From 5dca9ea0e2931f0e2a056c7964d311bcc30a01b8 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Thu, 22 Oct 2015 11:43:58 +0200 Subject: Imported Upstream version 5.3.3 --- src/libstrongswan/settings/settings.h | 54 +++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) (limited to 'src/libstrongswan/settings/settings.h') diff --git a/src/libstrongswan/settings/settings.h b/src/libstrongswan/settings/settings.h index 3b87c8feb..4ef80d0f6 100644 --- a/src/libstrongswan/settings/settings.h +++ b/src/libstrongswan/settings/settings.h @@ -334,6 +334,50 @@ struct settings_t { bool (*load_files_section)(settings_t *this, char *pattern, bool merge, char *section, ...); + /** + * Load settings from the given string. + * + * If merge is TRUE, existing sections are extended, existing values + * replaced, by those found in the string. If it is FALSE, existing + * sections are purged before reading the new config. + * + * @note If the string contains _include_ statements they should be + * absolute paths. + * + * @note If any failures occur, no settings are added at all. So, it's all + * or nothing. + * + * @param settings string to parse + * @param merge TRUE to merge config with existing values + * @return TRUE, if settings were loaded successfully + */ + bool (*load_string)(settings_t *this, char *settings, bool merge); + + /** + * Load settings from the given string. + * + * If merge is TRUE, existing sections are extended, existing values + * replaced, by those found in the string. If it is FALSE, existing + * sections are purged before reading the new config. + * + * All settings are loaded relative to the given section. The section is + * created, if it does not yet exist. + * + * @note If the string contains _include_ statements they should be + * absolute paths. + * + * @note If any failures occur, no settings are added at all. So, it's all + * or nothing. + * + * @param settings string to parse + * @param merge TRUE to merge config with existing values + * @param section section name of parent section, printf style + * @param ... argument list for section + * @return TRUE, if settings were loaded successfully + */ + bool (*load_string_section)(settings_t *this, char *settings, bool merge, + char *section, ...); + /** * Destroy a settings instance. */ @@ -350,4 +394,14 @@ struct settings_t { */ settings_t *settings_create(char *file); +/** + * Load settings from a string. + * + * @note If parsing the file fails the object is still created. + * + * @param settings string to read settings from + * @return settings object, or NULL + */ +settings_t *settings_create_string(char *settings); + #endif /** SETTINGS_H_ @}*/ -- cgit v1.2.3 From 1e980d6be0ef0e243c6fe82b5e855454b97e24a4 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Wed, 18 Nov 2015 14:49:27 +0100 Subject: Imported Upstream version 5.3.4 --- Android.common.mk | 2 +- NEWS | 16 +- conf/options/charon-logging.conf | 5 + conf/options/charon-logging.opt | 4 + conf/options/charon.conf | 8 + conf/options/charon.opt | 8 + conf/strongswan.conf.5.main | 17 + config.h.in | 3 + configure | 75 +- configure.ac | 16 +- init/systemd/strongswan.service.in | 2 +- src/_updown/_updown.in | 31 + src/charon-cmd/charon-cmd.c | 12 +- src/charon-nm/charon-nm.c | 10 +- src/charon-systemd/charon-systemd.c | 10 +- src/charon-tkm/src/charon-tkm.c | 14 +- src/charon-tkm/src/tkm/tkm_kernel_ipsec.c | 7 +- src/charon-tkm/src/tkm/tkm_spi_generator.c | 98 +++ src/charon-tkm/src/tkm/tkm_spi_generator.h | 36 + src/charon/charon.c | 11 +- src/conftest/conftest.c | 10 +- src/include/Makefile.am | 2 +- src/include/Makefile.in | 2 +- src/include/linux/socket.h | 21 + src/ipsec/_ipsec.8 | 2 +- src/ipsec/_ipsec.in | 4 +- src/libcharon/Android.mk | 1 - src/libcharon/bus/listeners/file_logger.c | 32 +- src/libcharon/bus/listeners/file_logger.h | 7 +- src/libcharon/config/peer_cfg.c | 2 +- src/libcharon/daemon.c | 46 +- src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 115 ++- .../plugins/eap_radius/eap_radius_provider.c | 32 +- .../plugins/error_notify/error_notify_listener.c | 2 +- src/libcharon/plugins/ha/ha_child.c | 2 +- src/libcharon/plugins/ha/ha_dispatcher.c | 2 +- .../kernel_libipsec/kernel_libipsec_ipsec.c | 7 +- .../plugins/kernel_wfp/kernel_wfp_ipsec.c | 9 +- .../plugins/load_tester/load_tester_ipsec.c | 5 +- .../plugins/socket_default/socket_default_socket.c | 281 +++++--- .../plugins/socket_dynamic/socket_dynamic_socket.c | 94 ++- src/libcharon/plugins/stroke/stroke_config.c | 6 +- src/libcharon/plugins/stroke/stroke_control.c | 71 +- src/libcharon/plugins/stroke/stroke_list.c | 6 +- src/libcharon/plugins/vici/README.md | 21 +- src/libcharon/plugins/vici/vici_attribute.c | 28 +- src/libcharon/plugins/vici/vici_cred.c | 12 +- src/libcharon/plugins/vici/vici_query.c | 47 ++ .../processing/jobs/initiate_mediation_job.c | 4 + src/libcharon/sa/child_sa.c | 178 ++--- src/libcharon/sa/ike_sa_manager.c | 84 ++- src/libcharon/sa/ike_sa_manager.h | 21 +- src/libcharon/sa/ikev1/keymat_v1.c | 20 +- src/libcharon/sa/ikev1/task_manager_v1.c | 110 ++- src/libcharon/sa/ikev1/tasks/mode_config.c | 4 +- src/libcharon/sa/ikev1/tasks/quick_delete.c | 4 +- src/libcharon/sa/ikev1/tasks/quick_mode.c | 6 +- src/libcharon/sa/ikev1/tasks/xauth.c | 10 +- src/libcharon/sa/ikev2/keymat_v2.c | 1 + src/libcharon/sa/ikev2/tasks/child_create.c | 4 +- src/libcharon/sa/ikev2/tasks/child_delete.c | 4 +- src/libcharon/sa/ikev2/tasks/ike_mobike.c | 6 +- src/libcharon/sa/ikev2/tasks/ike_natd.c | 28 +- src/libcharon/sa/shunt_manager.c | 66 +- src/libcharon/sa/trap_manager.c | 2 + src/libfast/fast_dispatcher.c | 3 +- src/libhydra/Android.mk | 1 - src/libhydra/kernel/kernel_interface.c | 27 +- src/libhydra/kernel/kernel_interface.h | 53 +- src/libhydra/kernel/kernel_ipsec.c | 7 +- src/libhydra/kernel/kernel_ipsec.h | 23 +- src/libhydra/kernel/kernel_net.c | 7 +- .../plugins/kernel_netlink/kernel_netlink_ipsec.c | 81 +-- .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 19 +- src/libimcv/imv/data.sql | 48 ++ src/libipsec/Android.mk | 1 - src/libipsec/esp_context.c | 14 +- src/libstrongswan/Android.mk | 4 +- src/libstrongswan/AndroidConfigLocal.h | 22 - src/libstrongswan/Makefile.am | 14 +- src/libstrongswan/Makefile.in | 257 +++---- src/libstrongswan/asn1/oid.c | 511 +++++++------- src/libstrongswan/asn1/oid.h | 201 +++--- src/libstrongswan/asn1/oid.txt | 17 +- src/libstrongswan/credentials/auth_cfg.c | 6 +- src/libstrongswan/credentials/keys/public_key.c | 64 +- src/libstrongswan/credentials/keys/public_key.h | 20 +- src/libstrongswan/crypto/hashers/hasher.c | 75 +- src/libstrongswan/crypto/hashers/hasher.h | 4 + src/libstrongswan/crypto/iv/iv_gen.c | 5 + src/libstrongswan/crypto/iv/iv_gen_null.c | 63 ++ src/libstrongswan/crypto/iv/iv_gen_null.h | 32 + src/libstrongswan/plugins/bliss/bliss_plugin.c | 24 +- .../plugins/bliss/bliss_private_key.c | 12 +- src/libstrongswan/plugins/bliss/bliss_public_key.c | 12 +- .../plugins/bliss/tests/suites/test_bliss_sign.c | 10 +- src/libstrongswan/plugins/curl/curl_fetcher.c | 6 +- .../plugins/openssl/openssl_diffie_hellman.c | 1 + .../plugins/openssl/openssl_ec_diffie_hellman.c | 1 + .../plugins/openssl/openssl_rsa_private_key.c | 1 + .../plugins/openssl/openssl_rsa_public_key.c | 1 + src/libstrongswan/plugins/openssl/openssl_util.c | 1 + src/libstrongswan/plugins/plugin_loader.c | 17 +- src/libstrongswan/plugins/random/random_rng.c | 1 + .../plugins/revocation/revocation_validator.c | 2 +- src/libstrongswan/plugins/sha3/Makefile.am | 16 + src/libstrongswan/plugins/sha3/Makefile.in | 774 +++++++++++++++++++++ src/libstrongswan/plugins/sha3/sha3_hasher.c | 527 ++++++++++++++ src/libstrongswan/plugins/sha3/sha3_hasher.h | 48 ++ src/libstrongswan/plugins/sha3/sha3_plugin.c | 79 +++ src/libstrongswan/plugins/sha3/sha3_plugin.h | 42 ++ src/libstrongswan/plugins/test_vectors/Makefile.am | 1 + src/libstrongswan/plugins/test_vectors/Makefile.in | 11 +- .../plugins/test_vectors/test_vectors.h | 24 + .../plugins/test_vectors/test_vectors/sha3.c | 328 +++++++++ src/libstrongswan/plugins/x509/x509_ocsp_request.c | 4 +- src/libstrongswan/selectors/traffic_selector.c | 9 +- src/libstrongswan/settings/settings.c | 25 + src/libstrongswan/settings/settings.h | 9 + src/libstrongswan/tests/suites/test_hasher.c | 137 +++- .../tests/suites/test_identification.c | 1 + src/libstrongswan/tests/suites/test_settings.c | 24 + .../tests/suites/test_traffic_selector.c | 6 +- src/libstrongswan/tests/suites/test_utils.c | 6 +- src/libstrongswan/utils/compat/android.h | 31 + src/libstrongswan/utils/compat/windows.h | 5 + src/libstrongswan/utils/utils.c | 25 +- src/libstrongswan/utils/utils.h | 19 +- src/libtnccs/plugins/tnc_imc/tnc_imc.c | 8 +- src/libtnccs/plugins/tnc_imv/tnc_imv.c | 8 +- src/medsrv/Makefile.am | 4 +- src/medsrv/Makefile.in | 4 +- src/medsrv/templates/peer/add.cs | 2 +- src/medsrv/templates/peer/edit.cs | 2 +- src/medsrv/templates/static/mootools.js | 341 --------- src/medsrv/templates/static/script.js | 13 - src/medsrv/templates/static/style.css | 28 +- src/medsrv/templates/user/add.cs | 2 +- src/medsrv/templates/user/login.cs | 2 +- src/pki/commands/acert.c | 3 +- src/pki/commands/issue.c | 3 +- src/pki/commands/req.c | 3 +- src/pki/commands/self.c | 3 +- src/pki/commands/signcrl.c | 2 +- src/scepclient/scepclient.8 | 9 - src/swanctl/commands/list_pools.c | 32 +- src/swanctl/commands/list_sas.c | 12 +- testing/do-tests | 79 ++- testing/hosts/default/etc/strongswan.conf.testing | 7 + testing/hosts/winnetou/etc/openssl/generate-crl | 2 +- testing/scripts/build-strongswan | 14 + testing/scripts/recipes/010_tkm.mk | 2 +- testing/scripts/recipes/013_strongswan.mk | 5 +- testing/tests/af-alg/alg-camellia/pretest.dat | 3 +- testing/tests/af-alg/rw-cert/pretest.dat | 6 +- testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat | 2 +- testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat | 2 +- .../tests/gcrypt-ikev2/alg-camellia/pretest.dat | 3 +- testing/tests/gcrypt-ikev2/rw-cert/pretest.dat | 3 +- testing/tests/ha/active-passive/evaltest.dat | 2 +- testing/tests/ha/active-passive/pretest.dat | 5 +- testing/tests/ha/both-active/pretest.dat | 3 +- testing/tests/ike/rw-cert/pretest.dat | 4 +- testing/tests/ike/rw_v1-net_v2/pretest.dat | 4 +- testing/tests/ikev1/alg-3des-md5/pretest.dat | 2 +- testing/tests/ikev1/alg-blowfish/pretest.dat | 3 +- testing/tests/ikev1/alg-modp-subgroup/pretest.dat | 3 +- testing/tests/ikev1/alg-sha256/pretest.dat | 2 +- testing/tests/ikev1/alg-sha384/pretest.dat | 2 +- testing/tests/ikev1/alg-sha512/pretest.dat | 2 +- testing/tests/ikev1/compress/pretest.dat | 2 +- .../tests/ikev1/config-payload-push/pretest.dat | 4 +- testing/tests/ikev1/config-payload/pretest.dat | 4 +- testing/tests/ikev1/double-nat-net/pretest.dat | 3 +- testing/tests/ikev1/double-nat/pretest.dat | 3 +- testing/tests/ikev1/dpd-clear/description.txt | 2 +- testing/tests/ikev1/dpd-clear/evaltest.dat | 4 +- .../ikev1/dpd-clear/hosts/moon/etc/ipsec.conf | 4 +- testing/tests/ikev1/dpd-clear/pretest.dat | 2 +- testing/tests/ikev1/dpd-restart/description.txt | 6 +- testing/tests/ikev1/dpd-restart/evaltest.dat | 4 +- .../ikev1/dpd-restart/hosts/carol/etc/ipsec.conf | 4 +- testing/tests/ikev1/dpd-restart/pretest.dat | 2 +- testing/tests/ikev1/dynamic-initiator/posttest.dat | 1 - testing/tests/ikev1/dynamic-initiator/pretest.dat | 5 +- testing/tests/ikev1/dynamic-responder/posttest.dat | 1 - testing/tests/ikev1/dynamic-responder/pretest.dat | 7 +- testing/tests/ikev1/dynamic-two-peers/posttest.dat | 1 - testing/tests/ikev1/dynamic-two-peers/pretest.dat | 4 +- testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat | 2 +- testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat | 2 +- testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat | 2 +- testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat | 2 +- testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat | 2 +- testing/tests/ikev1/esp-alg-null/pretest.dat | 3 +- testing/tests/ikev1/host2host-ah/pretest.dat | 2 +- testing/tests/ikev1/host2host-cert/pretest.dat | 2 +- .../tests/ikev1/host2host-transport/pretest.dat | 2 +- .../ip-pool-db/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/ikev1/ip-pool-db/posttest.dat | 1 - testing/tests/ikev1/ip-pool-db/pretest.dat | 10 +- testing/tests/ikev1/ip-pool-db/test.conf | 4 + testing/tests/ikev1/ip-pool/pretest.dat | 4 +- .../tests/ikev1/multi-level-ca-cr-init/pretest.dat | 3 +- .../tests/ikev1/multi-level-ca-cr-resp/pretest.dat | 3 +- testing/tests/ikev1/multi-level-ca/pretest.dat | 5 +- testing/tests/ikev1/nat-rw/pretest.dat | 5 +- testing/tests/ikev1/nat-virtual-ip/pretest.dat | 3 +- testing/tests/ikev1/net2net-ah/pretest.dat | 4 +- testing/tests/ikev1/net2net-cert/pretest.dat | 4 +- .../tests/ikev1/net2net-fragmentation/pretest.dat | 4 +- testing/tests/ikev1/net2net-ntru-cert/pretest.dat | 2 +- testing/tests/ikev1/net2net-psk-fail/pretest.dat | 4 +- testing/tests/ikev1/net2net-psk/pretest.dat | 4 +- testing/tests/ikev1/protoport-dual/pretest.dat | 3 +- testing/tests/ikev1/rw-cert-aggressive/pretest.dat | 3 +- testing/tests/ikev1/rw-cert-unity/pretest.dat | 2 +- testing/tests/ikev1/rw-cert/pretest.dat | 4 +- .../hosts/dave/etc/strongswan.conf | 4 - testing/tests/ikev1/rw-initiator-only/pretest.dat | 3 +- testing/tests/ikev1/rw-ntru-psk/pretest.dat | 4 +- testing/tests/ikev1/rw-psk-aggressive/pretest.dat | 5 +- testing/tests/ikev1/rw-psk-fqdn/pretest.dat | 5 +- testing/tests/ikev1/rw-psk-ipv4/pretest.dat | 5 +- testing/tests/ikev1/virtual-ip/pretest.dat | 3 +- .../tests/ikev1/xauth-id-psk-config/pretest.dat | 3 +- .../ikev1/xauth-id-rsa-aggressive/pretest.dat | 3 +- .../tests/ikev1/xauth-id-rsa-config/pretest.dat | 3 +- .../tests/ikev1/xauth-id-rsa-hybrid/pretest.dat | 3 +- testing/tests/ikev1/xauth-psk/pretest.dat | 3 +- .../ikev1/xauth-rsa-eap-md5-radius/pretest.dat | 3 +- testing/tests/ikev1/xauth-rsa-radius/pretest.dat | 3 +- testing/tests/ikev1/xauth-rsa/pretest.dat | 3 +- testing/tests/ikev2/acert-cached/evaltest.dat | 2 +- testing/tests/ikev2/acert-cached/pretest.dat | 3 +- testing/tests/ikev2/acert-fallback/evaltest.dat | 2 +- testing/tests/ikev2/acert-fallback/pretest.dat | 2 +- testing/tests/ikev2/acert-inline/evaltest.dat | 2 +- testing/tests/ikev2/acert-inline/pretest.dat | 3 +- testing/tests/ikev2/after-2038-certs/pretest.dat | 2 +- testing/tests/ikev2/alg-3des-md5/pretest.dat | 2 +- testing/tests/ikev2/alg-aes-ccm/pretest.dat | 2 +- testing/tests/ikev2/alg-aes-ctr/pretest.dat | 2 +- testing/tests/ikev2/alg-aes-gcm/pretest.dat | 2 +- testing/tests/ikev2/alg-aes-xcbc/pretest.dat | 2 +- testing/tests/ikev2/alg-blowfish/pretest.dat | 3 +- .../tests/ikev2/alg-chacha20poly1305/pretest.dat | 2 +- testing/tests/ikev2/alg-modp-subgroup/pretest.dat | 3 +- testing/tests/ikev2/alg-sha256-96/pretest.dat | 2 +- testing/tests/ikev2/alg-sha256/pretest.dat | 2 +- testing/tests/ikev2/alg-sha384/pretest.dat | 2 +- testing/tests/ikev2/alg-sha512/pretest.dat | 2 +- testing/tests/ikev2/any-interface/pretest.dat | 9 +- testing/tests/ikev2/compress/pretest.dat | 2 +- .../tests/ikev2/config-payload-swapped/pretest.dat | 4 +- testing/tests/ikev2/config-payload/pretest.dat | 4 +- testing/tests/ikev2/critical-extension/pretest.dat | 2 +- testing/tests/ikev2/crl-from-cache/pretest.dat | 2 +- testing/tests/ikev2/crl-ldap/pretest.dat | 3 +- testing/tests/ikev2/crl-revoked/pretest.dat | 2 +- testing/tests/ikev2/crl-to-cache/pretest.dat | 2 +- testing/tests/ikev2/default-keys/pretest.dat | 4 +- testing/tests/ikev2/dhcp-dynamic/pretest.dat | 4 +- .../tests/ikev2/dhcp-static-client-id/pretest.dat | 4 +- testing/tests/ikev2/dhcp-static-mac/pretest.dat | 4 +- testing/tests/ikev2/double-nat-net/pretest.dat | 3 +- testing/tests/ikev2/double-nat/pretest.dat | 3 +- testing/tests/ikev2/dpd-clear/description.txt | 2 +- testing/tests/ikev2/dpd-clear/evaltest.dat | 4 +- testing/tests/ikev2/dpd-clear/pretest.dat | 2 +- testing/tests/ikev2/dpd-hold/evaltest.dat | 8 +- testing/tests/ikev2/dpd-hold/pretest.dat | 2 +- testing/tests/ikev2/dpd-restart/evaltest.dat | 6 +- testing/tests/ikev2/dpd-restart/pretest.dat | 2 +- .../tests/ikev2/dynamic-initiator/description.txt | 6 +- testing/tests/ikev2/dynamic-initiator/posttest.dat | 1 - testing/tests/ikev2/dynamic-initiator/pretest.dat | 5 +- testing/tests/ikev2/dynamic-two-peers/posttest.dat | 1 - testing/tests/ikev2/dynamic-two-peers/pretest.dat | 4 +- testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat | 2 +- testing/tests/ikev2/esp-alg-md5-128/pretest.dat | 3 +- testing/tests/ikev2/esp-alg-null/pretest.dat | 3 +- testing/tests/ikev2/esp-alg-sha1-160/pretest.dat | 3 +- testing/tests/ikev2/farp/pretest.dat | 4 +- testing/tests/ikev2/force-udp-encaps/pretest.dat | 4 +- testing/tests/ikev2/forecast/pretest.dat | 4 +- testing/tests/ikev2/host2host-ah/pretest.dat | 2 +- testing/tests/ikev2/host2host-cert/pretest.dat | 2 +- testing/tests/ikev2/host2host-swapped/pretest.dat | 2 +- .../tests/ikev2/host2host-transport/pretest.dat | 2 +- .../tests/ikev2/inactivity-timeout/evaltest.dat | 4 +- testing/tests/ikev2/inactivity-timeout/pretest.dat | 3 +- .../ip-pool-db/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/ikev2/ip-pool-db/posttest.dat | 1 - testing/tests/ikev2/ip-pool-db/pretest.dat | 10 +- testing/tests/ikev2/ip-pool-db/test.conf | 4 + testing/tests/ikev2/ip-pool-wish/pretest.dat | 4 +- testing/tests/ikev2/ip-pool/pretest.dat | 4 +- .../hosts/moon/etc/strongswan.conf | 2 +- testing/tests/ikev2/ip-split-pools-db/posttest.dat | 1 - testing/tests/ikev2/ip-split-pools-db/pretest.dat | 8 +- testing/tests/ikev2/ip-split-pools-db/test.conf | 4 + .../ip-two-pools-db/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/ikev2/ip-two-pools-db/posttest.dat | 1 - testing/tests/ikev2/ip-two-pools-db/pretest.dat | 12 +- testing/tests/ikev2/ip-two-pools-db/test.conf | 4 + .../hosts/moon/etc/strongswan.conf | 2 +- .../tests/ikev2/ip-two-pools-mixed/posttest.dat | 1 - testing/tests/ikev2/ip-two-pools-mixed/pretest.dat | 10 +- testing/tests/ikev2/ip-two-pools-mixed/test.conf | 4 + .../hosts/moon/etc/strongswan.conf | 2 +- .../tests/ikev2/ip-two-pools-v4v6-db/posttest.dat | 1 - .../tests/ikev2/ip-two-pools-v4v6-db/pretest.dat | 6 +- testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf | 4 + testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat | 2 +- testing/tests/ikev2/ip-two-pools/posttest.dat | 1 - testing/tests/ikev2/ip-two-pools/pretest.dat | 4 +- testing/tests/ikev2/lookip/pretest.dat | 4 +- .../mobike-nat/hosts/alice/etc/iptables.rules | 6 +- testing/tests/ikev2/mobike-nat/pretest.dat | 3 +- .../hosts/alice/etc/iptables.rules | 4 + testing/tests/ikev2/mobike-virtual-ip/pretest.dat | 3 +- .../ikev2/mobike/hosts/alice/etc/iptables.rules | 4 + testing/tests/ikev2/mobike/pretest.dat | 3 +- .../ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat | 2 +- .../ikev2/mult-auth-rsa-eap-sim-id/pretest.dat | 4 +- .../tests/ikev2/multi-level-ca-cr-init/pretest.dat | 3 +- .../tests/ikev2/multi-level-ca-cr-resp/pretest.dat | 3 +- .../tests/ikev2/multi-level-ca-ldap/pretest.dat | 7 +- .../tests/ikev2/multi-level-ca-loop/pretest.dat | 2 +- .../tests/ikev2/multi-level-ca-pathlen/pretest.dat | 4 +- .../tests/ikev2/multi-level-ca-revoked/pretest.dat | 2 +- .../tests/ikev2/multi-level-ca-strict/pretest.dat | 5 +- testing/tests/ikev2/multi-level-ca/posttest.dat | 1 - testing/tests/ikev2/multi-level-ca/pretest.dat | 5 +- testing/tests/ikev2/nat-rw-mark/pretest.dat | 5 +- testing/tests/ikev2/nat-rw-psk/pretest.dat | 5 +- testing/tests/ikev2/nat-rw/pretest.dat | 5 +- testing/tests/ikev2/nat-virtual-ip/pretest.dat | 3 +- testing/tests/ikev2/net2net-ah/pretest.dat | 2 +- testing/tests/ikev2/net2net-cert-sha2/pretest.dat | 2 +- testing/tests/ikev2/net2net-cert/pretest.dat | 2 +- testing/tests/ikev2/net2net-dnscert/pretest.dat | 2 +- testing/tests/ikev2/net2net-dnssec/pretest.dat | 2 +- testing/tests/ikev2/net2net-esn/pretest.dat | 2 +- .../tests/ikev2/net2net-ntru-bandwidth/pretest.dat | 2 +- testing/tests/ikev2/net2net-ntru-cert/pretest.dat | 2 +- testing/tests/ikev2/net2net-pgp-v3/pretest.dat | 2 +- testing/tests/ikev2/net2net-pgp-v4/pretest.dat | 2 +- testing/tests/ikev2/net2net-pkcs12/pretest.dat | 2 +- testing/tests/ikev2/net2net-psk-dscp/pretest.dat | 5 +- testing/tests/ikev2/net2net-psk-fail/pretest.dat | 2 +- testing/tests/ikev2/net2net-psk/pretest.dat | 2 +- testing/tests/ikev2/net2net-rfc3779/pretest.dat | 3 +- testing/tests/ikev2/net2net-route/pretest.dat | 4 +- testing/tests/ikev2/net2net-rsa/pretest.dat | 2 +- testing/tests/ikev2/net2net-same-nets/pretest.dat | 2 +- testing/tests/ikev2/net2net-start/pretest.dat | 3 +- testing/tests/ikev2/ocsp-local-cert/pretest.dat | 2 +- testing/tests/ikev2/ocsp-multi-level/pretest.dat | 3 +- .../tests/ikev2/ocsp-no-signer-cert/pretest.dat | 4 +- testing/tests/ikev2/ocsp-revoked/pretest.dat | 2 +- testing/tests/ikev2/ocsp-root-cert/pretest.dat | 2 +- testing/tests/ikev2/ocsp-signer-cert/pretest.dat | 2 +- testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat | 2 +- testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat | 3 +- .../tests/ikev2/ocsp-timeouts-good/description.txt | 2 +- .../tests/ikev2/ocsp-timeouts-good/evaltest.dat | 4 +- .../hosts/winnetou/etc/openssl/ocsp/ocsp.cgi | 2 +- testing/tests/ikev2/ocsp-timeouts-good/pretest.dat | 2 +- .../tests/ikev2/ocsp-timeouts-unknown/evaltest.dat | 2 +- .../tests/ikev2/ocsp-timeouts-unknown/pretest.dat | 6 +- .../tests/ikev2/ocsp-untrusted-cert/pretest.dat | 4 +- testing/tests/ikev2/protoport-dual/pretest.dat | 3 +- testing/tests/ikev2/protoport-route/pretest.dat | 6 +- testing/tests/ikev2/reauth-early/pretest.dat | 2 +- testing/tests/ikev2/reauth-late/pretest.dat | 2 +- .../tests/ikev2/reauth-mbb-virtual-ip/pretest.dat | 2 +- testing/tests/ikev2/reauth-mbb/pretest.dat | 2 +- .../ikev2/rw-cert/hosts/carol/etc/strongswan.conf | 2 +- .../ikev2/rw-cert/hosts/dave/etc/strongswan.conf | 2 +- .../ikev2/rw-cert/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/ikev2/rw-cert/pretest.dat | 4 +- testing/tests/ikev2/rw-dnssec/pretest.dat | 4 +- testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat | 3 +- testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat | 3 +- testing/tests/ikev2/rw-eap-dynamic/pretest.dat | 4 +- .../ikev2/rw-eap-framed-ip-radius/pretest.dat | 8 +- .../ikev2/rw-eap-md5-class-radius/pretest.dat | 6 +- .../tests/ikev2/rw-eap-md5-id-prompt/pretest.dat | 3 +- .../tests/ikev2/rw-eap-md5-id-radius/pretest.dat | 3 +- testing/tests/ikev2/rw-eap-md5-radius/pretest.dat | 3 +- testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat | 3 +- .../tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat | 3 +- testing/tests/ikev2/rw-eap-peap-md5/pretest.dat | 4 +- .../tests/ikev2/rw-eap-peap-mschapv2/pretest.dat | 4 +- testing/tests/ikev2/rw-eap-peap-radius/pretest.dat | 4 +- .../tests/ikev2/rw-eap-sim-id-radius/pretest.dat | 3 +- .../ikev2/rw-eap-sim-only-radius/evaltest.dat | 2 +- .../tests/ikev2/rw-eap-sim-only-radius/pretest.dat | 4 +- testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat | 2 +- testing/tests/ikev2/rw-eap-sim-radius/pretest.dat | 4 +- testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat | 3 +- .../tests/ikev2/rw-eap-tls-fragments/pretest.dat | 3 +- testing/tests/ikev2/rw-eap-tls-only/pretest.dat | 3 +- testing/tests/ikev2/rw-eap-tls-radius/pretest.dat | 3 +- testing/tests/ikev2/rw-eap-ttls-only/pretest.dat | 4 +- .../ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat | 4 +- testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat | 4 +- testing/tests/ikev2/rw-hash-and-url/pretest.dat | 3 +- .../hosts/dave/etc/strongswan.conf | 4 - testing/tests/ikev2/rw-initiator-only/pretest.dat | 3 +- testing/tests/ikev2/rw-mark-in-out/pretest.dat | 11 +- testing/tests/ikev2/rw-ntru-bliss/evaltest.dat | 8 +- .../ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf | 1 + .../rw-ntru-bliss/hosts/carol/etc/strongswan.conf | 2 +- .../ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf | 1 + .../rw-ntru-bliss/hosts/dave/etc/strongswan.conf | 2 +- .../ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf | 1 + .../rw-ntru-bliss/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/ikev2/rw-ntru-bliss/pretest.dat | 4 +- testing/tests/ikev2/rw-ntru-psk/pretest.dat | 4 +- testing/tests/ikev2/rw-pkcs8/pretest.dat | 3 +- testing/tests/ikev2/rw-psk-fqdn/pretest.dat | 3 +- testing/tests/ikev2/rw-psk-ipv4/pretest.dat | 3 +- testing/tests/ikev2/rw-psk-no-idr/pretest.dat | 3 +- testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat | 3 +- testing/tests/ikev2/rw-psk-rsa-split/pretest.dat | 3 +- .../tests/ikev2/rw-radius-accounting/pretest.dat | 3 +- testing/tests/ikev2/rw-sig-auth/pretest.dat | 6 +- testing/tests/ikev2/rw-whitelist/evaltest.dat | 2 +- testing/tests/ikev2/strong-keys-certs/pretest.dat | 4 +- testing/tests/ikev2/trap-any/evaltest.dat | 10 +- testing/tests/ikev2/two-certs/pretest.dat | 4 +- .../tests/ikev2/virtual-ip-override/pretest.dat | 3 +- testing/tests/ikev2/virtual-ip/pretest.dat | 3 +- testing/tests/ikev2/wildcards/pretest.dat | 5 +- .../hosts/sun/etc/ipsec.conf | 2 +- .../hosts/sun/etc/ipsec.conf | 2 +- testing/tests/ipv6/rw-compress-ikev2/evaltest.dat | 3 +- testing/tests/libipsec/host2host-cert/pretest.dat | 2 +- testing/tests/libipsec/net2net-3des/pretest.dat | 2 +- testing/tests/libipsec/net2net-cert/pretest.dat | 2 +- .../tests/libipsec/net2net-null/description.txt | 11 + testing/tests/libipsec/net2net-null/evaltest.dat | 11 + .../net2net-null/hosts/moon/etc/ipsec.conf | 24 + .../net2net-null/hosts/moon/etc/strongswan.conf | 6 + .../libipsec/net2net-null/hosts/moon/etc/updown | 566 +++++++++++++++ .../libipsec/net2net-null/hosts/sun/etc/ipsec.conf | 24 + .../net2net-null/hosts/sun/etc/strongswan.conf | 6 + .../libipsec/net2net-null/hosts/sun/etc/updown | 566 +++++++++++++++ testing/tests/libipsec/net2net-null/posttest.dat | 4 + testing/tests/libipsec/net2net-null/pretest.dat | 6 + testing/tests/libipsec/net2net-null/test.conf | 21 + testing/tests/libipsec/rw-suite-b/pretest.dat | 4 +- .../tests/openssl-ikev1/alg-camellia/pretest.dat | 3 +- .../tests/openssl-ikev1/alg-ecp-high/pretest.dat | 3 +- .../tests/openssl-ikev1/alg-ecp-low/pretest.dat | 3 +- .../tests/openssl-ikev1/ecdsa-certs/pretest.dat | 3 +- .../tests/openssl-ikev2/alg-aes-gcm/pretest.dat | 3 +- .../tests/openssl-ikev2/alg-blowfish/pretest.dat | 3 +- .../tests/openssl-ikev2/alg-camellia/pretest.dat | 3 +- .../alg-ecp-brainpool-high/pretest.dat | 3 +- .../alg-ecp-brainpool-low/pretest.dat | 3 +- .../tests/openssl-ikev2/alg-ecp-high/pretest.dat | 3 +- .../tests/openssl-ikev2/alg-ecp-low/pretest.dat | 3 +- .../openssl-ikev2/critical-extension/pretest.dat | 2 +- .../tests/openssl-ikev2/ecdsa-certs/pretest.dat | 3 +- .../tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat | 3 +- .../tests/openssl-ikev2/net2net-pgp-v3/pretest.dat | 2 +- .../tests/openssl-ikev2/net2net-pkcs12/pretest.dat | 2 +- testing/tests/openssl-ikev2/rw-cert/pretest.dat | 5 +- .../openssl-ikev2/rw-eap-tls-only/pretest.dat | 3 +- .../rw-suite-b-128/hosts/dave/etc/strongswan.conf | 3 - .../tests/openssl-ikev2/rw-suite-b-128/pretest.dat | 4 +- .../rw-suite-b-192/hosts/dave/etc/strongswan.conf | 3 - .../tests/openssl-ikev2/rw-suite-b-192/pretest.dat | 4 +- testing/tests/p2pnat/behind-same-nat/pretest.dat | 4 +- testing/tests/p2pnat/medsrv-psk/pretest.dat | 4 +- testing/tests/pfkey/alg-aes-xcbc/pretest.dat | 2 +- testing/tests/pfkey/alg-sha384/pretest.dat | 2 +- testing/tests/pfkey/alg-sha512/pretest.dat | 2 +- testing/tests/pfkey/compress/pretest.dat | 2 +- testing/tests/pfkey/esp-alg-null/pretest.dat | 2 +- .../tests/pfkey/host2host-transport/pretest.dat | 2 +- testing/tests/pfkey/nat-rw/pretest.dat | 5 +- testing/tests/pfkey/net2net-route/pretest.dat | 4 +- testing/tests/pfkey/protoport-dual/pretest.dat | 3 +- testing/tests/pfkey/protoport-route/pretest.dat | 6 +- testing/tests/pfkey/rw-cert/pretest.dat | 4 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 4 +- testing/tests/sql/ip-pool-db-expired/posttest.dat | 4 - testing/tests/sql/ip-pool-db-expired/pretest.dat | 15 +- testing/tests/sql/ip-pool-db-expired/test.conf | 4 + .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 4 +- testing/tests/sql/ip-pool-db-restart/posttest.dat | 4 - testing/tests/sql/ip-pool-db-restart/pretest.dat | 16 +- testing/tests/sql/ip-pool-db-restart/test.conf | 4 + .../sql/ip-pool-db/hosts/carol/etc/strongswan.conf | 2 +- .../sql/ip-pool-db/hosts/dave/etc/strongswan.conf | 2 +- .../sql/ip-pool-db/hosts/moon/etc/strongswan.conf | 4 +- testing/tests/sql/ip-pool-db/posttest.dat | 7 +- testing/tests/sql/ip-pool-db/pretest.dat | 16 +- testing/tests/sql/ip-pool-db/test.conf | 4 + .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 4 +- .../sql/ip-split-pools-db-restart/posttest.dat | 4 - .../sql/ip-split-pools-db-restart/pretest.dat | 16 +- .../tests/sql/ip-split-pools-db-restart/test.conf | 4 + .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 4 +- testing/tests/sql/ip-split-pools-db/posttest.dat | 4 - testing/tests/sql/ip-split-pools-db/pretest.dat | 16 +- testing/tests/sql/ip-split-pools-db/test.conf | 4 + .../multi-level-ca/hosts/carol/etc/strongswan.conf | 2 +- .../multi-level-ca/hosts/dave/etc/strongswan.conf | 2 +- .../multi-level-ca/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/sql/multi-level-ca/posttest.dat | 4 - testing/tests/sql/multi-level-ca/pretest.dat | 15 +- testing/tests/sql/multi-level-ca/test.conf | 4 + .../net2net-cert/hosts/moon/etc/strongswan.conf | 2 +- .../sql/net2net-cert/hosts/sun/etc/strongswan.conf | 2 +- testing/tests/sql/net2net-cert/posttest.dat | 2 - testing/tests/sql/net2net-cert/pretest.dat | 10 +- testing/tests/sql/net2net-cert/test.conf | 6 +- .../sql/net2net-psk/hosts/moon/etc/strongswan.conf | 2 +- .../sql/net2net-psk/hosts/sun/etc/strongswan.conf | 2 +- testing/tests/sql/net2net-psk/posttest.dat | 2 - testing/tests/sql/net2net-psk/pretest.dat | 10 +- testing/tests/sql/net2net-psk/test.conf | 6 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/sun/etc/strongswan.conf | 2 +- testing/tests/sql/net2net-route-pem/posttest.dat | 2 - testing/tests/sql/net2net-route-pem/pretest.dat | 14 +- testing/tests/sql/net2net-route-pem/test.conf | 6 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/sun/etc/strongswan.conf | 2 +- testing/tests/sql/net2net-start-pem/posttest.dat | 2 - testing/tests/sql/net2net-start-pem/pretest.dat | 10 +- testing/tests/sql/net2net-start-pem/test.conf | 6 +- .../sql/rw-cert/hosts/carol/etc/strongswan.conf | 2 +- .../sql/rw-cert/hosts/dave/etc/strongswan.conf | 2 +- .../sql/rw-cert/hosts/moon/etc/strongswan.conf | 5 +- testing/tests/sql/rw-cert/posttest.dat | 4 - testing/tests/sql/rw-cert/pretest.dat | 15 +- testing/tests/sql/rw-cert/test.conf | 4 + .../rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf | 2 +- .../rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/sql/rw-eap-aka-rsa/posttest.dat | 3 - testing/tests/sql/rw-eap-aka-rsa/pretest.dat | 10 +- testing/tests/sql/rw-eap-aka-rsa/test.conf | 4 + .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf | 2 +- .../sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf | 2 +- .../sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/sql/rw-psk-ipv4/posttest.dat | 4 - testing/tests/sql/rw-psk-ipv4/pretest.dat | 15 +- testing/tests/sql/rw-psk-ipv4/test.conf | 4 + .../rw-psk-ipv6/hosts/carol/etc/strongswan.conf | 2 +- .../sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf | 2 +- .../sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/sql/rw-psk-ipv6/posttest.dat | 3 - testing/tests/sql/rw-psk-ipv6/pretest.dat | 15 +- testing/tests/sql/rw-psk-ipv6/test.conf | 4 + .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- testing/tests/sql/rw-psk-rsa-split/posttest.dat | 4 - testing/tests/sql/rw-psk-rsa-split/pretest.dat | 15 +- testing/tests/sql/rw-psk-rsa-split/test.conf | 4 + .../rw-rsa-keyid/hosts/carol/etc/strongswan.conf | 2 +- .../rw-rsa-keyid/hosts/dave/etc/strongswan.conf | 2 +- .../rw-rsa-keyid/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/sql/rw-rsa-keyid/posttest.dat | 4 - testing/tests/sql/rw-rsa-keyid/pretest.dat | 15 +- testing/tests/sql/rw-rsa-keyid/test.conf | 4 + .../sql/rw-rsa/hosts/carol/etc/strongswan.conf | 2 +- .../sql/rw-rsa/hosts/dave/etc/strongswan.conf | 2 +- .../sql/rw-rsa/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/sql/rw-rsa/posttest.dat | 4 - testing/tests/sql/rw-rsa/pretest.dat | 15 +- testing/tests/sql/rw-rsa/test.conf | 4 + .../hosts/alice/etc/strongswan.conf | 2 +- .../hosts/sun/etc/strongswan.conf | 4 +- .../hosts/venus/etc/strongswan.conf | 2 +- .../tests/sql/shunt-policies-nat-rw/posttest.dat | 3 - .../tests/sql/shunt-policies-nat-rw/pretest.dat | 12 +- testing/tests/sql/shunt-policies-nat-rw/test.conf | 4 + .../ip-pool-db/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/swanctl/ip-pool-db/pretest.dat | 4 +- testing/tests/swanctl/ip-pool-db/test.conf | 4 + testing/tests/swanctl/ip-pool/evaltest.dat | 2 + testing/tests/tnc/tnccs-11-fhh/evaltest.dat | 4 +- testing/tests/tnc/tnccs-11-fhh/pretest.dat | 5 +- .../tests/tnc/tnccs-11-radius-block/evaltest.dat | 2 +- .../tests/tnc/tnccs-11-radius-block/pretest.dat | 4 +- testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat | 4 +- .../hosts/alice/etc/strongswan.conf | 4 +- .../hosts/dave/etc/strongswan.conf | 2 + testing/tests/tnc/tnccs-11-radius-pts/posttest.dat | 1 - testing/tests/tnc/tnccs-11-radius-pts/pretest.dat | 6 +- testing/tests/tnc/tnccs-11-radius-pts/test.conf | 3 + testing/tests/tnc/tnccs-11-radius/evaltest.dat | 4 +- testing/tests/tnc/tnccs-11-radius/pretest.dat | 4 +- testing/tests/tnc/tnccs-11-supplicant/pretest.dat | 2 +- testing/tests/tnc/tnccs-11/evaltest.dat | 4 +- testing/tests/tnc/tnccs-11/pretest.dat | 4 +- testing/tests/tnc/tnccs-20-block/evaltest.dat | 2 +- testing/tests/tnc/tnccs-20-block/pretest.dat | 4 +- .../tests/tnc/tnccs-20-client-retry/evaltest.dat | 4 +- .../tests/tnc/tnccs-20-client-retry/pretest.dat | 8 +- testing/tests/tnc/tnccs-20-fail-init/pretest.dat | 5 +- testing/tests/tnc/tnccs-20-fail-resp/pretest.dat | 4 +- testing/tests/tnc/tnccs-20-fhh/evaltest.dat | 4 +- testing/tests/tnc/tnccs-20-fhh/pretest.dat | 9 +- .../alice/etc/apache2/sites-available/default | 26 - .../tnccs-20-hcd-eap/hosts/alice/etc/pts/data1.sql | 61 -- .../hosts/alice/etc/strongTNC/settings.ini | 19 - .../hosts/alice/etc/strongswan.conf | 9 +- testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat | 4 +- testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat | 2 +- .../tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat | 4 +- testing/tests/tnc/tnccs-20-os-pts/evaltest.dat | 4 +- .../tnccs-20-os-pts/hosts/dave/etc/strongswan.conf | 2 + .../tnccs-20-os-pts/hosts/moon/etc/strongswan.conf | 4 +- testing/tests/tnc/tnccs-20-os-pts/posttest.dat | 1 - testing/tests/tnc/tnccs-20-os-pts/pretest.dat | 6 +- testing/tests/tnc/tnccs-20-os-pts/test.conf | 5 +- testing/tests/tnc/tnccs-20-os/evaltest.dat | 4 +- .../tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf | 4 +- testing/tests/tnc/tnccs-20-os/posttest.dat | 1 - testing/tests/tnc/tnccs-20-os/pretest.dat | 2 +- testing/tests/tnc/tnccs-20-os/test.conf | 5 +- testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat | 4 +- .../hosts/alice/etc/strongTNC/settings.ini | 2 +- .../hosts/alice/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 + .../hosts/dave/etc/strongswan.conf | 4 +- testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat | 1 - testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat | 7 +- testing/tests/tnc/tnccs-20-pdp-eap/test.conf | 4 +- .../hosts/alice/etc/strongTNC/settings.ini | 2 +- .../hosts/alice/etc/strongswan.conf | 2 +- testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat | 1 - testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat | 7 +- testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf | 5 +- testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat | 4 +- .../hosts/dave/etc/strongswan.conf | 2 + .../hosts/moon/etc/strongswan.conf | 4 +- testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat | 1 - testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat | 6 +- testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf | 4 +- testing/tests/tnc/tnccs-20-pts/evaltest.dat | 4 +- .../tnccs-20-pts/hosts/dave/etc/strongswan.conf | 2 + .../tnccs-20-pts/hosts/moon/etc/strongswan.conf | 6 +- testing/tests/tnc/tnccs-20-pts/posttest.dat | 1 - testing/tests/tnc/tnccs-20-pts/pretest.dat | 6 +- testing/tests/tnc/tnccs-20-pts/test.conf | 4 +- .../tests/tnc/tnccs-20-server-retry/evaltest.dat | 4 +- .../tests/tnc/tnccs-20-server-retry/pretest.dat | 8 +- testing/tests/tnc/tnccs-20-tls/evaltest.dat | 4 +- testing/tests/tnc/tnccs-20-tls/pretest.dat | 4 +- testing/tests/tnc/tnccs-20/evaltest.dat | 4 +- testing/tests/tnc/tnccs-20/pretest.dat | 8 +- testing/tests/tnc/tnccs-dynamic/evaltest.dat | 4 +- testing/tests/tnc/tnccs-dynamic/pretest.dat | 4 +- 671 files changed, 6798 insertions(+), 2616 deletions(-) create mode 100644 src/charon-tkm/src/tkm/tkm_spi_generator.c create mode 100644 src/charon-tkm/src/tkm/tkm_spi_generator.h create mode 100644 src/include/linux/socket.h delete mode 100644 src/libstrongswan/AndroidConfigLocal.h create mode 100644 src/libstrongswan/crypto/iv/iv_gen_null.c create mode 100644 src/libstrongswan/crypto/iv/iv_gen_null.h create mode 100644 src/libstrongswan/plugins/sha3/Makefile.am create mode 100644 src/libstrongswan/plugins/sha3/Makefile.in create mode 100644 src/libstrongswan/plugins/sha3/sha3_hasher.c create mode 100644 src/libstrongswan/plugins/sha3/sha3_hasher.h create mode 100644 src/libstrongswan/plugins/sha3/sha3_plugin.c create mode 100644 src/libstrongswan/plugins/sha3/sha3_plugin.h create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/sha3.c create mode 100644 src/libstrongswan/utils/compat/android.h delete mode 100644 src/medsrv/templates/static/mootools.js delete mode 100644 src/medsrv/templates/static/script.js create mode 100644 testing/hosts/default/etc/strongswan.conf.testing create mode 100644 testing/tests/libipsec/net2net-null/description.txt create mode 100644 testing/tests/libipsec/net2net-null/evaltest.dat create mode 100644 testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/libipsec/net2net-null/hosts/moon/etc/updown create mode 100644 testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf create mode 100755 testing/tests/libipsec/net2net-null/hosts/sun/etc/updown create mode 100644 testing/tests/libipsec/net2net-null/posttest.dat create mode 100644 testing/tests/libipsec/net2net-null/pretest.dat create mode 100644 testing/tests/libipsec/net2net-null/test.conf delete mode 100644 testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/apache2/sites-available/default delete mode 100644 testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/pts/data1.sql delete mode 100644 testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongTNC/settings.ini (limited to 'src/libstrongswan/settings/settings.h') diff --git a/Android.common.mk b/Android.common.mk index 33b993e8e..baeeb36e1 100644 --- a/Android.common.mk +++ b/Android.common.mk @@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \ ) # strongSwan version, replaced by top Makefile -strongswan_VERSION := "5.3.3" +strongswan_VERSION := "5.3.4" diff --git a/NEWS b/NEWS index 0940dff9c..4674e52e6 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,17 @@ +strongswan-5.3.4 +---------------- + +- Fixed an authentication bypass vulnerability in the eap-mschapv2 plugin that + was caused by insufficient verification of the internal state when handling + MSCHAPv2 Success messages received by the client. + This vulnerability has been registered as CVE-2015-8023. + +- The sha3 plugin implements the SHA3 Keccak-F1600 hash algorithm family. + Within the strongSwan framework SHA3 is currently used for BLISS signatures + only because the OIDs for other signature algorithms haven't been defined + yet. Also the use of SHA3 for IKEv2 has not been standardized yet. + + strongswan-5.3.3 ---------------- @@ -37,7 +51,7 @@ strongswan-5.3.3 since 5.0.0) and packets that have the flag set incorrectly are again ignored. - Implemented a demo Hardcopy Device IMC/IMV pair based on the "Hardcopy - Device Health Assessment Trusted Network Connect Binding" (HCD-TNC) + Device Health Assessment Trusted Network Connect Binding" (HCD-TNC) document drafted by the IEEE Printer Working Group (PWG). - Fixed IF-M segmentation which failed in the presence of multiple small diff --git a/conf/options/charon-logging.conf b/conf/options/charon-logging.conf index c91421dea..454405985 100644 --- a/conf/options/charon-logging.conf +++ b/conf/options/charon-logging.conf @@ -25,6 +25,11 @@ charon { # numerical identifier for each IKE_SA. # ike_name = no + # Adds the milliseconds within the current second after the + # timestamp (separated by a dot, so time_format should end with %S + # or %T). + # time_add_ms = no + # Prefix each log entry with a timestamp. The option accepts a # format string as passed to strftime(3). # time_format = diff --git a/conf/options/charon-logging.opt b/conf/options/charon-logging.opt index b437a9cc3..2bbb5dce4 100644 --- a/conf/options/charon-logging.opt +++ b/conf/options/charon-logging.opt @@ -28,6 +28,10 @@ charon.filelog..time_format Prefix each log entry with a timestamp. The option accepts a format string as passed to **strftime**(3). +charon.filelog..time_add_ms = no + Adds the milliseconds within the current second after the timestamp + (separated by a dot, so _time_format_ should end with %S or %T). + charon.syslog {} Section to define syslog loggers, see LOGGER CONFIGURATION in **strongswan.conf**(5). diff --git a/conf/options/charon.conf b/conf/options/charon.conf index 5f27b08e3..b55d429a7 100644 --- a/conf/options/charon.conf +++ b/conf/options/charon.conf @@ -24,6 +24,10 @@ charon { # strength. # dh_exponent_ansi_x9_42 = yes + # Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal + # missing symbols immediately. + # dlopen_use_rtld_now = no + # DNS server assigned to peer via configuration payload (CP). # dns1 = @@ -123,6 +127,10 @@ charon { # Initiate IKEv2 reauthentication with a make-before-break scheme. # make_before_break = no + # Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about + # and track concurrently. + # max_ikev1_exchanges = 3 + # Maximum packet size accepted by charon. # max_packet = 10000 diff --git a/conf/options/charon.opt b/conf/options/charon.opt index 5d137aee8..816f3250c 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt @@ -65,6 +65,10 @@ charon.dh_exponent_ansi_x9_42 = yes Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic strength. +charon.dlopen_use_rtld_now = no + Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal missing + symbols immediately. + charon.dns1 DNS server assigned to peer via configuration payload (CP). @@ -204,6 +208,10 @@ charon.load_modular = no plugin list is preserved. Enabled plugins not found in that list are ordered alphabetically before other plugins with the same priority. +charon.max_ikev1_exchanges = 3 + Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about and + track concurrently. + charon.max_packet = 10000 Maximum packet size accepted by charon. diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main index 559efcb4c..7fc421c60 100644 --- a/conf/strongswan.conf.5.main +++ b/conf/strongswan.conf.5.main @@ -101,6 +101,11 @@ Whether to test RNG with TRUE quality; requires a lot of entropy. Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic strength. +.TP +.BR charon.dlopen_use_rtld_now " [no]" +Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal missing +symbols immediately. + .TP .BR charon.dns1 " []" DNS server assigned to peer via configuration payload (CP). @@ -151,6 +156,13 @@ Enabling this option disables block buffering and enables line buffering. Prefix each log entry with the connection name and a unique numerical identifier for each IKE_SA. +.TP +.BR charon.filelog..time_add_ms " [no]" +Adds the milliseconds within the current second after the timestamp (separated +by a dot, so +.RI "" "time_format" "" +should end with %S or %T). + .TP .BR charon.filelog..time_format " []" Prefix each log entry with a timestamp. The option accepts a format string as @@ -343,6 +355,11 @@ ones. This behavior can be beneficial to avoid connectivity gaps during reauthentication, but requires support for overlapping SAs by the peer. strongSwan can handle such overlapping SAs since version 5.3.0. +.TP +.BR charon.max_ikev1_exchanges " [3]" +Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about and +track concurrently. + .TP .BR charon.max_packet " [10000]" Maximum packet size accepted by charon. diff --git a/config.h.in b/config.h.in index 729ddf009..b95e01843 100644 --- a/config.h.in +++ b/config.h.in @@ -205,6 +205,9 @@ /* Define to 1 if you have the `setlinebuf' function. */ #undef HAVE_SETLINEBUF +/* Define to 1 if you have the `sigwaitinfo' function. */ +#undef HAVE_SIGWAITINFO + /* have sqlite3_prepare_v2() */ #undef HAVE_SQLITE3_PREPARE_V2 diff --git a/configure b/configure index 59a74ccc2..c810ffd91 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for strongSwan 5.3.3. +# Generated by GNU Autoconf 2.69 for strongSwan 5.3.4. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='strongSwan' PACKAGE_TARNAME='strongswan' -PACKAGE_VERSION='5.3.3' -PACKAGE_STRING='strongSwan 5.3.3' +PACKAGE_VERSION='5.3.4' +PACKAGE_STRING='strongSwan 5.3.4' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -977,6 +977,8 @@ USE_GMP_FALSE USE_GMP_TRUE USE_FIPS_PRF_FALSE USE_FIPS_PRF_TRUE +USE_SHA3_FALSE +USE_SHA3_TRUE USE_SHA2_FALSE USE_SHA2_TRUE USE_SHA1_FALSE @@ -1299,6 +1301,7 @@ enable_rdrand enable_aesni enable_sha1 enable_sha2 +enable_sha3 enable_xcbc enable_dnskey enable_pem @@ -2029,7 +2032,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures strongSwan 5.3.3 to adapt to many kinds of systems. +\`configure' configures strongSwan 5.3.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -2099,7 +2102,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of strongSwan 5.3.3:";; + short | recursive ) echo "Configuration of strongSwan 5.3.4:";; esac cat <<\_ACEOF @@ -2137,6 +2140,8 @@ Optional Features: --disable-sha1 disable SHA1 software implementation plugin. --disable-sha2 disable SHA256/SHA384/SHA512 software implementation plugin. + --enable-sha3 enable SHA3_224/SHA3_256/SHA3_384/SHA3_512 software + implementation plugin. --disable-xcbc disable xcbc crypto implementation plugin. --disable-dnskey disable DNS RR key decoding plugin. --disable-pem disable PEM decoding plugin. @@ -2540,7 +2545,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -strongSwan configure 5.3.3 +strongSwan configure 5.3.4 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -3062,7 +3067,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by strongSwan $as_me 5.3.3, which was +It was created by strongSwan $as_me 5.3.4, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3925,7 +3930,7 @@ fi # Define the identity of the package. PACKAGE='strongswan' - VERSION='5.3.3' + VERSION='5.3.4' cat >>confdefs.h <<_ACEOF @@ -5194,6 +5199,22 @@ fi enabled_by_default=${enabled_by_default}" sha2" +# Check whether --enable-sha3 was given. +if test "${enable_sha3+set}" = set; then : + enableval=$enable_sha3; sha3_given=true + if test x$enableval = xyes; then + sha3=true + else + sha3=false + fi +else + sha3=false + sha3_given=false + +fi + + disabled_by_default=${disabled_by_default}" sha3" + # Check whether --enable-xcbc was given. if test "${enable_xcbc+set}" = set; then : enableval=$enable_xcbc; xcbc_given=true @@ -18269,7 +18290,7 @@ _ACEOF fi done -for ac_func in fmemopen funopen mmap memrchr setlinebuf strptime dirfd +for ac_func in fmemopen funopen mmap memrchr setlinebuf strptime dirfd sigwaitinfo do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" @@ -21969,6 +21990,7 @@ if test x$sha1 = xtrue; then scepclient_plugins=${scepclient_plugins}" sha1" pki_plugins=${pki_plugins}" sha1" scripts_plugins=${scripts_plugins}" sha1" + manager_plugins=${manager_plugins}" sha1" medsrv_plugins=${medsrv_plugins}" sha1" attest_plugins=${attest_plugins}" sha1" nm_plugins=${nm_plugins}" sha1" @@ -21991,10 +22013,23 @@ if test x$sha2 = xtrue; then fi +if test x$sha3 = xtrue; then + s_plugins=${s_plugins}" sha3" + charon_plugins=${charon_plugins}" sha3" + scepclient_plugins=${scepclient_plugins}" sha3" + pki_plugins=${pki_plugins}" sha3" + scripts_plugins=${scripts_plugins}" sha3" + medsrv_plugins=${medsrv_plugins}" sha3" + attest_plugins=${attest_plugins}" sha3" + nm_plugins=${nm_plugins}" sha3" + cmd_plugins=${cmd_plugins}" sha3" + aikgen_plugins=${aikgen_plugins}" sha3" + + fi + if test x$md4 = xtrue; then s_plugins=${s_plugins}" md4" charon_plugins=${charon_plugins}" md4" - manager_plugins=${manager_plugins}" md4" scepclient_plugins=${scepclient_plugins}" md4" pki_plugins=${pki_plugins}" md4" nm_plugins=${nm_plugins}" md4" @@ -22035,6 +22070,7 @@ if test x$random = xtrue; then scepclient_plugins=${scepclient_plugins}" random" pki_plugins=${pki_plugins}" random" scripts_plugins=${scripts_plugins}" random" + manager_plugins=${manager_plugins}" random" medsrv_plugins=${medsrv_plugins}" random" attest_plugins=${attest_plugins}" random" nm_plugins=${nm_plugins}" random" @@ -23031,6 +23067,14 @@ else USE_SHA2_FALSE= fi + if test x$sha3 = xtrue; then + USE_SHA3_TRUE= + USE_SHA3_FALSE='#' +else + USE_SHA3_TRUE='#' + USE_SHA3_FALSE= +fi + if test x$fips_prf = xtrue; then USE_FIPS_PRF_TRUE= USE_FIPS_PRF_FALSE='#' @@ -24499,7 +24543,7 @@ fi # build Makefiles # ================= -ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/aesni/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/files/Makefile src/libstrongswan/plugins/winhttp/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/chapoly/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/bliss/Makefile src/libstrongswan/plugins/bliss/tests/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/tests/Makefile src/libipsec/Makefile src/libipsec/tests/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/libimcv/plugins/imc_attestation/Makefile src/libimcv/plugins/imv_attestation/Makefile src/libimcv/plugins/imc_swid/Makefile src/libimcv/plugins/imv_swid/Makefile src/libimcv/plugins/imc_hcd/Makefile src/libimcv/plugins/imv_hcd/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/charon-svc/Makefile src/charon-systemd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/socket_win/Makefile src/libcharon/plugins/connmark/Makefile src/libcharon/plugins/forecast/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/kernel_wfp/Makefile src/libcharon/plugins/kernel_iph/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/ext_auth/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/vici/Makefile src/libcharon/plugins/vici/ruby/Makefile src/libcharon/plugins/vici/python/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/load_tester/Makefile src/libcharon/plugins/resolve/Makefile src/libcharon/plugins/attr/Makefile src/libcharon/plugins/attr_sql/Makefile src/libcharon/tests/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/starter/tests/Makefile src/_updown/Makefile src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile" +ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/sha3/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/aesni/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/files/Makefile src/libstrongswan/plugins/winhttp/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/chapoly/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/bliss/Makefile src/libstrongswan/plugins/bliss/tests/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/tests/Makefile src/libipsec/Makefile src/libipsec/tests/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/libimcv/plugins/imc_attestation/Makefile src/libimcv/plugins/imv_attestation/Makefile src/libimcv/plugins/imc_swid/Makefile src/libimcv/plugins/imv_swid/Makefile src/libimcv/plugins/imc_hcd/Makefile src/libimcv/plugins/imv_hcd/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/charon-svc/Makefile src/charon-systemd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/socket_win/Makefile src/libcharon/plugins/connmark/Makefile src/libcharon/plugins/forecast/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/kernel_wfp/Makefile src/libcharon/plugins/kernel_iph/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/ext_auth/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/vici/Makefile src/libcharon/plugins/vici/ruby/Makefile src/libcharon/plugins/vici/python/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/load_tester/Makefile src/libcharon/plugins/resolve/Makefile src/libcharon/plugins/attr/Makefile src/libcharon/plugins/attr_sql/Makefile src/libcharon/tests/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/starter/tests/Makefile src/_updown/Makefile src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile" # ================= @@ -24727,6 +24771,10 @@ if test -z "${USE_SHA2_TRUE}" && test -z "${USE_SHA2_FALSE}"; then as_fn_error $? "conditional \"USE_SHA2\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_SHA3_TRUE}" && test -z "${USE_SHA3_FALSE}"; then + as_fn_error $? "conditional \"USE_SHA3\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_FIPS_PRF_TRUE}" && test -z "${USE_FIPS_PRF_FALSE}"; then as_fn_error $? "conditional \"USE_FIPS_PRF\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -25812,7 +25860,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by strongSwan $as_me 5.3.3, which was +This file was extended by strongSwan $as_me 5.3.4, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -25878,7 +25926,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -strongSwan config.status 5.3.3 +strongSwan config.status 5.3.4 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -26305,6 +26353,7 @@ do "src/libstrongswan/plugins/md5/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/md5/Makefile" ;; "src/libstrongswan/plugins/sha1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sha1/Makefile" ;; "src/libstrongswan/plugins/sha2/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sha2/Makefile" ;; + "src/libstrongswan/plugins/sha3/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sha3/Makefile" ;; "src/libstrongswan/plugins/fips_prf/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/fips_prf/Makefile" ;; "src/libstrongswan/plugins/gmp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gmp/Makefile" ;; "src/libstrongswan/plugins/rdrand/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/rdrand/Makefile" ;; diff --git a/configure.ac b/configure.ac index ffd092939..c073c70b8 100644 --- a/configure.ac +++ b/configure.ac @@ -1,6 +1,6 @@ # # Copyright (C) 2007-2015 Tobias Brunner -# Copyright (C) 2006-2014 Andreas Steffen +# Copyright (C) 2006-2015 Andreas Steffen # Copyright (C) 2006-2014 Martin Willi # Hochschule fuer Technik Rapperswil # @@ -19,7 +19,7 @@ # initialize & set some vars # ============================ -AC_INIT([strongSwan],[5.3.3]) +AC_INIT([strongSwan],[5.3.4]) AM_INIT_AUTOMAKE(m4_esyscmd([ echo tar-ustar echo subdir-objects @@ -148,6 +148,7 @@ ARG_ENABL_SET([rdrand], [enable Intel RDRAND random generator plugin.]) ARG_ENABL_SET([aesni], [enable Intel AES-NI crypto plugin.]) ARG_DISBL_SET([sha1], [disable SHA1 software implementation plugin.]) ARG_DISBL_SET([sha2], [disable SHA256/SHA384/SHA512 software implementation plugin.]) +ARG_ENABL_SET([sha3], [enable SHA3_224/SHA3_256/SHA3_384/SHA3_512 software implementation plugin.]) ARG_DISBL_SET([xcbc], [disable xcbc crypto implementation plugin.]) # encoding/decoding plugins ARG_DISBL_SET([dnskey], [disable DNS RR key decoding plugin.]) @@ -585,7 +586,7 @@ AC_CHECK_FUNC( ) AC_CHECK_FUNCS(prctl mallinfo getpass closefrom getpwnam_r getgrnam_r getpwuid_r) -AC_CHECK_FUNCS(fmemopen funopen mmap memrchr setlinebuf strptime dirfd) +AC_CHECK_FUNCS(fmemopen funopen mmap memrchr setlinebuf strptime dirfd sigwaitinfo) AC_CHECK_FUNC([syslog], [ AC_DEFINE([HAVE_SYSLOG], [], [have syslog(3) and friends]) @@ -1282,12 +1283,13 @@ ADD_PLUGIN([aes], [s charon scepclient pki scripts nm cmd]) ADD_PLUGIN([des], [s charon scepclient pki scripts nm cmd]) ADD_PLUGIN([blowfish], [s charon scepclient pki scripts nm cmd]) ADD_PLUGIN([rc2], [s charon scepclient pki scripts nm cmd]) -ADD_PLUGIN([sha1], [s charon scepclient pki scripts medsrv attest nm cmd aikgen]) +ADD_PLUGIN([sha1], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen]) ADD_PLUGIN([sha2], [s charon scepclient pki scripts medsrv attest nm cmd aikgen]) -ADD_PLUGIN([md4], [s charon manager scepclient pki nm cmd]) +ADD_PLUGIN([sha3], [s charon scepclient pki scripts medsrv attest nm cmd aikgen]) +ADD_PLUGIN([md4], [s charon scepclient pki nm cmd]) ADD_PLUGIN([md5], [s charon scepclient pki scripts attest nm cmd aikgen]) ADD_PLUGIN([rdrand], [s charon scepclient pki scripts medsrv attest nm cmd aikgen]) -ADD_PLUGIN([random], [s charon scepclient pki scripts medsrv attest nm cmd aikgen]) +ADD_PLUGIN([random], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen]) ADD_PLUGIN([nonce], [s charon nm cmd aikgen]) ADD_PLUGIN([x509], [s charon scepclient pki scripts attest nm cmd aikgen]) ADD_PLUGIN([revocation], [s charon pki nm cmd]) @@ -1439,6 +1441,7 @@ AM_CONDITIONAL(USE_MD4, test x$md4 = xtrue) AM_CONDITIONAL(USE_MD5, test x$md5 = xtrue) AM_CONDITIONAL(USE_SHA1, test x$sha1 = xtrue) AM_CONDITIONAL(USE_SHA2, test x$sha2 = xtrue) +AM_CONDITIONAL(USE_SHA3, test x$sha3 = xtrue) AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue) AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue) AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue) @@ -1686,6 +1689,7 @@ AC_CONFIG_FILES([ src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile + src/libstrongswan/plugins/sha3/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile diff --git a/init/systemd/strongswan.service.in b/init/systemd/strongswan.service.in index 608078b1e..49c1cd0bf 100644 --- a/init/systemd/strongswan.service.in +++ b/init/systemd/strongswan.service.in @@ -1,6 +1,6 @@ [Unit] Description=strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf -After=syslog.target +After=syslog.target network.target [Service] ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in index 6e7abca09..e549e9597 100644 --- a/src/_updown/_updown.in +++ b/src/_updown/_updown.in @@ -427,6 +427,14 @@ up-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -451,6 +459,13 @@ down-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -490,6 +505,15 @@ up-client-v6:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -533,6 +557,13 @@ down-client-v6:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then diff --git a/src/charon-cmd/charon-cmd.c b/src/charon-cmd/charon-cmd.c index 6f2b6f178..b8f943f51 100644 --- a/src/charon-cmd/charon-cmd.c +++ b/src/charon-cmd/charon-cmd.c @@ -17,14 +17,13 @@ */ #include -#define _POSIX_PTHREAD_SEMANTICS /* for two param sigwait on OpenSolaris */ #include -#undef _POSIX_PTHREAD_SEMANTICS #include #include #include #include #include +#include #include #include @@ -112,12 +111,11 @@ static int run() while (TRUE) { int sig; - int error; - error = sigwait(&set, &sig); - if (error) + sig = sigwaitinfo(&set, NULL); + if (sig == -1) { - DBG1(DBG_DMN, "error %d while waiting for a signal", error); + DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(errno)); return 1; } switch (sig) @@ -382,7 +380,7 @@ int main(int argc, char *argv[]) lib->plugins->status(lib->plugins, LEVEL_CTRL); /* add handler for SEGV and ILL, - * INT, TERM and HUP are handled by sigwait() in run() */ + * INT, TERM and HUP are handled by sigwaitinfo() in run() */ action.sa_handler = segv_handler; action.sa_flags = 0; sigemptyset(&action.sa_mask); diff --git a/src/charon-nm/charon-nm.c b/src/charon-nm/charon-nm.c index 80551f853..1773e7c39 100644 --- a/src/charon-nm/charon-nm.c +++ b/src/charon-nm/charon-nm.c @@ -18,6 +18,7 @@ #include #include #include +#include #include #include @@ -80,12 +81,11 @@ static void run() while (TRUE) { int sig; - int error; - error = sigwait(&set, &sig); - if (error) + sig = sigwaitinfo(&set, NULL); + if (sig == -1) { - DBG1(DBG_DMN, "error %d while waiting for a signal", error); + DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(errno)); return; } switch (sig) @@ -237,7 +237,7 @@ int main(int argc, char *argv[]) } /* add handler for SEGV and ILL, - * INT and TERM are handled by sigwait() in run() */ + * INT and TERM are handled by sigwaitinfo() in run() */ action.sa_handler = segv_handler; action.sa_flags = 0; sigemptyset(&action.sa_mask); diff --git a/src/charon-systemd/charon-systemd.c b/src/charon-systemd/charon-systemd.c index e391a5397..f302d4527 100644 --- a/src/charon-systemd/charon-systemd.c +++ b/src/charon-systemd/charon-systemd.c @@ -249,12 +249,12 @@ static int run() while (TRUE) { - int sig, error; + int sig; - error = sigwait(&set, &sig); - if (error) + sig = sigwaitinfo(&set, NULL); + if (sig == -1) { - DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(error)); + DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(errno)); return SS_RC_INITIALIZATION_FAILED; } switch (sig) @@ -393,7 +393,7 @@ int main(int argc, char *argv[]) } /* add handler for SEGV and ILL, - * INT, TERM and HUP are handled by sigwait() in run() */ + * INT, TERM and HUP are handled by sigwaitinfo() in run() */ action.sa_handler = segv_handler; action.sa_flags = 0; sigemptyset(&action.sa_mask); diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c index 7c60f0ca8..52d82f3ad 100644 --- a/src/charon-tkm/src/charon-tkm.c +++ b/src/charon-tkm/src/charon-tkm.c @@ -24,6 +24,7 @@ #include #include #include +#include #include #include @@ -42,6 +43,7 @@ #include "tkm_public_key.h" #include "tkm_cred.h" #include "tkm_encoder.h" +#include "tkm_spi_generator.h" /** * TKM bus listener for IKE authorize events. @@ -98,12 +100,11 @@ static void run() while (TRUE) { int sig; - int error; - error = sigwait(&set, &sig); - if (error) + sig = sigwaitinfo(&set, NULL); + if (sig == -1) { - DBG1(DBG_DMN, "error %d while waiting for a signal", error); + DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(errno)); return; } switch (sig) @@ -298,6 +299,9 @@ int main(int argc, char *argv[]) PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA256), PLUGIN_CALLBACK(kernel_ipsec_register, tkm_kernel_ipsec_create), PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"), + PLUGIN_CALLBACK(tkm_spi_generator_register, NULL), + PLUGIN_PROVIDE(CUSTOM, "tkm-spi-generator"), + PLUGIN_DEPENDS(CUSTOM, "libcharon-sa-managers"), }; lib->plugins->add_static_features(lib->plugins, "tkm-backend", features, countof(features), TRUE, NULL, NULL); @@ -358,7 +362,7 @@ int main(int argc, char *argv[]) lib->encoding->add_encoder(lib->encoding, tkm_encoder_encode); /* add handler for SEGV and ILL, - * INT and TERM are handled by sigwait() in run() */ + * INT and TERM are handled by sigwaitinfo() in run() */ action.sa_handler = segv_handler; action.sa_flags = 0; sigemptyset(&action.sa_mask); diff --git a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c index 7a0672aa8..2d22fbdc3 100644 --- a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c +++ b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c @@ -281,9 +281,10 @@ METHOD(kernel_ipsec_t, query_policy, status_t, } METHOD(kernel_ipsec_t, del_policy, status_t, - private_tkm_kernel_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid, - mark_t mark, policy_priority_t prio) + private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, + policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, + mark_t mark, policy_priority_t priority) { return SUCCESS; } diff --git a/src/charon-tkm/src/tkm/tkm_spi_generator.c b/src/charon-tkm/src/tkm/tkm_spi_generator.c new file mode 100644 index 000000000..eff0ca91e --- /dev/null +++ b/src/charon-tkm/src/tkm/tkm_spi_generator.c @@ -0,0 +1,98 @@ +/* + * Copyright (C) 2015 Reto Buerki + * Copyright (C) 2015 Adrian-Ken Rueegsegger + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include +#include + +#include "tkm_spi_generator.h" + +/** + * Get SPI callback arguments + */ +typedef struct { + rng_t *rng; + u_int64_t spi_mask; + u_int64_t spi_label; +} get_spi_args_t; + +static get_spi_args_t *spi_args; + +/** + * Callback called to generate an IKE SPI. + * + * @param this Callback args containing rng_t and spi mask & label + * @return labeled SPI + */ +CALLBACK(tkm_get_spi, u_int64_t, + const get_spi_args_t const *this) +{ + u_int64_t spi; + + if (!this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi)) + { + return 0; + } + + return (spi & ~this->spi_mask) | this->spi_label; +} + +bool tkm_spi_generator_register(plugin_t *plugin, + plugin_feature_t *feature, + bool reg, void *cb_data) +{ + u_int64_t spi_mask, spi_label; + char *spi_val; + rng_t *rng; + + if (reg) + { + rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); + if (!rng) + { + return FALSE; + } + + spi_val = lib->settings->get_str(lib->settings, "%s.spi_mask", NULL, + lib->ns); + spi_mask = settings_value_as_uint64(spi_val, 0); + + spi_val = lib->settings->get_str(lib->settings, "%s.spi_label", NULL, + lib->ns); + spi_label = settings_value_as_uint64(spi_val, 0); + + INIT(spi_args, + .rng = rng, + .spi_mask = spi_mask, + .spi_label = spi_label, + ); + + charon->ike_sa_manager->set_spi_cb(charon->ike_sa_manager, + tkm_get_spi, spi_args); + DBG1(DBG_IKE, "using SPI label 0x%.16"PRIx64" and mask 0x%.16"PRIx64, + spi_label, spi_mask); + } + else + { + if (spi_args) + { + DESTROY_IF(spi_args->rng); + free(spi_args); + } + } + + return TRUE; +} diff --git a/src/charon-tkm/src/tkm/tkm_spi_generator.h b/src/charon-tkm/src/tkm/tkm_spi_generator.h new file mode 100644 index 000000000..5f9ff03c6 --- /dev/null +++ b/src/charon-tkm/src/tkm/tkm_spi_generator.h @@ -0,0 +1,36 @@ +/* + * Copyright (C) 2015 Reto Buerki + * Copyright (C) 2015 Adrian-Ken Rueegsegger + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tkm-spi-generator spi generator + * @{ @ingroup tkm + */ + +#ifndef TKM_SPI_GENERATOR_H_ +#define TKM_SPI_GENERATOR_H_ + +#include + +/** + * Register the TKM SPI generator callback. + * + * @return TRUE on success + */ +bool tkm_spi_generator_register(plugin_t *plugin, + plugin_feature_t *feature, + bool reg, void *cb_data); + +#endif /** TKM_SPI_GENERATOR_H_ @}*/ diff --git a/src/charon/charon.c b/src/charon/charon.c index 081e49490..f03b6e1ba 100644 --- a/src/charon/charon.c +++ b/src/charon/charon.c @@ -17,9 +17,7 @@ */ #include -#define _POSIX_PTHREAD_SEMANTICS /* for two param sigwait on OpenSolaris */ #include -#undef _POSIX_PTHREAD_SEMANTICS #include #include #include @@ -110,12 +108,11 @@ static void run() while (TRUE) { int sig; - int error; - error = sigwait(&set, &sig); - if (error) + sig = sigwaitinfo(&set, NULL); + if (sig == -1) { - DBG1(DBG_DMN, "error %d while waiting for a signal", error); + DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(errno)); return; } switch (sig) @@ -434,7 +431,7 @@ int main(int argc, char *argv[]) } /* add handler for SEGV and ILL, - * INT, TERM and HUP are handled by sigwait() in run() */ + * INT, TERM and HUP are handled by sigwaitinfo() in run() */ action.sa_handler = segv_handler; action.sa_flags = 0; sigemptyset(&action.sa_mask); diff --git a/src/conftest/conftest.c b/src/conftest/conftest.c index 584a2698a..9348b64e1 100644 --- a/src/conftest/conftest.c +++ b/src/conftest/conftest.c @@ -382,15 +382,17 @@ static void load_log_levels(file_logger_t *logger, char *section) */ static void load_logger_options(file_logger_t *logger, char *section) { - bool ike_name; char *time_format; + bool add_ms, ike_name; time_format = conftest->test->get_str(conftest->test, "log.