YY_STATE_EOF(INITIAL): -#line 155 "parser/lexer.l" +#line 160 "parser/lexer.l" { conf_parser_pop_buffer_state(yyscanner); if (!conf_parser_open_next_file(yyextra) && !YY_CURRENT_BUFFER) 
@@ -1332,10 +1519,10 @@ case YY_STATE_EOF(INITIAL): YY_BREAK case 26: YY_RULE_SETUP -#line 163 "parser/lexer.l" +#line 168 "parser/lexer.l" YY_FATAL_ERROR( "flex scanner jammed" ); YY_BREAK -#line 1339 "parser/lexer.c" +#line 1526 "parser/lexer.c" case YY_END_OF_BUFFER: { @@ -1351,7 +1538,7 @@ YY_FATAL_ERROR( "flex scanner jammed" ); /* We're scanning a new file or input source. It's * possible that this happened because the user * just pointed yyin at a new source and called - * conf_parser_lex(). If so, then we have to assure + * yylex(). If so, then we have to assure * consistency between YY_CURRENT_BUFFER and our * globals. Here is the right place to do so, because * this is the first action (other than possibly a @@ -1405,7 +1592,8 @@ YY_FATAL_ERROR( "flex scanner jammed" ); else { /* %% [14.0] code to do back-up for compressed tables and set up yy_cp goes here */ - yy_cp = yyg->yy_c_buf_p; + yy_cp = yyg->yy_last_accepting_cpos; + yy_current_state = yyg->yy_last_accepting_state; goto yy_find_action; } } @@ -1416,7 +1604,7 @@ YY_FATAL_ERROR( "flex scanner jammed" ); { yyg->yy_did_buffer_switch_on_eof = 0; - if ( conf_parser_wrap(yyscanner ) ) + if ( yywrap( yyscanner ) ) { /* Note: because we've taken care in * yy_get_next_buffer() to have set up @@ -1470,12 +1658,11 @@ YY_FATAL_ERROR( "flex scanner jammed" ); } /* end of action switch */ } /* end of scanning one token */ } /* end of user's declarations */ -} /* end of conf_parser_lex */ +} /* end of yylex */ /* %ok-for-header */ /* %if-c++-only */ /* %not-for-header */ - /* %ok-for-header */ /* %endif */ @@ -1496,7 +1683,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; char *dest = YY_CURRENT_BUFFER_LVALUE->yy_ch_buf; char *source = yyg->yytext_ptr; - yy_size_t number_to_move, i; + int number_to_move, i; int ret_val; if ( yyg->yy_c_buf_p > &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[yyg->yy_n_chars + 1] ) 
@@ -1525,7 +1712,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) /* Try to read more data. */ /* First move last chars to start of buffer. */ - number_to_move = (yy_size_t) (yyg->yy_c_buf_p - yyg->yytext_ptr) - 1; + number_to_move = (int) (yyg->yy_c_buf_p - yyg->yytext_ptr - 1); for ( i = 0; i < number_to_move; ++i ) *(dest++) = *(source++); @@ -1538,7 +1725,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) else { - yy_size_t num_to_read = + int num_to_read = YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1; while ( num_to_read <= 0 ) @@ -1552,7 +1739,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) if ( b->yy_is_our_buffer ) { - yy_size_t new_size = b->yy_buf_size * 2; + int new_size = b->yy_buf_size * 2; if ( new_size <= 0 ) b->yy_buf_size += b->yy_buf_size / 8; @@ -1561,11 +1748,12 @@ static int yy_get_next_buffer (yyscan_t yyscanner) b->yy_ch_buf = (char *) /* Include room in for 2 EOB chars. */ - conf_parser_realloc((void *) b->yy_ch_buf,b->yy_buf_size + 2 ,yyscanner ); + yyrealloc( (void *) b->yy_ch_buf, + (yy_size_t) (b->yy_buf_size + 2) , yyscanner ); } else /* Can't grow it, we don't own it. */ - b->yy_ch_buf = 0; + b->yy_ch_buf = NULL; if ( ! b->yy_ch_buf ) YY_FATAL_ERROR( @@ -1593,7 +1781,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) if ( number_to_move == YY_MORE_ADJ ) { ret_val = EOB_ACT_END_OF_FILE; - conf_parser_restart(yyin ,yyscanner); + yyrestart( yyin , yyscanner); } else 
@@ -1607,12 +1795,15 @@ static int yy_get_next_buffer (yyscan_t yyscanner) else ret_val = EOB_ACT_CONTINUE_SCAN; - if ((int) (yyg->yy_n_chars + number_to_move) > YY_CURRENT_BUFFER_LVALUE->yy_buf_size) { + if ((yyg->yy_n_chars + number_to_move) > YY_CURRENT_BUFFER_LVALUE->yy_buf_size) { /* Extend the array by 50%, plus the number we really need. */ int new_size = yyg->yy_n_chars + number_to_move + (yyg->yy_n_chars >> 1); - YY_CURRENT_BUFFER_LVALUE->yy_ch_buf = (char *) conf_parser_realloc((void *) YY_CURRENT_BUFFER_LVALUE->yy_ch_buf,new_size ,yyscanner ); + YY_CURRENT_BUFFER_LVALUE->yy_ch_buf = (char *) yyrealloc( + (void *) YY_CURRENT_BUFFER_LVALUE->yy_ch_buf, (yy_size_t) new_size , yyscanner ); if ( ! YY_CURRENT_BUFFER_LVALUE->yy_ch_buf ) YY_FATAL_ERROR( "out of dynamic memory in yy_get_next_buffer()" ); + /* "- 2" to take care of EOB's */ + YY_CURRENT_BUFFER_LVALUE->yy_buf_size = (int) (new_size - 2); } yyg->yy_n_chars += number_to_move; @@ -1628,7 +1819,6 @@ static int yy_get_next_buffer (yyscan_t yyscanner) /* %if-c-only */ /* %not-for-header */ - static yy_state_type yy_get_previous_state (yyscan_t yyscanner) /* %endif */ /* %if-c++-only */ @@ -1655,9 +1845,9 @@ static int yy_get_next_buffer (yyscan_t yyscanner) { yy_current_state = (int) yy_def[yy_current_state]; if ( yy_current_state >= 80 ) - yy_c = yy_meta[(unsigned int) yy_c]; + yy_c = yy_meta[yy_c]; } - yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c]; + yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c]; } return yy_current_state; @@ -1689,9 +1879,9 @@ static int yy_get_next_buffer (yyscan_t yyscanner) { yy_current_state = (int) yy_def[yy_current_state]; if ( yy_current_state >= 80 ) - yy_c = yy_meta[(unsigned int) yy_c]; + yy_c = yy_meta[yy_c]; } - yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c]; + yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c]; yy_is_jam = (yy_current_state == 79); (void)yyg; 
@@ -1717,7 +1907,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 ) { /* need to shift things up to make room */ /* +2 for EOB chars. */ - yy_size_t number_to_move = yyg->yy_n_chars + 2; + int number_to_move = yyg->yy_n_chars + 2; char *dest = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[ YY_CURRENT_BUFFER_LVALUE->yy_buf_size + 2]; char *source = @@ -1729,7 +1919,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) yy_cp += (int) (dest - source); yy_bp += (int) (dest - source); YY_CURRENT_BUFFER_LVALUE->yy_n_chars = - yyg->yy_n_chars = YY_CURRENT_BUFFER_LVALUE->yy_buf_size; + yyg->yy_n_chars = (int) YY_CURRENT_BUFFER_LVALUE->yy_buf_size; if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 ) YY_FATAL_ERROR( "flex scanner push-back overflow" ); @@ -1781,7 +1971,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) else { /* need more input */ - yy_size_t offset = yyg->yy_c_buf_p - yyg->yytext_ptr; + int offset = (int) (yyg->yy_c_buf_p - yyg->yytext_ptr); ++yyg->yy_c_buf_p; switch ( yy_get_next_buffer( yyscanner ) ) @@ -1798,14 +1988,14 @@ static int yy_get_next_buffer (yyscan_t yyscanner) */ /* Reset buffer status. */ - conf_parser_restart(yyin ,yyscanner); + yyrestart( yyin , yyscanner); /*FALLTHROUGH*/ case EOB_ACT_END_OF_FILE: { - if ( conf_parser_wrap(yyscanner ) ) - return EOF; + if ( yywrap( yyscanner ) ) + return 0; if ( ! yyg->yy_did_buffer_switch_on_eof ) YY_NEW_FILE; @@ -1830,7 +2020,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) /* %% [19.0] update BOL and yylineno */ YY_CURRENT_BUFFER_LVALUE->yy_at_bol = (c == '\n'); if ( YY_CURRENT_BUFFER_LVALUE->yy_at_bol ) - + do{ yylineno++; yycolumn=0; }while(0) 
@@ -1848,7 +2038,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) * @note This function does not reset the start condition to @c INITIAL . */ /* %if-c-only */ - void conf_parser_restart (FILE * input_file , yyscan_t yyscanner) + void yyrestart (FILE * input_file , yyscan_t yyscanner) /* %endif */ /* %if-c++-only */ /* %endif */ @@ -1856,13 +2046,13 @@ static int yy_get_next_buffer (yyscan_t yyscanner) struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; if ( ! YY_CURRENT_BUFFER ){ - conf_parser_ensure_buffer_stack (yyscanner); + yyensure_buffer_stack (yyscanner); YY_CURRENT_BUFFER_LVALUE = - conf_parser__create_buffer(yyin,YY_BUF_SIZE ,yyscanner); + yy_create_buffer( yyin, YY_BUF_SIZE , yyscanner); } - conf_parser__init_buffer(YY_CURRENT_BUFFER,input_file ,yyscanner); - conf_parser__load_buffer_state(yyscanner ); + yy_init_buffer( YY_CURRENT_BUFFER, input_file , yyscanner); + yy_load_buffer_state( yyscanner ); } /* %if-c++-only */ @@ -1873,7 +2063,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) * @param yyscanner The scanner object. */ /* %if-c-only */ - void conf_parser__switch_to_buffer (YY_BUFFER_STATE new_buffer , yyscan_t yyscanner) + void yy_switch_to_buffer (YY_BUFFER_STATE new_buffer , yyscan_t yyscanner) /* %endif */ /* %if-c++-only */ /* %endif */ @@ -1882,10 +2072,10 @@ static int yy_get_next_buffer (yyscan_t yyscanner) /* TODO. We should be able to replace this entire function body * with - * conf_parser_pop_buffer_state(); - * conf_parser_push_buffer_state(new_buffer); + * yypop_buffer_state(); + * yypush_buffer_state(new_buffer); */ - conf_parser_ensure_buffer_stack (yyscanner); + yyensure_buffer_stack (yyscanner); if ( YY_CURRENT_BUFFER == new_buffer ) return; 
@@ -1898,18 +2088,18 @@ static int yy_get_next_buffer (yyscan_t yyscanner) } YY_CURRENT_BUFFER_LVALUE = new_buffer; - conf_parser__load_buffer_state(yyscanner ); + yy_load_buffer_state( yyscanner ); /* We don't actually know whether we did this switch during - * EOF (conf_parser_wrap()) processing, but the only time this flag - * is looked at is after conf_parser_wrap() is called, so it's safe + * EOF (yywrap()) processing, but the only time this flag + * is looked at is after yywrap() is called, so it's safe * to go ahead and always set it. */ yyg->yy_did_buffer_switch_on_eof = 1; } /* %if-c-only */ -static void conf_parser__load_buffer_state (yyscan_t yyscanner) +static void yy_load_buffer_state (yyscan_t yyscanner) /* %endif */ /* %if-c++-only */ /* %endif */ 
@@ -1932,29 +2122,29 @@ static void conf_parser__load_buffer_state (yyscan_t yyscanner) * @return the allocated buffer state. */ /* %if-c-only */ - YY_BUFFER_STATE conf_parser__create_buffer (FILE * file, int size , yyscan_t yyscanner) + YY_BUFFER_STATE yy_create_buffer (FILE * file, int size , yyscan_t yyscanner) /* %endif */ /* %if-c++-only */ /* %endif */ { YY_BUFFER_STATE b; - b = (YY_BUFFER_STATE) conf_parser_alloc(sizeof( struct yy_buffer_state ) ,yyscanner ); + b = (YY_BUFFER_STATE) yyalloc( sizeof( struct yy_buffer_state ) , yyscanner ); if ( ! b ) - YY_FATAL_ERROR( "out of dynamic memory in conf_parser__create_buffer()" ); + YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" ); - b->yy_buf_size = (yy_size_t)size; + b->yy_buf_size = size; /* yy_ch_buf has to be 2 characters longer than the size given because * we need to put in 2 end-of-buffer characters. */ - b->yy_ch_buf = (char *) conf_parser_alloc(b->yy_buf_size + 2 ,yyscanner ); + b->yy_ch_buf = (char *) yyalloc( (yy_size_t) (b->yy_buf_size + 2) , yyscanner ); if ( ! b->yy_ch_buf ) - YY_FATAL_ERROR( "out of dynamic memory in conf_parser__create_buffer()" ); + YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" ); b->yy_is_our_buffer = 1; - conf_parser__init_buffer(b,file ,yyscanner); + yy_init_buffer( b, file , yyscanner); return b; } @@ -1963,11 +2153,11 @@ static void conf_parser__load_buffer_state (yyscan_t yyscanner) /* %endif */ /** Destroy the buffer. - * @param b a buffer created with conf_parser__create_buffer() + * @param b a buffer created with yy_create_buffer() * @param yyscanner The scanner object. */ /* %if-c-only */ - void conf_parser__delete_buffer (YY_BUFFER_STATE b , yyscan_t yyscanner) + void yy_delete_buffer (YY_BUFFER_STATE b , yyscan_t yyscanner) /* %endif */ /* %if-c++-only */ /* %endif */ 
@@ -1981,17 +2171,17 @@ static void conf_parser__load_buffer_state (yyscan_t yyscanner) YY_CURRENT_BUFFER_LVALUE = (YY_BUFFER_STATE) 0; if ( b->yy_is_our_buffer ) - conf_parser_free((void *) b->yy_ch_buf ,yyscanner ); + yyfree( (void *) b->yy_ch_buf , yyscanner ); - conf_parser_free((void *) b ,yyscanner ); + yyfree( (void *) b , yyscanner ); } /* Initializes or reinitializes a buffer. * This function is sometimes called more than once on the same buffer, - * such as during a conf_parser_restart() or at EOF. + * such as during a yyrestart() or at EOF. */ /* %if-c-only */ - static void conf_parser__init_buffer (YY_BUFFER_STATE b, FILE * file , yyscan_t yyscanner) + static void yy_init_buffer (YY_BUFFER_STATE b, FILE * file , yyscan_t yyscanner) /* %endif */ /* %if-c++-only */ /* %endif */ @@ -2000,7 +2190,7 @@ static void conf_parser__load_buffer_state (yyscan_t yyscanner) int oerrno = errno; struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; - conf_parser__flush_buffer(b ,yyscanner); + yy_flush_buffer( b , yyscanner); /* %if-c-only */ b->yy_input_file = file; @@ -2009,8 +2199,8 @@ static void conf_parser__load_buffer_state (yyscan_t yyscanner) /* %endif */ b->yy_fill_buffer = 1; - /* If b is the current buffer, then conf_parser__init_buffer was _probably_ - * called from conf_parser_restart() or through yy_get_next_buffer. + /* If b is the current buffer, then yy_init_buffer was _probably_ + * called from yyrestart() or through yy_get_next_buffer. * In that case, we don't want to reset the lineno or column. */ if (b != YY_CURRENT_BUFFER){ @@ -2020,7 +2210,7 @@ static void conf_parser__load_buffer_state (yyscan_t yyscanner) /* %if-c-only */ - b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0; + b->yy_is_interactive = 0; /* %endif */ /* %if-c++-only */ 
@@ -2033,7 +2223,7 @@ static void conf_parser__load_buffer_state (yyscan_t yyscanner) * @param yyscanner The scanner object. */ /* %if-c-only */ - void conf_parser__flush_buffer (YY_BUFFER_STATE b , yyscan_t yyscanner) + void yy_flush_buffer (YY_BUFFER_STATE b , yyscan_t yyscanner) /* %endif */ /* %if-c++-only */ /* %endif */ @@ -2057,7 +2247,7 @@ static void conf_parser__load_buffer_state (yyscan_t yyscanner) b->yy_buffer_status = YY_BUFFER_NEW; if ( b == YY_CURRENT_BUFFER ) - conf_parser__load_buffer_state(yyscanner ); + yy_load_buffer_state( yyscanner ); } /* %if-c-or-c++ */ @@ -2068,7 +2258,7 @@ static void conf_parser__load_buffer_state (yyscan_t yyscanner) * @param yyscanner The scanner object. */ /* %if-c-only */ -void conf_parser_push_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yyscanner) +void yypush_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yyscanner) /* %endif */ /* %if-c++-only */ /* %endif */ @@ -2077,9 +2267,9 @@ void conf_parser_push_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yyscan if (new_buffer == NULL) return; - conf_parser_ensure_buffer_stack(yyscanner); + yyensure_buffer_stack(yyscanner); - /* This block is copied from conf_parser__switch_to_buffer. */ + /* This block is copied from yy_switch_to_buffer. */ if ( YY_CURRENT_BUFFER ) { /* Flush out information for old buffer. */ @@ -2093,8 +2283,8 @@ void conf_parser_push_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yyscan yyg->yy_buffer_stack_top++; YY_CURRENT_BUFFER_LVALUE = new_buffer; - /* copied from conf_parser__switch_to_buffer. */ - conf_parser__load_buffer_state(yyscanner ); + /* copied from yy_switch_to_buffer. */ + yy_load_buffer_state( yyscanner ); yyg->yy_did_buffer_switch_on_eof = 1; } /* %endif */ 
@@ -2105,7 +2295,7 @@ void conf_parser_push_buffer_state (YY_BUFFER_STATE new_buffer , yyscan_t yyscan * @param yyscanner The scanner object. */ /* %if-c-only */ -void conf_parser_pop_buffer_state (yyscan_t yyscanner) +void yypop_buffer_state (yyscan_t yyscanner) /* %endif */ /* %if-c++-only */ /* %endif */ @@ -2114,13 +2304,13 @@ void conf_parser_pop_buffer_state (yyscan_t yyscanner) if (!YY_CURRENT_BUFFER) return; - conf_parser__delete_buffer(YY_CURRENT_BUFFER ,yyscanner); + yy_delete_buffer(YY_CURRENT_BUFFER , yyscanner); YY_CURRENT_BUFFER_LVALUE = NULL; if (yyg->yy_buffer_stack_top > 0) --yyg->yy_buffer_stack_top; if (YY_CURRENT_BUFFER) { - conf_parser__load_buffer_state(yyscanner ); + yy_load_buffer_state( yyscanner ); yyg->yy_did_buffer_switch_on_eof = 1; } } @@ -2131,7 +2321,7 @@ void conf_parser_pop_buffer_state (yyscan_t yyscanner) * Guarantees space for at least one push. */ /* %if-c-only */ -static void conf_parser_ensure_buffer_stack (yyscan_t yyscanner) +static void yyensure_buffer_stack (yyscan_t yyscanner) /* %endif */ /* %if-c++-only */ /* %endif */ @@ -2145,15 +2335,15 @@ static void conf_parser_ensure_buffer_stack (yyscan_t yyscanner) * scanner will even need a stack. We use 2 instead of 1 to avoid an * immediate realloc on the next call. */ - num_to_alloc = 1; /* After all that talk, this was set to 1 anyways... */ - yyg->yy_buffer_stack = (struct yy_buffer_state**)conf_parser_alloc + num_to_alloc = 1; /* After all that talk, this was set to 1 anyways... */ + yyg->yy_buffer_stack = (struct yy_buffer_state**)yyalloc (num_to_alloc * sizeof(struct yy_buffer_state*) , yyscanner); if ( ! yyg->yy_buffer_stack ) - YY_FATAL_ERROR( "out of dynamic memory in conf_parser_ensure_buffer_stack()" ); - + YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" ); + memset(yyg->yy_buffer_stack, 0, num_to_alloc * sizeof(struct yy_buffer_state*)); - + yyg->yy_buffer_stack_max = num_to_alloc; yyg->yy_buffer_stack_top = 0; return; 
@@ -2165,12 +2355,12 @@ static void conf_parser_ensure_buffer_stack (yyscan_t yyscanner) yy_size_t grow_size = 8 /* arbitrary grow size */; num_to_alloc = yyg->yy_buffer_stack_max + grow_size; - yyg->yy_buffer_stack = (struct yy_buffer_state**)conf_parser_realloc + yyg->yy_buffer_stack = (struct yy_buffer_state**)yyrealloc (yyg->yy_buffer_stack, num_to_alloc * sizeof(struct yy_buffer_state*) , yyscanner); if ( ! yyg->yy_buffer_stack ) - YY_FATAL_ERROR( "out of dynamic memory in conf_parser_ensure_buffer_stack()" ); + YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" ); /* zero only the new slots.*/ memset(yyg->yy_buffer_stack + yyg->yy_buffer_stack_max, 0, grow_size * sizeof(struct yy_buffer_state*)); @@ -2184,9 +2374,9 @@ static void conf_parser_ensure_buffer_stack (yyscan_t yyscanner) * @param base the character buffer * @param size the size in bytes of the character buffer * @param yyscanner The scanner object. - * @return the newly allocated buffer state object. + * @return the newly allocated buffer state object. */ -YY_BUFFER_STATE conf_parser__scan_buffer (char * base, yy_size_t size , yyscan_t yyscanner) +YY_BUFFER_STATE yy_scan_buffer (char * base, yy_size_t size , yyscan_t yyscanner) { YY_BUFFER_STATE b; 
@@ -2194,73 +2384,73 @@ YY_BUFFER_STATE conf_parser__scan_buffer (char * base, yy_size_t size , yyscan base[size-2] != YY_END_OF_BUFFER_CHAR || base[size-1] != YY_END_OF_BUFFER_CHAR ) /* They forgot to leave room for the EOB's. */ - return 0; + return NULL; - b = (YY_BUFFER_STATE) conf_parser_alloc(sizeof( struct yy_buffer_state ) ,yyscanner ); + b = (YY_BUFFER_STATE) yyalloc( sizeof( struct yy_buffer_state ) , yyscanner ); if ( ! b ) - YY_FATAL_ERROR( "out of dynamic memory in conf_parser__scan_buffer()" ); + YY_FATAL_ERROR( "out of dynamic memory in yy_scan_buffer()" ); - b->yy_buf_size = size - 2; /* "- 2" to take care of EOB's */ + b->yy_buf_size = (int) (size - 2); /* "- 2" to take care of EOB's */ b->yy_buf_pos = b->yy_ch_buf = base; b->yy_is_our_buffer = 0; - b->yy_input_file = 0; + b->yy_input_file = NULL; b->yy_n_chars = b->yy_buf_size; b->yy_is_interactive = 0; b->yy_at_bol = 1; b->yy_fill_buffer = 0; b->yy_buffer_status = YY_BUFFER_NEW; - conf_parser__switch_to_buffer(b ,yyscanner ); + yy_switch_to_buffer( b , yyscanner ); return b; } /* %endif */ /* %if-c-only */ -/** Setup the input buffer state to scan a string. The next call to conf_parser_lex() will +/** Setup the input buffer state to scan a string. The next call to yylex() will * scan from a @e copy of @a str. * @param yystr a NUL-terminated string to scan * @param yyscanner The scanner object. * @return the newly allocated buffer state object. * @note If you want to scan bytes that may contain NUL values, then use - * conf_parser__scan_bytes() instead. + * yy_scan_bytes() instead. */ -YY_BUFFER_STATE conf_parser__scan_string (yyconst char * yystr , yyscan_t yyscanner) +YY_BUFFER_STATE yy_scan_string (const char * yystr , yyscan_t yyscanner) { - return conf_parser__scan_bytes(yystr,strlen(yystr) ,yyscanner); + return yy_scan_bytes( yystr, (int) strlen(yystr) , yyscanner); } /* %endif */ /* %if-c-only */ -/** Setup the input buffer state to scan the given bytes. 
The next call to conf_parser_lex() will +/** Setup the input buffer state to scan the given bytes. The next call to yylex() will * scan from a @e copy of @a bytes. * @param yybytes the byte buffer to scan * @param _yybytes_len the number of bytes in the buffer pointed to by @a bytes. * @param yyscanner The scanner object. * @return the newly allocated buffer state object. */ -YY_BUFFER_STATE conf_parser__scan_bytes (yyconst char * yybytes, yy_size_t _yybytes_len , yyscan_t yyscanner) +YY_BUFFER_STATE yy_scan_bytes (const char * yybytes, int _yybytes_len , yyscan_t yyscanner) { YY_BUFFER_STATE b; char *buf; yy_size_t n; - yy_size_t i; + int i; /* Get memory for full buffer, including space for trailing EOB's. */ - n = _yybytes_len + 2; - buf = (char *) conf_parser_alloc(n ,yyscanner ); + n = (yy_size_t) (_yybytes_len + 2); + buf = (char *) yyalloc( n , yyscanner ); if ( ! buf ) - YY_FATAL_ERROR( "out of dynamic memory in conf_parser__scan_bytes()" ); + YY_FATAL_ERROR( "out of dynamic memory in yy_scan_bytes()" ); for ( i = 0; i < _yybytes_len; ++i ) buf[i] = yybytes[i]; buf[_yybytes_len] = buf[_yybytes_len+1] = YY_END_OF_BUFFER_CHAR; - b = conf_parser__scan_buffer(buf,n ,yyscanner); + b = yy_scan_buffer( buf, n , yyscanner); if ( ! b ) - YY_FATAL_ERROR( "bad buffer in conf_parser__scan_bytes()" ); + YY_FATAL_ERROR( "bad buffer in yy_scan_bytes()" ); /* It's okay to grow etc. this buffer, and we should throw it * away when we're done. 
@@ -2283,13 +2473,14 @@ YY_BUFFER_STATE conf_parser__scan_bytes (yyconst char * yybytes, yy_size_t _yy yy_size_t new_size; yyg->yy_start_stack_depth += YY_START_STACK_INCR; - new_size = yyg->yy_start_stack_depth * sizeof( int ); + new_size = (yy_size_t) yyg->yy_start_stack_depth * sizeof( int ); if ( ! yyg->yy_start_stack ) - yyg->yy_start_stack = (int *) conf_parser_alloc(new_size ,yyscanner ); + yyg->yy_start_stack = (int *) yyalloc( new_size , yyscanner ); else - yyg->yy_start_stack = (int *) conf_parser_realloc((void *) yyg->yy_start_stack,new_size ,yyscanner ); + yyg->yy_start_stack = (int *) yyrealloc( + (void *) yyg->yy_start_stack, new_size , yyscanner ); if ( ! yyg->yy_start_stack ) YY_FATAL_ERROR( "out of memory expanding start-condition stack" ); @@ -2328,11 +2519,11 @@ YY_BUFFER_STATE conf_parser__scan_bytes (yyconst char * yybytes, yy_size_t _yy #endif /* %if-c-only */ -static void yy_fatal_error (yyconst char* msg , yyscan_t yyscanner) +static void yynoreturn yy_fatal_error (const char* msg , yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; (void)yyg; - (void) fprintf( stderr, "%s\n", msg ); + fprintf( stderr, "%s\n", msg ); exit( YY_EXIT_FAILURE ); } /* %endif */ @@ -2364,7 +2555,7 @@ static void yy_fatal_error (yyconst char* msg , yyscan_t yyscanner) /** Get the user-defined data for this scanner. * @param yyscanner The scanner object. */ -YY_EXTRA_TYPE conf_parser_get_extra (yyscan_t yyscanner) +YY_EXTRA_TYPE yyget_extra (yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; return yyextra; @@ -2375,10 +2566,10 @@ YY_EXTRA_TYPE conf_parser_get_extra (yyscan_t yyscanner) /** Get the current line number. * @param yyscanner The scanner object. */ -int conf_parser_get_lineno (yyscan_t yyscanner) +int yyget_lineno (yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; - + if (! YY_CURRENT_BUFFER) return 0; 
@@ -2388,10 +2579,10 @@ int conf_parser_get_lineno (yyscan_t yyscanner) /** Get the current column number. * @param yyscanner The scanner object. */ -int conf_parser_get_column (yyscan_t yyscanner) +int yyget_column (yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; - + if (! YY_CURRENT_BUFFER) return 0; @@ -2401,7 +2592,7 @@ int conf_parser_get_column (yyscan_t yyscanner) /** Get the input stream. * @param yyscanner The scanner object. */ -FILE *conf_parser_get_in (yyscan_t yyscanner) +FILE *yyget_in (yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; return yyin; @@ -2410,7 +2601,7 @@ FILE *conf_parser_get_in (yyscan_t yyscanner) /** Get the output stream. * @param yyscanner The scanner object. */ -FILE *conf_parser_get_out (yyscan_t yyscanner) +FILE *yyget_out (yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; return yyout; @@ -2419,7 +2610,7 @@ FILE *conf_parser_get_out (yyscan_t yyscanner) /** Get the length of the current token. * @param yyscanner The scanner object. */ -yy_size_t conf_parser_get_leng (yyscan_t yyscanner) +int yyget_leng (yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; return yyleng; @@ -2429,7 +2620,7 @@ yy_size_t conf_parser_get_leng (yyscan_t yyscanner) * @param yyscanner The scanner object. */ -char *conf_parser_get_text (yyscan_t yyscanner) +char *yyget_text (yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; return yytext; @@ -2441,7 +2632,7 @@ char *conf_parser_get_text (yyscan_t yyscanner) * @param user_defined The data to be associated with this scanner. * @param yyscanner The scanner object. */ -void conf_parser_set_extra (YY_EXTRA_TYPE user_defined , yyscan_t yyscanner) +void yyset_extra (YY_EXTRA_TYPE user_defined , yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; yyextra = user_defined ; 
@@ -2453,13 +2644,13 @@ void conf_parser_set_extra (YY_EXTRA_TYPE user_defined , yyscan_t yyscanner) * @param _line_number line number * @param yyscanner The scanner object. */ -void conf_parser_set_lineno (int _line_number , yyscan_t yyscanner) +void yyset_lineno (int _line_number , yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; /* lineno is only valid if an input buffer exists. */ if (! YY_CURRENT_BUFFER ) - YY_FATAL_ERROR( "conf_parser_set_lineno called with no buffer" ); + YY_FATAL_ERROR( "yyset_lineno called with no buffer" ); yylineno = _line_number; } @@ -2468,13 +2659,13 @@ void conf_parser_set_lineno (int _line_number , yyscan_t yyscanner) * @param _column_no column number * @param yyscanner The scanner object. */ -void conf_parser_set_column (int _column_no , yyscan_t yyscanner) +void yyset_column (int _column_no , yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; /* column is only valid if an input buffer exists. */ if (! YY_CURRENT_BUFFER ) - YY_FATAL_ERROR( "conf_parser_set_column called with no buffer" ); + YY_FATAL_ERROR( "yyset_column called with no buffer" ); yycolumn = _column_no; } 
@@ -2483,27 +2674,27 @@ void conf_parser_set_column (int _column_no , yyscan_t yyscanner) * input buffer. * @param _in_str A readable stream. * @param yyscanner The scanner object. - * @see conf_parser__switch_to_buffer + * @see yy_switch_to_buffer */ -void conf_parser_set_in (FILE * _in_str , yyscan_t yyscanner) +void yyset_in (FILE * _in_str , yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; yyin = _in_str ; } -void conf_parser_set_out (FILE * _out_str , yyscan_t yyscanner) +void yyset_out (FILE * _out_str , yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; yyout = _out_str ; } -int conf_parser_get_debug (yyscan_t yyscanner) +int yyget_debug (yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; return yy_flex_debug; } -void conf_parser_set_debug (int _bdebug , yyscan_t yyscanner) +void yyset_debug (int _bdebug , yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; yy_flex_debug = _bdebug ; @@ -2516,13 +2707,13 @@ void conf_parser_set_debug (int _bdebug , yyscan_t yyscanner) /* %if-bison-bridge */ -YYSTYPE * conf_parser_get_lval (yyscan_t yyscanner) +YYSTYPE * yyget_lval (yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; return yylval; } -void conf_parser_set_lval (YYSTYPE * yylval_param , yyscan_t yyscanner) +void yyset_lval (YYSTYPE * yylval_param , yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; yylval = yylval_param; 
@@ -2532,20 +2723,18 @@ void conf_parser_set_lval (YYSTYPE * yylval_param , yyscan_t yyscanner) /* User-visible API */ -/* conf_parser_lex_init is special because it creates the scanner itself, so it is +/* yylex_init is special because it creates the scanner itself, so it is * the ONLY reentrant function that doesn't take the scanner as the last argument. * That's why we explicitly handle the declaration, instead of using our macros. */ - -int conf_parser_lex_init(yyscan_t* ptr_yy_globals) - +int yylex_init(yyscan_t* ptr_yy_globals) { if (ptr_yy_globals == NULL){ errno = EINVAL; return 1; } - *ptr_yy_globals = (yyscan_t) conf_parser_alloc ( sizeof( struct yyguts_t ), NULL ); + *ptr_yy_globals = (yyscan_t) yyalloc ( sizeof( struct yyguts_t ), NULL ); if (*ptr_yy_globals == NULL){ errno = ENOMEM; 
@@ -2558,39 +2747,37 @@ int conf_parser_lex_init(yyscan_t* ptr_yy_globals) return yy_init_globals ( *ptr_yy_globals ); } -/* conf_parser_lex_init_extra has the same functionality as conf_parser_lex_init, but follows the +/* yylex_init_extra has the same functionality as yylex_init, but follows the * convention of taking the scanner as the last argument. Note however, that * this is a *pointer* to a scanner, as it will be allocated by this call (and * is the reason, too, why this function also must handle its own declaration). - * The user defined value in the first argument will be available to conf_parser_alloc in + * The user defined value in the first argument will be available to yyalloc in * the yyextra field. */ - -int conf_parser_lex_init_extra(YY_EXTRA_TYPE yy_user_defined,yyscan_t* ptr_yy_globals ) - +int yylex_init_extra( YY_EXTRA_TYPE yy_user_defined, yyscan_t* ptr_yy_globals ) { struct yyguts_t dummy_yyguts; - conf_parser_set_extra (yy_user_defined, &dummy_yyguts); + yyset_extra (yy_user_defined, &dummy_yyguts); if (ptr_yy_globals == NULL){ errno = EINVAL; return 1; } - - *ptr_yy_globals = (yyscan_t) conf_parser_alloc ( sizeof( struct yyguts_t ), &dummy_yyguts ); - + + *ptr_yy_globals = (yyscan_t) yyalloc ( sizeof( struct yyguts_t ), &dummy_yyguts ); + if (*ptr_yy_globals == NULL){ errno = ENOMEM; return 1; } - + /* By setting to 0xAA, we expose bugs in yy_init_globals. Leave at 0x00 for releases. */ memset(*ptr_yy_globals,0x00,sizeof(struct yyguts_t)); - - conf_parser_set_extra (yy_user_defined, *ptr_yy_globals); - + + yyset_extra (yy_user_defined, *ptr_yy_globals); + return yy_init_globals ( *ptr_yy_globals ); } 
@@ -2601,13 +2788,13 @@ static int yy_init_globals (yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; /* Initialization is the same as for the non-reentrant scanner. - * This function is called from conf_parser_lex_destroy(), so don't allocate here. + * This function is called from yylex_destroy(), so don't allocate here. */ - yyg->yy_buffer_stack = 0; + yyg->yy_buffer_stack = NULL; yyg->yy_buffer_stack_top = 0; yyg->yy_buffer_stack_max = 0; - yyg->yy_c_buf_p = (char *) 0; + yyg->yy_c_buf_p = NULL; yyg->yy_init = 0; yyg->yy_start = 0; 
@@ -2620,45 +2807,45 @@ static int yy_init_globals (yyscan_t yyscanner) yyin = stdin; yyout = stdout; #else - yyin = (FILE *) 0; - yyout = (FILE *) 0; + yyin = NULL; + yyout = NULL; #endif /* For future reference: Set errno on error, since we are called by - * conf_parser_lex_init() + * yylex_init() */ return 0; } /* %endif */ /* %if-c-only SNIP! this currently causes conflicts with the c++ scanner */ -/* conf_parser_lex_destroy is for both reentrant and non-reentrant scanners. */ -int conf_parser_lex_destroy (yyscan_t yyscanner) +/* yylex_destroy is for both reentrant and non-reentrant scanners. */ +int yylex_destroy (yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; /* Pop the buffer stack, destroying each element. */ while(YY_CURRENT_BUFFER){ - conf_parser__delete_buffer(YY_CURRENT_BUFFER ,yyscanner ); + yy_delete_buffer( YY_CURRENT_BUFFER , yyscanner ); YY_CURRENT_BUFFER_LVALUE = NULL; - conf_parser_pop_buffer_state(yyscanner); + yypop_buffer_state(yyscanner); } /* Destroy the stack itself. */ - conf_parser_free(yyg->yy_buffer_stack ,yyscanner); + yyfree(yyg->yy_buffer_stack , yyscanner); yyg->yy_buffer_stack = NULL; /* Destroy the start condition stack. */ - conf_parser_free(yyg->yy_start_stack ,yyscanner ); + yyfree( yyg->yy_start_stack , yyscanner ); yyg->yy_start_stack = NULL; /* Reset the globals. This is important in a non-reentrant scanner so the next time - * conf_parser_lex() is called, initialization will occur. */ + * yylex() is called, initialization will occur. */ yy_init_globals( yyscanner); /* %if-reentrant */ /* Destroy the main struct (reentrant only). */ - conf_parser_free ( yyscanner , yyscanner ); + yyfree ( yyscanner , yyscanner ); yyscanner = NULL; /* %endif */ return 0; 
@@ -2670,7 +2857,7 @@ int conf_parser_lex_destroy (yyscan_t yyscanner) */ #ifndef yytext_ptr -static void yy_flex_strncpy (char* s1, yyconst char * s2, int n , yyscan_t yyscanner) +static void yy_flex_strncpy (char* s1, const char * s2, int n , yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; (void)yyg; @@ -2682,7 +2869,7 @@ static void yy_flex_strncpy (char* s1, yyconst char * s2, int n , yyscan_t yysca #endif #ifdef YY_NEED_STRLEN -static int yy_flex_strlen (yyconst char * s , yyscan_t yyscanner) +static int yy_flex_strlen (const char * s , yyscan_t yyscanner) { int n; for ( n = 0; s[n]; ++n ) @@ -2692,14 +2879,14 @@ static int yy_flex_strlen (yyconst char * s , yyscan_t yyscanner) } #endif -void *conf_parser_alloc (yy_size_t size , yyscan_t yyscanner) +void *yyalloc (yy_size_t size , yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; (void)yyg; - return (void *) malloc( size ); + return malloc(size); } -void *conf_parser_realloc (void * ptr, yy_size_t size , yyscan_t yyscanner) +void *yyrealloc (void * ptr, yy_size_t size , yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; (void)yyg; @@ -2711,14 +2898,14 @@ void *conf_parser_realloc (void * ptr, yy_size_t size , yyscan_t yyscanner) * any pointer type to void*, and deal with argument conversions * as though doing an assignment. */ - return (void *) realloc( (char *) ptr, size ); + return realloc(ptr, size); } -void conf_parser_free (void * ptr , yyscan_t yyscanner) +void yyfree (void * ptr , yyscan_t yyscanner) { struct yyguts_t * yyg = (struct yyguts_t*)yyscanner; (void)yyg; - free( (char *) ptr ); /* see conf_parser_realloc() for (char *) cast */ + free( (char *) ptr ); /* see yyrealloc() for (char *) cast */ } /* %if-tables-serialization definitions */ @@ -2728,8 +2915,7 @@ void conf_parser_free (void * ptr , yyscan_t yyscanner) /* %ok-for-header */ -#line 163 "parser/lexer.l" - +#line 168 "parser/lexer.l" /** 
diff --git a/src/starter/parser/lexer.l b/src/starter/parser/lexer.l index fb23a0f93..b81d6ce74 100644 --- a/src/starter/parser/lexer.l +++ b/src/starter/parser/lexer.l @@ -33,6 +33,11 @@ static void include_files(parser_helper_t *ctx); /* do not declare unneeded functions */ %option noinput noyywrap +/* do not include unistd.h as it might conflict with our scanner states */ +%option nounistd +/* due to that disable interactive mode, which requires isatty() */ +%option never-interactive + /* don't use global variables, and interact properly with bison */ %option reentrant bison-bridge diff --git a/src/stroke/stroke_keywords.c b/src/stroke/stroke_keywords.c index 17a3663fe..33d735164 100644 --- a/src/stroke/stroke_keywords.c +++ b/src/stroke/stroke_keywords.c @@ -1,4 +1,4 @@ -/* C code produced by gperf version 3.0.4 */ +/* ANSI-C code produced by gperf version 3.1 */ /* Command-line: /usr/bin/gperf -m 10 -D -C -G -t */ /* Computed positions: -k'1,5,7' */ @@ -26,7 +26,7 @@ && ('w' == 119) && ('x' == 120) && ('y' == 121) && ('z' == 122) \ && ('{' == 123) && ('|' == 124) && ('}' == 125) && ('~' == 126)) /* The character set is not based on ISO-646. */ -error "gperf generated tables don't work with this execution character set. Please report a bug to ." +#error "gperf generated tables don't work with this execution character set. Please report a bug to ." #endif @@ -69,9 +69,7 @@ inline #endif #endif static unsigned int -hash (str, len) - register const char *str; - register unsigned int len; +hash (register const char *str, register size_t len) { static const unsigned char asso_values[] = { @@ -102,7 +100,7 @@ hash (str, len) 60, 60, 60, 60, 60, 60, 60, 60, 60, 60, 60, 60, 60, 60, 60, 60 }; - register int hval = len; + register unsigned int hval = len; switch (hval) { 
@@ -175,7 +173,7 @@ static const struct stroke_token wordlist[] = {"resetcounters", STROKE_COUNTERS_RESET} }; -static const short lookup[] = +static const signed char lookup[] = { -1, -1, -1, 0, 1, 2, -1, 3, -1, 4, -1, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, @@ -184,22 +182,14 @@ static const short lookup[] = -1, 46, -1, 47 }; -#ifdef __GNUC__ -__inline -#if defined __GNUC_STDC_INLINE__ || defined __GNUC_GNU_INLINE__ -__attribute__ ((__gnu_inline__)) -#endif -#endif const struct stroke_token * -in_word_set (str, len) - register const char *str; - register unsigned int len; +in_word_set (register const char *str, register size_t len) { if (len <= MAX_WORD_LENGTH && len >= MIN_WORD_LENGTH) { - register int key = hash (str, len); + register unsigned int key = hash (str, len); - if (key <= MAX_HASH_VALUE && key >= 0) + if (key <= MAX_HASH_VALUE) { register int index = lookup[key]; diff --git a/src/stroke/stroke_keywords.h b/src/stroke/stroke_keywords.h index 4e0b66b3d..fa86ccb47 100644 --- a/src/stroke/stroke_keywords.h +++ b/src/stroke/stroke_keywords.h @@ -74,6 +74,6 @@ typedef enum { typedef struct stroke_token stroke_token_t; extern const stroke_token_t* in_word_set(register const char *str, - register unsigned len); + register size_t len); #endif /* _STROKE_KEYWORDS_H_ */ diff --git a/src/sw-collector/sw-collector.c b/src/sw-collector/sw-collector.c index f8229a192..5453eeb60 100644 --- a/src/sw-collector/sw-collector.c +++ b/src/sw-collector/sw-collector.c @@ -27,7 +27,7 @@ #include "sw_collector_history.h" #include "sw_collector_rest_api.h" #include "sw_collector_dpkg.h" -# + #include #include #include @@ -165,7 +165,6 @@ static collector_op_t do_args(int argc, char *argv[], bool *full_tags, case 'h': usage(); exit(SUCCESS); - break; case 'C': op = COLLECTOR_OP_CHECK; continue; diff --git a/src/swanctl/commands/load_all.c b/src/swanctl/commands/load_all.c index 26f043a6a..d0032467a 100644 --- a/src/swanctl/commands/load_all.c 
+++ b/src/swanctl/commands/load_all.c @@ -31,7 +31,7 @@ static int load_all(vici_conn_t *conn) bool clear = FALSE, noprompt = FALSE; command_format_options_t format = COMMAND_FORMAT_NONE; settings_t *cfg; - char *arg, *file = SWANCTL_CONF; + char *arg, *file = NULL; int ret = 0; while (TRUE) @@ -63,10 +63,9 @@ static int load_all(vici_conn_t *conn) break; } - cfg = settings_create(file); + cfg = load_swanctl_conf(file); if (!cfg) { - fprintf(stderr, "parsing '%s' failed\n", file); return EINVAL; } diff --git a/src/swanctl/commands/load_authorities.c b/src/swanctl/commands/load_authorities.c index 61682a386..a4e1f46d3 100644 --- a/src/swanctl/commands/load_authorities.c +++ b/src/swanctl/commands/load_authorities.c @@ -55,8 +55,9 @@ static bool add_file_key_value(vici_req_t *req, char *key, char *value) else { path = buf; - snprintf(path, PATH_MAX, "%s%s%s", - SWANCTL_X509CADIR, DIRECTORY_SEPARATOR, value); + snprintf(path, PATH_MAX, "%s%s%s%s%s", swanctl_dir, + DIRECTORY_SEPARATOR, SWANCTL_X509CADIR, + DIRECTORY_SEPARATOR, value); } map = chunk_map(path, FALSE); @@ -83,7 +84,6 @@ static bool add_key_values(vici_req_t *req, enumerator_t *enumerator) char *key, *value; bool ret = TRUE; - while (enumerator->enumerate(enumerator, &key, &value)) { if (streq(key, "cacert")) @@ -310,7 +310,7 @@ static int load_authorities(vici_conn_t *conn) { command_format_options_t format = COMMAND_FORMAT_NONE; settings_t *cfg; - char *arg, *file = SWANCTL_CONF; + char *arg, *file = NULL; int ret; while (TRUE) @@ -336,10 +336,9 @@ static int load_authorities(vici_conn_t *conn) break; } - cfg = settings_create(file); + cfg = load_swanctl_conf(file); if (!cfg) { - fprintf(stderr, "parsing '%s' failed\n", file); return EINVAL; } diff --git a/src/swanctl/commands/load_conns.c b/src/swanctl/commands/load_conns.c index dad03945d..de23816fb 100644 --- a/src/swanctl/commands/load_conns.c +++ b/src/swanctl/commands/load_conns.c 
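Review bot: The snprintf() into `path` (PATH_MAX bytes) in add_file_key_value() is not checked for truncation, and now that the runtime `swanctl_dir` prefix is part of the format an over-long directory yields a silently cut-off name that is handed to chunk_map() as if it were the intended file. The return value should be compared with the buffer size and treated as an error, e.g. `if (snprintf(path, PATH_MAX, "%s%s%s%s%s", swanctl_dir, DIRECTORY_SEPARATOR, SWANCTL_X509CADIR, DIRECTORY_SEPARATOR, value) >= PATH_MAX)` followed by `return FALSE;` (the function returns bool, but its other failure paths lie outside this hunk, so match whatever they do). add_file_key_value() begins outside the hunk. The same unchecked pattern is introduced in the add_file_list_key() hunk of load_conns.c and in the load_certs(), load_keys() and load_containers() hunks of load_creds.c.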
@@ -120,20 +120,23 @@ static bool add_file_list_key(vici_req_t *req, char *key, char *value) { if (streq(key, "certs")) { - snprintf(buf, sizeof(buf), "%s%s%s", - SWANCTL_X509DIR, DIRECTORY_SEPARATOR, token); + snprintf(buf, sizeof(buf), "%s%s%s%s%s", swanctl_dir, + DIRECTORY_SEPARATOR, SWANCTL_X509DIR, + DIRECTORY_SEPARATOR, token); token = buf; } else if (streq(key, "cacerts")) { - snprintf(buf, sizeof(buf), "%s%s%s", - SWANCTL_X509CADIR, DIRECTORY_SEPARATOR, token); + snprintf(buf, sizeof(buf), "%s%s%s%s%s", swanctl_dir, + DIRECTORY_SEPARATOR, SWANCTL_X509CADIR, + DIRECTORY_SEPARATOR, token); token = buf; } else if (streq(key, "pubkeys")) { - snprintf(buf, sizeof(buf), "%s%s%s", - SWANCTL_PUBKEYDIR, DIRECTORY_SEPARATOR, token); + snprintf(buf, sizeof(buf), "%s%s%s%s%s", swanctl_dir, + DIRECTORY_SEPARATOR, SWANCTL_PUBKEYDIR, + DIRECTORY_SEPARATOR, token); token = buf; } } @@ -425,7 +428,7 @@ static int load_conns(vici_conn_t *conn) { command_format_options_t format = COMMAND_FORMAT_NONE; settings_t *cfg; - char *arg, *file = SWANCTL_CONF; + char *arg, *file = NULL; int ret; while (TRUE) @@ -451,10 +454,9 @@ static int load_conns(vici_conn_t *conn) break; } - cfg = settings_create(file); + cfg = load_swanctl_conf(file); if (!cfg) { - fprintf(stderr, "parsing '%s' failed\n", file); return EINVAL; } diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c index a9e352f7e..9a38b5d1e 100644 --- a/src/swanctl/commands/load_creds.c +++ b/src/swanctl/commands/load_creds.c @@ -106,10 +106,13 @@ static void load_certs(load_ctx_t *ctx, char *type_str, char *dir) x509_flag_t flag; struct stat st; chunk_t *map; - char *path; + char *path, buf[PATH_MAX]; vici_cert_info_from_str(type_str, &type, &flag); + snprintf(buf, sizeof(buf), "%s%s%s", swanctl_dir, DIRECTORY_SEPARATOR, dir); + dir = buf; + enumerator = enumerator_create_directory(dir); if (enumerator) { 
@@ -428,7 +431,10 @@ static void load_keys(load_ctx_t *ctx, char *type, char *dir) enumerator_t *enumerator; struct stat st; chunk_t *map; - char *path, *rel; + char *path, *rel, buf[PATH_MAX]; + + snprintf(buf, sizeof(buf), "%s%s%s", swanctl_dir, DIRECTORY_SEPARATOR, dir); + dir = buf; enumerator = enumerator_create_directory(dir); if (enumerator) @@ -535,7 +541,10 @@ static void load_containers(load_ctx_t *ctx, char *type, char *dir) enumerator_t *enumerator; struct stat st; chunk_t *map; - char *path, *rel; + char *path, *rel, buf[PATH_MAX]; + + snprintf(buf, sizeof(buf), "%s%s%s", swanctl_dir, DIRECTORY_SEPARATOR, dir); + dir = buf; enumerator = enumerator_create_directory(dir); if (enumerator) @@ -946,7 +955,7 @@ static int load_creds(vici_conn_t *conn) bool clear = FALSE, noprompt = FALSE; command_format_options_t format = COMMAND_FORMAT_NONE; settings_t *cfg; - char *arg, *file = SWANCTL_CONF; + char *arg, *file = NULL; int ret; while (TRUE) @@ -978,10 +987,9 @@ static int load_creds(vici_conn_t *conn) break; } - cfg = settings_create(file); + cfg = load_swanctl_conf(file); if (!cfg) { - fprintf(stderr, "parsing '%s' failed\n", file); return EINVAL; } diff --git a/src/swanctl/commands/load_pools.c b/src/swanctl/commands/load_pools.c index ec9508efb..0ff6827e1 100644 --- a/src/swanctl/commands/load_pools.c +++ b/src/swanctl/commands/load_pools.c @@ -251,7 +251,7 @@ static int load_pools(vici_conn_t *conn) { command_format_options_t format = COMMAND_FORMAT_NONE; settings_t *cfg; - char *arg, *file = SWANCTL_CONF; + char *arg, *file = NULL; int ret; while (TRUE) @@ -277,10 +277,9 @@ static int load_pools(vici_conn_t *conn) break; } - cfg = settings_create(file); + cfg = load_swanctl_conf(file); if (!cfg) { - fprintf(stderr, "parsing '%s' failed\n", file); return EINVAL; } diff --git a/src/swanctl/commands/rekey.c b/src/swanctl/commands/rekey.c index f44ecaa3c..65a402029 100644 --- a/src/swanctl/commands/rekey.c +++ b/src/swanctl/commands/rekey.c 
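Review bot: load_keys and load_containers (and load_certs in the previous hunk) each copy the same unchecked `snprintf(buf, sizeof(buf), "%s%s%s", swanctl_dir, DIRECTORY_SEPARATOR, dir); dir = buf;` sequence, so an over-long base directory is truncated without a diagnostic and the enumeration quietly runs on a different directory, or on none, with whatever message the else branch outside the hunk prints for `dir`. A small helper that builds the base-relative path and reports truncation keeps the three callers identical and leaves one place to fix. Since the `dir` parameter is re-pointed at a stack buffer for the rest of the function, a short comment such as `/* dir now names the directory below swanctl_dir */` at the reassignment would also help the reader.
```c
/**
 * Build the path of sub below swanctl_dir, FALSE if it does not fit
 */
static bool build_dir_path(char *buf, size_t len, char *sub)
{
	int n = snprintf(buf, len, "%s%s%s", swanctl_dir, DIRECTORY_SEPARATOR, sub);
	return n >= 0 && (size_t)n < len;
}

static void load_keys(load_ctx_t *ctx, char *type, char *dir)
{
	/* … unchanged: declarations … */
	if (!build_dir_path(buf, sizeof(buf), dir))
	{
		fprintf(stderr, "path for '%s' too long\n", dir);
		return;
	}
	/* dir now names the directory below swanctl_dir */
	dir = buf;
	/* … unchanged: enumerator loop … */
```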
@@ -118,7 +118,7 @@ static void __attribute__ ((constructor))reg() { command_register((command_t) { rekey, 'R', "rekey", "rekey an SA", - {"--child | --ike | --ike-id ", + {"--child | --ike | --child-id | --ike-id ", "[--reauth] [--raw|--pretty]"}, { {"help", 'h', 0, "show usage information"}, diff --git a/src/swanctl/commands/terminate.c b/src/swanctl/commands/terminate.c index bce404a54..2309843b2 100644 --- a/src/swanctl/commands/terminate.c +++ b/src/swanctl/commands/terminate.c @@ -150,7 +150,7 @@ static void __attribute__ ((constructor))reg() { command_register((command_t) { terminate, 't', "terminate", "terminate a connection", - {"--child | --ike | --ike-id ", + {"--child | --ike | --child-id | --ike-id ", "[--timeout ] [--raw|--pretty]"}, { {"help", 'h', 0, "show usage information"}, diff --git a/src/swanctl/swanctl.c b/src/swanctl/swanctl.c index dc5af79a7..cfc82f9d7 100644 --- a/src/swanctl/swanctl.c +++ b/src/swanctl/swanctl.c @@ -1,4 +1,7 @@ /* + * Copyright (C) 2018 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * @@ -13,17 +16,55 @@ * for more details. */ +#include "swanctl.h" #include "command.h" #include #include +/* + * Described in header + */ +char *swanctl_dir; + +/* + * Described in header + */ +settings_t *load_swanctl_conf(char *file) +{ + settings_t *cfg; + char buf[PATH_MAX]; + + if (!file) + { + if (!strlen(swanctl_dir)) + { + free(swanctl_dir); + swanctl_dir = strdup(getcwd(buf, sizeof(buf))); + } + file = buf; + snprintf(buf, sizeof(buf), "%s%s%s", swanctl_dir, + DIRECTORY_SEPARATOR, SWANCTL_CONF); + } + + cfg = settings_create(file); + if (!cfg) + { + fprintf(stderr, "parsing '%s' failed\n", file); + return NULL; + } + free(swanctl_dir); + swanctl_dir = path_dirname(file); + return cfg; +} + /** * Cleanup library atexit() */ static void cleanup() { + free(swanctl_dir); lib->processor->cancel(lib->processor); library_deinit(); } 
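Review bot: In load_swanctl_conf the default-path branch passes the result of `getcwd(buf, sizeof(buf))` straight to strdup(), and getcwd() returns NULL when the working directory is unreadable or longer than the buffer (ERANGE), which turns that condition into a NULL dereference inside strdup rather than an error message. The same branch sets `file = buf;` before formatting into `buf`, which is correct only because `swanctl_dir` was duplicated out of the buffer first; that ordering is easy to break in a later edit. I would check first, `if (!getcwd(buf, sizeof(buf))) { fprintf(stderr, "determining working directory failed\n"); return NULL; }`, and move `file = buf;` below the snprintf(). Note also that this fallback only triggers when `swanctl_dir` is empty, i.e. SWANCTL_DIR was exported as an empty string (see the main() hunk below), so in that case swanctl.conf and the credential directories are resolved against the current working directory, which deserves a sentence in the man page if it is intended.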
@@ -49,6 +90,9 @@ int main(int argc, char *argv[]) { exit(SS_RC_INITIALIZATION_FAILED); } + + swanctl_dir = strdup(getenv("SWANCTL_DIR") ?: SWANCTLDIR); + dbg_default_set_level(0); lib->processor->set_threads(lib->processor, 4); dbg_default_set_level(1); diff --git a/src/swanctl/swanctl.h b/src/swanctl/swanctl.h index eac1fc6d0..f0c334f7e 100644 --- a/src/swanctl/swanctl.h +++ b/src/swanctl/swanctl.h @@ -1,11 +1,11 @@ /* - * Copyright (C) 2014 Martin Willi - * Copyright (C) 2014 revosec AG - * - * Copyright (C) 2016 Tobias Brunner + * Copyright (C) 2016-2018 Tobias Brunner * Copyright (C) 2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your 
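Review bot: `getenv("SWANCTL_DIR") ?: SWANCTLDIR` treats an empty but exported SWANCTL_DIR as a valid override, and load_swanctl_conf (previous hunk) then substitutes the current working directory for the empty string, so `SWANCTL_DIR= swanctl --load-creds` reads private keys and swanctl.conf from wherever the tool is started. If cwd-relative loading is meant to be a feature it should be documented next to the variable; if not, empty should fall back to the compiled-in default: `char *dir = getenv("SWANCTL_DIR"); swanctl_dir = strdup(dir && *dir ? dir : SWANCTLDIR);`. The strdup() result is not checked, but the rest of main()'s initialisation is outside the hunk, so I cannot tell whether that matches the local convention.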
@@ -25,74 +25,90 @@ #ifndef SWANCTL_H_ #define SWANCTL_H_ +#include + +/** + * Base directory for credentials and config + */ +char *swanctl_dir; + /** * Configuration file for connections, etc. */ -#define SWANCTL_CONF SWANCTLDIR "/swanctl.conf" +#define SWANCTL_CONF "swanctl.conf" /** * Directory for X.509 end entity certs */ -#define SWANCTL_X509DIR SWANCTLDIR "/x509" +#define SWANCTL_X509DIR "x509" /** * Directory for X.509 CA certs */ -#define SWANCTL_X509CADIR SWANCTLDIR "/x509ca" +#define SWANCTL_X509CADIR "x509ca" /** * Directory for X.509 Attribute Authority certs */ -#define SWANCTL_X509AADIR SWANCTLDIR "/x509aa" +#define SWANCTL_X509AADIR "x509aa" /** * Directory for X.509 OCSP Signer certs */ -#define SWANCTL_X509OCSPDIR SWANCTLDIR "/x509ocsp" +#define SWANCTL_X509OCSPDIR "x509ocsp" /** * Directory for X.509 CRLs */ -#define SWANCTL_X509CRLDIR SWANCTLDIR "/x509crl" +#define SWANCTL_X509CRLDIR "x509crl" /** * Directory for X.509 Attribute certificates */ -#define SWANCTL_X509ACDIR SWANCTLDIR "/x509ac" +#define SWANCTL_X509ACDIR "x509ac" /** * Directory for raw public keys */ -#define SWANCTL_PUBKEYDIR SWANCTLDIR "/pubkey" +#define SWANCTL_PUBKEYDIR "pubkey" /** * Directory for private keys */ -#define SWANCTL_PRIVATEDIR SWANCTLDIR "/private" +#define SWANCTL_PRIVATEDIR "private" /** * Directory for RSA private keys */ -#define SWANCTL_RSADIR SWANCTLDIR "/rsa" +#define SWANCTL_RSADIR "rsa" /** * Directory for ECDSA private keys */ -#define SWANCTL_ECDSADIR SWANCTLDIR "/ecdsa" +#define SWANCTL_ECDSADIR "ecdsa" /** * Directory for BLISS private keys */ -#define SWANCTL_BLISSDIR SWANCTLDIR "/bliss" +#define SWANCTL_BLISSDIR "bliss" /** * Directory for PKCS#8 encoded private keys */ -#define SWANCTL_PKCS8DIR SWANCTLDIR "/pkcs8" +#define SWANCTL_PKCS8DIR "pkcs8" /** * Directory for PKCS#12 containers */ -#define SWANCTL_PKCS12DIR SWANCTLDIR "/pkcs12" +#define SWANCTL_PKCS12DIR "pkcs12" + +/** + * Load swanctl.conf, optionally from a custom path. 
Sets the base dir relative + * to that file. + * + * @param file optional custom path to swanctl.conf, NULL to use default + * @return settings, or NULL if loading failed + */ +settings_t *load_swanctl_conf(char *file); #endif /** SWANCTL_H_ @}*/ diff --git a/testing/config/kernel/config-4.19 b/testing/config/kernel/config-4.19 new file mode 100644 index 000000000..79cf9e71e --- /dev/null +++ b/testing/config/kernel/config-4.19 
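Review bot: `char *swanctl_dir;` in swanctl.h is a tentative definition, not a declaration, so every translation unit that includes the header defines the symbol; this only links through common-symbol merging, which is off by default since GCC 10 (`-fno-common`) and then yields multiple-definition errors for each swanctl command file. The header should read `extern char *swanctl_dir;`, with the single definition staying in swanctl.c as the hunk above already has it. The comment on load_swanctl_conf could also state that on success it frees and replaces `swanctl_dir` (visible in the swanctl.c hunk), so callers must not keep the old pointer, and that when `file` is given the base directory becomes the directory containing that file.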
@@ -0,0 +1,2690 @@ +# +# Automatically generated file; DO NOT EDIT. +# Linux/x86 4.19.0 Kernel Configuration +# + +# +# Compiler: gcc (Ubuntu 7.3.0-27ubuntu1~18.04) 7.3.0 +# +CONFIG_CC_IS_GCC=y +CONFIG_GCC_VERSION=70300 +CONFIG_CLANG_VERSION=0 +CONFIG_IRQ_WORK=y +CONFIG_BUILDTIME_EXTABLE_SORT=y +CONFIG_THREAD_INFO_IN_TASK=y + +# +# General setup +# +CONFIG_BROKEN_ON_SMP=y +CONFIG_INIT_ENV_ARG_LIMIT=32 +# CONFIG_COMPILE_TEST is not set +CONFIG_LOCALVERSION="" +CONFIG_LOCALVERSION_AUTO=y +CONFIG_BUILD_SALT="" +CONFIG_HAVE_KERNEL_GZIP=y +CONFIG_HAVE_KERNEL_BZIP2=y +CONFIG_HAVE_KERNEL_LZMA=y +CONFIG_HAVE_KERNEL_XZ=y +CONFIG_HAVE_KERNEL_LZO=y +CONFIG_HAVE_KERNEL_LZ4=y +CONFIG_KERNEL_GZIP=y +# CONFIG_KERNEL_BZIP2 is not set +# CONFIG_KERNEL_LZMA is not set +# CONFIG_KERNEL_XZ is not set +# CONFIG_KERNEL_LZO is not set +# CONFIG_KERNEL_LZ4 is not set +CONFIG_DEFAULT_HOSTNAME="(none)" +CONFIG_SWAP=y +CONFIG_SYSVIPC=y +CONFIG_SYSVIPC_SYSCTL=y +CONFIG_POSIX_MQUEUE=y +CONFIG_POSIX_MQUEUE_SYSCTL=y +CONFIG_CROSS_MEMORY_ATTACH=y +CONFIG_USELIB=y +# CONFIG_AUDIT is not set +CONFIG_HAVE_ARCH_AUDITSYSCALL=y + +# +# IRQ subsystem +# +CONFIG_GENERIC_IRQ_PROBE=y +CONFIG_GENERIC_IRQ_SHOW=y +CONFIG_IRQ_DOMAIN=y +CONFIG_IRQ_DOMAIN_HIERARCHY=y +CONFIG_GENERIC_MSI_IRQ=y +CONFIG_GENERIC_MSI_IRQ_DOMAIN=y +CONFIG_GENERIC_IRQ_MATRIX_ALLOCATOR=y +CONFIG_GENERIC_IRQ_RESERVATION_MODE=y +CONFIG_IRQ_FORCED_THREADING=y +CONFIG_SPARSE_IRQ=y +CONFIG_CLOCKSOURCE_WATCHDOG=y +CONFIG_ARCH_CLOCKSOURCE_DATA=y +CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y +CONFIG_GENERIC_TIME_VSYSCALL=y +CONFIG_GENERIC_CLOCKEVENTS=y +CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y +CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y +CONFIG_GENERIC_CMOS_UPDATE=y + +# +# Timers subsystem +# +CONFIG_TICK_ONESHOT=y +CONFIG_NO_HZ_COMMON=y +# CONFIG_HZ_PERIODIC is not set +CONFIG_NO_HZ_IDLE=y +CONFIG_NO_HZ=y +CONFIG_HIGH_RES_TIMERS=y +CONFIG_PREEMPT_NONE=y +# CONFIG_PREEMPT_VOLUNTARY is not set +# CONFIG_PREEMPT is not set + +# +# CPU/Task time and stats 
accounting +# +CONFIG_TICK_CPU_ACCOUNTING=y +# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set +# CONFIG_IRQ_TIME_ACCOUNTING is not set +CONFIG_BSD_PROCESS_ACCT=y +# CONFIG_BSD_PROCESS_ACCT_V3 is not set +# CONFIG_TASKSTATS is not set + +# +# RCU Subsystem +# +CONFIG_TINY_RCU=y +# CONFIG_RCU_EXPERT is not set +CONFIG_SRCU=y +CONFIG_TINY_SRCU=y +CONFIG_BUILD_BIN2C=y +CONFIG_IKCONFIG=y +CONFIG_IKCONFIG_PROC=y +CONFIG_LOG_BUF_SHIFT=14 +CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT=13 +CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y +CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y +CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y +CONFIG_ARCH_SUPPORTS_INT128=y +CONFIG_CGROUPS=y +CONFIG_PAGE_COUNTER=y +CONFIG_MEMCG=y +CONFIG_MEMCG_SWAP=y +CONFIG_MEMCG_SWAP_ENABLED=y +CONFIG_MEMCG_KMEM=y +CONFIG_BLK_CGROUP=y +# CONFIG_DEBUG_BLK_CGROUP is not set +CONFIG_CGROUP_WRITEBACK=y +CONFIG_CGROUP_SCHED=y +CONFIG_FAIR_GROUP_SCHED=y +CONFIG_CFS_BANDWIDTH=y +# CONFIG_RT_GROUP_SCHED is not set +CONFIG_CGROUP_PIDS=y +# CONFIG_CGROUP_RDMA is not set +CONFIG_CGROUP_FREEZER=y +CONFIG_CGROUP_DEVICE=y +CONFIG_CGROUP_CPUACCT=y +CONFIG_CGROUP_PERF=y +# CONFIG_CGROUP_DEBUG is not set +CONFIG_SOCK_CGROUP_DATA=y +CONFIG_NAMESPACES=y +# CONFIG_UTS_NS is not set +# CONFIG_IPC_NS is not set +# CONFIG_USER_NS is not set +# CONFIG_PID_NS is not set +# CONFIG_NET_NS is not set +# CONFIG_CHECKPOINT_RESTORE is not set +# CONFIG_SCHED_AUTOGROUP is not set +# CONFIG_SYSFS_DEPRECATED is not set +# CONFIG_RELAY is not set +# CONFIG_BLK_DEV_INITRD is not set +# CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set +CONFIG_CC_OPTIMIZE_FOR_SIZE=y +CONFIG_SYSCTL=y +CONFIG_ANON_INODES=y +CONFIG_SYSCTL_EXCEPTION_TRACE=y +CONFIG_HAVE_PCSPKR_PLATFORM=y +CONFIG_BPF=y +# CONFIG_EXPERT is not set +CONFIG_MULTIUSER=y +CONFIG_SGETMASK_SYSCALL=y +CONFIG_SYSFS_SYSCALL=y +CONFIG_FHANDLE=y +CONFIG_POSIX_TIMERS=y +CONFIG_PRINTK=y +CONFIG_PRINTK_NMI=y +CONFIG_BUG=y +CONFIG_ELF_CORE=y +CONFIG_PCSPKR_PLATFORM=y +CONFIG_BASE_FULL=y +CONFIG_FUTEX=y +CONFIG_FUTEX_PI=y +CONFIG_EPOLL=y 
+CONFIG_SIGNALFD=y +CONFIG_TIMERFD=y +CONFIG_EVENTFD=y +CONFIG_SHMEM=y +CONFIG_AIO=y +CONFIG_ADVISE_SYSCALLS=y +CONFIG_MEMBARRIER=y +CONFIG_KALLSYMS=y +# CONFIG_KALLSYMS_ALL is not set +CONFIG_KALLSYMS_BASE_RELATIVE=y +# CONFIG_BPF_SYSCALL is not set +# CONFIG_USERFAULTFD is not set +CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y +CONFIG_RSEQ=y +# CONFIG_EMBEDDED is not set +CONFIG_HAVE_PERF_EVENTS=y + +# +# Kernel Performance Events And Counters +# +CONFIG_PERF_EVENTS=y +# CONFIG_DEBUG_PERF_USE_VMALLOC is not set +CONFIG_VM_EVENT_COUNTERS=y +CONFIG_COMPAT_BRK=y +CONFIG_SLAB=y +# CONFIG_SLUB is not set +CONFIG_SLAB_MERGE_DEFAULT=y +# CONFIG_SLAB_FREELIST_RANDOM is not set +# CONFIG_PROFILING is not set +CONFIG_64BIT=y +CONFIG_X86_64=y +CONFIG_X86=y +CONFIG_INSTRUCTION_DECODER=y +CONFIG_OUTPUT_FORMAT="elf64-x86-64" +CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig" +CONFIG_LOCKDEP_SUPPORT=y +CONFIG_STACKTRACE_SUPPORT=y +CONFIG_MMU=y +CONFIG_ARCH_MMAP_RND_BITS_MIN=28 +CONFIG_ARCH_MMAP_RND_BITS_MAX=32 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16 +CONFIG_GENERIC_ISA_DMA=y +CONFIG_GENERIC_BUG=y +CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y +CONFIG_GENERIC_HWEIGHT=y +CONFIG_ARCH_MAY_HAVE_PC_FDC=y +CONFIG_RWSEM_XCHGADD_ALGORITHM=y +CONFIG_GENERIC_CALIBRATE_DELAY=y +CONFIG_ARCH_HAS_CPU_RELAX=y +CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y +CONFIG_ARCH_HAS_FILTER_PGPROT=y +CONFIG_HAVE_SETUP_PER_CPU_AREA=y +CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y +CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y +CONFIG_ARCH_HIBERNATION_POSSIBLE=y +CONFIG_ARCH_SUSPEND_POSSIBLE=y +CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y +CONFIG_ARCH_WANT_GENERAL_HUGETLB=y +CONFIG_ZONE_DMA32=y +CONFIG_AUDIT_ARCH=y +CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y +CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y +CONFIG_ARCH_SUPPORTS_UPROBES=y +CONFIG_FIX_EARLYCON_MEM=y +CONFIG_PGTABLE_LEVELS=4 +CONFIG_CC_HAS_SANE_STACKPROTECTOR=y + +# +# Processor type and features +# +CONFIG_ZONE_DMA=y +# CONFIG_SMP is not set 
+CONFIG_X86_FEATURE_NAMES=y +CONFIG_X86_MPPARSE=y +# CONFIG_GOLDFISH is not set +CONFIG_RETPOLINE=y +# CONFIG_INTEL_RDT is not set +CONFIG_X86_EXTENDED_PLATFORM=y +# CONFIG_X86_GOLDFISH is not set +# CONFIG_X86_INTEL_MID is not set +# CONFIG_X86_INTEL_LPSS is not set +# CONFIG_X86_AMD_PLATFORM_DEVICE is not set +CONFIG_IOSF_MBI=y +CONFIG_SCHED_OMIT_FRAME_POINTER=y +# CONFIG_HYPERVISOR_GUEST is not set +CONFIG_NO_BOOTMEM=y +# CONFIG_MK8 is not set +# CONFIG_MPSC is not set +CONFIG_MCORE2=y +# CONFIG_MATOM is not set +# CONFIG_GENERIC_CPU is not set +CONFIG_X86_INTERNODE_CACHE_SHIFT=6 +CONFIG_X86_L1_CACHE_SHIFT=6 +CONFIG_X86_INTEL_USERCOPY=y +CONFIG_X86_USE_PPRO_CHECKSUM=y +CONFIG_X86_P6_NOP=y +CONFIG_X86_TSC=y +CONFIG_X86_CMPXCHG64=y +CONFIG_X86_CMOV=y +CONFIG_X86_MINIMUM_CPU_FAMILY=64 +CONFIG_X86_DEBUGCTLMSR=y +CONFIG_CPU_SUP_INTEL=y +CONFIG_CPU_SUP_AMD=y +CONFIG_CPU_SUP_CENTAUR=y +CONFIG_HPET_TIMER=y +CONFIG_DMI=y +CONFIG_GART_IOMMU=y +# CONFIG_CALGARY_IOMMU is not set +CONFIG_NR_CPUS_RANGE_BEGIN=1 +CONFIG_NR_CPUS_RANGE_END=1 +CONFIG_NR_CPUS_DEFAULT=1 +CONFIG_NR_CPUS=1 +CONFIG_UP_LATE_INIT=y +CONFIG_X86_LOCAL_APIC=y +CONFIG_X86_IO_APIC=y +# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set +# CONFIG_X86_MCE is not set + +# +# Performance monitoring +# +CONFIG_PERF_EVENTS_INTEL_UNCORE=y +CONFIG_PERF_EVENTS_INTEL_RAPL=y +CONFIG_PERF_EVENTS_INTEL_CSTATE=y +# CONFIG_PERF_EVENTS_AMD_POWER is not set +CONFIG_X86_16BIT=y +CONFIG_X86_ESPFIX64=y +CONFIG_X86_VSYSCALL_EMULATION=y +# CONFIG_I8K is not set +CONFIG_MICROCODE=y +CONFIG_MICROCODE_INTEL=y +# CONFIG_MICROCODE_AMD is not set +CONFIG_MICROCODE_OLD_INTERFACE=y +# CONFIG_X86_MSR is not set +# CONFIG_X86_CPUID is not set +# CONFIG_X86_5LEVEL is not set +CONFIG_X86_DIRECT_GBPAGES=y +CONFIG_ARCH_HAS_MEM_ENCRYPT=y +# CONFIG_AMD_MEM_ENCRYPT is not set +CONFIG_ARCH_SPARSEMEM_ENABLE=y +CONFIG_ARCH_SPARSEMEM_DEFAULT=y +CONFIG_ARCH_SELECT_MEMORY_MODEL=y +CONFIG_ARCH_MEMORY_PROBE=y +CONFIG_ARCH_PROC_KCORE_TEXT=y 
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 +# CONFIG_X86_PMEM_LEGACY is not set +# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set +CONFIG_X86_RESERVE_LOW=64 +CONFIG_MTRR=y +CONFIG_MTRR_SANITIZER=y +CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0 +CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1 +CONFIG_X86_PAT=y +CONFIG_ARCH_USES_PG_UNCACHED=y +CONFIG_ARCH_RANDOM=y +CONFIG_X86_SMAP=y +CONFIG_X86_INTEL_UMIP=y +# CONFIG_X86_INTEL_MPX is not set +CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y +# CONFIG_EFI is not set +CONFIG_SECCOMP=y +# CONFIG_HZ_100 is not set +CONFIG_HZ_250=y +# CONFIG_HZ_300 is not set +# CONFIG_HZ_1000 is not set +CONFIG_HZ=250 +CONFIG_SCHED_HRTICK=y +# CONFIG_KEXEC is not set +# CONFIG_KEXEC_FILE is not set +# CONFIG_CRASH_DUMP is not set +CONFIG_PHYSICAL_START=0x1000000 +CONFIG_RELOCATABLE=y +# CONFIG_RANDOMIZE_BASE is not set +CONFIG_PHYSICAL_ALIGN=0x1000000 +CONFIG_LEGACY_VSYSCALL_EMULATE=y +# CONFIG_LEGACY_VSYSCALL_NONE is not set +# CONFIG_CMDLINE_BOOL is not set +CONFIG_MODIFY_LDT_SYSCALL=y +CONFIG_HAVE_LIVEPATCH=y +CONFIG_ARCH_HAS_ADD_PAGES=y +CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y +CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y +CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y + +# +# Power management and ACPI options +# +CONFIG_SUSPEND=y +CONFIG_SUSPEND_FREEZER=y +# CONFIG_HIBERNATION is not set +CONFIG_PM_SLEEP=y +# CONFIG_PM_AUTOSLEEP is not set +# CONFIG_PM_WAKELOCKS is not set +CONFIG_PM=y +# CONFIG_PM_DEBUG is not set +CONFIG_PM_CLK=y +# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set +CONFIG_ARCH_SUPPORTS_ACPI=y +CONFIG_ACPI=y +CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y +CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y +CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y +# CONFIG_ACPI_DEBUGGER is not set +CONFIG_ACPI_SPCR_TABLE=y +CONFIG_ACPI_LPIT=y +CONFIG_ACPI_SLEEP=y +# CONFIG_ACPI_PROCFS_POWER is not set +CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y +# CONFIG_ACPI_EC_DEBUGFS is not set +CONFIG_ACPI_AC=y +CONFIG_ACPI_BATTERY=y +CONFIG_ACPI_BUTTON=y +CONFIG_ACPI_FAN=y +# CONFIG_ACPI_TAD is not set +# 
CONFIG_ACPI_DOCK is not set +CONFIG_ACPI_CPU_FREQ_PSS=y +CONFIG_ACPI_PROCESSOR_CSTATE=y +CONFIG_ACPI_PROCESSOR_IDLE=y +CONFIG_ACPI_PROCESSOR=y +# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set +CONFIG_ACPI_THERMAL=y +CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y +# CONFIG_ACPI_DEBUG is not set +# CONFIG_ACPI_PCI_SLOT is not set +# CONFIG_ACPI_CONTAINER is not set +# CONFIG_ACPI_HOTPLUG_MEMORY is not set +CONFIG_ACPI_HOTPLUG_IOAPIC=y +# CONFIG_ACPI_SBS is not set +# CONFIG_ACPI_HED is not set +# CONFIG_ACPI_NFIT is not set +CONFIG_HAVE_ACPI_APEI=y +CONFIG_HAVE_ACPI_APEI_NMI=y +# CONFIG_ACPI_APEI is not set +# CONFIG_DPTF_POWER is not set +# CONFIG_PMIC_OPREGION is not set +# CONFIG_ACPI_CONFIGFS is not set +CONFIG_X86_PM_TIMER=y +# CONFIG_SFI is not set + +# +# CPU Frequency scaling +# +# CONFIG_CPU_FREQ is not set + +# +# CPU Idle +# +CONFIG_CPU_IDLE=y +CONFIG_CPU_IDLE_GOV_LADDER=y +CONFIG_CPU_IDLE_GOV_MENU=y +# CONFIG_INTEL_IDLE is not set + +# +# Bus options (PCI etc.) +# +CONFIG_PCI=y +CONFIG_PCI_DIRECT=y +# CONFIG_PCI_MMCONFIG is not set +CONFIG_PCI_DOMAINS=y +# CONFIG_PCIEPORTBUS is not set +CONFIG_PCI_MSI=y +CONFIG_PCI_MSI_IRQ_DOMAIN=y +CONFIG_PCI_QUIRKS=y +# CONFIG_PCI_DEBUG is not set +# CONFIG_PCI_STUB is not set +CONFIG_PCI_LOCKLESS_CONFIG=y +# CONFIG_PCI_IOV is not set +# CONFIG_PCI_PRI is not set +# CONFIG_PCI_PASID is not set +CONFIG_PCI_LABEL=y +# CONFIG_HOTPLUG_PCI is not set + +# +# PCI controller drivers +# + +# +# Cadence PCIe controllers support +# +# CONFIG_VMD is not set + +# +# DesignWare PCI Core Support +# +# CONFIG_PCIE_DW_PLAT_HOST is not set + +# +# PCI Endpoint +# +# CONFIG_PCI_ENDPOINT is not set + +# +# PCI switch controller drivers +# +# CONFIG_PCI_SW_SWITCHTEC is not set +CONFIG_ISA_DMA_API=y +CONFIG_AMD_NB=y +# CONFIG_PCCARD is not set +# CONFIG_RAPIDIO is not set +# CONFIG_X86_SYSFB is not set + +# +# Binary Emulations +# +# CONFIG_IA32_EMULATION is not set +# CONFIG_X86_X32 is not set +CONFIG_X86_DEV_DMA_OPS=y +CONFIG_HAVE_GENERIC_GUP=y + +# 
+# Firmware Drivers +# +# CONFIG_EDD is not set +CONFIG_FIRMWARE_MEMMAP=y +# CONFIG_DELL_RBU is not set +# CONFIG_DCDBAS is not set +CONFIG_DMIID=y +# CONFIG_DMI_SYSFS is not set +CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y +# CONFIG_ISCSI_IBFT_FIND is not set +# CONFIG_FW_CFG_SYSFS is not set +# CONFIG_GOOGLE_FIRMWARE is not set + +# +# Tegra firmware driver +# +CONFIG_HAVE_KVM=y +CONFIG_VIRTUALIZATION=y +# CONFIG_KVM is not set +# CONFIG_VHOST_NET is not set +# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set + +# +# General architecture-dependent options +# +CONFIG_CRASH_CORE=y +CONFIG_HAVE_OPROFILE=y +CONFIG_OPROFILE_NMI_TIMER=y +# CONFIG_JUMP_LABEL is not set +CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y +CONFIG_ARCH_USE_BUILTIN_BSWAP=y +CONFIG_HAVE_IOREMAP_PROT=y +CONFIG_HAVE_KPROBES=y +CONFIG_HAVE_KRETPROBES=y +CONFIG_HAVE_OPTPROBES=y +CONFIG_HAVE_KPROBES_ON_FTRACE=y +CONFIG_HAVE_FUNCTION_ERROR_INJECTION=y +CONFIG_HAVE_NMI=y +CONFIG_HAVE_ARCH_TRACEHOOK=y +CONFIG_HAVE_DMA_CONTIGUOUS=y +CONFIG_GENERIC_SMP_IDLE_THREAD=y +CONFIG_ARCH_HAS_FORTIFY_SOURCE=y +CONFIG_ARCH_HAS_SET_MEMORY=y +CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y +CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y +CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y +CONFIG_HAVE_RSEQ=y +CONFIG_HAVE_CLK=y +CONFIG_HAVE_HW_BREAKPOINT=y +CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y +CONFIG_HAVE_USER_RETURN_NOTIFIER=y +CONFIG_HAVE_PERF_EVENTS_NMI=y +CONFIG_HAVE_HARDLOCKUP_DETECTOR_PERF=y +CONFIG_HAVE_PERF_REGS=y +CONFIG_HAVE_PERF_USER_STACK_DUMP=y +CONFIG_HAVE_ARCH_JUMP_LABEL=y +CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y +CONFIG_HAVE_CMPXCHG_LOCAL=y +CONFIG_HAVE_CMPXCHG_DOUBLE=y +CONFIG_HAVE_ARCH_SECCOMP_FILTER=y +CONFIG_SECCOMP_FILTER=y +CONFIG_HAVE_STACKPROTECTOR=y +CONFIG_CC_HAS_STACKPROTECTOR_NONE=y +CONFIG_STACKPROTECTOR=y +CONFIG_STACKPROTECTOR_STRONG=y +CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y +CONFIG_HAVE_CONTEXT_TRACKING=y +CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y +CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y +CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y 
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD=y +CONFIG_HAVE_ARCH_HUGE_VMAP=y +CONFIG_HAVE_ARCH_SOFT_DIRTY=y +CONFIG_HAVE_MOD_ARCH_SPECIFIC=y +CONFIG_MODULES_USE_ELF_RELA=y +CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y +CONFIG_ARCH_HAS_ELF_RANDOMIZE=y +CONFIG_HAVE_ARCH_MMAP_RND_BITS=y +CONFIG_HAVE_EXIT_THREAD=y +CONFIG_ARCH_MMAP_RND_BITS=28 +CONFIG_HAVE_COPY_THREAD_TLS=y +CONFIG_HAVE_STACK_VALIDATION=y +CONFIG_HAVE_RELIABLE_STACKTRACE=y +CONFIG_HAVE_ARCH_VMAP_STACK=y +CONFIG_VMAP_STACK=y +CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y +CONFIG_STRICT_KERNEL_RWX=y +CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y +CONFIG_ARCH_HAS_REFCOUNT=y +# CONFIG_REFCOUNT_FULL is not set +CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y + +# +# GCOV-based kernel profiling +# +CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y +CONFIG_PLUGIN_HOSTCC="" +CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_RT_MUTEXES=y +CONFIG_BASE_SMALL=0 +# CONFIG_MODULES is not set +CONFIG_MODULES_TREE_LOOKUP=y +CONFIG_BLOCK=y +# CONFIG_BLK_DEV_BSG is not set +# CONFIG_BLK_DEV_BSGLIB is not set +# CONFIG_BLK_DEV_INTEGRITY is not set +# CONFIG_BLK_DEV_ZONED is not set +# CONFIG_BLK_DEV_THROTTLING is not set +# CONFIG_BLK_CMDLINE_PARSER is not set +# CONFIG_BLK_WBT is not set +# CONFIG_BLK_CGROUP_IOLATENCY is not set +# CONFIG_BLK_SED_OPAL is not set + +# +# Partition Types +# +# CONFIG_PARTITION_ADVANCED is not set +CONFIG_MSDOS_PARTITION=y +CONFIG_EFI_PARTITION=y +CONFIG_BLK_MQ_PCI=y +CONFIG_BLK_MQ_VIRTIO=y + +# +# IO Schedulers +# +CONFIG_IOSCHED_NOOP=y +CONFIG_IOSCHED_DEADLINE=y +CONFIG_IOSCHED_CFQ=y +# CONFIG_CFQ_GROUP_IOSCHED is not set +# CONFIG_DEFAULT_DEADLINE is not set +CONFIG_DEFAULT_CFQ=y +# CONFIG_DEFAULT_NOOP is not set +CONFIG_DEFAULT_IOSCHED="cfq" +CONFIG_MQ_IOSCHED_DEADLINE=y +CONFIG_MQ_IOSCHED_KYBER=y +# CONFIG_IOSCHED_BFQ is not set +CONFIG_ASN1=y +CONFIG_INLINE_SPIN_UNLOCK_IRQ=y +CONFIG_INLINE_READ_UNLOCK=y +CONFIG_INLINE_READ_UNLOCK_IRQ=y +CONFIG_INLINE_WRITE_UNLOCK=y +CONFIG_INLINE_WRITE_UNLOCK_IRQ=y +CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y 
+CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y +CONFIG_ARCH_USE_QUEUED_RWLOCKS=y +CONFIG_ARCH_HAS_SYNC_CORE_BEFORE_USERMODE=y +CONFIG_ARCH_HAS_SYSCALL_WRAPPER=y +CONFIG_FREEZER=y + +# +# Executable file formats +# +CONFIG_BINFMT_ELF=y +CONFIG_ELFCORE=y +# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set +CONFIG_BINFMT_SCRIPT=y +# CONFIG_BINFMT_MISC is not set +CONFIG_COREDUMP=y + +# +# Memory Management options +# +CONFIG_SELECT_MEMORY_MODEL=y +CONFIG_SPARSEMEM_MANUAL=y +CONFIG_SPARSEMEM=y +CONFIG_HAVE_MEMORY_PRESENT=y +CONFIG_SPARSEMEM_EXTREME=y +CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y +CONFIG_SPARSEMEM_VMEMMAP=y +CONFIG_HAVE_MEMBLOCK=y +CONFIG_HAVE_MEMBLOCK_NODE_MAP=y +CONFIG_ARCH_DISCARD_MEMBLOCK=y +CONFIG_MEMORY_ISOLATION=y +CONFIG_HAVE_BOOTMEM_INFO_NODE=y +CONFIG_MEMORY_HOTPLUG=y +CONFIG_MEMORY_HOTPLUG_SPARSE=y +# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set +CONFIG_MEMORY_HOTREMOVE=y +CONFIG_SPLIT_PTLOCK_CPUS=4 +CONFIG_MEMORY_BALLOON=y +# CONFIG_COMPACTION is not set +CONFIG_MIGRATION=y +CONFIG_PHYS_ADDR_T_64BIT=y +CONFIG_BOUNCE=y +CONFIG_VIRT_TO_BUS=y +# CONFIG_KSM is not set +CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 +# CONFIG_TRANSPARENT_HUGEPAGE is not set +CONFIG_ARCH_WANTS_THP_SWAP=y +CONFIG_NEED_PER_CPU_KM=y +# CONFIG_CLEANCACHE is not set +# CONFIG_FRONTSWAP is not set +# CONFIG_CMA is not set +# CONFIG_ZPOOL is not set +# CONFIG_ZBUD is not set +# CONFIG_ZSMALLOC is not set +CONFIG_GENERIC_EARLY_IOREMAP=y +# CONFIG_IDLE_PAGE_TRACKING is not set +CONFIG_ARCH_HAS_ZONE_DEVICE=y +# CONFIG_ZONE_DEVICE is not set +CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y +CONFIG_ARCH_HAS_PKEYS=y +# CONFIG_PERCPU_STATS is not set +# CONFIG_GUP_BENCHMARK is not set +CONFIG_ARCH_HAS_PTE_SPECIAL=y +CONFIG_NET=y +CONFIG_NET_INGRESS=y + +# +# Networking options +# +CONFIG_PACKET=y +# CONFIG_PACKET_DIAG is not set +CONFIG_UNIX=y +# CONFIG_UNIX_DIAG is not set +CONFIG_TLS=y +# CONFIG_TLS_DEVICE is not set +CONFIG_XFRM=y +CONFIG_XFRM_ALGO=y +CONFIG_XFRM_USER=y +# CONFIG_XFRM_INTERFACE is not set 
+CONFIG_XFRM_SUB_POLICY=y +CONFIG_XFRM_MIGRATE=y +CONFIG_XFRM_STATISTICS=y +CONFIG_XFRM_IPCOMP=y +CONFIG_NET_KEY=y +CONFIG_NET_KEY_MIGRATE=y +CONFIG_INET=y +# CONFIG_IP_MULTICAST is not set +CONFIG_IP_ADVANCED_ROUTER=y +# CONFIG_IP_FIB_TRIE_STATS is not set +CONFIG_IP_MULTIPLE_TABLES=y +# CONFIG_IP_ROUTE_MULTIPATH is not set +# CONFIG_IP_ROUTE_VERBOSE is not set +CONFIG_IP_ROUTE_CLASSID=y +# CONFIG_IP_PNP is not set +# CONFIG_NET_IPIP is not set +CONFIG_NET_IPGRE_DEMUX=y +CONFIG_NET_IP_TUNNEL=y +CONFIG_NET_IPGRE=y +# CONFIG_SYN_COOKIES is not set +CONFIG_NET_IPVTI=y +CONFIG_NET_UDP_TUNNEL=y +# CONFIG_NET_FOU is not set +# CONFIG_NET_FOU_IP_TUNNELS is not set +CONFIG_INET_AH=y +CONFIG_INET_ESP=y +# CONFIG_INET_ESP_OFFLOAD is not set +CONFIG_INET_IPCOMP=y +CONFIG_INET_XFRM_TUNNEL=y +CONFIG_INET_TUNNEL=y +CONFIG_INET_XFRM_MODE_TRANSPORT=y +CONFIG_INET_XFRM_MODE_TUNNEL=y +CONFIG_INET_XFRM_MODE_BEET=y +CONFIG_INET_DIAG=y +CONFIG_INET_TCP_DIAG=y +# CONFIG_INET_UDP_DIAG is not set +# CONFIG_INET_RAW_DIAG is not set +# CONFIG_INET_DIAG_DESTROY is not set +# CONFIG_TCP_CONG_ADVANCED is not set +CONFIG_TCP_CONG_CUBIC=y +CONFIG_DEFAULT_TCP_CONG="cubic" +# CONFIG_TCP_MD5SIG is not set +CONFIG_IPV6=y +# CONFIG_IPV6_ROUTER_PREF is not set +CONFIG_IPV6_OPTIMISTIC_DAD=y +CONFIG_INET6_AH=y +CONFIG_INET6_ESP=y +# CONFIG_INET6_ESP_OFFLOAD is not set +CONFIG_INET6_IPCOMP=y +CONFIG_IPV6_MIP6=y +# CONFIG_IPV6_ILA is not set +CONFIG_INET6_XFRM_TUNNEL=y +CONFIG_INET6_TUNNEL=y +CONFIG_INET6_XFRM_MODE_TRANSPORT=y +CONFIG_INET6_XFRM_MODE_TUNNEL=y +CONFIG_INET6_XFRM_MODE_BEET=y +# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set +CONFIG_IPV6_VTI=y +# CONFIG_IPV6_SIT is not set +CONFIG_IPV6_TUNNEL=y +CONFIG_IPV6_GRE=y +CONFIG_IPV6_MULTIPLE_TABLES=y +CONFIG_IPV6_SUBTREES=y +# CONFIG_IPV6_MROUTE is not set +# CONFIG_IPV6_SEG6_LWTUNNEL is not set +# CONFIG_IPV6_SEG6_HMAC is not set +# CONFIG_NETWORK_SECMARK is not set +# CONFIG_NETWORK_PHY_TIMESTAMPING is not set +CONFIG_NETFILTER=y 
+CONFIG_NETFILTER_ADVANCED=y + +# +# Core Netfilter Configuration +# +CONFIG_NETFILTER_INGRESS=y +CONFIG_NETFILTER_NETLINK=y +CONFIG_NETFILTER_FAMILY_ARP=y +# CONFIG_NETFILTER_NETLINK_ACCT is not set +CONFIG_NETFILTER_NETLINK_QUEUE=y +CONFIG_NETFILTER_NETLINK_LOG=y +# CONFIG_NETFILTER_NETLINK_OSF is not set +CONFIG_NF_CONNTRACK=y +CONFIG_NF_LOG_COMMON=y +# CONFIG_NF_LOG_NETDEV is not set +CONFIG_NETFILTER_CONNCOUNT=y +CONFIG_NF_CONNTRACK_MARK=y +# CONFIG_NF_CONNTRACK_ZONES is not set +CONFIG_NF_CONNTRACK_PROCFS=y +CONFIG_NF_CONNTRACK_EVENTS=y +# CONFIG_NF_CONNTRACK_TIMEOUT is not set +# CONFIG_NF_CONNTRACK_TIMESTAMP is not set +# CONFIG_NF_CONNTRACK_LABELS is not set +# CONFIG_NF_CT_PROTO_DCCP is not set +# CONFIG_NF_CT_PROTO_SCTP is not set +CONFIG_NF_CT_PROTO_UDPLITE=y +# CONFIG_NF_CONNTRACK_AMANDA is not set +# CONFIG_NF_CONNTRACK_FTP is not set +# CONFIG_NF_CONNTRACK_H323 is not set +# CONFIG_NF_CONNTRACK_IRC is not set +# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set +# CONFIG_NF_CONNTRACK_SNMP is not set +# CONFIG_NF_CONNTRACK_PPTP is not set +CONFIG_NF_CONNTRACK_SANE=y +# CONFIG_NF_CONNTRACK_SIP is not set +# CONFIG_NF_CONNTRACK_TFTP is not set +CONFIG_NF_CT_NETLINK=y +# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set +CONFIG_NF_NAT=y +CONFIG_NF_NAT_NEEDED=y +CONFIG_NF_NAT_PROTO_UDPLITE=y +CONFIG_NF_NAT_REDIRECT=y +# CONFIG_NF_TABLES is not set +CONFIG_NETFILTER_XTABLES=y + +# +# Xtables combined modules +# +CONFIG_NETFILTER_XT_MARK=y +CONFIG_NETFILTER_XT_CONNMARK=y +CONFIG_NETFILTER_XT_SET=y + +# +# Xtables targets +# +# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set +CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y +CONFIG_NETFILTER_XT_TARGET_CONNMARK=y +CONFIG_NETFILTER_XT_TARGET_CT=y +CONFIG_NETFILTER_XT_TARGET_DSCP=y +CONFIG_NETFILTER_XT_TARGET_HL=y +# CONFIG_NETFILTER_XT_TARGET_HMARK is not set +# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set +CONFIG_NETFILTER_XT_TARGET_LOG=y +CONFIG_NETFILTER_XT_TARGET_MARK=y +CONFIG_NETFILTER_XT_NAT=y 
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y +CONFIG_NETFILTER_XT_TARGET_NFLOG=y +CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y +CONFIG_NETFILTER_XT_TARGET_NOTRACK=y +# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set +CONFIG_NETFILTER_XT_TARGET_REDIRECT=y +# CONFIG_NETFILTER_XT_TARGET_TEE is not set +# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set +CONFIG_NETFILTER_XT_TARGET_TRACE=y +CONFIG_NETFILTER_XT_TARGET_TCPMSS=y +# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set + +# +# Xtables matches +# +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y +# CONFIG_NETFILTER_XT_MATCH_BPF is not set +# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set +CONFIG_NETFILTER_XT_MATCH_CLUSTER=y +CONFIG_NETFILTER_XT_MATCH_COMMENT=y +CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y +# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set +CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y +CONFIG_NETFILTER_XT_MATCH_CONNMARK=y +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y +# CONFIG_NETFILTER_XT_MATCH_CPU is not set +CONFIG_NETFILTER_XT_MATCH_DCCP=y +CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y +CONFIG_NETFILTER_XT_MATCH_DSCP=y +CONFIG_NETFILTER_XT_MATCH_ECN=y +CONFIG_NETFILTER_XT_MATCH_ESP=y +CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y +CONFIG_NETFILTER_XT_MATCH_HELPER=y +CONFIG_NETFILTER_XT_MATCH_HL=y +# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set +# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set +CONFIG_NETFILTER_XT_MATCH_L2TP=y +CONFIG_NETFILTER_XT_MATCH_LENGTH=y +CONFIG_NETFILTER_XT_MATCH_LIMIT=y +CONFIG_NETFILTER_XT_MATCH_MAC=y +CONFIG_NETFILTER_XT_MATCH_MARK=y +CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y +# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set +# CONFIG_NETFILTER_XT_MATCH_OSF is not set +# CONFIG_NETFILTER_XT_MATCH_OWNER is not set +CONFIG_NETFILTER_XT_MATCH_POLICY=y +CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y +CONFIG_NETFILTER_XT_MATCH_QUOTA=y +# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set +CONFIG_NETFILTER_XT_MATCH_REALM=y +# CONFIG_NETFILTER_XT_MATCH_RECENT is not set +CONFIG_NETFILTER_XT_MATCH_SCTP=y +# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set 
+CONFIG_NETFILTER_XT_MATCH_STATE=y +CONFIG_NETFILTER_XT_MATCH_STATISTIC=y +CONFIG_NETFILTER_XT_MATCH_STRING=y +CONFIG_NETFILTER_XT_MATCH_TCPMSS=y +# CONFIG_NETFILTER_XT_MATCH_TIME is not set +CONFIG_NETFILTER_XT_MATCH_U32=y +CONFIG_IP_SET=y +CONFIG_IP_SET_MAX=256 +CONFIG_IP_SET_BITMAP_IP=y +CONFIG_IP_SET_BITMAP_IPMAC=y +CONFIG_IP_SET_BITMAP_PORT=y +CONFIG_IP_SET_HASH_IP=y +# CONFIG_IP_SET_HASH_IPMARK is not set +CONFIG_IP_SET_HASH_IPPORT=y +CONFIG_IP_SET_HASH_IPPORTIP=y +CONFIG_IP_SET_HASH_IPPORTNET=y +# CONFIG_IP_SET_HASH_IPMAC is not set +# CONFIG_IP_SET_HASH_MAC is not set +# CONFIG_IP_SET_HASH_NETPORTNET is not set +CONFIG_IP_SET_HASH_NET=y +# CONFIG_IP_SET_HASH_NETNET is not set +CONFIG_IP_SET_HASH_NETPORT=y +# CONFIG_IP_SET_HASH_NETIFACE is not set +CONFIG_IP_SET_LIST_SET=y +# CONFIG_IP_VS is not set + +# +# IP: Netfilter Configuration +# +CONFIG_NF_DEFRAG_IPV4=y +# CONFIG_NF_SOCKET_IPV4 is not set +# CONFIG_NF_TPROXY_IPV4 is not set +# CONFIG_NF_DUP_IPV4 is not set +# CONFIG_NF_LOG_ARP is not set +CONFIG_NF_LOG_IPV4=y +CONFIG_NF_REJECT_IPV4=y +CONFIG_NF_NAT_IPV4=y +CONFIG_NF_NAT_MASQUERADE_IPV4=y +CONFIG_IP_NF_IPTABLES=y +CONFIG_IP_NF_MATCH_AH=y +CONFIG_IP_NF_MATCH_ECN=y +# CONFIG_IP_NF_MATCH_RPFILTER is not set +CONFIG_IP_NF_MATCH_TTL=y +CONFIG_IP_NF_FILTER=y +CONFIG_IP_NF_TARGET_REJECT=y +# CONFIG_IP_NF_TARGET_SYNPROXY is not set +CONFIG_IP_NF_NAT=y +CONFIG_IP_NF_TARGET_MASQUERADE=y +CONFIG_IP_NF_TARGET_NETMAP=y +CONFIG_IP_NF_TARGET_REDIRECT=y +CONFIG_IP_NF_MANGLE=y +CONFIG_IP_NF_TARGET_CLUSTERIP=y +CONFIG_IP_NF_TARGET_ECN=y +CONFIG_IP_NF_TARGET_TTL=y +CONFIG_IP_NF_RAW=y +CONFIG_IP_NF_ARPTABLES=y +CONFIG_IP_NF_ARPFILTER=y +CONFIG_IP_NF_ARP_MANGLE=y + +# +# IPv6: Netfilter Configuration +# +# CONFIG_NF_SOCKET_IPV6 is not set +# CONFIG_NF_TPROXY_IPV6 is not set +# CONFIG_NF_DUP_IPV6 is not set +CONFIG_NF_REJECT_IPV6=y +CONFIG_NF_LOG_IPV6=y +CONFIG_NF_NAT_IPV6=y +CONFIG_NF_NAT_MASQUERADE_IPV6=y +CONFIG_IP6_NF_IPTABLES=y +CONFIG_IP6_NF_MATCH_AH=y 
+CONFIG_IP6_NF_MATCH_EUI64=y +CONFIG_IP6_NF_MATCH_FRAG=y +CONFIG_IP6_NF_MATCH_OPTS=y +CONFIG_IP6_NF_MATCH_HL=y +CONFIG_IP6_NF_MATCH_IPV6HEADER=y +CONFIG_IP6_NF_MATCH_MH=y +# CONFIG_IP6_NF_MATCH_RPFILTER is not set +CONFIG_IP6_NF_MATCH_RT=y +# CONFIG_IP6_NF_MATCH_SRH is not set +CONFIG_IP6_NF_TARGET_HL=y +CONFIG_IP6_NF_FILTER=y +CONFIG_IP6_NF_TARGET_REJECT=y +# CONFIG_IP6_NF_TARGET_SYNPROXY is not set +CONFIG_IP6_NF_MANGLE=y +CONFIG_IP6_NF_RAW=y +CONFIG_IP6_NF_NAT=y +CONFIG_IP6_NF_TARGET_MASQUERADE=y +CONFIG_IP6_NF_TARGET_NPT=y +CONFIG_NF_DEFRAG_IPV6=y +# CONFIG_BPFILTER is not set +# CONFIG_IP_DCCP is not set +# CONFIG_IP_SCTP is not set +# CONFIG_RDS is not set +# CONFIG_TIPC is not set +# CONFIG_ATM is not set +CONFIG_L2TP=y +# CONFIG_L2TP_V3 is not set +# CONFIG_BRIDGE is not set +CONFIG_HAVE_NET_DSA=y +# CONFIG_NET_DSA is not set +# CONFIG_VLAN_8021Q is not set +# CONFIG_DECNET is not set +# CONFIG_LLC2 is not set +# CONFIG_ATALK is not set +# CONFIG_X25 is not set +# CONFIG_LAPB is not set +# CONFIG_PHONET is not set +# CONFIG_6LOWPAN is not set +# CONFIG_IEEE802154 is not set +# CONFIG_NET_SCHED is not set +# CONFIG_DCB is not set +CONFIG_DNS_RESOLVER=y +# CONFIG_BATMAN_ADV is not set +# CONFIG_OPENVSWITCH is not set +# CONFIG_VSOCKETS is not set +# CONFIG_NETLINK_DIAG is not set +# CONFIG_MPLS is not set +# CONFIG_NET_NSH is not set +# CONFIG_HSR is not set +# CONFIG_NET_SWITCHDEV is not set +# CONFIG_NET_L3_MASTER_DEV is not set +# CONFIG_NET_NCSI is not set +CONFIG_CGROUP_NET_PRIO=y +CONFIG_CGROUP_NET_CLASSID=y +CONFIG_NET_RX_BUSY_POLL=y +CONFIG_BQL=y + +# +# Network testing +# +# CONFIG_NET_PKTGEN is not set +# CONFIG_HAMRADIO is not set +# CONFIG_CAN is not set +# CONFIG_BT is not set +# CONFIG_AF_RXRPC is not set +# CONFIG_AF_KCM is not set +CONFIG_STREAM_PARSER=y +CONFIG_FIB_RULES=y +CONFIG_WIRELESS=y +# CONFIG_CFG80211 is not set + +# +# CFG80211 needs to be enabled for MAC80211 +# +CONFIG_MAC80211_STA_HASH_MAX_SIZE=0 +# CONFIG_WIMAX is not set +# 
CONFIG_RFKILL is not set +CONFIG_NET_9P=y +CONFIG_NET_9P_VIRTIO=y +# CONFIG_NET_9P_DEBUG is not set +# CONFIG_CAIF is not set +# CONFIG_CEPH_LIB is not set +# CONFIG_NFC is not set +# CONFIG_PSAMPLE is not set +# CONFIG_NET_IFE is not set +# CONFIG_LWTUNNEL is not set +CONFIG_DST_CACHE=y +CONFIG_GRO_CELLS=y +# CONFIG_NET_DEVLINK is not set +CONFIG_MAY_USE_DEVLINK=y +CONFIG_FAILOVER=y +CONFIG_HAVE_EBPF_JIT=y + +# +# Device Drivers +# + +# +# Generic Driver Options +# +CONFIG_UEVENT_HELPER=y +CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug" +CONFIG_DEVTMPFS=y +CONFIG_DEVTMPFS_MOUNT=y +CONFIG_STANDALONE=y +CONFIG_PREVENT_FIRMWARE_BUILD=y + +# +# Firmware loader +# +CONFIG_FW_LOADER=y +CONFIG_EXTRA_FIRMWARE="" +# CONFIG_FW_LOADER_USER_HELPER is not set +CONFIG_ALLOW_DEV_COREDUMP=y +# CONFIG_DEBUG_DRIVER is not set +# CONFIG_DEBUG_DEVRES is not set +# CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set +CONFIG_GENERIC_CPU_AUTOPROBE=y +CONFIG_GENERIC_CPU_VULNERABILITIES=y + +# +# Bus devices +# +# CONFIG_CONNECTOR is not set +# CONFIG_GNSS is not set +# CONFIG_MTD is not set +# CONFIG_OF is not set +CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y +# CONFIG_PARPORT is not set +CONFIG_PNP=y +CONFIG_PNP_DEBUG_MESSAGES=y + +# +# Protocols +# +CONFIG_PNPACPI=y +CONFIG_BLK_DEV=y +# CONFIG_BLK_DEV_NULL_BLK is not set +# CONFIG_BLK_DEV_FD is not set +# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set +# CONFIG_BLK_DEV_DAC960 is not set +# CONFIG_BLK_DEV_UMEM is not set +CONFIG_BLK_DEV_LOOP=y +CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 +# CONFIG_BLK_DEV_CRYPTOLOOP is not set +# CONFIG_BLK_DEV_DRBD is not set +CONFIG_BLK_DEV_NBD=y +# CONFIG_BLK_DEV_SKD is not set +# CONFIG_BLK_DEV_SX8 is not set +# CONFIG_BLK_DEV_RAM is not set +# CONFIG_CDROM_PKTCDVD is not set +# CONFIG_ATA_OVER_ETH is not set +CONFIG_VIRTIO_BLK=y +# CONFIG_VIRTIO_BLK_SCSI is not set +# CONFIG_BLK_DEV_RBD is not set +# CONFIG_BLK_DEV_RSXX is not set + +# +# NVME Support +# +# CONFIG_BLK_DEV_NVME is not set +# CONFIG_NVME_FC is not set + +# +# Misc devices 
+# +# CONFIG_DUMMY_IRQ is not set +# CONFIG_IBM_ASM is not set +# CONFIG_PHANTOM is not set +# CONFIG_SGI_IOC4 is not set +# CONFIG_TIFM_CORE is not set +# CONFIG_ENCLOSURE_SERVICES is not set +# CONFIG_HP_ILO is not set +# CONFIG_SRAM is not set +# CONFIG_PCI_ENDPOINT_TEST is not set +# CONFIG_C2PORT is not set + +# +# EEPROM support +# +# CONFIG_EEPROM_93CX6 is not set +# CONFIG_CB710_CORE is not set + +# +# Texas Instruments shared transport line discipline +# + +# +# Altera FPGA firmware download module (requires I2C) +# +# CONFIG_INTEL_MEI is not set +# CONFIG_INTEL_MEI_ME is not set +# CONFIG_INTEL_MEI_TXE is not set +# CONFIG_VMWARE_VMCI is not set + +# +# Intel MIC & related support +# + +# +# Intel MIC Bus Driver +# +# CONFIG_INTEL_MIC_BUS is not set + +# +# SCIF Bus Driver +# +# CONFIG_SCIF_BUS is not set + +# +# VOP Bus Driver +# +# CONFIG_VOP_BUS is not set + +# +# Intel MIC Host Driver +# + +# +# Intel MIC Card Driver +# + +# +# SCIF Driver +# + +# +# Intel MIC Coprocessor State Management (COSM) Drivers +# + +# +# VOP Driver +# +# CONFIG_GENWQE is not set +# CONFIG_ECHO is not set +# CONFIG_MISC_RTSX_PCI is not set +CONFIG_HAVE_IDE=y +# CONFIG_IDE is not set + +# +# SCSI device support +# +CONFIG_SCSI_MOD=y +# CONFIG_RAID_ATTRS is not set +# CONFIG_SCSI is not set +# CONFIG_ATA is not set +# CONFIG_MD is not set +# CONFIG_TARGET_CORE is not set +# CONFIG_FUSION is not set + +# +# IEEE 1394 (FireWire) support +# +# CONFIG_FIREWIRE is not set +# CONFIG_FIREWIRE_NOSY is not set +# CONFIG_MACINTOSH_DRIVERS is not set +CONFIG_NETDEVICES=y +CONFIG_NET_CORE=y +# CONFIG_BONDING is not set +CONFIG_DUMMY=y +# CONFIG_EQUALIZER is not set +# CONFIG_NET_TEAM is not set +# CONFIG_MACVLAN is not set +# CONFIG_IPVLAN is not set +# CONFIG_VXLAN is not set +# CONFIG_GENEVE is not set +# CONFIG_GTP is not set +CONFIG_MACSEC=y +# CONFIG_NETCONSOLE is not set +CONFIG_TUN=y +# CONFIG_TUN_VNET_CROSS_LE is not set +# CONFIG_VETH is not set +CONFIG_VIRTIO_NET=y +# 
CONFIG_NLMON is not set +# CONFIG_ARCNET is not set + +# +# CAIF transport drivers +# + +# +# Distributed Switch Architecture drivers +# +CONFIG_ETHERNET=y +CONFIG_NET_VENDOR_3COM=y +# CONFIG_VORTEX is not set +# CONFIG_TYPHOON is not set +CONFIG_NET_VENDOR_ADAPTEC=y +# CONFIG_ADAPTEC_STARFIRE is not set +CONFIG_NET_VENDOR_AGERE=y +# CONFIG_ET131X is not set +CONFIG_NET_VENDOR_ALACRITECH=y +# CONFIG_SLICOSS is not set +CONFIG_NET_VENDOR_ALTEON=y +# CONFIG_ACENIC is not set +# CONFIG_ALTERA_TSE is not set +CONFIG_NET_VENDOR_AMAZON=y +# CONFIG_ENA_ETHERNET is not set +CONFIG_NET_VENDOR_AMD=y +# CONFIG_AMD8111_ETH is not set +# CONFIG_PCNET32 is not set +# CONFIG_AMD_XGBE is not set +CONFIG_NET_VENDOR_AQUANTIA=y +# CONFIG_AQTION is not set +# CONFIG_NET_VENDOR_ARC is not set +CONFIG_NET_VENDOR_ATHEROS=y +# CONFIG_ATL2 is not set +# CONFIG_ATL1 is not set +# CONFIG_ATL1E is not set +# CONFIG_ATL1C is not set +# CONFIG_ALX is not set +# CONFIG_NET_VENDOR_AURORA is not set +CONFIG_NET_VENDOR_BROADCOM=y +# CONFIG_B44 is not set +# CONFIG_BCMGENET is not set +# CONFIG_BNX2 is not set +# CONFIG_CNIC is not set +# CONFIG_TIGON3 is not set +# CONFIG_BNX2X is not set +# CONFIG_SYSTEMPORT is not set +# CONFIG_BNXT is not set +CONFIG_NET_VENDOR_BROCADE=y +# CONFIG_BNA is not set +CONFIG_NET_VENDOR_CADENCE=y +# CONFIG_MACB is not set +CONFIG_NET_VENDOR_CAVIUM=y +# CONFIG_THUNDER_NIC_PF is not set +# CONFIG_THUNDER_NIC_VF is not set +# CONFIG_THUNDER_NIC_BGX is not set +# CONFIG_THUNDER_NIC_RGX is not set +CONFIG_CAVIUM_PTP=y +# CONFIG_LIQUIDIO is not set +# CONFIG_LIQUIDIO_VF is not set +CONFIG_NET_VENDOR_CHELSIO=y +# CONFIG_CHELSIO_T1 is not set +# CONFIG_CHELSIO_T3 is not set +# CONFIG_CHELSIO_T4 is not set +# CONFIG_CHELSIO_T4VF is not set +CONFIG_NET_VENDOR_CISCO=y +# CONFIG_ENIC is not set +CONFIG_NET_VENDOR_CORTINA=y +# CONFIG_CX_ECAT is not set +# CONFIG_DNET is not set +CONFIG_NET_VENDOR_DEC=y +# CONFIG_NET_TULIP is not set +CONFIG_NET_VENDOR_DLINK=y +# CONFIG_DL2K is not 
set +# CONFIG_SUNDANCE is not set +CONFIG_NET_VENDOR_EMULEX=y +# CONFIG_BE2NET is not set +CONFIG_NET_VENDOR_EZCHIP=y +CONFIG_NET_VENDOR_HP=y +# CONFIG_HP100 is not set +CONFIG_NET_VENDOR_HUAWEI=y +# CONFIG_HINIC is not set +CONFIG_NET_VENDOR_I825XX=y +CONFIG_NET_VENDOR_INTEL=y +# CONFIG_E100 is not set +# CONFIG_E1000 is not set +# CONFIG_E1000E is not set +# CONFIG_IGB is not set +# CONFIG_IGBVF is not set +# CONFIG_IXGB is not set +# CONFIG_IXGBE is not set +# CONFIG_IXGBEVF is not set +# CONFIG_I40E is not set +# CONFIG_I40EVF is not set +# CONFIG_ICE is not set +# CONFIG_FM10K is not set +# CONFIG_JME is not set +CONFIG_NET_VENDOR_MARVELL=y +# CONFIG_MVMDIO is not set +# CONFIG_SKGE is not set +# CONFIG_SKY2 is not set +CONFIG_NET_VENDOR_MELLANOX=y +# CONFIG_MLX4_EN is not set +# CONFIG_MLX5_CORE is not set +# CONFIG_MLXSW_CORE is not set +# CONFIG_MLXFW is not set +CONFIG_NET_VENDOR_MICREL=y +# CONFIG_KS8851_MLL is not set +# CONFIG_KSZ884X_PCI is not set +CONFIG_NET_VENDOR_MICROSEMI=y +CONFIG_NET_VENDOR_MYRI=y +# CONFIG_MYRI10GE is not set +# CONFIG_FEALNX is not set +CONFIG_NET_VENDOR_NATSEMI=y +# CONFIG_NATSEMI is not set +# CONFIG_NS83820 is not set +CONFIG_NET_VENDOR_NETERION=y +# CONFIG_S2IO is not set +# CONFIG_VXGE is not set +CONFIG_NET_VENDOR_NETRONOME=y +# CONFIG_NFP is not set +CONFIG_NET_VENDOR_NI=y +CONFIG_NET_VENDOR_8390=y +# CONFIG_NE2K_PCI is not set +CONFIG_NET_VENDOR_NVIDIA=y +# CONFIG_FORCEDETH is not set +CONFIG_NET_VENDOR_OKI=y +# CONFIG_ETHOC is not set +CONFIG_NET_VENDOR_PACKET_ENGINES=y +# CONFIG_HAMACHI is not set +# CONFIG_YELLOWFIN is not set +CONFIG_NET_VENDOR_QLOGIC=y +# CONFIG_QLA3XXX is not set +# CONFIG_QLCNIC is not set +# CONFIG_QLGE is not set +# CONFIG_NETXEN_NIC is not set +# CONFIG_QED is not set +CONFIG_NET_VENDOR_QUALCOMM=y +# CONFIG_QCOM_EMAC is not set +# CONFIG_RMNET is not set +CONFIG_NET_VENDOR_RDC=y +# CONFIG_R6040 is not set +CONFIG_NET_VENDOR_REALTEK=y +# CONFIG_8139CP is not set +# CONFIG_8139TOO is not set +# 
CONFIG_R8169 is not set +CONFIG_NET_VENDOR_RENESAS=y +CONFIG_NET_VENDOR_ROCKER=y +CONFIG_NET_VENDOR_SAMSUNG=y +# CONFIG_SXGBE_ETH is not set +CONFIG_NET_VENDOR_SEEQ=y +CONFIG_NET_VENDOR_SOLARFLARE=y +# CONFIG_SFC is not set +# CONFIG_SFC_FALCON is not set +CONFIG_NET_VENDOR_SILAN=y +# CONFIG_SC92031 is not set +CONFIG_NET_VENDOR_SIS=y +# CONFIG_SIS900 is not set +# CONFIG_SIS190 is not set +CONFIG_NET_VENDOR_SMSC=y +# CONFIG_EPIC100 is not set +# CONFIG_SMSC911X is not set +# CONFIG_SMSC9420 is not set +CONFIG_NET_VENDOR_SOCIONEXT=y +CONFIG_NET_VENDOR_STMICRO=y +# CONFIG_STMMAC_ETH is not set +CONFIG_NET_VENDOR_SUN=y +# CONFIG_HAPPYMEAL is not set +# CONFIG_SUNGEM is not set +# CONFIG_CASSINI is not set +# CONFIG_NIU is not set +CONFIG_NET_VENDOR_SYNOPSYS=y +# CONFIG_DWC_XLGMAC is not set +CONFIG_NET_VENDOR_TEHUTI=y +# CONFIG_TEHUTI is not set +CONFIG_NET_VENDOR_TI=y +# CONFIG_TI_CPSW_ALE is not set +# CONFIG_TLAN is not set +CONFIG_NET_VENDOR_VIA=y +# CONFIG_VIA_RHINE is not set +# CONFIG_VIA_VELOCITY is not set +CONFIG_NET_VENDOR_WIZNET=y +# CONFIG_WIZNET_W5100 is not set +# CONFIG_WIZNET_W5300 is not set +# CONFIG_FDDI is not set +# CONFIG_HIPPI is not set +# CONFIG_NET_SB1000 is not set +# CONFIG_MDIO_DEVICE is not set +# CONFIG_PHYLIB is not set +# CONFIG_PPP is not set +# CONFIG_SLIP is not set + +# +# Host-side USB support is needed for USB Network Adapter support +# +CONFIG_WLAN=y +CONFIG_WLAN_VENDOR_ADMTEK=y +CONFIG_WLAN_VENDOR_ATH=y +# CONFIG_ATH_DEBUG is not set +# CONFIG_ATH5K_PCI is not set +CONFIG_WLAN_VENDOR_ATMEL=y +CONFIG_WLAN_VENDOR_BROADCOM=y +CONFIG_WLAN_VENDOR_CISCO=y +CONFIG_WLAN_VENDOR_INTEL=y +CONFIG_WLAN_VENDOR_INTERSIL=y +# CONFIG_HOSTAP is not set +# CONFIG_PRISM54 is not set +CONFIG_WLAN_VENDOR_MARVELL=y +CONFIG_WLAN_VENDOR_MEDIATEK=y +CONFIG_WLAN_VENDOR_RALINK=y +CONFIG_WLAN_VENDOR_REALTEK=y +CONFIG_WLAN_VENDOR_RSI=y +CONFIG_WLAN_VENDOR_ST=y +CONFIG_WLAN_VENDOR_TI=y +CONFIG_WLAN_VENDOR_ZYDAS=y +CONFIG_WLAN_VENDOR_QUANTENNA=y + +# +# 
Enable WiMAX (Networking options) to see the WiMAX drivers +# +# CONFIG_WAN is not set +# CONFIG_VMXNET3 is not set +# CONFIG_FUJITSU_ES is not set +CONFIG_NET_FAILOVER=y +# CONFIG_ISDN is not set +# CONFIG_NVM is not set + +# +# Input device support +# +CONFIG_INPUT=y +# CONFIG_INPUT_FF_MEMLESS is not set +# CONFIG_INPUT_POLLDEV is not set +# CONFIG_INPUT_SPARSEKMAP is not set +# CONFIG_INPUT_MATRIXKMAP is not set + +# +# Userland interfaces +# +CONFIG_INPUT_MOUSEDEV=y +CONFIG_INPUT_MOUSEDEV_PSAUX=y +CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024 +CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768 +# CONFIG_INPUT_JOYDEV is not set +CONFIG_INPUT_EVDEV=y +# CONFIG_INPUT_EVBUG is not set + +# +# Input Device Drivers +# +CONFIG_INPUT_KEYBOARD=y +CONFIG_KEYBOARD_ATKBD=y +# CONFIG_KEYBOARD_LKKBD is not set +# CONFIG_KEYBOARD_NEWTON is not set +# CONFIG_KEYBOARD_OPENCORES is not set +# CONFIG_KEYBOARD_SAMSUNG is not set +# CONFIG_KEYBOARD_STOWAWAY is not set +# CONFIG_KEYBOARD_SUNKBD is not set +# CONFIG_KEYBOARD_XTKBD is not set +CONFIG_INPUT_MOUSE=y +CONFIG_MOUSE_PS2=y +CONFIG_MOUSE_PS2_ALPS=y +CONFIG_MOUSE_PS2_BYD=y +CONFIG_MOUSE_PS2_LOGIPS2PP=y +CONFIG_MOUSE_PS2_SYNAPTICS=y +CONFIG_MOUSE_PS2_CYPRESS=y +CONFIG_MOUSE_PS2_LIFEBOOK=y +CONFIG_MOUSE_PS2_TRACKPOINT=y +# CONFIG_MOUSE_PS2_ELANTECH is not set +# CONFIG_MOUSE_PS2_SENTELIC is not set +# CONFIG_MOUSE_PS2_TOUCHKIT is not set +CONFIG_MOUSE_PS2_FOCALTECH=y +# CONFIG_MOUSE_SERIAL is not set +# CONFIG_MOUSE_APPLETOUCH is not set +# CONFIG_MOUSE_BCM5974 is not set +# CONFIG_MOUSE_VSXXXAA is not set +# CONFIG_MOUSE_SYNAPTICS_USB is not set +# CONFIG_INPUT_JOYSTICK is not set +# CONFIG_INPUT_TABLET is not set +# CONFIG_INPUT_TOUCHSCREEN is not set +# CONFIG_INPUT_MISC is not set +# CONFIG_RMI4_CORE is not set + +# +# Hardware I/O ports +# +CONFIG_SERIO=y +CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y +CONFIG_SERIO_I8042=y +CONFIG_SERIO_SERPORT=y +# CONFIG_SERIO_CT82C710 is not set +# CONFIG_SERIO_PCIPS2 is not set +CONFIG_SERIO_LIBPS2=y +# CONFIG_SERIO_RAW is 
not set +# CONFIG_SERIO_ALTERA_PS2 is not set +# CONFIG_SERIO_PS2MULT is not set +# CONFIG_SERIO_ARC_PS2 is not set +# CONFIG_USERIO is not set +# CONFIG_GAMEPORT is not set + +# +# Character devices +# +CONFIG_TTY=y +CONFIG_VT=y +CONFIG_CONSOLE_TRANSLATIONS=y +CONFIG_VT_CONSOLE=y +CONFIG_VT_CONSOLE_SLEEP=y +CONFIG_HW_CONSOLE=y +# CONFIG_VT_HW_CONSOLE_BINDING is not set +CONFIG_UNIX98_PTYS=y +CONFIG_LEGACY_PTYS=y +CONFIG_LEGACY_PTY_COUNT=256 +# CONFIG_SERIAL_NONSTANDARD is not set +# CONFIG_NOZOMI is not set +# CONFIG_N_GSM is not set +# CONFIG_TRACE_SINK is not set +CONFIG_DEVMEM=y +CONFIG_DEVKMEM=y + +# +# Serial drivers +# +# CONFIG_SERIAL_8250 is not set + +# +# Non-8250 serial port support +# +# CONFIG_SERIAL_UARTLITE is not set +# CONFIG_SERIAL_JSM is not set +# CONFIG_SERIAL_SCCNXP is not set +# CONFIG_SERIAL_ALTERA_JTAGUART is not set +# CONFIG_SERIAL_ALTERA_UART is not set +# CONFIG_SERIAL_ARC is not set +# CONFIG_SERIAL_RP2 is not set +# CONFIG_SERIAL_FSL_LPUART is not set +# CONFIG_SERIAL_DEV_BUS is not set +CONFIG_HVC_DRIVER=y +CONFIG_VIRTIO_CONSOLE=y +# CONFIG_IPMI_HANDLER is not set +# CONFIG_HW_RANDOM is not set +# CONFIG_NVRAM is not set +# CONFIG_R3964 is not set +# CONFIG_APPLICOM is not set +# CONFIG_MWAVE is not set +# CONFIG_RAW_DRIVER is not set +# CONFIG_HPET is not set +# CONFIG_HANGCHECK_TIMER is not set +# CONFIG_TCG_TPM is not set +# CONFIG_TELCLOCK is not set +CONFIG_DEVPORT=y +# CONFIG_XILLYBUS is not set +# CONFIG_RANDOM_TRUST_CPU is not set + +# +# I2C support +# +# CONFIG_I2C is not set +# CONFIG_SPI is not set +# CONFIG_SPMI is not set +# CONFIG_HSI is not set +# CONFIG_PPS is not set + +# +# PTP clock support +# +# CONFIG_PTP_1588_CLOCK is not set + +# +# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks. 
+# +# CONFIG_PINCTRL is not set +# CONFIG_GPIOLIB is not set +# CONFIG_W1 is not set +# CONFIG_POWER_AVS is not set +# CONFIG_POWER_RESET is not set +CONFIG_POWER_SUPPLY=y +# CONFIG_POWER_SUPPLY_DEBUG is not set +# CONFIG_PDA_POWER is not set +# CONFIG_TEST_POWER is not set +# CONFIG_BATTERY_DS2780 is not set +# CONFIG_BATTERY_DS2781 is not set +# CONFIG_BATTERY_BQ27XXX is not set +# CONFIG_CHARGER_MAX8903 is not set +CONFIG_HWMON=y +# CONFIG_HWMON_DEBUG_CHIP is not set + +# +# Native drivers +# +# CONFIG_SENSORS_ABITUGURU is not set +# CONFIG_SENSORS_ABITUGURU3 is not set +# CONFIG_SENSORS_K8TEMP is not set +# CONFIG_SENSORS_K10TEMP is not set +# CONFIG_SENSORS_FAM15H_POWER is not set +# CONFIG_SENSORS_APPLESMC is not set +# CONFIG_SENSORS_ASPEED is not set +# CONFIG_SENSORS_DELL_SMM is not set +# CONFIG_SENSORS_I5K_AMB is not set +# CONFIG_SENSORS_F71805F is not set +# CONFIG_SENSORS_F71882FG is not set +# CONFIG_SENSORS_I5500 is not set +# CONFIG_SENSORS_CORETEMP is not set +# CONFIG_SENSORS_IT87 is not set +# CONFIG_SENSORS_MAX197 is not set +# CONFIG_SENSORS_PC87360 is not set +# CONFIG_SENSORS_PC87427 is not set +# CONFIG_SENSORS_NTC_THERMISTOR is not set +# CONFIG_SENSORS_NCT6683 is not set +# CONFIG_SENSORS_NCT6775 is not set +# CONFIG_SENSORS_NPCM7XX is not set +# CONFIG_SENSORS_SIS5595 is not set +# CONFIG_SENSORS_SMSC47M1 is not set +# CONFIG_SENSORS_SMSC47B397 is not set +# CONFIG_SENSORS_VIA_CPUTEMP is not set +# CONFIG_SENSORS_VIA686A is not set +# CONFIG_SENSORS_VT1211 is not set +# CONFIG_SENSORS_VT8231 is not set +# CONFIG_SENSORS_W83627HF is not set +# CONFIG_SENSORS_W83627EHF is not set + +# +# ACPI drivers +# +# CONFIG_SENSORS_ACPI_POWER is not set +# CONFIG_SENSORS_ATK0110 is not set +CONFIG_THERMAL=y +# CONFIG_THERMAL_STATISTICS is not set +CONFIG_THERMAL_EMERGENCY_POWEROFF_DELAY_MS=0 +CONFIG_THERMAL_HWMON=y +# CONFIG_THERMAL_WRITABLE_TRIPS is not set +CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y +# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set 
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set +# CONFIG_THERMAL_DEFAULT_GOV_POWER_ALLOCATOR is not set +# CONFIG_THERMAL_GOV_FAIR_SHARE is not set +CONFIG_THERMAL_GOV_STEP_WISE=y +# CONFIG_THERMAL_GOV_BANG_BANG is not set +# CONFIG_THERMAL_GOV_USER_SPACE is not set +# CONFIG_THERMAL_GOV_POWER_ALLOCATOR is not set +# CONFIG_THERMAL_EMULATION is not set +# CONFIG_INTEL_POWERCLAMP is not set +# CONFIG_INTEL_SOC_DTS_THERMAL is not set + +# +# ACPI INT340X thermal drivers +# +# CONFIG_INT340X_THERMAL is not set +# CONFIG_INTEL_PCH_THERMAL is not set +# CONFIG_WATCHDOG is not set +CONFIG_SSB_POSSIBLE=y +# CONFIG_SSB is not set +CONFIG_BCMA_POSSIBLE=y +# CONFIG_BCMA is not set + +# +# Multifunction device drivers +# +# CONFIG_MFD_CROS_EC is not set +# CONFIG_MFD_MADERA is not set +# CONFIG_HTC_PASIC3 is not set +# CONFIG_MFD_INTEL_QUARK_I2C_GPIO is not set +# CONFIG_LPC_ICH is not set +# CONFIG_LPC_SCH is not set +# CONFIG_MFD_INTEL_LPSS_ACPI is not set +# CONFIG_MFD_INTEL_LPSS_PCI is not set +# CONFIG_MFD_JANZ_CMODIO is not set +# CONFIG_MFD_KEMPLD is not set +# CONFIG_MFD_MT6397 is not set +# CONFIG_MFD_RDC321X is not set +# CONFIG_MFD_SM501 is not set +# CONFIG_ABX500_CORE is not set +# CONFIG_MFD_SYSCON is not set +# CONFIG_MFD_TI_AM335X_TSCADC is not set +# CONFIG_MFD_VX855 is not set +# CONFIG_REGULATOR is not set +CONFIG_RC_CORE=y +CONFIG_RC_MAP=y +# CONFIG_LIRC is not set +CONFIG_RC_DECODERS=y +CONFIG_IR_NEC_DECODER=y +CONFIG_IR_RC5_DECODER=y +CONFIG_IR_RC6_DECODER=y +CONFIG_IR_JVC_DECODER=y +CONFIG_IR_SONY_DECODER=y +CONFIG_IR_SANYO_DECODER=y +CONFIG_IR_SHARP_DECODER=y +CONFIG_IR_MCE_KBD_DECODER=y +CONFIG_IR_XMP_DECODER=y +# CONFIG_IR_IMON_DECODER is not set +# CONFIG_RC_DEVICES is not set +# CONFIG_MEDIA_SUPPORT is not set + +# +# Graphics support +# +# CONFIG_AGP is not set +CONFIG_VGA_ARB=y +CONFIG_VGA_ARB_MAX_GPUS=16 +# CONFIG_VGA_SWITCHEROO is not set +# CONFIG_DRM is not set +# CONFIG_DRM_DP_CEC is not set + +# +# ACP (Audio CoProcessor) Configuration 
+# + +# +# AMD Library routines +# + +# +# Frame buffer Devices +# +# CONFIG_FB is not set +# CONFIG_BACKLIGHT_LCD_SUPPORT is not set + +# +# Console display driver support +# +CONFIG_VGA_CONSOLE=y +# CONFIG_VGACON_SOFT_SCROLLBACK is not set +CONFIG_DUMMY_CONSOLE=y +CONFIG_DUMMY_CONSOLE_COLUMNS=80 +CONFIG_DUMMY_CONSOLE_ROWS=25 +CONFIG_SOUND=y +# CONFIG_SND is not set + +# +# HID support +# +CONFIG_HID=y +# CONFIG_HID_BATTERY_STRENGTH is not set +# CONFIG_HIDRAW is not set +# CONFIG_UHID is not set +CONFIG_HID_GENERIC=y + +# +# Special HID drivers +# +CONFIG_HID_A4TECH=y +# CONFIG_HID_ACRUX is not set +CONFIG_HID_APPLE=y +# CONFIG_HID_AUREAL is not set +CONFIG_HID_BELKIN=y +CONFIG_HID_CHERRY=y +CONFIG_HID_CHICONY=y +# CONFIG_HID_COUGAR is not set +# CONFIG_HID_CMEDIA is not set +CONFIG_HID_CYPRESS=y +# CONFIG_HID_DRAGONRISE is not set +# CONFIG_HID_EMS_FF is not set +# CONFIG_HID_ELECOM is not set +CONFIG_HID_EZKEY=y +# CONFIG_HID_GEMBIRD is not set +# CONFIG_HID_GFRM is not set +# CONFIG_HID_KEYTOUCH is not set +# CONFIG_HID_KYE is not set +# CONFIG_HID_WALTOP is not set +# CONFIG_HID_GYRATION is not set +# CONFIG_HID_ICADE is not set +CONFIG_HID_ITE=y +# CONFIG_HID_JABRA is not set +# CONFIG_HID_TWINHAN is not set +CONFIG_HID_KENSINGTON=y +# CONFIG_HID_LCPOWER is not set +# CONFIG_HID_LENOVO is not set +CONFIG_HID_LOGITECH=y +# CONFIG_HID_LOGITECH_HIDPP is not set +# CONFIG_LOGITECH_FF is not set +# CONFIG_LOGIRUMBLEPAD2_FF is not set +# CONFIG_LOGIG940_FF is not set +# CONFIG_LOGIWHEELS_FF is not set +# CONFIG_HID_MAGICMOUSE is not set +# CONFIG_HID_MAYFLASH is not set +CONFIG_HID_REDRAGON=y +CONFIG_HID_MICROSOFT=y +CONFIG_HID_MONTEREY=y +# CONFIG_HID_MULTITOUCH is not set +# CONFIG_HID_NTI is not set +# CONFIG_HID_ORTEK is not set +# CONFIG_HID_PANTHERLORD is not set +# CONFIG_HID_PETALYNX is not set +# CONFIG_HID_PICOLCD is not set +CONFIG_HID_PLANTRONICS=y +# CONFIG_HID_PRIMAX is not set +# CONFIG_HID_SAITEK is not set +# CONFIG_HID_SAMSUNG is not set +# 
CONFIG_HID_SPEEDLINK is not set +# CONFIG_HID_STEAM is not set +# CONFIG_HID_STEELSERIES is not set +# CONFIG_HID_SUNPLUS is not set +# CONFIG_HID_RMI is not set +# CONFIG_HID_GREENASIA is not set +# CONFIG_HID_SMARTJOYPLUS is not set +# CONFIG_HID_TIVO is not set +# CONFIG_HID_TOPSEED is not set +# CONFIG_HID_THRUSTMASTER is not set +# CONFIG_HID_UDRAW_PS3 is not set +# CONFIG_HID_XINMO is not set +# CONFIG_HID_ZEROPLUS is not set +# CONFIG_HID_ZYDACRON is not set +# CONFIG_HID_SENSOR_HUB is not set +# CONFIG_HID_ALPS is not set + +# +# Intel ISH HID support +# +# CONFIG_INTEL_ISH_HID is not set +CONFIG_USB_OHCI_LITTLE_ENDIAN=y +CONFIG_USB_SUPPORT=y +CONFIG_USB_ARCH_HAS_HCD=y +# CONFIG_USB is not set +CONFIG_USB_PCI=y + +# +# USB port drivers +# + +# +# USB Physical Layer drivers +# +# CONFIG_NOP_USB_XCEIV is not set +# CONFIG_USB_GADGET is not set +# CONFIG_TYPEC is not set +# CONFIG_USB_ULPI_BUS is not set +# CONFIG_UWB is not set +# CONFIG_MMC is not set +# CONFIG_MEMSTICK is not set +# CONFIG_NEW_LEDS is not set +# CONFIG_ACCESSIBILITY is not set +# CONFIG_INFINIBAND is not set +CONFIG_EDAC_ATOMIC_SCRUB=y +CONFIG_EDAC_SUPPORT=y +CONFIG_RTC_LIB=y +CONFIG_RTC_MC146818_LIB=y +# CONFIG_RTC_CLASS is not set +# CONFIG_DMADEVICES is not set + +# +# DMABUF options +# +# CONFIG_SYNC_FILE is not set +# CONFIG_AUXDISPLAY is not set +# CONFIG_UIO is not set +# CONFIG_VIRT_DRIVERS is not set +CONFIG_VIRTIO=y +CONFIG_VIRTIO_MENU=y +CONFIG_VIRTIO_PCI=y +CONFIG_VIRTIO_PCI_LEGACY=y +CONFIG_VIRTIO_BALLOON=y +# CONFIG_VIRTIO_INPUT is not set +CONFIG_VIRTIO_MMIO=y +# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set + +# +# Microsoft Hyper-V guest support +# +# CONFIG_STAGING is not set +CONFIG_X86_PLATFORM_DEVICES=y +# CONFIG_ACER_WIRELESS is not set +# CONFIG_ACERHDF is not set +# CONFIG_DELL_SMBIOS is not set +# CONFIG_DELL_SMO8800 is not set +# CONFIG_FUJITSU_TABLET is not set +# CONFIG_GPD_POCKET_FAN is not set +# CONFIG_HP_ACCEL is not set +# CONFIG_HP_WIRELESS is not set +# 
CONFIG_SENSORS_HDAPS is not set +# CONFIG_INTEL_MENLOW is not set +# CONFIG_ASUS_WIRELESS is not set +# CONFIG_ACPI_WMI is not set +# CONFIG_TOPSTAR_LAPTOP is not set +# CONFIG_TOSHIBA_BT_RFKILL is not set +# CONFIG_TOSHIBA_HAPS is not set +# CONFIG_ACPI_CMPC is not set +# CONFIG_INTEL_HID_EVENT is not set +# CONFIG_INTEL_VBTN is not set +# CONFIG_INTEL_IPS is not set +# CONFIG_INTEL_PMC_CORE is not set +# CONFIG_IBM_RTL is not set +# CONFIG_SAMSUNG_Q10 is not set +# CONFIG_INTEL_RST is not set +# CONFIG_INTEL_SMARTCONNECT is not set +# CONFIG_PVPANIC is not set +# CONFIG_INTEL_PMC_IPC is not set +# CONFIG_SURFACE_PRO3_BUTTON is not set +# CONFIG_INTEL_PUNIT_IPC is not set +CONFIG_PMC_ATOM=y +# CONFIG_CHROME_PLATFORMS is not set +# CONFIG_MELLANOX_PLATFORM is not set +CONFIG_CLKDEV_LOOKUP=y +CONFIG_HAVE_CLK_PREPARE=y +CONFIG_COMMON_CLK=y + +# +# Common Clock Framework +# +# CONFIG_HWSPINLOCK is not set + +# +# Clock Source drivers +# +CONFIG_CLKEVT_I8253=y +CONFIG_I8253_LOCK=y +CONFIG_CLKBLD_I8253=y +# CONFIG_MAILBOX is not set +CONFIG_IOMMU_SUPPORT=y + +# +# Generic IOMMU Pagetable Support +# +# CONFIG_AMD_IOMMU is not set +# CONFIG_INTEL_IOMMU is not set +# CONFIG_IRQ_REMAP is not set + +# +# Remoteproc drivers +# +# CONFIG_REMOTEPROC is not set + +# +# Rpmsg drivers +# +# CONFIG_RPMSG_VIRTIO is not set +# CONFIG_SOUNDWIRE is not set + +# +# SOC (System On Chip) specific Drivers +# + +# +# Amlogic SoC drivers +# + +# +# Broadcom SoC drivers +# + +# +# NXP/Freescale QorIQ SoC drivers +# + +# +# i.MX SoC drivers +# + +# +# Qualcomm SoC drivers +# +# CONFIG_SOC_TI is not set + +# +# Xilinx SoC drivers +# +# CONFIG_XILINX_VCU is not set +# CONFIG_PM_DEVFREQ is not set +# CONFIG_EXTCON is not set +# CONFIG_MEMORY is not set +# CONFIG_IIO is not set +# CONFIG_NTB is not set +# CONFIG_VME_BUS is not set +# CONFIG_PWM is not set + +# +# IRQ chip support +# +CONFIG_ARM_GIC_MAX_NR=1 +# CONFIG_IPACK_BUS is not set +# CONFIG_RESET_CONTROLLER is not set +# CONFIG_FMC is not 
set + +# +# PHY Subsystem +# +# CONFIG_GENERIC_PHY is not set +# CONFIG_BCM_KONA_USB2_PHY is not set +# CONFIG_PHY_PXA_28NM_HSIC is not set +# CONFIG_PHY_PXA_28NM_USB2 is not set +# CONFIG_POWERCAP is not set +# CONFIG_MCB is not set + +# +# Performance monitor support +# +# CONFIG_RAS is not set +# CONFIG_THUNDERBOLT is not set + +# +# Android +# +# CONFIG_ANDROID is not set +# CONFIG_LIBNVDIMM is not set +# CONFIG_DAX is not set +# CONFIG_NVMEM is not set + +# +# HW tracing support +# +# CONFIG_STM is not set +# CONFIG_INTEL_TH is not set +# CONFIG_FPGA is not set +# CONFIG_UNISYS_VISORBUS is not set +# CONFIG_SIOX is not set +# CONFIG_SLIMBUS is not set + +# +# File systems +# +CONFIG_DCACHE_WORD_ACCESS=y +CONFIG_FS_IOMAP=y +CONFIG_EXT2_FS=y +# CONFIG_EXT2_FS_XATTR is not set +CONFIG_EXT3_FS=y +# CONFIG_EXT3_FS_POSIX_ACL is not set +# CONFIG_EXT3_FS_SECURITY is not set +CONFIG_EXT4_FS=y +# CONFIG_EXT4_FS_POSIX_ACL is not set +# CONFIG_EXT4_FS_SECURITY is not set +# CONFIG_EXT4_ENCRYPTION is not set +# CONFIG_EXT4_DEBUG is not set +CONFIG_JBD2=y +# CONFIG_JBD2_DEBUG is not set +CONFIG_FS_MBCACHE=y +CONFIG_REISERFS_FS=y +# CONFIG_REISERFS_CHECK is not set +# CONFIG_REISERFS_PROC_INFO is not set +# CONFIG_REISERFS_FS_XATTR is not set +# CONFIG_JFS_FS is not set +# CONFIG_XFS_FS is not set +# CONFIG_GFS2_FS is not set +# CONFIG_BTRFS_FS is not set +# CONFIG_NILFS2_FS is not set +# CONFIG_F2FS_FS is not set +# CONFIG_FS_DAX is not set +CONFIG_FS_POSIX_ACL=y +CONFIG_EXPORTFS=y +# CONFIG_EXPORTFS_BLOCK_OPS is not set +CONFIG_FILE_LOCKING=y +CONFIG_MANDATORY_FILE_LOCKING=y +# CONFIG_FS_ENCRYPTION is not set +CONFIG_FSNOTIFY=y +CONFIG_DNOTIFY=y +CONFIG_INOTIFY_USER=y +# CONFIG_FANOTIFY is not set +CONFIG_QUOTA=y +# CONFIG_QUOTA_NETLINK_INTERFACE is not set +CONFIG_PRINT_QUOTA_WARNING=y +# CONFIG_QUOTA_DEBUG is not set +# CONFIG_QFMT_V1 is not set +# CONFIG_QFMT_V2 is not set +CONFIG_QUOTACTL=y +CONFIG_AUTOFS4_FS=y +CONFIG_AUTOFS_FS=y +# CONFIG_FUSE_FS is not set +# 
CONFIG_OVERLAY_FS is not set + +# +# Caches +# +# CONFIG_FSCACHE is not set + +# +# CD-ROM/DVD Filesystems +# +CONFIG_ISO9660_FS=y +CONFIG_JOLIET=y +# CONFIG_ZISOFS is not set +# CONFIG_UDF_FS is not set + +# +# DOS/FAT/NT Filesystems +# +# CONFIG_MSDOS_FS is not set +# CONFIG_VFAT_FS is not set +# CONFIG_NTFS_FS is not set + +# +# Pseudo filesystems +# +CONFIG_PROC_FS=y +CONFIG_PROC_KCORE=y +CONFIG_PROC_SYSCTL=y +CONFIG_PROC_PAGE_MONITOR=y +# CONFIG_PROC_CHILDREN is not set +CONFIG_KERNFS=y +CONFIG_SYSFS=y +CONFIG_TMPFS=y +# CONFIG_TMPFS_POSIX_ACL is not set +# CONFIG_TMPFS_XATTR is not set +# CONFIG_HUGETLBFS is not set +CONFIG_MEMFD_CREATE=y +# CONFIG_CONFIGFS_FS is not set +CONFIG_MISC_FILESYSTEMS=y +# CONFIG_ORANGEFS_FS is not set +# CONFIG_ADFS_FS is not set +# CONFIG_AFFS_FS is not set +# CONFIG_ECRYPT_FS is not set +# CONFIG_HFS_FS is not set +# CONFIG_HFSPLUS_FS is not set +# CONFIG_BEFS_FS is not set +# CONFIG_BFS_FS is not set +# CONFIG_EFS_FS is not set +# CONFIG_CRAMFS is not set +# CONFIG_SQUASHFS is not set +# CONFIG_VXFS_FS is not set +# CONFIG_MINIX_FS is not set +# CONFIG_OMFS_FS is not set +# CONFIG_HPFS_FS is not set +# CONFIG_QNX4FS_FS is not set +# CONFIG_QNX6FS_FS is not set +# CONFIG_ROMFS_FS is not set +# CONFIG_PSTORE is not set +# CONFIG_SYSV_FS is not set +# CONFIG_UFS_FS is not set +CONFIG_NETWORK_FILESYSTEMS=y +# CONFIG_NFS_FS is not set +# CONFIG_NFSD is not set +# CONFIG_CEPH_FS is not set +# CONFIG_CIFS is not set +# CONFIG_CODA_FS is not set +# CONFIG_AFS_FS is not set +CONFIG_9P_FS=y +CONFIG_9P_FS_POSIX_ACL=y +# CONFIG_9P_FS_SECURITY is not set +CONFIG_NLS=y +CONFIG_NLS_DEFAULT="iso8859-1" +# CONFIG_NLS_CODEPAGE_437 is not set +# CONFIG_NLS_CODEPAGE_737 is not set +# CONFIG_NLS_CODEPAGE_775 is not set +# CONFIG_NLS_CODEPAGE_850 is not set +# CONFIG_NLS_CODEPAGE_852 is not set +# CONFIG_NLS_CODEPAGE_855 is not set +# CONFIG_NLS_CODEPAGE_857 is not set +# CONFIG_NLS_CODEPAGE_860 is not set +# CONFIG_NLS_CODEPAGE_861 is not set +# 
CONFIG_NLS_CODEPAGE_862 is not set +# CONFIG_NLS_CODEPAGE_863 is not set +# CONFIG_NLS_CODEPAGE_864 is not set +# CONFIG_NLS_CODEPAGE_865 is not set +# CONFIG_NLS_CODEPAGE_866 is not set +# CONFIG_NLS_CODEPAGE_869 is not set +# CONFIG_NLS_CODEPAGE_936 is not set +# CONFIG_NLS_CODEPAGE_950 is not set +# CONFIG_NLS_CODEPAGE_932 is not set +# CONFIG_NLS_CODEPAGE_949 is not set +# CONFIG_NLS_CODEPAGE_874 is not set +# CONFIG_NLS_ISO8859_8 is not set +# CONFIG_NLS_CODEPAGE_1250 is not set +# CONFIG_NLS_CODEPAGE_1251 is not set +# CONFIG_NLS_ASCII is not set +# CONFIG_NLS_ISO8859_1 is not set +# CONFIG_NLS_ISO8859_2 is not set +# CONFIG_NLS_ISO8859_3 is not set +# CONFIG_NLS_ISO8859_4 is not set +# CONFIG_NLS_ISO8859_5 is not set +# CONFIG_NLS_ISO8859_6 is not set +# CONFIG_NLS_ISO8859_7 is not set +# CONFIG_NLS_ISO8859_9 is not set +# CONFIG_NLS_ISO8859_13 is not set +# CONFIG_NLS_ISO8859_14 is not set +# CONFIG_NLS_ISO8859_15 is not set +# CONFIG_NLS_KOI8_R is not set +# CONFIG_NLS_KOI8_U is not set +# CONFIG_NLS_MAC_ROMAN is not set +# CONFIG_NLS_MAC_CELTIC is not set +# CONFIG_NLS_MAC_CENTEURO is not set +# CONFIG_NLS_MAC_CROATIAN is not set +# CONFIG_NLS_MAC_CYRILLIC is not set +# CONFIG_NLS_MAC_GAELIC is not set +# CONFIG_NLS_MAC_GREEK is not set +# CONFIG_NLS_MAC_ICELAND is not set +# CONFIG_NLS_MAC_INUIT is not set +# CONFIG_NLS_MAC_ROMANIAN is not set +# CONFIG_NLS_MAC_TURKISH is not set +# CONFIG_NLS_UTF8 is not set + +# +# Security options +# +CONFIG_KEYS=y +# CONFIG_PERSISTENT_KEYRINGS is not set +# CONFIG_BIG_KEYS is not set +# CONFIG_ENCRYPTED_KEYS is not set +# CONFIG_KEY_DH_OPERATIONS is not set +# CONFIG_SECURITY_DMESG_RESTRICT is not set +# CONFIG_SECURITY is not set +# CONFIG_SECURITYFS is not set +CONFIG_PAGE_TABLE_ISOLATION=y +CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y +# CONFIG_HARDENED_USERCOPY is not set +# CONFIG_FORTIFY_SOURCE is not set +# CONFIG_STATIC_USERMODEHELPER is not set +CONFIG_DEFAULT_SECURITY_DAC=y +CONFIG_DEFAULT_SECURITY="" 
+CONFIG_CRYPTO=y + +# +# Crypto core or helper +# +CONFIG_CRYPTO_ALGAPI=y +CONFIG_CRYPTO_ALGAPI2=y +CONFIG_CRYPTO_AEAD=y +CONFIG_CRYPTO_AEAD2=y +CONFIG_CRYPTO_BLKCIPHER=y +CONFIG_CRYPTO_BLKCIPHER2=y +CONFIG_CRYPTO_HASH=y +CONFIG_CRYPTO_HASH2=y +CONFIG_CRYPTO_RNG=y +CONFIG_CRYPTO_RNG2=y +CONFIG_CRYPTO_RNG_DEFAULT=y +CONFIG_CRYPTO_AKCIPHER2=y +CONFIG_CRYPTO_AKCIPHER=y +CONFIG_CRYPTO_KPP2=y +CONFIG_CRYPTO_KPP=y +CONFIG_CRYPTO_ACOMP2=y +CONFIG_CRYPTO_RSA=y +CONFIG_CRYPTO_DH=y +CONFIG_CRYPTO_ECDH=y +CONFIG_CRYPTO_MANAGER=y +CONFIG_CRYPTO_MANAGER2=y +CONFIG_CRYPTO_USER=y +CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y +CONFIG_CRYPTO_GF128MUL=y +CONFIG_CRYPTO_NULL=y +CONFIG_CRYPTO_NULL2=y +CONFIG_CRYPTO_WORKQUEUE=y +CONFIG_CRYPTO_CRYPTD=y +CONFIG_CRYPTO_MCRYPTD=y +CONFIG_CRYPTO_AUTHENC=y +CONFIG_CRYPTO_SIMD=y +CONFIG_CRYPTO_GLUE_HELPER_X86=y + +# +# Authenticated Encryption with Associated Data +# +CONFIG_CRYPTO_CCM=y +CONFIG_CRYPTO_GCM=y +CONFIG_CRYPTO_CHACHA20POLY1305=y +# CONFIG_CRYPTO_AEGIS128 is not set +# CONFIG_CRYPTO_AEGIS128L is not set +# CONFIG_CRYPTO_AEGIS256 is not set +# CONFIG_CRYPTO_AEGIS128_AESNI_SSE2 is not set +# CONFIG_CRYPTO_AEGIS128L_AESNI_SSE2 is not set +# CONFIG_CRYPTO_AEGIS256_AESNI_SSE2 is not set +# CONFIG_CRYPTO_MORUS640 is not set +# CONFIG_CRYPTO_MORUS640_SSE2 is not set +# CONFIG_CRYPTO_MORUS1280 is not set +# CONFIG_CRYPTO_MORUS1280_SSE2 is not set +# CONFIG_CRYPTO_MORUS1280_AVX2 is not set +CONFIG_CRYPTO_SEQIV=y +CONFIG_CRYPTO_ECHAINIV=y + +# +# Block modes +# +CONFIG_CRYPTO_CBC=y +# CONFIG_CRYPTO_CFB is not set +CONFIG_CRYPTO_CTR=y +# CONFIG_CRYPTO_CTS is not set +CONFIG_CRYPTO_ECB=y +CONFIG_CRYPTO_LRW=y +CONFIG_CRYPTO_PCBC=y +CONFIG_CRYPTO_XTS=y +# CONFIG_CRYPTO_KEYWRAP is not set + +# +# Hash modes +# +CONFIG_CRYPTO_CMAC=y +CONFIG_CRYPTO_HMAC=y +CONFIG_CRYPTO_XCBC=y +# CONFIG_CRYPTO_VMAC is not set + +# +# Digest +# +CONFIG_CRYPTO_CRC32C=y +# CONFIG_CRYPTO_CRC32C_INTEL is not set +# CONFIG_CRYPTO_CRC32 is not set +# CONFIG_CRYPTO_CRC32_PCLMUL 
is not set +# CONFIG_CRYPTO_CRCT10DIF is not set +CONFIG_CRYPTO_GHASH=y +CONFIG_CRYPTO_POLY1305=y +CONFIG_CRYPTO_POLY1305_X86_64=y +CONFIG_CRYPTO_MD4=y +CONFIG_CRYPTO_MD5=y +CONFIG_CRYPTO_MICHAEL_MIC=y +CONFIG_CRYPTO_RMD128=y +CONFIG_CRYPTO_RMD160=y +CONFIG_CRYPTO_RMD256=y +CONFIG_CRYPTO_RMD320=y +CONFIG_CRYPTO_SHA1=y +# CONFIG_CRYPTO_SHA1_SSSE3 is not set +CONFIG_CRYPTO_SHA256_SSSE3=y +CONFIG_CRYPTO_SHA512_SSSE3=y +# CONFIG_CRYPTO_SHA1_MB is not set +CONFIG_CRYPTO_SHA256_MB=y +CONFIG_CRYPTO_SHA512_MB=y +CONFIG_CRYPTO_SHA256=y +CONFIG_CRYPTO_SHA512=y +CONFIG_CRYPTO_SHA3=y +CONFIG_CRYPTO_SM3=y +CONFIG_CRYPTO_TGR192=y +CONFIG_CRYPTO_WP512=y +# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set + +# +# Ciphers +# +CONFIG_CRYPTO_AES=y +# CONFIG_CRYPTO_AES_TI is not set +CONFIG_CRYPTO_AES_X86_64=y +CONFIG_CRYPTO_AES_NI_INTEL=y +CONFIG_CRYPTO_ANUBIS=y +CONFIG_CRYPTO_ARC4=y +CONFIG_CRYPTO_BLOWFISH=y +CONFIG_CRYPTO_BLOWFISH_COMMON=y +CONFIG_CRYPTO_BLOWFISH_X86_64=y +CONFIG_CRYPTO_CAMELLIA=y +CONFIG_CRYPTO_CAMELLIA_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y +CONFIG_CRYPTO_CAST_COMMON=y +CONFIG_CRYPTO_CAST5=y +CONFIG_CRYPTO_CAST5_AVX_X86_64=y +CONFIG_CRYPTO_CAST6=y +CONFIG_CRYPTO_CAST6_AVX_X86_64=y +CONFIG_CRYPTO_DES=y +# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set +CONFIG_CRYPTO_FCRYPT=y +CONFIG_CRYPTO_KHAZAD=y +CONFIG_CRYPTO_SALSA20=y +CONFIG_CRYPTO_CHACHA20=y +CONFIG_CRYPTO_CHACHA20_X86_64=y +CONFIG_CRYPTO_SEED=y +CONFIG_CRYPTO_SERPENT=y +CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y +CONFIG_CRYPTO_SM4=y +# CONFIG_CRYPTO_SPECK is not set +CONFIG_CRYPTO_TEA=y +CONFIG_CRYPTO_TWOFISH=y +CONFIG_CRYPTO_TWOFISH_COMMON=y +CONFIG_CRYPTO_TWOFISH_X86_64=y +CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y +CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y + +# +# Compression +# +CONFIG_CRYPTO_DEFLATE=y +CONFIG_CRYPTO_LZO=y +CONFIG_CRYPTO_842=y +CONFIG_CRYPTO_LZ4=y +CONFIG_CRYPTO_LZ4HC=y +# 
CONFIG_CRYPTO_ZSTD is not set + +# +# Random Number Generation +# +# CONFIG_CRYPTO_ANSI_CPRNG is not set +CONFIG_CRYPTO_DRBG_MENU=y +CONFIG_CRYPTO_DRBG_HMAC=y +CONFIG_CRYPTO_DRBG_HASH=y +CONFIG_CRYPTO_DRBG_CTR=y +CONFIG_CRYPTO_DRBG=y +CONFIG_CRYPTO_JITTERENTROPY=y +CONFIG_CRYPTO_USER_API=y +CONFIG_CRYPTO_USER_API_HASH=y +CONFIG_CRYPTO_USER_API_SKCIPHER=y +# CONFIG_CRYPTO_USER_API_RNG is not set +CONFIG_CRYPTO_USER_API_AEAD=y +CONFIG_CRYPTO_HASH_INFO=y +# CONFIG_CRYPTO_HW is not set +CONFIG_ASYMMETRIC_KEY_TYPE=y +CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y +CONFIG_X509_CERTIFICATE_PARSER=y +CONFIG_PKCS7_MESSAGE_PARSER=y + +# +# Certificates for signature checking +# +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="" +# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set +# CONFIG_SECONDARY_TRUSTED_KEYRING is not set +# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set + +# +# Library routines +# +CONFIG_BITREVERSE=y +CONFIG_RATIONAL=y +CONFIG_GENERIC_STRNCPY_FROM_USER=y +CONFIG_GENERIC_STRNLEN_USER=y +CONFIG_GENERIC_NET_UTILS=y +CONFIG_GENERIC_FIND_FIRST_BIT=y +CONFIG_GENERIC_PCI_IOMAP=y +CONFIG_GENERIC_IOMAP=y +CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y +CONFIG_ARCH_HAS_FAST_MULTIPLIER=y +CONFIG_CRC_CCITT=y +CONFIG_CRC16=y +# CONFIG_CRC_T10DIF is not set +CONFIG_CRC_ITU_T=y +CONFIG_CRC32=y +# CONFIG_CRC32_SELFTEST is not set +CONFIG_CRC32_SLICEBY8=y +# CONFIG_CRC32_SLICEBY4 is not set +# CONFIG_CRC32_SARWATE is not set +# CONFIG_CRC32_BIT is not set +# CONFIG_CRC64 is not set +# CONFIG_CRC4 is not set +CONFIG_CRC7=y +CONFIG_LIBCRC32C=y +# CONFIG_CRC8 is not set +# CONFIG_RANDOM32_SELFTEST is not set +CONFIG_842_COMPRESS=y +CONFIG_842_DECOMPRESS=y +CONFIG_ZLIB_INFLATE=y +CONFIG_ZLIB_DEFLATE=y +CONFIG_LZO_COMPRESS=y +CONFIG_LZO_DECOMPRESS=y +CONFIG_LZ4_COMPRESS=y +CONFIG_LZ4HC_COMPRESS=y +CONFIG_LZ4_DECOMPRESS=y +# CONFIG_XZ_DEC is not set +CONFIG_TEXTSEARCH=y +CONFIG_TEXTSEARCH_KMP=y +CONFIG_TEXTSEARCH_BM=y +CONFIG_TEXTSEARCH_FSM=y +CONFIG_ASSOCIATIVE_ARRAY=y +CONFIG_HAS_IOMEM=y 
+CONFIG_HAS_IOPORT_MAP=y +CONFIG_HAS_DMA=y +CONFIG_NEED_SG_DMA_LENGTH=y +CONFIG_NEED_DMA_MAP_STATE=y +CONFIG_ARCH_DMA_ADDR_T_64BIT=y +CONFIG_DMA_DIRECT_OPS=y +CONFIG_SWIOTLB=y +CONFIG_SGL_ALLOC=y +CONFIG_IOMMU_HELPER=y +CONFIG_DQL=y +CONFIG_NLATTR=y +CONFIG_CLZ_TAB=y +# CONFIG_CORDIC is not set +# CONFIG_DDR is not set +# CONFIG_IRQ_POLL is not set +CONFIG_MPILIB=y +CONFIG_OID_REGISTRY=y +CONFIG_ARCH_HAS_SG_CHAIN=y +CONFIG_ARCH_HAS_PMEM_API=y +CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y +CONFIG_SBITMAP=y +# CONFIG_STRING_SELFTEST is not set + +# +# Kernel hacking +# + +# +# printk and dmesg options +# +# CONFIG_PRINTK_TIME is not set +CONFIG_CONSOLE_LOGLEVEL_DEFAULT=7 +CONFIG_CONSOLE_LOGLEVEL_QUIET=4 +CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4 +# CONFIG_BOOT_PRINTK_DELAY is not set + +# +# Compile-time checks and compiler options +# +CONFIG_DEBUG_INFO=y +# CONFIG_DEBUG_INFO_REDUCED is not set +# CONFIG_DEBUG_INFO_SPLIT is not set +# CONFIG_DEBUG_INFO_DWARF4 is not set +# CONFIG_GDB_SCRIPTS is not set +CONFIG_ENABLE_MUST_CHECK=y +CONFIG_FRAME_WARN=1024 +# CONFIG_STRIP_ASM_SYMS is not set +# CONFIG_READABLE_ASM is not set +# CONFIG_UNUSED_SYMBOLS is not set +# CONFIG_PAGE_OWNER is not set +# CONFIG_DEBUG_FS is not set +# CONFIG_HEADERS_CHECK is not set +# CONFIG_DEBUG_SECTION_MISMATCH is not set +CONFIG_SECTION_MISMATCH_WARN_ONLY=y +CONFIG_STACK_VALIDATION=y +# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set +# CONFIG_MAGIC_SYSRQ is not set +CONFIG_DEBUG_KERNEL=y + +# +# Memory Debugging +# +# CONFIG_PAGE_EXTENSION is not set +# CONFIG_DEBUG_PAGEALLOC is not set +# CONFIG_PAGE_POISONING is not set +CONFIG_DEBUG_RODATA_TEST=y +# CONFIG_DEBUG_OBJECTS is not set +# CONFIG_DEBUG_SLAB is not set +CONFIG_HAVE_DEBUG_KMEMLEAK=y +# CONFIG_DEBUG_KMEMLEAK is not set +# CONFIG_DEBUG_STACK_USAGE is not set +# CONFIG_DEBUG_VM is not set +CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y +# CONFIG_DEBUG_VIRTUAL is not set +CONFIG_DEBUG_MEMORY_INIT=y +CONFIG_HAVE_DEBUG_STACKOVERFLOW=y +# CONFIG_DEBUG_STACKOVERFLOW is not 
set +CONFIG_HAVE_ARCH_KASAN=y +# CONFIG_KASAN is not set +CONFIG_ARCH_HAS_KCOV=y +CONFIG_CC_HAS_SANCOV_TRACE_PC=y +# CONFIG_KCOV is not set +# CONFIG_DEBUG_SHIRQ is not set + +# +# Debug Lockups and Hangs +# +# CONFIG_SOFTLOCKUP_DETECTOR is not set +CONFIG_HARDLOCKUP_CHECK_TIMESTAMP=y +# CONFIG_HARDLOCKUP_DETECTOR is not set +CONFIG_DETECT_HUNG_TASK=y +CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 +# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set +CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0 +# CONFIG_WQ_WATCHDOG is not set +# CONFIG_PANIC_ON_OOPS is not set +CONFIG_PANIC_ON_OOPS_VALUE=0 +CONFIG_PANIC_TIMEOUT=0 +# CONFIG_SCHED_DEBUG is not set +# CONFIG_SCHEDSTATS is not set +# CONFIG_SCHED_STACK_END_CHECK is not set +# CONFIG_DEBUG_TIMEKEEPING is not set + +# +# Lock Debugging (spinlocks, mutexes, etc...) +# +CONFIG_LOCK_DEBUGGING_SUPPORT=y +# CONFIG_PROVE_LOCKING is not set +# CONFIG_LOCK_STAT is not set +# CONFIG_DEBUG_RT_MUTEXES is not set +# CONFIG_DEBUG_SPINLOCK is not set +# CONFIG_DEBUG_MUTEXES is not set +# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set +# CONFIG_DEBUG_LOCK_ALLOC is not set +# CONFIG_DEBUG_ATOMIC_SLEEP is not set +# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set +# CONFIG_LOCK_TORTURE_TEST is not set +# CONFIG_WW_MUTEX_SELFTEST is not set +# CONFIG_STACKTRACE is not set +# CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set +# CONFIG_DEBUG_KOBJECT is not set +CONFIG_DEBUG_BUGVERBOSE=y +# CONFIG_DEBUG_LIST is not set +# CONFIG_DEBUG_PI_LIST is not set +# CONFIG_DEBUG_SG is not set +# CONFIG_DEBUG_NOTIFIERS is not set +# CONFIG_DEBUG_CREDENTIALS is not set + +# +# RCU Debugging +# +# CONFIG_RCU_PERF_TEST is not set +# CONFIG_RCU_TORTURE_TEST is not set +# CONFIG_RCU_TRACE is not set +# CONFIG_RCU_EQS_DEBUG is not set +# CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set +# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set +# CONFIG_NOTIFIER_ERROR_INJECTION is not set +# CONFIG_FAULT_INJECTION is not set +# CONFIG_LATENCYTOP is not set +CONFIG_USER_STACKTRACE_SUPPORT=y 
+CONFIG_HAVE_FUNCTION_TRACER=y +CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y +CONFIG_HAVE_DYNAMIC_FTRACE=y +CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y +CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y +CONFIG_HAVE_SYSCALL_TRACEPOINTS=y +CONFIG_HAVE_FENTRY=y +CONFIG_HAVE_C_RECORDMCOUNT=y +CONFIG_TRACING_SUPPORT=y +CONFIG_FTRACE=y +# CONFIG_FUNCTION_TRACER is not set +# CONFIG_PREEMPTIRQ_EVENTS is not set +# CONFIG_IRQSOFF_TRACER is not set +# CONFIG_SCHED_TRACER is not set +# CONFIG_HWLAT_TRACER is not set +# CONFIG_ENABLE_DEFAULT_TRACERS is not set +# CONFIG_FTRACE_SYSCALLS is not set +# CONFIG_TRACER_SNAPSHOT is not set +CONFIG_BRANCH_PROFILE_NONE=y +# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set +# CONFIG_PROFILE_ALL_BRANCHES is not set +# CONFIG_STACK_TRACER is not set +# CONFIG_BLK_DEV_IO_TRACE is not set +# CONFIG_UPROBE_EVENTS is not set +# CONFIG_MMIOTRACE is not set +# CONFIG_HIST_TRIGGERS is not set +# CONFIG_TRACEPOINT_BENCHMARK is not set +# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set +# CONFIG_DMA_API_DEBUG is not set +CONFIG_RUNTIME_TESTING_MENU=y +# CONFIG_TEST_LIST_SORT is not set +# CONFIG_TEST_SORT is not set +# CONFIG_BACKTRACE_SELF_TEST is not set +# CONFIG_RBTREE_TEST is not set +# CONFIG_INTERVAL_TREE_TEST is not set +# CONFIG_ATOMIC64_SELFTEST is not set +# CONFIG_TEST_HEXDUMP is not set +# CONFIG_TEST_STRING_HELPERS is not set +# CONFIG_TEST_KSTRTOX is not set +# CONFIG_TEST_PRINTF is not set +# CONFIG_TEST_BITMAP is not set +# CONFIG_TEST_BITFIELD is not set +# CONFIG_TEST_UUID is not set +# CONFIG_TEST_OVERFLOW is not set +# CONFIG_TEST_RHASHTABLE is not set +# CONFIG_TEST_HASH is not set +# CONFIG_TEST_IDA is not set +# CONFIG_FIND_BIT_BENCHMARK is not set +# CONFIG_TEST_FIRMWARE is not set +# CONFIG_TEST_SYSCTL is not set +# CONFIG_TEST_UDELAY is not set +# CONFIG_MEMTEST is not set +# CONFIG_BUG_ON_DATA_CORRUPTION is not set +# CONFIG_SAMPLES is not set +CONFIG_HAVE_ARCH_KGDB=y +# CONFIG_KGDB is not set +CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y +# CONFIG_UBSAN is not 
set +CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y +# CONFIG_STRICT_DEVMEM is not set +CONFIG_TRACE_IRQFLAGS_SUPPORT=y +CONFIG_X86_VERBOSE_BOOTUP=y +CONFIG_EARLY_PRINTK=y +# CONFIG_EARLY_PRINTK_DBGP is not set +# CONFIG_EARLY_PRINTK_USB_XDBC is not set +# CONFIG_X86_PTDUMP is not set +# CONFIG_DEBUG_WX is not set +CONFIG_DOUBLEFAULT=y +# CONFIG_DEBUG_TLBFLUSH is not set +# CONFIG_IOMMU_DEBUG is not set +CONFIG_HAVE_MMIOTRACE_SUPPORT=y +CONFIG_IO_DELAY_TYPE_0X80=0 +CONFIG_IO_DELAY_TYPE_0XED=1 +CONFIG_IO_DELAY_TYPE_UDELAY=2 +CONFIG_IO_DELAY_TYPE_NONE=3 +CONFIG_IO_DELAY_0X80=y +# CONFIG_IO_DELAY_0XED is not set +# CONFIG_IO_DELAY_UDELAY is not set +# CONFIG_IO_DELAY_NONE is not set +CONFIG_DEFAULT_IO_DELAY_TYPE=0 +# CONFIG_CPA_DEBUG is not set +# CONFIG_OPTIMIZE_INLINING is not set +# CONFIG_DEBUG_ENTRY is not set +# CONFIG_DEBUG_NMI_SELFTEST is not set +CONFIG_X86_DEBUG_FPU=y +# CONFIG_PUNIT_ATOM_DEBUG is not set +CONFIG_UNWINDER_ORC=y +# CONFIG_UNWINDER_FRAME_POINTER is not set diff --git a/testing/config/kvm/alice.xml b/testing/config/kvm/alice.xml index 0bf1eb596..c8ff289db 100644 --- a/testing/config/kvm/alice.xml +++ b/testing/config/kvm/alice.xml @@ -1,13 +1,13 @@ alice 1f35c25d-6a7b-4ee1-2461-d7e530e7b2a9 - 131072 - 131072 + 163840 + 163840 1 hvm /var/run/kvm-swan-kernel - root=/dev/vda1 loglevel=1 console=hvc0 + root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0 diff --git a/testing/config/kvm/bob.xml b/testing/config/kvm/bob.xml index f2425b222..0b433a437 100644 --- a/testing/config/kvm/bob.xml +++ b/testing/config/kvm/bob.xml @@ -7,7 +7,7 @@ hvm /var/run/kvm-swan-kernel - root=/dev/vda1 loglevel=1 console=hvc0 + root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0 diff --git a/testing/config/kvm/carol.xml b/testing/config/kvm/carol.xml index 51a7d8336..3eb163f6c 100644 --- a/testing/config/kvm/carol.xml +++ b/testing/config/kvm/carol.xml 
@@ -7,7 +7,7 @@ hvm /var/run/kvm-swan-kernel - root=/dev/vda1 loglevel=1 console=hvc0 + root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0 diff --git a/testing/config/kvm/dave.xml b/testing/config/kvm/dave.xml index 9e26b9629..d8d05a9e9 100644 --- a/testing/config/kvm/dave.xml +++ b/testing/config/kvm/dave.xml @@ -7,7 +7,7 @@ hvm /var/run/kvm-swan-kernel - root=/dev/vda1 loglevel=1 console=hvc0 + root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0 diff --git a/testing/config/kvm/moon.xml b/testing/config/kvm/moon.xml index 954af7aa1..943ab35b5 100644 --- a/testing/config/kvm/moon.xml +++ b/testing/config/kvm/moon.xml @@ -7,7 +7,7 @@ hvm /var/run/kvm-swan-kernel - root=/dev/vda1 loglevel=1 console=hvc0 + root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0 diff --git a/testing/config/kvm/sun.xml b/testing/config/kvm/sun.xml index c2d26737c..893a4aa37 100644 --- a/testing/config/kvm/sun.xml +++ b/testing/config/kvm/sun.xml @@ -7,7 +7,7 @@ hvm /var/run/kvm-swan-kernel - root=/dev/vda1 loglevel=1 console=hvc0 + root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0 diff --git a/testing/config/kvm/venus.xml b/testing/config/kvm/venus.xml index acc0d361a..a0b60171b 100644 --- a/testing/config/kvm/venus.xml +++ b/testing/config/kvm/venus.xml @@ -7,7 +7,7 @@ hvm /var/run/kvm-swan-kernel - root=/dev/vda1 loglevel=1 console=hvc0 + root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0 diff --git a/testing/config/kvm/winnetou.xml b/testing/config/kvm/winnetou.xml index b21cb7b08..59d7184f6 100644 --- a/testing/config/kvm/winnetou.xml +++ b/testing/config/kvm/winnetou.xml @@ -7,7 +7,7 @@ hvm /var/run/kvm-swan-kernel - root=/dev/vda1 loglevel=1 console=hvc0 + root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0 diff --git a/testing/do-tests b/testing/do-tests index 52d0d70eb..fad3af8cd 100755 --- a/testing/do-tests +++ b/testing/do-tests 
@@ -51,11 +51,15 @@ subdir_cnt="0"
##############################################################################
# parse optional arguments
#
-while getopts "v" opt
+while getopts "vt" opt
do
case "$opt" in
v)
verbose=YES
+ timestamps=YES
+ ;;
+ t)
+ timestamps=YES
;;
esac
done
@@ -64,7 +68,7 @@ shift $((OPTIND-1))
function print_time()
{
- [ "$verbose" == "YES" ] && echo "$(date +%T.%N) ~ "
+ [ "$timestamps" == "YES" ] && echo "$(date +%T.%N) ~ "
}
##############################################################################
@@ -689,21 +693,25 @@ do
do
eval HOSTLOGIN=root@\$ipv4_${host}
- for file in clients.conf eap.conf radiusd.conf proxy.conf users
+ RADIUS_DIR=/etc/freeradius/3.0
+ RADIUS_EAP_FILE=mods-enabled/eap
+ RADIUS_EAP_NAME=eap
+ if [ "$BASEIMGSUITE" == "jessie" ]
+ then
+ RADIUS_DIR=/etc/freeradius
+ RADIUS_EAP_FILE=eap.conf
+ RADIUS_EAP_NAME=eap.conf
+ fi
+
+ for file in clients.conf radiusd.conf proxy.conf users sites-enabled/default sites-enabled/inner-tunnel $RADIUS_EAP_FILE
do
- scp $SSHCONF $HOSTLOGIN:/etc/freeradius/$file \
- $TESTRESULTDIR/${host}.$file > /dev/null 2>&1
+ scp $SSHCONF $HOSTLOGIN:$RADIUS_DIR/$file \
+ $TESTRESULTDIR/${host}.$(basename $file) > /dev/null 2>&1
done
- scp $SSHCONF $HOSTLOGIN:/etc/strongswan.conf \
- $TESTRESULTDIR/${host}.strongswan.conf > /dev/null 2>&1
-
scp $SSHCONF $HOSTLOGIN:/var/log/freeradius/radius.log \
$TESTRESULTDIR/${host}.radius.log > /dev/null 2>&1
- ssh $SSHCONF $HOSTLOGIN grep imcv /var/log/daemon.log \
- >> $TESTRESULTDIR/${host}.daemon.log 2>/dev/null
-
chmod a+r $TESTRESULTDIR/*
cat >> $TESTRESULTDIR/index.html <<@EOF

$host
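Review bot: `RADIUS_EAP_NAME` is assigned in both branches of the new `BASEIMGSUITE` block but nothing in this hunk reads it; if it is only consumed by the index.html heredoc in the following hunk (whose body is not rendered here), a one-line comment at the first assignment, `# RADIUS_EAP_NAME: label for the copied EAP config in index.html`, would make that dependency visible, otherwise the variable is dead. The rewritten `scp` keeps the `> /dev/null 2>&1` pattern, so a copy that fails (a file absent on the older image, or an scp error) leaves the result set silently incomplete; `|| echo "$host: $file not collected" >&2` on that line would surface it. The enclosing per-host loop starts before this hunk.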

@@ -713,14 +721,14 @@ do
diff --git a/testing/hosts/alice/etc/freeradius/3.0/clients.conf b/testing/hosts/alice/etc/freeradius/3.0/clients.conf
new file mode 100644
index 000000000..7fad83c33
--- /dev/null
+++ b/testing/hosts/alice/etc/freeradius/3.0/clients.conf
@@ -0,0 +1,5 @@
+client moon {
+ ipaddr = 10.1.0.1
+ secret = gv6URkSs
+ require_message_authenticator = yes
+}
diff --git a/testing/hosts/alice/etc/freeradius/3.0/radiusd.conf b/testing/hosts/alice/etc/freeradius/3.0/radiusd.conf
new file mode 100644
index 000000000..6139bb90f
--- /dev/null
+++ b/testing/hosts/alice/etc/freeradius/3.0/radiusd.conf
@@ -0,0 +1,99 @@
+# radiusd.conf -- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = /usr
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = /var/log/freeradius
+raddbdir = /etc/freeradius/3.0
+radacctdir = ${logdir}/radacct
+
+# name of the running server. See also the "-n" command-line option.
+name = freeradius
+
+# Location of config and logfiles.
+confdir = ${raddbdir}
+modconfdir = ${confdir}/mods-config
+certdir = ${sysconfdir}/raddb/certs
+cadir = ${sysconfdir}/raddb/certs
+run_dir = ${localstatedir}/run/${name}
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+# pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+# correct_escapes: use correct backslash escaping
+correct_escapes = true
+
+# max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+# cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+# max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+# hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+# Logging section
+log {
+ destination = files
+ colourise = yes
+ file = ${logdir}/radius.log
+ syslog_facility = daemon
+ stripped_names = no
+ auth = yes
+ auth_badpass = yes
+ auth_goodpass = yes
+}
+
+# The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+# SECURITY CONFIGURATION
+security {
+ user = freerad
+ group = freerad
+ allow_core_dumps = no
+ max_attributes = 200
+ reject_delay = 1
+ status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+ auto_limit_acct = no
+}
+
+# MODULE CONFIGURATION
+modules {
+ $INCLUDE ${confdir}/mods-enabled/
+}
+
+# Policies
+policy {
+ $INCLUDE policy.d/
+}
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/hosts/alice/etc/freeradius/dictionary b/testing/hosts/alice/etc/freeradius/dictionary
index 59a874b3e..4c2c7ebb4 100644
--- a/testing/hosts/alice/etc/freeradius/dictionary
+++ b/testing/hosts/alice/etc/freeradius/dictionary
@@ -11,7 +11,7 @@
#
# The filename given here should be an absolute path.
#
-$INCLUDE /usr/local/share/freeradius/dictionary
+$INCLUDE /usr/share/freeradius/dictionary
#
# Place additional attributes or $INCLUDEs here. They will
diff --git a/testing/hosts/alice/etc/freeradius/radiusd.conf b/testing/hosts/alice/etc/freeradius/radiusd.conf
index e4f721738..bcdc369d2 100644
--- a/testing/hosts/alice/etc/freeradius/radiusd.conf
+++ b/testing/hosts/alice/etc/freeradius/radiusd.conf
@@ -101,8 +101,6 @@ thread pool {
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
- $INCLUDE sql.conf
- $INCLUDE sql/mysql/counter.conf
}
# Instantiation
diff --git a/testing/hosts/default/etc/ssh/sshd_config b/testing/hosts/default/etc/ssh/sshd_config
index 46b1f0231..cc6f43541 100644
--- a/testing/hosts/default/etc/ssh/sshd_config
+++ b/testing/hosts/default/etc/ssh/sshd_config
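Review bot: `certdir` and `cadir` in the new radiusd.conf point at `${sysconfdir}/raddb/certs` (/etc/raddb/certs) while every other path is rooted at `raddbdir = /etc/freeradius/3.0`; any module that resolves `${certdir}` or `${cadir}` — the EAP-TLS settings in mods-enabled/eap typically do — will look in a directory this layout does not provide, so these presumably should read `certdir = ${confdir}/certs` and `cadir = ${confdir}/certs` unless the certificates are deliberately installed under /etc/raddb. Separately, `auth_badpass = yes` and `auth_goodpass = yes` make the server write the submitted password into radius.log, which do-tests copies into the published results; that is acceptable for lab credentials but deserves a comment on those lines, e.g. `# logs cleartext passwords: test fixture only`.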
@@ -1,7 +1,7 @@
Port 22
Protocol 2
+Ciphers aes128-gcm@openssh.com
HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation no
PermitRootLogin yes
diff --git a/testing/hosts/default/usr/local/bin/init_collector b/testing/hosts/default/usr/local/bin/init_collector
index c522de874..df1462862 100755
--- a/testing/hosts/default/usr/local/bin/init_collector
+++ b/testing/hosts/default/usr/local/bin/init_collector
@@ -1,4 +1,6 @@
#! /bin/sh
cat /usr/local/share/strongswan/templates/database/sw-collector/sw_collector_tables.sql | sqlite3 /etc/db.d/collector.db
+sed -i "s:DEBIAN_VERSION:`cat /etc/debian_version`:" /etc/pts/collector.sql
+cat /etc/pts/collector.sql | sqlite3 /etc/db.d/collector.db
LEAK_DETECTIVE_DISABLE=1 /usr/local/sbin/sw-collector
diff --git a/testing/hosts/venus/etc/default/isc-dhcp-server b/testing/hosts/venus/etc/default/isc-dhcp-server
new file mode 100644
index 000000000..57a5c81f9
--- /dev/null
+++ b/testing/hosts/venus/etc/default/isc-dhcp-server
@@ -0,0 +1,3 @@
+# explicitly set an interface to avoid having to configure and run DHCPv6
+INTERFACESv4="eth0"
+INTERFACESv6=""
diff --git a/testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf b/testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf
index 68438a656..e362e138c 100644
--- a/testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf
+++ b/testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf
@@ -2,3 +2,4 @@ AddType text/plain .conf .log .sql .users
AddType text/plain .secrets .listall .statusall
AddType text/plain .conns .certs .sas .pools .authorities .stats
AddType text/plain .policy .state .route .iptables .iptables-save
+AddType text/plain .eap .default .inner-tunnel
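Review bot: The new `Ciphers aes128-gcm@openssh.com` leaves exactly one algorithm, so a client that does not offer it (older OpenSSH builds, or non-OpenSSH tools driven from the host) is refused outright instead of negotiating a fallback; the reason for the restriction is not stated, and a comment such as `# single AEAD cipher; speeds up bulk scp of test results` (or whatever the actual motivation is) would keep the next editor from widening it blindly. If compatibility matters, `Ciphers aes128-gcm@openssh.com,chacha20-poly1305@openssh.com` keeps the AEAD-only property while covering hosts without AES-NI. Removing the DSA host key is consistent with current OpenSSH, which no longer offers ssh-dss by default.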
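Review bot: `sed -i` rewrites /etc/pts/collector.sql in place, so the `DEBIAN_VERSION` placeholder disappears after the first run and a later run on the same image (after a Debian point upgrade, say) no longer substitutes the current version; streaming the substitution instead keeps the template intact and removes the extra `cat`: `sed "s:DEBIAN_VERSION:$(cat /etc/debian_version):" /etc/pts/collector.sql | sqlite3 /etc/db.d/collector.db`. Neither added line checks its exit status, in keeping with the rest of this script, so a missing collector.sql or a failed sqlite3 import passes silently; `set -e` after the shebang would be a minimal guard.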
diff --git a/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text b/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text
deleted file mode 100644
index 68438a656..000000000
--- a/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text
+++ /dev/null
@@ -1,4 +0,0 @@
-AddType text/plain .conf .log .sql .users
-AddType text/plain .secrets .listall .statusall
-AddType text/plain .conns .certs .sas .pools .authorities .stats
-AddType text/plain .policy .state .route .iptables .iptables-save
diff --git a/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf b/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf
index 0772c34ea..fb9e98424 100644
--- a/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf
+++ b/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf
@@ -12,13 +12,7 @@ AddHandler cgi-script .cgi
DirectoryIndex ocsp.cgi
Options +ExecCGI
-
- Require all granted
-
-
- Order deny,allow
- Allow from all
-
+ Require all granted
ErrorLog /var/log/apache2/ocsp/error_log
CustomLog /var/log/apache2/ocsp/access_log combined
@@ -34,13 +28,7 @@ Listen 8881
DirectoryIndex ocsp.cgi
Options +ExecCGI
-
- Require all granted
-
-
- Order deny,allow
- Allow from all
-
+ Require all granted
ErrorLog /var/log/apache2/ocsp/error_log
CustomLog /var/log/apache2/ocsp/access_log combined
@@ -56,13 +44,7 @@ Listen 8882
DirectoryIndex ocsp.cgi
Options +ExecCGI
-
- Require all granted
-
-
- Order deny,allow
- Allow from all
-
+ Require all granted
ErrorLog /var/log/apache2/ocsp/error_log
CustomLog /var/log/apache2/ocsp/access_log combined
diff --git a/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf b/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf
index 260171cfd..b610836fc 100644
--- a/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf - OpenSSL configuration file for the ZHW PKI
-# Mario Strasser
-#
+# openssl.cnf - OpenSSL configuration file
+#
# This definitions were set by the ca_init script DO NOT change
# them manually.
CAHOME = /etc/openssl/duck
RANDFILE = $CAHOME/.rand
-# Extra OBJECT IDENTIFIER info:
-oid_section = new_oids
-
-[ new_oids ]
-SmartcardLogin = 1.3.6.1.4.1.311.20.2
-ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
-
####################################################################
[ ca ]
@@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section
####################################################################
-[ root_ca ]
+[ root_ca ]
dir = $CAHOME
certs = $dir/certs # Where the issued certs are kept
@@ -82,7 +74,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert
# req_extensions = v3_req # The extensions to add to a certificate request
-# This sets a mask for permitted string types. There are several options.
+# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
@@ -117,7 +109,7 @@ organizationName_default = Linux strongSwan
#1.organizationalUnitName = Type (eg, Staff)
#1.organizationalUnitName_default = Staff
-#userId = UID
+#userId = UID
commonName = Common Name (eg, YOUR name)
commonName_default = $ENV::COMMON_NAME
@@ -154,7 +146,7 @@ basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
-subjectAltName = email:$ENV::COMMON_NAME
+subjectAltName = email:$ENV::COMMON_NAME
####################################################################
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf b/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf
index d31752e30..ddd94d061 100644
--- a/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf
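Review bot: Removing `oid_section = new_oids` together with the `[ new_oids ]` section drops the `SmartcardLogin` and `ClientAuthentication` names from this configuration, so any extension section further down that still references either name (for example in an `extendedKeyUsage` list) will now fail to parse when the CA is used; those sections are outside this hunk, so please confirm none of them uses the names, or keep the section. The same removal is made in the ecdsa, monster, top-level, research and rfc3779 copies of openssl.cnf below, which are near-identical and could be generated from one template rather than maintained six times. The remaining hunks in these files appear to be trailing-whitespace trims only, since the removed and added lines render identically here.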
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf - OpenSSL configuration file for the ZHW PKI
-# Mario Strasser
-#
+# openssl.cnf - OpenSSL configuration file
+#
# This definitions were set by the ca_init script DO NOT change
# them manually.
-CAHOME = /etc/openssl/ecdsa
+CAHOME = /etc/openssl/ecdsa
RANDFILE = $CAHOME/.rand
-# Extra OBJECT IDENTIFIER info:
-oid_section = new_oids
-
-[ new_oids ]
-SmartcardLogin = 1.3.6.1.4.1.311.20.2
-ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
-
####################################################################
[ ca ]
@@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section
####################################################################
-[ root_ca ]
+[ root_ca ]
dir = $CAHOME
certs = $dir/certs # Where the issued certs are kept
@@ -83,7 +75,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert
# req_extensions = v3_req # The extensions to add to a certificate request
-# This sets a mask for permitted string types. There are several options.
+# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
@@ -118,7 +110,7 @@ organizationName_default = Linux strongSwan
#1.organizationalUnitName = Type (eg, Staff)
#1.organizationalUnitName_default = Staff
-#userId = UID
+#userId = UID
commonName = Common Name (eg, YOUR name)
commonName_default = $ENV::COMMON_NAME
@@ -156,7 +148,7 @@ basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
-subjectAltName = email:$ENV::COMMON_NAME
+subjectAltName = email:$ENV::COMMON_NAME
#authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880
crlDistributionPoints = URI:http://crl.strongswan.org/strongswan_ec.crl
diff --git a/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf b/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf
index 5985b5650..170daba56 100644
--- a/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf - OpenSSL configuration file for the ZHW PKI
-# Mario Strasser
-#
+# openssl.cnf - OpenSSL configuration file
+#
# This definitions were set by the ca_init script DO NOT change
# them manually.
CAHOME = /etc/openssl/monster
RANDFILE = $CAHOME/.rand
-# Extra OBJECT IDENTIFIER info:
-oid_section = new_oids
-
-[ new_oids ]
-SmartcardLogin = 1.3.6.1.4.1.311.20.2
-ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
-
####################################################################
[ ca ]
@@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section
####################################################################
-[ root_ca ]
+[ root_ca ]
dir = $CAHOME
certs = $dir/certs # Where the issued certs are kept
@@ -83,7 +75,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert
# req_extensions = v3_req # The extensions to add to a certificate request
-# This sets a mask for permitted string types. There are several options.
+# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
@@ -118,7 +110,7 @@ organizationName_default = Linux strongSwan
#1.organizationalUnitName = Type (eg, Staff)
#1.organizationalUnitName_default = Staff
-#userId = UID
+#userId = UID
commonName = Common Name (eg, YOUR name)
commonName_default = $ENV::COMMON_NAME
@@ -156,7 +148,7 @@ basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
-subjectAltName = email:$ENV::COMMON_NAME
+subjectAltName = email:$ENV::COMMON_NAME
#authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880
crlDistributionPoints = URI:http://crl.strongswan.org/strongswan-monster.crl
diff --git a/testing/hosts/winnetou/etc/openssl/openssl.cnf b/testing/hosts/winnetou/etc/openssl/openssl.cnf
index 9078b2043..b1ef68a11 100644
--- a/testing/hosts/winnetou/etc/openssl/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf - OpenSSL configuration file for the ZHW PKI
-# Mario Strasser
-#
+# openssl.cnf - OpenSSL configuration file
+#
# This definitions were set by the ca_init script DO NOT change
# them manually.
-CAHOME = /etc/openssl
+CAHOME = /etc/openssl
RANDFILE = $CAHOME/.rand
-# Extra OBJECT IDENTIFIER info:
-oid_section = new_oids
-
-[ new_oids ]
-SmartcardLogin = 1.3.6.1.4.1.311.20.2
-ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
-
####################################################################
[ ca ]
@@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section
####################################################################
-[ root_ca ]
+[ root_ca ]
dir = $CAHOME
certs = $dir/certs # Where the issued certs are kept
@@ -83,7 +75,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert
# req_extensions = v3_req # The extensions to add to a certificate request
-# This sets a mask for permitted string types. There are several options.
+# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
@@ -118,7 +110,7 @@ organizationName_default = Linux strongSwan
#1.organizationalUnitName = Type (eg, Staff)
#1.organizationalUnitName_default = Staff
-#userId = UID
+#userId = UID
commonName = Common Name (eg, YOUR name)
commonName_default = $ENV::COMMON_NAME
@@ -157,7 +149,7 @@ basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
-subjectAltName = email:$ENV::COMMON_NAME
+subjectAltName = email:$ENV::COMMON_NAME
#authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880
crlDistributionPoints = URI:http://crl.strongswan.org/strongswan.crl
diff --git a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
index 7099413f0..f5ae64e36 100644
--- a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
@@ -1,19 +1,11 @@
-# openssl.cnf - OpenSSL configuration file for the ZHW PKI
-# Mario Strasser
-#
+# openssl.cnf - OpenSSL configuration file
+#
# This definitions were set by the ca_init script DO NOT change
# them manually.
CAHOME = /etc/openssl/research
RANDFILE = $CAHOME/.rand
-# Extra OBJECT IDENTIFIER info:
-oid_section = new_oids
-
-[ new_oids ]
-SmartcardLogin = 1.3.6.1.4.1.311.20.2
-ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
-
####################################################################
[ ca ]
@@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section
####################################################################
-[ root_ca ]
+[ root_ca ]
dir = $CAHOME
certs = $dir/certs # Where the issued certs are kept
@@ -82,7 +74,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert # req_extensions = v3_req # The extensions to add to a certificate request -# This sets a mask for permitted string types. There are several options. +# This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString. # utf8only: only UTF8Strings. @@ -117,7 +109,7 @@ organizationName_default = Linux strongSwan #1.organizationalUnitName = Type (eg, Staff) #1.organizationalUnitName_default = Staff -#userId = UID +#userId = UID commonName = Common Name (eg, YOUR name) commonName_default = $ENV::COMMON_NAME @@ -155,7 +147,7 @@ basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment, keyAgreement subjectKeyIdentifier = hash authorityKeyIdentifier = keyid, issuer:always -subjectAltName = email:$ENV::COMMON_NAME +subjectAltName = email:$ENV::COMMON_NAME crlDistributionPoints = URI:http://crl.strongswan.org/research.crl #################################################################### diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf index 12da734aa..11ff172ac 100644 --- a/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf +++ b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf @@ -1,19 +1,11 @@ -# openssl.cnf - OpenSSL configuration file for the ZHW PKI -# Mario Strasser -# +# openssl.cnf - OpenSSL configuration file +# # This definitions were set by the ca_init script DO NOT change # them manually. -CAHOME = /etc/openssl/rfc3779 +CAHOME = /etc/openssl/rfc3779 RANDFILE = $CAHOME/.rand -# Extra OBJECT IDENTIFIER info: -oid_section = new_oids - -[ new_oids ] -SmartcardLogin = 1.3.6.1.4.1.311.20.2 -ClientAuthentication = 1.3.6.1.4.1.311.20.2.2 - #################################################################### [ ca ] 
@@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section #################################################################### -[ root_ca ] +[ root_ca ] dir = $CAHOME certs = $dir/certs # Where the issued certs are kept @@ -83,7 +75,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert # req_extensions = v3_req # The extensions to add to a certificate request -# This sets a mask for permitted string types. There are several options. +# This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString. # utf8only: only UTF8Strings. @@ -113,12 +105,12 @@ organizationName = Organization Name (eg, company) organizationName_default = Linux strongSwan 0.organizationalUnitName = Organizational Unit Name (eg, section) -0.organizationalUnitName_default = RFC3779 +0.organizationalUnitName_default = RFC3779 #1.organizationalUnitName = Type (eg, Staff) #1.organizationalUnitName_default = Staff -#userId = UID +#userId = UID commonName = Common Name (eg, YOUR name) commonName_default = $ENV::COMMON_NAME @@ -173,7 +165,7 @@ basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment, keyAgreement subjectKeyIdentifier = hash authorityKeyIdentifier = keyid, issuer:always -subjectAltName = email:$ENV::COMMON_NAME +subjectAltName = email:$ENV::COMMON_NAME #authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880 crlDistributionPoints = URI:http://crl.strongswan.org/strongswan_rfc3779.crl diff --git a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf index f3ec7e168..f1d080c0b 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf +++ b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf 
@@ -1,19 +1,11 @@ -# openssl.cnf - OpenSSL configuration file for the ZHW PKI -# Mario Strasser -# +# openssl.cnf - OpenSSL configuration file +# # This definitions were set by the ca_init script DO NOT change # them manually. -CAHOME = /etc/openssl/sales +CAHOME = /etc/openssl/sales RANDFILE = $CAHOME/.rand -# Extra OBJECT IDENTIFIER info: -oid_section = new_oids - -[ new_oids ] -SmartcardLogin = 1.3.6.1.4.1.311.20.2 -ClientAuthentication = 1.3.6.1.4.1.311.20.2.2 - #################################################################### [ ca ] @@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section #################################################################### -[ root_ca ] +[ root_ca ] dir = $CAHOME certs = $dir/certs # Where the issued certs are kept @@ -82,7 +74,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert # req_extensions = v3_req # The extensions to add to a certificate request -# This sets a mask for permitted string types. There are several options. +# This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString. # utf8only: only UTF8Strings. @@ -117,7 +109,7 @@ organizationName_default = Linux strongSwan #1.organizationalUnitName = Type (eg, Staff) #1.organizationalUnitName_default = Staff -#userId = UID +#userId = UID commonName = Common Name (eg, YOUR name) commonName_default = $ENV::COMMON_NAME @@ -155,7 +147,7 @@ basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment, keyAgreement subjectKeyIdentifier = hash authorityKeyIdentifier = keyid, issuer:always -subjectAltName = email:$ENV::COMMON_NAME +subjectAltName = email:$ENV::COMMON_NAME crlDistributionPoints = URI:http://crl.strongswan.org/sales.crl #authorityInfoAccess = OCSP;URI:http://ocsp2.strongswan.org:8882 diff --git a/testing/scripts/build-baseimage b/testing/scripts/build-baseimage index 95453d620..7c30758bf 100755 
--- a/testing/scripts/build-baseimage
+++ b/testing/scripts/build-baseimage
@@ -12,29 +12,34 @@ running_any $STRONGSWANHOSTS && die "Please stop test environment before running check_commands debootstrap mkfs.ext3 partprobe qemu-img qemu-nbd sfdisk # package includes/excludes -INC=automake,autoconf,libtool,bison,flex,gperf,pkg-config,gettext,less +INC=automake,autoconf,libtool,bison,flex,gperf,pkg-config,gettext,less,locales INC=$INC,build-essential,libgmp-dev,libldap2-dev,libcurl4-openssl-dev,ethtool INC=$INC,libxml2-dev,libtspi-dev,libsqlite3-dev,openssh-server,tcpdump,psmisc INC=$INC,openssl,vim,sqlite3,conntrack,gdb,cmake,libltdl-dev,liblog4cxx10-dev -INC=$INC,libboost-thread-dev,libboost-system-dev,git-core,iperf,htop,screen +INC=$INC,libboost-thread-dev,libboost-system-dev,git-core,iperf,htop INC=$INC,gnat,gprbuild,acpid,acpi-support-base,libldns-dev,libunbound-dev INC=$INC,dnsutils,libsoup2.4-dev,ca-certificates,unzip,libsystemd-dev INC=$INC,python,python-setuptools,python-dev,python-pip,apt-transport-https -INC=$INC,libjson0-dev,libxslt1-dev,libapache2-mod-wsgi,iptables-dev +INC=$INC,libjson-c-dev,libxslt1-dev,libapache2-mod-wsgi,iptables-dev +INC=$INC,libxerces-c-dev,libgcrypt20-dev,traceroute case "$BASEIMGSUITE" in -wheezy) - INC=$INC,libxerces-c2-dev,libahven3-dev,libxmlada4.1-dev,libgmpada3-dev - INC=$INC,libalog0.4.1-base-dev - ;; jessie) - INC=$INC,libxerces-c-dev,libahven4-dev,libxmlada5-dev,libgmpada5-dev - INC=$INC,libalog1-dev,libgcrypt20-dev + INC=$INC,libahven4-dev,libxmlada5-dev,libgmpada5-dev + INC=$INC,libalog1-dev + ;; +stretch) + INC=$INC,libahven5-dev,libxmlada-schema6-dev,libgmpada6-dev + INC=$INC,libalog2-dev ;; *) echo_warn "Package list for '$BASEIMGSUITE' might has to be updated" esac -SERVICES="apache2 dbus isc-dhcp-server slapd bind9" +SERVICES="apache2 dbus isc-dhcp-server slapd bind9 freeradius" INC=$INC,${SERVICES// /,} +# packages to install via APT, for SWIMA tests +APT="tmux" +# additional services to disable +SERVICES="$SERVICES systemd-timesyncd.service" CACHEDIR=$BUILDDIR/cache 
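Review bot: `SERVICES` now serves two different purposes in this hunk: first as a package list that `INC=$INC,${SERVICES// /,}` folds into the debootstrap includes, then, after `SERVICES="$SERVICES systemd-timesyncd.service"`, as a list of units for the disable loop in the third hunk of this file. That only works because the append comes after the `INC` line, an ordering dependency nothing in the script documents. A separate name, `DISABLED_SERVICES="$SERVICES systemd-timesyncd.service"` consumed by `for service in $DISABLED_SERVICES`, keeps the package list and the unit list apart. With the wheezy branch gone, the `*)` arm of the `case` still only warns via `echo_warn`, although the later `systemctl disable` path is now assumed for every suite.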
APTCACHE=$LOOPDIR/var/cache/apt/archives @@ -86,6 +91,13 @@ execute "debootstrap --arch=$BASEIMGARCH --include=$INC $BASEIMGSUITE $LOOPDIR $ execute "mount -t proc none $LOOPDIR/proc" 0 do_on_exit graceful_umount $LOOPDIR/proc +log_action "Generating locales" +cat > $LOOPDIR/etc/locale.gen << EOF +de_CH.UTF-8 UTF-8 +en_US.UTF-8 UTF-8 +EOF +execute_chroot "locale-gen" + log_action "Downloading signing key for custom apt repo" execute_chroot "wget -q $BASEIMGEXTKEY -O /tmp/key" log_action "Installing signing key for custom apt repo" @@ -107,18 +119,15 @@ log_status $? log_action "Update package sources" execute_chroot "apt-get update" +log_action "Install packages via APT" +execute_chroot "apt-get -y install $APT" log_action "Install packages from custom repo" execute_chroot "apt-get -y upgrade" for service in $SERVICES do log_action "Disabling service $service" - if [ "$BASEIMGSUITE" == "wheezy" ] - then - execute_chroot "update-rc.d -f $service remove" - else - execute_chroot "systemctl disable $service" - fi + execute_chroot "systemctl disable $service" done log_action "Disabling root password" diff --git a/testing/scripts/build-guestimages b/testing/scripts/build-guestimages index 7dd7188c2..5116d095e 100755 --- a/testing/scripts/build-guestimages +++ b/testing/scripts/build-guestimages @@ -76,12 +76,7 @@ do for service in "apache2 slapd bind9" do - if [ "$BASEIMGSUITE" == "wheezy" ] - then - execute_chroot "update-rc.d $service defaults" 0 - else - execute_chroot "systemctl enable $service" 0 - fi + execute_chroot "systemctl enable $service" 0 done fi sync diff --git a/testing/scripts/build-rootimage b/testing/scripts/build-rootimage index a84104a90..c6c41ada3 100755 --- a/testing/scripts/build-rootimage +++ b/testing/scripts/build-rootimage 
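Review bot: The new `cat > $LOOPDIR/etc/locale.gen << EOF` step is the only step in these hunks that bypasses the `execute`/`execute_chroot` wrappers, so a failure to write the file is neither logged nor fatal, and the following `execute_chroot "locale-gen"` would quietly generate whatever `locale.gen` the `locales` package shipped. Adding `log_status $?` after the heredoc, as the script already does for other bare commands (see `log_status $?` at the top of the next hunk), keeps the step visible in the build log. The `apt-get -y install $APT` line in the next hunk relies on `APT` staying a space-separated list, which `APT="tmux"` in the first hunk currently is.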
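Review bot: In build-guestimages the loop header `for service in "apache2 slapd bind9"` iterates exactly once with the whole quoted string, so the new line runs `systemctl enable apache2 slapd bind9` as a single call rather than once per service. systemctl accepts several unit names, so it works, but the loop is misleading and any per-unit exit status is lost; dropping the quotes, `for service in apache2 slapd bind9`, makes the loop do what it reads as. The enclosing `if` and the `do` of this loop begin before the hunk.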
@@ -55,8 +55,11 @@ do_on_exit umount $LOOPDIR/root/shared echo "Installing software from source" RECPDIR=$DIR/recipes +if [ -d "$RECPDIR/patches" ] +then + execute "cp -r $RECPDIR/patches $LOOPDIR/root/shared/compile" 0 +fi RECIPES=`ls $RECPDIR/*.mk | xargs -n1 basename` -execute "cp -r $RECPDIR/patches $LOOPDIR/root/shared/compile" 0 for r in $RECIPES do cp $RECPDIR/$r ${LOOPDIR}/root/shared/compile diff --git a/testing/scripts/recipes/001_libtnc.mk b/testing/scripts/recipes/001_libtnc.mk deleted file mode 100644 index b835958b7..000000000 --- a/testing/scripts/recipes/001_libtnc.mk +++ /dev/null @@ -1,31 +0,0 @@ -#!/usr/bin/make - -PV = 1.25 -PKG = libtnc-$(PV) -TAR = $(PKG).tar.gz -SRC = http://downloads.sourceforge.net/project/libtnc/libtnc/$(PV)/$(TAR) - -NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN) - -CONFIG_OPTS = \ - --sysconfdir=/etc - -all: install - -$(TAR): - wget $(SRC) - -.$(PKG)-unpacked: $(TAR) - tar xfz $(TAR) - @touch $@ - -.$(PKG)-configured: .$(PKG)-unpacked - cd $(PKG) && ./configure $(CONFIG_OPTS) - @touch $@ - -.$(PKG)-built: .$(PKG)-configured - cd $(PKG) && make -j $(NUM_CPUS) - @touch $@ - -install: .$(PKG)-built - cd $(PKG) && make install diff --git a/testing/scripts/recipes/002_tnc-fhh.mk b/testing/scripts/recipes/002_tnc-fhh.mk deleted file mode 100644 index d4ed4f99c..000000000 --- a/testing/scripts/recipes/002_tnc-fhh.mk +++ /dev/null 
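Review bot: The new `if [ -d "$RECPDIR/patches" ]` guard makes the patches directory optional without saying so: when it is absent the copy is skipped silently, and a recipe that still lists `PATCHES` would only fail later, inside the guest's `make`, with a missing-file error from `patch`. An `else` branch with a one-line message, e.g. `echo "No patches directory, skipping"`, in the style of the `echo "Installing software from source"` line above, would make that state visible in the build log. The `execute` call itself is unchanged apart from moving inside the guard.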
@@ -1,35 +0,0 @@ -#!/usr/bin/make - -PKG = fhhtnc -SRC = git://github.com/trustatfhh/tnc-fhh.git - -NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN) - -CONFIG_OPTS = \ - -DCOMPONENT=all \ - -DNAL=8021x - -PATCHES = \ - tnc-fhh-tncsim - -all: install - -.$(PKG)-cloned: - git clone $(SRC) $(PKG) - mkdir $(PKG)/build - @touch $@ - -.$(PKG)-patches-applied: .$(PKG)-cloned - cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1 - @touch $@ - -.$(PKG)-configured: .$(PKG)-patches-applied - cd $(PKG)/build && cmake $(CONFIG_OPTS) ../ - @touch $@ - -.$(PKG)-built: .$(PKG)-configured - cd $(PKG)/build && make -j $(NUM_CPUS) - @touch $@ - -install: .$(PKG)-built - cd $(PKG)/build && make install diff --git a/testing/scripts/recipes/003_freeradius.mk b/testing/scripts/recipes/003_freeradius.mk deleted file mode 100644 index 71cfc238c..000000000 --- a/testing/scripts/recipes/003_freeradius.mk +++ /dev/null @@ -1,43 +0,0 @@ -#!/usr/bin/make - -PV = 2.2.8 -PKG = freeradius-server-$(PV) -TAR = $(PKG).tar.bz2 -SRC = ftp://ftp.freeradius.org/pub/freeradius/old/$(TAR) - -NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN) - -CONFIG_OPTS = \ - --with-raddbdir=/etc/freeradius \ - --sysconfdir=/etc \ - --with-logdir=/var/log/freeradius \ - --enable-developer \ - --with-experimental-modules - -PATCHES = \ - freeradius-eap-sim-identity \ - freeradius-tnc-fhh - -all: install - -$(TAR): - wget $(SRC) - -.$(PKG)-unpacked: $(TAR) - tar xfj $(TAR) - @touch $@ - -.$(PKG)-patches-applied: .$(PKG)-unpacked - cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1 - @touch $@ - -.$(PKG)-configured: .$(PKG)-patches-applied - cd $(PKG) && ./configure $(CONFIG_OPTS) - @touch $@ - -.$(PKG)-built: .$(PKG)-configured - cd $(PKG) && make -j $(NUM_CPUS) - @touch $@ - -install: .$(PKG)-built - cd $(PKG) && make install diff --git a/testing/scripts/recipes/004_hostapd.mk b/testing/scripts/recipes/004_hostapd.mk deleted file mode 100644 index 0acd428c9..000000000 
--- a/testing/scripts/recipes/004_hostapd.mk +++ /dev/null @@ -1,39 +0,0 @@ -#!/usr/bin/make - -PV = 2.0 -PKG = hostapd-$(PV) -TAR = $(PKG).tar.gz -SRC = http://w1.fi/releases/$(TAR) - -NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN) - -CONFIG_OPTS = - -PATCHES = \ - hostapd-config - -SUBDIR = hostapd - -all: install - -$(TAR): - wget $(SRC) - -.$(PKG)-unpacked: $(TAR) - tar xfz $(TAR) - @touch $@ - -.$(PKG)-patches-applied: .$(PKG)-unpacked - cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1 - @touch $@ - -.$(PKG)-configured: .$(PKG)-patches-applied - cp $(PKG)/$(SUBDIR)/defconfig $(PKG)/$(SUBDIR)/.config - @touch $@ - -.$(PKG)-built: .$(PKG)-configured - cd $(PKG)/$(SUBDIR) && make -j $(NUM_CPUS) - @touch $@ - -install: .$(PKG)-built - cd $(PKG)/$(SUBDIR) && make install diff --git a/testing/scripts/recipes/004_wpa_supplicant.mk b/testing/scripts/recipes/004_wpa_supplicant.mk deleted file mode 100644 index 4cc870c12..000000000 --- a/testing/scripts/recipes/004_wpa_supplicant.mk +++ /dev/null @@ -1,39 +0,0 @@ -#!/usr/bin/make - -PV = 2.0 -PKG = wpa_supplicant-$(PV) -TAR = $(PKG).tar.gz -SRC = http://w1.fi/releases/$(TAR) - -NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN) - -CONFIG_OPTS = - -PATCHES = \ - wpa_supplicant-eap-tnc - -SUBDIR = wpa_supplicant - -all: install - -$(TAR): - wget $(SRC) - -.$(PKG)-unpacked: $(TAR) - tar xfz $(TAR) - @touch $@ - -.$(PKG)-patches-applied: .$(PKG)-unpacked - cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1 - @touch $@ - -.$(PKG)-configured: .$(PKG)-patches-applied - cp $(PKG)/$(SUBDIR)/defconfig $(PKG)/$(SUBDIR)/.config - @touch $@ - -.$(PKG)-built: .$(PKG)-configured - cd $(PKG)/$(SUBDIR) && make -j $(NUM_CPUS) - @touch $@ - -install: .$(PKG)-built - cd $(PKG)/$(SUBDIR) && make install diff --git a/testing/scripts/recipes/005_anet.mk b/testing/scripts/recipes/005_anet.mk index a6af5df5c..b311c0a99 100644 --- a/testing/scripts/recipes/005_anet.mk +++ b/testing/scripts/recipes/005_anet.mk 
@@ -8,14 +8,15 @@ PREFIX = /usr/local/ada all: install -$(PKG): - git clone $(SRC) $(PKG) +.$(PKG)-cloned: + [ -d $(PKG) ] || git clone $(SRC) $(PKG) + @touch $@ -.$(PKG)-cloned-$(REV): $(PKG) +.$(PKG)-checkout-$(REV): .$(PKG)-cloned cd $(PKG) && git fetch && git checkout $(REV) @touch $@ -.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV) +.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV) cd $(PKG) && make LIBRARY_KIND=static @touch $@ diff --git a/testing/scripts/recipes/006_tkm-rpc.mk b/testing/scripts/recipes/006_tkm-rpc.mk index 5f2e207c8..ed2a62396 100644 --- a/testing/scripts/recipes/006_tkm-rpc.mk +++ b/testing/scripts/recipes/006_tkm-rpc.mk @@ -10,14 +10,15 @@ export ADA_PROJECT_PATH=$(PREFIX)/lib/gnat all: install -$(PKG): - git clone $(SRC) $(PKG) +.$(PKG)-cloned: + [ -d $(PKG) ] || git clone $(SRC) $(PKG) + @touch $@ -.$(PKG)-cloned-$(REV): $(PKG) +.$(PKG)-checkout-$(REV): .$(PKG)-cloned cd $(PKG) && git fetch && git checkout $(REV) @touch $@ -.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV) +.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV) cd $(PKG) && make @touch $@ diff --git a/testing/scripts/recipes/007_x509-ada.mk b/testing/scripts/recipes/007_x509-ada.mk index 7899f6dec..57a106dea 100644 --- a/testing/scripts/recipes/007_x509-ada.mk +++ b/testing/scripts/recipes/007_x509-ada.mk @@ -8,14 +8,15 @@ PREFIX = /usr/local/ada all: install -$(PKG): - git clone $(SRC) $(PKG) +.$(PKG)-cloned: + [ -d $(PKG) ] || git clone $(SRC) $(PKG) + @touch $@ -.$(PKG)-cloned-$(REV): $(PKG) +.$(PKG)-checkout-$(REV): .$(PKG)-cloned cd $(PKG) && git fetch && git checkout $(REV) @touch $@ -.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV) +.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV) cd $(PKG) && make tests && make @touch $@ diff --git a/testing/scripts/recipes/008_xfrm-ada.mk b/testing/scripts/recipes/008_xfrm-ada.mk index ad1cbb2bc..64ada0e45 100644 --- a/testing/scripts/recipes/008_xfrm-ada.mk +++ b/testing/scripts/recipes/008_xfrm-ada.mk 
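Review bot: The new `.$(PKG)-cloned` rule tests `[ -d $(PKG) ]` before cloning and then unconditionally touches the stamp, so any pre-existing directory of that name, including a leftover that is not a git checkout, is accepted as a clone and the `git fetch && git checkout $(REV)` in `.$(PKG)-checkout-$(REV)` becomes the first place the problem shows up. Testing for the repository rather than the directory, `[ -d $(PKG)/.git ] || git clone $(SRC) $(PKG)`, ties the stamp to what the next rule actually needs. The same rule is introduced in 006_tkm-rpc, 007_x509-ada, 008_xfrm-ada, 009_xfrm-proxy, 010_tkm and 011_botan, so the change applies to all of them.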
@@ -10,14 +10,15 @@ export ADA_PROJECT_PATH=$(PREFIX)/lib/gnat all: install -$(PKG): - git clone $(SRC) $(PKG) +.$(PKG)-cloned: + [ -d $(PKG) ] || git clone $(SRC) $(PKG) + @touch $@ -.$(PKG)-cloned-$(REV): $(PKG) +.$(PKG)-checkout-$(REV): .$(PKG)-cloned cd $(PKG) && git fetch && git checkout $(REV) @touch $@ -.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV) +.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV) cd $(PKG) && make @touch $@ diff --git a/testing/scripts/recipes/009_xfrm-proxy.mk b/testing/scripts/recipes/009_xfrm-proxy.mk index a7c9d31cc..bdf5b1211 100644 --- a/testing/scripts/recipes/009_xfrm-proxy.mk +++ b/testing/scripts/recipes/009_xfrm-proxy.mk @@ -8,14 +8,15 @@ export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat all: install -$(PKG): - git clone $(SRC) $(PKG) +.$(PKG)-cloned: + [ -d $(PKG) ] || git clone $(SRC) $(PKG) + @touch $@ -.$(PKG)-cloned-$(REV): $(PKG) +.$(PKG)-checkout-$(REV): .$(PKG)-cloned cd $(PKG) && git fetch && git checkout $(REV) @touch $@ -.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV) +.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV) cd $(PKG) && make @touch $@ diff --git a/testing/scripts/recipes/010_tkm.mk b/testing/scripts/recipes/010_tkm.mk index 03ee5b526..2651660db 100644 --- a/testing/scripts/recipes/010_tkm.mk +++ b/testing/scripts/recipes/010_tkm.mk @@ -8,14 +8,15 @@ export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat all: install -$(PKG): - git clone $(SRC) $(PKG) +.$(PKG)-cloned: + [ -d $(PKG) ] || git clone $(SRC) $(PKG) + @touch $@ -.$(PKG)-cloned-$(REV): $(PKG) +.$(PKG)-checkout-$(REV): .$(PKG)-cloned cd $(PKG) && git fetch && git checkout $(REV) @touch $@ -.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV) +.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV) cd $(PKG) && make @touch $@ diff --git a/testing/scripts/recipes/011_botan.mk b/testing/scripts/recipes/011_botan.mk index ef0f6d066..215e92365 100644 --- a/testing/scripts/recipes/011_botan.mk +++ b/testing/scripts/recipes/011_botan.mk 
@@ -2,8 +2,7 @@ PKG = botan SRC = https://github.com/randombit/$(PKG).git -# will have to be changed to the 2.8.0 tag later -REV = 1872f899716854927ecc68022fac318735be8824 +REV = 2.8.0 NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN) @@ -15,14 +14,15 @@ CONFIG_OPTS = \ all: install -$(PKG): - git clone $(SRC) $(PKG) +.$(PKG)-cloned: + [ -d $(PKG) ] || git clone $(SRC) $(PKG) + @touch $@ -.$(PKG)-cloned-$(REV): $(PKG) +.$(PKG)-checkout-$(REV): .$(PKG)-cloned cd $(PKG) && git fetch && git checkout $(REV) @touch $@ -.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV) +.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV) cd $(PKG) && python ./configure.py $(CONFIG_OPTS) && make -j $(NUM_CPUS) @touch $@ diff --git a/testing/scripts/recipes/patches/freeradius-eap-sim-identity b/testing/scripts/recipes/patches/freeradius-eap-sim-identity deleted file mode 100644 index 1ab95ecc6..000000000 --- a/testing/scripts/recipes/patches/freeradius-eap-sim-identity +++ /dev/null 
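Review bot: `REV = 2.8.0` replaces a full commit hash with a tag name, and `git checkout $(REV)` in the second hunk does nothing to confirm that the tag still points where it did when this recipe was written; unlike a hash, a tag can be moved upstream, so the build is no longer pinned to a specific tree. Keeping the tag's commit hash in `REV` with the tag named in a comment, or running `git verify-tag $(REV)` before the checkout if upstream signs its release tags, restores that pin. The removed comment already planned the switch to the tag, so the question is how the checkout is pinned, not whether it moves to the release.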
@@ -1,30 +0,0 @@ ---- a/src/modules/rlm_eap/types/rlm_eap_sim/rlm_eap_sim.c 2012-11-28 11:03:05.081225276 +0100 -+++ b/src/modules/rlm_eap/types/rlm_eap_sim/rlm_eap_sim.c 2012-11-28 11:46:59.746289881 +0100 -@@ -246,14 +246,21 @@ - newvp->vp_integer = ess->sim_id++; - pairreplace(outvps, newvp); - -+ ess->keys.identitylen = strlen(handler->identity); -+ memcpy(ess->keys.identity, handler->identity, ess->keys.identitylen); -+ - /* make a copy of the identity */ - newvp = pairfind(*invps, ATTRIBUTE_EAP_SIM_BASE + PW_EAP_SIM_IDENTITY); -- if (newvp) { -- ess->keys.identitylen = newvp->length; -- memcpy(ess->keys.identity, newvp->vp_octets, newvp->length); -- } else { -- ess->keys.identitylen = strlen(handler->identity); -- memcpy(ess->keys.identity, handler->identity, ess->keys.identitylen); -+ if (newvp && newvp->length > 2) { -+ uint16_t len; -+ -+ memcpy(&len, newvp->vp_octets, sizeof(uint16_t)); -+ len = ntohs(len); -+ if (len <= newvp->length - 2 && len <= MAX_STRING_LEN) { -+ ess->keys.identitylen = len; -+ memcpy(ess->keys.identity, newvp->vp_octets + 2, -+ ess->keys.identitylen); -+ } - } - - /* all set, calculate keys! */ diff --git a/testing/scripts/recipes/patches/freeradius-tnc-fhh b/testing/scripts/recipes/patches/freeradius-tnc-fhh deleted file mode 100644 index 26a233d48..000000000 --- a/testing/scripts/recipes/patches/freeradius-tnc-fhh +++ /dev/null 
@@ -1,6687 +0,0 @@ -diff -u -r -N freeradius-server-2.2.0.orig/share/dictionary freeradius-server-2.2.0/share/dictionary ---- freeradius-server-2.2.0.orig/share/dictionary 2012-09-10 13:51:34.000000000 +0200 -+++ freeradius-server-2.2.0/share/dictionary 2012-12-04 19:39:42.261423097 +0100 -@@ -196,6 +196,7 @@ - $INCLUDE dictionary.starent - $INCLUDE dictionary.symbol - $INCLUDE dictionary.telebit -+$INCLUDE dictionary.tncfhh - $INCLUDE dictionary.terena - $INCLUDE dictionary.trapeze - $INCLUDE dictionary.tropos -diff -u -r -N freeradius-server-2.2.0.orig/share/dictionary.tncfhh freeradius-server-2.2.0/share/dictionary.tncfhh ---- freeradius-server-2.2.0.orig/share/dictionary.tncfhh 1970-01-01 01:00:00.000000000 +0100 -+++ freeradius-server-2.2.0/share/dictionary.tncfhh 2012-12-04 19:39:49.645421869 +0100 -@@ -0,0 +1,20 @@ -+# -*- text -*- -+# Dictionary for the tnc@fhh Server. -+# -+# Website: http://trust.inform.fh-hannover.de -+# -+# Version: 0.8.4 -+# Author: Bastian Hellmann -+# Email: trust@f4-i.fh-hannover.de -+# -+ -+VENDOR tncfhh 10000 -+BEGIN-VENDOR tncfhh -+ -+ATTRIBUTE TNC-Status 1 integer -+ -+VALUE TNC-Status Access 0 -+VALUE TNC-Status Isolate 1 -+VALUE TNC-Status None 2 -+ -+END-VENDOR tncfhh -diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure ---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure 2012-09-10 13:51:34.000000000 +0200 -+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure 2012-12-04 19:38:00.237420970 +0100 -@@ -1,61 +1,84 @@ - #! /bin/sh - # From configure.in Revision. - # Guess values for system-dependent variables and create Makefiles. --# Generated by GNU Autoconf 2.61. -+# Generated by GNU Autoconf 2.67. -+# - # - # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, --# 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc. 
-+# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software -+# Foundation, Inc. -+# -+# - # This configure script is free software; the Free Software Foundation - # gives unlimited permission to copy, distribute and modify it. --## --------------------- ## --## M4sh Initialization. ## --## --------------------- ## -+## -------------------- ## -+## M4sh Initialization. ## -+## -------------------- ## - - # Be more Bourne compatible - DUALCASE=1; export DUALCASE # for MKS sh --if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then -+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : - emulate sh - NULLCMD=: -- # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which -+ # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which - # is contrary to our usage. Disable this feature. - alias -g '${1+"$@"}'='"$@"' - setopt NO_GLOB_SUBST - else -- case `(set -o) 2>/dev/null` in -- *posix*) set -o posix ;; -+ case `(set -o) 2>/dev/null` in #( -+ *posix*) : -+ set -o posix ;; #( -+ *) : -+ ;; - esac -- - fi - - -- -- --# PATH needs CR --# Avoid depending upon Character Ranges. --as_cr_letters='abcdefghijklmnopqrstuvwxyz' --as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' --as_cr_Letters=$as_cr_letters$as_cr_LETTERS --as_cr_digits='0123456789' --as_cr_alnum=$as_cr_Letters$as_cr_digits -- --# The user is always right. --if test "${PATH_SEPARATOR+set}" != set; then -- echo "#! /bin/sh" >conf$$.sh -- echo "exit 0" >>conf$$.sh -- chmod +x conf$$.sh -- if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then -- PATH_SEPARATOR=';' -+as_nl=' -+' -+export as_nl -+# Printing a long string crashes Solaris 7 /usr/bin/printf. 
-+as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' -+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo -+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo -+# Prefer a ksh shell builtin over an external printf program on Solaris, -+# but without wasting forks for bash or zsh. -+if test -z "$BASH_VERSION$ZSH_VERSION" \ -+ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then -+ as_echo='print -r --' -+ as_echo_n='print -rn --' -+elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then -+ as_echo='printf %s\n' -+ as_echo_n='printf %s' -+else -+ if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then -+ as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' -+ as_echo_n='/usr/ucb/echo -n' - else -- PATH_SEPARATOR=: -+ as_echo_body='eval expr "X$1" : "X\\(.*\\)"' -+ as_echo_n_body='eval -+ arg=$1; -+ case $arg in #( -+ *"$as_nl"*) -+ expr "X$arg" : "X\\(.*\\)$as_nl"; -+ arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; -+ esac; -+ expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" -+ ' -+ export as_echo_n_body -+ as_echo_n='sh -c $as_echo_n_body as_echo' - fi -- rm -f conf$$.sh -+ export as_echo_body -+ as_echo='sh -c $as_echo_body as_echo' - fi - --# Support unset when possible. --if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then -- as_unset=unset --else -- as_unset=false -+# The user is always right. -+if test "${PATH_SEPARATOR+set}" != set; then -+ PATH_SEPARATOR=: -+ (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { -+ (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || -+ PATH_SEPARATOR=';' -+ } - fi - - -@@ -64,20 +87,18 @@ - # there to prevent editors from complaining about space-tab. - # (If _AS_PATH_WALK were called with IFS unset, it would disable word - # splitting by setting IFS to empty value.) --as_nl=' --' - IFS=" "" $as_nl" - - # Find who we are. Look in the path if we contain no directory separator. 
--case $0 in -+case $0 in #(( - *[\\/]* ) as_myself=$0 ;; - *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR - for as_dir in $PATH - do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. -- test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break --done -+ test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break -+ done - IFS=$as_save_IFS - - ;; -@@ -88,354 +109,321 @@ - as_myself=$0 - fi - if test ! -f "$as_myself"; then -- echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 -- { (exit 1); exit 1; } -+ $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 -+ exit 1 - fi - --# Work around bugs in pre-3.0 UWIN ksh. --for as_var in ENV MAIL MAILPATH --do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var -+# Unset variables that we do not need and which cause bugs (e.g. in -+# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" -+# suppresses any "Segmentation fault" message there. '((' could -+# trigger a bug in pdksh 5.2.14. -+for as_var in BASH_ENV ENV MAIL MAILPATH -+do eval test x\${$as_var+set} = xset \ -+ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : - done - PS1='$ ' - PS2='> ' - PS4='+ ' - - # NLS nuisances. --for as_var in \ -- LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \ -- LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \ -- LC_TELEPHONE LC_TIME --do -- if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then -- eval $as_var=C; export $as_var -- else -- ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var -- fi --done -- --# Required to use basename. --if expr a : '\(a\)' >/dev/null 2>&1 && -- test "X`expr 00001 : '.*\(...\)'`" = X001; then -- as_expr=expr --else -- as_expr=false --fi -- --if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then -- as_basename=basename --else -- as_basename=false --fi -- -- --# Name of the executable. 
--as_me=`$as_basename -- "$0" || --$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ -- X"$0" : 'X\(//\)$' \| \ -- X"$0" : 'X\(/\)' \| . 2>/dev/null || --echo X/"$0" | -- sed '/^.*\/\([^/][^/]*\)\/*$/{ -- s//\1/ -- q -- } -- /^X\/\(\/\/\)$/{ -- s//\1/ -- q -- } -- /^X\/\(\/\).*/{ -- s//\1/ -- q -- } -- s/.*/./; q'` -+LC_ALL=C -+export LC_ALL -+LANGUAGE=C -+export LANGUAGE - - # CDPATH. --$as_unset CDPATH -- -+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH - - if test "x$CONFIG_SHELL" = x; then -- if (eval ":") 2>/dev/null; then -- as_have_required=yes -+ as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : -+ emulate sh -+ NULLCMD=: -+ # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which -+ # is contrary to our usage. Disable this feature. -+ alias -g '\${1+\"\$@\"}'='\"\$@\"' -+ setopt NO_GLOB_SUBST - else -- as_have_required=no -+ case \`(set -o) 2>/dev/null\` in #( -+ *posix*) : -+ set -o posix ;; #( -+ *) : -+ ;; -+esac - fi -- -- if test $as_have_required = yes && (eval ": --(as_func_return () { -- (exit \$1) --} --as_func_success () { -- as_func_return 0 --} --as_func_failure () { -- as_func_return 1 --} --as_func_ret_success () { -- return 0 --} --as_func_ret_failure () { -- return 1 --} -+" -+ as_required="as_fn_return () { (exit \$1); } -+as_fn_success () { as_fn_return 0; } -+as_fn_failure () { as_fn_return 1; } -+as_fn_ret_success () { return 0; } -+as_fn_ret_failure () { return 1; } - - exitcode=0 --if as_func_success; then -- : --else -- exitcode=1 -- echo as_func_success failed. --fi -- --if as_func_failure; then -- exitcode=1 -- echo as_func_failure succeeded. --fi -- --if as_func_ret_success; then -- : --else -- exitcode=1 -- echo as_func_ret_success failed. --fi -- --if as_func_ret_failure; then -- exitcode=1 -- echo as_func_ret_failure succeeded. 
--fi -- --if ( set x; as_func_ret_success y && test x = \"\$1\" ); then -- : -+as_fn_success || { exitcode=1; echo as_fn_success failed.; } -+as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; } -+as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; } -+as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; } -+if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then : -+ -+else -+ exitcode=1; echo positional parameters were not saved. -+fi -+test x\$exitcode = x0 || exit 1" -+ as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO -+ as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO -+ eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && -+ test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1 -+test \$(( 1 + 1 )) = 2 || exit 1" -+ if (eval "$as_required") 2>/dev/null; then : -+ as_have_required=yes - else -- exitcode=1 -- echo positional parameters were not saved. -+ as_have_required=no - fi -+ if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then : - --test \$exitcode = 0) || { (exit 1); exit 1; } -- --( -- as_lineno_1=\$LINENO -- as_lineno_2=\$LINENO -- test \"x\$as_lineno_1\" != \"x\$as_lineno_2\" && -- test \"x\`expr \$as_lineno_1 + 1\`\" = \"x\$as_lineno_2\") || { (exit 1); exit 1; } --") 2> /dev/null; then -- : - else -- as_candidate_shells= -- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -+as_found=false - for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH - do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. -- case $as_dir in -+ as_found=: -+ case $as_dir in #( - /*) - for as_base in sh bash ksh sh5; do -- as_candidate_shells="$as_candidate_shells $as_dir/$as_base" -+ # Try only shells that exist, to save several forks. 
-+ as_shell=$as_dir/$as_base -+ if { test -f "$as_shell" || test -f "$as_shell.exe"; } && -+ { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then : -+ CONFIG_SHELL=$as_shell as_have_required=yes -+ if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then : -+ break 2 -+fi -+fi - done;; - esac -+ as_found=false - done -+$as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } && -+ { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then : -+ CONFIG_SHELL=$SHELL as_have_required=yes -+fi; } - IFS=$as_save_IFS - - -- for as_shell in $as_candidate_shells $SHELL; do -- # Try only shells that exist, to save several forks. -- if { test -f "$as_shell" || test -f "$as_shell.exe"; } && -- { ("$as_shell") 2> /dev/null <<\_ASEOF --if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then -- emulate sh -- NULLCMD=: -- # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which -- # is contrary to our usage. Disable this feature. -- alias -g '${1+"$@"}'='"$@"' -- setopt NO_GLOB_SUBST --else -- case `(set -o) 2>/dev/null` in -- *posix*) set -o posix ;; --esac -- -+ if test "x$CONFIG_SHELL" != x; then : -+ # We cannot yet assume a decent shell, so we have to provide a -+ # neutralization value for shells without unset; and this also -+ # works around shells that cannot unset nonexistent variables. -+ BASH_ENV=/dev/null -+ ENV=/dev/null -+ (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV -+ export CONFIG_SHELL -+ exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"} -+fi -+ -+ if test x$as_have_required = xno; then : -+ $as_echo "$0: This script requires a shell more modern than all" -+ $as_echo "$0: the shells that I found on your system." -+ if test x${ZSH_VERSION+set} = xset ; then -+ $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should" -+ $as_echo "$0: be upgraded to zsh 4.3.4 or later." 
-+ else -+ $as_echo "$0: Please tell bug-autoconf@gnu.org about your system, -+$0: including any error possibly output before this -+$0: message. Then install a modern shell, or manually run -+$0: the script under such a shell if you do have one." -+ fi -+ exit 1 - fi -- -- --: --_ASEOF --}; then -- CONFIG_SHELL=$as_shell -- as_have_required=yes -- if { "$as_shell" 2> /dev/null <<\_ASEOF --if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then -- emulate sh -- NULLCMD=: -- # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which -- # is contrary to our usage. Disable this feature. -- alias -g '${1+"$@"}'='"$@"' -- setopt NO_GLOB_SUBST --else -- case `(set -o) 2>/dev/null` in -- *posix*) set -o posix ;; --esac -- - fi -+fi -+SHELL=${CONFIG_SHELL-/bin/sh} -+export SHELL -+# Unset more variables known to interfere with behavior of common tools. -+CLICOLOR_FORCE= GREP_OPTIONS= -+unset CLICOLOR_FORCE GREP_OPTIONS - -- --: --(as_func_return () { -- (exit $1) --} --as_func_success () { -- as_func_return 0 --} --as_func_failure () { -- as_func_return 1 --} --as_func_ret_success () { -- return 0 --} --as_func_ret_failure () { -- return 1 -+## --------------------- ## -+## M4sh Shell Functions. ## -+## --------------------- ## -+# as_fn_unset VAR -+# --------------- -+# Portably unset VAR. -+as_fn_unset () -+{ -+ { eval $1=; unset $1;} - } -+as_unset=as_fn_unset - --exitcode=0 --if as_func_success; then -- : --else -- exitcode=1 -- echo as_func_success failed. --fi -+# as_fn_set_status STATUS -+# ----------------------- -+# Set $? to STATUS, without forking. -+as_fn_set_status () -+{ -+ return $1 -+} # as_fn_set_status - --if as_func_failure; then -- exitcode=1 -- echo as_func_failure succeeded. --fi -+# as_fn_exit STATUS -+# ----------------- -+# Exit the shell with STATUS, even in a "trap 0" or "set -e" context. 
-+as_fn_exit () -+{ -+ set +e -+ as_fn_set_status $1 -+ exit $1 -+} # as_fn_exit -+ -+# as_fn_mkdir_p -+# ------------- -+# Create "$as_dir" as a directory, including parents if necessary. -+as_fn_mkdir_p () -+{ - --if as_func_ret_success; then -- : --else -- exitcode=1 -- echo as_func_ret_success failed. --fi -+ case $as_dir in #( -+ -*) as_dir=./$as_dir;; -+ esac -+ test -d "$as_dir" || eval $as_mkdir_p || { -+ as_dirs= -+ while :; do -+ case $as_dir in #( -+ *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( -+ *) as_qdir=$as_dir;; -+ esac -+ as_dirs="'$as_qdir' $as_dirs" -+ as_dir=`$as_dirname -- "$as_dir" || -+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ -+ X"$as_dir" : 'X\(//\)[^/]' \| \ -+ X"$as_dir" : 'X\(//\)$' \| \ -+ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || -+$as_echo X"$as_dir" | -+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ -+ s//\1/ -+ q -+ } -+ /^X\(\/\/\)[^/].*/{ -+ s//\1/ -+ q -+ } -+ /^X\(\/\/\)$/{ -+ s//\1/ -+ q -+ } -+ /^X\(\/\).*/{ -+ s//\1/ -+ q -+ } -+ s/.*/./; q'` -+ test -d "$as_dir" && break -+ done -+ test -z "$as_dirs" || eval "mkdir $as_dirs" -+ } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" - --if as_func_ret_failure; then -- exitcode=1 -- echo as_func_ret_failure succeeded. --fi - --if ( set x; as_func_ret_success y && test x = "$1" ); then -- : -+} # as_fn_mkdir_p -+# as_fn_append VAR VALUE -+# ---------------------- -+# Append the text in VALUE to the end of the definition contained in VAR. Take -+# advantage of any shell optimizations that allow amortized linear growth over -+# repeated appends, instead of the typical quadratic growth present in naive -+# implementations. -+if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : -+ eval 'as_fn_append () -+ { -+ eval $1+=\$2 -+ }' - else -- exitcode=1 -- echo positional parameters were not saved. 
--fi -- --test $exitcode = 0) || { (exit 1); exit 1; } -- --( -- as_lineno_1=$LINENO -- as_lineno_2=$LINENO -- test "x$as_lineno_1" != "x$as_lineno_2" && -- test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2") || { (exit 1); exit 1; } -- --_ASEOF --}; then -- break --fi -- --fi -- -- done -- -- if test "x$CONFIG_SHELL" != x; then -- for as_var in BASH_ENV ENV -- do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var -- done -- export CONFIG_SHELL -- exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"} --fi -- -- -- if test $as_have_required = no; then -- echo This script requires a shell more modern than all the -- echo shells that I found on your system. Please install a -- echo modern shell, or manually run the script under such a -- echo shell if you do have one. -- { (exit 1); exit 1; } --fi -- -- --fi -- --fi -- -+ as_fn_append () -+ { -+ eval $1=\$$1\$2 -+ } -+fi # as_fn_append -+ -+# as_fn_arith ARG... -+# ------------------ -+# Perform arithmetic evaluation on the ARGs, and store the result in the -+# global $as_val. Take advantage of shells that can avoid forks. The arguments -+# must be portable across $(()) and expr. -+if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : -+ eval 'as_fn_arith () -+ { -+ as_val=$(( $* )) -+ }' -+else -+ as_fn_arith () -+ { -+ as_val=`expr "$@" || test $? -eq 1` -+ } -+fi # as_fn_arith - - --(eval "as_func_return () { -- (exit \$1) --} --as_func_success () { -- as_func_return 0 --} --as_func_failure () { -- as_func_return 1 --} --as_func_ret_success () { -- return 0 --} --as_func_ret_failure () { -- return 1 --} -+# as_fn_error STATUS ERROR [LINENO LOG_FD] -+# ---------------------------------------- -+# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are -+# provided, also output the error to LOG_FD, referencing LINENO. Then exit the -+# script with STATUS, using 1 if that was 0. 
-+as_fn_error () -+{ -+ as_status=$1; test $as_status -eq 0 && as_status=1 -+ if test "$4"; then -+ as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack -+ $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 -+ fi -+ $as_echo "$as_me: error: $2" >&2 -+ as_fn_exit $as_status -+} # as_fn_error - --exitcode=0 --if as_func_success; then -- : -+if expr a : '\(a\)' >/dev/null 2>&1 && -+ test "X`expr 00001 : '.*\(...\)'`" = X001; then -+ as_expr=expr - else -- exitcode=1 -- echo as_func_success failed. --fi -- --if as_func_failure; then -- exitcode=1 -- echo as_func_failure succeeded. -+ as_expr=false - fi - --if as_func_ret_success; then -- : -+if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then -+ as_basename=basename - else -- exitcode=1 -- echo as_func_ret_success failed. --fi -- --if as_func_ret_failure; then -- exitcode=1 -- echo as_func_ret_failure succeeded. -+ as_basename=false - fi - --if ( set x; as_func_ret_success y && test x = \"\$1\" ); then -- : -+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then -+ as_dirname=dirname - else -- exitcode=1 -- echo positional parameters were not saved. -+ as_dirname=false - fi - --test \$exitcode = 0") || { -- echo No shell found that supports shell functions. -- echo Please tell autoconf@gnu.org about your system, -- echo including any error possibly output before this -- echo message --} -+as_me=`$as_basename -- "$0" || -+$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ -+ X"$0" : 'X\(//\)$' \| \ -+ X"$0" : 'X\(/\)' \| . 2>/dev/null || -+$as_echo X/"$0" | -+ sed '/^.*\/\([^/][^/]*\)\/*$/{ -+ s//\1/ -+ q -+ } -+ /^X\/\(\/\/\)$/{ -+ s//\1/ -+ q -+ } -+ /^X\/\(\/\).*/{ -+ s//\1/ -+ q -+ } -+ s/.*/./; q'` - -+# Avoid depending upon Character Ranges. 
-+as_cr_letters='abcdefghijklmnopqrstuvwxyz' -+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' -+as_cr_Letters=$as_cr_letters$as_cr_LETTERS -+as_cr_digits='0123456789' -+as_cr_alnum=$as_cr_Letters$as_cr_digits - - -- as_lineno_1=$LINENO -- as_lineno_2=$LINENO -- test "x$as_lineno_1" != "x$as_lineno_2" && -- test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || { -- -- # Create $as_me.lineno as a copy of $as_myself, but with $LINENO -- # uniformly replaced by the line number. The first 'sed' inserts a -- # line-number line after each line using $LINENO; the second 'sed' -- # does the real work. The second script uses 'N' to pair each -- # line-number line with the line containing $LINENO, and appends -- # trailing '-' during substitution so that $LINENO is not a special -- # case at line end. -- # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the -- # scripts with optimization help from Paolo Bonzini. Blame Lee -- # E. McMahon (1931-1989) for sed's syntax. :-) -+ as_lineno_1=$LINENO as_lineno_1a=$LINENO -+ as_lineno_2=$LINENO as_lineno_2a=$LINENO -+ eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" && -+ test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || { -+ # Blame Lee E. McMahon (1931-1989) for sed's syntax. 
:-) - sed -n ' - p - /[$]LINENO/= -@@ -452,8 +440,7 @@ - s/-\n.*// - ' >$as_me.lineno && - chmod +x "$as_me.lineno" || -- { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2 -- { (exit 1); exit 1; }; } -+ { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } - - # Don't try to exec as it changes $[0], causing all sort of problems - # (the dirname of $[0] is not the place where we might find the -@@ -463,49 +450,40 @@ - exit - } - -- --if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then -- as_dirname=dirname --else -- as_dirname=false --fi -- - ECHO_C= ECHO_N= ECHO_T= --case `echo -n x` in -+case `echo -n x` in #((((( - -n*) -- case `echo 'x\c'` in -+ case `echo 'xy\c'` in - *c*) ECHO_T=' ';; # ECHO_T is single tab character. -- *) ECHO_C='\c';; -+ xy) ECHO_C='\c';; -+ *) echo `echo ksh88 bug on AIX 6.1` > /dev/null -+ ECHO_T=' ';; - esac;; - *) - ECHO_N='-n';; - esac - --if expr a : '\(a\)' >/dev/null 2>&1 && -- test "X`expr 00001 : '.*\(...\)'`" = X001; then -- as_expr=expr --else -- as_expr=false --fi -- - rm -f conf$$ conf$$.exe conf$$.file - if test -d conf$$.dir; then - rm -f conf$$.dir/conf$$.file - else - rm -f conf$$.dir -- mkdir conf$$.dir -+ mkdir conf$$.dir 2>/dev/null - fi --echo >conf$$.file --if ln -s conf$$.file conf$$ 2>/dev/null; then -- as_ln_s='ln -s' -- # ... but there are two gotchas: -- # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. -- # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. -- # In both cases, we have to default to `cp -p'. -- ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || -+if (echo >conf$$.file) 2>/dev/null; then -+ if ln -s conf$$.file conf$$ 2>/dev/null; then -+ as_ln_s='ln -s' -+ # ... but there are two gotchas: -+ # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. -+ # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. 
-+ # In both cases, we have to default to `cp -p'. -+ ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || -+ as_ln_s='cp -p' -+ elif ln conf$$.file conf$$ 2>/dev/null; then -+ as_ln_s=ln -+ else - as_ln_s='cp -p' --elif ln conf$$.file conf$$ 2>/dev/null; then -- as_ln_s=ln -+ fi - else - as_ln_s='cp -p' - fi -@@ -513,7 +491,7 @@ - rmdir conf$$.dir 2>/dev/null - - if mkdir -p . 2>/dev/null; then -- as_mkdir_p=: -+ as_mkdir_p='mkdir -p "$as_dir"' - else - test -d ./-p && rmdir ./-p - as_mkdir_p=false -@@ -530,12 +508,12 @@ - as_test_x=' - eval sh -c '\'' - if test -d "$1"; then -- test -d "$1/."; -+ test -d "$1/."; - else -- case $1 in -- -*)set "./$1";; -+ case $1 in #( -+ -*)set "./$1";; - esac; -- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in -+ case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( - ???[sx]*):;;*)false;;esac;fi - '\'' sh - ' -@@ -549,11 +527,11 @@ - as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" - - -- --exec 7<&0 &1 -+test -n "$DJDIR" || exec 7<&0 &1 - - # Name of the host. --# hostname on some systems (SVR3.2, Linux) returns a bogus exit status, -+# hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status, - # so uname gets run too. - ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q` - -@@ -568,7 +546,6 @@ - subdirs= - MFLAGS= - MAKEFLAGS= --SHELL=${CONFIG_SHELL-/bin/sh} - - # Identity of this package. 
- PACKAGE_NAME= -@@ -576,58 +553,102 @@ - PACKAGE_VERSION= - PACKAGE_STRING= - PACKAGE_BUGREPORT= -+PACKAGE_URL= - - ac_unique_file="rlm_eap_tnc.c" --ac_subst_vars='SHELL --PATH_SEPARATOR --PACKAGE_NAME --PACKAGE_TARNAME --PACKAGE_VERSION --PACKAGE_STRING --PACKAGE_BUGREPORT --exec_prefix --prefix --program_transform_name --bindir --sbindir --libexecdir --datarootdir --datadir --sysconfdir --sharedstatedir --localstatedir --includedir --oldincludedir --docdir --infodir --htmldir --dvidir --pdfdir --psdir --libdir --localedir --mandir --DEFS --ECHO_C --ECHO_N --ECHO_T --LIBS --build_alias --host_alias --target_alias --CC --CFLAGS --LDFLAGS --CPPFLAGS --ac_ct_CC --EXEEXT --OBJEXT --eap_tnc_cflags --eap_tnc_ldflags --targetname -+# Factoring default headers for most tests. -+ac_includes_default="\ -+#include -+#ifdef HAVE_SYS_TYPES_H -+# include -+#endif -+#ifdef HAVE_SYS_STAT_H -+# include -+#endif -+#ifdef STDC_HEADERS -+# include -+# include -+#else -+# ifdef HAVE_STDLIB_H -+# include -+# endif -+#endif -+#ifdef HAVE_STRING_H -+# if !defined STDC_HEADERS && defined HAVE_MEMORY_H -+# include -+# endif -+# include -+#endif -+#ifdef HAVE_STRINGS_H -+# include -+#endif -+#ifdef HAVE_INTTYPES_H -+# include -+#endif -+#ifdef HAVE_STDINT_H -+# include -+#endif -+#ifdef HAVE_UNISTD_H -+# include -+#endif" -+ -+ac_subst_vars='LTLIBOBJS - LIBOBJS --LTLIBOBJS' -+targetname -+eap_tnc_ldflags -+eap_tnc_cflags -+EGREP -+GREP -+CPP -+OBJEXT -+EXEEXT -+ac_ct_CC -+CPPFLAGS -+LDFLAGS -+CFLAGS -+CC -+target_alias -+host_alias -+build_alias -+LIBS -+ECHO_T -+ECHO_N -+ECHO_C -+DEFS -+mandir -+localedir -+libdir -+psdir -+pdfdir -+dvidir -+htmldir -+infodir -+docdir -+oldincludedir -+includedir -+localstatedir -+sharedstatedir -+sysconfdir -+datadir -+datarootdir -+libexecdir -+sbindir -+bindir -+program_transform_name -+prefix -+exec_prefix -+PACKAGE_URL -+PACKAGE_BUGREPORT -+PACKAGE_STRING -+PACKAGE_VERSION -+PACKAGE_TARNAME -+PACKAGE_NAME -+PATH_SEPARATOR -+SHELL' - ac_subst_files='' 
-+ac_user_opts=' -+enable_option_checking -+' - ac_precious_vars='build_alias - host_alias - target_alias -@@ -635,12 +656,15 @@ - CFLAGS - LDFLAGS - LIBS --CPPFLAGS' -+CPPFLAGS -+CPP' - - - # Initialize some variables set by options. - ac_init_help= - ac_init_version=false -+ac_unrecognized_opts= -+ac_unrecognized_sep= - # The variables have the same names as the options, with - # dashes changed to underlines. - cache_file=/dev/null -@@ -696,8 +720,9 @@ - fi - - case $ac_option in -- *=*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; -- *) ac_optarg=yes ;; -+ *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; -+ *=) ac_optarg= ;; -+ *) ac_optarg=yes ;; - esac - - # Accept the important Cygnus configure options, so we can diagnose typos. -@@ -739,13 +764,20 @@ - datarootdir=$ac_optarg ;; - - -disable-* | --disable-*) -- ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'` -+ ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` - # Reject names that are not valid shell variable names. -- expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null && -- { echo "$as_me: error: invalid feature name: $ac_feature" >&2 -- { (exit 1); exit 1; }; } -- ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'` -- eval enable_$ac_feature=no ;; -+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && -+ as_fn_error $? 
"invalid feature name: $ac_useropt" -+ ac_useropt_orig=$ac_useropt -+ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` -+ case $ac_user_opts in -+ *" -+"enable_$ac_useropt" -+"*) ;; -+ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig" -+ ac_unrecognized_sep=', ';; -+ esac -+ eval enable_$ac_useropt=no ;; - - -docdir | --docdir | --docdi | --doc | --do) - ac_prev=docdir ;; -@@ -758,13 +790,20 @@ - dvidir=$ac_optarg ;; - - -enable-* | --enable-*) -- ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` -+ ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` - # Reject names that are not valid shell variable names. -- expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null && -- { echo "$as_me: error: invalid feature name: $ac_feature" >&2 -- { (exit 1); exit 1; }; } -- ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'` -- eval enable_$ac_feature=\$ac_optarg ;; -+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && -+ as_fn_error $? "invalid feature name: $ac_useropt" -+ ac_useropt_orig=$ac_useropt -+ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` -+ case $ac_user_opts in -+ *" -+"enable_$ac_useropt" -+"*) ;; -+ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig" -+ ac_unrecognized_sep=', ';; -+ esac -+ eval enable_$ac_useropt=\$ac_optarg ;; - - -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ - | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ -@@ -955,22 +994,36 @@ - ac_init_version=: ;; - - -with-* | --with-*) -- ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` -+ ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` - # Reject names that are not valid shell variable names. 
-- expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null && -- { echo "$as_me: error: invalid package name: $ac_package" >&2 -- { (exit 1); exit 1; }; } -- ac_package=`echo $ac_package | sed 's/[-.]/_/g'` -- eval with_$ac_package=\$ac_optarg ;; -+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && -+ as_fn_error $? "invalid package name: $ac_useropt" -+ ac_useropt_orig=$ac_useropt -+ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` -+ case $ac_user_opts in -+ *" -+"with_$ac_useropt" -+"*) ;; -+ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig" -+ ac_unrecognized_sep=', ';; -+ esac -+ eval with_$ac_useropt=\$ac_optarg ;; - - -without-* | --without-*) -- ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'` -+ ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` - # Reject names that are not valid shell variable names. -- expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null && -- { echo "$as_me: error: invalid package name: $ac_package" >&2 -- { (exit 1); exit 1; }; } -- ac_package=`echo $ac_package | sed 's/[-.]/_/g'` -- eval with_$ac_package=no ;; -+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && -+ as_fn_error $? "invalid package name: $ac_useropt" -+ ac_useropt_orig=$ac_useropt -+ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` -+ case $ac_user_opts in -+ *" -+"with_$ac_useropt" -+"*) ;; -+ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig" -+ ac_unrecognized_sep=', ';; -+ esac -+ eval with_$ac_useropt=no ;; - - --x) - # Obsolete; use --with-x. -@@ -990,25 +1043,25 @@ - | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) - x_libraries=$ac_optarg ;; - -- -*) { echo "$as_me: error: unrecognized option: $ac_option --Try \`$0 --help' for more information." >&2 -- { (exit 1); exit 1; }; } -+ -*) as_fn_error $? 
"unrecognized option: \`$ac_option' -+Try \`$0 --help' for more information" - ;; - - *=*) - ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` - # Reject names that are not valid shell variable names. -- expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null && -- { echo "$as_me: error: invalid variable name: $ac_envvar" >&2 -- { (exit 1); exit 1; }; } -+ case $ac_envvar in #( -+ '' | [0-9]* | *[!_$as_cr_alnum]* ) -+ as_fn_error $? "invalid variable name: \`$ac_envvar'" ;; -+ esac - eval $ac_envvar=\$ac_optarg - export $ac_envvar ;; - - *) - # FIXME: should be removed in autoconf 3.0. -- echo "$as_me: WARNING: you should use --build, --host, --target" >&2 -+ $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2 - expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && -- echo "$as_me: WARNING: invalid host type: $ac_option" >&2 -+ $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2 - : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option} - ;; - -@@ -1017,23 +1070,36 @@ - - if test -n "$ac_prev"; then - ac_option=--`echo $ac_prev | sed 's/_/-/g'` -- { echo "$as_me: error: missing argument to $ac_option" >&2 -- { (exit 1); exit 1; }; } -+ as_fn_error $? "missing argument to $ac_option" -+fi -+ -+if test -n "$ac_unrecognized_opts"; then -+ case $enable_option_checking in -+ no) ;; -+ fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;; -+ *) $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;; -+ esac - fi - --# Be sure to have absolute directory names. -+# Check all directory arguments for consistency. - for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ - datadir sysconfdir sharedstatedir localstatedir includedir \ - oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir - do - eval ac_val=\$$ac_var -+ # Remove trailing slashes. 
-+ case $ac_val in -+ */ ) -+ ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'` -+ eval $ac_var=\$ac_val;; -+ esac -+ # Be sure to have absolute directory names. - case $ac_val in - [\\/$]* | ?:[\\/]* ) continue;; - NONE | '' ) case $ac_var in *prefix ) continue;; esac;; - esac -- { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2 -- { (exit 1); exit 1; }; } -+ as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val" - done - - # There might be people who depend on the old broken behavior: `$host' -@@ -1047,8 +1113,8 @@ - if test "x$host_alias" != x; then - if test "x$build_alias" = x; then - cross_compiling=maybe -- echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host. -- If a cross compiler is detected then cross compile mode will be used." >&2 -+ $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host. -+ If a cross compiler is detected then cross compile mode will be used" >&2 - elif test "x$build_alias" != "x$host_alias"; then - cross_compiling=yes - fi -@@ -1063,23 +1129,21 @@ - ac_pwd=`pwd` && test -n "$ac_pwd" && - ac_ls_di=`ls -di .` && - ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || -- { echo "$as_me: error: Working directory cannot be determined" >&2 -- { (exit 1); exit 1; }; } -+ as_fn_error $? "working directory cannot be determined" - test "X$ac_ls_di" = "X$ac_pwd_ls_di" || -- { echo "$as_me: error: pwd does not report name of working directory" >&2 -- { (exit 1); exit 1; }; } -+ as_fn_error $? "pwd does not report name of working directory" - - - # Find the source files, if location was not specified. - if test -z "$srcdir"; then - ac_srcdir_defaulted=yes - # Try the directory containing this script, then the parent directory. -- ac_confdir=`$as_dirname -- "$0" || --$as_expr X"$0" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ -- X"$0" : 'X\(//\)[^/]' \| \ -- X"$0" : 'X\(//\)$' \| \ -- X"$0" : 'X\(/\)' \| . 
2>/dev/null || --echo X"$0" | -+ ac_confdir=`$as_dirname -- "$as_myself" || -+$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ -+ X"$as_myself" : 'X\(//\)[^/]' \| \ -+ X"$as_myself" : 'X\(//\)$' \| \ -+ X"$as_myself" : 'X\(/\)' \| . 2>/dev/null || -+$as_echo X"$as_myself" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q -@@ -1106,13 +1170,11 @@ - fi - if test ! -r "$srcdir/$ac_unique_file"; then - test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." -- { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2 -- { (exit 1); exit 1; }; } -+ as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir" - fi - ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work" - ac_abs_confdir=`( -- cd "$srcdir" && test -r "./$ac_unique_file" || { echo "$as_me: error: $ac_msg" >&2 -- { (exit 1); exit 1; }; } -+ cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg" - pwd)` - # When building in place, set srcdir=. - if test "$ac_abs_confdir" = "$ac_pwd"; then -@@ -1152,7 +1214,7 @@ - --help=short display options specific to this package - --help=recursive display the short help of all the included packages - -V, --version display version information and exit -- -q, --quiet, --silent do not print \`checking...' messages -+ -q, --quiet, --silent do not print \`checking ...' messages - --cache-file=FILE cache test results in FILE [disabled] - -C, --config-cache alias for \`--cache-file=config.cache' - -n, --no-create do not create output files -@@ -1160,9 +1222,9 @@ - - Installation directories: - --prefix=PREFIX install architecture-independent files in PREFIX -- [$ac_default_prefix] -+ [$ac_default_prefix] - --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX -- [PREFIX] -+ [PREFIX] - - By default, \`make install' will install all the files in - \`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify -@@ -1172,25 +1234,25 @@ - For better control, use the options below. 
- - Fine tuning of the installation directories: -- --bindir=DIR user executables [EPREFIX/bin] -- --sbindir=DIR system admin executables [EPREFIX/sbin] -- --libexecdir=DIR program executables [EPREFIX/libexec] -- --sysconfdir=DIR read-only single-machine data [PREFIX/etc] -- --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] -- --localstatedir=DIR modifiable single-machine data [PREFIX/var] -- --libdir=DIR object code libraries [EPREFIX/lib] -- --includedir=DIR C header files [PREFIX/include] -- --oldincludedir=DIR C header files for non-gcc [/usr/include] -- --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] -- --datadir=DIR read-only architecture-independent data [DATAROOTDIR] -- --infodir=DIR info documentation [DATAROOTDIR/info] -- --localedir=DIR locale-dependent data [DATAROOTDIR/locale] -- --mandir=DIR man documentation [DATAROOTDIR/man] -- --docdir=DIR documentation root [DATAROOTDIR/doc/PACKAGE] -- --htmldir=DIR html documentation [DOCDIR] -- --dvidir=DIR dvi documentation [DOCDIR] -- --pdfdir=DIR pdf documentation [DOCDIR] -- --psdir=DIR ps documentation [DOCDIR] -+ --bindir=DIR user executables [EPREFIX/bin] -+ --sbindir=DIR system admin executables [EPREFIX/sbin] -+ --libexecdir=DIR program executables [EPREFIX/libexec] -+ --sysconfdir=DIR read-only single-machine data [PREFIX/etc] -+ --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] -+ --localstatedir=DIR modifiable single-machine data [PREFIX/var] -+ --libdir=DIR object code libraries [EPREFIX/lib] -+ --includedir=DIR C header files [PREFIX/include] -+ --oldincludedir=DIR C header files for non-gcc [/usr/include] -+ --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] -+ --datadir=DIR read-only architecture-independent data [DATAROOTDIR] -+ --infodir=DIR info documentation [DATAROOTDIR/info] -+ --localedir=DIR locale-dependent data [DATAROOTDIR/locale] -+ --mandir=DIR man documentation [DATAROOTDIR/man] -+ 
--docdir=DIR documentation root [DATAROOTDIR/doc/PACKAGE] -+ --htmldir=DIR html documentation [DOCDIR] -+ --dvidir=DIR dvi documentation [DOCDIR] -+ --pdfdir=DIR pdf documentation [DOCDIR] -+ --psdir=DIR ps documentation [DOCDIR] - _ACEOF - - cat <<\_ACEOF -@@ -1207,12 +1269,14 @@ - LDFLAGS linker flags, e.g. -L if you have libraries in a - nonstandard directory - LIBS libraries to pass to the linker, e.g. -l -- CPPFLAGS C/C++/Objective C preprocessor flags, e.g. -I if -+ CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I if - you have headers in a nonstandard directory -+ CPP C preprocessor - - Use these variables to override the choices made by `configure' or to help - it to find libraries and programs with nonstandard names/locations. - -+Report bugs to the package provider. - _ACEOF - ac_status=$? - fi -@@ -1220,15 +1284,17 @@ - if test "$ac_init_help" = "recursive"; then - # If there are subdirs, report their specific --help. - for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue -- test -d "$ac_dir" || continue -+ test -d "$ac_dir" || -+ { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } || -+ continue - ac_builddir=. - - case "$ac_dir" in - .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; - *) -- ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'` -+ ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` - # A ".." for each directory in $ac_dir_suffix. -- ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'` -+ ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` - case $ac_top_builddir_sub in - "") ac_top_builddir_sub=. ac_top_build_prefix= ;; - *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; -@@ -1264,7 +1330,7 @@ - echo && - $SHELL "$ac_srcdir/configure" --help=recursive - else -- echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 -+ $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 - fi || ac_status=$? 
- cd "$ac_pwd" || { ac_status=$?; break; } - done -@@ -1274,21 +1340,305 @@ - if $ac_init_version; then - cat <<\_ACEOF - configure --generated by GNU Autoconf 2.61 -+generated by GNU Autoconf 2.67 - --Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, --2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc. -+Copyright (C) 2010 Free Software Foundation, Inc. - This configure script is free software; the Free Software Foundation - gives unlimited permission to copy, distribute and modify it. - _ACEOF - exit - fi -+ -+## ------------------------ ## -+## Autoconf initialization. ## -+## ------------------------ ## -+ -+# ac_fn_c_try_compile LINENO -+# -------------------------- -+# Try to compile conftest.$ac_ext, and return whether this succeeded. -+ac_fn_c_try_compile () -+{ -+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack -+ rm -f conftest.$ac_objext -+ if { { ac_try="$ac_compile" -+case "(($ac_try" in -+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -+ *) ac_try_echo=$ac_try;; -+esac -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 -+ (eval "$ac_compile") 2>conftest.err -+ ac_status=$? -+ if test -s conftest.err; then -+ grep -v '^ *+' conftest.err >conftest.er1 -+ cat conftest.er1 >&5 -+ mv -f conftest.er1 conftest.err -+ fi -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; } && { -+ test -z "$ac_c_werror_flag" || -+ test ! -s conftest.err -+ } && test -s conftest.$ac_objext; then : -+ ac_retval=0 -+else -+ $as_echo "$as_me: failed program was:" >&5 -+sed 's/^/| /' conftest.$ac_ext >&5 -+ -+ ac_retval=1 -+fi -+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} -+ as_fn_set_status $ac_retval -+ -+} # ac_fn_c_try_compile -+ -+# ac_fn_c_try_link LINENO -+# ----------------------- -+# Try to link conftest.$ac_ext, and return whether this succeeded. 
-+ac_fn_c_try_link () -+{ -+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack -+ rm -f conftest.$ac_objext conftest$ac_exeext -+ if { { ac_try="$ac_link" -+case "(($ac_try" in -+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -+ *) ac_try_echo=$ac_try;; -+esac -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 -+ (eval "$ac_link") 2>conftest.err -+ ac_status=$? -+ if test -s conftest.err; then -+ grep -v '^ *+' conftest.err >conftest.er1 -+ cat conftest.er1 >&5 -+ mv -f conftest.er1 conftest.err -+ fi -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; } && { -+ test -z "$ac_c_werror_flag" || -+ test ! -s conftest.err -+ } && test -s conftest$ac_exeext && { -+ test "$cross_compiling" = yes || -+ $as_test_x conftest$ac_exeext -+ }; then : -+ ac_retval=0 -+else -+ $as_echo "$as_me: failed program was:" >&5 -+sed 's/^/| /' conftest.$ac_ext >&5 -+ -+ ac_retval=1 -+fi -+ # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information -+ # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would -+ # interfere with the next link command; also delete a directory that is -+ # left behind by Apple's compiler. We do this before executing the actions. -+ rm -rf conftest.dSYM conftest_ipa8_conftest.oo -+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} -+ as_fn_set_status $ac_retval -+ -+} # ac_fn_c_try_link -+ -+# ac_fn_c_try_cpp LINENO -+# ---------------------- -+# Try to preprocess conftest.$ac_ext, and return whether this succeeded. 
-+ac_fn_c_try_cpp () -+{ -+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack -+ if { { ac_try="$ac_cpp conftest.$ac_ext" -+case "(($ac_try" in -+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -+ *) ac_try_echo=$ac_try;; -+esac -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 -+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err -+ ac_status=$? -+ if test -s conftest.err; then -+ grep -v '^ *+' conftest.err >conftest.er1 -+ cat conftest.er1 >&5 -+ mv -f conftest.er1 conftest.err -+ fi -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; } > conftest.i && { -+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || -+ test ! -s conftest.err -+ }; then : -+ ac_retval=0 -+else -+ $as_echo "$as_me: failed program was:" >&5 -+sed 's/^/| /' conftest.$ac_ext >&5 -+ -+ ac_retval=1 -+fi -+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} -+ as_fn_set_status $ac_retval -+ -+} # ac_fn_c_try_cpp -+ -+# ac_fn_c_check_header_mongrel LINENO HEADER VAR INCLUDES -+# ------------------------------------------------------- -+# Tests whether HEADER exists, giving a warning if it cannot be compiled using -+# the include files in INCLUDES and setting the cache variable VAR -+# accordingly. -+ac_fn_c_check_header_mongrel () -+{ -+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack -+ if eval "test \"\${$3+set}\"" = set; then : -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 -+$as_echo_n "checking for $2... " >&6; } -+if eval "test \"\${$3+set}\"" = set; then : -+ $as_echo_n "(cached) " >&6 -+fi -+eval ac_res=\$$3 -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -+$as_echo "$ac_res" >&6; } -+else -+ # Is the header compilable? -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 usability" >&5 -+$as_echo_n "checking $2 usability... 
" >&6; } -+cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+$4 -+#include <$2> -+_ACEOF -+if ac_fn_c_try_compile "$LINENO"; then : -+ ac_header_compiler=yes -+else -+ ac_header_compiler=no -+fi -+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_compiler" >&5 -+$as_echo "$ac_header_compiler" >&6; } -+ -+# Is the header present? -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 presence" >&5 -+$as_echo_n "checking $2 presence... " >&6; } -+cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+#include <$2> -+_ACEOF -+if ac_fn_c_try_cpp "$LINENO"; then : -+ ac_header_preproc=yes -+else -+ ac_header_preproc=no -+fi -+rm -f conftest.err conftest.i conftest.$ac_ext -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_preproc" >&5 -+$as_echo "$ac_header_preproc" >&6; } -+ -+# So? What about this header? -+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in #(( -+ yes:no: ) -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&5 -+$as_echo "$as_me: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&2;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 -+$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} -+ ;; -+ no:yes:* ) -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: present but cannot be compiled" >&5 -+$as_echo "$as_me: WARNING: $2: present but cannot be compiled" >&2;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: check for missing prerequisite headers?" >&5 -+$as_echo "$as_me: WARNING: $2: check for missing prerequisite headers?" 
>&2;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: see the Autoconf documentation" >&5 -+$as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&5 -+$as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&2;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 -+$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} -+ ;; -+esac -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 -+$as_echo_n "checking for $2... " >&6; } -+if eval "test \"\${$3+set}\"" = set; then : -+ $as_echo_n "(cached) " >&6 -+else -+ eval "$3=\$ac_header_compiler" -+fi -+eval ac_res=\$$3 -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -+$as_echo "$ac_res" >&6; } -+fi -+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} -+ -+} # ac_fn_c_check_header_mongrel -+ -+# ac_fn_c_try_run LINENO -+# ---------------------- -+# Try to link conftest.$ac_ext, and return whether this succeeded. Assumes -+# that executables *can* be run. -+ac_fn_c_try_run () -+{ -+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack -+ if { { ac_try="$ac_link" -+case "(($ac_try" in -+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -+ *) ac_try_echo=$ac_try;; -+esac -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 -+ (eval "$ac_link") 2>&5 -+ ac_status=$? -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; } && { ac_try='./conftest$ac_exeext' -+ { { case "(($ac_try" in -+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -+ *) ac_try_echo=$ac_try;; -+esac -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 -+ (eval "$ac_try") 2>&5 -+ ac_status=$? -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 -+ test $ac_status = 0; }; }; then : -+ ac_retval=0 -+else -+ $as_echo "$as_me: program exited with status $ac_status" >&5 -+ $as_echo "$as_me: failed program was:" >&5 -+sed 's/^/| /' conftest.$ac_ext >&5 -+ -+ ac_retval=$ac_status -+fi -+ rm -rf conftest.dSYM conftest_ipa8_conftest.oo -+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} -+ as_fn_set_status $ac_retval -+ -+} # ac_fn_c_try_run -+ -+# ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES -+# ------------------------------------------------------- -+# Tests whether HEADER exists and can be compiled using the include files in -+# INCLUDES, setting the cache variable VAR accordingly. -+ac_fn_c_check_header_compile () -+{ -+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 -+$as_echo_n "checking for $2... " >&6; } -+if eval "test \"\${$3+set}\"" = set; then : -+ $as_echo_n "(cached) " >&6 -+else -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+$4 -+#include <$2> -+_ACEOF -+if ac_fn_c_try_compile "$LINENO"; then : -+ eval "$3=yes" -+else -+ eval "$3=no" -+fi -+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -+fi -+eval ac_res=\$$3 -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -+$as_echo "$ac_res" >&6; } -+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} -+ -+} # ac_fn_c_check_header_compile - cat >config.log <<_ACEOF - This file contains any messages produced by compilers while - running configure, to aid debugging if configure makes a mistake. - - It was created by $as_me, which was --generated by GNU Autoconf 2.61. Invocation command line was -+generated by GNU Autoconf 2.67. Invocation command line was - - $ $0 $@ - -@@ -1324,8 +1674,8 @@ - do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. 
-- echo "PATH: $as_dir" --done -+ $as_echo "PATH: $as_dir" -+ done - IFS=$as_save_IFS - - } >&5 -@@ -1359,12 +1709,12 @@ - | -silent | --silent | --silen | --sile | --sil) - continue ;; - *\'*) -- ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; -+ ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; - esac - case $ac_pass in -- 1) ac_configure_args0="$ac_configure_args0 '$ac_arg'" ;; -+ 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;; - 2) -- ac_configure_args1="$ac_configure_args1 '$ac_arg'" -+ as_fn_append ac_configure_args1 " '$ac_arg'" - if test $ac_must_keep_next = true; then - ac_must_keep_next=false # Got value, back to normal. - else -@@ -1380,13 +1730,13 @@ - -* ) ac_must_keep_next=true ;; - esac - fi -- ac_configure_args="$ac_configure_args '$ac_arg'" -+ as_fn_append ac_configure_args " '$ac_arg'" - ;; - esac - done - done --$as_unset ac_configure_args0 || test "${ac_configure_args0+set}" != set || { ac_configure_args0=; export ac_configure_args0; } --$as_unset ac_configure_args1 || test "${ac_configure_args1+set}" != set || { ac_configure_args1=; export ac_configure_args1; } -+{ ac_configure_args0=; unset ac_configure_args0;} -+{ ac_configure_args1=; unset ac_configure_args1;} - - # When interrupted or exit'd, cleanup temporary files, and complete - # config.log. We remove comments because anyway the quotes in there -@@ -1398,11 +1748,9 @@ - { - echo - -- cat <<\_ASBOX --## ---------------- ## -+ $as_echo "## ---------------- ## - ## Cache variables. ## --## ---------------- ## --_ASBOX -+## ---------------- ##" - echo - # The following way of writing the cache mishandles newlines in values, - ( -@@ -1411,12 +1759,13 @@ - case $ac_val in #( - *${as_nl}*) - case $ac_var in #( -- *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5 --echo "$as_me: WARNING: Cache variable $ac_var contains a newline." 
>&2;} ;; -+ *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 -+$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; - esac - case $ac_var in #( - _ | IFS | as_nl) ;; #( -- *) $as_unset $ac_var ;; -+ BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( -+ *) { eval $ac_var=; unset $ac_var;} ;; - esac ;; - esac - done -@@ -1435,128 +1784,136 @@ - ) - echo - -- cat <<\_ASBOX --## ----------------- ## -+ $as_echo "## ----------------- ## - ## Output variables. ## --## ----------------- ## --_ASBOX -+## ----------------- ##" - echo - for ac_var in $ac_subst_vars - do - eval ac_val=\$$ac_var - case $ac_val in -- *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; -+ *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; - esac -- echo "$ac_var='\''$ac_val'\''" -+ $as_echo "$ac_var='\''$ac_val'\''" - done | sort - echo - - if test -n "$ac_subst_files"; then -- cat <<\_ASBOX --## ------------------- ## -+ $as_echo "## ------------------- ## - ## File substitutions. ## --## ------------------- ## --_ASBOX -+## ------------------- ##" - echo - for ac_var in $ac_subst_files - do - eval ac_val=\$$ac_var - case $ac_val in -- *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; -+ *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; - esac -- echo "$ac_var='\''$ac_val'\''" -+ $as_echo "$ac_var='\''$ac_val'\''" - done | sort - echo - fi - - if test -s confdefs.h; then -- cat <<\_ASBOX --## ----------- ## -+ $as_echo "## ----------- ## - ## confdefs.h. 
## --## ----------- ## --_ASBOX -+## ----------- ##" - echo - cat confdefs.h - echo - fi - test "$ac_signal" != 0 && -- echo "$as_me: caught signal $ac_signal" -- echo "$as_me: exit $exit_status" -+ $as_echo "$as_me: caught signal $ac_signal" -+ $as_echo "$as_me: exit $exit_status" - } >&5 - rm -f core *.core core.conftest.* && - rm -f -r conftest* confdefs* conf$$* $ac_clean_files && - exit $exit_status - ' 0 - for ac_signal in 1 2 13 15; do -- trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal -+ trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal - done - ac_signal=0 - - # confdefs.h avoids OS command line length limits that DEFS can exceed. - rm -f -r conftest* confdefs.h - -+$as_echo "/* confdefs.h */" > confdefs.h -+ - # Predefined preprocessor variables. - - cat >>confdefs.h <<_ACEOF - #define PACKAGE_NAME "$PACKAGE_NAME" - _ACEOF - -- - cat >>confdefs.h <<_ACEOF - #define PACKAGE_TARNAME "$PACKAGE_TARNAME" - _ACEOF - -- - cat >>confdefs.h <<_ACEOF - #define PACKAGE_VERSION "$PACKAGE_VERSION" - _ACEOF - -- - cat >>confdefs.h <<_ACEOF - #define PACKAGE_STRING "$PACKAGE_STRING" - _ACEOF - -- - cat >>confdefs.h <<_ACEOF - #define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT" - _ACEOF - -+cat >>confdefs.h <<_ACEOF -+#define PACKAGE_URL "$PACKAGE_URL" -+_ACEOF -+ - - # Let the site file select an alternate cache file if it wants to. --# Prefer explicitly selected file to automatically selected ones. -+# Prefer an explicitly selected file to automatically selected ones. -+ac_site_file1=NONE -+ac_site_file2=NONE - if test -n "$CONFIG_SITE"; then -- set x "$CONFIG_SITE" -+ # We do not want a PATH search for config.site. 
-+ case $CONFIG_SITE in #(( -+ -*) ac_site_file1=./$CONFIG_SITE;; -+ */*) ac_site_file1=$CONFIG_SITE;; -+ *) ac_site_file1=./$CONFIG_SITE;; -+ esac - elif test "x$prefix" != xNONE; then -- set x "$prefix/share/config.site" "$prefix/etc/config.site" -+ ac_site_file1=$prefix/share/config.site -+ ac_site_file2=$prefix/etc/config.site - else -- set x "$ac_default_prefix/share/config.site" \ -- "$ac_default_prefix/etc/config.site" -+ ac_site_file1=$ac_default_prefix/share/config.site -+ ac_site_file2=$ac_default_prefix/etc/config.site - fi --shift --for ac_site_file -+for ac_site_file in "$ac_site_file1" "$ac_site_file2" - do -- if test -r "$ac_site_file"; then -- { echo "$as_me:$LINENO: loading site script $ac_site_file" >&5 --echo "$as_me: loading site script $ac_site_file" >&6;} -+ test "x$ac_site_file" = xNONE && continue -+ if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5 -+$as_echo "$as_me: loading site script $ac_site_file" >&6;} - sed 's/^/| /' "$ac_site_file" >&5 -- . "$ac_site_file" -+ . "$ac_site_file" \ -+ || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -+as_fn_error $? "failed to load site script $ac_site_file -+See \`config.log' for more details" "$LINENO" 5 ; } - fi - done - - if test -r "$cache_file"; then -- # Some versions of bash will fail to source /dev/null (special -- # files actually), so we avoid doing that. -- if test -f "$cache_file"; then -- { echo "$as_me:$LINENO: loading cache $cache_file" >&5 --echo "$as_me: loading cache $cache_file" >&6;} -+ # Some versions of bash will fail to source /dev/null (special files -+ # actually), so we avoid doing that. DJGPP emulates it as a regular file. 
-+ if test /dev/null != "$cache_file" && test -f "$cache_file"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5 -+$as_echo "$as_me: loading cache $cache_file" >&6;} - case $cache_file in - [\\/]* | ?:[\\/]* ) . "$cache_file";; - *) . "./$cache_file";; - esac - fi - else -- { echo "$as_me:$LINENO: creating cache $cache_file" >&5 --echo "$as_me: creating cache $cache_file" >&6;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5 -+$as_echo "$as_me: creating cache $cache_file" >&6;} - >$cache_file - fi - -@@ -1570,60 +1927,56 @@ - eval ac_new_val=\$ac_env_${ac_var}_value - case $ac_old_set,$ac_new_set in - set,) -- { echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 --echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 -+$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} - ac_cache_corrupted=: ;; - ,set) -- { echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5 --echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5 -+$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} - ac_cache_corrupted=: ;; - ,);; - *) - if test "x$ac_old_val" != "x$ac_new_val"; then -- { echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5 --echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} -- { echo "$as_me:$LINENO: former value: $ac_old_val" >&5 --echo "$as_me: former value: $ac_old_val" >&2;} -- { echo "$as_me:$LINENO: current value: $ac_new_val" >&5 --echo "$as_me: current value: $ac_new_val" >&2;} -- ac_cache_corrupted=: -+ # differences in whitespace do not lead to failure. 
-+ ac_old_val_w=`echo x $ac_old_val` -+ ac_new_val_w=`echo x $ac_new_val` -+ if test "$ac_old_val_w" != "$ac_new_val_w"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5 -+$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} -+ ac_cache_corrupted=: -+ else -+ { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5 -+$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;} -+ eval $ac_var=\$ac_old_val -+ fi -+ { $as_echo "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5 -+$as_echo "$as_me: former value: \`$ac_old_val'" >&2;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5 -+$as_echo "$as_me: current value: \`$ac_new_val'" >&2;} - fi;; - esac - # Pass precious variables to config.status. - if test "$ac_new_set" = set; then - case $ac_new_val in -- *\'*) ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; -+ *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; - *) ac_arg=$ac_var=$ac_new_val ;; - esac - case " $ac_configure_args " in - *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. 
-- *) ac_configure_args="$ac_configure_args '$ac_arg'" ;; -+ *) as_fn_append ac_configure_args " '$ac_arg'" ;; - esac - fi - done - if $ac_cache_corrupted; then -- { echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5 --echo "$as_me: error: changes in the environment can compromise the build" >&2;} -- { { echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5 --echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;} -- { (exit 1); exit 1; }; } --fi -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5 -+$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;} -+ as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5 -+fi -+## -------------------- ## -+## Main body of script. ## -+## -------------------- ## - - ac_ext=c - ac_cpp='$CPP $CPPFLAGS' -@@ -1635,6 +1988,9 @@ - - - -+eap_tnc_cflags= -+eap_tnc_ldflags=-lnaaeap -+ - if test x$with_rlm_eap_tnc != xno; then - - ac_ext=c -@@ -1645,10 +2001,10 @@ - if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. - set dummy ${ac_tool_prefix}gcc; ac_word=$2 --{ echo "$as_me:$LINENO: checking for $ac_word" >&5 --echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } --if test "${ac_cv_prog_CC+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -+$as_echo_n "checking for $ac_word... " >&6; } -+if test "${ac_cv_prog_CC+set}" = set; then : -+ $as_echo_n "(cached) " >&6 - else - if test -n "$CC"; then - ac_cv_prog_CC="$CC" # Let the user override the test. 
-@@ -1658,25 +2014,25 @@ - do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. -- for ac_exec_ext in '' $ac_executable_extensions; do -+ for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_CC="${ac_tool_prefix}gcc" -- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 -+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi - done --done -+ done - IFS=$as_save_IFS - - fi - fi - CC=$ac_cv_prog_CC - if test -n "$CC"; then -- { echo "$as_me:$LINENO: result: $CC" >&5 --echo "${ECHO_T}$CC" >&6; } -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 -+$as_echo "$CC" >&6; } - else -- { echo "$as_me:$LINENO: result: no" >&5 --echo "${ECHO_T}no" >&6; } -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } - fi - - -@@ -1685,10 +2041,10 @@ - ac_ct_CC=$CC - # Extract the first word of "gcc", so it can be a program name with args. - set dummy gcc; ac_word=$2 --{ echo "$as_me:$LINENO: checking for $ac_word" >&5 --echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } --if test "${ac_cv_prog_ac_ct_CC+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -+$as_echo_n "checking for $ac_word... " >&6; } -+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then : -+ $as_echo_n "(cached) " >&6 - else - if test -n "$ac_ct_CC"; then - ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. -@@ -1698,25 +2054,25 @@ - do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. 
-- for ac_exec_ext in '' $ac_executable_extensions; do -+ for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_ac_ct_CC="gcc" -- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 -+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi - done --done -+ done - IFS=$as_save_IFS - - fi - fi - ac_ct_CC=$ac_cv_prog_ac_ct_CC - if test -n "$ac_ct_CC"; then -- { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 --echo "${ECHO_T}$ac_ct_CC" >&6; } -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 -+$as_echo "$ac_ct_CC" >&6; } - else -- { echo "$as_me:$LINENO: result: no" >&5 --echo "${ECHO_T}no" >&6; } -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } - fi - - if test "x$ac_ct_CC" = x; then -@@ -1724,12 +2080,8 @@ - else - case $cross_compiling:$ac_tool_warned in - yes:) --{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools --whose name does not start with the host triplet. If you think this --configuration is useful to you, please write to autoconf@gnu.org." >&5 --echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools --whose name does not start with the host triplet. If you think this --configuration is useful to you, please write to autoconf@gnu.org." >&2;} -+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 -+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} - ac_tool_warned=yes ;; - esac - CC=$ac_ct_CC -@@ -1742,10 +2094,10 @@ - if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. - set dummy ${ac_tool_prefix}cc; ac_word=$2 --{ echo "$as_me:$LINENO: checking for $ac_word" >&5 --echo $ECHO_N "checking for $ac_word... 
$ECHO_C" >&6; } --if test "${ac_cv_prog_CC+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -+$as_echo_n "checking for $ac_word... " >&6; } -+if test "${ac_cv_prog_CC+set}" = set; then : -+ $as_echo_n "(cached) " >&6 - else - if test -n "$CC"; then - ac_cv_prog_CC="$CC" # Let the user override the test. -@@ -1755,25 +2107,25 @@ - do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. -- for ac_exec_ext in '' $ac_executable_extensions; do -+ for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_CC="${ac_tool_prefix}cc" -- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 -+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi - done --done -+ done - IFS=$as_save_IFS - - fi - fi - CC=$ac_cv_prog_CC - if test -n "$CC"; then -- { echo "$as_me:$LINENO: result: $CC" >&5 --echo "${ECHO_T}$CC" >&6; } -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 -+$as_echo "$CC" >&6; } - else -- { echo "$as_me:$LINENO: result: no" >&5 --echo "${ECHO_T}no" >&6; } -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } - fi - - -@@ -1782,10 +2134,10 @@ - if test -z "$CC"; then - # Extract the first word of "cc", so it can be a program name with args. - set dummy cc; ac_word=$2 --{ echo "$as_me:$LINENO: checking for $ac_word" >&5 --echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } --if test "${ac_cv_prog_CC+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -+$as_echo_n "checking for $ac_word... " >&6; } -+if test "${ac_cv_prog_CC+set}" = set; then : -+ $as_echo_n "(cached) " >&6 - else - if test -n "$CC"; then - ac_cv_prog_CC="$CC" # Let the user override the test. 
-@@ -1796,18 +2148,18 @@ - do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. -- for ac_exec_ext in '' $ac_executable_extensions; do -+ for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then - ac_prog_rejected=yes - continue - fi - ac_cv_prog_CC="cc" -- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 -+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi - done --done -+ done - IFS=$as_save_IFS - - if test $ac_prog_rejected = yes; then -@@ -1826,11 +2178,11 @@ - fi - CC=$ac_cv_prog_CC - if test -n "$CC"; then -- { echo "$as_me:$LINENO: result: $CC" >&5 --echo "${ECHO_T}$CC" >&6; } -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 -+$as_echo "$CC" >&6; } - else -- { echo "$as_me:$LINENO: result: no" >&5 --echo "${ECHO_T}no" >&6; } -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } - fi - - -@@ -1841,10 +2193,10 @@ - do - # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. - set dummy $ac_tool_prefix$ac_prog; ac_word=$2 --{ echo "$as_me:$LINENO: checking for $ac_word" >&5 --echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } --if test "${ac_cv_prog_CC+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -+$as_echo_n "checking for $ac_word... " >&6; } -+if test "${ac_cv_prog_CC+set}" = set; then : -+ $as_echo_n "(cached) " >&6 - else - if test -n "$CC"; then - ac_cv_prog_CC="$CC" # Let the user override the test. -@@ -1854,25 +2206,25 @@ - do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. 
-- for ac_exec_ext in '' $ac_executable_extensions; do -+ for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_CC="$ac_tool_prefix$ac_prog" -- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 -+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi - done --done -+ done - IFS=$as_save_IFS - - fi - fi - CC=$ac_cv_prog_CC - if test -n "$CC"; then -- { echo "$as_me:$LINENO: result: $CC" >&5 --echo "${ECHO_T}$CC" >&6; } -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 -+$as_echo "$CC" >&6; } - else -- { echo "$as_me:$LINENO: result: no" >&5 --echo "${ECHO_T}no" >&6; } -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } - fi - - -@@ -1885,10 +2237,10 @@ - do - # Extract the first word of "$ac_prog", so it can be a program name with args. - set dummy $ac_prog; ac_word=$2 --{ echo "$as_me:$LINENO: checking for $ac_word" >&5 --echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } --if test "${ac_cv_prog_ac_ct_CC+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -+$as_echo_n "checking for $ac_word... " >&6; } -+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then : -+ $as_echo_n "(cached) " >&6 - else - if test -n "$ac_ct_CC"; then - ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. -@@ -1898,25 +2250,25 @@ - do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. 
-- for ac_exec_ext in '' $ac_executable_extensions; do -+ for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_ac_ct_CC="$ac_prog" -- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 -+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi - done --done -+ done - IFS=$as_save_IFS - - fi - fi - ac_ct_CC=$ac_cv_prog_ac_ct_CC - if test -n "$ac_ct_CC"; then -- { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 --echo "${ECHO_T}$ac_ct_CC" >&6; } -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 -+$as_echo "$ac_ct_CC" >&6; } - else -- { echo "$as_me:$LINENO: result: no" >&5 --echo "${ECHO_T}no" >&6; } -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } - fi - - -@@ -1928,12 +2280,8 @@ - else - case $cross_compiling:$ac_tool_warned in - yes:) --{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools --whose name does not start with the host triplet. If you think this --configuration is useful to you, please write to autoconf@gnu.org." >&5 --echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools --whose name does not start with the host triplet. If you think this --configuration is useful to you, please write to autoconf@gnu.org." >&2;} -+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 -+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} - ac_tool_warned=yes ;; - esac - CC=$ac_ct_CC -@@ -1943,51 +2291,37 @@ - fi - - --test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH --See \`config.log' for more details." >&5 --echo "$as_me: error: no acceptable C compiler found in \$PATH --See \`config.log' for more details." 
>&2;} -- { (exit 1); exit 1; }; } -+test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -+as_fn_error $? "no acceptable C compiler found in \$PATH -+See \`config.log' for more details" "$LINENO" 5 ; } - - # Provide some information about the compiler. --echo "$as_me:$LINENO: checking for C compiler version" >&5 --ac_compiler=`set X $ac_compile; echo $2` --{ (ac_try="$ac_compiler --version >&5" --case "(($ac_try" in -- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -- *) ac_try_echo=$ac_try;; --esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -- (eval "$ac_compiler --version >&5") 2>&5 -- ac_status=$? -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); } --{ (ac_try="$ac_compiler -v >&5" --case "(($ac_try" in -- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -- *) ac_try_echo=$ac_try;; --esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -- (eval "$ac_compiler -v >&5") 2>&5 -- ac_status=$? -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); } --{ (ac_try="$ac_compiler -V >&5" -+$as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 -+set X $ac_compile -+ac_compiler=$2 -+for ac_option in --version -v -V -qversion; do -+ { { ac_try="$ac_compiler $ac_option >&5" - case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; - esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -- (eval "$ac_compiler -V >&5") 2>&5 -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 -+ (eval "$ac_compiler $ac_option >&5") 2>conftest.err - ac_status=$? -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); } -+ if test -s conftest.err; then -+ sed '10a\ -+... rest of stderr output deleted ... -+ 10q' conftest.err >conftest.er1 -+ cat conftest.er1 >&5 -+ fi -+ rm -f conftest.er1 conftest.err -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 -+ test $ac_status = 0; } -+done - --cat >conftest.$ac_ext <<_ACEOF --/* confdefs.h. */ --_ACEOF --cat confdefs.h >>conftest.$ac_ext --cat >>conftest.$ac_ext <<_ACEOF -+cat confdefs.h - <<_ACEOF >conftest.$ac_ext - /* end confdefs.h. */ - - int -@@ -1999,42 +2333,38 @@ - } - _ACEOF - ac_clean_files_save=$ac_clean_files --ac_clean_files="$ac_clean_files a.out a.exe b.out" -+ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out" - # Try to create an executable without -o first, disregard a.out. - # It will help us diagnose broken compilers, and finding out an intuition - # of exeext. --{ echo "$as_me:$LINENO: checking for C compiler default output file name" >&5 --echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6; } --ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` --# --# List of possible output files, starting from the most likely. --# The algorithm is not robust to junk in `.', hence go to wildcards (a.*) --# only as a last resort. b.out is created by i960 compilers. --ac_files='a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out' --# --# The IRIX 6 linker writes into existing files which may not be --# executable, retaining their permissions. Remove them first so a --# subsequent execution test works. -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5 -+$as_echo_n "checking whether the C compiler works... 
" >&6; } -+ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` -+ -+# The possible output files: -+ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*" -+ - ac_rmfiles= - for ac_file in $ac_files - do - case $ac_file in -- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;; -+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; - * ) ac_rmfiles="$ac_rmfiles $ac_file";; - esac - done - rm -f $ac_rmfiles - --if { (ac_try="$ac_link_default" -+if { { ac_try="$ac_link_default" - case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; - esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_link_default") 2>&5 - ac_status=$? -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); }; then -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; }; then : - # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. - # So ignore a value of `no', otherwise this would lead to `EXEEXT = no' - # in a Makefile. We should not override ac_cv_exeext if it was cached, -@@ -2044,14 +2374,14 @@ - do - test -f "$ac_file" || continue - case $ac_file in -- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) -+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) - ;; - [ab].out ) - # We found the default executable, but exeext='' is most - # certainly right. 
- break;; - *.* ) -- if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; -+ if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; - then :; else - ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` - fi -@@ -2070,116 +2400,132 @@ - else - ac_file='' - fi -- --{ echo "$as_me:$LINENO: result: $ac_file" >&5 --echo "${ECHO_T}$ac_file" >&6; } --if test -z "$ac_file"; then -- echo "$as_me: failed program was:" >&5 -+if test -z "$ac_file"; then : -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+$as_echo "$as_me: failed program was:" >&5 - sed 's/^/| /' conftest.$ac_ext >&5 - --{ { echo "$as_me:$LINENO: error: C compiler cannot create executables --See \`config.log' for more details." >&5 --echo "$as_me: error: C compiler cannot create executables --See \`config.log' for more details." >&2;} -- { (exit 77); exit 77; }; } --fi -- -+{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -+as_fn_error 77 "C compiler cannot create executables -+See \`config.log' for more details" "$LINENO" 5 ; } -+else -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -+$as_echo "yes" >&6; } -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5 -+$as_echo_n "checking for C compiler default output file name... " >&6; } -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5 -+$as_echo "$ac_file" >&6; } - ac_exeext=$ac_cv_exeext - -+rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out -+ac_clean_files=$ac_clean_files_save -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5 -+$as_echo_n "checking for suffix of executables... 
" >&6; } -+if { { ac_try="$ac_link" -+case "(($ac_try" in -+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -+ *) ac_try_echo=$ac_try;; -+esac -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 -+ (eval "$ac_link") 2>&5 -+ ac_status=$? -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; }; then : -+ # If both `conftest.exe' and `conftest' are `present' (well, observable) -+# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will -+# work properly (i.e., refer to `conftest.exe'), while it won't with -+# `rm'. -+for ac_file in conftest.exe conftest conftest.*; do -+ test -f "$ac_file" || continue -+ case $ac_file in -+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; -+ *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` -+ break;; -+ * ) break;; -+ esac -+done -+else -+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -+as_fn_error $? "cannot compute suffix of executables: cannot compile and link -+See \`config.log' for more details" "$LINENO" 5 ; } -+fi -+rm -f conftest conftest$ac_cv_exeext -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5 -+$as_echo "$ac_cv_exeext" >&6; } -+ -+rm -f conftest.$ac_ext -+EXEEXT=$ac_cv_exeext -+ac_exeext=$EXEEXT -+cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+#include -+int -+main () -+{ -+FILE *f = fopen ("conftest.out", "w"); -+ return ferror (f) || fclose (f) != 0; -+ -+ ; -+ return 0; -+} -+_ACEOF -+ac_clean_files="$ac_clean_files conftest.out" - # Check that the compiler produces executables we can run. If not, either - # the compiler is broken, or we cross compile. --{ echo "$as_me:$LINENO: checking whether the C compiler works" >&5 --echo $ECHO_N "checking whether the C compiler works... 
$ECHO_C" >&6; } --# FIXME: These cross compiler hacks should be removed for Autoconf 3.0 --# If not cross compiling, check that we can run a simple program. -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5 -+$as_echo_n "checking whether we are cross compiling... " >&6; } - if test "$cross_compiling" != yes; then -- if { ac_try='./$ac_file' -- { (case "(($ac_try" in -+ { { ac_try="$ac_link" -+case "(($ac_try" in -+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -+ *) ac_try_echo=$ac_try;; -+esac -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 -+ (eval "$ac_link") 2>&5 -+ ac_status=$? -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; } -+ if { ac_try='./conftest$ac_cv_exeext' -+ { { case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; - esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_try") 2>&5 - ac_status=$? -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); }; }; then -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; }; }; then - cross_compiling=no - else - if test "$cross_compiling" = maybe; then - cross_compiling=yes - else -- { { echo "$as_me:$LINENO: error: cannot run C compiled programs. --If you meant to cross compile, use \`--host'. --See \`config.log' for more details." >&5 --echo "$as_me: error: cannot run C compiled programs. -+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -+as_fn_error $? "cannot run C compiled programs. - If you meant to cross compile, use \`--host'. --See \`config.log' for more details." 
>&2;} -- { (exit 1); exit 1; }; } -+See \`config.log' for more details" "$LINENO" 5 ; } - fi - fi - fi --{ echo "$as_me:$LINENO: result: yes" >&5 --echo "${ECHO_T}yes" >&6; } -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5 -+$as_echo "$cross_compiling" >&6; } - --rm -f a.out a.exe conftest$ac_cv_exeext b.out -+rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out - ac_clean_files=$ac_clean_files_save --# Check that the compiler produces executables we can run. If not, either --# the compiler is broken, or we cross compile. --{ echo "$as_me:$LINENO: checking whether we are cross compiling" >&5 --echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6; } --{ echo "$as_me:$LINENO: result: $cross_compiling" >&5 --echo "${ECHO_T}$cross_compiling" >&6; } -- --{ echo "$as_me:$LINENO: checking for suffix of executables" >&5 --echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6; } --if { (ac_try="$ac_link" --case "(($ac_try" in -- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -- *) ac_try_echo=$ac_try;; --esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -- (eval "$ac_link") 2>&5 -- ac_status=$? -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); }; then -- # If both `conftest.exe' and `conftest' are `present' (well, observable) --# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will --# work properly (i.e., refer to `conftest.exe'), while it won't with --# `rm'. --for ac_file in conftest.exe conftest conftest.*; do -- test -f "$ac_file" || continue -- case $ac_file in -- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;; -- *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` -- break;; -- * ) break;; -- esac --done -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5 -+$as_echo_n "checking for suffix of object files... 
" >&6; } -+if test "${ac_cv_objext+set}" = set; then : -+ $as_echo_n "(cached) " >&6 - else -- { { echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link --See \`config.log' for more details." >&5 --echo "$as_me: error: cannot compute suffix of executables: cannot compile and link --See \`config.log' for more details." >&2;} -- { (exit 1); exit 1; }; } --fi -- --rm -f conftest$ac_cv_exeext --{ echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5 --echo "${ECHO_T}$ac_cv_exeext" >&6; } -- --rm -f conftest.$ac_ext --EXEEXT=$ac_cv_exeext --ac_exeext=$EXEEXT --{ echo "$as_me:$LINENO: checking for suffix of object files" >&5 --echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6; } --if test "${ac_cv_objext+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 --else -- cat >conftest.$ac_ext <<_ACEOF --/* confdefs.h. */ --_ACEOF --cat confdefs.h >>conftest.$ac_ext --cat >>conftest.$ac_ext <<_ACEOF -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext - /* end confdefs.h. */ - - int -@@ -2191,51 +2537,46 @@ - } - _ACEOF - rm -f conftest.o conftest.obj --if { (ac_try="$ac_compile" -+if { { ac_try="$ac_compile" - case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; - esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_compile") 2>&5 - ac_status=$? -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); }; then -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 -+ test $ac_status = 0; }; then : - for ac_file in conftest.o conftest.obj conftest.*; do - test -f "$ac_file" || continue; - case $ac_file in -- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf ) ;; -+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;; - *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` - break;; - esac - done - else -- echo "$as_me: failed program was:" >&5 -+ $as_echo "$as_me: failed program was:" >&5 - sed 's/^/| /' conftest.$ac_ext >&5 - --{ { echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile --See \`config.log' for more details." >&5 --echo "$as_me: error: cannot compute suffix of object files: cannot compile --See \`config.log' for more details." >&2;} -- { (exit 1); exit 1; }; } -+{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -+as_fn_error $? "cannot compute suffix of object files: cannot compile -+See \`config.log' for more details" "$LINENO" 5 ; } - fi -- - rm -f conftest.$ac_cv_objext conftest.$ac_ext - fi --{ echo "$as_me:$LINENO: result: $ac_cv_objext" >&5 --echo "${ECHO_T}$ac_cv_objext" >&6; } -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5 -+$as_echo "$ac_cv_objext" >&6; } - OBJEXT=$ac_cv_objext - ac_objext=$OBJEXT --{ echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5 --echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6; } --if test "${ac_cv_c_compiler_gnu+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5 -+$as_echo_n "checking whether we are using the GNU C compiler... " >&6; } -+if test "${ac_cv_c_compiler_gnu+set}" = set; then : -+ $as_echo_n "(cached) " >&6 - else -- cat >conftest.$ac_ext <<_ACEOF --/* confdefs.h. 
*/ --_ACEOF --cat confdefs.h >>conftest.$ac_ext --cat >>conftest.$ac_ext <<_ACEOF -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext - /* end confdefs.h. */ - - int -@@ -2249,54 +2590,34 @@ - return 0; - } - _ACEOF --rm -f conftest.$ac_objext --if { (ac_try="$ac_compile" --case "(($ac_try" in -- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -- *) ac_try_echo=$ac_try;; --esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -- (eval "$ac_compile") 2>conftest.er1 -- ac_status=$? -- grep -v '^ *+' conftest.er1 >conftest.err -- rm -f conftest.er1 -- cat conftest.err >&5 -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); } && { -- test -z "$ac_c_werror_flag" || -- test ! -s conftest.err -- } && test -s conftest.$ac_objext; then -+if ac_fn_c_try_compile "$LINENO"; then : - ac_compiler_gnu=yes - else -- echo "$as_me: failed program was:" >&5 --sed 's/^/| /' conftest.$ac_ext >&5 -- -- ac_compiler_gnu=no -+ ac_compiler_gnu=no - fi -- - rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - ac_cv_c_compiler_gnu=$ac_compiler_gnu - - fi --{ echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5 --echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6; } --GCC=`test $ac_compiler_gnu = yes && echo yes` -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 -+$as_echo "$ac_cv_c_compiler_gnu" >&6; } -+if test $ac_compiler_gnu = yes; then -+ GCC=yes -+else -+ GCC= -+fi - ac_test_CFLAGS=${CFLAGS+set} - ac_save_CFLAGS=$CFLAGS --{ echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5 --echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6; } --if test "${ac_cv_prog_cc_g+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 -+$as_echo_n "checking whether $CC accepts -g... 
" >&6; } -+if test "${ac_cv_prog_cc_g+set}" = set; then : -+ $as_echo_n "(cached) " >&6 - else - ac_save_c_werror_flag=$ac_c_werror_flag - ac_c_werror_flag=yes - ac_cv_prog_cc_g=no - CFLAGS="-g" -- cat >conftest.$ac_ext <<_ACEOF --/* confdefs.h. */ --_ACEOF --cat confdefs.h >>conftest.$ac_ext --cat >>conftest.$ac_ext <<_ACEOF -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext - /* end confdefs.h. */ - - int -@@ -2307,34 +2628,11 @@ - return 0; - } - _ACEOF --rm -f conftest.$ac_objext --if { (ac_try="$ac_compile" --case "(($ac_try" in -- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -- *) ac_try_echo=$ac_try;; --esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -- (eval "$ac_compile") 2>conftest.er1 -- ac_status=$? -- grep -v '^ *+' conftest.er1 >conftest.err -- rm -f conftest.er1 -- cat conftest.err >&5 -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); } && { -- test -z "$ac_c_werror_flag" || -- test ! -s conftest.err -- } && test -s conftest.$ac_objext; then -+if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_prog_cc_g=yes - else -- echo "$as_me: failed program was:" >&5 --sed 's/^/| /' conftest.$ac_ext >&5 -- -- CFLAGS="" -- cat >conftest.$ac_ext <<_ACEOF --/* confdefs.h. */ --_ACEOF --cat confdefs.h >>conftest.$ac_ext --cat >>conftest.$ac_ext <<_ACEOF -+ CFLAGS="" -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext - /* end confdefs.h. */ - - int -@@ -2345,35 +2643,12 @@ - return 0; - } - _ACEOF --rm -f conftest.$ac_objext --if { (ac_try="$ac_compile" --case "(($ac_try" in -- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -- *) ac_try_echo=$ac_try;; --esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -- (eval "$ac_compile") 2>conftest.er1 -- ac_status=$? -- grep -v '^ *+' conftest.er1 >conftest.err -- rm -f conftest.er1 -- cat conftest.err >&5 -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); } && { -- test -z "$ac_c_werror_flag" || -- test ! 
-s conftest.err -- } && test -s conftest.$ac_objext; then -- : --else -- echo "$as_me: failed program was:" >&5 --sed 's/^/| /' conftest.$ac_ext >&5 -+if ac_fn_c_try_compile "$LINENO"; then : - -- ac_c_werror_flag=$ac_save_c_werror_flag -+else -+ ac_c_werror_flag=$ac_save_c_werror_flag - CFLAGS="-g" -- cat >conftest.$ac_ext <<_ACEOF --/* confdefs.h. */ --_ACEOF --cat confdefs.h >>conftest.$ac_ext --cat >>conftest.$ac_ext <<_ACEOF -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext - /* end confdefs.h. */ - - int -@@ -2384,42 +2659,18 @@ - return 0; - } - _ACEOF --rm -f conftest.$ac_objext --if { (ac_try="$ac_compile" --case "(($ac_try" in -- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -- *) ac_try_echo=$ac_try;; --esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -- (eval "$ac_compile") 2>conftest.er1 -- ac_status=$? -- grep -v '^ *+' conftest.er1 >conftest.err -- rm -f conftest.er1 -- cat conftest.err >&5 -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); } && { -- test -z "$ac_c_werror_flag" || -- test ! 
-s conftest.err -- } && test -s conftest.$ac_objext; then -+if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_prog_cc_g=yes --else -- echo "$as_me: failed program was:" >&5 --sed 's/^/| /' conftest.$ac_ext >&5 -- -- - fi -- - rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - fi -- - rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - fi -- - rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - ac_c_werror_flag=$ac_save_c_werror_flag - fi --{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5 --echo "${ECHO_T}$ac_cv_prog_cc_g" >&6; } -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 -+$as_echo "$ac_cv_prog_cc_g" >&6; } - if test "$ac_test_CFLAGS" = set; then - CFLAGS=$ac_save_CFLAGS - elif test $ac_cv_prog_cc_g = yes; then -@@ -2435,18 +2686,14 @@ - CFLAGS= - fi - fi --{ echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5 --echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; } --if test "${ac_cv_prog_cc_c89+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5 -+$as_echo_n "checking for $CC option to accept ISO C89... " >&6; } -+if test "${ac_cv_prog_cc_c89+set}" = set; then : -+ $as_echo_n "(cached) " >&6 - else - ac_cv_prog_cc_c89=no - ac_save_CC=$CC --cat >conftest.$ac_ext <<_ACEOF --/* confdefs.h. */ --_ACEOF --cat confdefs.h >>conftest.$ac_ext --cat >>conftest.$ac_ext <<_ACEOF -+cat confdefs.h - <<_ACEOF >conftest.$ac_ext - /* end confdefs.h. */ - #include - #include -@@ -2503,31 +2750,9 @@ - -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" - do - CC="$ac_save_CC $ac_arg" -- rm -f conftest.$ac_objext --if { (ac_try="$ac_compile" --case "(($ac_try" in -- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -- *) ac_try_echo=$ac_try;; --esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -- (eval "$ac_compile") 2>conftest.er1 -- ac_status=$? 
-- grep -v '^ *+' conftest.er1 >conftest.err -- rm -f conftest.er1 -- cat conftest.err >&5 -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); } && { -- test -z "$ac_c_werror_flag" || -- test ! -s conftest.err -- } && test -s conftest.$ac_objext; then -+ if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_prog_cc_c89=$ac_arg --else -- echo "$as_me: failed program was:" >&5 --sed 's/^/| /' conftest.$ac_ext >&5 -- -- - fi -- - rm -f core conftest.err conftest.$ac_objext - test "x$ac_cv_prog_cc_c89" != "xno" && break - done -@@ -2538,17 +2763,19 @@ - # AC_CACHE_VAL - case "x$ac_cv_prog_cc_c89" in - x) -- { echo "$as_me:$LINENO: result: none needed" >&5 --echo "${ECHO_T}none needed" >&6; } ;; -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 -+$as_echo "none needed" >&6; } ;; - xno) -- { echo "$as_me:$LINENO: result: unsupported" >&5 --echo "${ECHO_T}unsupported" >&6; } ;; -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 -+$as_echo "unsupported" >&6; } ;; - *) - CC="$CC $ac_cv_prog_cc_c89" -- { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5 --echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;; -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 -+$as_echo "$ac_cv_prog_cc_c89" >&6; } ;; - esac -+if test "x$ac_cv_prog_cc_c89" != xno; then : - -+fi - - ac_ext=c - ac_cpp='$CPP $CPPFLAGS' -@@ -2557,81 +2784,474 @@ - ac_compiler_gnu=$ac_cv_c_compiler_gnu - - -- --{ echo "$as_me:$LINENO: checking for exchangeTNCCSMessages in -lTNCS" >&5 --echo $ECHO_N "checking for exchangeTNCCSMessages in -lTNCS... $ECHO_C" >&6; } --if test "${ac_cv_lib_TNCS_exchangeTNCCSMessages+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for processEAPTNCData in -lnaaeap" >&5 -+$as_echo_n "checking for processEAPTNCData in -lnaaeap... 
" >&6; } -+if test "${ac_cv_lib_naaeap_processEAPTNCData+set}" = set; then : -+ $as_echo_n "(cached) " >&6 - else - ac_check_lib_save_LIBS=$LIBS --LIBS="-lTNCS $LIBS" --cat >conftest.$ac_ext <<_ACEOF --/* confdefs.h. */ -+LIBS="-lnaaeap $LIBS" -+cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+ -+/* Override any GCC internal prototype to avoid an error. -+ Use char because int might match the return type of a GCC -+ builtin and then its argument prototype would still apply. */ -+#ifdef __cplusplus -+extern "C" -+#endif -+char processEAPTNCData (); -+int -+main () -+{ -+return processEAPTNCData (); -+ ; -+ return 0; -+} -+_ACEOF -+if ac_fn_c_try_link "$LINENO"; then : -+ ac_cv_lib_naaeap_processEAPTNCData=yes -+else -+ ac_cv_lib_naaeap_processEAPTNCData=no -+fi -+rm -f core conftest.err conftest.$ac_objext \ -+ conftest$ac_exeext conftest.$ac_ext -+LIBS=$ac_check_lib_save_LIBS -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_naaeap_processEAPTNCData" >&5 -+$as_echo "$ac_cv_lib_naaeap_processEAPTNCData" >&6; } -+if test "x$ac_cv_lib_naaeap_processEAPTNCData" = x""yes; then : -+ cat >>confdefs.h <<_ACEOF -+#define HAVE_LIBNAAEAP 1 -+_ACEOF -+ -+ LIBS="-lnaaeap $LIBS" -+ -+else -+ fail="$fail -lnaaeap" -+fi -+ -+ if test -x"$ac_cv_lib_NAAEAP_processEAPTNCData" == -x"no"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: the NAAEAP library was not found!" >&5 -+$as_echo "$as_me: WARNING: the NAAEAP library was not found!" >&2;} -+ fail="$fail -lNAAEAP" -+ fi -+ -+ ac_ext=c -+ac_cpp='$CPP $CPPFLAGS' -+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -+ac_compiler_gnu=$ac_cv_c_compiler_gnu -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5 -+$as_echo_n "checking how to run the C preprocessor... " >&6; } -+# On Suns, sometimes $CPP names a directory. 
-+if test -n "$CPP" && test -d "$CPP"; then -+ CPP= -+fi -+if test -z "$CPP"; then -+ if test "${ac_cv_prog_CPP+set}" = set; then : -+ $as_echo_n "(cached) " >&6 -+else -+ # Double quotes because CPP needs to be expanded -+ for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp" -+ do -+ ac_preproc_ok=false -+for ac_c_preproc_warn_flag in '' yes -+do -+ # Use a header file that comes with gcc, so configuring glibc -+ # with a fresh cross-compiler works. -+ # Prefer to if __STDC__ is defined, since -+ # exists even on freestanding compilers. -+ # On the NeXT, cc -E runs the code through the compiler's parser, -+ # not just through cpp. "Syntax error" is here to catch this case. -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+#ifdef __STDC__ -+# include -+#else -+# include -+#endif -+ Syntax error -+_ACEOF -+if ac_fn_c_try_cpp "$LINENO"; then : -+ -+else -+ # Broken: fails on valid input. -+continue -+fi -+rm -f conftest.err conftest.i conftest.$ac_ext -+ -+ # OK, works on sane cases. Now check whether nonexistent headers -+ # can be detected and how. -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+#include -+_ACEOF -+if ac_fn_c_try_cpp "$LINENO"; then : -+ # Broken: success on invalid input. -+continue -+else -+ # Passes both tests. -+ac_preproc_ok=: -+break -+fi -+rm -f conftest.err conftest.i conftest.$ac_ext -+ -+done -+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. -+rm -f conftest.i conftest.err conftest.$ac_ext -+if $ac_preproc_ok; then : -+ break -+fi -+ -+ done -+ ac_cv_prog_CPP=$CPP -+ -+fi -+ CPP=$ac_cv_prog_CPP -+else -+ ac_cv_prog_CPP=$CPP -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5 -+$as_echo "$CPP" >&6; } -+ac_preproc_ok=false -+for ac_c_preproc_warn_flag in '' yes -+do -+ # Use a header file that comes with gcc, so configuring glibc -+ # with a fresh cross-compiler works. 
-+ # Prefer to if __STDC__ is defined, since -+ # exists even on freestanding compilers. -+ # On the NeXT, cc -E runs the code through the compiler's parser, -+ # not just through cpp. "Syntax error" is here to catch this case. -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+#ifdef __STDC__ -+# include -+#else -+# include -+#endif -+ Syntax error -+_ACEOF -+if ac_fn_c_try_cpp "$LINENO"; then : -+ -+else -+ # Broken: fails on valid input. -+continue -+fi -+rm -f conftest.err conftest.i conftest.$ac_ext -+ -+ # OK, works on sane cases. Now check whether nonexistent headers -+ # can be detected and how. -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+#include -+_ACEOF -+if ac_fn_c_try_cpp "$LINENO"; then : -+ # Broken: success on invalid input. -+continue -+else -+ # Passes both tests. -+ac_preproc_ok=: -+break -+fi -+rm -f conftest.err conftest.i conftest.$ac_ext -+ -+done -+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. -+rm -f conftest.i conftest.err conftest.$ac_ext -+if $ac_preproc_ok; then : -+ -+else -+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -+as_fn_error $? "C preprocessor \"$CPP\" fails sanity check -+See \`config.log' for more details" "$LINENO" 5 ; } -+fi -+ -+ac_ext=c -+ac_cpp='$CPP $CPPFLAGS' -+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -+ac_compiler_gnu=$ac_cv_c_compiler_gnu -+ -+ -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5 -+$as_echo_n "checking for grep that handles long lines and -e... 
" >&6; } -+if test "${ac_cv_path_GREP+set}" = set; then : -+ $as_echo_n "(cached) " >&6 -+else -+ if test -z "$GREP"; then -+ ac_path_GREP_found=false -+ # Loop through the user's path and test for each of PROGNAME-LIST -+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin -+do -+ IFS=$as_save_IFS -+ test -z "$as_dir" && as_dir=. -+ for ac_prog in grep ggrep; do -+ for ac_exec_ext in '' $ac_executable_extensions; do -+ ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" -+ { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue -+# Check for GNU ac_path_GREP and select it if it is found. -+ # Check for GNU $ac_path_GREP -+case `"$ac_path_GREP" --version 2>&1` in -+*GNU*) -+ ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;; -+*) -+ ac_count=0 -+ $as_echo_n 0123456789 >"conftest.in" -+ while : -+ do -+ cat "conftest.in" "conftest.in" >"conftest.tmp" -+ mv "conftest.tmp" "conftest.in" -+ cp "conftest.in" "conftest.nl" -+ $as_echo 'GREP' >> "conftest.nl" -+ "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break -+ diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break -+ as_fn_arith $ac_count + 1 && ac_count=$as_val -+ if test $ac_count -gt ${ac_path_GREP_max-0}; then -+ # Best one so far, save it but keep looking for a better one -+ ac_cv_path_GREP="$ac_path_GREP" -+ ac_path_GREP_max=$ac_count -+ fi -+ # 10*(2^10) chars as input seems more than enough -+ test $ac_count -gt 10 && break -+ done -+ rm -f conftest.in conftest.tmp conftest.nl conftest.out;; -+esac -+ -+ $ac_path_GREP_found && break 3 -+ done -+ done -+ done -+IFS=$as_save_IFS -+ if test -z "$ac_cv_path_GREP"; then -+ as_fn_error $? 
"no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 -+ fi -+else -+ ac_cv_path_GREP=$GREP -+fi -+ -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5 -+$as_echo "$ac_cv_path_GREP" >&6; } -+ GREP="$ac_cv_path_GREP" -+ -+ -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5 -+$as_echo_n "checking for egrep... " >&6; } -+if test "${ac_cv_path_EGREP+set}" = set; then : -+ $as_echo_n "(cached) " >&6 -+else -+ if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 -+ then ac_cv_path_EGREP="$GREP -E" -+ else -+ if test -z "$EGREP"; then -+ ac_path_EGREP_found=false -+ # Loop through the user's path and test for each of PROGNAME-LIST -+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin -+do -+ IFS=$as_save_IFS -+ test -z "$as_dir" && as_dir=. -+ for ac_prog in egrep; do -+ for ac_exec_ext in '' $ac_executable_extensions; do -+ ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" -+ { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue -+# Check for GNU ac_path_EGREP and select it if it is found. 
-+ # Check for GNU $ac_path_EGREP -+case `"$ac_path_EGREP" --version 2>&1` in -+*GNU*) -+ ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;; -+*) -+ ac_count=0 -+ $as_echo_n 0123456789 >"conftest.in" -+ while : -+ do -+ cat "conftest.in" "conftest.in" >"conftest.tmp" -+ mv "conftest.tmp" "conftest.in" -+ cp "conftest.in" "conftest.nl" -+ $as_echo 'EGREP' >> "conftest.nl" -+ "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break -+ diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break -+ as_fn_arith $ac_count + 1 && ac_count=$as_val -+ if test $ac_count -gt ${ac_path_EGREP_max-0}; then -+ # Best one so far, save it but keep looking for a better one -+ ac_cv_path_EGREP="$ac_path_EGREP" -+ ac_path_EGREP_max=$ac_count -+ fi -+ # 10*(2^10) chars as input seems more than enough -+ test $ac_count -gt 10 && break -+ done -+ rm -f conftest.in conftest.tmp conftest.nl conftest.out;; -+esac -+ -+ $ac_path_EGREP_found && break 3 -+ done -+ done -+ done -+IFS=$as_save_IFS -+ if test -z "$ac_cv_path_EGREP"; then -+ as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 -+ fi -+else -+ ac_cv_path_EGREP=$EGREP -+fi -+ -+ fi -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5 -+$as_echo "$ac_cv_path_EGREP" >&6; } -+ EGREP="$ac_cv_path_EGREP" -+ -+ -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5 -+$as_echo_n "checking for ANSI C header files... " >&6; } -+if test "${ac_cv_header_stdc+set}" = set; then : -+ $as_echo_n "(cached) " >&6 -+else -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. 
*/ -+#include -+#include -+#include -+#include -+ -+int -+main () -+{ -+ -+ ; -+ return 0; -+} -+_ACEOF -+if ac_fn_c_try_compile "$LINENO"; then : -+ ac_cv_header_stdc=yes -+else -+ ac_cv_header_stdc=no -+fi -+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -+ -+if test $ac_cv_header_stdc = yes; then -+ # SunOS 4.x string.h does not declare mem*, contrary to ANSI. -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+#include -+ - _ACEOF --cat confdefs.h >>conftest.$ac_ext --cat >>conftest.$ac_ext <<_ACEOF -+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | -+ $EGREP "memchr" >/dev/null 2>&1; then : -+ -+else -+ ac_cv_header_stdc=no -+fi -+rm -f conftest* -+ -+fi -+ -+if test $ac_cv_header_stdc = yes; then -+ # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+#include -+ -+_ACEOF -+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | -+ $EGREP "free" >/dev/null 2>&1; then : -+ -+else -+ ac_cv_header_stdc=no -+fi -+rm -f conftest* -+ -+fi -+ -+if test $ac_cv_header_stdc = yes; then -+ # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. -+ if test "$cross_compiling" = yes; then : -+ : -+else -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext - /* end confdefs.h. */ -- --/* Override any GCC internal prototype to avoid an error. -- Use char because int might match the return type of a GCC -- builtin and then its argument prototype would still apply. */ --#ifdef __cplusplus --extern "C" -+#include -+#include -+#if ((' ' & 0x0FF) == 0x020) -+# define ISLOWER(c) ('a' <= (c) && (c) <= 'z') -+# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c)) -+#else -+# define ISLOWER(c) \ -+ (('a' <= (c) && (c) <= 'i') \ -+ || ('j' <= (c) && (c) <= 'r') \ -+ || ('s' <= (c) && (c) <= 'z')) -+# define TOUPPER(c) (ISLOWER(c) ? 
((c) | 0x40) : (c)) - #endif --char exchangeTNCCSMessages (); -+ -+#define XOR(e, f) (((e) && !(f)) || (!(e) && (f))) - int - main () - { --return exchangeTNCCSMessages (); -- ; -+ int i; -+ for (i = 0; i < 256; i++) -+ if (XOR (islower (i), ISLOWER (i)) -+ || toupper (i) != TOUPPER (i)) -+ return 2; - return 0; - } - _ACEOF --rm -f conftest.$ac_objext conftest$ac_exeext --if { (ac_try="$ac_link" --case "(($ac_try" in -- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -- *) ac_try_echo=$ac_try;; --esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -- (eval "$ac_link") 2>conftest.er1 -- ac_status=$? -- grep -v '^ *+' conftest.er1 >conftest.err -- rm -f conftest.er1 -- cat conftest.err >&5 -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); } && { -- test -z "$ac_c_werror_flag" || -- test ! -s conftest.err -- } && test -s conftest$ac_exeext && -- $as_test_x conftest$ac_exeext; then -- ac_cv_lib_TNCS_exchangeTNCCSMessages=yes -+if ac_fn_c_try_run "$LINENO"; then : -+ - else -- echo "$as_me: failed program was:" >&5 --sed 's/^/| /' conftest.$ac_ext >&5 -+ ac_cv_header_stdc=no -+fi -+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ -+ conftest.$ac_objext conftest.beam conftest.$ac_ext -+fi - -- ac_cv_lib_TNCS_exchangeTNCCSMessages=no - fi -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5 -+$as_echo "$ac_cv_header_stdc" >&6; } -+if test $ac_cv_header_stdc = yes; then -+ -+$as_echo "#define STDC_HEADERS 1" >>confdefs.h - --rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ -- conftest$ac_exeext conftest.$ac_ext --LIBS=$ac_check_lib_save_LIBS - fi --{ echo "$as_me:$LINENO: result: $ac_cv_lib_TNCS_exchangeTNCCSMessages" >&5 --echo "${ECHO_T}$ac_cv_lib_TNCS_exchangeTNCCSMessages" >&6; } --if test $ac_cv_lib_TNCS_exchangeTNCCSMessages = yes; then -+ -+# On IRIX 5.3, sys/types and inttypes.h are conflicting. 
-+for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \ -+ inttypes.h stdint.h unistd.h -+do : -+ as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` -+ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default -+" -+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF --#define HAVE_LIBTNCS 1 -+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 - _ACEOF - -- LIBS="-lTNCS $LIBS" -+fi -+ -+done -+ -+ -+for ac_header in naaeap/naaeap.h -+do : -+ ac_fn_c_check_header_mongrel "$LINENO" "naaeap/naaeap.h" "ac_cv_header_naaeap_naaeap_h" "$ac_includes_default" -+if test "x$ac_cv_header_naaeap_naaeap_h" = x""yes; then : -+ cat >>confdefs.h <<_ACEOF -+#define HAVE_NAAEAP_NAAEAP_H 1 -+_ACEOF - -+else -+ fail="$fail -Inaaeap.h" - fi - -- if test "x$ac_cv_lib_tncs_exchangetnccsmessages" != xyes; then -- { echo "$as_me:$LINENO: WARNING: the TNCS library isn't found!" >&5 --echo "$as_me: WARNING: the TNCS library isn't found!" >&2;} -- fail="$fail -lTNCS" -+done -+ -+ if test -x"$ac_cv_header_naaeap_h" == -x"no"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: the naaeap header was not found!" >&5 -+$as_echo "$as_me: WARNING: the naaeap header was not found!" >&2;} -+ fail="$fail -Inaaeap.h" - fi - - targetname=rlm_eap_tnc -@@ -2642,14 +3262,12 @@ - - if test x"$fail" != x""; then - if test x"${enable_strict_dependencies}" = x"yes"; then -- { { echo "$as_me:$LINENO: error: set --without-rlm_eap_tnc to disable it explicitly." >&5 --echo "$as_me: error: set --without-rlm_eap_tnc to disable it explicitly." >&2;} -- { (exit 1); exit 1; }; } -+ as_fn_error $? "set --without-rlm_eap_tnc to disable it explicitly." "$LINENO" 5 - else -- { echo "$as_me:$LINENO: WARNING: silently not building rlm_eap_tnc." >&5 --echo "$as_me: WARNING: silently not building rlm_eap_tnc." >&2;} -- { echo "$as_me:$LINENO: WARNING: FAILURE: rlm_eap_tnc requires: $fail." 
>&5 --echo "$as_me: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&2;}; -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: silently not building rlm_eap_tnc." >&5 -+$as_echo "$as_me: WARNING: silently not building rlm_eap_tnc." >&2;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&5 -+$as_echo "$as_me: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&2;}; - targetname="" - fi - fi -@@ -2658,11 +3276,7 @@ - - - -- -- unset ac_cv_env_LIBS_set -- unset ac_cv_env_LIBS_value -- -- ac_config_files="$ac_config_files Makefile" -+ac_config_files="$ac_config_files Makefile" - - cat >confcache <<\_ACEOF - # This file is a shell script that caches the results of configure -@@ -2691,12 +3305,13 @@ - case $ac_val in #( - *${as_nl}*) - case $ac_var in #( -- *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5 --echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;; -+ *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 -+$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; - esac - case $ac_var in #( - _ | IFS | as_nl) ;; #( -- *) $as_unset $ac_var ;; -+ BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( -+ *) { eval $ac_var=; unset $ac_var;} ;; - esac ;; - esac - done -@@ -2704,8 +3319,8 @@ - (set) 2>&1 | - case $as_nl`(ac_space=' '; set) 2>&1` in #( - *${as_nl}ac_space=\ *) -- # `set' does not quote correctly, so add quotes (double-quote -- # substitution turns \\\\ into \\, and sed turns \\ into \). -+ # `set' does not quote correctly, so add quotes: double-quote -+ # substitution turns \\\\ into \\, and sed turns \\ into \. 
- sed -n \ - "s/'/'\\\\''/g; - s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" -@@ -2728,12 +3343,12 @@ - if diff "$cache_file" confcache >/dev/null 2>&1; then :; else - if test -w "$cache_file"; then - test "x$cache_file" != "x/dev/null" && -- { echo "$as_me:$LINENO: updating cache $cache_file" >&5 --echo "$as_me: updating cache $cache_file" >&6;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5 -+$as_echo "$as_me: updating cache $cache_file" >&6;} - cat confcache >$cache_file - else -- { echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5 --echo "$as_me: not updating unwritable cache $cache_file" >&6;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5 -+$as_echo "$as_me: not updating unwritable cache $cache_file" >&6;} - fi - fi - rm -f confcache -@@ -2750,6 +3365,12 @@ - # take arguments), then branch to the quote section. Otherwise, - # look for a macro that doesn't take arguments. - ac_script=' -+:mline -+/\\$/{ -+ N -+ s,\\\n,, -+ b mline -+} - t clear - :clear - s/^[ ]*#[ ]*define[ ][ ]*\([^ (][^ (]*([^)]*)\)[ ]*\(.*\)/-D\1=\2/g -@@ -2776,14 +3397,15 @@ - - ac_libobjs= - ac_ltlibobjs= -+U= - for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue - # 1. Remove the extension, and $U if already installed. - ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' -- ac_i=`echo "$ac_i" | sed "$ac_script"` -+ ac_i=`$as_echo "$ac_i" | sed "$ac_script"` - # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR - # will be set to the directory where LIBOBJS objects are built. 
-- ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext" -- ac_ltlibobjs="$ac_ltlibobjs \${LIBOBJDIR}$ac_i"'$U.lo' -+ as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext" -+ as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo' - done - LIBOBJS=$ac_libobjs - -@@ -2792,11 +3414,13 @@ - - - : ${CONFIG_STATUS=./config.status} -+ac_write_fail=0 - ac_clean_files_save=$ac_clean_files - ac_clean_files="$ac_clean_files $CONFIG_STATUS" --{ echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5 --echo "$as_me: creating $CONFIG_STATUS" >&6;} --cat >$CONFIG_STATUS <<_ACEOF -+{ $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5 -+$as_echo "$as_me: creating $CONFIG_STATUS" >&6;} -+as_write_fail=0 -+cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1 - #! $SHELL - # Generated by $as_me. - # Run this file to recreate the current configuration. -@@ -2806,59 +3430,79 @@ - debug=false - ac_cs_recheck=false - ac_cs_silent=false --SHELL=\${CONFIG_SHELL-$SHELL} --_ACEOF - --cat >>$CONFIG_STATUS <<\_ACEOF --## --------------------- ## --## M4sh Initialization. ## --## --------------------- ## -+SHELL=\${CONFIG_SHELL-$SHELL} -+export SHELL -+_ASEOF -+cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1 -+## -------------------- ## -+## M4sh Initialization. ## -+## -------------------- ## - - # Be more Bourne compatible - DUALCASE=1; export DUALCASE # for MKS sh --if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then -+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : - emulate sh - NULLCMD=: -- # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which -+ # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which - # is contrary to our usage. Disable this feature. 
- alias -g '${1+"$@"}'='"$@"' - setopt NO_GLOB_SUBST - else -- case `(set -o) 2>/dev/null` in -- *posix*) set -o posix ;; -+ case `(set -o) 2>/dev/null` in #( -+ *posix*) : -+ set -o posix ;; #( -+ *) : -+ ;; - esac -- - fi - - -- -- --# PATH needs CR --# Avoid depending upon Character Ranges. --as_cr_letters='abcdefghijklmnopqrstuvwxyz' --as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' --as_cr_Letters=$as_cr_letters$as_cr_LETTERS --as_cr_digits='0123456789' --as_cr_alnum=$as_cr_Letters$as_cr_digits -- --# The user is always right. --if test "${PATH_SEPARATOR+set}" != set; then -- echo "#! /bin/sh" >conf$$.sh -- echo "exit 0" >>conf$$.sh -- chmod +x conf$$.sh -- if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then -- PATH_SEPARATOR=';' -+as_nl=' -+' -+export as_nl -+# Printing a long string crashes Solaris 7 /usr/bin/printf. -+as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' -+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo -+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo -+# Prefer a ksh shell builtin over an external printf program on Solaris, -+# but without wasting forks for bash or zsh. 
-+if test -z "$BASH_VERSION$ZSH_VERSION" \ -+ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then -+ as_echo='print -r --' -+ as_echo_n='print -rn --' -+elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then -+ as_echo='printf %s\n' -+ as_echo_n='printf %s' -+else -+ if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then -+ as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' -+ as_echo_n='/usr/ucb/echo -n' - else -- PATH_SEPARATOR=: -+ as_echo_body='eval expr "X$1" : "X\\(.*\\)"' -+ as_echo_n_body='eval -+ arg=$1; -+ case $arg in #( -+ *"$as_nl"*) -+ expr "X$arg" : "X\\(.*\\)$as_nl"; -+ arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; -+ esac; -+ expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" -+ ' -+ export as_echo_n_body -+ as_echo_n='sh -c $as_echo_n_body as_echo' - fi -- rm -f conf$$.sh -+ export as_echo_body -+ as_echo='sh -c $as_echo_body as_echo' - fi - --# Support unset when possible. --if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then -- as_unset=unset --else -- as_unset=false -+# The user is always right. -+if test "${PATH_SEPARATOR+set}" != set; then -+ PATH_SEPARATOR=: -+ (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { -+ (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || -+ PATH_SEPARATOR=';' -+ } - fi - - -@@ -2867,20 +3511,18 @@ - # there to prevent editors from complaining about space-tab. - # (If _AS_PATH_WALK were called with IFS unset, it would disable word - # splitting by setting IFS to empty value.) --as_nl=' --' - IFS=" "" $as_nl" - - # Find who we are. Look in the path if we contain no directory separator. --case $0 in -+case $0 in #(( - *[\\/]* ) as_myself=$0 ;; - *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR - for as_dir in $PATH - do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. 
-- test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break --done -+ test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break -+ done - IFS=$as_save_IFS - - ;; -@@ -2891,32 +3533,111 @@ - as_myself=$0 - fi - if test ! -f "$as_myself"; then -- echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 -- { (exit 1); exit 1; } -+ $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 -+ exit 1 - fi - --# Work around bugs in pre-3.0 UWIN ksh. --for as_var in ENV MAIL MAILPATH --do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var -+# Unset variables that we do not need and which cause bugs (e.g. in -+# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" -+# suppresses any "Segmentation fault" message there. '((' could -+# trigger a bug in pdksh 5.2.14. -+for as_var in BASH_ENV ENV MAIL MAILPATH -+do eval test x\${$as_var+set} = xset \ -+ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : - done - PS1='$ ' - PS2='> ' - PS4='+ ' - - # NLS nuisances. --for as_var in \ -- LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \ -- LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \ -- LC_TELEPHONE LC_TIME --do -- if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then -- eval $as_var=C; export $as_var -- else -- ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var -+LC_ALL=C -+export LC_ALL -+LANGUAGE=C -+export LANGUAGE -+ -+# CDPATH. -+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH -+ -+ -+# as_fn_error STATUS ERROR [LINENO LOG_FD] -+# ---------------------------------------- -+# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are -+# provided, also output the error to LOG_FD, referencing LINENO. Then exit the -+# script with STATUS, using 1 if that was 0. 
-+as_fn_error () -+{ -+ as_status=$1; test $as_status -eq 0 && as_status=1 -+ if test "$4"; then -+ as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack -+ $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 - fi --done -+ $as_echo "$as_me: error: $2" >&2 -+ as_fn_exit $as_status -+} # as_fn_error -+ -+ -+# as_fn_set_status STATUS -+# ----------------------- -+# Set $? to STATUS, without forking. -+as_fn_set_status () -+{ -+ return $1 -+} # as_fn_set_status -+ -+# as_fn_exit STATUS -+# ----------------- -+# Exit the shell with STATUS, even in a "trap 0" or "set -e" context. -+as_fn_exit () -+{ -+ set +e -+ as_fn_set_status $1 -+ exit $1 -+} # as_fn_exit -+ -+# as_fn_unset VAR -+# --------------- -+# Portably unset VAR. -+as_fn_unset () -+{ -+ { eval $1=; unset $1;} -+} -+as_unset=as_fn_unset -+# as_fn_append VAR VALUE -+# ---------------------- -+# Append the text in VALUE to the end of the definition contained in VAR. Take -+# advantage of any shell optimizations that allow amortized linear growth over -+# repeated appends, instead of the typical quadratic growth present in naive -+# implementations. -+if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : -+ eval 'as_fn_append () -+ { -+ eval $1+=\$2 -+ }' -+else -+ as_fn_append () -+ { -+ eval $1=\$$1\$2 -+ } -+fi # as_fn_append -+ -+# as_fn_arith ARG... -+# ------------------ -+# Perform arithmetic evaluation on the ARGs, and store the result in the -+# global $as_val. Take advantage of shells that can avoid forks. The arguments -+# must be portable across $(()) and expr. -+if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : -+ eval 'as_fn_arith () -+ { -+ as_val=$(( $* )) -+ }' -+else -+ as_fn_arith () -+ { -+ as_val=`expr "$@" || test $? -eq 1` -+ } -+fi # as_fn_arith -+ - --# Required to use basename. 
- if expr a : '\(a\)' >/dev/null 2>&1 && - test "X`expr 00001 : '.*\(...\)'`" = X001; then - as_expr=expr -@@ -2930,13 +3651,17 @@ - as_basename=false - fi - -+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then -+ as_dirname=dirname -+else -+ as_dirname=false -+fi - --# Name of the executable. - as_me=`$as_basename -- "$0" || - $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ - X"$0" : 'X\(//\)$' \| \ - X"$0" : 'X\(/\)' \| . 2>/dev/null || --echo X/"$0" | -+$as_echo X/"$0" | - sed '/^.*\/\([^/][^/]*\)\/*$/{ - s//\1/ - q -@@ -2951,104 +3676,103 @@ - } - s/.*/./; q'` - --# CDPATH. --$as_unset CDPATH -- -- -- -- as_lineno_1=$LINENO -- as_lineno_2=$LINENO -- test "x$as_lineno_1" != "x$as_lineno_2" && -- test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || { -- -- # Create $as_me.lineno as a copy of $as_myself, but with $LINENO -- # uniformly replaced by the line number. The first 'sed' inserts a -- # line-number line after each line using $LINENO; the second 'sed' -- # does the real work. The second script uses 'N' to pair each -- # line-number line with the line containing $LINENO, and appends -- # trailing '-' during substitution so that $LINENO is not a special -- # case at line end. -- # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the -- # scripts with optimization help from Paolo Bonzini. Blame Lee -- # E. McMahon (1931-1989) for sed's syntax. :-) -- sed -n ' -- p -- /[$]LINENO/= -- ' <$as_myself | -- sed ' -- s/[$]LINENO.*/&-/ -- t lineno -- b -- :lineno -- N -- :loop -- s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ -- t loop -- s/-\n.*// -- ' >$as_me.lineno && -- chmod +x "$as_me.lineno" || -- { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2 -- { (exit 1); exit 1; }; } -- -- # Don't try to exec as it changes $[0], causing all sort of problems -- # (the dirname of $[0] is not the place where we might find the -- # original and so on. Autoconf is especially sensitive to this). -- . 
"./$as_me.lineno" -- # Exit status is that of the last command. -- exit --} -- -- --if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then -- as_dirname=dirname --else -- as_dirname=false --fi -+# Avoid depending upon Character Ranges. -+as_cr_letters='abcdefghijklmnopqrstuvwxyz' -+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' -+as_cr_Letters=$as_cr_letters$as_cr_LETTERS -+as_cr_digits='0123456789' -+as_cr_alnum=$as_cr_Letters$as_cr_digits - - ECHO_C= ECHO_N= ECHO_T= --case `echo -n x` in -+case `echo -n x` in #((((( - -n*) -- case `echo 'x\c'` in -+ case `echo 'xy\c'` in - *c*) ECHO_T=' ';; # ECHO_T is single tab character. -- *) ECHO_C='\c';; -+ xy) ECHO_C='\c';; -+ *) echo `echo ksh88 bug on AIX 6.1` > /dev/null -+ ECHO_T=' ';; - esac;; - *) - ECHO_N='-n';; - esac - --if expr a : '\(a\)' >/dev/null 2>&1 && -- test "X`expr 00001 : '.*\(...\)'`" = X001; then -- as_expr=expr --else -- as_expr=false --fi -- - rm -f conf$$ conf$$.exe conf$$.file - if test -d conf$$.dir; then - rm -f conf$$.dir/conf$$.file - else - rm -f conf$$.dir -- mkdir conf$$.dir -+ mkdir conf$$.dir 2>/dev/null - fi --echo >conf$$.file --if ln -s conf$$.file conf$$ 2>/dev/null; then -- as_ln_s='ln -s' -- # ... but there are two gotchas: -- # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. -- # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. -- # In both cases, we have to default to `cp -p'. -- ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || -+if (echo >conf$$.file) 2>/dev/null; then -+ if ln -s conf$$.file conf$$ 2>/dev/null; then -+ as_ln_s='ln -s' -+ # ... but there are two gotchas: -+ # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. -+ # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. -+ # In both cases, we have to default to `cp -p'. -+ ln -s conf$$.file conf$$.dir 2>/dev/null && test ! 
-f conf$$.exe || -+ as_ln_s='cp -p' -+ elif ln conf$$.file conf$$ 2>/dev/null; then -+ as_ln_s=ln -+ else - as_ln_s='cp -p' --elif ln conf$$.file conf$$ 2>/dev/null; then -- as_ln_s=ln -+ fi - else - as_ln_s='cp -p' - fi - rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file - rmdir conf$$.dir 2>/dev/null - -+ -+# as_fn_mkdir_p -+# ------------- -+# Create "$as_dir" as a directory, including parents if necessary. -+as_fn_mkdir_p () -+{ -+ -+ case $as_dir in #( -+ -*) as_dir=./$as_dir;; -+ esac -+ test -d "$as_dir" || eval $as_mkdir_p || { -+ as_dirs= -+ while :; do -+ case $as_dir in #( -+ *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( -+ *) as_qdir=$as_dir;; -+ esac -+ as_dirs="'$as_qdir' $as_dirs" -+ as_dir=`$as_dirname -- "$as_dir" || -+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ -+ X"$as_dir" : 'X\(//\)[^/]' \| \ -+ X"$as_dir" : 'X\(//\)$' \| \ -+ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || -+$as_echo X"$as_dir" | -+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ -+ s//\1/ -+ q -+ } -+ /^X\(\/\/\)[^/].*/{ -+ s//\1/ -+ q -+ } -+ /^X\(\/\/\)$/{ -+ s//\1/ -+ q -+ } -+ /^X\(\/\).*/{ -+ s//\1/ -+ q -+ } -+ s/.*/./; q'` -+ test -d "$as_dir" && break -+ done -+ test -z "$as_dirs" || eval "mkdir $as_dirs" -+ } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" -+ -+ -+} # as_fn_mkdir_p - if mkdir -p . 2>/dev/null; then -- as_mkdir_p=: -+ as_mkdir_p='mkdir -p "$as_dir"' - else - test -d ./-p && rmdir ./-p - as_mkdir_p=false -@@ -3065,12 +3789,12 @@ - as_test_x=' - eval sh -c '\'' - if test -d "$1"; then -- test -d "$1/."; -+ test -d "$1/."; - else -- case $1 in -- -*)set "./$1";; -+ case $1 in #( -+ -*)set "./$1";; - esac; -- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in -+ case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( - ???[sx]*):;;*)false;;esac;fi - '\'' sh - ' -@@ -3085,13 +3809,19 @@ - - - exec 6>&1 -+## ----------------------------------- ## -+## Main body of $CONFIG_STATUS script. 
## -+## ----------------------------------- ## -+_ASEOF -+test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1 - --# Save the log message, to keep $[0] and so on meaningful, and to -+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -+# Save the log message, to keep $0 and so on meaningful, and to - # report actual input values of CONFIG_FILES etc. instead of their - # values after options handling. - ac_log=" - This file was extended by $as_me, which was --generated by GNU Autoconf 2.61. Invocation command line was -+generated by GNU Autoconf 2.67. Invocation command line was - - CONFIG_FILES = $CONFIG_FILES - CONFIG_HEADERS = $CONFIG_HEADERS -@@ -3104,59 +3834,74 @@ - - _ACEOF - --cat >>$CONFIG_STATUS <<_ACEOF -+case $ac_config_files in *" -+"*) set x $ac_config_files; shift; ac_config_files=$*;; -+esac -+ -+ -+ -+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 - # Files that config.status was made for. - config_files="$ac_config_files" - - _ACEOF - --cat >>$CONFIG_STATUS <<\_ACEOF -+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 - ac_cs_usage="\ --\`$as_me' instantiates files from templates according to the --current configuration. -+\`$as_me' instantiates files and other configuration actions -+from templates according to the current configuration. Unless the files -+and actions are specified as TAGs, all are instantiated by default. - --Usage: $0 [OPTIONS] [FILE]... -+Usage: $0 [OPTION]... [TAG]... 
- - -h, --help print this help, then exit - -V, --version print version number and configuration settings, then exit -- -q, --quiet do not print progress messages -+ --config print configuration, then exit -+ -q, --quiet, --silent -+ do not print progress messages - -d, --debug don't remove temporary files - --recheck update $as_me by reconfiguring in the same conditions -- --file=FILE[:TEMPLATE] -- instantiate the configuration file FILE -+ --file=FILE[:TEMPLATE] -+ instantiate the configuration file FILE - - Configuration files: - $config_files - --Report bugs to ." -+Report bugs to the package provider." - - _ACEOF --cat >>$CONFIG_STATUS <<_ACEOF -+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -+ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" - ac_cs_version="\\ - config.status --configured by $0, generated by GNU Autoconf 2.61, -- with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\" -+configured by $0, generated by GNU Autoconf 2.67, -+ with options \\"\$ac_cs_config\\" - --Copyright (C) 2006 Free Software Foundation, Inc. -+Copyright (C) 2010 Free Software Foundation, Inc. - This config.status script is free software; the Free Software Foundation - gives unlimited permission to copy, distribute and modify it." - - ac_pwd='$ac_pwd' - srcdir='$srcdir' -+test -n "\$AWK" || AWK=awk - _ACEOF - --cat >>$CONFIG_STATUS <<\_ACEOF --# If no file are specified by the user, then we need to provide default --# value. By we need to know if files were specified by the user. -+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -+# The default lists apply if the user does not specify any file. 
- ac_need_defaults=: - while test $# != 0 - do - case $1 in -- --*=*) -+ --*=?*) - ac_option=`expr "X$1" : 'X\([^=]*\)='` - ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` - ac_shift=: - ;; -+ --*=) -+ ac_option=`expr "X$1" : 'X\([^=]*\)='` -+ ac_optarg= -+ ac_shift=: -+ ;; - *) - ac_option=$1 - ac_optarg=$2 -@@ -3169,25 +3914,30 @@ - -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) - ac_cs_recheck=: ;; - --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) -- echo "$ac_cs_version"; exit ;; -+ $as_echo "$ac_cs_version"; exit ;; -+ --config | --confi | --conf | --con | --co | --c ) -+ $as_echo "$ac_cs_config"; exit ;; - --debug | --debu | --deb | --de | --d | -d ) - debug=: ;; - --file | --fil | --fi | --f ) - $ac_shift -- CONFIG_FILES="$CONFIG_FILES $ac_optarg" -+ case $ac_optarg in -+ *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; -+ '') as_fn_error $? "missing file argument" ;; -+ esac -+ as_fn_append CONFIG_FILES " '$ac_optarg'" - ac_need_defaults=false;; - --he | --h | --help | --hel | -h ) -- echo "$ac_cs_usage"; exit ;; -+ $as_echo "$ac_cs_usage"; exit ;; - -q | -quiet | --quiet | --quie | --qui | --qu | --q \ - | -silent | --silent | --silen | --sile | --sil | --si | --s) - ac_cs_silent=: ;; - - # This is an error. -- -*) { echo "$as_me: error: unrecognized option: $1 --Try \`$0 --help' for more information." >&2 -- { (exit 1); exit 1; }; } ;; -+ -*) as_fn_error $? "unrecognized option: \`$1' -+Try \`$0 --help' for more information." 
;; - -- *) ac_config_targets="$ac_config_targets $1" -+ *) as_fn_append ac_config_targets " $1" - ac_need_defaults=false ;; - - esac -@@ -3202,30 +3952,32 @@ - fi - - _ACEOF --cat >>$CONFIG_STATUS <<_ACEOF -+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 - if \$ac_cs_recheck; then -- echo "running CONFIG_SHELL=$SHELL $SHELL $0 "$ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6 -- CONFIG_SHELL=$SHELL -+ set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion -+ shift -+ \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 -+ CONFIG_SHELL='$SHELL' - export CONFIG_SHELL -- exec $SHELL "$0"$ac_configure_args \$ac_configure_extra_args --no-create --no-recursion -+ exec "\$@" - fi - - _ACEOF --cat >>$CONFIG_STATUS <<\_ACEOF -+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 - exec 5>>config.log - { - echo - sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX - ## Running $as_me. ## - _ASBOX -- echo "$ac_log" -+ $as_echo "$ac_log" - } >&5 - - _ACEOF --cat >>$CONFIG_STATUS <<_ACEOF -+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 - _ACEOF - --cat >>$CONFIG_STATUS <<\_ACEOF -+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 - - # Handling of arguments. - for ac_config_target in $ac_config_targets -@@ -3233,9 +3985,7 @@ - case $ac_config_target in - "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; - -- *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5 --echo "$as_me: error: invalid argument: $ac_config_target" >&2;} -- { (exit 1); exit 1; }; };; -+ *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5 ;; - esac - done - -@@ -3260,7 +4010,7 @@ - trap 'exit_status=$? - { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status - ' 0 -- trap '{ (exit 1); exit 1; }' 1 2 13 15 -+ trap 'as_fn_exit 1' 1 2 13 15 - } - # Create a (secure) tmp directory for tmp files. 
- -@@ -3271,145 +4021,177 @@ - { - tmp=./conf$$-$RANDOM - (umask 077 && mkdir "$tmp") --} || --{ -- echo "$me: cannot create a temporary directory in ." >&2 -- { (exit 1); exit 1; } --} -- --# --# Set up the sed scripts for CONFIG_FILES section. --# -+} || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5 - --# No need to generate the scripts if there are no CONFIG_FILES. --# This happens for instance when ./config.status config.h -+# Set up the scripts for CONFIG_FILES section. -+# No need to generate them if there are no CONFIG_FILES. -+# This happens for instance with `./config.status config.h'. - if test -n "$CONFIG_FILES"; then - --_ACEOF - -+ac_cr=`echo X | tr X '\015'` -+# On cygwin, bash can eat \r inside `` if the user requested igncr. -+# But we know of no other shell where ac_cr would be empty at this -+# point, so we can use a bashism as a fallback. -+if test "x$ac_cr" = x; then -+ eval ac_cr=\$\'\\r\' -+fi -+ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' /dev/null` -+if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then -+ ac_cs_awk_cr='\\r' -+else -+ ac_cs_awk_cr=$ac_cr -+fi -+ -+echo 'BEGIN {' >"$tmp/subs1.awk" && -+_ACEOF - - -+{ -+ echo "cat >conf$$subs.awk <<_ACEOF" && -+ echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' && -+ echo "_ACEOF" -+} >conf$$subs.sh || -+ as_fn_error $? 
"could not make $CONFIG_STATUS" "$LINENO" 5 -+ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'` - ac_delim='%!_!# ' - for ac_last_try in false false false false false :; do -- cat >conf$$subs.sed <<_ACEOF --SHELL!$SHELL$ac_delim --PATH_SEPARATOR!$PATH_SEPARATOR$ac_delim --PACKAGE_NAME!$PACKAGE_NAME$ac_delim --PACKAGE_TARNAME!$PACKAGE_TARNAME$ac_delim --PACKAGE_VERSION!$PACKAGE_VERSION$ac_delim --PACKAGE_STRING!$PACKAGE_STRING$ac_delim --PACKAGE_BUGREPORT!$PACKAGE_BUGREPORT$ac_delim --exec_prefix!$exec_prefix$ac_delim --prefix!$prefix$ac_delim --program_transform_name!$program_transform_name$ac_delim --bindir!$bindir$ac_delim --sbindir!$sbindir$ac_delim --libexecdir!$libexecdir$ac_delim --datarootdir!$datarootdir$ac_delim --datadir!$datadir$ac_delim --sysconfdir!$sysconfdir$ac_delim --sharedstatedir!$sharedstatedir$ac_delim --localstatedir!$localstatedir$ac_delim --includedir!$includedir$ac_delim --oldincludedir!$oldincludedir$ac_delim --docdir!$docdir$ac_delim --infodir!$infodir$ac_delim --htmldir!$htmldir$ac_delim --dvidir!$dvidir$ac_delim --pdfdir!$pdfdir$ac_delim --psdir!$psdir$ac_delim --libdir!$libdir$ac_delim --localedir!$localedir$ac_delim --mandir!$mandir$ac_delim --DEFS!$DEFS$ac_delim --ECHO_C!$ECHO_C$ac_delim --ECHO_N!$ECHO_N$ac_delim --ECHO_T!$ECHO_T$ac_delim --LIBS!$LIBS$ac_delim --build_alias!$build_alias$ac_delim --host_alias!$host_alias$ac_delim --target_alias!$target_alias$ac_delim --CC!$CC$ac_delim --CFLAGS!$CFLAGS$ac_delim --LDFLAGS!$LDFLAGS$ac_delim --CPPFLAGS!$CPPFLAGS$ac_delim --ac_ct_CC!$ac_ct_CC$ac_delim --EXEEXT!$EXEEXT$ac_delim --OBJEXT!$OBJEXT$ac_delim --eap_tnc_cflags!$eap_tnc_cflags$ac_delim --eap_tnc_ldflags!$eap_tnc_ldflags$ac_delim --targetname!$targetname$ac_delim --LIBOBJS!$LIBOBJS$ac_delim --LTLIBOBJS!$LTLIBOBJS$ac_delim --_ACEOF -+ . ./conf$$subs.sh || -+ as_fn_error $? 
"could not make $CONFIG_STATUS" "$LINENO" 5 - -- if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 49; then -+ ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` -+ if test $ac_delim_n = $ac_delim_num; then - break - elif $ac_last_try; then -- { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 --echo "$as_me: error: could not make $CONFIG_STATUS" >&2;} -- { (exit 1); exit 1; }; } -+ as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 - else - ac_delim="$ac_delim!$ac_delim _$ac_delim!! " - fi - done -+rm -f conf$$subs.sh - --ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed` --if test -n "$ac_eof"; then -- ac_eof=`echo "$ac_eof" | sort -nru | sed 1q` -- ac_eof=`expr $ac_eof + 1` --fi -- --cat >>$CONFIG_STATUS <<_ACEOF --cat >"\$tmp/subs-1.sed" <<\CEOF$ac_eof --/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end --_ACEOF --sed ' --s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g --s/^/s,@/; s/!/@,|#_!!_#|/ --:n --t n --s/'"$ac_delim"'$/,g/; t --s/$/\\/; p --N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n --' >>$CONFIG_STATUS >$CONFIG_STATUS <<_ACEOF --:end --s/|#_!!_#|//g --CEOF$ac_eof -+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -+cat >>"\$tmp/subs1.awk" <<\\_ACAWK && - _ACEOF -+sed -n ' -+h -+s/^/S["/; s/!.*/"]=/ -+p -+g -+s/^[^!]*!// -+:repl -+t repl -+s/'"$ac_delim"'$// -+t delim -+:nl -+h -+s/\(.\{148\}\)..*/\1/ -+t more1 -+s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ -+p -+n -+b repl -+:more1 -+s/["\\]/\\&/g; s/^/"/; s/$/"\\/ -+p -+g -+s/.\{148\}// -+t nl -+:delim -+h -+s/\(.\{148\}\)..*/\1/ -+t more2 -+s/["\\]/\\&/g; s/^/"/; s/$/"/ -+p -+b -+:more2 -+s/["\\]/\\&/g; s/^/"/; s/$/"\\/ -+p -+g -+s/.\{148\}// -+t delim -+' >$CONFIG_STATUS || ac_write_fail=1 -+rm -f conf$$subs.awk -+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -+_ACAWK -+cat >>"\$tmp/subs1.awk" <<_ACAWK && -+ for (key in S) S_is_set[key] = 1 -+ FS = "" -+ -+} -+{ -+ line = $ 0 -+ nfields = split(line, field, "@") -+ substed = 0 -+ len = length(field[1]) -+ for (i = 
2; i < nfields; i++) { -+ key = field[i] -+ keylen = length(key) -+ if (S_is_set[key]) { -+ value = S[key] -+ line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3) -+ len += length(value) + length(field[++i]) -+ substed = 1 -+ } else -+ len += 1 + keylen -+ } -+ -+ print line -+} - -+_ACAWK -+_ACEOF -+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -+if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then -+ sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g" -+else -+ cat -+fi < "$tmp/subs1.awk" > "$tmp/subs.awk" \ -+ || as_fn_error $? "could not setup config files machinery" "$LINENO" 5 -+_ACEOF - --# VPATH may cause trouble with some makes, so we remove $(srcdir), --# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and -+# VPATH may cause trouble with some makes, so we remove sole $(srcdir), -+# ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and - # trailing colons and then remove the whole line if VPATH becomes empty - # (actually we leave an empty line to preserve line numbers). - if test "x$srcdir" = x.; then -- ac_vpsub='/^[ ]*VPATH[ ]*=/{ --s/:*\$(srcdir):*/:/ --s/:*\${srcdir}:*/:/ --s/:*@srcdir@:*/:/ --s/^\([^=]*=[ ]*\):*/\1/ -+ ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{ -+h -+s/// -+s/^/:/ -+s/[ ]*$/:/ -+s/:\$(srcdir):/:/g -+s/:\${srcdir}:/:/g -+s/:@srcdir@:/:/g -+s/^:*// - s/:*$// -+x -+s/\(=[ ]*\).*/\1/ -+G -+s/\n// - s/^[^=]*=[ ]*$// - }' - fi - --cat >>$CONFIG_STATUS <<\_ACEOF -+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 - fi # test -n "$CONFIG_FILES" - - --for ac_tag in :F $CONFIG_FILES -+eval set X " :F $CONFIG_FILES " -+shift -+for ac_tag - do - case $ac_tag in - :[FHLC]) ac_mode=$ac_tag; continue;; - esac - case $ac_mode$ac_tag in - :[FHL]*:*);; -- :L* | :C*:*) { { echo "$as_me:$LINENO: error: Invalid tag $ac_tag." >&5 --echo "$as_me: error: Invalid tag $ac_tag." >&2;} -- { (exit 1); exit 1; }; };; -+ :L* | :C*:*) as_fn_error $? 
"invalid tag \`$ac_tag'" "$LINENO" 5 ;; - :[FH]-) ac_tag=-:-;; - :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; - esac -@@ -3437,26 +4219,34 @@ - [\\/$]*) false;; - *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; - esac || -- { { echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5 --echo "$as_me: error: cannot find input file: $ac_f" >&2;} -- { (exit 1); exit 1; }; };; -+ as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5 ;; - esac -- ac_file_inputs="$ac_file_inputs $ac_f" -+ case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac -+ as_fn_append ac_file_inputs " '$ac_f'" - done - - # Let's still pretend it is `configure' which instantiates (i.e., don't - # use $as_me), people would be surprised to read: - # /* config.h. Generated by config.status. */ -- configure_input="Generated from "`IFS=: -- echo $* | sed 's|^[^:]*/||;s|:[^:]*/|, |g'`" by configure." -+ configure_input='Generated from '` -+ $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g' -+ `' by configure.' - if test x"$ac_file" != x-; then - configure_input="$ac_file. $configure_input" -- { echo "$as_me:$LINENO: creating $ac_file" >&5 --echo "$as_me: creating $ac_file" >&6;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5 -+$as_echo "$as_me: creating $ac_file" >&6;} - fi -+ # Neutralize special characters interpreted by sed in replacement strings. -+ case $configure_input in #( -+ *\&* | *\|* | *\\* ) -+ ac_sed_conf_input=`$as_echo "$configure_input" | -+ sed 's/[\\\\&|]/\\\\&/g'`;; #( -+ *) ac_sed_conf_input=$configure_input;; -+ esac - - case $ac_tag in -- *:-:* | *:-) cat >"$tmp/stdin";; -+ *:-:* | *:-) cat >"$tmp/stdin" \ -+ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; - esac - ;; - esac -@@ -3466,42 +4256,7 @@ - X"$ac_file" : 'X\(//\)[^/]' \| \ - X"$ac_file" : 'X\(//\)$' \| \ - X"$ac_file" : 'X\(/\)' \| . 
2>/dev/null || --echo X"$ac_file" | -- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ -- s//\1/ -- q -- } -- /^X\(\/\/\)[^/].*/{ -- s//\1/ -- q -- } -- /^X\(\/\/\)$/{ -- s//\1/ -- q -- } -- /^X\(\/\).*/{ -- s//\1/ -- q -- } -- s/.*/./; q'` -- { as_dir="$ac_dir" -- case $as_dir in #( -- -*) as_dir=./$as_dir;; -- esac -- test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || { -- as_dirs= -- while :; do -- case $as_dir in #( -- *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #( -- *) as_qdir=$as_dir;; -- esac -- as_dirs="'$as_qdir' $as_dirs" -- as_dir=`$as_dirname -- "$as_dir" || --$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ -- X"$as_dir" : 'X\(//\)[^/]' \| \ -- X"$as_dir" : 'X\(//\)$' \| \ -- X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || --echo X"$as_dir" | -+$as_echo X"$ac_file" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q -@@ -3519,20 +4274,15 @@ - q - } - s/.*/./; q'` -- test -d "$as_dir" && break -- done -- test -z "$as_dirs" || eval "mkdir $as_dirs" -- } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5 --echo "$as_me: error: cannot create directory $as_dir" >&2;} -- { (exit 1); exit 1; }; }; } -+ as_dir="$ac_dir"; as_fn_mkdir_p - ac_builddir=. - - case "$ac_dir" in - .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; - *) -- ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'` -+ ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` - # A ".." for each directory in $ac_dir_suffix. -- ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'` -+ ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` - case $ac_top_builddir_sub in - "") ac_top_builddir_sub=. ac_top_build_prefix= ;; - *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; -@@ -3568,12 +4318,12 @@ - - _ACEOF - --cat >>$CONFIG_STATUS <<\_ACEOF -+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 - # If the template does not know about datarootdir, expand it. 
- # FIXME: This hack should be removed a few years after 2.60. - ac_datarootdir_hack=; ac_datarootdir_seen= -- --case `sed -n '/datarootdir/ { -+ac_sed_dataroot=' -+/datarootdir/ { - p - q - } -@@ -3581,36 +4331,37 @@ - /@docdir@/p - /@infodir@/p - /@localedir@/p --/@mandir@/p --' $ac_file_inputs` in -+/@mandir@/p' -+case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in - *datarootdir*) ac_datarootdir_seen=yes;; - *@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) -- { echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 --echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 -+$as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} - _ACEOF --cat >>$CONFIG_STATUS <<_ACEOF -+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 - ac_datarootdir_hack=' - s&@datadir@&$datadir&g - s&@docdir@&$docdir&g - s&@infodir@&$infodir&g - s&@localedir@&$localedir&g - s&@mandir@&$mandir&g -- s&\\\${datarootdir}&$datarootdir&g' ;; -+ s&\\\${datarootdir}&$datarootdir&g' ;; - esac - _ACEOF - - # Neutralize VPATH when `$srcdir' = `.'. - # Shell code in configure.ac might set extrasub. - # FIXME: do we really want to maintain this feature? 
--cat >>$CONFIG_STATUS <<_ACEOF -- sed "$ac_vpsub -+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -+ac_sed_extra="$ac_vpsub - $extrasub - _ACEOF --cat >>$CONFIG_STATUS <<\_ACEOF -+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 - :t - /@[a-zA-Z_][a-zA-Z_0-9]*@/!b --s&@configure_input@&$configure_input&;t t -+s|@configure_input@|$ac_sed_conf_input|;t t - s&@top_builddir@&$ac_top_builddir_sub&;t t -+s&@top_build_prefix@&$ac_top_build_prefix&;t t - s&@srcdir@&$ac_srcdir&;t t - s&@abs_srcdir@&$ac_abs_srcdir&;t t - s&@top_srcdir@&$ac_top_srcdir&;t t -@@ -3619,21 +4370,24 @@ - s&@abs_builddir@&$ac_abs_builddir&;t t - s&@abs_top_builddir@&$ac_abs_top_builddir&;t t - $ac_datarootdir_hack --" $ac_file_inputs | sed -f "$tmp/subs-1.sed" >$tmp/out -+" -+eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$tmp/subs.awk" >$tmp/out \ -+ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 - - test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && - { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } && - { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } && -- { echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir' --which seems to be undefined. Please make sure it is defined." >&5 --echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' --which seems to be undefined. Please make sure it is defined." >&2;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir' -+which seems to be undefined. Please make sure it is defined" >&5 -+$as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' -+which seems to be undefined. 
Please make sure it is defined" >&2;} - - rm -f "$tmp/stdin" - case $ac_file in -- -) cat "$tmp/out"; rm -f "$tmp/out";; -- *) rm -f "$ac_file"; mv "$tmp/out" $ac_file;; -- esac -+ -) cat "$tmp/out" && rm -f "$tmp/out";; -+ *) rm -f "$ac_file" && mv "$tmp/out" "$ac_file";; -+ esac \ -+ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 - ;; - - -@@ -3643,11 +4397,13 @@ - done # for ac_tag - - --{ (exit 0); exit 0; } -+as_fn_exit 0 - _ACEOF --chmod +x $CONFIG_STATUS - ac_clean_files=$ac_clean_files_save - -+test $ac_write_fail = 0 || -+ as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5 -+ - - # configure is writing to config.log, and then calls config.status. - # config.status does its own redirection, appending to config.log. -@@ -3667,7 +4423,10 @@ - exec 5>>config.log - # Use ||, not &&, to avoid exiting from the if with $? = 1, which - # would make configure fail if this is the last instruction. -- $ac_cs_success || { (exit 1); exit 1; } -+ $ac_cs_success || as_fn_exit 1 -+fi -+if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 -+$as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} - fi -- - -diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in ---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in 2012-09-10 13:51:34.000000000 +0200 -+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in 2012-12-04 19:38:00.241420966 +0100 -@@ -2,12 +2,21 @@ - AC_REVISION($Revision$) - AC_DEFUN(modname,[rlm_eap_tnc]) - -+eap_tnc_cflags= -+eap_tnc_ldflags=-lnaaeap -+ - if test x$with_[]modname != xno; then - -- AC_CHECK_LIB(TNCS, exchangeTNCCSMessages) -- if test "x$ac_cv_lib_tncs_exchangetnccsmessages" != xyes; then -- 
AC_MSG_WARN([the TNCS library isn't found!]) -- fail="$fail -lTNCS" -+ AC_CHECK_LIB(naaeap,processEAPTNCData,,fail="$fail -lnaaeap",) -+ if test -x"$ac_cv_lib_NAAEAP_processEAPTNCData" == -x"no"; then -+ AC_MSG_WARN([the NAAEAP library was not found!]) -+ fail="$fail -lNAAEAP" -+ fi -+ -+ AC_CHECK_HEADERS(naaeap/naaeap.h,,fail="$fail -Inaaeap.h",) -+ if test -x"$ac_cv_header_naaeap_h" == -x"no"; then -+ AC_MSG_WARN([the naaeap header was not found!]) -+ fail="$fail -Inaaeap.h" - fi - - targetname=modname -diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c ---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c 2012-09-10 13:51:34.000000000 +0200 -+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c 2012-12-04 19:38:00.241420966 +0100 -@@ -1,12 +1,12 @@ - /* - * eap_tnc.c EAP TNC functionality. - * -- * This software is Copyright (C) 2006,2007 FH Hannover -+ * This software is Copyright (C) 2006-2009 FH Hannover - * - * Portions of this code unrelated to FreeRADIUS are available - * separately under a commercial license. If you require an - * implementation of EAP-TNC that is not under the GPLv2, please -- * contact tnc@inform.fh-hannover.de for details. -+ * contact trust@f4-i.fh-hannover.de for details. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by -@@ -23,230 +23,41 @@ - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA - * - */ --#include --RCSID("$Id: 213ede51c46a8c533961be8715395c0ab1f6b5c9 $") -- -- --/* -- * -- * MD5 Packet Format in EAP Type-Data -- * --- ------ ------ -- --- --------- -- * 0 1 2 3 -- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 -- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- * | Value-Size | Value ... 
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- * | Name ... -- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- * -- * EAP-TNC Packet Format in EAP Type-Data -- * -- * 0 1 2 3 -- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 -- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- * | Flags |Ver | Data Length ... -- * |L M S R R|=1 | -- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- * |... | Data ... -- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- -- * -- */ -- - #include - #include - #include "eap.h" - - #include "eap_tnc.h" - -- /* -- * WTF is wrong with htonl ? -- */ --static uint32_t ByteSwap2 (uint32_t nLongNumber) --{ -- return (((nLongNumber&0x000000FF)<<24)+((nLongNumber&0x0000FF00)<<8)+ -- ((nLongNumber&0x00FF0000)>>8)+((nLongNumber&0xFF000000)>>24)); --} -- - /* -- * Allocate a new TNC_PACKET -+ * Forms an EAP_REQUEST packet from the EAP_TNC specific data. - */ --TNC_PACKET *eaptnc_alloc(void) -+int eaptnc_compose(EAP_HANDLER *handler, TNC_BufferReference request, TNC_UInt32 length, uint8_t code) - { -- TNC_PACKET *rp; -- -- if ((rp = malloc(sizeof(TNC_PACKET))) == NULL) { -- radlog(L_ERR, "rlm_eap_tnc: out of memory"); -- return NULL; -+ // check parameters -+ if(handler == NULL || (request == NULL && length != 0) || (request != NULL && length < 1) || code > PW_EAP_MAX_CODES){ -+ radlog(L_ERR, "rlm_eap_tnc: eaptnc_compose invalid parameters: handler == %p, request == %p, length == %lu, code == %u", handler, request, length, code); -+ return 0; - } -- memset(rp, 0, sizeof(TNC_PACKET)); -- return rp; --} -- --/* -- * Free TNC_PACKET -- */ --void eaptnc_free(TNC_PACKET **tnc_packet_ptr) --{ -- TNC_PACKET *tnc_packet; -- -- if (!tnc_packet_ptr) return; -- tnc_packet = *tnc_packet_ptr; -- if (tnc_packet == NULL) return; -- -- if (tnc_packet->data) free(tnc_packet->data); - -- free(tnc_packet); -- -- *tnc_packet_ptr = NULL; --} -- --/* -- * We expect only RESPONSE for which REQUEST, 
SUCCESS or FAILURE is sent back -- */ --TNC_PACKET *eaptnc_extract(EAP_DS *eap_ds) --{ -- tnc_packet_t *data; -- TNC_PACKET *packet; -- /* -- * We need a response, of type EAP-TNC -- */ -- if (!eap_ds || -- !eap_ds->response || -- (eap_ds->response->code != PW_TNC_RESPONSE) || -- eap_ds->response->type.type != PW_EAP_TNC || -- !eap_ds->response->type.data || -- (eap_ds->response->length <= TNC_HEADER_LEN) || -- (eap_ds->response->type.data[0] <= 0)) { -- radlog(L_ERR, "rlm_eap_tnc: corrupted data"); -- return NULL; -+ // further check parameters -+ if(handler->opaque == NULL || handler->eap_ds == NULL){ -+ radlog(L_ERR, "rlm_eap_tnc: eaptnc_compose invalid parameters: handler->opaque == %p, handler->eap_ds == %p", handler->opaque, handler->eap_ds); -+ return 0; - } -- packet = eaptnc_alloc(); -- if (!packet) return NULL; -- - -- packet->code = eap_ds->response->code; -- packet->id = eap_ds->response->id; -- packet->length = eap_ds->response->length; -- -- data = (tnc_packet_t *)eap_ds->response->type.data; -- /* -- * Already checked the size above. 
-- */ -- packet->flags_ver = data->flags_ver; -- unsigned char *ptr = (unsigned char*)data; -- -- -- DEBUG2("Flags/Ver: %x\n", packet->flags_ver); -- int thisDataLength; -- int dataStart; -- if(TNC_LENGTH_INCLUDED(packet->flags_ver)){ -- DEBUG2("data_length included\n"); --// memcpy(&packet->flags_ver[1], &data->flags_ver[1], 4); -- //packet->data_length = data->data_length; -- memcpy(&packet->data_length, &ptr[1], TNC_DATA_LENGTH_LENGTH); -- DEBUG2("data_length: %x\n", packet->data_length); -- DEBUG2("data_length: %d\n", packet->data_length); -- DEBUG2("data_length: %x\n", ByteSwap2(packet->data_length)); -- DEBUG2("data_length: %d\n", ByteSwap2(packet->data_length)); -- packet->data_length = ByteSwap2(packet->data_length); -- thisDataLength = packet->length-TNC_PACKET_LENGTH; //1: we need space for flags_ver -- dataStart = TNC_DATA_LENGTH_LENGTH+TNC_FLAGS_VERSION_LENGTH; -- }else{ -- DEBUG2("no data_length included\n"); -- thisDataLength = packet->length-TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH; -- packet->data_length = 0; -- dataStart = TNC_FLAGS_VERSION_LENGTH; -- -- } -- /* -- * Allocate room for the data, and copy over the data. 
-- */ -- packet->data = malloc(thisDataLength); -- if (packet->data == NULL) { -- radlog(L_ERR, "rlm_eap_tnc: out of memory"); -- eaptnc_free(&packet); -- return NULL; -+ if(handler->eap_ds->request == NULL){ -+ radlog(L_ERR, "rlm_eap_tnc: eaptnc_compose invalid parameters: handler->eap_ds->request == %p", handler->eap_ds->request); -+ return 0; - } -- -- memcpy(packet->data, &(eap_ds->response->type.data[dataStart]), thisDataLength); -- -- return packet; --} - -- --/* -- * Compose the portions of the reply packet specific to the -- * EAP-TNC protocol, in the EAP reply typedata -- */ --int eaptnc_compose(EAP_DS *eap_ds, TNC_PACKET *reply) --{ -- uint8_t *ptr; -- -- -- if (reply->code < 3) { -- //fill: EAP-Type (0x888e) -- eap_ds->request->type.type = PW_EAP_TNC; -- DEBUG2("TYPE: EAP-TNC set\n"); -- rad_assert(reply->length > 0); -- -- //alloc enough space for whole TNC-Packet (from Code on) -- eap_ds->request->type.data = calloc(reply->length, sizeof(unsigned char*)); -- DEBUG2("Malloc %d bytes for packet\n", reply->length); -- if (eap_ds->request->type.data == NULL) { -- radlog(L_ERR, "rlm_eap_tnc: out of memory"); -- return 0; -- } -- //put pointer at position where data starts (behind Type) -- ptr = eap_ds->request->type.data; -- //*ptr = (uint8_t)(reply->data_length & 0xFF); -- -- //ptr++; -- *ptr = reply->flags_ver; -- DEBUG2("Set Flags/Version: %d\n", *ptr); -- if(reply->data_length!=0){ -- DEBUG2("Set data-length: %d\n", reply->data_length); -- ptr++; //move to start-position of "data_length" -- DEBUG2("Set data-length: %x\n", reply->data_length); -- DEBUG2("Set data-length (swapped): %x\n", ByteSwap2(reply->data_length)); -- unsigned long swappedDataLength = ByteSwap2(reply->data_length); -- //DEBUG2("DATA-length: %d", reply->data_ -- memcpy(ptr, &swappedDataLength, 4); -- //*ptr = swappedDataLength; -- } -- uint16_t thisDataLength=0; -- if(reply->data!=NULL){ -- DEBUG2("Adding TNCCS-Data "); -- int offset; -- //if data_length-Field present -- 
if(reply->data_length !=0){ -- DEBUG2("with Fragmentation\n"); -- offset = TNC_DATA_LENGTH_LENGTH; //length of data_length-field: 4 -- thisDataLength = reply->length-TNC_PACKET_LENGTH; -- }else{ //data_length-Field not present -- DEBUG2("without Fragmentation\n"); -- offset = 1; -- thisDataLength = reply->length-TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH; -- } -- DEBUG2("TNCCS-Datalength: %d\n", thisDataLength); -- ptr=ptr+offset; //move to start-position of "data" -- memcpy(ptr,reply->data, thisDataLength); -- }else{ -- DEBUG2("No TNCCS-Data present"); -- } -- -- //the length of the TNC-packet (behind Type) -- if(reply->data_length!=0){ -- eap_ds->request->type.length = TNC_DATA_LENGTH_LENGTH+TNC_FLAGS_VERSION_LENGTH+thisDataLength; //4:data_length, 1: flags_ver -- }else{ -- eap_ds->request->type.length = TNC_FLAGS_VERSION_LENGTH+thisDataLength; //1: flags_ver -- } -- DEBUG2("Packet built\n"); -- -- } else { -- eap_ds->request->type.length = 0; -- } -- eap_ds->request->code = reply->code; -+ // fill EAP data to handler -+ handler->eap_ds->request->code = code; -+ handler->eap_ds->request->type.type = PW_EAP_TNC; -+ // fill EAP TYPE specific data to handler -+ handler->eap_ds->request->type.length = length; -+ free(handler->eap_ds->request->type.data); -+ handler->eap_ds->request->type.data = request; - - return 1; - } -diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h ---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h 2012-09-10 13:51:34.000000000 +0200 -+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h 2012-12-04 19:38:00.241420966 +0100 -@@ -1,10 +1,10 @@ - /* -- * This software is Copyright (C) 2006,2007 FH Hannover -+ * This software is Copyright (C) 2006-2009 FH Hannover - * - * Portions of this code unrelated to FreeRADIUS are available - * separately under a commercial license. 
If you require an - * implementation of EAP-TNC that is not under the GPLv2, please -- * contact tnc@inform.fh-hannover.de for details. -+ * contact trust@f4-i.fh-hannover.de for details. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by -@@ -26,105 +26,20 @@ - #define _EAP_TNC_H - - #include "eap.h" -+#include - --#define PW_TNC_REQUEST 1 --#define PW_TNC_RESPONSE 2 --#define PW_TNC_SUCCESS 3 --#define PW_TNC_FAILURE 4 --#define PW_TNC_MAX_CODES 4 -- --#define TNC_HEADER_LEN 4 --#define TNC_CHALLENGE_LEN 16 --#define TNC_START_LEN 8 -- --#define TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH 6 --#define TNC_PACKET_LENGTH 10 --#define TNC_DATA_LENGTH_LENGTH 4 --#define TNC_FLAGS_VERSION_LENGTH 1 -- --typedef unsigned int VlanAccessMode; -- --#define VLAN_ISOLATE 97 --#define VLAN_ACCESS 2 --/* -- **** -- * EAP - MD5 doesnot specify code, id & length but chap specifies them, -- * for generalization purpose, complete header should be sent -- * and not just value_size, value and name. -- * future implementation. -- * -- * Huh? What does that mean? -- */ -+#define SET_START(x) ((x) | (0x20)) - --/* -+/** -+ * Composes the EAP packet. - * -- * MD5 Packet Format in EAP Type-Data -- * --- ------ ------ -- --- --------- -- * 0 1 2 3 -- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 -- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- * | Value-Size | Value ... -- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- * | Name ... -- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- * -- * EAP-TNC Packet Format in EAP Type-Data -- * -- * 0 1 2 3 -- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 -- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- * | Flags |Ver | Data Length ... -- * |L M S R R|=1 | -- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- * |... | Data ... 
-- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- -+ * @param handler The EAP_HANDLER from tnc_initiate() or tnc_authenticate -+ * @param request The EAP_TNC packet received from NAA-TNCS -+ * @param length The length of the EAP_TNC packet received from NAA-TNCS -+ * @param code EAP_CODE for the request - * -+ * @return True if operation was successful, otherwise false. - */ -- --/* eap packet structure */ --typedef struct tnc_packet_t { --/* -- uint8_t code; -- uint8_t id; -- uint16_t length; --*/ -- uint8_t flags_ver; -- uint32_t data_length; -- uint8_t *data; --} tnc_packet_t; -- --typedef struct tnc_packet { -- uint8_t code; -- uint8_t id; -- uint16_t length; -- uint8_t flags_ver; -- uint32_t data_length; -- uint8_t *data; --} TNC_PACKET; -- --#define TNC_START(x) (((x) & 0x20) != 0) --#define TNC_MORE_FRAGMENTS(x) (((x) & 0x40) != 0) --#define TNC_LENGTH_INCLUDED(x) (((x) & 0x80) != 0) --#define TNC_RESERVED_EQ_NULL(x) (((x) & 0x10) == 0 && ((x) & 0x8) == 0) --#define TNC_VERSION_EQ_ONE(x) (((x) & 0x07) == 1) -- --#define SET_START(x) ((x) | (0x20)) --#define SET_MORE_FRAGMENTS(x) ((x) | (0x40)) --#define SET_LENGTH_INCLUDED(x) ((x) | (0x80)) -- -- --/* function declarations here */ -- --TNC_PACKET *eaptnc_alloc(void); --void eaptnc_free(TNC_PACKET **tnc_packet_ptr); -- --int eaptnc_compose(EAP_DS *auth, TNC_PACKET *reply); --TNC_PACKET *eaptnc_extract(EAP_DS *auth); --int eaptnc_verify(TNC_PACKET *pkt, VALUE_PAIR* pwd, uint8_t *ch); -- -- -- -- -+int eaptnc_compose(EAP_HANDLER *handler, TNC_BufferReference request, TNC_UInt32 length, uint8_t code); - - #endif /*_EAP_TNC_H*/ -diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in ---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in 2012-09-10 13:51:34.000000000 +0200 -+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in 2012-12-04 19:38:49.277421870 
+0100 -@@ -3,8 +3,8 @@ - # - - TARGET = @targetname@ --SRCS = rlm_eap_tnc.c eap_tnc.c tncs_connect.c --HEADERS = eap_tnc.h tncs.h tncs_connect.h ../../eap.h ../../rlm_eap.h -+SRCS = rlm_eap_tnc.c eap_tnc.c -+HEADERS = eap_tnc.h ../../eap.h ../../rlm_eap.h - RLM_CFLAGS = -I../.. -I../../libeap @eap_tnc_cflags@ - RLM_LIBS = @eap_tnc_ldflags@ ../../libeap/$(LIBPREFIX)freeradius-eap.la - RLM_INSTALL = -diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c ---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c 2012-09-10 13:51:34.000000000 +0200 -+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c 2012-12-04 19:38:00.241420966 +0100 -@@ -1,12 +1,12 @@ - /* - * rlm_eap_tnc.c Handles that are called from eap - * -- * This software is Copyright (C) 2006,2007 FH Hannover -+ * This software is Copyright (C) 2006-2009 FH Hannover - * - * Portions of this code unrelated to FreeRADIUS are available - * separately under a commercial license. If you require an - * implementation of EAP-TNC that is not under the GPLv2, please -- * contact tnc@inform.fh-hannover.de for details. -+ * contact trust@f4-i.fh-hannover.de for details. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by -@@ -26,96 +26,262 @@ - * Copyright (C) 2007 Alan DeKok - */ - --#include --RCSID("$Id: 985ac01f384110b9a46ec8e84592351c21b3f09a $") -+/* -+ * EAP-TNC Packet with EAP Header, general structure -+ * -+ * 0 1 2 3 -+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 -+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+ * | Code | Identifier | Length | -+ * | | | | -+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+ * | Type | Flags | Ver | Data Length | -+ * | |L M S R R| =1 | | -+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+ * | Data Length | Data ... -+ * | | -+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+ */ - - #include - - #include - #include - --#include "tncs_connect.h" - #include "eap_tnc.h" --#include "tncs.h" -+#include - #include -+//#include - --typedef struct rlm_eap_tnc_t { -- char *vlan_access; -- char *vlan_isolate; -- char *tnc_path; --} rlm_eap_tnc_t; -+#include - --static int sessionCounter=0; -+/** -+ * Calculates an identifying string based upon nas_port, nas_ip and nas_port_type. -+ * The maximum length of the calculated string is 70 (not including the trailing '\0'). -+ * -+ * @return the number of bytes written to out (not including the trailing '\0') -+ */ -+static uint32_t calculateConnectionString(RADIUS_PACKET* radius_packet, char *out, size_t outMaxLength) -+{ -+ VALUE_PAIR *vp = NULL; -+ uint32_t nas_port = 0; -+ uint32_t nas_ip = 0; -+ uint32_t nas_port_type = 0; -+ -+ char out_nas_port[11]; -+ char out_nas_ip_byte_0[4]; -+ char out_nas_ip_byte_1[4]; -+ char out_nas_ip_byte_2[4]; -+ char out_nas_ip_byte_3[4]; -+ char out_nas_port_type[11]; -+ -+ // check for NULL -+ if (radius_packet == NULL) { -+ radlog(L_ERR, -+ "rlm_eap_tnc: calculateConnectionString failed. 
radius_packet == NULL!"); -+ return 0; -+ } -+ -+ // read NAS port, ip and port type -+ for (vp = radius_packet->vps; vp; vp=vp->next) { -+ switch (vp->attribute) { -+ case PW_NAS_PORT: -+ nas_port = vp->vp_integer; -+ DEBUG("NAS scr port = %u\n", nas_port); -+ break; -+ case PW_NAS_IP_ADDRESS: -+ nas_ip = vp->vp_ipaddr; -+ DEBUG("NAS scr ip = %X\n", ntohl(nas_ip)); -+ break; -+ case PW_NAS_PORT_TYPE: -+ nas_port_type = vp->vp_integer; -+ DEBUG("NAS scr port type = %u\n", nas_port_type); -+ break; -+ } -+ } -+ -+ snprintf(out_nas_port, 11, "%u", nas_port); -+ snprintf(out_nas_ip_byte_0, 4, "%u", nas_ip & 0xFF); -+ snprintf(out_nas_ip_byte_1, 4, "%u", (nas_ip >> 8) & 0xFF); -+ snprintf(out_nas_ip_byte_2, 4, "%u", (nas_ip >> 16) & 0xFF); -+ snprintf(out_nas_ip_byte_3, 4, "%u", (nas_ip >> 24) & 0xFF); -+ snprintf(out_nas_port_type, 11, "%u", nas_port_type); -+ -+ return snprintf(out, outMaxLength, "NAS Port: %s NAS IP: %s.%s.%s.%s NAS_PORT_TYPE: %s", out_nas_port, out_nas_ip_byte_3, out_nas_ip_byte_2, out_nas_ip_byte_1, out_nas_ip_byte_0, out_nas_port_type); -+} -+ -+/* -+ * This function is called when the FreeRADIUS attach this module. -+ */ -+static int tnc_attach(CONF_SECTION *conf, void **type_data) -+{ -+ // initialize NAA-EAP -+ DEBUG2("TNC-ATTACH initializing NAA-EAP"); -+ TNC_Result result = initializeDefault(); -+ if (result != TNC_RESULT_SUCCESS) { -+ radlog(L_ERR, -+ "rlm_eap_tnc: tnc_attach error while calling NAA-EAP initializeDefault()"); -+ return -1; -+ } -+ return 0; -+} -+ -+/* -+ * This function is called when the FreeRADIUS detach this module. -+ */ -+static int tnc_detach(void *args) -+{ -+ // terminate NAA-EAP -+ DEBUG2("TNC-TERMINATE terminating NAA-EAP"); -+ TNC_Result result = terminate(); -+ if (result != TNC_RESULT_SUCCESS) { -+ radlog(L_ERR, -+ "rlm_eap_tnc: tnc_attach error while calling NAA-EAP terminate()"); -+ return -1; -+ } -+ return 0; -+} - - /* -- * Initiate the EAP-MD5 session by sending a challenge to the peer. 
-- * Initiate the EAP-TNC session by sending a EAP Request witch Start Bit set -- * and with no data -+ * This function is called when the first EAP_IDENTITY_RESPONSE message -+ * was received. -+ * -+ * Initiates the EPA_TNC session by sending the first EAP_TNC_RESPONSE -+ * to the peer. The packet has the Start-Bit set and contains no data. -+ * -+ * 0 1 2 3 -+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 -+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+ * | Code | Identifier | Length | -+ * | | | | -+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+ * | Type | Flags | Ver | -+ * | |0 0 1 0 0|0 0 1| -+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+ * -+ * For this package, only 'Identifier' has to be set dynamically. Any -+ * other information is static. - */ - static int tnc_initiate(void *type_data, EAP_HANDLER *handler) - { -- uint8_t flags_ver = 1; //set version to 1 -- rlm_eap_tnc_t *inst = type_data; -- TNC_PACKET *reply; -+ size_t buflen = 71; -+ size_t ret = 0; -+ char buf[buflen]; -+ REQUEST * request = NULL; -+ TNC_Result result; -+ TNC_ConnectionID conID; -+ TNC_BufferReference username; - -+ // check if we run inside a secure EAP method. -+ // FIXME check concrete outer EAP method - if (!handler->request || !handler->request->parent) { -- DEBUG("rlm_eap_tnc: EAP-TNC can only be run inside of a TLS-based method."); -+ DEBUG2("rlm_eap_tnc: EAP_TNC must only be used as an inner method within a protected tunneled EAP created by an outer EAP method."); -+ request = handler->request; - return 0; -+ } else { -+ request = handler->request->parent; - } - -- /* -- * FIXME: Update this when the TTLS and PEAP methods can -- * run EAP-TLC *after* the user has been authenticated. -- * This likely means moving the phase2 handlers to a -- * common code base. 
-- */ -- if (1) { -- DEBUG("rlm-eap_tnc: EAP-TNC can only be run after the user has been authenticated."); -+ if (request->packet == NULL) { -+ DEBUG2("rlm_eap_tnc: ERROR request->packet is NULL."); - return 0; - } - - DEBUG("tnc_initiate: %ld", handler->timestamp); - -- if(connectToTncs(inst->tnc_path)==-1){ -- DEBUG("Could not connect to TNCS"); -+ //calculate connectionString -+ ret = calculateConnectionString(request->packet, buf, buflen); -+ if(ret == 0){ -+ radlog(L_ERR, "rlm_eap_tnc:tnc_attach: calculating connection String failed."); -+ return 0; - } - -+ DEBUG2("TNC-INITIATE getting connection from NAA-EAP"); -+ - /* -- * Allocate an EAP-MD5 packet. -+ * get connection -+ * (uses a function from the NAA-EAP-library) -+ * the presence of the library is checked via the configure-script - */ -- reply = eaptnc_alloc(); -- if (reply == NULL) { -- radlog(L_ERR, "rlm_eap_tnc: out of memory"); -+ result = getConnection(buf, &conID); -+ -+ // check for errors -+ if (result != TNC_RESULT_SUCCESS) { -+ radlog(L_ERR, -+ "rlm_eap_tnc: tnc_initiate error while calling NAA-EAP getConnection"); - return 0; - } - - /* -- * Fill it with data. 
-+ * tries to get the username from FreeRADIUS; -+ * copied from modules/rlm_eap/types/rlm_eap_ttls/ttls.c - */ -- reply->code = PW_TNC_REQUEST; -- flags_ver = SET_START(flags_ver); //set start-flag -- DEBUG("$$$$$$$$$$$$$$$$Flags: %d", flags_ver); -- reply->flags_ver = flags_ver; -- reply->length = 1+1; /* one byte of flags_ver */ -+ VALUE_PAIR *usernameValuePair; -+ usernameValuePair = pairfind(request->packet->vps, PW_USER_NAME); - -+ VALUE_PAIR *eapMessageValuePair; -+ if (!usernameValuePair) { -+ eapMessageValuePair = pairfind(request->packet->vps, PW_EAP_MESSAGE); -+ -+ if (eapMessageValuePair && -+ (eapMessageValuePair->length >= EAP_HEADER_LEN + 2) && -+ (eapMessageValuePair->vp_strvalue[0] == PW_EAP_RESPONSE) && -+ (eapMessageValuePair->vp_strvalue[EAP_HEADER_LEN] == PW_EAP_IDENTITY) && -+ (eapMessageValuePair->vp_strvalue[EAP_HEADER_LEN + 1] != 0)) { -+ -+ /* -+ * Create & remember a User-Name -+ */ -+ usernameValuePair = pairmake("User-Name", "", T_OP_EQ); -+ rad_assert(usernameValuePair != NULL); -+ -+ memcpy(usernameValuePair->vp_strvalue, eapMessageValuePair->vp_strvalue + 5, -+ eapMessageValuePair->length - 5); -+ usernameValuePair->length = eapMessageValuePair->length - 5; -+ usernameValuePair->vp_strvalue[usernameValuePair->length] = 0; -+ } -+ } -+ -+ username = malloc(usernameValuePair->length + 1); -+ memcpy(username, usernameValuePair->vp_strvalue, usernameValuePair->length); -+ username[usernameValuePair->length] = '\0'; -+ -+ RDEBUG("Username for current TNC connection: %s", username); -+ -+ /* -+ * stores the username of this connection -+ * (uses a function from the NAA-EAP-library) -+ * the presence of the library is checked via the configure-script -+ */ -+ result = storeUsername(conID, username, usernameValuePair->length); -+ -+ // check for errors -+ if (result != TNC_RESULT_SUCCESS) { -+ radlog(L_ERR, -+ "rlm_eap_tnc: tnc_initiate error while calling NAA-EAP storeUsername"); -+ return 0; -+ } -+ -+ // set connection ID in FreeRADIUS -+ 
handler->opaque = malloc(sizeof(TNC_ConnectionID)); -+ memcpy(handler->opaque, &conID, sizeof(TNC_ConnectionID)); -+ -+ // build first EAP TNC request -+ TNC_BufferReference eap_tnc_request = malloc(sizeof(unsigned char)); -+ if (eap_tnc_request == NULL) { -+ radlog(L_ERR, "rlm_eap_tnc:tnc_initiate: malloc failed."); -+ return 0; -+ } -+ *eap_tnc_request = SET_START(1); -+ TNC_UInt32 eap_tnc_length = 1; -+ type_data = type_data; /* suppress -Wunused */ - - /* - * Compose the EAP-TNC packet out of the data structure, - * and free it. - */ -- eaptnc_compose(handler->eap_ds, reply); -- eaptnc_free(&reply); -+ eaptnc_compose(handler, eap_tnc_request, eap_tnc_length, PW_EAP_REQUEST); - -- //put sessionAttribute to Handler and increase sessionCounter -- handler->opaque = calloc(sizeof(TNC_ConnectionID), 1); -- if (handler->opaque == NULL) { -- radlog(L_ERR, "rlm_eap_tnc: out of memory"); -- return 0; -- } -- handler->free_opaque = free; -- memcpy(handler->opaque, &sessionCounter, sizeof(int)); -- sessionCounter++; -- - /* - * We don't need to authorize the user at this point. - * -@@ -124,246 +290,114 @@ - * to us... - */ - handler->stage = AUTHENTICATE; -- -- return 1; --} - --static void setVlanAttribute(rlm_eap_tnc_t *inst, EAP_HANDLER *handler, -- VlanAccessMode mode){ -- VALUE_PAIR *vp; -- char *vlanNumber = NULL; -- switch(mode){ -- case VLAN_ISOLATE: -- vlanNumber = inst->vlan_isolate; -- vp = pairfind(handler->request->config_items, -- PW_TNC_VLAN_ISOLATE); -- if (vp) vlanNumber = vp->vp_strvalue; -- break; -- case VLAN_ACCESS: -- vlanNumber = inst->vlan_access; -- vp = pairfind(handler->request->config_items, -- PW_TNC_VLAN_ACCESS); -- if (vp) vlanNumber = vp->vp_strvalue; -- break; -- -- default: -- DEBUG2(" rlm_eap_tnc: Internal error. 
Not setting vlan number"); -- return; -- } -- pairadd(&handler->request->reply->vps, -- pairmake("Tunnel-Type", "VLAN", T_OP_SET)); -- -- pairadd(&handler->request->reply->vps, -- pairmake("Tunnel-Medium-Type", "IEEE-802", T_OP_SET)); -- -- pairadd(&handler->request->reply->vps, -- pairmake("Tunnel-Private-Group-ID", vlanNumber, T_OP_SET)); -- -+ return 1; - } - --/* -- * Authenticate a previously sent challenge. -+/** -+ * This function is called when a EAP_TNC_RESPONSE was received. -+ * It basically forwards the EAP_TNC data to NAA-TNCS and forms -+ * and appropriate EAP_RESPONSE. Furthermore, it sets the VlanID -+ * based on the TNC_ConnectionState determined by NAA-TNCS. -+ * -+ * @param type_arg The configuration data -+ * @param handler The EAP_HANDLER -+ * @return True, if successfully, else false. - */ --static int tnc_authenticate(void *type_arg, EAP_HANDLER *handler) --{ -- TNC_PACKET *packet; -- TNC_PACKET *reply; -- TNC_ConnectionID connId = *((TNC_ConnectionID *) (handler->opaque)); -- TNC_ConnectionState state; -- rlm_eap_tnc_t *inst = type_arg; -- int isAcknowledgement = 0; -- TNC_UInt32 tnccsMsgLength = 0; -- int isLengthIncluded; -- int moreFragments; -- TNC_UInt32 overallLength; -- TNC_BufferReference outMessage; -- TNC_UInt32 outMessageLength = 2; -- int outIsLengthIncluded=0; -- int outMoreFragments=0; -- TNC_UInt32 outOverallLength=0; -+static int tnc_authenticate(void *type_arg, EAP_HANDLER *handler) { - -- DEBUG2("HANDLER_OPAQUE: %d", (int) *((TNC_ConnectionID *) (handler->opaque))); -- DEBUG2("TNC-AUTHENTICATE is starting now for %d..........", (int) connId); -+ rad_assert(handler->request != NULL); // check that request has been sent previously -+ rad_assert(handler->stage == AUTHENTICATE); // check if initiate has been called - -- /* -- * Get the User-Password for this user. -- */ -- rad_assert(handler->request != NULL); -- rad_assert(handler->stage == AUTHENTICATE); -- -- /* -- * Extract the EAP-TNC packet. 
-- */ -- if (!(packet = eaptnc_extract(handler->eap_ds))) -+ if (handler == NULL) { -+ radlog(L_ERR, -+ "rlm_eap_tnc: tnc_authenticate invalid parameters: handler == NULL"); - return 0; -+ } -+ if (handler->eap_ds == NULL) { -+ radlog(L_ERR, -+ "rlm_eap_tnc: tnc_authenticate invalid parameters: handler->eap_ds == NULL"); -+ return 0; -+ } -+ if (handler->eap_ds->response == NULL) { -+ radlog( -+ L_ERR, -+ "rlm_eap_tnc: tnc_authenticate invalid parameters: handler->eap_ds->resonse == NULL"); -+ return 0; -+ } -+ if (handler->eap_ds->response->type.type != PW_EAP_TNC -+ || handler->eap_ds->response->type.length < 1 -+ || handler->eap_ds->response->type.data == NULL) { -+ radlog( -+ L_ERR, -+ "rlm_eap_tnc: tnc_authenticate invalid parameters: handler->eap_ds->response->type.type == %X, ->type.length == %u, ->type.data == %p", -+ handler->eap_ds->response->type.type, -+ handler->eap_ds->response->type.length, -+ handler->eap_ds->response->type.data); -+ return 0; -+ } - -- /* -- * Create a reply, and initialize it. 
-- */ -- reply = eaptnc_alloc(); -- if (!reply) { -- eaptnc_free(&packet); -- return 0; -- } -- -- reply->id = handler->eap_ds->request->id; -- reply->length = 0; -- if(packet->data_length==0){ -- tnccsMsgLength = packet->length-TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH; -- }else{ -- tnccsMsgLength = packet->length-TNC_PACKET_LENGTH; -- } -- isLengthIncluded = TNC_LENGTH_INCLUDED(packet->flags_ver); -- moreFragments = TNC_MORE_FRAGMENTS(packet->flags_ver); -- overallLength = packet->data_length; -- if(isLengthIncluded == 0 -- && moreFragments == 0 -- && overallLength == 0 -- && tnccsMsgLength == 0 -- && TNC_START(packet->flags_ver)==0){ -- -- isAcknowledgement = 1; -- } -- -- DEBUG("Data received: (%d)", (int) tnccsMsgLength); --/* int i; -- for(i=0;idata)[i]); -- } -- DEBUG2("\n"); -- */ -- state = exchangeTNCCSMessages(inst->tnc_path, -- connId, -- isAcknowledgement, -- packet->data, -- tnccsMsgLength, -- isLengthIncluded, -- moreFragments, -- overallLength, -- &outMessage, -- &outMessageLength, -- &outIsLengthIncluded, -- &outMoreFragments, -- &outOverallLength); -- DEBUG("GOT State %08x from TNCS", (unsigned int) state); -- if(state == TNC_CONNECTION_EAP_ACKNOWLEDGEMENT){ //send back acknoledgement -- reply->code = PW_TNC_REQUEST; -- reply->data = NULL; -- reply->data_length = 0; -- reply->flags_ver = 1; -- reply->length =TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH; -- }else{ //send back normal message -- DEBUG("GOT Message from TNCS (length: %d)", (int) outMessageLength); -- -- /* for(i=0;icode = PW_TNC_REQUEST; -- DEBUG2("Set Reply->Code to EAP-REQUEST\n"); -- break; -- case TNC_CONNECTION_STATE_ACCESS_ALLOWED: -- reply->code = PW_TNC_SUCCESS; -- setVlanAttribute(inst, handler,VLAN_ACCESS); -- break; -- case TNC_CONNECTION_STATE_ACCESS_NONE: -- reply->code = PW_TNC_FAILURE; -- //setVlanAttribute(inst, handler, VLAN_ISOLATE); -- break; -- case TNC_CONNECTION_STATE_ACCESS_ISOLATED: -- reply->code = PW_TNC_SUCCESS; -- setVlanAttribute(inst, handler, VLAN_ISOLATE); -- 
break; -- default: -- reply->code= PW_TNC_FAILURE; -- -- } -- if(outMessage!=NULL && outMessageLength!=0){ -- reply->data = outMessage; -- } -- reply->flags_ver = 1; -- if(outIsLengthIncluded){ -- reply->flags_ver = SET_LENGTH_INCLUDED(reply->flags_ver); -- reply->data_length = outOverallLength; -- reply->length = TNC_PACKET_LENGTH + outMessageLength; -- DEBUG("SET LENGTH: %d", reply->length); -- DEBUG("SET DATALENGTH: %d", (int) outOverallLength); -- }else{ -- reply->data_length = 0; -- reply->length = TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH + outMessageLength; -- DEBUG("SET LENGTH: %d", reply->length); -- } -- if(outMoreFragments){ -- reply->flags_ver = SET_MORE_FRAGMENTS(reply->flags_ver); -- } -- } -- -- /* -- * Compose the EAP-MD5 packet out of the data structure, -- * and free it. -- */ -- eaptnc_compose(handler->eap_ds, reply); -- eaptnc_free(&reply); -- -- handler->stage = AUTHENTICATE; -- -- eaptnc_free(&packet); -- return 1; --} -- --/* -- * Detach the EAP-TNC module. -- */ --static int tnc_detach(void *arg) --{ -- free(arg); -- return 0; --} -- -- --static CONF_PARSER module_config[] = { -- { "vlan_access", PW_TYPE_STRING_PTR, -- offsetof(rlm_eap_tnc_t, vlan_access), NULL, NULL }, -- { "vlan_isolate", PW_TYPE_STRING_PTR, -- offsetof(rlm_eap_tnc_t, vlan_isolate), NULL, NULL }, -- { "tnc_path", PW_TYPE_STRING_PTR, -- offsetof(rlm_eap_tnc_t, tnc_path), NULL, -- "/usr/local/lib/libTNCS.so"}, -+ // get connection ID -+ TNC_ConnectionID conID = *((TNC_ConnectionID *) (handler->opaque)); - -- { NULL, -1, 0, NULL, NULL } /* end the list */ --}; -+ DEBUG2("TNC-AUTHENTICATE is starting now for connection ID %lX !", conID); - --/* -- * Attach the EAP-TNC module. 
-- */ --static int tnc_attach(CONF_SECTION *cs, void **instance) --{ -- rlm_eap_tnc_t *inst; -+ // pass EAP_TNC data to NAA-EAP and get answer data -+ TNC_BufferReference output = NULL; -+ TNC_UInt32 outputLength = 0; -+ TNC_ConnectionState connectionState = TNC_CONNECTION_STATE_CREATE; - -- inst = malloc(sizeof(*inst)); -- if (!inst) return -1; -- memset(inst, 0, sizeof(*inst)); -+ /* -+ * forwards the eap_tnc data to NAA-EAP and gets the response -+ * (uses a function from the NAA-EAP-library) -+ * the presence of the library is checked via the configure-script -+ */ -+ TNC_Result result = processEAPTNCData(conID, handler->eap_ds->response->type.data, -+ handler->eap_ds->response->type.length, &output, &outputLength, -+ &connectionState); -+ -+ // check for errors -+ if (result != TNC_RESULT_SUCCESS) { -+ radlog(L_ERR, -+ "rlm_eap_tnc: tnc_authenticate error while calling NAA-EAP processEAPTNCData"); -+ return 0; -+ } - -- if (cf_section_parse(cs, inst, module_config) < 0) { -- tnc_detach(inst); -- return -1; -+ // output contains now the answer from NAA-EAP -+ uint8_t eapCode = 0; -+ // determine eapCode for request -+ switch (connectionState) { -+ case TNC_CONNECTION_STATE_HANDSHAKE: -+ eapCode = PW_EAP_REQUEST; -+ break; -+ case TNC_CONNECTION_STATE_ACCESS_NONE: -+ eapCode = PW_EAP_FAILURE; -+ break; -+ case TNC_CONNECTION_STATE_ACCESS_ALLOWED: -+ eapCode = PW_EAP_SUCCESS; -+ pairadd(&handler->request->config_items, pairmake("TNC-Status", "Access", T_OP_SET)); -+ break; -+ case TNC_CONNECTION_STATE_ACCESS_ISOLATED: -+ eapCode = PW_EAP_SUCCESS; -+ pairadd(&handler->request->config_items, pairmake("TNC-Status", "Isolate", T_OP_SET)); -+ break; -+ default: -+ radlog(L_ERR, -+ "rlm_eap_tnc: tnc_authenticate invalid TNC_CONNECTION_STATE."); -+ return 0; - } - -- -- if (!inst->vlan_access || !inst->vlan_isolate) { -- radlog(L_ERR, "rlm_eap_tnc: Must set both vlan_access and vlan_isolate"); -- tnc_detach(inst); -- return -1; -+ // form EAP_REQUEST -+ if 
(!eaptnc_compose(handler, output, outputLength, eapCode)) {
-+ radlog(L_ERR,
-+ "rlm_eap_tnc: tnc_authenticate error while forming EAP_REQUEST.");
-+ return 0;
- }
- 
-- *instance = inst;
-- return 0;
-+ // FIXME: Why is that needed?
-+ handler->stage = AUTHENTICATE;
-+
-+ return 1;
- }
- 
- /*
-@@ -371,10 +405,10 @@
- * That is, everything else should be 'static'.
- */
- EAP_TYPE rlm_eap_tnc = {
-- "eap_tnc",
-- tnc_attach, /* attach */
-- tnc_initiate, /* Start the initial request */
-- NULL, /* authorization */
-- tnc_authenticate, /* authentication */
-- tnc_detach /* detach */
-+ "eap_tnc",
-+ tnc_attach, /* attach */
-+ tnc_initiate, /* Start the initial request */
-+ NULL, /* authorization */
-+ tnc_authenticate, /* authentication */
-+ tnc_detach /* detach */
- };
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c 1970-01-01 01:00:00.000000000 +0100
-@@ -1,146 +0,0 @@
--/*
-- * This software is Copyright (C) 2006,2007 FH Hannover
-- *
-- * Portions of this code unrelated to FreeRADIUS are available
-- * separately under a commercial license. If you require an
-- * implementation of EAP-TNC that is not under the GPLv2, please
-- * contact tnc@inform.fh-hannover.de for details.
-- *
-- * This program is free software; you can redistribute it and/or modify
-- * it under the terms of the GNU General Public License as published by
-- * the Free Software Foundation; either version 2 of the License, or
-- * (at your option) any later version.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the
-- * GNU General Public License for more details.
-- *
-- * You should have received a copy of the GNU General Public License
-- * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
-- *
-- */
--#include
--RCSID("$Id: 6077f6d2bdc2ebdea6575678e80e255f57215900 $")
--
--#include "tncs_connect.h"
--#include
--#include
--#include
--#include
--
-- /*
-- * FIXME: This linking should really be done at compile time.
-- */
--static lt_dlhandle handle = NULL;
--
--static ExchangeTNCCSMessagePointer callTNCS = NULL;
--
--/*
-- * returns the function-pointer to a function of a shared-object
-- *
-- * soHandle: handle to a shared-object
-- * name: name of the requested function
-- *
-- * return: the procAddress if found, else NULL
-- */
--static void *getProcAddress(lt_dlhandle soHandle, const char *name){
-- void *proc = lt_dlsym(soHandle, name);
-- DEBUG("Searching for function %s", name);
-- if(proc == NULL){
-- DEBUG("rlm_eap_tnc: Failed to resolve symbol %s: %s",
-- name, lt_dlerror());
-- }
-- return proc;
--}
--
--
--/*
-- * establishs the connection to the TNCCS without calling functionality.
-- * That means that the TNCS-shared-object is loaded and the function-pointer
-- * to "exchangeTNCCSMessages" is explored.
-- *
-- * return: -1 if connect failed, 0 if connect was successful
-- */
--int connectToTncs(char *pathToSO){
-- int state = -1;
-- if(handle==NULL){
-- handle = lt_dlopen(pathToSO);
-- DEBUG("OPENED HANDLE!");
-- }
--
-- if(handle==NULL){
-- DEBUG("HANDLE IS NULL");
-- DEBUG("rlm_eap_tnc: Failed to link to library %s: %s",
-- pathToSO, lt_dlerror());
-- }else{
-- DEBUG("SO %s found!", pathToSO);
-- if(callTNCS==NULL){
-- callTNCS = (ExchangeTNCCSMessagePointer) getProcAddress(handle, "exchangeTNCCSMessages");
-- }
-- if(callTNCS!=NULL){
-- DEBUG("TNCS is connected");
-- state = 0;
--// int ret = callTNCS2(2, "Bla", NULL);
-- // DEBUG("GOT %d from exchangeTNCCSMessages", ret);
-- }else{
-- DEBUG("Could not find exchangeTNCCSMessages");
-- }
--
-- }
-- return state;
--}
--
--/*
-- * Accesspoint to the TNCS for sending and receiving TNCCS-Messages.
-- * -pathToSO: Path to TNCCS-Shared Object
-- * -connId: identifies the client which the passed message belongs to.
-- * -isAcknoledgement: 1 if acknoledgement received (then all following in-parameters unimportant
-- * -input: input-TNCCS-message received from the client with connId
-- * -inputLength: length of input-TNCCS-message
-- * -isFirst: 1 if first message in fragmentation else 0
-- * -moreFragments: are there more Fragments to come (yes: 1, no: 0)?
-- * -overallLength: length of all fragments together (only set if fragmentation)
-- * -output: answer-TNCCS-message from the TNCS to the client
-- * -outputLength: length of answer-TNCCS-message
-- * -answerIsFirst: returned answer is first in row
-- * -moreFragmentsFollow: more fragments after this answer
-- * -overallLengthOut: length of all fragments together (only set if fragmentation) as answer
-- *
-- * return: state of connection as result of the exchange
-- */
--TNC_ConnectionState exchangeTNCCSMessages(/*in*/ char *pathToSO,
-- /*in*/ TNC_ConnectionID connId,
-- /*in*/ int isAcknoledgement,
-- /*in*/ TNC_BufferReference input,
-- /*in*/ TNC_UInt32 inputLength,
-- /*in*/ int isFirst,
-- /*in*/ int moreFragments,
-- /*in*/ TNC_UInt32 overallLength,
-- /*out*/ TNC_BufferReference *output,
-- /*out*/ TNC_UInt32 *outputLength,
-- /*out*/ int *answerIsFirst,
-- /*out*/ int *moreFragmentsFollow,
-- /*out*/ TNC_UInt32 *overallLengthOut){
-- TNC_ConnectionState state = TNC_CONNECTION_STATE_ACCESS_NONE;
-- int connectStatus = connectToTncs(pathToSO);
-- if(connectStatus!=-1){
-- state = callTNCS(connId,
-- isAcknoledgement,
-- input,
-- inputLength,
-- isFirst,
-- moreFragments,
-- overallLength,
-- output,
-- outputLength,
-- answerIsFirst,
-- moreFragmentsFollow,
-- overallLengthOut);
-- DEBUG("GOT TNC_ConnectionState (juhuuu): %u", (unsigned int) state);
-- }else{
-- DEBUG("CAN NOT CONNECT TO TNCS");
-- }
-- return state;
--}
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h 1970-01-01 01:00:00.000000000 +0100
-@@ -1,70 +0,0 @@
--/*
-- * This software is Copyright (C) 2006,2007 FH Hannover
-- *
-- * Portions of this code unrelated to
FreeRADIUS are available
-- * separately under a commercial license. If you require an
-- * implementation of EAP-TNC that is not under the GPLv2, please
-- * contact tnc@inform.fh-hannover.de for details.
-- *
-- * This program is free software; you can redistribute it and/or modify
-- * it under the terms of the GNU General Public License as published by
-- * the Free Software Foundation; either version 2 of the License, or
-- * (at your option) any later version.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- *
-- * You should have received a copy of the GNU General Public License
-- * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
-- *
-- */
--
--#ifndef _TNCS_CONNECT_H_
--#define _TNCS_CONNECT_H_
--
--#include "tncs.h"
--
--/*
-- * establishs the connection to the TNCCS without calling functionality.
-- * That means that the TNCS-shared-object is loaded and the function-pointer
-- * to "exchangeTNCCSMessages" is explored.
-- *
-- * return: -1 if connect failed, 0 if connect was successful
-- */
--int connectToTncs(char *pathToSO);
--/*
-- * Accesspoint to the TNCS for sending and receiving TNCCS-Messages.
-- * -pathToSO: Path to TNCCS-Shared Object
-- * -connId: identifies the client which the passed message belongs to.
-- * -isAcknoledgement: 1 if acknoledgement received (then all following in-parameters unimportant
-- * -input: input-TNCCS-message received from the client with connId
-- * -inputLength: length of input-TNCCS-message
-- * -isFirst: 1 if first message in fragmentation else 0
-- * -moreFragments: are there more Fragments to come (yes: 1, no: 0)?
-- * -overallLength: length of all fragments together (only set if fragmentation)
-- * -output: answer-TNCCS-message from the TNCS to the client
-- * -outputLength: length of answer-TNCCS-message
-- * -answerIsFirst: returned answer is first in row
-- * -moreFragmentsFollow: more fragments after this answer
-- * -overallLengthOut: length of all fragments together (only set if fragmentation) as answer
-- *
-- * return: state of connection as result of the exchange
-- */
--TNC_ConnectionState exchangeTNCCSMessages(/*in*/ char *pathToSO,
-- /*in*/ TNC_ConnectionID connId,
-- /*in*/ int isAcknoledgement,
-- /*in*/ TNC_BufferReference input,
-- /*in*/ TNC_UInt32 inputLength,
-- /*in*/ int isFirst,
-- /*in*/ int moreFragments,
-- /*in*/ TNC_UInt32 overallLength,
-- /*out*/ TNC_BufferReference *output,
-- /*out*/ TNC_UInt32 *outputLength,
-- /*out*/ int *answerIsFirst,
-- /*out*/ int *moreFragmentsFollow,
-- /*out*/ TNC_UInt32 *overallLengthOut);
--
--#endif //_TNCS_CONNECT_H_
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h 1970-01-01 01:00:00.000000000 +0100
-@@ -1,86 +0,0 @@
--/*
-- * This software is Copyright (C) 2006,2007 FH Hannover
-- *
-- * Portions of this code unrelated to FreeRADIUS are available
-- * separately under a commercial license. If you require an
-- * implementation of EAP-TNC that is not under the GPLv2, please
-- * contact tnc@inform.fh-hannover.de for details.
-- *
-- * This program is free software; you can redistribute it and/or modify
-- * it under the terms of the GNU General Public License as published by
-- * the Free Software Foundation; either version 2 of the License, or
-- * (at your option) any later version.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- *
-- * You should have received a copy of the GNU General Public License
-- * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
-- *
-- */
--
--#ifndef _TNCS_H_
--#define _TNCS_H_
--
--
--
--#ifdef __cplusplus
--extern "C" {
--#endif
--
--/*
-- * copied from tncimv.h:
-- */
--typedef unsigned long TNC_UInt32;
--typedef TNC_UInt32 TNC_ConnectionState;
--typedef unsigned char *TNC_BufferReference;
--typedef TNC_UInt32 TNC_ConnectionID;
--
--#define TNC_CONNECTION_STATE_CREATE 0
--#define TNC_CONNECTION_STATE_HANDSHAKE 1
--#define TNC_CONNECTION_STATE_ACCESS_ALLOWED 2
--#define TNC_CONNECTION_STATE_ACCESS_ISOLATED 3
--#define TNC_CONNECTION_STATE_ACCESS_NONE 4
--#define TNC_CONNECTION_STATE_DELETE 5
--#define TNC_CONNECTION_EAP_ACKNOWLEDGEMENT 6
--
--/*
-- * Accesspoint (as function-pointer) to the TNCS for sending and receiving
-- * TNCCS-Messages.
-- *
-- * -connId: identifies the client which the passed message belongs to.
-- * -isAcknoledgement: 1 if acknoledgement received (then all following in-parameters unimportant
-- * -input: input-TNCCS-message received from the client with connId
-- * -inputLength: length of input-TNCCS-message
-- * -isFirst: 1 if first message in fragmentation else 0
-- * -moreFragments: are there more Fragments to come (yes: 1, no: 0)?
-- * -overallLength: length of all fragments together (only set if fragmentation)
-- * -output: answer-TNCCS-message from the TNCS to the client
-- * -outputLength: length of answer-TNCCS-message
-- * -answerIsFirst: returned answer is first in row
-- * -moreFragmentsFollow: more fragments after this answer
-- * -overallLengthOut: length of all fragments together (only set if fragmentation) as answer
-- *
-- * return: state of connection as result of the exchange
-- */
--typedef TNC_ConnectionState (*ExchangeTNCCSMessagePointer)(/*in*/ TNC_ConnectionID connId,
-- /*in*/ int isAcknoledgement,
-- /*in*/ TNC_BufferReference input,
-- /*in*/ TNC_UInt32 inputLength,
-- /*in*/ int isFirst,
-- /*in*/ int moreFragments,
-- /*in*/ TNC_UInt32 overallLength,
-- /*out*/ TNC_BufferReference *output,
-- /*out*/ TNC_UInt32 *outputLength,
-- /*out*/ int *answerIsFirst,
-- /*out*/ int *moreFragmentsFollow,
-- /*out*/ TNC_UInt32 *overallLengthOut
--);
--
--#ifdef __cplusplus
--}
--#endif
--#endif //_TNCS_H_
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h 2012-12-04 19:39:54.749423138 +0100
-@@ -37,6 +37,10 @@
- int copy_request_to_tunnel;
- int use_tunneled_reply;
- const char *virtual_server;
-+ const char *tnc_virtual_server; // virtual server for EAP-TNC as the second inner method
-+ VALUE_PAIR *auth_reply; // cache storage of the last reply of the first inner method
-+ int auth_code; // cache storage of the reply-code of the first inner method
-+ int doing_tnc; // status if we're doing EAP-TNC
- } ttls_tunnel_t;
- 
- /*
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c
freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c 2012-12-04 19:39:54.749423138 +0100
-@@ -62,6 +62,11 @@
- * Virtual server for inner tunnel session.
- */
- char *virtual_server;
-+
-+ /*
-+ * Virtual server for the second inner tunnel method, which is EAP-TNC.
-+ */
-+ char *tnc_virtual_server;
- } rlm_eap_ttls_t;
- 
- 
-@@ -78,6 +83,9 @@
- { "virtual_server", PW_TYPE_STRING_PTR,
- offsetof(rlm_eap_ttls_t, virtual_server), NULL, NULL },
- 
-+ { "tnc_virtual_server", PW_TYPE_STRING_PTR,
-+ offsetof(rlm_eap_ttls_t, tnc_virtual_server), NULL, NULL },
-+
- { "include_length", PW_TYPE_BOOLEAN,
- offsetof(rlm_eap_ttls_t, include_length), NULL, "yes" },
- 
-@@ -171,6 +179,10 @@
- t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
- t->use_tunneled_reply = inst->use_tunneled_reply;
- t->virtual_server = inst->virtual_server;
-+ t->tnc_virtual_server = inst->tnc_virtual_server; // virtual server for EAP-TNC as the second inner method
-+ t->auth_reply = NULL; // cache storage of the last reply of the first inner method
-+ t->auth_code = -1; // cache storage of the reply-code of the first inner method
-+ t->doing_tnc = 0; // status if we're doing EAP-TNC (on start we're doing NOT)
- return t;
- }
- 
-diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c 2012-09-10 13:51:34.000000000 +0200
-+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c 2012-12-04 19:39:54.749423138 +0100
-@@ -585,6 +585,94 @@
- }
- 
- /*
-+ * Start EAP-TNC as a second inner method.
-+ * Creates a new fake-request out of the original incoming request (via EAP_HANDLER).
-+ * If it's the first time, we create a EAP-START-packet and send
-+ * EAP-START := code = PW_EAP_REQUEST
-+ *
-+ */
-+static REQUEST* start_tnc(EAP_HANDLER *handler, ttls_tunnel_t *t) {
-+ REQUEST* request = handler->request;
-+ RDEBUG2("EAP-TNC as second inner authentication method starts now");
-+
-+ /*
-+ * Allocate a fake REQUEST struct,
-+ * to make a new request, based on the original request.
-+ */
-+ REQUEST* fake = request_alloc_fake(request);
-+
-+ /*
-+ * Set the virtual server to that of EAP-TNC.
-+ */
-+ fake->server = t->tnc_virtual_server;
-+
-+ /*
-+ * Build a new EAP-Message.
-+ */
-+ VALUE_PAIR *eap_msg;
-+ eap_msg = paircreate(PW_EAP_MESSAGE, PW_TYPE_OCTETS);
-+
-+ /*
-+ * Set the EAP-Message to look like EAP-Start
-+ */
-+ eap_msg->vp_octets[0] = PW_EAP_RESPONSE;
-+ eap_msg->vp_octets[1] = 0x00;
-+
-+ /*
-+ * Only setting EAP-TNC here,
-+ * because it is intended to do user-authentication in the first inner method,
-+ * and then a hardware-authentication (like EAP-TNC) as the second method.
-+ */
-+ eap_msg->vp_octets[4] = PW_EAP_TNC;
-+
-+ eap_msg->length = 0;
-+
-+ /*
-+ * Add the EAP-Message to the request.
-+ */
-+ pairadd(&(fake->packet->vps), eap_msg);
-+
-+ /*
-+ * Process the new request by the virtual server configured for
-+ * EAP-TNC.
-+ */
-+ rad_authenticate(fake);
-+
-+ /*
-+ * From now on we're doing EAP-TNC as the second inner authentication method.
-+ */
-+ t->doing_tnc = TRUE;
-+
-+ return fake;
-+}
-+
-+/*
-+ * Stop EAP-TNC as a second inner method.
-+ * Copy the value pairs from the cached Access-Accept of the first inner method
-+ * to the Access-Accept/Reject package of EAP-TNC.
-+ */
-+static REQUEST* stop_tnc(REQUEST *request, ttls_tunnel_t *t) {
-+ RDEBUG2("EAP-TNC as second inner authentication method stops now");
-+
-+ /*
-+ * Copy the value-pairs of the origina Access-Accept of the first
-+ * inner authentication method to the Access-Accept/Reject of the
-+ * second inner authentication method (EAP-TNC).
-+ */
-+ if (request->reply->code == PW_AUTHENTICATION_ACK) {
-+ pairadd(&(request->reply->vps), t->auth_reply);
-+ } else if (request->reply->code == PW_AUTHENTICATION_REJECT) {
-+ pairadd(&(request->reply->vps), t->auth_reply);
-+ }
-+
-+ pairdelete(&(request->reply->vps), PW_MESSAGE_AUTHENTICATOR);
-+ pairdelete(&(request->reply->vps), PW_PROXY_STATE);
-+ pairdelete(&(request->reply->vps), PW_USER_NAME);
-+
-+ return request;
-+}
-+
-+/*
- * Use a reply packet to determine what to do.
- */
- static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session,
-@@ -1135,6 +1223,16 @@
-
- } /* else fake->server == request->server */
-
-+ /*
-+ * If we're doing EAP-TNC as a second method,
-+ * then set the server to that one.
-+ * Then, rad_authenticate will run EAP-TNC,
-+ * so that afterwards we have to look for the state of
-+ * EAP-TNC.
-+ */
-+ if (t->doing_tnc) {
-+ fake->server = t->tnc_virtual_server;
-+ }
-
- if ((debug_flag > 0) && fr_log_fp) {
- RDEBUG("Sending tunneled request");
-@@ -1248,6 +1346,53 @@
-
- default:
- /*
-+ * If the result of the first method was an acknowledgment OR
-+ * if were already running EAP-TNC,
-+ * we're doing additional things before processing the reply.
-+ * Also the configuration for EAP-TTLS has to contain a virtual server
-+ * for EAP-TNC as the second method.
-+ */
-+ if (t->tnc_virtual_server) {
-+ /*
-+ * If the reply code of the first inner method is PW_AUTHENTICATION_ACK
-+ * which means that the method was successful,
-+ * and we're not doing EAP-TNC as the second method,
-+ * then we want to intercept the Access-Accept and start EAP-TNC as the second inner method.
-+ */
-+ if (fake->reply->code == PW_AUTHENTICATION_ACK
-+ && t->doing_tnc == FALSE) {
-+ RDEBUG2("Reply-Code of the first inner method was: %d (PW_AUTHENTICATION_ACK)", fake->reply->code);
-+
-+ /*
-+ * Save reply-value pairs and reply-code of the first method.
-+ */
-+ t->auth_reply = fake->reply->vps;
-+ fake->reply->vps = NULL;
-+ t->auth_code = fake->reply->code;
-+
-+ /*
-+ * Create the start package for EAP-TNC.
-+ */
-+ fake = start_tnc(handler, t);
-+
-+ /*
-+ * If we're doing EAP-TNC as the second inner method,
-+ * and the reply->code was PW_AUTHENTICATION_ACK or PW_AUTHENTICATION_REJECT,
-+ * then we stop EAP-TNC and create an combined Access-Accept or Access-Reject.
-+ */
-+ } else if (t->doing_tnc == TRUE
-+ && (fake->reply->code == PW_AUTHENTICATION_ACK || fake->reply->code == PW_AUTHENTICATION_REJECT)) {
-+
-+ /*
-+ * Create the combined Access-Accept or -Reject.
-+ */
-+ RDEBUG2("Reply-Code of EAP-TNC as the second inner method was: %d (%s)", fake->reply->code,
-+ fake->reply->code == PW_AUTHENTICATION_ACK ? "PW_AUTHENTICATION_ACK" : "PW_AUTHENTICATION_REJECT");
-+ fake = stop_tnc(fake, t);
-+ }
-+ }
-+
-+ /*
- * Returns RLM_MODULE_FOO, and we want to return
- * PW_FOO
- */
diff --git a/testing/scripts/recipes/patches/hostapd-config b/testing/scripts/recipes/patches/hostapd-config
deleted file mode 100644
index b26d2783f..000000000
--- a/testing/scripts/recipes/patches/hostapd-config
+++ /dev/null
@@ -1,38 +0,0 @@
-diff -u -ur hostapd-2.0.orig/hostapd/defconfig hostapd-2.0/hostapd/defconfig
---- hostapd-2.0.orig/hostapd/defconfig 2013-01-12 16:42:53.000000000 +0100
-+++ hostapd-2.0/hostapd/defconfig 2016-06-15 17:32:57.000000000 +0200
-@@ -13,14 +13,14 @@
- CONFIG_DRIVER_HOSTAP=y
-
- # Driver interface for wired authenticator
--#CONFIG_DRIVER_WIRED=y
-+CONFIG_DRIVER_WIRED=y
-
- # Driver interface for madwifi driver
- #CONFIG_DRIVER_MADWIFI=y
- #CFLAGS += -I../../madwifi # change to the madwifi source directory
-
- # Driver interface for drivers using the nl80211 kernel interface
--CONFIG_DRIVER_NL80211=y
-+#CONFIG_DRIVER_NL80211=y
-
- # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
- #CONFIG_DRIVER_BSD=y
-@@ -30,7 +30,7 @@
- #LIBS_c += -L/usr/local/lib
-
- # Driver interface for no driver (e.g., RADIUS server only)
--#CONFIG_DRIVER_NONE=y
-+CONFIG_DRIVER_NONE=y
-
- # IEEE 802.11F/IAPP
- CONFIG_IAPP=y
-@@ -152,7 +152,7 @@
-
- # Add support for writing debug log to a file: -f /tmp/hostapd.log
- # Disabled by default.
--#CONFIG_DEBUG_FILE=y
-+CONFIG_DEBUG_FILE=y
-
- # Remove support for RADIUS accounting
- #CONFIG_NO_ACCOUNTING=y
\ No newline at end of file
diff --git a/testing/scripts/recipes/patches/tnc-fhh-tncsim b/testing/scripts/recipes/patches/tnc-fhh-tncsim
deleted file mode 100644
index 42c714480..000000000
--- a/testing/scripts/recipes/patches/tnc-fhh-tncsim
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index fe65134512ea..3c5255f21ea6 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -101,7 +101,6 @@ IF(${COMPONENT} STREQUAL "ALL")
- add_subdirectory(tncxacml)
- add_subdirectory(imcv)
- add_subdirectory(tncs)
-- add_subdirectory(tncsim)
-
- IF(${NAL} STREQUAL "8021X" OR ${NAL} STREQUAL "ALL")
- add_subdirectory(naaeap)
diff --git a/testing/scripts/recipes/patches/wpa_supplicant-eap-tnc b/testing/scripts/recipes/patches/wpa_supplicant-eap-tnc
deleted file mode 100644
index 2e00e5b44..000000000
--- a/testing/scripts/recipes/patches/wpa_supplicant-eap-tnc
+++ /dev/null
@@ -1,47 +0,0 @@
-diff -urN wpa_supplicant-2.0.ori/src/eap_peer/tncc.c wpa_supplicant-2.0/src/eap_peer/tncc.c
---- wpa_supplicant-2.0.ori/src/eap_peer/tncc.c 2013-01-12 16:42:53.000000000 +0100
-+++ wpa_supplicant-2.0/src/eap_peer/tncc.c 2013-03-23 13:10:22.151059154 +0100
-@@ -465,7 +465,7 @@
- return -1;
- }
- #else /* CONFIG_NATIVE_WINDOWS */
-- imc->dlhandle = dlopen(imc->path, RTLD_LAZY);
-+ imc->dlhandle = dlopen(imc->path, RTLD_LAZY | RTLD_GLOBAL);
- if (imc->dlhandle == NULL) {
- wpa_printf(MSG_ERROR, "TNC: Failed to open IMC '%s' (%s): %s",
- imc->name, imc->path, dlerror());
-diff -urN wpa_supplicant-2.0.ori/wpa_supplicant/defconfig wpa_supplicant-2.0/wpa_supplicant/defconfig
---- wpa_supplicant-2.0.ori/wpa_supplicant/defconfig 2013-01-12 16:42:53.000000000 +0100
-+++ wpa_supplicant-2.0/wpa_supplicant/defconfig 2013-03-23 13:06:08.759052370 +0100
-@@ -86,7 +86,7 @@
- CONFIG_DRIVER_WEXT=y
-
- # Driver interface for Linux drivers using the nl80211 kernel interface
--CONFIG_DRIVER_NL80211=y
-+#CONFIG_DRIVER_NL80211=y
-
- # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
- #CONFIG_DRIVER_BSD=y
-@@ -193,7 +193,7 @@
- #CONFIG_EAP_GPSK_SHA256=y
-
- # EAP-TNC and related Trusted Network Connect support (experimental)
--#CONFIG_EAP_TNC=y
-+CONFIG_EAP_TNC=y
-
- # Wi-Fi Protected Setup (WPS)
- #CONFIG_WPS=y
-diff -urN wpa_supplicant-2.0.ori/wpa_supplicant/Makefile wpa_supplicant-2.0/wpa_supplicant/Makefile
---- wpa_supplicant-2.0.ori/wpa_supplicant/Makefile 2013-01-12 16:42:53.000000000 +0100
-+++ wpa_supplicant-2.0/wpa_supplicant/Makefile 2013-03-23 13:06:08.759052370 +0100
-@@ -6,8 +6,8 @@
- CFLAGS = -MMD -O2 -Wall -g
- endif
-
--export LIBDIR ?= /usr/local/lib/
--export BINDIR ?= /usr/local/sbin/
-+export LIBDIR ?= /usr/lib/
-+export BINDIR ?= /usr/sbin/
- PKG_CONFIG ?= pkg-config
-
- CFLAGS += -I../src
diff --git a/testing/testing.conf b/testing/testing.conf
index 92b9693c1..7d8480c1f 100644
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -24,18 +24,14 @@ fi
 : ${TESTDIR=/srv/strongswan-testing}
 
 # Kernel configuration
-<<<<<<< Updated upstream
-: ${KERNELVERSION=4.18.9}
-=======
-: ${KERNELVERSION=4.15.9}
->>>>>>> Stashed changes
+: ${KERNELVERSION=4.20}
 : ${KERNEL=linux-$KERNELVERSION}
 : ${KERNELTARBALL=$KERNEL.tar.xz}
-: ${KERNELCONFIG=$DIR/../config/kernel/config-4.15}
-: ${KERNELPATCH=ha-4.15.6-abicompat.patch.bz2}
+: ${KERNELCONFIG=$DIR/../config/kernel/config-4.19}
+: ${KERNELPATCH=ha-4.16-abicompat.patch.bz2}
 
 # strongSwan version used in tests
-: ${SWANVERSION=5.7.0}
+: ${SWANVERSION=5.7.2}
 
 # Build directory where the guest kernel and images will be built
 : ${BUILDDIR=$TESTDIR/build}
@@ -52,8 +48,8 @@ fi
 
 # Base image settings
 # The base image is a pristine OS installation created using debootstrap.
-: ${BASEIMGSIZE=1600}
-: ${BASEIMGSUITE=jessie}
+: ${BASEIMGSIZE=1800}
+: ${BASEIMGSUITE=stretch}
 : ${BASEIMGARCH=amd64}
 : ${BASEIMG=$IMGDIR/debian-$BASEIMGSUITE-$BASEIMGARCH.$IMGEXT}
 : ${BASEIMGMIRROR=http://http.debian.net/debian}
diff --git a/testing/tests/botan/net2net-ed25519/description.txt b/testing/tests/botan/net2net-ed25519/description.txt
new file mode 100755
index 000000000..8c67989f4
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/description.txt
@@ -0,0 +1,10 @@
+A connection between the subnets behind the gateways moon and sun is set up.
+The authentication is based on X.509 certificates containing Ed25519 keys.
+moon uses the botan plugin based on the Botan library for all
+cryptographical functions whereas sun uses the default strongSwan
+cryptographical plugins.
+

+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client alice behind gateway moon
+pings client bob located behind gateway sun.
diff --git a/testing/tests/botan/net2net-ed25519/evaltest.dat b/testing/tests/botan/net2net-ed25519/evaltest.dat
new file mode 100755
index 000000000..ebbb8ae75
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/evaltest.dat
@@ -0,0 +1,7 @@
+moon::cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with ED25519 successful::YES
+sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ED25519 successful::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/strongswan.conf b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..508c30a00
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = random pem x509 revocation constraints pubkey botan
+}
+
+charon-systemd {
+ load = random nonce pem x509 botan revocation curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem
new file mode 100644
index 000000000..491d36430
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIKF9TGaPwvVmqoqowy6y8anmPMKpSi9bKc310bbXBMtk
+-----END PRIVATE KEY-----
diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..bcc2742f7
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem
new file mode 100644
index 000000000..e67b224b6
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB9TCCAaegAwIBAgIBATAFBgMrZXAwTzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoT
+EnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEGA1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5
+IFJvb3QgQ0EwHhcNMTYxMjA0MjI0MDQyWhcNMjExMjA0MjI0MDQyWjBaMQswCQYD
+VQQGEwJDSDEbMBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MRAwDgYDVQQLEwdF
+ZDI1NTE5MRwwGgYDVQQDExNtb29uLnN0cm9uZ3N3YW4ub3JnMCowBQYDK2VwAyEA
+4X/jpRSEXr0/TmIHTOj7FqllkP+3e+ljkAU1FtYnX5ijgZwwgZkwHwYDVR0jBBgw
+FoAUI06SkApIhvYFXf55p3YDOo5w2PgwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdz
+d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo
+dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWQyNTUxOS5jcmww
+BQYDK2VwA0EAOjD6PXrI3R8Wj55gstR2FtT0Htu4vV2jCRekts8O0++GNVMn65BX
+8ohW9fH7Ie2JTSOb0wzX+TPuMUAkLutUBA==
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 000000000..9c5a06945
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBljCCAUigAwIBAgIIBrMLy9hl4GQwBQYDK2VwME8xCzAJBgNVBAYTAkNIMRsw
+GQYDVQQKExJzdHJvbmdTd2FuIFByb2plY3QxIzAhBgNVBAMTGnN0cm9uZ1N3YW4g
+RWQyNTUxOSBSb290IENBMB4XDTE2MTIwNDIyMzU1NloXDTI2MTIwNDIyMzU1Nlow
+TzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEG
+A1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5IFJvb3QgQ0EwKjAFBgMrZXADIQAKMO0G
+lvjTLC7k8FoSp78rca3x++nvf9xPACSqnBg5UKNCMEAwDwYDVR0TAQH/BAUwAwEB
+/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFCNOkpAKSIb2BV3+ead2AzqOcNj4
+MAUGAytlcANBAEimNd3OTwM42KM0D+E6nJMHbrGSLA1XAukJDH9w30tzkbQHxTSv
+OPEN02ar1L30xfYVySJhV9i5cE8QkhThcAQ=
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/strongswan.conf b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/strongswan.conf
new file mode 100755
index 000000000..a35aea01c
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem
new file mode 100644
index 000000000..b83f62c13
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIF8vNpW9TVnEB+DzglbCjuZr+1u84dHRofgHoybGL9j0
+-----END PRIVATE KEY-----
diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..12cee0fc6
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem
new file mode 100644
index 000000000..70af02017
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB8zCCAaWgAwIBAgIBAjAFBgMrZXAwTzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoT
+EnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEGA1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5
+IFJvb3QgQ0EwHhcNMTYxMjA0MjI0MDAyWhcNMjExMjA0MjI0MDAyWjBZMQswCQYD
+VQQGEwJDSDEbMBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MRAwDgYDVQQLEwdF
+ZDI1NTE5MRswGQYDVQQDExJzdW4uc3Ryb25nc3dhbi5vcmcwKjAFBgMrZXADIQBn
+HgUv3QIepihJpxydVVtgTsIqminFnbGSER5ReAaQ+qOBmzCBmDAfBgNVHSMEGDAW
+gBQjTpKQCkiG9gVd/nmndgM6jnDY+DAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dh
+bi5vcmcwEwYDVR0lBAwwCgYIKwYBBQUHAwEwQQYDVR0fBDowODA2oDSgMoYwaHR0
+cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VkMjU1MTkuY3JsMAUG
+AytlcANBAC27Z6Q7/c21bPb3OfvbdnePhIpgGM3LVBL/0Pj9VOAtUec/Rv2rPNHq
+8C1xtc/jMCsI/NdpXSZCeN0lQgf0mgA=
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 000000000..9c5a06945
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBljCCAUigAwIBAgIIBrMLy9hl4GQwBQYDK2VwME8xCzAJBgNVBAYTAkNIMRsw
+GQYDVQQKExJzdHJvbmdTd2FuIFByb2plY3QxIzAhBgNVBAMTGnN0cm9uZ1N3YW4g
+RWQyNTUxOSBSb290IENBMB4XDTE2MTIwNDIyMzU1NloXDTI2MTIwNDIyMzU1Nlow
+TzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEG
+A1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5IFJvb3QgQ0EwKjAFBgMrZXADIQAKMO0G
+lvjTLC7k8FoSp78rca3x++nvf9xPACSqnBg5UKNCMEAwDwYDVR0TAQH/BAUwAwEB
+/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFCNOkpAKSIb2BV3+ead2AzqOcNj4
+MAUGAytlcANBAEimNd3OTwM42KM0D+E6nJMHbrGSLA1XAukJDH9w30tzkbQHxTSv
+OPEN02ar1L30xfYVySJhV9i5cE8QkhThcAQ=
+-----END CERTIFICATE-----
diff --git a/testing/tests/botan/net2net-ed25519/posttest.dat b/testing/tests/botan/net2net-ed25519/posttest.dat
new file mode 100755
index 000000000..30f6ede76
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/posttest.dat
@@ -0,0 +1,7 @@
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm /etc/swanctl/pkcs8/*
+sun::rm /etc/swanctl/pkcs8/*
diff --git a/testing/tests/botan/net2net-ed25519/pretest.dat b/testing/tests/botan/net2net-ed25519/pretest.dat
new file mode 100755
index 000000000..410253e54
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/pretest.dat
@@ -0,0 +1,9 @@
+moon::rm /etc/swanctl/rsa/moonKey.pem
+sun::rm /etc/swanctl/rsa/sunKey.pem
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/botan/net2net-ed25519/test.conf b/testing/tests/botan/net2net-ed25519/test.conf
new file mode 100755
index 000000000..07a3b247a
--- /dev/null
+++ b/testing/tests/botan/net2net-ed25519/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/botan/net2net-pkcs12/description.txt b/testing/tests/botan/net2net-pkcs12/description.txt
new file mode 100644
index 000000000..1d40e30f0
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/description.txt
@@ -0,0 +1,8 @@
+A connection between the subnets behind the gateways moon and sun is set up.
+The authentication is based on X.509 certificates and an RSA private key stored in
+PKCS12 format.
+

+Upon the successful establishment of the IPsec tunnels, leftfirewall=yes
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client alice behind gateway moon
+pings client bob located behind gateway sun.
diff --git a/testing/tests/botan/net2net-pkcs12/evaltest.dat b/testing/tests/botan/net2net-pkcs12/evaltest.dat
new file mode 100644
index 000000000..bfc7e76f1
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/evaltest.dat
@@ -0,0 +1,5 @@
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/strongswan.conf b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..1d9a7c08b
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/strongswan.conf
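Review bot: The pkcs12 evaltest.dat never checks that the peers actually authenticated with the key loaded from the PKCS#12 container; it only asserts the SA state and the ping, so a setup where the key was silently taken from elsewhere would still pass. The ed25519 variant added earlier in this commit grep's daemon.log for the authentication line, and the same shape would pin this test's purpose: `moon::cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*successful::YES` and the mirror line for sun. The sha3-rsa-cert evaltest.dat later in this commit has the same gap and could take the same two lines.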
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = pem nonce revocation botan x509 curl vici kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12 b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12
new file mode 100644
index 000000000..365da741f
Binary files /dev/null and b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12 differ
diff --git a/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..b11cf0f3e
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-modp3072
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ pkcs12-moon {
+ file = moonCert.p12
+ secret = "kUqd8O7mzbjXNJKQ"
+ }
+}
diff --git a/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/strongswan.conf b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..1d9a7c08b
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = pem nonce revocation botan x509 curl vici kernel-netlink socket-default updown
+ multiple_authentication = no
+}
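Review bot: The `secrets` block of moon's swanctl.conf commits the PKCS#12 passphrase in clear, and the matching container is a binary blob whose contents a reader cannot inspect in this diff, so nothing in the file says these are disposable lab fixtures rather than credentials to be reused. A one-line comment above the block, `# throwaway test-lab passphrase for the fixture moonCert.p12 generated for this test only`, makes that explicit; sun's swanctl.conf in the next file section has the same `secrets` block and would take the same comment. Both files sit under the test-environment tree, so I assume the fixtures are never deployed outside the guest images — worth confirming in description.txt.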
diff --git a/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12 b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12
new file mode 100644
index 000000000..e2cd2f21d
Binary files /dev/null and b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12 differ
diff --git a/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..28c0e87a4
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-modp3072
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ pkcs12-sun {
+ file = sunCert.p12
+ secret = "IxjQVCF3JGI+MoPi"
+ }
+}
diff --git a/testing/tests/botan/net2net-pkcs12/posttest.dat b/testing/tests/botan/net2net-pkcs12/posttest.dat
new file mode 100644
index 000000000..9802f442d
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/posttest.dat
@@ -0,0 +1,6 @@
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm /etc/swanctl/pkcs12/moonCert.p12
+sun::rm /etc/swanctl/pkcs12/sunCert.p12
diff --git a/testing/tests/botan/net2net-pkcs12/pretest.dat b/testing/tests/botan/net2net-pkcs12/pretest.dat
new file mode 100644
index 000000000..22ffcf949
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/pretest.dat
@@ -0,0 +1,9 @@
+moon::cd /etc/swanctl; rm rsa/moonKey.pem x509/moonCert.pem x509ca/strongswanCert.pem
+sun::cd /etc/swanctl; rm rsa/sunKey.pem x509/sunCert.pem x509ca/strongswanCert.pem
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/botan/net2net-pkcs12/test.conf b/testing/tests/botan/net2net-pkcs12/test.conf
new file mode 100644
index 000000000..87abc763b
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/description.txt b/testing/tests/botan/net2net-sha3-rsa-cert/description.txt
new file mode 100755
index 000000000..2db82a941
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/description.txt
@@ -0,0 +1,8 @@
+A connection between the subnets behind the gateways moon and sun is set up.
+The authentication is based on X.509 certificates with signatures consisting of
+RSA-encrypted SHA-3 hashes.
+

+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client alice behind gateway moon
+pings client bob located behind gateway sun.
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/evaltest.dat b/testing/tests/botan/net2net-sha3-rsa-cert/evaltest.dat
new file mode 100755
index 000000000..4c56d5299
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/evaltest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..51a7747d7
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem x509 revocation constraints pubkey botan random
+}
+
+charon-systemd {
+ load = random nonce pem x509 revocation constraints pubkey botan curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem
new file mode 100644
index 000000000..f24b3ebf3
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG4wIBAAKCAYEAnD3x6bsLjwUP9BU0+hDSo28XBn1aM8+UO5n5XnnuQ8CDB+Mq +pEHgNve71FBD8Gqf2dha5rfRx5HhXbw6BZMCTdUs5oxHsaOl5LGwp8W4G1BSxofV +T7yzfnmW/+lPER2zJnXbOlVfW8UoEbsAfXpCr/edJvBu10kk1VHjrnMJIDGlNc4N +Re06DcYSb/7AgRN6umPQr+uRzn5jFXJyROjx00gH89GzZIaNciyiYwaCZFBduByt +UhaL8RKMA+MxWrB1ICQgE7hITZXvJJg2UuEe+t3lXMSfKoZHyU2sTBtctXan6rf/ +XmC0O3Bf7RTwoFmDvJlApgfpL1QIe8gH1hi/NukTYskm+zWYPkJAzcwCyMmyhZFY +v0r0pybLWI1hZ8xeTr7MSbtImsvxl8mxwG7wRtWS5BKd0kke/gorCEI8AYZj33NA +G58iX4+z745z4UNNTDg1bnjB2fTw4c0AD7TOIU76ZskhGKj4J7ZMzeQ5YXLMFRmp +qn0p9obSqXwg62dXAgMBAAECggGAHb2g3efv5FKHXePniK5JGjkcPe0AjZo20j2V +/UjidN0hVBAG3ut3PZ9cjqaUuB/ju7j2XLKi6QU4y/n3ZXY9Wwl4GY6cWxEWk/jK +8rStPe3FQ+s5TItT84A7oQ0NMunfXzPR/kGf/D0ESpO5HSl3pj1RGcdsoehXbY+/ +8kYNd6Zbl2lYl3X3tgV9Hvp0NF2739z+LW5++7qNK9j0LW/WEGzGrr+9ESaXqCMc +6hKkIWo23MQArf6Ctunb4yWNEIFEDi1r9DzMbZN/lVhDx77Q0KYLH1P31R5rOc1G +NYXPF4F3CSfUsgd48dB2/1FCTnDJ4PmOU/R1L8jAgnSOroTAYDVzY4DJ7vyKGvIE +DL7eKlbwOfS5swyANUKgHO6QiHt9WzcNUGpeinTa3wJ4KoAdG+lzDMuiwRFdSRRU +z7t1ptTf2LuCAtva2daP2SPed+ITg2QB6X4BSQkqR0vPYBQIZAtFjMWH78E2PLrD +01+LpOj8TBRerd834etDODg4ddiRAoHBAMiYg7hWfChw3SdnmAmkhDAZN80pvsUU +bzzAiQ5EI59JYMoi/amYyLd6hUK4Z8g4gcdXzBYw9iwJuj8LMpPBZlplAxVnFdId +23I+GNDmcX2ovOpl6skKy1grNhBigxRUQUGsS9oxrYeuy2VymDzeZPCQmrrhsXk/ +Mac237nncJj2n8I5RtDOoSOFD0+grs7MXs4P+W2HHzWgkN7mBgKeFfUPLI3Kyy3p +F7tXegtJqIJsXlfZ/fzR40QTy7/VbwAW/wKBwQDHZVDYtYe4YoHKdwtAqs/J08QA +29fGkM4ZawLNTY4jz9rdtOuBWg0FPAo82x21xlbRQLsaTKzy9O6a3cQ5oaKtKCh/ +XmKCssrnzJsYZYnhkP4f4VXK8nai/9LFo8TWhB8hNy62GGmfXffsqhAIqIqZA02F +/mOfR6Wrqs7yfzYnJnVsjbR1B2zSiNAYKtk1VtQdGjuagSn/dEyhSCaQRXotXUKX +SJDzPf/H2mj97Cg+3bCtdE/h//N1/cmV/5QEx6kCgcEAh1ua7oW1bBiUsuVNi5wu +8sHhjJiRuS0LzsPg9/Z0zyRVorCv2IRXVK/hQl9q8Ilo0VnmRkctphO+UJI+w8Nq +TK8CwKt55vnsvY83cac+h9uX9tdk8dpN0qX96lp/NvWPv0ADQy3oebkyWLdWESTE +miwJrPdkqXtCByKZHzoUGbO5o/bAWWBFDdHYvhOgQb1Yb9YJqqXWInrBpxcykQuZ +p25g0yE3rzgtomXp3boLck6r7r4TjEkZATQWddERAM+DAoHAEW4w6BDOYXbzA6Du 
+ceO8sFb7vlt5fFkyOxSYtRu/fi/wYQssvy0BEGEUQAejjD1fX4F6Ga10PPTeWtli +CuuvTdXB3IiCsgwxIpxHPpW5vOcw39aR6mDRsCQO58oOLfZ0xjGNustdiFntj1m6 +dxdMrl2UjE8VpFneCKiw2I/4SunYv/mPOd/BSpI9Jq+wNzJ07mpZpYL/Cd6/yCWH +gXshWA/b/1+PlEPqNS1JmlDnn78/b5pIVWhLfxgFZEBoTxapAoHAY/58nLcWpvpY +3IZC0fBuR7usTACbxr9Z4okHzJUNnoJe+MSE+wQwuE3nP+vc1CrmBSwCjN2wyVLc +gy3idN77NthU9l0oElrPbGFKdFEaa85IcKtnfnspzmvo9AJn2wveZUAlZAzu2zBN +vKI8ubXgoS56uHQnNsWOIugTW/P1I8FnlD4jPItaACGJ3yZWolh9g/WOGS29qJvV +E/6hT4QPPXPZFEnOKO0/3YsMXBwcnEqm2mQ+c4rGMKrTcynk4KaE +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..bcc2742f7 --- /dev/null +++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem new file mode 100644 index 000000000..bea7e81f8 --- /dev/null +++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem 
@@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEyDCCAzCgAwIBAgIBAjANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb +MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG +A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjEwMzU0N1oXDTI2MDky +MjEwMzU0N1owWDELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv +amVjdDEOMAwGA1UECxMFU0hBLTMxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5v +cmcwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCcPfHpuwuPBQ/0FTT6 +ENKjbxcGfVozz5Q7mfleee5DwIMH4yqkQeA297vUUEPwap/Z2Frmt9HHkeFdvDoF +kwJN1SzmjEexo6XksbCnxbgbUFLGh9VPvLN+eZb/6U8RHbMmdds6VV9bxSgRuwB9 +ekKv950m8G7XSSTVUeOucwkgMaU1zg1F7ToNxhJv/sCBE3q6Y9Cv65HOfmMVcnJE +6PHTSAfz0bNkho1yLKJjBoJkUF24HK1SFovxEowD4zFasHUgJCATuEhNle8kmDZS +4R763eVcxJ8qhkfJTaxMG1y1dqfqt/9eYLQ7cF/tFPCgWYO8mUCmB+kvVAh7yAfW +GL826RNiySb7NZg+QkDNzALIybKFkVi/SvSnJstYjWFnzF5OvsxJu0iay/GXybHA +bvBG1ZLkEp3SSR7+CisIQjwBhmPfc0AbnyJfj7PvjnPhQ01MODVueMHZ9PDhzQAP +tM4hTvpmySEYqPgntkzN5DlhcswVGamqfSn2htKpfCDrZ1cCAwEAAaOBnTCBmjAf +BgNVHSMEGDAWgBTkyc2M8ohtHacu1155MaVmVTXOAjAeBgNVHREEFzAVghNtb29u +LnN0cm9uZ3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEIGA1UdHwQ7MDkw +N6A1oDOGMWh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi1zaGEz +LXJzYS5jcmwwDQYJYIZIAWUDBAMOBQADggGBAAHZATrdzGmUIq+0+EdA1AbPdcaT +UDKJvDS30JyOkUnAv5jr63PHyfw+RS92zgE2UyB4+u43BiggBNmTNCjpaEUmViAo +tdywkzIKm7q3dr0078IZ8LU8Wo+hoeRNkBJOxdgflsSislQYDeTd7syoQ4BW7whs +jjFK2Lbthd+/33Iw3LMekYuZF7ZUbHY7D3nlBidrmTIQQCvOnsW2lJi/S83FEYzl +noK+of3eo4Ryg1/428FHts26PxSmnHv+ckj9R4Jf5kH8kd1WhrgDyHQMnihWlUJ2 +pintDBgislbZytqiBOGeYpbpxKl57zHs421wmUs329asu7zgfJFnCynkUgvuRXdc +gDJ+DAiVaXCJlYnk36P87028SR9/C0JLzHA3O5CcfUdFEUs0BvVe1D3b9kC28rdA +5V86DFCL+gp6rB+wDtq6YnCddaNk+ZCs/QAPidqOFAytaBBKaagMIFk+wlsFge79 +ZssIfKy33Frluw0HCj0LNs2tjWvG4Ku8xkFO1Q== +-----END CERTIFICATE----- 
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..29ad5b942 --- /dev/null +++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEazCCAtOgAwIBAgIBADANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb +MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG +A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjA5NDA1NVoXDTMxMDky +MjA5NDA1NVowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv +amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBD +QTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJpHGoOCJSiZoJhPXHqF +XWvrY8zyGwlUCiwphOobq4nhqo2EchTuKdPvCckxtXp/pF5IJsXpptbMmNUmgN7K +VMI/zmI9estFUZg8hn5LSMAbnm102W3xLzM6FRJWMcwe2gajg/NCww02mPsohONC +R4nNMUgYOZdesPDmtYUKk3sr5ZNdpBL6hESBMzFYmYLBzaoeseuzra7U850tF9JU +YfpJStBXNDz8iVPCqOkgKf1hFrPNNxtmsBW68V2ARmYNzqnaP3nLs/U43zZQiT6t +b+zcAE1h6RGgVXjF1b1KG64J153n0YELrC2TpaF2JAGQVvzQgxoZbgiWCKt0m7wx +Qb7P3euy8MxsMGmqHDMtztrg6AAzRKoJN56qHqdP2qExc32uu/BwfmbFv7MLxKQw +g0VykfWBSNyx/2HMDHw79idgFpzHr2nj4CDqB6QLWtRMCWtlT8R7rlz5JlcsJY1U +7Rlwokje9Ctj/5gToXctnLbo+j2506GLtbhxNOaH1s7GswIDAQABo0IwQDAPBgNV +HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU5MnNjPKIbR2n +LtdeeTGlZlU1zgIwDQYJYIZIAWUDBAMOBQADggGBAF+Q4zABKa1ZWohHqsTgru6v +4ru0Pnfbmg3vhlc5ur93Sd0C+fX+e+78n+0QpUNa0N9Vw54r/aF4ki0ceL4Dl4w0 +aXcDa2ozl/hksSeKwIp14W/NHTAjzP2aNpN5/dqd1DM+vojJhlcArepuVVH+NIKt +YYUXwvsjJN9OAAKkMCbnda8gOnKMGJkVIUOTz2DOyzqd5iQ3h3zxzluP4KIya5/k +FZV0wXy8v7phLGgbPJ5DtGuTCjao7+nF6lLkJ+/l3vPC1luB4/UbMGML4GxVwVIM +riCepPT1I9CNuHy2qKpsEmCv8zb5pxXrxv0uIYn8MZx7VCnLuD61AOqIExTYvxv2 +Z3JbOuOsgHJeMKJbhY8r8HkktNLOeLrOW2KSilNpE915EFN0exGMC3zG4IgzRc9u +kGGDVV9BsTkAYjQrWBuuWqxy8TCRPNpe6hnVJIQLLjE9M1V/PW3MD5ObndgT8jA3 +sMMwCxo+S11MZIcKCgnCCcGhgTLT7rFpC0hwRa6dkA== +-----END CERTIFICATE----- 
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf
new file mode 100755
index 000000000..51a7747d7
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem x509 revocation constraints pubkey botan random
+}
+
+charon-systemd {
+ load = random nonce pem x509 revocation constraints pubkey botan curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem
new file mode 100644
index 000000000..a694bbb8f
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG4wIBAAKCAYEAuoGEVV6htuzLZd7oeZHYznMbBLffOz2l+t0XqHTUA44eM57K +ZZMDAcc0gZvZWVFNDmOWpXpxbSQozA8Dgb9b9BYkNWHKW11rwSHq5mzmjBME394p +DvzdV3tMmSGrhS00EyFWXLnpqrvkNTtiIm6nNHidrqM4ixbXiebOjDi3Z1vIJHOu +MiUBe8KvZ7p8q4MpRADpEB565NWd+5/Yy4DECepBcmQn+9Pn/6FvdYfodBin9QyO ++7xsgQlnx6XI1HeiMdB6EE8r4AOVbZWseEJkUo/ZhsQk5tIYKZB18vo/8nnAHn6r +ez+belmo4l/3hctRn8t08Lp7TRxnIUwGL8b8BxtAkR9T09duwE1KRt4h/PsCRx1H +WKN9g/KsOi8ZPrBiz+hoHhIv+pvQ4ciEuC1Zf6AelEUnI/Rh6RuIkEjuisNk6zL6 +Fi9J2RWDTXY5vJdUTbmQhoQpbmX3yWdJyLn9vLaK/IDhaguYOuiUHKY57jWXZwW/ +bD3a5wi08JLCb0ahAgMBAAECggGALeWxq1Cee2XKqEcy7rf1otiwzXhydyG0twex +ysL1aeqPhCSPqm+DTey3/y1bT5+yVtgrOo3nW/SKFa2cL1HoTykjv/9QzSswWVb/ +d7VVByOnD3CcqhOQZPby4rxmeV+mcQ7DMg6OcnXKs07p149jloYYR+HjCFeWs1kZ +e2h5ufXcSxwswipZMxu2DtDV3V9pyFJxCIZ3t9jaCBJOR8ZoeAguEviS3mZHsaEI +zOOlUOzAaI2uokS8bwThhUBHLAJEe5hglKtu5N1QGUo5x62wIK1+4McKqX5cphvW +63N5P7yB30hfc1xM9VP/fi5UzmgccNmHl3ErJX6EbHbVNUv0a/wI6cp+s/DQRZMc +Injr5BJIIFbzmqYST+UxEwtxUL7uV1s/eTXwsFxfQPJnx8rWbeyvGJHU6VykWJ2n +vHmOItgaw4Lm0iw5XH2g0QC7nYFW6qC5sk7LIS3xUzN73JWjV2Z1E5nLfKxZ9sXz +aA8WNrMSHUM/KkFaUri1xoH6gdABAoHBAPfA/gcZaoMemP06BIWKwgb/91GRsvc+ +slrmyZy+nq2bQaJw8oYyUmgWfh9X8pD6eVQN7jJBuA3BMg3L4Vn/R65rcwwYKA20 +pHgZF2MbwRlbBDtFQJe8kmwFu+TkHpGcoo94V6MdpbqoRKwQs66WOcjp4vzRLOL0 +ueynDrAPxpOaNIsr66s7xjd01VwEXYlfOfNBpOF/+3vN+O++k45/rnlEWgLeq6ie +1xkv9vZp4FuNf6gnBXcNhu8aDJvJEMfxnQKBwQDAtqgE9K7Rhq9ht8w8P+QZUGYL +c8mL4IGsPgmucuuheeWpmvLuAhsTxWBQhrO8/eEK4je+li6R/x0HYqgytsnOxlQH +xH8ZsvouPtacUF9pv8x7GLnGlvdxdQzmnjYqR5MzFEX/L8+8skiyY95V/kNiWE/T +X/Q8JgqyQ7VlykHtaToYchEhgY2m2Zxw6YhrI/ghtlP6NwOJDYsFxe7cfVvBQj9K +qtwAidr8pKSLyJFaot+dAdSqAYZxiO90aSt/i9UCgcEAjzv7YR1Xj+CjsFrXfGFB +VYysbnMelYSg1p7w1nb6BAJrir9j5yO2ssi2N+a/rQOyG19GY7XM897K0mEZss88 +oOEsDUT1+x6Bq5FODRVhqQgOxTl/Y3o46MzT2TvtVF/LN8jqWbptMyHPOe8aAoiF +dduKSIGiQsAbsW7PtggY1QLk98T3pfKT4UHhjCZV8XKlbTZ5XYmBWg01q11xr4Ov +2hojM9+KPJ1AXCZ3z/RcKnH+6LdOmIqwhRF5UqOG2SGdAoHAEA+pFTCnWUMWXtiI 
+pwTUJ9/xgUbXJ1dAt3A8MlPVm5GjOG13jaqTQySSEGQJmti15shPyQyPOQ/ABZuN +VRyy2Q7idftEdIncG/qUvFZefVvE2QWIhiqS2NvehWHuNbvdYsZvxwLfF2TsdiGo +qBYW251smbtHibPJ9G18Ms2WjQjWFK99CgPYIG3GggqUmglXZsfhW9s16jg8u/Bx +JeM0wHia+cgfqdPTcnbuV9ARfTJR3K4IYVrbL58wBc22GF05AoHAQvhfvtieWCJ8 +ATqOBjOcUHJ2WLiOslWsYOoqXy7v2YuVt8XFWAWZmLlzcC+8Tv79lCLpOmpiseQw +kP9Mihi+8T15AmRUUsPREeGb7wCDNbd/KixPimhnelNGPNAV+6DPonSa4WcF9jZk +nDa51PBPWCEPB5GHdbg/E5yiWMbr63bcTQNZxlRDaljNSRPp8xprs+JT1AIZI2wq +hEyK6IMjYIj80jB8JZIM7nNgRhzCKCo7RdR3JMb5tduOgzvEheC3 +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..12cee0fc6 --- /dev/null +++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem new file mode 100644 index 000000000..f1c086ee9 --- /dev/null +++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem 
@@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIExjCCAy6gAwIBAgIBATANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb +MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG +A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjEwMzUzMFoXDTI2MDky +MjEwMzUzMFowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv +amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2FuLm9y +ZzCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALqBhFVeobbsy2Xe6HmR +2M5zGwS33zs9pfrdF6h01AOOHjOeymWTAwHHNIGb2VlRTQ5jlqV6cW0kKMwPA4G/ +W/QWJDVhyltda8Eh6uZs5owTBN/eKQ783Vd7TJkhq4UtNBMhVly56aq75DU7YiJu +pzR4na6jOIsW14nmzow4t2dbyCRzrjIlAXvCr2e6fKuDKUQA6RAeeuTVnfuf2MuA +xAnqQXJkJ/vT5/+hb3WH6HQYp/UMjvu8bIEJZ8elyNR3ojHQehBPK+ADlW2VrHhC +ZFKP2YbEJObSGCmQdfL6P/J5wB5+q3s/m3pZqOJf94XLUZ/LdPC6e00cZyFMBi/G +/AcbQJEfU9PXbsBNSkbeIfz7AkcdR1ijfYPyrDovGT6wYs/oaB4SL/qb0OHIhLgt +WX+gHpRFJyP0YekbiJBI7orDZOsy+hYvSdkVg012ObyXVE25kIaEKW5l98lnSci5 +/by2ivyA4WoLmDrolBymOe41l2cFv2w92ucItPCSwm9GoQIDAQABo4GcMIGZMB8G +A1UdIwQYMBaAFOTJzYzyiG0dpy7XXnkxpWZVNc4CMB0GA1UdEQQWMBSCEnN1bi5z +dHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBCBgNVHR8EOzA5MDeg +NaAzhjFodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4tc2hhMy1y +c2EuY3JsMA0GCWCGSAFlAwQDDgUAA4IBgQACXiUqwisoOZUH3CPfi+aGaluK3mO7 +nj/gX5X9oE2JC3haWjbnC9fsKai72U8makp12xCpWjHsuiytVlXiiSCRxBGAaFm0 +cy2AI4Ttj+4+GAaI4BkqYBTApdSSXXUH3X4Lwb4LReX+16TsJ4E+d2U/j70gyGRK +F/KgkKj/Bi4F//4/uXHPbgp2istKmkQ4wlcUb5EdM0tUiAUwYGMhdUhSryq4+7y8 +1QaPGg0Zv3nvGgoj332BOczflmNzoonXcihZk97iMRc/TvBOoizvuH9COCSbw/AB +hnVG1lyTQjBAcE2U4MP5yUVuIqBgPnKtbyN3gf30Iq3g/ThVekchrYGO3PWMWAzS +ecfr2yN11BC6nDca039Yub41AuzQqBQR1gY5sHouXNTx4Bs0g4xk+3rGa8MMgI0+ +jXhDVAorQFYuACDuto6skRtkcmXJ/1psvVEv5dcKAHdZCNKkgtXe2XoVvrjNxnPw +MTVros8o+8Bz2R4qArLjwrZtvYI+czZx6dk= +-----END CERTIFICATE----- 
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..29ad5b942 --- /dev/null +++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEazCCAtOgAwIBAgIBADANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb +MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG +A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjA5NDA1NVoXDTMxMDky +MjA5NDA1NVowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv +amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBD +QTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJpHGoOCJSiZoJhPXHqF +XWvrY8zyGwlUCiwphOobq4nhqo2EchTuKdPvCckxtXp/pF5IJsXpptbMmNUmgN7K +VMI/zmI9estFUZg8hn5LSMAbnm102W3xLzM6FRJWMcwe2gajg/NCww02mPsohONC +R4nNMUgYOZdesPDmtYUKk3sr5ZNdpBL6hESBMzFYmYLBzaoeseuzra7U850tF9JU +YfpJStBXNDz8iVPCqOkgKf1hFrPNNxtmsBW68V2ARmYNzqnaP3nLs/U43zZQiT6t +b+zcAE1h6RGgVXjF1b1KG64J153n0YELrC2TpaF2JAGQVvzQgxoZbgiWCKt0m7wx +Qb7P3euy8MxsMGmqHDMtztrg6AAzRKoJN56qHqdP2qExc32uu/BwfmbFv7MLxKQw +g0VykfWBSNyx/2HMDHw79idgFpzHr2nj4CDqB6QLWtRMCWtlT8R7rlz5JlcsJY1U +7Rlwokje9Ctj/5gToXctnLbo+j2506GLtbhxNOaH1s7GswIDAQABo0IwQDAPBgNV +HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU5MnNjPKIbR2n +LtdeeTGlZlU1zgIwDQYJYIZIAWUDBAMOBQADggGBAF+Q4zABKa1ZWohHqsTgru6v +4ru0Pnfbmg3vhlc5ur93Sd0C+fX+e+78n+0QpUNa0N9Vw54r/aF4ki0ceL4Dl4w0 +aXcDa2ozl/hksSeKwIp14W/NHTAjzP2aNpN5/dqd1DM+vojJhlcArepuVVH+NIKt +YYUXwvsjJN9OAAKkMCbnda8gOnKMGJkVIUOTz2DOyzqd5iQ3h3zxzluP4KIya5/k +FZV0wXy8v7phLGgbPJ5DtGuTCjao7+nF6lLkJ+/l3vPC1luB4/UbMGML4GxVwVIM +riCepPT1I9CNuHy2qKpsEmCv8zb5pxXrxv0uIYn8MZx7VCnLuD61AOqIExTYvxv2 +Z3JbOuOsgHJeMKJbhY8r8HkktNLOeLrOW2KSilNpE915EFN0exGMC3zG4IgzRc9u +kGGDVV9BsTkAYjQrWBuuWqxy8TCRPNpe6hnVJIQLLjE9M1V/PW3MD5ObndgT8jA3 +sMMwCxo+S11MZIcKCgnCCcGhgTLT7rFpC0hwRa6dkA== +-----END CERTIFICATE----- 
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/posttest.dat b/testing/tests/botan/net2net-sha3-rsa-cert/posttest.dat
new file mode 100755
index 000000000..755f0e5f8
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/posttest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/pretest.dat b/testing/tests/botan/net2net-sha3-rsa-cert/pretest.dat
new file mode 100755
index 000000000..9440ddab0
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/test.conf b/testing/tests/botan/net2net-sha3-rsa-cert/test.conf
new file mode 100755
index 000000000..07a3b247a
--- /dev/null
+++ b/testing/tests/botan/net2net-sha3-rsa-cert/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..b2072d1f4
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
\ No newline at end of file
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..07178dc5e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,56 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ suffix
+ files
+ eap {
+ ok = return
+ }
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
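Review bot: The new mods-available/eap file for xauth-rsa-eap-md5-radius is committed without a final newline (the hunk ends with `\ No newline at end of file`), while the equivalent mods-available/eap added for mult-auth-rsa-eap-sim-id in this same commit does end with one. Adding the trailing newline keeps the two FreeRADIUS 3.0 fixtures consistent and avoids a spurious last-line change the next time this file is touched.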
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..4fb07b912
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "4iChxLT3"
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
index 181949fb5..4361417fd 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
index b4c7637ac..377aedf1b 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
@@ -1,6 +1,6 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
 moon::ipsec start
 carol::ipsec start
 moon::expect-connection rw
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..27a42d00f
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,53 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ suffix
+ files
+ pap
+}
+
+authenticate {
+ Auth-Type PAP {
+ pap
+ }
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+}
+
+}
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..4fb07b912
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "4iChxLT3"
diff --git a/testing/tests/ikev1/xauth-rsa-radius/posttest.dat b/testing/tests/ikev1/xauth-rsa-radius/posttest.dat
index 181949fb5..4361417fd 100644
--- a/testing/tests/ikev1/xauth-rsa-radius/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa-radius/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
index b4c7637ac..377aedf1b 100644
--- a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
@@ -1,6 +1,6 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
 moon::ipsec start
 carol::ipsec start
 moon::expect-connection rw
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf
deleted file mode 100644
index 0340d5669..000000000
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-subnet 10.1.0.0 netmask 255.255.0.0 {
- option routers 10.1.0.1;
- option broadcast-address 10.1.255.255;
- option domain-name servers PH_IP_WINNETOU PH_IP_VENUS
- option netbios-name-servers PH_IP_VENUS;
-
- # dynamic address pool for visitors
- range 10.1.0.30 10.1.0.50;
-}
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/dhcpd.conf
deleted file mode 100644
index 0340d5669..000000000
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/dhcpd.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-subnet 10.1.0.0 netmask 255.255.0.0 {
- option routers 10.1.0.1;
- option broadcast-address 10.1.255.255;
- option domain-name servers PH_IP_WINNETOU PH_IP_VENUS
- option netbios-name-servers PH_IP_VENUS;
-
- # dynamic address pool for visitors
- range 10.1.0.30 10.1.0.50;
-}
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/dhcpd.conf
deleted file mode 100644
index 0340d5669..000000000
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/dhcpd.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-subnet 10.1.0.0 netmask 255.255.0.0 {
- option routers 10.1.0.1;
- option broadcast-address 10.1.255.255;
- option domain-name servers PH_IP_WINNETOU PH_IP_VENUS
- option netbios-name-servers PH_IP_VENUS;
-
- # dynamic address pool for visitors
- range 10.1.0.30 10.1.0.50;
-}
diff --git a/testing/tests/ikev2/host2host-cert/description.txt b/testing/tests/ikev2/host2host-cert/description.txt
index 6be21bf8f..876aa7980 100644
--- a/testing/tests/ikev2/host2host-cert/description.txt
+++ b/testing/tests/ikev2/host2host-cert/description.txt
@@ -1,4 +1,6 @@
 A connection between the hosts moon and sun is successfully set up.
-The authentication is based on X.509 certificates. leftfirewall=yes automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
+The authentication is based on X.509 certificates.
+
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test the host-to-host tunnel moon pings sun.
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat
index 7e343efa5..dcf573b59 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat
@@ -6,4 +6,4 @@ carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
 carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES
 carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES
 carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat
index 7e343efa5..dcf573b59 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat
@@ -6,4 +6,4 @@ carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
 carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES
 carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES
 carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2057b5193
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,58 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ files
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..aa6f98076
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+228060123456002 EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
deleted file mode 100644
index 10c26aa15..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
+++ /dev/null
@@ -1,3 +0,0 @@
-sim_files {
- simtriplets = "/etc/freeradius/triplets.dat"
-}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
index 91425f812..2968646e5 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
@@ -2,13 +2,23 @@ authorize {
 preprocess
 chap
 mschap
- sim_files
 suffix
+ files
+ update reply {
+ EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+ EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+ EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+ EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+ EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+ EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+ EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}"
+ EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}"
+ EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}"
+ }
 eap {
 ok = return
 }
 unix
- files
 expiration
 logintime
 pap
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
deleted file mode 100644
index aaabab89e..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
-228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
-228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
-228060123456002,33000000000000000000000000000000,33112233,335566778899AABB
-228060123456002,34000000000000000000000000000000,34112233,345566778899AABB
-228060123456002,35000000000000000000000000000000,35112233,355566778899AABB
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
index e69de29bb..aa6f98076 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
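Review bot: The added `update reply` block copies the whole GSM triplet set, including the Kc and SRES secrets, from the control list onto the reply list, which is the list that is normally encoded into the Access-Accept returned to moon. EAP-Sim-* are server-internal attributes that, to my knowledge, the 2.x encoder never puts on the wire, but this is the legacy (pre-3.0) config path and worth confirming with a capture of the test run; if any EAP-Sim-KC*/SRES* value does reach the NAS, strip them in post-auth with `update reply { EAP-Sim-KC1 !* ANY }` and its siblings. Minor: the users file spells the attributes `EAP-Sim-RAND1` while this block writes `EAP-Sim-Rand1`; matching is case-insensitive so it works, but one spelling across both files would make them easier to grep. The enclosing authorize section continues outside the hunk.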
@@ -0,0 +1,2 @@
+228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+228060123456002 EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
index 6a4da6631..4069be9ce 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
index 9ffd27f1e..f3fdfe6ff 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
@@ -1,10 +1,6 @@
-alice::cat /etc/freeradius/clients.conf
-alice::cat /etc/freeradius/eap.conf
-alice::cat /etc/freeradius/proxy.conf
-alice::cat /etc/freeradius/triplets.dat
 carol::cat /etc/ipsec.d/triplets.dat
 dave::cat /etc/ipsec.d/triplets.dat
-alice::radiusd
+alice::freeradius
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/nat-rw-psk/description.txt b/testing/tests/ikev2/nat-rw-psk/description.txt
index c74897d9a..9bef3cd18 100644
--- a/testing/tests/ikev2/nat-rw-psk/description.txt +++ b/testing/tests/ikev2/nat-rw-psk/description.txt @@ -1,6 +1,7 @@ The roadwarriors alice and venus sitting behind the NAT router moon set up tunnels to gateway sun. UDP encapsulation is used to traverse the NAT router. -Both roadwarriors share the same Pre-Shared Key (PSK) with the gateway sun. +Each roadwarrior shares its own Pre-Shared Key (PSK) with the gateway sun. +

leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the tunnel, the NAT-ed hosts alice and venus ping the client bob behind the gateway sun. diff --git a/testing/tests/ikev2/nat-rw/description.txt b/testing/tests/ikev2/nat-rw/description.txt index dcf4b94bd..58b28bad2 100644 --- a/testing/tests/ikev2/nat-rw/description.txt +++ b/testing/tests/ikev2/nat-rw/description.txt @@ -1,5 +1,7 @@ The roadwarriors alice and venus sitting behind the NAT router moon set up tunnels to gateway sun. UDP encapsulation is used to traverse the NAT router. +Authentication is based on X.509 certificates. +

leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the tunnel, the NAT-ed hosts alice and venus ping the client bob behind the gateway sun. diff --git a/testing/tests/ikev2/net2net-psk/description.txt b/testing/tests/ikev2/net2net-psk/description.txt index 02cddbb83..07320d731 100644 --- a/testing/tests/ikev2/net2net-psk/description.txt +++ b/testing/tests/ikev2/net2net-psk/description.txt @@ -1,6 +1,7 @@ A connection between the subnets behind the gateways moon and sun is set up. -The authentication is based on Preshared Keys (PSK). Upon the successful -establishment of the IPsec tunnel, leftfirewall=yes automatically +The authentication is based on Preshared Keys (PSK). +

+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, client alice behind gateway moon pings client bob located behind gateway sun. diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt b/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt index 6d886024b..893a27230 100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt @@ -1,9 +1,11 @@ -at the outset the gateway authenticates itself to the client by sending an -IKEv2 RSA signature accompanied by a certificate. The roadwarrior carol sets up a connection to gateway moon. -carol uses the Extensible Authentication Protocol -in association with the Authentication and Key Agreement protocol -(EAP-AKA) to authenticate against the gateway. This protocol is used -in UMTS, but here a secret from ipsec.secrets is used instead of a USIM/(R)UIM. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol uses the Authentication and Key Agreement (EAP-AKA) +method of the Extensible Authentication Protocol to authenticate herself. +This EAP method used in UMTS, but here a secret defined in ipsec.secrets +is used instead of a USIM/(R)UIM device. +

In addition to her IKEv2 identity carol@strongswan.org, roadwarrior carol uses the EAP identity carol. diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/description.txt b/testing/tests/ikev2/rw-eap-aka-rsa/description.txt index 1277081b9..da5b72735 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/description.txt +++ b/testing/tests/ikev2/rw-eap-aka-rsa/description.txt @@ -1,7 +1,8 @@ The roadwarrior carol sets up a connection to gateway moon. -carol uses the Extensible Authentication Protocol -in association with the Authentication and Key Agreement protocol -(EAP-AKA) to authenticate against the gateway. This protocol is used -in UMTS, but here a secret from ipsec.secrets is used instead of a USIM/(R)UIM. -Gateway moon additionally uses an RSA signature to authenticate itself -against carol. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol uses the Authentication and Key Agreement (EAP-AKA) +method of the Extensible Authentication Protocol to authenticate herself. +This EAP method used in UMTS, but here a secret defined in ipsec.secrets +is used instead of a USIM/(R)UIM device. \ No newline at end of file diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..623f42904 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,5 @@ +eap { + default_eap_type = md5 + md5 { + } +} diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..1dc69d90d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,58 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + eap { + ok = return + } + files + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} 
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..ba92f0080 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1,4 @@ +carol Cleartext-Password := "Ar3etTnp" + Framed-IP-Address = 10.3.0.1 +dave Cleartext-Password := "W7R0g3do" + Framed-IP-Address = 10.3.0.2 diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat index 670d2e72f..a6619d02b 100644 --- a/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat @@ -1,7 +1,7 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -alice::killall radiusd +alice::killall freeradius moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat index fa2d7eeb9..c98e8ed53 100644 --- a/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -alice::radiusd +alice::freeradius moon::ipsec start carol::ipsec start dave::ipsec start 
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..623f42904 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,5 @@ +eap { + default_eap_type = md5 + md5 { + } +} diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..1dc69d90d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,58 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + eap { + ok = return + } + files + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb 
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..62d459115 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1,4 @@ +carol Cleartext-Password := "Ar3etTnp" + Class = "Research" +dave Cleartext-Password := "W7R0g3do" + Class = "Accounting" diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat index 670d2e72f..a6619d02b 100644 --- a/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat @@ -1,7 +1,7 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -alice::killall radiusd +alice::killall freeradius moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat index 303139615..e63c57e72 100644 --- a/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -alice::radiusd +alice::freeradius moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..623f42904 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,5 @@ +eap { + default_eap_type = md5 + md5 { + } +} 
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..1dc69d90d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,58 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + eap { + ok = return + } + files + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..247b918e3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1 @@ +carol Cleartext-Password := "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat index 181949fb5..4361417fd 100644 
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat @@ -1,5 +1,5 @@ moon::ipsec stop carol::ipsec stop -alice::killall radiusd +alice::killall freeradius moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat index b27673c6d..012323f8f 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat @@ -1,6 +1,6 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -alice::radiusd +alice::freeradius moon::ipsec start carol::ipsec start moon::expect-connection rw-eap diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..623f42904 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,5 @@ +eap { + default_eap_type = md5 + md5 { + } +} diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..2bbe1d730 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default 
@@ -0,0 +1,59 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + suffix + eap { + ok = return + } + files + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..247b918e3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1 @@ +carol Cleartext-Password := "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat index 181949fb5..4361417fd 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat @@ -1,5 +1,5 @@ moon::ipsec stop carol::ipsec stop -alice::killall radiusd +alice::killall freeradius moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat index b27673c6d..012323f8f 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat 
@@ -1,6 +1,6 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -alice::radiusd +alice::freeradius moon::ipsec start carol::ipsec start moon::expect-connection rw-eap diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/description.txt b/testing/tests/ikev2/rw-eap-md5-rsa/description.txt index d376ee5a8..08fd89b65 100644 --- a/testing/tests/ikev2/rw-eap-md5-rsa/description.txt +++ b/testing/tests/ikev2/rw-eap-md5-rsa/description.txt @@ -1,7 +1,7 @@ The roadwarrior carol sets up a connection to gateway moon. -carol uses the Extensible Authentication Protocol -in association with an MD5 challenge and response protocol -(EAP-MD5) to authenticate against the gateway. The user password -is kept in ipsec.secrets on both gateway and client -Gateway moon additionally uses an RSA signature to authenticate itself -against carol. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol uses the MD5 (EAP-MD5) method of the +Extensible Authentication Protocol to authenticate herself. + diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt index 4feadff4c..95afc08b5 100644 --- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt +++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt @@ -1,8 +1,10 @@ The roadwarrior carol sets up a connection to gateway moon. -carol uses the Extensible Authentication Protocol -in association with the Microsoft CHAP version 2 protocol -(EAP-MSCHAPV2) to authenticate against the gateway. This protocol is used -e.g. by the Windows 7 Agile VPN client. -In addition to her IKEv2 identity PH_IP_CAROL, roadwarrior carol -uses the EAP identy carol. Gateway moon additionally uses an RSA signature -to authenticate itself against carol. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol uses the Microsoft CHAP version 2 (EAP-MSCHAPV2) +method of the Extensible Authentication Protocol to authenticate herself. +This EAP method is used e.g. by the Windows 7/8/10 Agile VPN client. +

+In addition to her IKEv2 identity which defaults to her IP address,
+roadwarrior carol uses the EAP identity carol.
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..0ae8befe4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,21 @@
+eap {
+ md5 {
+ }
+ default_eap_type = peap
+
+ tls-config tls-common {
+ private_key_file = ${certdir}/aaaKey.pem
+ certificate_file = ${certdir}/aaaCert.pem
+ ca_file = ${cadir}/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = ${certdir}/dh
+ random_file = ${certdir}/random
+ }
+
+ peap {
+ tls = tls-common
+ default_eap_type = md5
+ use_tunneled_reply = yes
+ virtual_server = "inner-tunnel"
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
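Review bot: The new `tls-config tls-common` block seeds OpenSSL from a static file, `random_file = ${certdir}/random`, and pins no protocol floor, so the PEAP outer tunnel will negotiate whatever TLS versions the host's OpenSSL still enables. Neither matters much for a fixture on an isolated test network, but both are one-line fixes: `random_file = /dev/urandom` as in the stock 3.0 module config, and `tls_min_version = "1.2"` next to `cipher_list` (available in the 3.0 releases that understand the tls-config syntax — confirm against the FreeRADIUS version in the test image). `use_tunneled_reply = yes` is the older mechanism for copying inner-tunnel reply attributes; later 3.0 releases deprecate it in favour of an `update outer.reply` block in the inner-tunnel post-auth section, so expect a startup warning once the image is upgraded.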
@@ -0,0 +1,59 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + suffix + eap { + ok = return + } + files + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..6ce9d6391 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel @@ -0,0 +1,38 @@ +server inner-tunnel { + +authorize { + filter_username + suffix + eap { + ok = return + } + files + expiration + logintime +} + +authenticate { + eap +} + +session { + radutmp +} + +post-auth { + Post-Auth-Type REJECT { + attr_filter.access_reject + update outer.session-state { + &Module-Failure-Message := &request:Module-Failure-Message + } + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} # inner-tunnel server block diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..50ccf3e76 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1,2 @@ +carol Cleartext-Password := "Ar3etTnp" +dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat index 670d2e72f..a6619d02b 100644 
--- a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat @@ -1,7 +1,7 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -alice::killall radiusd +alice::killall freeradius moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat index fa2d7eeb9..c98e8ed53 100644 --- a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -alice::radiusd +alice::freeradius moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt b/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt index 0531a559f..41abb363c 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt @@ -1,13 +1,13 @@ The roadwarrior carol sets up a connection to gateway moon. At the outset the gateway authenticates itself to the client by sending -an IKEv2 RSA signature accompanied by a certificate. -carol then uses the Extensible Authentication Protocol -in association with a GSM Subscriber Identity Module -(EAP-SIM) to authenticate against the gateway moon. -In this scenario triplets from the file /etc/ipsec.d/triplets.dat -are used instead of a physical SIM card on the client carol and -the gateway forwards all EAP messages to the RADIUS server alice +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol uses the GSM Subscriber Identity Module (EAP-SIM) +method of the Extensible Authentication Protocol to authenticate herself. +In this scenario triplets from the file /etc/ipsec.d/triplets.dat are used +instead of a physical SIM card. +

+The gateway forwards all EAP messages to the RADIUS server alice which also uses static triplets. In addition to her IKEv2 identity carol@strongswan.org, roadwarrior carol uses the EAP identity 228060123456001. - diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..7d8023951 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..2057b5193 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,58 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + files + eap { + ok = return + } + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} 
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..1c281a974 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1 @@ +228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files deleted file mode 100644 index 10c26aa15..000000000 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files +++ /dev/null @@ -1,3 +0,0 @@ -sim_files { - simtriplets = "/etc/freeradius/triplets.dat" -} diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default index 893529324..1dc666992 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default 
@@ -1,5 +1,16 @@
 authorize {
- sim_files
+ files
+ update reply {
+ EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+ EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+ EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+ EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+ EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+ EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+ EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}"
+ EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}"
+ EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}"
+ }
 eap {
 ok = return
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat
deleted file mode 100644
index c167ba940..000000000
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
-228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
-228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
index e69de29bb..1c281a974 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
index 181949fb5..4361417fd 100644
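Review bot: The `update reply` block copies the EAP-Sim-Rand*/SRES*/KC* pairs from the control list into the reply list, and whatever is still in the reply list after authentication is what alice sends back to moon in the RADIUS response, so please confirm that the 2.x EAP-SIM module consumes and strips these pairs before the Access-Accept is built; SRES and Kc are keying material that should not reach the NAS. A short comment above the block would also spare the next reader the same question, e.g. `# 2.x rlm_eap_sim reads the triplets from the reply list, so copy them from the check items in users` (adjust if the module also leaves them in place, in which case filter them out in post-auth). The same block is added in the rw-eap-sim-only-radius and rw-eap-sim-radius sites-available/default hunks further down; the 3.0 users files added alongside list the triplets as check items only, so there they stay in the control list.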
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
index 122ee2283..53aa83f0c 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
@@ -1,8 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-alice::cat /etc/freeradius/triplets.dat
 carol::cat /etc/ipsec.d/triplets.dat
-alice::radiusd
+alice::freeradius
 moon::ipsec start
 carol::ipsec start
 moon::expect-connection rw-eap
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt b/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt
index d50175664..26de3c982 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt
@@ -1,14 +1,15 @@
-The roadwarrior carol sets up a connection to gateway moon.
-The gateway moon does not send an AUTH payload thus signalling
+The roadwarriors carol and dave set up a connection to gateway moon.
+At the outset the gateway does not send an AUTH payload thus signalling
 a mutual EAP-only authentication.
-carol then uses the Extensible Authentication Protocol
-in association with a GSM Subscriber Identity Module
-(EAP-SIM) to authenticate against the gateway moon.
-In this scenario, triplets from the file /etc/ipsec.d/triplets.dat
-are used instead of a physical SIM card on the client carol.
+

+Next the clients use the GSM Subscriber Identity Module (EAP-SIM)
+method of the Extensible Authentication Protocol to authenticate themselves.
+In this scenario triplets from the file /etc/ipsec.d/triplets.dat are used
+instead of a physical SIM card.
+

The gateway forwards all EAP messages to the RADIUS server alice
-which also uses a static triplets file.
-

+which also uses static triplets.
+

The roadwarrior dave sends wrong EAP-SIM triplets. As a consequence
-the radius server alice returns an Access-Reject message
-and the gateway moon sends back an EAP_FAILURE.
+the RADIUS server alice returns an Access-Reject message
+and the gateway moon sends back EAP_FAILURE.
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..71fa4f18c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ files
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..a74267d30
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files
deleted file mode 100644
index 10c26aa15..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files
+++ /dev/null
@@ -1,3 +0,0 @@
-sim_files {
- simtriplets = "/etc/freeradius/triplets.dat"
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
index fbdf75f4c..8d68b81fc 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -1,6 +1,17 @@
 authorize {
- sim_files
+ files
 suffix
+ update reply {
+ EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+ EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+ EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+ EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+ EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+ EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+ EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}"
+ EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}"
+ EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}"
+ }
 eap {
 ok = return
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat
deleted file mode 100644
index 3e9a644eb..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
-carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
-carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
-dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB
-dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB
-dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
index e69de29bb..a74267d30 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
index 670d2e72f..a6619d02b 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
index 9614686c2..04b824def 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
@@ -7,10 +7,9 @@ dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-alice::cat /etc/freeradius/triplets.dat
 carol::cat /etc/ipsec.d/triplets.dat
 dave::cat /etc/ipsec.d/triplets.dat
-alice::radiusd
+alice::freeradius
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/description.txt b/testing/tests/ikev2/rw-eap-sim-radius/description.txt
index 6c3c71987..5cb1bacdc 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/description.txt
+++ b/testing/tests/ikev2/rw-eap-sim-radius/description.txt
@@ -1,14 +1,15 @@
-The roadwarrior carol sets up a connection to gateway moon.
-At the outset the gateway authenticates itself to the client by sending
-an IKEv2 RSA signature accompanied by a certificate.
-carol then uses the Extensible Authentication Protocol
-in association with a GSM Subscriber Identity Module
-(EAP-SIM) to authenticate against the gateway moon.
-In this scenario, triplets from the file /etc/ipsec.d/triplets.dat
-are used instead of a physical SIM card on the client carol.
+The roadwarriors carol and dave set up a connection to gateway moon.
+At the outset the gateway authenticates itself to the clients by sending
+an IKEv2 digital signature accompanied by an X.509 certificate.
+

+Next the clients use the GSM Subscriber Identity Module (EAP-SIM)
+method of the Extensible Authentication Protocol to authenticate themselves.
+In this scenario triplets from the file /etc/ipsec.d/triplets.dat are used
+instead of a physical SIM card.
+

The gateway forwards all EAP messages to the RADIUS server alice
-which also uses a static triplets file.
-

+which also uses static triplets.
+

The roadwarrior dave sends wrong EAP-SIM triplets. As a consequence
-the radius server alice returns an Access-Reject message
-and the gateway moon sends back an EAP_FAILURE.
+the RADIUS server alice returns an Access-Reject message
+and the gateway moon sends back EAP_FAILURE.
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..71fa4f18c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ files
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..a74267d30
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/modules/sim_files
deleted file mode 100644
index 10c26aa15..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/modules/sim_files
+++ /dev/null
@@ -1,3 +0,0 @@
-sim_files {
- simtriplets = "/etc/freeradius/triplets.dat"
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
index 91425f812..51b64a74b 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -2,8 +2,19 @@ authorize {
 preprocess
 chap
 mschap
- sim_files
+ files
 suffix
+ update reply {
+ EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+ EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+ EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+ EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+ EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+ EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+ EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}"
+ EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}"
+ EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}"
+ }
 eap {
 ok = return
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat
deleted file mode 100644
index 3e9a644eb..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
-carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
-carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
-dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB
-dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB
-dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
index e69de29bb..a74267d30 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
+dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
index 670d2e72f..a6619d02b 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
index 52d5962f4..e171997bc 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
@@ -1,13 +1,9 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-alice::cat /etc/freeradius/clients.conf
-alice::cat /etc/freeradius/eap.conf
-alice::cat /etc/freeradius/proxy.conf
-alice::cat /etc/freeradius/triplets.dat
 carol::cat /etc/ipsec.d/triplets.dat
 dave::cat /etc/ipsec.d/triplets.dat
-alice::radiusd
+alice::freeradius
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/description.txt b/testing/tests/ikev2/rw-eap-sim-rsa/description.txt
index 686241809..4401e679f 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/description.txt
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/description.txt
@@ -1,7 +1,8 @@
 The roadwarrior carol sets up a connection to gateway moon.
-carol uses the Extensible Authentication Protocol
-in association with a GSM Subscriber Identity Module (EAP-SIM)
-to authenticate against the gateway. In this scenario triplets from the file
-/etc/ipsec.d/triplets.dat are used instead of a physical SIM card.
-Gateway moon additionally uses an RSA signature to authenticate
-itself against carol.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 digital signature accompanied by an X.509 certificate.
+

+Next carol uses the GSM Subscriber Identity Module (EAP-SIM)
+method of the Extensible Authentication Protocol to authenticate herself.
+In this scenario triplets from the file /etc/ipsec.d/triplets.dat are used
+instead of a physical SIM card.
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..e8670dbb7
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,16 @@
+eap {
+ default_eap_type = tls
+
+ tls-config tls-common {
+ private_key_file = ${certdir}/aaaKey.pem
+ certificate_file = ${certdir}/aaaCert.pem
+ ca_file = ${cadir}/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = ${certdir}/dh
+ random_file = ${certdir}/random
+ }
+
+ tls {
+ tls = tls-common
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..060702784
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
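Review bot: `cipher_list = "DEFAULT"` in the tls-common block leaves suite selection to whatever OpenSSL build alice runs, and the carol strongswan.conf hunk on the next line drops the `libtls.suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256` pin, so after this change nothing in the test fixes which TLS suite the EAP-TLS exchange negotiates. If the test is meant to exercise a specific suite, or to catch regressions when library defaults move, keep a pin on at least one side; if relying on defaults is the intent, a comment such as `# suite selection is intentionally left to the OpenSSL defaults on alice` would record that. The `dh_file` and `random_file` entries point at `${certdir}/dh` and `${certdir}/random`, which this change does not add; presumably the alice image provides them, but as far as I recall the tls module fails to initialise when either file is missing, so that is worth confirming.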
@@ -0,0 +1,55 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
index ef5666914..6907b7657 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
@@ -9,7 +9,3 @@ charon {
 }
 }
 }
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
index 181949fb5..4361417fd 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
index b27673c6d..012323f8f 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
@@ -1,6 +1,6 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
 moon::ipsec start
 carol::ipsec start
 moon::expect-connection rw-eap
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt
deleted file mode 100644
index d5f0b267a..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-The roadwarriors carol and dave set up a connection each to gateway moon.
-The strong mutual authentication is based on EAP-TTLS only (without a separate IKEv2
-authentication) with the gateway being authenticated by a server certificate during the
-EAP-TLS tunnel setup (phase1 of EAP-TTLS). This tunnel protects the ensuing weak client
-authentication based on EAP-MD5 (phase2 of EAP-TTLS).
-

-With the setting charon.plugins.eap-ttls.phase2_piggyback = yes the server moon
-initiates phase2 of the EAP-TTLS protocol by piggybacking a tunneled EAP Identity request
-right onto the TLS Finished message. Client carol presents the correct MD5 password
-and succeeds whereas client dave chooses the wrong password and fails.
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat
deleted file mode 100644
index 2285608b8..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat
+++ /dev/null
@@ -1,19 +0,0 @@
-carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
-carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
-dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-moon:: cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 576d2cb99..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
- rightauth=any
- rightsubnet=10.1.0.0/16
- rightsendcert=never
- auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index fa1febe0f..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
- multiple_authentication=no
- syslog {
- daemon {
- tls = 2
- }
- }
-}
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index ba52ec31e..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
- rightauth=any
- rightsubnet=10.1.0.0/16
- rightsendcert=never
- auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index d5631a9f5..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "UgaM65Va"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index fa1febe0f..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
- multiple_authentication=no
- syslog {
- daemon {
- tls = 2
- }
- }
-}
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 738481257..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-eap
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightsendcert=never
- right=%any
- auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 0ff7725ca..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
- multiple_authentication=no
-
- syslog {
- daemon {
- tls = 2
- }
- }
- plugins {
- eap-ttls {
- phase2_method = md5
- phase2_piggyback = yes
- }
- }
-}
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
deleted file mode 100644
index 1865a1c60..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
deleted file mode 100644
index dccf85419..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw-eap
-carol::expect-connection home
-carol::ipsec up home
-dave::expect-connection home
-dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf
deleted file mode 100644
index f29298850..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7450c71c4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,21 @@
+eap {
+ md5 {
+ }
+ default_eap_type = ttls
+
+ tls-config tls-common {
+ private_key_file = ${certdir}/aaaKey.pem
+ certificate_file = ${certdir}/aaaCert.pem
+ ca_file = ${cadir}/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = ${certdir}/dh
+ random_file = ${certdir}/random
+ }
+
+ ttls {
+ tls = tls-common
+ default_eap_type = md5
+ use_tunneled_reply = yes
+ virtual_server = "inner-tunnel"
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
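Review bot: `use_tunneled_reply = yes` in the ttls section is, as far as I recall, on the deprecation path in later FreeRADIUS 3.0.x releases in favour of an explicit `update outer.reply { ... }` in the inner-tunnel virtual server's post-auth section; worth confirming against the server version installed on alice, since a removed option would stop the daemon at startup and the radius tests would fail without an obvious cause. The inner-tunnel site added in the next file already has a post-auth section where that policy could live. `cipher_list = "DEFAULT"` leaves TLS cipher selection entirely to the library default, which is fine for a fixture but deserves a one-line comment saying so, to discourage copying it into a production template.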
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..6ce9d6391
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
@@ -0,0 +1,38 @@
+server inner-tunnel {
+
+authorize {
+ filter_username
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ update outer.session-state {
+ &Module-Failure-Message := &request:Module-Failure-Message
+ }
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+carol Cleartext-Password := "Ar3etTnp"
+dave Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
index 670d2e72f..a6619d02b 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
index fa2d7eeb9..c98e8ed53 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
@@ -1,7 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-alice::radiusd
+alice::freeradius
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..dafe7f052
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,64 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+listen {
+ type = acct
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-radius-accounting/posttest.dat b/testing/tests/ikev2/rw-radius-accounting/posttest.dat
index 98f7a6954..66416eb28 100644
--- a/testing/tests/ikev2/rw-radius-accounting/posttest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/posttest.dat
@@ -1,6 +1,6 @@
 carol::ipsec stop
 moon::ipsec stop
-alice::killall radiusd
+alice::killall freeradius
 alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*
 carol::iptables-restore < /etc/iptables.flush
 moon::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-radius-accounting/pretest.dat b/testing/tests/ikev2/rw-radius-accounting/pretest.dat
index 7ec7c1226..d3c345200 100644
--- a/testing/tests/ikev2/rw-radius-accounting/pretest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/pretest.dat
@@ -1,7 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 alice::rm /var/log/freeradius/radacct/PH_IP_MOON1/*
-alice::radiusd
+alice::freeradius
 moon::ipsec start
 carol::ipsec start
 moon::expect-connection rw-eap
diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat
index 186ce4e06..c792f3a7e 100644
--- a/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.
 sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
 sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat
index 186ce4e06..c792f3a7e 100644
--- a/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat
@@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.
 sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
 sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat
index 4cf23a31b..d2db56eb8 100644
--- a/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat
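Review bot: The expected-output pattern on the `+moon::ping6` line now has an unanchored `.*` between the hostname and `: icmp_seq=1`, so any text at all — including another host's address — satisfies the check; presumably this is to accept newer ping output that appends the resolved address in parentheses after the name. If the harness evaluates these as extended regular expressions, an optional group such as `ip6-sun.strongswan.org( \([^)]*\))?: icmp_seq=1` would accept both output formats while keeping the assertion tied to the intended peer. The same `.*` edit recurs in every other evaltest.dat hunk of this series (host2host-ikev2 in this same hunk group, the net2net, rw, rw-psk and transport variants that follow, and the ipv6/ tests after them), so one decision covers all of them.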
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
 sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat
index 4cf23a31b..d2db56eb8 100644
--- a/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
 sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat
index 803cf5ef5..5fef8bbb1 100644
--- a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
 sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat
index 803cf5ef5..5fef8bbb1 100644
--- a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat
@@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun
 sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat
index 0e125b70e..c3bbe341f 100644
--- a/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
 moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat
index 0e125b70e..c3bbe341f 100644
--- a/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
 moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat
index f6dc9aa3e..5178076a3 100644
--- a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
 moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat
index f6dc9aa3e..5178076a3 100644
--- a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
 moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat
index 16982a736..52e4bf623 100644
--- a/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
 moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat
index 16982a736..52e4bf623 100644
--- a/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat
@@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES
 moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat
index 5ae9d2c12..7a6fc302e 100644
--- a/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat
+++ b/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat
@@ -4,6 +4,6 @@ moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
 sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
 moon::ip xfrm state::mode transport::YES
 sun:: ip xfrm state::mode transport::YES
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat
index 0dfba54ea..6e6de5e96 100644
--- a/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat
+++ b/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat
@@ -5,6 +5,6 @@ sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
 moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES
 moon::ip xfrm state::mode transport::YES
 sun:: ip xfrm state::mode transport::YES
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/host2host-ikev1/evaltest.dat b/testing/tests/ipv6/host2host-ikev1/evaltest.dat
index ef6ec2b98..b7b92d020 100644
--- a/testing/tests/ipv6/host2host-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/host2host-ikev1/evaltest.dat
@@ -1,4 +1,4 @@
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
 moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES
 sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/host2host-ikev2/evaltest.dat b/testing/tests/ipv6/host2host-ikev2/evaltest.dat
index 23add7ae5..f3068ce8b 100644
--- a/testing/tests/ipv6/host2host-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/host2host-ikev2/evaltest.dat
@@ -1,4 +1,4 @@
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
 moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES
 sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ikev1/evaltest.dat
index 877459c88..bbf6c2ea3 100644
--- a/testing/tests/ipv6/net2net-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ikev1/evaltest.dat
@@ -1,4 +1,4 @@
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
 moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES
 sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ikev2/evaltest.dat
index a3e2bad94..97e0de01c 100644
--- a/testing/tests/ipv6/net2net-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ikev2/evaltest.dat
@@ -1,4 +1,4 @@
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
 moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES
 sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat
index 591e2da59..f85d6127f 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat
@@ -1,4 +1,4 @@
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
 moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES
 sun::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat
index 2ee553a61..b776ea938 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat
@@ -1,4 +1,4 @@ -alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES sun::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat index 72dade743..21569bdaa 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat 
@@ -1,6 +1,6 @@
 moon:: cat /var/log/daemon.log::TS fec2:\:/16 is contained in address block constraint fec2:\:/16::YES
 sun:: cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
-alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
 moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES
 sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/rw-ikev1/evaltest.dat b/testing/tests/ipv6/rw-ikev1/evaltest.dat
index 1202a99d2..a199765a0 100644
--- a/testing/tests/ipv6/rw-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/rw-ikev1/evaltest.dat
@@ -1,5 +1,5 @@ -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:10 local-port=500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:20 local-port=500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] 
remote-ts=\[fec0:\:10/128]::YES diff --git a/testing/tests/ipv6/rw-ikev2/evaltest.dat b/testing/tests/ipv6/rw-ikev2/evaltest.dat index d5d5a6b1c..aa450e296 100644 --- a/testing/tests/ipv6/rw-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-ikev2/evaltest.dat 
@@ -1,5 +1,5 @@ -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES 
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat index 026235171..394521b25 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat 
@@ -1,5 +1,5 @@ -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:1] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec3:\:1/128] remote-ts=\[fec1:\:/16]::YES dave::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16]::YES moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL 
protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128]::YES diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat index dd120f524..f4c8851c0 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat 
@@ -1,5 +1,5 @@ -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:1] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec3:\:1/128] remote-ts=\[fec1:\:/16]::YES dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16]::YES moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 
integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128]::YES diff --git a/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat b/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat index e92aa028d..5009bf41f 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat +++ b/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat 
@@ -1,6 +1,6 @@ -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:10 local-port=500 local-id=fec0:\:10 remote-host=fec0:\:1 remote-port=500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:20 local-port=500 local-id=fec0:\:20 remote-host=fec0:\:1 remote-port=500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=fec0:\:1 remote-host=fec0:\:10 remote-port=500 remote-id=fec0:\:10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES 
diff --git a/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat b/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat index ce79801ec..b748003e8 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat 
@@ -1,5 +1,5 @@ -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=fec0:\:10 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=fec0:\:20 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=fec0:\:1 remote-host=fec0:\:10 remote-port=4500 remote-id=fec0:\:10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES 
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat index 082416d60..9016ba473 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat 
@@ -2,8 +2,8 @@ moon:: cat /var/log/daemon.log::TS fec0:\:10/128 is contained in address block c moon:: cat /var/log/daemon.log::TS fec0:\:20/128 is contained in address block constraint fec0:\:20/128::YES carol::cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES dave:: cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org 
remote-host=fec0:\:10 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES diff --git a/testing/tests/ipv6/transport-ikev1/evaltest.dat b/testing/tests/ipv6/transport-ikev1/evaltest.dat index 736425d36..659ca42ab 100644 --- a/testing/tests/ipv6/transport-ikev1/evaltest.dat +++ b/testing/tests/ipv6/transport-ikev1/evaltest.dat 
@@ -1,6 +1,6 @@
 moon::ip xfrm state::mode transport::YES
 sun:: ip xfrm state::mode transport::YES
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
 moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES
 sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/transport-ikev2/evaltest.dat b/testing/tests/ipv6/transport-ikev2/evaltest.dat
index 48ddcd069..a754598f9 100644
--- a/testing/tests/ipv6/transport-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/transport-ikev2/evaltest.dat
@@ -1,6 +1,6 @@
 moon::ip xfrm state::mode transport::YES
 sun:: ip xfrm state::mode transport::YES
-moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES
 moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES
 sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
diff --git a/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat b/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat
index e9a30b9ac..cdb8ead3c 100644
--- a/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat
+++ b/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat
@@ -1,4 +1,4 @@
-alice::ping6 -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef ip6-bob.strongswan.org::8192 bytes from ip6-bob.strongswan.org: icmp_seq=3::YES
+alice::ping6 -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef ip6-bob.strongswan.org::8192 bytes from ip6-bob.strongswan.org.*: icmp_seq=3::YES
 moon ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec1::/16\[ipv6-icmp]] remote-ts=\[fec2::/16\[ipv6-icmp]]::YES
 sun ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec2::/16\[ipv6-icmp]] remote-ts=\[fec1::/16\[ipv6-icmp]]::YES
 sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
diff --git a/testing/tests/openssl-ikev1/alg-camellia/description.txt b/testing/tests/openssl-ikev1/alg-camellia/description.txt
index b3515c333..4b8eeb87e 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/description.txt
+++ b/testing/tests/openssl-ikev1/alg-camellia/description.txt
@@ -1,4 +1,3 @@
-Roadwarrior carol proposes to gateway moon the IKE cipher suite CAMELLIA_CBC_256 /
-HMAC_SHA2_512_256 / MODP_2048 by defining ike=camellia256-sha256-modp2048 as well as
-the ESP cipher suite CAMELLIA_CBC_192 / HMAC_SHA1_96 by defining esp=camellia192-sha1
-in ipsec.conf. A ping from carol to alice successfully checks the established tunnel.
+Roadwarrior carol proposes to gateway moon the IKE cipher suite
+camellia256-sha512-modp3072 as well as the ESP cipher suite camellia192-sha384.
+A ping from carol to alice successfully checks the established tunnel.
diff --git a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
index 937860593..68edc54b7 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
@@ -1,10 +1,6 @@
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
-carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon:: ip xfrm state::enc cbc(camellia)::YES
 carol::ip xfrm state::enc cbc(camellia)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 4628311d4..000000000
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=camellia256-sha512-modp3072!
- esp=camellia192-sha384!
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
index 976544b24..a322670f4 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..bdde28391
--- /dev/null
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = camellia192-sha384 + } + } + version = 1 + proposals = camellia256-sha512-modp3072 + } +} diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf deleted file mode 100644 index da1fbf06b..000000000 --- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=camellia256-sha512-modp3072! - esp=camellia192-sha384! - -conn rw - left=PH_IP_MOON - leftfirewall=yes - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf index 976544b24..a322670f4 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } 
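Review bot: The new swanctl.conf is recorded with `new file mode 100755`; a file that charon/swanctl only reads has no reason to carry the executable bit, and since swanctl.conf is the file that holds `secrets` sections in real deployments, the test tree should model 0644 (or 0600) permissions rather than teach users an executable config. The other swanctl.conf files introduced by this commit carry the same mode. Clearing it in the commit (`git update-index --chmod=-x testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf`) so the header reads `new file mode 100644` is enough; the content itself is fine.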
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..116e06c26 --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = camellia192-sha384 + } + } + version = 1 + proposals = camellia256-sha512-modp3072 + } +} diff --git a/testing/tests/openssl-ikev1/alg-camellia/posttest.dat b/testing/tests/openssl-ikev1/alg-camellia/posttest.dat index 046d4cfdc..2b00bea8e 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/posttest.dat +++ b/testing/tests/openssl-ikev1/alg-camellia/posttest.dat @@ -1,4 +1,5 @@ -moon::ipsec stop -carol::ipsec stop +carol::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat index e34f70277..ae2c30429 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat +++ b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -moon::expect-connection rw +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection net carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null 
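Review bot: `moon::expect-connection net` in the new pretest waits on the child name, whereas the alg-ecp-high and alg-ecp-low pretests added by this same commit wait on the connection name with `moon::expect-connection rw`; moon's swanctl.conf here defines connection `rw` with child `net`, so the three tests key on different objects. If expect-connection matches only top-level connection names in `swanctl --list-conns` output this line would time out before the test starts; if it matches any name it still deserves to be consistent, `moon::expect-connection rw`. Separately, this posttest terminates `home` before stopping the service while the ecp posttests stop directly; harmless, but worth aligning so the teardown path under test is the same across the suite.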
diff --git a/testing/tests/openssl-ikev1/alg-camellia/test.conf b/testing/tests/openssl-ikev1/alg-camellia/test.conf index 4a5fc470f..307c7e9cc 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/test.conf +++ b/testing/tests/openssl-ikev1/alg-camellia/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/description.txt b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt index a1f31495d..773e43a35 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/description.txt +++ b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt @@ -1,17 +1,17 @@ The roadwarrior carol and the gateway moon use the openssl plugin based on the OpenSSL library for all cryptographical and X.509 certificate functions whereas roadwarrior dave uses the default strongSwan -cryptographical plugins aes des sha1 sha2 md5 gmp x509 plus the openssl +cryptographical plugins aes sha1 sha2 hmac gmp x509 plus the openssl plugin for the Elliptic Curve Diffie-Hellman groups only.

-The roadwarriors carol and dave set up a connection each +The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. carol proposes the DH groups ECP_256 and ECP_384 whereas dave proposes ECP_256 and ECP_521. Since moon does not support ECP_256 the roadwarriors fall back to ECP_384 and ECP_521, respectively.

-Upon the successful establishment of the IPsec tunnels, leftfirewall=yes -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +Upon the successful establishment of the IPsec tunnels, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon. diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat index 553c79451..2cc3382df 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat +++ b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat 
@@ -1,15 +1,9 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES -carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES -dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_521.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] 
remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_521.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 2ed83f06a..000000000 --- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=aes128-sha256-ecp256,aes192-sha384-ecp384! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add 
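Review bot: The moon expectations select SAs with `--ike-id 1`/`--ike-id 2` and additionally pin `reqid=1`/`reqid=2` to carol and dave, which only holds because pretest.dat initiates carol before dave and nothing consumed an IKE_SA id or reqid earlier; the removed `rw[1]`/`rw[2]` lines had the same ordering dependency, but the new `reqid=` match adds a second counter that has to line up with it. Since the regex already identifies the SA via `remote-id=carol@strongswan.org`/`dave@strongswan.org`, the `reqid=N` term adds fragility without adding coverage; either drop it or record the assumption in pretest.dat, e.g. `# carol must initiate before dave: evaltest keys on ike-id/reqid 1 and 2`. The ESP expectation of `AES_GCM_16` next to an `AES_CBC` IKE line is consistent with the esp_proposals in this test's swanctl.conf files.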
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..3ed559068 --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256,aes192gcm16-ecp384 + } + } + version = 1 + proposals = aes128-sha256-ecp256,aes192-sha384-ecp384 + } +} diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 105ec3ce4..000000000 --- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf +++ /dev/null 
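Review bot: The `esp_proposals = aes128gcm16-ecp256,aes192gcm16-ecp384` line is not a pure ipsec.conf-to-swanctl migration: the deleted ipsec.conf had no `esp=` entry at all, so this test now also exercises AES-GCM ESP with quick-mode PFS, and the updated description.txt in this commit still only talks about the IKE DH-group fallback. Add a sentence to description.txt such as "The CHILD_SAs use AES-GCM-16 with PFS over the same ECP groups, so the openssl plugin also provides the AEAD ciphers." so the coverage change is documented. The connection and child definitions themselves look correct and match the carol lines in evaltest.dat.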
@@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=aes128-sha256-ecp256,aes256-sha512-ecp521! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf index fde691e96..5b59e8d55 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..b5a2be9e8 --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256,aes256gcm16-ecp521 + } + } + version = 1 + proposals = aes128-sha256-ecp256,aes256-sha512-ecp521 + } +} 
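Review bot: dave's `esp_proposals = aes128gcm16-ecp256,aes256gcm16-ecp521` require an AES-GCM implementation, but dave's strongswan.conf in this hunk loads `random nonce aes sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici …` with no `gcm` plugin, so the `encr-alg=AES_GCM_16` that evaltest.dat expects for dave can only be supplied by the openssl plugin. That contradicts the description.txt updated in this same commit, which still states dave uses openssl "for the Elliptic Curve Diffie-Hellman groups only". Either add `gcm` to dave's load line to preserve the stated native-vs-openssl split, or amend the description; the alg-ecp-low dave config has the same combination (`aes128gcm16-ecp256` with no `gcm` plugin loaded).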
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 0a312b394..000000000 --- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=aes192-sha384-ecp384,aes256-sha512-ecp521! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..7c5b3080d --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf 
@@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes192gcm16-ecp384,aes256gcm16-ecp521 + } + } + version = 1 + proposals = aes192-sha384-ecp384,aes256-sha512-ecp521 + } +} diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat index 1865a1c60..199873ba1 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat +++ b/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat index e87a8ee47..dd1a17ccb 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat +++ b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat @@ -1,11 +1,11 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null 
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/test.conf b/testing/tests/openssl-ikev1/alg-ecp-high/test.conf index f29298850..1227b9d1c 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/test.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-high/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/description.txt b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt index 84b6eb4bf..c365455d0 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/description.txt +++ b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt @@ -1,17 +1,17 @@ The roadwarrior carol and the gateway moon use the openssl -plugin based on the OpenSSL library for all cryptographical and X.509 +plugin based on the OpenSSL library for all cryptographical and X.509 certificate functions whereas roadwarrior dave uses the default strongSwan -cryptographical plugins aes des sha1 sha2 md5 gmp x509 plus the openssl +cryptographical plugins aes des sha1 sha2 hmac gmp x509 plus the openssl plugin for the Elliptic Curve Diffie-Hellman groups only.

-The roadwarriors carol and dave set up a connection each +The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. carol proposes the DH groups ECP_192 and ECP_224 whereas dave proposes ECP_192 and ECP_256. Since moon does not support ECP_192 the roadwarriors fall back to ECP_224 and ECP_256, respectively.

-Upon the successful establishment of the IPsec tunnels, leftfirewall=yes -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +Upon the successful establishment of the IPsec tunnels, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon. diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat index 327d63bf8..183f5e97f 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat +++ b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat 
@@ -1,17 +1,10 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES -carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES -dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] 
remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES - diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 6fe17a9ee..000000000 --- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf +++ /dev/null 
@@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=aes192-sha384-ecp192,3des-sha256-ecp224! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..013e6b1bc --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = 3des-sha1-ecp192,3des-sha256-ecp224 + } + } + version = 1 + proposals = 3des-sha1-ecp192,3des-sha256-ecp224 + } +} 
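Review bot: carol's first IKE and ESP proposal is now `3des-sha1-ecp192`, whereas the ipsec.conf deleted in this hunk offered `aes192-sha384-ecp192` for the ECP_192 slot; the test still passes only because moon has no ECP_192 proposal and negotiation falls through to `3des-sha256-ecp224`, so the introduction of SHA-1 is invisible in evaltest.dat (carol ends on HMAC_SHA2_256_128). If the SHA-1 entry is deliberate, say so in the file, e.g. `# ECP_192 entry is never accepted by moon; it exists only to exercise the fallback`; otherwise keep `aes192-sha384-ecp192` so an ECP_192-capable moon in the future does not silently land the tunnel on 3DES/SHA-1. dave's config in this test carries the same `3des-sha1-ecp192` first entry and deserves the same treatment.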
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf deleted file mode 100644 index ade897727..000000000 --- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=aes192-sha384-ecp192,aes128-sha256-ecp256! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf index fde691e96..6c9cf718d 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..4f5c016c2 --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf 
@@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = 3des-sha1-ecp192,aes128gcm16-ecp256 + } + } + version = 1 + proposals = 3des-sha1-ecp192,aes128-sha256-ecp256 + } +} diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 3992b52fb..000000000 --- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=3des-sha256-ecp224,aes128-sha256-ecp256! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..417ad0508 
--- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = 3des-sha256-ecp224,aes128gcm16-ecp256 + } + } + version = 1 + proposals = 3des-sha256-ecp224,aes128-sha256-ecp256 + } +} diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat index 1865a1c60..199873ba1 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat +++ b/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat index e87a8ee47..dd1a17ccb 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat +++ b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat @@ -1,11 +1,11 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null 
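Review bot: moon's swanctl.conf is added with `new file mode 100755`, like the other swanctl.conf files in this commit; a gateway configuration file that is only read by charon/swanctl should not be executable, particularly since this is the file that carries `secrets` in production and the test tree is what users copy from. Recording it as `new file mode 100644` (`git update-index --chmod=-x` on the path) fixes the header without touching the content. The `remote { auth = pubkey }` block without an `id` is the usual roadwarrior form and matches the `rw` connections in the sibling tests.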
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/test.conf b/testing/tests/openssl-ikev1/alg-ecp-low/test.conf index f29298850..1227b9d1c 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/test.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-low/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/description.txt b/testing/tests/openssl-ikev1/ecdsa-certs/description.txt index 4f855eb1a..3bbcdfa32 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/description.txt +++ b/testing/tests/openssl-ikev1/ecdsa-certs/description.txt @@ -1,11 +1,12 @@ The hosts carol, dave, and moon use the openssl plugin based on the OpenSSL library for all cryptographical and X.509 certificate functions.

-The roadwarriors carol and dave set up a connection each +The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on ECDSA signatures using Elliptic Curve certificates. -Upon the successful establishment of the IPsec tunnels, leftfirewall=yes -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +

+Upon the successful establishment of the IPsec tunnels, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon. diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat index 9a8516dad..2127b2bf4 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat +++ b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat @@ -1,11 +1,3 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES moon:: cat /var/log/daemon.log::looking for ECDSA-256 signature peer configs matching.*carol@strongswan.org::YES moon:: cat /var/log/daemon.log::looking for ECDSA-384 signature peer configs matching.*dave@strongswan.org::YES moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_NULL successful::YES 
@@ -14,6 +6,10 @@ carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECD
 dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_NULL successful::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org 
remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 1527867c7..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-ecp256!
- esp=aes128gcm16!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
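Review bot: The two moon expectations select SAs by `--ike-id 1` / `--ike-id 2` and additionally pin `reqid=1` / `reqid=2` to carol and dave respectively, which appears to hold only because pretest.dat initiates carol's tunnel before dave's on a freshly started daemon; the removed `ipsec status` lines matched on peer identity, so the new lines are stricter about ordering than what the test is meant to verify. If the initiation order is an intended precondition, it should be stated where the order is set, for example a comment in pretest.dat such as `# carol must initiate first: evaltest.dat pins carol to IKE_SA 1 and dave to IKE_SA 2` (if the .dat format tolerates comments, otherwise in description.txt). The same ordering dependency is present in the alg-ecp-low evaltest.dat changes elsewhere in this commit if they follow the same template; I have only verified it here.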
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
deleted file mode 100644
index 646f6e8e3..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC8TCCAlKgAwIBAgIBEDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMTEyMVoXDTIzMDYxMTEyMTEyMVowXzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDI1NiBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
-zj0CAQYIKoZIzj0DAQcDQgAE3WHJOZfpI6KZX6zlKRtCvY0VwHW/K8SWjDCuoq+C
-Vb7NnQ0Lpfb22Cihwjf0/ne78AcYGapZdt8/tdxlpQm+9qOCARQwggEQMAkGA1Ud
-EwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSpGHTyNt5Tfshldm2Oz0MlnHZ+
-aTB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9u
-Z1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB8GA1UdEQQYMBaBFGNhcm9sQHN0
-cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25n
-c3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIA
-7r9urYVPXwOUBU120HDb/0Z+ezMm8vFtGsrJPME9JdW7bdkb1IpWpSobn3Ua94Gm
-q7PtKPYbOoF6m4aAIhouWkwCQgChGMvdnRhLQiItMGybWY5mLOYemM9U3CjNLRSE
-gDIPWr67i05MwdofcT2hYPSFHAyeI7OfJikHrAfDcTok6kPA3A==
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
deleted file mode 100644
index c277ba4f6..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,E62D0EE78FCCAD3B03EA4F93FEFD057C
-
-CppPKxfVWWaXK3iuFa27YOe/0lWsvzhYKShyq9XanpjuCkcmxKD97eAH1TKokasH
-7ffgnKzbLloxJN6g0GMTPpfiRndeK36DyTwktkyt+h+LU1xooSmNnsaM41P0GaPB
-71Y87B5E5DCmWQO0icQKbQPj66GNwxBh9S6a8OaxnkU=
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 4e53ef91a..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem
new file mode 100644
index 000000000..c277ba4f6
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem
@@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,E62D0EE78FCCAD3B03EA4F93FEFD057C
+
+CppPKxfVWWaXK3iuFa27YOe/0lWsvzhYKShyq9XanpjuCkcmxKD97eAH1TKokasH
+7ffgnKzbLloxJN6g0GMTPpfiRndeK36DyTwktkyt+h+LU1xooSmNnsaM41P0GaPB
+71Y87B5E5DCmWQO0icQKbQPj66GNwxBh9S6a8OaxnkU=
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..abf46a755
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256
+ }
+ }
+ version = 1
+ proposals = aes128-sha256-ecp256
+ }
+}
+
+secrets {
+
+ ecdsa-carol {
+ file = carolKey.pem
+ secret = "nH5ZQEWtku0RJEZ6"
+ }
+}
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem
new file mode 100644
index 000000000..646f6e8e3
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem
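Review bot: This swanctl.conf is added with `new file mode 100755` (file header at the end of the preceding line) although it is a plain configuration file, and this copy also carries the key passphrase in its `secrets` section; the other configuration files in the change, such as strongswan.conf, are `100644`, so the executable bit looks accidental and `100644` would be the consistent mode for a file holding a secret. The passphrase itself is not new exposure, since it was already present in the removed ipsec.secrets. The same `100755` mode is used for dave's and moon's swanctl.conf further down in this commit.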
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8TCCAlKgAwIBAgIBEDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTE4MDYxMzEyMTEyMVoXDTIzMDYxMTEyMTEyMVowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAE3WHJOZfpI6KZX6zlKRtCvY0VwHW/K8SWjDCuoq+C
+Vb7NnQ0Lpfb22Cihwjf0/ne78AcYGapZdt8/tdxlpQm+9qOCARQwggEQMAkGA1Ud
+EwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSpGHTyNt5Tfshldm2Oz0MlnHZ+
+aTB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9u
+Z1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB8GA1UdEQQYMBaBFGNhcm9sQHN0
+cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25n
+c3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIA
+7r9urYVPXwOUBU120HDb/0Z+ezMm8vFtGsrJPME9JdW7bdkb1IpWpSobn3Ua94Gm
+q7PtKPYbOoF6m4aAIhouWkwCQgChGMvdnRhLQiItMGybWY5mLOYemM9U3CjNLRSE
+gDIPWr67i05MwdofcT2hYPSFHAyeI7OfJikHrAfDcTok6kPA3A==
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 000000000..a1a86a222
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
+AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
+d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
+MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
+AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
+AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
+J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
+TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
+EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
+uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
+J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
+YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
+ihgk0RArH39otlUFPSbSE9bicCDy
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index ed9410c04..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-ecp256!
- esp=aes128gcm16!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
deleted file mode 100644
index 35b3df49a..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDDDCCAm2gAwIBAgIBDzAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMTAzMVoXDTIzMDYxMTEyMTAzMVowXjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDM4NCBiaXQxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
-PQIBBgUrgQQAIgNiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0ocoAfYUe/8KzxU5
-7Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3BQu8lofvwQQxQ
-rWnu3qzwqEfwb0iB2WyjggETMIIBDzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAd
-BgNVHQ4EFgQUDCdvv80iOq2pGsjrnNiQFP2RjnsweAYDVR0jBHEwb4AUul35cbYT
-tWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
-eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2
-onV+Iu+miTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1
-MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l
-Yy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIBMxGGwujqlwf+JFNXW/sbxZmynwzq
-duPikzCw0wIq+YhFYJVi2YWDz0Ikfn4WUvoiUIC/uSBAJAw/3E3SHO5I4Y8CQgF2
-d6Ct2ocQwMcz5O00i3BsuOjiHvL3VB3GGG8rfIXAqwUAy4jXQo0bMh2yD+5WwKmP
-GnRyvRuhwRkbBIGt6l1mbA==
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
deleted file mode 100644
index 40a76935e..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDBz89+bQmsMHvfaCsI0N1bInZ+oxA9JZHZrAAkHGHaWFUQZFXBMB88n
-2+6S2JvUbcygBwYFK4EEACKhZANiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0oco
-AfYUe/8KzxU57Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3B
-Qu8lofvwQQxQrWnu3qzwqEfwb0iB2Ww=
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index ebd3a2839..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem
new file mode 100644
index 000000000..40a76935e
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDBz89+bQmsMHvfaCsI0N1bInZ+oxA9JZHZrAAkHGHaWFUQZFXBMB88n
+2+6S2JvUbcygBwYFK4EEACKhZANiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0oco
+AfYUe/8KzxU57Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3B
+Qu8lofvwQQxQrWnu3qzwqEfwb0iB2Ww=
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..3981ac2ea
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm16-ecp384
+ }
+ }
+ version = 1
+ proposals = aes256-sha384-ecp384
+ }
+}
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem
new file mode 100644
index 000000000..35b3df49a
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDDCCAm2gAwIBAgIBDzAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTE4MDYxMzEyMTAzMVoXDTIzMDYxMTEyMTAzMVowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0ocoAfYUe/8KzxU5
+7Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3BQu8lofvwQQxQ
+rWnu3qzwqEfwb0iB2WyjggETMIIBDzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAd
+BgNVHQ4EFgQUDCdvv80iOq2pGsjrnNiQFP2RjnsweAYDVR0jBHEwb4AUul35cbYT
+tWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
+eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2
+onV+Iu+miTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1
+MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l
+Yy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIBMxGGwujqlwf+JFNXW/sbxZmynwzq
+duPikzCw0wIq+YhFYJVi2YWDz0Ikfn4WUvoiUIC/uSBAJAw/3E3SHO5I4Y8CQgF2
+d6Ct2ocQwMcz5O00i3BsuOjiHvL3VB3GGG8rfIXAqwUAy4jXQo0bMh2yD+5WwKmP
+GnRyvRuhwRkbBIGt6l1mbA==
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 000000000..a1a86a222
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
+AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
+d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
+MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
+AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
+AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
+J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
+TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
+EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
+uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
+J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
+YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
+ihgk0RArH39otlUFPSbSE9bicCDy
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 359029d02..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-ecp256!
- esp=aes128gcm16!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
deleted file mode 100644
index a4962286e..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDMTCCApOgAwIBAgIBDjAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMDQ0M1oXDTIzMDYxMTEyMDQ0M1owXjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDUyMSBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwgZswEAYHKoZI
-zj0CAQYFK4EEACMDgYYABADF8xmbPu/a05BVtNnZflimozXZgYi+Md7hKREzL7qr
-dvtRwbyvki3XNo7zzc1HF/FcYyLJ7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcx
-JTF74PtzYGKaMWCP+YN52u3tGaOdlvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPu
-M2HRBKOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRl
-8cuEZmUGoBIWQeXSYzWq/7ou4jB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB
-7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB4G
-A1UdEQQXMBWCE21vb24uc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYr
-aHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAKBggq
-hkjOPQQDAgOBiwAwgYcCQgDtARCWbIy+tdsD9EYw/oTxfrnsWP0fw1/3UKXjSAlT
-tZfJfE743Y7Zl2vqmRIeohQBYY09reTOFnUfYx/jONsTUQJBSB7w+z/CcTCQGIV8
-ISaaeAskxcg/+h87ha+5ZOkHoJDeJTqaatHu3dVx8OepEiQS0TSB9FNxj9g/9bYN
-Vjo6NkA=
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
deleted file mode 100644
index 24f07b5d7..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIAtiNgtSnZ9gKIXkKvb8f1J+ubRkBssvOaHYjv7RMvVOqw5kQGb11B
-qXHVf2Qt25/1DccijDu27YQJQLVTY0k5elSgBwYFK4EEACOhgYkDgYYABADF8xmb
-Pu/a05BVtNnZflimozXZgYi+Md7hKREzL7qrdvtRwbyvki3XNo7zzc1HF/FcYyLJ
-7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcxJTF74PtzYGKaMWCP+YN52u3tGaOd
-lvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPuM2HRBA==
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ef3eccb5..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem
new file mode 100644
index 000000000..24f07b5d7
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem
@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIAtiNgtSnZ9gKIXkKvb8f1J+ubRkBssvOaHYjv7RMvVOqw5kQGb11B
+qXHVf2Qt25/1DccijDu27YQJQLVTY0k5elSgBwYFK4EEACOhgYkDgYYABADF8xmb
+Pu/a05BVtNnZflimozXZgYi+Md7hKREzL7qrdvtRwbyvki3XNo7zzc1HF/FcYyLJ
+7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcxJTF74PtzYGKaMWCP+YN52u3tGaOd
+lvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPuM2HRBA==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..1ddf9621e
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm16-aes128gcm16-ecp384-ecp256
+ }
+ }
+ version = 1
+ proposals = aes256-aes128-sha384-sha256-ecp384-ecp256
+ }
+}
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem
new file mode 100644
index 000000000..a4962286e
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem
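Review bot: The gateway's `remote { auth = pubkey }` block carries no `id`, so the `rw` connection places no identity constraint on the peer beyond a valid certificate chain to the CA installed under `swanctl/x509ca/`; that is the same behaviour as the removed `right=%any`, and it is what a roadwarrior test needs, but the new file says nothing about it, and an unconstrained pubkey `remote` is the kind of line that gets copied into non-test configurations. A one-line comment above the block would record the intent, e.g. `# no remote id: any peer certified by the test CA may connect (roadwarrior gateway)`. The widened proposal lists (`aes256-aes128-sha384-sha256-ecp384-ecp256` and the matching `esp_proposals`) are needed so that both carol's and dave's single-suite proposals match; a short comment saying so would help the next person who trims them.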
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMTCCApOgAwIBAgIBDjAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTE4MDYxMzEyMDQ0M1oXDTIzMDYxMTEyMDQ0M1owXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDUyMSBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwgZswEAYHKoZI
+zj0CAQYFK4EEACMDgYYABADF8xmbPu/a05BVtNnZflimozXZgYi+Md7hKREzL7qr
+dvtRwbyvki3XNo7zzc1HF/FcYyLJ7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcx
+JTF74PtzYGKaMWCP+YN52u3tGaOdlvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPu
+M2HRBKOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRl
+8cuEZmUGoBIWQeXSYzWq/7ou4jB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB
+7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB4G
+A1UdEQQXMBWCE21vb24uc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYr
+aHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAKBggq
+hkjOPQQDAgOBiwAwgYcCQgDtARCWbIy+tdsD9EYw/oTxfrnsWP0fw1/3UKXjSAlT
+tZfJfE743Y7Zl2vqmRIeohQBYY09reTOFnUfYx/jONsTUQJBSB7w+z/CcTCQGIV8
+ISaaeAskxcg/+h87ha+5ZOkHoJDeJTqaatHu3dVx8OepEiQS0TSB9FNxj9g/9bYN
+Vjo6NkA=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 000000000..a1a86a222
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
+AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
+d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
+MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
+AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
+AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
+J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
+TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
+EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
+uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
+J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
+YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
+ihgk0RArH39otlUFPSbSE9bicCDy
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
index 1865a1c60..3d10c0f1f 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
@@ -1,6 +1,11 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+carol::rm /etc/swanctl/ecdsa/carolKey.pem
+dave::rm /etc/swanctl/ecdsa/daveKey.pem
+moon::rm /etc/swanctl/ecdsa/moonKey.pem
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
index e87a8ee47..c86fdede5 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
@@ -1,11 +1,14 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +carol::rm /etc/swanctl/rsa/carolKey.pem +dave::rm /etc/swanctl/rsa/daveKey.pem +moon::rm /etc/swanctl/rsa/moonKey.pem +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/test.conf b/testing/tests/openssl-ikev1/ecdsa-certs/test.conf index f29298850..1227b9d1c 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/test.conf +++ b/testing/tests/openssl-ikev1/ecdsa-certs/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt b/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt deleted file mode 100644 index cfa7a11b9..000000000 --- a/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt +++ /dev/null @@ -1,16 +0,0 @@ -The roadwarrior carol and the gateway moon use the openssl -plugin based on the OpenSSL library for all cryptographical and X.509 certificate -functions whereas roadwarrior dave uses the default strongSwan cryptographical -plugins aes des sha1 sha2 md5 gmp hmac gcm and x509. -
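Review bot: The three `rm /etc/swanctl/rsa/*Key.pem` lines added to pretest.dat, and the matching `rm /etc/swanctl/ecdsa/*Key.pem` lines in posttest.dat, are not explained anywhere in the change; presumably they keep swanctl from loading the RSA keys so that only the ECDSA identities are available while the test runs, but a reader has to infer that. A sentence in the test's description.txt stating that intent would help, and if the harness does not stop on a non-zero exit status, `rm -f` would keep an already-missing file from producing stray error output. The `2> /dev/null` on the `swanctl --initiate` lines hides any initiate-time diagnostics, so the SA checks in evaltest.dat are the only place a failed setup becomes visible.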

-Roadwarrior carol proposes to gateway moon the cipher suite -AES_GCM_16_256 both for IKE and ESP by defining ike=aes256gcm16-prfsha512-modp2048 -(or alternatively aes256gcm128) and esp=aes256gcm16-modp2048 in ipsec.conf, -respectively. -

-Roadwarrior dave proposes to gateway moon the cipher suite -AES_GCM_16_128 both for IKE and ESP by defining ike=aes128gcm16-prfsha256-modp1536 -(or alternatively aes128gcm128) and esp=aes128gcm16-modp1536 in ipsec.conf, -respectively. -

-A ping by carol and dave to alice successfully checks the established tunnels. diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat deleted file mode 100644 index 44bd75895..000000000 --- a/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat +++ /dev/null 
@@ -1,26 +0,0 @@ -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES -dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon:: ipsec statusall 2> /dev/null::rw\[1].*IKE proposal: AES_GCM_16_256::YES -moon:: ipsec statusall 2> /dev/null::rw\[2].*IKE proposal: AES_GCM_16_128::YES -carol::ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_256::YES -dave:: ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_128::YES -moon:: ipsec statusall 2> /dev/null::rw[{]1}.*AES_GCM_16_256,::YES -moon:: ipsec statusall 2> /dev/null::rw[{]2}.*AES_GCM_16_128,::YES -carol::ipsec statusall 2> /dev/null::AES_GCM_16_256,::YES -dave:: ipsec statusall 2> /dev/null::AES_GCM_16_128,::YES -moon:: ip xfrm state::aead rfc4106(gcm(aes))::YES -carol::ip xfrm state::aead rfc4106(gcm(aes))::YES -dave:: ip xfrm state::aead rfc4106(gcm(aes))::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES -moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES -moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES - 
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf deleted file mode 100644 index c0016ff61..000000000 --- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes256gcm128-prfsha512-modp2048! - esp=aes256gcm128-modp2048! - -conn home - left=PH_IP_CAROL - leftfirewall=yes - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 4a7e09c6a..000000000 --- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = pem pkcs1 random nonce revocation openssl curl stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 335eda02c..000000000 --- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128gcm128-prfsha256-modp1536! - esp=aes128gcm128-modp1536! - -conn home - left=PH_IP_DAVE - leftfirewall=yes - leftcert=daveCert.pem - leftid=dave@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add 
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 99069ae82..000000000 --- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac gcm stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 566298bed..000000000 --- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes256gcm16-prfsha512-modp2048,aes128gcm16-prfsha256-modp1536! - esp=aes256gcm16-modp2048,aes128gcm16-modp1536! - -conn rw - left=PH_IP_MOON - leftfirewall=yes - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 4a7e09c6a..000000000 --- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = pem pkcs1 random nonce revocation openssl curl stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat deleted file mode 100644 index 1865a1c60..000000000 --- a/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat +++ /dev/null 
@@ -1,6 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush -dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat deleted file mode 100644 index e87a8ee47..000000000 --- a/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat +++ /dev/null @@ -1,11 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start -moon::expect-connection rw -carol::expect-connection home -carol::ipsec up home -dave::expect-connection home -dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/test.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/test.conf deleted file mode 100644 index c3f38054b..000000000 --- a/testing/tests/openssl-ikev2/alg-aes-gcm/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon carol dave winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl-ikev2/alg-blowfish/description.txt b/testing/tests/openssl-ikev2/alg-blowfish/description.txt deleted file mode 100644 index d30d9d2da..000000000 --- a/testing/tests/openssl-ikev2/alg-blowfish/description.txt +++ /dev/null 
@@ -1,11 +0,0 @@ -The roadwarriors carol and dave as well as the gateway moon -use the openssl plugin based on the OpenSSL library for all -cryptographical functions, thus making the Blowfish available as an IKEv2 cipher. -

-The roadwarriors carol and dave set up a connection each -to gateway moon using Blowfish for both IKE and ESP -encryption. Upon the successful establishment of the IPsec tunnels, leftfirewall=yes -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. -In order to test both tunnel and firewall, both carol and dave ping -the client alice behind the gateway moon. - diff --git a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat deleted file mode 100644 index a4f1f2998..000000000 --- a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat +++ /dev/null 
@@ -1,17 +0,0 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES -dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES -dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES -carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_384_192,::YES -dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA2_256_128,::YES -carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES -dave:: ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 192::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 192::YES -moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES -moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES - diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf deleted file mode 100644 index adee238e6..000000000 --- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf +++ /dev/null 
@@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=blowfish256-sha512-modp2048! - esp=blowfish192-sha384! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 4a5e52dbd..000000000 --- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf deleted file mode 100644 index e22322431..000000000 --- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=blowfish128-sha256-modp1536! - esp=blowfish128-sha256! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 4a5e52dbd..000000000 --- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf +++ /dev/null 
@@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 43bbb36a9..000000000 --- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536! - esp=blowfish192-sha384,blowfish128-sha256! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 4a5e52dbd..000000000 --- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat b/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat deleted file mode 100644 index 1865a1c60..000000000 --- a/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush -dave::iptables-restore < /etc/iptables.flush 
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat deleted file mode 100644 index e87a8ee47..000000000 --- a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat +++ /dev/null @@ -1,11 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start -moon::expect-connection rw -carol::expect-connection home -carol::ipsec up home -dave::expect-connection home -dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/alg-blowfish/test.conf b/testing/tests/openssl-ikev2/alg-blowfish/test.conf deleted file mode 100644 index f29298850..000000000 --- a/testing/tests/openssl-ikev2/alg-blowfish/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl-ikev2/alg-camellia/description.txt b/testing/tests/openssl-ikev2/alg-camellia/description.txt index b3515c333..4b8eeb87e 100644 --- a/testing/tests/openssl-ikev2/alg-camellia/description.txt +++ b/testing/tests/openssl-ikev2/alg-camellia/description.txt 
@@ -1,4 +1,3 @@ -Roadwarrior carol proposes to gateway moon the IKE cipher suite CAMELLIA_CBC_256 / -HMAC_SHA2_512_256 / MODP_2048 by defining ike=camellia256-sha256-modp2048 as well as -the ESP cipher suite CAMELLIA_CBC_192 / HMAC_SHA1_96 by defining esp=camellia192-sha1 -in ipsec.conf. A ping from carol to alice successfully checks the established tunnel. +Roadwarrior carol proposes to gateway moon the IKE cipher suite +camellia256-sha512-modp3072 as well as the ESP cipher suite camellia192-sha384. +A ping from carol to alice successfully checks the established tunnel. diff --git a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat index 937860593..8a2e36baa 100644 --- a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat +++ b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat 
@@ -1,10 +1,6 @@
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
-carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon:: ip xfrm state::enc cbc(camellia)::YES
 carol::ip xfrm state::enc cbc(camellia)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
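Review bot: The two added `swanctl --list-sas --raw` expectations hard-code 192.168.0.100 and 192.168.0.1, while the ping line kept just above them still uses the PH_IP_ALICE placeholder, so the file now names the test hosts in two different ways. If the PH_IP_* placeholders are substituted in evaltest.dat the same way they are for the ping line, `local-host=PH_IP_CAROL` and `remote-host=PH_IP_MOON` (and the same in the `local-ts`/`remote-ts` patterns) would keep these checks in step with the host definitions instead of failing after an address change. The new expectations in alg-ecp-brainpool-high/evaltest.dat further down have the same mix.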
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf deleted file mode 100644 index f0bbfc10f..000000000 --- a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=camellia256-sha512-modp3072! - esp=camellia192-sha384! - -conn home - left=PH_IP_CAROL - leftfirewall=yes - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf index 976544b24..a322670f4 100644 --- a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..ebdb473fb --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf 
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = camellia192-sha384
+ }
+ }
+ version = 2
+ proposals = camellia256-sha512-modp3072
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 8481f8974..000000000
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=camellia256-sha512-modp3072!
- esp=camellia192-sha384!
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
index 976544b24..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
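Review bot: swanctl.conf is added with mode 100755 (the `new file mode 100755` in its file header), but it is a plain configuration file that nothing executes; the sibling strongswan.conf files in this same change carry 100644. The executable bit may be carried along by whatever copies the test tree onto the guests, so it is worth dropping it here rather than in a later cleanup. The same mode appears on the new swanctl.conf files for alg-camellia moon and for alg-ecp-brainpool-high carol and dave.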
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..90c566bb6
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = camellia192-sha384
+ }
+ }
+ version = 2
+ proposals = camellia256-sha512-modp3072
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-camellia/posttest.dat b/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
index 046d4cfdc..2b00bea8e 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
index e34f70277..ae2c30429 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
@@ -1,7 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-moon::expect-connection rw
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection net
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
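Review bot: In the new moon swanctl.conf the `remote` section carries `auth = pubkey` but no `id`, so moon will presumably accept any peer whose certificate chains to a CA it has loaded; that mirrors the `right=%any` of the deleted ipsec.conf and is what a roadwarrior gateway test wants, but nothing in the file says so. A one-line comment such as `# no id: any peer with a certificate from the loaded CA may connect` above `remote {` would make the open peer policy explicit for whoever copies this file as a template for a non-test setup. The carol side of the same test does pin `id = moon.strongswan.org`, which is the contrast worth pointing out.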
diff --git a/testing/tests/openssl-ikev2/alg-camellia/test.conf b/testing/tests/openssl-ikev2/alg-camellia/test.conf index 4a5fc470f..307c7e9cc 100644 --- a/testing/tests/openssl-ikev2/alg-camellia/test.conf +++ b/testing/tests/openssl-ikev2/alg-camellia/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt index d0ae5a823..e37d5489c 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt @@ -1,17 +1,17 @@ The roadwarrior carol and the gateway moon use the openssl plugin based on the OpenSSL library for all cryptographical and X.509 certificate functions whereas roadwarrior dave uses the default strongSwan -cryptographical plugins aes des sha1 sha2 md5 gmp x509 plus the openssl +cryptographical plugins aes sha1 sha2 hmac gmp x509 plus the openssl plugin for the Elliptic Curve Diffie-Hellman groups only.

-The roadwarriors carol and dave set up a connection each +The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. carol proposes the Brainpool DH groups ECP_256_BP and ECP_384_BP whereas dave proposes ECP_256_BP and ECP_512_B P. Since moon does not support ECP_256_BP the roadwarriors fall back to ECP_384_BP and ECP_512_BP, respectively.

-Upon the successful establishment of the IPsec tunnels, leftfirewall=yes -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +Upon the successful establishment of the IPsec tunnels, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon. diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat index ebc7752f2..746d90280 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat 
@@ -1,19 +1,12 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::cat /var/log/daemon.log::ECP_256_BP.*ECP_384_BP::YES dave:: cat /var/log/daemon.log::ECP_256_BP.*ECP_512_BP::YES -carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384_BP::YES -dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_512_BP::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384_BP.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 
dh-group=ECP_512_BP.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384_BP.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_512_BP.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES - diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf deleted file mode 100644 index bfca8965f..000000000 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf +++ /dev/null 
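Review bot: The two moon expectations pin `--ike-id 2` and `--ike-id 4` (and `reqid=1`/`reqid=2`), which bakes in both the order in which carol and dave initiate and the apparent fact that each roadwarrior uses up one IKE_SA id on the ECP_256_BP attempt that moon rejects before it falls back to ECP_384_BP or ECP_512_BP. The deleted `rw\[2]`/`rw\[4]` checks relied on the same thing, so this is not new, but in the swanctl form the numbers read like arbitrary constants. A short note in description.txt (or in evaltest.dat if its format permits comments) explaining where 2 and 4 come from would save the next person from chasing a spurious failure if the retry behaviour or the pretest ordering changes. Whether the harness runs the carol and dave initiations strictly sequentially is not visible here, so the ordering assumption should be confirmed.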
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256bp,aes192-sha384-ecp384bp!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..893130d66
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256bp,aes192gcm16-ecp384bp
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256bp,aes192-sha384-ecp384bp
+ }
+}
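Review bot: The new swanctl.conf is committed with mode 100755 (`new file mode 100755` in its header) although it is plain configuration read by swanctl, not a script; the sibling strongswan.conf in the same directory is 100644 and the same non-executable mode would be appropriate here. The dave and moon swanctl.conf files of this test and of the alg-ecp-brainpool-low and alg-ecp-high tests further down carry the same 100755 mode. The content of the 27 added lines itself carries over the identity, certificate and remote subnet of the deleted ipsec.conf consistently, so only the file mode needs attention.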
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 2b16165dc..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256bp,aes256-sha512-ecp512bp!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf
index fde691e96..5b59e8d55 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e522d15d7
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256bp,aes256gcm16-ecp512bp
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256bp,aes256-sha512-ecp512bp
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 8c02c9fea..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes192-sha384-ecp384bp,aes256-sha512-ecp512bp!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..93fc75e14
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes192gcm16-ecp384bp,aes256gcm16-ecp512bp
+ }
+ }
+ version = 2
+ proposals = aes192-sha384-ecp384bp,aes256-sha512-ecp512bp
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat
index 1865a1c60..199873ba1 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat
index e87a8ee47..dd1a17ccb 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat
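Review bot: The `remote` section of connection rw on moon constrains only `auth = pubkey` and sets no `id`, so any peer whose certificate chains to a CA moon trusts is accepted; that mirrors the `right=%any` of the deleted ipsec.conf and is presumably intended for a roadwarrior gateway, but nothing in the file says so. A one-line comment above the section would make the intent explicit, e.g. `# no id: any roadwarrior with a certificate from a trusted CA may connect`. The moon swanctl.conf added for the alg-ecp-brainpool-low and alg-ecp-high tests below has the same shape and would benefit from the same comment.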
@@ -1,11 +1,11 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt
index 78eb0ffb3..35323dab6 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt
@@ -1,17 +1,16 @@
 The roadwarrior carol and the gateway moon use the openssl
-plugin based on the OpenSSL library for all cryptographical and X.509
+plugin based on the OpenSSL library for all cryptographical and X.509
 certificate functions whereas roadwarrior dave uses the default strongSwan
-cryptographical plugins aes des sha1 sha2 md5 gmp x509 plus the openssl
+cryptographical plugins aes des sha1 sha2 hmac gmp x509 plus the openssl
 plugin for the Elliptic Curve Diffie-Hellman groups only.

-The roadwarriors carol and dave set up a connection each +The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. carol proposes the Brainpool DH groups ECP_384_BP and ECP_224_BP whereas -dave proposes ECP_192_BP and ECP_256_BP. Since moon does not support +dave proposes ECP_384_BP and ECP_256_BP. Since moon does not support ECP_384_BP the roadwarriors fall back to ECP_224_BP and ECP_256_BP, respectively.

-Upon the successful establishment of the IPsec tunnels, leftfirewall=yes -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +Upon the successful establishment of the IPsec tunnels, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon. - diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat index ff9fb202c..1c64d0f16 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat 
@@ -1,19 +1,12 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::ECP_384_BP.*ECP_224_BP::YES
 dave:: cat /var/log/daemon.log::ECP_384_BP.*ECP_256_BP::YES
-carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224_BP::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256_BP::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224_BP.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 
dh-group=ECP_256_BP.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224_BP.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256_BP.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index be85b6c1e..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes192-sha384-ecp384bp,3des-sha256-ecp224bp!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..deba223ce
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes192gcm16-ecp384bp,3des-sha256-ecp224bp
+ }
+ }
+ version = 2
+ proposals = aes192-sha384-ecp384bp,3des-sha256-ecp224bp
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 1adedc048..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes192-sha384-ecp384bp,aes128-sha256-ecp256bp!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf
index fde691e96..6c9cf718d 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..ab8fcf6a3
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes192gcm16-ecp384bp,aes128gcm16-ecp256bp
+ }
+ }
+ version = 2
+ proposals = aes192-sha384-ecp384bp,aes128-sha256-ecp256bp
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index b4cd86c60..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=3des-sha256-ecp224bp,aes128-sha256-ecp256bp!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..c12a7d4c6
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = 3des-sha256-ecp224bp,aes128gcm16-ecp256bp
+ }
+ }
+ version = 2
+ proposals = 3des-sha256-ecp224bp,aes128-sha256-ecp256bp
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat
index 1865a1c60..199873ba1 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat
index e87a8ee47..dd1a17ccb 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat
@@ -1,11 +1,11 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/description.txt b/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
index a1f31495d..773e43a35 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
@@ -1,17 +1,17 @@
 The roadwarrior carol and the gateway moon use the openssl plugin based on the OpenSSL library for all cryptographical and X.509 certificate functions whereas roadwarrior dave uses the default strongSwan
-cryptographical plugins aes des sha1 sha2 md5 gmp x509 plus the openssl
+cryptographical plugins aes sha1 sha2 hmac gmp x509 plus the openssl
 plugin for the Elliptic Curve Diffie-Hellman groups only.

-The roadwarriors carol and dave set up a connection each +The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. carol proposes the DH groups ECP_256 and ECP_384 whereas dave proposes ECP_256 and ECP_521. Since moon does not support ECP_256 the roadwarriors fall back to ECP_384 and ECP_521, respectively.

-Upon the successful establishment of the IPsec tunnels, leftfirewall=yes -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +Upon the successful establishment of the IPsec tunnels, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon. diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat index 4cee48d89..07ad135d8 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat 
@@ -1,17 +1,11 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::ECP_256.*ECP_384::YES
 dave:: cat /var/log/daemon.log::ECP_256.*ECP_521::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 
dh-group=ECP_521.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_521.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 2fd776e25..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256,aes192-sha384-ecp384!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..46942c7e2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256,aes192gcm16-ecp384
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256,aes192-sha384-ecp384
+ }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 8d8989ed7..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256,aes256-sha512-ecp521!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
index fde691e96..5b59e8d55 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..828c4d6c7
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256,aes256gcm16-ecp521 + } + } + version = 2 + proposals = aes128-sha256-ecp256,aes256-sha512-ecp521 + } +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf deleted file mode 100644 index addcc6175..000000000 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes192-sha384-ecp384,aes256-sha512-ecp521! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } 
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..18a98ad6e --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes192gcm16-ecp384,aes256gcm16-ecp521 + } + } + version = 2 + proposals = aes192-sha384-ecp384,aes256-sha512-ecp521 + } +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat index 1865a1c60..199873ba1 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat index e87a8ee47..dd1a17ccb 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat 
@@ -1,11 +1,11 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/test.conf b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf index f29298850..1227b9d1c 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/test.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/description.txt b/testing/tests/openssl-ikev2/alg-ecp-low/description.txt index 84b6eb4bf..c365455d0 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/description.txt +++ b/testing/tests/openssl-ikev2/alg-ecp-low/description.txt @@ -1,17 +1,17 @@ The roadwarrior carol and the gateway moon use the openssl -plugin based on the OpenSSL library for all cryptographical and X.509 +plugin based on the OpenSSL library for all cryptographical and X.509 certificate functions whereas roadwarrior dave uses the default strongSwan -cryptographical plugins aes des sha1 sha2 md5 gmp x509 plus the openssl +cryptographical plugins aes des sha1 sha2 hmac gmp x509 plus the openssl plugin for the Elliptic Curve Diffie-Hellman groups only.

-The roadwarriors carol and dave set up a connection each +The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. carol proposes the DH groups ECP_192 and ECP_224 whereas dave proposes ECP_192 and ECP_256. Since moon does not support ECP_192 the roadwarriors fall back to ECP_224 and ECP_256, respectively.

-Upon the successful establishment of the IPsec tunnels, leftfirewall=yes -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +Upon the successful establishment of the IPsec tunnels, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon. diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat index 818082ca8..88fe3a1e3 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat 
@@ -1,19 +1,12 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::cat /var/log/daemon.log::ECP_192.*ECP_224::YES dave:: cat /var/log/daemon.log::ECP_192.*ECP_256::YES -carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES -dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 
dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES - diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf deleted file mode 100644 index b754c29ba..000000000 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf +++ /dev/null 
@@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes192-sha384-ecp192,3des-sha256-ecp224! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..e21bcd3b5 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = 3des-sha1-ecp192,3des-sha256-ecp224 + } + } + version = 2 + proposals = 3des-sha1-ecp192,3des-sha256-ecp224 + } +} 
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf deleted file mode 100644 index b5e9215c5..000000000 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes192-sha384-ecp192,aes128-sha256-ecp256! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf index fde691e96..6c9cf718d 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..f38c4353b --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf 
@@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = 3des-sha1-ecp192,aes128gcm16-ecp256 + } + } + version = 2 + proposals = 3des-sha1-ecp192,aes128-sha256-ecp256 + } +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 2e4a15ec3..000000000 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=3des-sha256-ecp224,aes128-sha256-ecp256! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..5caa77eb9 
--- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = 3des-sha256-ecp224,aes128gcm16-ecp256 + } + } + version = 2 + proposals = 3des-sha256-ecp224,aes128-sha256-ecp256 + } +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat index 1865a1c60..199873ba1 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat index e87a8ee47..dd1a17ccb 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat @@ -1,11 +1,11 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null 
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/test.conf b/testing/tests/openssl-ikev2/alg-ecp-low/test.conf index f29298850..1227b9d1c 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/test.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/openssl-ikev2/critical-extension/description.txt b/testing/tests/openssl-ikev2/critical-extension/description.txt index 8c0d37c88..4f472b83b 100644 --- a/testing/tests/openssl-ikev2/critical-extension/description.txt +++ b/testing/tests/openssl-ikev2/critical-extension/description.txt @@ -1,5 +1,5 @@ A connection between the subnets behind the gateways moon and sun is set up. The authentication is based on X.509 certificates which contain a critical but -unsupported 'strongSwan' extension. Whereas moon ignores unsupported critical +unsupported 'strongSwan' extension. Whereas moon ignores unsupported critical extensions by setting libstrongswan.x509.enforce_critical = no in strongswan.conf, sun discards such certificates and aborts the connection setup. diff --git a/testing/tests/openssl-ikev2/critical-extension/evaltest.dat b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat index cc904c8bc..e91ba2b82 100644 --- a/testing/tests/openssl-ikev2/critical-extension/evaltest.dat +++ b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat @@ -1,6 +1,4 @@ moon::cat /var/log/daemon.log::sending end entity cert::YES moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES sun:: cat /var/log/daemon.log::found unsupported critical X.509 extension::YES -sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES -sun:: cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES 
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der
deleted file mode 100644
index 7f78d5820..000000000
Binary files a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der and /dev/null differ
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem
deleted file mode 100644
index 4d99866f7..000000000
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ /dev/null
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAyi9jPdS7ugWGIVsVoDEvc/UzEk8LM5ua4Tu2SLArTEaODwHm -MPvvkhl7dwj12//qfklihpZtdazxO9XkN3oYIdgt4QLq35ljtIkEGgsPn3a3niFQ -qjkCDj+lKmd9u4ecmGKR5PFUL+LwSU6cXJVNT6p1oXqntWZS8bFu+9y0Zpf30Lf1 -ILyZAgU2WTjSzTHyvu0w52GlbALZ3ILwze/J1DRHtqmPdiiu0qwSekqVBIOPZudR -fl4LBnLIFlR0vOaJ9zpvxuPHKyxFSY3bvAsXsEkVYG/pTyVsx3fELFNFYP+75arN -2UTMjbTSq6+KKUr1WwOmoBpU14Qwq3g4l1PChwIDAQABAoIBACBFB/Xqajv6fbn9 -K6pxrz02uXwGmacXAtVIDoPzejWmXS4QA4l17HrJDmelSnhelDKry8nnYHkTrTz7 -mn0wQ4HDWy86o/okJUG/TKRLd6bf79aRQqqohqd3iQkHk43GyzuXH+oGioVKF0fc -ACDWw4wfjL7FMNdHCZ4Bz9DrHO/ysHe9B6rvSYm3VZRhSxaneIkaLkkDadKpVx3f -XNFlMxY4qKPJYYSoJZ61iMqrO7+rnA93tmyDDs8PKU3BtnpfNrdePgleJHhk8Zqy -Ev2/NOCSUxbKE8NCtLpGTs+T0qjjnu4k3WPd3ZOBAan0uPDekHZeHB/aXGLhYcxx -J5SurqECgYEA+F1gppkER5Jtoaudt/CUpdQ1sR9wxf75VBqJ4FiYABGQz9xlG4oj -zL/o572s0iV3bwFpnQa+WuWrxGkP6ZuB/Z82npc0N/vLou/b4dxvg4n7K+eOOEf0 -8FMjsse2tqTIXKCqcmQnR0NPQ1jwuvEKsXP5w/JOlnRXAXnd4jxsJI0CgYEA0GaT -61ySttUW9jC3mxuY6jkQy8TEQqR3nOFvWwmCXIWOpN/MTTPus+Telxp/pdKhU+mo -PmX3Unyne5PvwleWDq3YzltX5ZDZGJ5UJlKuNnfGIzQ6OcHRbb7zBpQG6qSRPuug -bgo688hTnb1L59nK88zWVK45euf6pyuoI+SwIGMCgYEA7yvE8knyhBXvezuv0z1b -eGHmHp5/VDwY0DQKSEAoiBBiWrkLqLybgwXf/KJ8dZZc8En08aFX2GLJyYe/KiB1 -ys3ypEBJqgvRayP+o/9KZ+qNNRd0rqAksPXvL7ABNNt0kzapTSVDae3Yu6s/j1am -DIL5qAeERIDedG5uDPpQzdUCgYB7MtjpP63ABhLv8XbpbBQnCxtByw3W89F+Xcrt -v55gQdhE4cSuMzA/CuMH4vNpPS6AI9aBJNhj3CtKo/cOJachAGb1/wvkO5ALvLW0 -fhZdPstUTnDJain7vfF/hwzbs/PlhXgu9T9KlLfRvXFdG+Sd4g8mumRiozcLkoRw -y6XPTwKBgDJP+s9wXmdG90HST/aqC7FKrVXLpB63dY5swNUfQP6sa0pFnON0r0JC -h/YCsGFFIAebQ2uOkM3g3f9nkwTp7910ov+/5uThvRI2w2BBPy0mVuALPjyyF1Z2 -cb9zpyKiIuXoXRCf4sd8r1lR9bn0Fxx0Svpxf+fpMGSI5quHNBKY ------END RSA PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf index a72c82525..f2104c5f8 100644 
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf @@ -1,9 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 random nonce openssl revocation curl hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl revocation curl vici kernel-netlink socket-default updown multiple_authentication = no +} +libstrongswan { x509 { enforce_critical = no } diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/rsa/moonKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/rsa/moonKey.pem new file mode 100644 index 000000000..4d99866f7 --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/rsa/moonKey.pem 
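Review bot: The `enforce_critical = no` setting that now sits under `libstrongswan { x509 { ... } }` has no comment, and a reader of the guest's strongswan.conf cannot tell that it deliberately relaxes the RFC 5280 section 4.2 rule that a certificate carrying an unrecognised critical extension must be rejected, which is the behaviour this test exists to contrast with sun. A one-line comment above the setting would make that explicit: `# test-only: accept certificates with unsupported critical extensions (sun keeps the default and rejects them)`. The closing brace of the new `libstrongswan` block is not visible in the collapsed hunk text, so I cannot confirm the block is terminated.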
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAyi9jPdS7ugWGIVsVoDEvc/UzEk8LM5ua4Tu2SLArTEaODwHm +MPvvkhl7dwj12//qfklihpZtdazxO9XkN3oYIdgt4QLq35ljtIkEGgsPn3a3niFQ +qjkCDj+lKmd9u4ecmGKR5PFUL+LwSU6cXJVNT6p1oXqntWZS8bFu+9y0Zpf30Lf1 +ILyZAgU2WTjSzTHyvu0w52GlbALZ3ILwze/J1DRHtqmPdiiu0qwSekqVBIOPZudR +fl4LBnLIFlR0vOaJ9zpvxuPHKyxFSY3bvAsXsEkVYG/pTyVsx3fELFNFYP+75arN +2UTMjbTSq6+KKUr1WwOmoBpU14Qwq3g4l1PChwIDAQABAoIBACBFB/Xqajv6fbn9 +K6pxrz02uXwGmacXAtVIDoPzejWmXS4QA4l17HrJDmelSnhelDKry8nnYHkTrTz7 +mn0wQ4HDWy86o/okJUG/TKRLd6bf79aRQqqohqd3iQkHk43GyzuXH+oGioVKF0fc +ACDWw4wfjL7FMNdHCZ4Bz9DrHO/ysHe9B6rvSYm3VZRhSxaneIkaLkkDadKpVx3f +XNFlMxY4qKPJYYSoJZ61iMqrO7+rnA93tmyDDs8PKU3BtnpfNrdePgleJHhk8Zqy +Ev2/NOCSUxbKE8NCtLpGTs+T0qjjnu4k3WPd3ZOBAan0uPDekHZeHB/aXGLhYcxx +J5SurqECgYEA+F1gppkER5Jtoaudt/CUpdQ1sR9wxf75VBqJ4FiYABGQz9xlG4oj +zL/o572s0iV3bwFpnQa+WuWrxGkP6ZuB/Z82npc0N/vLou/b4dxvg4n7K+eOOEf0 +8FMjsse2tqTIXKCqcmQnR0NPQ1jwuvEKsXP5w/JOlnRXAXnd4jxsJI0CgYEA0GaT +61ySttUW9jC3mxuY6jkQy8TEQqR3nOFvWwmCXIWOpN/MTTPus+Telxp/pdKhU+mo +PmX3Unyne5PvwleWDq3YzltX5ZDZGJ5UJlKuNnfGIzQ6OcHRbb7zBpQG6qSRPuug +bgo688hTnb1L59nK88zWVK45euf6pyuoI+SwIGMCgYEA7yvE8knyhBXvezuv0z1b +eGHmHp5/VDwY0DQKSEAoiBBiWrkLqLybgwXf/KJ8dZZc8En08aFX2GLJyYe/KiB1 +ys3ypEBJqgvRayP+o/9KZ+qNNRd0rqAksPXvL7ABNNt0kzapTSVDae3Yu6s/j1am +DIL5qAeERIDedG5uDPpQzdUCgYB7MtjpP63ABhLv8XbpbBQnCxtByw3W89F+Xcrt +v55gQdhE4cSuMzA/CuMH4vNpPS6AI9aBJNhj3CtKo/cOJachAGb1/wvkO5ALvLW0 +fhZdPstUTnDJain7vfF/hwzbs/PlhXgu9T9KlLfRvXFdG+Sd4g8mumRiozcLkoRw +y6XPTwKBgDJP+s9wXmdG90HST/aqC7FKrVXLpB63dY5swNUfQP6sa0pFnON0r0JC +h/YCsGFFIAebQ2uOkM3g3f9nkwTp7910ov+/5uThvRI2w2BBPy0mVuALPjyyF1Z2 +cb9zpyKiIuXoXRCf4sd8r1lR9bn0Fxx0Svpxf+fpMGSI5quHNBKY +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..0b0aa32a5 --- /dev/null 
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+ esp_proposals = aes128gcm128-ecp256
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/x509/moonCert.der b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/x509/moonCert.der
new file mode 100644
index 000000000..7f78d5820
Binary files /dev/null and b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/x509/moonCert.der differ
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der
deleted file mode 100644
index c1efb6719..000000000
Binary files a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der and /dev/null differ
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem
deleted file mode 100644
index d8fad9aad..000000000
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem
+++ /dev/null
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA35VUimfpDmNpT/8Q3qnoDlxJ9R+EErSYVraVoUVmH9jSHroB -eqqtDdf3XuHtg2xKTryijBj2H0jeA7HuE1UGwmvZWN1gL5vSrk1OFrT38DmaKa/+ -mtiPqjTJrDGg+OgOz1iHsPsp/4Xx+SCTSy2Ucllfront02sVduDXEGV34Snk6vYV -sRn1BZSlFBO6F2k23/j1i7FDn0N6Zj0hFvCysoIcfSYasmwN2p5vRqn7xC9JceMK -3V+v0w0pZoAUBAspAjh7R1rWe08IRAt4Tzff401EGAa5+TQqoZPd4BeqvFr0AQhQ -mdVw97FB2pQyNxSlcVvxY3NFYHwSCHcEMroWwQIDAQABAoIBADH51hjN2zk9HVgl -QmcTAWzcUie5cLMhrP+M9mtC8O3jcCwwFY6OwfnbMU8DHy0GMqHg5lB8b99UUVPw -HLAzjDw/ESkc6pgZs4EEhJTsxJLsvTnePgHssEgyXnXf7gRVEqJkPohfy+Zy0UCH -eIUQXiMlOQ7xg7iDMhwNa+UdWSt539DztSKilQn2xdPZjFnMT0/prvl4NA/8Zn54 -/SdWDq5yRdLWb6EK1V7yJ3687GXR1jzGtgy7TXuncUJVTYgX7RdP1Tn6gWD8YAQ/ -RfT0DdWYm4WHSgSb9/NW8lBZH2yy3hg+lNgofXEvTfBkO5QyW31LIr0tCV6zhJIc -Y9MxaKUCgYEA9sktaXfhPLe0ECjdeQEOq5EKuDrCviSKCOuAV4BDSOsdw6+5LWfY -Vb/oke8N70lL3RCblcj1pOKWUi2O/SpEJdDRduiw2gM9cXt3/bChSTHC4TsIxxN/ -Db9OGg72kZ4sRY5Au+zyAAQYBwXhFWux194Jk5qK0JblNG9J5QMqZDcCgYEA5+5h -BgHUMEO+pdME5lAiSc5PcNTejpA6j+OikCh4/HFXy3C/dLx+Cs1+egw64c8iVaIv -NEo7n7E9I0e3XqanPRXhMnBRrP+39OVsWPmZ18Li2Hi84KwJyi8Y11l3XJOqaYpF -wMVUuZpxR0dfG5k/5GwT/tEkmQBglOgG3m2zUMcCgYEA4m3Vd9ahV5dp5AXKpzKc -JjiPMFfhxJo7+FEz0ZUCp03qYljBu/Jy4MKS/grrqyiCLdQGHNlk4SNxLvdUId78 -5gGBnuuDEJU2dAAIKUE9yq2YlBUZSacOxStI2snt28/X6P3LUWHm7LLU5OS1D3Vf -mKPF/6MlSJuas5CEqVZNN+MCgYBH9Qh7IaQgmVQUBKVXg3Mv7OduvUyTdKIGtHxi -N3xZ7hxsDP4JjNWaKmlcGmFGX8pqQRheI83d3NJ4GK8GmbP3Wst0p65fezMqsudr -r30QmPFicgs/tYCQDw6o+aPzwAi2F+VOSqrfrtAIaldSq7hL+VA21dKB+cD9UgOX -jPd+TwKBgQCbKeg2QNS2qhPIG9eaqJDROuxmxb/07d7OBctgMgxVvKhqW9hW42Sy -gJ59fyz5QjFBaSfcOdf4gkKyEawVo45/q6ymIQU37R4vF4CW9Z3CfaIbwJp7LcHV -zH07so/HNsZua6GWCSCLJU5MeCRiZzk2RFiS9KIaLP4gZndv4lXOiQ== ------END RSA PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf index d67640548..77d858547 100644 
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 random nonce openssl curl revocation hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/rsa/sunKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/rsa/sunKey.pem new file mode 100644 index 000000000..d8fad9aad --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/rsa/sunKey.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA35VUimfpDmNpT/8Q3qnoDlxJ9R+EErSYVraVoUVmH9jSHroB +eqqtDdf3XuHtg2xKTryijBj2H0jeA7HuE1UGwmvZWN1gL5vSrk1OFrT38DmaKa/+ +mtiPqjTJrDGg+OgOz1iHsPsp/4Xx+SCTSy2Ucllfront02sVduDXEGV34Snk6vYV +sRn1BZSlFBO6F2k23/j1i7FDn0N6Zj0hFvCysoIcfSYasmwN2p5vRqn7xC9JceMK +3V+v0w0pZoAUBAspAjh7R1rWe08IRAt4Tzff401EGAa5+TQqoZPd4BeqvFr0AQhQ +mdVw97FB2pQyNxSlcVvxY3NFYHwSCHcEMroWwQIDAQABAoIBADH51hjN2zk9HVgl +QmcTAWzcUie5cLMhrP+M9mtC8O3jcCwwFY6OwfnbMU8DHy0GMqHg5lB8b99UUVPw +HLAzjDw/ESkc6pgZs4EEhJTsxJLsvTnePgHssEgyXnXf7gRVEqJkPohfy+Zy0UCH +eIUQXiMlOQ7xg7iDMhwNa+UdWSt539DztSKilQn2xdPZjFnMT0/prvl4NA/8Zn54 +/SdWDq5yRdLWb6EK1V7yJ3687GXR1jzGtgy7TXuncUJVTYgX7RdP1Tn6gWD8YAQ/ +RfT0DdWYm4WHSgSb9/NW8lBZH2yy3hg+lNgofXEvTfBkO5QyW31LIr0tCV6zhJIc +Y9MxaKUCgYEA9sktaXfhPLe0ECjdeQEOq5EKuDrCviSKCOuAV4BDSOsdw6+5LWfY +Vb/oke8N70lL3RCblcj1pOKWUi2O/SpEJdDRduiw2gM9cXt3/bChSTHC4TsIxxN/ +Db9OGg72kZ4sRY5Au+zyAAQYBwXhFWux194Jk5qK0JblNG9J5QMqZDcCgYEA5+5h +BgHUMEO+pdME5lAiSc5PcNTejpA6j+OikCh4/HFXy3C/dLx+Cs1+egw64c8iVaIv +NEo7n7E9I0e3XqanPRXhMnBRrP+39OVsWPmZ18Li2Hi84KwJyi8Y11l3XJOqaYpF +wMVUuZpxR0dfG5k/5GwT/tEkmQBglOgG3m2zUMcCgYEA4m3Vd9ahV5dp5AXKpzKc +JjiPMFfhxJo7+FEz0ZUCp03qYljBu/Jy4MKS/grrqyiCLdQGHNlk4SNxLvdUId78 +5gGBnuuDEJU2dAAIKUE9yq2YlBUZSacOxStI2snt28/X6P3LUWHm7LLU5OS1D3Vf +mKPF/6MlSJuas5CEqVZNN+MCgYBH9Qh7IaQgmVQUBKVXg3Mv7OduvUyTdKIGtHxi +N3xZ7hxsDP4JjNWaKmlcGmFGX8pqQRheI83d3NJ4GK8GmbP3Wst0p65fezMqsudr +r30QmPFicgs/tYCQDw6o+aPzwAi2F+VOSqrfrtAIaldSq7hL+VA21dKB+cD9UgOX +jPd+TwKBgQCbKeg2QNS2qhPIG9eaqJDROuxmxb/07d7OBctgMgxVvKhqW9hW42Sy +gJ59fyz5QjFBaSfcOdf4gkKyEawVo45/q6ymIQU37R4vF4CW9Z3CfaIbwJp7LcHV +zH07so/HNsZua6GWCSCLJU5MeCRiZzk2RFiS9KIaLP4gZndv4lXOiQ== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..bb068bdbe --- /dev/null 
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+ esp_proposals = aes128gcm128-ecp256
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/x509/sunCert.der b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/x509/sunCert.der
new file mode 100644
index 000000000..c1efb6719
Binary files /dev/null and b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/x509/sunCert.der differ
diff --git a/testing/tests/openssl-ikev2/critical-extension/posttest.dat b/testing/tests/openssl-ikev2/critical-extension/posttest.dat
index 837738fc6..83cd75a5d 100644
--- a/testing/tests/openssl-ikev2/critical-extension/posttest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/posttest.dat
@@ -1,5 +1,4 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::rm /etc/swanctl/x509/moonCert.der
+sun::rm /etc/swanctl/x509/sunCert.der
diff --git a/testing/tests/openssl-ikev2/critical-extension/pretest.dat b/testing/tests/openssl-ikev2/critical-extension/pretest.dat
index 08ca6b54c..cc8d9d74f 100644
--- a/testing/tests/openssl-ikev2/critical-extension/pretest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/pretest.dat
@@ -1,7 +1,7 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-moon::expect-connection net-net
-sun::expect-connection net-net
-moon::ipsec up net-net
+moon::rm /etc/swanctl/x509/moonCert.pem
+sun::rm /etc/swanctl/x509/sunCert.pem
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/critical-extension/test.conf b/testing/tests/openssl-ikev2/critical-extension/test.conf
index b286ef6eb..d3016a886 100644
--- a/testing/tests/openssl-ikev2/critical-extension/test.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
-
+
 # Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/description.txt b/testing/tests/openssl-ikev2/ecdsa-certs/description.txt
index 4f855eb1a..3bbcdfa32 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/description.txt
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/description.txt
@@ -1,11 +1,12 @@ The hosts carol, dave, and moon use the openssl plugin based on the OpenSSL library for all cryptographical and X.509 certificate functions.

-The roadwarriors carol and dave set up a connection each +The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on ECDSA signatures using Elliptic Curve certificates. -Upon the successful establishment of the IPsec tunnels, leftfirewall=yes -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +

+Upon the successful establishment of the IPsec tunnels, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon. diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat index 18fdacfff..a018f735d 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat +++ b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat 
@@ -1,17 +1,13 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
-moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES
 carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
-dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] 
remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index c562e359c..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-ecp256! - esp=aes128gcm16! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- 
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem deleted file mode 100644 index 646f6e8e3..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC8TCCAlKgAwIBAgIBEDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTE4MDYxMzEyMTEyMVoXDTIzMDYxMTEyMTEyMVowXzELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDI1NiBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI -zj0CAQYIKoZIzj0DAQcDQgAE3WHJOZfpI6KZX6zlKRtCvY0VwHW/K8SWjDCuoq+C -Vb7NnQ0Lpfb22Cihwjf0/ne78AcYGapZdt8/tdxlpQm+9qOCARQwggEQMAkGA1Ud -EwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSpGHTyNt5Tfshldm2Oz0MlnHZ+ -aTB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9u -Z1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB8GA1UdEQQYMBaBFGNhcm9sQHN0 -cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25n -c3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIA -7r9urYVPXwOUBU120HDb/0Z+ezMm8vFtGsrJPME9JdW7bdkb1IpWpSobn3Ua94Gm -q7PtKPYbOoF6m4aAIhouWkwCQgChGMvdnRhLQiItMGybWY5mLOYemM9U3CjNLRSE -gDIPWr67i05MwdofcT2hYPSFHAyeI7OfJikHrAfDcTok6kPA3A== ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem deleted file mode 100644 index c277ba4f6..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ /dev/null 
@@ -1,8 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: AES-128-CBC,E62D0EE78FCCAD3B03EA4F93FEFD057C - -CppPKxfVWWaXK3iuFa27YOe/0lWsvzhYKShyq9XanpjuCkcmxKD97eAH1TKokasH -7ffgnKzbLloxJN6g0GMTPpfiRndeK36DyTwktkyt+h+LU1xooSmNnsaM41P0GaPB -71Y87B5E5DCmWQO0icQKbQPj66GNwxBh9S6a8OaxnkU= ------END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 4e53ef91a..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6" diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem new file mode 100644 index 000000000..c277ba4f6 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem 
@@ -0,0 +1,8 @@ +-----BEGIN EC PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,E62D0EE78FCCAD3B03EA4F93FEFD057C + +CppPKxfVWWaXK3iuFa27YOe/0lWsvzhYKShyq9XanpjuCkcmxKD97eAH1TKokasH +7ffgnKzbLloxJN6g0GMTPpfiRndeK36DyTwktkyt+h+LU1xooSmNnsaM41P0GaPB +71Y87B5E5DCmWQO0icQKbQPj66GNwxBh9S6a8OaxnkU= +-----END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..06c23a791 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256 + } + } + version = 2 + proposals = aes128-sha256-ecp256 + } +} + +secrets { + + ecdsa-carol { + file = carolKey.pem + secret = "nH5ZQEWtku0RJEZ6" + } +} diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem new file mode 100644 index 000000000..646f6e8e3 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8TCCAlKgAwIBAgIBEDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG +A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS +b290IENBMB4XDTE4MDYxMzEyMTEyMVoXDTIzMDYxMTEyMTEyMVowXzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB +IDI1NiBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI +zj0CAQYIKoZIzj0DAQcDQgAE3WHJOZfpI6KZX6zlKRtCvY0VwHW/K8SWjDCuoq+C +Vb7NnQ0Lpfb22Cihwjf0/ne78AcYGapZdt8/tdxlpQm+9qOCARQwggEQMAkGA1Ud +EwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSpGHTyNt5Tfshldm2Oz0MlnHZ+ +aTB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9u +Z1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB8GA1UdEQQYMBaBFGNhcm9sQHN0 +cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25n +c3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIA +7r9urYVPXwOUBU120HDb/0Z+ezMm8vFtGsrJPME9JdW7bdkb1IpWpSobn3Ua94Gm +q7PtKPYbOoF6m4aAIhouWkwCQgChGMvdnRhLQiItMGybWY5mLOYemM9U3CjNLRSE +gDIPWr67i05MwdofcT2hYPSFHAyeI7OfJikHrAfDcTok6kPA3A== +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..a1a86a222 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT +AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT +d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI +MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE +AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG +AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE +J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb +TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud +EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd +uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E +J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd +YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA +ihgk0RArH39otlUFPSbSE9bicCDy +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 62a62a463..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-ecp256! - esp=aes128gcm16! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null 
@@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem deleted file mode 100644 index 35b3df49a..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ /dev/null 
@@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDDDCCAm2gAwIBAgIBDzAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTE4MDYxMzEyMTAzMVoXDTIzMDYxMTEyMTAzMVowXjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDM4NCBiaXQxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO -PQIBBgUrgQQAIgNiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0ocoAfYUe/8KzxU5 -7Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3BQu8lofvwQQxQ -rWnu3qzwqEfwb0iB2WyjggETMIIBDzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAd -BgNVHQ4EFgQUDCdvv80iOq2pGsjrnNiQFP2RjnsweAYDVR0jBHEwb4AUul35cbYT -tWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 -eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2 -onV+Iu+miTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1 -MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l -Yy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIBMxGGwujqlwf+JFNXW/sbxZmynwzq -duPikzCw0wIq+YhFYJVi2YWDz0Ikfn4WUvoiUIC/uSBAJAw/3E3SHO5I4Y8CQgF2 -d6Ct2ocQwMcz5O00i3BsuOjiHvL3VB3GGG8rfIXAqwUAy4jXQo0bMh2yD+5WwKmP -GnRyvRuhwRkbBIGt6l1mbA== ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem deleted file mode 100644 index 40a76935e..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ /dev/null @@ -1,6 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MIGkAgEBBDBz89+bQmsMHvfaCsI0N1bInZ+oxA9JZHZrAAkHGHaWFUQZFXBMB88n -2+6S2JvUbcygBwYFK4EEACKhZANiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0oco -AfYUe/8KzxU57Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3B -Qu8lofvwQQxQrWnu3qzwqEfwb0iB2Ww= ------END EC PRIVATE KEY----- 
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index ebd3a2839..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA daveKey.pem diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf index d94b17950..a322670f4 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf @@ -1,6 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown - signature_authentication = no + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem new file mode 100644 index 000000000..40a76935e --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem @@ -0,0 +1,6 @@ +-----BEGIN EC PRIVATE KEY----- +MIGkAgEBBDBz89+bQmsMHvfaCsI0N1bInZ+oxA9JZHZrAAkHGHaWFUQZFXBMB88n +2+6S2JvUbcygBwYFK4EEACKhZANiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0oco +AfYUe/8KzxU57Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3B +Qu8lofvwQQxQrWnu3qzwqEfwb0iB2Ww= +-----END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..f7eb029b0 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf 
@@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes256gcm16-ecp384 + } + } + version = 2 + proposals = aes256-sha384-ecp384 + } +} diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem new file mode 100644 index 000000000..35b3df49a --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDDDCCAm2gAwIBAgIBDzAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG +A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS +b290IENBMB4XDTE4MDYxMzEyMTAzMVoXDTIzMDYxMTEyMTAzMVowXjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB +IDM4NCBiaXQxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO +PQIBBgUrgQQAIgNiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0ocoAfYUe/8KzxU5 +7Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3BQu8lofvwQQxQ +rWnu3qzwqEfwb0iB2WyjggETMIIBDzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAd +BgNVHQ4EFgQUDCdvv80iOq2pGsjrnNiQFP2RjnsweAYDVR0jBHEwb4AUul35cbYT +tWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 +eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2 +onV+Iu+miTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1 +MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l +Yy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIBMxGGwujqlwf+JFNXW/sbxZmynwzq +duPikzCw0wIq+YhFYJVi2YWDz0Ikfn4WUvoiUIC/uSBAJAw/3E3SHO5I4Y8CQgF2 +d6Ct2ocQwMcz5O00i3BsuOjiHvL3VB3GGG8rfIXAqwUAy4jXQo0bMh2yD+5WwKmP +GnRyvRuhwRkbBIGt6l1mbA== +-----END CERTIFICATE----- 
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..a1a86a222 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT +AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT +d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI +MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE +AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG +AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE +J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb +TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud +EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd +uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E +J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd +YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA +ihgk0RArH39otlUFPSbSE9bicCDy +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf deleted file mode 100644 index c5e5e61b0..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-ecp256! - esp=aes128gcm16! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add 
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem deleted file mode 100644 index a4962286e..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ /dev/null 
@@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDMTCCApOgAwIBAgIBDjAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTE4MDYxMzEyMDQ0M1oXDTIzMDYxMTEyMDQ0M1owXjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDUyMSBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwgZswEAYHKoZI -zj0CAQYFK4EEACMDgYYABADF8xmbPu/a05BVtNnZflimozXZgYi+Md7hKREzL7qr -dvtRwbyvki3XNo7zzc1HF/FcYyLJ7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcx -JTF74PtzYGKaMWCP+YN52u3tGaOdlvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPu -M2HRBKOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRl -8cuEZmUGoBIWQeXSYzWq/7ou4jB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB -7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 -YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB4G -A1UdEQQXMBWCE21vb24uc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYr -aHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAKBggq -hkjOPQQDAgOBiwAwgYcCQgDtARCWbIy+tdsD9EYw/oTxfrnsWP0fw1/3UKXjSAlT -tZfJfE743Y7Zl2vqmRIeohQBYY09reTOFnUfYx/jONsTUQJBSB7w+z/CcTCQGIV8 -ISaaeAskxcg/+h87ha+5ZOkHoJDeJTqaatHu3dVx8OepEiQS0TSB9FNxj9g/9bYN -Vjo6NkA= ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem deleted file mode 100644 index 24f07b5d7..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MIHcAgEBBEIAtiNgtSnZ9gKIXkKvb8f1J+ubRkBssvOaHYjv7RMvVOqw5kQGb11B -qXHVf2Qt25/1DccijDu27YQJQLVTY0k5elSgBwYFK4EEACOhgYkDgYYABADF8xmb -Pu/a05BVtNnZflimozXZgYi+Md7hKREzL7qrdvtRwbyvki3XNo7zzc1HF/FcYyLJ -7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcxJTF74PtzYGKaMWCP+YN52u3tGaOd -lvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPuM2HRBA== ------END EC PRIVATE KEY----- 
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 1ef3eccb5..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA moonKey.pem diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem new file mode 100644 index 000000000..24f07b5d7 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem @@ -0,0 +1,7 @@ +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIAtiNgtSnZ9gKIXkKvb8f1J+ubRkBssvOaHYjv7RMvVOqw5kQGb11B +qXHVf2Qt25/1DccijDu27YQJQLVTY0k5elSgBwYFK4EEACOhgYkDgYYABADF8xmb +Pu/a05BVtNnZflimozXZgYi+Md7hKREzL7qrdvtRwbyvki3XNo7zzc1HF/FcYyLJ +7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcxJTF74PtzYGKaMWCP+YN52u3tGaOd +lvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPuM2HRBA== +-----END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..0d99a8189 --- /dev/null 
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm16-aes128gcm16-ecp384-ecp256
+ }
+ }
+ version = 2
+ proposals = aes256-aes128-sha384-sha256-ecp384-ecp256
+ }
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem
new file mode 100644
index 000000000..a4962286e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMTCCApOgAwIBAgIBDjAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG +A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS +b290IENBMB4XDTE4MDYxMzEyMDQ0M1oXDTIzMDYxMTEyMDQ0M1owXjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB +IDUyMSBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwgZswEAYHKoZI +zj0CAQYFK4EEACMDgYYABADF8xmbPu/a05BVtNnZflimozXZgYi+Md7hKREzL7qr +dvtRwbyvki3XNo7zzc1HF/FcYyLJ7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcx +JTF74PtzYGKaMWCP+YN52u3tGaOdlvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPu +M2HRBKOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRl +8cuEZmUGoBIWQeXSYzWq/7ou4jB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB +7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB4G +A1UdEQQXMBWCE21vb24uc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYr +aHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAKBggq +hkjOPQQDAgOBiwAwgYcCQgDtARCWbIy+tdsD9EYw/oTxfrnsWP0fw1/3UKXjSAlT +tZfJfE743Y7Zl2vqmRIeohQBYY09reTOFnUfYx/jONsTUQJBSB7w+z/CcTCQGIV8 +ISaaeAskxcg/+h87ha+5ZOkHoJDeJTqaatHu3dVx8OepEiQS0TSB9FNxj9g/9bYN +Vjo6NkA= +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..a1a86a222 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem 
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
+AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
+d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
+MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
+AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
+AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
+J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
+TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
+EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
+uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
+J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
+YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
+ihgk0RArH39otlUFPSbSE9bicCDy
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
index 1865a1c60..3d10c0f1f 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
@@ -1,6 +1,11 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+carol::rm /etc/swanctl/ecdsa/carolKey.pem
+dave::rm /etc/swanctl/ecdsa/daveKey.pem
+moon::rm /etc/swanctl/ecdsa/moonKey.pem
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
index e87a8ee47..c86fdede5 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
@@ -1,11 +1,14 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/carolKey.pem
+dave::rm /etc/swanctl/rsa/daveKey.pem
+moon::rm /etc/swanctl/rsa/moonKey.pem
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/test.conf b/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
index 46eaccd7a..a018f735d 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
@@ -1,13 +1,13 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
 moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
 moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES
 carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
 dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32]
remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index c562e359c..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256!
- esp=aes128gcm16!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem
deleted file mode 100644
index 646f6e8e3..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC8TCCAlKgAwIBAgIBEDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMTEyMVoXDTIzMDYxMTEyMTEyMVowXzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDI1NiBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
-zj0CAQYIKoZIzj0DAQcDQgAE3WHJOZfpI6KZX6zlKRtCvY0VwHW/K8SWjDCuoq+C
-Vb7NnQ0Lpfb22Cihwjf0/ne78AcYGapZdt8/tdxlpQm+9qOCARQwggEQMAkGA1Ud
-EwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSpGHTyNt5Tfshldm2Oz0MlnHZ+
-aTB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9u
-Z1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB8GA1UdEQQYMBaBFGNhcm9sQHN0
-cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25n
-c3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIA
-7r9urYVPXwOUBU120HDb/0Z+ezMm8vFtGsrJPME9JdW7bdkb1IpWpSobn3Ua94Gm
-q7PtKPYbOoF6m4aAIhouWkwCQgChGMvdnRhLQiItMGybWY5mLOYemM9U3CjNLRSE
-gDIPWr67i05MwdofcT2hYPSFHAyeI7OfJikHrAfDcTok6kPA3A==
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem
deleted file mode 100644
index d043dfd6d..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAiROOtxlAFj6QICCAAw
-HQYJYIZIAWUDBAECBBBD9qsqx1EbF8RiH8mOSf9iBIGQ3URjA/8q9stwEZNsEtS5
-/EzlxReZu+hSmH4+PlOXegP8bSpVtSC+wgTierfXNKDOV4Bs+OY3F/l0D0NYYiaj
-u041/vF1NuO38Fu5rwMZJcCZhlLXVuQVBqyQ5I+52RxTjoEluIQ5MvJOcMap/mc+
-saMMOFLlCeiseIuAWOjcpFzoOWUgXRcABCXJItj+6RgK
------END ENCRYPTED PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 4e53ef91a..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf
index a2b5acb79..a322670f4 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = pem pkcs1 pkcs8 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/pkcs8/carolKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/pkcs8/carolKey.pem
new file mode 100644
index 000000000..d043dfd6d
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/pkcs8/carolKey.pem
@@ -0,0 +1,7 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAiROOtxlAFj6QICCAAw
+HQYJYIZIAWUDBAECBBBD9qsqx1EbF8RiH8mOSf9iBIGQ3URjA/8q9stwEZNsEtS5
+/EzlxReZu+hSmH4+PlOXegP8bSpVtSC+wgTierfXNKDOV4Bs+OY3F/l0D0NYYiaj
+u041/vF1NuO38Fu5rwMZJcCZhlLXVuQVBqyQ5I+52RxTjoEluIQ5MvJOcMap/mc+
+saMMOFLlCeiseIuAWOjcpFzoOWUgXRcABCXJItj+6RgK
+-----END ENCRYPTED PRIVATE KEY-----
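Review bot: The new `load` line drops the `pkcs8` and `hmac` plugins, yet this host still loads an encrypted PKCS#8 key (the `pkcs8-carol` secret in its new swanctl.conf) and its proposals use HMAC-based integrity and PRF, so the reader has to infer that another loaded plugin, presumably `openssl`, now provides both. A one-line comment above `load`, such as `# PKCS#8 decryption and HMAC come from the openssl plugin in this test`, would make the intent of the shorter list explicit. The identical strongswan.conf hunks for dave and moon later in this diff carry the same point.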
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..048f3bbf9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
+
+secrets {
+
+ pkcs8-carol {
+ file = carolKey.pem
+ secret = "nH5ZQEWtku0RJEZ6"
+ }
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509/carolCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509/carolCert.pem
new file mode 100644
index 000000000..646f6e8e3
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509/carolCert.pem
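Review bot: swanctl.conf is added with `new file mode 100755` although it is a plain configuration file, and this one carries the private-key passphrase in its `secrets` section; every certificate and key fixture in the same commit is added as 100644. The executable bit looks like a stray chmod and should be cleared before committing (`chmod 644 swanctl.conf`) so the file is not flagged by mode checks or picked up as a script. The new swanctl.conf for dave and for moon further down this diff are committed with the same 100755 mode.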
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8TCCAlKgAwIBAgIBEDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTE4MDYxMzEyMTEyMVoXDTIzMDYxMTEyMTEyMVowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAE3WHJOZfpI6KZX6zlKRtCvY0VwHW/K8SWjDCuoq+C
+Vb7NnQ0Lpfb22Cihwjf0/ne78AcYGapZdt8/tdxlpQm+9qOCARQwggEQMAkGA1Ud
+EwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSpGHTyNt5Tfshldm2Oz0MlnHZ+
+aTB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9u
+Z1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB8GA1UdEQQYMBaBFGNhcm9sQHN0
+cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25n
+c3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIA
+7r9urYVPXwOUBU120HDb/0Z+ezMm8vFtGsrJPME9JdW7bdkb1IpWpSobn3Ua94Gm
+q7PtKPYbOoF6m4aAIhouWkwCQgChGMvdnRhLQiItMGybWY5mLOYemM9U3CjNLRSE
+gDIPWr67i05MwdofcT2hYPSFHAyeI7OfJikHrAfDcTok6kPA3A==
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 000000000..a1a86a222
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
+AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
+d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
+MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
+AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
+AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
+J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
+TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
+EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
+uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
+J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
+YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
+ihgk0RArH39otlUFPSbSE9bicCDy
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 62a62a463..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256!
- esp=aes128gcm16!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem
deleted file mode 100644
index 35b3df49a..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDDDCCAm2gAwIBAgIBDzAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMTAzMVoXDTIzMDYxMTEyMTAzMVowXjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDM4NCBiaXQxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
-PQIBBgUrgQQAIgNiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0ocoAfYUe/8KzxU5
-7Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3BQu8lofvwQQxQ
-rWnu3qzwqEfwb0iB2WyjggETMIIBDzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAd
-BgNVHQ4EFgQUDCdvv80iOq2pGsjrnNiQFP2RjnsweAYDVR0jBHEwb4AUul35cbYT
-tWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
-eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2
-onV+Iu+miTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1
-MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l
-Yy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIBMxGGwujqlwf+JFNXW/sbxZmynwzq
-duPikzCw0wIq+YhFYJVi2YWDz0Ikfn4WUvoiUIC/uSBAJAw/3E3SHO5I4Y8CQgF2
-d6Ct2ocQwMcz5O00i3BsuOjiHvL3VB3GGG8rfIXAqwUAy4jXQo0bMh2yD+5WwKmP
-GnRyvRuhwRkbBIGt6l1mbA==
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem
deleted file mode 100644
index c32137ef9..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBDjBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIfDUTNLH0pIECAggA
-MB0GCWCGSAFlAwQBFgQQJkz6Ue4pqL1cy6jxNoXBMQSBwMn8dxyRJjcjbPvy6v7r
-Zdn7Nb69xYhkH2n+8DY8vfutsh9g84HbzzBLhpl1MJZXq8xwxS1AQUYNJqoIrd9s
-4j8IkGZX935I2FBABzN4JEdY2h1zX3VJxU0XgDLEPYYJUUY0PTQ+5P1ooYyDg73t
-lAUw2eKPl9sgdX2f+5gTLVJZMFkWJsCFkCHFRdLaFdsaXcoB8TI0UWYSK1yJD+6K
-XbCMqK/jV/jckXtwCMIG8/DSxnObFu2PEUGjzMSAVUvCWQ==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 56f6e6365..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA daveKey.pem "OJlNZBx+80dLh4wC6fw5LmBd"
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf
index a2b5acb79..a322670f4 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = pem pkcs1 pkcs8 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/pkcs8/daveKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/pkcs8/daveKey.pem
new file mode 100644
index 000000000..c32137ef9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/pkcs8/daveKey.pem
@@ -0,0 +1,8 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBDjBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIfDUTNLH0pIECAggA
+MB0GCWCGSAFlAwQBFgQQJkz6Ue4pqL1cy6jxNoXBMQSBwMn8dxyRJjcjbPvy6v7r
+Zdn7Nb69xYhkH2n+8DY8vfutsh9g84HbzzBLhpl1MJZXq8xwxS1AQUYNJqoIrd9s
+4j8IkGZX935I2FBABzN4JEdY2h1zX3VJxU0XgDLEPYYJUUY0PTQ+5P1ooYyDg73t
+lAUw2eKPl9sgdX2f+5gTLVJZMFkWJsCFkCHFRdLaFdsaXcoB8TI0UWYSK1yJD+6K
+XbCMqK/jV/jckXtwCMIG8/DSxnObFu2PEUGjzMSAVUvCWQ==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..8557928c2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm16-ecp384
+ }
+ }
+ version = 2
+ proposals = aes256-sha384-ecp384
+ }
+}
+
+
+secrets {
+
+ pkcs8-dave {
+ file = daveKey.pem
+ secret = "OJlNZBx+80dLh4wC6fw5LmBd"
+ }
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509/daveCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509/daveCert.pem
new file mode 100644
index 000000000..35b3df49a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509/daveCert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDDCCAm2gAwIBAgIBDzAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTE4MDYxMzEyMTAzMVoXDTIzMDYxMTEyMTAzMVowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0ocoAfYUe/8KzxU5
+7Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3BQu8lofvwQQxQ
+rWnu3qzwqEfwb0iB2WyjggETMIIBDzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAd
+BgNVHQ4EFgQUDCdvv80iOq2pGsjrnNiQFP2RjnsweAYDVR0jBHEwb4AUul35cbYT
+tWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
+eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2
+onV+Iu+miTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1
+MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l
+Yy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIBMxGGwujqlwf+JFNXW/sbxZmynwzq
+duPikzCw0wIq+YhFYJVi2YWDz0Ikfn4WUvoiUIC/uSBAJAw/3E3SHO5I4Y8CQgF2
+d6Ct2ocQwMcz5O00i3BsuOjiHvL3VB3GGG8rfIXAqwUAy4jXQo0bMh2yD+5WwKmP
+GnRyvRuhwRkbBIGt6l1mbA==
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 000000000..a1a86a222
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
+AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
+d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
+MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
+AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
+AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
+J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
+TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
+EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
+uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
+J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
+YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
+ihgk0RArH39otlUFPSbSE9bicCDy
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index c5e5e61b0..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes128-sha256-ecp256!
- esp=aes128gcm16!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index a1a86a222..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI
-MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE
-AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG
-AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE
-J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb
-TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd
-uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E
-J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd
-YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA
-ihgk0RArH39otlUFPSbSE9bicCDy
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem
deleted file mode 100644
index a4962286e..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDMTCCApOgAwIBAgIBDjAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMDQ0M1oXDTIzMDYxMTEyMDQ0M1owXjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDUyMSBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwgZswEAYHKoZI
-zj0CAQYFK4EEACMDgYYABADF8xmbPu/a05BVtNnZflimozXZgYi+Md7hKREzL7qr
-dvtRwbyvki3XNo7zzc1HF/FcYyLJ7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcx
-JTF74PtzYGKaMWCP+YN52u3tGaOdlvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPu
-M2HRBKOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRl
-8cuEZmUGoBIWQeXSYzWq/7ou4jB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB
-7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB4G
-A1UdEQQXMBWCE21vb24uc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYr
-aHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAKBggq
-hkjOPQQDAgOBiwAwgYcCQgDtARCWbIy+tdsD9EYw/oTxfrnsWP0fw1/3UKXjSAlT
-tZfJfE743Y7Zl2vqmRIeohQBYY09reTOFnUfYx/jONsTUQJBSB7w+z/CcTCQGIV8
-ISaaeAskxcg/+h87ha+5ZOkHoJDeJTqaatHu3dVx8OepEiQS0TSB9FNxj9g/9bYN
-Vjo6NkA=
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem
deleted file mode 100644
index 24f07b5d7..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIAtiNgtSnZ9gKIXkKvb8f1J+ubRkBssvOaHYjv7RMvVOqw5kQGb11B
-qXHVf2Qt25/1DccijDu27YQJQLVTY0k5elSgBwYFK4EEACOhgYkDgYYABADF8xmb
-Pu/a05BVtNnZflimozXZgYi+Md7hKREzL7qrdvtRwbyvki3XNo7zzc1HF/FcYyLJ
-7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcxJTF74PtzYGKaMWCP+YN52u3tGaOd
-lvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPuM2HRBA==
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ef3eccb5..000000000
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf
index a2b5acb79..a322670f4 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = pem pkcs1 pkcs8 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/ecdsa/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/ecdsa/moonKey.pem
new file mode 100644
index 000000000..24f07b5d7
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/ecdsa/moonKey.pem
@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIAtiNgtSnZ9gKIXkKvb8f1J+ubRkBssvOaHYjv7RMvVOqw5kQGb11B
+qXHVf2Qt25/1DccijDu27YQJQLVTY0k5elSgBwYFK4EEACOhgYkDgYYABADF8xmb
+Pu/a05BVtNnZflimozXZgYi+Md7hKREzL7qrdvtRwbyvki3XNo7zzc1HF/FcYyLJ
+7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcxJTF74PtzYGKaMWCP+YN52u3tGaOd
+lvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPuM2HRBA==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0d99a8189
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm16-aes128gcm16-ecp384-ecp256
+ }
+ }
+ version = 2
+ proposals = aes256-aes128-sha384-sha256-ecp384-ecp256
+ }
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509/moonCert.pem
new file mode 100644
index 000000000..a4962286e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509/moonCert.pem
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMTCCApOgAwIBAgIBDjAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG +A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS +b290IENBMB4XDTE4MDYxMzEyMDQ0M1oXDTIzMDYxMTEyMDQ0M1owXjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB +IDUyMSBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwgZswEAYHKoZI +zj0CAQYFK4EEACMDgYYABADF8xmbPu/a05BVtNnZflimozXZgYi+Md7hKREzL7qr +dvtRwbyvki3XNo7zzc1HF/FcYyLJ7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcx +JTF74PtzYGKaMWCP+YN52u3tGaOdlvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPu +M2HRBKOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRl +8cuEZmUGoBIWQeXSYzWq/7ou4jB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB +7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB4G +A1UdEQQXMBWCE21vb24uc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYr +aHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAKBggq +hkjOPQQDAgOBiwAwgYcCQgDtARCWbIy+tdsD9EYw/oTxfrnsWP0fw1/3UKXjSAlT +tZfJfE743Y7Zl2vqmRIeohQBYY09reTOFnUfYx/jONsTUQJBSB7w+z/CcTCQGIV8 +ISaaeAskxcg/+h87ha+5ZOkHoJDeJTqaatHu3dVx8OepEiQS0TSB9FNxj9g/9bYN +Vjo6NkA= +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..a1a86a222 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT +AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT +d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI +MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE +AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG +AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE +J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb +TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud +EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd +uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E +J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd +YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA +ihgk0RArH39otlUFPSbSE9bicCDy +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat index 1865a1c60..ff2860e45 100644 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat @@ -1,6 +1,11 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +carol::rm /etc/swanctl/pkcs8/carolKey.pem +dave::rm /etc/swanctl/pkcs8/daveKey.pem +moon::rm /etc/swanctl/ecdsa/moonKey.pem moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat index e87a8ee47..c86fdede5 100644 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat 
@@ -1,11 +1,14 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +carol::rm /etc/swanctl/rsa/carolKey.pem +dave::rm /etc/swanctl/rsa/daveKey.pem +moon::rm /etc/swanctl/rsa/moonKey.pem +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf index f29298850..1227b9d1c 100644 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt b/testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt deleted file mode 100644 index bd680b57a..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt +++ /dev/null @@ -1,6 +0,0 @@ -A connection between the subnets behind the gateways moon and sun is set up. -The authentication is based on OpenPGP V3 keys. Upon the successful -establishment of the IPsec tunnel, leftfirewall=yes automatically -inserts iptables-based firewall rules that let pass the tunneled traffic. -In order to test both tunnel and firewall, client alice behind gateway moon -pings client bob located behind gateway sun. diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat deleted file mode 100644 index 468c5f7ee..000000000 
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat +++ /dev/null @@ -1,7 +0,0 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed.*sun ::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun .*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES -sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES -sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf deleted file mode 100644 index fcb9d839f..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-modp3072! - esp=aes128gcm16! - mobike=no - -conn net-net - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftcert=moonCert.asc - leftid=@#71270432cd763a18020ac988c0e75aed - leftfirewall=yes - right=PH_IP_SUN - rightsubnet=10.2.0.0/16 - rightcert=sunCert.asc - auto=add diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc deleted file mode 100644 index 135cfaec0..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc +++ /dev/null 
@@ -1,15 +0,0 @@ -Type Bits/KeyID Date User ID -pub 1024/613A3B61 2005/08/07 moon - ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: 2.6.3i - -mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61 -+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9 -RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR -tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB -vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1 -f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac -t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP -=oaBj ------END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc deleted file mode 100644 index 32f204b10..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc +++ /dev/null @@ -1,15 +0,0 @@ -Type Bits/KeyID Date User ID -pub 1024/79949ADD 2005/08/07 sun - ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: 2.6.3i - -mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ -rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7 -I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR -tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR -A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj -0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn -lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ== -=lLvB ------END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc deleted file mode 100644 index 6524773e0..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc +++ /dev/null 
@@ -1,19 +0,0 @@ -Type Bits/KeyID Date User ID -sec 1024/613A3B61 2005/08/07 moon - ------BEGIN PGP SECRET KEY BLOCK----- -Version: 2.6.3i - -lQHYA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61 -+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9 -RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR -AAP9Fj7OaaCfTL3Met8yuS8ZGMDL/fq+4f2bM+OdPSgD4N1Fiye0B1QMCVGWI1Xd -JXS0+9QI0A3iD12YAnYwsP50KmsLHA69AqchN7BuimoMfHDXqpTSRW57E9MCEzQ9 -FFN8mVPRiDxAUro8qCjdHmk1vmtdt/PXn1BuXHE36SzZmmMCANBA4WHaO6MJshM6 -7StRicSCxoMn/lPcj6rfJS4EaS+a0MwECxKQ3HKTpP3/+7kaWfLI/D65Xmi3cVK3 -0CPwUK8CAP2RYWoBZPSA8dBGFYwR7W6bdNYhdmGmsVCaM7v4sVr0FwHwMERadByN -8v0n5As3ZbrCURRp68wuE+JjfOM5mO8CAM3ZK7AVlBOqkoI3X3Ji3yviLlsr2ET7 -QrVKFQBq7eUhwYFo6mVemEqQb61tGirq+qL4Wfk/7+FffZPsUyLX1amfjLQabW9v -biA8bW9vbi5zdHJvbmdzd2FuLm9yZz4= -=YFQm ------END PGP SECRET KEY BLOCK----- diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index afb1ff927..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.asc diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf deleted file mode 100644 index aea93d234..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = openssl pem pkcs1 pgp random nonce stroke kernel-netlink socket-default updown -} - diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 91d6ef5d8..000000000 
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-modp3072! - esp=aes128gcm16! - mobike=no - -conn net-net - left=PH_IP_SUN - leftsubnet=10.2.0.0/16 - leftcert=sunCert.asc - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightcert=moonCert.asc - rightid=@#71270432cd763a18020ac988c0e75aed - auto=add diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc deleted file mode 100644 index 135cfaec0..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc +++ /dev/null @@ -1,15 +0,0 @@ -Type Bits/KeyID Date User ID -pub 1024/613A3B61 2005/08/07 moon - ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: 2.6.3i - -mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61 -+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9 -RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR -tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB -vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1 -f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac -t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP -=oaBj ------END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc deleted file mode 100644 index 32f204b10..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc +++ /dev/null 
@@ -1,15 +0,0 @@ -Type Bits/KeyID Date User ID -pub 1024/79949ADD 2005/08/07 sun - ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: 2.6.3i - -mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ -rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7 -I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR -tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR -A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj -0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn -lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ== -=lLvB ------END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc deleted file mode 100644 index de2393649..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc +++ /dev/null @@ -1,19 +0,0 @@ -Type Bits/KeyID Date User ID -sec 1024/79949ADD 2005/08/07 sun - ------BEGIN PGP SECRET KEY BLOCK----- -Version: 2.6.3i - -lQHYA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ -rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7 -I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR -AAP8DHxBOQ7UeiO6cutdGSLfy6nxGf/eRR8d3dNLFKpRfy9IQxPN/yQHb8pzSQUI -Pqi3V4PcJUJQJIMNqzzgyTyey/OdTc+IFngywRGKQowyD7vY+urVbcEDHe+sRTL1 -GvrsQGMZoXNDimABHn5NbT6Pc06xQ9rNvpCSyHMyzcylpk0CANqf96aEaryGJozg -vSN5GlS77rPJ9Y9mU2EJs1+0BlMcb7Sy4HN2RRc/V56ZmlW2m3UbGwPqG8R9XQQ2 -LO03bTcCAPiJbTcRdA/YnZExbZPgEnV5nq8tVXTc7bz1Sw7ZWRef0iZyIQEXbwLn -2Z2EJik9bQpkcVJSBV17cH7Av/VdIosCAKJPVoBETiVzWejIpGHHqbnmZC8P9rUs -xAXZbNukbL3YElLeopNMyddTi6kf45/m0sb7fr7rzW/OJ7WP8mDrGPec4rQYc3Vu -IDxzdW4uc3Ryb25nc3dhbi5vcmc+ -=DwEu ------END PGP SECRET KEY BLOCK----- 
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets deleted file mode 100644 index ee98b1611..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA sunKey.asc diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf deleted file mode 100644 index aea93d234..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = openssl pem pkcs1 pgp random nonce stroke kernel-netlink socket-default updown -} - diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat deleted file mode 100644 index 9a9513dc3..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::ipsec stop -sun::ipsec stop -moon::iptables-restore < /etc/iptables.flush -sun::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/certs/* -moon::rm /etc/ipsec.d/private/* -sun::rm /etc/ipsec.d/certs/* -sun::rm /etc/ipsec.d/private/* diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat deleted file mode 100644 index 969c42337..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat +++ /dev/null @@ -1,9 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -sun::iptables-restore < /etc/iptables.rules -moon::rm /etc/ipsec.d/cacerts/* -sun::rm /etc/ipsec.d/cacerts/* -moon::ipsec start -sun::ipsec start -moon::expect-connection net-net -sun::expect-connection net-net -moon::ipsec up net-net 
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf deleted file mode 100644 index afa2accbe..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-m-w-s-b.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="sun" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon sun" diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt b/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt index e66ea1918..1d40e30f0 100644 --- a/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt +++ b/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt @@ -2,7 +2,7 @@ A connection between the subnets behind the gateways moon and sun The authentication is based on X.509 certificates and an RSA private key stored in PKCS12 format.

-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, leftfirewall=yes
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, client alice behind gateway moon
 pings client bob located behind gateway sun.
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat
index fe4aa5ab1..bfc7e76f1 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat
@@ -1,7 +1,5 @@ -moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 195710a7f..000000000 --- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf +++ /dev/null 
@@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-modp3072! - esp=aes128gcm16! - mobike=no - -conn net-net - left=PH_IP_MOON - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=PH_IP_SUN - rightid=@sun.strongswan.org - rightsubnet=10.2.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12 b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12 deleted file mode 100644 index 365da741f..000000000 Binary files a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12 and /dev/null differ diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 802cfc681..000000000 --- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: P12 moonCert.p12 "kUqd8O7mzbjXNJKQ" diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf index 2448837f3..a8ed13448 100644 --- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem nonce revocation openssl curl stroke kernel-netlink socket-default updown + load = pem nonce revocation openssl curl vici kernel-netlink socket-default updown multiple_authentication = no } 
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12 b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12 new file mode 100644 index 000000000..365da741f Binary files /dev/null and b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12 differ diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..b11cf0f3e --- /dev/null +++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,36 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + pkcs12-moon { + file = moonCert.p12 + secret = "kUqd8O7mzbjXNJKQ" + } +} diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 292fbeeb6..000000000 --- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-modp3072! - esp=aes128gcm16! - mobike=no - -conn net-net - left=PH_IP_SUN - leftid=@sun.strongswan.org - leftsubnet=10.2.0.0/16 - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add 
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12 b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12 deleted file mode 100644 index e2cd2f21d..000000000 Binary files a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12 and /dev/null differ diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets deleted file mode 100644 index 3dc85528c..000000000 --- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets +++ /dev/null @@ -1,8 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: P12 sunCert.p12 "IxjQVCF3JGI+MoPi" - - - - - diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf index 2448837f3..a8ed13448 100644 --- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem nonce revocation openssl curl stroke kernel-netlink socket-default updown + load = pem nonce revocation openssl curl vici kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12 b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12 new file mode 100644 index 000000000..e2cd2f21d Binary files /dev/null and b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12 differ diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..28c0e87a4 --- /dev/null 
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,36 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + pkcs12-sun { + file = sunCert.p12 + secret = "IxjQVCF3JGI+MoPi" + } +} diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat index 0fbba487c..9802f442d 100644 --- a/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat +++ b/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/private/moonCert.p12 -sun::rm /etc/ipsec.d/private/sunCert.p12 +moon::rm /etc/swanctl/pkcs12/moonCert.p12 +sun::rm /etc/swanctl/pkcs12/sunCert.p12 diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat index 47e6d8604..22ffcf949 100644 --- a/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat +++ b/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat 
@@ -1,11 +1,9 @@ -moon::rm /etc/ipsec.d/private/moonKey.pem -moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem -sun::rm /etc/ipsec.d/private/sunKey.pem -sun::rm /etc/ipsec.d/cacerts/strongswanCert.pem +moon::cd /etc/swanctl; rm rsa/moonKey.pem x509/moonCert.pem x509ca/strongswanCert.pem +sun::cd /etc/swanctl; rm rsa/sunKey.pem x509/sunCert.pem x509ca/strongswanCert.pem moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::ipsec start -sun::ipsec start -moon::expect-connection net-net -sun::expect-connection net-net -moon::ipsec up net-net +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf index 646b8b3e6..87abc763b 100644 --- a/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf +++ b/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf @@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" - + # Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/openssl-ikev2/rw-cert/description.txt b/testing/tests/openssl-ikev2/rw-cert/description.txt index b16faad06..ca738a1d4 100644 --- a/testing/tests/openssl-ikev2/rw-cert/description.txt +++ b/testing/tests/openssl-ikev2/rw-cert/description.txt @@ -1,11 +1,12 @@ The roadwarrior carol and the gateway moon use the openssl plugin based on the OpenSSL library for all cryptographical and X.509 certificate functions whereas roadwarrior dave uses the default strongSwan cryptographical -plugins aes des sha1 sha2 md5 gmp and x509. -
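Review bot: The two cleanup lines `moon::cd /etc/swanctl; rm rsa/moonKey.pem x509/moonCert.pem x509ca/strongswanCert.pem` and the matching `sun::` line chain with `;`, so if the `cd` fails the `rm` runs against relative paths in whatever the working directory happens to be and the pre-existing RSA key and certificates stay in place, silently changing what the PKCS#12 test actually exercises. Chaining with `&&` (`moon::cd /etc/swanctl && rm rsa/moonKey.pem x509/moonCert.pem x509ca/strongswanCert.pem`) makes that failure visible instead. The ecdsa-pkcs8 pretest.dat in this same patch uses one `rm` with an absolute path per line, which would also be the more consistent form.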

-The roadwarriors carol and dave set up a connection each +plugins aes des sha1 sha2 hmac gmp and x509. +

+The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. -Upon the successful establishment of the IPsec tunnels, leftfirewall=yes +

+Upon the successful establishment of the IPsec tunnels, the updown script automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon. diff --git a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat index be78c5125..572a138a6 100644 --- a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat +++ b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat 
@@ -1,15 +1,10 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 
remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 213cd70fa..000000000
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=3des-sha1-modp1536!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 8197ea8b1..996be95f5 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown
+ load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm vici kernel-netlink socket-default updown
 integrity_test = yes
 crypto_test {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e8504addb
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = 3des-sha1-modp2048
+ }
+ }
+ version = 2
+ proposals = 3des-sha1-modp2048
+ }
+}
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 653316fde..000000000
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256-sha256-modp2048!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 058abcad7..f2b8046e0 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+ load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm vici kernel-netlink socket-default updown
 integrity_test = yes
 crypto_test {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..27c6f12ba
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-modp3072
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-modp3072
+ }
+}
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 16299b339..000000000
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256-sha256-modp2048,3des-sha1-modp1536!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 8197ea8b1..996be95f5 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown
+ load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm vici kernel-netlink socket-default updown
 integrity_test = yes
 crypto_test {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..aa8d6167a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-modp3072,3des-sha1-modp2048
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-modp3072,3des-sha1-modp2048
+ }
+}
diff --git a/testing/tests/openssl-ikev2/rw-cert/posttest.dat b/testing/tests/openssl-ikev2/rw-cert/posttest.dat
index 1865a1c60..b909ac76c 100644
--- a/testing/tests/openssl-ikev2/rw-cert/posttest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-cert/pretest.dat b/testing/tests/openssl-ikev2/rw-cert/pretest.dat
index 974c22530..61fc17ba2 100644
--- a/testing/tests/openssl-ikev2/rw-cert/pretest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/pretest.dat
@@ -1,12 +1,11 @@
-moon::iptables-restore < /etc/iptables.rules
+mmoon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-# moon runs crypto tests, so make sure it is ready
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/rw-cert/test.conf b/testing/tests/openssl-ikev2/rw-cert/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/rw-cert/test.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
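Review bot: The first added line of rw-cert/pretest.dat reads `+mmoon::iptables-restore < /etc/iptables.rules`, where the host prefix `mmoon::` looks like a typo for `moon::` (the removed line and the carol/dave lines right below it use the plain host name). As written, moon's iptables rules would presumably not be restored before the test, so the gateway would run the scenario without the firewall policy that the evaltest tcpdump and ping checks are meant to exercise, and how the harness treats an unknown host prefix (skip or abort) is not visible here. The line should be `moon::iptables-restore < /etc/iptables.rules`.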
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt b/testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt
deleted file mode 100644
index e25da6935..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-The roadwarrior carol sets up a connection to gateway moon.
-The strong mutual authentication of both peers is based on EAP-TLS only
-(without a separate IKEv2 authentication), using TLS client and server certificates,
-respectively. Elliptic curve cryptography is used by both the IKE and TLS
-protocols.
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
deleted file mode 100644
index 5b525ef06..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
-moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
-carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
-carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::YES
-carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index f3d7a807c..000000000
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-ecp256! - esp=aes128-sha256! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid="C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org" - rightauth=any - rightsubnet=10.1.0.0/16 - rightsendcert=never - auto=add diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- 
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem deleted file mode 100644 index 646f6e8e3..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC8TCCAlKgAwIBAgIBEDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTE4MDYxMzEyMTEyMVoXDTIzMDYxMTEyMTEyMVowXzELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDI1NiBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI -zj0CAQYIKoZIzj0DAQcDQgAE3WHJOZfpI6KZX6zlKRtCvY0VwHW/K8SWjDCuoq+C -Vb7NnQ0Lpfb22Cihwjf0/ne78AcYGapZdt8/tdxlpQm+9qOCARQwggEQMAkGA1Ud -EwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSpGHTyNt5Tfshldm2Oz0MlnHZ+ -aTB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9u -Z1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB8GA1UdEQQYMBaBFGNhcm9sQHN0 -cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25n -c3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIA -7r9urYVPXwOUBU120HDb/0Z+ezMm8vFtGsrJPME9JdW7bdkb1IpWpSobn3Ua94Gm -q7PtKPYbOoF6m4aAIhouWkwCQgChGMvdnRhLQiItMGybWY5mLOYemM9U3CjNLRSE -gDIPWr67i05MwdofcT2hYPSFHAyeI7OfJikHrAfDcTok6kPA3A== ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem deleted file mode 100644 index c277ba4f6..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ /dev/null 
@@ -1,8 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: AES-128-CBC,E62D0EE78FCCAD3B03EA4F93FEFD057C - -CppPKxfVWWaXK3iuFa27YOe/0lWsvzhYKShyq9XanpjuCkcmxKD97eAH1TKokasH -7ffgnKzbLloxJN6g0GMTPpfiRndeK36DyTwktkyt+h+LU1xooSmNnsaM41P0GaPB -71Y87B5E5DCmWQO0icQKbQPj66GNwxBh9S6a8OaxnkU= ------END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 4e53ef91a..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6" diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf deleted file mode 100644 index f5b116b3b..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = pem pkcs1 random nonce openssl curl revocation stroke kernel-netlink socket-default eap-tls updown - multiple_authentication=no - syslog { - daemon { - tls = 2 - } - } -} diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 2236a5f71..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf +++ /dev/null 
@@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-ecp256! - esp=aes128-sha256! - -conn rw-eap - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftcert=moonCert.pem - leftauth=eap-tls - leftfirewall=yes - rightauth=eap-tls - rightsendcert=never - right=%any - auto=add diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem deleted file mode 100644 index a4962286e..000000000 
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ /dev/null @@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDMTCCApOgAwIBAgIBDjAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTE4MDYxMzEyMDQ0M1oXDTIzMDYxMTEyMDQ0M1owXjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDUyMSBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwgZswEAYHKoZI -zj0CAQYFK4EEACMDgYYABADF8xmbPu/a05BVtNnZflimozXZgYi+Md7hKREzL7qr -dvtRwbyvki3XNo7zzc1HF/FcYyLJ7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcx -JTF74PtzYGKaMWCP+YN52u3tGaOdlvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPu -M2HRBKOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRl -8cuEZmUGoBIWQeXSYzWq/7ou4jB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB -7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 -YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB4G -A1UdEQQXMBWCE21vb24uc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYr -aHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAKBggq -hkjOPQQDAgOBiwAwgYcCQgDtARCWbIy+tdsD9EYw/oTxfrnsWP0fw1/3UKXjSAlT -tZfJfE743Y7Zl2vqmRIeohQBYY09reTOFnUfYx/jONsTUQJBSB7w+z/CcTCQGIV8 -ISaaeAskxcg/+h87ha+5ZOkHoJDeJTqaatHu3dVx8OepEiQS0TSB9FNxj9g/9bYN -Vjo6NkA= ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem deleted file mode 100644 index 24f07b5d7..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ /dev/null 
@@ -1,7 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MIHcAgEBBEIAtiNgtSnZ9gKIXkKvb8f1J+ubRkBssvOaHYjv7RMvVOqw5kQGb11B -qXHVf2Qt25/1DccijDu27YQJQLVTY0k5elSgBwYFK4EEACOhgYkDgYYABADF8xmb -Pu/a05BVtNnZflimozXZgYi+Md7hKREzL7qrdvtRwbyvki3XNo7zzc1HF/FcYyLJ -7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcxJTF74PtzYGKaMWCP+YN52u3tGaOd -lvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPuM2HRBA== ------END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 1ef3eccb5..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA moonKey.pem diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 4aa2068f4..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,15 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = pem pkcs1 random nonce openssl curl revocation stroke kernel-netlink socket-default eap-tls updown - multiple_authentication=no - syslog { - daemon { - tls = 2 - } - } -} - -libtls { - suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 -} diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat deleted file mode 100644 index 046d4cfdc..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush 
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat deleted file mode 100644 index 1578796a1..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat +++ /dev/null @@ -1,7 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -moon::expect-connection rw-eap -carol::expect-connection home -carol::ipsec up home diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf deleted file mode 100644 index 4a5fc470f..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt b/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt deleted file mode 100644 index 26e42c4b7..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt +++ /dev/null @@ -1,12 +0,0 @@ -The roadwarrior dave tries to set up a connection to roadwarrior carol -but because carol has set the strongswan.conf option initiator_only = yes -she ignores the repeated IKE requests sent by dave. -

-After the failed connection attempt by dave, roadwarrior carol sets up a -connection to gateway moon. The authentication is based on Suite B with 128 bit -security based on X.509 ECDSA certificates, ECP Diffie-Hellman groups and AES-GCM -authenticated encryption. -

-Upon the successful establishment of the IPsec tunnel, the static IPsec policy rules of -an iptables-based firewall let pass the tunneled traffic. In order to test both tunnel and firewall, -carol pings the client alice behind the gateway moon. diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat deleted file mode 100644 index b00c4cd40..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat +++ /dev/null @@ -1,11 +0,0 @@ -dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES -carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 61e13df41..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf +++ /dev/null 
@@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128gcm128-prfsha256-ecp256! - esp=aes128gcm128-ecp256! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem deleted file mode 100644 index 646f6e8e3..000000000 
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC8TCCAlKgAwIBAgIBEDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTE4MDYxMzEyMTEyMVoXDTIzMDYxMTEyMTEyMVowXzELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDI1NiBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI -zj0CAQYIKoZIzj0DAQcDQgAE3WHJOZfpI6KZX6zlKRtCvY0VwHW/K8SWjDCuoq+C -Vb7NnQ0Lpfb22Cihwjf0/ne78AcYGapZdt8/tdxlpQm+9qOCARQwggEQMAkGA1Ud -EwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSpGHTyNt5Tfshldm2Oz0MlnHZ+ -aTB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9u -Z1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB8GA1UdEQQYMBaBFGNhcm9sQHN0 -cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25n -c3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIA -7r9urYVPXwOUBU120HDb/0Z+ezMm8vFtGsrJPME9JdW7bdkb1IpWpSobn3Ua94Gm -q7PtKPYbOoF6m4aAIhouWkwCQgChGMvdnRhLQiItMGybWY5mLOYemM9U3CjNLRSE -gDIPWr67i05MwdofcT2hYPSFHAyeI7OfJikHrAfDcTok6kPA3A== ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem deleted file mode 100644 index c8c12c3b7..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN ENCRYPTED PRIVATE KEY----- -MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAgyh91hjqzCuAICCAAw -HQYJYIZIAWUDBAECBBBZwepsRENncvW5UJ/blAqmBIGQZdbHnD3PWEbUXZJPkbIK -VvJZkd2+k12IxdShMWwCeW93R+3nj+7T0NPAQqMbuqz51zgO+SuXDupUIKdLHKMy -vdasLrbA3fe7YFVlxQjB6fB69V059ifi61OCIO/KfC7Je4ff3TZVwJcUYpduPIkQ -BZAw46T0JtrXltFgxxGYnnTlzuYW6EDB3l6Fwb2zCyZm ------END ENCRYPTED PRIVATE KEY----- 
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 4e53ef91a..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6" diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush deleted file mode 100644 index b3ab63c51..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush +++ /dev/null @@ -1,21 +0,0 @@ -*filter - --F - --P INPUT ACCEPT --P OUTPUT ACCEPT --P FORWARD ACCEPT - -COMMIT - -*nat - --F - -COMMIT - -*mangle - --F - -COMMIT diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules deleted file mode 100644 index 3d99c0197..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules +++ /dev/null 
@@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT - -# allow traffic tunnelled via IPsec --A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT --A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT - -COMMIT diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf deleted file mode 100644 index d117a3001..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default - - initiator_only = yes - integrity_test = yes - - crypto_test { - required = yes - on_add = yes - } - - plugins { - openssl { - fips_mode = 2 - } - } -} diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 22fcb3eb5..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf +++ /dev/null 
@@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128gcm128-prfsha256-ecp256! - esp=aes128gcm128-ecp256! - -conn peer - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_CAROL - rightid=carol@strongswan.org - auto=add diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem deleted file mode 100644 index 0f6315794..000000000 
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC7TCCAlCgAwIBAgIBEjAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMzUyNFoXDTIzMDYxMTEyMzUyNFowXjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDI1NiBiaXQxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
-PQIBBggqhkjOPQMBBwNCAATRc+i666sxHVohZ/4ld8ffz2xoa+x9+7TzM689nczQ
-oZMs3+AJIjjNzdjvEe6kPHW73p51IdtlVF97Ib62hgQuo4IBEzCCAQ8wCQYDVR0T
-BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDA3QkktCD5ZvWeiepNeQPWpcKP8
-MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
-U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYDVR0RBBcwFYETZGF2ZUBzdHJv
-bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
-YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMCA4GKADCBhgJBOrfM
-xT0Cn1uXVvuS977ANQZwzAX4O9y5POFXBkDKLFPL9hgWg7jxhREkDRcvViovMmiM
-EAjoEZLD8SysfYrRZxcCQXtgWTfS2GAIDSQS1of1so/8Z/xZdfoIWxRoZ/xmH7jY
-Yt3wK6yGjziEbX9LGN4MkOwkJKjEkTwbTygv7Wt3arz/
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem
deleted file mode 100644
index a4041c5fa..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEICEAikut4YuFnv6vLE/7Lk+LmQ+ic35apftbhu2+TICQoAoGCCqGSM49
-AwEHoUQDQgAE0XPouuurMR1aIWf+JXfH389saGvsffu08zOvPZ3M0KGTLN/gCSI4
-zc3Y7xHupDx1u96edSHbZVRfeyG+toYELg==
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index ebd3a2839..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules
deleted file mode 100644
index 3d99c0197..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules
+++ /dev/null
@@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT - -# allow traffic tunnelled via IPsec --A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT --A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT - -COMMIT diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf deleted file mode 100644 index d117a3001..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default - - initiator_only = yes - integrity_test = yes - - crypto_test { - required = yes - on_add = yes - } - - plugins { - openssl { - fips_mode = 2 - } - } -} diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf deleted file mode 100644 index f7044e51d..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf +++ /dev/null 
@@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekey=no - reauth=no - keyexchange=ikev2 - ike=aes128gcm128-prfsha256-ecp256! - esp=aes128gcm128-ecp256! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem deleted file mode 100644 index 961c8bec8..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ /dev/null 
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC7jCCAlCgAwIBAgIBEzAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzE0MzEzMVoXDTIzMDYxMTE0MzEzMVowXjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDI1NiBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
-PQIBBggqhkjOPQMBBwNCAATCqc/Wov++N8wvG3IhsEAxa38bxoIBPQZeOqMyi/lV
-breEsOSJD/POV3gkt1lKOaQ502XdJcjdAvCqjtbpzCMWo4IBEzCCAQ8wCQYDVR0T
-BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFAtkayAwMYDQqnlKDRvm7HNCIxY8
-MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
-U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYDVR0RBBcwFYITbW9vbi5zdHJv
-bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
-YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMCA4GLADCBhwJBVnfl
-l9eV6R+jNdUCuz+yDdM7c1UpQ+Qy7rtXq50KZY7d1xJsTk152LxXIkO8EJnHmO4l
-s39RHlGXItWcYGffXIICQgCLB+R8QFnMcKlgpjrxsuO/Ljg1RcMav3y3zaHJJJLT
-eJBEL7RhDaPGcJ/hKU4TPwvSEIkswQaDnN+oAZiz/gFDUw==
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem
deleted file mode 100644
index c0a8c852b..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIG7fewqQ4RTIWsck4m9ftByXOl4X0va0RtYqdbiF9CAHoAoGCCqGSM49
-AwEHoUQDQgAEwqnP1qL/vjfMLxtyIbBAMWt/G8aCAT0GXjqjMov5VW63hLDkiQ/z
-zld4JLdZSjmkOdNl3SXI3QLwqo7W6cwjFg==
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ef3eccb5..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA moonKey.pem diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush deleted file mode 100644 index b3ab63c51..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush +++ /dev/null @@ -1,21 +0,0 @@ -*filter - --F - --P INPUT ACCEPT --P OUTPUT ACCEPT --P FORWARD ACCEPT - -COMMIT - -*nat - --F - -COMMIT - -*mangle - --F - -COMMIT diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules deleted file mode 100644 index cc12d1659..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules +++ /dev/null @@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT - -# allow traffic tunnelled via IPsec --A FORWARD -i eth0 -o eth1 -m policy --dir in --pol ipsec --proto esp -j ACCEPT --A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT - -COMMIT 
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf deleted file mode 100644 index feb5d79a6..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,18 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default - - integrity_test = yes - - crypto_test { - required = yes - on_add = yes - } - - plugins { - openssl { - fips_mode = 2 - } - } -} diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat deleted file mode 100644 index 1865a1c60..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush -dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat deleted file mode 100644 index 290f57e69..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat +++ /dev/null @@ -1,11 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start -moon::expect-connection rw -dave::expect-connection peer -dave::ipsec up peer -carol::expect-connection home -carol::ipsec up home diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/test.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/test.conf deleted file mode 100644 index f29298850..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/test.conf +++ /dev/null 
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt b/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt
deleted file mode 100644
index b8cb4fb8b..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-The roadwarrior dave tries to set up a connection to roadwarrior carol
-but because carol has set the strongswan.conf option initiator_only = yes
-she ignores the repeated IKE requests sent by dave.
-

-After the failed connection attempt by dave, roadwarrior carol sets up a -connection to gateway moon. The authentication is based on Suite B with 192 bit -security based on X.509 ECDSA certificates, ECP Diffie-Hellman groups and AES-GCM -authenticated encryption. -

-Upon the successful establishment of the IPsec tunnel, the static IPsec policy rules of
-an iptables-based firewall let pass the tunneled traffic. In order to test both tunnel and firewall,
-carol pings the client alice behind the gateway moon.
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat
deleted file mode 100644
index 3de5c94e0..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
-carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 14146ef01..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes256gcm128-prfsha384-ecp384! - esp=aes256gcm128-ecp384! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem deleted file mode 100644 index f3f4c6671..000000000 
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDDjCCAm+gAwIBAgIBETAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMzQzMloXDTIzMDYxMTEyMzQzMlowXzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDM4NCBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMHYwEAYHKoZI
-zj0CAQYFK4EEACIDYgAExm8lmoXGUfLL8xzhhQFmadz7SjPdubASbH9m+t7h30OV
-yo+NPmtve7uqrWzttyWfqR7tFSOLtP5joj8U9E580ilT/2MsjVQJpKOFpYaggPUK
-f+fhRwfQMUunyyAoIRSbo4IBFDCCARAwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gw
-HQYDVR0OBBYEFCQeIdu6skXTNWUg5w1Eb9HR1dU2MHgGA1UdIwRxMG+AFLpd+XG2
-E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu
-dXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA
-9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwPAYDVR0f
-BDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2Fu
-X2VjLmNybDAKBggqhkjOPQQDAgOBjAAwgYgCQgGptTrYfjcWM+P66K5W+sq1d4X6
-E0+I2lXRKRiku2vPjpTQZJim4k4pAJNC19R2CCJMBgqab1ROUUsHMMHBNcyR/gJC
-AN6S1J68o3UTQwAyN/zXW4ur8cxsPKV9uZYoz7O6Snz+eTliz/g8NPtfLYUseCii
-VoXhdWwKkiRd8Cjck+RJHVWh
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem
deleted file mode 100644
index 713942d7f..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBDjBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQI1OV1cAp5SZcCAggA
-MB0GCWCGSAFlAwQBFgQQ1SGtVnno2vKhkF+iPT6vygSBwFZQrciZs2FN8cDI0x9c
-3OFxbaRawXnagMlpYq/To268rDFtcKGBN7JxwBaFGJw4NFrU/sOu2NkhLuA/Jbaz
-w75aQ/MjTeOtwy2PS62J/+T1zqCdfpfCJYeYCc2CPd3E21FbsW0Mmfw1b8vZ2YeS
-lsd9jvY/bob4tH68J1ZqErOLaCU0EXPgqlZiLhcDIwfZJDqrZ5xFHk3mcjB6Pc4O
-TWwJN+elQoxd29HSASw9plO2p1DRDpSZPTU67UDXDOWfJA==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 4e53ef91a..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules
deleted file mode 100644
index 3d99c0197..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules
+++ /dev/null
@@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT - -# allow traffic tunnelled via IPsec --A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT --A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT - -COMMIT diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf deleted file mode 100644 index d117a3001..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default - - initiator_only = yes - integrity_test = yes - - crypto_test { - required = yes - on_add = yes - } - - plugins { - openssl { - fips_mode = 2 - } - } -} diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf deleted file mode 100644 index b81e9b277..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf +++ /dev/null 
@@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes256gcm128-prfsha384-ecp384! - esp=aes256gcm128-ecp384! - -conn peer - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_CAROL - rightid=carol@strongswan.org - auto=add diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem deleted file mode 100644 index 35b3df49a..000000000 
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDDDCCAm2gAwIBAgIBDzAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
-b290IENBMB4XDTE4MDYxMzEyMTAzMVoXDTIzMDYxMTEyMTAzMVowXjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
-IDM4NCBiaXQxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
-PQIBBgUrgQQAIgNiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0ocoAfYUe/8KzxU5
-7Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3BQu8lofvwQQxQ
-rWnu3qzwqEfwb0iB2WyjggETMIIBDzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAd
-BgNVHQ4EFgQUDCdvv80iOq2pGsjrnNiQFP2RjnsweAYDVR0jBHEwb4AUul35cbYT
-tWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
-eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2
-onV+Iu+miTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1
-MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l
-Yy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIBMxGGwujqlwf+JFNXW/sbxZmynwzq
-duPikzCw0wIq+YhFYJVi2YWDz0Ikfn4WUvoiUIC/uSBAJAw/3E3SHO5I4Y8CQgF2
-d6Ct2ocQwMcz5O00i3BsuOjiHvL3VB3GGG8rfIXAqwUAy4jXQo0bMh2yD+5WwKmP
-GnRyvRuhwRkbBIGt6l1mbA==
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem
deleted file mode 100644
index 40a76935e..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDBz89+bQmsMHvfaCsI0N1bInZ+oxA9JZHZrAAkHGHaWFUQZFXBMB88n
-2+6S2JvUbcygBwYFK4EEACKhZANiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0oco
-AfYUe/8KzxU57Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3B
-Qu8lofvwQQxQrWnu3qzwqEfwb0iB2Ww=
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index ebd3a2839..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush
deleted file mode 100644
index b3ab63c51..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush
+++ /dev/null
@@ -1,21 +0,0 @@
-*filter
-
--F
-
--P INPUT ACCEPT
--P OUTPUT ACCEPT
--P FORWARD ACCEPT
-
-COMMIT
-
-*nat
-
--F
-
-COMMIT
-
-*mangle
-
--F
-
-COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules
deleted file mode 100644
index 3d99c0197..000000000
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules
+++ /dev/null
@@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT - -# allow traffic tunnelled via IPsec --A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT --A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT - -COMMIT diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf deleted file mode 100644 index d117a3001..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default - - initiator_only = yes - integrity_test = yes - - crypto_test { - required = yes - on_add = yes - } - - plugins { - openssl { - fips_mode = 2 - } - } -} diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf deleted file mode 100644 index f37dae945..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf +++ /dev/null 
@@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekey=no - reauth=no - keyexchange=ikev2 - ike=aes256gcm128-prfsha384-ecp384! - esp=aes256gcm128-ecp384! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem deleted file mode 100644 index a71ffdca1..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ /dev/null 
@@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDCzCCAm2gAwIBAgIBFDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTE4MDYxMzE0MzE1MVoXDTIzMDYxMTE0MzE1MVowXjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDM4NCBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO -PQIBBgUrgQQAIgNiAAQBXgnLJrtT2zS6BEj4WBRskabmIw8TVo3Q4+MyOBab2jzM -AVE44VFjo/ihd1YCeTs8KyZY+w8XPnCqm+z+Z9NeU2tN5wLlVYSBwyYzL9+Nhnam -F6qMSaPBnIE2CK2hgqGjggETMIIBDzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAd -BgNVHQ4EFgQUT4FEmRbCvjxKsXqruiQgzC50pj0weAYDVR0jBHEwb4AUul35cbYT -tWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 -eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2 -onV+Iu+miTAeBgNVHREEFzAVghNtb29uLnN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1 -MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l -Yy5jcmwwCgYIKoZIzj0EAwIDgYsAMIGHAkIAhHCvrcHfCJbPcNDdyT4x3F3V2wq7 -96TzcVzlLJ+zSxr3Xo3eqOZaxAlnnoI4aQIukZ0RXzSCebDrOL9+k+5uRakCQU9k -W5MphqYKOys+lQmpKBEnzZlM1QvFfUUiXwoxN8Ilc9c0nSVXKl9m/uPgP7GZjvaE -J4juvRKmi2nMoxWIJtMt ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem deleted file mode 100644 index ba7520f6c..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ /dev/null @@ -1,6 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MIGkAgEBBDDuG7KDU5nek/TFvZQIxg89wevYYa1/EDyQHLFanmbK1DTx07Wv9D/b -BL5sHWEPNMGgBwYFK4EEACKhZANiAAQBXgnLJrtT2zS6BEj4WBRskabmIw8TVo3Q -4+MyOBab2jzMAVE44VFjo/ihd1YCeTs8KyZY+w8XPnCqm+z+Z9NeU2tN5wLlVYSB -wyYzL9+NhnamF6qMSaPBnIE2CK2hgqE= ------END EC PRIVATE KEY----- 
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 1ef3eccb5..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA moonKey.pem diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush deleted file mode 100644 index b3ab63c51..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush +++ /dev/null @@ -1,21 +0,0 @@ -*filter - --F - --P INPUT ACCEPT --P OUTPUT ACCEPT --P FORWARD ACCEPT - -COMMIT - -*nat - --F - -COMMIT - -*mangle - --F - -COMMIT diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules deleted file mode 100644 index cc12d1659..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules +++ /dev/null 
@@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT - -# allow traffic tunnelled via IPsec --A FORWARD -i eth0 -o eth1 -m policy --dir in --pol ipsec --proto esp -j ACCEPT --A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT - -COMMIT diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf deleted file mode 100644 index feb5d79a6..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,18 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default - - integrity_test = yes - - crypto_test { - required = yes - on_add = yes - } - - plugins { - openssl { - fips_mode = 2 - } - } -} diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat deleted file mode 100644 index 1865a1c60..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat +++ /dev/null 
@@ -1,6 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush -dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat deleted file mode 100644 index 290f57e69..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat +++ /dev/null @@ -1,11 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start -moon::expect-connection rw -dave::expect-connection peer -dave::ipsec up peer -carol::expect-connection home -carol::ipsec up home diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/test.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/test.conf deleted file mode 100644 index f29298850..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat index 6e427b265..a067f6ded 100644 --- a/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat +++ b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat 
@@ -2,8 +2,8 @@ carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_DAVE local-port=4500 local-id=dave@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16]::YES moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*remote-vips=\[fec3:\:1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:1/128]::YES moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_DAVE remote-port=4500 remote-id=dave@strongswan.org.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128]::YES -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/sql/rw-psk-ipv6/evaltest.dat b/testing/tests/sql/rw-psk-ipv6/evaltest.dat index 63c8b6414..c483dec2b 100644 
--- a/testing/tests/sql/rw-psk-ipv6/evaltest.dat +++ b/testing/tests/sql/rw-psk-ipv6/evaltest.dat @@ -1,5 +1,5 @@ -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=fec0:\:10 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=fec0:\:20 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=fec0:\:1 remote-host=fec0:\:10 remote-port=4500 remote-id=fec0:\:10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES 
diff --git a/testing/tests/swanctl/config-payload/evaltest.dat b/testing/tests/swanctl/config-payload/evaltest.dat
index de62af271..1cc8d8240 100755
--- a/testing/tests/swanctl/config-payload/evaltest.dat
+++ b/testing/tests/swanctl/config-payload/evaltest.dat
@@ -1,7 +1,7 @@ -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES -dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES +carol::swanctl 
--list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 
encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf deleted file mode 100644 index 0340d5669..000000000 --- a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf +++ /dev/null @@ -1,9 +0,0 @@ -subnet 10.1.0.0 netmask 255.255.0.0 { - option routers 10.1.0.1; - option broadcast-address 10.1.255.255; - option domain-name servers PH_IP_WINNETOU PH_IP_VENUS - option netbios-name-servers PH_IP_VENUS; - - # dynamic address pool for visitors - range 10.1.0.30 10.1.0.50; -} diff --git a/testing/tests/swanctl/frags-ipv6/evaltest.dat b/testing/tests/swanctl/frags-ipv6/evaltest.dat index f7af441a4..61c94618b 100755 --- a/testing/tests/swanctl/frags-ipv6/evaltest.dat +++ b/testing/tests/swanctl/frags-ipv6/evaltest.dat 
@@ -11,8 +11,8 @@ carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:20 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES -alice::ping6 -c 1 ip6-carol.strongswan.org::64 bytes from ip6-carol.strongswan.org: icmp_seq=1::YES -alice::ping6 -c 1 ip6-dave.strongswan.org::64 bytes from ip6-dave.strongswan.org: icmp_seq=1::YES +alice::ping6 -c 1 ip6-carol.strongswan.org::64 bytes from ip6-carol.strongswan.org.*: icmp_seq=1::YES +alice::ping6 -c 1 ip6-dave.strongswan.org::64 bytes from ip6-dave.strongswan.org.*: 
icmp_seq=1::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/host2host-cert/description.txt b/testing/tests/swanctl/host2host-cert/description.txt new file mode 100755 index 000000000..8f7e6e9f4 --- /dev/null +++ b/testing/tests/swanctl/host2host-cert/description.txt @@ -0,0 +1,6 @@ +A connection between the hosts moon and sun is successfully set up. +The authentication is based on X.509 certificates. +

+Upon the successful establishment of the IPsec tunnel, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test the host-to-host tunnel moon pings sun. diff --git a/testing/tests/swanctl/host2host-cert/evaltest.dat b/testing/tests/swanctl/host2host-cert/evaltest.dat new file mode 100755 index 000000000..29cd8bfbd --- /dev/null +++ b/testing/tests/swanctl/host2host-cert/evaltest.dat @@ -0,0 +1,6 @@ + +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/host2host-cert/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/swanctl/host2host-cert/hosts/moon/etc/strongswan.conf 
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..42176e76d
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+ host-host {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/host2host-cert/hosts/sun/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..eeaaeab1d
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+ host-host {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/host2host-cert/posttest.dat b/testing/tests/swanctl/host2host-cert/posttest.dat
new file mode 100755
index 000000000..3d7248cc8
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/posttest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --terminate --ike host-host 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/host2host-cert/pretest.dat b/testing/tests/swanctl/host2host-cert/pretest.dat
new file mode 100755
index 000000000..b42dce654
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection host-host
+sun::expect-connection host-hhost
+moon::swanctl --initiate --child host-host 2> /dev/null
diff --git a/testing/tests/swanctl/host2host-cert/test.conf b/testing/tests/swanctl/host2host-cert/test.conf
new file mode 100755
index 000000000..52d886dcc
--- /dev/null
+++ b/testing/tests/swanctl/host2host-cert/test.conf
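Review bot: `sun::expect-connection host-hhost` in host2host-cert/pretest.dat names a connection that is never defined; sun's swanctl.conf in this same commit declares it as `host-host`, so the line should read `sun::expect-connection host-host`. The identical typo appears in testing/tests/swanctl/host2host-transport/pretest.dat (the file is added with the same blob id). As written, the responder-side wait presumably never sees the expected connection and either stalls or fails the run before `moon::swanctl --initiate` is reached, instead of confirming that sun has loaded the responder configuration.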
@@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/host2host-transport/description.txt b/testing/tests/swanctl/host2host-transport/description.txt new file mode 100755 index 000000000..bc5a1299b --- /dev/null +++ b/testing/tests/swanctl/host2host-transport/description.txt @@ -0,0 +1,6 @@ +An IPsec transport-mode connection between the hosts moon and sun +is successfully set up. The authentication is based on X.509 certificates. +

+Upon the successful establishment of the IPsec connection, the updown script automatically +inserts iptables-based firewall rules that let pass the protected traffic. +In order to test the host-to-host tunnel moon pings sun. diff --git a/testing/tests/swanctl/host2host-transport/evaltest.dat b/testing/tests/swanctl/host2host-transport/evaltest.dat new file mode 100755 index 000000000..8b103d087 --- /dev/null +++ b/testing/tests/swanctl/host2host-transport/evaltest.dat @@ -0,0 +1,6 @@ + +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/host2host-transport/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/swanctl/host2host-transport/hosts/moon/etc/strongswan.conf 
@@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/swanctl/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..c1e33eca3 --- /dev/null +++ b/testing/tests/swanctl/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,31 @@ +connections { + + host-host { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + host-host { + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-x25519 + mode = transport + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/host2host-transport/hosts/sun/etc/strongswan.conf new file mode 100755 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/swanctl/host2host-transport/hosts/sun/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} 
diff --git a/testing/tests/swanctl/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0e94678e4
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,31 @@
+connections {
+
+ host-host {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 5400
+ rekey_bytes = 500000000
+ rekey_packets = 1000000
+ esp_proposals = aes128gcm128-x25519
+ mode = transport
+ }
+ }
+ version = 2
+ mobike = no
+ reauth_time = 10800
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/host2host-transport/posttest.dat b/testing/tests/swanctl/host2host-transport/posttest.dat
new file mode 100755
index 000000000..3d7248cc8
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/posttest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --terminate --ike host-host 2> /dev/null
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/host2host-transport/pretest.dat b/testing/tests/swanctl/host2host-transport/pretest.dat
new file mode 100755
index 000000000..b42dce654
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection host-host
+sun::expect-connection host-hhost
+moon::swanctl --initiate --child host-host 2> /dev/null
diff --git a/testing/tests/swanctl/host2host-transport/test.conf b/testing/tests/swanctl/host2host-transport/test.conf
new file mode 100755
index 000000000..52d886dcc
--- /dev/null
+++ b/testing/tests/swanctl/host2host-transport/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/ip-pool-db/evaltest.dat b/testing/tests/swanctl/ip-pool-db/evaltest.dat
index 130a0b918..5133e426f 100755
--- a/testing/tests/swanctl/ip-pool-db/evaltest.dat
+++ b/testing/tests/swanctl/ip-pool-db/evaltest.dat
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
 moon:: ipsec pool --status 2> /dev/null::big_pool.*10.3.0.1.*10.3.3.232.*static.*2::YES
diff --git a/testing/tests/swanctl/ip-pool/evaltest.dat b/testing/tests/swanctl/ip-pool/evaltest.dat
index 51ac523b8..36ab6c119 100755
--- a/testing/tests/swanctl/ip-pool/evaltest.dat
+++ b/testing/tests/swanctl/ip-pool/evaltest.dat
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
 moon:: swanctl --list-pools --raw 2> /dev/null::rw_pool.*base=10.3.0.0 size=14 online=2 offline=0::YES
 moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
 moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
diff --git a/testing/tests/swanctl/ip-two-pools-db/description.txt b/testing/tests/swanctl/ip-two-pools-db/description.txt
new file mode 100755
index 000000000..4bad7b1b7
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/description.txt
@@ -0,0 +1,14 @@
+The hosts alice, venus, carol, and dave set up tunnel connections
+to gateway moon in a hub-and-spoke fashion. Each host requests a virtual IP
+from gateway moon which assigns virtual IP addresses from a pool named extpool
+[10.3.0.1..10.3.1.244] to hosts connecting to the eth0 (PH_IP_MOON) interface and virtual
+IP addresses from a pool named intpool [10.4.0.1..10.4.1.244] to hosts connecting to
+the eth1 (PH_IP_MOON1) interface.
+Thus carol and dave are assigned PH_IP_CAROL1 and PH_IP_DAVE1,
+respectively, whereas alice and venus get 10.4.0.1 and 10.4.0.2,
+respectively.
+

+By defining the composite traffic selector 10.3.0.0/16,10.4.0.0/16, each of the four
+spokes can securely reach any other spoke via the central hub moon. This is
+demonstrated by alice and dave pinging the assigned virtual IP addresses
+of carol and venus.
diff --git a/testing/tests/swanctl/ip-two-pools-db/evaltest.dat b/testing/tests/swanctl/ip-two-pools-db/evaltest.dat
new file mode 100755
index 000000000..16dc23669
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/evaltest.dat
@@ -0,0 +1,35 @@
+moon:: ipsec pool --status 2> /dev/null::extpool.*10.3.0.1.*10.3.1.244.*48h.*2::YES
+moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*2::YES
+moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.2,id=venus.strongswan.org 2> /dev/null::online::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
+venus::cat /var/log/daemon.log::installing new virtual IP 10.4.0.2::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
+alice::cat /var/log/daemon.log::installing DNS server PH_IP_ALICE to /etc/resolv.conf::YES
+venus::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS to /etc/resolv.conf::YES
+alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES
+dave:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES
+alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES
+dave:: ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+alice:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+venus:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.2/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::ext.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*ext.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::ext.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*ext.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+moon:: swanctl --list-sas --ike-id 3 --raw 2> /dev/null::int.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.10 remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*int.*reqid=3 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.4.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::int.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.20 remote-port=4500 remote-id=venus.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.2] child-sas.*int.*reqid=4 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.4.0.2/32]::YES
+alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
+alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
+dave::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+dave::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+venus::tcpdump::IP moon1.strongswan.org > venus.strongswan.org: ESP::YES
+venus::tcpdump::IP venus.strongswan.org > moon1.strongswan.org: ESP::YES
+
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf
new file mode 100755
index 000000000..f021e9c96
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..7dfef4e38
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 10.1.0.10
+ remote_addrs = 10.1.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = aliceCert.pem
+ id = alice@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.3.0.0/16,10.4.0.0/16
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..f021e9c96
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..fca6efb2e
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.3.0.0/16,10.4.0.0/16
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf
new file mode 100755
index 000000000..f021e9c96
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..1f0b361ec
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.3.0.0/16,10.4.0.0/16
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..a0ed9f0e6
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/iptables.rules
@@ -0,0 +1,43 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A INPUT -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
+
+*nat
+
+# masquerade crl fetches to winnetou
+-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+COMMIT
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..fba531a52
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf
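Review bot: The FORWARD chain defaults to DROP and the only FORWARD rules in this file are the two CRL-fetch rules, yet this test's description has every spoke reaching the others through moon, so the spoke-to-spoke pings in evaltest.dat must be admitted by rules that appear at runtime — presumably inserted by the `_updown iptables` script that moon's swanctl.conf configures for both children. A comment next to `-P FORWARD DROP` would spare the next reader the hunt: `# spoke-to-spoke forwarding is opened per CHILD_SA by _updown iptables; nothing static allows it here`. It is also worth stating in the `# allow IKE` / `# allow MobIKE` sections that the rules match source port 500/4500 exactly, so a peer whose source port was rewritten by a NAT would be dropped; that is acceptable for this fixed testbed but should be visible to anyone reusing the file.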
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl sqlite attr-sql kernel-netlink socket-default updown vici
+
+ plugins {
+ attr-sql {
+ database = sqlite:///etc/db.d/ipsec.db
+ }
+ }
+}
+
+pool {
+ load = sqlite
+ database = sqlite:///etc/db.d/ipsec.db
+}
\ No newline at end of file
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..d719d7aad
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,48 @@
+connections {
+
+ ext {
+ local_addrs = 192.168.0.1
+ pools = extpool
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ ext {
+ local_ts = 10.3.0.0/16,10.4.0.0/16
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+
+ int {
+ local_addrs = 10.1.0.1
+ pools = intpool
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ int {
+ local_ts = 10.3.0.0/16,10.4.0.0/16
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf
new file mode 100755
index 000000000..f021e9c96
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf
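Review bot: Both `remote { auth = pubkey }` blocks in moon's swanctl.conf carry no `id`, so the only thing that distinguishes `ext` from `int` is `local_addrs`: any peer whose certificate passes verification is accepted and receives a lease from whichever pool belongs to the interface it dialled, and nothing in the file says this is deliberate. A one-line comment above each `remote` block would make the trust model explicit, e.g. `# no id constraint: any peer with a verifiable certificate is accepted; the pool is selected by the interface it connects to (local_addrs)`. Separately, the sibling strongswan.conf hunk for moon ends with `\ No newline at end of file`; the other strongswan.conf files in this commit are newline-terminated, so this one should be too.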
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..906b7bdea
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 10.1.0.20
+ remote_addrs = 10.1.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = venusCert.pem
+ id = venus.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.3.0.0/16,10.4.0.0/16
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/ip-two-pools-db/posttest.dat b/testing/tests/swanctl/ip-two-pools-db/posttest.dat
new file mode 100755
index 000000000..cbb2c2498
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/posttest.dat
@@ -0,0 +1,18 @@
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+alice::systemctl stop strongswan-swanctl
+venus::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+moon::ip route del 10.3.0.0/16 via PH_IP_MOON
+moon::ip route del 10.4.0.0/16 via PH_IP_MOON1
+moon::ipsec pool --del extpool 2> /dev/null
+moon::ipsec pool --del intpool 2> /dev/null
+moon::ipsec pool --delattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
+moon::ipsec pool --delattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null
+moon::ipsec pool --delattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null
+
diff --git a/testing/tests/swanctl/ip-two-pools-db/pretest.dat b/testing/tests/swanctl/ip-two-pools-db/pretest.dat
new file mode 100755
index 000000000..7229eee7c
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/pretest.dat
@@ -0,0 +1,30 @@
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+moon::ipsec pool --add extpool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null
+moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout 0 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null
+moon::ipsec pool --statusattr 2> /dev/null
+moon::ip route add 10.3.0.0/16 via PH_IP_MOON
+moon::ip route add 10.4.0.0/16 via PH_IP_MOON1
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+alice::systemctl start strongswan-swanctl
+venus::systemctl start strongswan-swanctl
+moon::expect-connection int
+moon::expect-connection ext
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
+alice::expect-connection home
+alice::swanctl --initiate --child home 2> /dev/null
+venus::expect-connection home
+venus::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/ip-two-pools-db/test.conf b/testing/tests/swanctl/ip-two-pools-db/test.conf
new file mode 100755
index 000000000..9394e0289
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools-db/test.conf
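Review bot: The schema is loaded into `/etc/db.d/ipsec.db` without first removing any database left over from an earlier run, and the matching posttest.dat only deletes the pools and attributes, not the file; if the previous run was aborted before posttest, or the schema's CREATE statements are not idempotent, the import on line 2 would presumably fail or leave stale leases behind. Consider `moon::rm -f /etc/db.d/ipsec.db` ahead of the import, or deleting the file in posttest.dat. As a matter of style the first two lines are a copy and a useless `cat`; `moon::sqlite3 /etc/db.d/ipsec.db < /usr/local/share/strongswan/templates/database/sql/sqlite.sql` does the same in one step without the intermediate `ipsec.sql`.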
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice venus carol dave"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="moon"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/ip-two-pools/description.txt b/testing/tests/swanctl/ip-two-pools/description.txt
new file mode 100755
index 000000000..df9f54a66
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/description.txt
@@ -0,0 +1,9 @@
+The hosts alice and carol set up a tunnel connection each to gateway moon.
+Both hosts request a virtual IP via the IKEv2 configuration payload.
+Gateway moon assigns virtual IP addresses from pool1 with an address range of
+10.3.0.0/28 to hosts connecting to the eth0 (192.168.0.1) interface and
+virtual IP addresses from pool2 with an address range of 10.4.0.0/28 to hosts
+connecting to the eth1 (10.1.0.1) interface.
+
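Review bot: `VIRTHOSTS="alice moon carol winnetou dave"` omits venus, although `TCPDUMPHOSTS`, `IPSECHOSTS` and the diagram name `a-v-m-c-w-d.png` in this same hunk all include it, and the pretest.dat, evaltest.dat and posttest.dat of this test run `venus::` commands throughout. If the framework only brings up the guests listed in VIRTHOSTS, every venus step would execute against a guest that was never started and the venus assertions could not pass. Change it to `VIRTHOSTS="alice venus moon carol winnetou dave"` so the list agrees with the other three variables.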

+Thus carol is assigned PH_IP_CAROL1 whereas alice gets 10.4.0.1 and
+both ping the gateway moon.
diff --git a/testing/tests/swanctl/ip-two-pools/evaltest.dat b/testing/tests/swanctl/ip-two-pools/evaltest.dat
new file mode 100755
index 000000000..cb3b60f4d
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/evaltest.dat
@@ -0,0 +1,18 @@ +moon:: swanctl --list-pools --raw --name pool1 2> /dev/null::pool1.*base=10.3.0.0 size=14 online=1 offline=0::YES +moon:: swanctl --list-pools --raw --name pool2 2> /dev/null::pool2.*base=10.4.0.0 size=14 online=1 offline=0::YES +moon:: swanctl --list-pools --raw --name pool1 --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES +moon:: swanctl --list-pools --raw --name pool2 --leases 2> /dev/null::address=10.4.0.1 identity=alice@strongswan.org status=online::YES +moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES +moon:: cat /var/log/daemon.log::assigning virtual IP 10.4.0.1 to peer.*alice@strongswan.org::YES +carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES +alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES +carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES +alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[192.168.0.1/32]::YES +alice:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 
encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.1.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*rw1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[10.3.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw2.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.10 remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*rw2.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.1/32] remote-ts=\[10.4.0.1/32]::YES +carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES +alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf new file mode 100755 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} 
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..509fe678f
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ home {
+ local_addrs = 10.1.0.10
+ remote_addrs = 10.1.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = aliceCert.pem
+ id = alice@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..60b216e62
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..a0ed9f0e6
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/iptables.rules
@@ -0,0 +1,43 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT +-A INPUT -i eth1 -p 50 -j ACCEPT +-A OUTPUT -o eth1 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT +-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT +-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT +-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +COMMIT + +*nat + +# masquerade crl fetches to winnetou +-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE + +COMMIT diff --git a/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} 
diff --git a/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..cf4e54024
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,55 @@
+connections {
+
+ rw1 {
+ local_addrs = 192.168.0.1
+ pools = pool1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ rw1 {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+
+ rw2 {
+ local_addrs = 10.1.0.1
+ pools = pool2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ rw2 {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+pools {
+ pool1 {
+ addrs = 10.3.0.0/28
+ }
+ pool2 {
+ addrs = 10.4.0.0/28
+ }
+}
diff --git a/testing/tests/swanctl/ip-two-pools/posttest.dat b/testing/tests/swanctl/ip-two-pools/posttest.dat
new file mode 100755
index 000000000..0cfeeb120
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/posttest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+alice::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+alice::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/ip-two-pools/pretest.dat b/testing/tests/swanctl/ip-two-pools/pretest.dat
new file mode 100755
index 000000000..95a32febc
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+alice::systemctl start strongswan-swanctl
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+alice::expect-connection home
+alice::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/ip-two-pools/test.conf b/testing/tests/swanctl/ip-two-pools/test.conf
new file mode 100755
index 000000000..5f67b7ed5
--- /dev/null
+++ b/testing/tests/swanctl/ip-two-pools/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="carol alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
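Review bot: `moon::expect-connection rw` waits for a connection name that moon's swanctl.conf in this commit does not define; that file declares `rw1` and `rw2`. Depending on how expect-connection matches the name, a substring match would be satisfied as soon as rw1 loads (leaving rw2 unchecked), while an exact match would time out before carol and alice initiate, so the wait either masks a partially loaded gateway configuration or stalls the pretest. Waiting on the configured names, `moon::expect-connection rw1` followed by `moon::expect-connection rw2`, removes the ambiguity, in the same way the sibling ip-two-pools-db pretest waits on each of its gateway connections separately.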
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..2057b5193 --- /dev/null +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,58 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + files + eap { + ok = return + } + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..aa6f98076 --- /dev/null +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users 
@@ -0,0 +1,2 @@ +228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB +228060123456002 EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files deleted file mode 100644 index 10c26aa15..000000000 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files +++ /dev/null @@ -1,3 +0,0 @@ -sim_files { - simtriplets = "/etc/freeradius/triplets.dat" -} diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default index 91425f812..51b64a74b 100644 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default 
@@ -2,8 +2,19 @@ authorize { preprocess chap mschap - sim_files + files suffix + update reply { + EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}" + EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}" + EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}" + EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}" + EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}" + EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}" + EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}" + EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}" + EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}" + } eap { ok = return } diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat deleted file mode 100644 index aaabab89e..000000000 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat +++ /dev/null @@ -1,6 +0,0 @@ -228060123456001,30000000000000000000000000000000,30112233,305566778899AABB -228060123456001,31000000000000000000000000000000,31112233,315566778899AABB -228060123456001,32000000000000000000000000000000,32112233,325566778899AABB -228060123456002,33000000000000000000000000000000,33112233,335566778899AABB -228060123456002,34000000000000000000000000000000,34112233,345566778899AABB -228060123456002,35000000000000000000000000000000,35112233,355566778899AABB diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users index e69de29bb..aa6f98076 100644 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users 
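Review bot: The new `update reply { ... }` block copies the GSM triplets, including the Kc session keys and SRES values, from the control list into the reply list, and whatever is still in the reply list when the Access-Accept is composed goes to the NAS (moon) in clear text, since RADIUS only obfuscates User-Password. This is presumably where rlm_eap_sim of this FreeRADIUS generation reads them from (the 3.0 configuration added in the same commit keeps them as check items in `users` instead), but it is worth confirming that the module removes the EAP-Sim-* attributes after use, or filtering them out in `post-auth`, rather than relying on that implicitly. A one-line comment above the block, such as `# rlm_eap_sim reads the triplets from the reply list; they must not survive into the Access-Accept`, would record the assumption for the next maintainer. The enclosing `authorize { ... }` section starts before the hunk.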
@@ -0,0 +1,2 @@ +228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB +228060123456002 EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat index 010a4f9c4..93b379348 100644 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat @@ -1,4 +1,4 @@ carol::systemctl stop strongswan-swanctl dave::systemctl stop strongswan-swanctl moon::systemctl stop strongswan-swanctl -alice::killall radiusd +alice::killall freeradius diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat index 57d39a5e6..10150f03c 100644 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat @@ -1,10 +1,6 @@ -alice::cat /etc/freeradius/clients.conf -alice::cat /etc/freeradius/eap.conf -alice::cat /etc/freeradius/proxy.conf -alice::cat /etc/freeradius/triplets.dat carol::cat /etc/ipsec.d/triplets.dat dave::cat /etc/ipsec.d/triplets.dat -alice::radiusd +alice::freeradius moon::systemctl start strongswan-swanctl carol::systemctl start strongswan-swanctl dave::systemctl start strongswan-swanctl 
diff --git a/testing/tests/swanctl/nat-rw-psk/description.txt b/testing/tests/swanctl/nat-rw-psk/description.txt new file mode 100644 index 000000000..7754c7f39 --- /dev/null +++ b/testing/tests/swanctl/nat-rw-psk/description.txt @@ -0,0 +1,8 @@ +The roadwarriors alice and venus sitting behind the NAT router moon set up +tunnels to gateway sun. UDP encapsulation is used to traverse the NAT router. +Each roadwarrior shares its own Pre-Shared Key (PSK) with the gateway sun. +

+Upon the successful establishment of the IPsec tunnels, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test the tunnel, the NAT-ed hosts alice and venus +ping the client bob behind the gateway sun. diff --git a/testing/tests/swanctl/nat-rw-psk/evaltest.dat b/testing/tests/swanctl/nat-rw-psk/evaltest.dat new file mode 100644 index 000000000..cd171e8c9 --- /dev/null +++ b/testing/tests/swanctl/nat-rw-psk/evaltest.dat 
@@ -0,0 +1,14 @@ +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +moon:: sleep 6::no output expected::NO +bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES +alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=10.1.0.10 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES +venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=10.1.0.20 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.10.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES +sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED 
local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.20.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES +moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES +alice::cat /var/log/daemon.log::sending keep alive::YES +venus::cat /var/log/daemon.log::sending keep alive::YES diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..fd9bf8c7c --- /dev/null +++ b/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + + keep_alive = 5 +} diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..2d601c122 --- /dev/null +++ b/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf 
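Review bot: The sun `--ike-id 2` expectation ends in `:YES` with a single colon, whereas every other line of this file separates the pattern from the expected result with `::YES`. If the evaltest parser splits fields on `::`, this line has no result field and its pattern ends in the literal `:YES`, so the check for venus's IKE_SA and CHILD_SA on sun is either skipped or can never match, and a regression in the second NAT-ed peer would go unnoticed; the line should end `...remote-ts=\[10.1.0.20/32]::YES`.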
@@ -0,0 +1,33 @@
+connections {
+
+ nat-t {
+ local_addrs = 10.1.0.10
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = psk
+ id = 10.1.0.10
+ }
+ remote {
+ auth = psk
+ id = 192.168.0.2
+ }
+ children {
+ nat-t {
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+ ike-sun {
+ id = 192.168.0.2
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+}
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/iptables.rules b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..7625e5066
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..f7a542d4d
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+ nat-t {
+ local_addrs = 192.168.0.2
+
+ local {
+ auth = psk
+ id = 192.168.0.2
+ }
+ remote {
+ auth = psk
+ }
+ children {
+ nat-t {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+ ike-alice {
+ id = 10.1.0.10
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+ ike-venus {
+ id = 10.1.0.20
+ secret = 0s8PjpI8z+Ym5A9zPvh7+opyyV9NcZp8Br
+ }
+}
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..fd9bf8c7c
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+ keep_alive = 5
+}
diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..654489dfc
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ nat-t {
+ local_addrs = 10.1.0.20
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = psk
+ id = 10.1.0.20
+ }
+ remote {
+ auth = psk
+ id = 192.168.0.2
+ }
+ children {
+ nat-t {
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+ ike-sun {
+ id = 192.168.0.2
+ secret = 0s8PjpI8z+Ym5A9zPvh7+opyyV9NcZp8Br
+ }
+}
+
diff --git a/testing/tests/swanctl/nat-rw-psk/posttest.dat b/testing/tests/swanctl/nat-rw-psk/posttest.dat
new file mode 100644
index 000000000..a41653640
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/posttest.dat
@@ -0,0 +1,7 @@
+sun::systemctl stop strongswan-swanctl
+alice::systemctl stop strongswan-swanctl
+venus::systemctl stop strongswan-swanctl
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
diff --git a/testing/tests/swanctl/nat-rw-psk/pretest.dat b/testing/tests/swanctl/nat-rw-psk/pretest.dat
new file mode 100644
index 000000000..906c5b006
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/pretest.dat
@@ -0,0 +1,16 @@
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+alice::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
+venus::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
+sun::cd /etc/swanctl; rm x509ca/* x509/* rsa/*
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+sun::systemctl start strongswan-swanctl
+alice::systemctl start strongswan-swanctl
+venus::systemctl start strongswan-swanctl
+sun::expect-connection nat-t
+alice::expect-connection nat-t
+alice::swanctl --initiate --child nat-t
+venus::expect-connection nat-t
+venus::swanctl --initiate --child nat-t
diff --git a/testing/tests/swanctl/nat-rw-psk/test.conf b/testing/tests/swanctl/nat-rw-psk/test.conf
new file mode 100644
index 000000000..ecc95b837
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw-psk/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/nat-rw/description.txt b/testing/tests/swanctl/nat-rw/description.txt
new file mode 100644
index 000000000..1ee91b74d
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/description.txt
@@ -0,0 +1,8 @@ +The roadwarriors alice and venus sitting behind the NAT router moon set up +tunnels to gateway sun. UDP encapsulation is used to traverse the NAT router. +Authentication is based on X.509 certificates. +

+Upon the successful establishment of the IPsec tunnels, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test the tunnel, the NAT-ed hosts alice and venus +ping the client bob behind the gateway sun. diff --git a/testing/tests/swanctl/nat-rw/evaltest.dat b/testing/tests/swanctl/nat-rw/evaltest.dat new file mode 100644 index 000000000..ae6aaed33 --- /dev/null +++ b/testing/tests/swanctl/nat-rw/evaltest.dat 
@@ -0,0 +1,14 @@ +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +moon:: sleep 6::no output expected::NO +bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES +alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES +venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES +sun:: swanctl --list-sas --raw --ike-id 2 2> 
/dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES +moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES +alice::cat /var/log/daemon.log::sending keep alive::YES +venus::cat /var/log/daemon.log::sending keep alive::YES diff --git a/testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..fd9bf8c7c --- /dev/null +++ b/testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + + keep_alive = 5 +} diff --git a/testing/tests/swanctl/nat-rw/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw/hosts/alice/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..61f769637 --- /dev/null +++ b/testing/tests/swanctl/nat-rw/hosts/alice/etc/swanctl/swanctl.conf 
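Review bot: In the `sun:: swanctl --list-sas --raw --ike-id 2` expectation the result flag is attached with a single colon, `remote-ts=\[10.1.0.20/32]:YES`, while every other line in this evaltest.dat separates host, command, pattern and flag with `::`. If the evaluator splits fields on `::`, this line presumably ends up with `:YES` folded into the regex and no YES/NO field at all, so the venus SA on sun is never actually verified even though the file appears to cover it. Change the ending to `remote-ts=\[10.1.0.20/32]::YES`, matching the `--ike-id 1` line directly above it.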
@@ -0,0 +1,27 @@ +connections { + + nat-t { + local_addrs = 10.1.0.10 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = aliceCert.pem + id = alice@strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + nat-t { + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/swanctl/nat-rw/hosts/sun/etc/iptables.rules new file mode 100644 index 000000000..ae8f9a61e --- /dev/null +++ b/testing/tests/swanctl/nat-rw/hosts/sun/etc/iptables.rules @@ -0,0 +1,24 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow IKE +-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/swanctl/nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/nat-rw/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..7625e5066 --- /dev/null +++ b/testing/tests/swanctl/nat-rw/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown +} diff --git a/testing/tests/swanctl/nat-rw/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..637260de8 --- /dev/null 
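Review bot: The comment `# allow MobIKE` above the two UDP 4500 rules in sun's iptables.rules names a feature this scenario does not exercise; the test is about NAT traversal, and the evaltest for it expects `UDP-encap: ESP` and `isakmp-nat-keep-alive` traffic on port 4500, so a reader checking why that port is open here is pointed at the wrong mechanism. Suggest `# allow NAT-T (UDP-encapsulated IKE/ESP on 4500; also used by MobIKE)`. The wording is presumably inherited from the other roadwarrior tests' rules files, so this is a documentation point only.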
+++ b/testing/tests/swanctl/nat-rw/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + nat-t { + local_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + } + children { + nat-t { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf new file mode 100644 index 000000000..fd9bf8c7c --- /dev/null +++ b/testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + + keep_alive = 5 +} diff --git a/testing/tests/swanctl/nat-rw/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw/hosts/venus/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..0ea7c4055 --- /dev/null +++ b/testing/tests/swanctl/nat-rw/hosts/venus/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + nat-t { + local_addrs = 10.1.0.20 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = venusCert.pem + id = venus.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + nat-t { + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/nat-rw/posttest.dat b/testing/tests/swanctl/nat-rw/posttest.dat new file mode 100644 index 000000000..a41653640 --- /dev/null +++ b/testing/tests/swanctl/nat-rw/posttest.dat 
@@ -0,0 +1,7 @@
+sun::systemctl stop strongswan-swanctl
+alice::systemctl stop strongswan-swanctl
+venus::systemctl stop strongswan-swanctl
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
diff --git a/testing/tests/swanctl/nat-rw/pretest.dat b/testing/tests/swanctl/nat-rw/pretest.dat
new file mode 100644
index 000000000..63c9d359e
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/pretest.dat
@@ -0,0 +1,13 @@
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+sun::systemctl start strongswan-swanctl
+alice::systemctl start strongswan-swanctl
+venus::systemctl start strongswan-swanctl
+sun::expect-connection nat-t
+alice::expect-connection nat-t
+alice::swanctl --initiate --child nat-t
+venus::expect-connection nat-t
+venus::swanctl --initiate --child nat-t
diff --git a/testing/tests/swanctl/nat-rw/test.conf b/testing/tests/swanctl/nat-rw/test.conf
new file mode 100644
index 000000000..ecc95b837
--- /dev/null
+++ b/testing/tests/swanctl/nat-rw/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/net2net-psk/description.txt b/testing/tests/swanctl/net2net-psk/description.txt new file mode 100755 index 000000000..e064a99de --- /dev/null +++ b/testing/tests/swanctl/net2net-psk/description.txt @@ -0,0 +1,7 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on Preshared Keys (PSK). +

+Upon the successful establishment of the IPsec tunnel, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client alice behind gateway moon +pings client bob located behind gateway sun. diff --git a/testing/tests/swanctl/net2net-psk/evaltest.dat b/testing/tests/swanctl/net2net-psk/evaltest.dat new file mode 100755 index 000000000..4c56d5299 --- /dev/null +++ b/testing/tests/swanctl/net2net-psk/evaltest.dat @@ -0,0 +1,5 @@ +moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf 
@@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/swanctl/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..5e2480ee2 --- /dev/null +++ b/testing/tests/swanctl/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,55 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = psk + id = moon.strongswan.org + } + remote { + auth = psk + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-x25519 + } +} + +secrets { + ike-1 { + id-1 = moon.strongswan.org + secret = 0x45a30759df97dc26a15b88ff + } + ike-2 { + id-2 = sun.strongswan.org + secret = "This is a strong password" + } + ike-3 { + id-3a = moon.strongswan.org + id-3b =sun.strongswan.org + secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + } + ike-4 { + secret = 'My "home" is my "castle"!' + } + ike-5 { + id-5 = 192.168.0.1 + secret = "Andi's home" + } +} \ No newline at end of file diff --git a/testing/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf new file mode 100755 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf 
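Review bot: The `secrets` section of moon's swanctl.conf defines five `ike-*` entries, but only `ike-3` (bound to both moon.strongswan.org and sun.strongswan.org, `0s`-prefixed value) has a counterpart in sun's single `ike-1` secret, and nothing in the file says why the hex value, the two quoted strings with embedded quotes/apostrophes and the entry bound to 192.168.0.1 are there. They presumably exercise the secret-syntax parser, and the `id-3b =sun.strongswan.org` spacing appears on sun too, so it may be a deliberate whitespace case rather than a typo — but a reader cannot tell either from the file. Suggest opening the block with `# ike-3 is the PSK actually shared with sun; the other entries exercise alternative secret encodings`, and stating the intent in the test description if it is deliberate. The file also ends without a trailing newline (`\ No newline at end of file`), unlike the sibling config on sun.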
@@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/swanctl/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..b6fc72b7a --- /dev/null +++ b/testing/tests/swanctl/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,40 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = psk + id = sun.strongswan.org + } + remote { + auth = psk + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-x25519 + } +} + +secrets { + ike-1 { + id-moon = moon.strongswan.org + id-sun =sun.strongswan.org + secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + } +} diff --git a/testing/tests/swanctl/net2net-psk/posttest.dat b/testing/tests/swanctl/net2net-psk/posttest.dat new file mode 100755 index 000000000..755f0e5f8 --- /dev/null +++ b/testing/tests/swanctl/net2net-psk/posttest.dat @@ -0,0 +1,5 @@ +moon::swanctl --terminate --ike gw-gw 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/net2net-psk/pretest.dat b/testing/tests/swanctl/net2net-psk/pretest.dat new file mode 100755 index 000000000..e82d539fb --- /dev/null +++ b/testing/tests/swanctl/net2net-psk/pretest.dat 
@@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +sun::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/swanctl/net2net-psk/test.conf b/testing/tests/swanctl/net2net-psk/test.conf new file mode 100755 index 000000000..07a3b247a --- /dev/null +++ b/testing/tests/swanctl/net2net-psk/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-cert-pss/evaltest.dat b/testing/tests/swanctl/rw-cert-pss/evaltest.dat index a62fda968..c4106c678 100755 --- a/testing/tests/swanctl/rw-cert-pss/evaltest.dat +++ b/testing/tests/swanctl/rw-cert-pss/evaltest.dat 
@@ -1,7 +1,7 @@
-carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256 successful::YES
-moon ::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256 successful::YES
-moon ::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA_EMSA_PSS_SHA2_512 successful::YES
-moon ::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with RSA_EMSA_PSS_SHA2_384 successful::YES
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256_SALT_32 successful::YES
+dave ::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256_SALT_32 successful::YES
+moon ::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA_EMSA_PSS_SHA2_512_SALT_64 successful::YES
+moon ::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with RSA_EMSA_PSS_SHA2_384_SALT_48 successful::YES
 alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
 alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
 carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
diff --git a/testing/tests/swanctl/rw-cert/description.txt b/testing/tests/swanctl/rw-cert/description.txt
index 6af7a39ae..f190c0752 100755
--- a/testing/tests/swanctl/rw-cert/description.txt
+++ b/testing/tests/swanctl/rw-cert/description.txt
@@ -1,5 +1,6 @@ -The roadwarriors carol and dave set up a connection each +The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. +

Upon the successful establishment of the IPsec tunnels, the updown script automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt b/testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt new file mode 100644 index 000000000..c39829dd5 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt @@ -0,0 +1,11 @@ +The roadwarrior carol sets up a connection to gateway moon. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol uses the Authentication and Key Agreement (EAP-AKA) +method of the Extensible Authentication Protocol to authenticate herself. +This EAP method used in UMTS, but here a secret defined in swanctl.conf +is used instead of a USIM/(R)UIM device. +

+In addition to her IKEv2 identity carol@strongswan.org, roadwarrior carol +uses the EAP identity carol. diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat new file mode 100644 index 000000000..a655543f9 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat 
@@ -0,0 +1,10 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..1582b2b01 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf 
@@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-aka eap-aka-3gpp2 updown +} diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..4aabbaba1 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = carol@strongswan.org + eap_id = carol + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol + secret = "Ar3etTnp01qlpOgb" + } +} diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..1582b2b01 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-aka eap-aka-3gpp2 updown +} 
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..d68d1f474 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = eap-aka + eap_id = %any + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol + secret = "Ar3etTnp01qlpOgb" + } +} diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat new file mode 100644 index 000000000..2b00bea8e --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat @@ -0,0 +1,5 @@ +carol::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-aka-id-rsa/pretest.dat new file mode 100644 index 000000000..8cc1c4dc5 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null 
diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/test.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/test.conf new file mode 100644 index 000000000..97b89cb61 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice carol moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/description.txt b/testing/tests/swanctl/rw-eap-aka-rsa/description.txt new file mode 100644 index 000000000..0138e35f5 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-rsa/description.txt @@ -0,0 +1,8 @@ +The roadwarrior carol sets up a connection to gateway moon. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol uses the Authentication and Key Agreement (EAP-AKA) +method of the Extensible Authentication Protocol to authenticate herself. +This EAP method used in UMTS, but here a secret defined in swanctl.conf +is used instead of a USIM/(R)UIM device. diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat new file mode 100644 index 000000000..0d4f74197 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat 
@@ -0,0 +1,9 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..4d4fc3583 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf 
@@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-aka eap-aka-3gpp2 updown +} diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..e3d6e50c0 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = "Ar3etTnp01qlpOgb" + } +} diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..4d4fc3583 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-aka eap-aka-3gpp2 updown +} diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..609309f05 
--- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = eap-aka + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = "Ar3etTnp01qlpOgb" + } +} diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat new file mode 100644 index 000000000..2b00bea8e --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat @@ -0,0 +1,5 @@ +carol::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat new file mode 100644 index 000000000..8cc1c4dc5 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/test.conf b/testing/tests/swanctl/rw-eap-aka-rsa/test.conf new file mode 100644 index 000000000..97b89cb61 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-rsa/test.conf 
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/description.txt b/testing/tests/swanctl/rw-eap-md5-id-radius/description.txt
new file mode 100644
index 000000000..42db2e199
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/description.txt
@@ -0,0 +1,10 @@
+The roadwarrior carol sets up a connection to gateway moon.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 digital signature accompanied by an X.509 certificate.
+

+Next carol uses the MD5 (EAP-MD5) method of the
+Extensible Authentication Protocol to authenticate herself.
+

+The gateway forwards all EAP messages to the RADIUS server alice.
+In addition to her IKEv2 identitycarol@strongswan.org, roadwarrior
+carol uses the EAP identity carol.
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat
new file mode 100644
index 000000000..3080ec15a
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..623f42904
--- /dev/null
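Review bot: The log patterns on the first, fourth and fifth lines of the new evaltest.dat match `.*moon.strongswan.org.*` and `.*carol@strongswan.org.*`, whereas the sibling rw-eap-md5-radius evaltest.dat checks the exact quoted identity, e.g. `authentication of 'moon.strongswan.org' with RSA.* successful::YES`. The wildcard form also accepts any identity that merely contains that string, so the check is weaker than it looks. Unless the quoting of the log lines really differs in this scenario, use the same quoted form here, `carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES`.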
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..dd0825858
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+ suffix
+ eap {
+ ok = return
+ }
+ files
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..d2cc789b3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..590a2b7cf
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ eap_id = carol
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol
+ secret = Ar3etTnp
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..fa363c345
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..9a59fc15e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ id = *@strongswan.org
+ eap_id = %any
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat b/testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat
new file mode 100644
index 000000000..f32a56960
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat
@@ -0,0 +1,5 @@
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat b/testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat
new file mode 100644
index 000000000..84ba602c4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/test.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/test.conf
new file mode 100644
index 000000000..0d9e9f3d4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-id-radius/test.conf
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/description.txt b/testing/tests/swanctl/rw-eap-md5-radius/description.txt
new file mode 100644
index 000000000..f0f241dc1
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior carol sets up a connection to gateway moon.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 digital signature accompanied by an X.509 certificate.
+

+Next carol uses the MD5 (EAP-MD5) method of the
+Extensible Authentication Protocol to authenticate herself.
+The gateway forwards all EAP messages to the RADIUS server alice.
\ No newline at end of file
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat
new file mode 100644
index 000000000..09a78be83
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = md5
+ md5 {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..dd0825858
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+ suffix
+ eap {
+ ok = return
+ }
+ files
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e57629f2e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..158c26b72
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bf614014d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..ad6d62896
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ id = *@strongswan.org
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/posttest.dat b/testing/tests/swanctl/rw-eap-md5-radius/posttest.dat
new file mode 100644
index 000000000..f32a56960
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/posttest.dat
@@ -0,0 +1,5 @@
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/pretest.dat b/testing/tests/swanctl/rw-eap-md5-radius/pretest.dat
new file mode 100644
index 000000000..84ba602c4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-md5-radius/test.conf b/testing/tests/swanctl/rw-eap-md5-radius/test.conf
new file mode 100644
index 000000000..0d9e9f3d4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-radius/test.conf
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/description.txt b/testing/tests/swanctl/rw-eap-md5-rsa/description.txt
new file mode 100644
index 000000000..08fd89b65
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior carol sets up a connection to gateway moon.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 digital signature accompanied by an X.509 certificate.
+

+Next carol uses the MD5 (EAP-MD5) method of the
+Extensible Authentication Protocol to authenticate herself.
+
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat
new file mode 100644
index 000000000..c0026af4f
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e57629f2e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
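Review bot: The fourth line of the new evaltest.dat, `moon:: cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established`, carries no `::YES` expectation field, unlike every other line in the file, so it presumably is not evaluated as a pass/fail check (how the harness treats a missing fourth field is not visible here). If the line is meant to verify the gateway's log it should read `moon:: cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established::YES`; otherwise drop it. The same omission appears in rw-eap-mschapv2-id-rsa/evaltest.dat on its `received EAP identity.*carol` and `EAP method EAP_MSCHAPV2 succeeded, no MSK established` lines.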
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..158c26b72
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..e57629f2e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown
+}
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..13816d778
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,39 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-md5
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = W7R0g3do
+ }
+}
+
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat
new file mode 100644
index 000000000..2b00bea8e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat
@@ -0,0 +1,5 @@
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat
new file mode 100644
index 000000000..8cc1c4dc5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/test.conf b/testing/tests/swanctl/rw-eap-md5-rsa/test.conf
new file mode 100644
index 000000000..97b89cb61
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-md5-rsa/test.conf
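Review bot: The `secrets` section of the new moon swanctl.conf provisions an `eap-dave` entry for `dave@strongswan.org`, but this scenario's test.conf lists only `alice carol moon` in VIRTHOSTS and neither pretest.dat, posttest.dat nor evaltest.dat references dave, so the gateway is loaded with an EAP secret the scenario never exercises. Keeping a fixture to the credentials it actually uses avoids copy-paste drift between scenarios and keeps the gateway's secret set minimal; if dave is not meant to take part here, drop the `eap-dave { … }` block.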
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/description.txt b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/description.txt
new file mode 100644
index 000000000..95afc08b5
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/description.txt
@@ -0,0 +1,10 @@
+The roadwarrior carol sets up a connection to gateway moon.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 digital signature accompanied by an X.509 certificate.
+

+Next carol uses the Microsoft CHAP version 2 (EAP-MSCHAPV2)
+method of the Extensible Authentication Protocol to authenticate herself.
+This EAP method is used e.g. by the Windows 7/8/10 Agile VPN client.
+

+In addition to her IKEv2 identity which defaults to her IP address,
+roadwarrior carol uses the EAP identity carol.
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat
new file mode 100644
index 000000000..a1c2d4e88
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat
@@ -0,0 +1,11 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity.*carol
+moon:: cat /var/log/daemon.log::EAP method EAP_MSCHAPV2 succeeded, no MSK established
+moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100 remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..d9210aeb5
--- /dev/null
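Review bot: The two `moon::` checks `received EAP identity.*carol` and `EAP method EAP_MSCHAPV2 succeeded, no MSK established` end without the `::YES` expected-result field that every other line of this evaltest.dat carries, so, going by the format the surrounding lines use, they appear to have no expectation attached and would not fail the run if the pattern never shows up in the log. Appending the field to both, e.g. `moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES`, makes the EAP-identity check actually count, which is the property this `-id-` variant of the test exists to verify.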
+++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes des md4 sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-mschapv2 updown +} diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..1b5c5d99f --- /dev/null +++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + eap_id = carol + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol + secret = Ar3etTnp + } +} diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..d9210aeb5 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes des md4 sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-mschapv2 updown +} 
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..d7c1f68ce --- /dev/null +++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,40 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = eap-mschapv2 + eap_id = %any + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol + secret = Ar3etTnp + } + eap-dave { + id = dave + secret = W7R0g3do + } +} + diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat new file mode 100644 index 000000000..2b00bea8e --- /dev/null +++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat @@ -0,0 +1,5 @@ +carol::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat new file mode 100644 index 000000000..8cc1c4dc5 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null 
diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf new file mode 100644 index 000000000..97b89cb61 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice carol moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-peap-md5/description.txt b/testing/tests/swanctl/rw-eap-peap-md5/description.txt new file mode 100644 index 000000000..7f9ade88a --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-md5/description.txt @@ -0,0 +1,10 @@ +The roadwarriors carol and dave set up a connection each to gateway moon. +The strong mutual authentication is based on EAP-PEAP only (without a separate IKEv2 +authentication) with the gateway being authenticated by a server certificate during the +EAP-TLS tunnel setup (phase1 of EAP-PEAP). This tunnel protects the ensuing weak client +authentication based on EAP-MD5 (phase2 of EAP-PEAP). +

+With the setting charon.plugins.eap-peap.phase2_piggyback = yes the server moon
+initiates phase2 of the EAP-PEAP protocol by piggybacking a tunneled EAP Identity request
+right onto the TLS Finished message. Client carol presents the correct MD5 password
+and succeeds whereas client dave chooses the wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat b/testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat
new file mode 100644
index 000000000..20ec1561e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat
@@ -0,0 +1,17 @@ +carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES +dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 
integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..733ab2afb --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown + + multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 +} diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..db82791b8 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf 
@@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = carol@strongswan.org + } + remote { + auth = eap-peap + id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = Ar3etTnp + } +} diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..733ab2afb --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown + + multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 +} diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..7f3b8104b --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf 
@@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = dave@strongswan.org + } + remote { + auth = eap-peap + id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-dave { + id = dave@strongswan.org + secret = UgaM65Va + } +} diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..4b5445999 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf @@ -0,0 +1,22 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown + + multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } + plugins { + eap-peap { + phase2_method = md5 + phase2_piggyback = yes + } + } +} diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..0bb3bfd28 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf 
@@ -0,0 +1,37 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = eap-peap + certs = moonCert.pem + } + remote { + auth = eap-peap + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = Ar3etTnp + } + eap-dave { + id = dave@strongswan.org + secret = W7R0g3do + } +} diff --git a/testing/tests/swanctl/rw-eap-peap-md5/posttest.dat b/testing/tests/swanctl/rw-eap-peap-md5/posttest.dat new file mode 100644 index 000000000..199873ba1 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-md5/posttest.dat @@ -0,0 +1,6 @@ +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-peap-md5/pretest.dat b/testing/tests/swanctl/rw-eap-peap-md5/pretest.dat new file mode 100644 index 000000000..9ae476e64 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-md5/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +dave::cd /etc/swanctl; rm rsa/* x509/* +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null 
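Review bot: In moon's `secrets`, `eap-dave` is given `secret = W7R0g3do` while hosts/dave/etc/swanctl/swanctl.conf in this same commit configures `UgaM65Va`; the mismatch is deliberate (dave is the negative case, per the evaltest expectation `EAP method EAP_PEAP failed for peer dave@strongswan.org`), but nothing in either file says so. A comment above the entry, `# dave's password intentionally differs from dave's own config: negative test case`, would keep a future cleanup from "fixing" the secret and silently turning the failure check into a pass. The rw-eap-peap-mschapv2 moon config later in this commit carries the same undocumented mismatch.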
diff --git a/testing/tests/swanctl/rw-eap-peap-md5/test.conf b/testing/tests/swanctl/rw-eap-peap-md5/test.conf new file mode 100644 index 000000000..1227b9d1c --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-md5/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/description.txt b/testing/tests/swanctl/rw-eap-peap-mschapv2/description.txt new file mode 100644 index 000000000..ef2d24f2f --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/description.txt @@ -0,0 +1,8 @@ +The roadwarriors carol and dave set up a connection each to gateway moon. +The strong mutual authentication is based on EAP-PEAP only (without a separate IKEv2 +authentication) with the gateway being authenticated by a server certificate during the +EAP-TLS tunnel setup (phase1 of EAP-PEAP). This tunnel protects the ensuing weak client +authentication based on EAP-MSCHAPv2 (phase2 of EAP-PEAP). +

+Client carol presents the correct MSCHAPv2 password and succeeds whereas client
+dave chooses the wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat b/testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat
new file mode 100644
index 000000000..dc56ba850
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat
@@ -0,0 +1,17 @@ +carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES +carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES +dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +dave:: cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES +dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MSCHAPV2 successful::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC 
encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..6f227cc3a --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown + + multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 +} diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..db82791b8 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf 
@@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = carol@strongswan.org + } + remote { + auth = eap-peap + id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = Ar3etTnp + } +} diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..6f227cc3a --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown + + multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 +} diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..7f3b8104b --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf 
@@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = dave@strongswan.org + } + remote { + auth = eap-peap + id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-dave { + id = dave@strongswan.org + secret = UgaM65Va + } +} diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..3b498d93b --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,21 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown + + multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } + plugins { + eap-peap { + phase2_method = mschapv2 + } + } +} diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..0bb3bfd28 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf 
@@ -0,0 +1,37 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = eap-peap + certs = moonCert.pem + } + remote { + auth = eap-peap + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = Ar3etTnp + } + eap-dave { + id = dave@strongswan.org + secret = W7R0g3do + } +} diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/posttest.dat b/testing/tests/swanctl/rw-eap-peap-mschapv2/posttest.dat new file mode 100644 index 000000000..199873ba1 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/posttest.dat @@ -0,0 +1,6 @@ +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/pretest.dat b/testing/tests/swanctl/rw-eap-peap-mschapv2/pretest.dat new file mode 100644 index 000000000..9ae476e64 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +dave::cd /etc/swanctl; rm rsa/* x509/* +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null 
diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/test.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/test.conf new file mode 100644 index 000000000..1227b9d1c --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-peap-radius/description.txt b/testing/tests/swanctl/rw-eap-peap-radius/description.txt new file mode 100644 index 000000000..004068226 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-radius/description.txt @@ -0,0 +1,9 @@ +The roadwarriors carol and dave set up a connection each to gateway moon. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol and dave et up an EAP-PEAP tunnel each via
+gateway moon to the RADIUS server alice authenticated by an X.509
+AAA certificate. The strong EAP-PEAP tunnel protects the ensuing weak client
+authentication based on EAP-MD5. carol presents the correct MD5 password
+and succeeds whereas dave chooses the wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat
new file mode 100644
index 000000000..291e249da
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat
@@ -0,0 +1,17 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 
dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..0ae8befe4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,21 @@
+eap {
+ md5 {
+ }
+ default_eap_type = peap
+
+ tls-config tls-common {
+ private_key_file = ${certdir}/aaaKey.pem
+ certificate_file = ${certdir}/aaaCert.pem
+ ca_file = ${cadir}/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = ${certdir}/dh
+ random_file = ${certdir}/random
+ }
+
+ peap {
+ tls = tls-common
+ default_eap_type = md5
+ use_tunneled_reply = yes
+ virtual_server = "inner-tunnel"
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
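Review bot: The rw-eap-peap-radius evaltest checks in the logs that dave's EAP authentication fails but never asserts that dave ends up without a tunnel, whereas the sibling rw-eap-sim-only-radius evaltest at the end of this chunk pins that outcome with a negative ping. Adding `dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO` after the carol ping line would verify the security-relevant result (no data path for the rejected peer) rather than only the log message.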
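Review bot: The `md5 { }` sub-module in this eap block is, if I read the FreeRADIUS 3.0 layout correctly, the same eap instance the outer `default` server (next hunk) runs, so EAP-MD5 is configured for the outer exchange as well as for the inner method under `peap`; the fixture relies on the strongSwan peers only ever using it inside the tunnel, as the test description states. A comment would keep a later reader from either removing it (breaking the inner method) or reading it as an intended outer method: `# md5 is listed so it can serve as the inner method of peap below; not meant to be selected untunneled`. The 2.x eap.conf later in the diff has the same shape.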
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..6ce9d6391
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
@@ -0,0 +1,38 @@
+server inner-tunnel {
+
+authorize {
+ filter_username
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ update outer.session-state {
+ &Module-Failure-Message := &request:Module-Failure-Message
+ }
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+carol Cleartext-Password := "Ar3etTnp"
+dave Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..11d3e2acd
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,18 @@
+eap {
+ md5 {
+ }
+ default_eap_type = peap
+ tls {
+ private_key_file = /etc/raddb/certs/aaaKey.pem
+ certificate_file = /etc/raddb/certs/aaaCert.pem
+ CA_file = /etc/raddb/certs/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = /etc/raddb/certs/dh
+ random_file = /etc/raddb/certs/random
+ }
+ peap {
+ default_eap_type = md5
+ use_tunneled_reply = yes
+ virtual_server = "inner-tunnel"
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..dd0825858
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+ suffix
+ eap {
+ ok = return
+ }
+ files
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
new file mode 100644
index 000000000..e088fae14
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
@@ -0,0 +1,32 @@
+server inner-tunnel {
+
+authorize {
+ suffix
+ eap {
+ ok = return
+ }
+ files
+}
+
+authenticate {
+ eap
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol Cleartext-Password := "Ar3etTnp"
+dave Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..cb7743f82
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..7ffdd1f4c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..cb7743f82
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..97c0b7057
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = dave@strongswan.org
+ aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-dave {
+ id = dave@strongswan.org
+ secret = UgaM65Va
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bf614014d
--- /dev/null
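Review bot: `secret = UgaM65Va` in dave's `eap-dave` block differs from the `W7R0g3do` that alice's `users` files in this test carry for dave, and nothing in this file says the mismatch is deliberate; only the description.txt earlier in the diff explains that dave is meant to fail. Someone "fixing" the fixture would silently turn the negative case into a positive one and the evaltest lines for dave's failure would then go red for a non-obvious reason. A comment on that line would prevent it: `secret = UgaM65Va # deliberately wrong: dave must fail EAP-MD5, see description.txt`.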
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..ad6d62896
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ id = *@strongswan.org
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/posttest.dat b/testing/tests/swanctl/rw-eap-peap-radius/posttest.dat
new file mode 100644
index 000000000..96b011090
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/posttest.dat
@@ -0,0 +1,7 @@
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/pretest.dat b/testing/tests/swanctl/rw-eap-peap-radius/pretest.dat
new file mode 100644
index 000000000..ff5f6e164
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/pretest.dat
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-peap-radius/test.conf b/testing/tests/swanctl/rw-eap-peap-radius/test.conf
new file mode 100644
index 000000000..0e5512b65
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-peap-radius/test.conf
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol winnetou dave moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/description.txt b/testing/tests/swanctl/rw-eap-sim-id-radius/description.txt
new file mode 100644
index 000000000..41abb363c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/description.txt
@@ -0,0 +1,13 @@
+The roadwarrior carol sets up a connection to gateway moon.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 digital signature accompanied by an X.509 certificate.
+
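Review bot: The third line of this pretest.dat repeats `carol::iptables-restore < /etc/iptables.rules`, so dave's firewall rules are never loaded before the test even though this test's own posttest flushes them on dave and the rw-eap-peap-mschapv2 pretest earlier in the diff runs the restore on moon, carol and dave. The line should read `dave::iptables-restore < /etc/iptables.rules`. The evaltest for this test never exercises dave's data path, which is presumably why the copy-paste slip goes unnoticed.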

+Next carol uses the GSM Subscriber Identity Module (EAP-SIM)
+method of the Extensible Authentication Protocol to authenticate herself.
+In this scenario triplets from the file /etc/ipsec.d/triplets.dat are used
+instead of a physical SIM card.
+

+The gateway forwards all EAP messages to the RADIUS server alice
+which also uses static triplets. In addition to her IKEv2 identity
+carol@strongswan.org, roadwarrior carol uses the EAP
+identity 228060123456001.
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat
new file mode 100644
index 000000000..038a2c1e1
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=228060123456001.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2057b5193
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,58 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ files
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..1c281a974
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1 @@
+228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+ default_eap_type = sim
+ sim {
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..783587b55
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm LOCAL {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..1dc666992
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,53 @@
+authorize {
+ files
+ update reply {
+ EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}"
+ EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}"
+ EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}"
+ EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}"
+ EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}"
+ EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}"
+ EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}"
+ EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}"
+ EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}"
+ }
+ eap {
+ ok = return
+ }
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..1c281a974
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat
new file mode 100644
index 000000000..c167ba940
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat
@@ -0,0 +1,3 @@
+228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
+228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
+228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..11ae80c1e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-sim eap-sim-file updown
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..2576209ef
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ eap_id=228060123456001
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules
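Review bot: `eap_id=228060123456001` in carol's `local` section is the only key in this swanctl.conf written without spaces around `=`; the sibling `id = carol@strongswan.org` and every other key in the file use ` = `, as does `eap_id = %any` in moon's swanctl.conf for the same test. Suggest `eap_id = 228060123456001` so the file reads uniformly and a grep for `eap_id =` across the test tree finds it.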
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..fa363c345
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..682136230
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ eap_id = %any
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat
new file mode 100644
index 000000000..f32a56960
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat
@@ -0,0 +1,5 @@
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat
new file mode 100644
index 000000000..5d875ee77
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat
@@ -0,0 +1,10 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+carol::cat /etc/ipsec.d/triplets.dat
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/test.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/test.conf
new file mode 100644
index 000000000..0d9e9f3d4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-id-radius/test.conf
@@ -0,0 +1,29 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice carol moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/description.txt b/testing/tests/swanctl/rw-eap-sim-only-radius/description.txt new file mode 100644 index 000000000..26de3c982 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/description.txt @@ -0,0 +1,15 @@ +The roadwarriors carol and dave set up a connection to gateway moon. +At the outset the gateway does not send an AUTH payload thus signalling +a mutual EAP-only authentication. +

+Next the clients use the GSM Subscriber Identity Module (EAP-SIM) +method of the Extensible Authentication Protocol to authenticate themselves. +In this scenario triplets from the file /etc/ipsec.d/triplets.dat are used +instead of a physical SIM card. +

+The gateway forwards all EAP messages to the RADIUS server alice +which also uses static triplets. +

+The roadwarrior dave sends wrong EAP-SIM triplets. As a consequence +the RADIUS server alice returns an Access-Reject message +and the gateway moon sends back EAP_FAILURE. diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat new file mode 100644 index 000000000..3d3359775 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat 
@@ -0,0 +1,13 @@
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
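Review bot: The rejection of dave is verified only through log lines and the ICMP probe (`dave:: ping ... ::NO`); nothing asserts that moon actually holds no IKE_SA or CHILD_SA for dave, so a gateway that logs the RADIUS failure yet still installs an SA, or a ping that fails for an unrelated routing reason, would still pass. I would add `moon:: swanctl --list-sas --raw 2> /dev/null::remote-id=dave@strongswan.org::NO` next to the existing `--list-sas` check so the negative case is pinned on moon's SA state rather than on a side effect. A matching `dave::swanctl --list-sas --raw 2> /dev/null::state=ESTABLISHED::NO` would close the same gap from the client side.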
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..7d8023951 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..71fa4f18c --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,59 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + suffix + files + eap { + ok = return + } + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb 
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..a74267d30 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1,2 @@ +carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB +dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..7d8023951 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} 
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default new file mode 100644 index 000000000..51b64a74b --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default @@ -0,0 +1,72 @@ +authorize { + preprocess + chap + mschap + files + suffix + update reply { + EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}" + EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}" + EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}" + EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}" + EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}" + EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}" + EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}" + EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}" + EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}" + } + eap { + ok = return + } + unix + files + expiration + logintime + pap +} + +authenticate { + Auth-Type PAP { + pap + } + Auth-Type CHAP { + chap + } + Auth-Type MS-CHAP { + mschap + } + unix + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users new file mode 100644 index 000000000..a74267d30 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users 
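Review bot: The legacy site's `authorize`/`authenticate` sections enable `chap`, `mschap`, `pap` and `unix` although this test exercises EAP-SIM only and the `users` file sets `EAP-Type := SIM` for both entries; the FreeRADIUS 3.0 `default` site added by the same commit limits `authenticate` to `eap`. Keeping the extra modules active on alice widens the set of authentication paths the server will consider for an Access-Request, none of which the evaltest validates. Unless the 2.x layout is intentionally shared verbatim with the other RADIUS tests, I would trim `authenticate` to `eap` and drop `chap`, `mschap`, `unix` and `pap` from `authorize`, mirroring the 3.0 site.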
@@ -0,0 +1,2 @@ +carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB +dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat new file mode 100644 index 000000000..83906807f --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat @@ -0,0 +1,3 @@ +carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB +carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB +carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..bcd8ef0e3 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf 
@@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown +} diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..a73f3003c --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = carol@strongswan.org + } + remote { + auth = eap + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat new file mode 100644 index 000000000..a02a42c0d --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat @@ -0,0 +1,3 @@ +dave@strongswan.org,33000000000000000000000000000000,33112244,335566778899AABB +dave@strongswan.org,34000000000000000000000000000000,34112244,345566778899AABB +dave@strongswan.org,35000000000000000000000000000000,35112244,355566778899AABB diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..bcd8ef0e3 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf 
@@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown +} diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..0b1ffc462 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = dave@strongswan.org + } + remote { + auth = eap + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules 
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf new file mode 100644
index 000000000..bf614014d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755
index 000000000..09a2a5358
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf
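Review bot: In this EAP-only scenario moon's own AUTH payload is derived from the MSK that alice hands back over RADIUS, so the static 8-character `secret = gv6URkSs` is the only protection for that keying material and for the Access-Accept on the eth1 leg, and it is committed in a file added as 100644. That is acceptable on the isolated test network, but nothing in the config says so and these files are what people copy into real deployments. I would put `# RADIUS shared secret; in EAP-only mode it protects the MSK moon authenticates with. Test value only, use a long random secret in production` above `secret`. How the MSK is carried (presumably in MS-MPPE key attributes encrypted under this secret) is not visible in the hunk, so confirm against the eap-radius plugin before wording the comment.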
@@ -0,0 +1,26 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/posttest.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/posttest.dat new file mode 100644
index 000000000..96b011090
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/posttest.dat
@@ -0,0 +1,7 @@
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat new file mode 100644
index 000000000..66c829747
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat
@@ -0,0 +1,16 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+carol::cat /etc/ipsec.d/triplets.dat
+dave::cat /etc/ipsec.d/triplets.dat
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
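Review bot: `certs = moonCert.pem` sits under a `local` block whose `auth = eap`, i.e. moon authenticates with the EAP MSK and, per the test description, sends no signature AUTH at all; as far as I can tell the certificate is therefore never used here and reads as a leftover from the pubkey variant of this test. Either drop the line or annotate it so the next reader does not assume moon is certificate-authenticated, e.g. `# EAP-only responder (RFC 5998): AUTH is computed from the EAP-SIM MSK, the certificate is not used for IKE authentication`. `send_certreq = no` is consistent with that and would benefit from the same one-line why.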
diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/test.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/test.conf new file mode 100644 index 000000000..93f23f1d6 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/test.conf @@ -0,0 +1,29 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-sim-radius/description.txt b/testing/tests/swanctl/rw-eap-sim-radius/description.txt new file mode 100644 index 000000000..5cb1bacdc --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/description.txt @@ -0,0 +1,15 @@ +The roadwarriors carol and dave set up a connection to gateway moon. +At the outset the gateway authenticates itself to the clients by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next the clients use the GSM Subscriber Identity Module (EAP-SIM) +method of the Extensible Authentication Protocol to authenticate themselves. +In this scenario triplets from the file /etc/ipsec.d/triplets.dat are used +instead of a physical SIM card. +

+The gateway forwards all EAP messages to the RADIUS server alice +which also uses static triplets. +

+The roadwarrior dave sends wrong EAP-SIM triplets. As a consequence +the RADIUS server alice returns an Access-Reject message +and the gateway moon sends back EAP_FAILURE. diff --git a/testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat new file mode 100644 index 000000000..476e4e1fc --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat 
@@ -0,0 +1,13 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
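Review bot: As in the EAP-only sibling test, dave's failed authentication is only confirmed by log lines and the `dave:: ping ... ::NO` probe; the `moon:: swanctl --list-sas --ike-id 1` line inspects carol's SA only, so an SA wrongly established for dave would go unnoticed. I would add `moon:: swanctl --list-sas --raw 2> /dev/null::remote-id=dave@strongswan.org::NO` after it, making the rejection an assertion on moon's SA table instead of on reachability.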
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..7d8023951 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..71fa4f18c --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,59 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + suffix + files + eap { + ok = return + } + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb 
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..a74267d30 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1,2 @@ +carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB +dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..7d8023951 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} 
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default new file mode 100644 index 000000000..51b64a74b --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default @@ -0,0 +1,72 @@ +authorize { + preprocess + chap + mschap + files + suffix + update reply { + EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}" + EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}" + EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}" + EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}" + EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}" + EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}" + EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}" + EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}" + EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}" + } + eap { + ok = return + } + unix + files + expiration + logintime + pap +} + +authenticate { + Auth-Type PAP { + pap + } + Auth-Type CHAP { + chap + } + Auth-Type MS-CHAP { + mschap + } + unix + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/users new file mode 100644 index 000000000..a74267d30 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/users 
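Review bot: This legacy FreeRADIUS site again enables `chap`, `mschap`, `pap` and `unix` in `authorize`/`authenticate` for a test that only drives EAP-SIM, while the 3.0 site in the same directory authenticates with `eap` alone. The extra modules add authentication paths on alice that nothing in the evaltest exercises; I would reduce `authenticate` to `eap` and remove `chap`, `mschap`, `unix` and `pap` from `authorize` unless the file must stay byte-identical with the other RADIUS tests' 2.x configs.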
@@ -0,0 +1,2 @@ +carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB +dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat new file mode 100644 index 000000000..83906807f --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat @@ -0,0 +1,3 @@ +carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB +carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB +carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..bcd8ef0e3 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf 
@@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown +} diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..1433bb561 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat new file mode 100644 index 000000000..a02a42c0d --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat @@ -0,0 +1,3 @@ +dave@strongswan.org,33000000000000000000000000000000,33112244,335566778899AABB +dave@strongswan.org,34000000000000000000000000000000,34112244,345566778899AABB +dave@strongswan.org,35000000000000000000000000000000,35112244,355566778899AABB diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..bcd8ef0e3 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf 
@@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown +} diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..e573c9933 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/iptables.rules 
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bf614014d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e11667564
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf
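Review bot: The `eap-radius` block in moon's strongswan.conf carries the RADIUS shared secret `gv6URkSs` inline with nothing marking it as a fixture value; the same literal is reused for moon under rw-eap-tls-radius, and the client entry alice uses to accept moon must hold the same string but is not part of this hunk. A comment directly above it, `# test-only RADIUS secret; must match alice's client entry for moon`, would keep the two sides paired for whoever edits either next. The iptables hunk preceding it restricts RADIUS to UDP 1812 with PH_IP_ALICE on eth1, which agrees with `server = PH_IP_ALICE` and the absence of a `port` setting, so the network scoping is consistent.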
@@ -0,0 +1,26 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = eap-radius + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-radius/posttest.dat b/testing/tests/swanctl/rw-eap-sim-radius/posttest.dat new file mode 100644 index 000000000..96b011090 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/posttest.dat @@ -0,0 +1,7 @@ +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +alice::killall freeradius +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-sim-radius/pretest.dat b/testing/tests/swanctl/rw-eap-sim-radius/pretest.dat new file mode 100644 index 000000000..66c829747 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/pretest.dat @@ -0,0 +1,16 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +dave::cd /etc/swanctl; rm rsa/* x509/* +carol::cat /etc/ipsec.d/triplets.dat +dave::cat /etc/ipsec.d/triplets.dat +alice::freeradius +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null 
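Review bot: moon's `remote` block in rw-eap-sim-radius is just `auth = eap-radius` with no `id`, so any peer that alice's RADIUS accepts is mapped onto `rw-eap`; the same gateway config under rw-eap-tls-radius pins `id = "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"`. With two roadwarriors (carol and dave) in this scenario the open match is presumably intended, but a comment `# identity comes from RADIUS; no local id constraint by design` would separate intent from omission. The posttest.dat on the same diff line also stops the daemons without a preceding `swanctl --terminate`, unlike the rw-eap-sim-rsa posttest; harmless, but worth aligning.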
diff --git a/testing/tests/swanctl/rw-eap-sim-radius/test.conf b/testing/tests/swanctl/rw-eap-sim-radius/test.conf new file mode 100644 index 000000000..93f23f1d6 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/test.conf @@ -0,0 +1,29 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/description.txt b/testing/tests/swanctl/rw-eap-sim-rsa/description.txt new file mode 100644 index 000000000..4401e679f --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-rsa/description.txt @@ -0,0 +1,8 @@ +The roadwarrior carol sets up a connection to gateway moon. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol uses the GSM Subscriber Identity Module (EAP-SIM) +method of the Extensible Authentication Protocol to authenticate herself. +In this scenario triplets from the file /etc/ipsec.d/triplets.dat are used +instead of a physical SIM card. diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat new file mode 100644 index 000000000..1e967896e --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat 
@@ -0,0 +1,9 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat new file mode 100644 index 000000000..83906807f --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat 
@@ -0,0 +1,3 @@ +carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB +carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB +carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..bcd8ef0e3 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown +} diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..1433bb561 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat new file mode 100644 index 000000000..83906807f --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat 
@@ -0,0 +1,3 @@ +carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB +carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB +carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..bcd8ef0e3 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown +} diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..6028df452 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = eap-sim + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat new file mode 100644 index 000000000..2b00bea8e --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat 
@@ -0,0 +1,5 @@ +carol::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat new file mode 100644 index 000000000..8cc1c4dc5 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/test.conf b/testing/tests/swanctl/rw-eap-sim-rsa/test.conf new file mode 100644 index 000000000..97b89cb61 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-rsa/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice carol moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-tls-only/description.txt b/testing/tests/swanctl/rw-eap-tls-only/description.txt new file mode 100644 index 000000000..b3e0450a4 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-only/description.txt 
@@ -0,0 +1,4 @@ +The roadwarrior carol sets up a connection to gateway moon. +The strong mutual authentication of both peers is based on EAP-TLS only +(without a separate IKEv2 authentication), using TLS client and server certificates, +respectively. diff --git a/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat b/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat new file mode 100644 index 000000000..52dc51a62 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat 
@@ -0,0 +1,10 @@ +carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES +carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES 
diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..c25dc8398 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown + + multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } +} diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..cc3e77095 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap-tls + certs = carolCert.pem + } + remote { + auth = eap-tls + id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..c69b0d77b --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf 
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
\ No newline at end of file
diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..51150c77c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-tls
+ certs = moonCert.pem
+ }
+ remote {
+ auth = eap-tls
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-only/posttest.dat b/testing/tests/swanctl/rw-eap-tls-only/posttest.dat
new file mode 100644
index 000000000..2b00bea8e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-only/posttest.dat
@@ -0,0 +1,5 @@
+carol::swanctl --terminate --ike home
+carol::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-tls-only/pretest.dat b/testing/tests/swanctl/rw-eap-tls-only/pretest.dat
new file mode 100644
index 000000000..90445d430
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-only/pretest.dat
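Review bot: moon's strongswan.conf ends with `\ No newline at end of file`; add the trailing newline so the file matches its siblings and later diffs stay clean. The `libtls.suites` line is what makes the `negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_GCM_SHA256` assertion in this scenario's evaltest pass, since carol's strongswan.conf sets no suites, so a comment `# first suite is what evaltest.dat expects to see negotiated` above it would protect the test from a well-meaning reorder (presumably the server-side order decides here; confirm against libtls). In the swanctl.conf hunk on the same line, moon's `remote { auth = eap-tls }` has no `id`, which accepts any client certificate the trusted CA issued; that is the roadwarrior intent, but it deserves the same one-line comment.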
@@ -0,0 +1,7 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-tls-only/test.conf b/testing/tests/swanctl/rw-eap-tls-only/test.conf new file mode 100644 index 000000000..97b89cb61 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-only/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice carol moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-tls-radius/description.txt b/testing/tests/swanctl/rw-eap-tls-radius/description.txt new file mode 100644 index 000000000..d635ae33e --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/description.txt @@ -0,0 +1,7 @@ +The roadwarrior carol sets up a connection to gateway moon. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol uses a mutual EAP-TLS authentication based +on X.509 certificates. The gateway forwards all EAP messages to the +AAA RADIUS server alice. diff --git a/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat new file mode 100644 index 000000000..e3b7cf39a --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat 
@@ -0,0 +1,9 @@ +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA.* successful::YES +carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES 
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..e8670dbb7
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,16 @@
+eap {
+ default_eap_type = tls
+
+ tls-config tls-common {
+ private_key_file = ${certdir}/aaaKey.pem
+ certificate_file = ${certdir}/aaaCert.pem
+ ca_file = ${cadir}/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = ${certdir}/dh
+ random_file = ${certdir}/random
+ }
+
+ tls {
+ tls = tls-common
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..e69de29bb
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..060702784
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,55 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ eap {
+ ok = return
+ }
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
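Review bot: `tls-config tls-common` leaves `cipher_list = "DEFAULT"` and sets no minimum TLS version, so for rw-eap-tls-radius the protocol and suite carol ends up with are whatever OpenSSL's default list permits, unlike rw-eap-tls-only where moon pins `libtls.suites`; this scenario's evaltest does not assert a suite, so nothing fails, but a comment `# DEFAULT: no suite/version pinning, evaltest checks authentication only` would record that as a choice. `dh_file = ${certdir}/dh` and `random_file = ${certdir}/random` reference files that this commit does not add; if the test image provisions them, a comment saying so saves the next reader a search, and if it does not, the tls module presumably fails to load. The `listen` block binding only 10.1.0.10 lines up with moon's eth1/PH_IP_ALICE firewall rule, which is fine.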
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..92f96ad66 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,13 @@ +eap { + default_eap_type = tls + tls { + certdir = /etc/raddb/certs + cadir = /etc/raddb/certs + private_key_file = /etc/raddb/certs/aaaKey.pem + certificate_file = /etc/raddb/certs/aaaCert.pem + CA_file = /etc/raddb/certs/strongswanCert.pem + cipher_list = "DEFAULT" + dh_file = /etc/raddb/certs/dh + random_file = /etc/raddb/certs/random + } +} diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default new file mode 100644 index 000000000..18ebf9e9d --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default 
@@ -0,0 +1,41 @@
+authorize {
+ eap {
+ ok = return
+ }
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..585019e47
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-tls updown
+
+ multiple_authentication = no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..58786ba87
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf
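Review bot: The legacy `freeradius/users` file adds `carol Cleartext-Password := "Ar3etTnp"`, yet the 3.0 tree's `users` added in the same change is empty and this scenario authenticates carol by EAP-TLS client certificate, so the password is never consulted; it reads like a leftover from a copied password-based fixture. Either drop the line or annotate it `# unused: EAP-TLS authenticates carol by certificate` so nobody infers that a password path exists. It is also the only cleartext user credential committed in these hunks, which is one more reason not to keep it if it backs no assertion.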
@@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + certs = carolCert.pem + aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + } + remote { + auth = pubkey + id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..bf614014d --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf 
@@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown + + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..ebe5ffab7 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + } + remote { + auth = eap-radius + id = "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org" + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-tls-radius/posttest.dat b/testing/tests/swanctl/rw-eap-tls-radius/posttest.dat new file mode 100644 index 000000000..f32a56960 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/posttest.dat @@ -0,0 +1,5 @@ +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +alice::killall freeradius +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-tls-radius/pretest.dat b/testing/tests/swanctl/rw-eap-tls-radius/pretest.dat new file mode 100644 index 000000000..299fccfeb --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/pretest.dat 
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-tls-radius/test.conf b/testing/tests/swanctl/rw-eap-tls-radius/test.conf
new file mode 100644
index 000000000..0d9e9f3d4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-tls-radius/test.conf
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/description.txt b/testing/tests/swanctl/rw-eap-ttls-only/description.txt
new file mode 100644
index 000000000..19c00531e
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors carol and dave set up a connection each to gateway moon.
+The strong mutual authentication is based on EAP-TTLS only (without a separate IKEv2
+authentication) with the gateway being authenticated by a server certificate during the
+EAP-TLS tunnel setup (phase1 of EAP-TTLS). This tunnel protects the ensuing weak client
+authentication based on EAP-MD5 (phase2 of EAP-TTLS).
+

+With the default setting charon.plugins.eap-ttls.phase2_piggyback = no the server
+moon passively waits for the clients to initiate phase2 of the EAP-TTLS protocol by
+sending a tunneled orphan EAP Identity response upon the reception of the server's TLS
+Finished message. Client carol presents the correct MD5 password and succeeds
+whereas client dave chooses the wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat b/testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat
new file mode 100644
index 000000000..00282ab2b
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat
@@ -0,0 +1,17 @@
+carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 
integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..f39a874a4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..184aaa5d3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..f39a874a4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..a77bd0079
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-dave {
+ id = dave@strongswan.org
+ secret = UgaM65Va
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..860fbf3ac
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,21 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..5ee0c57a3
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,37 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ certs = moonCert.pem
+ }
+ remote {
+ auth = eap-ttls
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = W7R0g3do
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/posttest.dat b/testing/tests/swanctl/rw-eap-ttls-only/posttest.dat
new file mode 100644
index 000000000..199873ba1
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/posttest.dat
@@ -0,0 +1,6 @@
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/pretest.dat b/testing/tests/swanctl/rw-eap-ttls-only/pretest.dat
new file mode 100644
index 000000000..9ae476e64
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/pretest.dat
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-ttls-only/test.conf b/testing/tests/swanctl/rw-eap-ttls-only/test.conf
new file mode 100644
index 000000000..1227b9d1c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-only/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/description.txt b/testing/tests/swanctl/rw-eap-ttls-radius/description.txt
new file mode 100644
index 000000000..479350c2f
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors carol and dave set up a connection each to gateway moon.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 digital signature accompanied by an X.509 certificate.
+

+Next carol and dave et up an EAP-TTLS tunnel each via
+gateway moon to the RADIUS server alice authenticated by an X.509
+AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak client
+authentication based on EAP-MD5. carol presents the correct MD5 password
+and succeeds whereas dave chooses the wrong password and fails.
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat
new file mode 100644
index 000000000..df4f0d550
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat
@@ -0,0 +1,17 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 
dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
new file mode 100644
index 000000000..7450c71c4
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap
@@ -0,0 +1,21 @@
+eap {
+ md5 {
+ }
+ default_eap_type = ttls
+
+ tls-config tls-common {
+ private_key_file = ${certdir}/aaaKey.pem
+ certificate_file = ${certdir}/aaaCert.pem
+ ca_file = ${cadir}/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = ${certdir}/dh
+ random_file = ${certdir}/random
+ }
+
+ ttls {
+ tls = tls-common
+ default_eap_type = md5
+ use_tunneled_reply = yes
+ virtual_server = "inner-tunnel"
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
new file mode 100644
index 000000000..2bbe1d730
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default
@@ -0,0 +1,59 @@
+server default {
+
+listen {
+ type = auth
+ ipaddr = 10.1.0.10
+ port = 0
+}
+
+authorize {
+ preprocess
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
new file mode 100644
index 000000000..6ce9d6391
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel
@@ -0,0 +1,38 @@
+server inner-tunnel {
+
+authorize {
+ filter_username
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ expiration
+ logintime
+}
+
+authenticate {
+ eap
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ update outer.session-state {
+ &Module-Failure-Message := &request:Module-Failure-Message
+ }
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users
@@ -0,0 +1,2 @@
+carol Cleartext-Password := "Ar3etTnp"
+dave Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..c91cd40fb
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,18 @@
+eap {
+ md5 {
+ }
+ default_eap_type = ttls
+ tls {
+ private_key_file = /etc/raddb/certs/aaaKey.pem
+ certificate_file = /etc/raddb/certs/aaaCert.pem
+ CA_file = /etc/raddb/certs/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = /etc/raddb/certs/dh
+ random_file = /etc/raddb/certs/random
+ }
+ ttls {
+ default_eap_type = md5
+ use_tunneled_reply = yes
+ virtual_server = "inner-tunnel"
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..dd0825858
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+ suffix
+ eap {
+ ok = return
+ }
+ files
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
new file mode 100644
index 000000000..e088fae14
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
@@ -0,0 +1,32 @@
+server inner-tunnel {
+
+authorize {
+ suffix
+ eap {
+ ok = return
+ }
+ files
+}
+
+authenticate {
+ eap
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol Cleartext-Password := "Ar3etTnp"
+dave Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85d90ccc1
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..7ffdd1f4c
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..85d90ccc1
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..97c0b7057
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = dave@strongswan.org
+ aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+secrets {
+
+ eap-dave {
+ id = dave@strongswan.org
+ secret = UgaM65Va
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bf614014d
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
+
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..ad6d62896
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ id = *@strongswan.org
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat b/testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat
new file mode 100644
index 000000000..96b011090
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat
@@ -0,0 +1,7 @@
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
+alice::killall freeradius
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat b/testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat
new file mode 100644
index 000000000..ff5f6e164
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/swanctl; rm rsa/* x509/*
+dave::cd /etc/swanctl; rm rsa/* x509/*
+alice::freeradius
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/test.conf b/testing/tests/swanctl/rw-eap-ttls-radius/test.conf
new file mode 100644
index 000000000..0e5512b65
--- /dev/null
+++ b/testing/tests/swanctl/rw-eap-ttls-radius/test.conf
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol winnetou dave moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-11-fhh/description.txt b/testing/tests/tnc/tnccs-11-fhh/description.txt
deleted file mode 100644
index 8ce1157e9..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/description.txt
+++ /dev/null
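Review bot: pretest.dat restores the firewall on carol twice and never on dave: the third line `carol::iptables-restore < /etc/iptables.rules` duplicates the second, while posttest.dat in this same test flushes dave's tables and the sibling rw-eap-ttls-only pretest.dat restores rules on moon, carol and dave. dave therefore runs the scenario with whatever filter policy the guest booted with, which presumably does not change the evaltest verdict but leaves the host unfiltered for the run and makes the test setup asymmetric between the two roadwarriors. Change the duplicated line to `dave::iptables-restore < /etc/iptables.rules`.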
@@ -1,13 +0,0 @@
-The roadwarriors carol and dave set up a connection each to gateway moon
-using EAP-TTLS authentication only with the gateway presenting a server certificate and
-the clients doing EAP-MD5 password-based authentication.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of carol and dave via the IF-TNCCS 1.1 client-server interface.
-The Dummy IMC and IMV from the
-
-TNC@FHH project are used which communicate over a proprietary protocol.
-

-carol passes the health test and dave fails. Based on these measurements the
-clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets,
-respectively.
-
diff --git a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
deleted file mode 100644
index 0b7655bdd..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@ -carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES -dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -moon:: cat /var/log/daemon.log::added group membership 'allow'::YES -moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES -moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES -dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 
local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO -dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES -dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon deleted file mode 100755 index bf3a6891a..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon +++ /dev/null 
@@ -1,158 +0,0 @@ -#! /bin/sh -### BEGIN INIT INFO -# Provides: charon -# Required-Start: $remote_fs $syslog -# Required-Stop: $remote_fs $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: strongSwan charon IKE daemon -# Description: with swanctl the strongSwan charon daemon must be -# running in the background -### END INIT INFO - -# Author: Andreas Steffen -# -# Do NOT "set -e" - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin -DESC="strongSwan charon IKE daemon" -NAME=charon -DAEMON=/usr/local/libexec/ipsec/$NAME -DAEMON_ARGS="" -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/charon - -export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties - -# Exit if the package is not installed -[ -x "$DAEMON" ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.2-14) to ensure that this file is present -# and status_of_proc is working. -. /lib/lsb/init-functions - -# -# Function that starts the daemon/service -# -do_start() -{ - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ - || return 1 - start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \ - $DAEMON_ARGS \ - || return 2 - # Add code here, if necessary, that waits for the process to be ready - # to handle requests from services started subsequently which depend - # on this one. As a last resort, sleep for some time. 
-} - -# -# Function that stops the daemon/service -# -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. - rm -f $PIDFILE - return "$RETVAL" -} - -# -# Function that sends a SIGHUP to the daemon/service -# -do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME - return 0 -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - status) - status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? - ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? 
- #;; - restart|force-reload) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 - echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 - exit 3 - ;; -esac - -: diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf deleted file mode 100644 index b094a3aaa..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon-systemd { - load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown - - multiple_authentication=no - - syslog { - daemon { - tnc = 3 - } - } - plugins { - eap-tnc { - protocol = tnccs-1.1 - } - } -} - -libtls { - suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 -} diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf deleted file mode 100644 index 0f266dd93..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf +++ /dev/null 
@@ -1,35 +0,0 @@ -connections { - - home { - local_addrs = 192.168.0.100 - remote_addrs = 192.168.0.1 - - local { - auth = eap-ttls - id = carol@strongswan.org - } - remote { - auth = eap-ttls - id = moon.strongswan.org - } - children { - home { - remote_ts = 10.1.0.0/16 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-modp3072 - } - } - version = 2 - send_certreq = no - proposals = aes128-sha256-modp3072 - } -} - -secrets { - - eap { - id = carol@strongswan.org - secret = "Ar3etTnp" - } -} diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/dummyimc.file deleted file mode 100644 index f5da834c0..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -allow diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/log4cxx.properties deleted file mode 100644 index b1c694107..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/log4cxx.properties +++ /dev/null @@ -1,15 +0,0 @@ -# Set root logger level to DEBUG and its appenders to A1 and A2. -log4j.rootLogger=DEBUG, A1, A2 - -# A1 is set to be a ConsoleAppender. -log4j.appender.A1=org.apache.log4j.ConsoleAppender -log4j.appender.A1.layout=org.apache.log4j.PatternLayout -log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n - -# A2 is set to be a SyslogAppender -log4j.appender.A2=org.apache.log4j.net.SyslogAppender -log4j.appender.A2.Facility=DAEMON -log4j.appender.A2.SyslogHost=localhost -log4j.appender.A2.Threshold=DEBUG -log4j.appender.A2.layout=org.apache.log4j.PatternLayout -log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc_config deleted file mode 100644 index d2fabe109..000000000 
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
-#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon
deleted file mode 100755
index bf3a6891a..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon
+++ /dev/null
@@ -1,158 +0,0 @@ -#! /bin/sh -### BEGIN INIT INFO -# Provides: charon -# Required-Start: $remote_fs $syslog -# Required-Stop: $remote_fs $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: strongSwan charon IKE daemon -# Description: with swanctl the strongSwan charon daemon must be -# running in the background -### END INIT INFO - -# Author: Andreas Steffen -# -# Do NOT "set -e" - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin -DESC="strongSwan charon IKE daemon" -NAME=charon -DAEMON=/usr/local/libexec/ipsec/$NAME -DAEMON_ARGS="" -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/charon - -export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties - -# Exit if the package is not installed -[ -x "$DAEMON" ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.2-14) to ensure that this file is present -# and status_of_proc is working. -. /lib/lsb/init-functions - -# -# Function that starts the daemon/service -# -do_start() -{ - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ - || return 1 - start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \ - $DAEMON_ARGS \ - || return 2 - # Add code here, if necessary, that waits for the process to be ready - # to handle requests from services started subsequently which depend - # on this one. As a last resort, sleep for some time. 
-} - -# -# Function that stops the daemon/service -# -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. - rm -f $PIDFILE - return "$RETVAL" -} - -# -# Function that sends a SIGHUP to the daemon/service -# -do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME - return 0 -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - status) - status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? - ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? 
- #;; - restart|force-reload) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 - echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 - exit 3 - ;; -esac - -: diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf deleted file mode 100644 index b094a3aaa..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon-systemd { - load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown - - multiple_authentication=no - - syslog { - daemon { - tnc = 3 - } - } - plugins { - eap-tnc { - protocol = tnccs-1.1 - } - } -} - -libtls { - suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 -} diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf deleted file mode 100644 index 989ab88c7..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf +++ /dev/null 
@@ -1,35 +0,0 @@ -connections { - - home { - local_addrs = 192.168.0.200 - remote_addrs = 192.168.0.1 - - local { - auth = eap-ttls - id = dave@strongswan.org - } - remote { - auth = eap-ttls - id = moon.strongswan.org - } - children { - home { - remote_ts = 10.1.0.0/16 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-modp3072 - } - } - version = 2 - send_certreq = no - proposals = aes128-sha256-modp3072 - } -} - -secrets { - - eap { - id = dave@strongswan.org - secret = "W7R0g3do" - } -} diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/dummyimc.file deleted file mode 100644 index c20b5e57f..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -isolate \ No newline at end of file diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/log4cxx.properties deleted file mode 100644 index b1c694107..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/log4cxx.properties +++ /dev/null @@ -1,15 +0,0 @@ -# Set root logger level to DEBUG and its appenders to A1 and A2. -log4j.rootLogger=DEBUG, A1, A2 - -# A1 is set to be a ConsoleAppender. -log4j.appender.A1=org.apache.log4j.ConsoleAppender -log4j.appender.A1.layout=org.apache.log4j.PatternLayout -log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n - -# A2 is set to be a SyslogAppender -log4j.appender.A2=org.apache.log4j.net.SyslogAppender -log4j.appender.A2.Facility=DAEMON -log4j.appender.A2.SyslogHost=localhost -log4j.appender.A2.Threshold=DEBUG -log4j.appender.A2.layout=org.apache.log4j.PatternLayout -log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc_config deleted file mode 100644 index d2fabe109..000000000 
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
-#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon
deleted file mode 100755
index bf3a6891a..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon
+++ /dev/null
@@ -1,158 +0,0 @@ -#! /bin/sh -### BEGIN INIT INFO -# Provides: charon -# Required-Start: $remote_fs $syslog -# Required-Stop: $remote_fs $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: strongSwan charon IKE daemon -# Description: with swanctl the strongSwan charon daemon must be -# running in the background -### END INIT INFO - -# Author: Andreas Steffen -# -# Do NOT "set -e" - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin -DESC="strongSwan charon IKE daemon" -NAME=charon -DAEMON=/usr/local/libexec/ipsec/$NAME -DAEMON_ARGS="" -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/charon - -export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties - -# Exit if the package is not installed -[ -x "$DAEMON" ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.2-14) to ensure that this file is present -# and status_of_proc is working. -. /lib/lsb/init-functions - -# -# Function that starts the daemon/service -# -do_start() -{ - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ - || return 1 - start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \ - $DAEMON_ARGS \ - || return 2 - # Add code here, if necessary, that waits for the process to be ready - # to handle requests from services started subsequently which depend - # on this one. As a last resort, sleep for some time. 
-} - -# -# Function that stops the daemon/service -# -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. - rm -f $PIDFILE - return "$RETVAL" -} - -# -# Function that sends a SIGHUP to the daemon/service -# -do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME - return 0 -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - status) - status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? - ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? 
- #;; - restart|force-reload) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 - echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 - exit 3 - ;; -esac - -: diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf deleted file mode 100644 index aacee2221..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,28 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon-systemd { - load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown - - multiple_authentication = no - - syslog { - daemon { - tnc = 3 - } - } - plugins { - eap-ttls { - phase2_method = md5 - phase2_piggyback = yes - phase2_tnc = yes - phase2_tnc_method = tnc - } - eap-tnc { - protocol = tnccs-1.1 - } - } -} - -libtls { - suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 -} diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf deleted file mode 100644 index 1238c1a91..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf +++ /dev/null 
@@ -1,64 +0,0 @@ -connections { - - rw-allow { - local_addrs = 192.168.0.1 - - local { - auth = eap-ttls - id = moon.strongswan.org - } - remote { - auth = eap-ttls - id = *@strongswan.org - groups = allow - } - children { - rw-allow { - local_ts = 10.1.0.0/28 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-modp3072 - } - } - version = 2 - send_certreq = no - proposals = aes128-sha256-modp3072 - } - - rw-isolate { - local_addrs = 192.168.0.1 - - local { - auth = eap-ttls - id = moon.strongswan.org - } - remote { - auth = eap-ttls - id = *@strongswan.org - groups = isolate - } - children { - rw-isolate { - local_ts = 10.1.0.16/28 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-modp3072 - } - } - version = 2 - send_certreq = no - proposals = aes128-sha256-modp3072 - } -} - -secrets { - - eap-carol { - id = carol@strongswan.org - secret = "Ar3etTnp" - } - eap-dave { - id = dave@strongswan.org - secret = "W7R0g3do" - } -} diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/dummyimv.policy deleted file mode 100644 index d00491fd7..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/dummyimv.policy +++ /dev/null @@ -1 +0,0 @@ -1 diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/hostscannerimv.policy b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/hostscannerimv.policy deleted file mode 100644 index d8215dd3c..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/hostscannerimv.policy +++ /dev/null 
@@ -1,40 +0,0 @@ -#FTP - File Transfer Protocol -TCP 20 = whatever -TCP 21 = close - -#SSH - Secure Shell -TCP 22 = whatever - -#Telnet -TCP 23 = close - -#E-Mail -# -#SMTP - Simple Mail Transfer Protocol -TCP 25 = close -TCP 587 = close -#POP3 - Post Office Protocol version 3 -TCP 110 = close -TCP 995 = close - -#DNS - Domain Name System -UDP 53 = close -TCP 53 = close - -#BOOTP/DHCP - Bootstrap Protocol / -#Dynamic Host Configuration Protocol -UDP 67 = close -#UDP 68 = open -UDP 68 = whatever - -#www - World Wide Web -#HTTP - Hypertext Transfer Protocol -TCP 80 = close -#HTTPS - Hypertext Transfer Protocol Secure -TCP 443 = close - -#examples -TCP 8080 = close -TCP 5223 = whatever -UDP 4444 = close -UDP 631 = whatever diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/log4cxx.properties deleted file mode 100644 index 122d798b3..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/log4cxx.properties +++ /dev/null @@ -1,15 +0,0 @@ -# Set root logger level to DEBUG and its appenders to A1 and A2. -log4j.rootLogger=DEBUG, A1, A2 - -# A1 is set to be a ConsoleAppender. -log4j.appender.A1=org.apache.log4j.ConsoleAppender -log4j.appender.A1.layout=org.apache.log4j.PatternLayout -log4j.appender.A1.layout.ConversionPattern=--[IMV] %m%n - -# A2 is set to be a SyslogAppender -log4j.appender.A2=org.apache.log4j.net.SyslogAppender -log4j.appender.A2.Facility=DAEMON -log4j.appender.A2.SyslogHost=localhost -log4j.appender.A2.Threshold=DEBUG -log4j.appender.A2.layout=org.apache.log4j.PatternLayout -log4j.appender.A2.layout.ConversionPattern=--[IMV] %m%n diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc_config deleted file mode 100644 index 140caa98f..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc_config +++ /dev/null 
@@ -1,4 +0,0 @@
-#IMV configuration file for strongSwan server
-
-IMV "Dummy" /usr/local/lib/libdummyimv.so
-#IMV "HostScanner" /usr/local/lib/libhostscannerimv.so
diff --git a/testing/tests/tnc/tnccs-11-fhh/posttest.dat b/testing/tests/tnc/tnccs-11-fhh/posttest.dat
deleted file mode 100644
index 199873ba1..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-carol::systemctl stop strongswan-swanctl
-dave::systemctl stop strongswan-swanctl
-moon::systemctl stop strongswan-swanctl
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-11-fhh/pretest.dat b/testing/tests/tnc/tnccs-11-fhh/pretest.dat
deleted file mode 100644
index 79340af29..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/pretest.dat
+++ /dev/null
@@ -1,20 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::cat /etc/tnc/dummyimc.file
-dave::cat /etc/tnc/dummyimc.file
-carol::rm /etc/swanctl/rsa/*
-dave::rm /etc/swanctl/rsa/*
-carol::rm /etc/swanctl/x509/*
-dave::rm /etc/swanctl/x509/*
-moon::systemctl start strongswan-swanctl
-carol::systemctl start strongswan-swanctl
-dave::systemctl start strongswan-swanctl
-moon::expect-connection rw-allow
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-11-fhh/test.conf b/testing/tests/tnc/tnccs-11-fhh/test.conf
deleted file mode 100644
index 61f2312af..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/test.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# Guest instances on which FreeRadius is started
-#
-RADIUSHOSTS=
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-11-radius-block/description.txt b/testing/tests/tnc/tnccs-11-radius-block/description.txt
deleted file mode 100644
index 67b1a2a34..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/description.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-The roadwarriors carol and dave set up a connection each to gateway moon. -At the outset the gateway authenticates itself to the clients by sending an IKEv2 -RSA signature accompanied by a certificate. -carol and dave then set up an EAP-TTLS tunnel each via moon to the - -TNC@FHH-enhanced FreeRADIUS server alice authenticated by an X.509 AAA certificate. -The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of carol and dave via the IF-TNCCS 1.1 client-server interface. -The IMC and IMV communicate are using the IF-M protocol defined by RFC 5792 PA-TNC. -

-carol passes the health test and dave fails. Based on these measurements carol -is authenticated successfully and is granted access to the subnet behind moon whereas -dave fails the layered EAP authentication and is rejected. diff --git a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat deleted file mode 100644 index b2fc61949..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat +++ /dev/null 
@@ -1,15 +0,0 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES -carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES -dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES -dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES -moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES -moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES -dave:: swanctl --list-sas --raw 2> /dev/null::home::NO -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw::NO -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES 
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf deleted file mode 100644 index 31556361e..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf +++ /dev/null @@ -1,25 +0,0 @@ -eap { - md5 { - } - default_eap_type = ttls - tls { - private_key_file = /etc/raddb/certs/aaaKey.pem - certificate_file = /etc/raddb/certs/aaaCert.pem - CA_file = /etc/raddb/certs/strongswanCert.pem - cipher_list = "DEFAULT" - dh_file = /etc/raddb/certs/dh - random_file = /etc/raddb/certs/random - } - ttls { - default_eap_type = md5 - use_tunneled_reply = yes - virtual_server = "inner-tunnel" - tnc_virtual_server = "inner-tunnel-second" - } -} - -eap eap_tnc { - default_eap_type = tnc - tnc { - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf deleted file mode 100644 index 23cba8d11..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf +++ /dev/null @@ -1,5 +0,0 @@ -realm strongswan.org { - type = radius - authhost = LOCAL - accthost = LOCAL -} diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default deleted file mode 100644 index dd0825858..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default +++ /dev/null 
@@ -1,43 +0,0 @@ -authorize { - suffix - eap { - ok = return - } - files -} - -authenticate { - eap -} - -preacct { - preprocess - acct_unique - suffix - files -} - -accounting { - detail - unix - radutmp - attr_filter.accounting_response -} - -session { - radutmp -} - -post-auth { - exec - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -pre-proxy { -} - -post-proxy { - eap -} diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel deleted file mode 100644 index e088fae14..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel +++ /dev/null @@ -1,32 +0,0 @@ -server inner-tunnel { - -authorize { - suffix - eap { - ok = return - } - files -} - -authenticate { - eap -} - -session { - radutmp -} - -post-auth { - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -pre-proxy { -} - -post-proxy { - eap -} - -} # inner-tunnel server block diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second deleted file mode 100644 index c5bde6a9e..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second +++ /dev/null @@ -1,36 +0,0 @@ -server inner-tunnel-second { - -authorize { - eap_tnc { - ok = return - } -} - -authenticate { - eap_tnc -} - -session { - radutmp -} - -post-auth { - if (control:TNC-Status == "Access") { - update reply { - Tunnel-Type := ESP - Filter-Id := "allow" - } - } - elsif (control:TNC-Status == "Isolate") { - update reply { - Tunnel-Type := ESP - Filter-Id := "isolate" - } - } - - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -} # inner-tunnel-second block 
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users deleted file mode 100644 index 50ccf3e76..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users +++ /dev/null @@ -1,2 +0,0 @@ -carol Cleartext-Password := "Ar3etTnp" -dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf deleted file mode 100644 index 7622801ab..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf +++ /dev/null @@ -1,12 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -libimcv { - load = random nonce sha1 sha2 md5 gmp pubkey x509 - debug_level = 3 - assessment_result = no - plugins { - imv-test { - rounds = 1 - } - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc/log4cxx.properties deleted file mode 100644 index 2bdc6e4de..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc/log4cxx.properties +++ /dev/null @@ -1,15 +0,0 @@ -# Set root logger level to DEBUG and its appenders to A1 and A2. -log4j.rootLogger=DEBUG, A1, A2 - -# A1 is set to be a ConsoleAppender. -log4j.appender.A1=org.apache.log4j.ConsoleAppender -log4j.appender.A1.layout=org.apache.log4j.PatternLayout -log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n - -# A2 is set to be a SyslogAppender -log4j.appender.A2=org.apache.log4j.net.SyslogAppender -log4j.appender.A2.Facility=DAEMON -log4j.appender.A2.SyslogHost=localhost -log4j.appender.A2.Threshold=DEBUG -log4j.appender.A2.layout=org.apache.log4j.PatternLayout -log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n 
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc_config deleted file mode 100644 index da732f68b..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMV configuration file for strongSwan client - -IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so -IMV "Scanner" /usr/local/lib/ipsec/imcvs/imv-scanner.so diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 305a9d1e6..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,27 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon-systemd { - load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown - - multiple_authentication=no - - syslog { - daemon { - tnc = 3 - imc = 3 - } - } - plugins { - eap-tnc { - protocol = tnccs-1.1 - } - } -} - -libimcv { - plugins { - imc-test { - command = allow - } - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf deleted file mode 100644 index ff58c7c9a..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf +++ /dev/null 
@@ -1,35 +0,0 @@ -connections { - - home { - local_addrs = 192.168.0.100 - remote_addrs = 192.168.0.1 - - local { - auth = eap - aaa_id = aaa.strongswan.org - id = carol@strongswan.org - } - remote { - auth = pubkey - id = moon.strongswan.org - } - children { - home { - remote_ts = 10.1.0.0/16 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-modp3072 - } - } - version = 2 - proposals = aes128-sha256-modp3072 - } -} - -secrets { - - eap { - id = carol@strongswan.org - secret = "Ar3etTnp" - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/tnc_config deleted file mode 100644 index 6166552f5..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so -IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 5d17eb638..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,30 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon-systemd { - load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown - - multiple_authentication=no - - syslog { - daemon { - tnc = 3 - imc = 3 - } - } - plugins { - eap-tnc { - protocol = tnccs-1.1 - } - } -} - -libimcv { - plugins { - imc-test { - command = none - } - imc-scanner { - push_info = no - } - } -} 
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf deleted file mode 100644 index 5af2098b6..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf +++ /dev/null @@ -1,35 +0,0 @@ -connections { - - home { - local_addrs = 192.168.0.200 - remote_addrs = 192.168.0.1 - - local { - auth = eap - aaa_id = aaa.strongswan.org - id = dave@strongswan.org - } - remote { - auth = pubkey - id = moon.strongswan.org - } - children { - home { - remote_ts = 10.1.0.0/16 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-modp3072 - } - } - version = 2 - proposals = aes128-sha256-modp3072 - } -} - -secrets { - - eap { - id = dave@strongswan.org - secret = "W7R0g3do" - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/tnc_config deleted file mode 100644 index 6166552f5..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so -IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules deleted file mode 100644 index 1eb755354..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules +++ /dev/null 
@@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - -# allow RADIUS protocol with alice --A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT --A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT - -COMMIT diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 4c9dd6e1f..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,15 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon-systemd { - load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown - - multiple_authentication=no - - plugins { - eap-radius { - secret = gv6URkSs - server = 10.1.0.10 - filter_id = yes - } - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf deleted file mode 100644 index 28b32b74c..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf +++ /dev/null 
@@ -1,27 +0,0 @@ -connections { - - rw { - local_addrs = 192.168.0.1 - - local { - auth = pubkey - id = moon.strongswan.org - certs = moonCert.pem - } - remote { - auth = eap-radius - id = *@strongswan.org - } - children { - rw { - local_ts = 10.1.0.0/16 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-modp3072 - } - } - version = 2 - send_certreq = no - proposals = aes128-sha256-modp3072 - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat b/testing/tests/tnc/tnccs-11-radius-block/posttest.dat deleted file mode 100644 index 0d96563c1..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -carol::systemctl stop strongswan-swanctl -dave::systemctl stop strongswan-swanctl -moon::systemctl stop strongswan-swanctl -alice::killall radiusd -alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush -dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat deleted file mode 100644 index efddc609e..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat +++ /dev/null 
@@ -1,21 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -dave::iptables-restore < /etc/iptables.rules -alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second -alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second -alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd -alice::cat /etc/tnc_config -carol::cat /etc/tnc_config -dave::cat /etc/tnc_config -carol::rm /etc/swanctl/rsa/* -dave::rm /etc/swanctl/rsa/* -carol::rm /etc/swanctl/x509/* -dave::rm /etc/swanctl/x509/* -moon::systemctl start strongswan-swanctl -carol::systemctl start strongswan-swanctl -dave::systemctl start strongswan-swanctl -moon::expect-connection rw -carol::expect-connection home -carol::swanctl --initiate --child home -dave::expect-connection home -dave::swanctl --initiate --child home diff --git a/testing/tests/tnc/tnccs-11-radius-block/test.conf b/testing/tests/tnc/tnccs-11-radius-block/test.conf deleted file mode 100644 index 8d7f51449..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/test.conf +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice venus moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" - -# Guest instances on which FreeRadius is started -# -RADIUSHOSTS="alice" - -# charon controlled by swanctl -# -SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-11-radius-pts/description.txt b/testing/tests/tnc/tnccs-11-radius-pts/description.txt deleted file mode 100644 index d5729dd7b..000000000 
--- a/testing/tests/tnc/tnccs-11-radius-pts/description.txt +++ /dev/null @@ -1,14 +0,0 @@ -The roadwarriors carol and dave set up a connection each to gateway moon. -At the outset the gateway authenticates itself to the clients by sending an IKEv2 -RSA signature accompanied by a certificate. -carol and dave then set up an EAP-TTLS tunnel each via moon to the - -TNC@FHH-enhanced FreeRADIUS server alice authenticated by an X.509 AAA certificate. -The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of carol and dave via the IF-TNCCS 1.1 client-server interface. -The communication between the OS and Attestation IMC and the Attestation IMV is based on the - IF-M protocol defined by RFC 5792 PA-TNC. -

-carol passes the health test and dave fails. Based on these measurements the clients -are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, respectively. diff --git a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat deleted file mode 100644 index 588ddf469..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat +++ /dev/null 
@@ -1,18 +0,0 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES -carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES -dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES -dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES -moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES -moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES -dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED 
local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO -dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES -dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf deleted file mode 100644 index 31556361e..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf +++ /dev/null 
@@ -1,25 +0,0 @@ -eap { - md5 { - } - default_eap_type = ttls - tls { - private_key_file = /etc/raddb/certs/aaaKey.pem - certificate_file = /etc/raddb/certs/aaaCert.pem - CA_file = /etc/raddb/certs/strongswanCert.pem - cipher_list = "DEFAULT" - dh_file = /etc/raddb/certs/dh - random_file = /etc/raddb/certs/random - } - ttls { - default_eap_type = md5 - use_tunneled_reply = yes - virtual_server = "inner-tunnel" - tnc_virtual_server = "inner-tunnel-second" - } -} - -eap eap_tnc { - default_eap_type = tnc - tnc { - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf deleted file mode 100644 index 23cba8d11..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf +++ /dev/null @@ -1,5 +0,0 @@ -realm strongswan.org { - type = radius - authhost = LOCAL - accthost = LOCAL -} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default deleted file mode 100644 index dd0825858..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default +++ /dev/null @@ -1,43 +0,0 @@ -authorize { - suffix - eap { - ok = return - } - files -} - -authenticate { - eap -} - -preacct { - preprocess - acct_unique - suffix - files -} - -accounting { - detail - unix - radutmp - attr_filter.accounting_response -} - -session { - radutmp -} - -post-auth { - exec - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -pre-proxy { -} - -post-proxy { - eap -} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel deleted file mode 100644 index e088fae14..000000000 
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel +++ /dev/null @@ -1,32 +0,0 @@ -server inner-tunnel { - -authorize { - suffix - eap { - ok = return - } - files -} - -authenticate { - eap -} - -session { - radutmp -} - -post-auth { - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -pre-proxy { -} - -post-proxy { - eap -} - -} # inner-tunnel server block diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second deleted file mode 100644 index c5bde6a9e..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second +++ /dev/null @@ -1,36 +0,0 @@ -server inner-tunnel-second { - -authorize { - eap_tnc { - ok = return - } -} - -authenticate { - eap_tnc -} - -session { - radutmp -} - -post-auth { - if (control:TNC-Status == "Access") { - update reply { - Tunnel-Type := ESP - Filter-Id := "allow" - } - } - elsif (control:TNC-Status == "Isolate") { - update reply { - Tunnel-Type := ESP - Filter-Id := "isolate" - } - } - - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -} # inner-tunnel-second block diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users deleted file mode 100644 index 50ccf3e76..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users +++ /dev/null @@ -1,2 +0,0 @@ -carol Cleartext-Password := "Ar3etTnp" -dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql deleted file mode 100644 index d87b5e7f9..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql +++ /dev/null 
@@ -1,29 +0,0 @@ -/* Devices */ - -INSERT INTO devices ( /* 1 */ - value, product, created -) -SELECT 'aabbccddeeff11223344556677889900', id, 1372330615 -FROM products WHERE name = 'Debian DEBIAN_VERSION x86_64'; - -/* Groups Members */ - -INSERT INTO groups_members ( - group_id, device_id -) VALUES ( - 10, 1 -); - -INSERT INTO enforcements ( - policy, group_id, max_age, rec_fail, rec_noresult -) VALUES ( - 3, 10, 0, 2, 2 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 16, 2, 0 -); - -DELETE FROM enforcements WHERE id = 1; diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf deleted file mode 100644 index a3f4ca12c..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf +++ /dev/null @@ -1,13 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -libimcv { - load = random nonce openssl pubkey sqlite - debug_level = 3 - database = sqlite:///etc/db.d/config.db - policy_script = /usr/local/libexec/ipsec/imv_policy_manager - assessment_result = no -} - -attest { - database = sqlite:///etc/db.d/config.db -} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties deleted file mode 100644 index 2bdc6e4de..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties +++ /dev/null 
@@ -1,15 +0,0 @@ -# Set root logger level to DEBUG and its appenders to A1 and A2. -log4j.rootLogger=DEBUG, A1, A2 - -# A1 is set to be a ConsoleAppender. -log4j.appender.A1=org.apache.log4j.ConsoleAppender -log4j.appender.A1.layout=org.apache.log4j.PatternLayout -log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n - -# A2 is set to be a SyslogAppender -log4j.appender.A2=org.apache.log4j.net.SyslogAppender -log4j.appender.A2.Facility=DAEMON -log4j.appender.A2.SyslogHost=localhost -log4j.appender.A2.Threshold=DEBUG -log4j.appender.A2.layout=org.apache.log4j.PatternLayout -log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config deleted file mode 100644 index b5ac8c178..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMV configuration file for strongSwan client - -IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so -IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf deleted file mode 100644 index a534ac66e..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon-systemd { - load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown - - multiple_authentication=no - - syslog { - daemon { - tnc = 3 - imc = 3 - } - } - plugins { - eap-tnc { - protocol = tnccs-1.1 - } - } -} 
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf deleted file mode 100644 index 1516ad726..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf +++ /dev/null @@ -1,35 +0,0 @@ -connections { - - home { - local_addrs = 192.168.0.100 - remote_addrs = 192.168.0.1 - - local { - auth = eap - aaa_id = aaa.strongswan.org - id = carol@strongswan.org - } - remote { - auth = pubkey - id = moon.strongswan.org - } - children { - home { - remote_ts = 10.1.0.0/16 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-ecp256 - } - } - version = 2 - proposals = aes128-sha256-ecp256 - } -} - -secrets { - - eap { - id = carol@strongswan.org - secret = "Ar3etTnp" - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config deleted file mode 100644 index 15dc93a0a..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so -IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 469e81156..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf +++ /dev/null 
@@ -1,20 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
- multiple_authentication=no
- retransmit_tries = 5
-
- syslog {
- daemon {
- tnc = 3
- imc = 3
- }
- }
- plugins {
- eap-tnc {
- protocol = tnccs-1.1
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf
deleted file mode 100644
index 07b35dcb9..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-connections {
-
- home {
- local_addrs = 192.168.0.200
- remote_addrs = 192.168.0.1
-
- local {
- auth = eap
- aaa_id = aaa.strongswan.org
- id = dave@strongswan.org
- }
- remote {
- auth = pubkey
- id = moon.strongswan.org
- }
- children {
- home {
- remote_ts = 10.1.0.0/16
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-ecp256
- }
- }
- version = 2
- proposals = aes128-sha256-ecp256
- }
-}
-
-secrets {
-
- eap {
- id = dave@strongswan.org
- secret = "W7R0g3do"
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config
deleted file mode 100644
index 15dc93a0a..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
-IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules
deleted file mode 100644
index 1eb755354..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules +++ /dev/null @@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - -# allow RADIUS protocol with alice --A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT --A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT - -COMMIT diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf deleted file mode 100644 index cbaf67c89..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,15 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon-systemd { - load = random nonce openssl pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-radius updown - - multiple_authentication=no - - plugins { - eap-radius { - secret = gv6URkSs - server = 10.1.0.10 - filter_id = yes - } - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf deleted file mode 100644 index 096eb7b5a..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf +++ /dev/null 
@@ -1,53 +0,0 @@
-connections {
-
- rw-allow {
- local_addrs = 192.168.0.1
-
- local {
- auth = pubkey
- id = moon.strongswan.org
- certs = moonCert.pem
- }
- remote {
- auth = eap-radius
- id = *@strongswan.org
- groups = allow
- }
- children {
- rw-allow {
- local_ts = 10.1.0.0/28
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-ecp256
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-ecp256
- }
-
- rw-isolate {
- local_addrs = 192.168.0.1
-
- local {
- auth = pubkey
- id = moon.strongswan.org
- }
- remote {
- auth = eap-radius
- id = *@strongswan.org
- groups = isolate
- }
- children {
- rw-isolate {
- local_ts = 10.1.0.16/28
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-ecp256
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-ecp256
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat
deleted file mode 100644
index ab96df0ed..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::systemctl stop strongswan-swanctl
-dave::systemctl stop strongswan-swanctl
-moon::systemctl stop strongswan-swanctl
-alice::killall radiusd
-alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
-carol::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
deleted file mode 100644
index 7d0dfa385..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
+++ /dev/null
@@ -1,28 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-carol::echo 0 > /proc/sys/net/ipv4/ip_forward
-dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
-alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql
-alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db
-alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
-alice::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::rm /etc/swanctl/rsa/*
-dave::rm /etc/swanctl/rsa/*
-carol::rm /etc/swanctl/x509/*
-dave::rm /etc/swanctl/x509/*
-moon::systemctl start strongswan-swanctl
-carol::systemctl start strongswan-swanctl
-dave::systemctl start strongswan-swanctl
-moon::expect-connection rw-allow
-moon::expect-connection rw-isolate
-carol::expect-connection home
-carol::swanctl --initiate --child home
-dave::expect-connection home
-dave::swanctl --initiate --child home
-alice::ipsec attest --sessions
-alice::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/test.conf b/testing/tests/tnc/tnccs-11-radius-pts/test.conf
deleted file mode 100644
index 05d40f98d..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/test.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# Guest instances on which FreeRadius is started
-#
-RADIUSHOSTS="alice"
-
-# Guest instances on which databases are used
-#
-DBHOSTS="alice"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-11-radius/description.txt b/testing/tests/tnc/tnccs-11-radius/description.txt
deleted file mode 100644
index 4017c6eda..000000000
--- a/testing/tests/tnc/tnccs-11-radius/description.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-The roadwarriors carol and dave set up a connection each to gateway moon.
-At the outset the gateway authenticates itself to the clients by sending an IKEv2
-RSA signature accompanied by a certificate.
-carol and dave then set up an EAP-TTLS tunnel each via moon to the
-
-TNC@FHH-enhanced FreeRADIUS server alice authenticated by an X.509 AAA certificate.
-The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of carol and dave via the IF-TNCCS 1.1 client-server interface.
-The communication between IMCs and IMVs is based on the IF-M protocol defined by RFC 5792 PA-TNC.
-
-carol passes the health test and dave fails. Based on these measurements the clients
-are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, respectively.
diff --git a/testing/tests/tnc/tnccs-11-radius/evaltest.dat b/testing/tests/tnc/tnccs-11-radius/evaltest.dat
deleted file mode 100644
index cbafc1303..000000000
--- a/testing/tests/tnc/tnccs-11-radius/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES -carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES -dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES -dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES -moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES -moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES -dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED 
local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO -dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES -dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf deleted file mode 100644 index 31556361e..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf +++ /dev/null 
@@ -1,25 +0,0 @@
-eap {
- md5 {
- }
- default_eap_type = ttls
- tls {
- private_key_file = /etc/raddb/certs/aaaKey.pem
- certificate_file = /etc/raddb/certs/aaaCert.pem
- CA_file = /etc/raddb/certs/strongswanCert.pem
- cipher_list = "DEFAULT"
- dh_file = /etc/raddb/certs/dh
- random_file = /etc/raddb/certs/random
- }
- ttls {
- default_eap_type = md5
- use_tunneled_reply = yes
- virtual_server = "inner-tunnel"
- tnc_virtual_server = "inner-tunnel-second"
- }
-}
-
-eap eap_tnc {
- default_eap_type = tnc
- tnc {
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf
deleted file mode 100644
index 23cba8d11..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-realm strongswan.org {
- type = radius
- authhost = LOCAL
- accthost = LOCAL
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default
deleted file mode 100644
index dd0825858..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default
+++ /dev/null
@@ -1,43 +0,0 @@
-authorize {
- suffix
- eap {
- ok = return
- }
- files
-}
-
-authenticate {
- eap
-}
-
-preacct {
- preprocess
- acct_unique
- suffix
- files
-}
-
-accounting {
- detail
- unix
- radutmp
- attr_filter.accounting_response
-}
-
-session {
- radutmp
-}
-
-post-auth {
- exec
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-pre-proxy {
-}
-
-post-proxy {
- eap
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
deleted file mode 100644
index e088fae14..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
+++ /dev/null
@@ -1,32 +0,0 @@
-server inner-tunnel {
-
-authorize {
- suffix
- eap {
- ok = return
- }
- files
-}
-
-authenticate {
- eap
-}
-
-session {
- radutmp
-}
-
-post-auth {
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-pre-proxy {
-}
-
-post-proxy {
- eap
-}
-
-} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
deleted file mode 100644
index c5bde6a9e..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
+++ /dev/null
@@ -1,36 +0,0 @@
-server inner-tunnel-second {
-
-authorize {
- eap_tnc {
- ok = return
- }
-}
-
-authenticate {
- eap_tnc
-}
-
-session {
- radutmp
-}
-
-post-auth {
- if (control:TNC-Status == "Access") {
- update reply {
- Tunnel-Type := ESP
- Filter-Id := "allow"
- }
- }
- elsif (control:TNC-Status == "Isolate") {
- update reply {
- Tunnel-Type := ESP
- Filter-Id := "isolate"
- }
- }
-
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-} # inner-tunnel-second block
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users
deleted file mode 100644
index 50ccf3e76..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users
+++ /dev/null
@@ -1,2 +0,0 @@
-carol Cleartext-Password := "Ar3etTnp"
-dave Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 7622801ab..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
- load = random nonce sha1 sha2 md5 gmp pubkey x509
- debug_level = 3
- assessment_result = no
- plugins {
- imv-test {
- rounds = 1
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties
deleted file mode 100644
index 2bdc6e4de..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config
deleted file mode 100644
index da732f68b..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMV configuration file for strongSwan client
-
-IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
-IMV "Scanner" /usr/local/lib/ipsec/imcvs/imv-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 1ca6c3d10..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
- multiple_authentication=no
-
- syslog {
- daemon {
- tnc = 3
- imc = 3
- }
- }
- plugins {
- eap-tnc {
- protocol = tnccs-1.1
- }
- }
-}
-
-libimcv {
- plugins {
- imc-test {
- command = allow
- }
- }
-}
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf
deleted file mode 100644
index ff58c7c9a..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-connections {
-
- home {
- local_addrs = 192.168.0.100
- remote_addrs = 192.168.0.1
-
- local {
- auth = eap
- aaa_id = aaa.strongswan.org
- id = carol@strongswan.org
- }
- remote {
- auth = pubkey
- id = moon.strongswan.org
- }
- children {
- home {
- remote_ts = 10.1.0.0/16
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
- }
- }
- version = 2
- proposals = aes128-sha256-modp3072
- }
-}
-
-secrets {
-
- eap {
- id = carol@strongswan.org
- secret = "Ar3etTnp"
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config
deleted file mode 100644
index 6166552f5..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 9df983c80..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
-
- multiple_authentication=no
-
- syslog {
- daemon {
- tnc = 3
- imc = 3
- }
- }
- plugins {
- eap-tnc {
- protocol = tnccs-1.1
- }
- }
-}
-
-libimcv {
- plugins {
- imc-test {
- command = isolate
- }
- imc-scanner {
- push_info = no
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf
deleted file mode 100644
index 5af2098b6..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-connections {
-
- home {
- local_addrs = 192.168.0.200
- remote_addrs = 192.168.0.1
-
- local {
- auth = eap
- aaa_id = aaa.strongswan.org
- id = dave@strongswan.org
- }
- remote {
- auth = pubkey
- id = moon.strongswan.org
- }
- children {
- home {
- remote_ts = 10.1.0.0/16
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
- }
- }
- version = 2
- proposals = aes128-sha256-modp3072
- }
-}
-
-secrets {
-
- eap {
- id = dave@strongswan.org
- secret = "W7R0g3do"
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config
deleted file mode 100644
index 6166552f5..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so -IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules deleted file mode 100644 index 1eb755354..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules +++ /dev/null @@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - -# allow RADIUS protocol with alice --A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT --A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT - -COMMIT diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 4c9dd6e1f..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,15 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon-systemd { - load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown - - multiple_authentication=no - - plugins { - eap-radius { - secret = gv6URkSs - server = 10.1.0.10 - filter_id = yes - } - } -} 
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf
deleted file mode 100644
index 3caad0c66..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,53 +0,0 @@
-connections {
-
- rw-allow {
- local_addrs = 192.168.0.1
-
- local {
- auth = pubkey
- id = moon.strongswan.org
- certs = moonCert.pem
- }
- remote {
- auth = eap-radius
- id = *@strongswan.org
- groups = allow
- }
- children {
- rw-allow {
- local_ts = 10.1.0.0/28
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-modp3072
- }
-
- rw-isolate {
- local_addrs = 192.168.0.1
-
- local {
- auth = pubkey
- id = moon.strongswan.org
- }
- remote {
- auth = eap-radius
- id = *@strongswan.org
- groups = isolate
- }
- children {
- rw-isolate {
- local_ts = 10.1.0.16/28
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-modp3072
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/posttest.dat b/testing/tests/tnc/tnccs-11-radius/posttest.dat
deleted file mode 100644
index 0d96563c1..000000000
--- a/testing/tests/tnc/tnccs-11-radius/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::systemctl stop strongswan-swanctl
-dave::systemctl stop strongswan-swanctl
-moon::systemctl stop strongswan-swanctl
-alice::killall radiusd
-alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-11-radius/pretest.dat b/testing/tests/tnc/tnccs-11-radius/pretest.dat
deleted file mode 100644
index bb2ce93b3..000000000
--- a/testing/tests/tnc/tnccs-11-radius/pretest.dat
+++ /dev/null
@@ -1,22 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
-alice::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::rm /etc/swanctl/rsa/*
-dave::rm /etc/swanctl/rsa/*
-carol::rm /etc/swanctl/x509/*
-dave::rm /etc/swanctl/x509/*
-moon::systemctl start strongswan-swanctl
-carol::systemctl start strongswan-swanctl
-dave::systemctl start strongswan-swanctl
-moon::expect-connection rw-allow
-moon::expect-connection rw-isolate
-carol::expect-connection home
-carol::swanctl --initiate --child home
-dave::expect-connection home
-dave::swanctl --initiate --child home
diff --git a/testing/tests/tnc/tnccs-11-radius/test.conf b/testing/tests/tnc/tnccs-11-radius/test.conf
deleted file mode 100644
index 8d7f51449..000000000
--- a/testing/tests/tnc/tnccs-11-radius/test.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# Guest instances on which FreeRadius is started
-#
-RADIUSHOSTS="alice"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-11-supplicant/description.txt b/testing/tests/tnc/tnccs-11-supplicant/description.txt
deleted file mode 100644
index 5d0155382..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/description.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-The layer 2 supplicants carol and dave want to connect to a network
-via switch moon which delegates the IEEE 802.1X authentication to the RADIUS
-server alice. carol and dave set up an EAP-TTLS tunnel
-each via moon to the TNC@FHH-enhanced FreeRADIUS server alice authenticated
-by an X.509 AAA certificate.
-The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of carol and dave via the IF-TNCCS 1.1 client-server interface.
-The communication between IMCs and IMVs is based on the IF-M protocol defined by RFC 5792 PA-TNC.
-
-carol passes the health test and dave fails. Based on these measurements the clients
-are connected by switch moon to the "allow" and "isolate" VLANs, respectively.
diff --git a/testing/tests/tnc/tnccs-11-supplicant/evaltest.dat b/testing/tests/tnc/tnccs-11-supplicant/evaltest.dat
deleted file mode 100644
index 2d43b3c7b..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/evaltest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-carol::cat /var/log/daemon.log::IMC.*changed state.*Allowed::YES
-dave:: cat /var/log/daemon.log::IMC.*changed state.*Isolate::YES
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/eap.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/eap.conf
deleted file mode 100644
index 31556361e..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/eap.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-eap {
- md5 {
- }
- default_eap_type = ttls
- tls {
- private_key_file = /etc/raddb/certs/aaaKey.pem
- certificate_file = /etc/raddb/certs/aaaCert.pem
- CA_file = /etc/raddb/certs/strongswanCert.pem
- cipher_list = "DEFAULT"
- dh_file = /etc/raddb/certs/dh
- random_file = /etc/raddb/certs/random
- }
- ttls {
- default_eap_type = md5
- use_tunneled_reply = yes
- virtual_server = "inner-tunnel"
- tnc_virtual_server = "inner-tunnel-second"
- }
-}
-
-eap eap_tnc {
- default_eap_type = tnc
- tnc {
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/proxy.conf
deleted file mode 100644
index 23cba8d11..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/proxy.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-realm strongswan.org {
- type = radius
- authhost = LOCAL
- accthost = LOCAL
-}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/default
deleted file mode 100644
index dd0825858..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/default
+++ /dev/null
@@ -1,43 +0,0 @@
-authorize {
- suffix
- eap {
- ok = return
- }
- files
-}
-
-authenticate {
- eap
-}
-
-preacct {
- preprocess
- acct_unique
- suffix
- files
-}
-
-accounting {
- detail
- unix
- radutmp
- attr_filter.accounting_response
-}
-
-session {
- radutmp
-}
-
-post-auth {
- exec
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-pre-proxy {
-}
-
-post-proxy {
- eap
-}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel
deleted file mode 100644
index e088fae14..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel
+++ /dev/null
@@ -1,32 +0,0 @@
-server inner-tunnel {
-
-authorize {
- suffix
- eap {
- ok = return
- }
- files
-}
-
-authenticate {
- eap
-}
-
-session {
- radutmp
-}
-
-post-auth {
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-pre-proxy {
-}
-
-post-proxy {
- eap
-}
-
-} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
deleted file mode 100644
index c5bde6a9e..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
+++ /dev/null
@@ -1,36 +0,0 @@
-server inner-tunnel-second {
-
-authorize {
- eap_tnc {
- ok = return
- }
-}
-
-authenticate {
- eap_tnc
-}
-
-session {
- radutmp
-}
-
-post-auth {
- if (control:TNC-Status == "Access") {
- update reply {
- Tunnel-Type := ESP
- Filter-Id := "allow"
- }
- }
- elsif (control:TNC-Status == "Isolate") {
- update reply {
- Tunnel-Type := ESP
- Filter-Id := "isolate"
- }
- }
-
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-} # inner-tunnel-second block
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/users b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/users
deleted file mode 100644
index 50ccf3e76..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/users
+++ /dev/null
@@ -1,2 +0,0 @@
-carol Cleartext-Password := "Ar3etTnp"
-dave Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 7622801ab..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
- load = random nonce sha1 sha2 md5 gmp pubkey x509
- debug_level = 3
- assessment_result = no
- plugins {
- imv-test {
- rounds = 1
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties
deleted file mode 100644
index 2bdc6e4de..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config
deleted file mode 100644
index da732f68b..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMV configuration file for strongSwan client
-
-IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
-IMV "Scanner" /usr/local/lib/ipsec/imcvs/imv-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 965752b5e..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
- load = random nonce sha1 sha2 md5 gmp pubkey x509
- debug_level = 3
- plugins {
- imc-test {
- command = allow
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf
deleted file mode 100644
index 00ef0f516..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1 +0,0 @@
-# The strongSwan IMCs are loaded by the WPA supplicant
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config
deleted file mode 100644
index b4288fd53..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf
deleted file mode 100644
index 92d84f570..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf
+++ /dev/null
@@ -1,10 +0,0 @@
- network={
- ssid="eap_ttls"
- scan_ssid=0
- key_mgmt=IEEE8021X
- eap=TTLS
- identity="carol"
- password="Ar3etTnp"
- ca_cert="/etc/ipsec.d/cacerts/strongswanCert.pem"
- id_str=""
- }
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index ca1f7d9a5..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
- load = random nonce sha1 sha2 md5 gmp pubkey x509
- debug_level = 3
- plugins {
- imc-test {
- command = isolate
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf
deleted file mode 100644
index 00ef0f516..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1 +0,0 @@
-# The strongSwan IMCs are loaded by the WPA supplicant
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config
deleted file mode 100644
index b4288fd53..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf
deleted file mode 100644
index 37a343df6..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf
+++ /dev/null
@@ -1,10 +0,0 @@
- network={
- ssid="eap_ttls"
- scan_ssid=0
- key_mgmt=IEEE8021X
- eap=TTLS
- identity="dave"
- password="W7R0g3do"
- ca_cert="/etc/ipsec.d/cacerts/strongswanCert.pem"
- id_str=""
- }
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf
deleted file mode 100644
index c84fcbd91..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf
+++ /dev/null
@@ -1,1127 +0,0 @@
-##### hostapd configuration file ##############################################
-# Empty lines and lines starting with # are ignored
-
-# AP netdevice name (without 'ap' postfix, i.e., wlan0 uses wlan0ap for
-# management frames); ath0 for madwifi
-interface=eth0
-
-# In case of madwifi, atheros, and nl80211 driver interfaces, an additional
-# configuration parameter, bridge, may be used to notify hostapd if the
-# interface is included in a bridge. This parameter is not used with Host AP
-# driver. If the bridge parameter is not set, the drivers will automatically
-# figure out the bridge interface (assuming sysfs is enabled and mounted to
-# /sys) and this parameter may not be needed.
-#
-# For nl80211, this parameter can be used to request the AP interface to be
-# added to the bridge automatically (brctl may refuse to do this before hostapd
-# has been started to change the interface mode). If needed, the bridge
-# interface is also created.
-#bridge=br0
-
-# Driver interface type (hostap/wired/madwifi/test/none/nl80211/bsd);
-# default: hostap). nl80211 is used with all Linux mac80211 drivers.
-# Use driver=none if building hostapd as a standalone RADIUS server that does
-# not control any wireless/wired driver.
-driver=wired
-
-# hostapd event logger configuration
-#
-# Two output method: syslog and stdout (only usable if not forking to
-# background).
-# -# Module bitfield (ORed bitfield of modules that will be logged; -1 = all -# modules): -# bit 0 (1) = IEEE 802.11 -# bit 1 (2) = IEEE 802.1X -# bit 2 (4) = RADIUS -# bit 3 (8) = WPA -# bit 4 (16) = driver interface -# bit 5 (32) = IAPP -# bit 6 (64) = MLME -# -# Levels (minimum value for logged events): -# 0 = verbose debugging -# 1 = debugging -# 2 = informational messages -# 3 = notification -# 4 = warning -# -logger_syslog=-1 -logger_syslog_level=2 -logger_stdout=-1 -logger_stdout_level=0 - -# Dump file for state information (on SIGUSR1) -dump_file=/tmp/hostapd.dump - -# Interface for separate control program. If this is specified, hostapd -# will create this directory and a UNIX domain socket for listening to requests -# from external programs (CLI/GUI, etc.) for status information and -# configuration. The socket file will be named based on the interface name, so -# multiple hostapd processes/interfaces can be run at the same time if more -# than one interface is used. -# /var/run/hostapd is the recommended directory for sockets and by default, -# hostapd_cli will use it when trying to connect with hostapd. -ctrl_interface=/var/run/hostapd - -# Access control for the control interface can be configured by setting the -# directory to allow only members of a group to use sockets. This way, it is -# possible to run hostapd as root (since it needs to change network -# configuration and open raw sockets) and still allow GUI/CLI components to be -# run as non-root users. However, since the control interface can be used to -# change the network configuration, this access needs to be protected in many -# cases. By default, hostapd is configured to use gid 0 (root). If you -# want to allow non-root users to use the contron interface, add a new group -# and change this value to match with that group. Add users that should have -# control interface access to this group. -# -# This variable can be a group name or gid. 
-#ctrl_interface_group=wheel
-ctrl_interface_group=0
-
-
-##### IEEE 802.11 related configuration #######################################
-
-# SSID to be used in IEEE 802.11 management frames
-#ssid=test
-
-# Country code (ISO/IEC 3166-1). Used to set regulatory domain.
-# Set as needed to indicate country in which device is operating.
-# This can limit available channels and transmit power.
-#country_code=US
-
-# Enable IEEE 802.11d. This advertises the country_code and the set of allowed
-# channels and transmit power levels based on the regulatory limits. The
-# country_code setting must be configured with the correct country for
-# IEEE 802.11d functions.
-# (default: 0 = disabled)
-#ieee80211d=1
-
-# Operation mode (a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g,
-# Default: IEEE 802.11b
-hw_mode=g
-
-# Channel number (IEEE 802.11)
-# (default: 0, i.e., not set)
-# Please note that some drivers do not use this value from hostapd and the
-# channel will need to be configured separately with iwconfig.
-channel=1
-
-# Beacon interval in kus (1.024 ms) (default: 100; range 15..65535)
-beacon_int=100
-
-# DTIM (delivery traffic information message) period (range 1..255):
-# number of beacons between DTIMs (1 = every beacon includes DTIM element)
-# (default: 2)
-dtim_period=2
-
-# Maximum number of stations allowed in station table. New stations will be
-# rejected after the station table is full. IEEE 802.11 has a limit of 2007
-# different association IDs, so this number should not be larger than that.
-# (default: 2007)
-max_num_sta=255
-
-# RTS/CTS threshold; 2347 = disabled (default); range 0..2347
-# If this field is not included in hostapd.conf, hostapd will not control
-# RTS threshold and 'iwconfig wlan# rts ' can be used to set it.
-rts_threshold=2347
-
-# Fragmentation threshold; 2346 = disabled (default); range 256..2346
-# If this field is not included in hostapd.conf, hostapd will not control
-# fragmentation threshold and 'iwconfig wlan# frag ' can be used to set
-# it.
-fragm_threshold=2346
-
-# Rate configuration
-# Default is to enable all rates supported by the hardware. This configuration
-# item allows this list be filtered so that only the listed rates will be left
-# in the list. If the list is empty, all rates are used. This list can have
-# entries that are not in the list of rates the hardware supports (such entries
-# are ignored). The entries in this list are in 100 kbps, i.e., 11 Mbps = 110.
-# If this item is present, at least one rate have to be matching with the rates
-# hardware supports.
-# default: use the most common supported rate setting for the selected
-# hw_mode (i.e., this line can be removed from configuration file in most
-# cases)
-#supported_rates=10 20 55 110 60 90 120 180 240 360 480 540
-
-# Basic rate set configuration
-# List of rates (in 100 kbps) that are included in the basic rate set.
-# If this item is not included, usually reasonable default set is used.
-#basic_rates=10 20
-#basic_rates=10 20 55 110
-#basic_rates=60 120 240
-
-# Short Preamble
-# This parameter can be used to enable optional use of short preamble for
-# frames sent at 2 Mbps, 5.5 Mbps, and 11 Mbps to improve network performance.
-# This applies only to IEEE 802.11b-compatible networks and this should only be
-# enabled if the local hardware supports use of short preamble. If any of the
-# associated STAs do not support short preamble, use of short preamble will be
-# disabled (and enabled when such STAs disassociate) dynamically.
-# 0 = do not allow use of short preamble (default) -# 1 = allow use of short preamble -#preamble=1 - -# Station MAC address -based authentication -# Please note that this kind of access control requires a driver that uses -# hostapd to take care of management frame processing and as such, this can be -# used with driver=hostap or driver=nl80211, but not with driver=madwifi. -# 0 = accept unless in deny list -# 1 = deny unless in accept list -# 2 = use external RADIUS server (accept/deny lists are searched first) -macaddr_acl=0 - -# Accept/deny lists are read from separate files (containing list of -# MAC addresses, one per line). Use absolute path name to make sure that the -# files can be read on SIGHUP configuration reloads. -#accept_mac_file=/etc/hostapd.accept -#deny_mac_file=/etc/hostapd.deny - -# IEEE 802.11 specifies two authentication algorithms. hostapd can be -# configured to allow both of these or only one. Open system authentication -# should be used with IEEE 802.1X. -# Bit fields of allowed authentication algorithms: -# bit 0 = Open System Authentication -# bit 1 = Shared Key Authentication (requires WEP) -auth_algs=3 - -# Send empty SSID in beacons and ignore probe request frames that do not -# specify full SSID, i.e., require stations to know SSID. 
-# default: disabled (0)
-# 1 = send empty (length=0) SSID in beacon and ignore probe request for
-# broadcast SSID
-# 2 = clear SSID (ASCII 0), but keep the original length (this may be required
-# with some clients that do not support empty SSID) and ignore probe
-# requests for broadcast SSID
-ignore_broadcast_ssid=0
-
-# TX queue parameters (EDCF / bursting)
-# tx_queue__
-# queues: data0, data1, data2, data3, after_beacon, beacon
-# (data0 is the highest priority queue)
-# parameters:
-# aifs: AIFS (default 2)
-# cwmin: cwMin (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023)
-# cwmax: cwMax (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023); cwMax >= cwMin
-# burst: maximum length (in milliseconds with precision of up to 0.1 ms) for
-# bursting
-#
-# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e):
-# These parameters are used by the access point when transmitting frames
-# to the clients.
-#
-# Low priority / AC_BK = background
-#tx_queue_data3_aifs=7
-#tx_queue_data3_cwmin=15
-#tx_queue_data3_cwmax=1023
-#tx_queue_data3_burst=0
-# Note: for IEEE 802.11b mode: cWmin=31 cWmax=1023 burst=0
-#
-# Normal priority / AC_BE = best effort
-#tx_queue_data2_aifs=3
-#tx_queue_data2_cwmin=15
-#tx_queue_data2_cwmax=63
-#tx_queue_data2_burst=0
-# Note: for IEEE 802.11b mode: cWmin=31 cWmax=127 burst=0
-#
-# High priority / AC_VI = video
-#tx_queue_data1_aifs=1
-#tx_queue_data1_cwmin=7
-#tx_queue_data1_cwmax=15
-#tx_queue_data1_burst=3.0
-# Note: for IEEE 802.11b mode: cWmin=15 cWmax=31 burst=6.0
-#
-# Highest priority / AC_VO = voice
-#tx_queue_data0_aifs=1
-#tx_queue_data0_cwmin=3
-#tx_queue_data0_cwmax=7
-#tx_queue_data0_burst=1.5
-# Note: for IEEE 802.11b mode: cWmin=7 cWmax=15 burst=3.3
-
-# 802.1D Tag (= UP) to AC mappings
-# WMM specifies following mapping of data frames to different ACs. This mapping
-# can be configured using Linux QoS/tc and sch_pktpri.o module.
-# 802.1D Tag 802.1D Designation Access Category WMM Designation -# 1 BK AC_BK Background -# 2 - AC_BK Background -# 0 BE AC_BE Best Effort -# 3 EE AC_BE Best Effort -# 4 CL AC_VI Video -# 5 VI AC_VI Video -# 6 VO AC_VO Voice -# 7 NC AC_VO Voice -# Data frames with no priority information: AC_BE -# Management frames: AC_VO -# PS-Poll frames: AC_BE - -# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e): -# for 802.11a or 802.11g networks -# These parameters are sent to WMM clients when they associate. -# The parameters will be used by WMM clients for frames transmitted to the -# access point. -# -# note - txop_limit is in units of 32microseconds -# note - acm is admission control mandatory flag. 0 = admission control not -# required, 1 = mandatory -# note - here cwMin and cmMax are in exponent form. the actual cw value used -# will be (2^n)-1 where n is the value given here -# -wmm_enabled=1 -# -# WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD] -# Enable this flag if U-APSD supported outside hostapd (eg., Firmware/driver) -#uapsd_advertisement_enabled=1 -# -# Low priority / AC_BK = background -wmm_ac_bk_cwmin=4 -wmm_ac_bk_cwmax=10 -wmm_ac_bk_aifs=7 -wmm_ac_bk_txop_limit=0 -wmm_ac_bk_acm=0 -# Note: for IEEE 802.11b mode: cWmin=5 cWmax=10 -# -# Normal priority / AC_BE = best effort -wmm_ac_be_aifs=3 -wmm_ac_be_cwmin=4 -wmm_ac_be_cwmax=10 -wmm_ac_be_txop_limit=0 -wmm_ac_be_acm=0 -# Note: for IEEE 802.11b mode: cWmin=5 cWmax=7 -# -# High priority / AC_VI = video -wmm_ac_vi_aifs=2 -wmm_ac_vi_cwmin=3 -wmm_ac_vi_cwmax=4 -wmm_ac_vi_txop_limit=94 -wmm_ac_vi_acm=0 -# Note: for IEEE 802.11b mode: cWmin=4 cWmax=5 txop_limit=188 -# -# Highest priority / AC_VO = voice -wmm_ac_vo_aifs=2 -wmm_ac_vo_cwmin=2 -wmm_ac_vo_cwmax=3 -wmm_ac_vo_txop_limit=47 -wmm_ac_vo_acm=0 -# Note: for IEEE 802.11b mode: cWmin=3 cWmax=4 burst=102 - -# Static WEP key configuration -# -# The key number to use when transmitting. 
-# It must be between 0 and 3, and the corresponding key must be set.
-# default: not set
-#wep_default_key=0
-# The WEP keys to use.
-# A key may be a quoted string or unquoted hexadecimal digits.
-# The key length should be 5, 13, or 16 characters, or 10, 26, or 32
-# digits, depending on whether 40-bit (64-bit), 104-bit (128-bit), or
-# 128-bit (152-bit) WEP is used.
-# Only the default key must be supplied; the others are optional.
-# default: not set
-#wep_key0=123456789a
-#wep_key1="vwxyz"
-#wep_key2=0102030405060708090a0b0c0d
-#wep_key3=".2.4.6.8.0.23"
-
-# Station inactivity limit
-#
-# If a station does not send anything in ap_max_inactivity seconds, an
-# empty data frame is sent to it in order to verify whether it is
-# still in range. If this frame is not ACKed, the station will be
-# disassociated and then deauthenticated. This feature is used to
-# clear station table of old entries when the STAs move out of the
-# range.
-#
-# The station can associate again with the AP if it is still in range;
-# this inactivity poll is just used as a nicer way of verifying
-# inactivity; i.e., client will not report broken connection because
-# disassociation frame is not sent immediately without first polling
-# the STA with a data frame.
-# default: 300 (i.e., 5 minutes)
-ap_max_inactivity=30
-
-# Disassociate stations based on excessive transmission failures or other
-# indications of connection loss. This depends on the driver capabilities and
-# may not be available with all drivers.
-#disassoc_low_ack=1
-
-# Maximum allowed Listen Interval (how many Beacon periods STAs are allowed to
-# remain asleep). Default: 65535 (no limit apart from field size)
-#max_listen_interval=100
-
-# WDS (4-address frame) mode with per-station virtual interfaces
-# (only supported with driver=nl80211)
-# This mode allows associated stations to use 4-address frames to allow layer 2
-# bridging to be used.
-#wds_sta=1
-
-# If bridge parameter is set, the WDS STA interface will be added to the same
-# bridge by default. This can be overridden with the wds_bridge parameter to
-# use a separate bridge.
-#wds_bridge=wds-br0
-
-# Client isolation can be used to prevent low-level bridging of frames between
-# associated stations in the BSS. By default, this bridging is allowed.
-#ap_isolate=1
-
-##### IEEE 802.11n related configuration ######################################
-
-# ieee80211n: Whether IEEE 802.11n (HT) is enabled
-# 0 = disabled (default)
-# 1 = enabled
-# Note: You will also need to enable WMM for full HT functionality.
-#ieee80211n=1
-
-# ht_capab: HT capabilities (list of flags)
-# LDPC coding capability: [LDPC] = supported
-# Supported channel width set: [HT40-] = both 20 MHz and 40 MHz with secondary
-# channel below the primary channel; [HT40+] = both 20 MHz and 40 MHz
-# with secondary channel below the primary channel
-# (20 MHz only if neither is set)
-# Note: There are limits on which channels can be used with HT40- and
-# HT40+. Following table shows the channels that may be available for
-# HT40- and HT40+ use per IEEE 802.11n Annex J:
-# freq HT40- HT40+
-# 2.4 GHz 5-13 1-7 (1-9 in Europe/Japan)
-# 5 GHz 40,48,56,64 36,44,52,60
-# (depending on the location, not all of these channels may be available
-# for use)
-# Please note that 40 MHz channels may switch their primary and secondary
-# channels if needed or creation of 40 MHz channel maybe rejected based
-# on overlapping BSSes. These changes are done automatically when hostapd
-# is setting up the 40 MHz channel.
-# Spatial Multiplexing (SM) Power Save: [SMPS-STATIC] or [SMPS-DYNAMIC]
-# (SMPS disabled if neither is set)
-# HT-greenfield: [GF] (disabled if not set)
-# Short GI for 20 MHz: [SHORT-GI-20] (disabled if not set)
-# Short GI for 40 MHz: [SHORT-GI-40] (disabled if not set)
-# Tx STBC: [TX-STBC] (disabled if not set)
-# Rx STBC: [RX-STBC1] (one spatial stream), [RX-STBC12] (one or two spatial
-# streams), or [RX-STBC123] (one, two, or three spatial streams); Rx STBC
-# disabled if none of these set
-# HT-delayed Block Ack: [DELAYED-BA] (disabled if not set)
-# Maximum A-MSDU length: [MAX-AMSDU-7935] for 7935 octets (3839 octets if not
-# set)
-# DSSS/CCK Mode in 40 MHz: [DSSS_CCK-40] = allowed (not allowed if not set)
-# PSMP support: [PSMP] (disabled if not set)
-# L-SIG TXOP protection support: [LSIG-TXOP-PROT] (disabled if not set)
-#ht_capab=[HT40-][SHORT-GI-20][SHORT-GI-40]
-
-# Require stations to support HT PHY (reject association if they do not)
-#require_ht=1
-
-##### IEEE 802.1X-2004 related configuration ##################################
-
-# Require IEEE 802.1X authorization
-ieee8021x=1
-
-# IEEE 802.1X/EAPOL version
-# hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL
-# version 2. However, there are many client implementations that do not handle
-# the new version number correctly (they seem to drop the frames completely).
-# In order to make hostapd interoperate with these clients, the version number
-# can be set to the older version (1) with this configuration value.
-#eapol_version=2
-
-# Optional displayable message sent with EAP Request-Identity. The first \0
-# in this string will be converted to ASCII-0 (nul). This can be used to
-# separate network info (comma separated list of attribute=value pairs); see,
-# e.g., RFC 4284.
-#eap_message=hello
-#eap_message=hello\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com
-
-# WEP rekeying (disabled if key lengths are not set or are set to 0)
-# Key lengths for default/broadcast and individual/unicast keys:
-# 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits)
-# 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits)
-#wep_key_len_broadcast=5
-#wep_key_len_unicast=5
-# Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once)
-#wep_rekey_period=300
-
-# EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if
-# only broadcast keys are used)
-eapol_key_index_workaround=0
-
-# EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable
-# reauthentication).
-#eap_reauth_period=3600
-
-# Use PAE group address (01:80:c2:00:00:03) instead of individual target
-# address when sending EAPOL frames with driver=wired. This is the most common
-# mechanism used in wired authentication, but it also requires that the port
-# is only used by one station.
-#use_pae_group_addr=1
-
-##### Integrated EAP server ###################################################
-
-# Optionally, hostapd can be configured to use an integrated EAP server
-# to process EAP authentication locally without need for an external RADIUS
-# server. This functionality can be used both as a local authentication server
-# for IEEE 802.1X/EAPOL and as a RADIUS server for other devices.
-
-# Use integrated EAP server instead of external RADIUS authentication
-# server. This is also needed if hostapd is configured to act as a RADIUS
-# authentication server.
-eap_server=0
-
-# Path for EAP server user database
-#eap_user_file=/etc/hostapd.eap_user
-
-# CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
-#ca_cert=/etc/hostapd.ca.pem
-
-# Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
-#server_cert=/etc/hostapd.server.pem
-
-# Private key matching with the server certificate for EAP-TLS/PEAP/TTLS
-# This may point to the same file as server_cert if both certificate and key
-# are included in a single file. PKCS#12 (PFX) file (.p12/.pfx) can also be
-# used by commenting out server_cert and specifying the PFX file as the
-# private_key.
-#private_key=/etc/hostapd.server.prv
-
-# Passphrase for private key
-#private_key_passwd=secret passphrase
-
-# Enable CRL verification.
-# Note: hostapd does not yet support CRL downloading based on CDP. Thus, a
-# valid CRL signed by the CA is required to be included in the ca_cert file.
-# This can be done by using PEM format for CA certificate and CRL and
-# concatenating these into one file. Whenever CRL changes, hostapd needs to be
-# restarted to take the new CRL into use.
-# 0 = do not verify CRLs (default)
-# 1 = check the CRL of the user certificate
-# 2 = check all CRLs in the certificate path
-#check_crl=1
-
-# dh_file: File path to DH/DSA parameters file (in PEM format)
-# This is an optional configuration file for setting parameters for an
-# ephemeral DH key exchange. In most cases, the default RSA authentication does
-# not use this configuration. However, it is possible setup RSA to use
-# ephemeral DH key exchange. In addition, ciphers with DSA keys always use
-# ephemeral DH keys. This can be used to achieve forward secrecy. If the file
-# is in DSA parameters format, it will be automatically converted into DH
-# params. This parameter is required if anonymous EAP-FAST is used.
-# You can generate DH parameters file with OpenSSL, e.g., -# "openssl dhparam -out /etc/hostapd.dh.pem 1024" -#dh_file=/etc/hostapd.dh.pem - -# Fragment size for EAP methods -#fragment_size=1400 - -# Configuration data for EAP-SIM database/authentication gateway interface. -# This is a text string in implementation specific format. The example -# implementation in eap_sim_db.c uses this as the UNIX domain socket name for -# the HLR/AuC gateway (e.g., hlr_auc_gw). In this case, the path uses "unix:" -# prefix. -#eap_sim_db=unix:/tmp/hlr_auc_gw.sock - -# Encryption key for EAP-FAST PAC-Opaque values. This key must be a secret, -# random value. It is configured as a 16-octet value in hex format. It can be -# generated, e.g., with the following command: -# od -tx1 -v -N16 /dev/random | colrm 1 8 | tr -d ' ' -#pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f - -# EAP-FAST authority identity (A-ID) -# A-ID indicates the identity of the authority that issues PACs. The A-ID -# should be unique across all issuing servers. In theory, this is a variable -# length field, but due to some existing implementations requiring A-ID to be -# 16 octets in length, it is strongly recommended to use that length for the -# field to provid interoperability with deployed peer implementations. This -# field is configured in hex format. -#eap_fast_a_id=101112131415161718191a1b1c1d1e1f - -# EAP-FAST authority identifier information (A-ID-Info) -# This is a user-friendly name for the A-ID. For example, the enterprise name -# and server name in a human-readable format. This field is encoded as UTF-8. 
-#eap_fast_a_id_info=test server - -# Enable/disable different EAP-FAST provisioning modes: -#0 = provisioning disabled -#1 = only anonymous provisioning allowed -#2 = only authenticated provisioning allowed -#3 = both provisioning modes allowed (default) -#eap_fast_prov=3 - -# EAP-FAST PAC-Key lifetime in seconds (hard limit) -#pac_key_lifetime=604800 - -# EAP-FAST PAC-Key refresh time in seconds (soft limit on remaining hard -# limit). The server will generate a new PAC-Key when this number of seconds -# (or fewer) of the lifetime remains. -#pac_key_refresh_time=86400 - -# EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND -# (default: 0 = disabled). -#eap_sim_aka_result_ind=1 - -# Trusted Network Connect (TNC) -# If enabled, TNC validation will be required before the peer is allowed to -# connect. Note: This is only used with EAP-TTLS and EAP-FAST. If any other -# EAP method is enabled, the peer will be allowed to connect without TNC. -#tnc=1 - - -##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) ####################### - -# Interface to be used for IAPP broadcast packets -#iapp_interface=eth0 - - -##### RADIUS client configuration ############################################# -# for IEEE 802.1X with external Authentication Server, IEEE 802.11 -# authentication with external ACL for MAC addresses, and accounting - -# The own IP address of the access point (used as NAS-IP-Address) -own_ip_addr=10.1.0.1 - -# Optional NAS-Identifier string for RADIUS messages. When used, this should be -# a unique to the NAS within the scope of the RADIUS server. For example, a -# fully qualified domain name can be used here. -# When using IEEE 802.11r, nas_identifier must be set and must be between 1 and -# 48 octets long. 
-#nas_identifier=ap.example.com
-
-# RADIUS authentication server
-auth_server_addr=10.1.0.10
-#auth_server_port=1812
-auth_server_shared_secret=gv6URkSs
-
-# RADIUS accounting server
-#acct_server_addr=127.0.0.1
-#acct_server_port=1813
-#acct_server_shared_secret=secret
-
-# Secondary RADIUS servers; to be used if primary one does not reply to
-# RADIUS packets. These are optional and there can be more than one secondary
-# server listed.
-#auth_server_addr=127.0.0.2
-#auth_server_port=1812
-#auth_server_shared_secret=secret2
-#
-#acct_server_addr=127.0.0.2
-#acct_server_port=1813
-#acct_server_shared_secret=secret2
-
-# Retry interval for trying to return to the primary RADIUS server (in
-# seconds). RADIUS client code will automatically try to use the next server
-# when the current server is not replying to requests. If this interval is set,
-# primary server will be retried after configured amount of time even if the
-# currently used secondary server is still working.
-#radius_retry_primary_interval=600
-
-
-# Interim accounting update interval
-# If this is set (larger than 0) and acct_server is configured, hostapd will
-# send interim accounting updates every N seconds. Note: if set, this overrides
-# possible Acct-Interim-Interval attribute in Access-Accept message. Thus, this
-# value should not be configured in hostapd.conf, if RADIUS server is used to
-# control the interim interval.
-# This value should not be less 600 (10 minutes) and must not be less than
-# 60 (1 minute).
-#radius_acct_interim_interval=600
-
-# Dynamic VLAN mode; allow RADIUS authentication server to decide which VLAN
-# is used for the stations. This information is parsed from following RADIUS
-# attributes based on RFC 3580 and RFC 2868: Tunnel-Type (value 13 = VLAN),
-# Tunnel-Medium-Type (value 6 = IEEE 802), Tunnel-Private-Group-ID (value
-# VLANID as a string). vlan_file option below must be configured if dynamic
-# VLANs are used.
Optionally, the local MAC ACL list (accept_mac_file) can be -# used to set static client MAC address to VLAN ID mapping. -# 0 = disabled (default) -# 1 = option; use default interface if RADIUS server does not include VLAN ID -# 2 = required; reject authentication if RADIUS server does not include VLAN ID -#dynamic_vlan=0 - -# VLAN interface list for dynamic VLAN mode is read from a separate text file. -# This list is used to map VLAN ID from the RADIUS server to a network -# interface. Each station is bound to one interface in the same way as with -# multiple BSSIDs or SSIDs. Each line in this text file is defining a new -# interface and the line must include VLAN ID and interface name separated by -# white space (space or tab). -#vlan_file=/etc/hostapd.vlan - -# Interface where 802.1q tagged packets should appear when a RADIUS server is -# used to determine which VLAN a station is on. hostapd creates a bridge for -# each VLAN. Then hostapd adds a VLAN interface (associated with the interface -# indicated by 'vlan_tagged_interface') and the appropriate wireless interface -# to the bridge. -#vlan_tagged_interface=eth0 - - -##### RADIUS authentication server configuration ############################## - -# hostapd can be used as a RADIUS authentication server for other hosts. This -# requires that the integrated EAP server is also enabled and both -# authentication services are sharing the same configuration. - -# File name of the RADIUS clients configuration for the RADIUS server. If this -# commented out, RADIUS server is disabled. -#radius_server_clients=/etc/hostapd.radius_clients - -# The UDP port number for the RADIUS authentication server -#radius_server_auth_port=1812 - -# Use IPv6 with RADIUS server (IPv4 will also be supported using IPv6 API) -#radius_server_ipv6=1 - - -##### WPA/IEEE 802.11i configuration ########################################## - -# Enable WPA. 
Setting this variable configures the AP to require WPA (either -# WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either -# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK. -# For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys), -# RADIUS authentication server must be configured, and WPA-EAP must be included -# in wpa_key_mgmt. -# This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0) -# and/or WPA2 (full IEEE 802.11i/RSN): -# bit0 = WPA -# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled) -#wpa=1 - -# WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit -# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase -# (8..63 characters) that will be converted to PSK. This conversion uses SSID -# so the PSK changes when ASCII passphrase is used and the SSID is changed. -# wpa_psk (dot11RSNAConfigPSKValue) -# wpa_passphrase (dot11RSNAConfigPSKPassPhrase) -#wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef -#wpa_passphrase=secret passphrase - -# Optionally, WPA PSKs can be read from a separate text file (containing list -# of (PSK,MAC address) pairs. This allows more than one PSK to be configured. -# Use absolute path name to make sure that the files can be read on SIGHUP -# configuration reloads. -#wpa_psk_file=/etc/hostapd.wpa_psk - -# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The -# entries are separated with a space. WPA-PSK-SHA256 and WPA-EAP-SHA256 can be -# added to enable SHA256-based stronger algorithms. -# (dot11RSNAConfigAuthenticationSuitesTable) -#wpa_key_mgmt=WPA-PSK WPA-EAP - -# Set of accepted cipher suites (encryption algorithms) for pairwise keys -# (unicast packets). 
This is a space separated list of algorithms: -# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] -# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] -# Group cipher suite (encryption algorithm for broadcast and multicast frames) -# is automatically selected based on this configuration. If only CCMP is -# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise, -# TKIP will be used as the group cipher. -# (dot11RSNAConfigPairwiseCiphersTable) -# Pairwise cipher for WPA (v1) (default: TKIP) -#wpa_pairwise=TKIP CCMP -# Pairwise cipher for RSN/WPA2 (default: use wpa_pairwise value) -#rsn_pairwise=CCMP - -# Time interval for rekeying GTK (broadcast/multicast encryption keys) in -# seconds. (dot11RSNAConfigGroupRekeyTime) -#wpa_group_rekey=600 - -# Rekey GTK when any STA that possesses the current GTK is leaving the BSS. -# (dot11RSNAConfigGroupRekeyStrict) -#wpa_strict_rekey=1 - -# Time interval for rekeying GMK (master key used internally to generate GTKs -# (in seconds). -#wpa_gmk_rekey=86400 - -# Maximum lifetime for PTK in seconds. This can be used to enforce rekeying of -# PTK to mitigate some attacks against TKIP deficiencies. -#wpa_ptk_rekey=600 - -# Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up -# roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN -# authentication and key handshake before actually associating with a new AP. -# (dot11RSNAPreauthenticationEnabled) -#rsn_preauth=1 -# -# Space separated list of interfaces from which pre-authentication frames are -# accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all -# interface that are used for connections to other APs. This could include -# wired interfaces and WDS links. The normal wireless data interface towards -# associated stations (e.g., wlan0) should not be added, since -# pre-authentication is only used with APs other than the currently associated -# one. 
-#rsn_preauth_interfaces=eth0 - -# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e) is -# allowed. This is only used with RSN/WPA2. -# 0 = disabled (default) -# 1 = enabled -#peerkey=1 - -# ieee80211w: Whether management frame protection (MFP) is enabled -# 0 = disabled (default) -# 1 = optional -# 2 = required -#ieee80211w=0 - -# Association SA Query maximum timeout (in TU = 1.024 ms; for MFP) -# (maximum time to wait for a SA Query response) -# dot11AssociationSAQueryMaximumTimeout, 1...4294967295 -#assoc_sa_query_max_timeout=1000 - -# Association SA Query retry timeout (in TU = 1.024 ms; for MFP) -# (time between two subsequent SA Query requests) -# dot11AssociationSAQueryRetryTimeout, 1...4294967295 -#assoc_sa_query_retry_timeout=201 - -# disable_pmksa_caching: Disable PMKSA caching -# This parameter can be used to disable caching of PMKSA created through EAP -# authentication. RSN preauthentication may still end up using PMKSA caching if -# it is enabled (rsn_preauth=1). -# 0 = PMKSA caching enabled (default) -# 1 = PMKSA caching disabled -#disable_pmksa_caching=0 - -# okc: Opportunistic Key Caching (aka Proactive Key Caching) -# Allow PMK cache to be shared opportunistically among configured interfaces -# and BSSes (i.e., all configurations within a single hostapd process). -# 0 = disabled (default) -# 1 = enabled -#okc=1 - - -##### IEEE 802.11r configuration ############################################## - -# Mobility Domain identifier (dot11FTMobilityDomainID, MDID) -# MDID is used to indicate a group of APs (within an ESS, i.e., sharing the -# same SSID) between which a STA can use Fast BSS Transition. -# 2-octet identifier as a hex string. -#mobility_domain=a1b2 - -# PMK-R0 Key Holder identifier (dot11FTR0KeyHolderID) -# 1 to 48 octet identifier. -# This is configured with nas_identifier (see RADIUS client section above). 
- -# Default lifetime of the PMK-RO in minutes; range 1..65535 -# (dot11FTR0KeyLifetime) -#r0_key_lifetime=10000 - -# PMK-R1 Key Holder identifier (dot11FTR1KeyHolderID) -# 6-octet identifier as a hex string. -#r1_key_holder=000102030405 - -# Reassociation deadline in time units (TUs / 1.024 ms; range 1000..65535) -# (dot11FTReassociationDeadline) -#reassociation_deadline=1000 - -# List of R0KHs in the same Mobility Domain -# format: <128-bit key as hex string> -# This list is used to map R0KH-ID (NAS Identifier) to a destination MAC -# address when requesting PMK-R1 key from the R0KH that the STA used during the -# Initial Mobility Domain Association. -#r0kh=02:01:02:03:04:05 r0kh-1.example.com 000102030405060708090a0b0c0d0e0f -#r0kh=02:01:02:03:04:06 r0kh-2.example.com 00112233445566778899aabbccddeeff -# And so on.. One line per R0KH. - -# List of R1KHs in the same Mobility Domain -# format: <128-bit key as hex string> -# This list is used to map R1KH-ID to a destination MAC address when sending -# PMK-R1 key from the R0KH. This is also the list of authorized R1KHs in the MD -# that can request PMK-R1 keys. -#r1kh=02:01:02:03:04:05 02:11:22:33:44:55 000102030405060708090a0b0c0d0e0f -#r1kh=02:01:02:03:04:06 02:11:22:33:44:66 00112233445566778899aabbccddeeff -# And so on.. One line per R1KH. - -# Whether PMK-R1 push is enabled at R0KH -# 0 = do not push PMK-R1 to all configured R1KHs (default) -# 1 = push PMK-R1 to all configured R1KHs whenever a new PMK-R0 is derived -#pmk_r1_push=1 - -##### Neighbor table ########################################################## -# Maximum number of entries kept in AP table (either for neigbor table or for -# detecting Overlapping Legacy BSS Condition). The oldest entry will be -# removed when adding a new entry that would make the list grow over this -# limit. Note! WFA certification for IEEE 802.11g requires that OLBC is -# enabled, so this field should not be set to 0 when using IEEE 802.11g. 
-# default: 255 -#ap_table_max_size=255 - -# Number of seconds of no frames received after which entries may be deleted -# from the AP table. Since passive scanning is not usually performed frequently -# this should not be set to very small value. In addition, there is no -# guarantee that every scan cycle will receive beacon frames from the -# neighboring APs. -# default: 60 -#ap_table_expiration_time=3600 - - -##### Wi-Fi Protected Setup (WPS) ############################################# - -# WPS state -# 0 = WPS disabled (default) -# 1 = WPS enabled, not configured -# 2 = WPS enabled, configured -#wps_state=2 - -# AP can be configured into a locked state where new WPS Registrar are not -# accepted, but previously authorized Registrars (including the internal one) -# can continue to add new Enrollees. -#ap_setup_locked=1 - -# Universally Unique IDentifier (UUID; see RFC 4122) of the device -# This value is used as the UUID for the internal WPS Registrar. If the AP -# is also using UPnP, this value should be set to the device's UPnP UUID. -# If not configured, UUID will be generated based on the local MAC address. -#uuid=12345678-9abc-def0-1234-56789abcdef0 - -# Note: If wpa_psk_file is set, WPS is used to generate random, per-device PSKs -# that will be appended to the wpa_psk_file. If wpa_psk_file is not set, the -# default PSK (wpa_psk/wpa_passphrase) will be delivered to Enrollees. Use of -# per-device PSKs is recommended as the more secure option (i.e., make sure to -# set wpa_psk_file when using WPS with WPA-PSK). - -# When an Enrollee requests access to the network with PIN method, the Enrollee -# PIN will need to be entered for the Registrar. PIN request notifications are -# sent to hostapd ctrl_iface monitor. In addition, they can be written to a -# text file that could be used, e.g., to populate the AP administration UI with -# pending PIN requests. If the following variable is set, the PIN requests will -# be written to the configured file. 
-#wps_pin_requests=/var/run/hostapd_wps_pin_requests - -# Device Name -# User-friendly description of device; up to 32 octets encoded in UTF-8 -#device_name=Wireless AP - -# Manufacturer -# The manufacturer of the device (up to 64 ASCII characters) -#manufacturer=Company - -# Model Name -# Model of the device (up to 32 ASCII characters) -#model_name=WAP - -# Model Number -# Additional device description (up to 32 ASCII characters) -#model_number=123 - -# Serial Number -# Serial number of the device (up to 32 characters) -#serial_number=12345 - -# Primary Device Type -# Used format: -- -# categ = Category as an integer value -# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for -# default WPS OUI -# subcateg = OUI-specific Sub Category as an integer value -# Examples: -# 1-0050F204-1 (Computer / PC) -# 1-0050F204-2 (Computer / Server) -# 5-0050F204-1 (Storage / NAS) -# 6-0050F204-1 (Network Infrastructure / AP) -#device_type=6-0050F204-1 - -# OS Version -# 4-octet operating system version number (hex string) -#os_version=01020300 - -# Config Methods -# List of the supported configuration methods -# Available methods: usba ethernet label display ext_nfc_token int_nfc_token -# nfc_interface push_button keypad virtual_display physical_display -# virtual_push_button physical_push_button -#config_methods=label virtual_display virtual_push_button keypad - -# WPS capability discovery workaround for PBC with Windows 7 -# Windows 7 uses incorrect way of figuring out AP's WPS capabilities by acting -# as a Registrar and using M1 from the AP. The config methods attribute in that -# message is supposed to indicate only the configuration method supported by -# the AP in Enrollee role, i.e., to add an external Registrar. For that case, -# PBC shall not be used and as such, the PushButton config method is removed -# from M1 by default. 
If pbc_in_m1=1 is included in the configuration file, -# the PushButton config method is left in M1 (if included in config_methods -# parameter) to allow Windows 7 to use PBC instead of PIN (e.g., from a label -# in the AP). -#pbc_in_m1=1 - -# Static access point PIN for initial configuration and adding Registrars -# If not set, hostapd will not allow external WPS Registrars to control the -# access point. The AP PIN can also be set at runtime with hostapd_cli -# wps_ap_pin command. Use of temporary (enabled by user action) and random -# AP PIN is much more secure than configuring a static AP PIN here. As such, -# use of the ap_pin parameter is not recommended if the AP device has means for -# displaying a random PIN. -#ap_pin=12345670 - -# Skip building of automatic WPS credential -# This can be used to allow the automatically generated Credential attribute to -# be replaced with pre-configured Credential(s). -#skip_cred_build=1 - -# Additional Credential attribute(s) -# This option can be used to add pre-configured Credential attributes into M8 -# message when acting as a Registrar. If skip_cred_build=1, this data will also -# be able to override the Credential attribute that would have otherwise been -# automatically generated based on network configuration. This configuration -# option points to an external file that much contain the WPS Credential -# attribute(s) as binary data. -#extra_cred=hostapd.cred - -# Credential processing -# 0 = process received credentials internally (default) -# 1 = do not process received credentials; just pass them over ctrl_iface to -# external program(s) -# 2 = process received credentials internally and pass them over ctrl_iface -# to external program(s) -# Note: With wps_cred_processing=1, skip_cred_build should be set to 1 and -# extra_cred be used to provide the Credential data for Enrollees. 
-# -# wps_cred_processing=1 will disabled automatic updates of hostapd.conf file -# both for Credential processing and for marking AP Setup Locked based on -# validation failures of AP PIN. An external program is responsible on updating -# the configuration appropriately in this case. -#wps_cred_processing=0 - -# AP Settings Attributes for M7 -# By default, hostapd generates the AP Settings Attributes for M7 based on the -# current configuration. It is possible to override this by providing a file -# with pre-configured attributes. This is similar to extra_cred file format, -# but the AP Settings attributes are not encapsulated in a Credential -# attribute. -#ap_settings=hostapd.ap_settings - -# WPS UPnP interface -# If set, support for external Registrars is enabled. -#upnp_iface=br0 - -# Friendly Name (required for UPnP) -# Short description for end use. Should be less than 64 characters. -#friendly_name=WPS Access Point - -# Manufacturer URL (optional for UPnP) -#manufacturer_url=http://www.example.com/ - -# Model Description (recommended for UPnP) -# Long description for end user. Should be less than 128 characters. -#model_description=Wireless Access Point - -# Model URL (optional for UPnP) -#model_url=http://www.example.com/model/ - -# Universal Product Code (optional for UPnP) -# 12-digit, all-numeric code that identifies the consumer package. 
-#upc=123456789012 - -##### Wi-Fi Direct (P2P) ###################################################### - -# Enable P2P Device management -#manage_p2p=1 - -# Allow cross connection -#allow_cross_connection=1 - -#### TDLS (IEEE 802.11z-2010) ################################################# - -# Prohibit use of TDLS in this BSS -#tdls_prohibit=1 - -# Prohibit use of TDLS Channel Switching in this BSS -#tdls_prohibit_chan_switch=1 - -##### IEEE 802.11v-2011 ####################################################### - -# Time advertisement -# 0 = disabled (default) -# 2 = UTC time at which the TSF timer is 0 -#time_advertisement=2 - -# Local time zone as specified in 8.3 of IEEE Std 1003.1-2004: -# stdoffset[dst[offset][,start[/time],end[/time]]] -#time_zone=EST5 - -##### IEEE 802.11u-2011 ####################################################### - -# Enable Interworking service -#interworking=1 - -# Access Network Type -# 0 = Private network -# 1 = Private network with guest access -# 2 = Chargeable public network -# 3 = Free public network -# 4 = Personal device network -# 5 = Emergency services only network -# 14 = Test or experimental -# 15 = Wildcard -#access_network_type=0 - -# Whether the network provides connectivity to the Internet -# 0 = Unspecified -# 1 = Network provides connectivity to the Internet -#internet=1 - -# Additional Step Required for Access -# Note: This is only used with open network, i.e., ASRA shall ne set to 0 if -# RSN is used. -#asra=0 - -# Emergency services reachable -#esr=0 - -# Unauthenticated emergency service accessible -#uesa=0 - -# Venue Info (optional) -# The available values are defined in IEEE Std 802.11u-2011, 7.3.1.34. 
-# Example values (group,type): -# 0,0 = Unspecified -# 1,7 = Convention Center -# 1,13 = Coffee Shop -# 2,0 = Unspecified Business -# 7,1 Private Residence -#venue_group=7 -#venue_type=1 - -# Homogeneous ESS identifier (optional; dot11HESSID) -# If set, this shall be identifical to one of the BSSIDs in the homogeneous -# ESS and this shall be set to the same value across all BSSs in homogeneous -# ESS. -#hessid=02:03:04:05:06:07 - -# Roaming Consortium List -# Arbitrary number of Roaming Consortium OIs can be configured with each line -# adding a new OI to the list. The first three entries are available through -# Beacon and Probe Response frames. Any additional entry will be available only -# through ANQP queries. Each OI is between 3 and 15 octets and is configured a -# a hexstring. -#roaming_consortium=021122 -#roaming_consortium=2233445566 - -##### Multiple BSSID support ################################################## -# -# Above configuration is using the default interface (wlan#, or multi-SSID VLAN -# interfaces). Other BSSIDs can be added by using separator 'bss' with -# default interface name to be allocated for the data packets of the new BSS. -# -# hostapd will generate BSSID mask based on the BSSIDs that are -# configured. hostapd will verify that dev_addr & MASK == dev_addr. If this is -# not the case, the MAC address of the radio must be changed before starting -# hostapd (ifconfig wlan0 hw ether ). If a BSSID is configured for -# every secondary BSS, this limitation is not applied at hostapd and other -# masks may be used if the driver supports them (e.g., swap the locally -# administered bit) -# -# BSSIDs are assigned in order to each BSS, unless an explicit BSSID is -# specified using the 'bssid' parameter. 
-# If an explicit BSSID is specified, it must be chosen such that it:
-# - results in a valid MASK that covers it and the dev_addr
-# - is not the same as the MAC address of the radio
-# - is not the same as any other explicitly specified BSSID
-#
-# Please note that hostapd uses some of the values configured for the first BSS
-# as the defaults for the following BSSes. However, it is recommended that all
-# BSSes include explicit configuration of all relevant configuration items.
-#
-#bss=wlan0_0
-#ssid=test2
-# most of the above items can be used here (apart from radio interface specific
-# items, like channel)
-
-#bss=wlan0_1
-#bssid=00:13:10:95:fe:0b
-# ...
diff --git a/testing/tests/tnc/tnccs-11-supplicant/posttest.dat b/testing/tests/tnc/tnccs-11-supplicant/posttest.dat
deleted file mode 100644
index b55e0457c..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::killall wpa_supplicant
-dave::killall wpa_supplicant
-moon::killall hostapd
-alice::killall radiusd
-alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
diff --git a/testing/tests/tnc/tnccs-11-supplicant/pretest.dat b/testing/tests/tnc/tnccs-11-supplicant/pretest.dat
deleted file mode 100644
index 4dbff64a3..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
-alice::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-moon::hostapd -B /etc/hostapd/hostapd.conf
-carol::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties wpa_supplicant -B -c /etc/wpa_supplicant.conf -D wired -i eth0
-carol::sleep 4
-dave::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties wpa_supplicant -B -c /etc/wpa_supplicant.conf -D wired -i eth0
-dave::sleep 4
diff --git a/testing/tests/tnc/tnccs-11-supplicant/test.conf b/testing/tests/tnc/tnccs-11-supplicant/test.conf
deleted file mode 100644
index 2069e4aa5..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/test.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="carol dave"
-
-# Guest instances on which FreeRadius is started
-#
-RADIUSHOSTS="alice"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/pts/collector.sql b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/pts/collector.sql
new file mode 100644
index 000000000..548c101e4
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/pts/collector.sql
@@ -0,0 +1,39 @@
+/* SW Identifiers */
+
+INSERT INTO sw_identifiers (
+ name, package, version, source, installed
+) VALUES (
+ 'strongswan.org__Debian_DEBIAN_VERSION-x86_64-libutempter0-1.1.5', 'libutempter0', '1.1.5', 1, 0
+);
+
+INSERT INTO sw_identifiers (
+ name, package, version, source, installed
+) VALUES (
+ 'strongswan.org__Debian_DEBIAN_VERSION-x86_64-libevent-2.0-5-2.0.20', 'libevent-2.0-5', '2.0.20', 1, 0
+);
+
+INSERT INTO sw_identifiers (
+ name, package, version, source, installed
+) VALUES (
+ 'strongswan.org__Debian_DEBIAN_VERSION-x86_64-tmux-2.2', 'tmux', '2.2', 1, 0
+);
+
+/* SW Events */
+
+INSERT INTO sw_events (
+ eid, sw_id, action
+) VALUES (
+ 2, 1, 2
+);
+
+INSERT INTO sw_events (
+ eid, sw_id, action
+) VALUES (
+ 2, 2, 2
+);
+
+INSERT INTO sw_events (
+ eid, sw_id, action
+) VALUES (
+ 2, 3, 2
+);
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat
index c0049d7fd..5d0602c15 100644
--- a/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat
@@ -1,6 +1,7 @@
 carol::ip route del 10.1.0.0/16 via 192.168.0.1
 dave::ip route del 10.1.0.0/16 via 192.168.0.1
 winnetou::ip route del 10.1.0.0/16 via 192.168.0.1
+carol::rm /etc/pts/collector.sql
 alice::systemctl stop strongswan-swanctl
 alice::systemctl stop apache2
 alice::rm /etc/swanctl/rsa/aaaKey.pem
diff --git a/testing/tests/tnc/tnccs-20-fhh/description.txt b/testing/tests/tnc/tnccs-20-fhh/description.txt
deleted file mode 100644
index 8bf1543d2..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/description.txt
+++ /dev/null
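Review bot: The three sw_events rows hard-code sw_id 1, 2 and 3, which only matches the preceding sw_identifiers inserts if this fixture is loaded into an empty table and the rows receive consecutive ids; nothing in the file records that coupling. The `source` and `action` columns are likewise bare integers (1 and 2) with no indication of what the codes mean, and the `DEBIAN_VERSION` token in the names looks like a placeholder that a test harness substitutes, which is not stated either. A short header comment such as `/* Fixture for the sw-collector tests: sw_id 1..3 assume an empty sw_identifiers table; DEBIAN_VERSION is substituted at test time */` plus a one-line note on what source=1 and action=2 encode would make the file self-describing.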
@@ -1,13 +0,0 @@
-The roadwarriors carol and dave set up a connection each to gateway moon
-using EAP-TTLS authentication only with the gateway presenting a server certificate and
-the clients doing EAP-MD5 password-based authentication.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of carol and dave via the TNCCS 2.0 client-server interface
-compliant with RFC 5793 PB-TNC. The Dummy IMC and IMV from the
-
-TNC@FHH project are used which communicate over a proprietary protocol.
-

-carol passes the health test and dave fails. Based on these measurements the
-clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets,
-respectively.
-

diff --git a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
deleted file mode 100644
index bf0732604..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Quarantined::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon
deleted file mode 100755
index bf3a6891a..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon
+++ /dev/null
@@ -1,158 +0,0 @@ -#! /bin/sh -### BEGIN INIT INFO -# Provides: charon -# Required-Start: $remote_fs $syslog -# Required-Stop: $remote_fs $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: strongSwan charon IKE daemon -# Description: with swanctl the strongSwan charon daemon must be -# running in the background -### END INIT INFO - -# Author: Andreas Steffen -# -# Do NOT "set -e" - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin -DESC="strongSwan charon IKE daemon" -NAME=charon -DAEMON=/usr/local/libexec/ipsec/$NAME -DAEMON_ARGS="" -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/charon - -export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties - -# Exit if the package is not installed -[ -x "$DAEMON" ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.2-14) to ensure that this file is present -# and status_of_proc is working. -. /lib/lsb/init-functions - -# -# Function that starts the daemon/service -# -do_start() -{ - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ - || return 1 - start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \ - $DAEMON_ARGS \ - || return 2 - # Add code here, if necessary, that waits for the process to be ready - # to handle requests from services started subsequently which depend - # on this one. As a last resort, sleep for some time. 
-} - -# -# Function that stops the daemon/service -# -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. - rm -f $PIDFILE - return "$RETVAL" -} - -# -# Function that sends a SIGHUP to the daemon/service -# -do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME - return 0 -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - status) - status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? - ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? 
- #;;
- restart|force-reload)
- #
- # If the "reload" option is implemented then remove the
- # 'force-reload' alias
- #
- log_daemon_msg "Restarting $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1)
- do_start
- case "$?" in
- 0) log_end_msg 0 ;;
- 1) log_end_msg 1 ;; # Old process is still running
- *) log_end_msg 1 ;; # Failed to start
- esac
- ;;
- *)
- # Failed to stop
- log_end_msg 1
- ;;
- esac
- ;;
- *)
- #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
- echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
- exit 3
- ;;
-esac
-
-:
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index aa4934fb1..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-
- multiple_authentication = no
-
- syslog {
- daemon {
- tnc = 3
- imc = 2
- }
- }
-}
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf
deleted file mode 100644
index 0f266dd93..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-connections {
-
- home {
- local_addrs = 192.168.0.100
- remote_addrs = 192.168.0.1
-
- local {
- auth = eap-ttls
- id = carol@strongswan.org
- }
- remote {
- auth = eap-ttls
- id = moon.strongswan.org
- }
- children {
- home {
- remote_ts = 10.1.0.0/16
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-modp3072
- }
-}
-
-secrets {
-
- eap {
- id = carol@strongswan.org
- secret = "Ar3etTnp"
- }
-}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/dummyimc.file
deleted file mode 100644
index f5da834c0..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-allow
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/log4cxx.properties
deleted file mode 100644
index b1c694107..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc_config
deleted file mode 100644
index 3ef780933..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon
deleted file mode 100755
index bf3a6891a..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon
+++ /dev/null
@@ -1,158 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides: charon
-# Required-Start: $remote_fs $syslog
-# Required-Stop: $remote_fs $syslog
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: strongSwan charon IKE daemon
-# Description: with swanctl the strongSwan charon daemon must be
-# running in the background
-### END INIT INFO
-
-# Author: Andreas Steffen
-#
-# Do NOT "set -e"
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
-DESC="strongSwan charon IKE daemon"
-NAME=charon
-DAEMON=/usr/local/libexec/ipsec/$NAME
-DAEMON_ARGS=""
-PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/charon
-
-export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
- # Return
- # 0 if daemon has been started
- # 1 if daemon was already running
- # 2 if daemon could not be started
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
- || return 1
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
- $DAEMON_ARGS \
- || return 2
- # Add code here, if necessary, that waits for the process to be ready
- # to handle requests from services started subsequently which depend
- # on this one. As a last resort, sleep for some time.
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
- # Return
- # 0 if daemon has been stopped
- # 1 if daemon was already stopped
- # 2 if daemon could not be stopped
- # other if a failure occurred
- start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
- RETVAL="$?"
- [ "$RETVAL" = 2 ] && return 2
- # Wait for children to finish too if this is a daemon that forks
- # and if the daemon is only ever run from this initscript.
- # If the above conditions are not satisfied then add some other code
- # that waits for the process to drop all resources that could be
- # needed by services started subsequently. A last resort is to
- # sleep for some time.
- start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
- [ "$?" = 2 ] && return 2
- # Many daemons don't delete their pidfiles when they exit.
- rm -f $PIDFILE
- return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
- #
- # If the daemon can reload its configuration without
- # restarting (for example, when it is sent a SIGHUP),
- # then implement that here.
- #
- start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
- return 0
-}
-
-case "$1" in
- start)
- [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
- do_start
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- stop)
- [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- status)
- status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
- ;;
- #reload|force-reload)
- #
- # If do_reload() is not implemented then leave this commented out
- # and leave 'force-reload' as an alias for 'restart'.
- #
- #log_daemon_msg "Reloading $DESC" "$NAME"
- #do_reload
- #log_end_msg $?
- #;;
- restart|force-reload)
- #
- # If the "reload" option is implemented then remove the
- # 'force-reload' alias
- #
- log_daemon_msg "Restarting $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1)
- do_start
- case "$?" in
- 0) log_end_msg 0 ;;
- 1) log_end_msg 1 ;; # Old process is still running
- *) log_end_msg 1 ;; # Failed to start
- esac
- ;;
- *)
- # Failed to stop
- log_end_msg 1
- ;;
- esac
- ;;
- *)
- #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
- echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
- exit 3
- ;;
-esac
-
-:
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 8fc1c8729..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-
- multiple_authentication = no
- syslog {
- daemon {
- tnc = 3
- imc = 2
- }
- }
-}
-
-libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf
deleted file mode 100644
index 989ab88c7..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-connections {
-
- home {
- local_addrs = 192.168.0.200
- remote_addrs = 192.168.0.1
-
- local {
- auth = eap-ttls
- id = dave@strongswan.org
- }
- remote {
- auth = eap-ttls
- id = moon.strongswan.org
- }
- children {
- home {
- remote_ts = 10.1.0.0/16
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-modp3072
- }
-}
-
-secrets {
-
- eap {
- id = dave@strongswan.org
- secret = "W7R0g3do"
- }
-}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/dummyimc.file
deleted file mode 100644
index c20b5e57f..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-isolate
\ No newline at end of file
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/log4cxx.properties
deleted file mode 100644
index b1c694107..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/log4cxx.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-# Set root logger level to DEBUG and its appenders to A1 and A2.
-log4j.rootLogger=DEBUG, A1, A2
-
-# A1 is set to be a ConsoleAppender.
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n
-
-# A2 is set to be a SyslogAppender
-log4j.appender.A2=org.apache.log4j.net.SyslogAppender
-log4j.appender.A2.Facility=DAEMON
-log4j.appender.A2.SyslogHost=localhost
-log4j.appender.A2.Threshold=DEBUG
-log4j.appender.A2.layout=org.apache.log4j.PatternLayout
-log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc_config
deleted file mode 100644
index 8eee8068a..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon
deleted file mode 100755
index bf3a6891a..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon
+++ /dev/null
@@ -1,158 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides: charon
-# Required-Start: $remote_fs $syslog
-# Required-Stop: $remote_fs $syslog
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: strongSwan charon IKE daemon
-# Description: with swanctl the strongSwan charon daemon must be
-# running in the background
-### END INIT INFO
-
-# Author: Andreas Steffen
-#
-# Do NOT "set -e"
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
-DESC="strongSwan charon IKE daemon"
-NAME=charon
-DAEMON=/usr/local/libexec/ipsec/$NAME
-DAEMON_ARGS=""
-PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/charon
-
-export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
- # Return
- # 0 if daemon has been started
- # 1 if daemon was already running
- # 2 if daemon could not be started
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
- || return 1
- start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
- $DAEMON_ARGS \
- || return 2
- # Add code here, if necessary, that waits for the process to be ready
- # to handle requests from services started subsequently which depend
- # on this one. As a last resort, sleep for some time.
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
- # Return
- # 0 if daemon has been stopped
- # 1 if daemon was already stopped
- # 2 if daemon could not be stopped
- # other if a failure occurred
- start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
- RETVAL="$?"
- [ "$RETVAL" = 2 ] && return 2
- # Wait for children to finish too if this is a daemon that forks
- # and if the daemon is only ever run from this initscript.
- # If the above conditions are not satisfied then add some other code
- # that waits for the process to drop all resources that could be
- # needed by services started subsequently. A last resort is to
- # sleep for some time.
- start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
- [ "$?" = 2 ] && return 2
- # Many daemons don't delete their pidfiles when they exit.
- rm -f $PIDFILE
- return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
- #
- # If the daemon can reload its configuration without
- # restarting (for example, when it is sent a SIGHUP),
- # then implement that here.
- #
- start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
- return 0
-}
-
-case "$1" in
- start)
- [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
- do_start
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- stop)
- [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- status)
- status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
- ;;
- #reload|force-reload)
- #
- # If do_reload() is not implemented then leave this commented out
- # and leave 'force-reload' as an alias for 'restart'.
- #
- #log_daemon_msg "Reloading $DESC" "$NAME"
- #do_reload
- #log_end_msg $?
- #;;
- restart|force-reload)
- #
- # If the "reload" option is implemented then remove the
- # 'force-reload' alias
- #
- log_daemon_msg "Restarting $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1)
- do_start
- case "$?" in
- 0) log_end_msg 0 ;;
- 1) log_end_msg 1 ;; # Old process is still running
- *) log_end_msg 1 ;; # Failed to start
- esac
- ;;
- *)
- # Failed to stop
- log_end_msg 1
- ;;
- esac
- ;;
- *)
- #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
- echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
- exit 3
- ;;
-esac
-
-:
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 4732fbd4b..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
-
- multiple_authentication = no
-
- syslog {
- daemon {
- tnc = 3
- imv = 2
- }
- }
- plugins {
- eap-ttls {
- phase2_method = md5
- phase2_piggyback = yes
- phase2_tnc = yes
- }
- }
-}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf
deleted file mode 100644
index 1238c1a91..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,64 +0,0 @@
-connections {
-
- rw-allow {
- local_addrs = 192.168.0.1
-
- local {
- auth = eap-ttls
- id = moon.strongswan.org
- }
- remote {
- auth = eap-ttls
- id = *@strongswan.org
- groups = allow
- }
- children {
- rw-allow {
- local_ts = 10.1.0.0/28
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-modp3072
- }
-
- rw-isolate {
- local_addrs = 192.168.0.1
-
- local {
- auth = eap-ttls
- id = moon.strongswan.org
- }
- remote {
- auth = eap-ttls
- id = *@strongswan.org
- groups = isolate
- }
- children {
- rw-isolate {
- local_ts = 10.1.0.16/28
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes128gcm16-modp3072
- }
- }
- version = 2
- send_certreq = no
- proposals = aes128-sha256-modp3072
- }
-}
-
-secrets {
-
- eap-carol {
- id = carol@strongswan.org
- secret = "Ar3etTnp"
- }
- eap-dave {
- id = dave@strongswan.org
- secret = "W7R0g3do"
- }
-}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/dummyimv.policy
deleted file mode 100644
index d00491fd7..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/dummyimv.policy
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/hostscannerimv.policy b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/hostscannerimv.policy
deleted file mode 100644
index d8215dd3c..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/hostscannerimv.policy
+++ /dev/null
@@ -1,40 +0,0 @@ -#FTP - File Transfer Protocol -TCP 20 = whatever -TCP 21 = close - -#SSH - Secure Shell -TCP 22 = whatever - -#Telnet -TCP 23 = close - -#E-Mail -# -#SMTP - Simple Mail Transfer Protocol -TCP 25 = close -TCP 587 = close -#POP3 - Post Office Protocol version 3 -TCP 110 = close -TCP 995 = close - -#DNS - Domain Name System -UDP 53 = close -TCP 53 = close - -#BOOTP/DHCP - Bootstrap Protocol / -#Dynamic Host Configuration Protocol -UDP 67 = close -#UDP 68 = open -UDP 68 = whatever - -#www - World Wide Web -#HTTP - Hypertext Transfer Protocol -TCP 80 = close -#HTTPS - Hypertext Transfer Protocol Secure -TCP 443 = close - -#examples -TCP 8080 = close -TCP 5223 = whatever -UDP 4444 = close -UDP 631 = whatever diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/log4cxx.properties deleted file mode 100644 index 122d798b3..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/log4cxx.properties +++ /dev/null @@ -1,15 +0,0 @@ -# Set root logger level to DEBUG and its appenders to A1 and A2. -log4j.rootLogger=DEBUG, A1, A2 - -# A1 is set to be a ConsoleAppender. -log4j.appender.A1=org.apache.log4j.ConsoleAppender -log4j.appender.A1.layout=org.apache.log4j.PatternLayout -log4j.appender.A1.layout.ConversionPattern=--[IMV] %m%n - -# A2 is set to be a SyslogAppender -log4j.appender.A2=org.apache.log4j.net.SyslogAppender -log4j.appender.A2.Facility=DAEMON -log4j.appender.A2.SyslogHost=localhost -log4j.appender.A2.Threshold=DEBUG -log4j.appender.A2.layout=org.apache.log4j.PatternLayout -log4j.appender.A2.layout.ConversionPattern=--[IMV] %m%n diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc_config deleted file mode 100644 index fa4324e38..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc_config +++ /dev/null 
@@ -1,3 +0,0 @@
-#IMV configuration file for strongSwan server
-
-IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/tnc/tnccs-20-fhh/posttest.dat b/testing/tests/tnc/tnccs-20-fhh/posttest.dat
deleted file mode 100644
index 199873ba1..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-carol::systemctl stop strongswan-swanctl
-dave::systemctl stop strongswan-swanctl
-moon::systemctl stop strongswan-swanctl
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-fhh/pretest.dat b/testing/tests/tnc/tnccs-20-fhh/pretest.dat
deleted file mode 100644
index 79340af29..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/pretest.dat
+++ /dev/null
@@ -1,20 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-moon::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::cat /etc/tnc/dummyimc.file
-dave::cat /etc/tnc/dummyimc.file
-carol::rm /etc/swanctl/rsa/*
-dave::rm /etc/swanctl/rsa/*
-carol::rm /etc/swanctl/x509/*
-dave::rm /etc/swanctl/x509/*
-moon::systemctl start strongswan-swanctl
-carol::systemctl start strongswan-swanctl
-dave::systemctl start strongswan-swanctl
-moon::expect-connection rw-allow
-carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
-dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-20-fhh/test.conf b/testing/tests/tnc/tnccs-20-fhh/test.conf
deleted file mode 100644
index f6db73912..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/test.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# Guest instances on which FreeRadius is started
-#
-RADIUSHOSTS=
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/000-default.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/000-default.conf
index 4075f75bd..cd5056e83 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/000-default.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/000-default.conf
@@ -9,13 +9,7 @@ WSGIPythonPath /var/www/tnc
-
- Require all granted
-
-
- Order deny,allow
- Allow from all
-
+ Require all granted
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default
deleted file mode 100644
index 1dc8b5688..000000000
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default
+++ /dev/null
@@ -1 +0,0 @@
-Include sites-available/000-default.conf
\ No newline at end of file
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf
index 4075f75bd..cd5056e83 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf
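Review bot: After the `@@ -9,13 +9,7 @@` hunk in the tnccs-20-pdp-eap 000-default.conf, `Require all granted` is the only access directive left in the block following `WSGIPythonPath /var/www/tnc`, and since the enclosing container tags were lost in extraction it is not visible here which directory it opens up. That directive exists only with Apache 2.4's mod_authz_core, whereas the removed `Order deny,allow` / `Allow from all` pair was the 2.2 fallback, so the file now silently hard-depends on httpd 2.4+. Unauthenticated access to the TNC WSGI application is presumably intended for this test host, but both facts deserve a line next to the directive, e.g. `# httpd 2.4+ only (mod_authz_core); intentionally grants anonymous access to the TNC test app`. The identical hunk in the tnccs-20-pdp-pt-tls 000-default.conf has the same gap.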
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf
@@ -9,13 +9,7 @@ WSGIPythonPath /var/www/tnc
-
- Require all granted
-
-
- Order deny,allow
- Allow from all
-
+ Require all granted
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default
deleted file mode 100644
index 1dc8b5688..000000000
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default
+++ /dev/null
@@ -1 +0,0 @@
-Include sites-available/000-default.conf
\ No newline at end of file
-- 
cgit v1.2.3