%s.time_format", NULL, section); + add_ms = conftest->test->get_bool(conftest->test, + "log.%s.time_add_ms", FALSE, section); ike_name = conftest->test->get_bool(conftest->test, "log.%s.ike_name", FALSE, section); - logger->set_options(logger, time_format, ike_name); + logger->set_options(logger, time_format, add_ms, ike_name); } /** @@ -463,7 +465,7 @@ int main(int argc, char *argv[]) lib->credmgr->add_set(lib->credmgr, &conftest->creds->set); logger = file_logger_create("stdout"); - logger->set_options(logger, NULL, FALSE); + logger->set_options(logger, NULL, FALSE, FALSE); logger->open(logger, FALSE, FALSE); logger->set_level(logger, DBG_ANY, LEVEL_CTRL); charon->bus->add_logger(charon->bus, &logger->logger); @@ -563,7 +565,7 @@ int main(int argc, char *argv[]) sigaddset(&set, SIGTERM); sigprocmask(SIG_BLOCK, &set, NULL); - while (sigwait(&set, &sig) == 0) + while ((sig = sigwaitinfo(&set, NULL)) != -1) { switch (sig) { diff --git a/src/include/Makefile.am b/src/include/Makefile.am index 0284c094a..8e6db88a4 100644 --- a/src/include/Makefile.am +++ b/src/include/Makefile.am @@ -1,2 +1,2 @@ EXTRA_DIST = linux/if_alg.h linux/ipsec.h linux/netlink.h linux/rtnetlink.h \ - linux/pfkeyv2.h linux/udp.h linux/xfrm.h sys/queue.h + linux/pfkeyv2.h linux/udp.h linux/socket.h linux/xfrm.h sys/queue.h diff --git a/src/include/Makefile.in b/src/include/Makefile.in index e2c3cd0c3..5740544ca 100644 --- a/src/include/Makefile.in +++ b/src/include/Makefile.in @@ -343,7 +343,7 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ EXTRA_DIST = linux/if_alg.h linux/ipsec.h linux/netlink.h linux/rtnetlink.h \ - linux/pfkeyv2.h linux/udp.h linux/xfrm.h sys/queue.h + linux/pfkeyv2.h linux/udp.h linux/socket.h linux/xfrm.h sys/queue.h all: all-am diff --git a/src/include/linux/socket.h b/src/include/linux/socket.h new file mode 100644 index 000000000..76ab0c685 --- /dev/null +++ b/src/include/linux/socket.h @@ -0,0 +1,21 @@ +#ifndef _UAPI_LINUX_SOCKET_H +#define _UAPI_LINUX_SOCKET_H + +/* + * Desired design of maximum size and alignment (see RFC2553) + */ +#define _K_SS_MAXSIZE 128 /* Implementation specific max size */ +#define _K_SS_ALIGNSIZE (__alignof__ (struct sockaddr *)) + /* Implementation specific desired alignment */ + +typedef unsigned short __kernel_sa_family_t; + +struct __kernel_sockaddr_storage { + __kernel_sa_family_t ss_family; /* address family */ + /* Following field(s) are implementation specific */ + char __data[_K_SS_MAXSIZE - sizeof(unsigned short)]; + /* space to achieve desired size, */ + /* _SS_MAXSIZE value minus size of ss_family */ +} __attribute__ ((aligned(_K_SS_ALIGNSIZE))); /* force desired alignment */ + +#endif /* _UAPI_LINUX_SOCKET_H */ diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8 index 9795451e8..bc7b633b0 100644 --- a/src/ipsec/_ipsec.8 +++ b/src/ipsec/_ipsec.8 @@ -1,4 +1,4 @@ -.TH IPSEC 8 "2013-10-29" "5.3.3dr5" "strongSwan" +.TH IPSEC 8 "2013-10-29" "5.3.4dr1" "strongSwan" . .SH NAME . diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in index 0798830cf..89c7ef753 100644 --- a/src/ipsec/_ipsec.in +++ b/src/ipsec/_ipsec.in @@ -256,10 +256,10 @@ stop) if [ -n "$spid" ] then kill $spid 2>/dev/null - loop=11 + loop=110 while [ $loop -gt 0 ] ; do kill -0 $spid 2>/dev/null || break - sleep 1 + sleep 0.1 loop=$(($loop - 1)) done if [ $loop -eq 0 ] diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk index 5eef6fdc6..10085794b 100644 --- a/src/libcharon/Android.mk +++ b/src/libcharon/Android.mk @@ -228,7 +228,6 @@ endif # build libcharon -------------------------------------------------------------- LOCAL_C_INCLUDES += \ - $(strongswan_PATH)/src/include \ $(strongswan_PATH)/src/libhydra \ $(strongswan_PATH)/src/libstrongswan diff --git a/src/libcharon/bus/listeners/file_logger.c b/src/libcharon/bus/listeners/file_logger.c index e3661bde6..7a53e9338 100644 --- a/src/libcharon/bus/listeners/file_logger.c +++ b/src/libcharon/bus/listeners/file_logger.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2015 Tobias Brunner * Copyright (C) 2006 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -64,6 +64,11 @@ struct private_file_logger_t { */ char *time_format; + /** + * Add milliseconds after the time string + */ + bool add_ms; + /** * Print the name/# of the IKE_SA? */ @@ -87,7 +92,9 @@ METHOD(logger_t, log_, void, char timestr[128], namestr[128] = ""; const char *current = message, *next; struct tm tm; - time_t t; + timeval_t tv; + time_t s; + u_int ms = 0; this->lock->read_lock(this->lock); if (!this->out) @@ -97,8 +104,10 @@ METHOD(logger_t, log_, void, } if (this->time_format) { - t = time(NULL); - localtime_r(&t, &tm); + gettimeofday(&tv, NULL); + s = tv.tv_sec; + ms = tv.tv_usec / 1000; + localtime_r(&s, &tm); strftime(timestr, sizeof(timestr), this->time_format, &tm); } if (this->ike_name && ike_sa) @@ -126,8 +135,16 @@ METHOD(logger_t, log_, void, next = strchr(current, '\n'); if (this->time_format) { - fprintf(this->out, "%s %.2d[%N]%s ", - timestr, thread, debug_names, group, namestr); + if (this->add_ms) + { + fprintf(this->out, "%s.%03u %.2d[%N]%s ", + timestr, ms, thread, debug_names, group, namestr); + } + else + { + fprintf(this->out, "%s %.2d[%N]%s ", + timestr, thread, debug_names, group, namestr); + } } else { @@ -182,11 +199,12 @@ METHOD(file_logger_t, set_level, void, } METHOD(file_logger_t, set_options, void, - private_file_logger_t *this, char *time_format, bool ike_name) + private_file_logger_t *this, char *time_format, bool add_ms, bool ike_name) { this->lock->write_lock(this->lock); free(this->time_format); this->time_format = strdupnull(time_format); + this->add_ms = add_ms; this->ike_name = ike_name; this->lock->unlock(this->lock); } diff --git a/src/libcharon/bus/listeners/file_logger.h b/src/libcharon/bus/listeners/file_logger.h index 9e5aed50b..1bcfec150 100644 --- a/src/libcharon/bus/listeners/file_logger.h +++ b/src/libcharon/bus/listeners/file_logger.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2015 Tobias Brunner * Copyright (C) 2006 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -48,9 +48,12 @@ struct file_logger_t { * Set options used by this logger * * @param time_format format of timestamp prefix, as in strftime(), cloned + * @param add_ms TRUE to add the number of milliseconds within the + * current second after the timestamp * @param ike_name TRUE to prefix the name of the IKE_SA */ - void (*set_options) (file_logger_t *this, char *time_format, bool ike_name); + void (*set_options) (file_logger_t *this, char *time_format, bool add_ms, + bool ike_name); /** * Open (or reopen) the log file according to the given parameters diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c index ce9301006..aa2a39ce5 100644 --- a/src/libcharon/config/peer_cfg.c +++ b/src/libcharon/config/peer_cfg.c @@ -302,7 +302,7 @@ METHOD(peer_cfg_t, select_child_cfg, child_cfg_t*, enumerator_t *enumerator; int best = 0; - DBG2(DBG_CFG, "looking for a child config for %#R=== %#R", my_ts, other_ts); + DBG2(DBG_CFG, "looking for a child config for %#R === %#R", my_ts, other_ts); enumerator = create_child_cfg_enumerator(this); while (enumerator->enumerate(enumerator, ¤t)) { diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c index 316be7611..dce2a7144 100644 --- a/src/libcharon/daemon.c +++ b/src/libcharon/daemon.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2012 Tobias Brunner + * Copyright (C) 2006-2015 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005 Jan Hutter @@ -324,11 +324,13 @@ static void load_file_logger(private_daemon_t *this, char *filename, file_logger_t *file_logger; debug_t group; level_t def; - bool ike_name, flush_line, append; + bool add_ms, ike_name, flush_line, append; char *time_format; time_format = lib->settings->get_str(lib->settings, "%s.filelog.%s.time_format", NULL, lib->ns, filename); + add_ms = lib->settings->get_bool(lib->settings, + "%s.filelog.%s.time_add_ms", FALSE, lib->ns, filename); ike_name = lib->settings->get_bool(lib->settings, "%s.filelog.%s.ike_name", FALSE, lib->ns, filename); flush_line = lib->settings->get_bool(lib->settings, @@ -337,7 +339,7 @@ static void load_file_logger(private_daemon_t *this, char *filename, "%s.filelog.%s.append", TRUE, lib->ns, filename); file_logger = add_file_logger(this, filename, current_loggers); - file_logger->set_options(file_logger, time_format, ike_name); + file_logger->set_options(file_logger, time_format, add_ms, ike_name); file_logger->open(file_logger, flush_line, append); def = lib->settings->get_int(lib->settings, "%s.filelog.%s.default", 1, @@ -486,8 +488,6 @@ static void destroy(private_daemon_t *this) DESTROY_IF(this->kernel_handler); DESTROY_IF(this->public.traps); DESTROY_IF(this->public.shunts); - DESTROY_IF(this->public.child_sa_manager); - DESTROY_IF(this->public.ike_sa_manager); DESTROY_IF(this->public.controller); DESTROY_IF(this->public.eap); DESTROY_IF(this->public.xauth); @@ -560,7 +560,6 @@ METHOD(daemon_t, start, void, run_scripts(this, "start"); } - /** * Initialize/deinitialize sender and receiver */ @@ -584,12 +583,36 @@ static bool sender_receiver_cb(void *plugin, plugin_feature_t *feature, return TRUE; } +/** + * Initialize/deinitialize IKE_SA/CHILD_SA managers + */ +static bool sa_managers_cb(void *plugin, plugin_feature_t *feature, + bool reg, private_daemon_t *this) +{ + if (reg) + { + this->public.ike_sa_manager = ike_sa_manager_create(); + if (!this->public.ike_sa_manager) + { + return FALSE; + } + this->public.child_sa_manager = child_sa_manager_create(); + } + else + { + DESTROY_IF(this->public.ike_sa_manager); + DESTROY_IF(this->public.child_sa_manager); + } + return TRUE; +} + METHOD(daemon_t, initialize, bool, private_daemon_t *this, char *plugins) { plugin_feature_t features[] = { PLUGIN_PROVIDE(CUSTOM, "libcharon"), PLUGIN_DEPENDS(NONCE_GEN), + PLUGIN_DEPENDS(CUSTOM, "libcharon-sa-managers"), PLUGIN_DEPENDS(CUSTOM, "libcharon-receiver"), PLUGIN_DEPENDS(CUSTOM, "kernel-ipsec"), PLUGIN_DEPENDS(CUSTOM, "kernel-net"), @@ -598,6 +621,10 @@ METHOD(daemon_t, initialize, bool, PLUGIN_DEPENDS(HASHER, HASH_SHA1), PLUGIN_DEPENDS(RNG, RNG_STRONG), PLUGIN_DEPENDS(CUSTOM, "socket"), + PLUGIN_CALLBACK((plugin_feature_callback_t)sa_managers_cb, this), + PLUGIN_PROVIDE(CUSTOM, "libcharon-sa-managers"), + PLUGIN_DEPENDS(HASHER, HASH_SHA1), + PLUGIN_DEPENDS(RNG, RNG_WEAK), }; lib->plugins->add_static_features(lib->plugins, lib->ns, features, countof(features), TRUE, NULL, NULL); @@ -608,13 +635,6 @@ METHOD(daemon_t, initialize, bool, return FALSE; } - this->public.ike_sa_manager = ike_sa_manager_create(); - if (this->public.ike_sa_manager == NULL) - { - return FALSE; - } - this->public.child_sa_manager = child_sa_manager_create(); - /* Queue start_action job */ lib->processor->queue_job(lib->processor, (job_t*)start_action_job_create()); diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c index f7f39f984..16978f486 100644 --- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c +++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2009 Tobias Brunner + * Copyright (C) 2009-2015 Tobias Brunner * Copyright (C) 2010 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -81,6 +81,21 @@ struct private_eap_mschapv2_t * Number of retries */ int retries; + + /** + * Provide EAP-Identity + */ + auth_cfg_t *auth; + + /** + * Current state + */ + enum { + S_EXPECT_CHALLENGE, + S_EXPECT_RESPONSE, + S_EXPECT_SUCCESS, + S_DONE, + } state; }; /** @@ -628,6 +643,7 @@ METHOD(eap_method_t, initiate_server, status_t, memcpy(cha->name, name, sizeof(MSCHAPV2_HOST_NAME) - 1); *out = eap_payload_create_data(chunk_create((void*) eap, len)); + this->state = S_EXPECT_RESPONSE; return NEED_MORE; } @@ -747,6 +763,7 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this, memcpy(res->name, userid.ptr, userid.len); *out = eap_payload_create_data(chunk_create((void*) eap, len)); + this->state = S_EXPECT_SUCCESS; return NEED_MORE; } @@ -829,6 +846,7 @@ static status_t process_peer_success(private_eap_mschapv2_t *this, *out = eap_payload_create_data(chunk_create((void*) eap, len)); status = NEED_MORE; + this->state = S_DONE; error: chunk_free(&auth_string); @@ -922,6 +940,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this, */ status = FAILED; + this->state = S_DONE; error: chunk_free(&challenge); @@ -946,26 +965,38 @@ METHOD(eap_method_t, process_peer, status_t, eap = (eap_mschapv2_header_t*)data.ptr; + switch (this->state) + { + case S_EXPECT_CHALLENGE: + if (eap->opcode == MSCHAPV2_CHALLENGE) + { + return process_peer_challenge(this, in, out); + } + break; + case S_EXPECT_SUCCESS: + switch (eap->opcode) + { + case MSCHAPV2_SUCCESS: + return process_peer_success(this, in, out); + case MSCHAPV2_FAILURE: + return process_peer_failure(this, in, out); + } + break; + default: + break; + } switch (eap->opcode) { case MSCHAPV2_CHALLENGE: - { - return process_peer_challenge(this, in, out); - } case MSCHAPV2_SUCCESS: - { - return process_peer_success(this, in, out); - } case MSCHAPV2_FAILURE: - { - return process_peer_failure(this, in, out); - } + DBG1(DBG_IKE, "received unexpected EAP-MS-CHAPv2 message with " + "OpCode (%N)!", mschapv2_opcode_names, eap->opcode); + break; default: - { DBG1(DBG_IKE, "EAP-MS-CHAPv2 received packet with unsupported " "OpCode (%N)!", mschapv2_opcode_names, eap->opcode); break; - } } return FAILED; } @@ -1027,6 +1058,8 @@ static status_t process_server_retry(private_eap_mschapv2_t *this, /* delay the response for some time to make brute-force attacks harder */ sleep(RETRY_DELAY); + /* since the error is retryable the state does not change, we still + * expect an MSCHAPV2_RESPONSE from the peer */ return NEED_MORE; } @@ -1058,7 +1091,10 @@ static status_t process_server_response(private_eap_mschapv2_t *this, name_len = min(data.len - RESPONSE_PAYLOAD_LEN, 255); snprintf(buf, sizeof(buf), "%.*s", name_len, res->name); userid = identification_create_from_string(buf); - DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%Y'", userid); + if (!userid->equals(userid, this->peer)) + { + DBG1(DBG_IKE, "EAP-MS-CHAPv2 username: '%Y'", userid); + } /* userid can only be destroyed after the last use of username */ username = extract_username(userid->get_encoding(userid)); @@ -1084,7 +1120,6 @@ static status_t process_server_response(private_eap_mschapv2_t *this, chunk_clear(&nt_hash); return FAILED; } - userid->destroy(userid); chunk_clear(&nt_hash); if (memeq_const(res->response.nt_response, this->nt_response.ptr, @@ -1109,9 +1144,12 @@ static status_t process_server_response(private_eap_mschapv2_t *this, chunk_free(&hex); memcpy(eap->data, msg, AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE)); *out = eap_payload_create_data(chunk_create((void*) eap, len)); + + this->auth->add(this->auth, AUTH_RULE_EAP_IDENTITY, userid); + this->state = S_EXPECT_SUCCESS; return NEED_MORE; } - + userid->destroy(userid); return process_server_retry(this, out); } @@ -1137,26 +1175,39 @@ METHOD(eap_method_t, process_server, status_t, eap = (eap_mschapv2_header_t*)data.ptr; + switch (this->state) + { + case S_EXPECT_RESPONSE: + if (eap->opcode == MSCHAPV2_RESPONSE) + { + return process_server_response(this, in, out); + } + break; + case S_EXPECT_SUCCESS: + if (eap->opcode == MSCHAPV2_SUCCESS && + this->msk.ptr) + { + return SUCCESS; + } + break; + default: + break; + } switch (eap->opcode) { - case MSCHAPV2_RESPONSE: - { - return process_server_response(this, in, out); - } - case MSCHAPV2_SUCCESS: - { - return SUCCESS; - } case MSCHAPV2_FAILURE: - { + /* the client may abort the authentication by sending us a failure + * in any state */ return FAILED; - } + case MSCHAPV2_RESPONSE: + case MSCHAPV2_SUCCESS: + DBG1(DBG_IKE, "received unexpected EAP-MS-CHAPv2 message with " + "OpCode (%N)!", mschapv2_opcode_names, eap->opcode); + break; default: - { DBG1(DBG_IKE, "EAP-MS-CHAPv2 received packet with unsupported " "OpCode (%N)!", mschapv2_opcode_names, eap->opcode); break; - } } return FAILED; } @@ -1197,11 +1248,18 @@ METHOD(eap_method_t, is_mutual, bool, return FALSE; } +METHOD(eap_method_t, get_auth, auth_cfg_t*, + private_eap_mschapv2_t *this) +{ + return this->auth; +} + METHOD(eap_method_t, destroy, void, private_eap_mschapv2_t *this) { this->peer->destroy(this->peer); this->server->destroy(this->server); + this->auth->destroy(this->auth); chunk_free(&this->challenge); chunk_free(&this->nt_response); chunk_free(&this->auth_response); @@ -1224,11 +1282,14 @@ static private_eap_mschapv2_t *eap_mschapv2_create_generic(identification_t *ser .get_msk = _get_msk, .get_identifier = _get_identifier, .set_identifier = _set_identifier, + .get_auth = _get_auth, .destroy = _destroy, }, }, .peer = peer->clone(peer), .server = server->clone(server), + .auth = auth_cfg_create(), + .state = S_EXPECT_CHALLENGE, ); return this; diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.c b/src/libcharon/plugins/eap_radius/eap_radius_provider.c index 0cf723711..0f207fbe6 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_provider.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.c @@ -178,18 +178,38 @@ static void add_addr(private_eap_radius_provider_t *this, * Remove the next address from the locked hashtable stored for given id */ static host_t* remove_addr(private_eap_radius_provider_t *this, - hashtable_t *hashtable, uintptr_t id) + hashtable_t *hashtable, uintptr_t id, host_t *addr) { + enumerator_t *enumerator; entry_t *entry; - host_t *addr = NULL; + host_t *found = NULL, *current; entry = hashtable->remove(hashtable, (void*)id); if (entry) { - entry->addrs->remove_first(entry->addrs, (void**)&addr); + enumerator = entry->addrs->create_enumerator(entry->addrs); + while (enumerator->enumerate(enumerator, ¤t)) + { + if (addr->ip_equals(addr, current)) + { /* prefer an exact match */ + entry->addrs->remove_at(entry->addrs, enumerator); + enumerator->destroy(enumerator); + put_or_destroy_entry(hashtable, entry); + return current; + } + if (!found && addr->get_family(addr) == current->get_family(current)) + { /* fallback to the first IP with a matching address family */ + found = current; + } + } + enumerator->destroy(enumerator); + if (found) + { + entry->addrs->remove(entry->addrs, found, NULL); + } put_or_destroy_entry(hashtable, entry); } - return addr; + return found; } /** @@ -326,7 +346,7 @@ METHOD(attribute_provider_t, acquire_address, host_t*, if (streq(name, "radius")) { this->listener.mutex->lock(this->listener.mutex); - addr = remove_addr(this, this->listener.unclaimed, sa); + addr = remove_addr(this, this->listener.unclaimed, sa, requested); if (addr) { add_addr(this, this->listener.claimed, sa, addr->clone(addr)); @@ -357,7 +377,7 @@ METHOD(attribute_provider_t, release_address, bool, if (streq(name, "radius")) { this->listener.mutex->lock(this->listener.mutex); - found = remove_addr(this, this->listener.claimed, sa); + found = remove_addr(this, this->listener.claimed, sa, address); this->listener.mutex->unlock(this->listener.mutex); break; } diff --git a/src/libcharon/plugins/error_notify/error_notify_listener.c b/src/libcharon/plugins/error_notify/error_notify_listener.c index f7a1f49ec..ce577c62c 100644 --- a/src/libcharon/plugins/error_notify/error_notify_listener.c +++ b/src/libcharon/plugins/error_notify/error_notify_listener.c @@ -110,7 +110,7 @@ METHOD(listener_t, alert, bool, list = va_arg(args, linked_list_t*); list2 = va_arg(args, linked_list_t*); snprintf(msg.str, sizeof(msg.str), "the received traffic selectors " - "did not match: %#R=== %#R", list, list2); + "did not match: %#R === %#R", list, list2); break; case ALERT_INSTALL_CHILD_SA_FAILED: msg.type = htonl(ERROR_NOTIFY_INSTALL_CHILD_SA_FAILED); diff --git a/src/libcharon/plugins/ha/ha_child.c b/src/libcharon/plugins/ha/ha_child.c index 17f2d50d1..dbb6adc8f 100644 --- a/src/libcharon/plugins/ha/ha_child.c +++ b/src/libcharon/plugins/ha/ha_child.c @@ -126,7 +126,7 @@ METHOD(listener_t, child_keys, bool, ike_sa->get_my_host(ike_sa), child_sa->get_spi(child_sa, TRUE)); seg_o = this->kernel->get_segment_spi(this->kernel, ike_sa->get_other_host(ike_sa), child_sa->get_spi(child_sa, FALSE)); - DBG1(DBG_CFG, "handling HA CHILD_SA %s{%d} %#R=== %#R " + DBG1(DBG_CFG, "handling HA CHILD_SA %s{%d} %#R === %#R " "(segment in: %d%s, out: %d%s)", child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa), local_ts, remote_ts, seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "", diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c index afa099309..07ef607c6 100644 --- a/src/libcharon/plugins/ha/ha_dispatcher.c +++ b/src/libcharon/plugins/ha/ha_dispatcher.c @@ -848,7 +848,7 @@ static void process_child_add(private_ha_dispatcher_t *this, seg_o = this->kernel->get_segment_spi(this->kernel, ike_sa->get_other_host(ike_sa), outbound_spi); - DBG1(DBG_CFG, "installed HA CHILD_SA %s{%d} %#R=== %#R " + DBG1(DBG_CFG, "installed HA CHILD_SA %s{%d} %#R === %#R " "(segment in: %d%s, out: %d%s)", child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa), local_ts, remote_ts, seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "", diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c index 6246dc505..d738e6d13 100644 --- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c +++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c @@ -563,15 +563,16 @@ METHOD(kernel_ipsec_t, query_policy, status_t, } METHOD(kernel_ipsec_t, del_policy, status_t, - private_kernel_libipsec_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid, + private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, + policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark, policy_priority_t priority) { policy_entry_t *policy, *found = NULL; status_t status; status = ipsec->policies->del_policy(ipsec->policies, src_ts, dst_ts, - direction, reqid, mark, priority); + direction, sa->reqid, mark, priority); policy = create_policy_entry(src_ts, dst_ts, direction); diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c index b38ded846..95f79f168 100644 --- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c +++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c @@ -2456,15 +2456,16 @@ METHOD(kernel_ipsec_t, query_policy, status_t, } METHOD(kernel_ipsec_t, del_policy, status_t, - private_kernel_wfp_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid, + private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, + policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark, policy_priority_t priority) { if (direction == POLICY_OUT && priority == POLICY_PRIORITY_ROUTED) { - if (remove_trap(this, reqid, FALSE, src_ts, dst_ts)) + if (remove_trap(this, sa->reqid, FALSE, src_ts, dst_ts)) { - remove_trap(this, reqid, TRUE, src_ts, dst_ts); + remove_trap(this, sa->reqid, TRUE, src_ts, dst_ts); return SUCCESS; } return NOT_FOUND; diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c index 62d43e302..6a86bb899 100644 --- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c +++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c @@ -103,8 +103,9 @@ METHOD(kernel_ipsec_t, query_policy, status_t, } METHOD(kernel_ipsec_t, del_policy, status_t, - private_load_tester_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid, + private_load_tester_ipsec_t *this, host_t *src, host_t *dst, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, + policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark, policy_priority_t priority) { return SUCCESS; diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c index dbfddbb81..13bf3e775 100644 --- a/src/libcharon/plugins/socket_default/socket_default_socket.c +++ b/src/libcharon/plugins/socket_default/socket_default_socket.c @@ -148,6 +148,91 @@ struct private_socket_default_socket_t { u_int rr_counter; }; +/** + * Get the destination IPv4 address of a received packet, depending on the + * available mechanism. + */ +#ifdef IP_PKTINFO + +static host_t *get_dst_v4(struct cmsghdr *cmsgptr, u_int16_t port) +{ + struct sockaddr_in dst = { + .sin_family = AF_INET, + .sin_port = htons(port), + }; + struct in_pktinfo *pktinfo; + struct in_addr *addr; + + if (cmsgptr->cmsg_type == IP_PKTINFO) + { + pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsgptr); + addr = &pktinfo->ipi_addr; + memcpy(&dst.sin_addr, addr, sizeof(dst.sin_addr)); + return host_create_from_sockaddr((sockaddr_t*)&dst); + } + return NULL; +} + +#elif defined(IP_RECVDSTADDR) + +static host_t *get_dst_v4(struct cmsghdr *cmsgptr, u_int16_t port) +{ + struct sockaddr_in dst = { + .sin_family = AF_INET, + .sin_port = htons(port), + }; + struct in_addr *addr; + + if (cmsgptr->cmsg_type == IP_RECVDSTADDR) + { + addr = (struct in_addr*)CMSG_DATA(cmsgptr); + memcpy(&dst.sin_addr, addr, sizeof(dst.sin_addr)); + return host_create_from_sockaddr((sockaddr_t*)&dst); + } + return NULL; +} + +#else /* IP_PKTINFO || IP_RECVDSTADDR */ + +static host_t *get_dst_v4(struct cmsghdr *cmsgptr, u_int16_t port) +{ + return NULL; +} + +#endif /* IP_PKTINFO || IP_RECVDSTADDR */ + +/** + * Get the destination IPv6 address of a received packet, depending on the + * available mechanism. + */ +#ifdef HAVE_IN6_PKTINFO + +static host_t *get_dst_v6(struct cmsghdr *cmsgptr, u_int16_t port) +{ + struct in6_pktinfo *pktinfo; + struct sockaddr_in6 dst = { + .sin6_family = AF_INET6, + .sin6_port = htons(port), + }; + + if (cmsgptr->cmsg_type == IPV6_PKTINFO) + { + pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr); + memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr)); + return host_create_from_sockaddr((sockaddr_t*)&dst); + } + return NULL; +} + +#else /* HAVE_IN6_PKTINFO */ + +static host_t *get_dst_v6(struct cmsghdr *cmsgptr, u_int16_t port) +{ + return NULL; +} + +#endif /* HAVE_IN6_PKTINFO */ + METHOD(socket_t, receiver, status_t, private_socket_default_socket_t *this, packet_t **packet) { @@ -233,48 +318,13 @@ METHOD(socket_t, receiver, status_t, DBG1(DBG_NET, "error reading ancillary data"); return FAILED; } - -#ifdef HAVE_IN6_PKTINFO - if (cmsgptr->cmsg_level == SOL_IPV6 && - cmsgptr->cmsg_type == IPV6_PKTINFO) + if (cmsgptr->cmsg_level == SOL_IP) { - struct in6_pktinfo *pktinfo; - pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr); - struct sockaddr_in6 dst; - - memset(&dst, 0, sizeof(dst)); - memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr)); - dst.sin6_family = AF_INET6; - dst.sin6_port = htons(port); - dest = host_create_from_sockaddr((sockaddr_t*)&dst); + dest = get_dst_v4(cmsgptr, port); } -#endif /* HAVE_IN6_PKTINFO */ - if (cmsgptr->cmsg_level == SOL_IP && -#ifdef IP_PKTINFO - cmsgptr->cmsg_type == IP_PKTINFO -#elif defined(IP_RECVDSTADDR) - cmsgptr->cmsg_type == IP_RECVDSTADDR -#else - FALSE -#endif - ) + else if (cmsgptr->cmsg_level == SOL_IPV6) { - struct in_addr *addr; - struct sockaddr_in dst; - -#ifdef IP_PKTINFO - struct in_pktinfo *pktinfo; - pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsgptr); - addr = &pktinfo->ipi_addr; -#elif defined(IP_RECVDSTADDR) - addr = (struct in_addr*)CMSG_DATA(cmsgptr); -#endif - memset(&dst, 0, sizeof(dst)); - memcpy(&dst.sin_addr, addr, sizeof(dst.sin_addr)); - - dst.sin_family = AF_INET; - dst.sin_port = htons(port); - dest = host_create_from_sockaddr((sockaddr_t*)&dst); + dest = get_dst_v6(cmsgptr, port); } if (dest) { @@ -305,6 +355,107 @@ METHOD(socket_t, receiver, status_t, return SUCCESS; } +/** + * Generic function to send a message. + */ +static ssize_t send_msg_generic(int skt, struct msghdr *msg) +{ + return sendmsg(skt, msg, 0); +} + +/** + * Send a message with the IPv4 source address set, if possible. + */ +#ifdef IP_PKTINFO + +static ssize_t send_msg_v4(int skt, struct msghdr *msg, host_t *src) +{ + char buf[CMSG_SPACE(sizeof(struct in_pktinfo))] = {}; + struct cmsghdr *cmsg; + struct in_addr *addr; + struct in_pktinfo *pktinfo; + struct sockaddr_in *sin; + + msg->msg_control = buf; + msg->msg_controllen = sizeof(buf); + cmsg = CMSG_FIRSTHDR(msg); + cmsg->cmsg_level = SOL_IP; + cmsg->cmsg_type = IP_PKTINFO; + cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo)); + + pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg); + addr = &pktinfo->ipi_spec_dst; + + sin = (struct sockaddr_in*)src->get_sockaddr(src); + memcpy(addr, &sin->sin_addr, sizeof(struct in_addr)); + return send_msg_generic(skt, msg); +} + +#elif defined(IP_SENDSRCADDR) + +static ssize_t send_msg_v4(int skt, struct msghdr *msg, host_t *src) +{ + char buf[CMSG_SPACE(sizeof(struct in_addr))] = {}; + struct cmsghdr *cmsg; + struct in_addr *addr; + struct sockaddr_in *sin; + + msg->msg_control = buf; + msg->msg_controllen = sizeof(buf); + cmsg = CMSG_FIRSTHDR(msg); + cmsg->cmsg_level = SOL_IP; + cmsg->cmsg_type = IP_SENDSRCADDR; + cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_addr)); + + addr = (struct in_addr*)CMSG_DATA(cmsg); + + sin = (struct sockaddr_in*)src->get_sockaddr(src); + memcpy(addr, &sin->sin_addr, sizeof(struct in_addr)); + return send_msg_generic(skt, msg); +} + +#else /* IP_PKTINFO || IP_RECVDSTADDR */ + +static ssize_t send_msg_v4(int skt, struct msghdr *msg, host_t *src) +{ + return send_msg_generic(skt, msg); +} + +#endif /* IP_PKTINFO || IP_RECVDSTADDR */ + +/** + * Send a message with the IPv6 source address set, if possible. + */ +#ifdef HAVE_IN6_PKTINFO + +static ssize_t send_msg_v6(int skt, struct msghdr *msg, host_t *src) +{ + char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))] = {}; + struct cmsghdr *cmsg; + struct in6_pktinfo *pktinfo; + struct sockaddr_in6 *sin; + + msg->msg_control = buf; + msg->msg_controllen = sizeof(buf); + cmsg = CMSG_FIRSTHDR(msg); + cmsg->cmsg_level = SOL_IPV6; + cmsg->cmsg_type = IPV6_PKTINFO; + cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); + pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg); + sin = (struct sockaddr_in6*)src->get_sockaddr(src); + memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr)); + return send_msg_generic(skt, msg); +} + +#else /* HAVE_IN6_PKTINFO */ + +static ssize_t send_msg_v6(int skt, struct msghdr *msg, host_t *src) +{ + return send_msg_generic(skt, msg); +} + +#endif /* HAVE_IN6_PKTINFO */ + METHOD(socket_t, sender, status_t, private_socket_default_socket_t *this, packet_t *packet) { @@ -313,7 +464,6 @@ METHOD(socket_t, sender, status_t, chunk_t data; host_t *src, *dst; struct msghdr msg; - struct cmsghdr *cmsg; struct iovec iov; u_int8_t *dscp; @@ -415,56 +565,17 @@ METHOD(socket_t, sender, status_t, { if (family == AF_INET) { -#if defined(IP_PKTINFO) || defined(IP_SENDSRCADDR) - struct in_addr *addr; - struct sockaddr_in *sin; -#ifdef IP_PKTINFO - char buf[CMSG_SPACE(sizeof(struct in_pktinfo))]; - struct in_pktinfo *pktinfo; -#elif defined(IP_SENDSRCADDR) - char buf[CMSG_SPACE(sizeof(struct in_addr))]; -#endif - memset(buf, 0, sizeof(buf)); - msg.msg_control = buf; - msg.msg_controllen = sizeof(buf); - cmsg = CMSG_FIRSTHDR(&msg); - cmsg->cmsg_level = SOL_IP; -#ifdef IP_PKTINFO - cmsg->cmsg_type = IP_PKTINFO; - cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo)); - pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg); - addr = &pktinfo->ipi_spec_dst; -#elif defined(IP_SENDSRCADDR) - cmsg->cmsg_type = IP_SENDSRCADDR; - cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_addr)); - addr = (struct in_addr*)CMSG_DATA(cmsg); -#endif - sin = (struct sockaddr_in*)src->get_sockaddr(src); - memcpy(addr, &sin->sin_addr, sizeof(struct in_addr)); -#endif /* IP_PKTINFO || IP_SENDSRCADDR */ + bytes_sent = send_msg_v4(skt, &msg, src); } -#ifdef HAVE_IN6_PKTINFO else { - char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))]; - struct in6_pktinfo *pktinfo; - struct sockaddr_in6 *sin; - - memset(buf, 0, sizeof(buf)); - msg.msg_control = buf; - msg.msg_controllen = sizeof(buf); - cmsg = CMSG_FIRSTHDR(&msg); - cmsg->cmsg_level = SOL_IPV6; - cmsg->cmsg_type = IPV6_PKTINFO; - cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); - pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg); - sin = (struct sockaddr_in6*)src->get_sockaddr(src); - memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr)); + bytes_sent = send_msg_v6(skt, &msg, src); } -#endif /* HAVE_IN6_PKTINFO */ } - - bytes_sent = sendmsg(skt, &msg, 0); + else + { + bytes_sent = send_msg_generic(skt, &msg); + } if (bytes_sent != data.len) { diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c index b82a69e1b..a032134c3 100644 --- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c +++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c @@ -527,6 +527,62 @@ static dynsock_t *find_socket(private_socket_dynamic_socket_t *this, return skt; } +/** + * Generic function to send a message. + */ +static ssize_t send_msg_generic(int skt, struct msghdr *msg) +{ + return sendmsg(skt, msg, 0); +} + +/** + * Send a message with the IPv4 source address set. + */ +static ssize_t send_msg_v4(int skt, struct msghdr *msg, host_t *src) +{ + char buf[CMSG_SPACE(sizeof(struct in_pktinfo))] = {}; + struct cmsghdr *cmsg; + struct in_addr *addr; + struct in_pktinfo *pktinfo; + struct sockaddr_in *sin; + + msg->msg_control = buf; + msg->msg_controllen = sizeof(buf); + cmsg = CMSG_FIRSTHDR(msg); + cmsg->cmsg_level = SOL_IP; + cmsg->cmsg_type = IP_PKTINFO; + cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo)); + + pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg); + addr = &pktinfo->ipi_spec_dst; + + sin = (struct sockaddr_in*)src->get_sockaddr(src); + memcpy(addr, &sin->sin_addr, sizeof(struct in_addr)); + return send_msg_generic(skt, msg); +} + +/** + * Send a message with the IPv6 source address set. + */ +static ssize_t send_msg_v6(int skt, struct msghdr *msg, host_t *src) +{ + char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))] = {}; + struct cmsghdr *cmsg; + struct in6_pktinfo *pktinfo; + struct sockaddr_in6 *sin; + + msg->msg_control = buf; + msg->msg_controllen = sizeof(buf); + cmsg = CMSG_FIRSTHDR(msg); + cmsg->cmsg_level = SOL_IPV6; + cmsg->cmsg_type = IPV6_PKTINFO; + cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); + pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg); + sin = (struct sockaddr_in6*)src->get_sockaddr(src); + memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr)); + return send_msg_generic(skt, msg); +} + METHOD(socket_t, sender, status_t, private_socket_dynamic_socket_t *this, packet_t *packet) { @@ -536,7 +592,6 @@ METHOD(socket_t, sender, status_t, ssize_t len; chunk_t data; struct msghdr msg; - struct cmsghdr *cmsg; struct iovec iov; src = packet->get_source(packet); @@ -564,43 +619,18 @@ METHOD(socket_t, sender, status_t, { if (family == AF_INET) { - struct in_addr *addr; - struct sockaddr_in *sin; - char buf[CMSG_SPACE(sizeof(struct in_pktinfo))]; - struct in_pktinfo *pktinfo; - - memset(buf, 0, sizeof(buf)); - msg.msg_control = buf; - msg.msg_controllen = sizeof(buf); - cmsg = CMSG_FIRSTHDR(&msg); - cmsg->cmsg_level = SOL_IP; - cmsg->cmsg_type = IP_PKTINFO; - cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo)); - pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg); - addr = &pktinfo->ipi_spec_dst; - sin = (struct sockaddr_in*)src->get_sockaddr(src); - memcpy(addr, &sin->sin_addr, sizeof(struct in_addr)); + len = send_msg_v4(skt->fd, &msg, src); } else { - char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))]; - struct in6_pktinfo *pktinfo; - struct sockaddr_in6 *sin; - - memset(buf, 0, sizeof(buf)); - msg.msg_control = buf; - msg.msg_controllen = sizeof(buf); - cmsg = CMSG_FIRSTHDR(&msg); - cmsg->cmsg_level = SOL_IPV6; - cmsg->cmsg_type = IPV6_PKTINFO; - cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); - pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg); - sin = (struct sockaddr_in6*)src->get_sockaddr(src); - memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr)); + len = send_msg_v6(skt->fd, &msg, src); } } + else + { + len = send_msg_generic(skt->fd, &msg); + } - len = sendmsg(skt->fd, &msg, 0); if (len != data.len) { DBG1(DBG_NET, "error writing to socket: %s", strerror(errno)); diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c index f71719458..68cf83089 100644 --- a/src/libcharon/plugins/stroke/stroke_config.c +++ b/src/libcharon/plugins/stroke/stroke_config.c @@ -346,9 +346,9 @@ static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg) { "sha256", SIGN_ECDSA_256, KEY_ECDSA, }, { "sha384", SIGN_ECDSA_384, KEY_ECDSA, }, { "sha512", SIGN_ECDSA_521, KEY_ECDSA, }, - { "sha256", SIGN_BLISS_WITH_SHA256, KEY_BLISS, }, - { "sha384", SIGN_BLISS_WITH_SHA384, KEY_BLISS, }, - { "sha512", SIGN_BLISS_WITH_SHA512, KEY_BLISS, }, + { "sha256", SIGN_BLISS_WITH_SHA2_256, KEY_BLISS, }, + { "sha384", SIGN_BLISS_WITH_SHA2_384, KEY_BLISS, }, + { "sha512", SIGN_BLISS_WITH_SHA2_512, KEY_BLISS, }, }; if (rsa_len || ecdsa_len || bliss_strength) diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c index 0125d17c6..5a1a5074d 100644 --- a/src/libcharon/plugins/stroke/stroke_control.c +++ b/src/libcharon/plugins/stroke/stroke_control.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Tobias Brunner + * Copyright (C) 2013-2015 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -298,6 +298,41 @@ static void report_terminate_status(private_stroke_control_t *this, } } +/** + * Call the charon controller to terminate a CHILD_SA + */ +static void charon_terminate(private_stroke_control_t *this, u_int32_t id, + stroke_msg_t *msg, FILE *out, bool child) +{ + if (msg->output_verbosity >= 0) + { + stroke_log_info_t info = { msg->output_verbosity, out }; + status_t status; + + if (child) + { + status = charon->controller->terminate_child(charon->controller, id, + (controller_cb_t)stroke_log, &info, this->timeout); + } + else + { + status = charon->controller->terminate_ike(charon->controller, id, + (controller_cb_t)stroke_log, &info, this->timeout); + } + report_terminate_status(this, status, out, id, child); + } + else if (child) + { + charon->controller->terminate_child(charon->controller, id, + NULL, NULL, 0); + } + else + { + charon->controller->terminate_ike(charon->controller, id, + NULL, NULL, 0); + } +} + METHOD(stroke_control_t, terminate, void, private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) { @@ -307,9 +342,7 @@ METHOD(stroke_control_t, terminate, void, ike_sa_t *ike_sa; enumerator_t *enumerator; linked_list_t *ike_list, *child_list; - stroke_log_info_t info; uintptr_t del; - status_t status; if (!parse_specifier(msg->terminate.name, &id, &name, &child, &all)) { @@ -317,22 +350,9 @@ METHOD(stroke_control_t, terminate, void, return; } - info.out = out; - info.level = msg->output_verbosity; - if (id) { - if (child) - { - status = charon->controller->terminate_child(charon->controller, id, - (controller_cb_t)stroke_log, &info, this->timeout); - } - else - { - status = charon->controller->terminate_ike(charon->controller, id, - (controller_cb_t)stroke_log, &info, this->timeout); - } - return report_terminate_status(this, status, out, id, child); + return charon_terminate(this, id, msg, out, child); } ike_list = linked_list_create(); @@ -380,18 +400,14 @@ METHOD(stroke_control_t, terminate, void, enumerator = child_list->create_enumerator(child_list); while (enumerator->enumerate(enumerator, &del)) { - status = charon->controller->terminate_child(charon->controller, del, - (controller_cb_t)stroke_log, &info, this->timeout); - report_terminate_status(this, status, out, del, TRUE); + charon_terminate(this, del, msg, out, TRUE); } enumerator->destroy(enumerator); enumerator = ike_list->create_enumerator(ike_list); while (enumerator->enumerate(enumerator, &del)) { - status = charon->controller->terminate_ike(charon->controller, del, - (controller_cb_t)stroke_log, &info, this->timeout); - report_terminate_status(this, status, out, del, FALSE); + charon_terminate(this, del, msg, out, FALSE); } enumerator->destroy(enumerator); @@ -548,11 +564,6 @@ METHOD(stroke_control_t, purge_ike, void, child_sa_t *child_sa; linked_list_t *list; uintptr_t del; - stroke_log_info_t info; - status_t status; - - info.out = out; - info.level = msg->output_verbosity; list = linked_list_create(); enumerator = charon->controller->create_ike_sa_enumerator( @@ -572,9 +583,7 @@ METHOD(stroke_control_t, purge_ike, void, enumerator = list->create_enumerator(list); while (enumerator->enumerate(enumerator, &del)) { - status = charon->controller->terminate_ike(charon->controller, del, - (controller_cb_t)stroke_log, &info, this->timeout); - report_terminate_status(this, status, out, del, TRUE); + charon_terminate(this, del, msg, out, FALSE); } enumerator->destroy(enumerator); list->destroy(list); diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c index c7e4c9c65..c0192b5c0 100644 --- a/src/libcharon/plugins/stroke/stroke_list.c +++ b/src/libcharon/plugins/stroke/stroke_list.c @@ -334,7 +334,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) child_sa->create_ts_enumerator(child_sa, TRUE)); other_ts = linked_list_create_from_enumerator( child_sa->create_ts_enumerator(child_sa, FALSE)); - fprintf(out, "\n%12s{%d}: %#R=== %#R\n", + fprintf(out, "\n%12s{%d}: %#R === %#R\n", child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa), my_ts, other_ts); my_ts->destroy(my_ts); @@ -586,7 +586,7 @@ METHOD(stroke_list_t, status, void, { my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL); other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL); - fprintf(out, "%12s: child: %#R=== %#R%N", + fprintf(out, "%12s: child: %#R === %#R %N", child_cfg->get_name(child_cfg), my_ts, other_ts, ipsec_mode_names, child_cfg->get_mode(child_cfg)); my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy)); @@ -620,7 +620,7 @@ METHOD(stroke_list_t, status, void, } my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL); other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL); - fprintf(out, "%12s: %#R=== %#R%N\n", + fprintf(out, "%12s: %#R === %#R %N\n", child_cfg->get_name(child_cfg), my_ts, other_ts, ipsec_mode_names, child_cfg->get_mode(child_cfg)); my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy)); diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md index e20e8ab26..b9531d8a5 100644 --- a/src/libcharon/plugins/vici/README.md +++ b/src/libcharon/plugins/vici/README.md @@ -526,12 +526,21 @@ Unloading fails for pools with leases currently online. List the currently loaded pools. - {} => { + { + leases = + } => { * = { base = size = online = offline = + leases = { + * = { + address = + identity = + status = + } + } } } @@ -587,6 +596,10 @@ command. initiator = initiator-spi = responder-spi = + nat-local = + nat-remote = + nat-fake = + nat-any = encr-alg = encr-keysize = integ-alg = @@ -596,6 +609,12 @@ command. established = rekey-time = reauth-time = + local-vips = [ + + ] + remote-vips = [ + + ] tasks-queued = [ ] diff --git a/src/libcharon/plugins/vici/vici_attribute.c b/src/libcharon/plugins/vici/vici_attribute.c index f04bae774..9064d3d8c 100644 --- a/src/libcharon/plugins/vici/vici_attribute.c +++ b/src/libcharon/plugins/vici/vici_attribute.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014 Tobias Brunner + * Copyright (C) 2014-2015 Tobias Brunner * Hochschule fuer Technik Rapperswil * * Copyright (C) 2014 Martin Willi @@ -662,9 +662,16 @@ CALLBACK(get_pools, vici_message_t*, vici_message_t *message) { vici_builder_t *builder; - enumerator_t *enumerator; + enumerator_t *enumerator, *leases; mem_pool_t *vips; pool_t *pool; + identification_t *uid; + host_t *lease; + bool list_leases, on; + char buf[32]; + int i; + + list_leases = message->get_bool(message, FALSE, "leases"); builder = vici_builder_create(); @@ -681,6 +688,23 @@ CALLBACK(get_pools, vici_message_t*, builder->add_kv(builder, "online", "%u", vips->get_online(vips)); builder->add_kv(builder, "offline", "%u", vips->get_offline(vips)); + if (list_leases) + { + i = 0; + builder->begin_section(builder, "leases"); + leases = vips->create_lease_enumerator(vips); + while (leases && leases->enumerate(leases, &uid, &lease, &on)) + { + snprintf(buf, sizeof(buf), "%d", i++); + builder->begin_section(builder, buf); + builder->add_kv(builder, "address", "%H", lease); + builder->add_kv(builder, "identity", "%Y", uid); + builder->add_kv(builder, "status", on ? "online" : "offline"); + builder->end_section(builder); + } + leases->destroy(leases); + builder->end_section(builder); + } builder->end_section(builder); } enumerator->destroy(enumerator); diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c index ffdc034ea..6631184b5 100644 --- a/src/libcharon/plugins/vici/vici_cred.c +++ b/src/libcharon/plugins/vici/vici_cred.c @@ -71,6 +71,7 @@ CALLBACK(load_cert, vici_message_t*, certificate_t *cert; x509_t *x509; chunk_t data; + bool trusted = TRUE; char *str; str = message->get_str(message, NULL, "type"); @@ -99,6 +100,7 @@ CALLBACK(load_cert, vici_message_t*, else if (strcaseeq(str, "x509ac")) { type = CERT_X509_AC; + trusted = FALSE; } else { @@ -131,8 +133,14 @@ CALLBACK(load_cert, vici_message_t*, DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert)); - this->creds->add_cert(this->creds, TRUE, cert); - + if (type == CERT_X509_CRL) + { + this->creds->add_crl(this->creds, (crl_t*)cert); + } + else + { + this->creds->add_cert(this->creds, trusted, cert); + } return create_reply(NULL); } diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c index 98d264fca..9a3d832da 100644 --- a/src/libcharon/plugins/vici/vici_query.c +++ b/src/libcharon/plugins/vici/vici_query.c @@ -221,6 +221,45 @@ static void list_task_queue(private_vici_query_t *this, vici_builder_t *b, } } +/** + * Add an IKE_SA condition to the given builder + */ +static void add_condition(vici_builder_t *b, ike_sa_t *ike_sa, + char *key, ike_condition_t cond) +{ + if (ike_sa->has_condition(ike_sa, cond)) + { + b->add_kv(b, key, "yes"); + } +} + +/** + * List virtual IPs + */ +static void list_vips(private_vici_query_t *this, vici_builder_t *b, + ike_sa_t *ike_sa, bool local, char *name) +{ + enumerator_t *enumerator; + bool has = FALSE; + host_t *vip; + + enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, local); + while (enumerator->enumerate(enumerator, &vip)) + { + if (!has) + { + b->begin_list(b, name); + has = TRUE; + } + b->add_li(b, "%H", vip); + } + enumerator->destroy(enumerator); + if (has) + { + b->end_list(b); + } +} + /** * List details of an IKE_SA */ @@ -265,6 +304,11 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b, b->add_kv(b, "initiator-spi", "%.16"PRIx64, id->get_initiator_spi(id)); b->add_kv(b, "responder-spi", "%.16"PRIx64, id->get_responder_spi(id)); + add_condition(b, ike_sa, "nat-local", COND_NAT_HERE); + add_condition(b, ike_sa, "nat-remote", COND_NAT_THERE); + add_condition(b, ike_sa, "nat-fake", COND_NAT_FAKE); + add_condition(b, ike_sa, "nat-any", COND_NAT_ANY); + proposal = ike_sa->get_proposal(ike_sa); if (proposal) { @@ -310,6 +354,9 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b, } } + list_vips(this, b, ike_sa, TRUE, "local-vips"); + list_vips(this, b, ike_sa, FALSE, "remote-vips"); + list_task_queue(this, b, ike_sa, TASK_QUEUE_QUEUED, "tasks-queued"); list_task_queue(this, b, ike_sa, TASK_QUEUE_ACTIVE, "tasks-active"); list_task_queue(this, b, ike_sa, TASK_QUEUE_PASSIVE, "tasks-passive"); diff --git a/src/libcharon/processing/jobs/initiate_mediation_job.c b/src/libcharon/processing/jobs/initiate_mediation_job.c index 5b5fb9d98..6c01ffe95 100644 --- a/src/libcharon/processing/jobs/initiate_mediation_job.c +++ b/src/libcharon/processing/jobs/initiate_mediation_job.c @@ -161,6 +161,10 @@ METHOD(job_t, initiate, job_requeue_t, } mediated_cfg->destroy(mediated_cfg); } + else + { /* newly created IKE_SA is not checked in yet, try again */ + return JOB_RESCHEDULE_MS(100); + } return JOB_REQUEUE_NONE; } diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index 73f2ec9d3..b0f163c83 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -413,8 +413,14 @@ METHOD(enumerator_t, policy_enumerate, bool, { /* protocol mismatch */ continue; } - *my_out = this->ts; - *other_out = other_ts; + if (my_out) + { + *my_out = this->ts; + } + if (other_out) + { + *other_out = other_ts; + } return TRUE; } return FALSE; @@ -774,6 +780,50 @@ static bool require_policy_update() return !(f & KERNEL_NO_POLICY_UPDATES); } +/** + * Prepare SA config to install/delete policies + */ +static void prepare_sa_cfg(private_child_sa_t *this, ipsec_sa_cfg_t *my_sa, + ipsec_sa_cfg_t *other_sa) +{ + enumerator_t *enumerator; + + *my_sa = (ipsec_sa_cfg_t){ + .mode = this->mode, + .reqid = this->reqid, + .ipcomp = { + .transform = this->ipcomp, + }, + }; + *other_sa = *my_sa; + + my_sa->ipcomp.cpi = this->my_cpi; + other_sa->ipcomp.cpi = this->other_cpi; + + if (this->protocol == PROTO_ESP) + { + my_sa->esp.use = TRUE; + my_sa->esp.spi = this->my_spi; + other_sa->esp.use = TRUE; + other_sa->esp.spi = this->other_spi; + } + else + { + my_sa->ah.use = TRUE; + my_sa->ah.spi = this->my_spi; + other_sa->ah.use = TRUE; + other_sa->ah.spi = this->other_spi; + } + + enumerator = create_policy_enumerator(this); + while (enumerator->enumerate(enumerator, NULL, NULL)) + { + my_sa->policy_count++; + other_sa->policy_count++; + } + enumerator->destroy(enumerator); +} + /** * Install 3 policies: out, in and forward */ @@ -806,20 +856,22 @@ static status_t install_policies_internal(private_child_sa_t *this, * Delete 3 policies: out, in and forward */ static void del_policies_internal(private_child_sa_t *this, - traffic_selector_t *my_ts, traffic_selector_t *other_ts, - policy_priority_t priority) + host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts, + traffic_selector_t *other_ts, ipsec_sa_cfg_t *my_sa, + ipsec_sa_cfg_t *other_sa, policy_type_t type, policy_priority_t priority) { + hydra->kernel_interface->del_policy(hydra->kernel_interface, - my_ts, other_ts, POLICY_OUT, this->reqid, - this->mark_out, priority); + my_addr, other_addr, my_ts, other_ts, POLICY_OUT, type, + other_sa, this->mark_out, priority); hydra->kernel_interface->del_policy(hydra->kernel_interface, - other_ts, my_ts, POLICY_IN, this->reqid, - this->mark_in, priority); + other_addr, my_addr, other_ts, my_ts, POLICY_IN, + type, my_sa, this->mark_in, priority); if (this->mode != MODE_TRANSPORT) { hydra->kernel_interface->del_policy(hydra->kernel_interface, - other_ts, my_ts, POLICY_FWD, this->reqid, - this->mark_in, priority); + other_addr, my_addr, other_ts, my_ts, POLICY_FWD, + type, my_sa, this->mark_in, priority); } } @@ -864,31 +916,9 @@ METHOD(child_sa_t, add_policies, status_t, if (this->config->install_policy(this->config)) { policy_priority_t priority; - ipsec_sa_cfg_t my_sa = { - .mode = this->mode, - .reqid = this->reqid, - .ipcomp = { - .transform = this->ipcomp, - }, - }, other_sa = my_sa; - - my_sa.ipcomp.cpi = this->my_cpi; - other_sa.ipcomp.cpi = this->other_cpi; - - if (this->protocol == PROTO_ESP) - { - my_sa.esp.use = TRUE; - my_sa.esp.spi = this->my_spi; - other_sa.esp.use = TRUE; - other_sa.esp.spi = this->other_spi; - } - else - { - my_sa.ah.use = TRUE; - my_sa.ah.spi = this->my_spi; - other_sa.ah.use = TRUE; - other_sa.ah.spi = this->other_spi; - } + ipsec_sa_cfg_t my_sa, other_sa; + + prepare_sa_cfg(this, &my_sa, &other_sa); /* if we're not in state CHILD_INSTALLING (i.e. if there is no SAD * entry) we install a trap policy */ @@ -896,14 +926,6 @@ METHOD(child_sa_t, add_policies, status_t, priority = this->trap ? POLICY_PRIORITY_ROUTED : POLICY_PRIORITY_DEFAULT; - enumerator = create_policy_enumerator(this); - while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) - { - my_sa.policy_count++; - other_sa.policy_count++; - } - enumerator->destroy(enumerator); - /* enumerate pairs of traffic selectors */ enumerator = create_policy_enumerator(this); while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) @@ -1006,47 +1028,24 @@ METHOD(child_sa_t, update, status_t, if (this->config->install_policy(this->config) && require_policy_update()) { - ipsec_sa_cfg_t my_sa = { - .mode = this->mode, - .reqid = this->reqid, - .ipcomp = { - .transform = this->ipcomp, - }, - }, other_sa = my_sa; - - my_sa.ipcomp.cpi = this->my_cpi; - other_sa.ipcomp.cpi = this->other_cpi; - - if (this->protocol == PROTO_ESP) - { - my_sa.esp.use = TRUE; - my_sa.esp.spi = this->my_spi; - other_sa.esp.use = TRUE; - other_sa.esp.spi = this->other_spi; - } - else - { - my_sa.ah.use = TRUE; - my_sa.ah.spi = this->my_spi; - other_sa.ah.use = TRUE; - other_sa.ah.spi = this->other_spi; - } - - /* update policies */ if (!me->ip_equals(me, this->my_addr) || !other->ip_equals(other, this->other_addr)) { + ipsec_sa_cfg_t my_sa, other_sa; enumerator_t *enumerator; traffic_selector_t *my_ts, *other_ts; + prepare_sa_cfg(this, &my_sa, &other_sa); + /* always use high priorities, as hosts getting updated are INSTALLED */ enumerator = create_policy_enumerator(this); while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) { traffic_selector_t *old_my_ts = NULL, *old_other_ts = NULL; /* remove old policies first */ - del_policies_internal(this, my_ts, other_ts, - POLICY_PRIORITY_DEFAULT); + del_policies_internal(this, this->my_addr, this->other_addr, + my_ts, other_ts, &my_sa, &other_sa, + POLICY_IPSEC, POLICY_PRIORITY_DEFAULT); /* check if we have to update a "dynamic" traffic selector */ if (!me->ip_equals(me, this->my_addr) && @@ -1068,21 +1067,20 @@ METHOD(child_sa_t, update, status_t, /* reinstall updated policies */ install_policies_internal(this, me, other, my_ts, other_ts, - &my_sa, &other_sa, POLICY_IPSEC, - POLICY_PRIORITY_DEFAULT); + &my_sa, &other_sa, POLICY_IPSEC, + POLICY_PRIORITY_DEFAULT); /* update fallback policies after the new policy is in place */ - if (old_my_ts || old_other_ts) - { - del_policies_internal(this, old_my_ts ?: my_ts, - old_other_ts ?: other_ts, + del_policies_internal(this, this->my_addr, this->other_addr, + old_my_ts ?: my_ts, + old_other_ts ?: other_ts, + &my_sa, &other_sa, POLICY_DROP, + POLICY_PRIORITY_FALLBACK); + install_policies_internal(this, me, other, my_ts, other_ts, + &my_sa, &other_sa, POLICY_DROP, POLICY_PRIORITY_FALLBACK); - install_policies_internal(this, me, other, my_ts, other_ts, - &my_sa, &other_sa, POLICY_DROP, - POLICY_PRIORITY_FALLBACK); - DESTROY_IF(old_my_ts); - DESTROY_IF(old_other_ts); - } + DESTROY_IF(old_my_ts); + DESTROY_IF(old_other_ts); } enumerator->destroy(enumerator); } @@ -1122,15 +1120,21 @@ METHOD(child_sa_t, destroy, void, if (this->config->install_policy(this->config)) { + ipsec_sa_cfg_t my_sa, other_sa; + + prepare_sa_cfg(this, &my_sa, &other_sa); + /* delete all policies in the kernel */ enumerator = create_policy_enumerator(this); while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) { - del_policies_internal(this, my_ts, other_ts, priority); + del_policies_internal(this, this->my_addr, this->other_addr, + my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC, priority); if (priority == POLICY_PRIORITY_DEFAULT && require_policy_update()) { - del_policies_internal(this, my_ts, other_ts, - POLICY_PRIORITY_FALLBACK); + del_policies_internal(this, this->my_addr, this->other_addr, + my_ts, other_ts, &my_sa, &other_sa, POLICY_DROP, + POLICY_PRIORITY_FALLBACK); } } enumerator->destroy(enumerator); diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c index 37d69874d..4625df5b8 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -394,9 +394,17 @@ struct private_ike_sa_manager_t { rng_t *rng; /** - * Lock to access the RNG instance + * Registered callback for IKE SPIs */ - rwlock_t *rng_lock; + struct { + spi_cb_t cb; + void *data; + } spi_cb; + + /** + * Lock to access the RNG instance and the callback + */ + rwlock_t *spi_lock; /** * reuse existing IKE_SAs in checkout_by_config @@ -971,13 +979,17 @@ static u_int64_t get_spi(private_ike_sa_manager_t *this) { u_int64_t spi; - this->rng_lock->read_lock(this->rng_lock); - if (!this->rng || - !this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi)) + this->spi_lock->read_lock(this->spi_lock); + if (this->spi_cb.cb) + { + spi = this->spi_cb.cb(this->spi_cb.data); + } + else if (!this->rng || + !this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi)) { spi = 0; } - this->rng_lock->unlock(this->rng_lock); + this->spi_lock->unlock(this->spi_lock); return spi; } @@ -1188,11 +1200,15 @@ METHOD(ike_sa_manager_t, checkout_new, ike_sa_t*, */ static u_int32_t get_message_id_or_hash(message_t *message) { - /* Use the message ID, or the message hash in IKEv1 Main/Aggressive mode */ - if (message->get_major_version(message) == IKEV1_MAJOR_VERSION && - message->get_message_id(message) == 0) + if (message->get_major_version(message) == IKEV1_MAJOR_VERSION) { - return chunk_hash(message->get_packet_data(message)); + /* Use a hash for IKEv1 Phase 1, where we don't have a MID, and Quick + * Mode, where all three messages use the same message ID */ + if (message->get_message_id(message) == 0 || + message->get_exchange_type(message) == QUICK_MODE) + { + return chunk_hash(message->get_packet_data(message)); + } } return message->get_message_id(message); } @@ -1384,7 +1400,8 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, continue; } if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING) - { /* skip IKE_SAs which are not usable */ + { /* skip IKE_SAs which are not usable, wake other waiting threads */ + entry->condvar->signal(entry->condvar); continue; } @@ -1402,6 +1419,8 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, break; } } + /* other threads might be waiting for this entry */ + entry->condvar->signal(entry->condvar); } enumerator->destroy(enumerator); @@ -1434,6 +1453,8 @@ METHOD(ike_sa_manager_t, checkout_by_id, ike_sa_t*, entry->checked_out = TRUE; break; } + /* other threads might be waiting for this entry */ + entry->condvar->signal(entry->condvar); } } enumerator->destroy(enumerator); @@ -1490,6 +1511,8 @@ METHOD(ike_sa_manager_t, checkout_by_name, ike_sa_t*, ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa)); break; } + /* other threads might be waiting for this entry */ + entry->condvar->signal(entry->condvar); } } enumerator->destroy(enumerator); @@ -1628,8 +1651,27 @@ METHOD(ike_sa_manager_t, checkin, void, * delete any existing IKE_SAs with that peer. */ if (ike_sa->has_condition(ike_sa, COND_INIT_CONTACT_SEEN)) { + /* We can't hold the segment locked while checking the + * uniqueness as this could lead to deadlocks. We mark the + * entry as checked out while we release the lock so no other + * thread can acquire it. Since it is not yet in the list of + * connected peers that will not cause a deadlock as no other + * caller of check_unqiueness() will try to check out this SA */ + entry->checked_out = TRUE; + unlock_single_segment(this, segment); + this->public.check_uniqueness(&this->public, ike_sa, TRUE); ike_sa->set_condition(ike_sa, COND_INIT_CONTACT_SEEN, FALSE); + + /* The entry could have been modified in the mean time, e.g. + * because another SA was added/removed next to it or another + * thread is waiting, but it should still exist, so there is no + * need for a lookup via get_entry_by... */ + lock_single_segment(this, segment); + entry->checked_out = FALSE; + /* We already signaled waiting threads above, we have to do that + * again after checking the SA out and back in again. */ + entry->condvar->signal(entry->condvar); } } @@ -2010,6 +2052,15 @@ METHOD(ike_sa_manager_t, get_half_open_count, u_int, return count; } +METHOD(ike_sa_manager_t, set_spi_cb, void, + private_ike_sa_manager_t *this, spi_cb_t callback, void *data) +{ + this->spi_lock->write_lock(this->spi_lock); + this->spi_cb.cb = callback; + this->spi_cb.data = data; + this->spi_lock->unlock(this->spi_lock); +} + METHOD(ike_sa_manager_t, flush, void, private_ike_sa_manager_t *this) { @@ -2092,10 +2143,12 @@ METHOD(ike_sa_manager_t, flush, void, charon->bus->set_sa(charon->bus, NULL); unlock_all_segments(this); - this->rng_lock->write_lock(this->rng_lock); + this->spi_lock->write_lock(this->spi_lock); this->rng->destroy(this->rng); this->rng = NULL; - this->rng_lock->unlock(this->rng_lock); + this->spi_cb.cb = NULL; + this->spi_cb.data = NULL; + this->spi_lock->unlock(this->spi_lock); } METHOD(ike_sa_manager_t, destroy, void, @@ -2120,7 +2173,7 @@ METHOD(ike_sa_manager_t, destroy, void, free(this->connected_peers_segments); free(this->init_hashes_segments); - this->rng_lock->destroy(this->rng_lock); + this->spi_lock->destroy(this->spi_lock); free(this); } @@ -2167,6 +2220,7 @@ ike_sa_manager_t *ike_sa_manager_create() .get_count = _get_count, .get_half_open_count = _get_half_open_count, .flush = _flush, + .set_spi_cb = _set_spi_cb, .destroy = _destroy, }, ); @@ -2178,7 +2232,7 @@ ike_sa_manager_t *ike_sa_manager_create() free(this); return NULL; } - this->rng_lock = rwlock_create(RWLOCK_TYPE_DEFAULT); + this->spi_lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->ikesa_limit = lib->settings->get_int(lib->settings, "%s.ikesa_limit", 0, lib->ns); diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h index 3ea928ea5..f1b7c2579 100644 --- a/src/libcharon/sa/ike_sa_manager.h +++ b/src/libcharon/sa/ike_sa_manager.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2015 Tobias Brunner * Copyright (C) 2005-2008 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -30,6 +30,16 @@ typedef struct ike_sa_manager_t ike_sa_manager_t; #include #include +/** + * Callback called to generate an IKE SPI. + * + * This may be called from multiple threads concurrently. + * + * @param data data supplied during registration of the callback + * @return allocated SPI, 0 on failure + */ +typedef u_int64_t (*spi_cb_t)(void *data); + /** * Manages and synchronizes access to all IKE_SAs. * @@ -226,6 +236,15 @@ struct ike_sa_manager_t { u_int (*get_half_open_count)(ike_sa_manager_t *this, host_t *ip, bool responder_only); + /** + * Set the callback to generate IKE SPIs + * + * @param callback callback to register + * @param data data provided to callback + */ + void (*set_spi_cb)(ike_sa_manager_t *this, spi_cb_t callback, + void *data); + /** * Delete all existing IKE_SAs and destroy them immediately. * diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c index f5a91dbeb..e428966ad 100644 --- a/src/libcharon/sa/ikev1/keymat_v1.c +++ b/src/libcharon/sa/ikev1/keymat_v1.c @@ -23,14 +23,9 @@ typedef struct private_keymat_v1_t private_keymat_v1_t; /** - * Max. number of IVs to track. + * Max. number of IVs/QMs to track. */ -#define MAX_IV 3 - -/** - * Max. number of Quick Modes to track. - */ -#define MAX_QM 2 +#define MAX_EXCHANGES_DEFAULT 3 /** * Data stored for IVs @@ -110,6 +105,11 @@ struct private_keymat_v1_t { * of QMs are tracked at the same time. Stores qm_data_t objects. */ linked_list_t *qms; + + /** + * Max. number of IVs/Quick Modes to track. + */ + int max_exchanges; }; @@ -874,7 +874,7 @@ static qm_data_t *lookup_quick_mode(private_keymat_v1_t *this, u_int32_t mid) } this->qms->insert_first(this->qms, found); /* remove least recently used state if maximum reached */ - if (this->qms->get_count(this->qms) > MAX_QM && + if (this->qms->get_count(this->qms) > this->max_exchanges && this->qms->remove_last(this->qms, (void**)&qm) == SUCCESS) { qm_data_destroy(qm); @@ -1048,7 +1048,7 @@ static iv_data_t *lookup_iv(private_keymat_v1_t *this, u_int32_t mid) } this->ivs->insert_first(this->ivs, found); /* remove least recently used IV if maximum reached */ - if (this->ivs->get_count(this->ivs) > MAX_IV && + if (this->ivs->get_count(this->ivs) > this->max_exchanges && this->ivs->remove_last(this->ivs, (void**)&iv) == SUCCESS) { iv_data_destroy(iv); @@ -1163,6 +1163,8 @@ keymat_v1_t *keymat_v1_create(bool initiator) .ivs = linked_list_create(), .qms = linked_list_create(), .initiator = initiator, + .max_exchanges = lib->settings->get_int(lib->settings, + "%s.max_ikev1_exchanges", MAX_EXCHANGES_DEFAULT, lib->ns), ); return &this->public; diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c index 678f99df1..3c601a4fa 100644 --- a/src/libcharon/sa/ikev1/task_manager_v1.c +++ b/src/libcharon/sa/ikev1/task_manager_v1.c @@ -752,6 +752,12 @@ static status_t build_response(private_task_manager_t *this, message_t *request) case ALREADY_DONE: cancelled = TRUE; break; + case INVALID_ARG: + if (task->get_type(task) == TASK_QUICK_MODE) + { /* not responsible for this exchange */ + continue; + } + /* FALL */ case FAILED: default: charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); @@ -928,6 +934,28 @@ static bool have_quick_mode_task(private_task_manager_t *this, u_int32_t mid) return found; } +/** + * Check if we still have an aggressive mode task queued + */ +static bool have_aggressive_mode_task(private_task_manager_t *this) +{ + enumerator_t *enumerator; + task_t *task; + bool found = FALSE; + + enumerator = this->passive_tasks->create_enumerator(this->passive_tasks); + while (enumerator->enumerate(enumerator, &task)) + { + if (task->get_type(task) == TASK_AGGRESSIVE_MODE) + { + found = TRUE; + break; + } + } + enumerator->destroy(enumerator); + return found; +} + /** * handle an incoming request message */ @@ -1034,6 +1062,12 @@ static status_t process_request(private_task_manager_t *this, case ALREADY_DONE: send_response = FALSE; break; + case INVALID_ARG: + if (task->get_type(task) == TASK_QUICK_MODE) + { /* not responsible for this exchange */ + continue; + } + /* FALL */ case FAILED: default: charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); @@ -1061,6 +1095,22 @@ static status_t process_request(private_task_manager_t *this, * the same message again. */ clear_packets(this->responding.packets); } + if (this->queued && + this->queued->get_exchange_type(this->queued) == INFORMATIONAL_V1) + { + message_t *queued; + status_t status; + + queued = this->queued; + this->queued = NULL; + status = this->public.task_manager.process_message( + &this->public.task_manager, queued); + queued->destroy(queued); + if (status == DESTROY_ME) + { + return status; + } + } if (this->passive_tasks->get_count(this->passive_tasks) == 0 && this->queued_tasks->get_count(this->queued_tasks) > 0) { @@ -1133,7 +1183,8 @@ static status_t process_response(private_task_manager_t *this, this->initiating.type = EXCHANGE_TYPE_UNDEFINED; clear_packets(this->initiating.packets); - if (this->queued && this->active_tasks->get_count(this->active_tasks) == 0) + if (this->queued && !this->active_tasks->get_count(this->active_tasks) && + this->queued->get_exchange_type(this->queued) == TRANSACTION) { queued = this->queued; this->queued = NULL; @@ -1228,6 +1279,29 @@ static status_t parse_message(private_task_manager_t *this, message_t *msg) return status; } +/** + * Queue the given message if possible + */ +static status_t queue_message(private_task_manager_t *this, message_t *msg) +{ + if (this->queued) + { + DBG1(DBG_IKE, "ignoring %N request, queue full", + exchange_type_names, msg->get_exchange_type(msg)); + return FAILED; + } + this->queued = message_create_from_packet(msg->get_packet(msg)); + if (this->queued->parse_header(this->queued) != SUCCESS) + { + this->queued->destroy(this->queued); + this->queued = NULL; + return FAILED; + } + DBG1(DBG_IKE, "queueing %N request as tasks still active", + exchange_type_names, msg->get_exchange_type(msg)); + return SUCCESS; +} + METHOD(task_manager_t, process_message, status_t, private_task_manager_t *this, message_t *msg) { @@ -1328,25 +1402,29 @@ METHOD(task_manager_t, process_message, status_t, } } - if (msg->get_exchange_type(msg) == TRANSACTION && - this->active_tasks->get_count(this->active_tasks)) - { /* main mode not yet complete, queue XAuth/Mode config tasks */ - if (this->queued) + /* drop XAuth/Mode Config/Quick Mode messages until we received the last + * Aggressive Mode message. since Informational messages are not + * retransmitted we queue them. */ + if (have_aggressive_mode_task(this)) + { + if (msg->get_exchange_type(msg) == INFORMATIONAL_V1) { - DBG1(DBG_IKE, "ignoring additional %N request, queue full", - exchange_type_names, TRANSACTION); - return SUCCESS; + return queue_message(this, msg); } - this->queued = message_create_from_packet(msg->get_packet(msg)); - if (this->queued->parse_header(this->queued) != SUCCESS) + else if (msg->get_exchange_type(msg) != AGGRESSIVE) { - this->queued->destroy(this->queued); - this->queued = NULL; + DBG1(DBG_IKE, "ignoring %N request while phase 1 is incomplete", + exchange_type_names, msg->get_exchange_type(msg)); return FAILED; } - DBG1(DBG_IKE, "queueing %N request as tasks still active", - exchange_type_names, TRANSACTION); - return SUCCESS; + } + + /* queue XAuth/Mode Config messages unless the Main Mode exchange we + * initiated is complete */ + if (msg->get_exchange_type(msg) == TRANSACTION && + this->active_tasks->get_count(this->active_tasks)) + { + return queue_message(this, msg); } msg->set_request(msg, TRUE); @@ -1724,6 +1802,8 @@ METHOD(task_manager_t, queue_dpd, void, pow(this->retransmit_base, retransmit)); } } + /* compensate for the already elapsed dpd delay */ + t -= 1000 * peer_cfg->get_dpd(peer_cfg); /* schedule DPD timeout job */ lib->scheduler->schedule_job_ms(lib->scheduler, diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.c b/src/libcharon/sa/ikev1/tasks/mode_config.c index d0994a961..a03477e18 100644 --- a/src/libcharon/sa/ikev1/tasks/mode_config.c +++ b/src/libcharon/sa/ikev1/tasks/mode_config.c @@ -482,7 +482,9 @@ static host_t *assign_migrated_vip(linked_list_t *migrated, host_t *requested) enumerator = migrated->create_enumerator(migrated); while (enumerator->enumerate(enumerator, &vip)) { - if (vip->ip_equals(vip, requested)) + if (vip->ip_equals(vip, requested) || + (requested->is_anyaddr(requested) && + requested->get_family(requested) == vip->get_family(vip))) { migrated->remove_at(migrated, enumerator); found = vip; diff --git a/src/libcharon/sa/ikev1/tasks/quick_delete.c b/src/libcharon/sa/ikev1/tasks/quick_delete.c index 1b95a8b11..ade59a2dd 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_delete.c +++ b/src/libcharon/sa/ikev1/tasks/quick_delete.c @@ -115,7 +115,7 @@ static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol, if (this->expired) { DBG0(DBG_IKE, "closing expired CHILD_SA %s{%d} " - "with SPIs %.8x_i %.8x_o and TS %#R=== %#R", + "with SPIs %.8x_i %.8x_o and TS %#R === %#R", child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa), ntohl(child_sa->get_spi(child_sa, TRUE)), ntohl(child_sa->get_spi(child_sa, FALSE)), my_ts, other_ts); @@ -126,7 +126,7 @@ static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol, child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out, NULL); DBG0(DBG_IKE, "closing CHILD_SA %s{%d} with SPIs " - "%.8x_i (%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R", + "%.8x_i (%llu bytes) %.8x_o (%llu bytes) and TS %#R === %#R", child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa), ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in, ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out, diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c index d6a3f2cd1..e7d26443b 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.c +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c @@ -388,7 +388,7 @@ static bool install(private_quick_mode_t *this) this->child_sa->create_ts_enumerator(this->child_sa, FALSE)); DBG0(DBG_IKE, "CHILD_SA %s{%d} established " - "with SPIs %.8x_i %.8x_o and TS %#R=== %#R", + "with SPIs %.8x_i %.8x_o and TS %#R === %#R", this->child_sa->get_name(this->child_sa), this->child_sa->get_unique_id(this->child_sa), ntohl(this->child_sa->get_spi(this->child_sa, TRUE)), @@ -1026,7 +1026,7 @@ METHOD(task_t, process_r, status_t, { if (this->mid && this->mid != message->get_message_id(message)) { /* not responsible for this quick mode exchange */ - return NEED_MORE; + return INVALID_ARG; } switch (this->state) @@ -1200,7 +1200,7 @@ METHOD(task_t, build_r, status_t, { if (this->mid && this->mid != message->get_message_id(message)) { /* not responsible for this quick mode exchange */ - return NEED_MORE; + return INVALID_ARG; } switch (this->state) diff --git a/src/libcharon/sa/ikev1/tasks/xauth.c b/src/libcharon/sa/ikev1/tasks/xauth.c index a770e90ff..c0c91574c 100644 --- a/src/libcharon/sa/ikev1/tasks/xauth.c +++ b/src/libcharon/sa/ikev1/tasks/xauth.c @@ -271,7 +271,10 @@ static bool add_auth_cfg(private_xauth_t *this, identification_t *id, bool local auth = auth_cfg_create(); auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_XAUTH); - auth->add(auth, AUTH_RULE_XAUTH_IDENTITY, id->clone(id)); + if (id) + { + auth->add(auth, AUTH_RULE_XAUTH_IDENTITY, id->clone(id)); + } auth->merge(auth, this->ike_sa->get_auth_cfg(this->ike_sa, local), FALSE); this->ike_sa->add_auth_cfg(this->ike_sa, local, auth); @@ -342,7 +345,10 @@ METHOD(task_t, build_i, status_t, break; case SUCCESS: DESTROY_IF(cp); - this->status = XAUTH_OK; + if (add_auth_cfg(this, NULL, FALSE) && allowed(this)) + { + this->status = XAUTH_OK; + } this->public.task.process = _process_i_status; return build_i_status(this, message); default: diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c index fce0840e3..55cb5dd9c 100644 --- a/src/libcharon/sa/ikev2/keymat_v2.c +++ b/src/libcharon/sa/ikev2/keymat_v2.c @@ -527,6 +527,7 @@ METHOD(keymat_v2_t, derive_child_keys, bool, case ENCR_AES_GCM_ICV12: case ENCR_AES_GCM_ICV16: case ENCR_AES_CTR: + case ENCR_CAMELLIA_CTR: case ENCR_NULL_AUTH_AES_GMAC: case ENCR_CHACHA20_POLY1305: enc_size += 4; diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c index e08f3dab1..97f73d851 100644 --- a/src/libcharon/sa/ikev2/tasks/child_create.c +++ b/src/libcharon/sa/ikev2/tasks/child_create.c @@ -712,7 +712,7 @@ static status_t select_and_install(private_child_create_t *this, this->child_sa->create_ts_enumerator(this->child_sa, FALSE)); DBG0(DBG_IKE, "CHILD_SA %s{%d} established " - "with SPIs %.8x_i %.8x_o and TS %#R=== %#R", + "with SPIs %.8x_i %.8x_o and TS %#R === %#R", this->child_sa->get_name(this->child_sa), this->child_sa->get_unique_id(this->child_sa), ntohl(this->child_sa->get_spi(this->child_sa, TRUE)), @@ -1245,7 +1245,7 @@ METHOD(task_t, build_r, status_t, } if (this->config == NULL) { - DBG1(DBG_IKE, "traffic selectors %#R=== %#R inacceptable", + DBG1(DBG_IKE, "traffic selectors %#R === %#R inacceptable", this->tsr, this->tsi); charon->bus->alert(charon->bus, ALERT_TS_MISMATCH, this->tsi, this->tsr); message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty); diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c index f0b11e291..877ae0531 100644 --- a/src/libcharon/sa/ikev2/tasks/child_delete.c +++ b/src/libcharon/sa/ikev2/tasks/child_delete.c @@ -266,7 +266,7 @@ static void log_children(private_child_delete_t *this) if (this->expired) { DBG0(DBG_IKE, "closing expired CHILD_SA %s{%d} " - "with SPIs %.8x_i %.8x_o and TS %#R=== %#R", + "with SPIs %.8x_i %.8x_o and TS %#R === %#R", child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa), ntohl(child_sa->get_spi(child_sa, TRUE)), ntohl(child_sa->get_spi(child_sa, FALSE)), my_ts, other_ts); @@ -277,7 +277,7 @@ static void log_children(private_child_delete_t *this) child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out, NULL); DBG0(DBG_IKE, "closing CHILD_SA %s{%d} with SPIs %.8x_i " - "(%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R", + "(%llu bytes) %.8x_o (%llu bytes) and TS %#R === %#R", child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa), ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in, ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out, diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.c b/src/libcharon/sa/ikev2/tasks/ike_mobike.c index 11b0bb281..cbdc5e797 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_mobike.c +++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.c @@ -339,7 +339,11 @@ METHOD(ike_mobike_t, transmit, bool, { if (me->ip_equals(me, me_old)) { - charon->sender->send(charon->sender, packet->clone(packet)); + copy = packet->clone(packet); + /* hosts might have been updated by a peer's MOBIKE exchange */ + copy->set_source(copy, me_old->clone(me_old)); + copy->set_destination(copy, other_old->clone(other_old)); + charon->sender->send(charon->sender, copy); me->destroy(me); return TRUE; } diff --git a/src/libcharon/sa/ikev2/tasks/ike_natd.c b/src/libcharon/sa/ikev2/tasks/ike_natd.c index 9e0eb68ce..dd34c1234 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_natd.c +++ b/src/libcharon/sa/ikev2/tasks/ike_natd.c @@ -128,25 +128,6 @@ static chunk_t generate_natd_hash(private_ike_natd_t *this, return natd_hash; } -/** - * build a faked NATD payload to enforce UDP encap - */ -static chunk_t generate_natd_hash_faked(private_ike_natd_t *this) -{ - rng_t *rng; - chunk_t chunk; - - rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); - if (!rng || !rng->allocate_bytes(rng, HASH_SIZE_SHA1, &chunk)) - { - DBG1(DBG_IKE, "unable to get random bytes for NATD fake"); - DESTROY_IF(rng); - return chunk_empty; - } - rng->destroy(rng); - return chunk; -} - /** * Build a NAT detection notify payload. */ @@ -162,7 +143,14 @@ static notify_payload_t *build_natd_payload(private_ike_natd_t *this, config = this->ike_sa->get_ike_cfg(this->ike_sa); if (force_encap(config) && type == NAT_DETECTION_SOURCE_IP) { - hash = generate_natd_hash_faked(this); + u_int32_t addr; + + /* chunk_hash() is randomly keyed so this produces a random IPv4 address + * that changes with every restart but otherwise stays the same */ + addr = chunk_hash(chunk_from_chars(0x00, 0x00, 0x00, 0x00)); + host = host_create_from_chunk(AF_INET, chunk_from_thing(addr), 0); + hash = generate_natd_hash(this, ike_sa_id, host); + host->destroy(host); } else { diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c index 1a984435c..5231994c8 100644 --- a/src/libcharon/sa/shunt_manager.c +++ b/src/libcharon/sa/shunt_manager.c @@ -63,9 +63,9 @@ struct private_shunt_manager_t { static bool install_shunt_policy(child_cfg_t *child) { enumerator_t *e_my_ts, *e_other_ts; - linked_list_t *my_ts_list, *other_ts_list; + linked_list_t *my_ts_list, *other_ts_list, *hosts; traffic_selector_t *my_ts, *other_ts; - host_t *host_any; + host_t *host_any, *host_any6; policy_type_t policy_type; policy_priority_t policy_prio; status_t status = SUCCESS; @@ -85,9 +85,13 @@ static bool install_shunt_policy(child_cfg_t *child) return FALSE; } - my_ts_list = child->get_traffic_selectors(child, TRUE, NULL, NULL); - other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, NULL); host_any = host_create_any(AF_INET); + host_any6 = host_create_any(AF_INET6); + + hosts = linked_list_create_with_items(host_any, host_any6, NULL); + my_ts_list = child->get_traffic_selectors(child, TRUE, NULL, hosts); + other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, hosts); + hosts->destroy(hosts); /* enumerate pairs of traffic selectors */ e_my_ts = my_ts_list->create_enumerator(my_ts_list); @@ -96,6 +100,16 @@ static bool install_shunt_policy(child_cfg_t *child) e_other_ts = other_ts_list->create_enumerator(other_ts_list); while (e_other_ts->enumerate(e_other_ts, &other_ts)) { + if (my_ts->get_type(my_ts) != other_ts->get_type(other_ts)) + { + continue; + } + if (my_ts->get_protocol(my_ts) && + other_ts->get_protocol(other_ts) && + my_ts->get_protocol(my_ts) != other_ts->get_protocol(other_ts)) + { + continue; + } /* install out policy */ status |= hydra->kernel_interface->add_policy( hydra->kernel_interface, host_any, host_any, @@ -125,6 +139,7 @@ static bool install_shunt_policy(child_cfg_t *child) offsetof(traffic_selector_t, destroy)); other_ts_list->destroy_offset(other_ts_list, offsetof(traffic_selector_t, destroy)); + host_any6->destroy(host_any6); host_any->destroy(host_any); return status == SUCCESS; @@ -185,25 +200,35 @@ METHOD(shunt_manager_t, install, bool, static void uninstall_shunt_policy(child_cfg_t *child) { enumerator_t *e_my_ts, *e_other_ts; - linked_list_t *my_ts_list, *other_ts_list; + linked_list_t *my_ts_list, *other_ts_list, *hosts; traffic_selector_t *my_ts, *other_ts; + host_t *host_any, *host_any6; + policy_type_t policy_type; policy_priority_t policy_prio; status_t status = SUCCESS; + ipsec_sa_cfg_t sa = { .mode = MODE_TRANSPORT }; switch (child->get_mode(child)) { case MODE_PASS: + policy_type = POLICY_PASS; policy_prio = POLICY_PRIORITY_PASS; break; case MODE_DROP: + policy_type = POLICY_DROP; policy_prio = POLICY_PRIORITY_FALLBACK; break; default: return; } - my_ts_list = child->get_traffic_selectors(child, TRUE, NULL, NULL); - other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, NULL); + host_any = host_create_any(AF_INET); + host_any6 = host_create_any(AF_INET6); + + hosts = linked_list_create_with_items(host_any, host_any6, NULL); + my_ts_list = child->get_traffic_selectors(child, TRUE, NULL, hosts); + other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, hosts); + hosts->destroy(hosts); /* enumerate pairs of traffic selectors */ e_my_ts = my_ts_list->create_enumerator(my_ts_list); @@ -212,22 +237,35 @@ static void uninstall_shunt_policy(child_cfg_t *child) e_other_ts = other_ts_list->create_enumerator(other_ts_list); while (e_other_ts->enumerate(e_other_ts, &other_ts)) { + if (my_ts->get_type(my_ts) != other_ts->get_type(other_ts)) + { + continue; + } + if (my_ts->get_protocol(my_ts) && + other_ts->get_protocol(other_ts) && + my_ts->get_protocol(my_ts) != other_ts->get_protocol(other_ts)) + { + continue; + } /* uninstall out policy */ status |= hydra->kernel_interface->del_policy( - hydra->kernel_interface, my_ts, other_ts, - POLICY_OUT, 0, child->get_mark(child, FALSE), + hydra->kernel_interface, host_any, host_any, + my_ts, other_ts, POLICY_OUT, policy_type, + &sa, child->get_mark(child, FALSE), policy_prio); /* uninstall in policy */ status |= hydra->kernel_interface->del_policy( - hydra->kernel_interface, other_ts, my_ts, - POLICY_IN, 0, child->get_mark(child, TRUE), + hydra->kernel_interface, host_any, host_any, + other_ts, my_ts, POLICY_IN, policy_type, + &sa, child->get_mark(child, TRUE), policy_prio); /* uninstall forward policy */ status |= hydra->kernel_interface->del_policy( - hydra->kernel_interface, other_ts, my_ts, - POLICY_FWD, 0, child->get_mark(child, TRUE), + hydra->kernel_interface, host_any, host_any, + other_ts, my_ts, POLICY_FWD, policy_type, + &sa, child->get_mark(child, TRUE), policy_prio); } e_other_ts->destroy(e_other_ts); @@ -238,6 +276,8 @@ static void uninstall_shunt_policy(child_cfg_t *child) offsetof(traffic_selector_t, destroy)); other_ts_list->destroy_offset(other_ts_list, offsetof(traffic_selector_t, destroy)); + host_any6->destroy(host_any6); + host_any->destroy(host_any); if (status != SUCCESS) { diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c index 63505c960..90ad7e40e 100644 --- a/src/libcharon/sa/trap_manager.c +++ b/src/libcharon/sa/trap_manager.c @@ -211,6 +211,7 @@ METHOD(trap_manager_t, install, u_int32_t, if (this->installing == INSTALL_DISABLED) { /* flush() has been called */ this->lock->unlock(this->lock); + other->destroy(other); me->destroy(me); return 0; } @@ -235,6 +236,7 @@ METHOD(trap_manager_t, install, u_int32_t, { DBG1(DBG_CFG, "CHILD_SA '%s' is already being routed", found->name); this->lock->unlock(this->lock); + other->destroy(other); me->destroy(me); return 0; } diff --git a/src/libfast/fast_dispatcher.c b/src/libfast/fast_dispatcher.c index 4daf91905..b4c6ce3a6 100644 --- a/src/libfast/fast_dispatcher.c +++ b/src/libfast/fast_dispatcher.c @@ -383,14 +383,13 @@ METHOD(fast_dispatcher_t, waitsignal, void, private_fast_dispatcher_t *this) { sigset_t set; - int sig; sigemptyset(&set); sigaddset(&set, SIGINT); sigaddset(&set, SIGTERM); sigaddset(&set, SIGHUP); sigprocmask(SIG_BLOCK, &set, NULL); - sigwait(&set, &sig); + sigwaitinfo(&set, NULL); } METHOD(fast_dispatcher_t, destroy, void, diff --git a/src/libhydra/Android.mk b/src/libhydra/Android.mk index af39f04ec..7b62e9529 100644 --- a/src/libhydra/Android.mk +++ b/src/libhydra/Android.mk @@ -20,7 +20,6 @@ LOCAL_SRC_FILES += $(call add_plugin, kernel-netlink) # build libhydra --------------------------------------------------------------- LOCAL_C_INCLUDES += \ - $(strongswan_PATH)/src/include \ $(strongswan_PATH)/src/libstrongswan LOCAL_CFLAGS := $(strongswan_CFLAGS) diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c index ce31bd410..89e95ade9 100644 --- a/src/libhydra/kernel/kernel_interface.c +++ b/src/libhydra/kernel/kernel_interface.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2013 Tobias Brunner + * Copyright (C) 2008-2015 Tobias Brunner * Hochschule fuer Technik Rapperswil * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG @@ -509,16 +509,17 @@ METHOD(kernel_interface_t, query_policy, status_t, } METHOD(kernel_interface_t, del_policy, status_t, - private_kernel_interface_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid, + private_kernel_interface_t *this, host_t *src, host_t *dst, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, + policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark, policy_priority_t priority) { if (!this->ipsec) { return NOT_SUPPORTED; } - return this->ipsec->del_policy(this->ipsec, src_ts, dst_ts, - direction, reqid, mark, priority); + return this->ipsec->del_policy(this->ipsec, src, dst, src_ts, dst_ts, + direction, type, sa, mark, priority); } METHOD(kernel_interface_t, flush_policies, status_t, @@ -738,44 +739,52 @@ METHOD(kernel_interface_t, get_address_by_ts, status_t, } -METHOD(kernel_interface_t, add_ipsec_interface, void, +METHOD(kernel_interface_t, add_ipsec_interface, bool, private_kernel_interface_t *this, kernel_ipsec_constructor_t constructor) { if (!this->ipsec) { this->ipsec_constructor = constructor; this->ipsec = constructor(); + return this->ipsec != NULL; } + return FALSE; } -METHOD(kernel_interface_t, remove_ipsec_interface, void, +METHOD(kernel_interface_t, remove_ipsec_interface, bool, private_kernel_interface_t *this, kernel_ipsec_constructor_t constructor) { if (constructor == this->ipsec_constructor && this->ipsec) { this->ipsec->destroy(this->ipsec); this->ipsec = NULL; + return TRUE; } + return FALSE; } -METHOD(kernel_interface_t, add_net_interface, void, +METHOD(kernel_interface_t, add_net_interface, bool, private_kernel_interface_t *this, kernel_net_constructor_t constructor) { if (!this->net) { this->net_constructor = constructor; this->net = constructor(); + return this->net != NULL; } + return FALSE; } -METHOD(kernel_interface_t, remove_net_interface, void, +METHOD(kernel_interface_t, remove_net_interface, bool, private_kernel_interface_t *this, kernel_net_constructor_t constructor) { if (constructor == this->net_constructor && this->net) { this->net->destroy(this->net); this->net = NULL; + return TRUE; } + return FALSE; } METHOD(kernel_interface_t, add_listener, void, diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h index 96ce9e26d..45efe8946 100644 --- a/src/libhydra/kernel/kernel_interface.h +++ b/src/libhydra/kernel/kernel_interface.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2013 Tobias Brunner + * Copyright (C) 2006-2015 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -265,9 +265,6 @@ struct kernel_interface_t { /** * Add a policy to the SPD. * - * A policy is always associated to an SA. Traffic which matches a - * policy is handled by the SA with the same reqid. - * * @param src source address of SA * @param dst dest address of SA * @param src_ts traffic selector to match traffic source @@ -309,24 +306,24 @@ struct kernel_interface_t { /** * Remove a policy from the SPD. * - * The kernel interface implements reference counting for policies. - * If the same policy is installed multiple times (in the case of rekeying), - * the reference counter is increased. del_policy() decreases the ref counter - * and removes the policy only when no more references are available. - * + * @param src source address of SA + * @param dst dest address of SA * @param src_ts traffic selector to match traffic source * @param dst_ts traffic selector to match traffic dest * @param direction direction of traffic, POLICY_(IN|OUT|FWD) - * @param reqid unique ID of the associated SA - * @param mark optional mark + * @param type type of policy, POLICY_(IPSEC|PASS|DROP) + * @param sa details about the SA(s) tied to this policy + * @param mark mark for this policy * @param priority priority of the policy * @return SUCCESS if operation completed */ status_t (*del_policy) (kernel_interface_t *this, + host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t reqid, - mark_t mark, policy_priority_t priority); + policy_dir_t direction, policy_type_t type, + ipsec_sa_cfg_t *sa, mark_t mark, + policy_priority_t priority); /** * Flush all policies from the SPD. @@ -502,39 +499,49 @@ struct kernel_interface_t { /** * Register an ipsec kernel interface constructor on the manager. * - * @param create constructor to register + * @param create constructor to register + * @return TRUE if the ipsec kernel interface was registered + * successfully, FALSE if an interface was already + * registered or the registration failed */ - void (*add_ipsec_interface)(kernel_interface_t *this, + bool (*add_ipsec_interface)(kernel_interface_t *this, kernel_ipsec_constructor_t create); /** * Unregister an ipsec kernel interface constructor. * - * @param create constructor to unregister + * @param create constructor to unregister + * @return TRUE if the ipsec kernel interface was unregistered + * successfully, FALSE otherwise */ - void (*remove_ipsec_interface)(kernel_interface_t *this, + bool (*remove_ipsec_interface)(kernel_interface_t *this, kernel_ipsec_constructor_t create); /** * Register a network kernel interface constructor on the manager. * - * @param create constructor to register + * @param create constructor to register + * @return TRUE if the kernel net interface was registered + * successfully, FALSE if an interface was already + * registered or the registration failed */ - void (*add_net_interface)(kernel_interface_t *this, + bool (*add_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create); /** * Unregister a network kernel interface constructor. * - * @param create constructor to unregister + * @param create constructor to unregister + * @return TRUE if the kernel net interface was unregistered + * successfully, FALSE otherwise */ - void (*remove_net_interface)(kernel_interface_t *this, + bool (*remove_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create); /** * Add a listener to the kernel interface. * - * @param listener listener to add + * @param listener listener to add */ void (*add_listener)(kernel_interface_t *this, kernel_listener_t *listener); @@ -542,7 +549,7 @@ struct kernel_interface_t { /** * Remove a listener from the kernel interface. * - * @param listener listener to remove + * @param listener listener to remove */ void (*remove_listener)(kernel_interface_t *this, kernel_listener_t *listener); diff --git a/src/libhydra/kernel/kernel_ipsec.c b/src/libhydra/kernel/kernel_ipsec.c index 1a32ab4e7..697b1b33d 100644 --- a/src/libhydra/kernel/kernel_ipsec.c +++ b/src/libhydra/kernel/kernel_ipsec.c @@ -25,13 +25,14 @@ bool kernel_ipsec_register(plugin_t *plugin, plugin_feature_t *feature, { if (reg) { - hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface, + return hydra->kernel_interface->add_ipsec_interface( + hydra->kernel_interface, (kernel_ipsec_constructor_t)data); } else { - hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface, + return hydra->kernel_interface->remove_ipsec_interface( + hydra->kernel_interface, (kernel_ipsec_constructor_t)data); } - return TRUE; } diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h index 19caaa400..2458db5b9 100644 --- a/src/libhydra/kernel/kernel_ipsec.h +++ b/src/libhydra/kernel/kernel_ipsec.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2012 Tobias Brunner + * Copyright (C) 2006-2015 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -186,9 +186,6 @@ struct kernel_ipsec_t { /** * Add a policy to the SPD. * - * A policy is always associated to an SA. Traffic which matches a - * policy is handled by the SA with the same reqid. - * * @param src source address of SA * @param dst dest address of SA * @param src_ts traffic selector to match traffic source @@ -231,24 +228,24 @@ struct kernel_ipsec_t { /** * Remove a policy from the SPD. * - * The kernel interface implements reference counting for policies. - * If the same policy is installed multiple times (in the case of rekeying), - * the reference counter is increased. del_policy() decreases the ref counter - * and removes the policy only when no more references are available. - * + * @param src source address of SA + * @param dst dest address of SA * @param src_ts traffic selector to match traffic source * @param dst_ts traffic selector to match traffic dest * @param direction direction of traffic, POLICY_(IN|OUT|FWD) - * @param reqid unique ID of the associated SA - * @param mark optional mark + * @param type type of policy, POLICY_(IPSEC|PASS|DROP) + * @param sa details about the SA(s) tied to this policy + * @param mark mark for this policy * @param priority priority of the policy * @return SUCCESS if operation completed */ status_t (*del_policy) (kernel_ipsec_t *this, + host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t reqid, - mark_t mark, policy_priority_t priority); + policy_dir_t direction, policy_type_t type, + ipsec_sa_cfg_t *sa, mark_t mark, + policy_priority_t priority); /** * Flush all policies from the SPD. diff --git a/src/libhydra/kernel/kernel_net.c b/src/libhydra/kernel/kernel_net.c index 0841ed803..07d8b2999 100644 --- a/src/libhydra/kernel/kernel_net.c +++ b/src/libhydra/kernel/kernel_net.c @@ -25,13 +25,14 @@ bool kernel_net_register(plugin_t *plugin, plugin_feature_t *feature, { if (reg) { - hydra->kernel_interface->add_net_interface(hydra->kernel_interface, + return hydra->kernel_interface->add_net_interface( + hydra->kernel_interface, (kernel_net_constructor_t)data); } else { - hydra->kernel_interface->remove_net_interface(hydra->kernel_interface, + return hydra->kernel_interface->remove_net_interface( + hydra->kernel_interface, (kernel_net_constructor_t)data); } - return TRUE; } diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c index 605476ef1..8c506d9f4 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2013 Tobias Brunner + * Copyright (C) 2006-2015 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2008 Andreas Steffen * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser @@ -317,11 +317,6 @@ struct private_kernel_netlink_ipsec_t { */ bool proto_port_transport; - /** - * Whether to track the history of a policy - */ - bool policy_history; - /** * Whether to always use UPDATE to install policies */ @@ -2140,7 +2135,7 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this, { continue; } - tmpl->reqid = policy->reqid; + tmpl->reqid = ipsec->cfg.reqid; tmpl->id.proto = protos[i].proto; tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0; tmpl->mode = mode2kernel(proto_mode); @@ -2322,7 +2317,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t, current = this->policies->get(this->policies, policy); if (current) { - if (current->reqid != sa->reqid) + if (current->reqid && sa->reqid && current->reqid != sa->reqid) { DBG1(DBG_CFG, "unable to install policy %R === %R %N (mark " "%u/0x%08x) for reqid %u, the same policy for reqid %u exists", @@ -2352,26 +2347,19 @@ METHOD(kernel_ipsec_t, add_policy, status_t, dst_ts, mark, sa); assigned_sa->priority = get_priority(policy, priority); - if (this->policy_history) - { /* insert the SA according to its priority */ - enumerator = policy->used_by->create_enumerator(policy->used_by); - while (enumerator->enumerate(enumerator, (void**)¤t_sa)) + /* insert the SA according to its priority */ + enumerator = policy->used_by->create_enumerator(policy->used_by); + while (enumerator->enumerate(enumerator, (void**)¤t_sa)) + { + if (current_sa->priority >= assigned_sa->priority) { - if (current_sa->priority >= assigned_sa->priority) - { - break; - } - update = FALSE; + break; } - policy->used_by->insert_before(policy->used_by, enumerator, - assigned_sa); - enumerator->destroy(enumerator); - } - else - { /* simply insert it last and only update if it is not installed yet */ - policy->used_by->insert_last(policy->used_by, assigned_sa); - update = !found; + update = FALSE; } + policy->used_by->insert_before(policy->used_by, enumerator, + assigned_sa); + enumerator->destroy(enumerator); if (!update) { /* we don't update the policy if the priority is lower than that of @@ -2482,8 +2470,9 @@ METHOD(kernel_ipsec_t, query_policy, status_t, } METHOD(kernel_ipsec_t, del_policy, status_t, - private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid, + private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, + policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark, policy_priority_t prio) { policy_entry_t *current, policy; @@ -2494,6 +2483,12 @@ METHOD(kernel_ipsec_t, del_policy, status_t, struct xfrm_userpolicy_id *policy_id; bool is_installed = TRUE; u_int32_t priority; + ipsec_sa_t assigned_sa = { + .src = src, + .dst = dst, + .mark = mark, + .cfg = *sa, + }; DBG2(DBG_KNL, "deleting policy %R === %R %N (mark %u/0x%08x)", src_ts, dst_ts, policy_dir_names, direction, @@ -2508,7 +2503,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t, /* find the policy */ this->mutex->lock(this->mutex); current = this->policies->get(this->policies, &policy); - if (!current || current->reqid != reqid) + if (!current) { if (mark.value) { @@ -2525,28 +2520,21 @@ METHOD(kernel_ipsec_t, del_policy, status_t, return NOT_FOUND; } - if (this->policy_history) - { /* remove mapping to SA by reqid and priority */ - priority = get_priority(current, prio); - enumerator = current->used_by->create_enumerator(current->used_by); - while (enumerator->enumerate(enumerator, (void**)&mapping)) + /* remove mapping to SA by reqid and priority */ + priority = get_priority(current, prio); + enumerator = current->used_by->create_enumerator(current->used_by); + while (enumerator->enumerate(enumerator, (void**)&mapping)) + { + if (priority == mapping->priority && type == mapping->type && + ipsec_sa_equals(mapping->sa, &assigned_sa)) { - if (priority == mapping->priority) - { - current->used_by->remove_at(current->used_by, enumerator); - policy_sa_destroy(mapping, &direction, this); - break; - } - is_installed = FALSE; + current->used_by->remove_at(current->used_by, enumerator); + policy_sa_destroy(mapping, &direction, this); + break; } - enumerator->destroy(enumerator); - } - else - { /* remove one of the SAs but don't update the policy */ - current->used_by->remove_last(current->used_by, (void**)&mapping); - policy_sa_destroy(mapping, &direction, this); is_installed = FALSE; } + enumerator->destroy(enumerator); if (current->used_by->get_count(current->used_by) > 0) { /* policy is used by more SAs, keep in kernel */ @@ -2915,7 +2903,6 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() (hashtable_equals_t)ipsec_sa_equals, 32), .bypass = array_create(sizeof(bypass_t), 0), .mutex = mutex_create(MUTEX_TYPE_DEFAULT), - .policy_history = TRUE, .policy_update = lib->settings->get_bool(lib->settings, "%s.plugins.kernel-netlink.policy_update", FALSE, lib->ns), .install_routes = lib->settings->get_bool(lib->settings, diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index 5027e1759..c67366b86 100644 --- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2012 Tobias Brunner + * Copyright (C) 2008-2015 Tobias Brunner * Copyright (C) 2008 Andreas Steffen * Hochschule fuer Technik Rapperswil * @@ -843,7 +843,9 @@ static kernel_algorithm_t encryption_algs[] = { /* {ENCR_DES_IV32, 0 }, */ {ENCR_NULL, SADB_EALG_NULL }, {ENCR_AES_CBC, SADB_X_EALG_AESCBC }, -/* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */ +#ifdef SADB_X_EALG_AESCTR + {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, +#endif /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */ /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */ /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */ @@ -2689,8 +2691,9 @@ METHOD(kernel_ipsec_t, query_policy, status_t, } METHOD(kernel_ipsec_t, del_policy, status_t, - private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid, + private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, + policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark, policy_priority_t prio) { unsigned char request[PFKEY_BUFFER_SIZE]; @@ -2702,6 +2705,11 @@ METHOD(kernel_ipsec_t, del_policy, status_t, bool first = TRUE, is_installed = TRUE; u_int32_t priority; size_t len; + ipsec_sa_t assigned_sa = { + .src = src, + .dst = dst, + .cfg = *sa, + }; if (dir2kernel(direction) == IPSEC_DIR_INVALID) { /* FWD policies are not supported on all platforms */ @@ -2735,7 +2743,8 @@ METHOD(kernel_ipsec_t, del_policy, status_t, enumerator = policy->used_by->create_enumerator(policy->used_by); while (enumerator->enumerate(enumerator, (void**)&mapping)) { - if (reqid == mapping->sa->cfg.reqid && priority == mapping->priority) + if (priority == mapping->priority && + ipsec_sa_equals(mapping->sa, &assigned_sa)) { to_remove = mapping; is_installed = first; diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql index ff6191117..9162e3f87 100644 --- a/src/libimcv/imv/data.sql +++ b/src/libimcv/imv/data.sql @@ -388,6 +388,30 @@ INSERT INTO products ( /* 65 */ 'Debian 7.8 armv7l' ); +INSERT INTO products ( /* 66 */ + name +) VALUES ( + 'Debian 7.9 i686' +); + +INSERT INTO products ( /* 67 */ + name +) VALUES ( + 'Debian 7.9 x86_64' +); + +INSERT INTO products ( /* 68 */ + name +) VALUES ( + 'Debian 7.9 armv6l' +); + +INSERT INTO products ( /* 69 */ + name +) VALUES ( + 'Debian 7.9 armv7l' +); + /* Directories */ INSERT INTO directories ( /* 1 */ @@ -886,6 +910,12 @@ INSERT INTO groups_product_defaults ( 4, 58 ); +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 66 +); + INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( @@ -952,6 +982,12 @@ INSERT INTO groups_product_defaults ( 5, 59 ); +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 5, 67 +); + INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( @@ -1198,12 +1234,24 @@ INSERT INTO groups_product_defaults ( 14, 60 ); +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 14, 68 +); + INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( 15, 65 ); +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 15, 69 +); + /* Policies */ INSERT INTO policies ( /* 1 */ diff --git a/src/libipsec/Android.mk b/src/libipsec/Android.mk index c5d987977..dffed94f0 100644 --- a/src/libipsec/Android.mk +++ b/src/libipsec/Android.mk @@ -20,7 +20,6 @@ LOCAL_SRC_FILES := $(filter %.c,$(libipsec_la_SOURCES)) # build libipsec --------------------------------------------------------------- LOCAL_C_INCLUDES += \ - $(strongswan_PATH)/src/include \ $(strongswan_PATH)/src/libstrongswan LOCAL_CFLAGS := $(strongswan_CFLAGS) diff --git a/src/libipsec/esp_context.c b/src/libipsec/esp_context.c index b742d1576..2b003e390 100644 --- a/src/libipsec/esp_context.c +++ b/src/libipsec/esp_context.c @@ -247,7 +247,19 @@ static bool create_traditional(private_esp_context_t *this, int enc_alg, signer_t *signer = NULL; iv_gen_t *ivg; - crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_key.len); + switch (enc_alg) + { + case ENCR_AES_CTR: + case ENCR_CAMELLIA_CTR: + /* the key includes a 4 byte salt */ + crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, + enc_key.len - 4); + break; + default: + crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, + enc_key.len); + break; + } if (!crypter) { DBG1(DBG_ESP, "failed to create ESP context: unsupported encryption " diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk index d019d96e1..db3da8e15 100644 --- a/src/libstrongswan/Android.mk +++ b/src/libstrongswan/Android.mk @@ -15,6 +15,7 @@ crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \ crypto/signers/mac_signer.c crypto/crypto_factory.c crypto/crypto_tester.c \ crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \ crypto/iv/iv_gen.c crypto/iv/iv_gen_rand.c crypto/iv/iv_gen_seq.c \ +crypto/iv/iv_gen_null.c \ crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \ credentials/credential_factory.c credentials/builder.c \ credentials/cred_encoding.c credentials/keys/private_key.c \ @@ -116,8 +117,7 @@ LOCAL_SRC_FILES += $(call add_plugin, xcbc) # build libstrongswan ---------------------------------------------------------- -LOCAL_CFLAGS := $(strongswan_CFLAGS) \ - -include $(LOCAL_PATH)/AndroidConfigLocal.h +LOCAL_CFLAGS := $(strongswan_CFLAGS) LOCAL_MODULE := libstrongswan diff --git a/src/libstrongswan/AndroidConfigLocal.h b/src/libstrongswan/AndroidConfigLocal.h deleted file mode 100644 index ae0e60633..000000000 --- a/src/libstrongswan/AndroidConfigLocal.h +++ /dev/null @@ -1,22 +0,0 @@ -/* - * Copyright (C) 2010 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/* stuff defined in AndroidConfig.h, which is included using the -include - * command-line option, thus cannot be undefined using -U CFLAGS options. - * the reason we have to undefine these flags in the first place, is that - * AndroidConfig.h defines them as 0, which in turn means that they are - * actually defined. */ - -#undef HAVE_BACKTRACE diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index adf3687ae..ed3b85dd4 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -13,6 +13,7 @@ crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \ crypto/signers/mac_signer.c crypto/crypto_factory.c crypto/crypto_tester.c \ crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \ crypto/iv/iv_gen.c crypto/iv/iv_gen_rand.c crypto/iv/iv_gen_seq.c \ +crypto/iv/iv_gen_null.c \ crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \ credentials/credential_factory.c credentials/builder.c \ credentials/cred_encoding.c credentials/keys/private_key.c \ @@ -72,7 +73,7 @@ crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \ crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \ crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \ crypto/aead.h crypto/transform.h crypto/pkcs5.h crypto/iv/iv_gen.h \ -crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h \ +crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h crypto/iv/iv_gen_null.h \ crypto/mgf1/mgf1.h crypto/mgf1/mgf1_bitspender.h \ credentials/credential_factory.h credentials/builder.h \ credentials/cred_encoding.h credentials/keys/private_key.h \ @@ -109,7 +110,7 @@ utils/lexparser.h utils/optionsfrom.h utils/capabilities.h utils/backtrace.h \ utils/cpu_feature.h utils/leak_detective.h utils/printf_hook/printf_hook.h \ utils/printf_hook/printf_hook_vstr.h utils/printf_hook/printf_hook_builtin.h \ utils/parser_helper.h utils/test.h utils/integrity_checker.h utils/process.h \ -utils/utils/strerror.h utils/compat/windows.h utils/compat/apple.h \ +utils/utils/strerror.h utils/compat/windows.h utils/compat/apple.h utils/compat/android.h \ utils/utils/atomics.h utils/utils/types.h utils/utils/byteorder.h \ utils/utils/string.h utils/utils/memory.h utils/utils/tty.h utils/utils/path.h \ utils/utils/status.h utils/utils/object.h utils/utils/time.h utils/utils/align.h @@ -190,7 +191,7 @@ endif EXTRA_DIST = \ asn1/oid.txt asn1/oid.pl \ crypto/proposal/proposal_keywords_static.txt \ -Android.mk AndroidConfigLocal.h +Android.mk BUILT_SOURCES = \ $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \ @@ -288,6 +289,13 @@ if MONOLITHIC endif endif +if USE_SHA3 + SUBDIRS += plugins/sha3 +if MONOLITHIC + libstrongswan_la_LIBADD += plugins/sha3/libstrongswan-sha3.la +endif +endif + if USE_GMP SUBDIRS += plugins/gmp if MONOLITHIC diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in index 9598c8b51..284960f5c 100644 --- a/src/libstrongswan/Makefile.in +++ b/src/libstrongswan/Makefile.in @@ -131,93 +131,95 @@ host_triplet = @host@ @MONOLITHIC_TRUE@@USE_SHA1_TRUE@am__append_33 = plugins/sha1/libstrongswan-sha1.la @USE_SHA2_TRUE@am__append_34 = plugins/sha2 @MONOLITHIC_TRUE@@USE_SHA2_TRUE@am__append_35 = plugins/sha2/libstrongswan-sha2.la -@USE_GMP_TRUE@am__append_36 = plugins/gmp -@MONOLITHIC_TRUE@@USE_GMP_TRUE@am__append_37 = plugins/gmp/libstrongswan-gmp.la -@USE_RDRAND_TRUE@am__append_38 = plugins/rdrand -@MONOLITHIC_TRUE@@USE_RDRAND_TRUE@am__append_39 = plugins/rdrand/libstrongswan-rdrand.la -@USE_AESNI_TRUE@am__append_40 = plugins/aesni -@MONOLITHIC_TRUE@@USE_AESNI_TRUE@am__append_41 = plugins/aesni/libstrongswan-aesni.la -@USE_RANDOM_TRUE@am__append_42 = plugins/random -@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_43 = plugins/random/libstrongswan-random.la -@USE_NONCE_TRUE@am__append_44 = plugins/nonce -@MONOLITHIC_TRUE@@USE_NONCE_TRUE@am__append_45 = plugins/nonce/libstrongswan-nonce.la -@USE_HMAC_TRUE@am__append_46 = plugins/hmac -@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_47 = plugins/hmac/libstrongswan-hmac.la -@USE_CMAC_TRUE@am__append_48 = plugins/cmac -@MONOLITHIC_TRUE@@USE_CMAC_TRUE@am__append_49 = plugins/cmac/libstrongswan-cmac.la -@USE_XCBC_TRUE@am__append_50 = plugins/xcbc -@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_51 = plugins/xcbc/libstrongswan-xcbc.la -@USE_X509_TRUE@am__append_52 = plugins/x509 -@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_53 = plugins/x509/libstrongswan-x509.la -@USE_REVOCATION_TRUE@am__append_54 = plugins/revocation -@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_55 = plugins/revocation/libstrongswan-revocation.la -@USE_CONSTRAINTS_TRUE@am__append_56 = plugins/constraints -@MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE@am__append_57 = plugins/constraints/libstrongswan-constraints.la -@USE_ACERT_TRUE@am__append_58 = plugins/acert -@MONOLITHIC_TRUE@@USE_ACERT_TRUE@am__append_59 = plugins/acert/libstrongswan-acert.la -@USE_PUBKEY_TRUE@am__append_60 = plugins/pubkey -@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_61 = plugins/pubkey/libstrongswan-pubkey.la -@USE_PKCS1_TRUE@am__append_62 = plugins/pkcs1 -@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_63 = plugins/pkcs1/libstrongswan-pkcs1.la -@USE_PKCS7_TRUE@am__append_64 = plugins/pkcs7 -@MONOLITHIC_TRUE@@USE_PKCS7_TRUE@am__append_65 = plugins/pkcs7/libstrongswan-pkcs7.la -@USE_PKCS8_TRUE@am__append_66 = plugins/pkcs8 -@MONOLITHIC_TRUE@@USE_PKCS8_TRUE@am__append_67 = plugins/pkcs8/libstrongswan-pkcs8.la -@USE_PKCS12_TRUE@am__append_68 = plugins/pkcs12 -@MONOLITHIC_TRUE@@USE_PKCS12_TRUE@am__append_69 = plugins/pkcs12/libstrongswan-pkcs12.la -@USE_PGP_TRUE@am__append_70 = plugins/pgp -@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_71 = plugins/pgp/libstrongswan-pgp.la -@USE_DNSKEY_TRUE@am__append_72 = plugins/dnskey -@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_73 = plugins/dnskey/libstrongswan-dnskey.la -@USE_SSHKEY_TRUE@am__append_74 = plugins/sshkey -@MONOLITHIC_TRUE@@USE_SSHKEY_TRUE@am__append_75 = plugins/sshkey/libstrongswan-sshkey.la -@USE_PEM_TRUE@am__append_76 = plugins/pem -@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_77 = plugins/pem/libstrongswan-pem.la -@USE_CURL_TRUE@am__append_78 = plugins/curl -@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_79 = plugins/curl/libstrongswan-curl.la -@USE_FILES_TRUE@am__append_80 = plugins/files -@MONOLITHIC_TRUE@@USE_FILES_TRUE@am__append_81 = plugins/files/libstrongswan-files.la -@USE_WINHTTP_TRUE@am__append_82 = plugins/winhttp -@MONOLITHIC_TRUE@@USE_WINHTTP_TRUE@am__append_83 = plugins/winhttp/libstrongswan-winhttp.la -@USE_UNBOUND_TRUE@am__append_84 = plugins/unbound -@MONOLITHIC_TRUE@@USE_UNBOUND_TRUE@am__append_85 = plugins/unbound/libstrongswan-unbound.la -@USE_SOUP_TRUE@am__append_86 = plugins/soup -@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_87 = plugins/soup/libstrongswan-soup.la -@USE_LDAP_TRUE@am__append_88 = plugins/ldap -@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_89 = plugins/ldap/libstrongswan-ldap.la -@USE_MYSQL_TRUE@am__append_90 = plugins/mysql -@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_91 = plugins/mysql/libstrongswan-mysql.la -@USE_SQLITE_TRUE@am__append_92 = plugins/sqlite -@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_93 = plugins/sqlite/libstrongswan-sqlite.la -@USE_PADLOCK_TRUE@am__append_94 = plugins/padlock -@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_95 = plugins/padlock/libstrongswan-padlock.la -@USE_OPENSSL_TRUE@am__append_96 = plugins/openssl -@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_97 = plugins/openssl/libstrongswan-openssl.la -@USE_GCRYPT_TRUE@am__append_98 = plugins/gcrypt -@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_99 = plugins/gcrypt/libstrongswan-gcrypt.la -@USE_FIPS_PRF_TRUE@am__append_100 = plugins/fips_prf -@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_101 = plugins/fips_prf/libstrongswan-fips-prf.la -@USE_AGENT_TRUE@am__append_102 = plugins/agent -@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_103 = plugins/agent/libstrongswan-agent.la -@USE_KEYCHAIN_TRUE@am__append_104 = plugins/keychain -@MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE@am__append_105 = plugins/keychain/libstrongswan-keychain.la -@USE_PKCS11_TRUE@am__append_106 = plugins/pkcs11 -@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_107 = plugins/pkcs11/libstrongswan-pkcs11.la -@USE_CHAPOLY_TRUE@am__append_108 = plugins/chapoly -@MONOLITHIC_TRUE@@USE_CHAPOLY_TRUE@am__append_109 = plugins/chapoly/libstrongswan-chapoly.la -@USE_CTR_TRUE@am__append_110 = plugins/ctr -@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_111 = plugins/ctr/libstrongswan-ctr.la -@USE_CCM_TRUE@am__append_112 = plugins/ccm -@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_113 = plugins/ccm/libstrongswan-ccm.la -@USE_GCM_TRUE@am__append_114 = plugins/gcm -@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_115 = plugins/gcm/libstrongswan-gcm.la -@USE_NTRU_TRUE@am__append_116 = plugins/ntru -@MONOLITHIC_TRUE@@USE_NTRU_TRUE@am__append_117 = plugins/ntru/libstrongswan-ntru.la -@USE_BLISS_TRUE@am__append_118 = plugins/bliss -@MONOLITHIC_TRUE@@USE_BLISS_TRUE@am__append_119 = plugins/bliss/libstrongswan-bliss.la -@USE_TEST_VECTORS_TRUE@am__append_120 = plugins/test_vectors -@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_121 = plugins/test_vectors/libstrongswan-test-vectors.la -@USE_BLISS_TRUE@am__append_122 = plugins/bliss/tests +@USE_SHA3_TRUE@am__append_36 = plugins/sha3 +@MONOLITHIC_TRUE@@USE_SHA3_TRUE@am__append_37 = plugins/sha3/libstrongswan-sha3.la +@USE_GMP_TRUE@am__append_38 = plugins/gmp +@MONOLITHIC_TRUE@@USE_GMP_TRUE@am__append_39 = plugins/gmp/libstrongswan-gmp.la +@USE_RDRAND_TRUE@am__append_40 = plugins/rdrand +@MONOLITHIC_TRUE@@USE_RDRAND_TRUE@am__append_41 = plugins/rdrand/libstrongswan-rdrand.la +@USE_AESNI_TRUE@am__append_42 = plugins/aesni +@MONOLITHIC_TRUE@@USE_AESNI_TRUE@am__append_43 = plugins/aesni/libstrongswan-aesni.la +@USE_RANDOM_TRUE@am__append_44 = plugins/random +@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_45 = plugins/random/libstrongswan-random.la +@USE_NONCE_TRUE@am__append_46 = plugins/nonce +@MONOLITHIC_TRUE@@USE_NONCE_TRUE@am__append_47 = plugins/nonce/libstrongswan-nonce.la +@USE_HMAC_TRUE@am__append_48 = plugins/hmac +@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_49 = plugins/hmac/libstrongswan-hmac.la +@USE_CMAC_TRUE@am__append_50 = plugins/cmac +@MONOLITHIC_TRUE@@USE_CMAC_TRUE@am__append_51 = plugins/cmac/libstrongswan-cmac.la +@USE_XCBC_TRUE@am__append_52 = plugins/xcbc +@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_53 = plugins/xcbc/libstrongswan-xcbc.la +@USE_X509_TRUE@am__append_54 = plugins/x509 +@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_55 = plugins/x509/libstrongswan-x509.la +@USE_REVOCATION_TRUE@am__append_56 = plugins/revocation +@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_57 = plugins/revocation/libstrongswan-revocation.la +@USE_CONSTRAINTS_TRUE@am__append_58 = plugins/constraints +@MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE@am__append_59 = plugins/constraints/libstrongswan-constraints.la +@USE_ACERT_TRUE@am__append_60 = plugins/acert +@MONOLITHIC_TRUE@@USE_ACERT_TRUE@am__append_61 = plugins/acert/libstrongswan-acert.la +@USE_PUBKEY_TRUE@am__append_62 = plugins/pubkey +@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_63 = plugins/pubkey/libstrongswan-pubkey.la +@USE_PKCS1_TRUE@am__append_64 = plugins/pkcs1 +@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_65 = plugins/pkcs1/libstrongswan-pkcs1.la +@USE_PKCS7_TRUE@am__append_66 = plugins/pkcs7 +@MONOLITHIC_TRUE@@USE_PKCS7_TRUE@am__append_67 = plugins/pkcs7/libstrongswan-pkcs7.la +@USE_PKCS8_TRUE@am__append_68 = plugins/pkcs8 +@MONOLITHIC_TRUE@@USE_PKCS8_TRUE@am__append_69 = plugins/pkcs8/libstrongswan-pkcs8.la +@USE_PKCS12_TRUE@am__append_70 = plugins/pkcs12 +@MONOLITHIC_TRUE@@USE_PKCS12_TRUE@am__append_71 = plugins/pkcs12/libstrongswan-pkcs12.la +@USE_PGP_TRUE@am__append_72 = plugins/pgp +@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_73 = plugins/pgp/libstrongswan-pgp.la +@USE_DNSKEY_TRUE@am__append_74 = plugins/dnskey +@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_75 = plugins/dnskey/libstrongswan-dnskey.la +@USE_SSHKEY_TRUE@am__append_76 = plugins/sshkey +@MONOLITHIC_TRUE@@USE_SSHKEY_TRUE@am__append_77 = plugins/sshkey/libstrongswan-sshkey.la +@USE_PEM_TRUE@am__append_78 = plugins/pem +@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_79 = plugins/pem/libstrongswan-pem.la +@USE_CURL_TRUE@am__append_80 = plugins/curl +@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_81 = plugins/curl/libstrongswan-curl.la +@USE_FILES_TRUE@am__append_82 = plugins/files +@MONOLITHIC_TRUE@@USE_FILES_TRUE@am__append_83 = plugins/files/libstrongswan-files.la +@USE_WINHTTP_TRUE@am__append_84 = plugins/winhttp +@MONOLITHIC_TRUE@@USE_WINHTTP_TRUE@am__append_85 = plugins/winhttp/libstrongswan-winhttp.la +@USE_UNBOUND_TRUE@am__append_86 = plugins/unbound +@MONOLITHIC_TRUE@@USE_UNBOUND_TRUE@am__append_87 = plugins/unbound/libstrongswan-unbound.la +@USE_SOUP_TRUE@am__append_88 = plugins/soup +@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_89 = plugins/soup/libstrongswan-soup.la +@USE_LDAP_TRUE@am__append_90 = plugins/ldap +@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_91 = plugins/ldap/libstrongswan-ldap.la +@USE_MYSQL_TRUE@am__append_92 = plugins/mysql +@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_93 = plugins/mysql/libstrongswan-mysql.la +@USE_SQLITE_TRUE@am__append_94 = plugins/sqlite +@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_95 = plugins/sqlite/libstrongswan-sqlite.la +@USE_PADLOCK_TRUE@am__append_96 = plugins/padlock +@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_97 = plugins/padlock/libstrongswan-padlock.la +@USE_OPENSSL_TRUE@am__append_98 = plugins/openssl +@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_99 = plugins/openssl/libstrongswan-openssl.la +@USE_GCRYPT_TRUE@am__append_100 = plugins/gcrypt +@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_101 = plugins/gcrypt/libstrongswan-gcrypt.la +@USE_FIPS_PRF_TRUE@am__append_102 = plugins/fips_prf +@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_103 = plugins/fips_prf/libstrongswan-fips-prf.la +@USE_AGENT_TRUE@am__append_104 = plugins/agent +@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_105 = plugins/agent/libstrongswan-agent.la +@USE_KEYCHAIN_TRUE@am__append_106 = plugins/keychain +@MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE@am__append_107 = plugins/keychain/libstrongswan-keychain.la +@USE_PKCS11_TRUE@am__append_108 = plugins/pkcs11 +@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_109 = plugins/pkcs11/libstrongswan-pkcs11.la +@USE_CHAPOLY_TRUE@am__append_110 = plugins/chapoly +@MONOLITHIC_TRUE@@USE_CHAPOLY_TRUE@am__append_111 = plugins/chapoly/libstrongswan-chapoly.la +@USE_CTR_TRUE@am__append_112 = plugins/ctr +@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_113 = plugins/ctr/libstrongswan-ctr.la +@USE_CCM_TRUE@am__append_114 = plugins/ccm +@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_115 = plugins/ccm/libstrongswan-ccm.la +@USE_GCM_TRUE@am__append_116 = plugins/gcm +@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_117 = plugins/gcm/libstrongswan-gcm.la +@USE_NTRU_TRUE@am__append_118 = plugins/ntru +@MONOLITHIC_TRUE@@USE_NTRU_TRUE@am__append_119 = plugins/ntru/libstrongswan-ntru.la +@USE_BLISS_TRUE@am__append_120 = plugins/bliss +@MONOLITHIC_TRUE@@USE_BLISS_TRUE@am__append_121 = plugins/bliss/libstrongswan-bliss.la +@USE_TEST_VECTORS_TRUE@am__append_122 = plugins/test_vectors +@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_123 = plugins/test_vectors/libstrongswan-test-vectors.la +@USE_BLISS_TRUE@am__append_124 = plugins/bliss/tests subdir = src/libstrongswan DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ settings/settings_parser.h settings/settings_parser.c \ @@ -297,7 +299,7 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ $(am__append_101) $(am__append_103) $(am__append_105) \ $(am__append_107) $(am__append_109) $(am__append_111) \ $(am__append_113) $(am__append_115) $(am__append_117) \ - $(am__append_119) $(am__append_121) + $(am__append_119) $(am__append_121) $(am__append_123) am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \ asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c \ bio/bio_writer.c collections/blocking_queue.c \ @@ -312,11 +314,11 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \ crypto/signers/mac_signer.c crypto/crypto_factory.c \ crypto/crypto_tester.c crypto/diffie_hellman.c crypto/aead.c \ crypto/transform.c crypto/iv/iv_gen.c crypto/iv/iv_gen_rand.c \ - crypto/iv/iv_gen_seq.c crypto/mgf1/mgf1.c \ - crypto/mgf1/mgf1_bitspender.c credentials/credential_factory.c \ - credentials/builder.c credentials/cred_encoding.c \ - credentials/keys/private_key.c credentials/keys/public_key.c \ - credentials/keys/shared_key.c \ + crypto/iv/iv_gen_seq.c crypto/iv/iv_gen_null.c \ + crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \ + credentials/credential_factory.c credentials/builder.c \ + credentials/cred_encoding.c credentials/keys/private_key.c \ + credentials/keys/public_key.c credentials/keys/shared_key.c \ credentials/certificates/certificate.c \ credentials/certificates/crl.c \ credentials/certificates/ocsp_response.c \ @@ -397,7 +399,8 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \ crypto/crypto_tester.lo crypto/diffie_hellman.lo \ crypto/aead.lo crypto/transform.lo crypto/iv/iv_gen.lo \ crypto/iv/iv_gen_rand.lo crypto/iv/iv_gen_seq.lo \ - crypto/mgf1/mgf1.lo crypto/mgf1/mgf1_bitspender.lo \ + crypto/iv/iv_gen_null.lo crypto/mgf1/mgf1.lo \ + crypto/mgf1/mgf1_bitspender.lo \ credentials/credential_factory.lo credentials/builder.lo \ credentials/cred_encoding.lo credentials/keys/private_key.lo \ credentials/keys/public_key.lo credentials/keys/shared_key.lo \ @@ -524,10 +527,11 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \ crypto/crypto_tester.h crypto/diffie_hellman.h crypto/aead.h \ crypto/transform.h crypto/pkcs5.h crypto/iv/iv_gen.h \ crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h \ - crypto/mgf1/mgf1.h crypto/mgf1/mgf1_bitspender.h \ - credentials/credential_factory.h credentials/builder.h \ - credentials/cred_encoding.h credentials/keys/private_key.h \ - credentials/keys/public_key.h credentials/keys/shared_key.h \ + crypto/iv/iv_gen_null.h crypto/mgf1/mgf1.h \ + crypto/mgf1/mgf1_bitspender.h credentials/credential_factory.h \ + credentials/builder.h credentials/cred_encoding.h \ + credentials/keys/private_key.h credentials/keys/public_key.h \ + credentials/keys/shared_key.h \ credentials/certificates/certificate.h \ credentials/certificates/x509.h credentials/certificates/ac.h \ credentials/certificates/crl.h \ @@ -574,7 +578,8 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \ utils/printf_hook/printf_hook_builtin.h utils/parser_helper.h \ utils/test.h utils/integrity_checker.h utils/process.h \ utils/utils/strerror.h utils/compat/windows.h \ - utils/compat/apple.h utils/utils/atomics.h utils/utils/types.h \ + utils/compat/apple.h utils/compat/android.h \ + utils/utils/atomics.h utils/utils/types.h \ utils/utils/byteorder.h utils/utils/string.h \ utils/utils/memory.h utils/utils/tty.h utils/utils/path.h \ utils/utils/status.h utils/utils/object.h utils/utils/time.h \ @@ -609,18 +614,19 @@ ETAGS = etags CTAGS = ctags DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \ plugins/blowfish plugins/rc2 plugins/md4 plugins/md5 \ - plugins/sha1 plugins/sha2 plugins/gmp plugins/rdrand \ - plugins/aesni plugins/random plugins/nonce plugins/hmac \ - plugins/cmac plugins/xcbc plugins/x509 plugins/revocation \ - plugins/constraints plugins/acert plugins/pubkey plugins/pkcs1 \ - plugins/pkcs7 plugins/pkcs8 plugins/pkcs12 plugins/pgp \ - plugins/dnskey plugins/sshkey plugins/pem plugins/curl \ - plugins/files plugins/winhttp plugins/unbound plugins/soup \ - plugins/ldap plugins/mysql plugins/sqlite plugins/padlock \ - plugins/openssl plugins/gcrypt plugins/fips_prf plugins/agent \ - plugins/keychain plugins/pkcs11 plugins/chapoly plugins/ctr \ - plugins/ccm plugins/gcm plugins/ntru plugins/bliss \ - plugins/test_vectors tests plugins/bliss/tests + plugins/sha1 plugins/sha2 plugins/sha3 plugins/gmp \ + plugins/rdrand plugins/aesni plugins/random plugins/nonce \ + plugins/hmac plugins/cmac plugins/xcbc plugins/x509 \ + plugins/revocation plugins/constraints plugins/acert \ + plugins/pubkey plugins/pkcs1 plugins/pkcs7 plugins/pkcs8 \ + plugins/pkcs12 plugins/pgp plugins/dnskey plugins/sshkey \ + plugins/pem plugins/curl plugins/files plugins/winhttp \ + plugins/unbound plugins/soup plugins/ldap plugins/mysql \ + plugins/sqlite plugins/padlock plugins/openssl plugins/gcrypt \ + plugins/fips_prf plugins/agent plugins/keychain plugins/pkcs11 \ + plugins/chapoly plugins/ctr plugins/ccm plugins/gcm \ + plugins/ntru plugins/bliss plugins/test_vectors tests \ + plugins/bliss/tests DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -886,11 +892,11 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \ crypto/signers/mac_signer.c crypto/crypto_factory.c \ crypto/crypto_tester.c crypto/diffie_hellman.c crypto/aead.c \ crypto/transform.c crypto/iv/iv_gen.c crypto/iv/iv_gen_rand.c \ - crypto/iv/iv_gen_seq.c crypto/mgf1/mgf1.c \ - crypto/mgf1/mgf1_bitspender.c credentials/credential_factory.c \ - credentials/builder.c credentials/cred_encoding.c \ - credentials/keys/private_key.c credentials/keys/public_key.c \ - credentials/keys/shared_key.c \ + crypto/iv/iv_gen_seq.c crypto/iv/iv_gen_null.c \ + crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \ + credentials/credential_factory.c credentials/builder.c \ + credentials/cred_encoding.c credentials/keys/private_key.c \ + credentials/keys/public_key.c credentials/keys/shared_key.c \ credentials/certificates/certificate.c \ credentials/certificates/crl.c \ credentials/certificates/ocsp_response.c \ @@ -945,7 +951,7 @@ settings/settings_types.h @USE_DEV_HEADERS_TRUE@crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \ @USE_DEV_HEADERS_TRUE@crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \ @USE_DEV_HEADERS_TRUE@crypto/aead.h crypto/transform.h crypto/pkcs5.h crypto/iv/iv_gen.h \ -@USE_DEV_HEADERS_TRUE@crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h \ +@USE_DEV_HEADERS_TRUE@crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h crypto/iv/iv_gen_null.h \ @USE_DEV_HEADERS_TRUE@crypto/mgf1/mgf1.h crypto/mgf1/mgf1_bitspender.h \ @USE_DEV_HEADERS_TRUE@credentials/credential_factory.h credentials/builder.h \ @USE_DEV_HEADERS_TRUE@credentials/cred_encoding.h credentials/keys/private_key.h \ @@ -982,7 +988,7 @@ settings/settings_types.h @USE_DEV_HEADERS_TRUE@utils/cpu_feature.h utils/leak_detective.h utils/printf_hook/printf_hook.h \ @USE_DEV_HEADERS_TRUE@utils/printf_hook/printf_hook_vstr.h utils/printf_hook/printf_hook_builtin.h \ @USE_DEV_HEADERS_TRUE@utils/parser_helper.h utils/test.h utils/integrity_checker.h utils/process.h \ -@USE_DEV_HEADERS_TRUE@utils/utils/strerror.h utils/compat/windows.h utils/compat/apple.h \ +@USE_DEV_HEADERS_TRUE@utils/utils/strerror.h utils/compat/windows.h utils/compat/apple.h utils/compat/android.h \ @USE_DEV_HEADERS_TRUE@utils/utils/atomics.h utils/utils/types.h utils/utils/byteorder.h \ @USE_DEV_HEADERS_TRUE@utils/utils/string.h utils/utils/memory.h utils/utils/tty.h utils/utils/path.h \ @USE_DEV_HEADERS_TRUE@utils/utils/status.h utils/utils/object.h utils/utils/time.h utils/utils/align.h @@ -1007,7 +1013,7 @@ libstrongswan_la_LIBADD = $(DLLIB) $(BTLIB) $(SOCKLIB) $(RTLIB) \ $(am__append_101) $(am__append_103) $(am__append_105) \ $(am__append_107) $(am__append_109) $(am__append_111) \ $(am__append_113) $(am__append_115) $(am__append_117) \ - $(am__append_119) $(am__append_121) + $(am__append_119) $(am__append_121) $(am__append_123) AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \ -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_LIB_DIR=\"${ipseclibdir}\" \ -DPLUGINDIR=\"${plugindir}\" \ @@ -1023,7 +1029,7 @@ AM_YFLAGS = -v -d EXTRA_DIST = \ asn1/oid.txt asn1/oid.pl \ crypto/proposal/proposal_keywords_static.txt \ -Android.mk AndroidConfigLocal.h +Android.mk BUILT_SOURCES = \ $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \ @@ -1059,8 +1065,8 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c @MONOLITHIC_FALSE@ $(am__append_106) $(am__append_108) \ @MONOLITHIC_FALSE@ $(am__append_110) $(am__append_112) \ @MONOLITHIC_FALSE@ $(am__append_114) $(am__append_116) \ -@MONOLITHIC_FALSE@ $(am__append_118) $(am__append_120) tests \ -@MONOLITHIC_FALSE@ $(am__append_122) +@MONOLITHIC_FALSE@ $(am__append_118) $(am__append_120) \ +@MONOLITHIC_FALSE@ $(am__append_122) tests $(am__append_124) # build plugins with their own Makefile ####################################### @@ -1089,8 +1095,8 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c @MONOLITHIC_TRUE@ $(am__append_106) $(am__append_108) \ @MONOLITHIC_TRUE@ $(am__append_110) $(am__append_112) \ @MONOLITHIC_TRUE@ $(am__append_114) $(am__append_116) \ -@MONOLITHIC_TRUE@ $(am__append_118) $(am__append_120) . tests \ -@MONOLITHIC_TRUE@ $(am__append_122) +@MONOLITHIC_TRUE@ $(am__append_118) $(am__append_120) \ +@MONOLITHIC_TRUE@ $(am__append_122) . tests $(am__append_124) all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive @@ -1284,6 +1290,8 @@ crypto/iv/iv_gen_rand.lo: crypto/iv/$(am__dirstamp) \ crypto/iv/$(DEPDIR)/$(am__dirstamp) crypto/iv/iv_gen_seq.lo: crypto/iv/$(am__dirstamp) \ crypto/iv/$(DEPDIR)/$(am__dirstamp) +crypto/iv/iv_gen_null.lo: crypto/iv/$(am__dirstamp) \ + crypto/iv/$(DEPDIR)/$(am__dirstamp) crypto/mgf1/$(am__dirstamp): @$(MKDIR_P) crypto/mgf1 @: > crypto/mgf1/$(am__dirstamp) @@ -1750,6 +1758,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@crypto/hashers/$(DEPDIR)/hash_algorithm_set.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/hashers/$(DEPDIR)/hasher.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/iv/$(DEPDIR)/iv_gen.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@crypto/iv/$(DEPDIR)/iv_gen_null.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/iv/$(DEPDIR)/iv_gen_rand.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/iv/$(DEPDIR)/iv_gen_seq.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/mgf1/$(DEPDIR)/mgf1.Plo@am__quote@ diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c index a750f7fcb..a088b0527 100644 --- a/src/libstrongswan/asn1/oid.c +++ b/src/libstrongswan/asn1/oid.c @@ -199,12 +199,12 @@ const oid_t oid_names[] = { { 0x02, 187, 0, 7, "ecdsa-with-SHA256" }, /* 186 */ { 0x03, 188, 0, 7, "ecdsa-with-SHA384" }, /* 187 */ { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 188 */ - {0x2B, 413, 1, 0, "" }, /* 189 */ - { 0x06, 327, 1, 1, "dod" }, /* 190 */ + {0x2B, 416, 1, 0, "" }, /* 189 */ + { 0x06, 330, 1, 1, "dod" }, /* 190 */ { 0x01, 0, 1, 2, "internet" }, /* 191 */ - { 0x04, 278, 1, 3, "private" }, /* 192 */ + { 0x04, 281, 1, 3, "private" }, /* 192 */ { 0x01, 0, 1, 4, "enterprise" }, /* 193 */ - { 0x82, 228, 1, 5, "" }, /* 194 */ + { 0x82, 231, 1, 5, "" }, /* 194 */ { 0x37, 207, 1, 6, "Microsoft" }, /* 195 */ { 0x0A, 200, 1, 7, "" }, /* 196 */ { 0x03, 0, 1, 8, "" }, /* 197 */ @@ -235,254 +235,257 @@ const oid_t oid_names[] = { { 0x07, 223, 0, 10, "BLISS-B-III" }, /* 222 */ { 0x08, 0, 0, 10, "BLISS-B-IV" }, /* 223 */ { 0x03, 0, 1, 9, "blissSigType" }, /* 224 */ - { 0x01, 226, 0, 10, "BLISS-with-SHA512" }, /* 225 */ - { 0x02, 227, 0, 10, "BLISS-with-SHA384" }, /* 226 */ - { 0x03, 0, 0, 10, "BLISS-with-SHA256" }, /* 227 */ - { 0x89, 235, 1, 5, "" }, /* 228 */ - { 0x31, 0, 1, 6, "" }, /* 229 */ - { 0x01, 0, 1, 7, "" }, /* 230 */ - { 0x01, 0, 1, 8, "" }, /* 231 */ - { 0x02, 0, 1, 9, "" }, /* 232 */ - { 0x02, 0, 1, 10, "" }, /* 233 */ - { 0x4B, 0, 0, 11, "TCGID" }, /* 234 */ - { 0x97, 239, 1, 5, "" }, /* 235 */ - { 0x55, 0, 1, 6, "" }, /* 236 */ - { 0x01, 0, 1, 7, "" }, /* 237 */ - { 0x02, 0, 0, 8, "blowfish-cbc" }, /* 238 */ - { 0xC1, 0, 1, 5, "" }, /* 239 */ - { 0x16, 0, 1, 6, "ntruCryptosystems" }, /* 240 */ - { 0x01, 0, 1, 7, "eess" }, /* 241 */ - { 0x01, 0, 1, 8, "eess1" }, /* 242 */ - { 0x01, 247, 1, 9, "eess1-algs" }, /* 243 */ - { 0x01, 245, 0, 10, "ntru-EESS1v1-SVES" }, /* 244 */ - { 0x02, 246, 0, 10, "ntru-EESS1v1-SVSSA" }, /* 245 */ - { 0x03, 0, 0, 10, "ntru-EESS1v1-NTRUSign" }, /* 246 */ - { 0x02, 277, 1, 9, "eess1-params" }, /* 247 */ - { 0x01, 249, 0, 10, "ees251ep1" }, /* 248 */ - { 0x02, 250, 0, 10, "ees347ep1" }, /* 249 */ - { 0x03, 251, 0, 10, "ees503ep1" }, /* 250 */ - { 0x07, 252, 0, 10, "ees251sp2" }, /* 251 */ - { 0x0C, 253, 0, 10, "ees251ep4" }, /* 252 */ - { 0x0D, 254, 0, 10, "ees251ep5" }, /* 253 */ - { 0x0E, 255, 0, 10, "ees251sp3" }, /* 254 */ - { 0x0F, 256, 0, 10, "ees251sp4" }, /* 255 */ - { 0x10, 257, 0, 10, "ees251sp5" }, /* 256 */ - { 0x11, 258, 0, 10, "ees251sp6" }, /* 257 */ - { 0x12, 259, 0, 10, "ees251sp7" }, /* 258 */ - { 0x13, 260, 0, 10, "ees251sp8" }, /* 259 */ - { 0x14, 261, 0, 10, "ees251sp9" }, /* 260 */ - { 0x22, 262, 0, 10, "ees401ep1" }, /* 261 */ - { 0x23, 263, 0, 10, "ees449ep1" }, /* 262 */ - { 0x24, 264, 0, 10, "ees677ep1" }, /* 263 */ - { 0x25, 265, 0, 10, "ees1087ep2" }, /* 264 */ - { 0x26, 266, 0, 10, "ees541ep1" }, /* 265 */ - { 0x27, 267, 0, 10, "ees613ep1" }, /* 266 */ - { 0x28, 268, 0, 10, "ees887ep1" }, /* 267 */ - { 0x29, 269, 0, 10, "ees1171ep1" }, /* 268 */ - { 0x2A, 270, 0, 10, "ees659ep1" }, /* 269 */ - { 0x2B, 271, 0, 10, "ees761ep1" }, /* 270 */ - { 0x2C, 272, 0, 10, "ees1087ep1" }, /* 271 */ - { 0x2D, 273, 0, 10, "ees1499ep1" }, /* 272 */ - { 0x2E, 274, 0, 10, "ees401ep2" }, /* 273 */ - { 0x2F, 275, 0, 10, "ees439ep1" }, /* 274 */ - { 0x30, 276, 0, 10, "ees593ep1" }, /* 275 */ - { 0x31, 0, 0, 10, "ees743ep1" }, /* 276 */ - { 0x03, 0, 0, 9, "eess1-encodingMethods" }, /* 277 */ - { 0x05, 0, 1, 3, "security" }, /* 278 */ - { 0x05, 0, 1, 4, "mechanisms" }, /* 279 */ - { 0x07, 324, 1, 5, "id-pkix" }, /* 280 */ - { 0x01, 285, 1, 6, "id-pe" }, /* 281 */ - { 0x01, 283, 0, 7, "authorityInfoAccess" }, /* 282 */ - { 0x03, 284, 0, 7, "qcStatements" }, /* 283 */ - { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 284 */ - { 0x02, 288, 1, 6, "id-qt" }, /* 285 */ - { 0x01, 287, 0, 7, "cps" }, /* 286 */ - { 0x02, 0, 0, 7, "unotice" }, /* 287 */ - { 0x03, 298, 1, 6, "id-kp" }, /* 288 */ - { 0x01, 290, 0, 7, "serverAuth" }, /* 289 */ - { 0x02, 291, 0, 7, "clientAuth" }, /* 290 */ - { 0x03, 292, 0, 7, "codeSigning" }, /* 291 */ - { 0x04, 293, 0, 7, "emailProtection" }, /* 292 */ - { 0x05, 294, 0, 7, "ipsecEndSystem" }, /* 293 */ - { 0x06, 295, 0, 7, "ipsecTunnel" }, /* 294 */ - { 0x07, 296, 0, 7, "ipsecUser" }, /* 295 */ - { 0x08, 297, 0, 7, "timeStamping" }, /* 296 */ - { 0x09, 0, 0, 7, "ocspSigning" }, /* 297 */ - { 0x08, 306, 1, 6, "id-otherNames" }, /* 298 */ - { 0x01, 300, 0, 7, "personalData" }, /* 299 */ - { 0x02, 301, 0, 7, "userGroup" }, /* 300 */ - { 0x03, 302, 0, 7, "id-on-permanentIdentifier" }, /* 301 */ - { 0x04, 303, 0, 7, "id-on-hardwareModuleName" }, /* 302 */ - { 0x05, 304, 0, 7, "xmppAddr" }, /* 303 */ - { 0x06, 305, 0, 7, "id-on-SIM" }, /* 304 */ - { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 305 */ - { 0x0A, 311, 1, 6, "id-aca" }, /* 306 */ - { 0x01, 308, 0, 7, "authenticationInfo" }, /* 307 */ - { 0x02, 309, 0, 7, "accessIdentity" }, /* 308 */ - { 0x03, 310, 0, 7, "chargingIdentity" }, /* 309 */ - { 0x04, 0, 0, 7, "group" }, /* 310 */ - { 0x0B, 312, 0, 6, "subjectInfoAccess" }, /* 311 */ - { 0x30, 0, 1, 6, "id-ad" }, /* 312 */ - { 0x01, 321, 1, 7, "ocsp" }, /* 313 */ - { 0x01, 315, 0, 8, "basic" }, /* 314 */ - { 0x02, 316, 0, 8, "nonce" }, /* 315 */ - { 0x03, 317, 0, 8, "crl" }, /* 316 */ - { 0x04, 318, 0, 8, "response" }, /* 317 */ - { 0x05, 319, 0, 8, "noCheck" }, /* 318 */ - { 0x06, 320, 0, 8, "archiveCutoff" }, /* 319 */ - { 0x07, 0, 0, 8, "serviceLocator" }, /* 320 */ - { 0x02, 322, 0, 7, "caIssuers" }, /* 321 */ - { 0x03, 323, 0, 7, "timeStamping" }, /* 322 */ - { 0x05, 0, 0, 7, "caRepository" }, /* 323 */ - { 0x08, 0, 1, 5, "ipsec" }, /* 324 */ - { 0x02, 0, 1, 6, "certificate" }, /* 325 */ - { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 326 */ - { 0x0E, 333, 1, 1, "oiw" }, /* 327 */ - { 0x03, 0, 1, 2, "secsig" }, /* 328 */ - { 0x02, 0, 1, 3, "algorithms" }, /* 329 */ - { 0x07, 331, 0, 4, "des-cbc" }, /* 330 */ - { 0x1A, 332, 0, 4, "sha-1" }, /* 331 */ - { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 332 */ - { 0x24, 379, 1, 1, "TeleTrusT" }, /* 333 */ - { 0x03, 0, 1, 2, "algorithm" }, /* 334 */ - { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 335 */ - { 0x01, 340, 1, 4, "rsaSignature" }, /* 336 */ - { 0x02, 338, 0, 5, "rsaSigWithripemd160" }, /* 337 */ - { 0x03, 339, 0, 5, "rsaSigWithripemd128" }, /* 338 */ - { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 339 */ - { 0x02, 0, 1, 4, "ecSign" }, /* 340 */ - { 0x01, 342, 0, 5, "ecSignWithsha1" }, /* 341 */ - { 0x02, 343, 0, 5, "ecSignWithripemd160" }, /* 342 */ - { 0x03, 344, 0, 5, "ecSignWithmd2" }, /* 343 */ - { 0x04, 345, 0, 5, "ecSignWithmd5" }, /* 344 */ - { 0x05, 362, 1, 5, "ttt-ecg" }, /* 345 */ - { 0x01, 350, 1, 6, "fieldType" }, /* 346 */ - { 0x01, 0, 1, 7, "characteristictwoField" }, /* 347 */ - { 0x01, 0, 1, 8, "basisType" }, /* 348 */ - { 0x01, 0, 0, 9, "ipBasis" }, /* 349 */ - { 0x02, 352, 1, 6, "keyType" }, /* 350 */ - { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 351 */ - { 0x03, 353, 0, 6, "curve" }, /* 352 */ - { 0x04, 360, 1, 6, "signatures" }, /* 353 */ - { 0x01, 355, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 354 */ - { 0x02, 356, 0, 7, "ecgdsa-with-SHA1" }, /* 355 */ - { 0x03, 357, 0, 7, "ecgdsa-with-SHA224" }, /* 356 */ - { 0x04, 358, 0, 7, "ecgdsa-with-SHA256" }, /* 357 */ - { 0x05, 359, 0, 7, "ecgdsa-with-SHA384" }, /* 358 */ - { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 359 */ - { 0x05, 0, 1, 6, "module" }, /* 360 */ - { 0x01, 0, 0, 7, "1" }, /* 361 */ - { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 362 */ - { 0x01, 0, 1, 6, "ellipticCurve" }, /* 363 */ - { 0x01, 0, 1, 7, "versionOne" }, /* 364 */ - { 0x01, 366, 0, 8, "brainpoolP160r1" }, /* 365 */ - { 0x02, 367, 0, 8, "brainpoolP160t1" }, /* 366 */ - { 0x03, 368, 0, 8, "brainpoolP192r1" }, /* 367 */ - { 0x04, 369, 0, 8, "brainpoolP192t1" }, /* 368 */ - { 0x05, 370, 0, 8, "brainpoolP224r1" }, /* 369 */ - { 0x06, 371, 0, 8, "brainpoolP224t1" }, /* 370 */ - { 0x07, 372, 0, 8, "brainpoolP256r1" }, /* 371 */ - { 0x08, 373, 0, 8, "brainpoolP256t1" }, /* 372 */ - { 0x09, 374, 0, 8, "brainpoolP320r1" }, /* 373 */ - { 0x0A, 375, 0, 8, "brainpoolP320t1" }, /* 374 */ - { 0x0B, 376, 0, 8, "brainpoolP384r1" }, /* 375 */ - { 0x0C, 377, 0, 8, "brainpoolP384t1" }, /* 376 */ - { 0x0D, 378, 0, 8, "brainpoolP512r1" }, /* 377 */ - { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 378 */ - { 0x81, 0, 1, 1, "" }, /* 379 */ - { 0x04, 0, 1, 2, "Certicom" }, /* 380 */ - { 0x00, 0, 1, 3, "curve" }, /* 381 */ - { 0x01, 383, 0, 4, "sect163k1" }, /* 382 */ - { 0x02, 384, 0, 4, "sect163r1" }, /* 383 */ - { 0x03, 385, 0, 4, "sect239k1" }, /* 384 */ - { 0x04, 386, 0, 4, "sect113r1" }, /* 385 */ - { 0x05, 387, 0, 4, "sect113r2" }, /* 386 */ - { 0x06, 388, 0, 4, "secp112r1" }, /* 387 */ - { 0x07, 389, 0, 4, "secp112r2" }, /* 388 */ - { 0x08, 390, 0, 4, "secp160r1" }, /* 389 */ - { 0x09, 391, 0, 4, "secp160k1" }, /* 390 */ - { 0x0A, 392, 0, 4, "secp256k1" }, /* 391 */ - { 0x0F, 393, 0, 4, "sect163r2" }, /* 392 */ - { 0x10, 394, 0, 4, "sect283k1" }, /* 393 */ - { 0x11, 395, 0, 4, "sect283r1" }, /* 394 */ - { 0x16, 396, 0, 4, "sect131r1" }, /* 395 */ - { 0x17, 397, 0, 4, "sect131r2" }, /* 396 */ - { 0x18, 398, 0, 4, "sect193r1" }, /* 397 */ - { 0x19, 399, 0, 4, "sect193r2" }, /* 398 */ - { 0x1A, 400, 0, 4, "sect233k1" }, /* 399 */ - { 0x1B, 401, 0, 4, "sect233r1" }, /* 400 */ - { 0x1C, 402, 0, 4, "secp128r1" }, /* 401 */ - { 0x1D, 403, 0, 4, "secp128r2" }, /* 402 */ - { 0x1E, 404, 0, 4, "secp160r2" }, /* 403 */ - { 0x1F, 405, 0, 4, "secp192k1" }, /* 404 */ - { 0x20, 406, 0, 4, "secp224k1" }, /* 405 */ - { 0x21, 407, 0, 4, "secp224r1" }, /* 406 */ - { 0x22, 408, 0, 4, "secp384r1" }, /* 407 */ - { 0x23, 409, 0, 4, "secp521r1" }, /* 408 */ - { 0x24, 410, 0, 4, "sect409k1" }, /* 409 */ - { 0x25, 411, 0, 4, "sect409r1" }, /* 410 */ - { 0x26, 412, 0, 4, "sect571k1" }, /* 411 */ - { 0x27, 0, 0, 4, "sect571r1" }, /* 412 */ - {0x60, 467, 1, 0, "" }, /* 413 */ - { 0x86, 0, 1, 1, "" }, /* 414 */ - { 0x48, 0, 1, 2, "" }, /* 415 */ - { 0x01, 0, 1, 3, "organization" }, /* 416 */ - { 0x65, 443, 1, 4, "gov" }, /* 417 */ - { 0x03, 0, 1, 5, "csor" }, /* 418 */ - { 0x04, 0, 1, 6, "nistalgorithm" }, /* 419 */ - { 0x01, 430, 1, 7, "aes" }, /* 420 */ - { 0x02, 422, 0, 8, "id-aes128-CBC" }, /* 421 */ - { 0x06, 423, 0, 8, "id-aes128-GCM" }, /* 422 */ - { 0x07, 424, 0, 8, "id-aes128-CCM" }, /* 423 */ - { 0x16, 425, 0, 8, "id-aes192-CBC" }, /* 424 */ - { 0x1A, 426, 0, 8, "id-aes192-GCM" }, /* 425 */ - { 0x1B, 427, 0, 8, "id-aes192-CCM" }, /* 426 */ - { 0x2A, 428, 0, 8, "id-aes256-CBC" }, /* 427 */ - { 0x2E, 429, 0, 8, "id-aes256-GCM" }, /* 428 */ - { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 429 */ - { 0x02, 0, 1, 7, "hashalgs" }, /* 430 */ - { 0x01, 432, 0, 8, "id-sha256" }, /* 431 */ - { 0x02, 433, 0, 8, "id-sha384" }, /* 432 */ - { 0x03, 434, 0, 8, "id-sha512" }, /* 433 */ - { 0x04, 435, 0, 8, "id-sha224" }, /* 434 */ - { 0x05, 436, 0, 8, "id-sha512-224" }, /* 435 */ - { 0x06, 437, 0, 8, "id-sha512-256" }, /* 436 */ - { 0x07, 438, 0, 8, "id-sha3-224" }, /* 437 */ - { 0x08, 439, 0, 8, "id-sha3-256" }, /* 438 */ - { 0x09, 440, 0, 8, "id-sha3-384" }, /* 439 */ - { 0x0A, 441, 0, 8, "id-sha3-512" }, /* 440 */ - { 0x0B, 442, 0, 8, "id-shake128" }, /* 441 */ - { 0x0C, 0, 0, 8, "id-shake256" }, /* 442 */ - { 0x86, 0, 1, 4, "" }, /* 443 */ - { 0xf8, 0, 1, 5, "" }, /* 444 */ - { 0x42, 457, 1, 6, "netscape" }, /* 445 */ - { 0x01, 452, 1, 7, "" }, /* 446 */ - { 0x01, 448, 0, 8, "nsCertType" }, /* 447 */ - { 0x03, 449, 0, 8, "nsRevocationUrl" }, /* 448 */ - { 0x04, 450, 0, 8, "nsCaRevocationUrl" }, /* 449 */ - { 0x08, 451, 0, 8, "nsCaPolicyUrl" }, /* 450 */ - { 0x0d, 0, 0, 8, "nsComment" }, /* 451 */ - { 0x03, 455, 1, 7, "directory" }, /* 452 */ - { 0x01, 0, 1, 8, "" }, /* 453 */ - { 0x03, 0, 0, 9, "employeeNumber" }, /* 454 */ - { 0x04, 0, 1, 7, "policy" }, /* 455 */ - { 0x01, 0, 0, 8, "nsSGC" }, /* 456 */ - { 0x45, 0, 1, 6, "verisign" }, /* 457 */ - { 0x01, 0, 1, 7, "pki" }, /* 458 */ - { 0x09, 0, 1, 8, "attributes" }, /* 459 */ - { 0x02, 461, 0, 9, "messageType" }, /* 460 */ - { 0x03, 462, 0, 9, "pkiStatus" }, /* 461 */ - { 0x04, 463, 0, 9, "failInfo" }, /* 462 */ - { 0x05, 464, 0, 9, "senderNonce" }, /* 463 */ - { 0x06, 465, 0, 9, "recipientNonce" }, /* 464 */ - { 0x07, 466, 0, 9, "transID" }, /* 465 */ - { 0x08, 0, 0, 9, "extensionReq" }, /* 466 */ - {0x67, 0, 1, 0, "" }, /* 467 */ - { 0x81, 0, 1, 1, "" }, /* 468 */ - { 0x05, 0, 1, 2, "" }, /* 469 */ - { 0x02, 0, 1, 3, "tcg-attribute" }, /* 470 */ - { 0x01, 472, 0, 4, "tcg-at-tpmManufacturer" }, /* 471 */ - { 0x02, 473, 0, 4, "tcg-at-tpmModel" }, /* 472 */ - { 0x03, 474, 0, 4, "tcg-at-tpmVersion" }, /* 473 */ - { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 474 */ + { 0x01, 226, 0, 10, "BLISS-with-SHA2-512" }, /* 225 */ + { 0x02, 227, 0, 10, "BLISS-with-SHA2-384" }, /* 226 */ + { 0x03, 228, 0, 10, "BLISS-with-SHA2-256" }, /* 227 */ + { 0x04, 229, 0, 10, "BLISS-with-SHA3-512" }, /* 228 */ + { 0x05, 230, 0, 10, "BLISS-with-SHA3-384" }, /* 229 */ + { 0x06, 0, 0, 10, "BLISS-with-SHA3-256" }, /* 230 */ + { 0x89, 238, 1, 5, "" }, /* 231 */ + { 0x31, 0, 1, 6, "" }, /* 232 */ + { 0x01, 0, 1, 7, "" }, /* 233 */ + { 0x01, 0, 1, 8, "" }, /* 234 */ + { 0x02, 0, 1, 9, "" }, /* 235 */ + { 0x02, 0, 1, 10, "" }, /* 236 */ + { 0x4B, 0, 0, 11, "TCGID" }, /* 237 */ + { 0x97, 242, 1, 5, "" }, /* 238 */ + { 0x55, 0, 1, 6, "" }, /* 239 */ + { 0x01, 0, 1, 7, "" }, /* 240 */ + { 0x02, 0, 0, 8, "blowfish-cbc" }, /* 241 */ + { 0xC1, 0, 1, 5, "" }, /* 242 */ + { 0x16, 0, 1, 6, "ntruCryptosystems" }, /* 243 */ + { 0x01, 0, 1, 7, "eess" }, /* 244 */ + { 0x01, 0, 1, 8, "eess1" }, /* 245 */ + { 0x01, 250, 1, 9, "eess1-algs" }, /* 246 */ + { 0x01, 248, 0, 10, "ntru-EESS1v1-SVES" }, /* 247 */ + { 0x02, 249, 0, 10, "ntru-EESS1v1-SVSSA" }, /* 248 */ + { 0x03, 0, 0, 10, "ntru-EESS1v1-NTRUSign" }, /* 249 */ + { 0x02, 280, 1, 9, "eess1-params" }, /* 250 */ + { 0x01, 252, 0, 10, "ees251ep1" }, /* 251 */ + { 0x02, 253, 0, 10, "ees347ep1" }, /* 252 */ + { 0x03, 254, 0, 10, "ees503ep1" }, /* 253 */ + { 0x07, 255, 0, 10, "ees251sp2" }, /* 254 */ + { 0x0C, 256, 0, 10, "ees251ep4" }, /* 255 */ + { 0x0D, 257, 0, 10, "ees251ep5" }, /* 256 */ + { 0x0E, 258, 0, 10, "ees251sp3" }, /* 257 */ + { 0x0F, 259, 0, 10, "ees251sp4" }, /* 258 */ + { 0x10, 260, 0, 10, "ees251sp5" }, /* 259 */ + { 0x11, 261, 0, 10, "ees251sp6" }, /* 260 */ + { 0x12, 262, 0, 10, "ees251sp7" }, /* 261 */ + { 0x13, 263, 0, 10, "ees251sp8" }, /* 262 */ + { 0x14, 264, 0, 10, "ees251sp9" }, /* 263 */ + { 0x22, 265, 0, 10, "ees401ep1" }, /* 264 */ + { 0x23, 266, 0, 10, "ees449ep1" }, /* 265 */ + { 0x24, 267, 0, 10, "ees677ep1" }, /* 266 */ + { 0x25, 268, 0, 10, "ees1087ep2" }, /* 267 */ + { 0x26, 269, 0, 10, "ees541ep1" }, /* 268 */ + { 0x27, 270, 0, 10, "ees613ep1" }, /* 269 */ + { 0x28, 271, 0, 10, "ees887ep1" }, /* 270 */ + { 0x29, 272, 0, 10, "ees1171ep1" }, /* 271 */ + { 0x2A, 273, 0, 10, "ees659ep1" }, /* 272 */ + { 0x2B, 274, 0, 10, "ees761ep1" }, /* 273 */ + { 0x2C, 275, 0, 10, "ees1087ep1" }, /* 274 */ + { 0x2D, 276, 0, 10, "ees1499ep1" }, /* 275 */ + { 0x2E, 277, 0, 10, "ees401ep2" }, /* 276 */ + { 0x2F, 278, 0, 10, "ees439ep1" }, /* 277 */ + { 0x30, 279, 0, 10, "ees593ep1" }, /* 278 */ + { 0x31, 0, 0, 10, "ees743ep1" }, /* 279 */ + { 0x03, 0, 0, 9, "eess1-encodingMethods" }, /* 280 */ + { 0x05, 0, 1, 3, "security" }, /* 281 */ + { 0x05, 0, 1, 4, "mechanisms" }, /* 282 */ + { 0x07, 327, 1, 5, "id-pkix" }, /* 283 */ + { 0x01, 288, 1, 6, "id-pe" }, /* 284 */ + { 0x01, 286, 0, 7, "authorityInfoAccess" }, /* 285 */ + { 0x03, 287, 0, 7, "qcStatements" }, /* 286 */ + { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 287 */ + { 0x02, 291, 1, 6, "id-qt" }, /* 288 */ + { 0x01, 290, 0, 7, "cps" }, /* 289 */ + { 0x02, 0, 0, 7, "unotice" }, /* 290 */ + { 0x03, 301, 1, 6, "id-kp" }, /* 291 */ + { 0x01, 293, 0, 7, "serverAuth" }, /* 292 */ + { 0x02, 294, 0, 7, "clientAuth" }, /* 293 */ + { 0x03, 295, 0, 7, "codeSigning" }, /* 294 */ + { 0x04, 296, 0, 7, "emailProtection" }, /* 295 */ + { 0x05, 297, 0, 7, "ipsecEndSystem" }, /* 296 */ + { 0x06, 298, 0, 7, "ipsecTunnel" }, /* 297 */ + { 0x07, 299, 0, 7, "ipsecUser" }, /* 298 */ + { 0x08, 300, 0, 7, "timeStamping" }, /* 299 */ + { 0x09, 0, 0, 7, "ocspSigning" }, /* 300 */ + { 0x08, 309, 1, 6, "id-otherNames" }, /* 301 */ + { 0x01, 303, 0, 7, "personalData" }, /* 302 */ + { 0x02, 304, 0, 7, "userGroup" }, /* 303 */ + { 0x03, 305, 0, 7, "id-on-permanentIdentifier" }, /* 304 */ + { 0x04, 306, 0, 7, "id-on-hardwareModuleName" }, /* 305 */ + { 0x05, 307, 0, 7, "xmppAddr" }, /* 306 */ + { 0x06, 308, 0, 7, "id-on-SIM" }, /* 307 */ + { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 308 */ + { 0x0A, 314, 1, 6, "id-aca" }, /* 309 */ + { 0x01, 311, 0, 7, "authenticationInfo" }, /* 310 */ + { 0x02, 312, 0, 7, "accessIdentity" }, /* 311 */ + { 0x03, 313, 0, 7, "chargingIdentity" }, /* 312 */ + { 0x04, 0, 0, 7, "group" }, /* 313 */ + { 0x0B, 315, 0, 6, "subjectInfoAccess" }, /* 314 */ + { 0x30, 0, 1, 6, "id-ad" }, /* 315 */ + { 0x01, 324, 1, 7, "ocsp" }, /* 316 */ + { 0x01, 318, 0, 8, "basic" }, /* 317 */ + { 0x02, 319, 0, 8, "nonce" }, /* 318 */ + { 0x03, 320, 0, 8, "crl" }, /* 319 */ + { 0x04, 321, 0, 8, "response" }, /* 320 */ + { 0x05, 322, 0, 8, "noCheck" }, /* 321 */ + { 0x06, 323, 0, 8, "archiveCutoff" }, /* 322 */ + { 0x07, 0, 0, 8, "serviceLocator" }, /* 323 */ + { 0x02, 325, 0, 7, "caIssuers" }, /* 324 */ + { 0x03, 326, 0, 7, "timeStamping" }, /* 325 */ + { 0x05, 0, 0, 7, "caRepository" }, /* 326 */ + { 0x08, 0, 1, 5, "ipsec" }, /* 327 */ + { 0x02, 0, 1, 6, "certificate" }, /* 328 */ + { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 329 */ + { 0x0E, 336, 1, 1, "oiw" }, /* 330 */ + { 0x03, 0, 1, 2, "secsig" }, /* 331 */ + { 0x02, 0, 1, 3, "algorithms" }, /* 332 */ + { 0x07, 334, 0, 4, "des-cbc" }, /* 333 */ + { 0x1A, 335, 0, 4, "sha-1" }, /* 334 */ + { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 335 */ + { 0x24, 382, 1, 1, "TeleTrusT" }, /* 336 */ + { 0x03, 0, 1, 2, "algorithm" }, /* 337 */ + { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 338 */ + { 0x01, 343, 1, 4, "rsaSignature" }, /* 339 */ + { 0x02, 341, 0, 5, "rsaSigWithripemd160" }, /* 340 */ + { 0x03, 342, 0, 5, "rsaSigWithripemd128" }, /* 341 */ + { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 342 */ + { 0x02, 0, 1, 4, "ecSign" }, /* 343 */ + { 0x01, 345, 0, 5, "ecSignWithsha1" }, /* 344 */ + { 0x02, 346, 0, 5, "ecSignWithripemd160" }, /* 345 */ + { 0x03, 347, 0, 5, "ecSignWithmd2" }, /* 346 */ + { 0x04, 348, 0, 5, "ecSignWithmd5" }, /* 347 */ + { 0x05, 365, 1, 5, "ttt-ecg" }, /* 348 */ + { 0x01, 353, 1, 6, "fieldType" }, /* 349 */ + { 0x01, 0, 1, 7, "characteristictwoField" }, /* 350 */ + { 0x01, 0, 1, 8, "basisType" }, /* 351 */ + { 0x01, 0, 0, 9, "ipBasis" }, /* 352 */ + { 0x02, 355, 1, 6, "keyType" }, /* 353 */ + { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 354 */ + { 0x03, 356, 0, 6, "curve" }, /* 355 */ + { 0x04, 363, 1, 6, "signatures" }, /* 356 */ + { 0x01, 358, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 357 */ + { 0x02, 359, 0, 7, "ecgdsa-with-SHA1" }, /* 358 */ + { 0x03, 360, 0, 7, "ecgdsa-with-SHA224" }, /* 359 */ + { 0x04, 361, 0, 7, "ecgdsa-with-SHA256" }, /* 360 */ + { 0x05, 362, 0, 7, "ecgdsa-with-SHA384" }, /* 361 */ + { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 362 */ + { 0x05, 0, 1, 6, "module" }, /* 363 */ + { 0x01, 0, 0, 7, "1" }, /* 364 */ + { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 365 */ + { 0x01, 0, 1, 6, "ellipticCurve" }, /* 366 */ + { 0x01, 0, 1, 7, "versionOne" }, /* 367 */ + { 0x01, 369, 0, 8, "brainpoolP160r1" }, /* 368 */ + { 0x02, 370, 0, 8, "brainpoolP160t1" }, /* 369 */ + { 0x03, 371, 0, 8, "brainpoolP192r1" }, /* 370 */ + { 0x04, 372, 0, 8, "brainpoolP192t1" }, /* 371 */ + { 0x05, 373, 0, 8, "brainpoolP224r1" }, /* 372 */ + { 0x06, 374, 0, 8, "brainpoolP224t1" }, /* 373 */ + { 0x07, 375, 0, 8, "brainpoolP256r1" }, /* 374 */ + { 0x08, 376, 0, 8, "brainpoolP256t1" }, /* 375 */ + { 0x09, 377, 0, 8, "brainpoolP320r1" }, /* 376 */ + { 0x0A, 378, 0, 8, "brainpoolP320t1" }, /* 377 */ + { 0x0B, 379, 0, 8, "brainpoolP384r1" }, /* 378 */ + { 0x0C, 380, 0, 8, "brainpoolP384t1" }, /* 379 */ + { 0x0D, 381, 0, 8, "brainpoolP512r1" }, /* 380 */ + { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 381 */ + { 0x81, 0, 1, 1, "" }, /* 382 */ + { 0x04, 0, 1, 2, "Certicom" }, /* 383 */ + { 0x00, 0, 1, 3, "curve" }, /* 384 */ + { 0x01, 386, 0, 4, "sect163k1" }, /* 385 */ + { 0x02, 387, 0, 4, "sect163r1" }, /* 386 */ + { 0x03, 388, 0, 4, "sect239k1" }, /* 387 */ + { 0x04, 389, 0, 4, "sect113r1" }, /* 388 */ + { 0x05, 390, 0, 4, "sect113r2" }, /* 389 */ + { 0x06, 391, 0, 4, "secp112r1" }, /* 390 */ + { 0x07, 392, 0, 4, "secp112r2" }, /* 391 */ + { 0x08, 393, 0, 4, "secp160r1" }, /* 392 */ + { 0x09, 394, 0, 4, "secp160k1" }, /* 393 */ + { 0x0A, 395, 0, 4, "secp256k1" }, /* 394 */ + { 0x0F, 396, 0, 4, "sect163r2" }, /* 395 */ + { 0x10, 397, 0, 4, "sect283k1" }, /* 396 */ + { 0x11, 398, 0, 4, "sect283r1" }, /* 397 */ + { 0x16, 399, 0, 4, "sect131r1" }, /* 398 */ + { 0x17, 400, 0, 4, "sect131r2" }, /* 399 */ + { 0x18, 401, 0, 4, "sect193r1" }, /* 400 */ + { 0x19, 402, 0, 4, "sect193r2" }, /* 401 */ + { 0x1A, 403, 0, 4, "sect233k1" }, /* 402 */ + { 0x1B, 404, 0, 4, "sect233r1" }, /* 403 */ + { 0x1C, 405, 0, 4, "secp128r1" }, /* 404 */ + { 0x1D, 406, 0, 4, "secp128r2" }, /* 405 */ + { 0x1E, 407, 0, 4, "secp160r2" }, /* 406 */ + { 0x1F, 408, 0, 4, "secp192k1" }, /* 407 */ + { 0x20, 409, 0, 4, "secp224k1" }, /* 408 */ + { 0x21, 410, 0, 4, "secp224r1" }, /* 409 */ + { 0x22, 411, 0, 4, "secp384r1" }, /* 410 */ + { 0x23, 412, 0, 4, "secp521r1" }, /* 411 */ + { 0x24, 413, 0, 4, "sect409k1" }, /* 412 */ + { 0x25, 414, 0, 4, "sect409r1" }, /* 413 */ + { 0x26, 415, 0, 4, "sect571k1" }, /* 414 */ + { 0x27, 0, 0, 4, "sect571r1" }, /* 415 */ + {0x60, 470, 1, 0, "" }, /* 416 */ + { 0x86, 0, 1, 1, "" }, /* 417 */ + { 0x48, 0, 1, 2, "" }, /* 418 */ + { 0x01, 0, 1, 3, "organization" }, /* 419 */ + { 0x65, 446, 1, 4, "gov" }, /* 420 */ + { 0x03, 0, 1, 5, "csor" }, /* 421 */ + { 0x04, 0, 1, 6, "nistalgorithm" }, /* 422 */ + { 0x01, 433, 1, 7, "aes" }, /* 423 */ + { 0x02, 425, 0, 8, "id-aes128-CBC" }, /* 424 */ + { 0x06, 426, 0, 8, "id-aes128-GCM" }, /* 425 */ + { 0x07, 427, 0, 8, "id-aes128-CCM" }, /* 426 */ + { 0x16, 428, 0, 8, "id-aes192-CBC" }, /* 427 */ + { 0x1A, 429, 0, 8, "id-aes192-GCM" }, /* 428 */ + { 0x1B, 430, 0, 8, "id-aes192-CCM" }, /* 429 */ + { 0x2A, 431, 0, 8, "id-aes256-CBC" }, /* 430 */ + { 0x2E, 432, 0, 8, "id-aes256-GCM" }, /* 431 */ + { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 432 */ + { 0x02, 0, 1, 7, "hashalgs" }, /* 433 */ + { 0x01, 435, 0, 8, "id-sha256" }, /* 434 */ + { 0x02, 436, 0, 8, "id-sha384" }, /* 435 */ + { 0x03, 437, 0, 8, "id-sha512" }, /* 436 */ + { 0x04, 438, 0, 8, "id-sha224" }, /* 437 */ + { 0x05, 439, 0, 8, "id-sha512-224" }, /* 438 */ + { 0x06, 440, 0, 8, "id-sha512-256" }, /* 439 */ + { 0x07, 441, 0, 8, "id-sha3-224" }, /* 440 */ + { 0x08, 442, 0, 8, "id-sha3-256" }, /* 441 */ + { 0x09, 443, 0, 8, "id-sha3-384" }, /* 442 */ + { 0x0A, 444, 0, 8, "id-sha3-512" }, /* 443 */ + { 0x0B, 445, 0, 8, "id-shake128" }, /* 444 */ + { 0x0C, 0, 0, 8, "id-shake256" }, /* 445 */ + { 0x86, 0, 1, 4, "" }, /* 446 */ + { 0xf8, 0, 1, 5, "" }, /* 447 */ + { 0x42, 460, 1, 6, "netscape" }, /* 448 */ + { 0x01, 455, 1, 7, "" }, /* 449 */ + { 0x01, 451, 0, 8, "nsCertType" }, /* 450 */ + { 0x03, 452, 0, 8, "nsRevocationUrl" }, /* 451 */ + { 0x04, 453, 0, 8, "nsCaRevocationUrl" }, /* 452 */ + { 0x08, 454, 0, 8, "nsCaPolicyUrl" }, /* 453 */ + { 0x0d, 0, 0, 8, "nsComment" }, /* 454 */ + { 0x03, 458, 1, 7, "directory" }, /* 455 */ + { 0x01, 0, 1, 8, "" }, /* 456 */ + { 0x03, 0, 0, 9, "employeeNumber" }, /* 457 */ + { 0x04, 0, 1, 7, "policy" }, /* 458 */ + { 0x01, 0, 0, 8, "nsSGC" }, /* 459 */ + { 0x45, 0, 1, 6, "verisign" }, /* 460 */ + { 0x01, 0, 1, 7, "pki" }, /* 461 */ + { 0x09, 0, 1, 8, "attributes" }, /* 462 */ + { 0x02, 464, 0, 9, "messageType" }, /* 463 */ + { 0x03, 465, 0, 9, "pkiStatus" }, /* 464 */ + { 0x04, 466, 0, 9, "failInfo" }, /* 465 */ + { 0x05, 467, 0, 9, "senderNonce" }, /* 466 */ + { 0x06, 468, 0, 9, "recipientNonce" }, /* 467 */ + { 0x07, 469, 0, 9, "transID" }, /* 468 */ + { 0x08, 0, 0, 9, "extensionReq" }, /* 469 */ + {0x67, 0, 1, 0, "" }, /* 470 */ + { 0x81, 0, 1, 1, "" }, /* 471 */ + { 0x05, 0, 1, 2, "" }, /* 472 */ + { 0x02, 0, 1, 3, "tcg-attribute" }, /* 473 */ + { 0x01, 475, 0, 4, "tcg-at-tpmManufacturer" }, /* 474 */ + { 0x02, 476, 0, 4, "tcg-at-tpmModel" }, /* 475 */ + { 0x03, 477, 0, 4, "tcg-at-tpmVersion" }, /* 476 */ + { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 477 */ }; diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h index 0f7c5d644..b9ed08d2e 100644 --- a/src/libstrongswan/asn1/oid.h +++ b/src/libstrongswan/asn1/oid.h @@ -150,103 +150,110 @@ extern const oid_t oid_names[]; #define OID_BLISS_B_II 221 #define OID_BLISS_B_III 222 #define OID_BLISS_B_IV 223 -#define OID_BLISS_WITH_SHA512 225 -#define OID_BLISS_WITH_SHA384 226 -#define OID_BLISS_WITH_SHA256 227 -#define OID_TCGID 234 -#define OID_BLOWFISH_CBC 238 -#define OID_AUTHORITY_INFO_ACCESS 282 -#define OID_IP_ADDR_BLOCKS 284 -#define OID_POLICY_QUALIFIER_CPS 286 -#define OID_POLICY_QUALIFIER_UNOTICE 287 -#define OID_SERVER_AUTH 289 -#define OID_CLIENT_AUTH 290 -#define OID_OCSP_SIGNING 297 -#define OID_XMPP_ADDR 303 -#define OID_AUTHENTICATION_INFO 307 -#define OID_ACCESS_IDENTITY 308 -#define OID_CHARGING_IDENTITY 309 -#define OID_GROUP 310 -#define OID_OCSP 313 -#define OID_BASIC 314 -#define OID_NONCE 315 -#define OID_CRL 316 -#define OID_RESPONSE 317 -#define OID_NO_CHECK 318 -#define OID_ARCHIVE_CUTOFF 319 -#define OID_SERVICE_LOCATOR 320 -#define OID_CA_ISSUERS 321 -#define OID_IKE_INTERMEDIATE 326 -#define OID_DES_CBC 330 -#define OID_SHA1 331 -#define OID_SHA1_WITH_RSA_OIW 332 -#define OID_ECGDSA_PUBKEY 351 -#define OID_ECGDSA_SIG_WITH_RIPEMD160 354 -#define OID_ECGDSA_SIG_WITH_SHA1 355 -#define OID_ECGDSA_SIG_WITH_SHA224 356 -#define OID_ECGDSA_SIG_WITH_SHA256 357 -#define OID_ECGDSA_SIG_WITH_SHA384 358 -#define OID_ECGDSA_SIG_WITH_SHA512 359 -#define OID_SECT163K1 382 -#define OID_SECT163R1 383 -#define OID_SECT239K1 384 -#define OID_SECT113R1 385 -#define OID_SECT113R2 386 -#define OID_SECT112R1 387 -#define OID_SECT112R2 388 -#define OID_SECT160R1 389 -#define OID_SECT160K1 390 -#define OID_SECT256K1 391 -#define OID_SECT163R2 392 -#define OID_SECT283K1 393 -#define OID_SECT283R1 394 -#define OID_SECT131R1 395 -#define OID_SECT131R2 396 -#define OID_SECT193R1 397 -#define OID_SECT193R2 398 -#define OID_SECT233K1 399 -#define OID_SECT233R1 400 -#define OID_SECT128R1 401 -#define OID_SECT128R2 402 -#define OID_SECT160R2 403 -#define OID_SECT192K1 404 -#define OID_SECT224K1 405 -#define OID_SECT224R1 406 -#define OID_SECT384R1 407 -#define OID_SECT521R1 408 -#define OID_SECT409K1 409 -#define OID_SECT409R1 410 -#define OID_SECT571K1 411 -#define OID_SECT571R1 412 -#define OID_AES128_CBC 421 -#define OID_AES128_GCM 422 -#define OID_AES128_CCM 423 -#define OID_AES192_CBC 424 -#define OID_AES192_GCM 425 -#define OID_AES192_CCM 426 -#define OID_AES256_CBC 427 -#define OID_AES256_GCM 428 -#define OID_AES256_CCM 429 -#define OID_SHA256 431 -#define OID_SHA384 432 -#define OID_SHA512 433 -#define OID_SHA224 434 -#define OID_NS_REVOCATION_URL 448 -#define OID_NS_CA_REVOCATION_URL 449 -#define OID_NS_CA_POLICY_URL 450 -#define OID_NS_COMMENT 451 -#define OID_EMPLOYEE_NUMBER 454 -#define OID_PKI_MESSAGE_TYPE 460 -#define OID_PKI_STATUS 461 -#define OID_PKI_FAIL_INFO 462 -#define OID_PKI_SENDER_NONCE 463 -#define OID_PKI_RECIPIENT_NONCE 464 -#define OID_PKI_TRANS_ID 465 -#define OID_TPM_MANUFACTURER 471 -#define OID_TPM_MODEL 472 -#define OID_TPM_VERSION 473 -#define OID_TPM_ID_LABEL 474 +#define OID_BLISS_WITH_SHA2_512 225 +#define OID_BLISS_WITH_SHA2_384 226 +#define OID_BLISS_WITH_SHA2_256 227 +#define OID_BLISS_WITH_SHA3_512 228 +#define OID_BLISS_WITH_SHA3_384 229 +#define OID_BLISS_WITH_SHA3_256 230 +#define OID_TCGID 237 +#define OID_BLOWFISH_CBC 241 +#define OID_AUTHORITY_INFO_ACCESS 285 +#define OID_IP_ADDR_BLOCKS 287 +#define OID_POLICY_QUALIFIER_CPS 289 +#define OID_POLICY_QUALIFIER_UNOTICE 290 +#define OID_SERVER_AUTH 292 +#define OID_CLIENT_AUTH 293 +#define OID_OCSP_SIGNING 300 +#define OID_XMPP_ADDR 306 +#define OID_AUTHENTICATION_INFO 310 +#define OID_ACCESS_IDENTITY 311 +#define OID_CHARGING_IDENTITY 312 +#define OID_GROUP 313 +#define OID_OCSP 316 +#define OID_BASIC 317 +#define OID_NONCE 318 +#define OID_CRL 319 +#define OID_RESPONSE 320 +#define OID_NO_CHECK 321 +#define OID_ARCHIVE_CUTOFF 322 +#define OID_SERVICE_LOCATOR 323 +#define OID_CA_ISSUERS 324 +#define OID_IKE_INTERMEDIATE 329 +#define OID_DES_CBC 333 +#define OID_SHA1 334 +#define OID_SHA1_WITH_RSA_OIW 335 +#define OID_ECGDSA_PUBKEY 354 +#define OID_ECGDSA_SIG_WITH_RIPEMD160 357 +#define OID_ECGDSA_SIG_WITH_SHA1 358 +#define OID_ECGDSA_SIG_WITH_SHA224 359 +#define OID_ECGDSA_SIG_WITH_SHA256 360 +#define OID_ECGDSA_SIG_WITH_SHA384 361 +#define OID_ECGDSA_SIG_WITH_SHA512 362 +#define OID_SECT163K1 385 +#define OID_SECT163R1 386 +#define OID_SECT239K1 387 +#define OID_SECT113R1 388 +#define OID_SECT113R2 389 +#define OID_SECT112R1 390 +#define OID_SECT112R2 391 +#define OID_SECT160R1 392 +#define OID_SECT160K1 393 +#define OID_SECT256K1 394 +#define OID_SECT163R2 395 +#define OID_SECT283K1 396 +#define OID_SECT283R1 397 +#define OID_SECT131R1 398 +#define OID_SECT131R2 399 +#define OID_SECT193R1 400 +#define OID_SECT193R2 401 +#define OID_SECT233K1 402 +#define OID_SECT233R1 403 +#define OID_SECT128R1 404 +#define OID_SECT128R2 405 +#define OID_SECT160R2 406 +#define OID_SECT192K1 407 +#define OID_SECT224K1 408 +#define OID_SECT224R1 409 +#define OID_SECT384R1 410 +#define OID_SECT521R1 411 +#define OID_SECT409K1 412 +#define OID_SECT409R1 413 +#define OID_SECT571K1 414 +#define OID_SECT571R1 415 +#define OID_AES128_CBC 424 +#define OID_AES128_GCM 425 +#define OID_AES128_CCM 426 +#define OID_AES192_CBC 427 +#define OID_AES192_GCM 428 +#define OID_AES192_CCM 429 +#define OID_AES256_CBC 430 +#define OID_AES256_GCM 431 +#define OID_AES256_CCM 432 +#define OID_SHA256 434 +#define OID_SHA384 435 +#define OID_SHA512 436 +#define OID_SHA224 437 +#define OID_SHA3_224 440 +#define OID_SHA3_256 441 +#define OID_SHA3_384 442 +#define OID_SHA3_512 443 +#define OID_NS_REVOCATION_URL 451 +#define OID_NS_CA_REVOCATION_URL 452 +#define OID_NS_CA_POLICY_URL 453 +#define OID_NS_COMMENT 454 +#define OID_EMPLOYEE_NUMBER 457 +#define OID_PKI_MESSAGE_TYPE 463 +#define OID_PKI_STATUS 464 +#define OID_PKI_FAIL_INFO 465 +#define OID_PKI_SENDER_NONCE 466 +#define OID_PKI_RECIPIENT_NONCE 467 +#define OID_PKI_TRANS_ID 468 +#define OID_TPM_MANUFACTURER 474 +#define OID_TPM_MODEL 475 +#define OID_TPM_VERSION 476 +#define OID_TPM_ID_LABEL 477 -#define OID_MAX 475 +#define OID_MAX 478 #endif /* OID_H_ */ diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt index 919d24c43..64dedcb33 100644 --- a/src/libstrongswan/asn1/oid.txt +++ b/src/libstrongswan/asn1/oid.txt @@ -223,9 +223,12 @@ 0x07 "BLISS-B-III" OID_BLISS_B_III 0x08 "BLISS-B-IV" OID_BLISS_B_IV 0x03 "blissSigType" - 0x01 "BLISS-with-SHA512" OID_BLISS_WITH_SHA512 - 0x02 "BLISS-with-SHA384" OID_BLISS_WITH_SHA384 - 0x03 "BLISS-with-SHA256" OID_BLISS_WITH_SHA256 + 0x01 "BLISS-with-SHA2-512" OID_BLISS_WITH_SHA2_512 + 0x02 "BLISS-with-SHA2-384" OID_BLISS_WITH_SHA2_384 + 0x03 "BLISS-with-SHA2-256" OID_BLISS_WITH_SHA2_256 + 0x04 "BLISS-with-SHA3-512" OID_BLISS_WITH_SHA3_512 + 0x05 "BLISS-with-SHA3-384" OID_BLISS_WITH_SHA3_384 + 0x06 "BLISS-with-SHA3-256" OID_BLISS_WITH_SHA3_256 0x89 "" 0x31 "" 0x01 "" @@ -435,10 +438,10 @@ 0x04 "id-sha224" OID_SHA224 0x05 "id-sha512-224" 0x06 "id-sha512-256" - 0x07 "id-sha3-224" - 0x08 "id-sha3-256" - 0x09 "id-sha3-384" - 0x0A "id-sha3-512" + 0x07 "id-sha3-224" OID_SHA3_224 + 0x08 "id-sha3-256" OID_SHA3_256 + 0x09 "id-sha3-384" OID_SHA3_384 + 0x0A "id-sha3-512" OID_SHA3_512 0x0B "id-shake128" 0x0C "id-shake256" 0x86 "" diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c index 1e93f021a..9988d8021 100644 --- a/src/libstrongswan/credentials/auth_cfg.c +++ b/src/libstrongswan/credentials/auth_cfg.c @@ -951,9 +951,9 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy { entry_t entry; - while (array_remove(other->entries, ARRAY_HEAD, &entry)) - { - array_insert(this->entries, ARRAY_TAIL, &entry); + while (array_remove(other->entries, ARRAY_TAIL, &entry)) + { /* keep order but prefer new values (esp. for single valued ones) */ + array_insert(this->entries, ARRAY_HEAD, &entry); } array_compress(other->entries); } diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c index bd5915e60..d6f211a34 100644 --- a/src/libstrongswan/credentials/keys/public_key.c +++ b/src/libstrongswan/credentials/keys/public_key.c @@ -1,7 +1,7 @@ /* * Copyright (C) 2015 Tobias Brunner * Copyright (C) 2007 Martin Willi - * Copyright (C) 2014 Andreas Steffen + * Copyright (C) 2014-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ ENUM(key_type_names, KEY_ANY, KEY_BLISS, "BLISS" ); -ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_WITH_SHA512, +ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_WITH_SHA3_512, "UNKNOWN", "RSA_EMSA_PKCS1_NULL", "RSA_EMSA_PKCS1_MD5", @@ -44,9 +44,12 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_WITH_SHA512, "ECDSA-256", "ECDSA-384", "ECDSA-521", - "BLISS_WITH_SHA256", - "BLISS_WITH_SHA384", - "BLISS_WITH_SHA512", + "BLISS_WITH_SHA2_256", + "BLISS_WITH_SHA2_384", + "BLISS_WITH_SHA2_512", + "BLISS_WITH_SHA3_256", + "BLISS_WITH_SHA3_384", + "BLISS_WITH_SHA3_512", ); ENUM(encryption_scheme_names, ENCRYPT_UNKNOWN, ENCRYPT_RSA_OAEP_SHA512, @@ -137,12 +140,18 @@ signature_scheme_t signature_scheme_from_oid(int oid) case OID_ECDSA_WITH_SHA512: return SIGN_ECDSA_WITH_SHA512_DER; case OID_BLISS_PUBLICKEY: - case OID_BLISS_WITH_SHA512: - return SIGN_BLISS_WITH_SHA512; - case OID_BLISS_WITH_SHA256: - return SIGN_BLISS_WITH_SHA256; - case OID_BLISS_WITH_SHA384: - return SIGN_BLISS_WITH_SHA384; + case OID_BLISS_WITH_SHA2_512: + return SIGN_BLISS_WITH_SHA2_512; + case OID_BLISS_WITH_SHA2_384: + return SIGN_BLISS_WITH_SHA2_384; + case OID_BLISS_WITH_SHA2_256: + return SIGN_BLISS_WITH_SHA2_256; + case OID_BLISS_WITH_SHA3_512: + return SIGN_BLISS_WITH_SHA3_512; + case OID_BLISS_WITH_SHA3_384: + return SIGN_BLISS_WITH_SHA3_384; + case OID_BLISS_WITH_SHA3_256: + return SIGN_BLISS_WITH_SHA3_256; } return SIGN_UNKNOWN; } @@ -181,12 +190,18 @@ int signature_scheme_to_oid(signature_scheme_t scheme) return OID_ECDSA_WITH_SHA384; case SIGN_ECDSA_WITH_SHA512_DER: return OID_ECDSA_WITH_SHA512; - case SIGN_BLISS_WITH_SHA256: - return OID_BLISS_WITH_SHA256; - case SIGN_BLISS_WITH_SHA384: - return OID_BLISS_WITH_SHA384; - case SIGN_BLISS_WITH_SHA512: - return OID_BLISS_WITH_SHA512; + case SIGN_BLISS_WITH_SHA2_256: + return OID_BLISS_WITH_SHA2_256; + case SIGN_BLISS_WITH_SHA2_384: + return OID_BLISS_WITH_SHA2_384; + case SIGN_BLISS_WITH_SHA2_512: + return OID_BLISS_WITH_SHA2_512; + case SIGN_BLISS_WITH_SHA3_256: + return OID_BLISS_WITH_SHA3_256; + case SIGN_BLISS_WITH_SHA3_384: + return OID_BLISS_WITH_SHA3_384; + case SIGN_BLISS_WITH_SHA3_512: + return OID_BLISS_WITH_SHA3_512; } return OID_UNKNOWN; } @@ -207,9 +222,9 @@ static struct { { SIGN_ECDSA_WITH_SHA256_DER, KEY_ECDSA, 256 }, { SIGN_ECDSA_WITH_SHA384_DER, KEY_ECDSA, 384 }, { SIGN_ECDSA_WITH_SHA512_DER, KEY_ECDSA, 0 }, - { SIGN_BLISS_WITH_SHA256, KEY_BLISS, 128 }, - { SIGN_BLISS_WITH_SHA384, KEY_BLISS, 192 }, - { SIGN_BLISS_WITH_SHA512, KEY_BLISS, 0 }, + { SIGN_BLISS_WITH_SHA2_256, KEY_BLISS, 128 }, + { SIGN_BLISS_WITH_SHA2_384, KEY_BLISS, 192 }, + { SIGN_BLISS_WITH_SHA2_512, KEY_BLISS, 0 } }; /** @@ -284,9 +299,12 @@ key_type_t key_type_from_signature_scheme(signature_scheme_t scheme) case SIGN_ECDSA_384: case SIGN_ECDSA_521: return KEY_ECDSA; - case SIGN_BLISS_WITH_SHA256: - case SIGN_BLISS_WITH_SHA384: - case SIGN_BLISS_WITH_SHA512: + case SIGN_BLISS_WITH_SHA2_256: + case SIGN_BLISS_WITH_SHA2_384: + case SIGN_BLISS_WITH_SHA2_512: + case SIGN_BLISS_WITH_SHA3_256: + case SIGN_BLISS_WITH_SHA3_384: + case SIGN_BLISS_WITH_SHA3_512: return KEY_BLISS; } return KEY_ANY; diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h index 66e98b294..ce48f9b7e 100644 --- a/src/libstrongswan/credentials/keys/public_key.h +++ b/src/libstrongswan/credentials/keys/public_key.h @@ -1,7 +1,7 @@ /* * Copyright (C) 2015 Tobias Brunner * Copyright (C) 2007 Martin Willi - * Copyright (C) 2014 Andreas Steffen + * Copyright (C) 2014-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -94,12 +94,18 @@ enum signature_scheme_t { SIGN_ECDSA_384, /** ECDSA on the P-521 curve with SHA-512 as in RFC 4754 */ SIGN_ECDSA_521, - /** BLISS with SHA-256 */ - SIGN_BLISS_WITH_SHA256, - /** BLISS with SHA-384 */ - SIGN_BLISS_WITH_SHA384, - /** BLISS with SHA-512 */ - SIGN_BLISS_WITH_SHA512, + /** BLISS with SHA-2_256 */ + SIGN_BLISS_WITH_SHA2_256, + /** BLISS with SHA-2_384 */ + SIGN_BLISS_WITH_SHA2_384, + /** BLISS with SHA-2_512 */ + SIGN_BLISS_WITH_SHA2_512, + /** BLISS with SHA-3_256 */ + SIGN_BLISS_WITH_SHA3_256, + /** BLISS with SHA-3_384 */ + SIGN_BLISS_WITH_SHA3_384, + /** BLISS with SHA-3_512 */ + SIGN_BLISS_WITH_SHA3_512, }; /** diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c index 38eebea9c..e220593d4 100644 --- a/src/libstrongswan/crypto/hashers/hasher.c +++ b/src/libstrongswan/crypto/hashers/hasher.c @@ -1,8 +1,9 @@ /* * Copyright (C) 2012-2015 Tobias Brunner + * Copyright (C) 2015 Andreas Steffen * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -24,26 +25,34 @@ ENUM_BEGIN(hash_algorithm_names, HASH_SHA1, HASH_SHA512, "HASH_SHA256", "HASH_SHA384", "HASH_SHA512"); -ENUM_NEXT(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA224, HASH_SHA512, +ENUM_NEXT(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_SHA512, "HASH_UNKNOWN", "HASH_MD2", "HASH_MD4", "HASH_MD5", - "HASH_SHA224"); -ENUM_END(hash_algorithm_names, HASH_SHA224); + "HASH_SHA224", + "HASH_SHA3_224", + "HASH_SHA3_256", + "HASH_SHA3_384", + "HASH_SHA3_512"); +ENUM_END(hash_algorithm_names, HASH_SHA3_512); ENUM_BEGIN(hash_algorithm_short_names, HASH_SHA1, HASH_SHA512, "sha1", "sha256", "sha384", "sha512"); -ENUM_NEXT(hash_algorithm_short_names, HASH_UNKNOWN, HASH_SHA224, HASH_SHA512, +ENUM_NEXT(hash_algorithm_short_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_SHA512, "unknown", "md2", "md4", "md5", - "sha224"); -ENUM_END(hash_algorithm_short_names, HASH_SHA224); + "sha224", + "sha3_224", + "sha3_256", + "sha3_384", + "sha3_512"); +ENUM_END(hash_algorithm_short_names, HASH_SHA3_512); /* * Described in header. @@ -73,6 +82,14 @@ hash_algorithm_t hasher_algorithm_from_oid(int oid) case OID_SHA512: case OID_SHA512_WITH_RSA: return HASH_SHA512; + case OID_SHA3_224: + return HASH_SHA3_224; + case OID_SHA3_256: + return HASH_SHA3_256; + case OID_SHA3_384: + return HASH_SHA3_384; + case OID_SHA3_512: + return HASH_SHA3_512; default: return HASH_UNKNOWN; } @@ -242,6 +259,10 @@ integrity_algorithm_t hasher_algorithm_to_integrity(hash_algorithm_t alg, case HASH_MD2: case HASH_MD4: case HASH_SHA224: + case HASH_SHA3_224: + case HASH_SHA3_256: + case HASH_SHA3_384: + case HASH_SHA3_512: case HASH_UNKNOWN: break; } @@ -265,6 +286,10 @@ bool hasher_algorithm_for_ikev2(hash_algorithm_t alg) case HASH_MD4: case HASH_MD5: case HASH_SHA224: + case HASH_SHA3_224: + case HASH_SHA3_256: + case HASH_SHA3_384: + case HASH_SHA3_512: break; } return FALSE; @@ -300,6 +325,18 @@ int hasher_algorithm_to_oid(hash_algorithm_t alg) case HASH_SHA512: oid = OID_SHA512; break; + case HASH_SHA3_224: + oid = OID_SHA3_224; + break; + case HASH_SHA3_256: + oid = OID_SHA3_256; + break; + case HASH_SHA3_384: + oid = OID_SHA3_384; + break; + case HASH_SHA3_512: + oid = OID_SHA3_512; + break; default: oid = OID_UNKNOWN; } @@ -351,11 +388,17 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key) switch (alg) { case HASH_SHA256: - return OID_BLISS_WITH_SHA256; + return OID_BLISS_WITH_SHA2_256; case HASH_SHA384: - return OID_BLISS_WITH_SHA384; + return OID_BLISS_WITH_SHA2_384; case HASH_SHA512: - return OID_BLISS_WITH_SHA512; + return OID_BLISS_WITH_SHA2_512; + case HASH_SHA3_256: + return OID_BLISS_WITH_SHA3_256; + case HASH_SHA3_384: + return OID_BLISS_WITH_SHA3_384; + case HASH_SHA3_512: + return OID_BLISS_WITH_SHA3_512; default: return OID_UNKNOWN; } @@ -385,18 +428,24 @@ hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme) case SIGN_RSA_EMSA_PKCS1_SHA256: case SIGN_ECDSA_WITH_SHA256_DER: case SIGN_ECDSA_256: - case SIGN_BLISS_WITH_SHA256: + case SIGN_BLISS_WITH_SHA2_256: return HASH_SHA256; case SIGN_RSA_EMSA_PKCS1_SHA384: case SIGN_ECDSA_WITH_SHA384_DER: case SIGN_ECDSA_384: - case SIGN_BLISS_WITH_SHA384: + case SIGN_BLISS_WITH_SHA2_384: return HASH_SHA384; case SIGN_RSA_EMSA_PKCS1_SHA512: case SIGN_ECDSA_WITH_SHA512_DER: case SIGN_ECDSA_521: - case SIGN_BLISS_WITH_SHA512: + case SIGN_BLISS_WITH_SHA2_512: return HASH_SHA512; + case SIGN_BLISS_WITH_SHA3_256: + return HASH_SHA3_256; + case SIGN_BLISS_WITH_SHA3_384: + return HASH_SHA3_384; + case SIGN_BLISS_WITH_SHA3_512: + return HASH_SHA3_512; } return HASH_UNKNOWN; } diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h index 772586308..272502cf0 100644 --- a/src/libstrongswan/crypto/hashers/hasher.h +++ b/src/libstrongswan/crypto/hashers/hasher.h @@ -45,6 +45,10 @@ enum hash_algorithm_t { HASH_MD4 = 1026, HASH_MD5 = 1027, HASH_SHA224 = 1028, + HASH_SHA3_224 = 1029, + HASH_SHA3_256 = 1030, + HASH_SHA3_384 = 1031, + HASH_SHA3_512 = 1032 }; #define HASH_SIZE_MD2 16 diff --git a/src/libstrongswan/crypto/iv/iv_gen.c b/src/libstrongswan/crypto/iv/iv_gen.c index 7d6570a74..c70627723 100644 --- a/src/libstrongswan/crypto/iv/iv_gen.c +++ b/src/libstrongswan/crypto/iv/iv_gen.c @@ -1,4 +1,7 @@ /* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * * Copyright (C) 2015 Martin Willi * Copyright (C) 2015 revosec AG * @@ -16,6 +19,7 @@ #include "iv_gen.h" #include "iv_gen_rand.h" #include "iv_gen_seq.h" +#include "iv_gen_null.h" /** * See header. @@ -52,6 +56,7 @@ iv_gen_t* iv_gen_create_for_alg(encryption_algorithm_t alg) case ENCR_NULL_AUTH_AES_GMAC: return iv_gen_seq_create(); case ENCR_NULL: + return iv_gen_null_create(); case ENCR_UNDEFINED: case ENCR_DES_ECB: case ENCR_DES_IV32: diff --git a/src/libstrongswan/crypto/iv/iv_gen_null.c b/src/libstrongswan/crypto/iv/iv_gen_null.c new file mode 100644 index 000000000..b13de0674 --- /dev/null +++ b/src/libstrongswan/crypto/iv/iv_gen_null.c @@ -0,0 +1,63 @@ +/* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "iv_gen_null.h" + +typedef struct private_iv_gen_t private_iv_gen_t; + +/** + * Private data of an iv_gen_t object. + */ +struct private_iv_gen_t { + + /** + * Public iv_gen_t interface. + */ + iv_gen_t public; +}; + +METHOD(iv_gen_t, get_iv, bool, + private_iv_gen_t *this, u_int64_t seq, size_t size, u_int8_t *buffer) +{ + return size == 0; +} + +METHOD(iv_gen_t, allocate_iv, bool, + private_iv_gen_t *this, u_int64_t seq, size_t size, chunk_t *chunk) +{ + *chunk = chunk_empty; + return size == 0; +} + +METHOD(iv_gen_t, destroy, void, + private_iv_gen_t *this) +{ + free(this); +} + +iv_gen_t *iv_gen_null_create() +{ + private_iv_gen_t *this; + + INIT(this, + .public = { + .get_iv = _get_iv, + .allocate_iv = _allocate_iv, + .destroy = _destroy, + }, + ); + + return &this->public; +} diff --git a/src/libstrongswan/crypto/iv/iv_gen_null.h b/src/libstrongswan/crypto/iv/iv_gen_null.h new file mode 100644 index 000000000..b63f0c3e9 --- /dev/null +++ b/src/libstrongswan/crypto/iv/iv_gen_null.h @@ -0,0 +1,32 @@ +/* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @{ @ingroup iv + */ + +#ifndef IV_GEN_NULL_H_ +#define IV_GEN_NULL_H_ + +#include + +/** + * Create an IV generator that does not actually generate an IV. + * + * @return IV generator + */ +iv_gen_t *iv_gen_null_create(); + +#endif /** IV_GEN_NULL_H_ @}*/ diff --git a/src/libstrongswan/plugins/bliss/bliss_plugin.c b/src/libstrongswan/plugins/bliss/bliss_plugin.c index 07597c318..4adcf1e76 100644 --- a/src/libstrongswan/plugins/bliss/bliss_plugin.c +++ b/src/libstrongswan/plugins/bliss/bliss_plugin.c @@ -55,19 +55,31 @@ METHOD(plugin_t, get_features, int, PLUGIN_REGISTER(PUBKEY, bliss_public_key_load, TRUE), PLUGIN_PROVIDE(PUBKEY, KEY_ANY), /* signature schemes, private */ - PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA256), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA2_256), PLUGIN_DEPENDS(HASHER, HASH_SHA256), - PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA384), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA2_384), PLUGIN_DEPENDS(HASHER, HASH_SHA384), - PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA512), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA2_512), PLUGIN_DEPENDS(HASHER, HASH_SHA512), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA3_256), + PLUGIN_DEPENDS(HASHER, HASH_SHA3_256), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA3_384), + PLUGIN_DEPENDS(HASHER, HASH_SHA3_384), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA3_512), + PLUGIN_DEPENDS(HASHER, HASH_SHA3_512), /* signature verification schemes */ - PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA256), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA2_256), PLUGIN_DEPENDS(HASHER, HASH_SHA256), - PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA384), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA2_384), PLUGIN_DEPENDS(HASHER, HASH_SHA384), - PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA512), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA2_512), PLUGIN_DEPENDS(HASHER, HASH_SHA512), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA3_256), + PLUGIN_DEPENDS(HASHER, HASH_SHA3_256), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA3_384), + PLUGIN_DEPENDS(HASHER, HASH_SHA3_384), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA3_512), + PLUGIN_DEPENDS(HASHER, HASH_SHA3_512), }; *features = f; diff --git a/src/libstrongswan/plugins/bliss/bliss_private_key.c b/src/libstrongswan/plugins/bliss/bliss_private_key.c index 1386eeb2d..20bbc6ac5 100644 --- a/src/libstrongswan/plugins/bliss/bliss_private_key.c +++ b/src/libstrongswan/plugins/bliss/bliss_private_key.c @@ -511,12 +511,18 @@ METHOD(private_key_t, sign, bool, { switch (scheme) { - case SIGN_BLISS_WITH_SHA256: + case SIGN_BLISS_WITH_SHA2_256: return sign_bliss(this, HASH_SHA256, data, signature); - case SIGN_BLISS_WITH_SHA384: + case SIGN_BLISS_WITH_SHA2_384: return sign_bliss(this, HASH_SHA384, data, signature); - case SIGN_BLISS_WITH_SHA512: + case SIGN_BLISS_WITH_SHA2_512: return sign_bliss(this, HASH_SHA512, data, signature); + case SIGN_BLISS_WITH_SHA3_256: + return sign_bliss(this, HASH_SHA3_256, data, signature); + case SIGN_BLISS_WITH_SHA3_384: + return sign_bliss(this, HASH_SHA3_384, data, signature); + case SIGN_BLISS_WITH_SHA3_512: + return sign_bliss(this, HASH_SHA3_512, data, signature); default: DBG1(DBG_LIB, "signature scheme %N not supported with BLISS", signature_scheme_names, scheme); diff --git a/src/libstrongswan/plugins/bliss/bliss_public_key.c b/src/libstrongswan/plugins/bliss/bliss_public_key.c index 2b305f6c2..93d1165eb 100644 --- a/src/libstrongswan/plugins/bliss/bliss_public_key.c +++ b/src/libstrongswan/plugins/bliss/bliss_public_key.c @@ -193,12 +193,18 @@ METHOD(public_key_t, verify, bool, { switch (scheme) { - case SIGN_BLISS_WITH_SHA256: + case SIGN_BLISS_WITH_SHA2_256: return verify_bliss(this, HASH_SHA256, data, signature); - case SIGN_BLISS_WITH_SHA384: + case SIGN_BLISS_WITH_SHA2_384: return verify_bliss(this, HASH_SHA384, data, signature); - case SIGN_BLISS_WITH_SHA512: + case SIGN_BLISS_WITH_SHA2_512: return verify_bliss(this, HASH_SHA512, data, signature); + case SIGN_BLISS_WITH_SHA3_256: + return verify_bliss(this, HASH_SHA3_256, data, signature); + case SIGN_BLISS_WITH_SHA3_384: + return verify_bliss(this, HASH_SHA3_384, data, signature); + case SIGN_BLISS_WITH_SHA3_512: + return verify_bliss(this, HASH_SHA3_512, data, signature); default: DBG1(DBG_LIB, "signature scheme %N not supported by BLISS", signature_scheme_names, scheme); diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c index 8b4e9cbf0..a3e4420a9 100644 --- a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c +++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c @@ -36,13 +36,13 @@ START_TEST(test_bliss_sign_all) switch (k) { case 1: - signature_scheme = SIGN_BLISS_WITH_SHA256; + signature_scheme = SIGN_BLISS_WITH_SHA2_256; break; case 2: - signature_scheme = SIGN_BLISS_WITH_SHA384; + signature_scheme = SIGN_BLISS_WITH_SHA2_384; break; default: - signature_scheme = SIGN_BLISS_WITH_SHA512; + signature_scheme = SIGN_BLISS_WITH_SHA2_512; } /* enforce BLISS-B key for k = 2, 3 */ @@ -176,14 +176,14 @@ START_TEST(test_bliss_sign_fail) /* generate valid signature */ msg = chunk_from_str("Hello Dolly!"); - ck_assert(privkey->sign(privkey, SIGN_BLISS_WITH_SHA512, msg, &signature)); + ck_assert(privkey->sign(privkey, SIGN_BLISS_WITH_SHA2_512, msg, &signature)); /* verify with invalid signature scheme */ ck_assert(!pubkey->verify(pubkey, SIGN_UNKNOWN, msg, signature)); /* corrupt signature */ signature.ptr[signature.len - 1] ^= 0x80; - ck_assert(!pubkey->verify(pubkey, SIGN_BLISS_WITH_SHA512, msg, signature)); + ck_assert(!pubkey->verify(pubkey, SIGN_BLISS_WITH_SHA2_512, msg, signature)); free(signature.ptr); privkey->destroy(privkey); diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c index 7653c1986..9207f11b6 100644 --- a/src/libstrongswan/plugins/curl/curl_fetcher.c +++ b/src/libstrongswan/plugins/curl/curl_fetcher.c @@ -123,7 +123,7 @@ METHOD(fetcher_t, fetch, status_t, curl_easy_setopt(this->curl, CURLOPT_HTTPHEADER, this->headers); } - DBG2(DBG_LIB, " sending http request to '%s'...", uri); + DBG2(DBG_LIB, " sending request to '%s'...", uri); curl_status = curl_easy_perform(this->curl); switch (curl_status) { @@ -137,10 +137,10 @@ METHOD(fetcher_t, fetch, status_t, { *this->result = result; } - status = (result >= 200 && result < 300) ? SUCCESS : FAILED; + status = (result < 400) ? SUCCESS : FAILED; break; default: - DBG1(DBG_LIB, "libcurl http request failed [%d]: %s", curl_status, + DBG1(DBG_LIB, "libcurl request failed [%d]: %s", curl_status, error); status = FAILED; break; diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c index cac442fc0..49ec48804 100644 --- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c @@ -18,6 +18,7 @@ #ifndef OPENSSL_NO_DH +#include #include #include "openssl_diffie_hellman.h" diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c index a1af500e2..11d6e8ec5 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c @@ -17,6 +17,7 @@ #ifndef OPENSSL_NO_EC +#include #include #include #include diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c index 10a35c1fd..de02f302d 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c @@ -23,6 +23,7 @@ #include +#include #include #include #ifndef OPENSSL_NO_ENGINE diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c index aa54d3bbd..db928569f 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c @@ -23,6 +23,7 @@ #include +#include #include #include #include diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c index 0e61086b1..2f9813701 100644 --- a/src/libstrongswan/plugins/openssl/openssl_util.c +++ b/src/libstrongswan/plugins/openssl/openssl_util.c @@ -18,6 +18,7 @@ #include +#include #include #include diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c index f7ac347d2..01d0495be 100644 --- a/src/libstrongswan/plugins/plugin_loader.c +++ b/src/libstrongswan/plugins/plugin_loader.c @@ -356,6 +356,7 @@ static plugin_entry_t *load_plugin(private_plugin_loader_t *this, char *name, { plugin_entry_t *entry; void *handle; + int flag = RTLD_LAZY; switch (create_plugin(this, RTLD_DEFAULT, name, FALSE, critical, &entry)) { @@ -380,15 +381,19 @@ static plugin_entry_t *load_plugin(private_plugin_loader_t *this, char *name, return NULL; } } - handle = dlopen(file, RTLD_LAZY + if (lib->settings->get_bool(lib->settings, "%s.dlopen_use_rtld_now", + lib->ns, FALSE)) + { + flag = RTLD_NOW; + } #ifdef RTLD_NODELETE - /* if supported, do not unload library when unloading a plugin. It really - * doesn't matter in productive systems, but causes many (dependency) - * library reloads during unit tests. Some libraries can't handle that, + /* If supported, do not unload the library when unloading a plugin. It + * really doesn't matter in productive systems, but causes many (dependency) + * library reloads during unit tests. Some libraries can't handle that, e.g. * GnuTLS leaks file descriptors in its library load/unload functions. */ - | RTLD_NODELETE + flag |= RTLD_NODELETE; #endif - ); + handle = dlopen(file, flag); if (handle == NULL) { DBG1(DBG_LIB, "plugin '%s' failed to load: %s", name, dlerror()); diff --git a/src/libstrongswan/plugins/random/random_rng.c b/src/libstrongswan/plugins/random/random_rng.c index 36d5446b8..177b3c2e5 100644 --- a/src/libstrongswan/plugins/random/random_rng.c +++ b/src/libstrongswan/plugins/random/random_rng.c @@ -56,6 +56,7 @@ METHOD(rng_t, get_bytes, bool, DBG1(DBG_LIB, "reading from random FD %d failed: %s, retrying...", this->fd, strerror(errno)); sleep(1); + continue; } done += got; } diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c index 9fd5b2a22..fdcb9902b 100644 --- a/src/libstrongswan/plugins/revocation/revocation_validator.c +++ b/src/libstrongswan/plugins/revocation/revocation_validator.c @@ -367,7 +367,7 @@ static certificate_t* fetch_crl(char *url) return NULL; } crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, - BUILD_BLOB_ASN1_DER, chunk, BUILD_END); + BUILD_BLOB_PEM, chunk, BUILD_END); chunk_free(&chunk); if (!crl) { diff --git a/src/libstrongswan/plugins/sha3/Makefile.am b/src/libstrongswan/plugins/sha3/Makefile.am new file mode 100644 index 000000000..7ccf58ce6 --- /dev/null +++ b/src/libstrongswan/plugins/sha3/Makefile.am @@ -0,0 +1,16 @@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-sha3.la +else +plugin_LTLIBRARIES = libstrongswan-sha3.la +endif + +libstrongswan_sha3_la_SOURCES = \ + sha3_plugin.h sha3_plugin.c sha3_hasher.c sha3_hasher.h + +libstrongswan_sha3_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/sha3/Makefile.in b/src/libstrongswan/plugins/sha3/Makefile.in new file mode 100644 index 000000000..3034ea537 --- /dev/null +++ b/src/libstrongswan/plugins/sha3/Makefile.in @@ -0,0 +1,774 @@ +# Makefile.in generated by automake 1.14.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libstrongswan/plugins/sha3 +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/depcomp +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_sha3_la_LIBADD = +am_libstrongswan_sha3_la_OBJECTS = sha3_plugin.lo sha3_hasher.lo +libstrongswan_sha3_la_OBJECTS = $(am_libstrongswan_sha3_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +libstrongswan_sha3_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_sha3_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_sha3_la_rpath = -rpath $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_sha3_la_rpath = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(libstrongswan_sha3_la_SOURCES) +DIST_SOURCES = $(libstrongswan_sha3_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = @systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-sha3.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-sha3.la +libstrongswan_sha3_la_SOURCES = \ + sha3_plugin.h sha3_plugin.c sha3_hasher.c sha3_hasher.h + +libstrongswan_sha3_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/sha3/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libstrongswan/plugins/sha3/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +libstrongswan-sha3.la: $(libstrongswan_sha3_la_OBJECTS) $(libstrongswan_sha3_la_DEPENDENCIES) $(EXTRA_libstrongswan_sha3_la_DEPENDENCIES) + $(AM_V_CCLD)$(libstrongswan_sha3_la_LINK) $(am_libstrongswan_sha3_la_rpath) $(libstrongswan_sha3_la_OBJECTS) $(libstrongswan_sha3_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha3_hasher.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha3_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + cscopelist-am ctags ctags-am distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-pluginLTLIBRARIES install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ + uninstall-am uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libstrongswan/plugins/sha3/sha3_hasher.c b/src/libstrongswan/plugins/sha3/sha3_hasher.c new file mode 100644 index 000000000..b34a02594 --- /dev/null +++ b/src/libstrongswan/plugins/sha3/sha3_hasher.c @@ -0,0 +1,527 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * Based on the implementation by the Keccak, Keyak and Ketje Teams, namely, + * Guido Bertoni, Joan Daemen, Michaël Peeters, Gilles Van Assche and + * Ronny Van Keer, hereby denoted as "the implementer". + * + * To the extent possible under law, the implementer has waived all copyright + * and related or neighboring rights to the source code in this file. + * http://creativecommons.org/publicdomain/zero/1.0/ + */ + +#include + +#include "sha3_hasher.h" + +typedef struct private_sha3_hasher_t private_sha3_hasher_t; + +#define KECCAK_STATE_SIZE 200 /* bytes */ +#define KECCAK_MAX_RATE 144 /* bytes */ +#define DELIMITED_SUFFIX 0x06 + +static const uint64_t round_constants[] = { + 0x0000000000000001ULL, + 0x0000000000008082ULL, + 0x800000000000808aULL, + 0x8000000080008000ULL, + 0x000000000000808bULL, + 0x0000000080000001ULL, + 0x8000000080008081ULL, + 0x8000000000008009ULL, + 0x000000000000008aULL, + 0x0000000000000088ULL, + 0x0000000080008009ULL, + 0x000000008000000aULL, + 0x000000008000808bULL, + 0x800000000000008bULL, + 0x8000000000008089ULL, + 0x8000000000008003ULL, + 0x8000000000008002ULL, + 0x8000000000000080ULL, + 0x000000000000800aULL, + 0x800000008000000aULL, + 0x8000000080008081ULL, + 0x8000000000008080ULL, + 0x0000000080000001ULL, + 0x8000000080008008ULL +}; + +/** + * Private data structure with hashing context for SHA-3 + */ +struct private_sha3_hasher_t { + + /** + * Public interface for this hasher. + */ + sha3_hasher_t public; + + /** + * SHA-3 algorithm to be used + */ + hash_algorithm_t algorithm; + + /** + * Internal state of 1600 bits as defined by FIPS-202 + */ + uint8_t state[KECCAK_STATE_SIZE]; + + /** + * Rate in bytes + */ + u_int rate; + + /** + * Rate input buffer + */ + uint8_t rate_buffer[KECCAK_MAX_RATE]; + + /** + * Index pointing to the current position in the rate buffer + */ + u_int rate_index; + +}; + +#if BYTE_ORDER != LITTLE_ENDIAN +/** + * Function to load a 64-bit value using the little-endian (LE) convention. + * On a LE platform, this could be greatly simplified using a cast. + */ +static uint64_t load64(const uint8_t *x) +{ + int i; + uint64_t u = 0; + + for (i = 7; i >= 0; --i) + { + u <<= 8; + u |= x[i]; + } + return u; +} + +/** + * Function to store a 64-bit value using the little-endian (LE) convention. + * On a LE platform, this could be greatly simplified using a cast. + */ +static void store64(uint8_t *x, uint64_t u) +{ + u_int i; + + for (i = 0; i < 8; ++i) + { + x[i] = u; + u >>= 8; + } +} + +/** + * Function to XOR into a 64-bit value using the little-endian (LE) convention. + * On a LE platform, this could be greatly simplified using a cast. + */ +static void xor64(uint8_t *x, uint64_t u) +{ + u_int i; + + for (i = 0; i < 8; ++i) + { + x[i] ^= u; + u >>= 8; + } +} +#endif + +/** + * Some macros used by the Keccak-f[1600] permutation. + */ +#define ROL64(a, offset) ((((uint64_t)a) << offset) ^ (((uint64_t)a) >> (64-offset))) + +#if BYTE_ORDER == LITTLE_ENDIAN + #define readLane(i) (((uint64_t*)state)[i]) + #define writeLane(i, lane) (((uint64_t*)state)[i]) = (lane) + #define XORLane(i, lane) (((uint64_t*)state)[i]) ^= (lane) +#elif BYTE_ORDER == BIG_ENDIAN + #define readLane(i) load64((uint8_t*)state+sizeof(uint64_t)*i)) + #define writeLane(i, lane) store64((uint8_t*)state+sizeof(uint64_t)*i, lane) + #define XORLane(i, lane) xor64((uint8_t*)state+sizeof(uint64_t)*i, lane) +#endif + +/** + * Function that computes the Keccak-f[1600] permutation on the given state. + */ +static void keccak_f1600_state_permute(void *state) +{ + int round; + + for (round = 0; round < 24; round++) + { + { /* θ step (see [Keccak Reference, Section 2.3.2]) */ + + uint64_t C[5], D; + + /* Compute the parity of the columns */ + C[0] = readLane(0) ^ readLane( 5) ^ readLane(10) + ^ readLane(15) ^ readLane(20); + C[1] = readLane(1) ^ readLane( 6) ^ readLane(11) + ^ readLane(16) ^ readLane(21); + C[2] = readLane(2) ^ readLane( 7) ^ readLane(12) + ^ readLane(17) ^ readLane(22); + C[3] = readLane(3) ^ readLane( 8) ^ readLane(13) + ^ readLane(18) ^ readLane(23); + C[4] = readLane(4) ^ readLane( 9) ^ readLane(14) + ^ readLane(19) ^ readLane(24); + + /* Compute and add the θ effect to the whole column */ + D = C[4] ^ ROL64(C[1], 1); + XORLane( 0, D); + XORLane( 5, D); + XORLane(10, D); + XORLane(15, D); + XORLane(20, D); + + D = C[0] ^ ROL64(C[2], 1); + XORLane( 1, D); + XORLane( 6, D); + XORLane(11, D); + XORLane(16, D); + XORLane(21, D); + + D = C[1] ^ ROL64(C[3], 1); + XORLane( 2, D); + XORLane( 7, D); + XORLane(12, D); + XORLane(17, D); + XORLane(22, D); + + D = C[2] ^ ROL64(C[4], 1); + XORLane( 3, D); + XORLane( 8, D); + XORLane(13, D); + XORLane(18, D); + XORLane(23, D); + + D = C[3] ^ ROL64(C[0], 1); + XORLane( 4, D); + XORLane( 9, D); + XORLane(14, D); + XORLane(19, D); + XORLane(24, D); + } + + { /* ρ and π steps (see [Keccak Reference, Sections 2.3.3 and 2.3.4]) */ + + uint64_t t1, t2; + + t1 = readLane( 1); + + t2 = readLane(10); + writeLane(10, ROL64(t1, 1)); + + t1 = readLane( 7); + writeLane( 7, ROL64(t2, 3)); + + t2 = readLane(11); + writeLane(11, ROL64(t1, 6)); + + t1 = readLane(17); + writeLane(17, ROL64(t2, 10)); + + t2 = readLane(18); + writeLane(18, ROL64(t1, 15)); + + t1 = readLane( 3); + writeLane( 3, ROL64(t2, 21)); + + t2 = readLane( 5); + writeLane( 5, ROL64(t1, 28)); + + t1 = readLane(16); + writeLane(16, ROL64(t2, 36)); + + t2 = readLane( 8); + writeLane( 8, ROL64(t1, 45)); + + t1 = readLane(21); + writeLane(21, ROL64(t2, 55)); + + t2 = readLane(24); + writeLane(24, ROL64(t1, 2)); + + t1 = readLane( 4); + writeLane( 4, ROL64(t2, 14)); + + t2 = readLane(15); + writeLane(15, ROL64(t1, 27)); + + t1 = readLane(23); + writeLane(23, ROL64(t2, 41)); + + t2 = readLane(19); + writeLane(19, ROL64(t1, 56)); + + t1 = readLane(13); + writeLane(13, ROL64(t2, 8)); + + t2 = readLane(12); + writeLane(12, ROL64(t1, 25)); + + t1 = readLane( 2); + writeLane( 2, ROL64(t2, 43)); + + t2 = readLane(20); + writeLane(20, ROL64(t1, 62)); + + t1 = readLane(14); + writeLane(14, ROL64(t2, 18)); + + t2 = readLane(22); + writeLane(22, ROL64(t1, 39)); + + t1 = readLane( 9); + writeLane( 9, ROL64(t2, 61)); + + t2 = readLane( 6); + writeLane( 6, ROL64(t1, 20)); + + writeLane( 1, ROL64(t2, 44)); + } + + { /* χ step (see [Keccak Reference, Section 2.3.1]) */ + + uint64_t t[5]; + + t[0] = readLane(0); + t[1] = readLane(1); + t[2] = readLane(2); + t[3] = readLane(3); + t[4] = readLane(4); + + writeLane(0, t[0] ^ ((~t[1]) & t[2])); + writeLane(1, t[1] ^ ((~t[2]) & t[3])); + writeLane(2, t[2] ^ ((~t[3]) & t[4])); + writeLane(3, t[3] ^ ((~t[4]) & t[0])); + writeLane(4, t[4] ^ ((~t[0]) & t[1])); + + t[0] = readLane(5); + t[1] = readLane(6); + t[2] = readLane(7); + t[3] = readLane(8); + t[4] = readLane(9); + + writeLane(5, t[0] ^ ((~t[1]) & t[2])); + writeLane(6, t[1] ^ ((~t[2]) & t[3])); + writeLane(7, t[2] ^ ((~t[3]) & t[4])); + writeLane(8, t[3] ^ ((~t[4]) & t[0])); + writeLane(9, t[4] ^ ((~t[0]) & t[1])); + + t[0] = readLane(10); + t[1] = readLane(11); + t[2] = readLane(12); + t[3] = readLane(13); + t[4] = readLane(14); + + writeLane(10, t[0] ^ ((~t[1]) & t[2])); + writeLane(11, t[1] ^ ((~t[2]) & t[3])); + writeLane(12, t[2] ^ ((~t[3]) & t[4])); + writeLane(13, t[3] ^ ((~t[4]) & t[0])); + writeLane(14, t[4] ^ ((~t[0]) & t[1])); + + t[0] = readLane(15); + t[1] = readLane(16); + t[2] = readLane(17); + t[3] = readLane(18); + t[4] = readLane(19); + + writeLane(15, t[0] ^ ((~t[1]) & t[2])); + writeLane(16, t[1] ^ ((~t[2]) & t[3])); + writeLane(17, t[2] ^ ((~t[3]) & t[4])); + writeLane(18, t[3] ^ ((~t[4]) & t[0])); + writeLane(19, t[4] ^ ((~t[0]) & t[1])); + + t[0] = readLane(20); + t[1] = readLane(21); + t[2] = readLane(22); + t[3] = readLane(23); + t[4] = readLane(24); + + writeLane(20, t[0] ^ ((~t[1]) & t[2])); + writeLane(21, t[1] ^ ((~t[2]) & t[3])); + writeLane(22, t[2] ^ ((~t[3]) & t[4])); + writeLane(23, t[3] ^ ((~t[4]) & t[0])); + writeLane(24, t[4] ^ ((~t[0]) & t[1])); + } + + { /* ι step (see [Keccak Reference, Section 2.3.5]) */ + + XORLane(0, round_constants[round]); + } + } +} + +METHOD(hasher_t, reset, bool, + private_sha3_hasher_t *this) +{ + memset(this->state, 0x00, KECCAK_STATE_SIZE); + this->rate_index = 0; + + return TRUE; +} + +METHOD(hasher_t, get_hash_size, size_t, + private_sha3_hasher_t *this) +{ + switch (this->algorithm) + { + case HASH_SHA3_224: + return HASH_SIZE_SHA224; + case HASH_SHA3_256: + return HASH_SIZE_SHA256; + case HASH_SHA3_384: + return HASH_SIZE_SHA384; + case HASH_SHA3_512: + return HASH_SIZE_SHA512; + default: + return 0; + } +} + +static void sha3_absorb(private_sha3_hasher_t *this, chunk_t data) +{ + uint64_t *buffer_lanes, *state_lanes; + size_t len, rate_lanes; + int i; + + buffer_lanes = (uint64_t*)this->rate_buffer; + state_lanes = (uint64_t*)this->state; + rate_lanes = this->rate / sizeof(uint64_t); + + while (data.len) + { + len = min(data.len, this->rate - this->rate_index); + memcpy(this->rate_buffer + this->rate_index, data.ptr, len); + this->rate_index += len; + data.ptr += len; + data.len -= len; + + if (this->rate_index == this->rate) + { + for (i = 0; i < rate_lanes; i++) + { + state_lanes[i] ^= buffer_lanes[i]; + } + this->rate_index = 0; + + keccak_f1600_state_permute(this->state); + } + } +} + +static void sha3_final(private_sha3_hasher_t *this) +{ + uint64_t *buffer_lanes, *state_lanes; + size_t rate_lanes, remainder; + int i; + + /* Add the delimitedSuffix as the first bit of padding */ + this->rate_buffer[this->rate_index++] = DELIMITED_SUFFIX; + + buffer_lanes = (uint64_t*)this->rate_buffer; + state_lanes = (uint64_t*)this->state; + rate_lanes = this->rate_index / sizeof(uint64_t); + + remainder = this->rate_index - rate_lanes * sizeof(uint64_t); + if (remainder) + { + memset(this->rate_buffer + this->rate_index, 0x00, + sizeof(uint64_t) - remainder); + rate_lanes++; + } + for (i = 0; i < rate_lanes; i++) + { + state_lanes[i] ^= buffer_lanes[i]; + } + + /* Add the second bit of padding */ + this->state[this->rate - 1] ^= 0x80; + + /* Switch to the squeezing phase */ + keccak_f1600_state_permute(this->state); +} + +METHOD(hasher_t, get_hash, bool, + private_sha3_hasher_t *this, chunk_t chunk, uint8_t *buffer) +{ + sha3_absorb(this, chunk); + + if (buffer != NULL) + { + sha3_final(this); + memcpy(buffer, this->state, get_hash_size(this)); + reset(this); + } + return TRUE; +} + +METHOD(hasher_t, allocate_hash, bool, + private_sha3_hasher_t *this, chunk_t chunk, chunk_t *hash) +{ + chunk_t allocated_hash; + + sha3_absorb(this, chunk); + + if (hash != NULL) + { + sha3_final(this); + allocated_hash = chunk_alloc(get_hash_size(this)); + memcpy(allocated_hash.ptr, this->state, allocated_hash.len); + reset(this); + *hash = allocated_hash; + } + return TRUE; +} + +METHOD(hasher_t, destroy, void, + sha3_hasher_t *this) +{ + free(this); +} + +/* + * Described in header. + */ +sha3_hasher_t *sha3_hasher_create(hash_algorithm_t algorithm) +{ + private_sha3_hasher_t *this; + + switch (algorithm) + { + case HASH_SHA3_224: + case HASH_SHA3_256: + case HASH_SHA3_384: + case HASH_SHA3_512: + break; + default: + return NULL; + } + + INIT(this, + .public = { + .hasher_interface = { + .reset = _reset, + .get_hash_size = _get_hash_size, + .get_hash = _get_hash, + .allocate_hash = _allocate_hash, + .destroy = _destroy, + }, + }, + .algorithm = algorithm, + ); + + this->rate = KECCAK_STATE_SIZE - 2*get_hash_size(this); + reset(this); + + return &this->public; +} diff --git a/src/libstrongswan/plugins/sha3/sha3_hasher.h b/src/libstrongswan/plugins/sha3/sha3_hasher.h new file mode 100644 index 000000000..2f18d35b0 --- /dev/null +++ b/src/libstrongswan/plugins/sha3/sha3_hasher.h @@ -0,0 +1,48 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup sha3_hasher sha3_hasher + * @{ @ingroup sha3_p + */ + +#ifndef SHA3_HASHER_H_ +#define SHA3_HASHER_H_ + +typedef struct sha3_hasher_t sha3_hasher_t; + +#include + +/** + * Implementation of hasher_t interface using the SHA-3 algorithm family + * SHA3_224, SHA3_256, SHA3_384 and SHA3_512 as defined by FIPS-202. + */ +struct sha3_hasher_t { + + /** + * Generic hasher_t interface for this hasher. + */ + hasher_t hasher_interface; +}; + +/** + * Creates a new sha3_hasher_t. + * + * @param algorithm HASH3_224, HASH_SHA3_256, HASH_SHA3_384 or HASH_SHA3_512 + * @return sha3_hasher_t object, NULL if not supported + */ +sha3_hasher_t *sha3_hasher_create(hash_algorithm_t algorithm); + +#endif /** SHA3_HASHER_H_ @}*/ diff --git a/src/libstrongswan/plugins/sha3/sha3_plugin.c b/src/libstrongswan/plugins/sha3/sha3_plugin.c new file mode 100644 index 000000000..28068f38e --- /dev/null +++ b/src/libstrongswan/plugins/sha3/sha3_plugin.c @@ -0,0 +1,79 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "sha3_plugin.h" + +#include +#include "sha3_hasher.h" + +typedef struct private_sha3_plugin_t private_sha3_plugin_t; + +/** + * private data of sha3_plugin + */ +struct private_sha3_plugin_t { + + /** + * public functions + */ + sha3_plugin_t public; +}; + +METHOD(plugin_t, get_name, char*, + private_sha3_plugin_t *this) +{ + return "sha3"; +} + +METHOD(plugin_t, get_features, int, + private_sha3_plugin_t *this, plugin_feature_t *features[]) +{ + static plugin_feature_t f[] = { + PLUGIN_REGISTER(HASHER, sha3_hasher_create), + PLUGIN_PROVIDE(HASHER, HASH_SHA3_224), + PLUGIN_PROVIDE(HASHER, HASH_SHA3_256), + PLUGIN_PROVIDE(HASHER, HASH_SHA3_384), + PLUGIN_PROVIDE(HASHER, HASH_SHA3_512), + }; + *features = f; + return countof(f); +} + +METHOD(plugin_t, destroy, void, + private_sha3_plugin_t *this) +{ + free(this); +} + +/* + * see header file + */ +plugin_t *sha3_plugin_create() +{ + private_sha3_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .get_name = _get_name, + .get_features = _get_features, + .destroy = _destroy, + }, + }, + ); + + return &this->public.plugin; +} + diff --git a/src/libstrongswan/plugins/sha3/sha3_plugin.h b/src/libstrongswan/plugins/sha3/sha3_plugin.h new file mode 100644 index 000000000..09c8e5d81 --- /dev/null +++ b/src/libstrongswan/plugins/sha3/sha3_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup sha3_p sha3 + * @ingroup plugins + * + * @defgroup sha3_plugin sha3_plugin + * @{ @ingroup sha3_p + */ + +#ifndef SHA3_PLUGIN_H_ +#define SHA3_PLUGIN_H_ + +#include + +typedef struct sha3_plugin_t sha3_plugin_t; + +/** + * Plugin implementing the SHA356, SHA384 and SHA512 algorithms in software. + */ +struct sha3_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** SHA3_PLUGIN_H_ @}*/ diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am index 72ba4ceef..ab540e78e 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.am +++ b/src/libstrongswan/plugins/test_vectors/Makefile.am @@ -40,6 +40,7 @@ libstrongswan_test_vectors_la_SOURCES = \ test_vectors/sha1_hmac.c \ test_vectors/sha2.c \ test_vectors/sha2_hmac.c \ + test_vectors/sha3.c \ test_vectors/fips_prf.c \ test_vectors/modp.c \ test_vectors/modpsub.c \ diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in index fa7c3cb82..100f3b15a 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.in +++ b/src/libstrongswan/plugins/test_vectors/Makefile.in @@ -142,9 +142,10 @@ am_libstrongswan_test_vectors_la_OBJECTS = test_vectors_plugin.lo \ test_vectors/md2.lo test_vectors/md4.lo test_vectors/md5.lo \ test_vectors/md5_hmac.lo test_vectors/sha1.lo \ test_vectors/sha1_hmac.lo test_vectors/sha2.lo \ - test_vectors/sha2_hmac.lo test_vectors/fips_prf.lo \ - test_vectors/modp.lo test_vectors/modpsub.lo \ - test_vectors/ecp.lo test_vectors/ecpbp.lo test_vectors/rng.lo + test_vectors/sha2_hmac.lo test_vectors/sha3.lo \ + test_vectors/fips_prf.lo test_vectors/modp.lo \ + test_vectors/modpsub.lo test_vectors/ecp.lo \ + test_vectors/ecpbp.lo test_vectors/rng.lo libstrongswan_test_vectors_la_OBJECTS = \ $(am_libstrongswan_test_vectors_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) @@ -482,6 +483,7 @@ libstrongswan_test_vectors_la_SOURCES = \ test_vectors/sha1_hmac.c \ test_vectors/sha2.c \ test_vectors/sha2_hmac.c \ + test_vectors/sha3.c \ test_vectors/fips_prf.c \ test_vectors/modp.c \ test_vectors/modpsub.c \ @@ -632,6 +634,8 @@ test_vectors/sha2.lo: test_vectors/$(am__dirstamp) \ test_vectors/$(DEPDIR)/$(am__dirstamp) test_vectors/sha2_hmac.lo: test_vectors/$(am__dirstamp) \ test_vectors/$(DEPDIR)/$(am__dirstamp) +test_vectors/sha3.lo: test_vectors/$(am__dirstamp) \ + test_vectors/$(DEPDIR)/$(am__dirstamp) test_vectors/fips_prf.lo: test_vectors/$(am__dirstamp) \ test_vectors/$(DEPDIR)/$(am__dirstamp) test_vectors/modp.lo: test_vectors/$(am__dirstamp) \ @@ -690,6 +694,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/sha1_hmac.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/sha2.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/sha2_hmac.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/sha3.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/twofish_cbc.Plo@am__quote@ .c.o: diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h index 57c218c16..3ff211da8 100644 --- a/src/libstrongswan/plugins/test_vectors/test_vectors.h +++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h @@ -184,6 +184,30 @@ TEST_VECTOR_HASHER(sha384_3) TEST_VECTOR_HASHER(sha512_1) TEST_VECTOR_HASHER(sha512_2) TEST_VECTOR_HASHER(sha512_3) +TEST_VECTOR_HASHER(sha3_224_0) +TEST_VECTOR_HASHER(sha3_256_0) +TEST_VECTOR_HASHER(sha3_384_0) +TEST_VECTOR_HASHER(sha3_512_0) +TEST_VECTOR_HASHER(sha3_224_1) +TEST_VECTOR_HASHER(sha3_256_1) +TEST_VECTOR_HASHER(sha3_384_1) +TEST_VECTOR_HASHER(sha3_512_1) +TEST_VECTOR_HASHER(sha3_224_2) +TEST_VECTOR_HASHER(sha3_256_2) +TEST_VECTOR_HASHER(sha3_384_2) +TEST_VECTOR_HASHER(sha3_512_2) +TEST_VECTOR_HASHER(sha3_224_143) +TEST_VECTOR_HASHER(sha3_256_135) +TEST_VECTOR_HASHER(sha3_384_103) +TEST_VECTOR_HASHER(sha3_512_71) +TEST_VECTOR_HASHER(sha3_224_144) +TEST_VECTOR_HASHER(sha3_256_136) +TEST_VECTOR_HASHER(sha3_384_104) +TEST_VECTOR_HASHER(sha3_512_72) +TEST_VECTOR_HASHER(sha3_224_255) +TEST_VECTOR_HASHER(sha3_256_255) +TEST_VECTOR_HASHER(sha3_384_255) +TEST_VECTOR_HASHER(sha3_512_255) TEST_VECTOR_PRF(aes_xcbc_p1) TEST_VECTOR_PRF(aes_xcbc_p2) diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/sha3.c b/src/libstrongswan/plugins/test_vectors/test_vectors/sha3.c new file mode 100644 index 000000000..e659f66f4 --- /dev/null +++ b/src/libstrongswan/plugins/test_vectors/test_vectors/sha3.c @@ -0,0 +1,328 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the Licenseor (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be usefulbut + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +/** + * SHA-3_224 vectors from "https://github.com/gvanas/KeccakCodePackage/" + */ +hasher_test_vector_t sha3_224_0 = { + .alg = HASH_SHA3_224, .len = 0, + .data = "", + .hash = "\x6B\x4E\x03\x42\x36\x67\xDB\xB7\x3B\x6E\x15\x45\x4F\x0E\xB1\xAB" + "\xD4\x59\x7F\x9A\x1B\x07\x8E\x3F\x5B\x5A\x6B\xC7" + +}; + +hasher_test_vector_t sha3_224_1 = { + .alg = HASH_SHA3_224, .len = 1, + .data = "\xCC", + .hash = "\xDF\x70\xAD\xC4\x9B\x2E\x76\xEE\xE3\xA6\x93\x1B\x93\xFA\x41\x84" + "\x1C\x3A\xF2\xCD\xF5\xB3\x2A\x18\xB5\x47\x8C\x39" +}; + +hasher_test_vector_t sha3_224_2 = { + .alg = HASH_SHA3_224, .len = 2, + .data = "\x41\xFB", + .hash = "\xBF\xF2\x95\x86\x1D\xAE\xDF\x33\xE7\x05\x19\xB1\xE2\xBC\xB4\xC2" + "\xE9\xFE\x33\x64\xD7\x89\xBC\x3B\x17\x30\x1C\x15" +}; + +hasher_test_vector_t sha3_224_143 = { + .alg = HASH_SHA3_224, .len = 143, + .data = "\xEA\x40\xE8\x3C\xB1\x8B\x3A\x24\x2C\x1E\xCC\x6C\xCD\x0B\x78\x53" + "\xA4\x39\xDA\xB2\xC5\x69\xCF\xC6\xDC\x38\xA1\x9F\x5C\x90\xAC\xBF" + "\x76\xAE\xF9\xEA\x37\x42\xFF\x3B\x54\xEF\x7D\x36\xEB\x7C\xE4\xFF" + "\x1C\x9A\xB3\xBC\x11\x9C\xFF\x6B\xE9\x3C\x03\xE2\x08\x78\x33\x35" + "\xC0\xAB\x81\x37\xBE\x5B\x10\xCD\xC6\x6F\xF3\xF8\x9A\x1B\xDD\xC6" + "\xA1\xEE\xD7\x4F\x50\x4C\xBE\x72\x90\x69\x0B\xB2\x95\xA8\x72\xB9" + "\xE3\xFE\x2C\xEE\x9E\x6C\x67\xC4\x1D\xB8\xEF\xD7\xD8\x63\xCF\x10" + "\xF8\x40\xFE\x61\x8E\x79\x36\xDA\x3D\xCA\x5C\xA6\xDF\x93\x3F\x24" + "\xF6\x95\x4B\xA0\x80\x1A\x12\x94\xCD\x8D\x7E\x66\xDF\xAF\xEC", + .hash = "\xAB\x0F\xD3\x08\x59\x05\x74\xD6\xF6\x13\x02\x32\xD9\xFA\xFA\x9F" + "\xFC\xFE\xA7\x85\x79\xA6\xA8\xF6\x7C\x59\x04\x20" +}; + +hasher_test_vector_t sha3_224_144 = { + .alg = HASH_SHA3_224, .len = 144, + .data = "\x15\x7D\x5B\x7E\x45\x07\xF6\x6D\x9A\x26\x74\x76\xD3\x38\x31\xE7" + "\xBB\x76\x8D\x4D\x04\xCC\x34\x38\xDA\x12\xF9\x01\x02\x63\xEA\x5F" + "\xCA\xFB\xDE\x25\x79\xDB\x2F\x6B\x58\xF9\x11\xD5\x93\xD5\xF7\x9F" + "\xB0\x5F\xE3\x59\x6E\x3F\xA8\x0F\xF2\xF7\x61\xD1\xB0\xE5\x70\x80" + "\x05\x5C\x11\x8C\x53\xE5\x3C\xDB\x63\x05\x52\x61\xD7\xC9\xB2\xB3" + "\x9B\xD9\x0A\xCC\x32\x52\x0C\xBB\xDB\xDA\x2C\x4F\xD8\x85\x6D\xBC" + "\xEE\x17\x31\x32\xA2\x67\x91\x98\xDA\xF8\x30\x07\xA9\xB5\xC5\x15" + "\x11\xAE\x49\x76\x6C\x79\x2A\x29\x52\x03\x88\x44\x4E\xBE\xFE\x28" + "\x25\x6F\xB3\x3D\x42\x60\x43\x9C\xBA\x73\xA9\x47\x9E\xE0\x0C\x63", + .hash = "\xD5\x13\x42\x00\xDC\x98\xF4\xCA\x48\x0C\xD2\x4D\x24\x49\x77\x37" + "\x25\x2B\x55\x97\x7A\xE5\xA8\x69\xBA\x27\x08\x9D" +}; + +hasher_test_vector_t sha3_224_255 = { + .alg = HASH_SHA3_224, .len = 255, + .data = "\x3A\x3A\x81\x9C\x48\xEF\xDE\x2A\xD9\x14\xFB\xF0\x0E\x18\xAB\x6B" + "\xC4\xF1\x45\x13\xAB\x27\xD0\xC1\x78\xA1\x88\xB6\x14\x31\xE7\xF5" + "\x62\x3C\xB6\x6B\x23\x34\x67\x75\xD3\x86\xB5\x0E\x98\x2C\x49\x3A" + "\xDB\xBF\xC5\x4B\x9A\x3C\xD3\x83\x38\x23\x36\xA1\xA0\xB2\x15\x0A" + "\x15\x35\x8F\x33\x6D\x03\xAE\x18\xF6\x66\xC7\x57\x3D\x55\xC4\xFD" + "\x18\x1C\x29\xE6\xCC\xFD\xE6\x3E\xA3\x5F\x0A\xDF\x58\x85\xCF\xC0" + "\xA3\xD8\x4A\x2B\x2E\x4D\xD2\x44\x96\xDB\x78\x9E\x66\x31\x70\xCE" + "\xF7\x47\x98\xAA\x1B\xBC\xD4\x57\x4E\xA0\xBB\xA4\x04\x89\xD7\x64" + "\xB2\xF8\x3A\xAD\xC6\x6B\x14\x8B\x4A\x0C\xD9\x52\x46\xC1\x27\xD5" + "\x87\x1C\x4F\x11\x41\x86\x90\xA5\xDD\xF0\x12\x46\xA0\xC8\x0A\x43" + "\xC7\x00\x88\xB6\x18\x36\x39\xDC\xFD\xA4\x12\x5B\xD1\x13\xA8\xF4" + "\x9E\xE2\x3E\xD3\x06\xFA\xAC\x57\x6C\x3F\xB0\xC1\xE2\x56\x67\x1D" + "\x81\x7F\xC2\x53\x4A\x52\xF5\xB4\x39\xF7\x2E\x42\x4D\xE3\x76\xF4" + "\xC5\x65\xCC\xA8\x23\x07\xDD\x9E\xF7\x6D\xA5\xB7\xC4\xEB\x7E\x08" + "\x51\x72\xE3\x28\x80\x7C\x02\xD0\x11\xFF\xBF\x33\x78\x53\x78\xD7" + "\x9D\xC2\x66\xF6\xA5\xBE\x6B\xB0\xE4\xA9\x2E\xCE\xEB\xAE\xB1", + .hash = "\x94\x68\x9E\xA9\xF3\x47\xDD\xA8\xDD\x79\x8A\x85\x86\x05\x86\x87" + "\x43\xC6\xBD\x03\xA6\xA6\x5C\x60\x85\xD5\x2B\xED" +}; + +/** + * SHA-3_256 vectors from "https://github.com/gvanas/KeccakCodePackage/" + */ +hasher_test_vector_t sha3_256_0 = { + .alg = HASH_SHA3_256, .len = 0, + .data = "", + .hash = "\xA7\xFF\xC6\xF8\xBF\x1E\xD7\x66\x51\xC1\x47\x56\xA0\x61\xD6\x62" + "\xF5\x80\xFF\x4D\xE4\x3B\x49\xFA\x82\xD8\x0A\x4B\x80\xF8\x43\x4A" +}; + +hasher_test_vector_t sha3_256_1 = { + .alg = HASH_SHA3_256, .len = 1, + .data = "\xCC", + .hash = "\x67\x70\x35\x39\x1C\xD3\x70\x12\x93\xD3\x85\xF0\x37\xBA\x32\x79" + "\x62\x52\xBB\x7C\xE1\x80\xB0\x0B\x58\x2D\xD9\xB2\x0A\xAA\xD7\xF0" +}; + +hasher_test_vector_t sha3_256_2 = { + .alg = HASH_SHA3_256, .len = 2, + .data = "\x41\xFB", + .hash = "\x39\xF3\x1B\x6E\x65\x3D\xFC\xD9\xCA\xED\x26\x02\xFD\x87\xF6\x1B" + "\x62\x54\xF5\x81\x31\x2F\xB6\xEE\xEC\x4D\x71\x48\xFA\x2E\x72\xAA" +}; + +hasher_test_vector_t sha3_256_135 = { + .alg = HASH_SHA3_256, .len = 135, + .data = "\xB7\x71\xD5\xCE\xF5\xD1\xA4\x1A\x93\xD1\x56\x43\xD7\x18\x1D\x2A" + "\x2E\xF0\xA8\xE8\x4D\x91\x81\x2F\x20\xED\x21\xF1\x47\xBE\xF7\x32" + "\xBF\x3A\x60\xEF\x40\x67\xC3\x73\x4B\x85\xBC\x8C\xD4\x71\x78\x0F" + "\x10\xDC\x9E\x82\x91\xB5\x83\x39\xA6\x77\xB9\x60\x21\x8F\x71\xE7" + "\x93\xF2\x79\x7A\xEA\x34\x94\x06\x51\x28\x29\x06\x5D\x37\xBB\x55" + "\xEA\x79\x6F\xA4\xF5\x6F\xD8\x89\x6B\x49\xB2\xCD\x19\xB4\x32\x15" + "\xAD\x96\x7C\x71\x2B\x24\xE5\x03\x2D\x06\x52\x32\xE0\x2C\x12\x74" + "\x09\xD2\xED\x41\x46\xB9\xD7\x5D\x76\x3D\x52\xDB\x98\xD9\x49\xD3" + "\xB0\xFE\xD6\xA8\x05\x2F\xBB", + .hash = "\xA1\x9E\xEE\x92\xBB\x20\x97\xB6\x4E\x82\x3D\x59\x77\x98\xAA\x18" + "\xBE\x9B\x7C\x73\x6B\x80\x59\xAB\xFD\x67\x79\xAC\x35\xAC\x81\xB5" +}; + +hasher_test_vector_t sha3_256_136 = { + .alg = HASH_SHA3_256, .len = 136, + .data = "\xB3\x2D\x95\xB0\xB9\xAA\xD2\xA8\x81\x6D\xE6\xD0\x6D\x1F\x86\x00" + "\x85\x05\xBD\x8C\x14\x12\x4F\x6E\x9A\x16\x3B\x5A\x2A\xDE\x55\xF8" + "\x35\xD0\xEC\x38\x80\xEF\x50\x70\x0D\x3B\x25\xE4\x2C\xC0\xAF\x05" + "\x0C\xCD\x1B\xE5\xE5\x55\xB2\x30\x87\xE0\x4D\x7B\xF9\x81\x36\x22" + "\x78\x0C\x73\x13\xA1\x95\x4F\x87\x40\xB6\xEE\x2D\x3F\x71\xF7\x68" + "\xDD\x41\x7F\x52\x04\x82\xBD\x3A\x08\xD4\xF2\x22\xB4\xEE\x9D\xBD" + "\x01\x54\x47\xB3\x35\x07\xDD\x50\xF3\xAB\x42\x47\xC5\xDE\x9A\x8A" + "\xBD\x62\xA8\xDE\xCE\xA0\x1E\x3B\x87\xC8\xB9\x27\xF5\xB0\x8B\xEB" + "\x37\x67\x4C\x6F\x8E\x38\x0C\x04", + .hash = "\xDF\x67\x3F\x41\x05\x37\x9F\xF6\xB7\x55\xEE\xAB\x20\xCE\xB0\xDC" + "\x77\xB5\x28\x63\x64\xFE\x16\xC5\x9C\xC8\xA9\x07\xAF\xF0\x77\x32" +}; + +hasher_test_vector_t sha3_256_255 = { + .alg = HASH_SHA3_256, .len = 255, + .data = "\x3A\x3A\x81\x9C\x48\xEF\xDE\x2A\xD9\x14\xFB\xF0\x0E\x18\xAB\x6B" + "\xC4\xF1\x45\x13\xAB\x27\xD0\xC1\x78\xA1\x88\xB6\x14\x31\xE7\xF5" + "\x62\x3C\xB6\x6B\x23\x34\x67\x75\xD3\x86\xB5\x0E\x98\x2C\x49\x3A" + "\xDB\xBF\xC5\x4B\x9A\x3C\xD3\x83\x38\x23\x36\xA1\xA0\xB2\x15\x0A" + "\x15\x35\x8F\x33\x6D\x03\xAE\x18\xF6\x66\xC7\x57\x3D\x55\xC4\xFD" + "\x18\x1C\x29\xE6\xCC\xFD\xE6\x3E\xA3\x5F\x0A\xDF\x58\x85\xCF\xC0" + "\xA3\xD8\x4A\x2B\x2E\x4D\xD2\x44\x96\xDB\x78\x9E\x66\x31\x70\xCE" + "\xF7\x47\x98\xAA\x1B\xBC\xD4\x57\x4E\xA0\xBB\xA4\x04\x89\xD7\x64" + "\xB2\xF8\x3A\xAD\xC6\x6B\x14\x8B\x4A\x0C\xD9\x52\x46\xC1\x27\xD5" + "\x87\x1C\x4F\x11\x41\x86\x90\xA5\xDD\xF0\x12\x46\xA0\xC8\x0A\x43" + "\xC7\x00\x88\xB6\x18\x36\x39\xDC\xFD\xA4\x12\x5B\xD1\x13\xA8\xF4" + "\x9E\xE2\x3E\xD3\x06\xFA\xAC\x57\x6C\x3F\xB0\xC1\xE2\x56\x67\x1D" + "\x81\x7F\xC2\x53\x4A\x52\xF5\xB4\x39\xF7\x2E\x42\x4D\xE3\x76\xF4" + "\xC5\x65\xCC\xA8\x23\x07\xDD\x9E\xF7\x6D\xA5\xB7\xC4\xEB\x7E\x08" + "\x51\x72\xE3\x28\x80\x7C\x02\xD0\x11\xFF\xBF\x33\x78\x53\x78\xD7" + "\x9D\xC2\x66\xF6\xA5\xBE\x6B\xB0\xE4\xA9\x2E\xCE\xEB\xAE\xB1", + .hash = "\xC1\x1F\x35\x22\xA8\xFB\x7B\x35\x32\xD8\x0B\x6D\x40\x02\x3A\x92" + "\xB4\x89\xAD\xDA\xD9\x3B\xF5\xD6\x4B\x23\xF3\x5E\x96\x63\x52\x1C" +}; + +/** + * SHA-3_384 vectors from "https://github.com/gvanas/KeccakCodePackage/" + */ +hasher_test_vector_t sha3_384_0 = { + .alg = HASH_SHA3_384, .len = 0, + .data = "", + .hash = "\x0C\x63\xA7\x5B\x84\x5E\x4F\x7D\x01\x10\x7D\x85\x2E\x4C\x24\x85" + "\xC5\x1A\x50\xAA\xAA\x94\xFC\x61\x99\x5E\x71\xBB\xEE\x98\x3A\x2A" + "\xC3\x71\x38\x31\x26\x4A\xDB\x47\xFB\x6B\xD1\xE0\x58\xD5\xF0\x04" +}; + +hasher_test_vector_t sha3_384_1 = { + .alg = HASH_SHA3_384, .len = 1, + .data = "\xCC", + .hash = "\x5E\xE7\xF3\x74\x97\x3C\xD4\xBB\x3D\xC4\x1E\x30\x81\x34\x67\x98" + "\x49\x7F\xF6\xE3\x6C\xB9\x35\x22\x81\xDF\xE0\x7D\x07\xFC\x53\x0C" + "\xA9\xAD\x8E\xF7\xAA\xD5\x6E\xF5\xD4\x1B\xE8\x3D\x5E\x54\x38\x07" +}; + +hasher_test_vector_t sha3_384_2 = { + .alg = HASH_SHA3_384, .len = 2, + .data = "\x41\xFB", + .hash = "\x1D\xD8\x16\x09\xDC\xC2\x90\xEF\xFD\x7A\xC0\xA9\x5D\x4A\x20\x82" + "\x15\x80\xE5\x6B\xD5\x0D\xBD\x84\x39\x20\x65\x0B\xE7\xA8\x0A\x17" + "\x19\x57\x7D\xA3\x37\xCF\xDF\x86\xE5\x1C\x76\x4C\xAA\x2E\x10\xBD" +}; + +hasher_test_vector_t sha3_384_103 = { + .alg = HASH_SHA3_384, .len = 103, + .data = "\xF1\x3C\x97\x2C\x52\xCB\x3C\xC4\xA4\xDF\x28\xC9\x7F\x2D\xF1\x1C" + "\xE0\x89\xB8\x15\x46\x6B\xE8\x88\x63\x24\x3E\xB3\x18\xC2\xAD\xB1" + "\xA4\x17\xCB\x10\x41\x30\x85\x98\x54\x17\x20\x19\x7B\x9B\x1C\xB5" + "\xBA\x23\x18\xBD\x55\x74\xD1\xDF\x21\x74\xAF\x14\x88\x41\x49\xBA" + "\x9B\x2F\x44\x6D\x60\x9D\xF2\x40\xCE\x33\x55\x99\x95\x7B\x8E\xC8" + "\x08\x76\xD9\xA0\x85\xAE\x08\x49\x07\xBC\x59\x61\xB2\x0B\xF5\xF6" + "\xCA\x58\xD5\xDA\xB3\x8A\xDB", + .hash = "\x0A\x83\x4E\x11\x1B\x4E\x84\x0E\x78\x7C\x19\x74\x84\x65\xA4\x7D" + "\x88\xB3\xF0\xF3\xDA\xAF\x15\xDB\x25\x53\x6B\xDC\x60\x78\xFA\x9C" + "\x05\xE6\xC9\x53\x83\x02\x74\x22\x39\x68\x84\x7D\xA8\xBF\xD2\x0D" +}; + +hasher_test_vector_t sha3_384_104 = { + .alg = HASH_SHA3_384, .len = 104, + .data = "\xE3\x57\x80\xEB\x97\x99\xAD\x4C\x77\x53\x5D\x4D\xDB\x68\x3C\xF3" + "\x3E\xF3\x67\x71\x53\x27\xCF\x4C\x4A\x58\xED\x9C\xBD\xCD\xD4\x86" + "\xF6\x69\xF8\x01\x89\xD5\x49\xA9\x36\x4F\xA8\x2A\x51\xA5\x26\x54" + "\xEC\x72\x1B\xB3\xAA\xB9\x5D\xCE\xB4\xA8\x6A\x6A\xFA\x93\x82\x6D" + "\xB9\x23\x51\x7E\x92\x8F\x33\xE3\xFB\xA8\x50\xD4\x56\x60\xEF\x83" + "\xB9\x87\x6A\xCC\xAF\xA2\xA9\x98\x7A\x25\x4B\x13\x7C\x6E\x14\x0A" + "\x21\x69\x1E\x10\x69\x41\x38\x48", + .hash = "\xD1\xC0\xFA\x85\xC8\xD1\x83\xBE\xFF\x99\xAD\x9D\x75\x2B\x26\x3E" + "\x28\x6B\x47\x7F\x79\xF0\x71\x0B\x01\x03\x17\x01\x73\x97\x81\x33" + "\x44\xB9\x9D\xAF\x3B\xB7\xB1\xBC\x5E\x8D\x72\x2B\xAC\x85\x94\x3A" +}; + +hasher_test_vector_t sha3_384_255 = { + .alg = HASH_SHA3_384, .len = 255, + .data = "\x3A\x3A\x81\x9C\x48\xEF\xDE\x2A\xD9\x14\xFB\xF0\x0E\x18\xAB\x6B" + "\xC4\xF1\x45\x13\xAB\x27\xD0\xC1\x78\xA1\x88\xB6\x14\x31\xE7\xF5" + "\x62\x3C\xB6\x6B\x23\x34\x67\x75\xD3\x86\xB5\x0E\x98\x2C\x49\x3A" + "\xDB\xBF\xC5\x4B\x9A\x3C\xD3\x83\x38\x23\x36\xA1\xA0\xB2\x15\x0A" + "\x15\x35\x8F\x33\x6D\x03\xAE\x18\xF6\x66\xC7\x57\x3D\x55\xC4\xFD" + "\x18\x1C\x29\xE6\xCC\xFD\xE6\x3E\xA3\x5F\x0A\xDF\x58\x85\xCF\xC0" + "\xA3\xD8\x4A\x2B\x2E\x4D\xD2\x44\x96\xDB\x78\x9E\x66\x31\x70\xCE" + "\xF7\x47\x98\xAA\x1B\xBC\xD4\x57\x4E\xA0\xBB\xA4\x04\x89\xD7\x64" + "\xB2\xF8\x3A\xAD\xC6\x6B\x14\x8B\x4A\x0C\xD9\x52\x46\xC1\x27\xD5" + "\x87\x1C\x4F\x11\x41\x86\x90\xA5\xDD\xF0\x12\x46\xA0\xC8\x0A\x43" + "\xC7\x00\x88\xB6\x18\x36\x39\xDC\xFD\xA4\x12\x5B\xD1\x13\xA8\xF4" + "\x9E\xE2\x3E\xD3\x06\xFA\xAC\x57\x6C\x3F\xB0\xC1\xE2\x56\x67\x1D" + "\x81\x7F\xC2\x53\x4A\x52\xF5\xB4\x39\xF7\x2E\x42\x4D\xE3\x76\xF4" + "\xC5\x65\xCC\xA8\x23\x07\xDD\x9E\xF7\x6D\xA5\xB7\xC4\xEB\x7E\x08" + "\x51\x72\xE3\x28\x80\x7C\x02\xD0\x11\xFF\xBF\x33\x78\x53\x78\xD7" + "\x9D\xC2\x66\xF6\xA5\xBE\x6B\xB0\xE4\xA9\x2E\xCE\xEB\xAE\xB1", + .hash = "\x12\x8D\xC6\x11\x76\x2B\xE9\xB1\x35\xB3\x73\x94\x84\xCF\xAA\xDC" + "\xA7\x48\x1D\x68\x51\x4F\x3D\xFD\x6F\x5D\x78\xBB\x18\x63\xAE\x68" + "\x13\x08\x35\xCD\xC7\x06\x1A\x7E\xD9\x64\xB3\x2F\x1D\xB7\x5E\xE1" +}; + +/** + * SHA-3_512 vectors from "https://github.com/gvanas/KeccakCodePackage/" + */ +hasher_test_vector_t sha3_512_0 = { + .alg = HASH_SHA3_512, .len = 0, + .data = "", + .hash = "\xA6\x9F\x73\xCC\xA2\x3A\x9A\xC5\xC8\xB5\x67\xDC\x18\x5A\x75\x6E" + "\x97\xC9\x82\x16\x4F\xE2\x58\x59\xE0\xD1\xDC\xC1\x47\x5C\x80\xA6" + "\x15\xB2\x12\x3A\xF1\xF5\xF9\x4C\x11\xE3\xE9\x40\x2C\x3A\xC5\x58" + "\xF5\x00\x19\x9D\x95\xB6\xD3\xE3\x01\x75\x85\x86\x28\x1D\xCD\x26" +}; + +hasher_test_vector_t sha3_512_1 = { + .alg = HASH_SHA3_512, .len = 1, + .data = "\xCC", + .hash = "\x39\x39\xFC\xC8\xB5\x7B\x63\x61\x25\x42\xDA\x31\xA8\x34\xE5\xDC" + "\xC3\x6E\x2E\xE0\xF6\x52\xAC\x72\xE0\x26\x24\xFA\x2E\x5A\xDE\xEC" + "\xC7\xDD\x6B\xB3\x58\x02\x24\xB4\xD6\x13\x87\x06\xFC\x6E\x80\x59" + "\x7B\x52\x80\x51\x23\x0B\x00\x62\x1C\xC2\xB2\x29\x99\xEA\xA2\x05" +}; + +hasher_test_vector_t sha3_512_2 = { + .alg = HASH_SHA3_512, .len = 2, + .data = "\x41\xFB", + .hash = "\xAA\x09\x28\x65\xA4\x06\x94\xD9\x17\x54\xDB\xC7\x67\xB5\x20\x2C" + "\x54\x6E\x22\x68\x77\x14\x7A\x95\xCB\x8B\x4C\x8F\x87\x09\xFE\x8C" + "\xD6\x90\x52\x56\xB0\x89\xDA\x37\x89\x6E\xA5\xCA\x19\xD2\xCD\x9A" + "\xB9\x4C\x71\x92\xFC\x39\xF7\xCD\x4D\x59\x89\x75\xA3\x01\x3C\x69" +}; + +hasher_test_vector_t sha3_512_71 = { + .alg = HASH_SHA3_512, .len = 71, + .data = "\x13\xBD\x28\x11\xF6\xED\x2B\x6F\x04\xFF\x38\x95\xAC\xEE\xD7\xBE" + "\xF8\xDC\xD4\x5E\xB1\x21\x79\x1B\xC1\x94\xA0\xF8\x06\x20\x6B\xFF" + "\xC3\xB9\x28\x1C\x2B\x30\x8B\x1A\x72\x9C\xE0\x08\x11\x9D\xD3\x06" + "\x6E\x93\x78\xAC\xDC\xC5\x0A\x98\xA8\x2E\x20\x73\x88\x00\xB6\xCD" + "\xDB\xE5\xFE\x96\x94\xAD\x6D", + .hash = "\xDE\xF4\xAB\x6C\xDA\x88\x39\x72\x9A\x03\xE0\x00\x84\x66\x04\xB1" + "\x7F\x03\xC5\xD5\xD7\xEC\x23\xC4\x83\x67\x0A\x13\xE1\x15\x73\xC1" + "\xE9\x34\x7A\x63\xEC\x69\xA5\xAB\xB2\x13\x05\xF9\x38\x2E\xCD\xAA" + "\xAB\xC6\x85\x0F\x92\x84\x0E\x86\xF8\x8F\x4D\xAB\xFC\xD9\x3C\xC0" +}; + +hasher_test_vector_t sha3_512_72 = { + .alg = HASH_SHA3_512, .len = 72, + .data = "\x1E\xED\x9C\xBA\x17\x9A\x00\x9E\xC2\xEC\x55\x08\x77\x3D\xD3\x05" + "\x47\x7C\xA1\x17\xE6\xD5\x69\xE6\x6B\x5F\x64\xC6\xBC\x64\x80\x1C" + "\xE2\x5A\x84\x24\xCE\x4A\x26\xD5\x75\xB8\xA6\xFB\x10\xEA\xD3\xFD" + "\x19\x92\xED\xDD\xEE\xC2\xEB\xE7\x15\x0D\xC9\x8F\x63\xAD\xC3\x23" + "\x7E\xF5\x7B\x91\x39\x7A\xA8\xA7", + .hash = "\xA3\xE1\x68\xB0\xD6\xC1\x43\xEE\x9E\x17\xEA\xE9\x29\x30\xB9\x7E" + "\x66\x00\x35\x6B\x73\xAE\xBB\x5D\x68\x00\x5D\xD1\xD0\x74\x94\x45" + "\x1A\x37\x05\x2F\x7B\x39\xFF\x03\x0C\x1A\xE1\xD7\xEF\xC4\xE0\xC3" + "\x66\x7E\xB7\xA7\x6C\x62\x7E\xC1\x43\x54\xC4\xF6\xA7\x96\xE2\xC6" +}; + +hasher_test_vector_t sha3_512_255 = { + .alg = HASH_SHA3_512, .len = 255, + .data = "\x3A\x3A\x81\x9C\x48\xEF\xDE\x2A\xD9\x14\xFB\xF0\x0E\x18\xAB\x6B" + "\xC4\xF1\x45\x13\xAB\x27\xD0\xC1\x78\xA1\x88\xB6\x14\x31\xE7\xF5" + "\x62\x3C\xB6\x6B\x23\x34\x67\x75\xD3\x86\xB5\x0E\x98\x2C\x49\x3A" + "\xDB\xBF\xC5\x4B\x9A\x3C\xD3\x83\x38\x23\x36\xA1\xA0\xB2\x15\x0A" + "\x15\x35\x8F\x33\x6D\x03\xAE\x18\xF6\x66\xC7\x57\x3D\x55\xC4\xFD" + "\x18\x1C\x29\xE6\xCC\xFD\xE6\x3E\xA3\x5F\x0A\xDF\x58\x85\xCF\xC0" + "\xA3\xD8\x4A\x2B\x2E\x4D\xD2\x44\x96\xDB\x78\x9E\x66\x31\x70\xCE" + "\xF7\x47\x98\xAA\x1B\xBC\xD4\x57\x4E\xA0\xBB\xA4\x04\x89\xD7\x64" + "\xB2\xF8\x3A\xAD\xC6\x6B\x14\x8B\x4A\x0C\xD9\x52\x46\xC1\x27\xD5" + "\x87\x1C\x4F\x11\x41\x86\x90\xA5\xDD\xF0\x12\x46\xA0\xC8\x0A\x43" + "\xC7\x00\x88\xB6\x18\x36\x39\xDC\xFD\xA4\x12\x5B\xD1\x13\xA8\xF4" + "\x9E\xE2\x3E\xD3\x06\xFA\xAC\x57\x6C\x3F\xB0\xC1\xE2\x56\x67\x1D" + "\x81\x7F\xC2\x53\x4A\x52\xF5\xB4\x39\xF7\x2E\x42\x4D\xE3\x76\xF4" + "\xC5\x65\xCC\xA8\x23\x07\xDD\x9E\xF7\x6D\xA5\xB7\xC4\xEB\x7E\x08" + "\x51\x72\xE3\x28\x80\x7C\x02\xD0\x11\xFF\xBF\x33\x78\x53\x78\xD7" + "\x9D\xC2\x66\xF6\xA5\xBE\x6B\xB0\xE4\xA9\x2E\xCE\xEB\xAE\xB1", + .hash = "\x6E\x8B\x8B\xD1\x95\xBD\xD5\x60\x68\x9A\xF2\x34\x8B\xDC\x74\xAB" + "\x7C\xD0\x5E\xD8\xB9\xA5\x77\x11\xE9\xBE\x71\xE9\x72\x6F\xDA\x45" + "\x91\xFE\xE1\x22\x05\xED\xAC\xAF\x82\xFF\xBB\xAF\x16\xDF\xF9\xE7" + "\x02\xA7\x08\x86\x20\x80\x16\x6C\x2F\xF6\xBA\x37\x9B\xC7\xFF\xC2" +}; + diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c index eb5b01986..e32f8eefe 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c @@ -266,8 +266,8 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this, scheme = SIGN_ECDSA_WITH_SHA1_DER; break; case KEY_BLISS: - oid = OID_BLISS_WITH_SHA512; - scheme = SIGN_BLISS_WITH_SHA512; + oid = OID_BLISS_WITH_SHA2_512; + scheme = SIGN_BLISS_WITH_SHA2_512; break; default: DBG1(DBG_LIB, "unable to sign OCSP request, %N signature not " diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c index 668632459..a6298b394 100644 --- a/src/libstrongswan/selectors/traffic_selector.c +++ b/src/libstrongswan/selectors/traffic_selector.c @@ -219,9 +219,8 @@ int traffic_selector_printf_hook(printf_hook_data_t *data, enumerator_t *enumerator; char from_str[INET6_ADDRSTRLEN] = ""; char to_str[INET6_ADDRSTRLEN] = ""; - char *serv_proto = NULL; - bool has_proto; - bool has_ports; + char *serv_proto = NULL, *sep = ""; + bool has_proto, has_ports; size_t written = 0; u_int32_t from[4], to[4]; @@ -235,8 +234,8 @@ int traffic_selector_printf_hook(printf_hook_data_t *data, enumerator = list->create_enumerator(list); while (enumerator->enumerate(enumerator, (void**)&this)) { - /* call recursivly */ - written += print_in_hook(data, "%R ", this); + written += print_in_hook(data, "%s%R", sep, this); + sep = " "; } enumerator->destroy(enumerator); return written; diff --git a/src/libstrongswan/settings/settings.c b/src/libstrongswan/settings/settings.c index 305ebe620..56cc2f19b 100644 --- a/src/libstrongswan/settings/settings.c +++ b/src/libstrongswan/settings/settings.c @@ -537,6 +537,31 @@ METHOD(settings_t, get_int, int, return settings_value_as_int(value, def); } +/** + * Described in header + */ +inline u_int64_t settings_value_as_uint64(char *value, u_int64_t def) +{ + u_int64_t intval; + char *end; + int base = 10; + + if (value) + { + errno = 0; + if (value[0] == '0' && value[1] == 'x') + { /* manually detect 0x prefix as we want to avoid octal encoding */ + base = 16; + } + intval = strtoull(value, &end, base); + if (errno == 0 && *end == 0 && end != value) + { + return intval; + } + } + return def; +} + /** * Described in header */ diff --git a/src/libstrongswan/settings/settings.h b/src/libstrongswan/settings/settings.h index 4ef80d0f6..a133a3681 100644 --- a/src/libstrongswan/settings/settings.h +++ b/src/libstrongswan/settings/settings.h @@ -50,6 +50,15 @@ bool settings_value_as_bool(char *value, bool def); */ int settings_value_as_int(char *value, int def); +/** + * Convert a string value returned by a key/value enumerator to an u_int64_t. + * + * @see settings_t.create_key_value_enumerator() + * @param value the string value + * @param def the default value, if value is NULL or invalid + */ +u_int64_t settings_value_as_uint64(char *value, u_int64_t def); + /** * Convert a string value returned by a key/value enumerator to a double. * diff --git a/src/libstrongswan/tests/suites/test_hasher.c b/src/libstrongswan/tests/suites/test_hasher.c index 14cc32122..067abf0d9 100644 --- a/src/libstrongswan/tests/suites/test_hasher.c +++ b/src/libstrongswan/tests/suites/test_hasher.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -28,30 +28,38 @@ typedef struct { }hasher_oid_t; static hasher_oid_t oids[] = { - { OID_MD2, HASH_MD2, KEY_ANY }, - { OID_MD5, HASH_MD5, KEY_ANY }, - { OID_SHA1, HASH_SHA1, KEY_ANY }, - { OID_SHA224, HASH_SHA224, KEY_ANY }, - { OID_SHA256, HASH_SHA256, KEY_ANY }, - { OID_SHA384, HASH_SHA384, KEY_ANY }, - { OID_SHA512, HASH_SHA512, KEY_ANY }, - { OID_UNKNOWN, HASH_UNKNOWN, KEY_ANY }, - { OID_MD2_WITH_RSA, HASH_MD2, KEY_RSA }, - { OID_MD5_WITH_RSA, HASH_MD5, KEY_RSA }, - { OID_SHA1_WITH_RSA, HASH_SHA1, KEY_RSA }, - { OID_SHA224_WITH_RSA, HASH_SHA224, KEY_RSA }, - { OID_SHA256_WITH_RSA, HASH_SHA256, KEY_RSA }, - { OID_SHA384_WITH_RSA, HASH_SHA384, KEY_RSA }, - { OID_SHA512_WITH_RSA, HASH_SHA512, KEY_RSA }, - { OID_UNKNOWN, HASH_UNKNOWN, KEY_RSA }, - { OID_ECDSA_WITH_SHA1, HASH_SHA1, KEY_ECDSA }, - { OID_ECDSA_WITH_SHA256, HASH_SHA256, KEY_ECDSA }, - { OID_ECDSA_WITH_SHA384, HASH_SHA384, KEY_ECDSA }, - { OID_ECDSA_WITH_SHA512, HASH_SHA512, KEY_ECDSA }, - { OID_BLISS_WITH_SHA256, HASH_SHA256, KEY_BLISS }, - { OID_BLISS_WITH_SHA384, HASH_SHA384, KEY_BLISS }, - { OID_BLISS_WITH_SHA512, HASH_SHA512, KEY_BLISS }, - { OID_UNKNOWN, HASH_UNKNOWN, KEY_ECDSA } + { OID_MD2, HASH_MD2, KEY_ANY }, /* 0 */ + { OID_MD5, HASH_MD5, KEY_ANY }, /* 1 */ + { OID_SHA1, HASH_SHA1, KEY_ANY }, /* 2 */ + { OID_SHA224, HASH_SHA224, KEY_ANY }, /* 3 */ + { OID_SHA256, HASH_SHA256, KEY_ANY }, /* 4 */ + { OID_SHA384, HASH_SHA384, KEY_ANY }, /* 5 */ + { OID_SHA512, HASH_SHA512, KEY_ANY }, /* 6 */ + { OID_SHA3_224, HASH_SHA3_224, KEY_ANY }, /* 7 */ + { OID_SHA3_256, HASH_SHA3_256, KEY_ANY }, /* 8 */ + { OID_SHA3_384, HASH_SHA3_384, KEY_ANY }, /* 9 */ + { OID_SHA3_512, HASH_SHA3_512, KEY_ANY }, /* 10 */ + { OID_UNKNOWN, HASH_UNKNOWN, KEY_ANY }, /* 11 */ + { OID_MD2_WITH_RSA, HASH_MD2, KEY_RSA }, /* 12 */ + { OID_MD5_WITH_RSA, HASH_MD5, KEY_RSA }, /* 13 */ + { OID_SHA1_WITH_RSA, HASH_SHA1, KEY_RSA }, /* 14 */ + { OID_SHA224_WITH_RSA, HASH_SHA224, KEY_RSA }, /* 15 */ + { OID_SHA256_WITH_RSA, HASH_SHA256, KEY_RSA }, /* 16 */ + { OID_SHA384_WITH_RSA, HASH_SHA384, KEY_RSA }, /* 17 */ + { OID_SHA512_WITH_RSA, HASH_SHA512, KEY_RSA }, /* 18 */ + { OID_UNKNOWN, HASH_UNKNOWN, KEY_RSA }, /* 19 */ + { OID_ECDSA_WITH_SHA1, HASH_SHA1, KEY_ECDSA }, /* 20 */ + { OID_ECDSA_WITH_SHA256, HASH_SHA256, KEY_ECDSA }, /* 21 */ + { OID_ECDSA_WITH_SHA384, HASH_SHA384, KEY_ECDSA }, /* 22 */ + { OID_ECDSA_WITH_SHA512, HASH_SHA512, KEY_ECDSA }, /* 23 */ + { OID_UNKNOWN, HASH_UNKNOWN, KEY_ECDSA }, /* 24 */ + { OID_BLISS_WITH_SHA2_256, HASH_SHA256, KEY_BLISS }, /* 25 */ + { OID_BLISS_WITH_SHA2_384, HASH_SHA384, KEY_BLISS }, /* 26 */ + { OID_BLISS_WITH_SHA2_512, HASH_SHA512, KEY_BLISS }, /* 27 */ + { OID_BLISS_WITH_SHA3_256, HASH_SHA3_256, KEY_BLISS }, /* 28 */ + { OID_BLISS_WITH_SHA3_384, HASH_SHA3_384, KEY_BLISS }, /* 29 */ + { OID_BLISS_WITH_SHA3_512, HASH_SHA3_512, KEY_BLISS }, /* 30 */ + { OID_UNKNOWN, HASH_UNKNOWN, KEY_BLISS } /* 31 */ }; START_TEST(test_hasher_from_oid) @@ -73,6 +81,44 @@ START_TEST(test_hasher_sig_to_oid) } END_TEST +typedef struct { + signature_scheme_t scheme; + hash_algorithm_t alg; +}hasher_sig_scheme_t; + +static hasher_sig_scheme_t sig_schemes[] = { + { SIGN_UNKNOWN, HASH_UNKNOWN }, + { SIGN_RSA_EMSA_PKCS1_NULL, HASH_UNKNOWN }, + { SIGN_RSA_EMSA_PKCS1_MD5, HASH_MD5 }, + { SIGN_RSA_EMSA_PKCS1_SHA1, HASH_SHA1 }, + { SIGN_RSA_EMSA_PKCS1_SHA224, HASH_SHA224 }, + { SIGN_RSA_EMSA_PKCS1_SHA256, HASH_SHA256 }, + { SIGN_RSA_EMSA_PKCS1_SHA384, HASH_SHA384 }, + { SIGN_RSA_EMSA_PKCS1_SHA512, HASH_SHA512 }, + { SIGN_ECDSA_WITH_SHA1_DER, HASH_SHA1 }, + { SIGN_ECDSA_WITH_SHA256_DER, HASH_SHA256 }, + { SIGN_ECDSA_WITH_SHA384_DER, HASH_SHA384 }, + { SIGN_ECDSA_WITH_SHA512_DER, HASH_SHA512 }, + { SIGN_ECDSA_WITH_NULL, HASH_UNKNOWN }, + { SIGN_ECDSA_256, HASH_SHA256 }, + { SIGN_ECDSA_384, HASH_SHA384 }, + { SIGN_ECDSA_521, HASH_SHA512 }, + { SIGN_BLISS_WITH_SHA2_256, HASH_SHA256 }, + { SIGN_BLISS_WITH_SHA2_384, HASH_SHA384 }, + { SIGN_BLISS_WITH_SHA2_512, HASH_SHA512 }, + { SIGN_BLISS_WITH_SHA3_256, HASH_SHA3_256 }, + { SIGN_BLISS_WITH_SHA3_384, HASH_SHA3_384 }, + { SIGN_BLISS_WITH_SHA3_512, HASH_SHA3_512 }, + { 30, HASH_UNKNOWN } +}; + +START_TEST(test_hasher_from_sig_scheme) +{ + ck_assert(hasher_from_signature_scheme(sig_schemes[_i].scheme) == + sig_schemes[_i].alg); +} +END_TEST + typedef struct { pseudo_random_function_t prf; hash_algorithm_t alg; @@ -157,6 +203,35 @@ START_TEST(test_hasher_to_integrity) } END_TEST + +typedef struct { + hash_algorithm_t alg; + bool ikev2; +}hasher_ikev2_t; + +static hasher_ikev2_t ikev2[] = { + { HASH_SHA1, TRUE }, + { HASH_SHA256, TRUE }, + { HASH_SHA384, TRUE }, + { HASH_SHA512, TRUE }, + { HASH_UNKNOWN, FALSE }, + { HASH_MD2, FALSE }, + { HASH_MD4, FALSE }, + { HASH_MD5, FALSE }, + { HASH_SHA224, FALSE }, + { HASH_SHA3_224, FALSE }, + { HASH_SHA3_256, FALSE }, + { HASH_SHA3_384, FALSE }, + { HASH_SHA3_512, FALSE }, + { 30, FALSE } +}; + +START_TEST(test_hasher_for_ikev2) +{ + ck_assert(hasher_algorithm_for_ikev2(ikev2[_i].alg) == ikev2[_i].ikev2); +} +END_TEST + Suite *hasher_suite_create() { Suite *s; @@ -169,11 +244,15 @@ Suite *hasher_suite_create() suite_add_tcase(s, tc); tc = tcase_create("to_oid"); - tcase_add_loop_test(tc, test_hasher_to_oid, 0, 8); + tcase_add_loop_test(tc, test_hasher_to_oid, 0, 12); suite_add_tcase(s, tc); tc = tcase_create("sig_to_oid"); - tcase_add_loop_test(tc, test_hasher_sig_to_oid, 7, countof(oids)); + tcase_add_loop_test(tc, test_hasher_sig_to_oid, 11, countof(oids)); + suite_add_tcase(s, tc); + + tc = tcase_create("from_sig_scheme"); + tcase_add_loop_test(tc, test_hasher_from_sig_scheme, 0, countof(sig_schemes)); suite_add_tcase(s, tc); tc = tcase_create("from_prf"); @@ -188,5 +267,9 @@ Suite *hasher_suite_create() tcase_add_loop_test(tc, test_hasher_to_integrity, 0, 17); suite_add_tcase(s, tc); + tc = tcase_create("for_ikev2"); + tcase_add_loop_test(tc, test_hasher_for_ikev2, 0, countof(ikev2)); + suite_add_tcase(s, tc); + return s; } diff --git a/src/libstrongswan/tests/suites/test_identification.c b/src/libstrongswan/tests/suites/test_identification.c index ff14ba897..9554d2919 100644 --- a/src/libstrongswan/tests/suites/test_identification.c +++ b/src/libstrongswan/tests/suites/test_identification.c @@ -550,6 +550,7 @@ START_TEST(test_matches) a = identification_create_from_string("C=CH, E=moon@strongswan.org, CN=moon"); ck_assert(id_matches(a, "C=CH, E=moon@strongswan.org, CN=moon", ID_MATCH_PERFECT)); + ck_assert(id_matches(a, "C=CH, E=*@strongswan.org, CN=moon", ID_MATCH_NONE)); ck_assert(id_matches(a, "C=CH, E=*, CN=moon", ID_MATCH_ONE_WILDCARD)); ck_assert(id_matches(a, "C=CH, E=*, CN=*", ID_MATCH_ONE_WILDCARD - 1)); ck_assert(id_matches(a, "C=*, E=*, CN=*", ID_MATCH_ONE_WILDCARD - 2)); diff --git a/src/libstrongswan/tests/suites/test_settings.c b/src/libstrongswan/tests/suites/test_settings.c index bead9d795..5ddd0bb9a 100644 --- a/src/libstrongswan/tests/suites/test_settings.c +++ b/src/libstrongswan/tests/suites/test_settings.c @@ -317,6 +317,26 @@ START_TEST(test_set_int) } END_TEST +START_TEST(test_value_as_unit64) +{ + test_int_eq(1, settings_value_as_uint64(NULL, 1)); + test_int_eq(1, settings_value_as_uint64("", 1)); + test_int_eq(1, settings_value_as_uint64("2a", 1)); + test_int_eq(1, settings_value_as_uint64("a2", 1)); + test_int_eq(1, settings_value_as_uint64("2.0", 1)); + + test_int_eq(10, settings_value_as_uint64("10", 0)); + test_int_eq(10, settings_value_as_uint64("010", 0)); + test_int_eq(16, settings_value_as_uint64("0x010", 0)); + test_int_eq(0x2a, settings_value_as_uint64("0x2a", 0)); + + test_int_eq(0xffffffffffffffffLL, settings_value_as_uint64("0xffffffffffffffff", 0)); + test_int_eq(0xffffffff00000000LL, settings_value_as_uint64("0xffffffff00000000", 0)); + test_int_eq(0xffffffff00000000LL, settings_value_as_uint64("18446744069414584320", 0)); + test_int_eq(0xffffffff00000001LL, settings_value_as_uint64("18446744069414584321", 0)); +} +END_TEST + START_SETUP(setup_double_config) { create_settings(chunk_from_str( @@ -1158,6 +1178,10 @@ Suite *settings_suite_create() tcase_add_test(tc, test_set_int); suite_add_tcase(s, tc); + tc = tcase_create("settings_value_as_uint64"); + tcase_add_test(tc, test_value_as_unit64); + suite_add_tcase(s, tc); + tc = tcase_create("get/set_double"); tcase_add_checked_fixture(tc, setup_double_config, teardown_config); tcase_add_test(tc, test_get_double); diff --git a/src/libstrongswan/tests/suites/test_traffic_selector.c b/src/libstrongswan/tests/suites/test_traffic_selector.c index bec32d2d8..5c0fb754d 100644 --- a/src/libstrongswan/tests/suites/test_traffic_selector.c +++ b/src/libstrongswan/tests/suites/test_traffic_selector.c @@ -770,17 +770,17 @@ START_TEST(test_printf_hook_hash) list = linked_list_create_with_items( traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535), NULL); - verify_list("10.1.0.0/16 ", NULL, list); + verify_list("10.1.0.0/16", NULL, list); list = linked_list_create_with_items( traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535), traffic_selector_create_from_cidr("10.1.0.1/32", IPPROTO_UDP, 1234, 1235), NULL); - verify_list("10.1.0.0/16 10.1.0.1/32[udp/1234-1235] ", "10.1.0.0/16 10.1.0.1/32[17/1234-1235] ", list); + verify_list("10.1.0.0/16 10.1.0.1/32[udp/1234-1235]", "10.1.0.0/16 10.1.0.1/32[17/1234-1235]", list); list = linked_list_create_with_items( traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535), traffic_selector_create_from_string(IPPROTO_UDP, TS_IPV4_ADDR_RANGE, "10.1.0.1", 1234, "10.1.0.99", 1235), NULL); - verify_list("10.1.0.0/16 10.1.0.1..10.1.0.99[udp/1234-1235] ", "10.1.0.0/16 10.1.0.1..10.1.0.99[17/1234-1235] ", list); + verify_list("10.1.0.0/16 10.1.0.1..10.1.0.99[udp/1234-1235]", "10.1.0.0/16 10.1.0.1..10.1.0.99[17/1234-1235]", list); } END_TEST diff --git a/src/libstrongswan/tests/suites/test_utils.c b/src/libstrongswan/tests/suites/test_utils.c index b38f2cb52..104b0b2c0 100644 --- a/src/libstrongswan/tests/suites/test_utils.c +++ b/src/libstrongswan/tests/suites/test_utils.c @@ -789,9 +789,9 @@ static struct { {KEY_ECDSA, 256, { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_WITH_SHA384_DER, SIGN_ECDSA_WITH_SHA512_DER, SIGN_UNKNOWN }}, {KEY_ECDSA, 384, { SIGN_ECDSA_WITH_SHA384_DER, SIGN_ECDSA_WITH_SHA512_DER, SIGN_UNKNOWN }}, {KEY_ECDSA, 512, { SIGN_ECDSA_WITH_SHA512_DER, SIGN_UNKNOWN }}, - {KEY_BLISS, 128, { SIGN_BLISS_WITH_SHA256, SIGN_BLISS_WITH_SHA384, SIGN_BLISS_WITH_SHA512, SIGN_UNKNOWN }}, - {KEY_BLISS, 192, { SIGN_BLISS_WITH_SHA384, SIGN_BLISS_WITH_SHA512, SIGN_UNKNOWN }}, - {KEY_BLISS, 256, { SIGN_BLISS_WITH_SHA512, SIGN_UNKNOWN }}, + {KEY_BLISS, 128, { SIGN_BLISS_WITH_SHA2_256, SIGN_BLISS_WITH_SHA2_384, SIGN_BLISS_WITH_SHA2_512, SIGN_UNKNOWN }}, + {KEY_BLISS, 192, { SIGN_BLISS_WITH_SHA2_384, SIGN_BLISS_WITH_SHA2_512, SIGN_UNKNOWN }}, + {KEY_BLISS, 256, { SIGN_BLISS_WITH_SHA2_512, SIGN_UNKNOWN }}, }; START_TEST(test_signature_schemes_for_key) diff --git a/src/libstrongswan/utils/compat/android.h b/src/libstrongswan/utils/compat/android.h new file mode 100644 index 000000000..b3ea9c475 --- /dev/null +++ b/src/libstrongswan/utils/compat/android.h @@ -0,0 +1,31 @@ +/* + * Copyright (C) 2010-2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup android android + * @{ @ingroup compat + */ + +#ifndef ANDROID_H_ +#define ANDROID_H_ + +/* stuff defined in AndroidConfig.h, which is included using the -include + * command-line option, thus cannot be undefined using -U CFLAGS options. + * the reason we have to undefine these flags in the first place, is that + * AndroidConfig.h defines them as 0, which in turn means that they are + * actually defined. */ +#undef HAVE_BACKTRACE + +#endif /** ANDROID_H_ @}*/ diff --git a/src/libstrongswan/utils/compat/windows.h b/src/libstrongswan/utils/compat/windows.h index fd4f1f196..f7e6207a5 100644 --- a/src/libstrongswan/utils/compat/windows.h +++ b/src/libstrongswan/utils/compat/windows.h @@ -220,6 +220,11 @@ static inline int setenv(const char *name, const char *value, int overwrite) */ #define RTLD_LAZY 1 +/** + * Immediate binding, ignored on Windows + */ +#define RTLD_NOW 2 + /** * Default handle targeting .exe */ diff --git a/src/libstrongswan/utils/utils.c b/src/libstrongswan/utils/utils.c index b4a4db802..47d72ee98 100644 --- a/src/libstrongswan/utils/utils.c +++ b/src/libstrongswan/utils/utils.c @@ -20,6 +20,7 @@ #include #include #include +#include #ifndef WIN32 # include #endif @@ -117,17 +118,35 @@ void wait_sigint() void wait_sigint() { sigset_t set; - int sig; sigemptyset(&set); sigaddset(&set, SIGINT); sigaddset(&set, SIGTERM); sigprocmask(SIG_BLOCK, &set, NULL); - sigwait(&set, &sig); + sigwaitinfo(&set, NULL); } -#endif +#ifndef HAVE_SIGWAITINFO +int sigwaitinfo(const sigset_t *set, void *info) +{ + int sig, err; + + if (info) + { /* we don't replicate siginfo_t, fail if anybody tries to use it */ + errno = EINVAL; + return -1; + } + err = sigwait(set, &sig); + if (err != 0) + { + errno = err; + sig = -1; + } + return sig; +} +#endif /* HAVE_SIGWAITINFO */ +#endif /* WIN32 */ #ifndef HAVE_CLOSEFROM /** diff --git a/src/libstrongswan/utils/utils.h b/src/libstrongswan/utils/utils.h index acc15c42a..18b17b120 100644 --- a/src/libstrongswan/utils/utils.h +++ b/src/libstrongswan/utils/utils.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2008-2015 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -38,6 +38,7 @@ # include # include # include +# include #endif #include "utils/types.h" @@ -56,6 +57,9 @@ #ifdef __APPLE__ # include "compat/apple.h" #endif +#ifdef __ANDROID__ +# include "compat/android.h" +#endif /** * Initialize utility functions @@ -148,6 +152,19 @@ void utils_deinit(); */ #define ignore_result(call) { if(call){}; } +#if !defined(HAVE_SIGWAITINFO) && !defined(WIN32) +/** + * Block and wait for a set of signals + * + * We don't replicate the functionality of siginfo_t. If info is not NULL + * -1 is returend and errno is set to EINVAL. + * + * @param set set of signals to wait for + * @param info must be NULL + */ +int sigwaitinfo(const sigset_t *set, void *info); +#endif + /** * Portable function to wait for SIGINT/SIGTERM (or equivalent). */ diff --git a/src/libtnccs/plugins/tnc_imc/tnc_imc.c b/src/libtnccs/plugins/tnc_imc/tnc_imc.c index 623da7f62..822df3f27 100644 --- a/src/libtnccs/plugins/tnc_imc/tnc_imc.c +++ b/src/libtnccs/plugins/tnc_imc/tnc_imc.c @@ -349,10 +349,16 @@ static private_tnc_imc_t* tnc_imc_create_empty(char *name) imc_t* tnc_imc_create(char *name, char *path) { private_tnc_imc_t *this; + int flag = RTLD_LAZY; this = tnc_imc_create_empty(name); - this->handle = dlopen(path, RTLD_LAZY); + if (lib->settings->get_bool(lib->settings, "%s.dlopen_use_rtld_now", + lib->ns, FALSE)) + { + flag = RTLD_NOW; + } + this->handle = dlopen(path, flag); if (!this->handle) { DBG1(DBG_TNC, "IMC \"%s\" failed to load: %s", name, dlerror()); diff --git a/src/libtnccs/plugins/tnc_imv/tnc_imv.c b/src/libtnccs/plugins/tnc_imv/tnc_imv.c index 039f1fcf1..9a0304172 100644 --- a/src/libtnccs/plugins/tnc_imv/tnc_imv.c +++ b/src/libtnccs/plugins/tnc_imv/tnc_imv.c @@ -345,10 +345,16 @@ static private_tnc_imv_t* tnc_imv_create_empty(char *name) imv_t* tnc_imv_create(char *name, char *path) { private_tnc_imv_t *this; + int flag = RTLD_LAZY; this = tnc_imv_create_empty(name); - this->handle = dlopen(path, RTLD_LAZY); + if (lib->settings->get_bool(lib->settings, "%s.dlopen_use_rtld_now", + lib->ns, FALSE)) + { + flag = RTLD_NOW; + } + this->handle = dlopen(path, flag); if (!this->handle) { DBG1(DBG_TNC, "IMV \"%s\" failed to load: %s", name, dlerror()); diff --git a/src/medsrv/Makefile.am b/src/medsrv/Makefile.am index 94ab0cf67..bee7ae1f0 100644 --- a/src/medsrv/Makefile.am +++ b/src/medsrv/Makefile.am @@ -35,11 +35,11 @@ templates/peer/list.cs medsrv_templates_staticdir = ${medsrv_templatesdir}/static medsrv_templates_static_DATA = templates/header.cs templates/footer.cs \ templates/static/style.css templates/static/strongswan.png \ -templates/static/favicon.ico templates/static/mootools.js templates/static/script.js +templates/static/favicon.ico EXTRA_DIST = templates/header.cs templates/footer.cs \ templates/static/style.css templates/static/strongswan.png \ -templates/static/favicon.ico templates/static/mootools.js templates/static/script.js \ +templates/static/favicon.ico \ templates/peer/add.cs templates/peer/edit.cs templates/peer/list.cs \ templates/user/login.cs templates/user/add.cs templates/user/edit.cs \ templates/user/help.cs diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in index 7265457f1..42830e186 100644 --- a/src/medsrv/Makefile.in +++ b/src/medsrv/Makefile.in @@ -466,11 +466,11 @@ templates/peer/list.cs medsrv_templates_staticdir = ${medsrv_templatesdir}/static medsrv_templates_static_DATA = templates/header.cs templates/footer.cs \ templates/static/style.css templates/static/strongswan.png \ -templates/static/favicon.ico templates/static/mootools.js templates/static/script.js +templates/static/favicon.ico EXTRA_DIST = templates/header.cs templates/footer.cs \ templates/static/style.css templates/static/strongswan.png \ -templates/static/favicon.ico templates/static/mootools.js templates/static/script.js \ +templates/static/favicon.ico \ templates/peer/add.cs templates/peer/edit.cs templates/peer/list.cs \ templates/user/login.cs templates/user/add.cs templates/user/edit.cs \ templates/user/help.cs diff --git a/src/medsrv/templates/peer/add.cs b/src/medsrv/templates/peer/add.cs index 28a994f7f..27fdf0685 100644 --- a/src/medsrv/templates/peer/add.cs +++ b/src/medsrv/templates/peer/add.cs @@ -6,7 +6,7 @@ - + diff --git a/src/medsrv/templates/peer/edit.cs b/src/medsrv/templates/peer/edit.cs index 76fb9dafc..942762b49 100644 --- a/src/medsrv/templates/peer/edit.cs +++ b/src/medsrv/templates/peer/edit.cs @@ -6,7 +6,7 @@
- + diff --git a/src/medsrv/templates/static/mootools.js b/src/medsrv/templates/static/mootools.js deleted file mode 100644 index d953a1c06..000000000 --- a/src/medsrv/templates/static/mootools.js +++ /dev/null @@ -1,341 +0,0 @@ -//MooTools, , My Object Oriented (JavaScript) Tools. Copyright (c) 2006-2008 Valerio Proietti, , MIT Style License. - -var MooTools={version:"1.2dev",build:""};var Native=function(J){J=J||{};var F=J.afterImplement||function(){};var G=J.generics;G=(G!==false);var H=J.legacy; -var E=J.initialize;var B=J.protect;var A=J.name;var C=E||H;C.constructor=Native;C.$family={name:"native"};if(H&&E){C.prototype=H.prototype;}C.prototype.constructor=C; -if(A){var D=A.toLowerCase();C.prototype.$family={name:D};Native.typize(C,D);}var I=function(M,K,N,L){if(!B||L||!M.prototype[K]){M.prototype[K]=N;}if(G){Native.genericize(M,K,B); -}F.call(M,K,N);return M;};C.implement=function(L,K,N){if(typeof L=="string"){return I(this,L,K,N);}for(var M in L){I(this,M,L[M],K);}return this;};C.alias=function(M,K,N){if(typeof M=="string"){M=this.prototype[M]; -if(M){I(this,K,M,N);}}else{for(var L in M){this.alias(L,M[L],K);}}return this;};return C;};Native.implement=function(D,C){for(var B=0,A=D.length;B-1:this.indexOf(A)>-1;},trim:function(){return this.replace(/^\s+|\s+$/g,"");},clean:function(){return this.replace(/\s+/g," ").trim(); -},camelCase:function(){return this.replace(/-\D/g,function(A){return A.charAt(1).toUpperCase();});},hyphenate:function(){return this.replace(/[A-Z]/g,function(A){return("-"+A.charAt(0).toLowerCase()); -});},capitalize:function(){return this.replace(/\b[a-z]/g,function(A){return A.toUpperCase();});},escapeRegExp:function(){return this.replace(/([-.*+?^${}()|[\]\/\\])/g,"\\$1"); -},toInt:function(A){return parseInt(this,A||10);},toFloat:function(){return parseFloat(this);},hexToRgb:function(B){var A=this.match(/^#?(\w{1,2})(\w{1,2})(\w{1,2})$/); -return(A)?A.slice(1).hexToRgb(B):null;},rgbToHex:function(B){var A=this.match(/\d{1,3}/g);return(A)?A.rgbToHex(B):null;},stripScripts:function(B){var A=""; -var C=this.replace(/]*>([\s\S]*?)<\/script>/gi,function(){A+=arguments[1]+"\n";return"";});if(B===true){$exec(A);}else{if($type(B)=="function"){B(A,C); -}}return C;},substitute:function(A,B){return this.replace(B||(/\\?\{([^}]+)\}/g),function(D,C){if(D.charAt(0)=="\\"){return D.slice(1);}return(A[C]!=undefined)?A[C]:""; -});}});Hash.implement({has:Object.prototype.hasOwnProperty,keyOf:function(B){for(var A in this){if(this.hasOwnProperty(A)&&this[A]===B){return A;}}return null; -},hasValue:function(A){return(Hash.keyOf(this,A)!==null);},extend:function(A){Hash.each(A,function(C,B){Hash.set(this,B,C);},this);return this;},combine:function(A){Hash.each(A,function(C,B){Hash.include(this,B,C); -},this);return this;},erase:function(A){if(this.hasOwnProperty(A)){delete this[A];}return this;},get:function(A){return(this.hasOwnProperty(A))?this[A]:null; -},set:function(A,B){if(!this[A]||this.hasOwnProperty(A)){this[A]=B;}return this;},empty:function(){Hash.each(this,function(B,A){delete this[A];},this); -return this;},include:function(B,C){var A=this[B];if(A==undefined){this[B]=C;}return this;},map:function(B,C){var A=new Hash;Hash.each(this,function(E,D){A.set(D,B.call(C,E,D,this)); -},this);return A;},filter:function(B,C){var A=new Hash;Hash.each(this,function(E,D){if(B.call(C,E,D,this)){A.set(D,E);}},this);return A;},every:function(B,C){for(var A in this){if(this.hasOwnProperty(A)&&!B.call(C,this[A],A)){return false; -}}return true;},some:function(B,C){for(var A in this){if(this.hasOwnProperty(A)&&B.call(C,this[A],A)){return true;}}return false;},getKeys:function(){var A=[]; -Hash.each(this,function(C,B){A.push(B);});return A;},getValues:function(){var A=[];Hash.each(this,function(B){A.push(B);});return A;},toQueryString:function(A){var B=[]; -Hash.each(this,function(F,E){if(A){E=A+"["+E+"]";}var D;switch($type(F)){case"object":D=Hash.toQueryString(F,E);break;case"array":var C={};F.each(function(H,G){C[G]=H; -});D=Hash.toQueryString(C,E);break;default:D=E+"="+encodeURIComponent(F);}if(F!=undefined){B.push(D);}});return B.join("&");}});Hash.alias({keyOf:"indexOf",hasValue:"contains"}); -var Event=new Native({name:"Event",initialize:function(A,F){F=F||window;var K=F.document;A=A||F.event;if(A.$extended){return A;}this.$extended=true;var J=A.type; -var G=A.target||A.srcElement;while(G&&G.nodeType==3){G=G.parentNode;}if(J.test(/key/)){var B=A.which||A.keyCode;var M=Event.Keys.keyOf(B);if(J=="keydown"){var D=B-111; -if(D>0&&D<13){M="f"+D;}}M=M||String.fromCharCode(B).toLowerCase();}else{if(J.match(/(click|mouse|menu)/i)){K=(!K.compatMode||K.compatMode=="CSS1Compat")?K.html:K.body; -var I={x:A.pageX||A.clientX+K.scrollLeft,y:A.pageY||A.clientY+K.scrollTop};var C={x:(A.pageX)?A.pageX-F.pageXOffset:A.clientX,y:(A.pageY)?A.pageY-F.pageYOffset:A.clientY}; -if(J.match(/DOMMouseScroll|mousewheel/)){var H=(A.wheelDelta)?A.wheelDelta/120:-(A.detail||0)/3;}var E=(A.which==3)||(A.button==2);var L=null;if(J.match(/over|out/)){switch(J){case"mouseover":L=A.relatedTarget||A.fromElement; -break;case"mouseout":L=A.relatedTarget||A.toElement;}if(!(function(){while(L&&L.nodeType==3){L=L.parentNode;}return true;}).create({attempt:Browser.Engine.gecko})()){L=false; -}}}}return $extend(this,{event:A,type:J,page:I,client:C,rightClick:E,wheel:H,relatedTarget:L,target:G,code:B,key:M,shift:A.shiftKey,control:A.ctrlKey,alt:A.altKey,meta:A.metaKey}); -}});Event.Keys=new Hash({enter:13,up:38,down:40,left:37,right:39,esc:27,space:32,backspace:8,tab:9,"delete":46});Event.implement({stop:function(){return this.stopPropagation().preventDefault(); -},stopPropagation:function(){if(this.event.stopPropagation){this.event.stopPropagation();}else{this.event.cancelBubble=true;}return this;},preventDefault:function(){if(this.event.preventDefault){this.event.preventDefault(); -}else{this.event.returnValue=false;}return this;}});var Class=new Native({name:"Class",initialize:function(B){B=B||{};var A=function(E){for(var D in this){this[D]=$unlink(this[D]); -}for(var F in Class.Mutators){if(!this[F]){continue;}Class.Mutators[F](this,this[F]);delete this[F];}this.constructor=A;if(E===$empty){return this;}var C=(this.initialize)?this.initialize.apply(this,arguments):this; -if(this.options&&this.options.initialize){this.options.initialize.call(this);}return C;};$extend(A,this);A.constructor=Class;A.prototype=B;return A;}}); -Class.implement({implement:function(){Class.Mutators.Implements(this.prototype,Array.slice(arguments));return this;}});Class.Mutators={Implements:function(A,B){$splat(B).each(function(C){$extend(A,($type(C)=="class")?new C($empty):C); -});},Extends:function(self,klass){var instance=new klass($empty);delete instance.parent;delete instance.parentOf;for(var key in instance){var current=self[key],previous=instance[key]; -if(current==undefined){self[key]=previous;continue;}var ctype=$type(current),ptype=$type(previous);if(ctype!=ptype){continue;}switch(ctype){case"function":if(!arguments.callee.caller){self[key]=eval("("+String(current).replace(/\bthis\.parent\(\s*(\))?/g,function(full,close){return"arguments.callee._parent_.call(this"+(close||", "); -})+")");}self[key]._parent_=previous;break;case"object":self[key]=$merge(previous,current);}}self.parent=function(){return arguments.callee.caller._parent_.apply(this,arguments); -};self.parentOf=function(descendant){return descendant._parent_.apply(this,Array.slice(arguments,1));};}};var Chain=new Class({chain:function(){this.$chain=(this.$chain||[]).extend(arguments); -return this;},callChain:function(){return(this.$chain&&this.$chain.length)?this.$chain.shift().apply(this,arguments):false;},clearChain:function(){if(this.$chain){this.$chain.empty(); -}return this;}});var Events=new Class({addEvent:function(C,B,A){C=Events.removeOn(C);if(B!=$empty){this.$events=this.$events||{};this.$events[C]=this.$events[C]||[]; -this.$events[C].include(B);if(A){B.internal=true;}}return this;},addEvents:function(A){for(var B in A){this.addEvent(B,A[B]);}return this;},fireEvent:function(C,B,A){C=Events.removeOn(C); -if(!this.$events||!this.$events[C]){return this;}this.$events[C].each(function(D){D.create({bind:this,delay:A,"arguments":B})();},this);return this;},removeEvent:function(B,A){B=Events.removeOn(B); -if(!this.$events||!this.$events[B]){return this;}if(!A.internal){this.$events[B].erase(A);}return this;},removeEvents:function(C){for(var D in this.$events){if(C&&C!=D){continue; -}var B=this.$events[D];for(var A=B.length;A--;A){this.removeEvent(D,B[A]);}}return this;}});Events.removeOn=function(A){return A.replace(/^on([A-Z])/,function(B,C){return C.toLowerCase(); -});};var Options=new Class({setOptions:function(){this.options=$merge.run([this.options].extend(arguments));if(!this.addEvent){return this;}for(var A in this.options){if($type(this.options[A])!="function"||!(/^on[A-Z]/).test(A)){continue; -}this.addEvent(A,this.options[A]);delete this.options[A];}return this;}});Document.implement({newElement:function(A,B){if(Browser.Engine.trident&&B){["name","type","checked"].each(function(C){if(!B[C]){return ; -}A+=" "+C+'="'+B[C]+'"';if(C!="checked"){delete B[C];}});A="<"+A+">";}return $.element(this.createElement(A)).set(B);},newTextNode:function(A){return this.createTextNode(A); -},getDocument:function(){return this;},getWindow:function(){return this.defaultView||this.parentWindow;},purge:function(){var C=this.getElementsByTagName("*"); -for(var B=0,A=C.length;B1);A.each(function(E){var F=this.getElementsByTagName(E.trim());(B)?C.extend(F):C=F;},this);return new Elements(C,{ddup:B,cash:!D}); -}});Element.Storage={get:function(A){return(this[A]||(this[A]={}));}};Element.Inserters=new Hash({before:function(B,A){if(A.parentNode){A.parentNode.insertBefore(B,A); -}},after:function(B,A){if(!A.parentNode){return ;}var C=A.nextSibling;(C)?A.parentNode.insertBefore(B,C):A.parentNode.appendChild(B);},bottom:function(B,A){A.appendChild(B); -},top:function(B,A){var C=A.firstChild;(C)?A.insertBefore(B,C):A.appendChild(B);}});Element.Inserters.inside=Element.Inserters.bottom;Element.Inserters.each(function(C,B){var A=B.capitalize(); -Element.implement("inject"+A,function(D){C(this,$(D,true));return this;});Element.implement("grab"+A,function(D){C($(D,true),this);return this;});});Element.implement({getDocument:function(){return this.ownerDocument; -},getWindow:function(){return this.ownerDocument.getWindow();},getElementById:function(D,C){var B=this.ownerDocument.getElementById(D);if(!B){return null; -}for(var A=B.parentNode;A!=this;A=A.parentNode){if(!A){return null;}}return $.element(B,C);},set:function(D,B){switch($type(D)){case"object":for(var C in D){this.set(C,D[C]); -}break;case"string":var A=Element.Properties.get(D);(A&&A.set)?A.set.apply(this,Array.slice(arguments,1)):this.setProperty(D,B);}return this;},get:function(B){var A=Element.Properties.get(B); -return(A&&A.get)?A.get.apply(this,Array.slice(arguments,1)):this.getProperty(B);},erase:function(B){var A=Element.Properties.get(B);(A&&A.erase)?A.erase.apply(this,Array.slice(arguments,1)):this.removeProperty(B); -return this;},match:function(A){return(!A||Element.get(this,"tag")==A);},inject:function(B,A){Element.Inserters.get(A||"bottom")(this,$(B,true));return this; -},wraps:function(B,A){B=$(B,true);return this.replaces(B).grab(B,A);},grab:function(B,A){Element.Inserters.get(A||"bottom")($(B,true),this);return this; -},appendText:function(B,A){return this.grab(this.getDocument().newTextNode(B),A);},adopt:function(){Array.flatten(arguments).each(function(A){A=$(A,true); -if(A){this.appendChild(A);}},this);return this;},dispose:function(){return(this.parentNode)?this.parentNode.removeChild(this):this;},clone:function(D,C){switch($type(this)){case"element":var H={}; -for(var G=0,E=this.attributes.length;G1),cash:!G});}});Element.implement({match:function(B){if(!B){return true;}var D=Selectors.Utils.parseTagAndID(B); -var A=D[0],E=D[1];if(!Selectors.Filters.byID(this,E)||!Selectors.Filters.byTag(this,A)){return false;}var C=Selectors.Utils.parseSelector(B);return(C)?Selectors.Utils.filter(this,C,{}):true; -}});var Selectors={Cache:{nth:{},parsed:{}}};Selectors.RegExps={id:(/#([\w-]+)/),tag:(/^(\w+|\*)/),quick:(/^(\w+|\*)$/),splitter:(/\s*([+>~\s])\s*([a-zA-Z#.*:\[])/g),combined:(/\.([\w-]+)|\[(\w+)(?:([!*^$~|]?=)["']?(.*?)["']?)?\]|:([\w-]+)(?:\(["']?(.*?)?["']?\)|$)/g)}; -Selectors.Utils={chk:function(B,C){if(!C){return true;}var A=$uid(B);if(!C[A]){return C[A]=true;}return false;},parseNthArgument:function(F){if(Selectors.Cache.nth[F]){return Selectors.Cache.nth[F]; -}var C=F.match(/^([+-]?\d*)?([a-z]+)?([+-]?\d*)?$/);if(!C){return false;}var E=parseInt(C[1]);var B=(E||E===0)?E:1;var D=C[2]||false;var A=parseInt(C[3])||0; -if(B!=0){A--;while(A<1){A+=B;}while(A>=B){A-=B;}}else{B=A;D="index";}switch(D){case"n":C={a:B,b:A,special:"n"};break;case"odd":C={a:2,b:0,special:"n"}; -break;case"even":C={a:2,b:1,special:"n"};break;case"first":C={a:0,special:"index"};break;case"last":C={special:"last-child"};break;case"only":C={special:"only-child"}; -break;default:C={a:(B-1),special:"index"};}return Selectors.Cache.nth[F]=C;},parseSelector:function(E){if(Selectors.Cache.parsed[E]){return Selectors.Cache.parsed[E]; -}var D,H={classes:[],pseudos:[],attributes:[]};while((D=Selectors.RegExps.combined.exec(E))){var I=D[1],G=D[2],F=D[3],B=D[4],C=D[5],J=D[6];if(I){H.classes.push(I); -}else{if(C){var A=Selectors.Pseudo.get(C);if(A){H.pseudos.push({parser:A,argument:J});}else{H.attributes.push({name:C,operator:"=",value:J});}}else{if(G){H.attributes.push({name:G,operator:F,value:B}); -}}}}if(!H.classes.length){delete H.classes;}if(!H.attributes.length){delete H.attributes;}if(!H.pseudos.length){delete H.pseudos;}if(!H.classes&&!H.attributes&&!H.pseudos){H=null; -}return Selectors.Cache.parsed[E]=H;},parseTagAndID:function(B){var A=B.match(Selectors.RegExps.tag);var C=B.match(Selectors.RegExps.id);return[(A)?A[1]:"*",(C)?C[1]:false]; -},filter:function(F,C,E){var D;if(C.classes){for(D=C.classes.length;D--;D){var G=C.classes[D];if(!Selectors.Filters.byClass(F,G)){return false;}}}if(C.attributes){for(D=C.attributes.length; -D--;D){var B=C.attributes[D];if(!Selectors.Filters.byAttribute(F,B.name,B.operator,B.value)){return false;}}}if(C.pseudos){for(D=C.pseudos.length;D--;D){var A=C.pseudos[D]; -if(!Selectors.Filters.byPseudo(F,A.parser,A.argument,E)){return false;}}}return true;},getByTagAndID:function(B,A,D){if(D){var C=(B.getElementById)?B.getElementById(D,true):Element.getElementById(B,D,true); -return(C&&Selectors.Filters.byTag(C,A))?[C]:[];}else{return B.getElementsByTagName(A);}},search:function(J,I,O){var B=[];var C=I.trim().replace(Selectors.RegExps.splitter,function(Z,Y,X){B.push(Y); -return":)"+X;}).split(":)");var K,F,E,V;for(var U=0,Q=C.length;U":function(H,G,I,A,F){var C=Selectors.Utils.getByTagAndID(G,I,A);for(var E=0,D=C.length;EA){return false; -}}return(C==A);},even:function(B,A){return Selectors.Pseudo["nth-child"].call(this,"2n+1",A);},odd:function(B,A){return Selectors.Pseudo["nth-child"].call(this,"2n",A); -}});Element.Events.domready={onAdd:function(A){if(Browser.loaded){A.call(this);}}};(function(){var B=function(){if(Browser.loaded){return ;}Browser.loaded=true; -window.fireEvent("domready");document.fireEvent("domready");};switch(Browser.Engine.name){case"webkit":(function(){(["loaded","complete"].contains(document.readyState))?B():arguments.callee.delay(50); -})();break;case"trident":var A=document.createElement("div");(function(){($try(function(){A.doScroll("left");return $(A).inject(document.body).set("html","temp").dispose(); -}))?B():arguments.callee.delay(50);})();break;default:window.addEvent("load",B);document.addEvent("DOMContentLoaded",B);}})();var JSON=new Hash({encode:function(B){switch($type(B)){case"string":return'"'+B.replace(/[\x00-\x1f\\"]/g,JSON.$replaceChars)+'"'; -case"array":return"["+String(B.map(JSON.encode).filter($defined))+"]";case"object":case"hash":var A=[];Hash.each(B,function(E,D){var C=JSON.encode(E);if(C){A.push(JSON.encode(D)+":"+C); -}});return"{"+A+"}";case"number":case"boolean":return String(B);case false:return"null";}return null;},$specialChars:{"\b":"\\b","\t":"\\t","\n":"\\n","\f":"\\f","\r":"\\r",'"':'\\"',"\\":"\\\\"},$replaceChars:function(A){return JSON.$specialChars[A]||"\\u00"+Math.floor(A.charCodeAt()/16).toString(16)+(A.charCodeAt()%16).toString(16); -},decode:function(string,secure){if($type(string)!="string"||!string.length){return null;}if(secure&&!(/^[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]*$/).test(string.replace(/\\./g,"@").replace(/"[^"\\\n\r]*"/g,""))){return null; -}return eval("("+string+")");}});Native.implement([Hash,Array,String,Number],{toJSON:function(){return JSON.encode(this);}});var Cookie=new Class({Implements:Options,options:{path:false,domain:false,duration:false,secure:false,document:document},initialize:function(B,A){this.key=B; -this.setOptions(A);},write:function(B){B=encodeURIComponent(B);if(this.options.domain){B+="; domain="+this.options.domain;}if(this.options.path){B+="; path="+this.options.path; -}if(this.options.duration){var A=new Date();A.setTime(A.getTime()+this.options.duration*24*60*60*1000);B+="; expires="+A.toGMTString();}if(this.options.secure){B+="; secure"; -}this.options.document.cookie=this.key+"="+B;return this;},read:function(){var A=this.options.document.cookie.match("(?:^|;)\\s*"+this.key.escapeRegExp()+"=([^;]*)"); -return(A)?decodeURIComponent(A[1]):null;},dispose:function(){new Cookie(this.key,$merge(this.options,{duration:-1})).write("");return this;}});Cookie.write=function(B,C,A){return new Cookie(B,A).write(C); -};Cookie.read=function(A){return new Cookie(A).read();};Cookie.dispose=function(B,A){return new Cookie(B,A).dispose();};var Swiff=new Class({Implements:[Options],options:{id:null,height:1,width:1,container:null,properties:{},params:{quality:"high",allowScriptAccess:"always",wMode:"transparent",swLiveConnect:true},callBacks:{},vars:{}},toElement:function(){return this.object; -},initialize:function(L,M){this.instance="Swiff_"+$time();this.setOptions(M);M=this.options;var B=this.id=M.id||this.instance;var A=$(M.container);Swiff.CallBacks[this.instance]={}; -var E=M.params,G=M.vars,F=M.callBacks;var H=$extend({height:M.height,width:M.width},M.properties);var K=this;for(var D in F){Swiff.CallBacks[this.instance][D]=(function(N){return function(){return N.apply(K.object,arguments); -};})(F[D]);G[D]="Swiff.CallBacks."+this.instance+"."+D;}E.flashVars=Hash.toQueryString(G);if(Browser.Engine.trident){H.classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"; -E.movie=L;}else{H.type="application/x-shockwave-flash";H.data=L;}var J=''; -}}J+="";this.object=((A)?A.empty():new Element("div")).set("html",J).firstChild;},replaces:function(A){A=$(A,true);A.parentNode.replaceChild(this.toElement(),A); -return this;},inject:function(A){$(A,true).appendChild(this.toElement());return this;},remote:function(){return Swiff.remote.apply(Swiff,[this.toElement()].extend(arguments)); -}});Swiff.CallBacks={};Swiff.remote=function(obj,fn){var rs=obj.CallFunction(''+__flash__argumentsToXML(arguments,2)+""); -return eval(rs);};var Fx=new Class({Implements:[Chain,Events,Options],options:{fps:50,unit:false,duration:500,link:"ignore",transition:function(A){return -(Math.cos(Math.PI*A)-1)/2; -}},initialize:function(A){this.subject=this.subject||this;this.setOptions(A);this.options.duration=Fx.Durations[this.options.duration]||this.options.duration.toInt(); -var B=this.options.wait;if(B===false){this.options.link="cancel";}},step:function(){var A=$time();if(A=(7-4*B)/11){C=-Math.pow((11-6*B-11*D)/4,2)+A*A; -break;}}return C;},Elastic:function(B,A){return Math.pow(2,10*--B)*Math.cos(20*B*Math.PI*(A[0]||1)/3);}});["Quad","Cubic","Quart","Quint"].each(function(B,A){Fx.Transitions[B]=new Fx.Transition(function(C){return Math.pow(C,[A+2]); -});});var Request=new Class({Implements:[Chain,Events,Options],options:{url:"",data:"",headers:{"X-Requested-With":"XMLHttpRequest",Accept:"text/javascript, text/html, application/xml, text/xml, */*"},async:true,format:false,method:"post",link:"ignore",isSuccess:null,emulation:true,urlEncoded:true,encoding:"utf-8",evalScripts:false,evalResponse:false},initialize:function(A){this.xhr=new Browser.Request(); -this.setOptions(A);this.options.isSuccess=this.options.isSuccess||this.isSuccess;this.headers=new Hash(this.options.headers);},onStateChange:function(){if(this.xhr.readyState!=4||!this.running){return ; -}this.running=false;this.status=0;$try(function(){this.status=this.xhr.status;}.bind(this));if(this.options.isSuccess.call(this,this.status)){this.response={text:this.xhr.responseText,xml:this.xhr.responseXML}; -this.success(this.response.text,this.response.xml);}else{this.response={text:null,xml:null};this.failure();}this.xhr.onreadystatechange=$empty;},isSuccess:function(){return((this.status>=200)&&(this.status<300)); -},processScripts:function(A){if(this.options.evalResponse||(/(ecma|java)script/).test(this.getHeader("Content-type"))){return $exec(A);}return A.stripScripts(this.options.evalScripts); -},success:function(B,A){this.onSuccess(this.processScripts(B),A);},onSuccess:function(){this.fireEvent("complete",arguments).fireEvent("success",arguments).callChain(); -},failure:function(){this.onFailure();},onFailure:function(){this.fireEvent("complete").fireEvent("failure",this.xhr);},setHeader:function(A,B){this.headers.set(A,B); -return this;},getHeader:function(A){return $try(function(){return this.xhr.getResponseHeader(A);}.bind(this));},check:function(A){if(!this.running){return true; -}switch(this.options.link){case"cancel":this.cancel();return true;case"chain":this.chain(A.bind(this,Array.slice(arguments,1)));return false;}return false; -},send:function(I){if(!this.check(arguments.callee,I)){return this;}this.running=true;var G=$type(I);if(G=="string"||G=="element"){I={data:I};}var D=this.options; -I=$extend({data:D.data,url:D.url,method:D.method},I);var E=I.data,B=I.url,A=I.method;switch($type(E)){case"element":E=$(E).toQueryString();break;case"object":case"hash":E=Hash.toQueryString(E); -}if(this.options.format){var H="format="+this.options.format;E=(E)?H+"&"+E:H;}if(this.options.emulation&&["put","delete"].contains(A)){var F="_method="+A; -E=(E)?F+"&"+E:F;A="post";}if(this.options.urlEncoded&&A=="post"){var C=(this.options.encoding)?"; charset="+this.options.encoding:"";this.headers.set("Content-type","application/x-www-form-urlencoded"+C); -}if(E&&A=="get"){B=B+(B.contains("?")?"&":"?")+E;E=null;}this.xhr.open(A.toUpperCase(),B,this.options.async);this.xhr.onreadystatechange=this.onStateChange.bind(this); -this.headers.each(function(K,J){if(!$try(function(){this.xhr.setRequestHeader(J,K);return true;}.bind(this))){this.fireEvent("exception",[J,K]);}},this); -this.fireEvent("request");this.xhr.send(E);if(!this.options.async){this.onStateChange();}return this;},cancel:function(){if(!this.running){return this; -}this.running=false;this.xhr.abort();this.xhr.onreadystatechange=$empty;this.xhr=new Browser.Request();this.fireEvent("cancel");return this;}});(function(){var A={}; -["get","post","put","delete","GET","POST","PUT","DELETE"].each(function(B){A[B]=function(){var C=Array.link(arguments,{url:String.type,data:$defined}); -return this.send($extend(C,{method:B.toLowerCase()}));};});Request.implement(A);})();Element.Properties.send={set:function(A){var B=this.retrieve("send"); -if(B){B.cancel();}return this.eliminate("send").store("send:options",$extend({data:this,link:"cancel",method:this.get("method")||"post",url:this.get("action")},A)); -},get:function(A){if(A||!this.retrieve("send")){if(A||!this.retrieve("send:options")){this.set("send",A);}this.store("send",new Request(this.retrieve("send:options"))); -}return this.retrieve("send");}};Element.implement({send:function(A){var B=this.get("send");B.send({data:this,url:A||B.options.url});return this;}});Request.HTML=new Class({Extends:Request,options:{update:false,evalScripts:true,filter:false},processHTML:function(C){var B=C.match(/]*>([\s\S]*?)<\/body>/i); -C=(B)?B[1]:C;var A=new Element("div");return $try(function(){var D=""+C+"",G;if(Browser.Engine.trident){G=new ActiveXObject("Microsoft.XMLDOM"); -G.async=false;G.loadXML(D);}else{G=new DOMParser().parseFromString(D,"text/xml");}D=G.getElementsByTagName("root")[0];for(var F=0,E=D.childNodes.length; -F - + diff --git a/src/medsrv/templates/user/login.cs b/src/medsrv/templates/user/login.cs index 1d6eadbbc..fbf5b8bd7 100644 --- a/src/medsrv/templates/user/login.cs +++ b/src/medsrv/templates/user/login.cs @@ -6,7 +6,7 @@
- + diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c index 7099977f2..4f850d6d1 100644 --- a/src/pki/commands/acert.c +++ b/src/pki/commands/acert.c @@ -278,7 +278,8 @@ static void __attribute__ ((constructor))reg() {"[--in file] [--group name]* --issuerkey file|--issuerkeyid hex", " --issuercert file [--serial hex] [--lifetime hours]", " [--not-before datetime] [--not-after datetime] [--dateform form]", - "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, + "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", + "[--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "holder certificate, default: stdin"}, diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c index 2dc9fcce3..fdc43d705 100644 --- a/src/pki/commands/issue.c +++ b/src/pki/commands/issue.c @@ -588,7 +588,8 @@ static void __attribute__ ((constructor))reg() "[--nc-excluded name] [--policy-mapping issuer-oid:subject-oid]", "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]", "[--cert-policy oid [--cps-uri uri] [--user-notice text]]+", - "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, + "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", + "[--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "key/request file to issue, default: stdin"}, diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c index da991b505..68d611250 100644 --- a/src/pki/commands/req.c +++ b/src/pki/commands/req.c @@ -196,7 +196,8 @@ static void __attribute__ ((constructor))reg() "create a PKCS#10 certificate request", {" [--in file] [--type rsa|ecdsa|bliss] --dn distinguished-name", "[--san subjectAltName]+ [--password challengePassword]", - "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, + "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", + "[--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "private key input file, default: stdin"}, diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c index a785c2a0c..f4e83c76c 100644 --- a/src/pki/commands/self.c +++ b/src/pki/commands/self.c @@ -425,7 +425,8 @@ static void __attribute__ ((constructor))reg() "[--policy-map issuer-oid:subject-oid]", "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]", "[--cert-policy oid [--cps-uri uri] [--user-notice text]]+", - "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, + "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", + "[--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "private key input file, default: stdin"}, diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c index 720dfd8a9..6c27289f9 100644 --- a/src/pki/commands/signcrl.c +++ b/src/pki/commands/signcrl.c @@ -451,7 +451,7 @@ static void __attribute__ ((constructor))reg() " [[--reason key-compromise|ca-compromise|affiliation-changed|", " superseded|cessation-of-operation|certificate-hold]", " [--date timestamp] --cert file|--serial hex]*", - " [--digest md5|sha1|sha224|sha256|sha384|sha512]", + " [--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", " [--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, diff --git a/src/scepclient/scepclient.8 b/src/scepclient/scepclient.8 index bf71bf85c..78ce5c628 100644 --- a/src/scepclient/scepclient.8 +++ b/src/scepclient/scepclient.8 @@ -289,14 +289,5 @@ The challenge password is '5xH2pnT7wq'. The encryption and signature check has t caCert.der. .RE - .SH "BUGS" \fB\-\-optionsfrom\fP seems to have parsing problems reading option files containing strings in quotation marks. -.SH "COPYRIGHT" -Copyright (C) 2005 Jan Hutter, Martin Willi -.br -Hochschule fuer Technik Rapperswil -.PP -This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. See . -.PP -This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. diff --git a/src/swanctl/commands/list_pools.c b/src/swanctl/commands/list_pools.c index 155771657..429107e17 100644 --- a/src/swanctl/commands/list_pools.c +++ b/src/swanctl/commands/list_pools.c @@ -1,4 +1,7 @@ /* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * @@ -19,8 +22,22 @@ #include "command.h" +CALLBACK(list_leases, int, + char *pool, vici_res_t *res, char *name) +{ + if (streq(name, "leases")) + { + return vici_parse_cb(res, list_leases, NULL, NULL, pool); + } + printf(" %-30s %-8s '%s'\n", + vici_find_str(res, "", "%s.leases.%s.address", pool, name), + vici_find_str(res, "", "%s.leases.%s.status", pool, name), + vici_find_str(res, "", "%s.leases.%s.identity", pool, name)); + return 0; +} + CALLBACK(list_pool, int, - linked_list_t *list, vici_res_t *res, char *name) + void *not_used, vici_res_t *res, char *name) { char pool[64], leases[32]; @@ -33,7 +50,7 @@ CALLBACK(list_pool, int, printf("%-20s %-30s %16s\n", name, vici_find_str(res, "", "%s.base", name), leases); - return 0; + return vici_parse_cb(res, list_leases, NULL, NULL, name); } static int list_pools(vici_conn_t *conn) @@ -43,6 +60,7 @@ static int list_pools(vici_conn_t *conn) command_format_options_t format = COMMAND_FORMAT_NONE; char *arg; int ret = 0; + bool leases = FALSE; while (TRUE) { @@ -56,6 +74,9 @@ static int list_pools(vici_conn_t *conn) case 'r': format |= COMMAND_FORMAT_RAW; continue; + case 'l': + leases = TRUE; + continue; case EOF: break; default: @@ -65,6 +86,10 @@ static int list_pools(vici_conn_t *conn) } req = vici_begin("get-pools"); + if (leases) + { + vici_add_key_valuef(req, "leases", "yes"); + } res = vici_submit(req, conn); if (!res) { @@ -92,11 +117,12 @@ static void __attribute__ ((constructor))reg() { command_register((command_t) { list_pools, 'A', "list-pools", "list loaded pool configurations", - {"[--raw|--pretty]"}, + {"[--leases] [--raw|--pretty]"}, { {"help", 'h', 0, "show usage information"}, {"raw", 'r', 0, "dump raw response message"}, {"pretty", 'P', 0, "dump raw response message in pretty print"}, + {"leases", 'l', 0, "list leases of each pool"}, } }); } diff --git a/src/swanctl/commands/list_sas.c b/src/swanctl/commands/list_sas.c index 1aca6d212..93dd7ed85 100644 --- a/src/swanctl/commands/list_sas.c +++ b/src/swanctl/commands/list_sas.c @@ -198,8 +198,14 @@ CALLBACK(ike_sa, int, ike->get(ike, "state"), ike->get(ike, "version"), ike->get(ike, "initiator-spi"), ike->get(ike, "responder-spi")); - printf(" local '%s' @ %s\n", + printf(" local '%s' @ %s", ike->get(ike, "local-id"), ike->get(ike, "local-host")); + if (ike->get(ike, "local-vips")) + { + printf(" [%s]", ike->get(ike, "local-vips")); + } + printf("\n"); + printf(" remote '%s' @ %s", ike->get(ike, "remote-id"), ike->get(ike, "remote-host")); if (ike->get(ike, "remote-eap-id")) @@ -210,6 +216,10 @@ CALLBACK(ike_sa, int, { printf(" XAuth: '%s'", ike->get(ike, "remote-xauth-id")); } + if (ike->get(ike, "remote-vips")) + { + printf(" [%s]", ike->get(ike, "remote-vips")); + } printf("\n"); if (ike->get(ike, "encr-alg")) diff --git a/testing/do-tests b/testing/do-tests index c01152c7b..c87ba05a7 100755 --- a/testing/do-tests +++ b/testing/do-tests @@ -47,7 +47,6 @@ testnumber="0" failed_cnt="0" passed_cnt="0" - ############################################################################## # copy default tests to $BUILDDIR # @@ -105,6 +104,12 @@ do do_on_exit kill `eval echo \\\$ssh_pid_$host` done +############################################################################## +# determine actual software versions +# + +[ -f $SHAREDDIR/.strongswan-version ] && SWANVERSION=`cat $SHAREDDIR/.strongswan-version` +KERNELVERSION=`ssh $SSHCONF root@\$ipv4_winnetou uname -r 2>/dev/null` ############################################################################## # create header for the results html file @@ -131,7 +136,7 @@ ENVIRONMENT_HEADER=$(cat <<@EOF - + @EOF @@ -159,7 +164,8 @@ cat > $TESTRESULTSHTML <<@EOF - + + @EOF @@ -249,6 +255,8 @@ do testname=$SUBDIR/$name log_action " $testnumber $testname:" + teststart=$(date +%s) + if [ ! -d $DEFAULTTESTSDIR/${testname} ] then echo "is missing..skipped" @@ -329,8 +337,11 @@ do # copy test specific configurations to uml hosts and clear auth.log files # + DBDIR=/etc/db.d + $DIR/scripts/load-testconfig $testname unset RADIUSHOSTS + unset DBHOSTS unset IPV6 unset SWANCTL source $TESTDIR/test.conf @@ -355,6 +366,17 @@ do done fi + ########################################################################## + # create database directory in RAM + # + + for host in $DBHOSTS + do + eval HOSTLOGIN=root@\$ipv4_${host} + ssh $SSHCONF $HOSTLOGIN "mkdir -p $DBDIR; mount -t ramfs -o size=5m ramfs $DBDIR" >/dev/null 2>&1 + ssh $SSHCONF $HOSTLOGIN "chgrp www-data $DBDIR; chmod g+w $DBDIR" >/dev/null 2>&1 + done + ########################################################################## # flush conntrack table on all hosts # @@ -504,32 +526,20 @@ do scp $SSHCONF $HOSTLOGIN:/etc/strongswan.conf \ $TESTRESULTDIR/${host}.strongswan.conf > /dev/null 2>&1 - if [ -n "$SWANCTL" ] then scp $SSHCONF $HOSTLOGIN:/etc/swanctl/swanctl.conf \ $TESTRESULTDIR/${host}.swanctl.conf > /dev/null 2>&1 - ssh $SSHCONF $HOSTLOGIN swanctl --list-conns \ - > $TESTRESULTDIR/${host}.swanctl.conns 2>/dev/null + for subsys in conns certs pools authorities sas pols + do + ssh $SSHCONF $HOSTLOGIN swanctl --list-$subsys \ + > $TESTRESULTDIR/${host}.swanctl.$subsys 2>/dev/null + done - ssh $SSHCONF $HOSTLOGIN swanctl --list-certs \ - > $TESTRESULTDIR/${host}.swanctl.certs 2>/dev/null - - ssh $SSHCONF $HOSTLOGIN swanctl --list-pools \ - > $TESTRESULTDIR/${host}.swanctl.pools 2>/dev/null - - ssh $SSHCONF $HOSTLOGIN swanctl --list-authorities \ - > $TESTRESULTDIR/${host}.swanctl.authorities 2>/dev/null - - ssh $SSHCONF $HOSTLOGIN swanctl --list-sas \ - > $TESTRESULTDIR/${host}.swanctl.sas 2>/dev/null - - ssh $SSHCONF $HOSTLOGIN swanctl --list-pols \ - > $TESTRESULTDIR/${host}.swanctl.pols 2>/dev/null - - ssh $SSHCONF $HOSTLOGIN swanctl --stats \ - > $TESTRESULTDIR/${host}.swanctl.stats 2>/dev/null + # this is quite slow due to allocation stats via leak-detective + ssh $SSHCONF $HOSTLOGIN swanctl --stats \ + > $TESTRESULTDIR/${host}.swanctl.stats 2>/dev/null else for file in ipsec.conf ipsec.secrets do @@ -752,7 +762,7 @@ do for host in $IPSECHOSTS do eval HOSTLOGIN=root@\$ipv4_${host} - ssh $SSHCONF $HOSTLOGIN "grep -E 'charon|last message repeated|imcv|pt-tls-client' \ + ssh $SSHCONF $HOSTLOGIN "grep -s -E 'charon|last message repeated|imcv|pt-tls-client' \ /var/log/auth.log" >> $TESTRESULTDIR/${host}.auth.log done @@ -764,7 +774,7 @@ do for host in $IPSECHOSTS do eval HOSTLOGIN=root@\$ipv4_${host} - ssh $SSHCONF $HOSTLOGIN "grep -E 'charon|last message repeated|imcv' \ + ssh $SSHCONF $HOSTLOGIN "grep -s -E 'charon|last message repeated|imcv' \ /var/log/daemon.log" >> $TESTRESULTDIR/${host}.daemon.log done @@ -783,6 +793,15 @@ do fi done + ########################################################################## + # remove database directory if needed + # + + for host in $DBHOSTS + do + eval HOSTLOGIN=root@\$ipv4_${host} + ssh $SSHCONF $HOSTLOGIN "umount $DBDIR; rm -r $DBDIR" > /dev/null 2>&1 + done ########################################################################## # copy default host config back if necessary @@ -794,6 +813,9 @@ do ########################################################################## # write test status to html file # + testend=$(date +%s) + let "testend -= teststart" + let "timetotal += testend" if [ $STATUS = "passed" ] then @@ -808,8 +830,8 @@ do + - @EOF cat >> $SUBTESTSINDEX << @EOF @@ -851,6 +873,9 @@ cat >> $TESTRESULTSHTML << @EOF + + +
       
Number TestResultTime [s]Result
$testnumber $testname$testend $STATUS 
Failed$failed_cnt  
Time [s]$timetotal  
@@ -895,6 +920,6 @@ echo echo "The results are available in $TODAYDIR" echo "or via the link http://$ipv4_winnetou/testresults/$TESTDATE" -ENDDATE=`date +%Y%m%d-%H%M` +ENDDATE=`date +%Y%m%d-%H%M-%S` echo echo "Finished : $ENDDATE" diff --git a/testing/hosts/default/etc/strongswan.conf.testing b/testing/hosts/default/etc/strongswan.conf.testing new file mode 100644 index 000000000..55efbe7d1 --- /dev/null +++ b/testing/hosts/default/etc/strongswan.conf.testing @@ -0,0 +1,7 @@ +charon { + retransmit_tries = 2 + retransmit_timeout = 1.0 + retransmit_base = 1 +} + +include strongswan.conf \ No newline at end of file diff --git a/testing/hosts/winnetou/etc/openssl/generate-crl b/testing/hosts/winnetou/etc/openssl/generate-crl index f064bdb0b..842c3a1b2 100755 --- a/testing/hosts/winnetou/etc/openssl/generate-crl +++ b/testing/hosts/winnetou/etc/openssl/generate-crl @@ -45,5 +45,5 @@ openssl ca -gencrl -crldays 15 -config /etc/openssl/rfc3779/openssl.cnf -out crl openssl crl -in crl.pem -outform der -out strongswan_rfc3779.crl cp strongswan_rfc3779.crl ${ROOT} cd /etc/openssl/bliss -pki --signcrl --cacert strongswan_blissCert.der --cakey strongswan_blissKey.der --lifetime 30 --digest sha512 > strongswan_bliss.crl +pki --signcrl --cacert strongswan_blissCert.der --cakey strongswan_blissKey.der --lifetime 30 --digest sha3_512 > strongswan_bliss.crl cp strongswan_bliss.crl ${ROOT} diff --git a/testing/scripts/build-strongswan b/testing/scripts/build-strongswan index c52dddda8..8c6ecaafd 100755 --- a/testing/scripts/build-strongswan +++ b/testing/scripts/build-strongswan @@ -49,7 +49,21 @@ log_action "Mounting $SWANDIR as /root/strongswan" execute "bindfs -u $SRCUID -g $SRCGID $SWANDIR $LOOPDIR/root/strongswan" do_on_exit umount $LOOPDIR/root/strongswan +log_action "Remove SWID tags of previous versions" +execute_chroot 'find /usr/local/share/regid.2004-03.org.strongswan -name *.swidtag -delete' + echo "Building and installing strongSwan" + +log_action "Determine strongSwan version" +desc=`git -C $SWANDIR describe --dirty` +if [ $? -eq 0 ]; then + SWANVERSION="$desc (`git -C $SWANDIR rev-parse --abbrev-ref HEAD`)" +else + SWANVERSION="`cat $SWANDIR/configure.ac | sed -n '/^AC_INIT/{ s/.*,\[\(.*\)\])$/\1/p }'`" +fi +echo "$SWANVERSION" > $SHAREDDIR/.strongswan-version +log_status 0 + log_action "Preparing source tree" execute_chroot 'autoreconf -i /root/strongswan' diff --git a/testing/scripts/recipes/010_tkm.mk b/testing/scripts/recipes/010_tkm.mk index 5abd2178b..8799d424d 100644 --- a/testing/scripts/recipes/010_tkm.mk +++ b/testing/scripts/recipes/010_tkm.mk @@ -2,7 +2,7 @@ PKG = tkm SRC = http://git.codelabs.ch/git/$(PKG).git -REV = v0.1.2 +REV = v0.1.3 export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat diff --git a/testing/scripts/recipes/013_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk index 404c6c6bf..994acaa28 100644 --- a/testing/scripts/recipes/013_strongswan.mk +++ b/testing/scripts/recipes/013_strongswan.mk @@ -18,6 +18,7 @@ NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN) CONFIG_OPTS = \ --sysconfdir=/etc \ + --with-strongswan-conf=/etc/strongswan.conf.testing \ --with-random-device=/dev/urandom \ --disable-load-warning \ --enable-curl \ @@ -98,7 +99,8 @@ CONFIG_OPTS = \ --enable-ntru \ --enable-lookip \ --enable-swanctl \ - --enable-bliss + --enable-bliss \ + --enable-sha3 export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat @@ -109,6 +111,7 @@ $(TAR): $(PKG): $(TAR) tar xfj $(TAR) + echo "$(SWANVERSION)" > /root/shared/.strongswan-version configure: $(BUILDDIR) cd $(BUILDDIR) && $(DIR)/configure $(CONFIG_OPTS) diff --git a/testing/tests/af-alg/alg-camellia/pretest.dat b/testing/tests/af-alg/alg-camellia/pretest.dat index 886fdf55c..de4acbbf0 100644 --- a/testing/tests/af-alg/alg-camellia/pretest.dat +++ b/testing/tests/af-alg/alg-camellia/pretest.dat @@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/af-alg/rw-cert/pretest.dat b/testing/tests/af-alg/rw-cert/pretest.dat index c582e030d..855c273cc 100644 --- a/testing/tests/af-alg/rw-cert/pretest.dat +++ b/testing/tests/af-alg/rw-cert/pretest.dat @@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 3 +moon::expect-connection rw +carol::expect-connection home +dave::expect-connection home carol::ipsec up home -dave::ipsec up home +dave::ipsec up home \ No newline at end of file diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat index 1b8fc3b79..8230de058 100644 --- a/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat +++ b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat @@ -1,4 +1,4 @@ carol::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat index 1b8fc3b79..8230de058 100644 --- a/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat +++ b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat @@ -1,4 +1,4 @@ carol::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat index 886fdf55c..de4acbbf0 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat +++ b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat @@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat index c582e030d..f1a4b964c 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat +++ b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 3 +carol::expect-connection home +dave::expect-connection home carol::ipsec up home dave::ipsec up home diff --git a/testing/tests/ha/active-passive/evaltest.dat b/testing/tests/ha/active-passive/evaltest.dat index 448f283f1..9af5c4c02 100644 --- a/testing/tests/ha/active-passive/evaltest.dat +++ b/testing/tests/ha/active-passive/evaltest.dat @@ -16,7 +16,7 @@ dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES alice::ip xfrm policy flush::no output expected::NO alice::ip xfrm state flush::no output expected::NO alice::killall -9 starter charon::no output expected::NO -carol::sleep 3::no output expected::NO +carol::sleep 2::no output expected::NO moon:: cat /var/log/daemon.log::no heartbeat received, taking all segments::YES moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*mars.strongswan.org.*carol@strongswan.org::YES moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*mars.strongswan.org.*dave@strongswan.org::YES diff --git a/testing/tests/ha/active-passive/pretest.dat b/testing/tests/ha/active-passive/pretest.dat index d0efb76f7..2bdab2839 100644 --- a/testing/tests/ha/active-passive/pretest.dat +++ b/testing/tests/ha/active-passive/pretest.dat @@ -12,10 +12,11 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start alice::ipsec start moon::ipsec start -moon::sleep 2 +moon::sleep 2 alice::echo "+1" > /var/run/charon.ha carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home +dave::expect-connection home carol::ipsec up home dave::ipsec up home diff --git a/testing/tests/ha/both-active/pretest.dat b/testing/tests/ha/both-active/pretest.dat index 5ffc38766..f48873f62 100644 --- a/testing/tests/ha/both-active/pretest.dat +++ b/testing/tests/ha/both-active/pretest.dat @@ -14,6 +14,7 @@ alice::ipsec start alice::sleep 1 carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home +dave::expect-connection home carol::ipsec up home dave::ipsec up home diff --git a/testing/tests/ike/rw-cert/pretest.dat b/testing/tests/ike/rw-cert/pretest.dat index e50793830..f1af9ede5 100644 --- a/testing/tests/ike/rw-cert/pretest.dat +++ b/testing/tests/ike/rw-cert/pretest.dat @@ -1,7 +1,7 @@ moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home +dave::expect-connection home carol::ipsec up home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/ike/rw_v1-net_v2/pretest.dat b/testing/tests/ike/rw_v1-net_v2/pretest.dat index f61a4cb51..072d9ddeb 100644 --- a/testing/tests/ike/rw_v1-net_v2/pretest.dat +++ b/testing/tests/ike/rw_v1-net_v2/pretest.dat @@ -1,7 +1,7 @@ moon::ipsec start sun::ipsec start carol::ipsec start -moon::sleep 1 +moon::expect-connection net-net +carol::expect-connection home moon::ipsec up net-net carol::ipsec up home -moon::sleep 1 diff --git a/testing/tests/ikev1/alg-3des-md5/pretest.dat b/testing/tests/ikev1/alg-3des-md5/pretest.dat index 4fc25772b..de4acbbf0 100644 --- a/testing/tests/ikev1/alg-3des-md5/pretest.dat +++ b/testing/tests/ikev1/alg-3des-md5/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev1/alg-blowfish/pretest.dat b/testing/tests/ikev1/alg-blowfish/pretest.dat index 8bbea1412..f1a4b964c 100644 --- a/testing/tests/ikev1/alg-blowfish/pretest.dat +++ b/testing/tests/ikev1/alg-blowfish/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home +dave::expect-connection home carol::ipsec up home dave::ipsec up home diff --git a/testing/tests/ikev1/alg-modp-subgroup/pretest.dat b/testing/tests/ikev1/alg-modp-subgroup/pretest.dat index 8bbea1412..f1a4b964c 100644 --- a/testing/tests/ikev1/alg-modp-subgroup/pretest.dat +++ b/testing/tests/ikev1/alg-modp-subgroup/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home +dave::expect-connection home carol::ipsec up home dave::ipsec up home diff --git a/testing/tests/ikev1/alg-sha256/pretest.dat b/testing/tests/ikev1/alg-sha256/pretest.dat index 4fc25772b..de4acbbf0 100644 --- a/testing/tests/ikev1/alg-sha256/pretest.dat +++ b/testing/tests/ikev1/alg-sha256/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev1/alg-sha384/pretest.dat b/testing/tests/ikev1/alg-sha384/pretest.dat index 4fc25772b..de4acbbf0 100644 --- a/testing/tests/ikev1/alg-sha384/pretest.dat +++ b/testing/tests/ikev1/alg-sha384/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev1/alg-sha512/pretest.dat b/testing/tests/ikev1/alg-sha512/pretest.dat index 4fc25772b..de4acbbf0 100644 --- a/testing/tests/ikev1/alg-sha512/pretest.dat +++ b/testing/tests/ikev1/alg-sha512/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev1/compress/pretest.dat b/testing/tests/ikev1/compress/pretest.dat index f5aa989fe..8230de058 100644 --- a/testing/tests/ikev1/compress/pretest.dat +++ b/testing/tests/ikev1/compress/pretest.dat @@ -1,4 +1,4 @@ carol::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev1/config-payload-push/pretest.dat b/testing/tests/ikev1/config-payload-push/pretest.dat index 3864bdac3..c0ec6a7a4 100644 --- a/testing/tests/ikev1/config-payload-push/pretest.dat +++ b/testing/tests/ikev1/config-payload-push/pretest.dat @@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection home +dave::expect-connection home carol::ipsec up home dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev1/config-payload/pretest.dat b/testing/tests/ikev1/config-payload/pretest.dat index 3864bdac3..c0ec6a7a4 100644 --- a/testing/tests/ikev1/config-payload/pretest.dat +++ b/testing/tests/ikev1/config-payload/pretest.dat @@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection home +dave::expect-connection home carol::ipsec up home dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev1/double-nat-net/pretest.dat b/testing/tests/ikev1/double-nat-net/pretest.dat index 17a4fe5eb..d300a276f 100644 --- a/testing/tests/ikev1/double-nat-net/pretest.dat +++ b/testing/tests/ikev1/double-nat-net/pretest.dat @@ -7,6 +7,5 @@ sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-des sun::ip route add 10.1.0.0/16 via PH_IP_BOB alice::ipsec start bob::ipsec start -alice::sleep 2 +alice::expect-connection nat-t alice::ipsec up nat-t -alice::sleep 1 diff --git a/testing/tests/ikev1/double-nat/pretest.dat b/testing/tests/ikev1/double-nat/pretest.dat index 65f18b756..6a861d29f 100644 --- a/testing/tests/ikev1/double-nat/pretest.dat +++ b/testing/tests/ikev1/double-nat/pretest.dat @@ -6,6 +6,5 @@ sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-s sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB alice::ipsec start bob::ipsec start -alice::sleep 2 +alice::expect-connection nat-t alice::ipsec up nat-t -alice::sleep 1 diff --git a/testing/tests/ikev1/dpd-clear/description.txt b/testing/tests/ikev1/dpd-clear/description.txt index 7f62dc576..0fb2f1064 100644 --- a/testing/tests/ikev1/dpd-clear/description.txt +++ b/testing/tests/ikev1/dpd-clear/description.txt @@ -1,5 +1,5 @@ The roadwarrior carol sets up an IPsec tunnel connection to the gateway moon which in turn activates Dead Peer Detection (DPD) with a polling interval of 10 s. When the network connectivity between carol and moon is forcefully disrupted, -moon clears the connection after 4 unsuccessful retransmits. +moon clears the connection after a number of unsuccessful retransmits. diff --git a/testing/tests/ikev1/dpd-clear/evaltest.dat b/testing/tests/ikev1/dpd-clear/evaltest.dat index f6f18212c..8d4fa03a8 100644 --- a/testing/tests/ikev1/dpd-clear/evaltest.dat +++ b/testing/tests/ikev1/dpd-clear/evaltest.dat @@ -1,7 +1,7 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO -moon:: sleep 60::no output expected::NO +moon:: sleep 16::no output expected::NO moon:: cat /var/log/daemon.log::sending DPD request::YES -moon::cat /var/log/daemon.log::DPD check timed out, enforcing DPD action::YES +moon:: cat /var/log/daemon.log::DPD check timed out, enforcing DPD action::YES moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO diff --git a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf index 83f2849a4..9219e7028 100644 --- a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf @@ -9,8 +9,8 @@ conn %default keyingtries=1 keyexchange=ikev1 dpdaction=clear - dpddelay=10 - dpdtimeout=45 + dpddelay=5 + dpdtimeout=15 conn rw left=PH_IP_MOON diff --git a/testing/tests/ikev1/dpd-clear/pretest.dat b/testing/tests/ikev1/dpd-clear/pretest.dat index 14ed95322..3a1982f8a 100644 --- a/testing/tests/ikev1/dpd-clear/pretest.dat +++ b/testing/tests/ikev1/dpd-clear/pretest.dat @@ -1,4 +1,4 @@ moon::ipsec start carol::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev1/dpd-restart/description.txt b/testing/tests/ikev1/dpd-restart/description.txt index 410d3d636..6f4af9439 100644 --- a/testing/tests/ikev1/dpd-restart/description.txt +++ b/testing/tests/ikev1/dpd-restart/description.txt @@ -1,7 +1,7 @@ The roadwarrior carol sets up an IPsec tunnel connection to the gateway moon. Both end points activate Dead Peer Detection (DPD) with a -polling interval of 10 s. When the network connectivity between carol -and moon is forcefully disrupted for a duration of 100 s, moon -clears the connection after 4 unsuccessful retransmits whereas carol +polling interval of 10s. When the network connectivity between carol +and moon is forcefully disrupted for a duration of 100s, moon +clears the connection after a number of unsuccessful retransmits whereas carol also takes down the connection but immediately tries to reconnect which succeeds as soon as the connection becomes available again. diff --git a/testing/tests/ikev1/dpd-restart/evaltest.dat b/testing/tests/ikev1/dpd-restart/evaltest.dat index 6a749b826..a685ce166 100644 --- a/testing/tests/ikev1/dpd-restart/evaltest.dat +++ b/testing/tests/ikev1/dpd-restart/evaltest.dat @@ -2,12 +2,12 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO -carol::sleep 60::no output expected::NO +carol::sleep 16::no output expected::NO carol::cat /var/log/daemon.log::sending DPD request::YES carol::cat /var/log/daemon.log::DPD check timed out, enforcing DPD action::YES carol::cat /var/log/daemon.log::restarting CHILD_SA home::YES carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO -carol::sleep 10::no output expected::NO +carol::sleep 2::no output expected::NO carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES diff --git a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf index d3c105c31..4e142d699 100644 --- a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf @@ -9,8 +9,8 @@ conn %default keyingtries=1 keyexchange=ikev1 dpdaction=restart - dpddelay=10 - dpdtimeout=45 + dpddelay=5 + dpdtimeout=15 conn home left=PH_IP_CAROL diff --git a/testing/tests/ikev1/dpd-restart/pretest.dat b/testing/tests/ikev1/dpd-restart/pretest.dat index 14ed95322..3a1982f8a 100644 --- a/testing/tests/ikev1/dpd-restart/pretest.dat +++ b/testing/tests/ikev1/dpd-restart/pretest.dat @@ -1,4 +1,4 @@ moon::ipsec start carol::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev1/dynamic-initiator/posttest.dat b/testing/tests/ikev1/dynamic-initiator/posttest.dat index 32ac12ddc..6898bd567 100644 --- a/testing/tests/ikev1/dynamic-initiator/posttest.dat +++ b/testing/tests/ikev1/dynamic-initiator/posttest.dat @@ -1,6 +1,5 @@ dave::ipsec stop carol::ipsec stop -dave::sleep 1 moon::ipsec stop carol::iptables-restore < /etc/iptables.flush dave::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/ikev1/dynamic-initiator/pretest.dat b/testing/tests/ikev1/dynamic-initiator/pretest.dat index 9aadb2a4c..7e6ad46df 100644 --- a/testing/tests/ikev1/dynamic-initiator/pretest.dat +++ b/testing/tests/ikev1/dynamic-initiator/pretest.dat @@ -2,10 +2,9 @@ carol::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection moon carol::ipsec up moon -carol::sleep 1 carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT +dave::expect-connection moon dave::ipsec up moon -dave::sleep 2 diff --git a/testing/tests/ikev1/dynamic-responder/posttest.dat b/testing/tests/ikev1/dynamic-responder/posttest.dat index 32ac12ddc..6898bd567 100644 --- a/testing/tests/ikev1/dynamic-responder/posttest.dat +++ b/testing/tests/ikev1/dynamic-responder/posttest.dat @@ -1,6 +1,5 @@ dave::ipsec stop carol::ipsec stop -dave::sleep 1 moon::ipsec stop carol::iptables-restore < /etc/iptables.flush dave::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/ikev1/dynamic-responder/pretest.dat b/testing/tests/ikev1/dynamic-responder/pretest.dat index 8dc744f9a..0c423aeec 100644 --- a/testing/tests/ikev1/dynamic-responder/pretest.dat +++ b/testing/tests/ikev1/dynamic-responder/pretest.dat @@ -2,10 +2,11 @@ carol::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start -moon::sleep 2 +moon::expect-connection carol moon::ipsec up carol -moon::sleep 1 +moon::sleep 0.5 carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT +dave::expect-connection moon dave::ipsec up moon -dave::sleep 2 +moon::sleep 0.5 diff --git a/testing/tests/ikev1/dynamic-two-peers/posttest.dat b/testing/tests/ikev1/dynamic-two-peers/posttest.dat index 7b2609846..119c8e45a 100644 --- a/testing/tests/ikev1/dynamic-two-peers/posttest.dat +++ b/testing/tests/ikev1/dynamic-two-peers/posttest.dat @@ -1,6 +1,5 @@ carol::ipsec stop dave::ipsec stop -moon::sleep 1 moon::ipsec stop moon::mv /etc/hosts.ori /etc/hosts moon::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/dynamic-two-peers/pretest.dat b/testing/tests/ikev1/dynamic-two-peers/pretest.dat index 4bb2a4686..c19b38fcd 100644 --- a/testing/tests/ikev1/dynamic-two-peers/pretest.dat +++ b/testing/tests/ikev1/dynamic-two-peers/pretest.dat @@ -6,7 +6,7 @@ dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection moon +dave::expect-connection moon carol::ipsec up moon dave::ipsec up moon -carol::sleep 1 diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat index 4fc25772b..de4acbbf0 100644 --- a/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat +++ b/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat index 4fc25772b..de4acbbf0 100644 --- a/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat +++ b/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat index 4fc25772b..de4acbbf0 100644 --- a/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat +++ b/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat index 4fc25772b..de4acbbf0 100644 --- a/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat +++ b/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat b/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat index f5aa989fe..8230de058 100644 --- a/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat +++ b/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat @@ -1,4 +1,4 @@ carol::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev1/esp-alg-null/pretest.dat b/testing/tests/ikev1/esp-alg-null/pretest.dat index 886fdf55c..de4acbbf0 100644 --- a/testing/tests/ikev1/esp-alg-null/pretest.dat +++ b/testing/tests/ikev1/esp-alg-null/pretest.dat @@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev1/host2host-ah/pretest.dat b/testing/tests/ikev1/host2host-ah/pretest.dat index 99789b90f..997a48167 100644 --- a/testing/tests/ikev1/host2host-ah/pretest.dat +++ b/testing/tests/ikev1/host2host-ah/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 2 +moon::expect-connection host-host moon::ipsec up host-host diff --git a/testing/tests/ikev1/host2host-cert/pretest.dat b/testing/tests/ikev1/host2host-cert/pretest.dat index 3bce9f6e5..997a48167 100644 --- a/testing/tests/ikev1/host2host-cert/pretest.dat +++ b/testing/tests/ikev1/host2host-cert/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection host-host moon::ipsec up host-host diff --git a/testing/tests/ikev1/host2host-transport/pretest.dat b/testing/tests/ikev1/host2host-transport/pretest.dat index 99789b90f..997a48167 100644 --- a/testing/tests/ikev1/host2host-transport/pretest.dat +++ b/testing/tests/ikev1/host2host-transport/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 2 +moon::expect-connection host-host moon::ipsec up host-host diff --git a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf index a4542db77..6c22fd548 100644 --- a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf @@ -7,7 +7,7 @@ charon { libhydra { plugins { attr-sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } } diff --git a/testing/tests/ikev1/ip-pool-db/posttest.dat b/testing/tests/ikev1/ip-pool-db/posttest.dat index c99f347e3..37436a3d9 100644 --- a/testing/tests/ikev1/ip-pool-db/posttest.dat +++ b/testing/tests/ikev1/ip-pool-db/posttest.dat @@ -7,4 +7,3 @@ dave::iptables-restore < /etc/iptables.flush moon::ipsec pool --del bigpool 2> /dev/null moon::ipsec pool --del dns 2> /dev/null moon::ipsec pool --del nbns 2> /dev/null -moon::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/ikev1/ip-pool-db/pretest.dat b/testing/tests/ikev1/ip-pool-db/pretest.dat index 2327eb983..337ccb297 100644 --- a/testing/tests/ikev1/ip-pool-db/pretest.dat +++ b/testing/tests/ikev1/ip-pool-db/pretest.dat @@ -1,5 +1,5 @@ -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null moon::ipsec pool --addattr dns --server PH_IP_VENUS 2> /dev/null @@ -7,10 +7,10 @@ moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules +moon::ipsec start carol::ipsec start dave::ipsec start -moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev1/ip-pool-db/test.conf b/testing/tests/ikev1/ip-pool-db/test.conf index 164b07ff9..31820ea1a 100644 --- a/testing/tests/ikev1/ip-pool-db/test.conf +++ b/testing/tests/ikev1/ip-pool-db/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon alice" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# Guest instances on which databases are used +# +DBHOSTS="moon" diff --git a/testing/tests/ikev1/ip-pool/pretest.dat b/testing/tests/ikev1/ip-pool/pretest.dat index 3864bdac3..2d09e88ce 100644 --- a/testing/tests/ikev1/ip-pool/pretest.dat +++ b/testing/tests/ikev1/ip-pool/pretest.dat @@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat b/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat index 2eebc0f84..bee9bc792 100644 --- a/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat +++ b/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat @@ -1,6 +1,7 @@ carol::ipsec start dave::ipsec start moon::ipsec start -moon::sleep 2 +moon::expect-connection alice +moon::expect-connection venus moon::ipsec up alice moon::ipsec up venus diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat b/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat index 86dd31e83..be0051e0b 100644 --- a/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat +++ b/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat @@ -1,6 +1,7 @@ carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection alice carol::ipsec up alice +dave::expect-connection venus dave::ipsec up venus diff --git a/testing/tests/ikev1/multi-level-ca/pretest.dat b/testing/tests/ikev1/multi-level-ca/pretest.dat index 755564cbc..2134d6bea 100644 --- a/testing/tests/ikev1/multi-level-ca/pretest.dat +++ b/testing/tests/ikev1/multi-level-ca/pretest.dat @@ -1,8 +1,11 @@ carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection alice +carol::expect-connection venus carol::ipsec up alice carol::ipsec up venus +dave::expect-connection alice +dave::expect-connection venus dave::ipsec up venus dave::ipsec up alice diff --git a/testing/tests/ikev1/nat-rw/pretest.dat b/testing/tests/ikev1/nat-rw/pretest.dat index d701a1d61..e3d9fc858 100644 --- a/testing/tests/ikev1/nat-rw/pretest.dat +++ b/testing/tests/ikev1/nat-rw/pretest.dat @@ -6,8 +6,7 @@ moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to- alice::ipsec start venus::ipsec start sun::ipsec start -alice::sleep 2 +alice::expect-connection nat-t alice::ipsec up nat-t -venus::sleep 2 +venus::expect-connection nat-t venus::ipsec up nat-t -venus::sleep 2 diff --git a/testing/tests/ikev1/nat-virtual-ip/pretest.dat b/testing/tests/ikev1/nat-virtual-ip/pretest.dat index 8945d87b9..1732d6efa 100644 --- a/testing/tests/ikev1/nat-virtual-ip/pretest.dat +++ b/testing/tests/ikev1/nat-virtual-ip/pretest.dat @@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection net-net moon::ipsec up net-net -moon::sleep 1 diff --git a/testing/tests/ikev1/net2net-ah/pretest.dat b/testing/tests/ikev1/net2net-ah/pretest.dat index 81a98fa41..25e393c8e 100644 --- a/testing/tests/ikev1/net2net-ah/pretest.dat +++ b/testing/tests/ikev1/net2net-ah/pretest.dat @@ -1,6 +1,6 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::ipsec start +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/ikev1/net2net-cert/pretest.dat b/testing/tests/ikev1/net2net-cert/pretest.dat index c724e5df8..25e393c8e 100644 --- a/testing/tests/ikev1/net2net-cert/pretest.dat +++ b/testing/tests/ikev1/net2net-cert/pretest.dat @@ -1,6 +1,6 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::ipsec start +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/ikev1/net2net-fragmentation/pretest.dat b/testing/tests/ikev1/net2net-fragmentation/pretest.dat index c724e5df8..25e393c8e 100644 --- a/testing/tests/ikev1/net2net-fragmentation/pretest.dat +++ b/testing/tests/ikev1/net2net-fragmentation/pretest.dat @@ -1,6 +1,6 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::ipsec start +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/ikev1/net2net-ntru-cert/pretest.dat b/testing/tests/ikev1/net2net-ntru-cert/pretest.dat index c724e5df8..1732d6efa 100644 --- a/testing/tests/ikev1/net2net-ntru-cert/pretest.dat +++ b/testing/tests/ikev1/net2net-ntru-cert/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/ikev1/net2net-psk-fail/pretest.dat b/testing/tests/ikev1/net2net-psk-fail/pretest.dat index 0f4ae0f4f..fe4223a44 100644 --- a/testing/tests/ikev1/net2net-psk-fail/pretest.dat +++ b/testing/tests/ikev1/net2net-psk-fail/pretest.dat @@ -2,7 +2,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* -moon::ipsec start sun::ipsec start -moon::sleep 2 +moon::ipsec start +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/ikev1/net2net-psk/pretest.dat b/testing/tests/ikev1/net2net-psk/pretest.dat index 0f4ae0f4f..fe4223a44 100644 --- a/testing/tests/ikev1/net2net-psk/pretest.dat +++ b/testing/tests/ikev1/net2net-psk/pretest.dat @@ -2,7 +2,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* -moon::ipsec start sun::ipsec start -moon::sleep 2 +moon::ipsec start +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/ikev1/protoport-dual/pretest.dat b/testing/tests/ikev1/protoport-dual/pretest.dat index efb2e5712..4759fdb7b 100644 --- a/testing/tests/ikev1/protoport-dual/pretest.dat +++ b/testing/tests/ikev1/protoport-dual/pretest.dat @@ -2,6 +2,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 2 +carol::expect-connection home-icmp +carol::expect-connection home-ssh carol::ipsec up home-icmp carol::ipsec up home-ssh diff --git a/testing/tests/ikev1/rw-cert-aggressive/pretest.dat b/testing/tests/ikev1/rw-cert-aggressive/pretest.dat index 8bbea1412..a55cf37b2 100644 --- a/testing/tests/ikev1/rw-cert-aggressive/pretest.dat +++ b/testing/tests/ikev1/rw-cert-aggressive/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev1/rw-cert-unity/pretest.dat b/testing/tests/ikev1/rw-cert-unity/pretest.dat index 4fbe475bf..3a1982f8a 100644 --- a/testing/tests/ikev1/rw-cert-unity/pretest.dat +++ b/testing/tests/ikev1/rw-cert-unity/pretest.dat @@ -1,4 +1,4 @@ moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev1/rw-cert/pretest.dat b/testing/tests/ikev1/rw-cert/pretest.dat index 8bbea1412..e87a8ee47 100644 --- a/testing/tests/ikev1/rw-cert/pretest.dat +++ b/testing/tests/ikev1/rw-cert/pretest.dat @@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +moon::expect-connection rw +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf index 2b80853c6..094e0effa 100644 --- a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf @@ -2,8 +2,4 @@ charon { load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown - - retransmit_timeout = 2 - retransmit_base = 1.5 - retransmit_tries = 3 } diff --git a/testing/tests/ikev1/rw-initiator-only/pretest.dat b/testing/tests/ikev1/rw-initiator-only/pretest.dat index fc7173430..5a972079b 100644 --- a/testing/tests/ikev1/rw-initiator-only/pretest.dat +++ b/testing/tests/ikev1/rw-initiator-only/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +dave::expect-connection peer dave::ipsec up peer +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev1/rw-ntru-psk/pretest.dat b/testing/tests/ikev1/rw-ntru-psk/pretest.dat index 40eaede87..e827687f8 100644 --- a/testing/tests/ikev1/rw-ntru-psk/pretest.dat +++ b/testing/tests/ikev1/rw-ntru-psk/pretest.dat @@ -7,7 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/* carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev1/rw-psk-aggressive/pretest.dat b/testing/tests/ikev1/rw-psk-aggressive/pretest.dat index 44f41f995..ab5e18da2 100644 --- a/testing/tests/ikev1/rw-psk-aggressive/pretest.dat +++ b/testing/tests/ikev1/rw-psk-aggressive/pretest.dat @@ -4,9 +4,10 @@ dave::iptables-restore < /etc/iptables.rules moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* +moon::ipsec start carol::ipsec start dave::ipsec start -moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev1/rw-psk-fqdn/pretest.dat b/testing/tests/ikev1/rw-psk-fqdn/pretest.dat index 44f41f995..ab5e18da2 100644 --- a/testing/tests/ikev1/rw-psk-fqdn/pretest.dat +++ b/testing/tests/ikev1/rw-psk-fqdn/pretest.dat @@ -4,9 +4,10 @@ dave::iptables-restore < /etc/iptables.rules moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* +moon::ipsec start carol::ipsec start dave::ipsec start -moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev1/rw-psk-ipv4/pretest.dat b/testing/tests/ikev1/rw-psk-ipv4/pretest.dat index 44f41f995..ab5e18da2 100644 --- a/testing/tests/ikev1/rw-psk-ipv4/pretest.dat +++ b/testing/tests/ikev1/rw-psk-ipv4/pretest.dat @@ -4,9 +4,10 @@ dave::iptables-restore < /etc/iptables.rules moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* +moon::ipsec start carol::ipsec start dave::ipsec start -moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev1/virtual-ip/pretest.dat b/testing/tests/ikev1/virtual-ip/pretest.dat index 1765a83cd..2d09e88ce 100644 --- a/testing/tests/ikev1/virtual-ip/pretest.dat +++ b/testing/tests/ikev1/virtual-ip/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev1/xauth-id-psk-config/pretest.dat b/testing/tests/ikev1/xauth-id-psk-config/pretest.dat index 88a91ae86..ab5e18da2 100644 --- a/testing/tests/ikev1/xauth-id-psk-config/pretest.dat +++ b/testing/tests/ikev1/xauth-id-psk-config/pretest.dat @@ -7,6 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/* moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat index e5a06d44c..a55cf37b2 100644 --- a/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat +++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat index e5a06d44c..a55cf37b2 100644 --- a/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat +++ b/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat index e5a06d44c..a55cf37b2 100644 --- a/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat +++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev1/xauth-psk/pretest.dat b/testing/tests/ikev1/xauth-psk/pretest.dat index 88a91ae86..ab5e18da2 100644 --- a/testing/tests/ikev1/xauth-psk/pretest.dat +++ b/testing/tests/ikev1/xauth-psk/pretest.dat @@ -7,6 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/* moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat index 9adc43d3e..c65fbda83 100644 --- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat @@ -3,6 +3,5 @@ carol::iptables-restore < /etc/iptables.rules alice::radiusd moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat index 9adc43d3e..c65fbda83 100644 --- a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat +++ b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat @@ -3,6 +3,5 @@ carol::iptables-restore < /etc/iptables.rules alice::radiusd moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev1/xauth-rsa/pretest.dat b/testing/tests/ikev1/xauth-rsa/pretest.dat index e5a06d44c..a55cf37b2 100644 --- a/testing/tests/ikev1/xauth-rsa/pretest.dat +++ b/testing/tests/ikev1/xauth-rsa/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev2/acert-cached/evaltest.dat b/testing/tests/ikev2/acert-cached/evaltest.dat index 682c55ce2..c0bb035a1 100644 --- a/testing/tests/ikev2/acert-cached/evaltest.dat +++ b/testing/tests/ikev2/acert-cached/evaltest.dat @@ -5,7 +5,7 @@ moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave moon::cat /var/log/daemon.log::constraint check failed: group membership to 'sales' required::YES dave::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::NO diff --git a/testing/tests/ikev2/acert-cached/pretest.dat b/testing/tests/ikev2/acert-cached/pretest.dat index 8bbea1412..a55cf37b2 100644 --- a/testing/tests/ikev2/acert-cached/pretest.dat +++ b/testing/tests/ikev2/acert-cached/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev2/acert-fallback/evaltest.dat b/testing/tests/ikev2/acert-fallback/evaltest.dat index 985f3208e..17d83d182 100644 --- a/testing/tests/ikev2/acert-fallback/evaltest.dat +++ b/testing/tests/ikev2/acert-fallback/evaltest.dat @@ -2,7 +2,7 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon. moon:: ipsec status 2> /dev/null::finance.*: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO moon:: ipsec status 2> /dev/null::sales.*: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES moon::cat /var/log/daemon.log::constraint check failed: group membership to 'finance' required::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/acert-fallback/pretest.dat b/testing/tests/ikev2/acert-fallback/pretest.dat index baacc1605..de4acbbf0 100644 --- a/testing/tests/ikev2/acert-fallback/pretest.dat +++ b/testing/tests/ikev2/acert-fallback/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/acert-inline/evaltest.dat b/testing/tests/ikev2/acert-inline/evaltest.dat index ba448f81b..98128e715 100644 --- a/testing/tests/ikev2/acert-inline/evaltest.dat +++ b/testing/tests/ikev2/acert-inline/evaltest.dat @@ -8,7 +8,7 @@ dave::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O dave::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=Linux strongSwan, CN=expired AA\"::YES dave::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::NO diff --git a/testing/tests/ikev2/acert-inline/pretest.dat b/testing/tests/ikev2/acert-inline/pretest.dat index 8bbea1412..a55cf37b2 100644 --- a/testing/tests/ikev2/acert-inline/pretest.dat +++ b/testing/tests/ikev2/acert-inline/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev2/after-2038-certs/pretest.dat b/testing/tests/ikev2/after-2038-certs/pretest.dat index baacc1605..de4acbbf0 100644 --- a/testing/tests/ikev2/after-2038-certs/pretest.dat +++ b/testing/tests/ikev2/after-2038-certs/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/alg-3des-md5/pretest.dat b/testing/tests/ikev2/alg-3des-md5/pretest.dat index 4fc25772b..de4acbbf0 100644 --- a/testing/tests/ikev2/alg-3des-md5/pretest.dat +++ b/testing/tests/ikev2/alg-3des-md5/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/alg-aes-ccm/pretest.dat b/testing/tests/ikev2/alg-aes-ccm/pretest.dat index 4fc25772b..de4acbbf0 100644 --- a/testing/tests/ikev2/alg-aes-ccm/pretest.dat +++ b/testing/tests/ikev2/alg-aes-ccm/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/alg-aes-ctr/pretest.dat b/testing/tests/ikev2/alg-aes-ctr/pretest.dat index 4fc25772b..de4acbbf0 100644 --- a/testing/tests/ikev2/alg-aes-ctr/pretest.dat +++ b/testing/tests/ikev2/alg-aes-ctr/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/alg-aes-gcm/pretest.dat b/testing/tests/ikev2/alg-aes-gcm/pretest.dat index 4fc25772b..de4acbbf0 100644 --- a/testing/tests/ikev2/alg-aes-gcm/pretest.dat +++ b/testing/tests/ikev2/alg-aes-gcm/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/alg-aes-xcbc/pretest.dat b/testing/tests/ikev2/alg-aes-xcbc/pretest.dat index 4fc25772b..de4acbbf0 100644 --- a/testing/tests/ikev2/alg-aes-xcbc/pretest.dat +++ b/testing/tests/ikev2/alg-aes-xcbc/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/alg-blowfish/pretest.dat b/testing/tests/ikev2/alg-blowfish/pretest.dat index 8bbea1412..a55cf37b2 100644 --- a/testing/tests/ikev2/alg-blowfish/pretest.dat +++ b/testing/tests/ikev2/alg-blowfish/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev2/alg-chacha20poly1305/pretest.dat b/testing/tests/ikev2/alg-chacha20poly1305/pretest.dat index 4fc25772b..de4acbbf0 100644 --- a/testing/tests/ikev2/alg-chacha20poly1305/pretest.dat +++ b/testing/tests/ikev2/alg-chacha20poly1305/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/alg-modp-subgroup/pretest.dat b/testing/tests/ikev2/alg-modp-subgroup/pretest.dat index 8bbea1412..a55cf37b2 100644 --- a/testing/tests/ikev2/alg-modp-subgroup/pretest.dat +++ b/testing/tests/ikev2/alg-modp-subgroup/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev2/alg-sha256-96/pretest.dat b/testing/tests/ikev2/alg-sha256-96/pretest.dat index 4fc25772b..de4acbbf0 100644 --- a/testing/tests/ikev2/alg-sha256-96/pretest.dat +++ b/testing/tests/ikev2/alg-sha256-96/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/alg-sha256/pretest.dat b/testing/tests/ikev2/alg-sha256/pretest.dat index 4fc25772b..de4acbbf0 100644 --- a/testing/tests/ikev2/alg-sha256/pretest.dat +++ b/testing/tests/ikev2/alg-sha256/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/alg-sha384/pretest.dat b/testing/tests/ikev2/alg-sha384/pretest.dat index 4fc25772b..de4acbbf0 100644 --- a/testing/tests/ikev2/alg-sha384/pretest.dat +++ b/testing/tests/ikev2/alg-sha384/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/alg-sha512/pretest.dat b/testing/tests/ikev2/alg-sha512/pretest.dat index 4fc25772b..de4acbbf0 100644 --- a/testing/tests/ikev2/alg-sha512/pretest.dat +++ b/testing/tests/ikev2/alg-sha512/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/any-interface/pretest.dat b/testing/tests/ikev2/any-interface/pretest.dat index 0a6ce8be4..2f27224d2 100644 --- a/testing/tests/ikev2/any-interface/pretest.dat +++ b/testing/tests/ikev2/any-interface/pretest.dat @@ -4,7 +4,8 @@ alice::ipsec start moon::ipsec start sun::ipsec start bob::ipsec start -moon::sleep 2 -moon::ping -n -c 3 -s 8184 -p deadbeef PH_IP_ALICE -moon::ping -n -c 3 -s 8184 -p deadbeef PH_IP_SUN -bob::ping -n -c 3 -s 8184 -p deadbeef PH_IP_SUN1 +moon::expect-connection alice +moon::ping -n -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef PH_IP_ALICE +moon::ping -n -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef PH_IP_SUN +bob::expect-connection sun +bob::ping -n -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef PH_IP_SUN1 diff --git a/testing/tests/ikev2/compress/pretest.dat b/testing/tests/ikev2/compress/pretest.dat index 29a90355f..1fd37b6a8 100644 --- a/testing/tests/ikev2/compress/pretest.dat +++ b/testing/tests/ikev2/compress/pretest.dat @@ -2,5 +2,5 @@ carol::iptables-restore < /etc/iptables.rules moon::iptables-restore < /etc/iptables.rules carol::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/config-payload-swapped/pretest.dat b/testing/tests/ikev2/config-payload-swapped/pretest.dat index 3864bdac3..2d09e88ce 100644 --- a/testing/tests/ikev2/config-payload-swapped/pretest.dat +++ b/testing/tests/ikev2/config-payload-swapped/pretest.dat @@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/config-payload/pretest.dat b/testing/tests/ikev2/config-payload/pretest.dat index 3864bdac3..2d09e88ce 100644 --- a/testing/tests/ikev2/config-payload/pretest.dat +++ b/testing/tests/ikev2/config-payload/pretest.dat @@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/critical-extension/pretest.dat b/testing/tests/ikev2/critical-extension/pretest.dat index c724e5df8..1732d6efa 100644 --- a/testing/tests/ikev2/critical-extension/pretest.dat +++ b/testing/tests/ikev2/critical-extension/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/ikev2/crl-from-cache/pretest.dat b/testing/tests/ikev2/crl-from-cache/pretest.dat index acdb265ed..d4141a30c 100644 --- a/testing/tests/ikev2/crl-from-cache/pretest.dat +++ b/testing/tests/ikev2/crl-from-cache/pretest.dat @@ -4,5 +4,5 @@ carol::wget -q http://crl.strongswan.org/strongswan.crl carol::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl moon::ipsec start carol::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/crl-ldap/pretest.dat b/testing/tests/ikev2/crl-ldap/pretest.dat index 8ffa9d3ed..4eed5e073 100644 --- a/testing/tests/ikev2/crl-ldap/pretest.dat +++ b/testing/tests/ikev2/crl-ldap/pretest.dat @@ -3,6 +3,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home -carol::sleep 3 diff --git a/testing/tests/ikev2/crl-revoked/pretest.dat b/testing/tests/ikev2/crl-revoked/pretest.dat index 8984dcbcf..3a1982f8a 100644 --- a/testing/tests/ikev2/crl-revoked/pretest.dat +++ b/testing/tests/ikev2/crl-revoked/pretest.dat @@ -1,4 +1,4 @@ moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/crl-to-cache/pretest.dat b/testing/tests/ikev2/crl-to-cache/pretest.dat index d92333d86..3a1982f8a 100644 --- a/testing/tests/ikev2/crl-to-cache/pretest.dat +++ b/testing/tests/ikev2/crl-to-cache/pretest.dat @@ -1,4 +1,4 @@ moon::ipsec start carol::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/default-keys/pretest.dat b/testing/tests/ikev2/default-keys/pretest.dat index ef5f67097..9e291d291 100644 --- a/testing/tests/ikev2/default-keys/pretest.dat +++ b/testing/tests/ikev2/default-keys/pretest.dat @@ -10,10 +10,10 @@ moon::rm /etc/ipsec.d/private/* moon::rm /etc/ipsec.d/certs/* moon::rm /etc/ipsec.d/cacerts/* moon::ipsec start -moon::sleep 5 +moon::expect-connection carol moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der moon::ipsec reload carol::ipsec reload -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/dhcp-dynamic/pretest.dat b/testing/tests/ikev2/dhcp-dynamic/pretest.dat index 5670a2e89..3b22f29f2 100644 --- a/testing/tests/ikev2/dhcp-dynamic/pretest.dat +++ b/testing/tests/ikev2/dhcp-dynamic/pretest.dat @@ -6,7 +6,7 @@ venus::/etc/init.d/isc-dhcp-server start 2> /dev/null carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/dhcp-static-client-id/pretest.dat b/testing/tests/ikev2/dhcp-static-client-id/pretest.dat index 5670a2e89..8eafe1a9e 100644 --- a/testing/tests/ikev2/dhcp-static-client-id/pretest.dat +++ b/testing/tests/ikev2/dhcp-static-client-id/pretest.dat @@ -6,7 +6,7 @@ venus::/etc/init.d/isc-dhcp-server start 2> /dev/null carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +carol::expect-connection home dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/dhcp-static-mac/pretest.dat b/testing/tests/ikev2/dhcp-static-mac/pretest.dat index 5670a2e89..3b22f29f2 100644 --- a/testing/tests/ikev2/dhcp-static-mac/pretest.dat +++ b/testing/tests/ikev2/dhcp-static-mac/pretest.dat @@ -6,7 +6,7 @@ venus::/etc/init.d/isc-dhcp-server start 2> /dev/null carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/double-nat-net/pretest.dat b/testing/tests/ikev2/double-nat-net/pretest.dat index 17a4fe5eb..d300a276f 100644 --- a/testing/tests/ikev2/double-nat-net/pretest.dat +++ b/testing/tests/ikev2/double-nat-net/pretest.dat @@ -7,6 +7,5 @@ sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-des sun::ip route add 10.1.0.0/16 via PH_IP_BOB alice::ipsec start bob::ipsec start -alice::sleep 2 +alice::expect-connection nat-t alice::ipsec up nat-t -alice::sleep 1 diff --git a/testing/tests/ikev2/double-nat/pretest.dat b/testing/tests/ikev2/double-nat/pretest.dat index 65f18b756..6a861d29f 100644 --- a/testing/tests/ikev2/double-nat/pretest.dat +++ b/testing/tests/ikev2/double-nat/pretest.dat @@ -6,6 +6,5 @@ sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-s sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB alice::ipsec start bob::ipsec start -alice::sleep 2 +alice::expect-connection nat-t alice::ipsec up nat-t -alice::sleep 1 diff --git a/testing/tests/ikev2/dpd-clear/description.txt b/testing/tests/ikev2/dpd-clear/description.txt index 7f62dc576..0fb2f1064 100644 --- a/testing/tests/ikev2/dpd-clear/description.txt +++ b/testing/tests/ikev2/dpd-clear/description.txt @@ -1,5 +1,5 @@ The roadwarrior carol sets up an IPsec tunnel connection to the gateway moon which in turn activates Dead Peer Detection (DPD) with a polling interval of 10 s. When the network connectivity between carol and moon is forcefully disrupted, -moon clears the connection after 4 unsuccessful retransmits. +moon clears the connection after a number of unsuccessful retransmits. diff --git a/testing/tests/ikev2/dpd-clear/evaltest.dat b/testing/tests/ikev2/dpd-clear/evaltest.dat index c1a271903..2071e8fc8 100644 --- a/testing/tests/ikev2/dpd-clear/evaltest.dat +++ b/testing/tests/ikev2/dpd-clear/evaltest.dat @@ -1,8 +1,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO -moon:: sleep 180::no output expected::NO +moon:: sleep 13::no output expected::NO moon:: cat /var/log/daemon.log::sending DPD request::YES moon:: cat /var/log/daemon.log::retransmit.*of request::YES -moon:: cat /var/log/daemon.log::giving up after 5 retransmits::YES +moon:: cat /var/log/daemon.log::giving up after.*retransmits::YES moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO diff --git a/testing/tests/ikev2/dpd-clear/pretest.dat b/testing/tests/ikev2/dpd-clear/pretest.dat index 14ed95322..3a1982f8a 100644 --- a/testing/tests/ikev2/dpd-clear/pretest.dat +++ b/testing/tests/ikev2/dpd-clear/pretest.dat @@ -1,4 +1,4 @@ moon::ipsec start carol::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/dpd-hold/evaltest.dat b/testing/tests/ikev2/dpd-hold/evaltest.dat index 4c035a6e9..9ce76f976 100644 --- a/testing/tests/ikev2/dpd-hold/evaltest.dat +++ b/testing/tests/ikev2/dpd-hold/evaltest.dat @@ -2,13 +2,13 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO -carol::sleep 180::no output expected::NO +carol::sleep 13::no output expected::NO carol::cat /var/log/daemon.log::sending DPD request::YES carol::cat /var/log/daemon.log::retransmit.*of request::YES -carol::cat /var/log/daemon.log::giving up after 5 retransmits::YES +carol::cat /var/log/daemon.log::giving up after.*retransmits::YES carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO -carol::ping -c 1 PH_IP_ALICE::trigger route::NO -carol::sleep 2::no output expected::NO +carol::ping -c 1 -W 1 PH_IP_ALICE::trigger route::NO +carol::sleep 1::no output expected::NO carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES diff --git a/testing/tests/ikev2/dpd-hold/pretest.dat b/testing/tests/ikev2/dpd-hold/pretest.dat index 14ed95322..3a1982f8a 100644 --- a/testing/tests/ikev2/dpd-hold/pretest.dat +++ b/testing/tests/ikev2/dpd-hold/pretest.dat @@ -1,4 +1,4 @@ moon::ipsec start carol::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/dpd-restart/evaltest.dat b/testing/tests/ikev2/dpd-restart/evaltest.dat index 962bd0636..25c54df95 100644 --- a/testing/tests/ikev2/dpd-restart/evaltest.dat +++ b/testing/tests/ikev2/dpd-restart/evaltest.dat @@ -2,12 +2,12 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO -carol::sleep 180::no output expected::NO +carol::sleep 13::no output expected::NO carol::cat /var/log/daemon.log::sending DPD request::YES carol::cat /var/log/daemon.log::retransmit.*of request::YES -carol::cat /var/log/daemon.log::giving up after 5 retransmits::YES +carol::cat /var/log/daemon.log::giving up after.*retransmits::YES carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO -carol::sleep 10::no output expected::NO +carol::sleep 2::no output expected::NO carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES diff --git a/testing/tests/ikev2/dpd-restart/pretest.dat b/testing/tests/ikev2/dpd-restart/pretest.dat index 14ed95322..3a1982f8a 100644 --- a/testing/tests/ikev2/dpd-restart/pretest.dat +++ b/testing/tests/ikev2/dpd-restart/pretest.dat @@ -1,4 +1,4 @@ moon::ipsec start carol::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/dynamic-initiator/description.txt b/testing/tests/ikev2/dynamic-initiator/description.txt index e74ee1569..3e441b2fe 100644 --- a/testing/tests/ikev2/dynamic-initiator/description.txt +++ b/testing/tests/ikev2/dynamic-initiator/description.txt @@ -1,12 +1,12 @@ The peers carol and moon both have dynamic IP addresses, so that the remote end -is defined symbolically by right=<hostname>. The ipsec starter resolves the +is defined symbolically by right=<hostname>. The IKE daemon resolves the fully-qualified hostname into the current IP address via a DNS lookup (simulated by an /etc/hosts entry). Since the peer IP addresses are expected to change over time, the option -rightallowany=yes will allow an IKE_SA rekeying to arrive from an arbitrary +% prefix in the right option will allow an IKE_SA rekeying to arrive from an arbitrary IP address under the condition that the peer identity remains unchanged. When this happens the old tunnel is replaced by an IPsec connection to the new origin.

In this scenario carol first initiates a tunnel to moon. After some time carol suddenly changes her IP address and restarts the connection to moon without deleting the old tunnel first (simulated by iptables blocking IKE packets to and from -carol and starting the connection from host dave using carol's identity). +carol and starting the connection from host dave using carol's identity). diff --git a/testing/tests/ikev2/dynamic-initiator/posttest.dat b/testing/tests/ikev2/dynamic-initiator/posttest.dat index 83063a23f..715bb9482 100644 --- a/testing/tests/ikev2/dynamic-initiator/posttest.dat +++ b/testing/tests/ikev2/dynamic-initiator/posttest.dat @@ -1,6 +1,5 @@ dave::ipsec stop carol::ipsec stop -dave::sleep 1 moon::ipsec stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/dynamic-initiator/pretest.dat b/testing/tests/ikev2/dynamic-initiator/pretest.dat index 3e1cfce77..f354efe51 100644 --- a/testing/tests/ikev2/dynamic-initiator/pretest.dat +++ b/testing/tests/ikev2/dynamic-initiator/pretest.dat @@ -4,10 +4,9 @@ dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection moon carol::ipsec up moon -carol::sleep 1 carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT +dave::expect-connection moon dave::ipsec up moon -dave::sleep 2 diff --git a/testing/tests/ikev2/dynamic-two-peers/posttest.dat b/testing/tests/ikev2/dynamic-two-peers/posttest.dat index 7b2609846..119c8e45a 100644 --- a/testing/tests/ikev2/dynamic-two-peers/posttest.dat +++ b/testing/tests/ikev2/dynamic-two-peers/posttest.dat @@ -1,6 +1,5 @@ carol::ipsec stop dave::ipsec stop -moon::sleep 1 moon::ipsec stop moon::mv /etc/hosts.ori /etc/hosts moon::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/dynamic-two-peers/pretest.dat b/testing/tests/ikev2/dynamic-two-peers/pretest.dat index 4bb2a4686..ee0b156dd 100644 --- a/testing/tests/ikev2/dynamic-two-peers/pretest.dat +++ b/testing/tests/ikev2/dynamic-two-peers/pretest.dat @@ -6,7 +6,7 @@ dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection moon carol::ipsec up moon +dave::expect-connection moon dave::ipsec up moon -carol::sleep 1 diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat index 4fc25772b..de4acbbf0 100644 --- a/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat +++ b/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/esp-alg-md5-128/pretest.dat b/testing/tests/ikev2/esp-alg-md5-128/pretest.dat index 886fdf55c..de4acbbf0 100644 --- a/testing/tests/ikev2/esp-alg-md5-128/pretest.dat +++ b/testing/tests/ikev2/esp-alg-md5-128/pretest.dat @@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/esp-alg-null/pretest.dat b/testing/tests/ikev2/esp-alg-null/pretest.dat index 886fdf55c..de4acbbf0 100644 --- a/testing/tests/ikev2/esp-alg-null/pretest.dat +++ b/testing/tests/ikev2/esp-alg-null/pretest.dat @@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat b/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat index 886fdf55c..de4acbbf0 100644 --- a/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat +++ b/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat @@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/farp/pretest.dat b/testing/tests/ikev2/farp/pretest.dat index f0254da6c..1a982288d 100644 --- a/testing/tests/ikev2/farp/pretest.dat +++ b/testing/tests/ikev2/farp/pretest.dat @@ -6,7 +6,7 @@ alice::arp -d 10.1.0.40 carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/force-udp-encaps/pretest.dat b/testing/tests/ikev2/force-udp-encaps/pretest.dat index 7be66867a..87a7764cf 100644 --- a/testing/tests/ikev2/force-udp-encaps/pretest.dat +++ b/testing/tests/ikev2/force-udp-encaps/pretest.dat @@ -4,7 +4,5 @@ sun::ip route add 10.1.0.0/16 via PH_IP_MOON winnetou::ip route add 10.1.0.0/16 via PH_IP_MOON alice::ipsec start sun::ipsec start -alice::sleep 4 +alice::expect-connection nat-t alice::ipsec up nat-t -alice::sleep 1 - diff --git a/testing/tests/ikev2/forecast/pretest.dat b/testing/tests/ikev2/forecast/pretest.dat index 206bf5b64..68a0c2cda 100644 --- a/testing/tests/ikev2/forecast/pretest.dat +++ b/testing/tests/ikev2/forecast/pretest.dat @@ -1,7 +1,7 @@ carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/host2host-ah/pretest.dat b/testing/tests/ikev2/host2host-ah/pretest.dat index 99789b90f..997a48167 100644 --- a/testing/tests/ikev2/host2host-ah/pretest.dat +++ b/testing/tests/ikev2/host2host-ah/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 2 +moon::expect-connection host-host moon::ipsec up host-host diff --git a/testing/tests/ikev2/host2host-cert/pretest.dat b/testing/tests/ikev2/host2host-cert/pretest.dat index 3bce9f6e5..997a48167 100644 --- a/testing/tests/ikev2/host2host-cert/pretest.dat +++ b/testing/tests/ikev2/host2host-cert/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection host-host moon::ipsec up host-host diff --git a/testing/tests/ikev2/host2host-swapped/pretest.dat b/testing/tests/ikev2/host2host-swapped/pretest.dat index 3bce9f6e5..997a48167 100644 --- a/testing/tests/ikev2/host2host-swapped/pretest.dat +++ b/testing/tests/ikev2/host2host-swapped/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection host-host moon::ipsec up host-host diff --git a/testing/tests/ikev2/host2host-transport/pretest.dat b/testing/tests/ikev2/host2host-transport/pretest.dat index 99789b90f..997a48167 100644 --- a/testing/tests/ikev2/host2host-transport/pretest.dat +++ b/testing/tests/ikev2/host2host-transport/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 2 +moon::expect-connection host-host moon::ipsec up host-host diff --git a/testing/tests/ikev2/inactivity-timeout/evaltest.dat b/testing/tests/ikev2/inactivity-timeout/evaltest.dat index 221c59318..76b45c280 100644 --- a/testing/tests/ikev2/inactivity-timeout/evaltest.dat +++ b/testing/tests/ikev2/inactivity-timeout/evaltest.dat @@ -1,8 +1,8 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::sleep 15::NO +carol::sleep 11::NO carol::cat /var/log/daemon.log::deleting CHILD_SA after 10 seconds of inactivity::YES moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO carol::ipsec status 2> /dev/null::home.*INSTALLED::NO -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/ikev2/inactivity-timeout/pretest.dat b/testing/tests/ikev2/inactivity-timeout/pretest.dat index b949aaeaf..ac7b8d978 100644 --- a/testing/tests/ikev2/inactivity-timeout/pretest.dat +++ b/testing/tests/ikev2/inactivity-timeout/pretest.dat @@ -1,6 +1,5 @@ carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf index a4542db77..6c22fd548 100644 --- a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf @@ -7,7 +7,7 @@ charon { libhydra { plugins { attr-sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } } diff --git a/testing/tests/ikev2/ip-pool-db/posttest.dat b/testing/tests/ikev2/ip-pool-db/posttest.dat index c99f347e3..37436a3d9 100644 --- a/testing/tests/ikev2/ip-pool-db/posttest.dat +++ b/testing/tests/ikev2/ip-pool-db/posttest.dat @@ -7,4 +7,3 @@ dave::iptables-restore < /etc/iptables.flush moon::ipsec pool --del bigpool 2> /dev/null moon::ipsec pool --del dns 2> /dev/null moon::ipsec pool --del nbns 2> /dev/null -moon::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/ikev2/ip-pool-db/pretest.dat b/testing/tests/ikev2/ip-pool-db/pretest.dat index 2327eb983..337ccb297 100644 --- a/testing/tests/ikev2/ip-pool-db/pretest.dat +++ b/testing/tests/ikev2/ip-pool-db/pretest.dat @@ -1,5 +1,5 @@ -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null moon::ipsec pool --addattr dns --server PH_IP_VENUS 2> /dev/null @@ -7,10 +7,10 @@ moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules +moon::ipsec start carol::ipsec start dave::ipsec start -moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/ip-pool-db/test.conf b/testing/tests/ikev2/ip-pool-db/test.conf index 164b07ff9..31820ea1a 100644 --- a/testing/tests/ikev2/ip-pool-db/test.conf +++ b/testing/tests/ikev2/ip-pool-db/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon alice" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# Guest instances on which databases are used +# +DBHOSTS="moon" diff --git a/testing/tests/ikev2/ip-pool-wish/pretest.dat b/testing/tests/ikev2/ip-pool-wish/pretest.dat index 1466fd2f2..2d09e88ce 100644 --- a/testing/tests/ikev2/ip-pool-wish/pretest.dat +++ b/testing/tests/ikev2/ip-pool-wish/pretest.dat @@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/ikev2/ip-pool/pretest.dat b/testing/tests/ikev2/ip-pool/pretest.dat index 3864bdac3..2d09e88ce 100644 --- a/testing/tests/ikev2/ip-pool/pretest.dat +++ b/testing/tests/ikev2/ip-pool/pretest.dat @@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf index a4542db77..6c22fd548 100644 --- a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf @@ -7,7 +7,7 @@ charon { libhydra { plugins { attr-sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } } diff --git a/testing/tests/ikev2/ip-split-pools-db/posttest.dat b/testing/tests/ikev2/ip-split-pools-db/posttest.dat index 9d88281ad..6066d464a 100644 --- a/testing/tests/ikev2/ip-split-pools-db/posttest.dat +++ b/testing/tests/ikev2/ip-split-pools-db/posttest.dat @@ -3,4 +3,3 @@ dave::ipsec stop moon::ipsec stop moon::ipsec pool --del pool0 2> /dev/null moon::ipsec pool --del pool1 2> /dev/null -moon::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/ikev2/ip-split-pools-db/pretest.dat b/testing/tests/ikev2/ip-split-pools-db/pretest.dat index c5af81b38..f74576382 100644 --- a/testing/tests/ikev2/ip-split-pools-db/pretest.dat +++ b/testing/tests/ikev2/ip-split-pools-db/pretest.dat @@ -1,12 +1,12 @@ -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::ipsec pool --add pool0 --start 10.3.0.1 --end 10.3.0.1 --timeout 48 2> /dev/null moon::ipsec pool --add pool1 --start 10.3.1.1 --end 10.3.1.1 --timeout 48 2> /dev/null moon::ipsec pool --status 2> /dev/null carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/ip-split-pools-db/test.conf b/testing/tests/ikev2/ip-split-pools-db/test.conf index 164b07ff9..31820ea1a 100644 --- a/testing/tests/ikev2/ip-split-pools-db/test.conf +++ b/testing/tests/ikev2/ip-split-pools-db/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon alice" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# Guest instances on which databases are used +# +DBHOSTS="moon" diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf index fe6cdde42..cf3b0d81b 100644 --- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf @@ -7,7 +7,7 @@ charon { libhydra { plugins { attr-sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } } diff --git a/testing/tests/ikev2/ip-two-pools-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-db/posttest.dat index 150690e3c..dd4abebad 100644 --- a/testing/tests/ikev2/ip-two-pools-db/posttest.dat +++ b/testing/tests/ikev2/ip-two-pools-db/posttest.dat @@ -15,4 +15,3 @@ moon::ipsec pool --del intpool 2> /dev/null moon::ipsec pool --delattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null moon::ipsec pool --delattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null moon::ipsec pool --delattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null -moon::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/ikev2/ip-two-pools-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-db/pretest.dat index bb36a2630..2d8b28cd9 100644 --- a/testing/tests/ikev2/ip-two-pools-db/pretest.dat +++ b/testing/tests/ikev2/ip-two-pools-db/pretest.dat @@ -1,5 +1,5 @@ -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::ipsec pool --add extpool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout 0 2> /dev/null moon::ipsec pool --addattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null @@ -13,14 +13,16 @@ venus::iptables-restore < /etc/iptables.rules moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules +moon::ipsec start alice::ipsec start venus::ipsec start carol::ipsec start dave::ipsec start -moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home +alice::expect-connection home alice::ipsec up home +venus::expect-connection home venus::ipsec up home -alice::sleep 1 diff --git a/testing/tests/ikev2/ip-two-pools-db/test.conf b/testing/tests/ikev2/ip-two-pools-db/test.conf index c88e11d28..167c75d9d 100644 --- a/testing/tests/ikev2/ip-two-pools-db/test.conf +++ b/testing/tests/ikev2/ip-two-pools-db/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice venus carol dave" # Used for IPsec logging purposes # IPSECHOSTS="alice venus moon carol dave" + +# Guest instances on which databases are used +# +DBHOSTS="moon" diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf index fe6cdde42..cf3b0d81b 100644 --- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf @@ -7,7 +7,7 @@ charon { libhydra { plugins { attr-sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } } diff --git a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat index 57449be25..0c3cd2648 100644 --- a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat +++ b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat @@ -5,4 +5,3 @@ moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush alice::iptables-restore < /etc/iptables.flush moon::ipsec pool --del intpool 2> /dev/null -moon::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat b/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat index 8ebfdc740..5b3274131 100644 --- a/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat +++ b/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat @@ -1,13 +1,13 @@ -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout 0 2> /dev/null moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules alice::iptables-restore < /etc/iptables.rules -carol::ipsec start moon::ipsec start +carol::ipsec start alice::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +alice::expect-connection home alice::ipsec up home -alice::sleep 1 diff --git a/testing/tests/ikev2/ip-two-pools-mixed/test.conf b/testing/tests/ikev2/ip-two-pools-mixed/test.conf index 1ed3473ab..0c1b38d49 100644 --- a/testing/tests/ikev2/ip-two-pools-mixed/test.conf +++ b/testing/tests/ikev2/ip-two-pools-mixed/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice carol" # Used for IPsec logging purposes # IPSECHOSTS="alice moon carol" + +# Guest instances on which databases are used +# +DBHOSTS="moon" diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf index c7e9a44c1..5176e2a4d 100644 --- a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf @@ -7,7 +7,7 @@ charon { libhydra { plugins { attr-sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } } diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat index 2e78893e3..e46195cd3 100644 --- a/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat @@ -1,4 +1,3 @@ alice::ip -6 route del default via fec1:\:1 carol::ipsec stop moon::ipsec stop -moon::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat index 466a5eaec..60af3bce9 100644 --- a/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat @@ -1,9 +1,9 @@ -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::ipsec pool --add v4_pool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null moon::ipsec pool --add v6_pool --start fec3:\:1 --end fec3:\:fe --timeout 48 2> /dev/null alice::ip -6 route add default via fec1:\:1 moon::ipsec start carol::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf index cd03759f0..60819189c 100644 --- a/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="carol" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# Guest instances on which databases are used +# +DBHOSTS="moon" diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat index 04139badf..7eb81b60c 100644 --- a/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat +++ b/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat @@ -1,5 +1,5 @@ alice::ip -6 route add default via fec1:\:1 moon::ipsec start carol::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/ip-two-pools/posttest.dat b/testing/tests/ikev2/ip-two-pools/posttest.dat index 7de2bc9be..e4b043696 100644 --- a/testing/tests/ikev2/ip-two-pools/posttest.dat +++ b/testing/tests/ikev2/ip-two-pools/posttest.dat @@ -4,4 +4,3 @@ moon::ipsec stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush alice::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/ikev2/ip-two-pools/pretest.dat b/testing/tests/ikev2/ip-two-pools/pretest.dat index 4e8b639f4..56c1785cc 100644 --- a/testing/tests/ikev2/ip-two-pools/pretest.dat +++ b/testing/tests/ikev2/ip-two-pools/pretest.dat @@ -4,7 +4,7 @@ alice::iptables-restore < /etc/iptables.rules carol::ipsec start moon::ipsec start alice::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +alice::expect-connection home alice::ipsec up home -alice::sleep 1 diff --git a/testing/tests/ikev2/lookip/pretest.dat b/testing/tests/ikev2/lookip/pretest.dat index 3864bdac3..2d09e88ce 100644 --- a/testing/tests/ikev2/lookip/pretest.dat +++ b/testing/tests/ikev2/lookip/pretest.dat @@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules index 6dd261f20..450e7cef6 100644 --- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules +++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules @@ -5,11 +5,15 @@ -P OUTPUT DROP -P FORWARD DROP +# allow traffic on lo as ifup/ifdown call bind's rndc which accesses TCP 953 +-A OUTPUT -o lo -j ACCEPT +-A INPUT -i lo -j ACCEPT + # allow IPsec tunnel traffic -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT -# allow ESP +# allow ESP -A INPUT -i eth0 -p 50 -j ACCEPT -A INPUT -i eth1 -p 50 -j ACCEPT -A OUTPUT -o eth0 -p 50 -j ACCEPT diff --git a/testing/tests/ikev2/mobike-nat/pretest.dat b/testing/tests/ikev2/mobike-nat/pretest.dat index fde195daa..68df1b533 100644 --- a/testing/tests/ikev2/mobike-nat/pretest.dat +++ b/testing/tests/ikev2/mobike-nat/pretest.dat @@ -5,6 +5,5 @@ moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to- moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 alice::ipsec start sun::ipsec start -alice::sleep 2 +alice::expect-connection mobike alice::ipsec up mobike -alice::sleep 1 diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules index a238c8d19..450e7cef6 100644 --- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules +++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules @@ -5,6 +5,10 @@ -P OUTPUT DROP -P FORWARD DROP +# allow traffic on lo as ifup/ifdown call bind's rndc which accesses TCP 953 +-A OUTPUT -o lo -j ACCEPT +-A INPUT -i lo -j ACCEPT + # allow IPsec tunnel traffic -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT diff --git a/testing/tests/ikev2/mobike-virtual-ip/pretest.dat b/testing/tests/ikev2/mobike-virtual-ip/pretest.dat index 067c1a1ec..8197296ee 100644 --- a/testing/tests/ikev2/mobike-virtual-ip/pretest.dat +++ b/testing/tests/ikev2/mobike-virtual-ip/pretest.dat @@ -4,6 +4,5 @@ sun::iptables-restore < /etc/iptables.rules sun::ip route add 10.1.0.0/16 via PH_IP_MOON alice::ipsec start sun::ipsec start -alice::sleep 2 +alice::expect-connection mobike alice::ipsec up mobike -alice::sleep 1 diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules index a238c8d19..450e7cef6 100644 --- a/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules +++ b/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules @@ -5,6 +5,10 @@ -P OUTPUT DROP -P FORWARD DROP +# allow traffic on lo as ifup/ifdown call bind's rndc which accesses TCP 953 +-A OUTPUT -o lo -j ACCEPT +-A INPUT -i lo -j ACCEPT + # allow IPsec tunnel traffic -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT diff --git a/testing/tests/ikev2/mobike/pretest.dat b/testing/tests/ikev2/mobike/pretest.dat index 067c1a1ec..8197296ee 100644 --- a/testing/tests/ikev2/mobike/pretest.dat +++ b/testing/tests/ikev2/mobike/pretest.dat @@ -4,6 +4,5 @@ sun::iptables-restore < /etc/iptables.rules sun::ip route add 10.1.0.0/16 via PH_IP_MOON alice::ipsec start sun::ipsec start -alice::sleep 2 +alice::expect-connection mobike alice::ipsec up mobike -alice::sleep 1 diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat index 8457ae0dd..eb20c7f0b 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat @@ -18,4 +18,4 @@ moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer 22806012345600 moon::ipsec status 2> /dev/null::rw-mult.*ESTABLISHED.*228060123456002@strongswan.org::NO dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES dave::ipsec status 2> /dev/null::home.*ESTABLISHED::NO -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO +dave::ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat index eb69d2e45..07ffe10fa 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat @@ -8,7 +8,7 @@ alice::radiusd moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat b/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat index 2eebc0f84..bee9bc792 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat +++ b/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat @@ -1,6 +1,7 @@ carol::ipsec start dave::ipsec start moon::ipsec start -moon::sleep 2 +moon::expect-connection alice +moon::expect-connection venus moon::ipsec up alice moon::ipsec up venus diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat index 86dd31e83..be0051e0b 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat @@ -1,6 +1,7 @@ carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection alice carol::ipsec up alice +dave::expect-connection venus dave::ipsec up venus diff --git a/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat b/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat index 41319ae4d..d9ed52718 100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat +++ b/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat @@ -1,10 +1,13 @@ winnetou::/etc/init.d/slapd start moon::iptables-restore < /etc/iptables.rules +moon::ipsec start carol::ipsec start dave::ipsec start -moon::ipsec start -carol::sleep 2 +carol::expect-connection alice +carol::expect-connection venus carol::ipsec up alice carol::ipsec up venus +dave::expect-connection alice +dave::expect-connection venus dave::ipsec up venus dave::ipsec up alice diff --git a/testing/tests/ikev2/multi-level-ca-loop/pretest.dat b/testing/tests/ikev2/multi-level-ca-loop/pretest.dat index bb538c160..3407743b3 100644 --- a/testing/tests/ikev2/multi-level-ca-loop/pretest.dat +++ b/testing/tests/ikev2/multi-level-ca-loop/pretest.dat @@ -1,5 +1,5 @@ moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem carol::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection alice carol::ipsec up alice diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat b/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat index e209e60ff..8230de058 100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat +++ b/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat @@ -1,4 +1,4 @@ carol::ipsec start moon::ipsec start -carol::sleep 2 -carol::ipsec up home +carol::expect-connection home +carol::ipsec up home diff --git a/testing/tests/ikev2/multi-level-ca-revoked/pretest.dat b/testing/tests/ikev2/multi-level-ca-revoked/pretest.dat index d92333d86..3a1982f8a 100644 --- a/testing/tests/ikev2/multi-level-ca-revoked/pretest.dat +++ b/testing/tests/ikev2/multi-level-ca-revoked/pretest.dat @@ -1,4 +1,4 @@ moon::ipsec start carol::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/multi-level-ca-strict/pretest.dat b/testing/tests/ikev2/multi-level-ca-strict/pretest.dat index 755564cbc..2134d6bea 100644 --- a/testing/tests/ikev2/multi-level-ca-strict/pretest.dat +++ b/testing/tests/ikev2/multi-level-ca-strict/pretest.dat @@ -1,8 +1,11 @@ carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection alice +carol::expect-connection venus carol::ipsec up alice carol::ipsec up venus +dave::expect-connection alice +dave::expect-connection venus dave::ipsec up venus dave::ipsec up alice diff --git a/testing/tests/ikev2/multi-level-ca/posttest.dat b/testing/tests/ikev2/multi-level-ca/posttest.dat index 1646d5ed2..0f3f1ff89 100644 --- a/testing/tests/ikev2/multi-level-ca/posttest.dat +++ b/testing/tests/ikev2/multi-level-ca/posttest.dat @@ -2,4 +2,3 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop moon::rm /etc/ipsec.d/cacerts/* - diff --git a/testing/tests/ikev2/multi-level-ca/pretest.dat b/testing/tests/ikev2/multi-level-ca/pretest.dat index 755564cbc..2134d6bea 100644 --- a/testing/tests/ikev2/multi-level-ca/pretest.dat +++ b/testing/tests/ikev2/multi-level-ca/pretest.dat @@ -1,8 +1,11 @@ carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection alice +carol::expect-connection venus carol::ipsec up alice carol::ipsec up venus +dave::expect-connection alice +dave::expect-connection venus dave::ipsec up venus dave::ipsec up alice diff --git a/testing/tests/ikev2/nat-rw-mark/pretest.dat b/testing/tests/ikev2/nat-rw-mark/pretest.dat index 6cddfd4fe..9d68e3c6e 100644 --- a/testing/tests/ikev2/nat-rw-mark/pretest.dat +++ b/testing/tests/ikev2/nat-rw-mark/pretest.dat @@ -13,8 +13,7 @@ sun::iptables -t mangle -A PREROUTING -d PH_IP_DAVE10 -j MARK --set-mark 20 sun::ipsec start alice::ipsec start venus::ipsec start -alice::sleep 2 +alice::expect-connection nat-t alice::ipsec up nat-t -venus::sleep 2 +venus::expect-connection nat-t venus::ipsec up nat-t -venus::sleep 2 diff --git a/testing/tests/ikev2/nat-rw-psk/pretest.dat b/testing/tests/ikev2/nat-rw-psk/pretest.dat index c5d091f32..e52bc9d9c 100644 --- a/testing/tests/ikev2/nat-rw-psk/pretest.dat +++ b/testing/tests/ikev2/nat-rw-psk/pretest.dat @@ -9,8 +9,7 @@ sun::rm /etc/ipsec.d/cacerts/* sun::ipsec start alice::ipsec start venus::ipsec start -alice::sleep 2 +alice::expect-connection nat-t alice::ipsec up nat-t -venus::sleep 2 +venus::expect-connection nat-t venus::ipsec up nat-t -venus::sleep 2 diff --git a/testing/tests/ikev2/nat-rw/pretest.dat b/testing/tests/ikev2/nat-rw/pretest.dat index 12676f7ac..e3d9fc858 100644 --- a/testing/tests/ikev2/nat-rw/pretest.dat +++ b/testing/tests/ikev2/nat-rw/pretest.dat @@ -6,8 +6,7 @@ moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to- alice::ipsec start venus::ipsec start sun::ipsec start -alice::sleep 2 +alice::expect-connection nat-t alice::ipsec up nat-t -venus::sleep 2 +venus::expect-connection nat-t venus::ipsec up nat-t -venus::sleep 2 diff --git a/testing/tests/ikev2/nat-virtual-ip/pretest.dat b/testing/tests/ikev2/nat-virtual-ip/pretest.dat index 8945d87b9..1732d6efa 100644 --- a/testing/tests/ikev2/nat-virtual-ip/pretest.dat +++ b/testing/tests/ikev2/nat-virtual-ip/pretest.dat @@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection net-net moon::ipsec up net-net -moon::sleep 1 diff --git a/testing/tests/ikev2/net2net-ah/pretest.dat b/testing/tests/ikev2/net2net-ah/pretest.dat index 81a98fa41..1732d6efa 100644 --- a/testing/tests/ikev2/net2net-ah/pretest.dat +++ b/testing/tests/ikev2/net2net-ah/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-cert-sha2/pretest.dat b/testing/tests/ikev2/net2net-cert-sha2/pretest.dat index 81a98fa41..1732d6efa 100644 --- a/testing/tests/ikev2/net2net-cert-sha2/pretest.dat +++ b/testing/tests/ikev2/net2net-cert-sha2/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-cert/pretest.dat b/testing/tests/ikev2/net2net-cert/pretest.dat index c724e5df8..1732d6efa 100644 --- a/testing/tests/ikev2/net2net-cert/pretest.dat +++ b/testing/tests/ikev2/net2net-cert/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-dnscert/pretest.dat b/testing/tests/ikev2/net2net-dnscert/pretest.dat index 0f4ae0f4f..f2cbf6a0c 100644 --- a/testing/tests/ikev2/net2net-dnscert/pretest.dat +++ b/testing/tests/ikev2/net2net-dnscert/pretest.dat @@ -4,5 +4,5 @@ moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* moon::ipsec start sun::ipsec start -moon::sleep 2 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-dnssec/pretest.dat b/testing/tests/ikev2/net2net-dnssec/pretest.dat index 0f4ae0f4f..f2cbf6a0c 100644 --- a/testing/tests/ikev2/net2net-dnssec/pretest.dat +++ b/testing/tests/ikev2/net2net-dnssec/pretest.dat @@ -4,5 +4,5 @@ moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* moon::ipsec start sun::ipsec start -moon::sleep 2 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-esn/pretest.dat b/testing/tests/ikev2/net2net-esn/pretest.dat index c724e5df8..1732d6efa 100644 --- a/testing/tests/ikev2/net2net-esn/pretest.dat +++ b/testing/tests/ikev2/net2net-esn/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat b/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat index c724e5df8..1732d6efa 100644 --- a/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-ntru-cert/pretest.dat b/testing/tests/ikev2/net2net-ntru-cert/pretest.dat index c724e5df8..1732d6efa 100644 --- a/testing/tests/ikev2/net2net-ntru-cert/pretest.dat +++ b/testing/tests/ikev2/net2net-ntru-cert/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-pgp-v3/pretest.dat b/testing/tests/ikev2/net2net-pgp-v3/pretest.dat index 0f4ae0f4f..f2cbf6a0c 100644 --- a/testing/tests/ikev2/net2net-pgp-v3/pretest.dat +++ b/testing/tests/ikev2/net2net-pgp-v3/pretest.dat @@ -4,5 +4,5 @@ moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* moon::ipsec start sun::ipsec start -moon::sleep 2 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-pgp-v4/pretest.dat b/testing/tests/ikev2/net2net-pgp-v4/pretest.dat index 0f4ae0f4f..f2cbf6a0c 100644 --- a/testing/tests/ikev2/net2net-pgp-v4/pretest.dat +++ b/testing/tests/ikev2/net2net-pgp-v4/pretest.dat @@ -4,5 +4,5 @@ moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* moon::ipsec start sun::ipsec start -moon::sleep 2 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-pkcs12/pretest.dat b/testing/tests/ikev2/net2net-pkcs12/pretest.dat index 3492238f0..fd1ce379f 100644 --- a/testing/tests/ikev2/net2net-pkcs12/pretest.dat +++ b/testing/tests/ikev2/net2net-pkcs12/pretest.dat @@ -6,5 +6,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-psk-dscp/pretest.dat b/testing/tests/ikev2/net2net-psk-dscp/pretest.dat index 0495890dd..ef3eb9e06 100644 --- a/testing/tests/ikev2/net2net-psk-dscp/pretest.dat +++ b/testing/tests/ikev2/net2net-psk-dscp/pretest.dat @@ -9,9 +9,10 @@ moon::iptables -t mangle -A PREROUTING -m dscp --dscp-class EF -j MARK --set-mar bob::iptables -t mangle -A OUTPUT -d PH_IP_ALICE -p icmp -j DSCP --set-dscp-class BE bob::iptables -t mangle -A OUTPUT -d PH_IP_VENUS -p icmp -j DSCP --set-dscp-class EF sun::iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK --set-mark 10 -sun::iptables -t mangle -A PREROUTING -m dscp --dscp-class EF -j MARK --set-mark 20 +sun::iptables -t mangle -A PREROUTING -m dscp --dscp-class EF -j MARK --set-mark 20 moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection dscp-be +moon::expect-connection dscp-ef moon::ipsec up dscp-be moon::ipsec up dscp-ef diff --git a/testing/tests/ikev2/net2net-psk-fail/pretest.dat b/testing/tests/ikev2/net2net-psk-fail/pretest.dat index cb9282595..f2cbf6a0c 100644 --- a/testing/tests/ikev2/net2net-psk-fail/pretest.dat +++ b/testing/tests/ikev2/net2net-psk-fail/pretest.dat @@ -4,5 +4,5 @@ moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-psk/pretest.dat b/testing/tests/ikev2/net2net-psk/pretest.dat index cb9282595..f2cbf6a0c 100644 --- a/testing/tests/ikev2/net2net-psk/pretest.dat +++ b/testing/tests/ikev2/net2net-psk/pretest.dat @@ -4,5 +4,5 @@ moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-rfc3779/pretest.dat b/testing/tests/ikev2/net2net-rfc3779/pretest.dat index 9fe2860b9..1732d6efa 100644 --- a/testing/tests/ikev2/net2net-rfc3779/pretest.dat +++ b/testing/tests/ikev2/net2net-rfc3779/pretest.dat @@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection net-net moon::ipsec up net-net -moon::sleep 1 diff --git a/testing/tests/ikev2/net2net-route/pretest.dat b/testing/tests/ikev2/net2net-route/pretest.dat index e4ee3fac2..a1c567079 100644 --- a/testing/tests/ikev2/net2net-route/pretest.dat +++ b/testing/tests/ikev2/net2net-route/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 2 -alice::ping -c 10 PH_IP_BOB +moon::expect-connection net-net +alice::ping -c 3 -W 1 -i 0.2 PH_IP_BOB diff --git a/testing/tests/ikev2/net2net-rsa/pretest.dat b/testing/tests/ikev2/net2net-rsa/pretest.dat index 0f4ae0f4f..f2cbf6a0c 100644 --- a/testing/tests/ikev2/net2net-rsa/pretest.dat +++ b/testing/tests/ikev2/net2net-rsa/pretest.dat @@ -4,5 +4,5 @@ moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* moon::ipsec start sun::ipsec start -moon::sleep 2 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-same-nets/pretest.dat b/testing/tests/ikev2/net2net-same-nets/pretest.dat index c724e5df8..1732d6efa 100644 --- a/testing/tests/ikev2/net2net-same-nets/pretest.dat +++ b/testing/tests/ikev2/net2net-same-nets/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-start/pretest.dat b/testing/tests/ikev2/net2net-start/pretest.dat index 9d23c553e..b3f371041 100644 --- a/testing/tests/ikev2/net2net-start/pretest.dat +++ b/testing/tests/ikev2/net2net-start/pretest.dat @@ -1,6 +1,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules sun::ipsec start -sun::sleep 2 moon::ipsec start -moon::sleep 3 +moon::sleep 1 diff --git a/testing/tests/ikev2/ocsp-local-cert/pretest.dat b/testing/tests/ikev2/ocsp-local-cert/pretest.dat index d92333d86..3a1982f8a 100644 --- a/testing/tests/ikev2/ocsp-local-cert/pretest.dat +++ b/testing/tests/ikev2/ocsp-local-cert/pretest.dat @@ -1,4 +1,4 @@ moon::ipsec start carol::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/ocsp-multi-level/pretest.dat b/testing/tests/ikev2/ocsp-multi-level/pretest.dat index 86dd31e83..be0051e0b 100644 --- a/testing/tests/ikev2/ocsp-multi-level/pretest.dat +++ b/testing/tests/ikev2/ocsp-multi-level/pretest.dat @@ -1,6 +1,7 @@ carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection alice carol::ipsec up alice +dave::expect-connection venus dave::ipsec up venus diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat index afb64c3ed..6296b4e06 100644 --- a/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat +++ b/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat @@ -1,5 +1,5 @@ -moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP +moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j REJECT --reject-with tcp-reset moon::ipsec start carol::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/ocsp-revoked/pretest.dat b/testing/tests/ikev2/ocsp-revoked/pretest.dat index d92333d86..3a1982f8a 100644 --- a/testing/tests/ikev2/ocsp-revoked/pretest.dat +++ b/testing/tests/ikev2/ocsp-revoked/pretest.dat @@ -1,4 +1,4 @@ moon::ipsec start carol::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/ocsp-root-cert/pretest.dat b/testing/tests/ikev2/ocsp-root-cert/pretest.dat index d92333d86..3a1982f8a 100644 --- a/testing/tests/ikev2/ocsp-root-cert/pretest.dat +++ b/testing/tests/ikev2/ocsp-root-cert/pretest.dat @@ -1,4 +1,4 @@ moon::ipsec start carol::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/ocsp-signer-cert/pretest.dat b/testing/tests/ikev2/ocsp-signer-cert/pretest.dat index d92333d86..3a1982f8a 100644 --- a/testing/tests/ikev2/ocsp-signer-cert/pretest.dat +++ b/testing/tests/ikev2/ocsp-signer-cert/pretest.dat @@ -1,4 +1,4 @@ moon::ipsec start carol::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat index c31e05ef5..934df4e5b 100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat +++ b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat @@ -1,5 +1,5 @@ moon:: cat /var/log/daemon.log::authentication of.*carol.*successful::YES -moon:: cat /var/log/daemon.log::libcurl http request failed::YES +moon:: cat /var/log/daemon.log::libcurl request failed::YES moon:: cat /var/log/daemon.log::certificate status is not available::YES moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED::YES moon:: ipsec status 2> /dev/null::ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat index 86dd31e83..be0051e0b 100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat +++ b/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat @@ -1,6 +1,7 @@ carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection alice carol::ipsec up alice +dave::expect-connection venus dave::ipsec up venus diff --git a/testing/tests/ikev2/ocsp-timeouts-good/description.txt b/testing/tests/ikev2/ocsp-timeouts-good/description.txt index 9ee5db95b..ad7de9ecc 100644 --- a/testing/tests/ikev2/ocsp-timeouts-good/description.txt +++ b/testing/tests/ikev2/ocsp-timeouts-good/description.txt @@ -6,5 +6,5 @@ OCSP server is listening. Thanks to timeouts the connection can nevertheless be established successfully by contacting a valid OCSP URI contained in carol's certificate.

-As an additional test the OCSP response is delayed by 5 seconds in order to check +As an additional test the OCSP response is delayed by a few seconds in order to check the correct handling of retransmitted IKE_AUTH messages. diff --git a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat index f50d5e88c..d4e41dbb8 100644 --- a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat +++ b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat @@ -1,9 +1,9 @@ -moon:: cat /var/log/daemon.log::libcurl http request failed::YES +moon:: cat /var/log/daemon.log::libcurl request failed::YES moon:: cat /var/log/daemon.log::ocsp request to.*ocsp2.strongswan.org:8880.*failed::YES moon:: cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES moon:: cat /var/log/daemon.log::ocsp response is valid::YES moon:: cat /var/log/daemon.log::certificate status is good::YES -carol::cat /var/log/daemon.log::libcurl http request failed::YES +carol::cat /var/log/daemon.log::libcurl request failed::YES carol::cat /var/log/daemon.log::ocsp request to.*bob.strongswan.org:8800.*failed::YES carol::cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES carol::cat /var/log/daemon.log::ocsp response is valid::YES diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi index aa70321d5..46a716f83 100755 --- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi +++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi @@ -6,7 +6,7 @@ echo "Content-type: application/ocsp-response" echo "" # simulate a delayed response -sleep 5 +sleep 2 cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \ -rkey ocspKey.pem -rsigner ocspCert.pem \ diff --git a/testing/tests/ikev2/ocsp-timeouts-good/pretest.dat b/testing/tests/ikev2/ocsp-timeouts-good/pretest.dat index d92333d86..3a1982f8a 100644 --- a/testing/tests/ikev2/ocsp-timeouts-good/pretest.dat +++ b/testing/tests/ikev2/ocsp-timeouts-good/pretest.dat @@ -1,4 +1,4 @@ moon::ipsec start carol::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat index 7c0a9a5a4..cb7997f72 100644 --- a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat +++ b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat @@ -1,4 +1,4 @@ -moon:: cat /var/log/daemon.log::libcurl http request failed::YES +moon:: cat /var/log/daemon.log::libcurl request failed::YES moon:: cat /var/log/daemon.log::certificate status is not available::YES moon:: cat /var/log/daemon.log::constraint check failed::YES carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED::YES diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/pretest.dat b/testing/tests/ikev2/ocsp-timeouts-unknown/pretest.dat index 7d9d600ff..a43ba3550 100644 --- a/testing/tests/ikev2/ocsp-timeouts-unknown/pretest.dat +++ b/testing/tests/ikev2/ocsp-timeouts-unknown/pretest.dat @@ -1,6 +1,6 @@ -moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP -carol::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP +moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j REJECT --reject-with tcp-reset +carol::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j REJECT --reject-with tcp-reset moon::ipsec start carol::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat index afb64c3ed..6296b4e06 100644 --- a/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat +++ b/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat @@ -1,5 +1,5 @@ -moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP +moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j REJECT --reject-with tcp-reset moon::ipsec start carol::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/protoport-dual/pretest.dat b/testing/tests/ikev2/protoport-dual/pretest.dat index efb2e5712..4759fdb7b 100644 --- a/testing/tests/ikev2/protoport-dual/pretest.dat +++ b/testing/tests/ikev2/protoport-dual/pretest.dat @@ -2,6 +2,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 2 +carol::expect-connection home-icmp +carol::expect-connection home-ssh carol::ipsec up home-icmp carol::ipsec up home-ssh diff --git a/testing/tests/ikev2/protoport-route/pretest.dat b/testing/tests/ikev2/protoport-route/pretest.dat index 5a15574d6..433d0cf98 100644 --- a/testing/tests/ikev2/protoport-route/pretest.dat +++ b/testing/tests/ikev2/protoport-route/pretest.dat @@ -2,7 +2,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home-icmp +carol::expect-connection home-ssh carol::ssh PH_IP_ALICE hostname -carol::ping -c 1 PH_IP_ALICE > /dev/null -carol::sleep 2 +carol::ping -W 1 -c 1 PH_IP_ALICE > /dev/null diff --git a/testing/tests/ikev2/reauth-early/pretest.dat b/testing/tests/ikev2/reauth-early/pretest.dat index 153ea7c43..d3ce70e80 100644 --- a/testing/tests/ikev2/reauth-early/pretest.dat +++ b/testing/tests/ikev2/reauth-early/pretest.dat @@ -2,6 +2,6 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home carol::sleep 30 diff --git a/testing/tests/ikev2/reauth-late/pretest.dat b/testing/tests/ikev2/reauth-late/pretest.dat index 153ea7c43..d3ce70e80 100644 --- a/testing/tests/ikev2/reauth-late/pretest.dat +++ b/testing/tests/ikev2/reauth-late/pretest.dat @@ -2,6 +2,6 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home carol::sleep 30 diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat index baacc1605..de4acbbf0 100644 --- a/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat +++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/reauth-mbb/pretest.dat b/testing/tests/ikev2/reauth-mbb/pretest.dat index baacc1605..de4acbbf0 100644 --- a/testing/tests/ikev2/reauth-mbb/pretest.dat +++ b/testing/tests/ikev2/reauth-mbb/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf index d1eb77041..646bcee1a 100644 --- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown + load = test-vectors aes des sha1 sha2 sha3 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown integrity_test = yes crypto_test { diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf index d1eb77041..646bcee1a 100644 --- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown + load = test-vectors aes des sha1 sha2 sha3 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown integrity_test = yes crypto_test { diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf index d1eb77041..646bcee1a 100644 --- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown + load = test-vectors aes des sha1 sha2 sha3 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown integrity_test = yes crypto_test { diff --git a/testing/tests/ikev2/rw-cert/pretest.dat b/testing/tests/ikev2/rw-cert/pretest.dat index c582e030d..e87a8ee47 100644 --- a/testing/tests/ikev2/rw-cert/pretest.dat +++ b/testing/tests/ikev2/rw-cert/pretest.dat @@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 3 +moon::expect-connection rw +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev2/rw-dnssec/pretest.dat b/testing/tests/ikev2/rw-dnssec/pretest.dat index 40eaede87..e827687f8 100644 --- a/testing/tests/ikev2/rw-dnssec/pretest.dat +++ b/testing/tests/ikev2/rw-dnssec/pretest.dat @@ -7,7 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/* carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat index 388339fb8..de4acbbf0 100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat @@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat index 388339fb8..de4acbbf0 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat +++ b/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat @@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-dynamic/pretest.dat b/testing/tests/ikev2/rw-eap-dynamic/pretest.dat index 17f1b5f2b..a55cf37b2 100644 --- a/testing/tests/ikev2/rw-eap-dynamic/pretest.dat +++ b/testing/tests/ikev2/rw-eap-dynamic/pretest.dat @@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat index 698a719f7..98bf0b15a 100644 --- a/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat @@ -5,7 +5,7 @@ alice::radiusd moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 -carol::ipsec up home -dave::ipsec up home -dave::sleep 1 +carol::expect-connection home +carol::ipsec up home +dave::expect-connection home +dave::ipsec up home diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat index a2704e833..8893e0169 100644 --- a/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat @@ -5,9 +5,11 @@ alice::radiusd moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection alice +carol::expect-connection venus carol::ipsec up alice carol::ipsec up venus +dave::expect-connection alice +dave::expect-connection venus dave::ipsec up alice dave::ipsec up venus -dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat index 180537f5f..d44910db8 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat +++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat @@ -2,7 +2,6 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec stroke user-creds home carol "Ar3etTnp" carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat index 9adc43d3e..c65fbda83 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat @@ -3,6 +3,5 @@ carol::iptables-restore < /etc/iptables.rules alice::radiusd moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat index 9adc43d3e..c65fbda83 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat @@ -3,6 +3,5 @@ carol::iptables-restore < /etc/iptables.rules alice::radiusd moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat index 388339fb8..de4acbbf0 100644 --- a/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat +++ b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat @@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat index 388339fb8..de4acbbf0 100644 --- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat +++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat @@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat index 17f1b5f2b..a55cf37b2 100644 --- a/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat +++ b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat @@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat index 17f1b5f2b..a55cf37b2 100644 --- a/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat @@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat index 3e7fc0bb1..98bf0b15a 100644 --- a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat @@ -5,7 +5,7 @@ alice::radiusd moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat index f8a9cc852..fa1164713 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat @@ -5,6 +5,5 @@ carol::cat /etc/ipsec.d/triplets.dat alice::radiusd moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat index f434ddfc6..4f8f7285b 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat @@ -12,4 +12,4 @@ moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongsw moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat index 0e9e46bfd..a204f88a1 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat @@ -11,7 +11,7 @@ alice::radiusd moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat index a514f48b7..01aed2492 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat @@ -12,4 +12,4 @@ moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongsw moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat index 57c9f11a8..fdb50fcfb 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat @@ -11,7 +11,7 @@ alice::radiusd moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat index ae464b51c..3e05e4ed7 100644 --- a/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat +++ b/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat @@ -4,6 +4,5 @@ moon::cat /etc/ipsec.d/triplets.dat carol::cat /etc/ipsec.d/triplets.dat moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat index 3d680ab78..7ed202116 100644 --- a/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat +++ b/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat @@ -4,6 +4,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat index 388339fb8..de4acbbf0 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/pretest.dat +++ b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat @@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat index 9adc43d3e..c65fbda83 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat @@ -3,6 +3,5 @@ carol::iptables-restore < /etc/iptables.rules alice::radiusd moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat index 589d478e7..a55cf37b2 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat @@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 2 diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat index 17f1b5f2b..a55cf37b2 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat @@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat index 3e7fc0bb1..98bf0b15a 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat @@ -5,7 +5,7 @@ alice::radiusd moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/ikev2/rw-hash-and-url/pretest.dat b/testing/tests/ikev2/rw-hash-and-url/pretest.dat index 8bbea1412..a55cf37b2 100644 --- a/testing/tests/ikev2/rw-hash-and-url/pretest.dat +++ b/testing/tests/ikev2/rw-hash-and-url/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf index 2b80853c6..094e0effa 100644 --- a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf @@ -2,8 +2,4 @@ charon { load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown - - retransmit_timeout = 2 - retransmit_base = 1.5 - retransmit_tries = 3 } diff --git a/testing/tests/ikev2/rw-initiator-only/pretest.dat b/testing/tests/ikev2/rw-initiator-only/pretest.dat index fc7173430..4660c29d6 100644 --- a/testing/tests/ikev2/rw-initiator-only/pretest.dat +++ b/testing/tests/ikev2/rw-initiator-only/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection peer dave::ipsec up peer +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/rw-mark-in-out/pretest.dat b/testing/tests/ikev2/rw-mark-in-out/pretest.dat index 8e9dd2f51..728831472 100644 --- a/testing/tests/ikev2/rw-mark-in-out/pretest.dat +++ b/testing/tests/ikev2/rw-mark-in-out/pretest.dat @@ -1,8 +1,8 @@ alice::iptables-restore < /etc/iptables.rules venus::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON -sun::ip route add 10.1.0.0/16 via PH_IP_MOON +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON +sun::ip route add 10.1.0.0/16 via PH_IP_MOON sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to PH_IP_CAROL10 sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to PH_IP_DAVE10 sun::iptables -t mangle -A PREROUTING -d PH_IP_CAROL10 -j MARK --set-mark 11 @@ -10,8 +10,7 @@ sun::iptables -t mangle -A PREROUTING -d PH_IP_DAVE10 -j MARK --set-mark 21 alice::ipsec start venus::ipsec start sun::ipsec start -alice::sleep 2 -alice::ipsec up home -venus::sleep 2 +alice::expect-connection home +alice::ipsec up home +venus::expect-connection home venus::ipsec up home -venus::sleep 2 diff --git a/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat b/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat index 5a88b6641..72f3a0e69 100644 --- a/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat +++ b/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat @@ -1,15 +1,15 @@ -carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA512 successful::YES +carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES carol::ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA512 successful::YES +dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES dave:: ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with BLISS_WITH_SHA256 successful::YES -moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with BLISS_WITH_SHA384 successful::YES +moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with BLISS_WITH_SHA2_256 successful::YES +moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with BLISS_WITH_SHA2_384 successful::YES moon:: ipsec statusall 2> /dev/null::rw\[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES moon:: ipsec statusall 2> /dev/null::rw\[2]: IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf index f13e47a71..647a47f2f 100644 --- a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf @@ -1,6 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup + strictcrlpolicy=yes conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf index ab824c993..c47ca8027 100644 --- a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown + load = aes sha1 sha2 sha3 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown send_vendor_id = yes fragment_size = 1500 } diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf index 5f605a43d..e7786040c 100644 --- a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf @@ -1,6 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup + strictcrlpolicy=yes conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf index ab824c993..c47ca8027 100644 --- a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown + load = aes sha1 sha2 sha3 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown send_vendor_id = yes fragment_size = 1500 } diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf index 2a9b33aae..e5c2bf8b6 100644 --- a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf @@ -1,6 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup + strictcrlpolicy=yes conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf index ab824c993..c47ca8027 100644 --- a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown + load = aes sha1 sha2 sha3 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown send_vendor_id = yes fragment_size = 1500 } diff --git a/testing/tests/ikev2/rw-ntru-bliss/pretest.dat b/testing/tests/ikev2/rw-ntru-bliss/pretest.dat index 24249435e..c0f963d4c 100644 --- a/testing/tests/ikev2/rw-ntru-bliss/pretest.dat +++ b/testing/tests/ikev2/rw-ntru-bliss/pretest.dat @@ -7,7 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/strongswanCert.pem carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/rw-ntru-psk/pretest.dat b/testing/tests/ikev2/rw-ntru-psk/pretest.dat index 40eaede87..e827687f8 100644 --- a/testing/tests/ikev2/rw-ntru-psk/pretest.dat +++ b/testing/tests/ikev2/rw-ntru-psk/pretest.dat @@ -7,7 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/* carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/rw-pkcs8/pretest.dat b/testing/tests/ikev2/rw-pkcs8/pretest.dat index 8bbea1412..a55cf37b2 100644 --- a/testing/tests/ikev2/rw-pkcs8/pretest.dat +++ b/testing/tests/ikev2/rw-pkcs8/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev2/rw-psk-fqdn/pretest.dat b/testing/tests/ikev2/rw-psk-fqdn/pretest.dat index 64ce593fb..ab5e18da2 100644 --- a/testing/tests/ikev2/rw-psk-fqdn/pretest.dat +++ b/testing/tests/ikev2/rw-psk-fqdn/pretest.dat @@ -7,6 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/* moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev2/rw-psk-ipv4/pretest.dat b/testing/tests/ikev2/rw-psk-ipv4/pretest.dat index 64ce593fb..ab5e18da2 100644 --- a/testing/tests/ikev2/rw-psk-ipv4/pretest.dat +++ b/testing/tests/ikev2/rw-psk-ipv4/pretest.dat @@ -7,6 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/* moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev2/rw-psk-no-idr/pretest.dat b/testing/tests/ikev2/rw-psk-no-idr/pretest.dat index 64ce593fb..ab5e18da2 100644 --- a/testing/tests/ikev2/rw-psk-no-idr/pretest.dat +++ b/testing/tests/ikev2/rw-psk-no-idr/pretest.dat @@ -7,6 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/* moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat index 446f81426..08b891aa5 100644 --- a/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat @@ -5,6 +5,7 @@ carol::rm /etc/ipsec.d/cacerts/* moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat b/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat index 8bbea1412..a55cf37b2 100644 --- a/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat +++ b/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev2/rw-radius-accounting/pretest.dat b/testing/tests/ikev2/rw-radius-accounting/pretest.dat index 9f437fe85..d26229602 100644 --- a/testing/tests/ikev2/rw-radius-accounting/pretest.dat +++ b/testing/tests/ikev2/rw-radius-accounting/pretest.dat @@ -4,6 +4,5 @@ alice::rm /var/log/freeradius/radacct/PH_IP_MOON1/* alice::radiusd moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/rw-sig-auth/pretest.dat b/testing/tests/ikev2/rw-sig-auth/pretest.dat index bec31cc68..9c26ea122 100644 --- a/testing/tests/ikev2/rw-sig-auth/pretest.dat +++ b/testing/tests/ikev2/rw-sig-auth/pretest.dat @@ -4,9 +4,11 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection alice +carol::expect-connection venus carol::ipsec up alice carol::ipsec up venus +dave::expect-connection alice +dave::expect-connection venus dave::ipsec up alice dave::ipsec up venus -dave::sleep 1 diff --git a/testing/tests/ikev2/rw-whitelist/evaltest.dat b/testing/tests/ikev2/rw-whitelist/evaltest.dat index 3522c3d79..a9917bcf1 100644 --- a/testing/tests/ikev2/rw-whitelist/evaltest.dat +++ b/testing/tests/ikev2/rw-whitelist/evaltest.dat @@ -6,7 +6,7 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES dave:: cat /var/log/daemon.log:: received AUTHENTICATION_FAILED notify error::YES dave:: ipsec status 2> /dev/null::home.*INSTALLED::NO -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/strong-keys-certs/pretest.dat b/testing/tests/ikev2/strong-keys-certs/pretest.dat index dea5fc162..a55cf37b2 100644 --- a/testing/tests/ikev2/strong-keys-certs/pretest.dat +++ b/testing/tests/ikev2/strong-keys-certs/pretest.dat @@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/trap-any/evaltest.dat b/testing/tests/ikev2/trap-any/evaltest.dat index bcba9ef08..b62e890c0 100644 --- a/testing/tests/ikev2/trap-any/evaltest.dat +++ b/testing/tests/ikev2/trap-any/evaltest.dat @@ -1,8 +1,8 @@ -moon::ping -c 2 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES -moon::ping -c 2 -W 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES -sun::ping -c 2 -W 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES -dave::ping -c 2 -W 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=2::YES -dave::ping -c 2 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES +moon::ping -c 2 -W 1 -i 0.2 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES +moon::ping -c 2 -W 1 -i 0.2 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES +sun::ping -c 2 -W 1 -i 0.2 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES +dave::ping -c 2 -W 1 -i 0.2 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=2::YES +dave::ping -c 2 -W 1 -i 0.2 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES dave::ping -c 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=1::YES moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_SUN::YES moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_CAROL::YES diff --git a/testing/tests/ikev2/two-certs/pretest.dat b/testing/tests/ikev2/two-certs/pretest.dat index fe2aaec19..5936eda68 100644 --- a/testing/tests/ikev2/two-certs/pretest.dat +++ b/testing/tests/ikev2/two-certs/pretest.dat @@ -2,7 +2,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection alice +carol::expect-connection venus carol::ipsec up alice carol::ipsec up venus -carol::sleep 1 diff --git a/testing/tests/ikev2/virtual-ip-override/pretest.dat b/testing/tests/ikev2/virtual-ip-override/pretest.dat index 1765a83cd..2d09e88ce 100644 --- a/testing/tests/ikev2/virtual-ip-override/pretest.dat +++ b/testing/tests/ikev2/virtual-ip-override/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev2/virtual-ip/pretest.dat b/testing/tests/ikev2/virtual-ip/pretest.dat index 1765a83cd..2d09e88ce 100644 --- a/testing/tests/ikev2/virtual-ip/pretest.dat +++ b/testing/tests/ikev2/virtual-ip/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/ikev2/wildcards/pretest.dat b/testing/tests/ikev2/wildcards/pretest.dat index 3c4832e5e..2134d6bea 100644 --- a/testing/tests/ikev2/wildcards/pretest.dat +++ b/testing/tests/ikev2/wildcards/pretest.dat @@ -1,8 +1,11 @@ carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 1 +carol::expect-connection alice +carol::expect-connection venus carol::ipsec up alice carol::ipsec up venus +dave::expect-connection alice +dave::expect-connection venus dave::ipsec up venus dave::ipsec up alice diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf index 8e6478c51..f64bc2342 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf @@ -5,7 +5,7 @@ config setup ca strongswan cacert=strongswanCert.pem certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.org/strongswan.crl + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl auto=add conn %default diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf index a880b12a1..e739fc8ea 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf @@ -5,7 +5,7 @@ config setup ca strongswan cacert=strongswanCert.pem certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.org/strongswan.crl + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl auto=add conn %default diff --git a/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat b/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat index 0a0b1a78f..8229b6254 100644 --- a/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat @@ -8,6 +8,7 @@ moon:: ip xfrm state::proto comp spi::YES carol::ip xfrm state::proto comp spi::YES # send two pings because the first is lost due to Path MTU Discovery between alice and moon carol::ping6 -c 2 -W 1 -s 8184 -p deadbeef ip6-alice.strongswan.org::8192 bytes from ip6-alice.strongswan.org::YES -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org::YES +# reduce the size as the default is already larger than the threshold of 90 bytes +carol::ping6 -c 1 -s 40 ip6-alice.strongswan.org::48 bytes from ip6-alice.strongswan.org::YES moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES diff --git a/testing/tests/libipsec/host2host-cert/pretest.dat b/testing/tests/libipsec/host2host-cert/pretest.dat index d8d30af02..b095bf5c4 100644 --- a/testing/tests/libipsec/host2host-cert/pretest.dat +++ b/testing/tests/libipsec/host2host-cert/pretest.dat @@ -4,5 +4,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection host-host moon::ipsec up host-host diff --git a/testing/tests/libipsec/net2net-3des/pretest.dat b/testing/tests/libipsec/net2net-3des/pretest.dat index c724e5df8..1732d6efa 100644 --- a/testing/tests/libipsec/net2net-3des/pretest.dat +++ b/testing/tests/libipsec/net2net-3des/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/libipsec/net2net-cert/pretest.dat b/testing/tests/libipsec/net2net-cert/pretest.dat index c724e5df8..1732d6efa 100644 --- a/testing/tests/libipsec/net2net-cert/pretest.dat +++ b/testing/tests/libipsec/net2net-cert/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/libipsec/net2net-null/description.txt b/testing/tests/libipsec/net2net-null/description.txt new file mode 100644 index 000000000..d8f019d36 --- /dev/null +++ b/testing/tests/libipsec/net2net-null/description.txt @@ -0,0 +1,11 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on X.509 certificates and the kernel-libipsec +plugin is used for userland IPsec ESP encryption. The negotiated encryption and authentication +algorithms are NULL and SHA-256, respectively.
+Just by way of example, NULL encryption is also configured for the IKEv2 connection, +using the NULL-crypter provided by the OpenSSL library. +

+Upon the successful establishment of the IPsec tunnel, an updown script automatically +inserts iptables-based firewall rules that let pass the traffic tunneled via the +ipsec0 tun interface. In order to test both tunnel and firewall, client alice +behind gateway moon pings client bob located behind gateway sun. diff --git a/testing/tests/libipsec/net2net-null/evaltest.dat b/testing/tests/libipsec/net2net-null/evaltest.dat new file mode 100644 index 000000000..e455a3650 --- /dev/null +++ b/testing/tests/libipsec/net2net-null/evaltest.dat @@ -0,0 +1,11 @@ +moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +moon::ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES +sun:: ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +moon::ipsec statusall 2> /dev/null::net-net[{]1}.*NULL/HMAC_SHA2_256::YES +sun:: ipsec statusall 2> /dev/null::net-net[{]1}.*NULL/HMAC_SHA2_256::YES +sun::tcpdump::IP moon.strongswan.org.4500 > sun.strongswan.org.4500: UDP-encap: ESP::YES +sun::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..4ecfb0e92 --- /dev/null +++ b/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=null-sha256-modp2048! + esp=null-sha256-modp2048! + mobike=no + +conn net-net + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftupdown=/etc/updown + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..c283474db --- /dev/null +++ b/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = pem pkcs1 random nonce revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/libipsec/net2net-null/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-null/hosts/moon/etc/updown new file mode 100755 index 000000000..61f65311c --- /dev/null +++ b/testing/tests/libipsec/net2net-null/hosts/moon/etc/updown @@ -0,0 +1,566 @@ +#!/bin/sh +# default updown script +# +# Copyright (C) 2003-2004 Nigel Meteringham +# Copyright (C) 2003-2004 Tuomo Soini +# Copyright (C) 2002-2004 Michael Richardson +# Copyright (C) 2005-2007 Andreas Steffen +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. + +# CAUTION: Installing a new version of strongSwan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the (left/right)updown parameters in ipsec.conf to make +# strongSwan use yours instead of this default one. + +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica- +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. +# +# PLUTO_REQID +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated +# +# PLUTO_UNIQUEID +# is the unique identifier of the associated IKE_SA +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_SOURCEIP +# PLUTO_MY_SOURCEIP4_$i +# PLUTO_MY_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP received from a responder, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first +# virtual IP, IPv4 or IPv6. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub- +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_SOURCEIP +# PLUTO_PEER_SOURCEIP4_$i +# PLUTO_PEER_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP sent to an initiator, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first +# virtual IP, IPv4 or IPv6. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. +# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_UDP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# +# PLUTO_DNS4_$i +# PLUTO_DNS6_$i +# contains IPv4/IPv6 DNS server attribute received from a +# responder, $i enumerates from 1 to the number of servers per +# address family. +# + +# define a minimum PATH environment in case it is not set +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +export PATH + +# comment to disable logging VPN connections to syslog +VPN_LOGGING=1 +# +# tag put in front of each log entry: +TAG=vpn +# +# syslog facility and priority used: +FAC_PRIO=local0.notice +# +# to create a special vpn logging file, put the following line into +# the syslog configuration file /etc/syslog.conf: +# +# local0.notice -/var/log/vpn + +# check interface version +case "$PLUTO_VERSION" in +1.[0|1]) # Older release?!? Play it safe, script may be using new features. + echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 + echo "$0: called by obsolete release?" >&2 + exit 2 + ;; +1.*) ;; +*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 + exit 2 + ;; +esac + +# check parameter(s) +case "$1:$*" in +':') # no parameters + ;; +iptables:iptables) # due to (left/right)firewall; for default script only + ;; +custom:*) # custom parameters (see above CAUTION comment) + ;; +*) echo "$0: unknown parameters \`$*'" >&2 + exit 2 + ;; +esac + +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" + +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac + +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi +fi + +# resolve octal escape sequences +PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` +PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` + +case "$PLUTO_VERB:$1" in +up-host:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + PLUTO_INTERFACE=ipsec0 + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +down-client:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + PLUTO_INTERFACE=ipsec0 + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +up-host:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +# +# IPv6 +# +up-host-v6:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host-v6:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client-v6:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-client-v6:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + ;; +up-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client-v6:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then + ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client-v6:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then + ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 + exit 1 + ;; +esac diff --git a/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..95ea20d3c --- /dev/null +++ b/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=null-sha256-modp2048! + esp=null-sha256-modp2048! + mobike=no + +conn net-net + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftsubnet=10.2.0.0/16 + leftupdown=/etc/updown + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..c283474db --- /dev/null +++ b/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = pem pkcs1 random nonce revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/libipsec/net2net-null/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-null/hosts/sun/etc/updown new file mode 100755 index 000000000..61f65311c --- /dev/null +++ b/testing/tests/libipsec/net2net-null/hosts/sun/etc/updown @@ -0,0 +1,566 @@ +#!/bin/sh +# default updown script +# +# Copyright (C) 2003-2004 Nigel Meteringham +# Copyright (C) 2003-2004 Tuomo Soini +# Copyright (C) 2002-2004 Michael Richardson +# Copyright (C) 2005-2007 Andreas Steffen +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. + +# CAUTION: Installing a new version of strongSwan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the (left/right)updown parameters in ipsec.conf to make +# strongSwan use yours instead of this default one. + +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica- +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. +# +# PLUTO_REQID +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated +# +# PLUTO_UNIQUEID +# is the unique identifier of the associated IKE_SA +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_SOURCEIP +# PLUTO_MY_SOURCEIP4_$i +# PLUTO_MY_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP received from a responder, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first +# virtual IP, IPv4 or IPv6. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub- +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_SOURCEIP +# PLUTO_PEER_SOURCEIP4_$i +# PLUTO_PEER_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP sent to an initiator, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first +# virtual IP, IPv4 or IPv6. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. +# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_UDP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# +# PLUTO_DNS4_$i +# PLUTO_DNS6_$i +# contains IPv4/IPv6 DNS server attribute received from a +# responder, $i enumerates from 1 to the number of servers per +# address family. +# + +# define a minimum PATH environment in case it is not set +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +export PATH + +# comment to disable logging VPN connections to syslog +VPN_LOGGING=1 +# +# tag put in front of each log entry: +TAG=vpn +# +# syslog facility and priority used: +FAC_PRIO=local0.notice +# +# to create a special vpn logging file, put the following line into +# the syslog configuration file /etc/syslog.conf: +# +# local0.notice -/var/log/vpn + +# check interface version +case "$PLUTO_VERSION" in +1.[0|1]) # Older release?!? Play it safe, script may be using new features. + echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 + echo "$0: called by obsolete release?" >&2 + exit 2 + ;; +1.*) ;; +*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 + exit 2 + ;; +esac + +# check parameter(s) +case "$1:$*" in +':') # no parameters + ;; +iptables:iptables) # due to (left/right)firewall; for default script only + ;; +custom:*) # custom parameters (see above CAUTION comment) + ;; +*) echo "$0: unknown parameters \`$*'" >&2 + exit 2 + ;; +esac + +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" + +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac + +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi +fi + +# resolve octal escape sequences +PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` +PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` + +case "$PLUTO_VERB:$1" in +up-host:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + PLUTO_INTERFACE=ipsec0 + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +down-client:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + PLUTO_INTERFACE=ipsec0 + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +up-host:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +# +# IPv6 +# +up-host-v6:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host-v6:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client-v6:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-client-v6:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + ;; +up-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client-v6:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then + ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client-v6:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then + ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 + exit 1 + ;; +esac diff --git a/testing/tests/libipsec/net2net-null/posttest.dat b/testing/tests/libipsec/net2net-null/posttest.dat new file mode 100644 index 000000000..1f7aa73a1 --- /dev/null +++ b/testing/tests/libipsec/net2net-null/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/libipsec/net2net-null/pretest.dat b/testing/tests/libipsec/net2net-null/pretest.dat new file mode 100644 index 000000000..1732d6efa --- /dev/null +++ b/testing/tests/libipsec/net2net-null/pretest.dat @@ -0,0 +1,6 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::ipsec start +sun::ipsec start +moon::expect-connection net-net +moon::ipsec up net-net diff --git a/testing/tests/libipsec/net2net-null/test.conf b/testing/tests/libipsec/net2net-null/test.conf new file mode 100644 index 000000000..646b8b3e6 --- /dev/null +++ b/testing/tests/libipsec/net2net-null/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/libipsec/rw-suite-b/pretest.dat b/testing/tests/libipsec/rw-suite-b/pretest.dat index 8bbea1412..e87a8ee47 100644 --- a/testing/tests/libipsec/rw-suite-b/pretest.dat +++ b/testing/tests/libipsec/rw-suite-b/pretest.dat @@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +moon::expect-connection rw +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat index 388339fb8..de4acbbf0 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat +++ b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat @@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat index 8bbea1412..a55cf37b2 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat +++ b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat index 8bbea1412..a55cf37b2 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat +++ b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat index 8bbea1412..a55cf37b2 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat +++ b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat index 972d93053..a55cf37b2 100644 --- a/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat +++ b/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat index 8bbea1412..a55cf37b2 100644 --- a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat +++ b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat index 886fdf55c..de4acbbf0 100644 --- a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat +++ b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat @@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat index 8bbea1412..a55cf37b2 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat index 8bbea1412..a55cf37b2 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat index 8bbea1412..a55cf37b2 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat index 8bbea1412..a55cf37b2 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/critical-extension/pretest.dat b/testing/tests/openssl-ikev2/critical-extension/pretest.dat index c724e5df8..1732d6efa 100644 --- a/testing/tests/openssl-ikev2/critical-extension/pretest.dat +++ b/testing/tests/openssl-ikev2/critical-extension/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat index 8bbea1412..a55cf37b2 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat +++ b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat index 8bbea1412..a55cf37b2 100644 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat index 0f4ae0f4f..f2cbf6a0c 100644 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat +++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat @@ -4,5 +4,5 @@ moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* moon::ipsec start sun::ipsec start -moon::sleep 2 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat index 3492238f0..fd1ce379f 100644 --- a/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat +++ b/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat @@ -6,5 +6,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/openssl-ikev2/rw-cert/pretest.dat b/testing/tests/openssl-ikev2/rw-cert/pretest.dat index c582e030d..974c22530 100644 --- a/testing/tests/openssl-ikev2/rw-cert/pretest.dat +++ b/testing/tests/openssl-ikev2/rw-cert/pretest.dat @@ -4,6 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 3 +# moon runs crypto tests, so make sure it is ready +moon::expect-connection rw +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat index 388339fb8..de4acbbf0 100644 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat @@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf index 7f06388b8..d117a3001 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf @@ -3,9 +3,6 @@ charon { load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default - retransmit_timeout = 2 - retransmit_base = 1.5 - retransmit_tries = 3 initiator_only = yes integrity_test = yes diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat index b9393944a..290f57e69 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat +++ b/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat @@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 3 +moon::expect-connection rw +dave::expect-connection peer dave::ipsec up peer +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf index 7f06388b8..d117a3001 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf @@ -3,9 +3,6 @@ charon { load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default - retransmit_timeout = 2 - retransmit_base = 1.5 - retransmit_tries = 3 initiator_only = yes integrity_test = yes diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat index b9393944a..290f57e69 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat +++ b/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat @@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 3 +moon::expect-connection rw +dave::expect-connection peer dave::ipsec up peer +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/p2pnat/behind-same-nat/pretest.dat b/testing/tests/p2pnat/behind-same-nat/pretest.dat index eb1d67fa2..6d9217066 100644 --- a/testing/tests/p2pnat/behind-same-nat/pretest.dat +++ b/testing/tests/p2pnat/behind-same-nat/pretest.dat @@ -7,8 +7,8 @@ moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to- moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -j ACCEPT moon::iptables -A FORWARD -i eth0 -o eth1 -d 10.1.0.0/16 -j ACCEPT carol::ipsec start -carol::sleep 1 +carol::expect-connection medsrv alice::ipsec start alice::sleep 1 venus::ipsec start -venus::sleep 4 +venus::sleep 2 diff --git a/testing/tests/p2pnat/medsrv-psk/pretest.dat b/testing/tests/p2pnat/medsrv-psk/pretest.dat index 09b658318..950520006 100644 --- a/testing/tests/p2pnat/medsrv-psk/pretest.dat +++ b/testing/tests/p2pnat/medsrv-psk/pretest.dat @@ -12,8 +12,8 @@ sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-s sun::iptables -A FORWARD -i eth1 -o eth0 -s 10.2.0.0/16 -j ACCEPT sun::iptables -A FORWARD -i eth0 -o eth1 -d 10.2.0.0/16 -j ACCEPT carol::ipsec start -carol::sleep 1 +carol::expect-connection medsrv bob::ipsec start bob::sleep 1 alice::ipsec start -alice::sleep 4 +alice::sleep 2 diff --git a/testing/tests/pfkey/alg-aes-xcbc/pretest.dat b/testing/tests/pfkey/alg-aes-xcbc/pretest.dat index 4fc25772b..de4acbbf0 100644 --- a/testing/tests/pfkey/alg-aes-xcbc/pretest.dat +++ b/testing/tests/pfkey/alg-aes-xcbc/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/pfkey/alg-sha384/pretest.dat b/testing/tests/pfkey/alg-sha384/pretest.dat index 4fc25772b..de4acbbf0 100644 --- a/testing/tests/pfkey/alg-sha384/pretest.dat +++ b/testing/tests/pfkey/alg-sha384/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/pfkey/alg-sha512/pretest.dat b/testing/tests/pfkey/alg-sha512/pretest.dat index 4fc25772b..de4acbbf0 100644 --- a/testing/tests/pfkey/alg-sha512/pretest.dat +++ b/testing/tests/pfkey/alg-sha512/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/pfkey/compress/pretest.dat b/testing/tests/pfkey/compress/pretest.dat index 29a90355f..1fd37b6a8 100644 --- a/testing/tests/pfkey/compress/pretest.dat +++ b/testing/tests/pfkey/compress/pretest.dat @@ -2,5 +2,5 @@ carol::iptables-restore < /etc/iptables.rules moon::iptables-restore < /etc/iptables.rules carol::ipsec start moon::ipsec start -carol::sleep 2 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/pfkey/esp-alg-null/pretest.dat b/testing/tests/pfkey/esp-alg-null/pretest.dat index 4fc25772b..de4acbbf0 100644 --- a/testing/tests/pfkey/esp-alg-null/pretest.dat +++ b/testing/tests/pfkey/esp-alg-null/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/pfkey/host2host-transport/pretest.dat b/testing/tests/pfkey/host2host-transport/pretest.dat index 99789b90f..997a48167 100644 --- a/testing/tests/pfkey/host2host-transport/pretest.dat +++ b/testing/tests/pfkey/host2host-transport/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 2 +moon::expect-connection host-host moon::ipsec up host-host diff --git a/testing/tests/pfkey/nat-rw/pretest.dat b/testing/tests/pfkey/nat-rw/pretest.dat index d701a1d61..e3d9fc858 100644 --- a/testing/tests/pfkey/nat-rw/pretest.dat +++ b/testing/tests/pfkey/nat-rw/pretest.dat @@ -6,8 +6,7 @@ moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to- alice::ipsec start venus::ipsec start sun::ipsec start -alice::sleep 2 +alice::expect-connection nat-t alice::ipsec up nat-t -venus::sleep 2 +venus::expect-connection nat-t venus::ipsec up nat-t -venus::sleep 2 diff --git a/testing/tests/pfkey/net2net-route/pretest.dat b/testing/tests/pfkey/net2net-route/pretest.dat index e4ee3fac2..a1c567079 100644 --- a/testing/tests/pfkey/net2net-route/pretest.dat +++ b/testing/tests/pfkey/net2net-route/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 2 -alice::ping -c 10 PH_IP_BOB +moon::expect-connection net-net +alice::ping -c 3 -W 1 -i 0.2 PH_IP_BOB diff --git a/testing/tests/pfkey/protoport-dual/pretest.dat b/testing/tests/pfkey/protoport-dual/pretest.dat index efb2e5712..12112b194 100644 --- a/testing/tests/pfkey/protoport-dual/pretest.dat +++ b/testing/tests/pfkey/protoport-dual/pretest.dat @@ -2,6 +2,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 2 +carol::expect-connection home-icmp carol::ipsec up home-icmp +carol::expect-connection home-ssh carol::ipsec up home-ssh diff --git a/testing/tests/pfkey/protoport-route/pretest.dat b/testing/tests/pfkey/protoport-route/pretest.dat index 5a15574d6..b1bf23870 100644 --- a/testing/tests/pfkey/protoport-route/pretest.dat +++ b/testing/tests/pfkey/protoport-route/pretest.dat @@ -2,7 +2,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home-icmp +carol::expect-connection home-ssh carol::ssh PH_IP_ALICE hostname -carol::ping -c 1 PH_IP_ALICE > /dev/null -carol::sleep 2 +carol::ping -c 1 -W 1 PH_IP_ALICE > /dev/null diff --git a/testing/tests/pfkey/rw-cert/pretest.dat b/testing/tests/pfkey/rw-cert/pretest.dat index c582e030d..e87a8ee47 100644 --- a/testing/tests/pfkey/rw-cert/pretest.dat +++ b/testing/tests/pfkey/rw-cert/pretest.dat @@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 3 +moon::expect-connection rw +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf index 3b720bff2..64e7cc722 100644 --- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql @@ -12,7 +12,7 @@ charon { libhydra { plugins { attr-sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } } diff --git a/testing/tests/sql/ip-pool-db-expired/posttest.dat b/testing/tests/sql/ip-pool-db-expired/posttest.dat index 1b963fcec..b757d8b15 100644 --- a/testing/tests/sql/ip-pool-db-expired/posttest.dat +++ b/testing/tests/sql/ip-pool-db-expired/posttest.dat @@ -4,7 +4,3 @@ moon::ipsec stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/ipsec.* -carol::rm /etc/ipsec.d/ipsec.* -dave::rm /etc/ipsec.d/ipsec.* -~ diff --git a/testing/tests/sql/ip-pool-db-expired/pretest.dat b/testing/tests/sql/ip-pool-db-expired/pretest.dat index 10a51bc37..3e1b762d7 100644 --- a/testing/tests/sql/ip-pool-db-expired/pretest.dat +++ b/testing/tests/sql/ip-pool-db-expired/pretest.dat @@ -1,12 +1,12 @@ moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::ipsec pool --leases 2> /dev/null moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules @@ -14,6 +14,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/sql/ip-pool-db-expired/test.conf b/testing/tests/sql/ip-pool-db-expired/test.conf index 9b1ec0b54..450100fbe 100644 --- a/testing/tests/sql/ip-pool-db-expired/test.conf +++ b/testing/tests/sql/ip-pool-db-expired/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf index 3b720bff2..64e7cc722 100644 --- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql @@ -12,7 +12,7 @@ charon { libhydra { plugins { attr-sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } } diff --git a/testing/tests/sql/ip-pool-db-restart/posttest.dat b/testing/tests/sql/ip-pool-db-restart/posttest.dat index 1b963fcec..b757d8b15 100644 --- a/testing/tests/sql/ip-pool-db-restart/posttest.dat +++ b/testing/tests/sql/ip-pool-db-restart/posttest.dat @@ -4,7 +4,3 @@ moon::ipsec stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/ipsec.* -carol::rm /etc/ipsec.d/ipsec.* -dave::rm /etc/ipsec.d/ipsec.* -~ diff --git a/testing/tests/sql/ip-pool-db-restart/pretest.dat b/testing/tests/sql/ip-pool-db-restart/pretest.dat index 639cfd99f..4976693ec 100644 --- a/testing/tests/sql/ip-pool-db-restart/pretest.dat +++ b/testing/tests/sql/ip-pool-db-restart/pretest.dat @@ -1,12 +1,12 @@ moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::ipsec pool --leases 2> /dev/null moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules @@ -14,7 +14,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +dave::expect-connection home dave::ipsec up home +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/sql/ip-pool-db-restart/test.conf b/testing/tests/sql/ip-pool-db-restart/test.conf index 9b1ec0b54..450100fbe 100644 --- a/testing/tests/sql/ip-pool-db-restart/test.conf +++ b/testing/tests/sql/ip-pool-db-restart/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf index 62d9edbd8..4346eca40 100644 --- a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql resolve diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf index 62d9edbd8..4346eca40 100644 --- a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql resolve diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf index 3b720bff2..64e7cc722 100644 --- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql @@ -12,7 +12,7 @@ charon { libhydra { plugins { attr-sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } } diff --git a/testing/tests/sql/ip-pool-db/posttest.dat b/testing/tests/sql/ip-pool-db/posttest.dat index 1b963fcec..47061432a 100644 --- a/testing/tests/sql/ip-pool-db/posttest.dat +++ b/testing/tests/sql/ip-pool-db/posttest.dat @@ -4,7 +4,6 @@ moon::ipsec stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/ipsec.* -carol::rm /etc/ipsec.d/ipsec.* -dave::rm /etc/ipsec.d/ipsec.* -~ +moon::dbdir-remove +carol::dbdir-remove +dave::dbdir-remove diff --git a/testing/tests/sql/ip-pool-db/pretest.dat b/testing/tests/sql/ip-pool-db/pretest.dat index 46f33324c..0cea9d816 100644 --- a/testing/tests/sql/ip-pool-db/pretest.dat +++ b/testing/tests/sql/ip-pool-db/pretest.dat @@ -1,19 +1,19 @@ moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/sql/ip-pool-db/test.conf b/testing/tests/sql/ip-pool-db/test.conf index 9b1ec0b54..450100fbe 100644 --- a/testing/tests/sql/ip-pool-db/test.conf +++ b/testing/tests/sql/ip-pool-db/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf index 3b720bff2..64e7cc722 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql @@ -12,7 +12,7 @@ charon { libhydra { plugins { attr-sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } } diff --git a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat index 0fce500bf..a851d0924 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat +++ b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat @@ -1,7 +1,3 @@ carol::ipsec stop dave::ipsec stop moon::ipsec stop -moon::rm /etc/ipsec.d/ipsec.* -carol::rm /etc/ipsec.d/ipsec.* -dave::rm /etc/ipsec.d/ipsec.* -~ diff --git a/testing/tests/sql/ip-split-pools-db-restart/pretest.dat b/testing/tests/sql/ip-split-pools-db-restart/pretest.dat index ba3f4d1cb..706cb3205 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/pretest.dat +++ b/testing/tests/sql/ip-split-pools-db-restart/pretest.dat @@ -1,18 +1,18 @@ moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::ipsec pool --status 2> /dev/null moon::ipsec pool --leases 2> /dev/null moon::ipsec start dave::ipsec start carol::ipsec start -dave::sleep 1 +dave::expect-connection home dave::ipsec up home +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/sql/ip-split-pools-db-restart/test.conf b/testing/tests/sql/ip-split-pools-db-restart/test.conf index 9b1ec0b54..450100fbe 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/test.conf +++ b/testing/tests/sql/ip-split-pools-db-restart/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf index 3b720bff2..64e7cc722 100644 --- a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql @@ -12,7 +12,7 @@ charon { libhydra { plugins { attr-sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } } diff --git a/testing/tests/sql/ip-split-pools-db/posttest.dat b/testing/tests/sql/ip-split-pools-db/posttest.dat index 0fce500bf..a851d0924 100644 --- a/testing/tests/sql/ip-split-pools-db/posttest.dat +++ b/testing/tests/sql/ip-split-pools-db/posttest.dat @@ -1,7 +1,3 @@ carol::ipsec stop dave::ipsec stop moon::ipsec stop -moon::rm /etc/ipsec.d/ipsec.* -carol::rm /etc/ipsec.d/ipsec.* -dave::rm /etc/ipsec.d/ipsec.* -~ diff --git a/testing/tests/sql/ip-split-pools-db/pretest.dat b/testing/tests/sql/ip-split-pools-db/pretest.dat index 6c7633811..e820c81a2 100644 --- a/testing/tests/sql/ip-split-pools-db/pretest.dat +++ b/testing/tests/sql/ip-split-pools-db/pretest.dat @@ -1,17 +1,17 @@ moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::ipsec pool --status 2> /dev/null moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/sql/ip-split-pools-db/test.conf b/testing/tests/sql/ip-split-pools-db/test.conf index 9b1ec0b54..450100fbe 100644 --- a/testing/tests/sql/ip-split-pools-db/test.conf +++ b/testing/tests/sql/ip-split-pools-db/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/multi-level-ca/posttest.dat b/testing/tests/sql/multi-level-ca/posttest.dat index e9ad4bea6..1865a1c60 100644 --- a/testing/tests/sql/multi-level-ca/posttest.dat +++ b/testing/tests/sql/multi-level-ca/posttest.dat @@ -4,7 +4,3 @@ dave::ipsec stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/ipsec.* -carol::rm /etc/ipsec.d/ipsec.* -dave::rm /etc/ipsec.d/ipsec.* -~ diff --git a/testing/tests/sql/multi-level-ca/pretest.dat b/testing/tests/sql/multi-level-ca/pretest.dat index 6d56ede09..0cea9d816 100644 --- a/testing/tests/sql/multi-level-ca/pretest.dat +++ b/testing/tests/sql/multi-level-ca/pretest.dat @@ -1,18 +1,19 @@ moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/sql/multi-level-ca/test.conf b/testing/tests/sql/multi-level-ca/test.conf index f29298850..f6fb44f5f 100644 --- a/testing/tests/sql/multi-level-ca/test.conf +++ b/testing/tests/sql/multi-level-ca/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/net2net-cert/posttest.dat b/testing/tests/sql/net2net-cert/posttest.dat index 329a572b2..1f7aa73a1 100644 --- a/testing/tests/sql/net2net-cert/posttest.dat +++ b/testing/tests/sql/net2net-cert/posttest.dat @@ -2,5 +2,3 @@ moon::ipsec stop sun::ipsec stop moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/ipsec.* -sun::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/sql/net2net-cert/pretest.dat b/testing/tests/sql/net2net-cert/pretest.dat index b62da613c..05fe277ce 100644 --- a/testing/tests/sql/net2net-cert/pretest.dat +++ b/testing/tests/sql/net2net-cert/pretest.dat @@ -1,12 +1,12 @@ moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/sql/net2net-cert/test.conf b/testing/tests/sql/net2net-cert/test.conf index 646b8b3e6..1b7e280e8 100644 --- a/testing/tests/sql/net2net-cert/test.conf +++ b/testing/tests/sql/net2net-cert/test.conf @@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" - + # Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf index 5e4eb1246..e20fecca5 100644 --- a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf index 5e4eb1246..e20fecca5 100644 --- a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf +++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/net2net-psk/posttest.dat b/testing/tests/sql/net2net-psk/posttest.dat index 329a572b2..1f7aa73a1 100644 --- a/testing/tests/sql/net2net-psk/posttest.dat +++ b/testing/tests/sql/net2net-psk/posttest.dat @@ -2,5 +2,3 @@ moon::ipsec stop sun::ipsec stop moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/ipsec.* -sun::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/sql/net2net-psk/pretest.dat b/testing/tests/sql/net2net-psk/pretest.dat index b62da613c..05fe277ce 100644 --- a/testing/tests/sql/net2net-psk/pretest.dat +++ b/testing/tests/sql/net2net-psk/pretest.dat @@ -1,12 +1,12 @@ moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/sql/net2net-psk/test.conf b/testing/tests/sql/net2net-psk/test.conf index 646b8b3e6..1b7e280e8 100644 --- a/testing/tests/sql/net2net-psk/test.conf +++ b/testing/tests/sql/net2net-psk/test.conf @@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" - + # Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf +++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/net2net-route-pem/posttest.dat b/testing/tests/sql/net2net-route-pem/posttest.dat index 329a572b2..1f7aa73a1 100644 --- a/testing/tests/sql/net2net-route-pem/posttest.dat +++ b/testing/tests/sql/net2net-route-pem/posttest.dat @@ -2,5 +2,3 @@ moon::ipsec stop sun::ipsec stop moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/ipsec.* -sun::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/sql/net2net-route-pem/pretest.dat b/testing/tests/sql/net2net-route-pem/pretest.dat index 537aa630b..cef74e474 100644 --- a/testing/tests/sql/net2net-route-pem/pretest.dat +++ b/testing/tests/sql/net2net-route-pem/pretest.dat @@ -1,13 +1,13 @@ moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules sun::ipsec start moon::ipsec start -moon::sleep 1 -alice::ping -c 1 PH_IP_BOB -bob::ping -c 1 PH_IP_VENUS +moon::expect-connection net-net +alice::ping -c 1 -W 1 PH_IP_BOB +bob::ping -c 1 -W 1 PH_IP_VENUS diff --git a/testing/tests/sql/net2net-route-pem/test.conf b/testing/tests/sql/net2net-route-pem/test.conf index 10c582c9b..ee97968ab 100644 --- a/testing/tests/sql/net2net-route-pem/test.conf +++ b/testing/tests/sql/net2net-route-pem/test.conf @@ -10,7 +10,7 @@ VIRTHOSTS="alice venus moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-v-m-w-s-b.png" - + # Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf +++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/net2net-start-pem/posttest.dat b/testing/tests/sql/net2net-start-pem/posttest.dat index 329a572b2..1f7aa73a1 100644 --- a/testing/tests/sql/net2net-start-pem/posttest.dat +++ b/testing/tests/sql/net2net-start-pem/posttest.dat @@ -2,5 +2,3 @@ moon::ipsec stop sun::ipsec stop moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/ipsec.* -sun::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/sql/net2net-start-pem/pretest.dat b/testing/tests/sql/net2net-start-pem/pretest.dat index 7307aca81..f260b396c 100644 --- a/testing/tests/sql/net2net-start-pem/pretest.dat +++ b/testing/tests/sql/net2net-start-pem/pretest.dat @@ -1,11 +1,11 @@ moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules sun::ipsec start moon::ipsec start -moon::sleep 3 +moon::sleep 1 diff --git a/testing/tests/sql/net2net-start-pem/test.conf b/testing/tests/sql/net2net-start-pem/test.conf index 10c582c9b..ee97968ab 100644 --- a/testing/tests/sql/net2net-start-pem/test.conf +++ b/testing/tests/sql/net2net-start-pem/test.conf @@ -10,7 +10,7 @@ VIRTHOSTS="alice venus moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-v-m-w-s-b.png" - + # Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf index 7e8023fcc..4946b1520 100644 --- a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf index 7e8023fcc..4946b1520 100644 --- a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf index 7e8023fcc..7fed45bed 100644 --- a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf @@ -3,13 +3,10 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql integrity_test = yes - crypto_test { - on_add = yes - } } diff --git a/testing/tests/sql/rw-cert/posttest.dat b/testing/tests/sql/rw-cert/posttest.dat index e9ad4bea6..1865a1c60 100644 --- a/testing/tests/sql/rw-cert/posttest.dat +++ b/testing/tests/sql/rw-cert/posttest.dat @@ -4,7 +4,3 @@ dave::ipsec stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/ipsec.* -carol::rm /etc/ipsec.d/ipsec.* -dave::rm /etc/ipsec.d/ipsec.* -~ diff --git a/testing/tests/sql/rw-cert/pretest.dat b/testing/tests/sql/rw-cert/pretest.dat index 7958f0928..0cea9d816 100644 --- a/testing/tests/sql/rw-cert/pretest.dat +++ b/testing/tests/sql/rw-cert/pretest.dat @@ -1,18 +1,19 @@ moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 3 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/sql/rw-cert/test.conf b/testing/tests/sql/rw-cert/test.conf index f29298850..f6fb44f5f 100644 --- a/testing/tests/sql/rw-cert/test.conf +++ b/testing/tests/sql/rw-cert/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf index ec5899c84..2fba94535 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2 diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf index 41951083c..b06c611b7 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2 diff --git a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat index 584356d8e..046d4cfdc 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat +++ b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat @@ -2,6 +2,3 @@ moon::ipsec stop carol::ipsec stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/ipsec.* -carol::rm /etc/ipsec.d/ipsec.* -~ diff --git a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat index 2a8e460e7..a6cbee7a9 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat +++ b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat @@ -1,12 +1,12 @@ moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/sql/rw-eap-aka-rsa/test.conf b/testing/tests/sql/rw-eap-aka-rsa/test.conf index 4a5fc470f..81b1d3bdb 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/test.conf +++ b/testing/tests/sql/rw-eap-aka-rsa/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf index 5e4eb1246..e20fecca5 100644 --- a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf index 5e4eb1246..e20fecca5 100644 --- a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf index 5e4eb1246..e20fecca5 100644 --- a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/rw-psk-ipv4/posttest.dat b/testing/tests/sql/rw-psk-ipv4/posttest.dat index e9ad4bea6..1865a1c60 100644 --- a/testing/tests/sql/rw-psk-ipv4/posttest.dat +++ b/testing/tests/sql/rw-psk-ipv4/posttest.dat @@ -4,7 +4,3 @@ dave::ipsec stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/ipsec.* -carol::rm /etc/ipsec.d/ipsec.* -dave::rm /etc/ipsec.d/ipsec.* -~ diff --git a/testing/tests/sql/rw-psk-ipv4/pretest.dat b/testing/tests/sql/rw-psk-ipv4/pretest.dat index 6d56ede09..0cea9d816 100644 --- a/testing/tests/sql/rw-psk-ipv4/pretest.dat +++ b/testing/tests/sql/rw-psk-ipv4/pretest.dat @@ -1,18 +1,19 @@ moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/sql/rw-psk-ipv4/test.conf b/testing/tests/sql/rw-psk-ipv4/test.conf index f29298850..f6fb44f5f 100644 --- a/testing/tests/sql/rw-psk-ipv4/test.conf +++ b/testing/tests/sql/rw-psk-ipv4/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf index 5e4eb1246..e20fecca5 100644 --- a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf index 5e4eb1246..e20fecca5 100644 --- a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf index 5e4eb1246..e20fecca5 100644 --- a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/rw-psk-ipv6/posttest.dat b/testing/tests/sql/rw-psk-ipv6/posttest.dat index ab753507f..4e59395e3 100644 --- a/testing/tests/sql/rw-psk-ipv6/posttest.dat +++ b/testing/tests/sql/rw-psk-ipv6/posttest.dat @@ -10,6 +10,3 @@ dave::ip6tables-restore < /etc/ip6tables.flush alice::"ip route del fec0:\:/16 via fec1:\:1" carol::"ip route del fec1:\:/16 via fec0:\:1" dave::"ip route del fec1:\:/16 via fec0:\:1" -moon::rm /etc/ipsec.d/ipsec.* -carol::rm /etc/ipsec.d/ipsec.* -dave::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/sql/rw-psk-ipv6/pretest.dat b/testing/tests/sql/rw-psk-ipv6/pretest.dat index fdb5f1970..894689648 100644 --- a/testing/tests/sql/rw-psk-ipv6/pretest.dat +++ b/testing/tests/sql/rw-psk-ipv6/pretest.dat @@ -1,12 +1,12 @@ moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules @@ -19,6 +19,7 @@ dave::"ip route add fec1:\:/16 via fec0:\:1" moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/sql/rw-psk-ipv6/test.conf b/testing/tests/sql/rw-psk-ipv6/test.conf index 05bb8ab6d..024105ebb 100644 --- a/testing/tests/sql/rw-psk-ipv6/test.conf +++ b/testing/tests/sql/rw-psk-ipv6/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/rw-psk-rsa-split/posttest.dat b/testing/tests/sql/rw-psk-rsa-split/posttest.dat index e9ad4bea6..1865a1c60 100644 --- a/testing/tests/sql/rw-psk-rsa-split/posttest.dat +++ b/testing/tests/sql/rw-psk-rsa-split/posttest.dat @@ -4,7 +4,3 @@ dave::ipsec stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/ipsec.* -carol::rm /etc/ipsec.d/ipsec.* -dave::rm /etc/ipsec.d/ipsec.* -~ diff --git a/testing/tests/sql/rw-psk-rsa-split/pretest.dat b/testing/tests/sql/rw-psk-rsa-split/pretest.dat index 6d56ede09..0cea9d816 100644 --- a/testing/tests/sql/rw-psk-rsa-split/pretest.dat +++ b/testing/tests/sql/rw-psk-rsa-split/pretest.dat @@ -1,18 +1,19 @@ moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/sql/rw-psk-rsa-split/test.conf b/testing/tests/sql/rw-psk-rsa-split/test.conf index f29298850..f6fb44f5f 100644 --- a/testing/tests/sql/rw-psk-rsa-split/test.conf +++ b/testing/tests/sql/rw-psk-rsa-split/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf index 4c06ca4dc..75a2b0624 100644 --- a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf index 4c06ca4dc..75a2b0624 100644 --- a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf index 4c06ca4dc..75a2b0624 100644 --- a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/rw-rsa-keyid/posttest.dat b/testing/tests/sql/rw-rsa-keyid/posttest.dat index 892650ccb..1865a1c60 100644 --- a/testing/tests/sql/rw-rsa-keyid/posttest.dat +++ b/testing/tests/sql/rw-rsa-keyid/posttest.dat @@ -4,7 +4,3 @@ dave::ipsec stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/ipsec.db -carol::rm /etc/ipsec.d/ipsec.db -dave::rm /etc/ipsec.d/ipsec.db -~ diff --git a/testing/tests/sql/rw-rsa-keyid/pretest.dat b/testing/tests/sql/rw-rsa-keyid/pretest.dat index 6d56ede09..0cea9d816 100644 --- a/testing/tests/sql/rw-rsa-keyid/pretest.dat +++ b/testing/tests/sql/rw-rsa-keyid/pretest.dat @@ -1,18 +1,19 @@ moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/sql/rw-rsa-keyid/test.conf b/testing/tests/sql/rw-rsa-keyid/test.conf index f29298850..f6fb44f5f 100644 --- a/testing/tests/sql/rw-rsa-keyid/test.conf +++ b/testing/tests/sql/rw-rsa-keyid/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf index 4c06ca4dc..75a2b0624 100644 --- a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf index 4c06ca4dc..75a2b0624 100644 --- a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf index 4c06ca4dc..75a2b0624 100644 --- a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/rw-rsa/posttest.dat b/testing/tests/sql/rw-rsa/posttest.dat index 892650ccb..1865a1c60 100644 --- a/testing/tests/sql/rw-rsa/posttest.dat +++ b/testing/tests/sql/rw-rsa/posttest.dat @@ -4,7 +4,3 @@ dave::ipsec stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/ipsec.db -carol::rm /etc/ipsec.d/ipsec.db -dave::rm /etc/ipsec.d/ipsec.db -~ diff --git a/testing/tests/sql/rw-rsa/pretest.dat b/testing/tests/sql/rw-rsa/pretest.dat index 6d56ede09..0cea9d816 100644 --- a/testing/tests/sql/rw-rsa/pretest.dat +++ b/testing/tests/sql/rw-rsa/pretest.dat @@ -1,18 +1,19 @@ moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/sql/rw-rsa/test.conf b/testing/tests/sql/rw-rsa/test.conf index f29298850..f6fb44f5f 100644 --- a/testing/tests/sql/rw-rsa/test.conf +++ b/testing/tests/sql/rw-rsa/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf index 7f02ba120..f4dd8f199 100644 --- a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf +++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf index 6a89855a9..6210c21cc 100644 --- a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf +++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf @@ -3,10 +3,10 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } attr-sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf index 7f02ba120..f4dd8f199 100644 --- a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf +++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/shunt-policies-nat-rw/posttest.dat b/testing/tests/sql/shunt-policies-nat-rw/posttest.dat index f410dd776..e772be6af 100644 --- a/testing/tests/sql/shunt-policies-nat-rw/posttest.dat +++ b/testing/tests/sql/shunt-policies-nat-rw/posttest.dat @@ -2,7 +2,4 @@ sun::ipsec stop alice::ipsec stop venus::ipsec stop sun::iptables-restore < /etc/iptables.flush -alice::rm /etc/ipsec.d/ipsec.* -venus::rm /etc/ipsec.d/ipsec.* -sun::rm /etc/ipsec.d/ipsec.* moon::iptables -t nat -F \ No newline at end of file diff --git a/testing/tests/sql/shunt-policies-nat-rw/pretest.dat b/testing/tests/sql/shunt-policies-nat-rw/pretest.dat index 0314e7ad1..c23c09981 100644 --- a/testing/tests/sql/shunt-policies-nat-rw/pretest.dat +++ b/testing/tests/sql/shunt-policies-nat-rw/pretest.dat @@ -1,12 +1,12 @@ alice::rm /etc/ipsec.d/cacerts/* venus::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* -alice::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -venus::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -alice::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -venus::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +alice::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +venus::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +alice::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +venus::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db sun::iptables-restore < /etc/iptables.rules moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 diff --git a/testing/tests/sql/shunt-policies-nat-rw/test.conf b/testing/tests/sql/shunt-policies-nat-rw/test.conf index bd82f03ad..d797acb06 100644 --- a/testing/tests/sql/shunt-policies-nat-rw/test.conf +++ b/testing/tests/sql/shunt-policies-nat-rw/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice moon" # Used for IPsec logging purposes # IPSECHOSTS="alice venus sun" + +# Guest instances on which databases are used +# +DBHOSTS="alice venus sun" diff --git a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf index c5ddd386a..1eab75a03 100755 --- a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf @@ -14,7 +14,7 @@ charon { plugins { attr-sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } } diff --git a/testing/tests/swanctl/ip-pool-db/pretest.dat b/testing/tests/swanctl/ip-pool-db/pretest.dat index 4b88a6f4a..91380e6f9 100755 --- a/testing/tests/swanctl/ip-pool-db/pretest.dat +++ b/testing/tests/swanctl/ip-pool-db/pretest.dat @@ -1,5 +1,5 @@ -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::ipsec pool --add big_pool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null moon::ipsec pool --addattr dns --server PH_IP_VENUS 2> /dev/null diff --git a/testing/tests/swanctl/ip-pool-db/test.conf b/testing/tests/swanctl/ip-pool-db/test.conf index 1227b9d1c..5554b4669 100755 --- a/testing/tests/swanctl/ip-pool-db/test.conf +++ b/testing/tests/swanctl/ip-pool-db/test.conf @@ -20,6 +20,10 @@ TCPDUMPHOSTS="moon" # IPSECHOSTS="moon carol dave" +# Guest instances on which databases are used +# +DBHOSTS="moon" + # charon controlled by swanctl # SWANCTL=1 diff --git a/testing/tests/swanctl/ip-pool/evaltest.dat b/testing/tests/swanctl/ip-pool/evaltest.dat index a16ed01a6..a0891c358 100755 --- a/testing/tests/swanctl/ip-pool/evaltest.dat +++ b/testing/tests/swanctl/ip-pool/evaltest.dat @@ -3,6 +3,8 @@ dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32] moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32] moon:: swanctl --list-pools --raw 2> /dev/null::rw_pool.*base=10.3.0.0 size=14 online=2 offline=0::YES +moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES +moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES diff --git a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat index 6b7c713ef..3478c07df 100644 --- a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat +++ b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat @@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-11-fhh/pretest.dat b/testing/tests/tnc/tnccs-11-fhh/pretest.dat index 8fab1fb6c..d181aab9f 100644 --- a/testing/tests/tnc/tnccs-11-fhh/pretest.dat +++ b/testing/tests/tnc/tnccs-11-fhh/pretest.dat @@ -9,7 +9,8 @@ dave::cat /etc/tnc/dummyimc.file moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start -carol::sleep 1 +moon::expect-connection rw-allow +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat index b9eee4f57..3f3aa9f64 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat +++ b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat @@ -10,5 +10,5 @@ moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EA moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat index 96163aa36..d2bb94583 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat +++ b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat @@ -8,7 +8,7 @@ alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.propertie moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat index 224807860..955584ba3 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat +++ b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat @@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf index 23f840f69..45845710b 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf @@ -3,11 +3,11 @@ libimcv { load = random nonce openssl pubkey sqlite debug_level = 3 - database = sqlite:///etc/pts/config.db + database = sqlite:///etc/db.d/config.db policy_script = ipsec imv_policy_manager assessment_result = no } attest { - database = sqlite:///etc/pts/config.db + database = sqlite:///etc/db.d/config.db } diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf index b8488fef8..e8706082e 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf @@ -5,6 +5,8 @@ charon { multiple_authentication=no + retransmit_tries = 5 + plugins { eap-tnc { protocol = tnccs-1.1 diff --git a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat index dc8507d26..18e03746b 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat +++ b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat @@ -3,7 +3,6 @@ carol::ipsec stop dave::ipsec stop alice::killall radiusd alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second -alice::rm /etc/pts/config.db carol::echo 1 > /proc/sys/net/ipv4/ip_forward moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat index 03b24747e..31ee7d1c7 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat +++ b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat @@ -6,7 +6,7 @@ dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql -alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db +alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd alice::cat /etc/tnc_config carol::cat /etc/tnc_config @@ -14,9 +14,9 @@ dave::cat /etc/tnc_config moon::ipsec start dave::ipsec start carol::ipsec start -dave::sleep 1 +dave::expect-connection home dave::ipsec up home +carol::expect-connection home carol::ipsec up home -carol::sleep 1 alice::ipsec attest --sessions alice::ipsec attest --devices diff --git a/testing/tests/tnc/tnccs-11-radius-pts/test.conf b/testing/tests/tnc/tnccs-11-radius-pts/test.conf index f23a19329..318dfdfcb 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/test.conf +++ b/testing/tests/tnc/tnccs-11-radius-pts/test.conf @@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave" # RADIUSHOSTS="alice" +# Guest instances on which databases are used +# +DBHOSTS="alice" diff --git a/testing/tests/tnc/tnccs-11-radius/evaltest.dat b/testing/tests/tnc/tnccs-11-radius/evaltest.dat index 224807860..955584ba3 100644 --- a/testing/tests/tnc/tnccs-11-radius/evaltest.dat +++ b/testing/tests/tnc/tnccs-11-radius/evaltest.dat @@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-11-radius/pretest.dat b/testing/tests/tnc/tnccs-11-radius/pretest.dat index 71dff71b7..fcfb1451c 100644 --- a/testing/tests/tnc/tnccs-11-radius/pretest.dat +++ b/testing/tests/tnc/tnccs-11-radius/pretest.dat @@ -10,7 +10,7 @@ dave::cat /etc/tnc_config moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/tnc/tnccs-11-supplicant/pretest.dat b/testing/tests/tnc/tnccs-11-supplicant/pretest.dat index ac03fedbb..4dbff64a3 100644 --- a/testing/tests/tnc/tnccs-11-supplicant/pretest.dat +++ b/testing/tests/tnc/tnccs-11-supplicant/pretest.dat @@ -6,6 +6,6 @@ carol::cat /etc/tnc_config dave::cat /etc/tnc_config moon::hostapd -B /etc/hostapd/hostapd.conf carol::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties wpa_supplicant -B -c /etc/wpa_supplicant.conf -D wired -i eth0 -carol::sleep 4 +carol::sleep 4 dave::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties wpa_supplicant -B -c /etc/wpa_supplicant.conf -D wired -i eth0 dave::sleep 4 diff --git a/testing/tests/tnc/tnccs-11/evaltest.dat b/testing/tests/tnc/tnccs-11/evaltest.dat index 6b7c713ef..3478c07df 100644 --- a/testing/tests/tnc/tnccs-11/evaltest.dat +++ b/testing/tests/tnc/tnccs-11/evaltest.dat @@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-11/pretest.dat b/testing/tests/tnc/tnccs-11/pretest.dat index cac1cfafc..85622034d 100644 --- a/testing/tests/tnc/tnccs-11/pretest.dat +++ b/testing/tests/tnc/tnccs-11/pretest.dat @@ -7,7 +7,7 @@ dave::cat /etc/tnc_config moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/tnc/tnccs-20-block/evaltest.dat b/testing/tests/tnc/tnccs-20-block/evaltest.dat index 03b576efa..e0f3d9357 100644 --- a/testing/tests/tnc/tnccs-20-block/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-block/evaltest.dat @@ -9,4 +9,4 @@ moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-block/pretest.dat b/testing/tests/tnc/tnccs-20-block/pretest.dat index f5b3b2e8c..c66a2e1ec 100644 --- a/testing/tests/tnc/tnccs-20-block/pretest.dat +++ b/testing/tests/tnc/tnccs-20-block/pretest.dat @@ -8,7 +8,7 @@ dave::cat /etc/tnc_config moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat b/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat index bac7294b2..c69940c4b 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat @@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat index b2b243ba3..85622034d 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat +++ b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat @@ -5,9 +5,9 @@ moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config moon::ipsec start -carol::ipsec start -dave::ipsec start -carol::sleep 1 +carol::ipsec start +dave::ipsec start +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/tnc/tnccs-20-fail-init/pretest.dat b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat index 38c651328..85622034d 100644 --- a/testing/tests/tnc/tnccs-20-fail-init/pretest.dat +++ b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat @@ -5,8 +5,9 @@ moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config moon::ipsec start -carol::ipsec start +carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat index 6947c4bdf..e5c202947 100644 --- a/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat +++ b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat @@ -3,6 +3,6 @@ carol::iptables-restore < /etc/iptables.rules moon::cat /etc/tnc_config carol::cat /etc/tnc_config moon::ipsec start -carol::ipsec start -carol::sleep 1 +carol::ipsec start +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat index bac7294b2..c69940c4b 100644 --- a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat @@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-fhh/pretest.dat b/testing/tests/tnc/tnccs-20-fhh/pretest.dat index 72c9b1665..39b0e03eb 100644 --- a/testing/tests/tnc/tnccs-20-fhh/pretest.dat +++ b/testing/tests/tnc/tnccs-20-fhh/pretest.dat @@ -8,9 +8,10 @@ carol::cat /etc/tnc/dummyimc.file dave::cat /etc/tnc/dummyimc.file moon::cat /etc/tnc/dummyimv.policy moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start -carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start -dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start -carol::sleep 1 +carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start +dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start +moon::expect-connection rw-allow +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/apache2/sites-available/default deleted file mode 100644 index 626000612..000000000 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/apache2/sites-available/default +++ /dev/null @@ -1,26 +0,0 @@ -WSGIPythonPath /var/www/tnc - - - ServerName tnc.strongswan.org - ServerAlias tnc - ServerAdmin webmaster@localhost - - DocumentRoot /var/www/tnc - - - - Order deny,allow - Allow from all - - - - WSGIScriptAlias / /var/www/tnc/config/wsgi.py - WSGIApplicationGroup %{GLOBAL} - WSGIPassAuthorization On - - Alias /static/ /var/www/tnc/static/ - - ErrorLog ${APACHE_LOG_DIR}/tnc/error.log - LogLevel warn - CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined - diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/pts/data1.sql deleted file mode 100644 index d6a547bd1..000000000 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/pts/data1.sql +++ /dev/null @@ -1,61 +0,0 @@ -/* Devices */ - -INSERT INTO devices ( /* 1 */ - value, product, created -) -SELECT 'aabbccddeeff11223344556677889900', id, 1372330615 -FROM products WHERE name = 'Debian DEBIAN_VERSION x86_64'; - -/* Groups Members */ - -INSERT INTO groups_members ( - group_id, device_id -) VALUES ( - 10, 1 -); - -/* Identities */ - -INSERT INTO identities ( - type, value -) VALUES ( /* dave@strongswan.org */ - 5, X'64617665' -); - -/* Sessions */ - -INSERT INTO sessions ( - time, connection, identity, device, product, rec -) -SELECT NOW, 1, 1, 1, id, 0 -FROM products WHERE name = 'Debian DEBIAN_VERSION x86_64'; - -/* Results */ - -INSERT INTO results ( - session, policy, rec, result -) VALUES ( - 1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found' -); - -/* Enforcements */ - -INSERT INTO enforcements ( - policy, group_id, max_age, rec_fail, rec_noresult -) VALUES ( - 3, 10, 0, 2, 2 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 17, 2, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 18, 10, 86400 -); - -DELETE FROM enforcements WHERE id = 1; diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongTNC/settings.ini b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongTNC/settings.ini deleted file mode 100644 index 5e7b7b556..000000000 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongTNC/settings.ini +++ /dev/null @@ -1,19 +0,0 @@ -[debug] -DEBUG=0 -TEMPLATE_DEBUG=0 -DEBUG_TOOLBAR=0 - -[db] -DJANGO_DB_URL=sqlite:////var/www/tnc/django.db -STRONGTNC_DB_URL = sqlite:////etc/pts/config.db - -[localization] -LANGUAGE_CODE=en-us -TIME_ZONE=Europe/Zurich - -[admins] -Your Name: alice@strongswan.org - -[security] -SECRET_KEY=strongSwan -ALLOWED_HOSTS=127.0.0.1,10.10.0.1,tnc.strongswan.org,tnc diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf index d22a7e978..1ecf6f883 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf @@ -23,13 +23,6 @@ charon { } libimcv { - debug_level = 3 - database = sqlite:///etc/pts/config.db + debug_level = 3 policy_script = ipsec imv_policy_manager - - plugins { - imv-swid { - rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/ - } - } } diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat b/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat index 913dd2190..0978d1252 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat +++ b/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat @@ -11,7 +11,7 @@ alice::ipsec start moon::ipsec start carol::ipsec start dave::ipsec start -dave::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat index 3bce9f6e5..997a48167 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection host-host moon::ipsec up host-host diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat index fab55d11a..07b17600d 100644 --- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat @@ -1,4 +1,4 @@ sun::ipsec start moon::cat /etc/pts/options -moon::sleep 1 -moon::ipsec pt-tls-client --optionsfrom /etc/pts/options +sun::expect-connection pdp +moon::ipsec pt-tls-client --optionsfrom /etc/pts/options diff --git a/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat index 14c2aaf6c..8c9e59a56 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat @@ -15,6 +15,6 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf index 228441289..156a2e4c4 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf @@ -5,6 +5,8 @@ charon { multiple_authentication = no + retransmit_tries = 5 + plugins { tnc-imc { preferred_language = de diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf index 88a4ad36e..c8992bdad 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf @@ -15,7 +15,7 @@ charon { } libimcv { - database = sqlite:///etc/pts/config.db + database = sqlite:///etc/db.d/config.db policy_script = ipsec imv_policy_manager plugins { imv-attestation { @@ -26,5 +26,5 @@ libimcv { attest { load = random nonce openssl sqlite - database = sqlite:///etc/pts/config.db + database = sqlite:///etc/db.d/config.db } diff --git a/testing/tests/tnc/tnccs-20-os-pts/posttest.dat b/testing/tests/tnc/tnccs-20-os-pts/posttest.dat index 48514d6e0..74b902c69 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/posttest.dat +++ b/testing/tests/tnc/tnccs-20-os-pts/posttest.dat @@ -5,4 +5,3 @@ moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush carol::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::rm /etc/pts/config.db diff --git a/testing/tests/tnc/tnccs-20-os-pts/pretest.dat b/testing/tests/tnc/tnccs-20-os-pts/pretest.dat index 7a562eec5..345f54816 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/pretest.dat +++ b/testing/tests/tnc/tnccs-20-os-pts/pretest.dat @@ -4,16 +4,16 @@ dave::iptables-restore < /etc/iptables.rules carol::echo 0 > /proc/sys/net/ipv4/ip_forward dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id moon::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql -moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db +moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config moon::ipsec start dave::ipsec start carol::ipsec start -dave::sleep 1 +dave::expect-connection home dave::ipsec up home +carol::expect-connection home carol::ipsec up home -carol::sleep 1 moon::ipsec attest --sessions moon::ipsec attest --devices diff --git a/testing/tests/tnc/tnccs-20-os-pts/test.conf b/testing/tests/tnc/tnccs-20-os-pts/test.conf index a8a05af19..4b1c410ff 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/test.conf +++ b/testing/tests/tnc/tnccs-20-os-pts/test.conf @@ -20,7 +20,6 @@ TCPDUMPHOSTS="moon" # IPSECHOSTS="moon carol dave" -# Guest instances on which FreeRadius is started +# Guest instances on which databases are used # -RADIUSHOSTS= - +DBHOSTS="moon" diff --git a/testing/tests/tnc/tnccs-20-os/evaltest.dat b/testing/tests/tnc/tnccs-20-os/evaltest.dat index 1cf7ed69a..292116309 100644 --- a/testing/tests/tnc/tnccs-20-os/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-os/evaltest.dat @@ -15,6 +15,6 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf index baa7dbbc8..43cf395d9 100644 --- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf @@ -15,11 +15,11 @@ charon { } libimcv { - database = sqlite:///etc/pts/config.db + database = sqlite:///etc/db.d/config.db policy_script = ipsec imv_policy_manager } attest { load = random nonce openssl sqlite - database = sqlite:///etc/pts/config.db + database = sqlite:///etc/db.d/config.db } diff --git a/testing/tests/tnc/tnccs-20-os/posttest.dat b/testing/tests/tnc/tnccs-20-os/posttest.dat index 48514d6e0..74b902c69 100644 --- a/testing/tests/tnc/tnccs-20-os/posttest.dat +++ b/testing/tests/tnc/tnccs-20-os/posttest.dat @@ -5,4 +5,3 @@ moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush carol::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::rm /etc/pts/config.db diff --git a/testing/tests/tnc/tnccs-20-os/pretest.dat b/testing/tests/tnc/tnccs-20-os/pretest.dat index fc102ec12..3c5cd328e 100644 --- a/testing/tests/tnc/tnccs-20-os/pretest.dat +++ b/testing/tests/tnc/tnccs-20-os/pretest.dat @@ -5,7 +5,7 @@ carol::echo 0 > /proc/sys/net/ipv4/ip_forward dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id moon::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql moon::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql -moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db +moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config diff --git a/testing/tests/tnc/tnccs-20-os/test.conf b/testing/tests/tnc/tnccs-20-os/test.conf index a8a05af19..f4fd4dc16 100644 --- a/testing/tests/tnc/tnccs-20-os/test.conf +++ b/testing/tests/tnc/tnccs-20-os/test.conf @@ -20,7 +20,6 @@ TCPDUMPHOSTS="moon" # IPSECHOSTS="moon carol dave" -# Guest instances on which FreeRadius is started +# Guest instances on which databases are used # -RADIUSHOSTS= - +DBHOSTS="moon" \ No newline at end of file diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat index f744453e6..d373eb39b 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat @@ -24,6 +24,6 @@ moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP succe moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini index 5e7b7b556..ea9cbbee4 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini @@ -5,7 +5,7 @@ DEBUG_TOOLBAR=0 [db] DJANGO_DB_URL=sqlite:////var/www/tnc/django.db -STRONGTNC_DB_URL = sqlite:////etc/pts/config.db +STRONGTNC_DB_URL = sqlite:////etc/db.d/config.db [localization] LANGUAGE_CODE=en-us diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf index 1c34f51f8..48d5d70f0 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf @@ -24,7 +24,7 @@ charon { libimcv { debug_level = 3 - database = sqlite:///etc/pts/config.db + database = sqlite:///etc/db.d/config.db policy_script = ipsec imv_policy_manager plugins { diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf index ee16a4cad..8aa2ab97e 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf @@ -3,6 +3,8 @@ charon { load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + retransmit_timeout = + plugins { eap-ttls { max_message_count = 0 diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf index dd7d16076..aea7a71f9 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf @@ -3,7 +3,9 @@ charon { load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - plugins { + retransmit_timeout = + + plugins { eap-ttls { max_message_count = 0 } diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat index 1e5c3f8cd..fe9f59e44 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat @@ -3,7 +3,6 @@ carol::ipsec stop dave::ipsec stop alice::ipsec stop alice::service apache2 stop -alice::rm /etc/pts/config.db moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat index ca3c559d1..4b8d3f024 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat @@ -8,15 +8,16 @@ carol::echo 0 > /proc/sys/net/ipv4/ip_forward dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql -alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db -alice::chgrp www-data /etc/pts/config.db; chmod g+w /etc/pts/config.db +alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db +alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db alice::/var/www/tnc/manage.py setpassword strongSwan strongSwan alice::service apache2 start alice::ipsec start moon::ipsec start dave::ipsec start carol::ipsec start -carol::sleep 1 +dave::expect-connection home dave::ipsec up home +carol::expect-connection home carol::ipsec up home carol::sleep 1 diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/test.conf b/testing/tests/tnc/tnccs-20-pdp-eap/test.conf index c4ca1a19f..345e91150 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/test.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/test.conf @@ -20,7 +20,7 @@ TCPDUMPHOSTS="moon" # IPSECHOSTS="moon carol dave alice" -# Guest instances on which FreeRadius is started +# Guest instances on which databases are used # -RADIUSHOSTS= +DBHOSTS="alice" diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini index 5e7b7b556..ea9cbbee4 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini @@ -5,7 +5,7 @@ DEBUG_TOOLBAR=0 [db] DJANGO_DB_URL=sqlite:////var/www/tnc/django.db -STRONGTNC_DB_URL = sqlite:////etc/pts/config.db +STRONGTNC_DB_URL = sqlite:////etc/db.d/config.db [localization] LANGUAGE_CODE=en-us diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf index 857e6d6d6..5fa49e7a7 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf @@ -18,7 +18,7 @@ libtls { } libimcv { - database = sqlite:///etc/pts/config.db + database = sqlite:///etc/db.d/config.db policy_script = ipsec imv_policy_manager plugins { diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat index b7da857a7..2f45a149d 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat @@ -3,7 +3,6 @@ dave::ip route del 10.1.0.0/16 via 192.168.0.1 winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 alice::ipsec stop alice::service apache2 stop -alice::rm /etc/pts/config.db alice::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat index eed7967ee..e14ba8902 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat @@ -8,12 +8,12 @@ dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id dave::cat /etc/tnc_config alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql -alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db -alice::chgrp www-data /etc/pts/config.db; chmod g+w /etc/pts/config.db +alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db +alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db alice::/var/www/tnc/manage.py setpassword strongSwan strongSwan alice::service apache2 start alice::ipsec start -alice::sleep 1 +alice::expect-connection aaa winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 dave::ip route add 10.1.0.0/16 via 192.168.0.1 dave::cat /etc/pts/options @@ -21,4 +21,3 @@ dave::ipsec pt-tls-client --optionsfrom /etc/pts/options carol::ip route add 10.1.0.0/16 via 192.168.0.1 carol::cat /etc/pts/options carol::ipsec pt-tls-client --optionsfrom /etc/pts/options -carol::sleep 1 diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf index 5f4f8e725..baeceb92b 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf @@ -20,7 +20,6 @@ TCPDUMPHOSTS="moon" # IPSECHOSTS="carol moon dave alice" -# Guest instances on which FreeRadius is started +# Guest instances on which databases are used # -RADIUSHOSTS= - +DBHOSTS="alice" diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat index 14c2aaf6c..8c9e59a56 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat @@ -15,6 +15,6 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf index e67223b45..c69f9454d 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf @@ -3,6 +3,8 @@ charon { load = aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 curl revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + retransmit_timeout = + multiple_authentication = no plugins { diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf index e72ab0920..38b2e2ec2 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf @@ -15,7 +15,7 @@ charon { } libimcv { - database = sqlite:///etc/pts/config.db + database = sqlite:///etc/db.d/config.db policy_script = ipsec imv_policy_manager plugins { imv-attestation { @@ -28,5 +28,5 @@ libimcv { attest { load = random nonce openssl sqlite - database = sqlite:///etc/pts/config.db + database = sqlite:///etc/db.d/config.db } diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat index 48514d6e0..74b902c69 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat @@ -5,4 +5,3 @@ moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush carol::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::rm /etc/pts/config.db diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat index 7a562eec5..345f54816 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat @@ -4,16 +4,16 @@ dave::iptables-restore < /etc/iptables.rules carol::echo 0 > /proc/sys/net/ipv4/ip_forward dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id moon::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql -moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db +moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config moon::ipsec start dave::ipsec start carol::ipsec start -dave::sleep 1 +dave::expect-connection home dave::ipsec up home +carol::expect-connection home carol::ipsec up home -carol::sleep 1 moon::ipsec attest --sessions moon::ipsec attest --devices diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf index a8a05af19..2fd3139f5 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf @@ -20,7 +20,7 @@ TCPDUMPHOSTS="moon" # IPSECHOSTS="moon carol dave" -# Guest instances on which FreeRadius is started +# Guest instances on which databases are used # -RADIUSHOSTS= +DBHOSTS="moon" diff --git a/testing/tests/tnc/tnccs-20-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-pts/evaltest.dat index 0bf4f2b9b..d67756349 100644 --- a/testing/tests/tnc/tnccs-20-pts/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pts/evaltest.dat @@ -15,6 +15,6 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf index 3c41f154a..b6c9ab661 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf @@ -3,6 +3,8 @@ charon { load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + retransmit_timeout = + multiple_authentication = no plugins { tnc-imc { diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf index 88a4ad36e..d9d0624f5 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf @@ -3,6 +3,8 @@ charon { load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite + retransmit_timeout = + multiple_authentication = no plugins { @@ -15,7 +17,7 @@ charon { } libimcv { - database = sqlite:///etc/pts/config.db + database = sqlite:///etc/db.d/config.db policy_script = ipsec imv_policy_manager plugins { imv-attestation { @@ -26,5 +28,5 @@ libimcv { attest { load = random nonce openssl sqlite - database = sqlite:///etc/pts/config.db + database = sqlite:///etc/db.d/config.db } diff --git a/testing/tests/tnc/tnccs-20-pts/posttest.dat b/testing/tests/tnc/tnccs-20-pts/posttest.dat index 48514d6e0..74b902c69 100644 --- a/testing/tests/tnc/tnccs-20-pts/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pts/posttest.dat @@ -5,4 +5,3 @@ moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush carol::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::rm /etc/pts/config.db diff --git a/testing/tests/tnc/tnccs-20-pts/pretest.dat b/testing/tests/tnc/tnccs-20-pts/pretest.dat index 7a562eec5..345f54816 100644 --- a/testing/tests/tnc/tnccs-20-pts/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pts/pretest.dat @@ -4,16 +4,16 @@ dave::iptables-restore < /etc/iptables.rules carol::echo 0 > /proc/sys/net/ipv4/ip_forward dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id moon::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql -moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db +moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config moon::ipsec start dave::ipsec start carol::ipsec start -dave::sleep 1 +dave::expect-connection home dave::ipsec up home +carol::expect-connection home carol::ipsec up home -carol::sleep 1 moon::ipsec attest --sessions moon::ipsec attest --devices diff --git a/testing/tests/tnc/tnccs-20-pts/test.conf b/testing/tests/tnc/tnccs-20-pts/test.conf index a8a05af19..2fd3139f5 100644 --- a/testing/tests/tnc/tnccs-20-pts/test.conf +++ b/testing/tests/tnc/tnccs-20-pts/test.conf @@ -20,7 +20,7 @@ TCPDUMPHOSTS="moon" # IPSECHOSTS="moon carol dave" -# Guest instances on which FreeRadius is started +# Guest instances on which databases are used # -RADIUSHOSTS= +DBHOSTS="moon" diff --git a/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat b/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat index bac7294b2..c69940c4b 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat @@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat index b2b243ba3..85622034d 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat +++ b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat @@ -5,9 +5,9 @@ moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config moon::ipsec start -carol::ipsec start -dave::ipsec start -carol::sleep 1 +carol::ipsec start +dave::ipsec start +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/tnc/tnccs-20-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-tls/evaltest.dat index 40d5e24d5..fe1becb97 100644 --- a/testing/tests/tnc/tnccs-20-tls/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-tls/evaltest.dat @@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU= moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-tls/pretest.dat b/testing/tests/tnc/tnccs-20-tls/pretest.dat index cac1cfafc..85622034d 100644 --- a/testing/tests/tnc/tnccs-20-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-tls/pretest.dat @@ -7,7 +7,7 @@ dave::cat /etc/tnc_config moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/tnc/tnccs-20/evaltest.dat b/testing/tests/tnc/tnccs-20/evaltest.dat index bac7294b2..c69940c4b 100644 --- a/testing/tests/tnc/tnccs-20/evaltest.dat +++ b/testing/tests/tnc/tnccs-20/evaltest.dat @@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20/pretest.dat b/testing/tests/tnc/tnccs-20/pretest.dat index b2b243ba3..85622034d 100644 --- a/testing/tests/tnc/tnccs-20/pretest.dat +++ b/testing/tests/tnc/tnccs-20/pretest.dat @@ -5,9 +5,9 @@ moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config moon::ipsec start -carol::ipsec start -dave::ipsec start -carol::sleep 1 +carol::ipsec start +dave::ipsec start +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/tnc/tnccs-dynamic/evaltest.dat b/testing/tests/tnc/tnccs-dynamic/evaltest.dat index 405298381..3d0c55449 100644 --- a/testing/tests/tnc/tnccs-dynamic/evaltest.dat +++ b/testing/tests/tnc/tnccs-dynamic/evaltest.dat @@ -21,7 +21,7 @@ moon:: cat /var/log/daemon.log::removed TNCCS Connection ID 2::YES moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-dynamic/pretest.dat b/testing/tests/tnc/tnccs-dynamic/pretest.dat index 60775a11e..927b89d06 100644 --- a/testing/tests/tnc/tnccs-dynamic/pretest.dat +++ b/testing/tests/tnc/tnccs-dynamic/pretest.dat @@ -7,7 +7,7 @@ dave::cat /etc/tnc_config moon::LEAK_DETECTIVE_DISABLE=1 ipsec start carol::LEAK_DETECTIVE_DISABLE=1 ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 -- cgit v1.2.3