[Pkg-swan-devel] [strongswan] 01/08: Import upstream version 5.1.3

Romain Francoise rfrancoise at moszumanska.debian.org
Thu Apr 17 17:34:43 UTC 2014


This is an automated email from the git hooks/post-receive script.

rfrancoise pushed a commit to branch master
in repository strongswan.

commit c5ebfc7b9c16551fe825dc1d79c3f7e2f096f6c9
Author: Romain Francoise <rfrancoise at debian.org>
Date:   Tue Apr 15 19:34:32 2014 +0200

    Import upstream version 5.1.3
---
 Android.common.mk                                  |    2 +-
 Makefile.in                                        |    1 -
 NEWS                                               |   22 +
 conf/Makefile.in                                   |    1 -
 conf/format-options.py                             |    9 +-
 conf/options/tools.conf                            |    7 -
 conf/options/tools.opt                             |    3 -
 conf/plugins/eap-radius.conf                       |    4 +
 conf/plugins/eap-radius.opt                        |    4 +
 conf/plugins/imc-attestation.conf                  |    3 +
 conf/plugins/imc-attestation.opt                   |    5 +-
 conf/plugins/imv-attestation.conf                  |    3 +
 conf/plugins/imv-attestation.opt                   |    3 +
 conf/strongswan.conf.5.main                        |  608 ++---
 configure                                          | 2600 +++++++++++---------
 configure.ac                                       |  319 +--
 init/Makefile.in                                   |    1 -
 init/systemd/Makefile.in                           |    1 -
 m4/macros/enable-disable.m4                        |    4 +-
 man/Makefile.in                                    |    1 -
 scripts/Makefile.in                                |    1 -
 scripts/aes-test.c                                 |    2 +-
 scripts/crypt_burn.c                               |    2 +-
 scripts/tls_test.c                                 |    4 +-
 src/Makefile.am                                    |    2 +-
 src/Makefile.in                                    |    9 +-
 src/_copyright/Makefile.in                         |    1 -
 src/_updown/Makefile.in                            |    1 -
 src/_updown_espmark/Makefile.in                    |    1 -
 src/charon-cmd/Makefile.in                         |    1 -
 src/charon-nm/Makefile.in                          |    1 -
 src/charon-nm/nm/nm_service.c                      |    5 +-
 src/charon-tkm/Makefile.in                         |    1 -
 src/charon/Makefile.in                             |    1 -
 src/checksum/Makefile.am                           |    1 -
 src/checksum/Makefile.in                           |    4 +-
 src/conftest/Makefile.in                           |    1 -
 src/dumm/Makefile.in                               |    1 -
 src/include/Makefile.in                            |    1 -
 src/ipsec/Makefile.in                              |    1 -
 src/ipsec/_ipsec.8                                 |    2 +-
 src/ipsec/_ipsec.in                                |    1 -
 src/libcharon/Makefile.in                          |    1 -
 src/libcharon/config/ike_cfg.c                     |    2 +-
 src/libcharon/config/proposal.c                    |   23 +-
 src/libcharon/encoding/payloads/cert_payload.c     |    7 +-
 .../encoding/payloads/proposal_substructure.c      |   16 +-
 src/libcharon/plugins/addrblock/Makefile.in        |    1 -
 src/libcharon/plugins/android_dns/Makefile.in      |    1 -
 src/libcharon/plugins/android_log/Makefile.in      |    1 -
 src/libcharon/plugins/certexpire/Makefile.in       |    1 -
 src/libcharon/plugins/coupling/Makefile.in         |    1 -
 src/libcharon/plugins/dhcp/Makefile.in             |    1 -
 src/libcharon/plugins/dhcp/dhcp_provider.c         |   19 +-
 src/libcharon/plugins/dnscert/Makefile.in          |    1 -
 src/libcharon/plugins/duplicheck/Makefile.in       |    1 -
 src/libcharon/plugins/eap_aka/Makefile.in          |    1 -
 src/libcharon/plugins/eap_aka_3gpp2/Makefile.in    |    1 -
 src/libcharon/plugins/eap_dynamic/Makefile.in      |    1 -
 src/libcharon/plugins/eap_gtc/Makefile.in          |    1 -
 src/libcharon/plugins/eap_identity/Makefile.in     |    1 -
 src/libcharon/plugins/eap_md5/Makefile.in          |    1 -
 src/libcharon/plugins/eap_mschapv2/Makefile.in     |    1 -
 src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c  |    4 +
 src/libcharon/plugins/eap_peap/Makefile.in         |    1 -
 src/libcharon/plugins/eap_radius/Makefile.in       |    1 -
 .../plugins/eap_radius/eap_radius_accounting.c     |    7 +-
 .../plugins/eap_radius/eap_radius_forward.c        |   22 +-
 src/libcharon/plugins/eap_sim/Makefile.in          |    1 -
 src/libcharon/plugins/eap_sim_file/Makefile.in     |    1 -
 src/libcharon/plugins/eap_sim_pcsc/Makefile.in     |    1 -
 .../plugins/eap_simaka_pseudonym/Makefile.in       |    1 -
 .../plugins/eap_simaka_reauth/Makefile.in          |    1 -
 src/libcharon/plugins/eap_simaka_sql/Makefile.in   |    1 -
 src/libcharon/plugins/eap_tls/Makefile.in          |    1 -
 src/libcharon/plugins/eap_tnc/Makefile.in          |    1 -
 src/libcharon/plugins/eap_ttls/Makefile.in         |    1 -
 src/libcharon/plugins/error_notify/Makefile.in     |    1 -
 src/libcharon/plugins/farp/Makefile.in             |    1 -
 src/libcharon/plugins/ha/Makefile.in               |    1 -
 src/libcharon/plugins/ha/ha_cache.c                |   18 +-
 src/libcharon/plugins/ipseckey/Makefile.in         |    1 -
 src/libcharon/plugins/kernel_libipsec/Makefile.in  |    1 -
 src/libcharon/plugins/led/Makefile.in              |    1 -
 src/libcharon/plugins/load_tester/Makefile.in      |    1 -
 src/libcharon/plugins/lookip/Makefile.in           |    1 -
 src/libcharon/plugins/maemo/Makefile.in            |    1 -
 src/libcharon/plugins/medcli/Makefile.in           |    1 -
 src/libcharon/plugins/medsrv/Makefile.in           |    1 -
 src/libcharon/plugins/osx_attr/Makefile.in         |    1 -
 src/libcharon/plugins/radattr/Makefile.in          |    1 -
 src/libcharon/plugins/smp/Makefile.in              |    1 -
 src/libcharon/plugins/socket_default/Makefile.in   |    1 -
 src/libcharon/plugins/socket_dynamic/Makefile.in   |    1 -
 src/libcharon/plugins/sql/Makefile.in              |    1 -
 src/libcharon/plugins/stroke/Makefile.in           |    1 -
 src/libcharon/plugins/stroke/stroke_list.c         |   85 +-
 src/libcharon/plugins/systime_fix/Makefile.in      |    1 -
 src/libcharon/plugins/tnc_ifmap/Makefile.in        |    1 -
 src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c   |    6 +-
 src/libcharon/plugins/tnc_pdp/Makefile.am          |    3 +-
 src/libcharon/plugins/tnc_pdp/Makefile.in          |   21 +-
 src/libcharon/plugins/uci/Makefile.in              |    1 -
 src/libcharon/plugins/unit_tester/Makefile.in      |    1 -
 src/libcharon/plugins/unity/Makefile.in            |    1 -
 src/libcharon/plugins/updown/Makefile.in           |    1 -
 src/libcharon/plugins/whitelist/Makefile.in        |    1 -
 src/libcharon/plugins/xauth_eap/Makefile.in        |    1 -
 src/libcharon/plugins/xauth_generic/Makefile.in    |    1 -
 src/libcharon/plugins/xauth_noauth/Makefile.in     |    1 -
 src/libcharon/plugins/xauth_pam/Makefile.in        |    1 -
 src/libcharon/sa/ikev2/keymat_v2.c                 |   29 +-
 src/libcharon/sa/ikev2/task_manager_v2.c           |    9 +
 src/libcharon/sa/ikev2/tasks/child_delete.c        |   12 +
 src/libcharon/sa/ikev2/tasks/ike_cert_post.c       |  139 +-
 src/libcharon/sa/ikev2/tasks/ike_cert_pre.c        |   28 +-
 src/libfast/Makefile.in                            |    1 -
 src/libhydra/Makefile.in                           |    1 -
 src/libhydra/plugins/attr/Makefile.in              |    1 -
 src/libhydra/plugins/attr/attr_provider.c          |    9 +-
 src/libhydra/plugins/attr_sql/Makefile.in          |    1 -
 src/libhydra/plugins/kernel_klips/Makefile.in      |    1 -
 src/libhydra/plugins/kernel_netlink/Makefile.in    |    1 -
 src/libhydra/plugins/kernel_pfkey/Makefile.in      |    1 -
 src/libhydra/plugins/kernel_pfroute/Makefile.in    |    1 -
 .../plugins/kernel_pfroute/kernel_pfroute_net.c    |   10 +-
 src/libhydra/plugins/resolve/Makefile.in           |    1 -
 src/libimcv/Makefile.in                            |    1 -
 src/libimcv/imv/data.sql                           |   24 +
 src/libimcv/plugins/imc_os/Makefile.in             |    1 -
 src/libimcv/plugins/imc_scanner/Makefile.in        |    1 -
 src/libimcv/plugins/imc_test/Makefile.in           |    1 -
 src/libimcv/plugins/imv_os/Makefile.in             |    1 -
 src/libimcv/plugins/imv_scanner/Makefile.in        |    1 -
 src/libimcv/plugins/imv_test/Makefile.in           |    1 -
 src/libipsec/Makefile.in                           |    1 -
 src/libipsec/esp_context.c                         |    3 +-
 src/libpts/Makefile.in                             |    1 -
 src/libpts/plugins/imc_attestation/Makefile.in     |    1 -
 .../plugins/imc_attestation/imc_attestation.c      |    7 +-
 src/libpts/plugins/imc_swid/Makefile.in            |    1 -
 src/libpts/plugins/imv_attestation/Makefile.in     |    1 -
 src/libpts/plugins/imv_attestation/attest.c        |    4 +-
 .../imv_attestation/imv_attestation_agent.c        |   21 +-
 src/libpts/plugins/imv_swid/Makefile.in            |    1 -
 src/libpts/pts/pts.c                               |    3 +-
 src/libpts/pts/pts_database.c                      |   21 +-
 src/libpts/pts/pts_dh_group.c                      |   15 +-
 src/libpts/pts/pts_dh_group.h                      |    9 +-
 src/libpttls/Makefile.in                           |    1 -
 src/libpttls/pt_tls_client.c                       |    3 +-
 src/libpttls/pt_tls_server.c                       |    2 +-
 src/libradius/Makefile.in                          |    1 -
 src/libsimaka/Makefile.in                          |    1 -
 src/libstrongswan/Android.mk                       |    2 +-
 src/libstrongswan/Makefile.am                      |   10 +-
 src/libstrongswan/Makefile.in                      |  156 +-
 src/libstrongswan/asn1/oid.c                       |  485 ++--
 src/libstrongswan/asn1/oid.h                       |  189 +-
 src/libstrongswan/asn1/oid.txt                     |   41 +-
 src/libstrongswan/collections/array.c              |    2 +-
 src/libstrongswan/collections/hashtable.c          |   24 +-
 src/libstrongswan/collections/hashtable.h          |   21 +-
 src/libstrongswan/credentials/auth_cfg.c           |   12 +-
 src/libstrongswan/credentials/auth_cfg.h           |    2 +
 src/libstrongswan/credentials/builder.c            |    3 +-
 src/libstrongswan/credentials/builder.h            |    4 +-
 src/libstrongswan/credentials/certificates/ac.h    |   25 +-
 src/libstrongswan/credentials/certificates/x509.h  |   22 +-
 src/libstrongswan/credentials/cred_encoding.c      |   19 +-
 .../credentials/ietf_attributes/ietf_attributes.c  |  534 ----
 .../credentials/ietf_attributes/ietf_attributes.h  |   92 -
 .../credentials/sets/auth_cfg_wrapper.c            |    3 +-
 src/libstrongswan/crypto/aead.h                    |    9 +
 src/libstrongswan/crypto/crypto_factory.c          |   47 +-
 src/libstrongswan/crypto/crypto_factory.h          |    6 +-
 src/libstrongswan/crypto/crypto_tester.c           |   21 +-
 src/libstrongswan/crypto/crypto_tester.h           |    8 +-
 src/libstrongswan/library.c                        |    7 +-
 src/libstrongswan/plugins/acert/Makefile.am        |   17 +
 .../plugins/{nonce => acert}/Makefile.in           |   45 +-
 src/libstrongswan/plugins/acert/acert_plugin.c     |   99 +
 .../plugins/acert/acert_plugin.h}                  |   32 +-
 src/libstrongswan/plugins/acert/acert_validator.c  |  149 ++
 src/libstrongswan/plugins/acert/acert_validator.h  |   49 +
 src/libstrongswan/plugins/aes/Makefile.in          |    1 -
 src/libstrongswan/plugins/af_alg/Makefile.in       |    1 -
 src/libstrongswan/plugins/agent/Makefile.in        |    1 -
 src/libstrongswan/plugins/blowfish/Makefile.in     |    1 -
 src/libstrongswan/plugins/ccm/Makefile.in          |    1 -
 src/libstrongswan/plugins/ccm/ccm_aead.c           |    8 +-
 src/libstrongswan/plugins/ccm/ccm_aead.h           |    4 +-
 src/libstrongswan/plugins/cmac/Makefile.in         |    1 -
 src/libstrongswan/plugins/constraints/Makefile.in  |    1 -
 src/libstrongswan/plugins/ctr/Makefile.in          |    1 -
 src/libstrongswan/plugins/curl/Makefile.in         |    1 -
 src/libstrongswan/plugins/des/Makefile.in          |    1 -
 src/libstrongswan/plugins/dnskey/Makefile.in       |    1 -
 src/libstrongswan/plugins/fips_prf/Makefile.in     |    1 -
 src/libstrongswan/plugins/gcm/Makefile.in          |    1 -
 src/libstrongswan/plugins/gcm/gcm_aead.c           |    8 +-
 src/libstrongswan/plugins/gcm/gcm_aead.h           |    4 +-
 src/libstrongswan/plugins/gcrypt/Makefile.in       |    1 -
 src/libstrongswan/plugins/gmp/Makefile.in          |    1 -
 src/libstrongswan/plugins/hmac/Makefile.in         |    1 -
 src/libstrongswan/plugins/keychain/Makefile.in     |    1 -
 src/libstrongswan/plugins/ldap/Makefile.in         |    1 -
 src/libstrongswan/plugins/md4/Makefile.in          |    1 -
 src/libstrongswan/plugins/md5/Makefile.in          |    1 -
 src/libstrongswan/plugins/mysql/Makefile.in        |    1 -
 src/libstrongswan/plugins/nonce/Makefile.in        |    1 -
 src/libstrongswan/plugins/ntru/Makefile.am         |   16 +-
 src/libstrongswan/plugins/ntru/Makefile.in         |   65 +-
 src/libstrongswan/plugins/ntru/ntru_convert.c      |  452 ++++
 src/libstrongswan/plugins/ntru/ntru_convert.h      |  147 ++
 .../plugins/ntru/ntru_crypto/ntru_crypto.h         |  235 --
 .../ntru/ntru_crypto/ntru_crypto_ntru_convert.c    |  581 -----
 .../ntru/ntru_crypto/ntru_crypto_ntru_convert.h    |  183 --
 .../ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c    | 1034 --------
 .../ntru_crypto/ntru_crypto_ntru_encrypt_key.c     |  360 ---
 .../ntru_crypto/ntru_crypto_ntru_encrypt_key.h     |  167 --
 .../ntru_crypto_ntru_encrypt_param_sets.h          |  101 -
 .../ntru/ntru_crypto/ntru_crypto_ntru_poly.c       |  242 --
 .../ntru/ntru_crypto/ntru_crypto_ntru_poly.h       |   96 -
 src/libstrongswan/plugins/ntru/ntru_drbg.c         |   24 +-
 src/libstrongswan/plugins/ntru/ntru_drbg.h         |    7 +
 src/libstrongswan/plugins/ntru/ntru_ke.c           |  155 +-
 ..._ntru_encrypt_param_sets.c => ntru_param_set.c} |  151 +-
 src/libstrongswan/plugins/ntru/ntru_param_set.h    |  118 +
 src/libstrongswan/plugins/ntru/ntru_poly.c         |   50 +-
 src/libstrongswan/plugins/ntru/ntru_private_key.c  |  892 +++++++
 src/libstrongswan/plugins/ntru/ntru_private_key.h  |   92 +
 src/libstrongswan/plugins/ntru/ntru_public_key.c   |  408 +++
 src/libstrongswan/plugins/ntru/ntru_public_key.h   |   88 +
 src/libstrongswan/plugins/ntru/ntru_trits.c        |    3 +-
 src/libstrongswan/plugins/openssl/Makefile.in      |    1 -
 src/libstrongswan/plugins/openssl/openssl_gcm.c    |   10 +-
 src/libstrongswan/plugins/openssl/openssl_gcm.h    |    4 +-
 .../plugins/openssl/openssl_rsa_public_key.c       |   16 +-
 src/libstrongswan/plugins/padlock/Makefile.in      |    1 -
 src/libstrongswan/plugins/pem/Makefile.in          |    1 -
 src/libstrongswan/plugins/pem/pem_encoder.c        |    7 +-
 src/libstrongswan/plugins/pgp/Makefile.in          |    1 -
 src/libstrongswan/plugins/pkcs1/Makefile.in        |    1 -
 src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c     |    3 +
 src/libstrongswan/plugins/pkcs11/Makefile.in       |    1 -
 src/libstrongswan/plugins/pkcs12/Makefile.in       |    1 -
 src/libstrongswan/plugins/pkcs7/Makefile.in        |    1 -
 src/libstrongswan/plugins/pkcs8/Makefile.in        |    1 -
 src/libstrongswan/plugins/plugin_feature.c         |   32 +-
 src/libstrongswan/plugins/plugin_loader.c          |    1 +
 src/libstrongswan/plugins/pubkey/Makefile.in       |    1 -
 src/libstrongswan/plugins/random/Makefile.in       |    1 -
 src/libstrongswan/plugins/rc2/Makefile.in          |    1 -
 src/libstrongswan/plugins/rdrand/Makefile.in       |    1 -
 src/libstrongswan/plugins/revocation/Makefile.in   |    1 -
 .../plugins/revocation/revocation_validator.c      |  127 +-
 src/libstrongswan/plugins/sha1/Makefile.in         |    1 -
 src/libstrongswan/plugins/sha2/Makefile.in         |    1 -
 src/libstrongswan/plugins/soup/Makefile.in         |    1 -
 src/libstrongswan/plugins/sqlite/Makefile.in       |    1 -
 src/libstrongswan/plugins/sshkey/Makefile.in       |    1 -
 src/libstrongswan/plugins/test_vectors/Makefile.in |    1 -
 .../plugins/test_vectors/test_vectors.h            |   13 +-
 .../plugins/test_vectors/test_vectors/aes_ccm.c    |   33 +-
 .../plugins/test_vectors/test_vectors/aes_gcm.c    |  125 +-
 src/libstrongswan/plugins/unbound/Makefile.in      |    1 -
 src/libstrongswan/plugins/x509/Makefile.in         |    1 -
 src/libstrongswan/plugins/x509/x509_ac.c           |  383 ++-
 src/libstrongswan/plugins/x509/x509_cert.c         |   15 +-
 src/libstrongswan/plugins/x509/x509_ocsp_request.c |    2 +-
 src/libstrongswan/plugins/x509/x509_plugin.c       |    4 +-
 src/libstrongswan/plugins/xcbc/Makefile.in         |    1 -
 src/libstrongswan/tests/Makefile.in                |    1 -
 src/libstrongswan/tests/suites/test_chunk.c        |    9 +-
 src/libstrongswan/tests/suites/test_enumerator.c   |   24 +-
 src/libstrongswan/tests/suites/test_ntru.c         |  524 +++-
 src/libstrongswan/tests/suites/test_vectors.c      |   13 +-
 src/libstrongswan/tests/test_runner.c              |  121 +-
 src/libstrongswan/tests/test_suite.c               |    3 +-
 src/libstrongswan/threading/thread.c               |    2 +
 src/libstrongswan/utils/leak_detective.c           |   15 +-
 src/libstrongswan/utils/leak_detective.h           |   18 +-
 src/libstrongswan/utils/settings.c                 |   20 +-
 src/libstrongswan/utils/test.c                     |   53 +-
 src/libstrongswan/utils/test.h                     |   34 +-
 src/libtls/Makefile.am                             |    5 +-
 src/libtls/Makefile.in                             |  201 +-
 src/libtls/tests/Makefile.am                       |   22 +
 {scripts => src/libtls/tests}/Makefile.in          |  448 ++--
 src/libtls/tests/suites/test_socket.c              |  524 ++++
 src/libtls/tests/suites/test_suites.c              |  247 ++
 src/libtls/tests/tls_tests.c                       |   57 +
 src/{pki/pki.h => libtls/tests/tls_tests.h}        |   27 +-
 src/libtls/tls.c                                   |   17 +-
 src/libtls/tls.h                                   |    2 +
 src/libtls/tls_aead.c                              |  217 ++
 src/libtls/tls_aead.h                              |  156 ++
 src/libtls/tls_aead_expl.c                         |  222 ++
 src/libtls/tls_aead_impl.c                         |  214 ++
 src/libtls/tls_aead_null.c                         |  159 ++
 src/libtls/tls_crypto.c                            |  588 +++--
 src/libtls/tls_crypto.h                            |    9 +
 src/libtls/tls_peer.c                              |    8 +-
 src/libtls/tls_protection.c                        |  214 +-
 src/libtls/tls_protection.h                        |   10 +-
 src/libtls/tls_socket.c                            |   16 +-
 src/libtls/tls_socket.h                            |    5 +-
 src/libtnccs/Makefile.in                           |    1 -
 src/libtnccs/plugins/tnc_imc/Makefile.in           |    1 -
 src/libtnccs/plugins/tnc_imv/Makefile.in           |    1 -
 src/libtnccs/plugins/tnc_tnccs/Makefile.in         |    1 -
 src/libtnccs/plugins/tnccs_11/Makefile.in          |    1 -
 src/libtnccs/plugins/tnccs_20/Makefile.in          |    1 -
 src/libtnccs/plugins/tnccs_dynamic/Makefile.in     |    1 -
 src/libtncif/Makefile.in                           |    1 -
 src/manager/Makefile.in                            |    1 -
 src/medsrv/Makefile.in                             |    1 -
 src/openac/Makefile.am                             |   11 -
 src/openac/Makefile.in                             |  802 ------
 src/openac/openac.8                                |  165 --
 src/openac/openac.c                                |  551 -----
 src/pki/Makefile.am                                |    1 +
 src/pki/Makefile.in                                |    8 +-
 src/pki/command.c                                  |    4 +-
 src/pki/command.h                                  |    4 +-
 src/pki/commands/acert.c                           |  292 +++
 src/pki/commands/issue.c                           |   34 +-
 src/pki/commands/print.c                           |   95 +-
 src/pki/commands/self.c                            |   33 +-
 src/pki/commands/signcrl.c                         |   28 +-
 src/pki/man/Makefile.am                            |    1 +
 src/pki/man/Makefile.in                            |    8 +-
 src/pki/man/pki---acert.1.in                       |  130 +
 src/pki/man/pki---issue.1.in                       |   27 +-
 src/pki/man/pki---print.1.in                       |    5 +-
 src/pki/man/pki---self.1.in                        |   27 +-
 src/pki/man/pki---signcrl.1.in                     |   27 +-
 src/pki/man/pki.1.in                               |    4 +
 src/pki/pki.c                                      |   53 +-
 src/pki/pki.h                                      |   17 +
 src/pool/Makefile.in                               |    1 -
 src/pt-tls-client/Makefile.in                      |    1 -
 src/scepclient/Makefile.in                         |    1 -
 src/starter/Makefile.in                            |    1 -
 src/stroke/Makefile.in                             |    1 -
 testing/Makefile.in                                |    1 -
 testing/do-tests                                   |    9 +
 testing/hosts/winnetou/etc/openssl/index.txt       |    1 +
 testing/hosts/winnetou/etc/openssl/index.txt.old   |    2 +
 .../winnetou/etc/openssl/newcerts/28.pem}          |   18 +-
 .../hosts/winnetou/etc/openssl/ocspCert-self.pem   |   28 +-
 testing/hosts/winnetou/etc/openssl/openssl.cnf     |    4 +-
 .../hosts/winnetou/etc/openssl/research/index.txt  |    6 +-
 .../winnetou/etc/openssl/research/index.txt.old    |    6 +-
 .../winnetou/etc/openssl/research/newcerts/08.pem  |   26 +
 .../winnetou/etc/openssl/research/newcerts/09.pem  |   24 +
 .../winnetou/etc/openssl/research/ocspCert.pem     |   36 +-
 .../winnetou/etc/openssl/research/ocspKey.pem      |   50 +-
 testing/hosts/winnetou/etc/openssl/research/serial |    2 +-
 .../hosts/winnetou/etc/openssl/research/serial.old |    2 +-
 testing/hosts/winnetou/etc/openssl/sales/index.txt |    6 +-
 .../hosts/winnetou/etc/openssl/sales/index.txt.old |    8 +-
 .../winnetou/etc/openssl/sales/newcerts/07.pem     |   26 +
 .../winnetou/etc/openssl/sales/newcerts/08.pem     |   25 +
 .../hosts/winnetou/etc/openssl/sales/ocspCert.pem  |   34 +-
 .../hosts/winnetou/etc/openssl/sales/ocspKey.pem   |   50 +-
 .../hosts/winnetou/etc/openssl/sales/openssl.cnf   |    1 +
 testing/hosts/winnetou/etc/openssl/sales/serial    |    2 +-
 .../hosts/winnetou/etc/openssl/sales/serial.old    |    2 +-
 testing/hosts/winnetou/etc/openssl/serial          |    2 +-
 testing/hosts/winnetou/etc/openssl/serial.old      |    2 +-
 testing/scripts/recipes/013_strongswan.mk          |    1 +
 .../af-alg/rw-cert/hosts/carol/etc/strongswan.conf |    2 -
 .../af-alg/rw-cert/hosts/dave/etc/strongswan.conf  |    2 -
 .../af-alg/rw-cert/hosts/moon/etc/strongswan.conf  |    2 -
 .../alg-serpent/hosts/carol/etc/strongswan.conf    |    2 -
 .../alg-serpent/hosts/moon/etc/strongswan.conf     |    2 -
 .../alg-twofish/hosts/carol/etc/strongswan.conf    |    2 -
 .../alg-twofish/hosts/moon/etc/strongswan.conf     |    2 -
 .../rw-cert/hosts/carol/etc/strongswan.conf        |    2 -
 .../rw-cert/hosts/dave/etc/strongswan.conf         |    2 -
 .../rw-cert/hosts/moon/etc/strongswan.conf         |    2 -
 testing/tests/ha/both-active/posttest.dat          |    2 -
 testing/tests/ikev1/double-nat-net/posttest.dat    |    2 -
 testing/tests/ikev1/double-nat/posttest.dat        |    2 -
 .../hosts/carol/etc/strongswan.conf                |    2 -
 .../hosts/dave/etc/strongswan.conf                 |    2 -
 .../hosts/moon/etc/strongswan.conf                 |    2 -
 .../hosts/carol/etc/strongswan.conf                |    2 -
 .../hosts/dave/etc/strongswan.conf                 |    2 -
 .../hosts/moon/etc/strongswan.conf                 |    2 -
 .../hosts/carol/etc/strongswan.conf                |    2 -
 .../hosts/dave/etc/strongswan.conf                 |    2 -
 .../hosts/moon/etc/strongswan.conf                 |    2 -
 testing/tests/ikev1/nat-rw/posttest.dat            |    1 -
 testing/tests/ikev1/nat-virtual-ip/posttest.dat    |    1 -
 testing/tests/ikev1/nat-virtual-ip/pretest.dat     |    3 +-
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |    2 -
 .../net2net-cert/hosts/sun/etc/strongswan.conf     |    2 -
 .../hosts/moon/etc/strongswan.conf                 |    3 -
 .../hosts/sun/etc/strongswan.conf                  |    3 -
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../net2net-psk/hosts/moon/etc/strongswan.conf     |    2 -
 .../net2net-psk/hosts/sun/etc/strongswan.conf      |    2 -
 .../hosts/carol/etc/strongswan.conf                |    2 -
 .../hosts/dave/etc/strongswan.conf                 |    2 -
 .../hosts/moon/etc/strongswan.conf                 |    2 -
 .../rw-cert-unity/hosts/carol/etc/strongswan.conf  |    4 +-
 .../rw-cert-unity/hosts/moon/etc/strongswan.conf   |    7 +-
 .../ikev1/rw-cert/hosts/carol/etc/strongswan.conf  |    3 +-
 .../ikev1/rw-cert/hosts/dave/etc/strongswan.conf   |    3 +-
 .../ikev1/rw-cert/hosts/moon/etc/strongswan.conf   |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 -
 .../hosts/dave/etc/strongswan.conf                 |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    2 -
 .../hosts/dave/etc/strongswan.conf                 |    2 -
 .../hosts/moon/etc/strongswan.conf                 |    2 -
 .../hosts/carol/etc/strongswan.conf                |    2 -
 .../hosts/dave/etc/strongswan.conf                 |    2 -
 .../hosts/moon/etc/strongswan.conf                 |    2 -
 .../hosts/carol/etc/strongswan.conf                |    2 -
 .../hosts/dave/etc/strongswan.conf                 |    2 -
 .../hosts/moon/etc/strongswan.conf                 |    2 -
 .../xauth-psk/hosts/carol/etc/strongswan.conf      |    2 -
 .../ikev1/xauth-psk/hosts/dave/etc/strongswan.conf |    2 -
 .../ikev1/xauth-psk/hosts/moon/etc/strongswan.conf |    2 -
 .../hosts/alice/etc/strongswan.conf                |    1 +
 .../hosts/carol/etc/strongswan.conf                |    2 -
 .../hosts/moon/etc/strongswan.conf                 |    3 +
 .../hosts/alice/etc/strongswan.conf                |    1 +
 .../hosts/carol/etc/strongswan.conf                |    2 -
 .../hosts/moon/etc/strongswan.conf                 |    3 +
 .../xauth-rsa/hosts/carol/etc/strongswan.conf      |    2 -
 .../ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf |    2 -
 .../ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf |    2 -
 testing/tests/ikev2/acert-cached/description.txt   |   11 +
 testing/tests/ikev2/acert-cached/evaltest.dat      |   12 +
 .../hosts/carol/etc/ipsec.conf                     |    8 +-
 .../hosts/carol}/etc/strongswan.conf               |    1 -
 .../hosts/dave}/etc/ipsec.conf                     |   12 +-
 .../hosts/dave}/etc/strongswan.conf                |    1 -
 .../hosts/moon/etc/ipsec.conf                      |   11 +-
 .../hosts/moon}/etc/strongswan.conf                |    3 +-
 testing/tests/ikev2/acert-cached/posttest.dat      |   11 +
 testing/tests/ikev2/acert-cached/pretest.dat       |    9 +
 testing/tests/ikev2/acert-cached/test.conf         |   21 +
 testing/tests/ikev2/acert-fallback/description.txt |   12 +
 testing/tests/ikev2/acert-fallback/evaltest.dat    |    8 +
 .../hosts/carol/etc/ipsec.conf                     |    8 +-
 .../hosts/carol}/etc/strongswan.conf               |    1 -
 .../ikev2/acert-fallback/hosts/moon/etc/ipsec.conf |   32 +
 .../hosts/moon}/etc/strongswan.conf                |    3 +-
 testing/tests/ikev2/acert-fallback/posttest.dat    |    8 +
 testing/tests/ikev2/acert-fallback/pretest.dat     |    6 +
 testing/tests/ikev2/acert-fallback/test.conf       |   21 +
 testing/tests/ikev2/acert-inline/description.txt   |   12 +
 testing/tests/ikev2/acert-inline/evaltest.dat      |   15 +
 .../hosts/carol/etc/ipsec.conf                     |    8 +-
 .../hosts/carol}/etc/strongswan.conf               |    1 -
 .../hosts/dave}/etc/ipsec.conf                     |   12 +-
 .../hosts/dave}/etc/strongswan.conf                |    1 -
 .../hosts/moon/etc/ipsec.conf                      |   11 +-
 .../hosts/moon}/etc/strongswan.conf                |    3 +-
 testing/tests/ikev2/acert-inline/posttest.dat      |   13 +
 testing/tests/ikev2/acert-inline/pretest.dat       |    9 +
 testing/tests/ikev2/acert-inline/test.conf         |   21 +
 testing/tests/ikev2/compress-nat/posttest.dat      |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    5 +-
 .../hosts/sun/etc/strongswan.conf                  |    1 +
 testing/tests/ikev2/double-nat-net/posttest.dat    |    2 -
 testing/tests/ikev2/double-nat/posttest.dat        |    2 -
 .../hosts/carol/etc/strongswan.conf                |    2 -
 .../hosts/dave/etc/strongswan.conf                 |    2 -
 .../hosts/moon/etc/strongswan.conf                 |    2 -
 .../hosts/carol/etc/strongswan.conf                |    2 -
 .../hosts/dave/etc/strongswan.conf                 |    2 -
 .../hosts/moon/etc/strongswan.conf                 |    2 -
 testing/tests/ikev2/ip-two-pools-db/posttest.dat   |    1 -
 .../tests/ikev2/ip-two-pools-mixed/posttest.dat    |    1 -
 .../tests/ikev2/ip-two-pools-v4v6-db/posttest.dat  |    1 -
 testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat |    1 -
 testing/tests/ikev2/ip-two-pools/posttest.dat      |    1 -
 testing/tests/ikev2/mobike-nat/posttest.dat        |    1 -
 testing/tests/ikev2/mobike-nat/pretest.dat         |    1 -
 .../moon/etc/ipsec.d/cacerts/researchCert.pem      |   18 +-
 testing/tests/ikev2/nat-rw-mark/posttest.dat       |    2 -
 testing/tests/ikev2/nat-rw-psk/posttest.dat        |    1 -
 testing/tests/ikev2/nat-rw/posttest.dat            |    1 -
 testing/tests/ikev2/nat-rw/pretest.dat             |    5 +-
 testing/tests/ikev2/nat-virtual-ip/posttest.dat    |    1 -
 testing/tests/ikev2/nat-virtual-ip/pretest.dat     |    3 +-
 .../net2net-dnscert/hosts/moon/etc/strongswan.conf |    5 -
 .../net2net-dnscert/hosts/sun/etc/strongswan.conf  |    5 -
 .../net2net-dnssec/hosts/moon/etc/strongswan.conf  |    5 -
 .../net2net-dnssec/hosts/sun/etc/strongswan.conf   |    5 -
 .../ikev2/net2net-ntru-bandwidth/description.txt   |    9 +
 .../ikev2/net2net-ntru-bandwidth/evaltest.dat      |    9 +
 .../hosts/moon/etc/ipsec.conf                      |   16 +-
 .../hosts/moon/etc/strongswan.conf                 |    5 +-
 .../hosts/sun/etc/ipsec.conf                       |   25 +
 .../hosts/sun}/etc/strongswan.conf                 |    5 +-
 .../net2net-ntru-bandwidth}/posttest.dat           |    3 +-
 .../net2net-ntru-bandwidth}/pretest.dat            |    2 -
 .../tests/ikev2/net2net-ntru-bandwidth/test.conf   |   21 +
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 testing/tests/ikev2/net2net-same-nets/posttest.dat |    1 -
 .../carol/etc/ipsec.d/ocspcerts/ocspCert-self.pem  |   28 +-
 .../moon/etc/ipsec.d/ocspcerts/ocspCert-self.pem   |   28 +-
 testing/tests/ikev2/ocsp-multi-level/evaltest.dat  |    4 +
 .../tests/ikev2/ocsp-no-signer-cert/evaltest.dat   |    2 +-
 .../carol/etc/ipsec.d/certs/carolCert-ifuri.pem    |   38 +-
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |   50 +-
 .../dave/etc/ipsec.d/certs/daveCert-ifuri.pem      |   36 +-
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |   50 +-
 .../tests/ikev2/ocsp-untrusted-cert/evaltest.dat   |    3 +-
 .../ikev2/rw-cert/hosts/carol/etc/strongswan.conf  |    2 -
 .../ikev2/rw-cert/hosts/dave/etc/strongswan.conf   |    2 -
 .../ikev2/rw-cert/hosts/moon/etc/strongswan.conf   |    2 -
 .../rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf |    2 -
 .../rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf  |    2 -
 .../rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf |    2 -
 .../rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf  |    2 -
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 testing/tests/ikev2/rw-eap-tls-only/evaltest.dat   |    1 +
 .../rw-eap-tls-only/hosts/carol/etc/ipsec.conf     |    1 +
 .../hosts/carol/etc/strongswan.conf                |    3 +-
 .../rw-eap-tls-only/hosts/moon/etc/ipsec.conf      |    1 +
 .../rw-eap-tls-only/hosts/moon/etc/strongswan.conf |    7 +-
 testing/tests/ikev2/rw-mark-in-out/posttest.dat    |    2 -
 .../tests/libipsec/net2net-3des/description.txt    |    9 +
 testing/tests/libipsec/net2net-3des/evaltest.dat   |   11 +
 .../net2net-3des}/hosts/moon/etc/ipsec.conf        |   17 +-
 .../net2net-3des/hosts/moon}/etc/strongswan.conf   |    2 +-
 .../libipsec/net2net-3des/hosts/moon/etc/updown    |  705 ++++++
 .../libipsec/net2net-3des/hosts/sun/etc/ipsec.conf |   24 +
 .../net2net-3des}/hosts/sun/etc/strongswan.conf    |    2 +-
 .../libipsec/net2net-3des/hosts/sun/etc/updown     |  705 ++++++
 .../net2net-3des}/posttest.dat                     |    2 -
 .../net2net-3des}/pretest.dat                      |    2 -
 testing/tests/libipsec/net2net-3des/test.conf      |   21 +
 .../rw-suite-b/hosts/carol/etc/strongswan.conf     |    2 -
 .../rw-suite-b/hosts/dave/etc/strongswan.conf      |    2 -
 .../rw-suite-b/hosts/moon/etc/strongswan.conf      |    2 -
 .../hosts/moon/etc/strongswan.conf                 |    2 -
 .../openssl-ikev2/net2net-pgp-v3/description.txt   |    6 +
 .../openssl-ikev2/net2net-pgp-v3/evaltest.dat      |    7 +
 .../net2net-pgp-v3}/hosts/moon/etc/ipsec.conf      |   14 +-
 .../net2net-pgp-v3/hosts/moon/etc/ipsec.secrets    |    3 +
 .../net2net-pgp-v3/hosts/moon/etc/strongswan.conf  |    6 +
 .../net2net-pgp-v3/hosts/sun}/etc/ipsec.conf       |   15 +-
 .../net2net-pgp-v3/hosts/sun/etc/ipsec.secrets     |    3 +
 .../net2net-pgp-v3/hosts/sun/etc/strongswan.conf   |    6 +
 .../net2net-pgp-v3}/posttest.dat                   |    6 +-
 .../net2net-pgp-v3}/pretest.dat                    |    6 +-
 .../tests/openssl-ikev2/net2net-pgp-v3/test.conf   |   21 +
 .../rw-cert/hosts/carol/etc/strongswan.conf        |    2 -
 .../rw-cert/hosts/dave/etc/strongswan.conf         |    2 -
 .../rw-cert/hosts/moon/etc/strongswan.conf         |    2 -
 .../openssl-ikev2/rw-eap-tls-only/evaltest.dat     |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../rw-eap-tls-only/hosts/moon/etc/strongswan.conf |    6 +-
 .../rw-suite-b-128/hosts/carol/etc/strongswan.conf |    5 +-
 .../rw-suite-b-128/hosts/dave/etc/strongswan.conf  |    5 +-
 .../rw-suite-b-128/hosts/moon/etc/strongswan.conf  |    4 +-
 .../rw-suite-b-192/hosts/carol/etc/strongswan.conf |    5 +-
 .../rw-suite-b-192/hosts/dave/etc/strongswan.conf  |    5 +-
 .../rw-suite-b-192/hosts/moon/etc/strongswan.conf  |    4 +-
 testing/tests/p2pnat/behind-same-nat/posttest.dat  |    1 -
 testing/tests/p2pnat/medsrv-psk/posttest.dat       |    2 -
 testing/tests/pfkey/nat-rw/posttest.dat            |    1 -
 .../pfkey/rw-cert/hosts/carol/etc/strongswan.conf  |    2 -
 .../pfkey/rw-cert/hosts/dave/etc/strongswan.conf   |    2 -
 .../pfkey/rw-cert/hosts/moon/etc/strongswan.conf   |    2 -
 .../sql/rw-cert/hosts/carol/etc/strongswan.conf    |    2 -
 .../sql/rw-cert/hosts/dave/etc/strongswan.conf     |    2 -
 .../sql/rw-cert/hosts/moon/etc/strongswan.conf     |    2 -
 testing/tests/tnc/tnccs-20-pt-tls/pretest.dat      |    2 +-
 .../tests/tnc/tnccs-20-pts-no-ecc/description.txt  |   26 +
 testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat |   20 +
 .../hosts/carol/etc/ipsec.conf                     |    7 +-
 .../hosts/carol/etc/ipsec.secrets                  |    3 +
 .../hosts/carol/etc/strongswan.conf                |   22 +
 .../tnccs-20-pts-no-ecc/hosts/carol/etc/tnc_config |    4 +
 .../tnccs-20-pts-no-ecc/hosts/dave}/etc/ipsec.conf |    9 +-
 .../hosts/dave/etc/ipsec.secrets                   |    3 +
 .../hosts/dave/etc/strongswan.conf                 |   25 +
 .../tnccs-20-pts-no-ecc/hosts/dave/etc/tnc_config  |    4 +
 .../tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf  |   34 +
 .../hosts/moon/etc/ipsec.secrets                   |    6 +
 .../hosts/moon/etc/pts/data1.sql                   |   29 +
 .../hosts/moon/etc/strongswan.conf                 |   34 +
 .../tnccs-20-pts-no-ecc/hosts/moon/etc/tnc_config  |    4 +
 testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat |    8 +
 testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat  |   18 +
 testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf    |   26 +
 .../tnccs-dynamic/hosts/carol/etc/strongswan.conf  |   12 +-
 .../tnccs-dynamic/hosts/dave/etc/strongswan.conf   |   12 +-
 .../tnccs-dynamic/hosts/moon/etc/strongswan.conf   |   17 +-
 601 files changed, 12984 insertions(+), 9780 deletions(-)

diff --git a/Android.common.mk b/Android.common.mk
index 14abca8..9f49831 100644
--- a/Android.common.mk
+++ b/Android.common.mk
@@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \
               )
 
 # strongSwan version, replaced by top Makefile
-strongswan_VERSION := "5.1.2"
+strongswan_VERSION := "5.1.3"
 
diff --git a/Makefile.in b/Makefile.in
index a81e93f..7115717 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -401,7 +401,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/NEWS b/NEWS
index 0d22295..fd33fb0 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,25 @@
+strongswan-5.1.3
+----------------
+
+- Fixed an authentication bypass vulnerability triggered by rekeying an
+  unestablished IKEv2 SA while it gets actively initiated.  This allowed an
+  attacker to trick a peer's IKE_SA state to established, without the need to
+  provide any valid authentication credentials.  The vulnerability has been
+  registered as CVE-2014-2338.
+
+- The acert plugin evaluates X.509 Attribute Certificates. Group membership
+  information encoded as strings can be used to fulfill authorization checks
+  defined with the rightgroups option. Attribute Certificates can be loaded
+  locally or get exchanged in IKEv2 certificate payloads.
+
+- The pki command gained support to generate X.509 Attribute Certificates
+  using the --acert subcommand, while the --print command supports the ac type.
+  The openac utility has been removed in favor of the new pki functionality.
+
+- The libtls TLS 1.2 implementation as used by EAP-(T)TLS and other protocols
+  has been extended by AEAD mode support, currently limited to AES-GCM.
+
+
 strongswan-5.1.2
 ----------------
 
diff --git a/conf/Makefile.in b/conf/Makefile.in
index d925932..e14c44e 100644
--- a/conf/Makefile.in
+++ b/conf/Makefile.in
@@ -346,7 +346,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/conf/format-options.py b/conf/format-options.py
index 04afed6..fc6e6e1 100755
--- a/conf/format-options.py
+++ b/conf/format-options.py
@@ -54,6 +54,7 @@ import sys
 import re
 from textwrap import TextWrapper
 from optparse import OptionParser
+from operator import attrgetter
 
 class ConfigOption:
 	"""Representing a configuration option or described section in strongswan.conf"""
@@ -67,9 +68,7 @@ class ConfigOption:
 		self.options = []
 
 	def __cmp__(self, other):
-		if self.section == other.section:
-			return  cmp(self.name, other.name)
-		return 1 if self.section else -1
+		return  cmp(self.name, other.name)
 
 	def add_paragraph(self):
 		"""Adds a new paragraph to the description"""
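Review bot: With `__cmp__` now comparing only `name`, two options that share a name but differ in `section` compare equal, which the previous version did not do; that is harmless for plain sorting, but if anything in the script compares options with `==` or tests membership with `in`, the answer changes, so the intent deserves a one-line comment such as `# order by name only; the section/plain split is applied by the callers' stable sort on .section`. Note also that `__cmp__` is ignored by Python 3, so if this script (which still uses print statements) is ever ported, the comparison would have to be expressed as `__lt__`/`__eq__` instead.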
@@ -246,7 +245,7 @@ class ConfFormatter:
 		self.__print_description(section, indent)
 		print '{0}{1}{2} {{'.format(self.__indent * indent, comment, section.name)
 		print
-		for o in section.options:
+		for o in sorted(section.options, key=attrgetter('section')):
 			if o.section:
 				self.__print_section(o, indent + 1, section.commented)
 			else:
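Review bot: The new sort key `attrgetter('section')` relies on two facts the hunk does not state: that `section` is a boolean-like value so plain options (False) come before subsections (True), and that `sorted` is stable so the previous name ordering within each group survives. A comment on the loop would make that explicit, e.g. `# stable sort: plain options first, then subsections, each keeping their prior order`. If `section` can be None on some options, the comparison against a bool works in Python 2 but would raise TypeError under Python 3, which is worth knowing given the `__cmp__` usage elsewhere in this file.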
@@ -258,7 +257,7 @@ class ConfFormatter:
 		"""Print a list of options"""
 		if not options:
 			return
-		for option in options:
+		for option in sorted(options, key=attrgetter('section')):
 			if option.section:
 				self.__print_section(option, 0, False)
 			else:
diff --git a/conf/options/tools.conf b/conf/options/tools.conf
index a3ab099..781635c 100644
--- a/conf/options/tools.conf
+++ b/conf/options/tools.conf
@@ -1,10 +1,3 @@
-openac {
-
-    # Plugins to load in ipsec openac tool.
-    # load =
-
-}
-
 pki {
 
     # Plugins to load in ipsec pki tool.
diff --git a/conf/options/tools.opt b/conf/options/tools.opt
index 23e6a1c..72a49de 100644
--- a/conf/options/tools.opt
+++ b/conf/options/tools.opt
@@ -1,6 +1,3 @@
-openac.load =
-	Plugins to load in ipsec openac tool.
-
 pki.load =
 	Plugins to load in ipsec pki tool.
 
diff --git a/conf/plugins/eap-radius.conf b/conf/plugins/eap-radius.conf
index 53023b8..64db674 100644
--- a/conf/plugins/eap-radius.conf
+++ b/conf/plugins/eap-radius.conf
@@ -3,6 +3,10 @@ eap-radius {
     # Send RADIUS accounting information to RADIUS servers.
     # accounting = no
 
+    # Close the IKE_SA if there is a timeout during interim RADIUS accounting
+    # updates.
+    # accounting_close_on_timeout = yes
+
     # If enabled, accounting is disabled unless an IKE_SA has at least one
     # virtual IP.
     # accounting_requires_vip = no
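Review bot: The new `accounting_close_on_timeout` comment does not say how it relates to the existing `close_all_on_timeout` option, which the man page in this same commit describes as closing all IKE_SAs when communication with the RADIUS server times out, so a reader cannot tell whether the two combine or which one applies when an interim accounting update times out. Since the default is `yes`, the comment should also make the operational effect explicit, e.g. `# Close the IKE_SA if there is a timeout during interim RADIUS accounting updates (default yes: fail closed; see also close_all_on_timeout).`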
diff --git a/conf/plugins/eap-radius.opt b/conf/plugins/eap-radius.opt
index 0edd345..0df6a0d 100644
--- a/conf/plugins/eap-radius.opt
+++ b/conf/plugins/eap-radius.opt
@@ -1,6 +1,10 @@
 charon.plugins.eap-radius.accounting = no
 	Send RADIUS accounting information to RADIUS servers.
 
+charon.plugins.eap-radius.accounting_close_on_timeout = yes
+	Close the IKE_SA if there is a timeout during interim RADIUS accounting
+	updates.
+
 charon.plugins.eap-radius.accounting_requires_vip = no
 	If enabled, accounting is disabled unless an IKE_SA has at least one
 	virtual IP.
diff --git a/conf/plugins/imc-attestation.conf b/conf/plugins/imc-attestation.conf
index ffb1b45..2d8deaa 100644
--- a/conf/plugins/imc-attestation.conf
+++ b/conf/plugins/imc-attestation.conf
@@ -13,6 +13,9 @@ imc-attestation {
     # priority of this plugin.
     load = yes
 
+    # Enforce mandatory Diffie-Hellman groups.
+    # mandatory_dh_groups = yes
+
     # DH nonce length.
     # nonce_len = 20
 
diff --git a/conf/plugins/imc-attestation.opt b/conf/plugins/imc-attestation.opt
index 9c10805..aaac4c2 100644
--- a/conf/plugins/imc-attestation.opt
+++ b/conf/plugins/imc-attestation.opt
@@ -7,6 +7,9 @@ charon.plugins.imc-attestation.aik_cert =
 charon.plugins.imc-attestation.aik_key =
 	AIK public key file.
 
+charon.plugins.imc-attestation.mandatory_dh_groups = yes
+	Enforce mandatory Diffie-Hellman groups.
+
 charon.plugins.imc-attestation.nonce_len = 20
 	DH nonce length.
 
@@ -14,4 +17,4 @@ charon.plugins.imc-attestation.use_quote2 = yes
 	Use Quote2 AIK signature instead of Quote signature.
 
 charon.plugins.imc-attestation.pcr_info = yes
-	Whether to send pcr_before and pcr_after info.
\ No newline at end of file
+	Whether to send pcr_before and pcr_after info.
diff --git a/conf/plugins/imv-attestation.conf b/conf/plugins/imv-attestation.conf
index 48ffba8..3a1a7f2 100644
--- a/conf/plugins/imv-attestation.conf
+++ b/conf/plugins/imv-attestation.conf
@@ -35,6 +35,9 @@ imv-attestation {
     # priority of this plugin.
     load = yes
 
+    # Enforce mandatory Diffie-Hellman groups.
+    # mandatory_dh_groups = yes
+
     # DH minimum nonce length.
     # min_nonce_len = 0
 
diff --git a/conf/plugins/imv-attestation.opt b/conf/plugins/imv-attestation.opt
index c0ae204..f266281 100644
--- a/conf/plugins/imv-attestation.opt
+++ b/conf/plugins/imv-attestation.opt
@@ -1,6 +1,9 @@
 charon.plugins.imv-attestation.cadir =
 	Path to directory with AIK cacerts.
 
+charon.plugins.imv-attestation.mandatory_dh_groups = yes
+	Enforce mandatory Diffie-Hellman groups.
+
 charon.plugins.imv-attestation.dh_group = ecp256
 	Preferred Diffie-Hellman group.
 
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index 282b8fa..12fde49 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -48,6 +48,37 @@ Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
 Number of half\-open IKE_SAs that activate the cookie mechanism.
 
 .TP
+.BR charon.crypto_test.bench " [no]"
+Benchmark crypto algorithms and order them by efficiency.
+
+.TP
+.BR charon.crypto_test.bench_size " [1024]"
+Buffer size used for crypto benchmark.
+
+.TP
+.BR charon.crypto_test.bench_time " [50]"
+Number of iterations to test each algorithm.
+
+.TP
+.BR charon.crypto_test.on_add " [no]"
+Test crypto algorithms during registration (requires test vectors provided by
+the
+.RI "" "test\-vectors" ""
+plugin).
+
+.TP
+.BR charon.crypto_test.on_create " [no]"
+Test crypto algorithms on each crypto primitive instantiation.
+
+.TP
+.BR charon.crypto_test.required " [no]"
+Strictly require at least one test vector to enable an algorithm.
+
+.TP
+.BR charon.crypto_test.rng_true " [no]"
+Whether to test RNG with TRUE quality; requires a lot of entropy.
+
+.TP
 .BR charon.dh_exponent_ansi_x9_42 " [yes]"
 Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
 strength.
@@ -69,6 +100,47 @@ Enable Denial of Service protection using cookies and aggressiveness checks.
 Compliance with the errata for RFC 4753.
 
 .TP
+.B charon.filelog
+.br
+Section to define file loggers, see LOGGER CONFIGURATION in
+.RB "" "strongswan.conf" "(5)."
+
+
+.TP
+.B charon.filelog.<filename>
+.br
+<filename> is the full path to the log file.
+
+.TP
+.BR charon.filelog.<filename>.<subsystem> " [<default>]"
+Loglevel for a specific subsystem.
+
+.TP
+.BR charon.filelog.<filename>.append " [yes]"
+If this option is enabled log entries are appended to the existing file.
+
+.TP
+.BR charon.filelog.<filename>.default " [1]"
+Specifies the default loglevel to be used for subsystems for which no specific
+loglevel is defined.
+
+.TP
+.BR charon.filelog.<filename>.flush_line " [no]"
+Enabling this option disables block buffering and enables line buffering.
+
+.TP
+.BR charon.filelog.<filename>.ike_name " [no]"
+Prefix each log entry with the connection name and a unique numerical identifier
+for each IKE_SA.
+
+.TP
+.BR charon.filelog.<filename>.time_format " []"
+Prefix each log entry with a timestamp. The option accepts a format string as
+passed to
+.RB "" "strftime" "(3)."
+
+
+.TP
 .BR charon.flush_auth_cfg " [no]"
 If enabled objects used during authentication (certificates, identities etc.)
 are released to free memory once an IKE_SA is established. Enabling this might
@@ -92,6 +164,14 @@ Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
 Enable hash and URL support.
 
 .TP
+.BR charon.host_resolver.max_threads " [3]"
+Maximum number of concurrent resolver threads (they are terminated if unused).
+
+.TP
+.BR charon.host_resolver.min_threads " [0]"
+Minimum number of resolver threads to keep around.
+
+.TP
 .BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]"
 If enabled responders are allowed to use IKEv1 Aggressive Mode with pre\-shared
 keys, which is discouraged due to security concerns (offline attacks on the
@@ -115,6 +195,34 @@ Number of exclusively locked segments in the hash table.
 Size of the IKE_SA hash table.
 
 .TP
+.B charon.imcv
+.br
+Defaults for options in this section can be configured in the
+.RI "" "libimcv" ""
+section.
+
+.TP
+.BR charon.imcv.assessment_result " [yes]"
+Whether IMVs send a standard IETF Assessment Result attribute.
+
+.TP
+.BR charon.imcv.database " []"
+Global IMV policy database URI. If it contains a password, make sure to adjust
+the permissions of the config file accordingly.
+
+.TP
+.BR charon.imcv.os_info.name " []"
+Manually set the name of the client OS (e.g. Ubuntu).
+
+.TP
+.BR charon.imcv.os_info.version " []"
+Manually set the version of the client OS (e.g. 12.04 i686).
+
+.TP
+.BR charon.imcv.policy_script " [ipsec _imv_policy]"
+Script called for each TNC connection to generate IMV policies.
+
+.TP
 .BR charon.inactivity_close_ike " [no]"
 Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
 
@@ -167,254 +275,47 @@ other interfaces are ignored.
 NAT keep alive interval.
 
 .TP
-.BR charon.load " []"
-Plugins to load in the IKE daemon charon.
-
-.TP
-.BR charon.load_modular " [no]"
-If enabled, the list of plugins to load is determined via the value of the
-.RI "" "charon.plugins.<name>.load" ""
-options.  In addition to a simple boolean flag that
-option may take an integer value indicating the priority of a plugin, which
-would influence the order of a plugin in the plugin list (the default is 1). If
-two plugins have the same priority their order in the default plugin list is
-preserved. Enabled plugins not found in that list are ordered alphabetically
-before other plugins with the same priority.
-
-.TP
-.BR charon.max_packet " [10000]"
-Maximum packet size accepted by charon.
-
-.TP
-.BR charon.multiple_authentication " [yes]"
-Enable multiple authentication exchanges (RFC 4739).
-
-.TP
-.BR charon.nbns1 " []"
-WINS servers assigned to peer via configuration payload (CP).
-
-.TP
-.BR charon.nbns2 " []"
-WINS servers assigned to peer via configuration payload (CP).
-
-.TP
-.BR charon.port " [500]"
-UDP port used locally. If set to 0 a random port will be allocated.
-
-.TP
-.BR charon.port_nat_t " [4500]"
-UDP port used locally in case of NAT\-T. If set to 0 a random port will be
-allocated.  Has to be different from
-.RB "" "charon.port" ","
-otherwise a random port
-will be allocated.
-
-.TP
-.BR charon.process_route " [yes]"
-Process RTM_NEWROUTE and RTM_DELROUTE events.
-
-.TP
-.BR charon.receive_delay " [0]"
-Delay in ms for receiving packets, to simulate larger RTT.
-
-.TP
-.BR charon.receive_delay_request " [yes]"
-Delay request messages.
-
-.TP
-.BR charon.receive_delay_response " [yes]"
-Delay response messages.
-
-.TP
-.BR charon.receive_delay_type " [0]"
-Specific IKEv2 message type to delay, 0 for any.
-
-.TP
-.BR charon.replay_window " [32]"
-Size of the AH/ESP replay window, in packets.
-
-.TP
-.BR charon.retransmit_base " [1.8]"
-Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION in
-.RB "" "strongswan.conf" "(5)."
-
-
-.TP
-.BR charon.retransmit_timeout " [4.0]"
-Timeout in seconds before sending first retransmit.
-
-.TP
-.BR charon.retransmit_tries " [5]"
-Number of times to retransmit a packet before giving up.
-
-.TP
-.BR charon.retry_initiate_interval " [0]"
-Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
-failed), 0 to disable retries.
-
-.TP
-.BR charon.reuse_ikesa " [yes]"
-Initiate CHILD_SA within existing IKE_SAs.
-
-.TP
-.BR charon.routing_table " []"
-Numerical routing table to install routes to.
-
-.TP
-.BR charon.routing_table_prio " []"
-Priority of the routing table.
-
-.TP
-.BR charon.send_delay " [0]"
-Delay in ms for sending packets, to simulate larger RTT.
-
-.TP
-.BR charon.send_delay_request " [yes]"
-Delay request messages.
-
-.TP
-.BR charon.send_delay_response " [yes]"
-Delay response messages.
-
-.TP
-.BR charon.send_delay_type " [0]"
-Specific IKEv2 message type to delay, 0 for any.
-
-.TP
-.BR charon.send_vendor_id " [no]"
-Send strongSwan vendor ID payload
-
-.TP
-.BR charon.threads " [16]"
-Number of worker threads in charon. Several of these are reserved for long
-running tasks in internal modules and plugins. Therefore, make sure you don't
-set this value too low. The number of idle worker threads listed in
-.RI "" "ipsec statusall" ""
-might be used as indicator on the number of reserved threads.
-
-.TP
-.BR charon.user " []"
-Name of the user the daemon changes to after startup.
-
-.TP
-.BR charon.crypto_test.bench " [no]"
-Benchmark crypto algorithms and order them by efficiency.
-
-.TP
-.BR charon.crypto_test.bench_size " [1024]"
-Buffer size used for crypto benchmark.
-
-.TP
-.BR charon.crypto_test.bench_time " [50]"
-Number of iterations to test each algorithm.
-
-.TP
-.BR charon.crypto_test.on_add " [no]"
-Test crypto algorithms during registration (requires test vectors provided by
-the
-.RI "" "test\-vectors" ""
-plugin).
-
-.TP
-.BR charon.crypto_test.on_create " [no]"
-Test crypto algorithms on each crypto primitive instantiation.
-
-.TP
-.BR charon.crypto_test.required " [no]"
-Strictly require at least one test vector to enable an algorithm.
-
-.TP
-.BR charon.crypto_test.rng_true " [no]"
-Whether to test RNG with TRUE quality; requires a lot of entropy.
-
-.TP
-.B charon.filelog
-.br
-Section to define file loggers, see LOGGER CONFIGURATION in
-.RB "" "strongswan.conf" "(5)."
-
-
-.TP
-.B charon.filelog.<filename>
-.br
-<filename> is the full path to the log file.
-
-.TP
-.BR charon.filelog.<filename>.<subsystem> " [<default>]"
-Loglevel for a specific subsystem.
-
-.TP
-.BR charon.filelog.<filename>.append " [yes]"
-If this option is enabled log entries are appended to the existing file.
-
-.TP
-.BR charon.filelog.<filename>.default " [1]"
-Specifies the default loglevel to be used for subsystems for which no specific
-loglevel is defined.
-
-.TP
-.BR charon.filelog.<filename>.flush_line " [no]"
-Enabling this option disables block buffering and enables line buffering.
-
-.TP
-.BR charon.filelog.<filename>.ike_name " [no]"
-Prefix each log entry with the connection name and a unique numerical identifier
-for each IKE_SA.
-
-.TP
-.BR charon.filelog.<filename>.time_format " []"
-Prefix each log entry with a timestamp. The option accepts a format string as
-passed to
-.RB "" "strftime" "(3)."
-
-
-.TP
-.BR charon.host_resolver.max_threads " [3]"
-Maximum number of concurrent resolver threads (they are terminated if unused).
-
-.TP
-.BR charon.host_resolver.min_threads " [0]"
-Minimum number of resolver threads to keep around.
-
-.TP
-.B charon.imcv
-.br
-Defaults for options in this section can be configured in the
-.RI "" "libimcv" ""
-section.
+.BR charon.leak_detective.detailed " [yes]"
+Includes source file names and line numbers in leak detective output.
 
 .TP
-.BR charon.imcv.assessment_result " [yes]"
-Whether IMVs send a standard IETF Assessment Result attribute.
+.BR charon.leak_detective.usage_threshold " [10240]"
+Threshold in bytes for leaks to be reported (0 to report all).
 
 .TP
-.BR charon.imcv.database " []"
-Global IMV policy database URI. If it contains a password, make sure to adjust
-the permissions of the config file accordingly.
+.BR charon.leak_detective.usage_threshold_count " [0]"
+Threshold in number of allocations for leaks to be reported (0 to report all).
 
 .TP
-.BR charon.imcv.policy_script " [ipsec _imv_policy]"
-Script called for each TNC connection to generate IMV policies.
+.BR charon.load " []"
+Plugins to load in the IKE daemon charon.
 
 .TP
-.BR charon.imcv.os_info.name " []"
-Manually set the name of the client OS (e.g. Ubuntu).
+.BR charon.load_modular " [no]"
+If enabled, the list of plugins to load is determined via the value of the
+.RI "" "charon.plugins.<name>.load" ""
+options.  In addition to a simple boolean flag that
+option may take an integer value indicating the priority of a plugin, which
+would influence the order of a plugin in the plugin list (the default is 1). If
+two plugins have the same priority their order in the default plugin list is
+preserved. Enabled plugins not found in that list are ordered alphabetically
+before other plugins with the same priority.
 
 .TP
-.BR charon.imcv.os_info.version " []"
-Manually set the version of the client OS (e.g. 12.04 i686).
+.BR charon.max_packet " [10000]"
+Maximum packet size accepted by charon.
 
 .TP
-.BR charon.leak_detective.detailed " [yes]"
-Includes source file names and line numbers in leak detective output.
+.BR charon.multiple_authentication " [yes]"
+Enable multiple authentication exchanges (RFC 4739).
 
 .TP
-.BR charon.leak_detective.usage_threshold " [10240]"
-Threshold in bytes for leaks to be reported (0 to report all).
+.BR charon.nbns1 " []"
+WINS servers assigned to peer via configuration payload (CP).
 
 .TP
-.BR charon.leak_detective.usage_threshold_count " [0]"
-Threshold in number of allocations for leaks to be reported (0 to report all).
+.BR charon.nbns2 " []"
+WINS servers assigned to peer via configuration payload (CP).
 
 .TP
 .BR charon.plugins.android_log.loglevel " [1]"
@@ -588,6 +489,10 @@ Request peer authentication based on a client certificate.
 Send RADIUS accounting information to RADIUS servers.
 
 .TP
+.BR charon.plugins.eap-radius.accounting_close_on_timeout " [yes]"
+Close the IKE_SA if there is a timeout during interim RADIUS accounting updates.
+
+.TP
 .BR charon.plugins.eap-radius.accounting_requires_vip " [no]"
 If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP.
 
@@ -608,6 +513,23 @@ Closes all IKE_SAs if communication with the RADIUS server times out. If it is
 not set only the current IKE_SA is closed.
 
 .TP
+.BR charon.plugins.eap-radius.dae.enable " [no]"
+Enables support for the Dynamic Authorization Extension (RFC 5176).
+
+.TP
+.BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]"
+Address to listen for DAE messages from the RADIUS server.
+
+.TP
+.BR charon.plugins.eap-radius.dae.port " [3799]"
+Port to listen for DAE requests.
+
+.TP
+.BR charon.plugins.eap-radius.dae.secret " []"
+Shared secret used to verify/sign DAE messages. If set, make sure to adjust the
+permissions of the config file accordingly.
+
+.TP
 .BR charon.plugins.eap-radius.eap_start " [no]"
 Send EAP\-Start instead of EAP\-Identity to start RADIUS conversation.
 
@@ -627,6 +549,20 @@ option in
 
 
 .TP
+.BR charon.plugins.eap-radius.forward.ike_to_radius " []"
+RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by name
+or attribute number, a colon can be used to specify vendor\-specific attributes,
+e.g. Reply\-Message, or 11, or 36906:12).
+
+.TP
+.BR charon.plugins.eap-radius.forward.radius_to_ike " []"
+Same as
+.RI "" "charon.plugins.eap\-radius.forward.ike_to_radius" ""
+but from RADIUS to
+IKEv2, a strongSwan specific private notify (40969) is used to transmit the
+attributes.
+
+.TP
 .BR charon.plugins.eap-radius.id_prefix " []"
 Prefix to EAP\-Identity, some AAA servers use a IMSI prefix to select the EAP
 method.
@@ -649,41 +585,6 @@ permissions of the config file accordingly.
 IP/Hostname of RADIUS server.
 
 .TP
-.BR charon.plugins.eap-radius.sockets " [1]"
-Number of sockets (ports) to use, increase for high load.
-
-.TP
-.BR charon.plugins.eap-radius.dae.enable " [no]"
-Enables support for the Dynamic Authorization Extension (RFC 5176).
-
-.TP
-.BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]"
-Address to listen for DAE messages from the RADIUS server.
-
-.TP
-.BR charon.plugins.eap-radius.dae.port " [3799]"
-Port to listen for DAE requests.
-
-.TP
-.BR charon.plugins.eap-radius.dae.secret " []"
-Shared secret used to verify/sign DAE messages. If set, make sure to adjust the
-permissions of the config file accordingly.
-
-.TP
-.BR charon.plugins.eap-radius.forward.ike_to_radius " []"
-RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by name
-or attribute number, a colon can be used to specify vendor\-specific attributes,
-e.g. Reply\-Message, or 11, or 36906:12).
-
-.TP
-.BR charon.plugins.eap-radius.forward.radius_to_ike " []"
-Same as
-.RI "" "charon.plugins.eap\-radius.forward.ike_to_radius" ""
-but from RADIUS to
-IKEv2, a strongSwan specific private notify (40969) is used to transmit the
-attributes.
-
-.TP
 .B charon.plugins.eap-radius.servers
 .br
 Section to specify multiple RADIUS servers. The
@@ -706,6 +607,10 @@ accounting. For each RADIUS server a priority can be specified using the
 [0] option.
 
 .TP
+.BR charon.plugins.eap-radius.sockets " [1]"
+Number of sockets (ports) to use, increase for high load.
+
+.TP
 .B charon.plugins.eap-radius.xauth
 .br
 Section to configure multiple XAuth authentication rounds via RADIUS. The
@@ -842,6 +747,10 @@ AIK certificate file.
 AIK public key file.
 
 .TP
+.BR charon.plugins.imc-attestation.mandatory_dh_groups " [yes]"
+Enforce mandatory Diffie\-Hellman groups.
+
+.TP
 .BR charon.plugins.imc-attestation.nonce_len " [20]"
 DH nonce length.
 
@@ -922,6 +831,10 @@ Preferred Diffie\-Hellman group.
 Preferred measurement hash algorithm.
 
 .TP
+.BR charon.plugins.imv-attestation.mandatory_dh_groups " [yes]"
+Enforce mandatory Diffie\-Hellman groups.
+
+.TP
 .BR charon.plugins.imv-attestation.min_nonce_len " [0]"
 DH minimum nonce length.
 
@@ -992,6 +905,12 @@ Section to configure the load\-tester plugin, see LOAD TESTS in
 for details.
 
 .TP
+.B charon.plugins.load-tester.addrs
+.br
+Section that contains key/value pairs with address pools (in CIDR notation) to
+use for a specific network interface e.g. eth0 = 10.10.0.0/16.
+
+.TP
 .BR charon.plugins.load-tester.addrs_keep " [no]"
 Whether to keep dynamic addresses even after the associated SA got terminated.
 
@@ -1157,12 +1076,6 @@ IKE version to use (0 means use IKEv2 as initiator and accept any version as
 responder).
 
 .TP
-.B charon.plugins.load-tester.addrs
-.br
-Section that contains key/value pairs with address pools (in CIDR notation) to
-use for a specific network interface e.g. eth0 = 10.10.0.0/16.
-
-.TP
 .BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]"
 Socket provided by the lookip plugin.
 
@@ -1195,6 +1108,11 @@ Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
 Whether to load certificates from tokens.
 
 .TP
+.B charon.plugins.pkcs11.modules
+.br
+List of available PKCS#11 modules.
+
+.TP
 .BR charon.plugins.pkcs11.reload_certs " [no]"
 Reload certificates from all tokens if charon receives a SIGHUP.
 
@@ -1223,11 +1141,6 @@ keys not stored on tokens.
 Whether the PKCS#11 modules should be used as RNG.
 
 .TP
-.B charon.plugins.pkcs11.modules
-.br
-List of available PKCS#11 modules.
-
-.TP
 .BR charon.plugins.radattr.dir " []"
 Directory where RADIUS attributes are stored in client\-ID specific files.
 
@@ -1378,14 +1291,6 @@ or
 
 
 .TP
-.BR charon.plugins.tnc-pdp.server " []"
-Name of the strongSwan PDP as contained in the AAA certificate.
-
-.TP
-.BR charon.plugins.tnc-pdp.timeout " []"
-Timeout in seconds before closing incomplete connections.
-
-.TP
 .BR charon.plugins.tnc-pdp.pt_tls.enable " [yes]"
 Enable PT\-TLS protocol on the strongSwan PDP.
 
@@ -1411,6 +1316,14 @@ Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure to adjust
 the permissions of the config file accordingly.
 
 .TP
+.BR charon.plugins.tnc-pdp.server " []"
+Name of the strongSwan PDP as contained in the AAA certificate.
+
+.TP
+.BR charon.plugins.tnc-pdp.timeout " []"
+Timeout in seconds before closing incomplete connections.
+
+.TP
 .BR charon.plugins.tnccs-11.max_message_size " [45000]"
 Maximum size of a PA\-TNC message (XML & Base64 encoding).
 
@@ -1472,6 +1385,22 @@ If an email address is received as an XAuth username, trim it to just the
 username part.
 
 .TP
+.BR charon.port " [500]"
+UDP port used locally. If set to 0 a random port will be allocated.
+
+.TP
+.BR charon.port_nat_t " [4500]"
+UDP port used locally in case of NAT\-T. If set to 0 a random port will be
+allocated.  Has to be different from
+.RB "" "charon.port" ","
+otherwise a random port
+will be allocated.
+
+.TP
+.BR charon.process_route " [yes]"
+Process RTM_NEWROUTE and RTM_DELROUTE events.
+
+.TP
 .B charon.processor.priority_threads
 .br
 Section to configure the number of reserved threads per priority class see JOB
@@ -1480,6 +1409,77 @@ PRIORITY MANAGEMENT in
 
 
 .TP
+.BR charon.receive_delay " [0]"
+Delay in ms for receiving packets, to simulate larger RTT.
+
+.TP
+.BR charon.receive_delay_request " [yes]"
+Delay request messages.
+
+.TP
+.BR charon.receive_delay_response " [yes]"
+Delay response messages.
+
+.TP
+.BR charon.receive_delay_type " [0]"
+Specific IKEv2 message type to delay, 0 for any.
+
+.TP
+.BR charon.replay_window " [32]"
+Size of the AH/ESP replay window, in packets.
+
+.TP
+.BR charon.retransmit_base " [1.8]"
+Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION in
+.RB "" "strongswan.conf" "(5)."
+
+
+.TP
+.BR charon.retransmit_timeout " [4.0]"
+Timeout in seconds before sending first retransmit.
+
+.TP
+.BR charon.retransmit_tries " [5]"
+Number of times to retransmit a packet before giving up.
+
+.TP
+.BR charon.retry_initiate_interval " [0]"
+Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
+failed), 0 to disable retries.
+
+.TP
+.BR charon.reuse_ikesa " [yes]"
+Initiate CHILD_SA within existing IKE_SAs.
+
+.TP
+.BR charon.routing_table " []"
+Numerical routing table to install routes to.
+
+.TP
+.BR charon.routing_table_prio " []"
+Priority of the routing table.
+
+.TP
+.BR charon.send_delay " [0]"
+Delay in ms for sending packets, to simulate larger RTT.
+
+.TP
+.BR charon.send_delay_request " [yes]"
+Delay request messages.
+
+.TP
+.BR charon.send_delay_response " [yes]"
+Delay response messages.
+
+.TP
+.BR charon.send_delay_type " [0]"
+Specific IKEv2 message type to delay, 0 for any.
+
+.TP
+.BR charon.send_vendor_id " [no]"
+Send strongSwan vendor ID payload
+
+.TP
 .B charon.syslog
 .br
 Section to define syslog loggers, see LOGGER CONFIGURATION in
@@ -1487,16 +1487,6 @@ Section to define syslog loggers, see LOGGER CONFIGURATION in
 
 
 .TP
-.BR charon.syslog.identifier " []"
-Global identifier used for an
-.RB "" "openlog" "(3)"
-call, prepended to each log message
-by syslog.  If not configured,
-.RB "" "openlog" "(3)"
-is not called, so the value will
-depend on system defaults (often the program name).
-
-.TP
 .B charon.syslog.<facility>
 .br
 <facility> is one of the supported syslog facilities, see LOGGER CONFIGURATION
@@ -1519,6 +1509,24 @@ Prefix each log entry with the connection name and a unique numerical identifier
 for each IKE_SA.
 
 .TP
+.BR charon.syslog.identifier " []"
+Global identifier used for an
+.RB "" "openlog" "(3)"
+call, prepended to each log message
+by syslog.  If not configured,
+.RB "" "openlog" "(3)"
+is not called, so the value will
+depend on system defaults (often the program name).
+
+.TP
+.BR charon.threads " [16]"
+Number of worker threads in charon. Several of these are reserved for long
+running tasks in internal modules and plugins. Therefore, make sure you don't
+set this value too low. The number of idle worker threads listed in
+.RI "" "ipsec statusall" ""
+might be used as indicator on the number of reserved threads.
+
+.TP
 .BR charon.tls.cipher " []"
 List of TLS encryption ciphers.
 
@@ -1539,6 +1547,10 @@ List of TLS cipher suites.
 TNC IMC/IMV configuration file.
 
 .TP
+.BR charon.user " []"
+Name of the user the daemon changes to after startup.
+
+.TP
 .BR charon.x509.enforce_critical " [yes]"
 Discard certificates with unsupported or unknown critical extensions.
 
@@ -1623,10 +1635,6 @@ Number of thread for mediation service web application.
 Session timeout for mediation service.
 
 .TP
-.BR openac.load " []"
-Plugins to load in ipsec openac tool.
-
-.TP
 .BR pacman.database " []"
 Database URI for the database that stores the package information. If it
 contains a password, make sure to adjust the permissions of the config file
diff --git a/configure b/configure
index 652a5d0..6c4e4c9 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for strongSwan 5.1.2.
+# Generated by GNU Autoconf 2.69 for strongSwan 5.1.3.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='5.1.2'
-PACKAGE_STRING='strongSwan 5.1.2'
+PACKAGE_VERSION='5.1.3'
+PACKAGE_STRING='strongSwan 5.1.3'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -921,6 +921,8 @@ USE_PKCS1_FALSE
 USE_PKCS1_TRUE
 USE_PUBKEY_FALSE
 USE_PUBKEY_TRUE
+USE_ACERT_FALSE
+USE_ACERT_TRUE
 USE_CONSTRAINTS_FALSE
 USE_CONSTRAINTS_TRUE
 USE_REVOCATION_FALSE
@@ -974,7 +976,6 @@ manager_plugins
 scripts_plugins
 pki_plugins
 scepclient_plugins
-openac_plugins
 attest_plugins
 pool_plugins
 starter_plugins
@@ -1196,58 +1197,58 @@ with_tss
 with_capabilities
 with_mpz_powm_sec
 with_dev_headers
+with_printf_hooks
 with_systemdsystemunitdir
 with_user
 with_group
 with_charon_udp_port
 with_charon_natt_port
-enable_curl
-enable_unbound
-enable_soup
-enable_ldap
 enable_aes
-enable_des
+enable_af_alg
 enable_blowfish
-enable_rc2
+enable_ccm
+enable_cmac
+enable_ctr
+enable_des
+enable_fips_prf
+enable_gcm
+enable_gcrypt
+enable_gmp
+enable_hmac
 enable_md4
 enable_md5
+enable_nonce
+enable_ntru
+enable_openssl
+enable_padlock
+enable_random
+enable_rc2
+enable_rdrand
 enable_sha1
 enable_sha2
-enable_fips_prf
-enable_gmp
-enable_rdrand
-enable_random
-enable_nonce
-enable_x509
-enable_revocation
-enable_constraints
-enable_pubkey
+enable_xcbc
+enable_dnskey
+enable_pem
+enable_pgp
 enable_pkcs1
 enable_pkcs7
 enable_pkcs8
 enable_pkcs12
-enable_pgp
-enable_dnskey
+enable_pubkey
 enable_sshkey
-enable_dnscert
-enable_ipseckey
-enable_pem
-enable_hmac
-enable_cmac
-enable_xcbc
-enable_af_alg
-enable_test_vectors
+enable_x509
+enable_curl
+enable_ldap
+enable_soup
+enable_unbound
 enable_mysql
 enable_sqlite
-enable_stroke
-enable_medsrv
-enable_medcli
-enable_smp
-enable_sql
-enable_leak_detective
-enable_lock_profiler
-enable_unit_tester
-enable_load_tester
+enable_addrblock
+enable_acert
+enable_agent
+enable_constraints
+enable_coupling
+enable_dnscert
 enable_eap_sim
 enable_eap_sim_file
 enable_eap_sim_pcsc
@@ -1266,89 +1267,91 @@ enable_eap_peap
 enable_eap_tnc
 enable_eap_dynamic
 enable_eap_radius
+enable_ipseckey
+enable_keychain
+enable_pkcs11
+enable_revocation
+enable_whitelist
 enable_xauth_generic
 enable_xauth_eap
 enable_xauth_pam
 enable_xauth_noauth
-enable_tnc_ifmap
-enable_tnc_pdp
-enable_tnc_imc
-enable_tnc_imv
-enable_tnccs_11
-enable_tnccs_20
-enable_tnccs_dynamic
-enable_imc_test
-enable_imv_test
-enable_imc_scanner
-enable_imv_scanner
-enable_imc_os
-enable_imv_os
-enable_imc_attestation
-enable_imv_attestation
-enable_imc_swid
-enable_imv_swid
 enable_kernel_netlink
 enable_kernel_pfkey
 enable_kernel_pfroute
 enable_kernel_klips
 enable_kernel_libipsec
-enable_libipsec
 enable_socket_default
 enable_socket_dynamic
-enable_farp
-enable_dumm
-enable_fast
-enable_manager
-enable_mediation
-enable_integrity_test
-enable_load_warning
-enable_ikev1
-enable_ikev2
-enable_charon
-enable_tools
-enable_scripts
-enable_conftest
-enable_updown
+enable_stroke
+enable_smp
+enable_sql
+enable_uci
+enable_android_dns
 enable_attr
 enable_attr_sql
 enable_dhcp
+enable_osx_attr
 enable_resolve
-enable_padlock
-enable_openssl
-enable_gcrypt
-enable_agent
-enable_keychain
-enable_pkcs11
-enable_ctr
-enable_ccm
-enable_gcm
-enable_ntru
-enable_addrblock
 enable_unity
-enable_uci
-enable_osx_attr
-enable_android_dns
+enable_imc_test
+enable_imv_test
+enable_imc_scanner
+enable_imv_scanner
+enable_imc_os
+enable_imv_os
+enable_imc_attestation
+enable_imv_attestation
+enable_imc_swid
+enable_imv_swid
+enable_tnc_ifmap
+enable_tnc_imc
+enable_tnc_imv
+enable_tnc_pdp
+enable_tnccs_11
+enable_tnccs_20
+enable_tnccs_dynamic
 enable_android_log
-enable_maemo
-enable_nm
-enable_ha
-enable_whitelist
-enable_lookip
-enable_error_notify
 enable_certexpire
-enable_systime_fix
-enable_led
 enable_duplicheck
-enable_coupling
+enable_error_notify
+enable_farp
+enable_ha
+enable_led
+enable_load_tester
+enable_lookip
+enable_maemo
 enable_radattr
-enable_vstr
-enable_monolithic
+enable_systime_fix
+enable_test_vectors
+enable_unit_tester
+enable_updown
+enable_charon
+enable_cmd
+enable_conftest
+enable_dumm
+enable_fast
+enable_libipsec
+enable_manager
+enable_medcli
+enable_medsrv
+enable_nm
+enable_scripts
+enable_tkm
+enable_tools
 enable_bfd_backtraces
+enable_ikev1
+enable_ikev2
+enable_integrity_test
+enable_load_warning
+enable_mediation
 enable_unwind_backtraces
 enable_coverage
-enable_tkm
-enable_cmd
+enable_leak_detective
+enable_lock_profiler
+enable_monolithic
 enable_defaults
+enable_all
 enable_dependency_tracking
 with_lib_prefix
 enable_shared
@@ -1926,7 +1929,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 5.1.2 to adapt to many kinds of systems.
+\`configure' configures strongSwan 5.1.3 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1996,7 +1999,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 5.1.2:";;
+     short | recursive ) echo "Configuration of strongSwan 5.1.3:";;
    esac
   cat <<\_ACEOF
 
@@ -2006,64 +2009,61 @@ Optional Features:
   --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
   --enable-silent-rules   less verbose build output (undo: "make V=1")
   --disable-silent-rules  verbose build output (undo: "make V=0")
-  --enable-curl           enable CURL fetcher plugin to fetch files via
-                          libcurl. Requires libcurl.
-  --enable-unbound        enable UNBOUND resolver plugin to perform DNS
-                          queries via libunbound. Requires libldns and
-                          libunbound.
-  --enable-soup           enable soup fetcher plugin to fetch from HTTP via
-                          libsoup. Requires libsoup.
-  --enable-ldap           enable LDAP fetching plugin to fetch files via
-                          libldap. Requires openLDAP.
   --disable-aes           disable AES software implementation plugin.
-  --disable-des           disable DES/3DES software implementation plugin.
+  --enable-af-alg         enable AF_ALG crypto interface to Linux Crypto API.
   --enable-blowfish       enable Blowfish software implementation plugin.
-  --disable-rc2           disable RC2 software implementation plugin.
+  --enable-ccm            enables the CCM AEAD wrapper crypto plugin.
+  --disable-cmac          disable CMAC crypto implementation plugin.
+  --enable-ctr            enables the Counter Mode wrapper crypto plugin.
+  --disable-des           disable DES/3DES software implementation plugin.
+  --disable-fips-prf      disable FIPS PRF software implementation plugin.
+  --enable-gcm            enables the GCM AEAD wrapper crypto plugin.
+  --enable-gcrypt         enables the libgcrypt plugin.
+  --disable-gmp           disable GNU MP (libgmp) based crypto implementation
+                          plugin.
+  --disable-hmac          disable HMAC crypto implementation plugin.
   --enable-md4            enable MD4 software implementation plugin.
   --disable-md5           disable MD5 software implementation plugin.
+  --disable-nonce         disable nonce generation plugin.
+  --enable-ntru           enables the NTRU crypto plugin.
+  --enable-openssl        enables the OpenSSL crypto plugin.
+  --enable-padlock        enables VIA Padlock crypto plugin.
+  --disable-random        disable RNG implementation on top of /dev/(u)random.
+  --disable-rc2           disable RC2 software implementation plugin.
+  --enable-rdrand         enable Intel RDRAND random generator plugin.
   --disable-sha1          disable SHA1 software implementation plugin.
   --disable-sha2          disable SHA256/SHA384/SHA512 software implementation
                           plugin.
-  --disable-fips-prf      disable FIPS PRF software implementation plugin.
-  --disable-gmp           disable GNU MP (libgmp) based crypto implementation
-                          plugin.
-  --enable-rdrand         enable Intel RDRAND random generator plugin.
-  --disable-random        disable RNG implementation on top of /dev/(u)random.
-  --disable-nonce         disable nonce generation plugin.
-  --disable-x509          disable X509 certificate implementation plugin.
-  --disable-revocation    disable X509 CRL/OCSP revocation check plugin.
-  --disable-constraints   disable advanced X509 constraint checking plugin.
-  --disable-pubkey        disable RAW public key support plugin.
+  --disable-xcbc          disable xcbc crypto implementation plugin.
+  --disable-dnskey        disable DNS RR key decoding plugin.
+  --disable-pem           disable PEM decoding plugin.
+  --disable-pgp           disable PGP key decoding plugin.
   --disable-pkcs1         disable PKCS1 key decoding plugin.
   --disable-pkcs7         disable PKCS7 container support plugin.
   --disable-pkcs8         disable PKCS8 private key decoding plugin.
   --disable-pkcs12        disable PKCS12 container support plugin.
-  --disable-pgp           disable PGP key decoding plugin.
-  --disable-dnskey        disable DNS RR key decoding plugin.
+  --disable-pubkey        disable RAW public key support plugin.
   --disable-sshkey        disable SSH key decoding plugin.
-  --enable-dnscert        enable DNSCERT authentication plugin.
-  --enable-ipseckey       enable IPSECKEY authentication plugin.
-  --disable-pem           disable PEM decoding plugin.
-  --disable-hmac          disable HMAC crypto implementation plugin.
-  --disable-cmac          disable CMAC crypto implementation plugin.
-  --disable-xcbc          disable xcbc crypto implementation plugin.
-  --enable-af-alg         enable AF_ALG crypto interface to Linux Crypto API.
-  --enable-test-vectors   enable plugin providing crypto test vectors.
+  --disable-x509          disable X509 certificate implementation plugin.
+  --enable-curl           enable CURL fetcher plugin to fetch files via
+                          libcurl. Requires libcurl.
+  --enable-ldap           enable LDAP fetching plugin to fetch files via
+                          libldap. Requires openLDAP.
+  --enable-soup           enable soup fetcher plugin to fetch from HTTP via
+                          libsoup. Requires libsoup.
+  --enable-unbound        enable UNBOUND resolver plugin to perform DNS
+                          queries via libunbound. Requires libldns and
+                          libunbound.
   --enable-mysql          enable MySQL database support. Requires
                           libmysqlclient_r.
   --enable-sqlite         enable SQLite database support. Requires libsqlite3.
-  --disable-stroke        disable charons stroke configuration backend.
-  --enable-medsrv         enable mediation server web frontend and daemon
-                          plugin.
-  --enable-medcli         enable mediation client configuration database
-                          plugin.
-  --enable-smp            enable SMP configuration and control interface.
-                          Requires libxml.
-  --enable-sql            enable SQL database configuration backend.
-  --enable-leak-detective enable malloc hooks to find memory leaks.
-  --enable-lock-profiler  enable lock/mutex profiling code.
-  --enable-unit-tester    enable unit tests on IKEv2 daemon startup.
-  --enable-load-tester    enable load testing plugin for IKEv2 daemon.
+  --enable-addrblock      enables RFC 3779 address block constraint support.
+  --enable-acert          enable X509 attribute certificate checking plugin.
+  --enable-agent          enables the ssh-agent signing plugin.
+  --disable-constraints   disable advanced X509 constraint checking plugin.
+  --enable-coupling       enable IKEv2 plugin to couple peer certificates
+                          permanently to authentication.
+  --enable-dnscert        enable DNSCERT authentication plugin.
   --enable-eap-sim        enable SIM authentication module for EAP.
   --enable-eap-sim-file   enable EAP-SIM backend based on a triplet file.
   --enable-eap-sim-pcsc   enable EAP-SIM backend based on a smartcard reader.
@@ -2088,31 +2088,17 @@ Optional Features:
   --enable-eap-tnc        enable EAP TNC trusted network connect module.
   --enable-eap-dynamic    enable dynamic EAP proxy module.
   --enable-eap-radius     enable RADIUS proxy authentication module.
+  --enable-ipseckey       enable IPSECKEY authentication plugin.
+  --enable-keychain       enables OS X Keychain Services credential set.
+  --enable-pkcs11         enables the PKCS11 token support plugin.
+  --disable-revocation    disable X509 CRL/OCSP revocation check plugin.
+  --enable-whitelist      enable peer identity whitelisting plugin.
   --disable-xauth-generic disable generic XAuth backend.
   --enable-xauth-eap      enable XAuth backend using EAP methods to verify
                           passwords.
   --enable-xauth-pam      enable XAuth backend using PAM to verify passwords.
   --enable-xauth-noauth   enable XAuth pseudo-backend that does not actually
                           verify or even request any credentials.
-  --enable-tnc-ifmap      enable TNC IF-MAP module. Requires libxml
-  --enable-tnc-pdp        enable TNC policy decision point module.
-  --enable-tnc-imc        enable TNC IMC module.
-  --enable-tnc-imv        enable TNC IMV module.
-  --enable-tnccs-11       enable TNCCS 1.1 protocol module. Requires libxml
-  --enable-tnccs-20       enable TNCCS 2.0 protocol module.
-  --enable-tnccs-dynamic  enable dynamic TNCCS protocol discovery module.
-  --enable-imc-test       enable IMC test module.
-  --enable-imv-test       enable IMV test module.
-  --enable-imc-scanner    enable IMC port scanner module.
-  --enable-imv-scanner    enable IMV port scanner module.
-  --enable-imc-os         enable IMC operating system module.
-  --enable-imv-os         enable IMV operating system module.
-  --enable-imc-attestation
-                          enable IMC attestation module.
-  --enable-imv-attestation
-                          enable IMV attestation module.
-  --enable-imc-swid       enable IMC swid module.
-  --enable-imv-swid       enable IMV swid module.
   --disable-kernel-netlink
                           disable the netlink kernel interface.
   --enable-kernel-pfkey   enable the PF_KEY kernel interface.
@@ -2120,85 +2106,103 @@ Optional Features:
   --enable-kernel-klips   enable the KLIPS kernel interface.
   --enable-kernel-libipsec
                           enable the libipsec kernel interface.
-  --enable-libipsec       enable user space IPsec implementation.
   --disable-socket-default
                           disable default socket implementation for charon.
   --enable-socket-dynamic enable dynamic socket implementation for charon
-  --enable-farp           enable ARP faking plugin that responds to ARP
-                          requests to peers virtual IP
-  --enable-dumm           enable the DUMM UML test framework.
-  --enable-fast           enable libfast (FastCGI Application Server w/
-                          templates.
-  --enable-manager        enable web management console (proof of concept).
-  --enable-mediation      enable IKEv2 Mediation Extension.
-  --enable-integrity-test enable integrity testing of libstrongswan and
-                          plugins.
-  --disable-load-warning  disable the charon plugin load option warning in
-                          starter.
-  --disable-ikev1         disable IKEv1 protocol support in charon.
-  --disable-ikev2         disable IKEv2 protocol support in charon.
-  --disable-charon        disable the IKEv1/IKEv2 keying daemon charon.
-  --disable-tools         disable additional utilities (openac, scepclient and
-                          pki).
-  --disable-scripts       disable additional utilities (found in directory
-                          scripts).
-  --enable-conftest       enforce Suite B conformance test framework.
-  --disable-updown        disable updown firewall script plugin.
+  --disable-stroke        disable charons stroke configuration backend.
+  --enable-smp            enable SMP configuration and control interface.
+                          Requires libxml.
+  --enable-sql            enable SQL database configuration backend.
+  --enable-uci            enable OpenWRT UCI configuration plugin.
+  --enable-android-dns    enable Android specific DNS handler.
   --disable-attr          disable strongswan.conf based configuration
                           attribute plugin.
   --enable-attr-sql       enable SQL based configuration attribute plugin.
   --enable-dhcp           enable DHCP based attribute provider plugin.
+  --enable-osx-attr       enable OS X SystemConfiguration attribute handler.
   --disable-resolve       disable resolve DNS handler plugin.
-  --enable-padlock        enables VIA Padlock crypto plugin.
-  --enable-openssl        enables the OpenSSL crypto plugin.
-  --enable-gcrypt         enables the libgcrypt plugin.
-  --enable-agent          enables the ssh-agent signing plugin.
-  --enable-keychain       enables OS X Keychain Services credential set.
-  --enable-pkcs11         enables the PKCS11 token support plugin.
-  --enable-ctr            enables the Counter Mode wrapper crypto plugin.
-  --enable-ccm            enables the CCM AEAD wrapper crypto plugin.
-  --enable-gcm            enables the GCM AEAD wrapper crypto plugin.
-  --enable-ntru           enables the NTRU crypto plugin.
-  --enable-addrblock      enables RFC 3779 address block constraint support.
   --enable-unity          enables Cisco Unity extension plugin.
-  --enable-uci            enable OpenWRT UCI configuration plugin.
-  --enable-osx-attr       enable OS X SystemConfiguration attribute handler.
-  --enable-android-dns    enable Android specific DNS handler.
+  --enable-imc-test       enable IMC test module.
+  --enable-imv-test       enable IMV test module.
+  --enable-imc-scanner    enable IMC port scanner module.
+  --enable-imv-scanner    enable IMV port scanner module.
+  --enable-imc-os         enable IMC operating system module.
+  --enable-imv-os         enable IMV operating system module.
+  --enable-imc-attestation
+                          enable IMC attestation module.
+  --enable-imv-attestation
+                          enable IMV attestation module.
+  --enable-imc-swid       enable IMC swid module.
+  --enable-imv-swid       enable IMV swid module.
+  --enable-tnc-ifmap      enable TNC IF-MAP module. Requires libxml
+  --enable-tnc-imc        enable TNC IMC module.
+  --enable-tnc-imv        enable TNC IMV module.
+  --enable-tnc-pdp        enable TNC policy decision point module.
+  --enable-tnccs-11       enable TNCCS 1.1 protocol module. Requires libxml
+  --enable-tnccs-20       enable TNCCS 2.0 protocol module.
+  --enable-tnccs-dynamic  enable dynamic TNCCS protocol discovery module.
   --enable-android-log    enable Android specific logger plugin.
-  --enable-maemo          enable Maemo specific plugin.
-  --enable-nm             enable NetworkManager backend.
-  --enable-ha             enable high availability cluster plugin.
-  --enable-whitelist      enable peer identity whitelisting plugin.
-  --enable-lookip         enable fast virtual IP lookup and notification
-                          plugin.
-  --enable-error-notify   enable error notification plugin.
   --enable-certexpire     enable CSV export of expiration dates of used
                           certificates.
-  --enable-systime-fix    enable plugin to handle cert lifetimes with invalid
-                          system time gracefully.
-  --enable-led            enable plugin to control LEDs on IKEv2 activity
-                          using the Linux kernel LED subsystem.
   --enable-duplicheck     advanced duplicate checking plugin using liveness
                           checks.
-  --enable-coupling       enable IKEv2 plugin to couple peer certificates
-                          permanently to authentication.
+  --enable-error-notify   enable error notification plugin.
+  --enable-farp           enable ARP faking plugin that responds to ARP
+                          requests to peers virtual IP
+  --enable-ha             enable high availability cluster plugin.
+  --enable-led            enable plugin to control LEDs on IKEv2 activity
+                          using the Linux kernel LED subsystem.
+  --enable-load-tester    enable load testing plugin for IKEv2 daemon.
+  --enable-lookip         enable fast virtual IP lookup and notification
+                          plugin.
+  --enable-maemo          enable Maemo specific plugin.
   --enable-radattr        enable plugin to inject and process custom RADIUS
                           attributes as IKEv2 client.
-  --enable-vstr           enforce using the Vstr string library to replace
-                          glibc-like printf hooks.
-  --enable-monolithic     build monolithic version of libstrongswan that
-                          includes all enabled plugins. Similarly, the plugins
-                          of charon are assembled in libcharon.
+  --enable-systime-fix    enable plugin to handle cert lifetimes with invalid
+                          system time gracefully.
+  --enable-test-vectors   enable plugin providing crypto test vectors.
+  --enable-unit-tester    enable unit tests on IKEv2 daemon startup.
+  --disable-updown        disable updown firewall script plugin.
+  --disable-charon        disable the IKEv1/IKEv2 keying daemon charon.
+  --enable-cmd            enable the command line IKE client charon-cmd.
+  --enable-conftest       enforce Suite B conformance test framework.
+  --enable-dumm           enable the DUMM UML test framework.
+  --enable-fast           enable libfast (FastCGI Application Server w/
+                          templates.
+  --enable-libipsec       enable user space IPsec implementation.
+  --enable-manager        enable web management console (proof of concept).
+  --enable-medcli         enable mediation client configuration database
+                          plugin.
+  --enable-medsrv         enable mediation server web frontend and daemon
+                          plugin.
+  --enable-nm             enable NetworkManager backend.
+  --disable-scripts       disable additional utilities (found in directory
+                          scripts).
+  --enable-tkm            enable Trusted Key Manager support.
+  --disable-tools         disable additional utilities (scepclient and pki).
   --enable-bfd-backtraces use binutils libbfd to resolve backtraces for memory
                           leaks and segfaults.
+  --disable-ikev1         disable IKEv1 protocol support in charon.
+  --disable-ikev2         disable IKEv2 protocol support in charon.
+  --enable-integrity-test enable integrity testing of libstrongswan and
+                          plugins.
+  --disable-load-warning  disable the charon plugin load option warning in
+                          starter.
+  --enable-mediation      enable IKEv2 Mediation Extension.
   --enable-unwind-backtraces
                           use libunwind to create backtraces for memory leaks
                           and segfaults.
   --enable-coverage       enable lcov coverage report generation.
-  --enable-tkm            enable Trusted Key Manager support.
-  --enable-cmd            enable the command line IKE client charon-cmd.
+  --enable-leak-detective enable malloc hooks to find memory leaks.
+  --enable-lock-profiler  enable lock/mutex profiling code.
+  --enable-monolithic     build monolithic version of libstrongswan that
+                          includes all enabled plugins. Similarly, the plugins
+                          of charon are assembled in libcharon.
   --disable-defaults      disable all default plugins (they can be enabled
                           with their respective --enable options)
+  --enable-all            enable all plugins and features (they can be
+                          disabled with their respective --disable options).
+                          Mainly for testing.
   --enable-dependency-tracking
                           do not reject slow dependency extractors
   --disable-dependency-tracking
@@ -2257,6 +2261,9 @@ Optional Packages:
                           libgmp, if available (default: yes).
   --with-dev-headers=arg  install strongSwan development headers to directory.
                           (default: no).
+  --with-printf-hooks=arg force the use of a specific printf hook
+                          implementation (auto, builtin, glibc, vstr).
+                          (default: auto).
   --with-systemdsystemunitdir=arg
                           directory for systemd service files (default:
                           $systemdsystemunitdir_default).
@@ -2382,7 +2389,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 5.1.2
+strongSwan configure 5.1.3
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2904,7 +2911,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 5.1.2, which was
+It was created by strongSwan $as_me 5.1.3, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3767,7 +3774,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='5.1.2'
+ VERSION='5.1.3'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -4426,6 +4433,16 @@ fi
 
 
 
+# Check whether --with-printf-hooks was given.
+if test "${with_printf_hooks+set}" = set; then :
+  withval=$with_printf_hooks; printf_hooks="$withval"
+else
+  printf_hooks=auto
+
+fi
+
+
+
 if test -n "$PKG_CONFIG"; then
 	systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)
 fi
@@ -4534,6 +4551,7 @@ ipsec_script_upper=`echo -n "$ipsec_script" | tr a-z A-Z`
 # ARG_ENABL_SET(option, help)
 # ---------------------------
 # Create a --enable-$1 option with helptext, set a variable $1 to true/false
+# All $1 are collected in the variable $disabled_by_default
 
 
 # ARG_DISBL_SET(option, help)
@@ -4543,81 +4561,102 @@ ipsec_script_upper=`echo -n "$ipsec_script" | tr a-z A-Z`
 
 
 
-# Check whether --enable-curl was given.
-if test "${enable_curl+set}" = set; then :
-  enableval=$enable_curl; curl_given=true
+# crypto plugins
+# Check whether --enable-aes was given.
+if test "${enable_aes+set}" = set; then :
+  enableval=$enable_aes; aes_given=true
 		if test x$enableval = xyes; then
-			curl=true
+			aes=true
 		 else
-			curl=false
+			aes=false
 		fi
 else
-  curl=false
-		curl_given=false
+  aes=true
+		aes_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" aes"
 
-# Check whether --enable-unbound was given.
-if test "${enable_unbound+set}" = set; then :
-  enableval=$enable_unbound; unbound_given=true
+# Check whether --enable-af-alg was given.
+if test "${enable_af_alg+set}" = set; then :
+  enableval=$enable_af_alg; af_alg_given=true
 		if test x$enableval = xyes; then
-			unbound=true
+			af_alg=true
 		 else
-			unbound=false
+			af_alg=false
 		fi
 else
-  unbound=false
-		unbound_given=false
+  af_alg=false
+		af_alg_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" af_alg"
 
-# Check whether --enable-soup was given.
-if test "${enable_soup+set}" = set; then :
-  enableval=$enable_soup; soup_given=true
+# Check whether --enable-blowfish was given.
+if test "${enable_blowfish+set}" = set; then :
+  enableval=$enable_blowfish; blowfish_given=true
 		if test x$enableval = xyes; then
-			soup=true
+			blowfish=true
 		 else
-			soup=false
+			blowfish=false
 		fi
 else
-  soup=false
-		soup_given=false
+  blowfish=false
+		blowfish_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" blowfish"
 
-# Check whether --enable-ldap was given.
-if test "${enable_ldap+set}" = set; then :
-  enableval=$enable_ldap; ldap_given=true
+# Check whether --enable-ccm was given.
+if test "${enable_ccm+set}" = set; then :
+  enableval=$enable_ccm; ccm_given=true
 		if test x$enableval = xyes; then
-			ldap=true
+			ccm=true
 		 else
-			ldap=false
+			ccm=false
 		fi
 else
-  ldap=false
-		ldap_given=false
+  ccm=false
+		ccm_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" ccm"
 
-# Check whether --enable-aes was given.
-if test "${enable_aes+set}" = set; then :
-  enableval=$enable_aes; aes_given=true
+# Check whether --enable-cmac was given.
+if test "${enable_cmac+set}" = set; then :
+  enableval=$enable_cmac; cmac_given=true
 		if test x$enableval = xyes; then
-			aes=true
+			cmac=true
 		 else
-			aes=false
+			cmac=false
 		fi
 else
-  aes=true
-		aes_given=false
+  cmac=true
+		cmac_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" aes"
+	enabled_by_default=${enabled_by_default}" cmac"
+
+# Check whether --enable-ctr was given.
+if test "${enable_ctr+set}" = set; then :
+  enableval=$enable_ctr; ctr_given=true
+		if test x$enableval = xyes; then
+			ctr=true
+		 else
+			ctr=false
+		fi
+else
+  ctr=false
+		ctr_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" ctr"
 
 # Check whether --enable-des was given.
 if test "${enable_des+set}" = set; then :
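Review bot: Every option in this hunk decides with `if test x$enableval = xyes`, so `--enable-aes=true` or `--enable-ctr=1` silently turns the plugin off, the opposite of what the user asked; only an exact `yes` enables. For the plugins that are on by default here (`aes`, `cmac`) this downgrades the build without any message. Since `configure` is generated, the fix belongs in the `ARG_ENABL_SET`/`ARG_DISBL_SET` macros in m4/macros/enable-disable.m4 (touched by this commit but not visible here): accept `yes`/`no` and fail on anything else, e.g. `case $enableval in yes) aes=true ;; no) aes=false ;; *) as_fn_error $? "invalid value for --enable-aes: $enableval" ;; esac`. The `--enable-des` block that starts on the hunk's last lines continues outside the hunk.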
@@ -4635,36 +4674,85 @@ fi
 
 	enabled_by_default=${enabled_by_default}" des"
 
-# Check whether --enable-blowfish was given.
-if test "${enable_blowfish+set}" = set; then :
-  enableval=$enable_blowfish; blowfish_given=true
+# Check whether --enable-fips-prf was given.
+if test "${enable_fips_prf+set}" = set; then :
+  enableval=$enable_fips_prf; fips_prf_given=true
 		if test x$enableval = xyes; then
-			blowfish=true
+			fips_prf=true
 		 else
-			blowfish=false
+			fips_prf=false
 		fi
 else
-  blowfish=false
-		blowfish_given=false
+  fips_prf=true
+		fips_prf_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" fips_prf"
 
-# Check whether --enable-rc2 was given.
-if test "${enable_rc2+set}" = set; then :
-  enableval=$enable_rc2; rc2_given=true
+# Check whether --enable-gcm was given.
+if test "${enable_gcm+set}" = set; then :
+  enableval=$enable_gcm; gcm_given=true
 		if test x$enableval = xyes; then
-			rc2=true
+			gcm=true
 		 else
-			rc2=false
+			gcm=false
 		fi
 else
-  rc2=true
-		rc2_given=false
+  gcm=false
+		gcm_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" rc2"
+	disabled_by_default=${disabled_by_default}" gcm"
+
+# Check whether --enable-gcrypt was given.
+if test "${enable_gcrypt+set}" = set; then :
+  enableval=$enable_gcrypt; gcrypt_given=true
+		if test x$enableval = xyes; then
+			gcrypt=true
+		 else
+			gcrypt=false
+		fi
+else
+  gcrypt=false
+		gcrypt_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" gcrypt"
+
+# Check whether --enable-gmp was given.
+if test "${enable_gmp+set}" = set; then :
+  enableval=$enable_gmp; gmp_given=true
+		if test x$enableval = xyes; then
+			gmp=true
+		 else
+			gmp=false
+		fi
+else
+  gmp=true
+		gmp_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" gmp"
+
+# Check whether --enable-hmac was given.
+if test "${enable_hmac+set}" = set; then :
+  enableval=$enable_hmac; hmac_given=true
+		if test x$enableval = xyes; then
+			hmac=true
+		 else
+			hmac=false
+		fi
+else
+  hmac=true
+		hmac_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" hmac"
 
 # Check whether --enable-md4 was given.
 if test "${enable_md4+set}" = set; then :
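Review bot: The defaults this hunk fixes leave `des` enabled (`enabled_by_default=${enabled_by_default}" des"` at the top) and `fips_prf`, `gmp`, `hmac` on, while `gcm` is off (`gcm=false`) and, in the previous hunk, `ccm` and `ctr` are off too, so a default build ships the legacy 64-bit-block cipher but no builtin AEAD mode. That is presumably inherited from the previous release rather than introduced here, but since the commit already reorganises the list it is the natural place to reconsider it, or at least to say so in the help text so packagers know to pass `--enable-gcm --enable-ccm --enable-ctr` (and `--disable-des` where policy allows). If another backend such as the `openssl` plugin is expected to supply AES-GCM instead, the `--enable-gcm` help text should state that.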
@@ -4680,6 +4768,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" md4"
 
 # Check whether --enable-md5 was given.
 if test "${enable_md5+set}" = set; then :
@@ -4697,84 +4786,69 @@ fi
 
 	enabled_by_default=${enabled_by_default}" md5"
 
-# Check whether --enable-sha1 was given.
-if test "${enable_sha1+set}" = set; then :
-  enableval=$enable_sha1; sha1_given=true
-		if test x$enableval = xyes; then
-			sha1=true
-		 else
-			sha1=false
-		fi
-else
-  sha1=true
-		sha1_given=false
-
-fi
-
-	enabled_by_default=${enabled_by_default}" sha1"
-
-# Check whether --enable-sha2 was given.
-if test "${enable_sha2+set}" = set; then :
-  enableval=$enable_sha2; sha2_given=true
+# Check whether --enable-nonce was given.
+if test "${enable_nonce+set}" = set; then :
+  enableval=$enable_nonce; nonce_given=true
 		if test x$enableval = xyes; then
-			sha2=true
+			nonce=true
 		 else
-			sha2=false
+			nonce=false
 		fi
 else
-  sha2=true
-		sha2_given=false
+  nonce=true
+		nonce_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" sha2"
+	enabled_by_default=${enabled_by_default}" nonce"
 
-# Check whether --enable-fips-prf was given.
-if test "${enable_fips_prf+set}" = set; then :
-  enableval=$enable_fips_prf; fips_prf_given=true
+# Check whether --enable-ntru was given.
+if test "${enable_ntru+set}" = set; then :
+  enableval=$enable_ntru; ntru_given=true
 		if test x$enableval = xyes; then
-			fips_prf=true
+			ntru=true
 		 else
-			fips_prf=false
+			ntru=false
 		fi
 else
-  fips_prf=true
-		fips_prf_given=false
+  ntru=false
+		ntru_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" fips_prf"
+	disabled_by_default=${disabled_by_default}" ntru"
 
-# Check whether --enable-gmp was given.
-if test "${enable_gmp+set}" = set; then :
-  enableval=$enable_gmp; gmp_given=true
+# Check whether --enable-openssl was given.
+if test "${enable_openssl+set}" = set; then :
+  enableval=$enable_openssl; openssl_given=true
 		if test x$enableval = xyes; then
-			gmp=true
+			openssl=true
 		 else
-			gmp=false
+			openssl=false
 		fi
 else
-  gmp=true
-		gmp_given=false
+  openssl=false
+		openssl_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" gmp"
+	disabled_by_default=${disabled_by_default}" openssl"
 
-# Check whether --enable-rdrand was given.
-if test "${enable_rdrand+set}" = set; then :
-  enableval=$enable_rdrand; rdrand_given=true
+# Check whether --enable-padlock was given.
+if test "${enable_padlock+set}" = set; then :
+  enableval=$enable_padlock; padlock_given=true
 		if test x$enableval = xyes; then
-			rdrand=true
+			padlock=true
 		 else
-			rdrand=false
+			padlock=false
 		fi
 else
-  rdrand=false
-		rdrand_given=false
+  padlock=false
+		padlock_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" padlock"
 
 # Check whether --enable-random was given.
 if test "${enable_random+set}" = set; then :
@@ -4792,149 +4866,118 @@ fi
 
 	enabled_by_default=${enabled_by_default}" random"
 
-# Check whether --enable-nonce was given.
-if test "${enable_nonce+set}" = set; then :
-  enableval=$enable_nonce; nonce_given=true
+# Check whether --enable-rc2 was given.
+if test "${enable_rc2+set}" = set; then :
+  enableval=$enable_rc2; rc2_given=true
 		if test x$enableval = xyes; then
-			nonce=true
+			rc2=true
 		 else
-			nonce=false
+			rc2=false
 		fi
 else
-  nonce=true
-		nonce_given=false
+  rc2=true
+		rc2_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" nonce"
+	enabled_by_default=${enabled_by_default}" rc2"
 
-# Check whether --enable-x509 was given.
-if test "${enable_x509+set}" = set; then :
-  enableval=$enable_x509; x509_given=true
+# Check whether --enable-rdrand was given.
+if test "${enable_rdrand+set}" = set; then :
+  enableval=$enable_rdrand; rdrand_given=true
 		if test x$enableval = xyes; then
-			x509=true
+			rdrand=true
 		 else
-			x509=false
+			rdrand=false
 		fi
 else
-  x509=true
-		x509_given=false
+  rdrand=false
+		rdrand_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" x509"
+	disabled_by_default=${disabled_by_default}" rdrand"
 
-# Check whether --enable-revocation was given.
-if test "${enable_revocation+set}" = set; then :
-  enableval=$enable_revocation; revocation_given=true
+# Check whether --enable-sha1 was given.
+if test "${enable_sha1+set}" = set; then :
+  enableval=$enable_sha1; sha1_given=true
 		if test x$enableval = xyes; then
-			revocation=true
+			sha1=true
 		 else
-			revocation=false
+			sha1=false
 		fi
 else
-  revocation=true
-		revocation_given=false
+  sha1=true
+		sha1_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" revocation"
+	enabled_by_default=${enabled_by_default}" sha1"
 
-# Check whether --enable-constraints was given.
-if test "${enable_constraints+set}" = set; then :
-  enableval=$enable_constraints; constraints_given=true
+# Check whether --enable-sha2 was given.
+if test "${enable_sha2+set}" = set; then :
+  enableval=$enable_sha2; sha2_given=true
 		if test x$enableval = xyes; then
-			constraints=true
+			sha2=true
 		 else
-			constraints=false
+			sha2=false
 		fi
 else
-  constraints=true
-		constraints_given=false
+  sha2=true
+		sha2_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" constraints"
+	enabled_by_default=${enabled_by_default}" sha2"
 
-# Check whether --enable-pubkey was given.
-if test "${enable_pubkey+set}" = set; then :
-  enableval=$enable_pubkey; pubkey_given=true
+# Check whether --enable-xcbc was given.
+if test "${enable_xcbc+set}" = set; then :
+  enableval=$enable_xcbc; xcbc_given=true
 		if test x$enableval = xyes; then
-			pubkey=true
+			xcbc=true
 		 else
-			pubkey=false
+			xcbc=false
 		fi
 else
-  pubkey=true
-		pubkey_given=false
+  xcbc=true
+		xcbc_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" pubkey"
+	enabled_by_default=${enabled_by_default}" xcbc"
 
-# Check whether --enable-pkcs1 was given.
-if test "${enable_pkcs1+set}" = set; then :
-  enableval=$enable_pkcs1; pkcs1_given=true
+# encoding/decoding plugins
+# Check whether --enable-dnskey was given.
+if test "${enable_dnskey+set}" = set; then :
+  enableval=$enable_dnskey; dnskey_given=true
 		if test x$enableval = xyes; then
-			pkcs1=true
+			dnskey=true
 		 else
-			pkcs1=false
+			dnskey=false
 		fi
 else
-  pkcs1=true
-		pkcs1_given=false
+  dnskey=true
+		dnskey_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" pkcs1"
+	enabled_by_default=${enabled_by_default}" dnskey"
 
-# Check whether --enable-pkcs7 was given.
-if test "${enable_pkcs7+set}" = set; then :
-  enableval=$enable_pkcs7; pkcs7_given=true
+# Check whether --enable-pem was given.
+if test "${enable_pem+set}" = set; then :
+  enableval=$enable_pem; pem_given=true
 		if test x$enableval = xyes; then
-			pkcs7=true
+			pem=true
 		 else
-			pkcs7=false
+			pem=false
 		fi
 else
-  pkcs7=true
-		pkcs7_given=false
+  pem=true
+		pem_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" pkcs7"
-
-# Check whether --enable-pkcs8 was given.
-if test "${enable_pkcs8+set}" = set; then :
-  enableval=$enable_pkcs8; pkcs8_given=true
-		if test x$enableval = xyes; then
-			pkcs8=true
-		 else
-			pkcs8=false
-		fi
-else
-  pkcs8=true
-		pkcs8_given=false
-
-fi
-
-	enabled_by_default=${enabled_by_default}" pkcs8"
-
-# Check whether --enable-pkcs12 was given.
-if test "${enable_pkcs12+set}" = set; then :
-  enableval=$enable_pkcs12; pkcs12_given=true
-		if test x$enableval = xyes; then
-			pkcs12=true
-		 else
-			pkcs12=false
-		fi
-else
-  pkcs12=true
-		pkcs12_given=false
-
-fi
-
-	enabled_by_default=${enabled_by_default}" pkcs12"
+	enabled_by_default=${enabled_by_default}" pem"
 
 # Check whether --enable-pgp was given.
 if test "${enable_pgp+set}" = set; then :
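Review bot: `rc2=true` keeps RC2 in the default plugin set while hardware and AEAD plugins stay opt-in, and nothing in the option text explains why a legacy cipher is on by default. If it is retained only for decrypting legacy PKCS#12 containers (that is my assumption, not something the hunk shows), the `--enable-rc2` help text should say so, so that deployments without PKCS#12 files can safely pass `--disable-rc2`; as written, a packager has no visible reason to turn it off. The `--enable-pgp` block on the hunk's last lines continues outside the hunk.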
@@ -4952,162 +4995,184 @@ fi
 
 	enabled_by_default=${enabled_by_default}" pgp"
 
-# Check whether --enable-dnskey was given.
-if test "${enable_dnskey+set}" = set; then :
-  enableval=$enable_dnskey; dnskey_given=true
+# Check whether --enable-pkcs1 was given.
+if test "${enable_pkcs1+set}" = set; then :
+  enableval=$enable_pkcs1; pkcs1_given=true
 		if test x$enableval = xyes; then
-			dnskey=true
+			pkcs1=true
 		 else
-			dnskey=false
+			pkcs1=false
 		fi
 else
-  dnskey=true
-		dnskey_given=false
+  pkcs1=true
+		pkcs1_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" dnskey"
+	enabled_by_default=${enabled_by_default}" pkcs1"
 
-# Check whether --enable-sshkey was given.
-if test "${enable_sshkey+set}" = set; then :
-  enableval=$enable_sshkey; sshkey_given=true
+# Check whether --enable-pkcs7 was given.
+if test "${enable_pkcs7+set}" = set; then :
+  enableval=$enable_pkcs7; pkcs7_given=true
 		if test x$enableval = xyes; then
-			sshkey=true
+			pkcs7=true
 		 else
-			sshkey=false
+			pkcs7=false
 		fi
 else
-  sshkey=true
-		sshkey_given=false
+  pkcs7=true
+		pkcs7_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" sshkey"
+	enabled_by_default=${enabled_by_default}" pkcs7"
 
-# Check whether --enable-dnscert was given.
-if test "${enable_dnscert+set}" = set; then :
-  enableval=$enable_dnscert; dnscert_given=true
+# Check whether --enable-pkcs8 was given.
+if test "${enable_pkcs8+set}" = set; then :
+  enableval=$enable_pkcs8; pkcs8_given=true
 		if test x$enableval = xyes; then
-			dnscert=true
+			pkcs8=true
 		 else
-			dnscert=false
+			pkcs8=false
 		fi
 else
-  dnscert=false
-		dnscert_given=false
+  pkcs8=true
+		pkcs8_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" pkcs8"
 
-# Check whether --enable-ipseckey was given.
-if test "${enable_ipseckey+set}" = set; then :
-  enableval=$enable_ipseckey; ipseckey_given=true
+# Check whether --enable-pkcs12 was given.
+if test "${enable_pkcs12+set}" = set; then :
+  enableval=$enable_pkcs12; pkcs12_given=true
 		if test x$enableval = xyes; then
-			ipseckey=true
+			pkcs12=true
 		 else
-			ipseckey=false
+			pkcs12=false
 		fi
 else
-  ipseckey=false
-		ipseckey_given=false
+  pkcs12=true
+		pkcs12_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" pkcs12"
 
-# Check whether --enable-pem was given.
-if test "${enable_pem+set}" = set; then :
-  enableval=$enable_pem; pem_given=true
+# Check whether --enable-pubkey was given.
+if test "${enable_pubkey+set}" = set; then :
+  enableval=$enable_pubkey; pubkey_given=true
 		if test x$enableval = xyes; then
-			pem=true
+			pubkey=true
 		 else
-			pem=false
+			pubkey=false
 		fi
 else
-  pem=true
-		pem_given=false
+  pubkey=true
+		pubkey_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" pem"
+	enabled_by_default=${enabled_by_default}" pubkey"
 
-# Check whether --enable-hmac was given.
-if test "${enable_hmac+set}" = set; then :
-  enableval=$enable_hmac; hmac_given=true
+# Check whether --enable-sshkey was given.
+if test "${enable_sshkey+set}" = set; then :
+  enableval=$enable_sshkey; sshkey_given=true
 		if test x$enableval = xyes; then
-			hmac=true
+			sshkey=true
 		 else
-			hmac=false
+			sshkey=false
 		fi
 else
-  hmac=true
-		hmac_given=false
+  sshkey=true
+		sshkey_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" hmac"
+	enabled_by_default=${enabled_by_default}" sshkey"
 
-# Check whether --enable-cmac was given.
-if test "${enable_cmac+set}" = set; then :
-  enableval=$enable_cmac; cmac_given=true
+# Check whether --enable-x509 was given.
+if test "${enable_x509+set}" = set; then :
+  enableval=$enable_x509; x509_given=true
 		if test x$enableval = xyes; then
-			cmac=true
+			x509=true
 		 else
-			cmac=false
+			x509=false
 		fi
 else
-  cmac=true
-		cmac_given=false
+  x509=true
+		x509_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" cmac"
+	enabled_by_default=${enabled_by_default}" x509"
 
-# Check whether --enable-xcbc was given.
-if test "${enable_xcbc+set}" = set; then :
-  enableval=$enable_xcbc; xcbc_given=true
+# fetcher/resolver plugins
+# Check whether --enable-curl was given.
+if test "${enable_curl+set}" = set; then :
+  enableval=$enable_curl; curl_given=true
 		if test x$enableval = xyes; then
-			xcbc=true
+			curl=true
 		 else
-			xcbc=false
+			curl=false
 		fi
 else
-  xcbc=true
-		xcbc_given=false
+  curl=false
+		curl_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" xcbc"
+	disabled_by_default=${disabled_by_default}" curl"
 
-# Check whether --enable-af-alg was given.
-if test "${enable_af_alg+set}" = set; then :
-  enableval=$enable_af_alg; af_alg_given=true
+# Check whether --enable-ldap was given.
+if test "${enable_ldap+set}" = set; then :
+  enableval=$enable_ldap; ldap_given=true
 		if test x$enableval = xyes; then
-			af_alg=true
+			ldap=true
 		 else
-			af_alg=false
+			ldap=false
 		fi
 else
-  af_alg=false
-		af_alg_given=false
+  ldap=false
+		ldap_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" ldap"
 
-# Check whether --enable-test-vectors was given.
-if test "${enable_test_vectors+set}" = set; then :
-  enableval=$enable_test_vectors; test_vectors_given=true
+# Check whether --enable-soup was given.
+if test "${enable_soup+set}" = set; then :
+  enableval=$enable_soup; soup_given=true
 		if test x$enableval = xyes; then
-			test_vectors=true
+			soup=true
 		 else
-			test_vectors=false
+			soup=false
 		fi
 else
-  test_vectors=false
-		test_vectors_given=false
+  soup=false
+		soup_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" soup"
+
+# Check whether --enable-unbound was given.
+if test "${enable_unbound+set}" = set; then :
+  enableval=$enable_unbound; unbound_given=true
+		if test x$enableval = xyes; then
+			unbound=true
+		 else
+			unbound=false
+		fi
+else
+  unbound=false
+		unbound_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" unbound"
 
+# database plugins
 # Check whether --enable-mysql was given.
 if test "${enable_mysql+set}" = set; then :
   enableval=$enable_mysql; mysql_given=true
@@ -5122,6 +5187,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" mysql"
 
 # Check whether --enable-sqlite was given.
 if test "${enable_sqlite+set}" = set; then :
@@ -5137,142 +5203,104 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" sqlite"
 
-# Check whether --enable-stroke was given.
-if test "${enable_stroke+set}" = set; then :
-  enableval=$enable_stroke; stroke_given=true
+# authentication/credential plugins
+# Check whether --enable-addrblock was given.
+if test "${enable_addrblock+set}" = set; then :
+  enableval=$enable_addrblock; addrblock_given=true
 		if test x$enableval = xyes; then
-			stroke=true
+			addrblock=true
 		 else
-			stroke=false
+			addrblock=false
 		fi
 else
-  stroke=true
-		stroke_given=false
+  addrblock=false
+		addrblock_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" stroke"
+	disabled_by_default=${disabled_by_default}" addrblock"
 
-# Check whether --enable-medsrv was given.
-if test "${enable_medsrv+set}" = set; then :
-  enableval=$enable_medsrv; medsrv_given=true
+# Check whether --enable-acert was given.
+if test "${enable_acert+set}" = set; then :
+  enableval=$enable_acert; acert_given=true
 		if test x$enableval = xyes; then
-			medsrv=true
+			acert=true
 		 else
-			medsrv=false
+			acert=false
 		fi
 else
-  medsrv=false
-		medsrv_given=false
+  acert=false
+		acert_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" acert"
 
-# Check whether --enable-medcli was given.
-if test "${enable_medcli+set}" = set; then :
-  enableval=$enable_medcli; medcli_given=true
+# Check whether --enable-agent was given.
+if test "${enable_agent+set}" = set; then :
+  enableval=$enable_agent; agent_given=true
 		if test x$enableval = xyes; then
-			medcli=true
+			agent=true
 		 else
-			medcli=false
+			agent=false
 		fi
 else
-  medcli=false
-		medcli_given=false
+  agent=false
+		agent_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" agent"
 
-# Check whether --enable-smp was given.
-if test "${enable_smp+set}" = set; then :
-  enableval=$enable_smp; smp_given=true
+# Check whether --enable-constraints was given.
+if test "${enable_constraints+set}" = set; then :
+  enableval=$enable_constraints; constraints_given=true
 		if test x$enableval = xyes; then
-			smp=true
+			constraints=true
 		 else
-			smp=false
+			constraints=false
 		fi
 else
-  smp=false
-		smp_given=false
+  constraints=true
+		constraints_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" constraints"
 
-# Check whether --enable-sql was given.
-if test "${enable_sql+set}" = set; then :
-  enableval=$enable_sql; sql_given=true
-		if test x$enableval = xyes; then
-			sql=true
-		 else
-			sql=false
-		fi
-else
-  sql=false
-		sql_given=false
-
-fi
-
-
-# Check whether --enable-leak-detective was given.
-if test "${enable_leak_detective+set}" = set; then :
-  enableval=$enable_leak_detective; leak_detective_given=true
-		if test x$enableval = xyes; then
-			leak_detective=true
-		 else
-			leak_detective=false
-		fi
-else
-  leak_detective=false
-		leak_detective_given=false
-
-fi
-
-
-# Check whether --enable-lock-profiler was given.
-if test "${enable_lock_profiler+set}" = set; then :
-  enableval=$enable_lock_profiler; lock_profiler_given=true
-		if test x$enableval = xyes; then
-			lock_profiler=true
-		 else
-			lock_profiler=false
-		fi
-else
-  lock_profiler=false
-		lock_profiler_given=false
-
-fi
-
-
-# Check whether --enable-unit-tester was given.
-if test "${enable_unit_tester+set}" = set; then :
-  enableval=$enable_unit_tester; unit_tester_given=true
+# Check whether --enable-coupling was given.
+if test "${enable_coupling+set}" = set; then :
+  enableval=$enable_coupling; coupling_given=true
 		if test x$enableval = xyes; then
-			unit_tester=true
+			coupling=true
 		 else
-			unit_tester=false
+			coupling=false
 		fi
 else
-  unit_tester=false
-		unit_tester_given=false
+  coupling=false
+		coupling_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" coupling"
 
-# Check whether --enable-load-tester was given.
-if test "${enable_load_tester+set}" = set; then :
-  enableval=$enable_load_tester; load_tester_given=true
+# Check whether --enable-dnscert was given.
+if test "${enable_dnscert+set}" = set; then :
+  enableval=$enable_dnscert; dnscert_given=true
 		if test x$enableval = xyes; then
-			load_tester=true
+			dnscert=true
 		 else
-			load_tester=false
+			dnscert=false
 		fi
 else
-  load_tester=false
-		load_tester_given=false
+  dnscert=false
+		dnscert_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" dnscert"
 
 # Check whether --enable-eap-sim was given.
 if test "${enable_eap_sim+set}" = set; then :
@@ -5288,6 +5316,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_sim"
 
 # Check whether --enable-eap-sim-file was given.
 if test "${enable_eap_sim_file+set}" = set; then :
@@ -5303,6 +5332,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_sim_file"
 
 # Check whether --enable-eap-sim-pcsc was given.
 if test "${enable_eap_sim_pcsc+set}" = set; then :
@@ -5318,6 +5348,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_sim_pcsc"
 
 # Check whether --enable-eap-aka was given.
 if test "${enable_eap_aka+set}" = set; then :
@@ -5333,6 +5364,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_aka"
 
 # Check whether --enable-eap-aka-3gpp2 was given.
 if test "${enable_eap_aka_3gpp2+set}" = set; then :
@@ -5348,6 +5380,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_aka_3gpp2"
 
 # Check whether --enable-eap-simaka-sql was given.
 if test "${enable_eap_simaka_sql+set}" = set; then :
@@ -5363,6 +5396,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_simaka_sql"
 
 # Check whether --enable-eap-simaka-pseudonym was given.
 if test "${enable_eap_simaka_pseudonym+set}" = set; then :
@@ -5378,6 +5412,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_simaka_pseudonym"
 
 # Check whether --enable-eap-simaka-reauth was given.
 if test "${enable_eap_simaka_reauth+set}" = set; then :
@@ -5393,6 +5428,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_simaka_reauth"
 
 # Check whether --enable-eap-identity was given.
 if test "${enable_eap_identity+set}" = set; then :
@@ -5408,6 +5444,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_identity"
 
 # Check whether --enable-eap-md5 was given.
 if test "${enable_eap_md5+set}" = set; then :
@@ -5423,6 +5460,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_md5"
 
 # Check whether --enable-eap-gtc was given.
 if test "${enable_eap_gtc+set}" = set; then :
@@ -5438,6 +5476,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_gtc"
 
 # Check whether --enable-eap-mschapv2 was given.
 if test "${enable_eap_mschapv2+set}" = set; then :
@@ -5453,6 +5492,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_mschapv2"
 
 # Check whether --enable-eap-tls was given.
 if test "${enable_eap_tls+set}" = set; then :
@@ -5468,6 +5508,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_tls"
 
 # Check whether --enable-eap-ttls was given.
 if test "${enable_eap_ttls+set}" = set; then :
@@ -5483,6 +5524,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_ttls"
 
 # Check whether --enable-eap-peap was given.
 if test "${enable_eap_peap+set}" = set; then :
@@ -5498,6 +5540,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_peap"
 
 # Check whether --enable-eap-tnc was given.
 if test "${enable_eap_tnc+set}" = set; then :
@@ -5513,6 +5556,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_tnc"
 
 # Check whether --enable-eap-dynamic was given.
 if test "${enable_eap_dynamic+set}" = set; then :
@@ -5528,6 +5572,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_dynamic"
 
 # Check whether --enable-eap-radius was given.
 if test "${enable_eap_radius+set}" = set; then :
@@ -5543,6 +5588,87 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" eap_radius"
+
+# Check whether --enable-ipseckey was given.
+if test "${enable_ipseckey+set}" = set; then :
+  enableval=$enable_ipseckey; ipseckey_given=true
+		if test x$enableval = xyes; then
+			ipseckey=true
+		 else
+			ipseckey=false
+		fi
+else
+  ipseckey=false
+		ipseckey_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" ipseckey"
+
+# Check whether --enable-keychain was given.
+if test "${enable_keychain+set}" = set; then :
+  enableval=$enable_keychain; keychain_given=true
+		if test x$enableval = xyes; then
+			keychain=true
+		 else
+			keychain=false
+		fi
+else
+  keychain=false
+		keychain_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" keychain"
+
+# Check whether --enable-pkcs11 was given.
+if test "${enable_pkcs11+set}" = set; then :
+  enableval=$enable_pkcs11; pkcs11_given=true
+		if test x$enableval = xyes; then
+			pkcs11=true
+		 else
+			pkcs11=false
+		fi
+else
+  pkcs11=false
+		pkcs11_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" pkcs11"
+
+# Check whether --enable-revocation was given.
+if test "${enable_revocation+set}" = set; then :
+  enableval=$enable_revocation; revocation_given=true
+		if test x$enableval = xyes; then
+			revocation=true
+		 else
+			revocation=false
+		fi
+else
+  revocation=true
+		revocation_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" revocation"
+
+# Check whether --enable-whitelist was given.
+if test "${enable_whitelist+set}" = set; then :
+  enableval=$enable_whitelist; whitelist_given=true
+		if test x$enableval = xyes; then
+			whitelist=true
+		 else
+			whitelist=false
+		fi
+else
+  whitelist=false
+		whitelist_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" whitelist"
 
 # Check whether --enable-xauth-generic was given.
 if test "${enable_xauth_generic+set}" = set; then :
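Review bot: `revocation=true` is the default here, but the fetcher plugins it would need to retrieve CRLs and OCSP responses over the network (`curl`, `soup`, `ldap`, all `false` by default in the earlier fetcher/resolver hunk) are off, so a default build can, as far as I can tell, only check revocation against material already on disk and will not contact CRL distribution points or OCSP responders. That deserves a sentence in the configure help or NEWS so packagers enable at least one fetcher alongside `revocation`, e.g. `--enable-curl`. Whether a missing fetcher is treated as a hard failure or as "status unknown" is decided at runtime, outside this hunk; the `--enable-xauth-generic` block on the last lines continues outside it as well.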
@@ -5574,6 +5700,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" xauth_eap"
 
 # Check whether --enable-xauth-pam was given.
 if test "${enable_xauth_pam+set}" = set; then :
@@ -5589,6 +5716,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" xauth_pam"
 
 # Check whether --enable-xauth-noauth was given.
 if test "${enable_xauth_noauth+set}" = set; then :
@@ -5604,126 +5732,315 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" xauth_noauth"
 
-# Check whether --enable-tnc-ifmap was given.
-if test "${enable_tnc_ifmap+set}" = set; then :
-  enableval=$enable_tnc_ifmap; tnc_ifmap_given=true
+# kernel interfaces / sockets
+# Check whether --enable-kernel-netlink was given.
+if test "${enable_kernel_netlink+set}" = set; then :
+  enableval=$enable_kernel_netlink; kernel_netlink_given=true
 		if test x$enableval = xyes; then
-			tnc_ifmap=true
+			kernel_netlink=true
 		 else
-			tnc_ifmap=false
+			kernel_netlink=false
 		fi
 else
-  tnc_ifmap=false
-		tnc_ifmap_given=false
+  kernel_netlink=true
+		kernel_netlink_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" kernel_netlink"
 
-# Check whether --enable-tnc-pdp was given.
-if test "${enable_tnc_pdp+set}" = set; then :
-  enableval=$enable_tnc_pdp; tnc_pdp_given=true
+# Check whether --enable-kernel-pfkey was given.
+if test "${enable_kernel_pfkey+set}" = set; then :
+  enableval=$enable_kernel_pfkey; kernel_pfkey_given=true
 		if test x$enableval = xyes; then
-			tnc_pdp=true
+			kernel_pfkey=true
 		 else
-			tnc_pdp=false
+			kernel_pfkey=false
 		fi
 else
-  tnc_pdp=false
-		tnc_pdp_given=false
+  kernel_pfkey=false
+		kernel_pfkey_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" kernel_pfkey"
 
-# Check whether --enable-tnc-imc was given.
-if test "${enable_tnc_imc+set}" = set; then :
-  enableval=$enable_tnc_imc; tnc_imc_given=true
+# Check whether --enable-kernel-pfroute was given.
+if test "${enable_kernel_pfroute+set}" = set; then :
+  enableval=$enable_kernel_pfroute; kernel_pfroute_given=true
 		if test x$enableval = xyes; then
-			tnc_imc=true
+			kernel_pfroute=true
 		 else
-			tnc_imc=false
+			kernel_pfroute=false
 		fi
 else
-  tnc_imc=false
-		tnc_imc_given=false
+  kernel_pfroute=false
+		kernel_pfroute_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" kernel_pfroute"
 
-# Check whether --enable-tnc-imv was given.
-if test "${enable_tnc_imv+set}" = set; then :
-  enableval=$enable_tnc_imv; tnc_imv_given=true
+# Check whether --enable-kernel-klips was given.
+if test "${enable_kernel_klips+set}" = set; then :
+  enableval=$enable_kernel_klips; kernel_klips_given=true
 		if test x$enableval = xyes; then
-			tnc_imv=true
+			kernel_klips=true
 		 else
-			tnc_imv=false
+			kernel_klips=false
 		fi
 else
-  tnc_imv=false
-		tnc_imv_given=false
+  kernel_klips=false
+		kernel_klips_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" kernel_klips"
 
-# Check whether --enable-tnccs-11 was given.
-if test "${enable_tnccs_11+set}" = set; then :
-  enableval=$enable_tnccs_11; tnccs_11_given=true
+# Check whether --enable-kernel-libipsec was given.
+if test "${enable_kernel_libipsec+set}" = set; then :
+  enableval=$enable_kernel_libipsec; kernel_libipsec_given=true
 		if test x$enableval = xyes; then
-			tnccs_11=true
+			kernel_libipsec=true
 		 else
-			tnccs_11=false
+			kernel_libipsec=false
 		fi
 else
-  tnccs_11=false
-		tnccs_11_given=false
+  kernel_libipsec=false
+		kernel_libipsec_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" kernel_libipsec"
 
-# Check whether --enable-tnccs-20 was given.
-if test "${enable_tnccs_20+set}" = set; then :
-  enableval=$enable_tnccs_20; tnccs_20_given=true
+# Check whether --enable-socket-default was given.
+if test "${enable_socket_default+set}" = set; then :
+  enableval=$enable_socket_default; socket_default_given=true
 		if test x$enableval = xyes; then
-			tnccs_20=true
+			socket_default=true
 		 else
-			tnccs_20=false
+			socket_default=false
 		fi
 else
-  tnccs_20=false
-		tnccs_20_given=false
+  socket_default=true
+		socket_default_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" socket_default"
 
-# Check whether --enable-tnccs-dynamic was given.
-if test "${enable_tnccs_dynamic+set}" = set; then :
-  enableval=$enable_tnccs_dynamic; tnccs_dynamic_given=true
+# Check whether --enable-socket-dynamic was given.
+if test "${enable_socket_dynamic+set}" = set; then :
+  enableval=$enable_socket_dynamic; socket_dynamic_given=true
 		if test x$enableval = xyes; then
-			tnccs_dynamic=true
+			socket_dynamic=true
 		 else
-			tnccs_dynamic=false
+			socket_dynamic=false
 		fi
 else
-  tnccs_dynamic=false
-		tnccs_dynamic_given=false
+  socket_dynamic=false
+		socket_dynamic_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" socket_dynamic"
 
-# Check whether --enable-imc-test was given.
-if test "${enable_imc_test+set}" = set; then :
-  enableval=$enable_imc_test; imc_test_given=true
+# configuration/control plugins
+# Check whether --enable-stroke was given.
+if test "${enable_stroke+set}" = set; then :
+  enableval=$enable_stroke; stroke_given=true
 		if test x$enableval = xyes; then
-			imc_test=true
+			stroke=true
 		 else
-			imc_test=false
+			stroke=false
 		fi
 else
-  imc_test=false
-		imc_test_given=false
+  stroke=true
+		stroke_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" stroke"
+
+# Check whether --enable-smp was given.
+if test "${enable_smp+set}" = set; then :
+  enableval=$enable_smp; smp_given=true
+		if test x$enableval = xyes; then
+			smp=true
+		 else
+			smp=false
+		fi
+else
+  smp=false
+		smp_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" smp"
+
+# Check whether --enable-sql was given.
+if test "${enable_sql+set}" = set; then :
+  enableval=$enable_sql; sql_given=true
+		if test x$enableval = xyes; then
+			sql=true
+		 else
+			sql=false
+		fi
+else
+  sql=false
+		sql_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" sql"
+
+# Check whether --enable-uci was given.
+if test "${enable_uci+set}" = set; then :
+  enableval=$enable_uci; uci_given=true
+		if test x$enableval = xyes; then
+			uci=true
+		 else
+			uci=false
+		fi
+else
+  uci=false
+		uci_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" uci"
+
+# attribute provider/consumer plugins
+# Check whether --enable-android-dns was given.
+if test "${enable_android_dns+set}" = set; then :
+  enableval=$enable_android_dns; android_dns_given=true
+		if test x$enableval = xyes; then
+			android_dns=true
+		 else
+			android_dns=false
+		fi
+else
+  android_dns=false
+		android_dns_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" android_dns"
+
+# Check whether --enable-attr was given.
+if test "${enable_attr+set}" = set; then :
+  enableval=$enable_attr; attr_given=true
+		if test x$enableval = xyes; then
+			attr=true
+		 else
+			attr=false
+		fi
+else
+  attr=true
+		attr_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" attr"
+
+# Check whether --enable-attr-sql was given.
+if test "${enable_attr_sql+set}" = set; then :
+  enableval=$enable_attr_sql; attr_sql_given=true
+		if test x$enableval = xyes; then
+			attr_sql=true
+		 else
+			attr_sql=false
+		fi
+else
+  attr_sql=false
+		attr_sql_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" attr_sql"
+
+# Check whether --enable-dhcp was given.
+if test "${enable_dhcp+set}" = set; then :
+  enableval=$enable_dhcp; dhcp_given=true
+		if test x$enableval = xyes; then
+			dhcp=true
+		 else
+			dhcp=false
+		fi
+else
+  dhcp=false
+		dhcp_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" dhcp"
+
+# Check whether --enable-osx-attr was given.
+if test "${enable_osx_attr+set}" = set; then :
+  enableval=$enable_osx_attr; osx_attr_given=true
+		if test x$enableval = xyes; then
+			osx_attr=true
+		 else
+			osx_attr=false
+		fi
+else
+  osx_attr=false
+		osx_attr_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" osx_attr"
+
+# Check whether --enable-resolve was given.
+if test "${enable_resolve+set}" = set; then :
+  enableval=$enable_resolve; resolve_given=true
+		if test x$enableval = xyes; then
+			resolve=true
+		 else
+			resolve=false
+		fi
+else
+  resolve=true
+		resolve_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" resolve"
+
+# Check whether --enable-unity was given.
+if test "${enable_unity+set}" = set; then :
+  enableval=$enable_unity; unity_given=true
+		if test x$enableval = xyes; then
+			unity=true
+		 else
+			unity=false
+		fi
+else
+  unity=false
+		unity_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" unity"
+
+# TNC modules/plugins
+# Check whether --enable-imc-test was given.
+if test "${enable_imc_test+set}" = set; then :
+  enableval=$enable_imc_test; imc_test_given=true
+		if test x$enableval = xyes; then
+			imc_test=true
+		 else
+			imc_test=false
+		fi
+else
+  imc_test=false
+		imc_test_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" imc_test"
 
 # Check whether --enable-imv-test was given.
 if test "${enable_imv_test+set}" = set; then :
@@ -5739,6 +6056,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" imv_test"
 
 # Check whether --enable-imc-scanner was given.
 if test "${enable_imc_scanner+set}" = set; then :
@@ -5754,6 +6072,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" imc_scanner"
 
 # Check whether --enable-imv-scanner was given.
 if test "${enable_imv_scanner+set}" = set; then :
@@ -5769,6 +6088,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" imv_scanner"
 
 # Check whether --enable-imc-os was given.
 if test "${enable_imc_os+set}" = set; then :
@@ -5784,6 +6104,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" imc_os"
 
 # Check whether --enable-imv-os was given.
 if test "${enable_imv_os+set}" = set; then :
@@ -5799,6 +6120,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" imv_os"
 
 # Check whether --enable-imc-attestation was given.
 if test "${enable_imc_attestation+set}" = set; then :
@@ -5814,6 +6136,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" imc_attestation"
 
 # Check whether --enable-imv-attestation was given.
 if test "${enable_imv_attestation+set}" = set; then :
@@ -5829,6 +6152,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" imv_attestation"
 
 # Check whether --enable-imc-swid was given.
 if test "${enable_imc_swid+set}" = set; then :
@@ -5844,6 +6168,7 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" imc_swid"
 
 # Check whether --enable-imv-swid was given.
 if test "${enable_imv_swid+set}" = set; then :
@@ -5859,329 +6184,344 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" imv_swid"
 
-# Check whether --enable-kernel-netlink was given.
-if test "${enable_kernel_netlink+set}" = set; then :
-  enableval=$enable_kernel_netlink; kernel_netlink_given=true
+# Check whether --enable-tnc-ifmap was given.
+if test "${enable_tnc_ifmap+set}" = set; then :
+  enableval=$enable_tnc_ifmap; tnc_ifmap_given=true
 		if test x$enableval = xyes; then
-			kernel_netlink=true
+			tnc_ifmap=true
 		 else
-			kernel_netlink=false
+			tnc_ifmap=false
 		fi
 else
-  kernel_netlink=true
-		kernel_netlink_given=false
+  tnc_ifmap=false
+		tnc_ifmap_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" kernel_netlink"
+	disabled_by_default=${disabled_by_default}" tnc_ifmap"
 
-# Check whether --enable-kernel-pfkey was given.
-if test "${enable_kernel_pfkey+set}" = set; then :
-  enableval=$enable_kernel_pfkey; kernel_pfkey_given=true
+# Check whether --enable-tnc-imc was given.
+if test "${enable_tnc_imc+set}" = set; then :
+  enableval=$enable_tnc_imc; tnc_imc_given=true
 		if test x$enableval = xyes; then
-			kernel_pfkey=true
+			tnc_imc=true
 		 else
-			kernel_pfkey=false
+			tnc_imc=false
 		fi
 else
-  kernel_pfkey=false
-		kernel_pfkey_given=false
+  tnc_imc=false
+		tnc_imc_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" tnc_imc"
 
-# Check whether --enable-kernel-pfroute was given.
-if test "${enable_kernel_pfroute+set}" = set; then :
-  enableval=$enable_kernel_pfroute; kernel_pfroute_given=true
+# Check whether --enable-tnc-imv was given.
+if test "${enable_tnc_imv+set}" = set; then :
+  enableval=$enable_tnc_imv; tnc_imv_given=true
 		if test x$enableval = xyes; then
-			kernel_pfroute=true
+			tnc_imv=true
 		 else
-			kernel_pfroute=false
+			tnc_imv=false
 		fi
 else
-  kernel_pfroute=false
-		kernel_pfroute_given=false
+  tnc_imv=false
+		tnc_imv_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" tnc_imv"
 
-# Check whether --enable-kernel-klips was given.
-if test "${enable_kernel_klips+set}" = set; then :
-  enableval=$enable_kernel_klips; kernel_klips_given=true
+# Check whether --enable-tnc-pdp was given.
+if test "${enable_tnc_pdp+set}" = set; then :
+  enableval=$enable_tnc_pdp; tnc_pdp_given=true
 		if test x$enableval = xyes; then
-			kernel_klips=true
+			tnc_pdp=true
 		 else
-			kernel_klips=false
+			tnc_pdp=false
 		fi
 else
-  kernel_klips=false
-		kernel_klips_given=false
+  tnc_pdp=false
+		tnc_pdp_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" tnc_pdp"
 
-# Check whether --enable-kernel-libipsec was given.
-if test "${enable_kernel_libipsec+set}" = set; then :
-  enableval=$enable_kernel_libipsec; kernel_libipsec_given=true
+# Check whether --enable-tnccs-11 was given.
+if test "${enable_tnccs_11+set}" = set; then :
+  enableval=$enable_tnccs_11; tnccs_11_given=true
 		if test x$enableval = xyes; then
-			kernel_libipsec=true
+			tnccs_11=true
 		 else
-			kernel_libipsec=false
+			tnccs_11=false
 		fi
 else
-  kernel_libipsec=false
-		kernel_libipsec_given=false
+  tnccs_11=false
+		tnccs_11_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" tnccs_11"
 
-# Check whether --enable-libipsec was given.
-if test "${enable_libipsec+set}" = set; then :
-  enableval=$enable_libipsec; libipsec_given=true
+# Check whether --enable-tnccs-20 was given.
+if test "${enable_tnccs_20+set}" = set; then :
+  enableval=$enable_tnccs_20; tnccs_20_given=true
 		if test x$enableval = xyes; then
-			libipsec=true
+			tnccs_20=true
 		 else
-			libipsec=false
+			tnccs_20=false
 		fi
 else
-  libipsec=false
-		libipsec_given=false
+  tnccs_20=false
+		tnccs_20_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" tnccs_20"
 
-# Check whether --enable-socket-default was given.
-if test "${enable_socket_default+set}" = set; then :
-  enableval=$enable_socket_default; socket_default_given=true
+# Check whether --enable-tnccs-dynamic was given.
+if test "${enable_tnccs_dynamic+set}" = set; then :
+  enableval=$enable_tnccs_dynamic; tnccs_dynamic_given=true
 		if test x$enableval = xyes; then
-			socket_default=true
+			tnccs_dynamic=true
 		 else
-			socket_default=false
+			tnccs_dynamic=false
 		fi
 else
-  socket_default=true
-		socket_default_given=false
+  tnccs_dynamic=false
+		tnccs_dynamic_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" socket_default"
+	disabled_by_default=${disabled_by_default}" tnccs_dynamic"
 
-# Check whether --enable-socket-dynamic was given.
-if test "${enable_socket_dynamic+set}" = set; then :
-  enableval=$enable_socket_dynamic; socket_dynamic_given=true
+# misc plugins
+# Check whether --enable-android-log was given.
+if test "${enable_android_log+set}" = set; then :
+  enableval=$enable_android_log; android_log_given=true
 		if test x$enableval = xyes; then
-			socket_dynamic=true
+			android_log=true
 		 else
-			socket_dynamic=false
+			android_log=false
 		fi
 else
-  socket_dynamic=false
-		socket_dynamic_given=false
+  android_log=false
+		android_log_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" android_log"
 
-# Check whether --enable-farp was given.
-if test "${enable_farp+set}" = set; then :
-  enableval=$enable_farp; farp_given=true
+# Check whether --enable-certexpire was given.
+if test "${enable_certexpire+set}" = set; then :
+  enableval=$enable_certexpire; certexpire_given=true
 		if test x$enableval = xyes; then
-			farp=true
+			certexpire=true
 		 else
-			farp=false
+			certexpire=false
 		fi
 else
-  farp=false
-		farp_given=false
+  certexpire=false
+		certexpire_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" certexpire"
 
-# Check whether --enable-dumm was given.
-if test "${enable_dumm+set}" = set; then :
-  enableval=$enable_dumm; dumm_given=true
+# Check whether --enable-duplicheck was given.
+if test "${enable_duplicheck+set}" = set; then :
+  enableval=$enable_duplicheck; duplicheck_given=true
 		if test x$enableval = xyes; then
-			dumm=true
+			duplicheck=true
 		 else
-			dumm=false
+			duplicheck=false
 		fi
 else
-  dumm=false
-		dumm_given=false
+  duplicheck=false
+		duplicheck_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" duplicheck"
 
-# Check whether --enable-fast was given.
-if test "${enable_fast+set}" = set; then :
-  enableval=$enable_fast; fast_given=true
+# Check whether --enable-error-notify was given.
+if test "${enable_error_notify+set}" = set; then :
+  enableval=$enable_error_notify; error_notify_given=true
 		if test x$enableval = xyes; then
-			fast=true
+			error_notify=true
 		 else
-			fast=false
+			error_notify=false
 		fi
 else
-  fast=false
-		fast_given=false
+  error_notify=false
+		error_notify_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" error_notify"
 
-# Check whether --enable-manager was given.
-if test "${enable_manager+set}" = set; then :
-  enableval=$enable_manager; manager_given=true
+# Check whether --enable-farp was given.
+if test "${enable_farp+set}" = set; then :
+  enableval=$enable_farp; farp_given=true
 		if test x$enableval = xyes; then
-			manager=true
+			farp=true
 		 else
-			manager=false
+			farp=false
 		fi
 else
-  manager=false
-		manager_given=false
+  farp=false
+		farp_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" farp"
 
-# Check whether --enable-mediation was given.
-if test "${enable_mediation+set}" = set; then :
-  enableval=$enable_mediation; mediation_given=true
+# Check whether --enable-ha was given.
+if test "${enable_ha+set}" = set; then :
+  enableval=$enable_ha; ha_given=true
 		if test x$enableval = xyes; then
-			mediation=true
+			ha=true
 		 else
-			mediation=false
+			ha=false
 		fi
 else
-  mediation=false
-		mediation_given=false
+  ha=false
+		ha_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" ha"
 
-# Check whether --enable-integrity-test was given.
-if test "${enable_integrity_test+set}" = set; then :
-  enableval=$enable_integrity_test; integrity_test_given=true
+# Check whether --enable-led was given.
+if test "${enable_led+set}" = set; then :
+  enableval=$enable_led; led_given=true
 		if test x$enableval = xyes; then
-			integrity_test=true
+			led=true
 		 else
-			integrity_test=false
+			led=false
 		fi
 else
-  integrity_test=false
-		integrity_test_given=false
+  led=false
+		led_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" led"
 
-# Check whether --enable-load-warning was given.
-if test "${enable_load_warning+set}" = set; then :
-  enableval=$enable_load_warning; load_warning_given=true
+# Check whether --enable-load-tester was given.
+if test "${enable_load_tester+set}" = set; then :
+  enableval=$enable_load_tester; load_tester_given=true
 		if test x$enableval = xyes; then
-			load_warning=true
+			load_tester=true
 		 else
-			load_warning=false
+			load_tester=false
 		fi
 else
-  load_warning=true
-		load_warning_given=false
+  load_tester=false
+		load_tester_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" load_warning"
+	disabled_by_default=${disabled_by_default}" load_tester"
 
-# Check whether --enable-ikev1 was given.
-if test "${enable_ikev1+set}" = set; then :
-  enableval=$enable_ikev1; ikev1_given=true
+# Check whether --enable-lookip was given.
+if test "${enable_lookip+set}" = set; then :
+  enableval=$enable_lookip; lookip_given=true
 		if test x$enableval = xyes; then
-			ikev1=true
+			lookip=true
 		 else
-			ikev1=false
+			lookip=false
 		fi
 else
-  ikev1=true
-		ikev1_given=false
+  lookip=false
+		lookip_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" ikev1"
+	disabled_by_default=${disabled_by_default}" lookip"
 
-# Check whether --enable-ikev2 was given.
-if test "${enable_ikev2+set}" = set; then :
-  enableval=$enable_ikev2; ikev2_given=true
+# Check whether --enable-maemo was given.
+if test "${enable_maemo+set}" = set; then :
+  enableval=$enable_maemo; maemo_given=true
 		if test x$enableval = xyes; then
-			ikev2=true
+			maemo=true
 		 else
-			ikev2=false
+			maemo=false
 		fi
 else
-  ikev2=true
-		ikev2_given=false
+  maemo=false
+		maemo_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" ikev2"
+	disabled_by_default=${disabled_by_default}" maemo"
 
-# Check whether --enable-charon was given.
-if test "${enable_charon+set}" = set; then :
-  enableval=$enable_charon; charon_given=true
+# Check whether --enable-radattr was given.
+if test "${enable_radattr+set}" = set; then :
+  enableval=$enable_radattr; radattr_given=true
 		if test x$enableval = xyes; then
-			charon=true
+			radattr=true
 		 else
-			charon=false
+			radattr=false
 		fi
 else
-  charon=true
-		charon_given=false
+  radattr=false
+		radattr_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" charon"
+	disabled_by_default=${disabled_by_default}" radattr"
 
-# Check whether --enable-tools was given.
-if test "${enable_tools+set}" = set; then :
-  enableval=$enable_tools; tools_given=true
+# Check whether --enable-systime-fix was given.
+if test "${enable_systime_fix+set}" = set; then :
+  enableval=$enable_systime_fix; systime_fix_given=true
 		if test x$enableval = xyes; then
-			tools=true
+			systime_fix=true
 		 else
-			tools=false
+			systime_fix=false
 		fi
 else
-  tools=true
-		tools_given=false
+  systime_fix=false
+		systime_fix_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" tools"
+	disabled_by_default=${disabled_by_default}" systime_fix"
 
-# Check whether --enable-scripts was given.
-if test "${enable_scripts+set}" = set; then :
-  enableval=$enable_scripts; scripts_given=true
+# Check whether --enable-test-vectors was given.
+if test "${enable_test_vectors+set}" = set; then :
+  enableval=$enable_test_vectors; test_vectors_given=true
 		if test x$enableval = xyes; then
-			scripts=true
+			test_vectors=true
 		 else
-			scripts=false
+			test_vectors=false
 		fi
 else
-  scripts=true
-		scripts_given=false
+  test_vectors=false
+		test_vectors_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" scripts"
+	disabled_by_default=${disabled_by_default}" test_vectors"
 
-# Check whether --enable-conftest was given.
-if test "${enable_conftest+set}" = set; then :
-  enableval=$enable_conftest; conftest_given=true
+# Check whether --enable-unit-tester was given.
+if test "${enable_unit_tester+set}" = set; then :
+  enableval=$enable_unit_tester; unit_tester_given=true
 		if test x$enableval = xyes; then
-			conftest=true
+			unit_tester=true
 		 else
-			conftest=false
+			unit_tester=false
 		fi
 else
-  conftest=false
-		conftest_given=false
+  unit_tester=false
+		unit_tester_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" unit_tester"
 
 # Check whether --enable-updown was given.
 if test "${enable_updown+set}" = set; then :
@@ -6199,532 +6539,311 @@ fi
 
 	enabled_by_default=${enabled_by_default}" updown"
 
-# Check whether --enable-attr was given.
-if test "${enable_attr+set}" = set; then :
-  enableval=$enable_attr; attr_given=true
+# programs/components
+# Check whether --enable-charon was given.
+if test "${enable_charon+set}" = set; then :
+  enableval=$enable_charon; charon_given=true
 		if test x$enableval = xyes; then
-			attr=true
+			charon=true
 		 else
-			attr=false
+			charon=false
 		fi
 else
-  attr=true
-		attr_given=false
+  charon=true
+		charon_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" attr"
+	enabled_by_default=${enabled_by_default}" charon"
 
-# Check whether --enable-attr-sql was given.
-if test "${enable_attr_sql+set}" = set; then :
-  enableval=$enable_attr_sql; attr_sql_given=true
+# Check whether --enable-cmd was given.
+if test "${enable_cmd+set}" = set; then :
+  enableval=$enable_cmd; cmd_given=true
 		if test x$enableval = xyes; then
-			attr_sql=true
+			cmd=true
 		 else
-			attr_sql=false
+			cmd=false
 		fi
 else
-  attr_sql=false
-		attr_sql_given=false
+  cmd=false
+		cmd_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" cmd"
 
-# Check whether --enable-dhcp was given.
-if test "${enable_dhcp+set}" = set; then :
-  enableval=$enable_dhcp; dhcp_given=true
+# Check whether --enable-conftest was given.
+if test "${enable_conftest+set}" = set; then :
+  enableval=$enable_conftest; conftest_given=true
 		if test x$enableval = xyes; then
-			dhcp=true
+			conftest=true
 		 else
-			dhcp=false
+			conftest=false
 		fi
 else
-  dhcp=false
-		dhcp_given=false
-
-fi
-
-
-# Check whether --enable-resolve was given.
-if test "${enable_resolve+set}" = set; then :
-  enableval=$enable_resolve; resolve_given=true
-		if test x$enableval = xyes; then
-			resolve=true
-		 else
-			resolve=false
-		fi
-else
-  resolve=true
-		resolve_given=false
-
-fi
-
-	enabled_by_default=${enabled_by_default}" resolve"
-
-# Check whether --enable-padlock was given.
-if test "${enable_padlock+set}" = set; then :
-  enableval=$enable_padlock; padlock_given=true
-		if test x$enableval = xyes; then
-			padlock=true
-		 else
-			padlock=false
-		fi
-else
-  padlock=false
-		padlock_given=false
-
-fi
-
-
-# Check whether --enable-openssl was given.
-if test "${enable_openssl+set}" = set; then :
-  enableval=$enable_openssl; openssl_given=true
-		if test x$enableval = xyes; then
-			openssl=true
-		 else
-			openssl=false
-		fi
-else
-  openssl=false
-		openssl_given=false
-
-fi
-
-
-# Check whether --enable-gcrypt was given.
-if test "${enable_gcrypt+set}" = set; then :
-  enableval=$enable_gcrypt; gcrypt_given=true
-		if test x$enableval = xyes; then
-			gcrypt=true
-		 else
-			gcrypt=false
-		fi
-else
-  gcrypt=false
-		gcrypt_given=false
-
-fi
-
-
-# Check whether --enable-agent was given.
-if test "${enable_agent+set}" = set; then :
-  enableval=$enable_agent; agent_given=true
-		if test x$enableval = xyes; then
-			agent=true
-		 else
-			agent=false
-		fi
-else
-  agent=false
-		agent_given=false
-
-fi
-
-
-# Check whether --enable-keychain was given.
-if test "${enable_keychain+set}" = set; then :
-  enableval=$enable_keychain; keychain_given=true
-		if test x$enableval = xyes; then
-			keychain=true
-		 else
-			keychain=false
-		fi
-else
-  keychain=false
-		keychain_given=false
-
-fi
-
-
-# Check whether --enable-pkcs11 was given.
-if test "${enable_pkcs11+set}" = set; then :
-  enableval=$enable_pkcs11; pkcs11_given=true
-		if test x$enableval = xyes; then
-			pkcs11=true
-		 else
-			pkcs11=false
-		fi
-else
-  pkcs11=false
-		pkcs11_given=false
-
-fi
-
-
-# Check whether --enable-ctr was given.
-if test "${enable_ctr+set}" = set; then :
-  enableval=$enable_ctr; ctr_given=true
-		if test x$enableval = xyes; then
-			ctr=true
-		 else
-			ctr=false
-		fi
-else
-  ctr=false
-		ctr_given=false
-
-fi
-
-
-# Check whether --enable-ccm was given.
-if test "${enable_ccm+set}" = set; then :
-  enableval=$enable_ccm; ccm_given=true
-		if test x$enableval = xyes; then
-			ccm=true
-		 else
-			ccm=false
-		fi
-else
-  ccm=false
-		ccm_given=false
-
-fi
-
-
-# Check whether --enable-gcm was given.
-if test "${enable_gcm+set}" = set; then :
-  enableval=$enable_gcm; gcm_given=true
-		if test x$enableval = xyes; then
-			gcm=true
-		 else
-			gcm=false
-		fi
-else
-  gcm=false
-		gcm_given=false
-
-fi
-
-
-# Check whether --enable-ntru was given.
-if test "${enable_ntru+set}" = set; then :
-  enableval=$enable_ntru; ntru_given=true
-		if test x$enableval = xyes; then
-			ntru=true
-		 else
-			ntru=false
-		fi
-else
-  ntru=false
-		ntru_given=false
-
-fi
-
-
-# Check whether --enable-addrblock was given.
-if test "${enable_addrblock+set}" = set; then :
-  enableval=$enable_addrblock; addrblock_given=true
-		if test x$enableval = xyes; then
-			addrblock=true
-		 else
-			addrblock=false
-		fi
-else
-  addrblock=false
-		addrblock_given=false
-
-fi
-
-
-# Check whether --enable-unity was given.
-if test "${enable_unity+set}" = set; then :
-  enableval=$enable_unity; unity_given=true
-		if test x$enableval = xyes; then
-			unity=true
-		 else
-			unity=false
-		fi
-else
-  unity=false
-		unity_given=false
-
-fi
-
-
-# Check whether --enable-uci was given.
-if test "${enable_uci+set}" = set; then :
-  enableval=$enable_uci; uci_given=true
-		if test x$enableval = xyes; then
-			uci=true
-		 else
-			uci=false
-		fi
-else
-  uci=false
-		uci_given=false
-
-fi
-
-
-# Check whether --enable-osx-attr was given.
-if test "${enable_osx_attr+set}" = set; then :
-  enableval=$enable_osx_attr; osx_attr_given=true
-		if test x$enableval = xyes; then
-			osx_attr=true
-		 else
-			osx_attr=false
-		fi
-else
-  osx_attr=false
-		osx_attr_given=false
-
-fi
-
-
-# Check whether --enable-android-dns was given.
-if test "${enable_android_dns+set}" = set; then :
-  enableval=$enable_android_dns; android_dns_given=true
-		if test x$enableval = xyes; then
-			android_dns=true
-		 else
-			android_dns=false
-		fi
-else
-  android_dns=false
-		android_dns_given=false
+  conftest=false
+		conftest_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" conftest"
 
-# Check whether --enable-android-log was given.
-if test "${enable_android_log+set}" = set; then :
-  enableval=$enable_android_log; android_log_given=true
+# Check whether --enable-dumm was given.
+if test "${enable_dumm+set}" = set; then :
+  enableval=$enable_dumm; dumm_given=true
 		if test x$enableval = xyes; then
-			android_log=true
+			dumm=true
 		 else
-			android_log=false
+			dumm=false
 		fi
 else
-  android_log=false
-		android_log_given=false
+  dumm=false
+		dumm_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" dumm"
 
-# Check whether --enable-maemo was given.
-if test "${enable_maemo+set}" = set; then :
-  enableval=$enable_maemo; maemo_given=true
+# Check whether --enable-fast was given.
+if test "${enable_fast+set}" = set; then :
+  enableval=$enable_fast; fast_given=true
 		if test x$enableval = xyes; then
-			maemo=true
+			fast=true
 		 else
-			maemo=false
+			fast=false
 		fi
 else
-  maemo=false
-		maemo_given=false
+  fast=false
+		fast_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" fast"
 
-# Check whether --enable-nm was given.
-if test "${enable_nm+set}" = set; then :
-  enableval=$enable_nm; nm_given=true
+# Check whether --enable-libipsec was given.
+if test "${enable_libipsec+set}" = set; then :
+  enableval=$enable_libipsec; libipsec_given=true
 		if test x$enableval = xyes; then
-			nm=true
+			libipsec=true
 		 else
-			nm=false
+			libipsec=false
 		fi
-else
-  nm=false
-		nm_given=false
+else
+  libipsec=false
+		libipsec_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" libipsec"
 
-# Check whether --enable-ha was given.
-if test "${enable_ha+set}" = set; then :
-  enableval=$enable_ha; ha_given=true
+# Check whether --enable-manager was given.
+if test "${enable_manager+set}" = set; then :
+  enableval=$enable_manager; manager_given=true
 		if test x$enableval = xyes; then
-			ha=true
+			manager=true
 		 else
-			ha=false
+			manager=false
 		fi
 else
-  ha=false
-		ha_given=false
+  manager=false
+		manager_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" manager"
 
-# Check whether --enable-whitelist was given.
-if test "${enable_whitelist+set}" = set; then :
-  enableval=$enable_whitelist; whitelist_given=true
+# Check whether --enable-medcli was given.
+if test "${enable_medcli+set}" = set; then :
+  enableval=$enable_medcli; medcli_given=true
 		if test x$enableval = xyes; then
-			whitelist=true
+			medcli=true
 		 else
-			whitelist=false
+			medcli=false
 		fi
 else
-  whitelist=false
-		whitelist_given=false
+  medcli=false
+		medcli_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" medcli"
 
-# Check whether --enable-lookip was given.
-if test "${enable_lookip+set}" = set; then :
-  enableval=$enable_lookip; lookip_given=true
+# Check whether --enable-medsrv was given.
+if test "${enable_medsrv+set}" = set; then :
+  enableval=$enable_medsrv; medsrv_given=true
 		if test x$enableval = xyes; then
-			lookip=true
+			medsrv=true
 		 else
-			lookip=false
+			medsrv=false
 		fi
 else
-  lookip=false
-		lookip_given=false
+  medsrv=false
+		medsrv_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" medsrv"
 
-# Check whether --enable-error-notify was given.
-if test "${enable_error_notify+set}" = set; then :
-  enableval=$enable_error_notify; error_notify_given=true
+# Check whether --enable-nm was given.
+if test "${enable_nm+set}" = set; then :
+  enableval=$enable_nm; nm_given=true
 		if test x$enableval = xyes; then
-			error_notify=true
+			nm=true
 		 else
-			error_notify=false
+			nm=false
 		fi
 else
-  error_notify=false
-		error_notify_given=false
+  nm=false
+		nm_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" nm"
 
-# Check whether --enable-certexpire was given.
-if test "${enable_certexpire+set}" = set; then :
-  enableval=$enable_certexpire; certexpire_given=true
+# Check whether --enable-scripts was given.
+if test "${enable_scripts+set}" = set; then :
+  enableval=$enable_scripts; scripts_given=true
 		if test x$enableval = xyes; then
-			certexpire=true
+			scripts=true
 		 else
-			certexpire=false
+			scripts=false
 		fi
 else
-  certexpire=false
-		certexpire_given=false
+  scripts=true
+		scripts_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" scripts"
 
-# Check whether --enable-systime-fix was given.
-if test "${enable_systime_fix+set}" = set; then :
-  enableval=$enable_systime_fix; systime_fix_given=true
+# Check whether --enable-tkm was given.
+if test "${enable_tkm+set}" = set; then :
+  enableval=$enable_tkm; tkm_given=true
 		if test x$enableval = xyes; then
-			systime_fix=true
+			tkm=true
 		 else
-			systime_fix=false
+			tkm=false
 		fi
 else
-  systime_fix=false
-		systime_fix_given=false
+  tkm=false
+		tkm_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" tkm"
 
-# Check whether --enable-led was given.
-if test "${enable_led+set}" = set; then :
-  enableval=$enable_led; led_given=true
+# Check whether --enable-tools was given.
+if test "${enable_tools+set}" = set; then :
+  enableval=$enable_tools; tools_given=true
 		if test x$enableval = xyes; then
-			led=true
+			tools=true
 		 else
-			led=false
+			tools=false
 		fi
 else
-  led=false
-		led_given=false
+  tools=true
+		tools_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" tools"
 
-# Check whether --enable-duplicheck was given.
-if test "${enable_duplicheck+set}" = set; then :
-  enableval=$enable_duplicheck; duplicheck_given=true
+# optional features
+# Check whether --enable-bfd-backtraces was given.
+if test "${enable_bfd_backtraces+set}" = set; then :
+  enableval=$enable_bfd_backtraces; bfd_backtraces_given=true
 		if test x$enableval = xyes; then
-			duplicheck=true
+			bfd_backtraces=true
 		 else
-			duplicheck=false
+			bfd_backtraces=false
 		fi
 else
-  duplicheck=false
-		duplicheck_given=false
+  bfd_backtraces=false
+		bfd_backtraces_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" bfd_backtraces"
 
-# Check whether --enable-coupling was given.
-if test "${enable_coupling+set}" = set; then :
-  enableval=$enable_coupling; coupling_given=true
+# Check whether --enable-ikev1 was given.
+if test "${enable_ikev1+set}" = set; then :
+  enableval=$enable_ikev1; ikev1_given=true
 		if test x$enableval = xyes; then
-			coupling=true
+			ikev1=true
 		 else
-			coupling=false
+			ikev1=false
 		fi
 else
-  coupling=false
-		coupling_given=false
+  ikev1=true
+		ikev1_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" ikev1"
 
-# Check whether --enable-radattr was given.
-if test "${enable_radattr+set}" = set; then :
-  enableval=$enable_radattr; radattr_given=true
+# Check whether --enable-ikev2 was given.
+if test "${enable_ikev2+set}" = set; then :
+  enableval=$enable_ikev2; ikev2_given=true
 		if test x$enableval = xyes; then
-			radattr=true
+			ikev2=true
 		 else
-			radattr=false
+			ikev2=false
 		fi
 else
-  radattr=false
-		radattr_given=false
+  ikev2=true
+		ikev2_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" ikev2"
 
-# Check whether --enable-vstr was given.
-if test "${enable_vstr+set}" = set; then :
-  enableval=$enable_vstr; vstr_given=true
+# Check whether --enable-integrity-test was given.
+if test "${enable_integrity_test+set}" = set; then :
+  enableval=$enable_integrity_test; integrity_test_given=true
 		if test x$enableval = xyes; then
-			vstr=true
+			integrity_test=true
 		 else
-			vstr=false
+			integrity_test=false
 		fi
 else
-  vstr=false
-		vstr_given=false
+  integrity_test=false
+		integrity_test_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" integrity_test"
 
-# Check whether --enable-monolithic was given.
-if test "${enable_monolithic+set}" = set; then :
-  enableval=$enable_monolithic; monolithic_given=true
+# Check whether --enable-load-warning was given.
+if test "${enable_load_warning+set}" = set; then :
+  enableval=$enable_load_warning; load_warning_given=true
 		if test x$enableval = xyes; then
-			monolithic=true
+			load_warning=true
 		 else
-			monolithic=false
+			load_warning=false
 		fi
 else
-  monolithic=false
-		monolithic_given=false
+  load_warning=true
+		load_warning_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" load_warning"
 
-# Check whether --enable-bfd-backtraces was given.
-if test "${enable_bfd_backtraces+set}" = set; then :
-  enableval=$enable_bfd_backtraces; bfd_backtraces_given=true
+# Check whether --enable-mediation was given.
+if test "${enable_mediation+set}" = set; then :
+  enableval=$enable_mediation; mediation_given=true
 		if test x$enableval = xyes; then
-			bfd_backtraces=true
+			mediation=true
 		 else
-			bfd_backtraces=false
+			mediation=false
 		fi
 else
-  bfd_backtraces=false
-		bfd_backtraces_given=false
+  mediation=false
+		mediation_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" mediation"
 
 # Check whether --enable-unwind-backtraces was given.
 if test "${enable_unwind_backtraces+set}" = set; then :
@@ -6740,7 +6859,9 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" unwind_backtraces"
 
+# compile options
 # Check whether --enable-coverage was given.
 if test "${enable_coverage+set}" = set; then :
   enableval=$enable_coverage; coverage_given=true
@@ -6755,36 +6876,55 @@ else
 
 fi
 
+	disabled_by_default=${disabled_by_default}" coverage"
 
-# Check whether --enable-tkm was given.
-if test "${enable_tkm+set}" = set; then :
-  enableval=$enable_tkm; tkm_given=true
+# Check whether --enable-leak-detective was given.
+if test "${enable_leak_detective+set}" = set; then :
+  enableval=$enable_leak_detective; leak_detective_given=true
 		if test x$enableval = xyes; then
-			tkm=true
+			leak_detective=true
 		 else
-			tkm=false
+			leak_detective=false
 		fi
 else
-  tkm=false
-		tkm_given=false
+  leak_detective=false
+		leak_detective_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" leak_detective"
 
-# Check whether --enable-cmd was given.
-if test "${enable_cmd+set}" = set; then :
-  enableval=$enable_cmd; cmd_given=true
+# Check whether --enable-lock-profiler was given.
+if test "${enable_lock_profiler+set}" = set; then :
+  enableval=$enable_lock_profiler; lock_profiler_given=true
 		if test x$enableval = xyes; then
-			cmd=true
+			lock_profiler=true
 		 else
-			cmd=false
+			lock_profiler=false
 		fi
 else
-  cmd=false
-		cmd_given=false
+  lock_profiler=false
+		lock_profiler_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" lock_profiler"
+
+# Check whether --enable-monolithic was given.
+if test "${enable_monolithic+set}" = set; then :
+  enableval=$enable_monolithic; monolithic_given=true
+		if test x$enableval = xyes; then
+			monolithic=true
+		 else
+			monolithic=false
+		fi
+else
+  monolithic=false
+		monolithic_given=false
 
 fi
 
+	disabled_by_default=${disabled_by_default}" monolithic"
 
 
 # ===================================
@@ -6811,7 +6951,35 @@ fi
 if test x$defaults = xfalse; then
 	for option in $enabled_by_default; do
 		eval test x\${${option}_given} = xtrue && continue
-		let $option=false
+		eval $option=false
+	done
+fi
+
+# ==============================
+#  option to enable all options
+# ==============================
+
+# Check whether --enable-all was given.
+if test "${enable_all+set}" = set; then :
+  enableval=$enable_all; all_given=true
+		if test x$enableval = xyes; then
+			all=true
+		 else
+			all=false
+		fi
+else
+  all=false
+		all_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" all"
+
+
+if test x$all_given = xtrue; then
+	for option in $disabled_by_default; do
+		eval test x\${${option}_given} = xtrue && continue
+		eval $option=true
 	done
 fi
 
@@ -17646,6 +17814,7 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 		CFLAGS="$save_CFLAGS"
 
+
 fi
 
 
@@ -17948,9 +18117,20 @@ rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
 fi
 
 
-# check for the new register_printf_specifier function with len argument,
-# or the deprecated register_printf_function without
-ac_fn_c_check_func "$LINENO" "register_printf_specifier" "ac_cv_func_register_printf_specifier"
+case "$printf_hooks" in
+auto|builtin|glibc|vstr)
+	;;
+*)
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: invalid printf hook implementation, defaulting to 'auto'" >&5
+$as_echo "$as_me: invalid printf hook implementation, defaulting to 'auto'" >&6;}
+	printf_hooks=auto
+	;;
+esac
+
+if test x$printf_hooks = xauto -o x$printf_hooks = xglibc; then
+	# check for the new register_printf_specifier function with len argument,
+	# or the deprecated register_printf_function without
+	ac_fn_c_check_func "$LINENO" "register_printf_specifier" "ac_cv_func_register_printf_specifier"
 if test "x$ac_cv_func_register_printf_specifier" = xyes; then :
 
 $as_echo "#define HAVE_PRINTF_SPECIFIER /**/" >>confdefs.h
@@ -17963,9 +18143,14 @@ $as_echo "#define HAVE_PRINTF_FUNCTION /**/" >>confdefs.h
 
 else
 
-			{ $as_echo "$as_me:${as_lineno-$LINENO}: printf does not support custom format specifiers!" >&5
-$as_echo "$as_me: printf does not support custom format specifiers!" >&6;}
-			builtin_printf=true
+				{ $as_echo "$as_me:${as_lineno-$LINENO}: printf(3) does not support custom format specifiers!" >&5
+$as_echo "$as_me: printf(3) does not support custom format specifiers!" >&6;}
+				if test x$printf_hooks = xglibc; then
+					as_fn_error $? "please select a different printf hook implementation" "$LINENO" 5
+				else
+					# fallback to builtin printf hook implementation
+					printf_hooks=builtin
+				fi
 
 
 fi
@@ -17973,8 +18158,9 @@ fi
 
 fi
 
+fi
 
-if test x$vstr = xtrue; then
+if test x$printf_hooks = xvstr; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lvstr" >&5
 $as_echo_n "checking for main in -lvstr... " >&6; }
 if ${ac_cv_lib_vstr_main+:} false; then :
@@ -18014,10 +18200,9 @@ fi
 
 $as_echo "#define USE_VSTR /**/" >>confdefs.h
 
-	builtin_printf=false
 fi
 
-if test x$builtin_printf = xtrue; then
+if test x$printf_hooks = xbuiltin; then
 
 $as_echo "#define USE_BUILTIN_PRINTF /**/" >>confdefs.h
 
@@ -20162,7 +20347,6 @@ charon_plugins=
 starter_plugins=
 pool_plugins=
 attest_plugins=
-openac_plugins=
 scepclient_plugins=
 pki_plugins=
 scripts_plugins=
@@ -20181,7 +20365,6 @@ t_plugins=
 if test x$test_vectors = xtrue; then
 		s_plugins=${s_plugins}" test-vectors"
 		charon_plugins=${charon_plugins}" test-vectors"
-		openac_plugins=${openac_plugins}" test-vectors"
 		scepclient_plugins=${scepclient_plugins}" test-vectors"
 		pki_plugins=${pki_plugins}" test-vectors"
 
@@ -20255,7 +20438,6 @@ if test x$pkcs11 = xtrue; then
 if test x$aes = xtrue; then
 		s_plugins=${s_plugins}" aes"
 		charon_plugins=${charon_plugins}" aes"
-		openac_plugins=${openac_plugins}" aes"
 		scepclient_plugins=${scepclient_plugins}" aes"
 		pki_plugins=${pki_plugins}" aes"
 		scripts_plugins=${scripts_plugins}" aes"
@@ -20267,7 +20449,6 @@ if test x$aes = xtrue; then
 if test x$des = xtrue; then
 		s_plugins=${s_plugins}" des"
 		charon_plugins=${charon_plugins}" des"
-		openac_plugins=${openac_plugins}" des"
 		scepclient_plugins=${scepclient_plugins}" des"
 		pki_plugins=${pki_plugins}" des"
 		scripts_plugins=${scripts_plugins}" des"
@@ -20279,7 +20460,6 @@ if test x$des = xtrue; then
 if test x$blowfish = xtrue; then
 		s_plugins=${s_plugins}" blowfish"
 		charon_plugins=${charon_plugins}" blowfish"
-		openac_plugins=${openac_plugins}" blowfish"
 		scepclient_plugins=${scepclient_plugins}" blowfish"
 		pki_plugins=${pki_plugins}" blowfish"
 		scripts_plugins=${scripts_plugins}" blowfish"
@@ -20291,7 +20471,6 @@ if test x$blowfish = xtrue; then
 if test x$rc2 = xtrue; then
 		s_plugins=${s_plugins}" rc2"
 		charon_plugins=${charon_plugins}" rc2"
-		openac_plugins=${openac_plugins}" rc2"
 		scepclient_plugins=${scepclient_plugins}" rc2"
 		pki_plugins=${pki_plugins}" rc2"
 		scripts_plugins=${scripts_plugins}" rc2"
@@ -20303,7 +20482,6 @@ if test x$rc2 = xtrue; then
 if test x$sha1 = xtrue; then
 		s_plugins=${s_plugins}" sha1"
 		charon_plugins=${charon_plugins}" sha1"
-		openac_plugins=${openac_plugins}" sha1"
 		scepclient_plugins=${scepclient_plugins}" sha1"
 		pki_plugins=${pki_plugins}" sha1"
 		scripts_plugins=${scripts_plugins}" sha1"
@@ -20317,7 +20495,6 @@ if test x$sha1 = xtrue; then
 if test x$sha2 = xtrue; then
 		s_plugins=${s_plugins}" sha2"
 		charon_plugins=${charon_plugins}" sha2"
-		openac_plugins=${openac_plugins}" sha2"
 		scepclient_plugins=${scepclient_plugins}" sha2"
 		pki_plugins=${pki_plugins}" sha2"
 		scripts_plugins=${scripts_plugins}" sha2"
@@ -20331,7 +20508,6 @@ if test x$sha2 = xtrue; then
 if test x$md4 = xtrue; then
 		s_plugins=${s_plugins}" md4"
 		charon_plugins=${charon_plugins}" md4"
-		openac_plugins=${openac_plugins}" md4"
 		manager_plugins=${manager_plugins}" md4"
 		scepclient_plugins=${scepclient_plugins}" md4"
 		pki_plugins=${pki_plugins}" md4"
@@ -20343,7 +20519,6 @@ if test x$md4 = xtrue; then
 if test x$md5 = xtrue; then
 		s_plugins=${s_plugins}" md5"
 		charon_plugins=${charon_plugins}" md5"
-		openac_plugins=${openac_plugins}" md5"
 		scepclient_plugins=${scepclient_plugins}" md5"
 		pki_plugins=${pki_plugins}" md5"
 		scripts_plugins=${scripts_plugins}" md5"
@@ -20356,7 +20531,6 @@ if test x$md5 = xtrue; then
 if test x$rdrand = xtrue; then
 		s_plugins=${s_plugins}" rdrand"
 		charon_plugins=${charon_plugins}" rdrand"
-		openac_plugins=${openac_plugins}" rdrand"
 		scepclient_plugins=${scepclient_plugins}" rdrand"
 		pki_plugins=${pki_plugins}" rdrand"
 		scripts_plugins=${scripts_plugins}" rdrand"
@@ -20370,7 +20544,6 @@ if test x$rdrand = xtrue; then
 if test x$random = xtrue; then
 		s_plugins=${s_plugins}" random"
 		charon_plugins=${charon_plugins}" random"
-		openac_plugins=${openac_plugins}" random"
 		scepclient_plugins=${scepclient_plugins}" random"
 		pki_plugins=${pki_plugins}" random"
 		scripts_plugins=${scripts_plugins}" random"
@@ -20392,7 +20565,6 @@ if test x$nonce = xtrue; then
 if test x$x509 = xtrue; then
 		s_plugins=${s_plugins}" x509"
 		charon_plugins=${charon_plugins}" x509"
-		openac_plugins=${openac_plugins}" x509"
 		scepclient_plugins=${scepclient_plugins}" x509"
 		pki_plugins=${pki_plugins}" x509"
 		scripts_plugins=${scripts_plugins}" x509"
@@ -20418,6 +20590,12 @@ if test x$constraints = xtrue; then
 
 	fi
 
+if test x$acert = xtrue; then
+		s_plugins=${s_plugins}" acert"
+		charon_plugins=${charon_plugins}" acert"
+
+	fi
+
 if test x$pubkey = xtrue; then
 		s_plugins=${s_plugins}" pubkey"
 		charon_plugins=${charon_plugins}" pubkey"
@@ -20428,7 +20606,6 @@ if test x$pubkey = xtrue; then
 if test x$pkcs1 = xtrue; then
 		s_plugins=${s_plugins}" pkcs1"
 		charon_plugins=${charon_plugins}" pkcs1"
-		openac_plugins=${openac_plugins}" pkcs1"
 		scepclient_plugins=${scepclient_plugins}" pkcs1"
 		pki_plugins=${pki_plugins}" pkcs1"
 		scripts_plugins=${scripts_plugins}" pkcs1"
@@ -20454,7 +20631,6 @@ if test x$pkcs7 = xtrue; then
 if test x$pkcs8 = xtrue; then
 		s_plugins=${s_plugins}" pkcs8"
 		charon_plugins=${charon_plugins}" pkcs8"
-		openac_plugins=${openac_plugins}" pkcs8"
 		scepclient_plugins=${scepclient_plugins}" pkcs8"
 		pki_plugins=${pki_plugins}" pkcs8"
 		scripts_plugins=${scripts_plugins}" pkcs8"
@@ -20513,7 +20689,6 @@ if test x$ipseckey = xtrue; then
 if test x$pem = xtrue; then
 		s_plugins=${s_plugins}" pem"
 		charon_plugins=${charon_plugins}" pem"
-		openac_plugins=${openac_plugins}" pem"
 		scepclient_plugins=${scepclient_plugins}" pem"
 		pki_plugins=${pki_plugins}" pem"
 		scripts_plugins=${scripts_plugins}" pem"
@@ -20534,7 +20709,6 @@ if test x$padlock = xtrue; then
 if test x$openssl = xtrue; then
 		s_plugins=${s_plugins}" openssl"
 		charon_plugins=${charon_plugins}" openssl"
-		openac_plugins=${openac_plugins}" openssl"
 		scepclient_plugins=${scepclient_plugins}" openssl"
 		pki_plugins=${pki_plugins}" openssl"
 		scripts_plugins=${scripts_plugins}" openssl"
@@ -20549,7 +20723,6 @@ if test x$openssl = xtrue; then
 if test x$gcrypt = xtrue; then
 		s_plugins=${s_plugins}" gcrypt"
 		charon_plugins=${charon_plugins}" gcrypt"
-		openac_plugins=${openac_plugins}" gcrypt"
 		scepclient_plugins=${scepclient_plugins}" gcrypt"
 		pki_plugins=${pki_plugins}" gcrypt"
 		scripts_plugins=${scripts_plugins}" gcrypt"
@@ -20564,7 +20737,6 @@ if test x$gcrypt = xtrue; then
 if test x$af_alg = xtrue; then
 		s_plugins=${s_plugins}" af-alg"
 		charon_plugins=${charon_plugins}" af-alg"
-		openac_plugins=${openac_plugins}" af-alg"
 		scepclient_plugins=${scepclient_plugins}" af-alg"
 		pki_plugins=${pki_plugins}" af-alg"
 		scripts_plugins=${scripts_plugins}" af-alg"
@@ -20586,7 +20758,6 @@ if test x$fips_prf = xtrue; then
 if test x$gmp = xtrue; then
 		s_plugins=${s_plugins}" gmp"
 		charon_plugins=${charon_plugins}" gmp"
-		openac_plugins=${openac_plugins}" gmp"
 		scepclient_plugins=${scepclient_plugins}" gmp"
 		pki_plugins=${pki_plugins}" gmp"
 		scripts_plugins=${scripts_plugins}" gmp"
@@ -21125,7 +21296,6 @@ if test x$unit_tester = xtrue; then
 
 
 
-
 # ======================
 #  set Makefile.am vars
 # ======================
@@ -21300,6 +21470,14 @@ else
   USE_CONSTRAINTS_FALSE=
 fi
 
+ if test x$acert = xtrue; then
+  USE_ACERT_TRUE=
+  USE_ACERT_FALSE='#'
+else
+  USE_ACERT_TRUE='#'
+  USE_ACERT_FALSE=
+fi
+
  if test x$pubkey = xtrue; then
   USE_PUBKEY_TRUE=
   USE_PUBKEY_FALSE='#'
@@ -22357,7 +22535,7 @@ else
   USE_LIBCAP_FALSE=
 fi
 
- if test x$vstr = xtrue; then
+ if test x$printf_hooks = xvstr; then
   USE_VSTR_TRUE=
   USE_VSTR_FALSE='#'
 else
@@ -22365,7 +22543,7 @@ else
   USE_VSTR_FALSE=
 fi
 
- if test x$builtin_printf = xtrue; then
+ if test x$printf_hooks = xbuiltin; then
   USE_BUILTIN_PRINTF_TRUE=
   USE_BUILTIN_PRINTF_FALSE='#'
 else
@@ -22535,14 +22713,14 @@ fi
 #  build Makefiles
 # =================
 
-ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/li [...]
+ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/li [...]
 
 
 # =================
 #  build man pages
 # =================
 
-ac_config_files="$ac_config_files conf/strongswan.conf.5.head conf/strongswan.conf.5.tail man/ipsec.conf.5 man/ipsec.secrets.5 src/charon-cmd/charon-cmd.8 src/pki/man/pki.1 src/pki/man/pki---gen.1 src/pki/man/pki---issue.1 src/pki/man/pki---keyid.1 src/pki/man/pki---pkcs7.1 src/pki/man/pki---print.1 src/pki/man/pki---pub.1 src/pki/man/pki---req.1 src/pki/man/pki---self.1 src/pki/man/pki---signcrl.1 src/pki/man/pki---verify.1"
+ac_config_files="$ac_config_files conf/strongswan.conf.5.head conf/strongswan.conf.5.tail man/ipsec.conf.5 man/ipsec.secrets.5 src/charon-cmd/charon-cmd.8 src/pki/man/pki.1 src/pki/man/pki---gen.1 src/pki/man/pki---issue.1 src/pki/man/pki---keyid.1 src/pki/man/pki---pkcs7.1 src/pki/man/pki---print.1 src/pki/man/pki---pub.1 src/pki/man/pki---req.1 src/pki/man/pki---self.1 src/pki/man/pki---signcrl.1 src/pki/man/pki---acert.1 src/pki/man/pki---verify.1"
 
 
 cat >confcache <<\_ACEOF
@@ -22771,6 +22949,10 @@ if test -z "${USE_CONSTRAINTS_TRUE}" && test -z "${USE_CONSTRAINTS_FALSE}"; then
   as_fn_error $? "conditional \"USE_CONSTRAINTS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_ACERT_TRUE}" && test -z "${USE_ACERT_FALSE}"; then
+  as_fn_error $? "conditional \"USE_ACERT\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_PUBKEY_TRUE}" && test -z "${USE_PUBKEY_FALSE}"; then
   as_fn_error $? "conditional \"USE_PUBKEY\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -23744,7 +23926,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 5.1.2, which was
+This file was extended by strongSwan $as_me 5.1.3, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -23810,7 +23992,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-strongSwan config.status 5.1.2
+strongSwan config.status 5.1.3
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -24246,6 +24428,7 @@ do
     "src/libstrongswan/plugins/x509/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/x509/Makefile" ;;
     "src/libstrongswan/plugins/revocation/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/revocation/Makefile" ;;
     "src/libstrongswan/plugins/constraints/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/constraints/Makefile" ;;
+    "src/libstrongswan/plugins/acert/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/acert/Makefile" ;;
     "src/libstrongswan/plugins/pubkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pubkey/Makefile" ;;
     "src/libstrongswan/plugins/pkcs1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs1/Makefile" ;;
     "src/libstrongswan/plugins/pkcs7/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs7/Makefile" ;;
@@ -24285,6 +24468,7 @@ do
     "src/libipsec/Makefile") CONFIG_FILES="$CONFIG_FILES src/libipsec/Makefile" ;;
     "src/libsimaka/Makefile") CONFIG_FILES="$CONFIG_FILES src/libsimaka/Makefile" ;;
     "src/libtls/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtls/Makefile" ;;
+    "src/libtls/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtls/tests/Makefile" ;;
     "src/libradius/Makefile") CONFIG_FILES="$CONFIG_FILES src/libradius/Makefile" ;;
     "src/libtncif/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtncif/Makefile" ;;
     "src/libtnccs/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtnccs/Makefile" ;;
@@ -24374,7 +24558,6 @@ do
     "src/_updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/_updown/Makefile" ;;
     "src/_updown_espmark/Makefile") CONFIG_FILES="$CONFIG_FILES src/_updown_espmark/Makefile" ;;
     "src/_copyright/Makefile") CONFIG_FILES="$CONFIG_FILES src/_copyright/Makefile" ;;
-    "src/openac/Makefile") CONFIG_FILES="$CONFIG_FILES src/openac/Makefile" ;;
     "src/scepclient/Makefile") CONFIG_FILES="$CONFIG_FILES src/scepclient/Makefile" ;;
     "src/pki/Makefile") CONFIG_FILES="$CONFIG_FILES src/pki/Makefile" ;;
     "src/pki/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/pki/man/Makefile" ;;
@@ -24404,6 +24587,7 @@ do
     "src/pki/man/pki---req.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---req.1" ;;
     "src/pki/man/pki---self.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---self.1" ;;
     "src/pki/man/pki---signcrl.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---signcrl.1" ;;
+    "src/pki/man/pki---acert.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---acert.1" ;;
     "src/pki/man/pki---verify.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---verify.1" ;;
 
   *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
diff --git a/configure.ac b/configure.ac
index 8a925c2..2ad372b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -19,7 +19,7 @@
 #  initialize & set some vars
 # ============================
 
-AC_INIT([strongSwan],[5.1.2])
+AC_INIT([strongSwan],[5.1.3])
 AM_INIT_AUTOMAKE(m4_esyscmd([
 	echo tar-ustar
 	echo subdir-objects
@@ -66,6 +66,7 @@ ARG_WITH_SET([tss],                  [no], [set implementation of the Trusted Co
 ARG_WITH_SET([capabilities],         [no], [set capability dropping library. Currently supported values are "libcap" and "native"])
 ARG_WITH_SET([mpz_powm_sec],         [yes], [use the more side-channel resistant mpz_powm_sec in libgmp, if available])
 ARG_WITH_SET([dev-headers],          [no], [install strongSwan development headers to directory.])
+ARG_WITH_SET([printf-hooks],         [auto], [force the use of a specific printf hook implementation (auto, builtin, glibc, vstr).])
 
 if test -n "$PKG_CONFIG"; then
 	systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)
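Review bot: The help text added for `printf-hooks` lists the accepted values but does not say what configure does with a value outside that set or with `glibc` on a libc that lacks custom format-specifier support, and the generated configure in this same commit shows both cases are handled specially (unknown values are reset to `auto` with a notice; `glibc` becomes a hard `as_fn_error` when neither `register_printf_specifier` nor `register_printf_function` is found). Since `--help` is the only place a packager sees this, the description should state it, e.g. `[force the use of a specific printf hook implementation (auto, builtin, glibc, vstr). glibc fails if libc lacks register_printf_specifier/register_printf_function; unknown values fall back to auto.]`. The option definition itself is a single line, but the validation it documents lives in a part of configure.ac outside this hunk, and `ARG_WITH_SET` comes from m4/macros/enable-disable.m4, which is not visible here, so the exact wording of the fallback notice should be checked against that code.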
@@ -118,53 +119,57 @@ AC_SUBST(ipsec_script_upper, [`echo -n "$ipsec_script" | tr a-z A-Z`])
 
 m4_include(m4/macros/enable-disable.m4)
 
-ARG_ENABL_SET([curl],           [enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl.])
-ARG_ENABL_SET([unbound],        [enable UNBOUND resolver plugin to perform DNS queries via libunbound. Requires libldns and libunbound.])
-ARG_ENABL_SET([soup],           [enable soup fetcher plugin to fetch from HTTP via libsoup. Requires libsoup.])
-ARG_ENABL_SET([ldap],           [enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP.])
+# crypto plugins
 ARG_DISBL_SET([aes],            [disable AES software implementation plugin.])
-ARG_DISBL_SET([des],            [disable DES/3DES software implementation plugin.])
+ARG_ENABL_SET([af-alg],         [enable AF_ALG crypto interface to Linux Crypto API.])
 ARG_ENABL_SET([blowfish],       [enable Blowfish software implementation plugin.])
-ARG_DISBL_SET([rc2],            [disable RC2 software implementation plugin.])
+ARG_ENABL_SET([ccm],            [enables the CCM AEAD wrapper crypto plugin.])
+ARG_DISBL_SET([cmac],           [disable CMAC crypto implementation plugin.])
+ARG_ENABL_SET([ctr],            [enables the Counter Mode wrapper crypto plugin.])
+ARG_DISBL_SET([des],            [disable DES/3DES software implementation plugin.])
+ARG_DISBL_SET([fips-prf],       [disable FIPS PRF software implementation plugin.])
+ARG_ENABL_SET([gcm],            [enables the GCM AEAD wrapper crypto plugin.])
+ARG_ENABL_SET([gcrypt],         [enables the libgcrypt plugin.])
+ARG_DISBL_SET([gmp],            [disable GNU MP (libgmp) based crypto implementation plugin.])
+ARG_DISBL_SET([hmac],           [disable HMAC crypto implementation plugin.])
 ARG_ENABL_SET([md4],            [enable MD4 software implementation plugin.])
 ARG_DISBL_SET([md5],            [disable MD5 software implementation plugin.])
+ARG_DISBL_SET([nonce],          [disable nonce generation plugin.])
+ARG_ENABL_SET([ntru],           [enables the NTRU crypto plugin.])
+ARG_ENABL_SET([openssl],        [enables the OpenSSL crypto plugin.])
+ARG_ENABL_SET([padlock],        [enables VIA Padlock crypto plugin.])
+ARG_DISBL_SET([random],         [disable RNG implementation on top of /dev/(u)random.])
+ARG_DISBL_SET([rc2],            [disable RC2 software implementation plugin.])
+ARG_ENABL_SET([rdrand],         [enable Intel RDRAND random generator plugin.])
 ARG_DISBL_SET([sha1],           [disable SHA1 software implementation plugin.])
 ARG_DISBL_SET([sha2],           [disable SHA256/SHA384/SHA512 software implementation plugin.])
-ARG_DISBL_SET([fips-prf],       [disable FIPS PRF software implementation plugin.])
-ARG_DISBL_SET([gmp],            [disable GNU MP (libgmp) based crypto implementation plugin.])
-ARG_ENABL_SET([rdrand],         [enable Intel RDRAND random generator plugin.])
-ARG_DISBL_SET([random],         [disable RNG implementation on top of /dev/(u)random.])
-ARG_DISBL_SET([nonce],          [disable nonce generation plugin.])
-ARG_DISBL_SET([x509],           [disable X509 certificate implementation plugin.])
-ARG_DISBL_SET([revocation],     [disable X509 CRL/OCSP revocation check plugin.])
-ARG_DISBL_SET([constraints],    [disable advanced X509 constraint checking plugin.])
-ARG_DISBL_SET([pubkey],         [disable RAW public key support plugin.])
+ARG_DISBL_SET([xcbc],           [disable xcbc crypto implementation plugin.])
+# encoding/decoding plugins
+ARG_DISBL_SET([dnskey],         [disable DNS RR key decoding plugin.])
+ARG_DISBL_SET([pem],            [disable PEM decoding plugin.])
+ARG_DISBL_SET([pgp],            [disable PGP key decoding plugin.])
 ARG_DISBL_SET([pkcs1],          [disable PKCS1 key decoding plugin.])
 ARG_DISBL_SET([pkcs7],          [disable PKCS7 container support plugin.])
 ARG_DISBL_SET([pkcs8],          [disable PKCS8 private key decoding plugin.])
 ARG_DISBL_SET([pkcs12],         [disable PKCS12 container support plugin.])
-ARG_DISBL_SET([pgp],            [disable PGP key decoding plugin.])
-ARG_DISBL_SET([dnskey],         [disable DNS RR key decoding plugin.])
+ARG_DISBL_SET([pubkey],         [disable RAW public key support plugin.])
 ARG_DISBL_SET([sshkey],         [disable SSH key decoding plugin.])
-ARG_ENABL_SET([dnscert],        [enable DNSCERT authentication plugin.])
-ARG_ENABL_SET([ipseckey],       [enable IPSECKEY authentication plugin.])
-ARG_DISBL_SET([pem],            [disable PEM decoding plugin.])
-ARG_DISBL_SET([hmac],           [disable HMAC crypto implementation plugin.])
-ARG_DISBL_SET([cmac],           [disable CMAC crypto implementation plugin.])
-ARG_DISBL_SET([xcbc],           [disable xcbc crypto implementation plugin.])
-ARG_ENABL_SET([af-alg],         [enable AF_ALG crypto interface to Linux Crypto API.])
-ARG_ENABL_SET([test-vectors],   [enable plugin providing crypto test vectors.])
+ARG_DISBL_SET([x509],           [disable X509 certificate implementation plugin.])
+# fetcher/resolver plugins
+ARG_ENABL_SET([curl],           [enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl.])
+ARG_ENABL_SET([ldap],           [enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP.])
+ARG_ENABL_SET([soup],           [enable soup fetcher plugin to fetch from HTTP via libsoup. Requires libsoup.])
+ARG_ENABL_SET([unbound],        [enable UNBOUND resolver plugin to perform DNS queries via libunbound. Requires libldns and libunbound.])
+# database plugins
 ARG_ENABL_SET([mysql],          [enable MySQL database support. Requires libmysqlclient_r.])
 ARG_ENABL_SET([sqlite],         [enable SQLite database support. Requires libsqlite3.])
-ARG_DISBL_SET([stroke],         [disable charons stroke configuration backend.])
-ARG_ENABL_SET([medsrv],         [enable mediation server web frontend and daemon plugin.])
-ARG_ENABL_SET([medcli],         [enable mediation client configuration database plugin.])
-ARG_ENABL_SET([smp],            [enable SMP configuration and control interface. Requires libxml.])
-ARG_ENABL_SET([sql],            [enable SQL database configuration backend.])
-ARG_ENABL_SET([leak-detective], [enable malloc hooks to find memory leaks.])
-ARG_ENABL_SET([lock-profiler],  [enable lock/mutex profiling code.])
-ARG_ENABL_SET([unit-tester],    [enable unit tests on IKEv2 daemon startup.])
-ARG_ENABL_SET([load-tester],    [enable load testing plugin for IKEv2 daemon.])
+# authentication/credential plugins
+ARG_ENABL_SET([addrblock],      [enables RFC 3779 address block constraint support.])
+ARG_ENABL_SET([acert],          [enable X509 attribute certificate checking plugin.])
+ARG_ENABL_SET([agent],          [enables the ssh-agent signing plugin.])
+ARG_DISBL_SET([constraints],    [disable advanced X509 constraint checking plugin.])
+ARG_ENABL_SET([coupling],       [enable IKEv2 plugin to couple peer certificates permanently to authentication.])
+ARG_ENABL_SET([dnscert],        [enable DNSCERT authentication plugin.])
 ARG_ENABL_SET([eap-sim],        [enable SIM authentication module for EAP.])
 ARG_ENABL_SET([eap-sim-file],   [enable EAP-SIM backend based on a triplet file.])
 ARG_ENABL_SET([eap-sim-pcsc],   [enable EAP-SIM backend based on a smartcard reader. Requires libpcsclite.])
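Review bot: The new `acert` entry breaks the alphabetical order this hunk otherwise establishes within each group: it sits after `addrblock` and before `agent`, but `acert` sorts before `addrblock`, so the two lines should be swapped (`ARG_ENABL_SET([acert], ...)` first, then `ARG_ENABL_SET([addrblock], ...)`). Several of the re-added lines also use a different voice in the `--help` text than their neighbours: `ccm`, `ctr`, `gcm`, `gcrypt`, `ntru`, `openssl`, `padlock`, `addrblock`, `agent`, `keychain` and `pkcs11` say "enables the ..." while every other entry uses the imperative "enable ..." / "disable ...". Since these lines are being rewritten anyway, normalizing them to the imperative form, e.g. `ARG_ENABL_SET([ccm],            [enable the CCM AEAD wrapper crypto plugin.])`, would keep the generated help output consistent. This is presentation only; none of it changes which plugins are built.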
@@ -183,88 +188,97 @@ ARG_ENABL_SET([eap-peap],       [enable EAP PEAP authentication module.])
 ARG_ENABL_SET([eap-tnc],        [enable EAP TNC trusted network connect module.])
 ARG_ENABL_SET([eap-dynamic],    [enable dynamic EAP proxy module.])
 ARG_ENABL_SET([eap-radius],     [enable RADIUS proxy authentication module.])
+ARG_ENABL_SET([ipseckey],       [enable IPSECKEY authentication plugin.])
+ARG_ENABL_SET([keychain],       [enables OS X Keychain Services credential set.])
+ARG_ENABL_SET([pkcs11],         [enables the PKCS11 token support plugin.])
+ARG_DISBL_SET([revocation],     [disable X509 CRL/OCSP revocation check plugin.])
+ARG_ENABL_SET([whitelist],      [enable peer identity whitelisting plugin.])
 ARG_DISBL_SET([xauth-generic],  [disable generic XAuth backend.])
 ARG_ENABL_SET([xauth-eap],      [enable XAuth backend using EAP methods to verify passwords.])
 ARG_ENABL_SET([xauth-pam],      [enable XAuth backend using PAM to verify passwords.])
 ARG_ENABL_SET([xauth-noauth],   [enable XAuth pseudo-backend that does not actually verify or even request any credentials.])
-ARG_ENABL_SET([tnc-ifmap],      [enable TNC IF-MAP module. Requires libxml])
-ARG_ENABL_SET([tnc-pdp],        [enable TNC policy decision point module.])
-ARG_ENABL_SET([tnc-imc],        [enable TNC IMC module.])
-ARG_ENABL_SET([tnc-imv],        [enable TNC IMV module.])
-ARG_ENABL_SET([tnccs-11],       [enable TNCCS 1.1 protocol module. Requires libxml])
-ARG_ENABL_SET([tnccs-20],       [enable TNCCS 2.0 protocol module.])
-ARG_ENABL_SET([tnccs-dynamic],  [enable dynamic TNCCS protocol discovery module.])
-ARG_ENABL_SET([imc-test],       [enable IMC test module.])
-ARG_ENABL_SET([imv-test],       [enable IMV test module.])
-ARG_ENABL_SET([imc-scanner],    [enable IMC port scanner module.])
-ARG_ENABL_SET([imv-scanner],    [enable IMV port scanner module.])
-ARG_ENABL_SET([imc-os],         [enable IMC operating system module.])
-ARG_ENABL_SET([imv-os],         [enable IMV operating system module.])
-ARG_ENABL_SET([imc-attestation],[enable IMC attestation module.])
-ARG_ENABL_SET([imv-attestation],[enable IMV attestation module.])
-ARG_ENABL_SET([imc-swid],       [enable IMC swid module.])
-ARG_ENABL_SET([imv-swid],       [enable IMV swid module.])
+# kernel interfaces / sockets
 ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.])
 ARG_ENABL_SET([kernel-pfkey],   [enable the PF_KEY kernel interface.])
 ARG_ENABL_SET([kernel-pfroute], [enable the PF_ROUTE kernel interface.])
 ARG_ENABL_SET([kernel-klips],   [enable the KLIPS kernel interface.])
 ARG_ENABL_SET([kernel-libipsec],[enable the libipsec kernel interface.])
-ARG_ENABL_SET([libipsec],       [enable user space IPsec implementation.])
 ARG_DISBL_SET([socket-default], [disable default socket implementation for charon.])
 ARG_ENABL_SET([socket-dynamic], [enable dynamic socket implementation for charon])
-ARG_ENABL_SET([farp],           [enable ARP faking plugin that responds to ARP requests to peers virtual IP])
-ARG_ENABL_SET([dumm],           [enable the DUMM UML test framework.])
-ARG_ENABL_SET([fast],           [enable libfast (FastCGI Application Server w/ templates.])
-ARG_ENABL_SET([manager],        [enable web management console (proof of concept).])
-ARG_ENABL_SET([mediation],      [enable IKEv2 Mediation Extension.])
-ARG_ENABL_SET([integrity-test], [enable integrity testing of libstrongswan and plugins.])
-ARG_DISBL_SET([load-warning],   [disable the charon plugin load option warning in starter.])
-ARG_DISBL_SET([ikev1],          [disable IKEv1 protocol support in charon.])
-ARG_DISBL_SET([ikev2],          [disable IKEv2 protocol support in charon.])
-ARG_DISBL_SET([charon],         [disable the IKEv1/IKEv2 keying daemon charon.])
-ARG_DISBL_SET([tools],          [disable additional utilities (openac, scepclient and pki).])
-ARG_DISBL_SET([scripts],        [disable additional utilities (found in directory scripts).])
-ARG_ENABL_SET([conftest],       [enforce Suite B conformance test framework.])
-ARG_DISBL_SET([updown],         [disable updown firewall script plugin.])
+# configuration/control plugins
+ARG_DISBL_SET([stroke],         [disable charons stroke configuration backend.])
+ARG_ENABL_SET([smp],            [enable SMP configuration and control interface. Requires libxml.])
+ARG_ENABL_SET([sql],            [enable SQL database configuration backend.])
+ARG_ENABL_SET([uci],            [enable OpenWRT UCI configuration plugin.])
+# attribute provider/consumer plugins
+ARG_ENABL_SET([android-dns],    [enable Android specific DNS handler.])
 ARG_DISBL_SET([attr],           [disable strongswan.conf based configuration attribute plugin.])
 ARG_ENABL_SET([attr-sql],       [enable SQL based configuration attribute plugin.])
 ARG_ENABL_SET([dhcp],           [enable DHCP based attribute provider plugin.])
+ARG_ENABL_SET([osx-attr],       [enable OS X SystemConfiguration attribute handler.])
 ARG_DISBL_SET([resolve],        [disable resolve DNS handler plugin.])
-ARG_ENABL_SET([padlock],        [enables VIA Padlock crypto plugin.])
-ARG_ENABL_SET([openssl],        [enables the OpenSSL crypto plugin.])
-ARG_ENABL_SET([gcrypt],         [enables the libgcrypt plugin.])
-ARG_ENABL_SET([agent],          [enables the ssh-agent signing plugin.])
-ARG_ENABL_SET([keychain],       [enables OS X Keychain Services credential set.])
-ARG_ENABL_SET([pkcs11],         [enables the PKCS11 token support plugin.])
-ARG_ENABL_SET([ctr],            [enables the Counter Mode wrapper crypto plugin.])
-ARG_ENABL_SET([ccm],            [enables the CCM AEAD wrapper crypto plugin.])
-ARG_ENABL_SET([gcm],            [enables the GCM AEAD wrapper crypto plugin.])
-ARG_ENABL_SET([ntru],           [enables the NTRU crypto plugin.])
-ARG_ENABL_SET([addrblock],      [enables RFC 3779 address block constraint support.])
 ARG_ENABL_SET([unity],          [enables Cisco Unity extension plugin.])
-ARG_ENABL_SET([uci],            [enable OpenWRT UCI configuration plugin.])
-ARG_ENABL_SET([osx-attr],       [enable OS X SystemConfiguration attribute handler.])
-ARG_ENABL_SET([android-dns],    [enable Android specific DNS handler.])
+# TNC modules/plugins
+ARG_ENABL_SET([imc-test],       [enable IMC test module.])
+ARG_ENABL_SET([imv-test],       [enable IMV test module.])
+ARG_ENABL_SET([imc-scanner],    [enable IMC port scanner module.])
+ARG_ENABL_SET([imv-scanner],    [enable IMV port scanner module.])
+ARG_ENABL_SET([imc-os],         [enable IMC operating system module.])
+ARG_ENABL_SET([imv-os],         [enable IMV operating system module.])
+ARG_ENABL_SET([imc-attestation],[enable IMC attestation module.])
+ARG_ENABL_SET([imv-attestation],[enable IMV attestation module.])
+ARG_ENABL_SET([imc-swid],       [enable IMC swid module.])
+ARG_ENABL_SET([imv-swid],       [enable IMV swid module.])
+ARG_ENABL_SET([tnc-ifmap],      [enable TNC IF-MAP module. Requires libxml])
+ARG_ENABL_SET([tnc-imc],        [enable TNC IMC module.])
+ARG_ENABL_SET([tnc-imv],        [enable TNC IMV module.])
+ARG_ENABL_SET([tnc-pdp],        [enable TNC policy decision point module.])
+ARG_ENABL_SET([tnccs-11],       [enable TNCCS 1.1 protocol module. Requires libxml])
+ARG_ENABL_SET([tnccs-20],       [enable TNCCS 2.0 protocol module.])
+ARG_ENABL_SET([tnccs-dynamic],  [enable dynamic TNCCS protocol discovery module.])
+# misc plugins
 ARG_ENABL_SET([android-log],    [enable Android specific logger plugin.])
-ARG_ENABL_SET([maemo],          [enable Maemo specific plugin.])
-ARG_ENABL_SET([nm],             [enable NetworkManager backend.])
-ARG_ENABL_SET([ha],             [enable high availability cluster plugin.])
-ARG_ENABL_SET([whitelist],      [enable peer identity whitelisting plugin.])
-ARG_ENABL_SET([lookip],         [enable fast virtual IP lookup and notification plugin.])
-ARG_ENABL_SET([error-notify],   [enable error notification plugin.])
 ARG_ENABL_SET([certexpire],     [enable CSV export of expiration dates of used certificates.])
-ARG_ENABL_SET([systime-fix],    [enable plugin to handle cert lifetimes with invalid system time gracefully.])
-ARG_ENABL_SET([led],            [enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem.])
 ARG_ENABL_SET([duplicheck],     [advanced duplicate checking plugin using liveness checks.])
-ARG_ENABL_SET([coupling],       [enable IKEv2 plugin to couple peer certificates permanently to authentication.])
+ARG_ENABL_SET([error-notify],   [enable error notification plugin.])
+ARG_ENABL_SET([farp],           [enable ARP faking plugin that responds to ARP requests to peers virtual IP])
+ARG_ENABL_SET([ha],             [enable high availability cluster plugin.])
+ARG_ENABL_SET([led],            [enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem.])
+ARG_ENABL_SET([load-tester],    [enable load testing plugin for IKEv2 daemon.])
+ARG_ENABL_SET([lookip],         [enable fast virtual IP lookup and notification plugin.])
+ARG_ENABL_SET([maemo],          [enable Maemo specific plugin.])
 ARG_ENABL_SET([radattr],        [enable plugin to inject and process custom RADIUS attributes as IKEv2 client.])
-ARG_ENABL_SET([vstr],           [enforce using the Vstr string library to replace glibc-like printf hooks.])
-ARG_ENABL_SET([monolithic],     [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.])
+ARG_ENABL_SET([systime-fix],    [enable plugin to handle cert lifetimes with invalid system time gracefully.])
+ARG_ENABL_SET([test-vectors],   [enable plugin providing crypto test vectors.])
+ARG_ENABL_SET([unit-tester],    [enable unit tests on IKEv2 daemon startup.])
+ARG_DISBL_SET([updown],         [disable updown firewall script plugin.])
+# programs/components
+ARG_DISBL_SET([charon],         [disable the IKEv1/IKEv2 keying daemon charon.])
+ARG_ENABL_SET([cmd],            [enable the command line IKE client charon-cmd.])
+ARG_ENABL_SET([conftest],       [enforce Suite B conformance test framework.])
+ARG_ENABL_SET([dumm],           [enable the DUMM UML test framework.])
+ARG_ENABL_SET([fast],           [enable libfast (FastCGI Application Server w/ templates.])
+ARG_ENABL_SET([libipsec],       [enable user space IPsec implementation.])
+ARG_ENABL_SET([manager],        [enable web management console (proof of concept).])
+ARG_ENABL_SET([medcli],         [enable mediation client configuration database plugin.])
+ARG_ENABL_SET([medsrv],         [enable mediation server web frontend and daemon plugin.])
+ARG_ENABL_SET([nm],             [enable NetworkManager backend.])
+ARG_DISBL_SET([scripts],        [disable additional utilities (found in directory scripts).])
+ARG_ENABL_SET([tkm],            [enable Trusted Key Manager support.])
+ARG_DISBL_SET([tools],          [disable additional utilities (scepclient and pki).])
+# optional features
 ARG_ENABL_SET([bfd-backtraces], [use binutils libbfd to resolve backtraces for memory leaks and segfaults.])
+ARG_DISBL_SET([ikev1],          [disable IKEv1 protocol support in charon.])
+ARG_DISBL_SET([ikev2],          [disable IKEv2 protocol support in charon.])
+ARG_ENABL_SET([integrity-test], [enable integrity testing of libstrongswan and plugins.])
+ARG_DISBL_SET([load-warning],   [disable the charon plugin load option warning in starter.])
+ARG_ENABL_SET([mediation],      [enable IKEv2 Mediation Extension.])
 ARG_ENABL_SET([unwind-backtraces],[use libunwind to create backtraces for memory leaks and segfaults.])
+# compile options
 ARG_ENABL_SET([coverage],       [enable lcov coverage report generation.])
-ARG_ENABL_SET([tkm],            [enable Trusted Key Manager support.])
-ARG_ENABL_SET([cmd],            [enable the command line IKE client charon-cmd.])
+ARG_ENABL_SET([leak-detective], [enable malloc hooks to find memory leaks.])
+ARG_ENABL_SET([lock-profiler],  [enable lock/mutex profiling code.])
+ARG_ENABL_SET([monolithic],     [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.])
 
 # ===================================
 #  option to disable default options
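Review bot: The help strings in the regrouped list mix two verb forms, "enable" on most lines and "enables" on addrblock, agent, keychain, pkcs11 and unity, and the duplicheck entry has no verb at all (`[advanced duplicate checking plugin using liveness checks.]`). Since the whole block is being rewritten anyway, normalising to the imperative would make `./configure --help` read consistently, e.g. `ARG_ENABL_SET([duplicheck],     [enable advanced duplicate checking plugin using liveness checks.])`. The grouping comments are a clear improvement; a one-line header above `# misc plugins` saying that the lists are sorted alphabetically within each group would help keep future additions in order.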
@@ -275,7 +289,20 @@ ARG_DISBL_SET([defaults],       [disable all default plugins (they can be enable
 if test x$defaults = xfalse; then
 	for option in $enabled_by_default; do
 		eval test x\${${option}_given} = xtrue && continue
-		let $option=false
+		eval $option=false
+	done
+fi
+
+# ==============================
+#  option to enable all options
+# ==============================
+
+ARG_ENABL_SET([all],            [enable all plugins and features (they can be disabled with their respective --disable options). Mainly for testing.])
+
+if test x$all_given = xtrue; then
+	for option in $disabled_by_default; do
+		eval test x\${${option}_given} = xtrue && continue
+		eval $option=true
 	done
 fi
 
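Review bot: `--enable-all` flips on every option registered through ARG_ENABL_SET, which by the help texts in this file includes xauth-noauth (which "does not actually verify or even request any credentials"), load-tester and unit-tester; the help string says "Mainly for testing" but a build produced this way should not be mistaken for a production configuration. I would make that explicit in the option text, e.g. `[enable all plugins and features (they can be disabled with their respective --disable options). Mainly for testing; not intended for production builds.]`. The `let` → `eval` change on the defaults loop is correct — `let` is not POSIX sh — and the new loop uses `eval` consistently. Note that `all` itself lands in `$disabled_by_default` through the macro, so the loop visits it; the `_given` check skips it, which is fine but worth a short comment.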
@@ -528,8 +555,7 @@ AC_CHECK_FUNC(
 			 AC_MSG_FAILURE([qsort_r has unknown semantics])])
 		])
 		CFLAGS="$save_CFLAGS"
-	],
-	[]
+	]
 )
 
 AC_CHECK_FUNCS(prctl mallinfo getpass closefrom getpwnam_r getgrnam_r getpwuid_r)
@@ -660,28 +686,43 @@ AC_RUN_IFELSE([AC_LANG_SOURCE(
 	[AC_MSG_RESULT([no])]
 )
 
-# check for the new register_printf_specifier function with len argument,
-# or the deprecated register_printf_function without
-AC_CHECK_FUNC(
-	[register_printf_specifier],
-	[AC_DEFINE([HAVE_PRINTF_SPECIFIER], [], [have register_printf_specifier()])],
-	[AC_CHECK_FUNC(
-		[register_printf_function],
-		[AC_DEFINE([HAVE_PRINTF_FUNCTION], [], [have register_printf_function()])],
-		[
-			AC_MSG_NOTICE([printf does not support custom format specifiers!])
-			builtin_printf=true
-		]
-	)]
-)
+case "$printf_hooks" in
+auto|builtin|glibc|vstr)
+	;;
+*)
+	AC_MSG_NOTICE([invalid printf hook implementation, defaulting to 'auto'])
+	printf_hooks=auto
+	;;
+esac
+
+if test x$printf_hooks = xauto -o x$printf_hooks = xglibc; then
+	# check for the new register_printf_specifier function with len argument,
+	# or the deprecated register_printf_function without
+	AC_CHECK_FUNC(
+		[register_printf_specifier],
+		[AC_DEFINE([HAVE_PRINTF_SPECIFIER], [], [have register_printf_specifier()])],
+		[AC_CHECK_FUNC(
+			[register_printf_function],
+			[AC_DEFINE([HAVE_PRINTF_FUNCTION], [], [have register_printf_function()])],
+			[
+				AC_MSG_NOTICE([printf(3) does not support custom format specifiers!])
+				if test x$printf_hooks = xglibc; then
+					AC_MSG_ERROR([please select a different printf hook implementation])
+				else
+					# fallback to builtin printf hook implementation
+					printf_hooks=builtin
+				fi
+			]
+		)]
+	)
+fi
 
-if test x$vstr = xtrue; then
+if test x$printf_hooks = xvstr; then
 	AC_CHECK_LIB([vstr],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([Vstr string library not found])],[])
 	AC_DEFINE([USE_VSTR], [], [use Vstr string library for printf hooks])
-	builtin_printf=false
 fi
 
-if test x$builtin_printf = xtrue; then
+if test x$printf_hooks = xbuiltin; then
 	AC_DEFINE([USE_BUILTIN_PRINTF], [], [using builtin printf for printf hooks])
 fi
 
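Review bot: An unrecognised `printf_hooks` value is silently reset to `auto` with only an AC_MSG_NOTICE, while the glibc branch below treats an unusable explicit choice as a hard error; a typo in the user's selection therefore degrades quietly instead of failing, which is inconsistent with the rest of the block. I would change the default arm to `AC_MSG_ERROR([invalid printf hook implementation '$printf_hooks' (auto|builtin|glibc|vstr)])`. Separately, `test x$printf_hooks = xauto -o x$printf_hooks = xglibc` uses the obsolescent `-o`; `case "$printf_hooks" in auto|glibc)` would be both portable and in the style of the new `case` just above. Where `$printf_hooks` is initialised is outside this hunk, so I assume the default is `auto`.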
@@ -1012,7 +1053,6 @@ charon_plugins=
 starter_plugins=
 pool_plugins=
 attest_plugins=
-openac_plugins=
 scepclient_plugins=
 pki_plugins=
 scripts_plugins=
@@ -1028,7 +1068,7 @@ h_plugins=
 s_plugins=
 t_plugins=
 
-ADD_PLUGIN([test-vectors],         [s charon openac scepclient pki])
+ADD_PLUGIN([test-vectors],         [s charon scepclient pki])
 ADD_PLUGIN([curl],                 [s charon scepclient scripts nm cmd])
 ADD_PLUGIN([soup],                 [s charon scripts nm cmd])
 ADD_PLUGIN([unbound],              [s charon scripts])
@@ -1036,37 +1076,38 @@ ADD_PLUGIN([ldap],                 [s charon scepclient scripts nm cmd])
 ADD_PLUGIN([mysql],                [s charon pool manager medsrv attest])
 ADD_PLUGIN([sqlite],               [s charon pool manager medsrv attest])
 ADD_PLUGIN([pkcs11],               [s charon pki nm cmd])
-ADD_PLUGIN([aes],                  [s charon openac scepclient pki scripts nm cmd])
-ADD_PLUGIN([des],                  [s charon openac scepclient pki scripts nm cmd])
-ADD_PLUGIN([blowfish],             [s charon openac scepclient pki scripts nm cmd])
-ADD_PLUGIN([rc2],                  [s charon openac scepclient pki scripts nm cmd])
-ADD_PLUGIN([sha1],                 [s charon openac scepclient pki scripts medsrv attest nm cmd])
-ADD_PLUGIN([sha2],                 [s charon openac scepclient pki scripts medsrv attest nm cmd])
-ADD_PLUGIN([md4],                  [s charon openac manager scepclient pki nm cmd])
-ADD_PLUGIN([md5],                  [s charon openac scepclient pki scripts attest nm cmd])
-ADD_PLUGIN([rdrand],               [s charon openac scepclient pki scripts medsrv attest nm cmd])
-ADD_PLUGIN([random],               [s charon openac scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([aes],                  [s charon scepclient pki scripts nm cmd])
+ADD_PLUGIN([des],                  [s charon scepclient pki scripts nm cmd])
+ADD_PLUGIN([blowfish],             [s charon scepclient pki scripts nm cmd])
+ADD_PLUGIN([rc2],                  [s charon scepclient pki scripts nm cmd])
+ADD_PLUGIN([sha1],                 [s charon scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([sha2],                 [s charon scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([md4],                  [s charon manager scepclient pki nm cmd])
+ADD_PLUGIN([md5],                  [s charon scepclient pki scripts attest nm cmd])
+ADD_PLUGIN([rdrand],               [s charon scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([random],               [s charon scepclient pki scripts medsrv attest nm cmd])
 ADD_PLUGIN([nonce],                [s charon nm cmd])
-ADD_PLUGIN([x509],                 [s charon openac scepclient pki scripts attest nm cmd])
+ADD_PLUGIN([x509],                 [s charon scepclient pki scripts attest nm cmd])
 ADD_PLUGIN([revocation],           [s charon nm cmd])
 ADD_PLUGIN([constraints],          [s charon nm cmd])
+ADD_PLUGIN([acert],                [s charon])
 ADD_PLUGIN([pubkey],               [s charon cmd])
-ADD_PLUGIN([pkcs1],                [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([pkcs1],                [s charon scepclient pki scripts manager medsrv attest nm cmd])
 ADD_PLUGIN([pkcs7],                [s charon scepclient pki scripts nm cmd])
-ADD_PLUGIN([pkcs8],                [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([pkcs8],                [s charon scepclient pki scripts manager medsrv attest nm cmd])
 ADD_PLUGIN([pkcs12],               [s charon scepclient pki scripts cmd])
 ADD_PLUGIN([pgp],                  [s charon])
 ADD_PLUGIN([dnskey],               [s charon pki])
 ADD_PLUGIN([sshkey],               [s charon pki nm cmd])
 ADD_PLUGIN([dnscert],              [c charon])
 ADD_PLUGIN([ipseckey],             [c charon])
-ADD_PLUGIN([pem],                  [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([pem],                  [s charon scepclient pki scripts manager medsrv attest nm cmd])
 ADD_PLUGIN([padlock],              [s charon])
-ADD_PLUGIN([openssl],              [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
-ADD_PLUGIN([gcrypt],               [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
-ADD_PLUGIN([af-alg],               [s charon openac scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([openssl],              [s charon scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([gcrypt],               [s charon scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([af-alg],               [s charon scepclient pki scripts medsrv attest nm cmd])
 ADD_PLUGIN([fips-prf],             [s charon nm cmd])
-ADD_PLUGIN([gmp],                  [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([gmp],                  [s charon scepclient pki scripts manager medsrv attest nm cmd])
 ADD_PLUGIN([agent],                [s charon nm cmd])
 ADD_PLUGIN([keychain],             [s charon cmd])
 ADD_PLUGIN([xcbc],                 [s charon nm cmd])
@@ -1148,7 +1189,6 @@ AC_SUBST(charon_plugins)
 AC_SUBST(starter_plugins)
 AC_SUBST(pool_plugins)
 AC_SUBST(attest_plugins)
-AC_SUBST(openac_plugins)
 AC_SUBST(scepclient_plugins)
 AC_SUBST(pki_plugins)
 AC_SUBST(scripts_plugins)
@@ -1189,6 +1229,7 @@ AM_CONDITIONAL(USE_NONCE, test x$nonce = xtrue)
 AM_CONDITIONAL(USE_X509, test x$x509 = xtrue)
 AM_CONDITIONAL(USE_REVOCATION, test x$revocation = xtrue)
 AM_CONDITIONAL(USE_CONSTRAINTS, test x$constraints = xtrue)
+AM_CONDITIONAL(USE_ACERT, test x$acert = xtrue)
 AM_CONDITIONAL(USE_PUBKEY, test x$pubkey = xtrue)
 AM_CONDITIONAL(USE_PKCS1, test x$pkcs1 = xtrue)
 AM_CONDITIONAL(USE_PKCS7, test x$pkcs7 = xtrue)
@@ -1329,8 +1370,8 @@ AM_CONDITIONAL(USE_LIBPTTLS, test x$tnc_tnccs = xtrue)
 AM_CONDITIONAL(USE_FILE_CONFIG, test x$stroke = xtrue)
 AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue)
 AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap)
-AM_CONDITIONAL(USE_VSTR, test x$vstr = xtrue)
-AM_CONDITIONAL(USE_BUILTIN_PRINTF, test x$builtin_printf = xtrue)
+AM_CONDITIONAL(USE_VSTR, test x$printf_hooks = xvstr)
+AM_CONDITIONAL(USE_BUILTIN_PRINTF, test x$printf_hooks = xbuiltin)
 AM_CONDITIONAL(USE_SIMAKA, test x$simaka = xtrue)
 AM_CONDITIONAL(USE_TLS, test x$tls = xtrue)
 AM_CONDITIONAL(USE_RADIUS, test x$radius = xtrue)
@@ -1414,6 +1455,7 @@ AC_CONFIG_FILES([
 	src/libstrongswan/plugins/x509/Makefile
 	src/libstrongswan/plugins/revocation/Makefile
 	src/libstrongswan/plugins/constraints/Makefile
+	src/libstrongswan/plugins/acert/Makefile
 	src/libstrongswan/plugins/pubkey/Makefile
 	src/libstrongswan/plugins/pkcs1/Makefile
 	src/libstrongswan/plugins/pkcs7/Makefile
@@ -1453,6 +1495,7 @@ AC_CONFIG_FILES([
 	src/libipsec/Makefile
 	src/libsimaka/Makefile
 	src/libtls/Makefile
+	src/libtls/tests/Makefile
 	src/libradius/Makefile
 	src/libtncif/Makefile
 	src/libtnccs/Makefile
@@ -1542,7 +1585,6 @@ AC_CONFIG_FILES([
 	src/_updown/Makefile
 	src/_updown_espmark/Makefile
 	src/_copyright/Makefile
-	src/openac/Makefile
 	src/scepclient/Makefile
 	src/pki/Makefile
 	src/pki/man/Makefile
@@ -1579,6 +1621,7 @@ AC_CONFIG_FILES([
 	src/pki/man/pki---req.1
 	src/pki/man/pki---self.1
 	src/pki/man/pki---signcrl.1
+	src/pki/man/pki---acert.1
 	src/pki/man/pki---verify.1
 ])
 
diff --git a/init/Makefile.in b/init/Makefile.in
index c9ace23..9937f3b 100644
--- a/init/Makefile.in
+++ b/init/Makefile.in
@@ -347,7 +347,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/init/systemd/Makefile.in b/init/systemd/Makefile.in
index 7664026..18d789d 100644
--- a/init/systemd/Makefile.in
+++ b/init/systemd/Makefile.in
@@ -316,7 +316,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/m4/macros/enable-disable.m4 b/m4/macros/enable-disable.m4
index 2e45520..9d51cb9 100644
--- a/m4/macros/enable-disable.m4
+++ b/m4/macros/enable-disable.m4
@@ -2,6 +2,7 @@
 # ARG_ENABL_SET(option, help)
 # ---------------------------
 # Create a --enable-$1 option with helptext, set a variable $1 to true/false
+# All $1 are collected in the variable $disabled_by_default
 AC_DEFUN([ARG_ENABL_SET],
 	[AC_ARG_ENABLE(
 		[$1],
@@ -14,7 +15,8 @@ AC_DEFUN([ARG_ENABL_SET],
 		fi],
 		[patsubst([$1], [-], [_])=false
 		patsubst([$1], [-], [_])_given=false]
-	)]
+	)
+	disabled_by_default=${disabled_by_default}" patsubst([$1], [-], [_])"]
 )
 
 # ARG_DISBL_SET(option, help)
diff --git a/man/Makefile.in b/man/Makefile.in
index d4a38b1..72312c4 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -318,7 +318,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index 40001f8..f55ce75 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -419,7 +419,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/scripts/aes-test.c b/scripts/aes-test.c
index eb94180..425a4dc 100644
--- a/scripts/aes-test.c
+++ b/scripts/aes-test.c
@@ -313,7 +313,7 @@ static bool do_test_gcm(test_vector_t *test)
 			return FALSE;
 	}
 
-	aead = lib->crypto->create_aead(lib->crypto, alg, test->key.len);
+	aead = lib->crypto->create_aead(lib->crypto, alg, test->key.len, 4);
 	if (!aead)
 	{
 		DBG1(DBG_APP, "algorithm %N or key length (%d bits) not supported",
diff --git a/scripts/crypt_burn.c b/scripts/crypt_burn.c
index 729472e..1768d76 100644
--- a/scripts/crypt_burn.c
+++ b/scripts/crypt_burn.c
@@ -61,7 +61,7 @@ int main(int argc, char *argv[])
 	if (encryption_algorithm_is_aead(token->algorithm))
 	{
 		aead = lib->crypto->create_aead(lib->crypto,
-										token->algorithm, token->keysize / 8);
+									token->algorithm, token->keysize / 8, 0);
 		if (!aead)
 		{
 			fprintf(stderr, "aead '%s' not supported!\n", argv[1]);
diff --git a/scripts/tls_test.c b/scripts/tls_test.c
index 7ec477a..84a32f9 100644
--- a/scripts/tls_test.c
+++ b/scripts/tls_test.c
@@ -105,7 +105,7 @@ static int run_client(host_t *host, identification_t *server,
 			close(fd);
 			return 1;
 		}
-		tls = tls_socket_create(FALSE, server, client, fd, cache);
+		tls = tls_socket_create(FALSE, server, client, fd, cache, TLS_1_2, TRUE);
 		if (!tls)
 		{
 			close(fd);
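Review bot: Both `tls_socket_create()` calls in this file (here and in `serve()` in the next hunk) now pass the two new arguments as positional literals, `TLS_1_2, TRUE`, and the boolean in particular is opaque at the call site; I would annotate it, e.g. `tls = tls_socket_create(FALSE, server, client, fd, cache, TLS_1_2, TRUE /* see tls_socket_create() for this flag */);`, or name it with a local `bool`. If that flag loosens the ciphersuite or version policy for this test tool, that is reasonable for a test client, but it should be stated next to the call so the choice is not copied into non-test code unexamined. The enclosing `run_client()` begins before the hunk.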
@@ -162,7 +162,7 @@ static int serve(host_t *host, identification_t *server,
 		}
 		DBG1(DBG_TLS, "%#H connected", host);
 
-		tls = tls_socket_create(TRUE, server, NULL, cfd, cache);
+		tls = tls_socket_create(TRUE, server, NULL, cfd, cache, TLS_1_2, TRUE);
 		if (!tls)
 		{
 			close(fd);
diff --git a/src/Makefile.am b/src/Makefile.am
index 7d11893..93da489 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -73,7 +73,7 @@ if USE_UPDOWN
 endif
 
 if USE_TOOLS
-  SUBDIRS += openac scepclient pki
+  SUBDIRS += scepclient pki
 endif
 
 if USE_CONFTEST
diff --git a/src/Makefile.in b/src/Makefile.in
index 1c2a427..d1950d1 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -95,7 +95,7 @@ host_triplet = @host@
 @USE_NM_TRUE at am__append_16 = charon-nm
 @USE_STROKE_TRUE at am__append_17 = stroke
 @USE_UPDOWN_TRUE at am__append_18 = _updown _updown_espmark
- at USE_TOOLS_TRUE@am__append_19 = openac scepclient pki
+ at USE_TOOLS_TRUE@am__append_19 = scepclient pki
 @USE_CONFTEST_TRUE at am__append_20 = conftest
 @USE_DUMM_TRUE at am__append_21 = dumm
 @USE_FAST_TRUE at am__append_22 = libfast
@@ -183,9 +183,9 @@ CTAGS = ctags
 DIST_SUBDIRS = . include libstrongswan libhydra libipsec libsimaka \
 	libtls libradius libtncif libtnccs libpttls libimcv libpts \
 	libcharon starter ipsec _copyright charon charon-nm stroke \
-	_updown _updown_espmark openac scepclient pki conftest dumm \
-	libfast manager medsrv pool charon-tkm charon-cmd \
-	pt-tls-client checksum
+	_updown _updown_espmark scepclient pki conftest dumm libfast \
+	manager medsrv pool charon-tkm charon-cmd pt-tls-client \
+	checksum
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -381,7 +381,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index 0783f9e..4377ca0 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -339,7 +339,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index e770495..b015e3d 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -320,7 +320,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index 918bd6a..ee814a4 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -320,7 +320,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/charon-cmd/Makefile.in b/src/charon-cmd/Makefile.in
index 62d6cd7..0e5c00a 100644
--- a/src/charon-cmd/Makefile.in
+++ b/src/charon-cmd/Makefile.in
@@ -376,7 +376,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in
index 955d153..edc3d77 100644
--- a/src/charon-nm/Makefile.in
+++ b/src/charon-nm/Makefile.in
@@ -347,7 +347,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index f0daff6..67366a0 100644
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -329,7 +329,6 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	{
 		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
 					"Failed to create dummy TUN device.");
-		gateway->destroy(gateway);
 		return FALSE;
 	}
 	address = nm_setting_vpn_get_data_item(vpn, "address");
@@ -660,6 +659,10 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
 					key->destroy(key);
 					return FALSE;
 				}
+				else if (nm_setting_vpn_get_secret(settings, "password"))
+				{
+					return FALSE;
+				}
 			}
 		}
 		else if (streq(method, "smartcard"))
diff --git a/src/charon-tkm/Makefile.in b/src/charon-tkm/Makefile.in
index 15e654d..8005d07 100644
--- a/src/charon-tkm/Makefile.in
+++ b/src/charon-tkm/Makefile.in
@@ -286,7 +286,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index f3b7cfd..f808ce0 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -343,7 +343,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am
index d172b15..82bbadc 100644
--- a/src/checksum/Makefile.am
+++ b/src/checksum/Makefile.am
@@ -100,7 +100,6 @@ if USE_CMD
 endif
 
 if USE_TOOLS
-  exes += $(DESTDIR)$(ipsecdir)/openac
   exes += $(DESTDIR)$(ipsecdir)/scepclient
   exes += $(DESTDIR)$(bindir)/pki
 endif
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index cdfbf10..d798d31 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -105,8 +105,7 @@ EXTRA_PROGRAMS = checksum_builder$(EXEEXT)
 @USE_CHARON_TRUE at am__append_24 = $(DESTDIR)$(ipsecdir)/charon
 @MONOLITHIC_FALSE@@USE_CHARON_TRUE at am__append_25 = -DC_PLUGINS=\""${c_plugins}\""
 @USE_CMD_TRUE at am__append_26 = $(DESTDIR)$(sbindir)/charon-cmd
- at USE_TOOLS_TRUE@am__append_27 = $(DESTDIR)$(ipsecdir)/openac \
- at USE_TOOLS_TRUE@	$(DESTDIR)$(ipsecdir)/scepclient \
+ at USE_TOOLS_TRUE@am__append_27 = $(DESTDIR)$(ipsecdir)/scepclient \
 @USE_TOOLS_TRUE@	$(DESTDIR)$(bindir)/pki
 @USE_ATTR_SQL_TRUE at am__append_28 = $(DESTDIR)$(ipsecdir)/pool
 @USE_IMV_ATTESTATION_TRUE at am__append_29 = $(DESTDIR)$(ipsecdir)/attest
@@ -412,7 +411,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in
index ee6bf57..453e8f8 100644
--- a/src/conftest/Makefile.in
+++ b/src/conftest/Makefile.in
@@ -357,7 +357,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index f1628ef..2f7b2ea 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -378,7 +378,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index 1987dbd..f5277e3 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -286,7 +286,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index 69b736a..545123b 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -320,7 +320,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8
index b7d820e..1701060 100644
--- a/src/ipsec/_ipsec.8
+++ b/src/ipsec/_ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2013-10-29" "5.1.2rc2" "strongSwan"
+.TH IPSEC 8 "2013-10-29" "5.2.0dr1" "strongSwan"
 .
 .SH NAME
 .
diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in
index 3c1f998..6163218 100644
--- a/src/ipsec/_ipsec.in
+++ b/src/ipsec/_ipsec.in
@@ -70,7 +70,6 @@ case "$1" in
 	echo "	rereadcacerts|rereadaacerts|rereadocspcerts"
 	echo "	rereadacerts|rereadcrls|rereadall"
 	echo "	purgeocsp|purgecrls|purgecerts|purgeike"
-	echo "	openac"
 	echo "	scepclient"
 	echo "	secrets"
 	echo "	starter"
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index 5f84536..b300df3 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -870,7 +870,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
index c74daa0..e08bb3f 100644
--- a/src/libcharon/config/ike_cfg.c
+++ b/src/libcharon/config/ike_cfg.c
@@ -385,7 +385,7 @@ METHOD(ike_cfg_t, equals, bool,
 		return FALSE;
 	}
 	e1 = this->proposals->create_enumerator(this->proposals);
-	e2 = this->proposals->create_enumerator(this->proposals);
+	e2 = other->proposals->create_enumerator(other->proposals);
 	while (e1->enumerate(e1, &p1) && e2->enumerate(e2, &p2))
 	{
 		if (!p1->equals(p1, p2))
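Review bot: The loop at L6581 stops at the shorter list, so two configurations whose proposal lists are a prefix of one another compare equal unless a count comparison precedes it; the `return FALSE` at the top of the hunk may be exactly that, but its condition is outside the view. If there is none, add `if (this->proposals->get_count(this->proposals) != other->proposals->get_count(other->proposals)) return FALSE;` before the enumerators are created. Before this fix the method enumerated `this->proposals` on both sides, so any two ike_cfg objects agreeing on everything else matched regardless of their proposals, which matters wherever equals() drives configuration reuse. equals continues outside the hunk.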
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index 891d1be..2ecdb4f 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2014 Tobias Brunner
  * Copyright (C) 2006-2010 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -193,7 +193,7 @@ static bool select_algo(private_proposal_t *this, proposal_t *other,
 {
 	enumerator_t *e1, *e2;
 	u_int16_t alg1, alg2, ks1, ks2;
-	bool found = FALSE;
+	bool found = FALSE, optional = FALSE;
 
 	if (type == INTEGRITY_ALGORITHM &&
 		selected->get_algorithm(selected, ENCRYPTION_ALGORITHM, &alg1, NULL) &&
@@ -202,12 +202,27 @@ static bool select_algo(private_proposal_t *this, proposal_t *other,
 		/* no integrity algorithm required, we have an AEAD */
 		return TRUE;
 	}
+	if (type == DIFFIE_HELLMAN_GROUP)
+	{
+		optional = this->protocol == PROTO_ESP || this->protocol == PROTO_AH;
+	}
 
 	e1 = create_enumerator(this, type);
 	e2 = other->create_enumerator(other, type);
-	if (!e1->enumerate(e1, NULL, NULL) && !e2->enumerate(e2, NULL, NULL))
+	if (!e1->enumerate(e1, NULL, NULL))
 	{
-		found = TRUE;
+		if (!e2->enumerate(e2, &alg2, NULL))
+		{
+			found = TRUE;
+		}
+		else if (optional)
+		{
+			do
+			{	/* if the other peer proposes NONE, we accept the proposal */
+				found = !alg2;
+			}
+			while (!found && e2->enumerate(e2, &alg2, NULL));
+		}
 	}
 
 	e1->destroy(e1);
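Review bot: The accept path at L6623–L6630 returns a match for an ESP/AH proposal without PFS whenever this side has no DH group configured and the peer lists NONE anywhere among its DH transforms, and it does so without adding anything to `selected`; that is the intended relaxation, but the comment should spell out the policy consequence, e.g. `/* no group configured locally: accept only if the peer explicitly offers NONE (no PFS); a peer insisting on a group is not matched here */`. The asymmetry appears deliberate, since with groups configured locally and none offered by the peer the code falls through to the pairwise search that presumably follows and finds no match, so locally required PFS is still enforced. `optional` is only ever set for DIFFIE_HELLMAN_GROUP, so the `type ==` test at L6608 could be folded into the assignment. select_algo's body continues outside the hunk.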
diff --git a/src/libcharon/encoding/payloads/cert_payload.c b/src/libcharon/encoding/payloads/cert_payload.c
index a32f570..05d4105 100644
--- a/src/libcharon/encoding/payloads/cert_payload.c
+++ b/src/libcharon/encoding/payloads/cert_payload.c
@@ -224,6 +224,9 @@ METHOD(cert_payload_t, get_cert, certificate_t*,
 		case ENC_X509_SIGNATURE:
 			type = CERT_X509;
 			break;
+		case ENC_X509_ATTRIBUTE:
+			type = CERT_X509_AC;
+			break;
 		case ENC_CRL:
 			type = CERT_X509_CRL;
 			break;
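Review bot: The CERT_X509_AC object that get_cert now builds from an ENC_X509_ATTRIBUTE encoding comes from the peer before its authentication completes, so the attribute certificate is untrusted until its issuer signature and holder binding have been checked against a trusted AA certificate; presumably the credential manager does that for ACs, but nothing at this layer enforces it, so a note such as `/* attribute certificates are only parsed here; the consumer must verify issuer and holder before using any attribute */` would help the next reader. The builder call that consumes `type` is outside the hunk, as is the rest of get_cert.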
@@ -333,6 +336,9 @@ cert_payload_t *cert_payload_create_from_cert(payload_type_t type,
 		case CERT_X509:
 			this->encoding = ENC_X509_SIGNATURE;
 			break;
+		case CERT_X509_AC:
+			this->encoding = ENC_X509_ATTRIBUTE;
+			break;
 		default:
 			DBG1(DBG_ENC, "embedding %N certificate in payload failed",
 				 certificate_type_names, cert->get_type(cert));
@@ -380,4 +386,3 @@ cert_payload_t *cert_payload_create_custom(payload_type_t type,
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
index cb9b359..3e35b75 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -361,12 +361,20 @@ METHOD(payload_t, verify, status_t,
 			}
 			break;
 		case PROTO_IKE:
-			if (this->spi.len != 0 && this->spi.len  != 8)
+			if (this->type == PROPOSAL_SUBSTRUCTURE_V1)
 			{
-				DBG1(DBG_ENC, "invalid SPI length in IKE proposal");
-				return FAILED;
+				if (this->spi.len <= 16)
+				{	/* according to RFC 2409, section 3.5 anything between
+					 * 0 and 16 is fine */
+					break;
+				}
 			}
-			break;
+			else if (this->spi.len == 0 || this->spi.len  == 8)
+			{
+				break;
+			}
+			DBG1(DBG_ENC, "invalid SPI length in IKE proposal");
+			return FAILED;
 		default:
 			break;
 	}
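Review bot: The citation in the new comment at L6677 looks wrong: the rule that an ISAKMP proposal's SPI Size may be anything from 0 to 16 octets is in RFC 2408 (ISAKMP) section 3.5, Proposal Payload, whereas RFC 2409 has no section 3.5; suggest `/* RFC 2408, section 3.5: for ISAKMP the SPI is the cookie pair, so the SPI size is irrelevant and may be 0 to 16 octets */`. The nested if/break followed by an unconditional `return FAILED` right before `default:` reads like a fall-through at first glance; a single condition, `if (this->type == PROPOSAL_SUBSTRUCTURE_V1 ? this->spi.len <= 16 : (this->spi.len == 0 || this->spi.len == 8)) { break; }`, would be clearer. verify starts and ends outside the hunk.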
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index bc32b5a..0aa635a 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/android_dns/Makefile.in b/src/libcharon/plugins/android_dns/Makefile.in
index 6278a62..f44734c 100644
--- a/src/libcharon/plugins/android_dns/Makefile.in
+++ b/src/libcharon/plugins/android_dns/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in
index ae64a87..361b361 100644
--- a/src/libcharon/plugins/android_log/Makefile.in
+++ b/src/libcharon/plugins/android_log/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in
index f812770..e218c8a 100644
--- a/src/libcharon/plugins/certexpire/Makefile.in
+++ b/src/libcharon/plugins/certexpire/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in
index d8eb802..bb95126 100644
--- a/src/libcharon/plugins/coupling/Makefile.in
+++ b/src/libcharon/plugins/coupling/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
index 395cd76..81f2b78 100644
--- a/src/libcharon/plugins/dhcp/Makefile.in
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/dhcp/dhcp_provider.c b/src/libcharon/plugins/dhcp/dhcp_provider.c
index e092771..f5325b5 100644
--- a/src/libcharon/plugins/dhcp/dhcp_provider.c
+++ b/src/libcharon/plugins/dhcp/dhcp_provider.c
@@ -47,22 +47,6 @@ struct private_dhcp_provider_t {
 };
 
 /**
- * Hashtable hash function
- */
-static u_int hash(void *key)
-{
-	return (uintptr_t)key;
-}
-
-/**
- * Hashtable equals function
- */
-static bool equals(void *a, void *b)
-{
-	return a == b;
-}
-
-/**
  * Hash ID and host to a key
  */
 static uintptr_t hash_id_host(identification_t *id, host_t *host)
@@ -226,7 +210,8 @@ dhcp_provider_t *dhcp_provider_create(dhcp_socket_t *socket)
 		},
 		.socket = socket,
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
-		.transactions = hashtable_create(hash, equals, 8),
+		.transactions = hashtable_create(hashtable_hash_ptr,
+										 hashtable_equals_ptr, 8),
 	);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/dnscert/Makefile.in b/src/libcharon/plugins/dnscert/Makefile.in
index 4be453e..d9eeddf 100644
--- a/src/libcharon/plugins/dnscert/Makefile.in
+++ b/src/libcharon/plugins/dnscert/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in
index e9da68e..0b12cf3 100644
--- a/src/libcharon/plugins/duplicheck/Makefile.in
+++ b/src/libcharon/plugins/duplicheck/Makefile.in
@@ -380,7 +380,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index 67cf667..9e771ae 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index 7d6ae95..91c4bb1 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in
index 6ff0acb..16d0b42 100644
--- a/src/libcharon/plugins/eap_dynamic/Makefile.in
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index 99ae94e..1c8d51b 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index 688879a..4c536b2 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index 150b131..d9938dd 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index d52f26a..7caac9c 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
index 49e3dd1..5115068 100644
--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -792,12 +792,14 @@ static status_t process_peer_success(private_eap_mschapv2_t *this,
 					 "invalid auth string");
 				goto error;
 			}
+			chunk_free(&auth_string);
 			hex = chunk_create(token, AUTH_RESPONSE_LEN - 2);
 			auth_string = chunk_from_hex(hex, NULL);
 		}
 		else if (strpfx(token, "M="))
 		{
 			token += 2;
+			free(msg);
 			msg = strdup(token);
 		}
 	}
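Review bot: The added frees at L6917 and L6924 handle a peer that repeats `S=` or `M=` in one Success message, which previously leaked a chunk or string per repetition, but nothing says so; a one-line comment such as `/* the peer may repeat a token; drop any earlier value */` would keep a later cleanup from removing them as redundant. The same tokenizer is now duplicated in process_peer_failure with the same fix, so a small static helper for the `A=`/`S=`/`C=`/`M=` parsing would remove the duplication and keep the two paths from drifting. process_peer_success continues outside the hunk.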
@@ -883,6 +885,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
 					 "invalid challenge");
 				goto error;
 			}
+			chunk_free(&challenge);
 			hex = chunk_create(token, 2 * CHALLENGE_LEN);
 			challenge = chunk_from_hex(hex, NULL);
 		}
@@ -893,6 +896,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
 		else if (strpfx(token, "M="))
 		{
 			token += 2;
+			free(msg);
 			msg = strdup(token);
 		}
 	}
diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in
index 7ac4a6e..29d8c8b 100644
--- a/src/libcharon/plugins/eap_peap/Makefile.in
+++ b/src/libcharon/plugins/eap_peap/Makefile.in
@@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
index 3e2bf04..fbce312 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.in
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
index 8c780e7..5fb1bbb 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
@@ -410,7 +410,12 @@ static job_requeue_t send_interim(interim_data_t *data)
 	{
 		if (!send_message(this, message))
 		{
-			eap_radius_handle_timeout(data->id);
+			if (lib->settings->get_bool(lib->settings,
+							"%s.plugins.eap-radius.accounting_close_on_timeout",
+							TRUE, lib->ns))
+			{
+				eap_radius_handle_timeout(data->id);
+			}
 		}
 		message->destroy(message);
 	}
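Review bot: With the new option set to false, a failed interim update at L6974 is dropped without any local record, so the accounting trail develops silent gaps unless send_message already logs the failure; add an else branch with a DBG1 line stating that the interim update failed and the IKE_SA is being kept, so operators can spot missing records. Reading the setting on every interim send also costs a settings lookup per update; it could be read once into the private struct at plugin initialization, as the other eap-radius options presumably are, and the closing behaviour documented there. send_interim's body continues outside the hunk.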
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_forward.c b/src/libcharon/plugins/eap_radius/eap_radius_forward.c
index b873e1d..54d52a9 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_forward.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_forward.c
@@ -74,22 +74,6 @@ typedef struct {
 static private_eap_radius_forward_t *singleton = NULL;
 
 /**
- * Hashtable hash function
- */
-static u_int hash(uintptr_t key)
-{
-	return key;
-}
-
-/**
- * Hashtable equals function
- */
-static bool equals(uintptr_t a, uintptr_t b)
-{
-	return a == b;
-}
-
-/**
  * Free a queue entry
  */
 static void free_attribute(chunk_t *chunk)
@@ -442,10 +426,8 @@ eap_radius_forward_t *eap_radius_forward_create()
 		.to_attr = parse_selector(lib->settings->get_str(lib->settings,
 							"%s.plugins.eap-radius.forward.radius_to_ike", "",
 							lib->ns)),
-		.from = hashtable_create((hashtable_hash_t)hash,
-						(hashtable_equals_t)equals, 8),
-		.to = hashtable_create((hashtable_hash_t)hash,
-						(hashtable_equals_t)equals, 8),
+		.from = hashtable_create(hashtable_hash_ptr, hashtable_equals_ptr, 8),
+		.to = hashtable_create(hashtable_hash_ptr, hashtable_equals_ptr, 8),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 	);
 
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index 3707f64..10b881f 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index 05bbc31..e4552d1 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
index a22a5c3..628f537 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
@@ -376,7 +376,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index 189baac..4a8127f 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -376,7 +376,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index 33443a1..8ac480d 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
index 02cf153..79b45a9 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in
index ec189f8..c2b8b4f 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.in
+++ b/src/libcharon/plugins/eap_tls/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in
index 6d4ff87..1f2ace2 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.in
+++ b/src/libcharon/plugins/eap_tnc/Makefile.in
@@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
index a22b1e2..b693787 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.in
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in
index d8a135c..8dd7875 100644
--- a/src/libcharon/plugins/error_notify/Makefile.in
+++ b/src/libcharon/plugins/error_notify/Makefile.in
@@ -381,7 +381,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index 60c55f0..13f0e52 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index 2f32630..d7a77ee 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/ha/ha_cache.c b/src/libcharon/plugins/ha/ha_cache.c
index ce1afe6..60e75fc 100644
--- a/src/libcharon/plugins/ha/ha_cache.c
+++ b/src/libcharon/plugins/ha/ha_cache.c
@@ -59,22 +59,6 @@ struct private_ha_cache_t {
 };
 
 /**
- * Hashtable hash function
- */
-static u_int hash(void *key)
-{
-	return (uintptr_t)key;
-}
-
-/**
- * Hashtable equals function
- */
-static bool equals(void *a, void *b)
-{
-	return a == b;
-}
-
-/**
  * Cache entry for an IKE_SA
  */
 typedef struct {
@@ -380,7 +364,7 @@ ha_cache_t *ha_cache_create(ha_kernel_t *kernel, ha_socket_t *socket,
 		.count = count,
 		.kernel = kernel,
 		.socket = socket,
-		.cache = hashtable_create(hash, equals, 8),
+		.cache = hashtable_create(hashtable_hash_ptr, hashtable_equals_ptr, 8),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 	);
 
diff --git a/src/libcharon/plugins/ipseckey/Makefile.in b/src/libcharon/plugins/ipseckey/Makefile.in
index 2ee5a49..1f62f40 100644
--- a/src/libcharon/plugins/ipseckey/Makefile.in
+++ b/src/libcharon/plugins/ipseckey/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.in b/src/libcharon/plugins/kernel_libipsec/Makefile.in
index 1726c68..3bc289d 100644
--- a/src/libcharon/plugins/kernel_libipsec/Makefile.in
+++ b/src/libcharon/plugins/kernel_libipsec/Makefile.in
@@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in
index 48163af..f7179cf 100644
--- a/src/libcharon/plugins/led/Makefile.in
+++ b/src/libcharon/plugins/led/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index 2369044..561d69a 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -383,7 +383,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in
index 4b6d214..57aaeea 100644
--- a/src/libcharon/plugins/lookip/Makefile.in
+++ b/src/libcharon/plugins/lookip/Makefile.in
@@ -379,7 +379,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in
index 314088a..e1d4ee3 100644
--- a/src/libcharon/plugins/maemo/Makefile.in
+++ b/src/libcharon/plugins/maemo/Makefile.in
@@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index 8d7ca04..b6a04df 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index 7abc23e..82d985e 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/osx_attr/Makefile.in b/src/libcharon/plugins/osx_attr/Makefile.in
index b891f55..ce8d67c 100644
--- a/src/libcharon/plugins/osx_attr/Makefile.in
+++ b/src/libcharon/plugins/osx_attr/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in
index bf85d57..3dbebd8 100644
--- a/src/libcharon/plugins/radattr/Makefile.in
+++ b/src/libcharon/plugins/radattr/Makefile.in
@@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in
index 43f3c6f..e0134e7 100644
--- a/src/libcharon/plugins/smp/Makefile.in
+++ b/src/libcharon/plugins/smp/Makefile.in
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in
index 155113e..894c1f9 100644
--- a/src/libcharon/plugins/socket_default/Makefile.in
+++ b/src/libcharon/plugins/socket_default/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in
index da40a43..a0e2d2d 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.in
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in
index 9638049..02967d0 100644
--- a/src/libcharon/plugins/sql/Makefile.in
+++ b/src/libcharon/plugins/sql/Makefile.in
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index 11a8771..253203d 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index ea16805..1aa49ce 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -31,8 +31,9 @@
 #include <credentials/certificates/ac.h>
 #include <credentials/certificates/crl.h>
 #include <credentials/certificates/pgp_certificate.h>
-#include <credentials/ietf_attributes/ietf_attributes.h>
 #include <config/peer_cfg.h>
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
 
 /* warning intervals for list functions */
 #define CERT_WARNING_INTERVAL  30	/* days */
@@ -1027,16 +1028,19 @@ static void stroke_list_certs(linked_list_t *list, char *label,
 static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
 {
 	bool first = TRUE;
-	time_t thisUpdate, nextUpdate, now = time(NULL);
-	enumerator_t *enumerator = list->create_enumerator(list);
+	time_t notBefore, notAfter, now = time(NULL);
+	enumerator_t *enumerator;
 	certificate_t *cert;
 
-	while (enumerator->enumerate(enumerator, (void**)&cert))
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &cert))
 	{
 		ac_t *ac = (ac_t*)cert;
+		ac_group_type_t type;
 		identification_t *id;
-		ietf_attributes_t *groups;
+		enumerator_t *groups;
 		chunk_t chunk;
+		bool firstgroup = TRUE;
 
 		if (first)
 		{
@@ -1061,30 +1065,79 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
 		{
 			fprintf(out, "  hserial:   %#B\n", &chunk);
 		}
-		groups = ac->get_groups(ac);
-		if (groups)
+		groups = ac->create_group_enumerator(ac);
+		while (groups->enumerate(groups, &type, &chunk))
 		{
-			fprintf(out, "  groups:    %s\n", groups->get_string(groups));
-			groups->destroy(groups);
+			int oid;
+			char *str;
+
+			if (firstgroup)
+			{
+				fprintf(out, "  groups:    ");
+				firstgroup = FALSE;
+			}
+			else
+			{
+				fprintf(out, "             ");
+			}
+			switch (type)
+			{
+				case AC_GROUP_TYPE_STRING:
+					fprintf(out, "%.*s", (int)chunk.len, chunk.ptr);
+					break;
+				case AC_GROUP_TYPE_OID:
+					oid = asn1_known_oid(chunk);
+					if (oid == OID_UNKNOWN)
+					{
+						str = asn1_oid_to_string(chunk);
+						if (str)
+						{
+							fprintf(out, "%s", str);
+							free(str);
+						}
+						else
+						{
+							fprintf(out, "OID:%#B", &chunk);
+						}
+					}
+					else
+					{
+						fprintf(out, "%s", oid_names[oid].name);
+					}
+					break;
+				case AC_GROUP_TYPE_OCTETS:
+					fprintf(out, "%#B", &chunk);
+					break;
+			}
+			fprintf(out, "\n");
 		}
+		groups->destroy(groups);
 		fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
 		chunk  = chunk_skip_zero(ac->get_serial(ac));
 		fprintf(out, "  serial:    %#B\n", &chunk);
 
 		/* list validity */
-		cert->get_validity(cert, &now, &thisUpdate, &nextUpdate);
-		fprintf(out, "  updates:   this %T\n",  &thisUpdate, utc);
-		fprintf(out, "             next %T, ", &nextUpdate, utc);
-		if (now > nextUpdate)
+		cert->get_validity(cert, &now, &notBefore, &notAfter);
+		fprintf(out, "  validity:  not before %T, ", &notBefore, utc);
+		if (now < notBefore)
 		{
-			fprintf(out, "expired (%V ago)\n", &now, &nextUpdate);
+			fprintf(out, "not valid yet (valid in %V)\n", &now, &notBefore);
+		}
+		else
+		{
+			fprintf(out, "ok\n");
+		}
+		fprintf(out, "             not after  %T, ", &notAfter, utc);
+		if (now > notAfter)
+		{
+			fprintf(out, "expired (%V ago)\n", &now, &notAfter);
 		}
 		else
 		{
 			fprintf(out, "ok");
-			if (now > nextUpdate - AC_WARNING_INTERVAL * 60 * 60 * 24)
+			if (now > notAfter - AC_WARNING_INTERVAL * 60 * 60 * 24)
 			{
-				fprintf(out, " (expires in %V)", &now, &nextUpdate);
+				fprintf(out, " (expires in %V)", &now, &notAfter);
 			}
 			fprintf(out, " \n");
 		}
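Review bot: The AC_GROUP_TYPE_STRING branch prints the group value with `%.*s` straight out of the certificate, so a string containing newlines or control characters (the AC came from whatever source loaded it; nothing here restricts it) breaks the column layout and can inject arbitrary text into the listing, whereas the OCTETS branch's `%#B` hex output is the safe shape. Escaping non-printable bytes, or using a printable-check helper if this tree has one, would keep the output trustworthy. The switch also has no default branch, so a group type the enum gains later prints an empty line silently; `default: fprintf(out, "(unknown group type %d)", type);` would make that visible. stroke_list_acerts begins in the previous hunk.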
diff --git a/src/libcharon/plugins/systime_fix/Makefile.in b/src/libcharon/plugins/systime_fix/Makefile.in
index 6372472..76b2c57 100644
--- a/src/libcharon/plugins/systime_fix/Makefile.in
+++ b/src/libcharon/plugins/systime_fix/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in
index ace18e7..1941130 100644
--- a/src/libcharon/plugins/tnc_ifmap/Makefile.in
+++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in
@@ -376,7 +376,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
index 8f24dae..a652e70 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
@@ -779,7 +779,7 @@ static bool soap_init(private_tnc_ifmap_soap_t *this)
 			return FALSE;
 		}
 		DBG1(DBG_TNC, "loaded MAP client certificate from '%s'", client_cert);
-		this->creds->add_cert(this->creds, TRUE, cert);
+		cert = this->creds->add_cert_ref(this->creds, TRUE, cert);
 
 		/* load MAP client private key */
 		if (client_key)
@@ -876,7 +876,8 @@ static bool soap_init(private_tnc_ifmap_soap_t *this)
 	}
 
 	/* open TLS socket */
-	this->tls = tls_socket_create(FALSE, server_id, client_id, this->fd, NULL);
+	this->tls = tls_socket_create(FALSE, server_id, client_id, this->fd,
+								  NULL, TLS_1_2, FALSE);
 	if (!this->tls)
 	{
 		DBG1(DBG_TNC, "creating TLS socket failed");
@@ -923,4 +924,3 @@ tnc_ifmap_soap_t *tnc_ifmap_soap_create()
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.am b/src/libcharon/plugins/tnc_pdp/Makefile.am
index cc7c934..48de825 100644
--- a/src/libcharon/plugins/tnc_pdp/Makefile.am
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.am
@@ -15,12 +15,13 @@ if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-tnc-pdp.la
 else
 plugin_LTLIBRARIES = libstrongswan-tnc-pdp.la
+endif
+
 libstrongswan_tnc_pdp_la_LIBADD = \
 	$(top_builddir)/src/libradius/libradius.la \
 	$(top_builddir)/src/libpttls/libpttls.la \
 	$(top_builddir)/src/libtls/libtls.la \
 	$(top_builddir)/src/libtnccs/libtnccs.la
-endif
 
 libstrongswan_tnc_pdp_la_SOURCES = \
 	tnc_pdp_plugin.h tnc_pdp_plugin.c \
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in
index b2958ef..875aa99 100644
--- a/src/libcharon/plugins/tnc_pdp/Makefile.in
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.in
@@ -127,11 +127,11 @@ am__uninstall_files_from_dir = { \
   }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
- at MONOLITHIC_FALSE@libstrongswan_tnc_pdp_la_DEPENDENCIES =  \
- at MONOLITHIC_FALSE@	$(top_builddir)/src/libradius/libradius.la \
- at MONOLITHIC_FALSE@	$(top_builddir)/src/libpttls/libpttls.la \
- at MONOLITHIC_FALSE@	$(top_builddir)/src/libtls/libtls.la \
- at MONOLITHIC_FALSE@	$(top_builddir)/src/libtnccs/libtnccs.la
+libstrongswan_tnc_pdp_la_DEPENDENCIES =  \
+	$(top_builddir)/src/libradius/libradius.la \
+	$(top_builddir)/src/libpttls/libpttls.la \
+	$(top_builddir)/src/libtls/libtls.la \
+	$(top_builddir)/src/libtnccs/libtnccs.la
 am_libstrongswan_tnc_pdp_la_OBJECTS = tnc_pdp_plugin.lo tnc_pdp.lo \
 	tnc_pdp_connections.lo
 libstrongswan_tnc_pdp_la_OBJECTS =  \
@@ -377,7 +377,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -432,11 +431,11 @@ AM_CFLAGS = \
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-tnc-pdp.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-tnc-pdp.la
- at MONOLITHIC_FALSE@libstrongswan_tnc_pdp_la_LIBADD = \
- at MONOLITHIC_FALSE@	$(top_builddir)/src/libradius/libradius.la \
- at MONOLITHIC_FALSE@	$(top_builddir)/src/libpttls/libpttls.la \
- at MONOLITHIC_FALSE@	$(top_builddir)/src/libtls/libtls.la \
- at MONOLITHIC_FALSE@	$(top_builddir)/src/libtnccs/libtnccs.la
+libstrongswan_tnc_pdp_la_LIBADD = \
+	$(top_builddir)/src/libradius/libradius.la \
+	$(top_builddir)/src/libpttls/libpttls.la \
+	$(top_builddir)/src/libtls/libtls.la \
+	$(top_builddir)/src/libtnccs/libtnccs.la
 
 libstrongswan_tnc_pdp_la_SOURCES = \
 	tnc_pdp_plugin.h tnc_pdp_plugin.c \
diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in
index b2b473c..8c38cea 100644
--- a/src/libcharon/plugins/uci/Makefile.in
+++ b/src/libcharon/plugins/uci/Makefile.in
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in
index 2d9f596..165590d 100644
--- a/src/libcharon/plugins/unit_tester/Makefile.in
+++ b/src/libcharon/plugins/unit_tester/Makefile.in
@@ -376,7 +376,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in
index 65fe14e..efb7e95 100644
--- a/src/libcharon/plugins/unity/Makefile.in
+++ b/src/libcharon/plugins/unity/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in
index e2d6d32..36cf78e 100644
--- a/src/libcharon/plugins/updown/Makefile.in
+++ b/src/libcharon/plugins/updown/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in
index aa8ad2e..e3588ad 100644
--- a/src/libcharon/plugins/whitelist/Makefile.in
+++ b/src/libcharon/plugins/whitelist/Makefile.in
@@ -380,7 +380,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in
index cf0c326..b78a917 100644
--- a/src/libcharon/plugins/xauth_eap/Makefile.in
+++ b/src/libcharon/plugins/xauth_eap/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in
index 2d18f60..e4d96a9 100644
--- a/src/libcharon/plugins/xauth_generic/Makefile.in
+++ b/src/libcharon/plugins/xauth_generic/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.in b/src/libcharon/plugins/xauth_noauth/Makefile.in
index 8173631..5fe4c06 100644
--- a/src/libcharon/plugins/xauth_noauth/Makefile.in
+++ b/src/libcharon/plugins/xauth_noauth/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in
index 1ee269e..2a6aec0 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.in
+++ b/src/libcharon/plugins/xauth_pam/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
index 8c7ba8d..88ad14f 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.c
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
@@ -97,10 +97,35 @@ static bool derive_ike_aead(private_keymat_v2_t *this, u_int16_t alg,
 {
 	aead_t *aead_i, *aead_r;
 	chunk_t key = chunk_empty;
+	u_int salt_size;
+
+	switch (alg)
+	{
+		case ENCR_AES_GCM_ICV8:
+		case ENCR_AES_GCM_ICV12:
+		case ENCR_AES_GCM_ICV16:
+			/* RFC 4106 */
+			salt_size = 4;
+			break;
+		case ENCR_AES_CCM_ICV8:
+		case ENCR_AES_CCM_ICV12:
+		case ENCR_AES_CCM_ICV16:
+			/* RFC 4309 */
+		case ENCR_CAMELLIA_CCM_ICV8:
+		case ENCR_CAMELLIA_CCM_ICV12:
+		case ENCR_CAMELLIA_CCM_ICV16:
+			/* RFC 5529 */
+			salt_size = 3;
+			break;
+		default:
+			DBG1(DBG_IKE, "nonce size for %N unknown!",
+				 encryption_algorithm_names, alg);
+			return FALSE;
+	}
 
 	/* SK_ei/SK_er used for encryption */
-	aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8);
-	aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8);
+	aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8, salt_size);
+	aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8, salt_size);
 	if (aead_i == NULL || aead_r == NULL)
 	{
 		DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
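Review bot: The message in the default branch says "nonce size" while the value being chosen is `salt_size`, so someone grepping the log for the failing path will look for the wrong word; `DBG1(DBG_IKE, "salt size for %N unknown!", encryption_algorithm_names, alg);` keeps the log aligned with the code. A one-line comment above the switch saying that the salt is taken from the derived SK_e keying material and is prepended to the per-message IV, which is why its length is tied to the algorithm (4 bytes for GCM, 3 for CCM), would help since the bare RFC references are the only hint. derive_ike_aead starts and ends outside the hunk.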
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index ac3be90..a5252ab 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -778,6 +778,15 @@ static status_t process_request(private_task_manager_t *this,
 			case CREATE_CHILD_SA:
 			{	/* FIXME: we should prevent this on mediation connections */
 				bool notify_found = FALSE, ts_found = FALSE;
+
+				if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
+					this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING)
+				{
+					DBG1(DBG_IKE, "received CREATE_CHILD_SA request for "
+						 "unestablished IKE_SA, rejected");
+					return FAILED;
+				}
+
 				enumerator = message->create_payload_enumerator(message);
 				while (enumerator->enumerate(enumerator, &payload))
 				{
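Review bot: The new guard is a deny-list of two states, so a CREATE_CHILD_SA arriving in any other non-established state (IKE_DELETING, or a state added later) still reaches the normal processing path; if only ESTABLISHED and REKEYING legitimately receive this exchange, an allow-list `if (state != IKE_ESTABLISHED && state != IKE_REKEYING)` (with `state` read once into a local instead of calling get_state twice) fails closed. The log line says what happens but not why; a comment such as `/* an unauthenticated peer must not create CHILD_SAs or rekey the IKE_SA before IKE_AUTH completes */` records the security rationale behind the check. Returning FAILED presumably drops the request without a reply, which is the right default for an unauthenticated peer, but that behaviour is worth stating in the comment. process_request starts and ends outside the hunk.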
diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c
index e898efc..88b032c 100644
--- a/src/libcharon/sa/ikev2/tasks/child_delete.c
+++ b/src/libcharon/sa/ikev2/tasks/child_delete.c
@@ -17,6 +17,7 @@
 
 #include <daemon.h>
 #include <encoding/payloads/delete_payload.h>
+#include <sa/ikev2/tasks/child_create.h>
 
 
 typedef struct private_child_delete_t private_child_delete_t;
@@ -313,6 +314,17 @@ METHOD(task_t, build_i, status_t,
 	}
 	log_children(this);
 	build_payloads(this, message);
+
+	if (!this->rekeyed && this->expired)
+	{
+		child_cfg_t *child_cfg;
+
+		DBG1(DBG_IKE, "scheduling CHILD_SA recreate after hard expire");
+		child_cfg = child_sa->get_config(child_sa);
+		this->ike_sa->queue_task(this->ike_sa, (task_t*)
+				child_create_create(this->ike_sa, child_cfg->get_ref(child_cfg),
+									FALSE, NULL, NULL));
+	}
 	return NEED_MORE;
 }
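Review bot: The recreate is queued with only `!this->rekeyed && this->expired` as a condition and no comment on why a hard-expired CHILD_SA is re-established from inside the delete task; a line such as `/* hard expire hit before a rekey succeeded: recreate the SA so traffic is not lost */` makes the intent clear, and `child_sa` comes from earlier in build_i, outside the hunk. `child_cfg->get_ref()` hands its own reference to child_create_create, so ownership looks right, but the recreate is scheduled regardless of whether the IKE_SA itself is already being torn down — if queue_task on a deleting IKE_SA is not a no-op, that case deserves a check here.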
 
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_post.c b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
index a93e513..6dbc4de 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
@@ -22,6 +22,7 @@
 #include <encoding/payloads/certreq_payload.h>
 #include <encoding/payloads/auth_payload.h>
 #include <credentials/certificates/x509.h>
+#include <credentials/certificates/ac.h>
 
 
 typedef struct private_ike_cert_post_t private_ike_cert_post_t;
@@ -105,12 +106,109 @@ static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this,
 }
 
 /**
+ * Add subject certificate to message
+ */
+static bool add_subject_cert(private_ike_cert_post_t *this, auth_cfg_t *auth,
+							 message_t *message)
+{
+	cert_payload_t *payload;
+	certificate_t *cert;
+
+	cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+	if (!cert)
+	{
+		return FALSE;
+	}
+	payload = build_cert_payload(this, cert);
+	if (!payload)
+	{
+		return FALSE;
+	}
+	DBG1(DBG_IKE, "sending end entity cert \"%Y\"", cert->get_subject(cert));
+	message->add_payload(message, (payload_t*)payload);
+	return TRUE;
+}
+
+/**
+ * Add intermediate CA certificates to message
+ */
+static void add_im_certs(private_ike_cert_post_t *this, auth_cfg_t *auth,
+						 message_t *message)
+{
+	cert_payload_t *payload;
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	auth_rule_t type;
+
+	enumerator = auth->create_enumerator(auth);
+	while (enumerator->enumerate(enumerator, &type, &cert))
+	{
+		if (type == AUTH_RULE_IM_CERT)
+		{
+			payload = cert_payload_create_from_cert(CERTIFICATE, cert);
+			if (payload)
+			{
+				DBG1(DBG_IKE, "sending issuer cert \"%Y\"",
+					 cert->get_subject(cert));
+				message->add_payload(message, (payload_t*)payload);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Add any valid attribute certificates of subject to message
+ */
+static void add_attribute_certs(private_ike_cert_post_t *this,
+								auth_cfg_t *auth, message_t *message)
+{
+	certificate_t *subject, *cert;
+
+	subject = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+	if (subject && subject->get_type(subject) == CERT_X509)
+	{
+		x509_t *x509 = (x509_t*)subject;
+		identification_t *id, *serial;
+		enumerator_t *enumerator;
+		cert_payload_t *payload;
+		ac_t *ac;
+
+		/* we look for attribute certs having our serial and holder issuer,
+		 * which is recommended by RFC 5755 */
+		serial = identification_create_from_encoding(ID_KEY_ID,
+													 x509->get_serial(x509));
+		enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+										CERT_X509_AC, KEY_ANY, serial, FALSE);
+		while (enumerator->enumerate(enumerator, &ac))
+		{
+			cert = &ac->certificate;
+			id = ac->get_holderIssuer(ac);
+			if (id && id->equals(id, subject->get_issuer(subject)) &&
+				cert->get_validity(cert, NULL, NULL, NULL))
+			{
+				payload = cert_payload_create_from_cert(CERTIFICATE, cert);
+				if (payload)
+				{
+					DBG1(DBG_IKE, "sending attribute certificate "
+						 "issued by \"%Y\"", cert->get_issuer(cert));
+					message->add_payload(message, (payload_t*)payload);
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+		serial->destroy(serial);
+	}
+}
+
+/**
  * add certificates to message
  */
 static void build_certs(private_ike_cert_post_t *this, message_t *message)
 {
 	peer_cfg_t *peer_cfg;
 	auth_payload_t *payload;
+	auth_cfg_t *auth;
 
 	payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
 	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
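Review bot: `this` is passed to add_im_certs and add_attribute_certs but neither body uses it, so the parameter is dead in both; either drop it or keep it deliberately for symmetry with add_subject_cert and say so in the comment. In add_attribute_certs only current validity and a holder-issuer match are checked before an AC is sent — nothing visible verifies the AC's own signature or issuer trust, which is presumably fine because the peer validates it, but a comment above the enumerator stating that would set expectations. Flattening the outer `if` with an early return (`if (!subject || subject->get_type(subject) != CERT_X509) return;`) would remove one indentation level from the loop. build_certs continues in the next hunk.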
@@ -130,46 +228,13 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
 			}
 			/* FALL */
 		case CERT_ALWAYS_SEND:
-		{
-			cert_payload_t *payload;
-			enumerator_t *enumerator;
-			certificate_t *cert;
-			auth_rule_t type;
-			auth_cfg_t *auth;
-
 			auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-
-			/* get subject cert first, then issuing certificates */
-			cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
-			if (!cert)
+			if (add_subject_cert(this, auth, message))
 			{
-				break;
+				add_im_certs(this, auth, message);
+				add_attribute_certs(this, auth, message);
 			}
-			payload = build_cert_payload(this, cert);
-			if (!payload)
-			{
-				break;
-			}
-			DBG1(DBG_IKE, "sending end entity cert \"%Y\"",
-				 cert->get_subject(cert));
-			message->add_payload(message, (payload_t*)payload);
-
-			enumerator = auth->create_enumerator(auth);
-			while (enumerator->enumerate(enumerator, &type, &cert))
-			{
-				if (type == AUTH_RULE_IM_CERT)
-				{
-					payload = cert_payload_create_from_cert(CERTIFICATE, cert);
-					if (payload)
-					{
-						DBG1(DBG_IKE, "sending issuer cert \"%Y\"",
-							 cert->get_subject(cert));
-						message->add_payload(message, (payload_t*)payload);
-					}
-				}
-			}
-			enumerator->destroy(enumerator);
-		}
+			break;
 	}
 }
 
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
index bd28b29..558b1e9 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
@@ -260,6 +260,30 @@ static void process_crl(cert_payload_t *payload, auth_cfg_t *auth)
 }
 
 /**
+ * Process an attribute certificate payload
+ */
+static void process_ac(cert_payload_t *payload, auth_cfg_t *auth)
+{
+	certificate_t *cert;
+
+	cert = payload->get_cert(payload);
+	if (cert)
+	{
+		if (cert->get_issuer(cert))
+		{
+			DBG1(DBG_IKE, "received attribute certificate issued by \"%Y\"",
+				 cert->get_issuer(cert));
+		}
+		else if (cert->get_subject(cert))
+		{
+			DBG1(DBG_IKE, "received attribute certificate for \"%Y\"",
+				 cert->get_subject(cert));
+		}
+		auth->add(auth, AUTH_HELPER_AC_CERT, cert);
+	}
+}
+
+/**
  * Process certificate payloads
  */
 static void process_certs(private_ike_cert_pre_t *this, message_t *message)
@@ -298,13 +322,15 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message)
 				case ENC_CRL:
 					process_crl(cert_payload, auth);
 					break;
+				case ENC_X509_ATTRIBUTE:
+					process_ac(cert_payload, auth);
+					break;
 				case ENC_PKCS7_WRAPPED_X509:
 				case ENC_PGP:
 				case ENC_DNS_SIGNED_KEY:
 				case ENC_KERBEROS_TOKEN:
 				case ENC_ARL:
 				case ENC_SPKI:
-				case ENC_X509_ATTRIBUTE:
 				case ENC_RAW_RSA_KEY:
 				case ENC_X509_HASH_AND_URL_BUNDLE:
 				case ENC_OCSP_CONTENT:
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index dbfb988..f4405ae 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in
index 5e0bf3f..be3e36c 100644
--- a/src/libhydra/Makefile.in
+++ b/src/libhydra/Makefile.in
@@ -430,7 +430,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in
index e762b77..ed13f1e 100644
--- a/src/libhydra/plugins/attr/Makefile.in
+++ b/src/libhydra/plugins/attr/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libhydra/plugins/attr/attr_provider.c b/src/libhydra/plugins/attr/attr_provider.c
index a27fd57..c1788df 100644
--- a/src/libhydra/plugins/attr/attr_provider.c
+++ b/src/libhydra/plugins/attr/attr_provider.c
@@ -242,10 +242,13 @@ static void load_entries(private_attr_provider_t *this)
 				{
 					if (family == AF_INET)
 					{	/* IPv4 attributes contain a subnet mask */
-						u_int32_t netmask;
+						u_int32_t netmask = 0;
 
-						mask = 32 - mask;
-						netmask = htonl((0xFFFFFFFF >> mask) << mask);
+						if (mask)
+						{	/* shifting u_int32_t by 32 or more is undefined */
+							mask = 32 - mask;
+							netmask = htonl((0xFFFFFFFF >> mask) << mask);
+						}
 						data = chunk_cat("cc", host->get_address(host),
 										 chunk_from_thing(netmask));
 					}
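Review bot: The new guard only excludes `mask == 0`; if `mask` is not clamped to 0..32 before this point (outside the hunk), a value above 32 makes `32 - mask` negative and the shift is undefined again, just as before the fix. Tightening the condition to `if (mask && mask <= 32)`, or better rejecting the entry with a DBG1 when mask > 32 since a zero netmask would silently turn a typo into a /0, closes the gap. The comment `/* shifting u_int32_t by 32 or more is undefined */` is good and could mention the negative-shift case as well. load_entries starts and ends outside the hunk.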
diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in
index 1d258f2..5d88c77 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.in
+++ b/src/libhydra/plugins/attr_sql/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libhydra/plugins/kernel_klips/Makefile.in b/src/libhydra/plugins/kernel_klips/Makefile.in
index c804c8e..f20ceb4 100644
--- a/src/libhydra/plugins/kernel_klips/Makefile.in
+++ b/src/libhydra/plugins/kernel_klips/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in
index 5910cfd..26cde7c 100644
--- a/src/libhydra/plugins/kernel_netlink/Makefile.in
+++ b/src/libhydra/plugins/kernel_netlink/Makefile.in
@@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in
index 5d0e927..658ec7b 100644
--- a/src/libhydra/plugins/kernel_pfkey/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in
index 8e01d29..cdb09b1 100644
--- a/src/libhydra/plugins/kernel_pfroute/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
index a8a57a5..63c38bb 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -1576,16 +1576,20 @@ retry:
 		}
 		DBG1(DBG_KNL, "PF_ROUTE lookup failed: %s", strerror(errno));
 	}
-	if (!host)
+	if (nexthop)
 	{
-		return NULL;
+		host = host ?: dest->clone(dest);
 	}
-	if (!nexthop)
+	else
 	{	/* make sure the source address is not virtual and usable */
 		addr_entry_t *entry, lookup = {
 			.ip = host,
 		};
 
+		if (!host)
+		{
+			return NULL;
+		}
 		this->lock->read_lock(this->lock);
 		entry = this->addrs->get_match(this->addrs, &lookup,
 									(void*)addr_map_entry_match_up_and_usable);
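Review bot: When a nexthop is requested and the lookup failed (`host` is NULL after the "PF_ROUTE lookup failed" message above), the new `host = host ?: dest->clone(dest);` returns the destination itself as the next hop, so a routing failure is now reported to the caller as "directly connected". If the fallback is meant only for the on-link case, the failure path should still return NULL; if it is deliberate, a comment stating that a missing route defaults to on-link delivery would stop it being read as a bug. `?:` is a GCC extension, fine if the tree already relies on it, otherwise the explicit ternary is safer. The enclosing function starts and ends outside the hunk.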
diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in
index 0e520f1..e76ba57 100644
--- a/src/libhydra/plugins/resolve/Makefile.in
+++ b/src/libhydra/plugins/resolve/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in
index 4c8287b..9d8d863 100644
--- a/src/libimcv/Makefile.in
+++ b/src/libimcv/Makefile.in
@@ -450,7 +450,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql
index 9d938b9..7f3bae8 100644
--- a/src/libimcv/imv/data.sql
+++ b/src/libimcv/imv/data.sql
@@ -204,6 +204,18 @@ INSERT INTO products (			/* 34 */
  'Android 4.4.2'
 );
 
+INSERT INTO products (			/* 35 */
+  name
+) VALUES (
+ 'Ubuntu 14.04 i686'
+);
+
+INSERT INTO products (			/* 36 */
+  name
+) VALUES (
+ 'Ubuntu 14.04 x86_64'
+);
+
 /* Directories */
 
 INSERT INTO directories (		/*  1 */
@@ -729,6 +741,12 @@ INSERT INTO groups_product_defaults (
 INSERT INTO groups_product_defaults (
   group_id, product_id
 ) VALUES (
+  6, 35
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
   7, 8
 );
 
@@ -777,6 +795,12 @@ INSERT INTO groups_product_defaults (
 INSERT INTO groups_product_defaults (
   group_id, product_id
 ) VALUES (
+  7, 36
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
   3, 21
 );
 
diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in
index bfb3f00..7b25614 100644
--- a/src/libimcv/plugins/imc_os/Makefile.in
+++ b/src/libimcv/plugins/imc_os/Makefile.in
@@ -368,7 +368,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in
index 3db0f2b..afcaf1a 100644
--- a/src/libimcv/plugins/imc_scanner/Makefile.in
+++ b/src/libimcv/plugins/imc_scanner/Makefile.in
@@ -369,7 +369,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in
index 64e1c27..1c30654 100644
--- a/src/libimcv/plugins/imc_test/Makefile.in
+++ b/src/libimcv/plugins/imc_test/Makefile.in
@@ -368,7 +368,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in
index 856ced8..0441750 100644
--- a/src/libimcv/plugins/imv_os/Makefile.in
+++ b/src/libimcv/plugins/imv_os/Makefile.in
@@ -376,7 +376,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in
index 748b9a7..525f445 100644
--- a/src/libimcv/plugins/imv_scanner/Makefile.in
+++ b/src/libimcv/plugins/imv_scanner/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in
index 3c73e8f..3724cc5 100644
--- a/src/libimcv/plugins/imv_test/Makefile.in
+++ b/src/libimcv/plugins/imv_test/Makefile.in
@@ -369,7 +369,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in
index 737edad..f1a099e 100644
--- a/src/libipsec/Makefile.in
+++ b/src/libipsec/Makefile.in
@@ -410,7 +410,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libipsec/esp_context.c b/src/libipsec/esp_context.c
index 66e14f9..5e58f66 100644
--- a/src/libipsec/esp_context.c
+++ b/src/libipsec/esp_context.c
@@ -216,7 +216,8 @@ static bool create_aead(private_esp_context_t *this, int alg,
 		case ENCR_AES_GCM_ICV12:
 		case ENCR_AES_GCM_ICV16:
 			/* the key includes a 4 byte salt */
-			this->aead = lib->crypto->create_aead(lib->crypto, alg, key.len-4);
+			this->aead = lib->crypto->create_aead(lib->crypto, alg,
+												  key.len - 4, 4);
 			break;
 		default:
 			break;
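Review bot: `key.len - 4` on the new line underflows to a huge size_t when the key is shorter than the 4-byte salt the comment describes, so a guard such as `if (key.len < 4) { return FALSE; }` ahead of the switch would make the contract explicit instead of relying on create_aead() rejecting the bogus key length. The separate `4` passed as the new salt-length argument and the `key.len - 4` should be tied together, e.g. with a short comment `/* salt length must match the 4 bytes subtracted from key.len */` or a named constant used in both places, so they cannot drift apart. create_aead() starts and ends outside the hunk, so it is possible the key length is already validated by the caller.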
diff --git a/src/libpts/Makefile.in b/src/libpts/Makefile.in
index 05c27d9..af5eafd 100644
--- a/src/libpts/Makefile.in
+++ b/src/libpts/Makefile.in
@@ -448,7 +448,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libpts/plugins/imc_attestation/Makefile.in b/src/libpts/plugins/imc_attestation/Makefile.in
index 7a539ef..dd347d2 100644
--- a/src/libpts/plugins/imc_attestation/Makefile.in
+++ b/src/libpts/plugins/imc_attestation/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libpts/plugins/imc_attestation/imc_attestation.c b/src/libpts/plugins/imc_attestation/imc_attestation.c
index 467b998..c71b216 100644
--- a/src/libpts/plugins/imc_attestation/imc_attestation.c
+++ b/src/libpts/plugins/imc_attestation/imc_attestation.c
@@ -66,6 +66,8 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
 							  TNC_Version max_version,
 							  TNC_Version *actual_version)
 {
+	bool mandatory_dh_groups;
+
 	if (imc_attestation)
 	{
 		DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name);
@@ -78,8 +80,11 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
 		return TNC_RESULT_FATAL;
 	}
 
+	mandatory_dh_groups = lib->settings->get_bool(lib->settings,
+			"%s.plugins.imc-attestation.mandatory_dh_groups", TRUE, lib->ns);
+
 	if (!pts_meas_algo_probe(&supported_algorithms) ||
-		!pts_dh_group_probe(&supported_dh_groups))
+		!pts_dh_group_probe(&supported_dh_groups, mandatory_dh_groups))
 	{
 		imc_attestation->destroy(imc_attestation);
 		imc_attestation = NULL;
diff --git a/src/libpts/plugins/imc_swid/Makefile.in b/src/libpts/plugins/imc_swid/Makefile.in
index e1c932e..5840263 100644
--- a/src/libpts/plugins/imc_swid/Makefile.in
+++ b/src/libpts/plugins/imc_swid/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libpts/plugins/imv_attestation/Makefile.in b/src/libpts/plugins/imv_attestation/Makefile.in
index c1c14d4..ff94363 100644
--- a/src/libpts/plugins/imv_attestation/Makefile.in
+++ b/src/libpts/plugins/imv_attestation/Makefile.in
@@ -382,7 +382,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libpts/plugins/imv_attestation/attest.c b/src/libpts/plugins/imv_attestation/attest.c
index b8a6854..8f4df39 100644
--- a/src/libpts/plugins/imv_attestation/attest.c
+++ b/src/libpts/plugins/imv_attestation/attest.c
@@ -278,12 +278,14 @@ static void do_args(int argc, char *argv[])
 						exit(EXIT_FAILURE);
 					}
 				}
-				free(file);
 				free(dir);
+
 				if (!attest->set_file(attest, file, op == OP_ADD))
 				{
+					free(file);
 					exit(EXIT_FAILURE);
 				}
+				free(file);
 				continue;
 			}
 			case 'G':
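Review bot: The two `free(file)` calls bracketing the set_file() check duplicate the cleanup the commit introduces; taking the result first lets a single free cover both paths: `success = attest->set_file(attest, file, op == OP_ADD); free(file); if (!success) { exit(EXIT_FAILURE); }` with a `bool success;` declared for the case. That keeps the cleanup symmetric with the `free(dir)` just above and removes the second exit path that has to remember the free. do_args() begins and ends outside the hunk.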
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
index e8c3c5e..ae2660b 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
@@ -482,6 +482,22 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 							}
 						}
 
+						/* do TPM TRUSTED BOOT measurements */
+						if (strchr(workitem->get_arg_str(workitem), 'T'))
+						{
+							comp_name = pts_comp_func_name_create(PEN_ITA,
+											 PTS_ITA_COMP_FUNC_NAME_TBOOT,
+											PTS_ITA_QUALIFIER_FLAG_KERNEL |
+											PTS_ITA_QUALIFIER_TYPE_TRUSTED);
+							comp = attestation_state->create_component(
+											attestation_state, comp_name,
+											0, this->pts_db);
+							if (!comp)
+							{
+								comp_name->log(comp_name, "unregistered ");
+								comp_name->destroy(comp_name);
+							}
+						}
 						attestation_state->set_handshake_state(attestation_state,
 											IMV_ATTESTATION_STATE_NONCE_REQ);
 						continue;
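Review bot: When create_component() returns NULL for the TBOOT component the new code only logs "unregistered" and continues, so a work item whose argument string asked for 'T' goes on to the nonce request without trusted-boot measurements being evaluated; whether that should fail closed rather than silently degrade deserves an explicit decision, recorded at the site with a comment such as `/* TBOOT not registered for this product: the measurement is skipped and the attestation still proceeds */`. On the success path comp_name is not destroyed, which implies create_component() takes ownership of it — a one-line comment saying so would spare the next reader the same inference. The enclosing batch_ending() body starts and ends outside the hunk, so a later check may already cover the unregistered case.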
@@ -706,6 +722,7 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id,
 	private_imv_attestation_agent_t *this;
 	imv_agent_t *agent;
 	char *hash_alg, *dh_group, *cadir;
+	bool mandatory_dh_groups;
 
 	agent = imv_agent_create(name, msg_types, countof(msg_types), id,
 							 actual_version);
@@ -718,6 +735,8 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id,
 				"%s.plugins.imv-attestation.hash_algorithm", "sha256", lib->ns);
 	dh_group = lib->settings->get_str(lib->settings,
 				"%s.plugins.imv-attestation.dh_group", "ecp256", lib->ns);
+	mandatory_dh_groups = lib->settings->get_bool(lib->settings,
+				"%s.plugins.imv-attestation.mandatory_dh_groups", TRUE, lib->ns);
 	cadir = lib->settings->get_str(lib->settings,
 				"%s.plugins.imv-attestation.cadir", NULL, lib->ns);
 
@@ -742,7 +761,7 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id,
 	libpts_init();
 
 	if (!pts_meas_algo_probe(&this->supported_algorithms) ||
-		!pts_dh_group_probe(&this->supported_dh_groups) ||
+		!pts_dh_group_probe(&this->supported_dh_groups, mandatory_dh_groups) ||
 		!pts_meas_algo_update(hash_alg, &this->supported_algorithms) ||
 		!pts_dh_group_update(dh_group, &this->supported_dh_groups))
 	{
diff --git a/src/libpts/plugins/imv_swid/Makefile.in b/src/libpts/plugins/imv_swid/Makefile.in
index b92f7d4..f9bd93c 100644
--- a/src/libpts/plugins/imv_swid/Makefile.in
+++ b/src/libpts/plugins/imv_swid/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libpts/pts/pts.c b/src/libpts/pts/pts.c
index 8699282..3ab9b92 100644
--- a/src/libpts/pts/pts.c
+++ b/src/libpts/pts/pts.c
@@ -393,7 +393,7 @@ static void load_aik_blob(private_pts_t *this)
 		fseek(fp, 0L, SEEK_SET);
 
 		this->aik_blob = chunk_alloc(aikBlobLen);
-		if (fread(this->aik_blob.ptr, 1, aikBlobLen, fp))
+		if (fread(this->aik_blob.ptr, 1, aikBlobLen, fp) == aikBlobLen)
 		{
 			DBG2(DBG_PTS, "loaded AIK Blob from '%s'", blob_path);
 			DBG3(DBG_PTS, "AIK Blob: %B", &this->aik_blob);
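Review bot: The new `== aikBlobLen` comparison still accepts a zero-length file as a successfully loaded blob, because fread() returns 0 and the comparison holds; unless aikBlobLen is validated above the hunk (the ftell() that produces it is not visible and can also return -1 on error), `if (aikBlobLen > 0 && fread(this->aik_blob.ptr, 1, aikBlobLen, fp) == aikBlobLen)` would stop an empty or unreadable file from being treated as a valid AIK blob. load_aik_blob() begins outside the hunk.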
@@ -401,6 +401,7 @@ static void load_aik_blob(private_pts_t *this)
 		else
 		{
 			DBG1(DBG_PTS, "unable to read AIK Blob file '%s'", blob_path);
+			chunk_free(&this->aik_blob);
 		}
 		fclose(fp);
 		return;
diff --git a/src/libpts/pts/pts_database.c b/src/libpts/pts/pts_database.c
index 07e8ae1..fda644a 100644
--- a/src/libpts/pts/pts_database.c
+++ b/src/libpts/pts/pts_database.c
@@ -280,20 +280,17 @@ METHOD(pts_database_t, check_file_measurement, status_t,
 				DB_TEXT, dir, DB_INT);
 		if (!e)
 		{
-			free(file);
-			free(dir);
-			return FAILED;
+			status = FAILED;
+			goto err;
 		}
 		dir_found = e->enumerate(e, &did);
 		e->destroy(e);
 
 		if (!dir_found)
 		{
-			free(file);
-			free(dir);
-			return NOT_FOUND;
+			status = NOT_FOUND;
+			goto err;
 		}
-
 		e = this->db->query(this->db,
 				"SELECT fh.hash FROM file_hashes AS fh "
 				"JOIN files AS f ON f.id = fh.file "
@@ -302,12 +299,10 @@ METHOD(pts_database_t, check_file_measurement, status_t,
 				DB_TEXT, product, DB_INT, did, DB_TEXT, file, DB_INT, algo,
 				DB_BLOB);
 	}
-	free(file);
-	free(dir);
-
 	if (!e)
 	{
-		return FAILED;
+		status = FAILED;
+		goto err;
 	}
 	while (e->enumerate(e, &hash))
 	{
@@ -324,6 +319,10 @@ METHOD(pts_database_t, check_file_measurement, status_t,
 	}
 	e->destroy(e);
 
+err:
+	free(file);
+	free(dir);
+
 	return status;
 }
 
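Review bot: The `err:` label is also the normal exit — the success case falls through `e->destroy(e)` into it — so the name misleads; `out:` or `cleanup:` with the three gotos updated would say what it does. The pattern itself is sound as far as the hunks show: each goto is preceded by an assignment to status, and the enumerator is either NULL or already destroyed when the label is reached. check_file_measurement() begins outside the hunk, so status must be assigned on the hash-loop path above the label, as the original `return status` already required.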
diff --git a/src/libpts/pts/pts_dh_group.c b/src/libpts/pts/pts_dh_group.c
index 41a4360..305b4ec 100644
--- a/src/libpts/pts/pts_dh_group.c
+++ b/src/libpts/pts/pts_dh_group.c
@@ -20,7 +20,7 @@
 /**
  * Described in header.
  */
-bool pts_dh_group_probe(pts_dh_group_t *dh_groups)
+bool pts_dh_group_probe(pts_dh_group_t *dh_groups, bool mandatory_dh_groups)
 {
 	enumerator_t *enumerator;
 	diffie_hellman_group_t dh_group;
@@ -68,14 +68,23 @@ bool pts_dh_group_probe(pts_dh_group_t *dh_groups)
 
 	if (*dh_groups & PTS_DH_GROUP_IKE19)
 	{
+		/* mandatory PTS DH group is available */
 		return TRUE;
 	}
-	else
+	if (*dh_groups == PTS_DH_GROUP_NONE)
+	{
+		DBG1(DBG_PTS, "no PTS DH group available");
+		return FALSE;
+	}
+	if (mandatory_dh_groups)
 	{
 		DBG1(DBG_PTS, format2, "mandatory", diffie_hellman_group_names,
 											ECP_256_BIT);
+		return FALSE;
 	}
-	return FALSE;
+
+	/* at least one optional PTS DH group is available */
+	return TRUE;
 }
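Review bot: The final `return TRUE` is a silent downgrade: with mandatory_dh_groups set to FALSE the probe succeeds on whatever optional groups happen to be available even though the mandatory ECP_256 group is missing, and nothing is logged. A DBG1 before that return, e.g. `DBG1(DBG_PTS, "mandatory PTS DH group %N not available, using optional groups only", diffie_hellman_group_names, ECP_256_BIT);`, would make the relaxed configuration visible in operator logs, mirroring the existing "mandatory" message on the strict path. The `== PTS_DH_GROUP_NONE` check now runs ahead of the mandatory check, which reads correctly, but a one-line comment on why the order matters would help.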
 
 /**
diff --git a/src/libpts/pts/pts_dh_group.h b/src/libpts/pts/pts_dh_group.h
index 2aab902..f5d951e 100644
--- a/src/libpts/pts/pts_dh_group.h
+++ b/src/libpts/pts/pts_dh_group.h
@@ -59,10 +59,13 @@ enum pts_dh_group_t {
 /**
  * Probe available PTS Diffie-Hellman groups
  *
- * @param dh_groups			returns set of available DH groups
- * @return					TRUE if mandatory DH groups are available
+ * @param dh_groups				returns set of available DH groups
+ * @param mandatory_dh_groups	if TRUE enforce mandatory PTS DH groups
+ * @return						TRUE if mandatory DH groups are available
+ *								or at least one optional DH group if 
+ *								mandatory_dh_groups is set to FALSE.
  */
-bool pts_dh_group_probe(pts_dh_group_t *dh_groups);
+bool pts_dh_group_probe(pts_dh_group_t *dh_groups, bool mandatory_dh_groups);
 
 /**
  * Update supported Diffie-Hellman groups according to configuration
diff --git a/src/libpttls/Makefile.in b/src/libpttls/Makefile.in
index c827cb5..788c8ca 100644
--- a/src/libpttls/Makefile.in
+++ b/src/libpttls/Makefile.in
@@ -369,7 +369,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libpttls/pt_tls_client.c b/src/libpttls/pt_tls_client.c
index 01a84cd..315129d 100644
--- a/src/libpttls/pt_tls_client.c
+++ b/src/libpttls/pt_tls_client.c
@@ -84,7 +84,8 @@ static bool make_connection(private_pt_tls_client_t *this)
 		return FALSE;
 	}
 
-	this->tls = tls_socket_create(FALSE, this->server, this->client, fd, NULL);
+	this->tls = tls_socket_create(FALSE, this->server, this->client, fd,
+								  NULL, TLS_1_2, FALSE);
 	if (!this->tls)
 	{
 		close(fd);
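Review bot: The two new literal arguments `TLS_1_2, FALSE` in the tls_socket_create() call carry no explanation of what they select, and the same pair is passed verbatim in pt_tls_server.c; a comment at the call site such as `/* cap at TLS 1.2; no NULL-encryption cipher suites */` — assuming the trailing flag is the null-cipher permission its position suggests, which the tls_socket_create() declaration would confirm — or a named local for the flag would keep the security-relevant choice readable. If it is that flag, FALSE is the right default for PT-TLS, since the channel carries integrity-measurement data that should not travel in the clear. make_connection() begins outside the hunk.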
diff --git a/src/libpttls/pt_tls_server.c b/src/libpttls/pt_tls_server.c
index 9af00e7..cedc263 100644
--- a/src/libpttls/pt_tls_server.c
+++ b/src/libpttls/pt_tls_server.c
@@ -532,7 +532,7 @@ pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
 			.destroy = _destroy,
 		},
 		.state = PT_TLS_SERVER_VERSION,
-		.tls = tls_socket_create(TRUE, server, NULL, fd, NULL),
+		.tls = tls_socket_create(TRUE, server, NULL, fd, NULL, TLS_1_2, FALSE),
 		.tnccs = (tls_t*)tnccs,
 		.auth = auth,
 	);
diff --git a/src/libradius/Makefile.in b/src/libradius/Makefile.in
index d903de8..6e687a3 100644
--- a/src/libradius/Makefile.in
+++ b/src/libradius/Makefile.in
@@ -366,7 +366,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
index ee824ab..cb27f05 100644
--- a/src/libsimaka/Makefile.in
+++ b/src/libsimaka/Makefile.in
@@ -366,7 +366,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index 4409130..2b58db5 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -20,7 +20,7 @@ credentials/keys/public_key.c credentials/keys/shared_key.c \
 credentials/certificates/certificate.c credentials/certificates/crl.c \
 credentials/certificates/ocsp_response.c \
 credentials/containers/container.c credentials/containers/pkcs12.c \
-credentials/ietf_attributes/ietf_attributes.c credentials/credential_manager.c \
+credentials/credential_manager.c \
 credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
 credentials/sets/cert_cache.c credentials/sets/mem_cred.c \
 credentials/sets/callback_cred.c credentials/auth_cfg.c database/database.c \
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index b3a4eda..3462d2f 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -18,7 +18,7 @@ credentials/keys/public_key.c credentials/keys/shared_key.c \
 credentials/certificates/certificate.c credentials/certificates/crl.c \
 credentials/certificates/ocsp_response.c \
 credentials/containers/container.c credentials/containers/pkcs12.c \
-credentials/ietf_attributes/ietf_attributes.c credentials/credential_manager.c \
+credentials/credential_manager.c \
 credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
 credentials/sets/cert_cache.c credentials/sets/mem_cred.c \
 credentials/sets/callback_cred.c credentials/auth_cfg.c database/database.c \
@@ -61,7 +61,6 @@ credentials/certificates/ocsp_response.h \
 credentials/certificates/pgp_certificate.h \
 credentials/containers/container.h credentials/containers/pkcs7.h \
 credentials/containers/pkcs12.h \
-credentials/ietf_attributes/ietf_attributes.h \
 credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \
 credentials/sets/ocsp_response_wrapper.h credentials/sets/cert_cache.h \
 credentials/sets/mem_cred.h credentials/sets/callback_cred.h \
@@ -308,6 +307,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_ACERT
+  SUBDIRS += plugins/acert
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/acert/libstrongswan-acert.la
+endif
+endif
+
 if USE_PUBKEY
   SUBDIRS += plugins/pubkey
 if MONOLITHIC
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index 64396b5..af5ea40 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -128,60 +128,62 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_REVOCATION_TRUE at am__append_47 = plugins/revocation/libstrongswan-revocation.la
 @USE_CONSTRAINTS_TRUE at am__append_48 = plugins/constraints
 @MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE at am__append_49 = plugins/constraints/libstrongswan-constraints.la
- at USE_PUBKEY_TRUE@am__append_50 = plugins/pubkey
- at MONOLITHIC_TRUE@@USE_PUBKEY_TRUE at am__append_51 = plugins/pubkey/libstrongswan-pubkey.la
- at USE_PKCS1_TRUE@am__append_52 = plugins/pkcs1
- at MONOLITHIC_TRUE@@USE_PKCS1_TRUE at am__append_53 = plugins/pkcs1/libstrongswan-pkcs1.la
- at USE_PKCS7_TRUE@am__append_54 = plugins/pkcs7
- at MONOLITHIC_TRUE@@USE_PKCS7_TRUE at am__append_55 = plugins/pkcs7/libstrongswan-pkcs7.la
- at USE_PKCS8_TRUE@am__append_56 = plugins/pkcs8
- at MONOLITHIC_TRUE@@USE_PKCS8_TRUE at am__append_57 = plugins/pkcs8/libstrongswan-pkcs8.la
- at USE_PKCS12_TRUE@am__append_58 = plugins/pkcs12
- at MONOLITHIC_TRUE@@USE_PKCS12_TRUE at am__append_59 = plugins/pkcs12/libstrongswan-pkcs12.la
- at USE_PGP_TRUE@am__append_60 = plugins/pgp
- at MONOLITHIC_TRUE@@USE_PGP_TRUE at am__append_61 = plugins/pgp/libstrongswan-pgp.la
- at USE_DNSKEY_TRUE@am__append_62 = plugins/dnskey
- at MONOLITHIC_TRUE@@USE_DNSKEY_TRUE at am__append_63 = plugins/dnskey/libstrongswan-dnskey.la
- at USE_SSHKEY_TRUE@am__append_64 = plugins/sshkey
- at MONOLITHIC_TRUE@@USE_SSHKEY_TRUE at am__append_65 = plugins/sshkey/libstrongswan-sshkey.la
- at USE_PEM_TRUE@am__append_66 = plugins/pem
- at MONOLITHIC_TRUE@@USE_PEM_TRUE at am__append_67 = plugins/pem/libstrongswan-pem.la
- at USE_CURL_TRUE@am__append_68 = plugins/curl
- at MONOLITHIC_TRUE@@USE_CURL_TRUE at am__append_69 = plugins/curl/libstrongswan-curl.la
- at USE_UNBOUND_TRUE@am__append_70 = plugins/unbound
- at MONOLITHIC_TRUE@@USE_UNBOUND_TRUE at am__append_71 = plugins/unbound/libstrongswan-unbound.la
- at USE_SOUP_TRUE@am__append_72 = plugins/soup
- at MONOLITHIC_TRUE@@USE_SOUP_TRUE at am__append_73 = plugins/soup/libstrongswan-soup.la
- at USE_LDAP_TRUE@am__append_74 = plugins/ldap
- at MONOLITHIC_TRUE@@USE_LDAP_TRUE at am__append_75 = plugins/ldap/libstrongswan-ldap.la
- at USE_MYSQL_TRUE@am__append_76 = plugins/mysql
- at MONOLITHIC_TRUE@@USE_MYSQL_TRUE at am__append_77 = plugins/mysql/libstrongswan-mysql.la
- at USE_SQLITE_TRUE@am__append_78 = plugins/sqlite
- at MONOLITHIC_TRUE@@USE_SQLITE_TRUE at am__append_79 = plugins/sqlite/libstrongswan-sqlite.la
- at USE_PADLOCK_TRUE@am__append_80 = plugins/padlock
- at MONOLITHIC_TRUE@@USE_PADLOCK_TRUE at am__append_81 = plugins/padlock/libstrongswan-padlock.la
- at USE_OPENSSL_TRUE@am__append_82 = plugins/openssl
- at MONOLITHIC_TRUE@@USE_OPENSSL_TRUE at am__append_83 = plugins/openssl/libstrongswan-openssl.la
- at USE_GCRYPT_TRUE@am__append_84 = plugins/gcrypt
- at MONOLITHIC_TRUE@@USE_GCRYPT_TRUE at am__append_85 = plugins/gcrypt/libstrongswan-gcrypt.la
- at USE_FIPS_PRF_TRUE@am__append_86 = plugins/fips_prf
- at MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE at am__append_87 = plugins/fips_prf/libstrongswan-fips-prf.la
- at USE_AGENT_TRUE@am__append_88 = plugins/agent
- at MONOLITHIC_TRUE@@USE_AGENT_TRUE at am__append_89 = plugins/agent/libstrongswan-agent.la
- at USE_KEYCHAIN_TRUE@am__append_90 = plugins/keychain
- at MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE at am__append_91 = plugins/keychain/libstrongswan-keychain.la
- at USE_PKCS11_TRUE@am__append_92 = plugins/pkcs11
- at MONOLITHIC_TRUE@@USE_PKCS11_TRUE at am__append_93 = plugins/pkcs11/libstrongswan-pkcs11.la
- at USE_CTR_TRUE@am__append_94 = plugins/ctr
- at MONOLITHIC_TRUE@@USE_CTR_TRUE at am__append_95 = plugins/ctr/libstrongswan-ctr.la
- at USE_CCM_TRUE@am__append_96 = plugins/ccm
- at MONOLITHIC_TRUE@@USE_CCM_TRUE at am__append_97 = plugins/ccm/libstrongswan-ccm.la
- at USE_GCM_TRUE@am__append_98 = plugins/gcm
- at MONOLITHIC_TRUE@@USE_GCM_TRUE at am__append_99 = plugins/gcm/libstrongswan-gcm.la
- at USE_NTRU_TRUE@am__append_100 = plugins/ntru
- at MONOLITHIC_TRUE@@USE_NTRU_TRUE at am__append_101 = plugins/ntru/libstrongswan-ntru.la
- at USE_TEST_VECTORS_TRUE@am__append_102 = plugins/test_vectors
- at MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE at am__append_103 = plugins/test_vectors/libstrongswan-test-vectors.la
+ at USE_ACERT_TRUE@am__append_50 = plugins/acert
+ at MONOLITHIC_TRUE@@USE_ACERT_TRUE at am__append_51 = plugins/acert/libstrongswan-acert.la
+ at USE_PUBKEY_TRUE@am__append_52 = plugins/pubkey
+ at MONOLITHIC_TRUE@@USE_PUBKEY_TRUE at am__append_53 = plugins/pubkey/libstrongswan-pubkey.la
+ at USE_PKCS1_TRUE@am__append_54 = plugins/pkcs1
+ at MONOLITHIC_TRUE@@USE_PKCS1_TRUE at am__append_55 = plugins/pkcs1/libstrongswan-pkcs1.la
+ at USE_PKCS7_TRUE@am__append_56 = plugins/pkcs7
+ at MONOLITHIC_TRUE@@USE_PKCS7_TRUE at am__append_57 = plugins/pkcs7/libstrongswan-pkcs7.la
+ at USE_PKCS8_TRUE@am__append_58 = plugins/pkcs8
+ at MONOLITHIC_TRUE@@USE_PKCS8_TRUE at am__append_59 = plugins/pkcs8/libstrongswan-pkcs8.la
+ at USE_PKCS12_TRUE@am__append_60 = plugins/pkcs12
+ at MONOLITHIC_TRUE@@USE_PKCS12_TRUE at am__append_61 = plugins/pkcs12/libstrongswan-pkcs12.la
+ at USE_PGP_TRUE@am__append_62 = plugins/pgp
+ at MONOLITHIC_TRUE@@USE_PGP_TRUE at am__append_63 = plugins/pgp/libstrongswan-pgp.la
+ at USE_DNSKEY_TRUE@am__append_64 = plugins/dnskey
+ at MONOLITHIC_TRUE@@USE_DNSKEY_TRUE at am__append_65 = plugins/dnskey/libstrongswan-dnskey.la
+ at USE_SSHKEY_TRUE@am__append_66 = plugins/sshkey
+ at MONOLITHIC_TRUE@@USE_SSHKEY_TRUE at am__append_67 = plugins/sshkey/libstrongswan-sshkey.la
+ at USE_PEM_TRUE@am__append_68 = plugins/pem
+ at MONOLITHIC_TRUE@@USE_PEM_TRUE at am__append_69 = plugins/pem/libstrongswan-pem.la
+ at USE_CURL_TRUE@am__append_70 = plugins/curl
+ at MONOLITHIC_TRUE@@USE_CURL_TRUE at am__append_71 = plugins/curl/libstrongswan-curl.la
+ at USE_UNBOUND_TRUE@am__append_72 = plugins/unbound
+ at MONOLITHIC_TRUE@@USE_UNBOUND_TRUE at am__append_73 = plugins/unbound/libstrongswan-unbound.la
+ at USE_SOUP_TRUE@am__append_74 = plugins/soup
+ at MONOLITHIC_TRUE@@USE_SOUP_TRUE at am__append_75 = plugins/soup/libstrongswan-soup.la
+ at USE_LDAP_TRUE@am__append_76 = plugins/ldap
+ at MONOLITHIC_TRUE@@USE_LDAP_TRUE at am__append_77 = plugins/ldap/libstrongswan-ldap.la
+ at USE_MYSQL_TRUE@am__append_78 = plugins/mysql
+ at MONOLITHIC_TRUE@@USE_MYSQL_TRUE at am__append_79 = plugins/mysql/libstrongswan-mysql.la
+ at USE_SQLITE_TRUE@am__append_80 = plugins/sqlite
+ at MONOLITHIC_TRUE@@USE_SQLITE_TRUE at am__append_81 = plugins/sqlite/libstrongswan-sqlite.la
+ at USE_PADLOCK_TRUE@am__append_82 = plugins/padlock
+ at MONOLITHIC_TRUE@@USE_PADLOCK_TRUE at am__append_83 = plugins/padlock/libstrongswan-padlock.la
+ at USE_OPENSSL_TRUE@am__append_84 = plugins/openssl
+ at MONOLITHIC_TRUE@@USE_OPENSSL_TRUE at am__append_85 = plugins/openssl/libstrongswan-openssl.la
+ at USE_GCRYPT_TRUE@am__append_86 = plugins/gcrypt
+ at MONOLITHIC_TRUE@@USE_GCRYPT_TRUE at am__append_87 = plugins/gcrypt/libstrongswan-gcrypt.la
+ at USE_FIPS_PRF_TRUE@am__append_88 = plugins/fips_prf
+ at MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE at am__append_89 = plugins/fips_prf/libstrongswan-fips-prf.la
+ at USE_AGENT_TRUE@am__append_90 = plugins/agent
+ at MONOLITHIC_TRUE@@USE_AGENT_TRUE at am__append_91 = plugins/agent/libstrongswan-agent.la
+ at USE_KEYCHAIN_TRUE@am__append_92 = plugins/keychain
+ at MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE at am__append_93 = plugins/keychain/libstrongswan-keychain.la
+ at USE_PKCS11_TRUE@am__append_94 = plugins/pkcs11
+ at MONOLITHIC_TRUE@@USE_PKCS11_TRUE at am__append_95 = plugins/pkcs11/libstrongswan-pkcs11.la
+ at USE_CTR_TRUE@am__append_96 = plugins/ctr
+ at MONOLITHIC_TRUE@@USE_CTR_TRUE at am__append_97 = plugins/ctr/libstrongswan-ctr.la
+ at USE_CCM_TRUE@am__append_98 = plugins/ccm
+ at MONOLITHIC_TRUE@@USE_CCM_TRUE at am__append_99 = plugins/ccm/libstrongswan-ccm.la
+ at USE_GCM_TRUE@am__append_100 = plugins/gcm
+ at MONOLITHIC_TRUE@@USE_GCM_TRUE at am__append_101 = plugins/gcm/libstrongswan-gcm.la
+ at USE_NTRU_TRUE@am__append_102 = plugins/ntru
+ at MONOLITHIC_TRUE@@USE_NTRU_TRUE at am__append_103 = plugins/ntru/libstrongswan-ntru.la
+ at USE_TEST_VECTORS_TRUE@am__append_104 = plugins/test_vectors
+ at MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE at am__append_105 = plugins/test_vectors/libstrongswan-test-vectors.la
 subdir = src/libstrongswan
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp \
@@ -254,7 +256,7 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__append_83) $(am__append_85) $(am__append_87) \
 	$(am__append_89) $(am__append_91) $(am__append_93) \
 	$(am__append_95) $(am__append_97) $(am__append_99) \
-	$(am__append_101) $(am__append_103)
+	$(am__append_101) $(am__append_103) $(am__append_105)
 am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
 	asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c \
 	bio/bio_writer.c collections/blocking_queue.c \
@@ -277,7 +279,6 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
 	credentials/certificates/ocsp_response.c \
 	credentials/containers/container.c \
 	credentials/containers/pkcs12.c \
-	credentials/ietf_attributes/ietf_attributes.c \
 	credentials/credential_manager.c \
 	credentials/sets/auth_cfg_wrapper.c \
 	credentials/sets/ocsp_response_wrapper.c \
@@ -332,7 +333,6 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \
 	credentials/certificates/ocsp_response.lo \
 	credentials/containers/container.lo \
 	credentials/containers/pkcs12.lo \
-	credentials/ietf_attributes/ietf_attributes.lo \
 	credentials/credential_manager.lo \
 	credentials/sets/auth_cfg_wrapper.lo \
 	credentials/sets/ocsp_response_wrapper.lo \
@@ -438,7 +438,6 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
 	credentials/certificates/pgp_certificate.h \
 	credentials/containers/container.h \
 	credentials/containers/pkcs7.h credentials/containers/pkcs12.h \
-	credentials/ietf_attributes/ietf_attributes.h \
 	credentials/credential_manager.h \
 	credentials/sets/auth_cfg_wrapper.h \
 	credentials/sets/ocsp_response_wrapper.h \
@@ -502,11 +501,11 @@ DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \
 	plugins/sha1 plugins/sha2 plugins/gmp plugins/rdrand \
 	plugins/random plugins/nonce plugins/hmac plugins/cmac \
 	plugins/xcbc plugins/x509 plugins/revocation \
-	plugins/constraints plugins/pubkey plugins/pkcs1 plugins/pkcs7 \
-	plugins/pkcs8 plugins/pkcs12 plugins/pgp plugins/dnskey \
-	plugins/sshkey plugins/pem plugins/curl plugins/unbound \
-	plugins/soup plugins/ldap plugins/mysql plugins/sqlite \
-	plugins/padlock plugins/openssl plugins/gcrypt \
+	plugins/constraints plugins/acert plugins/pubkey plugins/pkcs1 \
+	plugins/pkcs7 plugins/pkcs8 plugins/pkcs12 plugins/pgp \
+	plugins/dnskey plugins/sshkey plugins/pem plugins/curl \
+	plugins/unbound plugins/soup plugins/ldap plugins/mysql \
+	plugins/sqlite plugins/padlock plugins/openssl plugins/gcrypt \
 	plugins/fips_prf plugins/agent plugins/keychain plugins/pkcs11 \
 	plugins/ctr plugins/ccm plugins/gcm plugins/ntru \
 	plugins/test_vectors tests
@@ -705,7 +704,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -767,7 +765,6 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
 	credentials/certificates/ocsp_response.c \
 	credentials/containers/container.c \
 	credentials/containers/pkcs12.c \
-	credentials/ietf_attributes/ietf_attributes.c \
 	credentials/credential_manager.c \
 	credentials/sets/auth_cfg_wrapper.c \
 	credentials/sets/ocsp_response_wrapper.c \
@@ -816,7 +813,6 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
 @USE_DEV_HEADERS_TRUE at credentials/certificates/pgp_certificate.h \
 @USE_DEV_HEADERS_TRUE at credentials/containers/container.h credentials/containers/pkcs7.h \
 @USE_DEV_HEADERS_TRUE at credentials/containers/pkcs12.h \
- at USE_DEV_HEADERS_TRUE@credentials/ietf_attributes/ietf_attributes.h \
 @USE_DEV_HEADERS_TRUE at credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \
 @USE_DEV_HEADERS_TRUE at credentials/sets/ocsp_response_wrapper.h credentials/sets/cert_cache.h \
 @USE_DEV_HEADERS_TRUE at credentials/sets/mem_cred.h credentials/sets/callback_cred.h \
@@ -858,7 +854,8 @@ libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \
 	$(am__append_81) $(am__append_83) $(am__append_85) \
 	$(am__append_87) $(am__append_89) $(am__append_91) \
 	$(am__append_93) $(am__append_95) $(am__append_97) \
-	$(am__append_99) $(am__append_101) $(am__append_103)
+	$(am__append_99) $(am__append_101) $(am__append_103) \
+	$(am__append_105)
 AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \
 	-DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_LIB_DIR=\"${ipseclibdir}\" \
 	-DPLUGINDIR=\"${plugindir}\" \
@@ -905,7 +902,8 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
 @MONOLITHIC_FALSE@	$(am__append_88) $(am__append_90) \
 @MONOLITHIC_FALSE@	$(am__append_92) $(am__append_94) \
 @MONOLITHIC_FALSE@	$(am__append_96) $(am__append_98) \
- at MONOLITHIC_FALSE@	$(am__append_100) $(am__append_102) tests
+ at MONOLITHIC_FALSE@	$(am__append_100) $(am__append_102) \
+ at MONOLITHIC_FALSE@	$(am__append_104) tests
 
 # build plugins with their own Makefile
 #######################################
@@ -931,7 +929,8 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
 @MONOLITHIC_TRUE@	$(am__append_88) $(am__append_90) \
 @MONOLITHIC_TRUE@	$(am__append_92) $(am__append_94) \
 @MONOLITHIC_TRUE@	$(am__append_96) $(am__append_98) \
- at MONOLITHIC_TRUE@	$(am__append_100) $(am__append_102) . tests
+ at MONOLITHIC_TRUE@	$(am__append_100) $(am__append_102) \
+ at MONOLITHIC_TRUE@	$(am__append_104) . tests
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
@@ -1172,15 +1171,6 @@ credentials/containers/container.lo:  \
 credentials/containers/pkcs12.lo:  \
 	credentials/containers/$(am__dirstamp) \
 	credentials/containers/$(DEPDIR)/$(am__dirstamp)
-credentials/ietf_attributes/$(am__dirstamp):
-	@$(MKDIR_P) credentials/ietf_attributes
-	@: > credentials/ietf_attributes/$(am__dirstamp)
-credentials/ietf_attributes/$(DEPDIR)/$(am__dirstamp):
-	@$(MKDIR_P) credentials/ietf_attributes/$(DEPDIR)
-	@: > credentials/ietf_attributes/$(DEPDIR)/$(am__dirstamp)
-credentials/ietf_attributes/ietf_attributes.lo:  \
-	credentials/ietf_attributes/$(am__dirstamp) \
-	credentials/ietf_attributes/$(DEPDIR)/$(am__dirstamp)
 credentials/credential_manager.lo: credentials/$(am__dirstamp) \
 	credentials/$(DEPDIR)/$(am__dirstamp)
 credentials/sets/$(am__dirstamp):
@@ -1409,8 +1399,6 @@ mostlyclean-compile:
 	-rm -f credentials/certificates/*.lo
 	-rm -f credentials/containers/*.$(OBJEXT)
 	-rm -f credentials/containers/*.lo
-	-rm -f credentials/ietf_attributes/*.$(OBJEXT)
-	-rm -f credentials/ietf_attributes/*.lo
 	-rm -f credentials/keys/*.$(OBJEXT)
 	-rm -f credentials/keys/*.lo
 	-rm -f credentials/sets/*.$(OBJEXT)
@@ -1488,7 +1476,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote at credentials/certificates/$(DEPDIR)/ocsp_response.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at credentials/containers/$(DEPDIR)/container.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at credentials/containers/$(DEPDIR)/pkcs12.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at credentials/ietf_attributes/$(DEPDIR)/ietf_attributes.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at credentials/keys/$(DEPDIR)/private_key.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at credentials/keys/$(DEPDIR)/public_key.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at credentials/keys/$(DEPDIR)/shared_key.Plo at am__quote@
@@ -1598,7 +1585,6 @@ clean-libtool:
 	-rm -rf credentials/.libs credentials/_libs
 	-rm -rf credentials/certificates/.libs credentials/certificates/_libs
 	-rm -rf credentials/containers/.libs credentials/containers/_libs
-	-rm -rf credentials/ietf_attributes/.libs credentials/ietf_attributes/_libs
 	-rm -rf credentials/keys/.libs credentials/keys/_libs
 	-rm -rf credentials/sets/.libs credentials/sets/_libs
 	-rm -rf crypto/.libs crypto/_libs
@@ -1852,8 +1838,6 @@ distclean-generic:
 	-rm -f credentials/certificates/$(am__dirstamp)
 	-rm -f credentials/containers/$(DEPDIR)/$(am__dirstamp)
 	-rm -f credentials/containers/$(am__dirstamp)
-	-rm -f credentials/ietf_attributes/$(DEPDIR)/$(am__dirstamp)
-	-rm -f credentials/ietf_attributes/$(am__dirstamp)
 	-rm -f credentials/keys/$(DEPDIR)/$(am__dirstamp)
 	-rm -f credentials/keys/$(am__dirstamp)
 	-rm -f credentials/sets/$(DEPDIR)/$(am__dirstamp)
@@ -1918,7 +1902,7 @@ clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
 	mostlyclean-am
 
 distclean: distclean-recursive
-	-rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/ietf_attributes/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipse [...]
+	-rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) netwo [...]
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
@@ -1965,7 +1949,7 @@ install-ps-am:
 installcheck-am:
 
 maintainer-clean: maintainer-clean-recursive
-	-rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/ietf_attributes/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipse [...]
+	-rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) netwo [...]
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index 6fa8f4e..b479b0f 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -199,243 +199,268 @@ const oid_t oid_names[] = {
  {              0x02,         187, 0,  7, "ecdsa-with-SHA256"              }, /* 186 */
  {              0x03,         188, 0,  7, "ecdsa-with-SHA384"              }, /* 187 */
  {              0x04,           0, 0,  7, "ecdsa-with-SHA512"              }, /* 188 */
- {0x2B,                       372, 1,  0, ""                               }, /* 189 */
- {  0x06,                     286, 1,  1, "dod"                            }, /* 190 */
+ {0x2B,                       391, 1,  0, ""                               }, /* 189 */
+ {  0x06,                     305, 1,  1, "dod"                            }, /* 190 */
  {    0x01,                     0, 1,  2, "internet"                       }, /* 191 */
- {      0x04,                 237, 1,  3, "private"                        }, /* 192 */
+ {      0x04,                 256, 1,  3, "private"                        }, /* 192 */
  {        0x01,                 0, 1,  4, "enterprise"                     }, /* 193 */
- {          0x82,             207, 1,  5, ""                               }, /* 194 */
- {            0x37,           204, 1,  6, "Microsoft"                      }, /* 195 */
+ {          0x82,             210, 1,  5, ""                               }, /* 194 */
+ {            0x37,           207, 1,  6, "Microsoft"                      }, /* 195 */
  {              0x0A,         200, 1,  7, ""                               }, /* 196 */
  {                0x03,         0, 1,  8, ""                               }, /* 197 */
  {                  0x03,     199, 0,  9, "msSGC"                          }, /* 198 */
  {                  0x04,       0, 0,  9, "msEncryptingFileSystem"         }, /* 199 */
- {              0x14,           0, 1,  7, "msEnrollmentInfrastructure"     }, /* 200 */
+ {              0x14,         204, 1,  7, "msEnrollmentInfrastructure"     }, /* 200 */
  {                0x02,         0, 1,  8, "msCertificateTypeExtension"     }, /* 201 */
  {                  0x02,     203, 0,  9, "msSmartcardLogon"               }, /* 202 */
  {                  0x03,       0, 0,  9, "msUPN"                          }, /* 203 */
- {            0xA0,             0, 1,  6, ""                               }, /* 204 */
- {              0x2A,           0, 1,  7, "ITA"                            }, /* 205 */
- {                0x01,         0, 0,  8, "strongSwan"                     }, /* 206 */
- {          0x89,             214, 1,  5, ""                               }, /* 207 */
- {            0x31,             0, 1,  6, ""                               }, /* 208 */
- {              0x01,           0, 1,  7, ""                               }, /* 209 */
- {                0x01,         0, 1,  8, ""                               }, /* 210 */
- {                  0x02,       0, 1,  9, ""                               }, /* 211 */
- {                    0x02,     0, 1, 10, ""                               }, /* 212 */
- {                      0x4B,   0, 0, 11, "TCGID"                          }, /* 213 */
- {          0xc1,               0, 1,  5, ""                               }, /* 214 */
- {            0x16,             0, 1,  6, "ntruCryptosystems"              }, /* 215 */
- {              0x01,           0, 1,  7, "eess"                           }, /* 216 */
- {                0x01,         0, 1,  8, "eess1"                          }, /* 217 */
- {                  0x01,     222, 1,  9, "eess1-algs"                     }, /* 218 */
- {                    0x01,   220, 0, 10, "ntru-EESS1v1-SVES"              }, /* 219 */
- {                    0x02,   221, 0, 10, "ntru-EESS1v1-SVSSA"             }, /* 220 */
- {                    0x03,     0, 0, 10, "ntru-EESS1v1-NTRUSign"          }, /* 221 */
- {                  0x02,     236, 1,  9, "eess1-params"                   }, /* 222 */
- {                    0x01,   224, 0, 10, "ees251ep1"                      }, /* 223 */
- {                    0x02,   225, 0, 10, "ees347ep1"                      }, /* 224 */
- {                    0x03,   226, 0, 10, "ees503ep1"                      }, /* 225 */
- {                    0x07,   227, 0, 10, "ees251sp2"                      }, /* 226 */
- {                    0x0C,   228, 0, 10, "ees251ep4"                      }, /* 227 */
- {                    0x0D,   229, 0, 10, "ees251ep5"                      }, /* 228 */
- {                    0x0E,   230, 0, 10, "ees251sp3"                      }, /* 229 */
- {                    0x0F,   231, 0, 10, "ees251sp4"                      }, /* 230 */
- {                    0x10,   232, 0, 10, "ees251sp5"                      }, /* 231 */
- {                    0x11,   233, 0, 10, "ees251sp6"                      }, /* 232 */
- {                    0x12,   234, 0, 10, "ees251sp7"                      }, /* 233 */
- {                    0x13,   235, 0, 10, "ees251sp8"                      }, /* 234 */
- {                    0x14,     0, 0, 10, "ees251sp9"                      }, /* 235 */
- {                  0x03,       0, 0,  9, "eess1-encodingMethods"          }, /* 236 */
- {      0x05,                   0, 1,  3, "security"                       }, /* 237 */
- {        0x05,                 0, 1,  4, "mechanisms"                     }, /* 238 */
- {          0x07,             283, 1,  5, "id-pkix"                        }, /* 239 */
- {            0x01,           244, 1,  6, "id-pe"                          }, /* 240 */
- {              0x01,         242, 0,  7, "authorityInfoAccess"            }, /* 241 */
- {              0x03,         243, 0,  7, "qcStatements"                   }, /* 242 */
- {              0x07,           0, 0,  7, "ipAddrBlocks"                   }, /* 243 */
- {            0x02,           247, 1,  6, "id-qt"                          }, /* 244 */
- {              0x01,         246, 0,  7, "cps"                            }, /* 245 */
- {              0x02,           0, 0,  7, "unotice"                        }, /* 246 */
- {            0x03,           257, 1,  6, "id-kp"                          }, /* 247 */
- {              0x01,         249, 0,  7, "serverAuth"                     }, /* 248 */
- {              0x02,         250, 0,  7, "clientAuth"                     }, /* 249 */
- {              0x03,         251, 0,  7, "codeSigning"                    }, /* 250 */
- {              0x04,         252, 0,  7, "emailProtection"                }, /* 251 */
- {              0x05,         253, 0,  7, "ipsecEndSystem"                 }, /* 252 */
- {              0x06,         254, 0,  7, "ipsecTunnel"                    }, /* 253 */
- {              0x07,         255, 0,  7, "ipsecUser"                      }, /* 254 */
- {              0x08,         256, 0,  7, "timeStamping"                   }, /* 255 */
- {              0x09,           0, 0,  7, "ocspSigning"                    }, /* 256 */
- {            0x08,           265, 1,  6, "id-otherNames"                  }, /* 257 */
- {              0x01,         259, 0,  7, "personalData"                   }, /* 258 */
- {              0x02,         260, 0,  7, "userGroup"                      }, /* 259 */
- {              0x03,         261, 0,  7, "id-on-permanentIdentifier"      }, /* 260 */
- {              0x04,         262, 0,  7, "id-on-hardwareModuleName"       }, /* 261 */
- {              0x05,         263, 0,  7, "xmppAddr"                       }, /* 262 */
- {              0x06,         264, 0,  7, "id-on-SIM"                      }, /* 263 */
- {              0x07,           0, 0,  7, "id-on-dnsSRV"                   }, /* 264 */
- {            0x0A,           270, 1,  6, "id-aca"                         }, /* 265 */
- {              0x01,         267, 0,  7, "authenticationInfo"             }, /* 266 */
- {              0x02,         268, 0,  7, "accessIdentity"                 }, /* 267 */
- {              0x03,         269, 0,  7, "chargingIdentity"               }, /* 268 */
- {              0x04,           0, 0,  7, "group"                          }, /* 269 */
- {            0x0B,           271, 0,  6, "subjectInfoAccess"              }, /* 270 */
- {            0x30,             0, 1,  6, "id-ad"                          }, /* 271 */
- {              0x01,         280, 1,  7, "ocsp"                           }, /* 272 */
- {                0x01,       274, 0,  8, "basic"                          }, /* 273 */
- {                0x02,       275, 0,  8, "nonce"                          }, /* 274 */
- {                0x03,       276, 0,  8, "crl"                            }, /* 275 */
- {                0x04,       277, 0,  8, "response"                       }, /* 276 */
- {                0x05,       278, 0,  8, "noCheck"                        }, /* 277 */
- {                0x06,       279, 0,  8, "archiveCutoff"                  }, /* 278 */
- {                0x07,         0, 0,  8, "serviceLocator"                 }, /* 279 */
- {              0x02,         281, 0,  7, "caIssuers"                      }, /* 280 */
- {              0x03,         282, 0,  7, "timeStamping"                   }, /* 281 */
- {              0x05,           0, 0,  7, "caRepository"                   }, /* 282 */
- {          0x08,               0, 1,  5, "ipsec"                          }, /* 283 */
- {            0x02,             0, 1,  6, "certificate"                    }, /* 284 */
- {              0x02,           0, 0,  7, "iKEIntermediate"                }, /* 285 */
- {  0x0E,                     292, 1,  1, "oiw"                            }, /* 286 */
- {    0x03,                     0, 1,  2, "secsig"                         }, /* 287 */
- {      0x02,                   0, 1,  3, "algorithms"                     }, /* 288 */
- {        0x07,               290, 0,  4, "des-cbc"                        }, /* 289 */
- {        0x1A,               291, 0,  4, "sha-1"                          }, /* 290 */
- {        0x1D,                 0, 0,  4, "sha-1WithRSASignature"          }, /* 291 */
- {  0x24,                     338, 1,  1, "TeleTrusT"                      }, /* 292 */
- {    0x03,                     0, 1,  2, "algorithm"                      }, /* 293 */
- {      0x03,                   0, 1,  3, "signatureAlgorithm"             }, /* 294 */
- {        0x01,               299, 1,  4, "rsaSignature"                   }, /* 295 */
- {          0x02,             297, 0,  5, "rsaSigWithripemd160"            }, /* 296 */
- {          0x03,             298, 0,  5, "rsaSigWithripemd128"            }, /* 297 */
- {          0x04,               0, 0,  5, "rsaSigWithripemd256"            }, /* 298 */
- {        0x02,                 0, 1,  4, "ecSign"                         }, /* 299 */
- {          0x01,             301, 0,  5, "ecSignWithsha1"                 }, /* 300 */
- {          0x02,             302, 0,  5, "ecSignWithripemd160"            }, /* 301 */
- {          0x03,             303, 0,  5, "ecSignWithmd2"                  }, /* 302 */
- {          0x04,             304, 0,  5, "ecSignWithmd5"                  }, /* 303 */
- {          0x05,             321, 1,  5, "ttt-ecg"                        }, /* 304 */
- {            0x01,           309, 1,  6, "fieldType"                      }, /* 305 */
- {              0x01,           0, 1,  7, "characteristictwoField"         }, /* 306 */
- {                0x01,         0, 1,  8, "basisType"                      }, /* 307 */
- {                  0x01,       0, 0,  9, "ipBasis"                        }, /* 308 */
- {            0x02,           311, 1,  6, "keyType"                        }, /* 309 */
- {              0x01,           0, 0,  7, "ecgPublicKey"                   }, /* 310 */
- {            0x03,           312, 0,  6, "curve"                          }, /* 311 */
- {            0x04,           319, 1,  6, "signatures"                     }, /* 312 */
- {              0x01,         314, 0,  7, "ecgdsa-with-RIPEMD160"          }, /* 313 */
- {              0x02,         315, 0,  7, "ecgdsa-with-SHA1"               }, /* 314 */
- {              0x03,         316, 0,  7, "ecgdsa-with-SHA224"             }, /* 315 */
- {              0x04,         317, 0,  7, "ecgdsa-with-SHA256"             }, /* 316 */
- {              0x05,         318, 0,  7, "ecgdsa-with-SHA384"             }, /* 317 */
- {              0x06,           0, 0,  7, "ecgdsa-with-SHA512"             }, /* 318 */
- {            0x05,             0, 1,  6, "module"                         }, /* 319 */
- {              0x01,           0, 0,  7, "1"                              }, /* 320 */
- {          0x08,               0, 1,  5, "ecStdCurvesAndGeneration"       }, /* 321 */
- {            0x01,             0, 1,  6, "ellipticCurve"                  }, /* 322 */
- {              0x01,           0, 1,  7, "versionOne"                     }, /* 323 */
- {                0x01,       325, 0,  8, "brainpoolP160r1"                }, /* 324 */
- {                0x02,       326, 0,  8, "brainpoolP160t1"                }, /* 325 */
- {                0x03,       327, 0,  8, "brainpoolP192r1"                }, /* 326 */
- {                0x04,       328, 0,  8, "brainpoolP192t1"                }, /* 327 */
- {                0x05,       329, 0,  8, "brainpoolP224r1"                }, /* 328 */
- {                0x06,       330, 0,  8, "brainpoolP224t1"                }, /* 329 */
- {                0x07,       331, 0,  8, "brainpoolP256r1"                }, /* 330 */
- {                0x08,       332, 0,  8, "brainpoolP256t1"                }, /* 331 */
- {                0x09,       333, 0,  8, "brainpoolP320r1"                }, /* 332 */
- {                0x0A,       334, 0,  8, "brainpoolP320t1"                }, /* 333 */
- {                0x0B,       335, 0,  8, "brainpoolP384r1"                }, /* 334 */
- {                0x0C,       336, 0,  8, "brainpoolP384t1"                }, /* 335 */
- {                0x0D,       337, 0,  8, "brainpoolP512r1"                }, /* 336 */
- {                0x0E,         0, 0,  8, "brainpoolP512t1"                }, /* 337 */
- {  0x81,                       0, 1,  1, ""                               }, /* 338 */
- {    0x04,                     0, 1,  2, "Certicom"                       }, /* 339 */
- {      0x00,                   0, 1,  3, "curve"                          }, /* 340 */
- {        0x01,               342, 0,  4, "sect163k1"                      }, /* 341 */
- {        0x02,               343, 0,  4, "sect163r1"                      }, /* 342 */
- {        0x03,               344, 0,  4, "sect239k1"                      }, /* 343 */
- {        0x04,               345, 0,  4, "sect113r1"                      }, /* 344 */
- {        0x05,               346, 0,  4, "sect113r2"                      }, /* 345 */
- {        0x06,               347, 0,  4, "secp112r1"                      }, /* 346 */
- {        0x07,               348, 0,  4, "secp112r2"                      }, /* 347 */
- {        0x08,               349, 0,  4, "secp160r1"                      }, /* 348 */
- {        0x09,               350, 0,  4, "secp160k1"                      }, /* 349 */
- {        0x0A,               351, 0,  4, "secp256k1"                      }, /* 350 */
- {        0x0F,               352, 0,  4, "sect163r2"                      }, /* 351 */
- {        0x10,               353, 0,  4, "sect283k1"                      }, /* 352 */
- {        0x11,               354, 0,  4, "sect283r1"                      }, /* 353 */
- {        0x16,               355, 0,  4, "sect131r1"                      }, /* 354 */
- {        0x17,               356, 0,  4, "sect131r2"                      }, /* 355 */
- {        0x18,               357, 0,  4, "sect193r1"                      }, /* 356 */
- {        0x19,               358, 0,  4, "sect193r2"                      }, /* 357 */
- {        0x1A,               359, 0,  4, "sect233k1"                      }, /* 358 */
- {        0x1B,               360, 0,  4, "sect233r1"                      }, /* 359 */
- {        0x1C,               361, 0,  4, "secp128r1"                      }, /* 360 */
- {        0x1D,               362, 0,  4, "secp128r2"                      }, /* 361 */
- {        0x1E,               363, 0,  4, "secp160r2"                      }, /* 362 */
- {        0x1F,               364, 0,  4, "secp192k1"                      }, /* 363 */
- {        0x20,               365, 0,  4, "secp224k1"                      }, /* 364 */
- {        0x21,               366, 0,  4, "secp224r1"                      }, /* 365 */
- {        0x22,               367, 0,  4, "secp384r1"                      }, /* 366 */
- {        0x23,               368, 0,  4, "secp521r1"                      }, /* 367 */
- {        0x24,               369, 0,  4, "sect409k1"                      }, /* 368 */
- {        0x25,               370, 0,  4, "sect409r1"                      }, /* 369 */
- {        0x26,               371, 0,  4, "sect571k1"                      }, /* 370 */
- {        0x27,                 0, 0,  4, "sect571r1"                      }, /* 371 */
- {0x60,                       420, 1,  0, ""                               }, /* 372 */
- {  0x86,                       0, 1,  1, ""                               }, /* 373 */
- {    0x48,                     0, 1,  2, ""                               }, /* 374 */
- {      0x01,                   0, 1,  3, "organization"                   }, /* 375 */
- {        0x65,               396, 1,  4, "gov"                            }, /* 376 */
- {          0x03,               0, 1,  5, "csor"                           }, /* 377 */
- {            0x04,             0, 1,  6, "nistalgorithm"                  }, /* 378 */
- {              0x01,         389, 1,  7, "aes"                            }, /* 379 */
- {                0x02,       381, 0,  8, "id-aes128-CBC"                  }, /* 380 */
- {                0x06,       382, 0,  8, "id-aes128-GCM"                  }, /* 381 */
- {                0x07,       383, 0,  8, "id-aes128-CCM"                  }, /* 382 */
- {                0x16,       384, 0,  8, "id-aes192-CBC"                  }, /* 383 */
- {                0x1A,       385, 0,  8, "id-aes192-GCM"                  }, /* 384 */
- {                0x1B,       386, 0,  8, "id-aes192-CCM"                  }, /* 385 */
- {                0x2A,       387, 0,  8, "id-aes256-CBC"                  }, /* 386 */
- {                0x2E,       388, 0,  8, "id-aes256-GCM"                  }, /* 387 */
- {                0x2F,         0, 0,  8, "id-aes256-CCM"                  }, /* 388 */
- {              0x02,           0, 1,  7, "hashalgs"                       }, /* 389 */
- {                0x01,       391, 0,  8, "id-SHA-256"                     }, /* 390 */
- {                0x02,       392, 0,  8, "id-SHA-384"                     }, /* 391 */
- {                0x03,       393, 0,  8, "id-SHA-512"                     }, /* 392 */
- {                0x04,       394, 0,  8, "id-SHA-224"                     }, /* 393 */
- {                0x05,       395, 0,  8, "id-SHA-512-224"                 }, /* 394 */
- {                0x06,         0, 0,  8, "id-SHA-512-256"                 }, /* 395 */
- {        0x86,                 0, 1,  4, ""                               }, /* 396 */
- {          0xf8,               0, 1,  5, ""                               }, /* 397 */
- {            0x42,           410, 1,  6, "netscape"                       }, /* 398 */
- {              0x01,         405, 1,  7, ""                               }, /* 399 */
- {                0x01,       401, 0,  8, "nsCertType"                     }, /* 400 */
- {                0x03,       402, 0,  8, "nsRevocationUrl"                }, /* 401 */
- {                0x04,       403, 0,  8, "nsCaRevocationUrl"              }, /* 402 */
- {                0x08,       404, 0,  8, "nsCaPolicyUrl"                  }, /* 403 */
- {                0x0d,         0, 0,  8, "nsComment"                      }, /* 404 */
- {              0x03,         408, 1,  7, "directory"                      }, /* 405 */
- {                0x01,         0, 1,  8, ""                               }, /* 406 */
- {                  0x03,       0, 0,  9, "employeeNumber"                 }, /* 407 */
- {              0x04,           0, 1,  7, "policy"                         }, /* 408 */
- {                0x01,         0, 0,  8, "nsSGC"                          }, /* 409 */
- {            0x45,             0, 1,  6, "verisign"                       }, /* 410 */
- {              0x01,           0, 1,  7, "pki"                            }, /* 411 */
- {                0x09,         0, 1,  8, "attributes"                     }, /* 412 */
- {                  0x02,     414, 0,  9, "messageType"                    }, /* 413 */
- {                  0x03,     415, 0,  9, "pkiStatus"                      }, /* 414 */
- {                  0x04,     416, 0,  9, "failInfo"                       }, /* 415 */
- {                  0x05,     417, 0,  9, "senderNonce"                    }, /* 416 */
- {                  0x06,     418, 0,  9, "recipientNonce"                 }, /* 417 */
- {                  0x07,     419, 0,  9, "transID"                        }, /* 418 */
- {                  0x08,       0, 0,  9, "extensionReq"                   }, /* 419 */
- {0x67,                         0, 1,  0, ""                               }, /* 420 */
- {  0x81,                       0, 1,  1, ""                               }, /* 421 */
- {    0x05,                     0, 1,  2, ""                               }, /* 422 */
- {      0x02,                   0, 1,  3, "tcg-attribute"                  }, /* 423 */
- {        0x01,               425, 0,  4, "tcg-at-tpmManufacturer"         }, /* 424 */
- {        0x02,               426, 0,  4, "tcg-at-tpmModel"                }, /* 425 */
- {        0x03,               427, 0,  4, "tcg-at-tpmVersion"              }, /* 426 */
- {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"              }  /* 427 */
+ {              0x15,           0, 1,  7, "msCertSrvInfrastructure"        }, /* 204 */
+ {                0x07,       206, 0,  8, "msCertTemplate"                 }, /* 205 */
+ {                0x0A,         0, 0,  8, "msApplicationCertPolicies"      }, /* 206 */
+ {            0xA0,             0, 1,  6, ""                               }, /* 207 */
+ {              0x2A,           0, 1,  7, "ITA"                            }, /* 208 */
+ {                0x01,         0, 0,  8, "strongSwan"                     }, /* 209 */
+ {          0x89,             217, 1,  5, ""                               }, /* 210 */
+ {            0x31,             0, 1,  6, ""                               }, /* 211 */
+ {              0x01,           0, 1,  7, ""                               }, /* 212 */
+ {                0x01,         0, 1,  8, ""                               }, /* 213 */
+ {                  0x02,       0, 1,  9, ""                               }, /* 214 */
+ {                    0x02,     0, 1, 10, ""                               }, /* 215 */
+ {                      0x4B,   0, 0, 11, "TCGID"                          }, /* 216 */
+ {          0xC1,               0, 1,  5, ""                               }, /* 217 */
+ {            0x16,             0, 1,  6, "ntruCryptosystems"              }, /* 218 */
+ {              0x01,           0, 1,  7, "eess"                           }, /* 219 */
+ {                0x01,         0, 1,  8, "eess1"                          }, /* 220 */
+ {                  0x01,     225, 1,  9, "eess1-algs"                     }, /* 221 */
+ {                    0x01,   223, 0, 10, "ntru-EESS1v1-SVES"              }, /* 222 */
+ {                    0x02,   224, 0, 10, "ntru-EESS1v1-SVSSA"             }, /* 223 */
+ {                    0x03,     0, 0, 10, "ntru-EESS1v1-NTRUSign"          }, /* 224 */
+ {                  0x02,     255, 1,  9, "eess1-params"                   }, /* 225 */
+ {                    0x01,   227, 0, 10, "ees251ep1"                      }, /* 226 */
+ {                    0x02,   228, 0, 10, "ees347ep1"                      }, /* 227 */
+ {                    0x03,   229, 0, 10, "ees503ep1"                      }, /* 228 */
+ {                    0x07,   230, 0, 10, "ees251sp2"                      }, /* 229 */
+ {                    0x0C,   231, 0, 10, "ees251ep4"                      }, /* 230 */
+ {                    0x0D,   232, 0, 10, "ees251ep5"                      }, /* 231 */
+ {                    0x0E,   233, 0, 10, "ees251sp3"                      }, /* 232 */
+ {                    0x0F,   234, 0, 10, "ees251sp4"                      }, /* 233 */
+ {                    0x10,   235, 0, 10, "ees251sp5"                      }, /* 234 */
+ {                    0x11,   236, 0, 10, "ees251sp6"                      }, /* 235 */
+ {                    0x12,   237, 0, 10, "ees251sp7"                      }, /* 236 */
+ {                    0x13,   238, 0, 10, "ees251sp8"                      }, /* 237 */
+ {                    0x14,   239, 0, 10, "ees251sp9"                      }, /* 238 */
+ {                    0x22,   240, 0, 10, "ees401ep1"                      }, /* 239 */
+ {                    0x23,   241, 0, 10, "ees449ep1"                      }, /* 240 */
+ {                    0x24,   242, 0, 10, "ees677ep1"                      }, /* 241 */
+ {                    0x25,   243, 0, 10, "ees1087ep2"                     }, /* 242 */
+ {                    0x26,   244, 0, 10, "ees541ep1"                      }, /* 243 */
+ {                    0x27,   245, 0, 10, "ees613ep1"                      }, /* 244 */
+ {                    0x28,   246, 0, 10, "ees887ep1"                      }, /* 245 */
+ {                    0x29,   247, 0, 10, "ees1171ep1"                     }, /* 246 */
+ {                    0x2A,   248, 0, 10, "ees659ep1"                      }, /* 247 */
+ {                    0x2B,   249, 0, 10, "ees761ep1"                      }, /* 248 */
+ {                    0x2C,   250, 0, 10, "ees1087ep1"                     }, /* 249 */
+ {                    0x2D,   251, 0, 10, "ees1499ep1"                     }, /* 250 */
+ {                    0x2E,   252, 0, 10, "ees401ep2"                      }, /* 251 */
+ {                    0x2F,   253, 0, 10, "ees439ep1"                      }, /* 252 */
+ {                    0x30,   254, 0, 10, "ees593ep1"                      }, /* 253 */
+ {                    0x31,     0, 0, 10, "ees743ep1"                      }, /* 254 */
+ {                  0x03,       0, 0,  9, "eess1-encodingMethods"          }, /* 255 */
+ {      0x05,                   0, 1,  3, "security"                       }, /* 256 */
+ {        0x05,                 0, 1,  4, "mechanisms"                     }, /* 257 */
+ {          0x07,             302, 1,  5, "id-pkix"                        }, /* 258 */
+ {            0x01,           263, 1,  6, "id-pe"                          }, /* 259 */
+ {              0x01,         261, 0,  7, "authorityInfoAccess"            }, /* 260 */
+ {              0x03,         262, 0,  7, "qcStatements"                   }, /* 261 */
+ {              0x07,           0, 0,  7, "ipAddrBlocks"                   }, /* 262 */
+ {            0x02,           266, 1,  6, "id-qt"                          }, /* 263 */
+ {              0x01,         265, 0,  7, "cps"                            }, /* 264 */
+ {              0x02,           0, 0,  7, "unotice"                        }, /* 265 */
+ {            0x03,           276, 1,  6, "id-kp"                          }, /* 266 */
+ {              0x01,         268, 0,  7, "serverAuth"                     }, /* 267 */
+ {              0x02,         269, 0,  7, "clientAuth"                     }, /* 268 */
+ {              0x03,         270, 0,  7, "codeSigning"                    }, /* 269 */
+ {              0x04,         271, 0,  7, "emailProtection"                }, /* 270 */
+ {              0x05,         272, 0,  7, "ipsecEndSystem"                 }, /* 271 */
+ {              0x06,         273, 0,  7, "ipsecTunnel"                    }, /* 272 */
+ {              0x07,         274, 0,  7, "ipsecUser"                      }, /* 273 */
+ {              0x08,         275, 0,  7, "timeStamping"                   }, /* 274 */
+ {              0x09,           0, 0,  7, "ocspSigning"                    }, /* 275 */
+ {            0x08,           284, 1,  6, "id-otherNames"                  }, /* 276 */
+ {              0x01,         278, 0,  7, "personalData"                   }, /* 277 */
+ {              0x02,         279, 0,  7, "userGroup"                      }, /* 278 */
+ {              0x03,         280, 0,  7, "id-on-permanentIdentifier"      }, /* 279 */
+ {              0x04,         281, 0,  7, "id-on-hardwareModuleName"       }, /* 280 */
+ {              0x05,         282, 0,  7, "xmppAddr"                       }, /* 281 */
+ {              0x06,         283, 0,  7, "id-on-SIM"                      }, /* 282 */
+ {              0x07,           0, 0,  7, "id-on-dnsSRV"                   }, /* 283 */
+ {            0x0A,           289, 1,  6, "id-aca"                         }, /* 284 */
+ {              0x01,         286, 0,  7, "authenticationInfo"             }, /* 285 */
+ {              0x02,         287, 0,  7, "accessIdentity"                 }, /* 286 */
+ {              0x03,         288, 0,  7, "chargingIdentity"               }, /* 287 */
+ {              0x04,           0, 0,  7, "group"                          }, /* 288 */
+ {            0x0B,           290, 0,  6, "subjectInfoAccess"              }, /* 289 */
+ {            0x30,             0, 1,  6, "id-ad"                          }, /* 290 */
+ {              0x01,         299, 1,  7, "ocsp"                           }, /* 291 */
+ {                0x01,       293, 0,  8, "basic"                          }, /* 292 */
+ {                0x02,       294, 0,  8, "nonce"                          }, /* 293 */
+ {                0x03,       295, 0,  8, "crl"                            }, /* 294 */
+ {                0x04,       296, 0,  8, "response"                       }, /* 295 */
+ {                0x05,       297, 0,  8, "noCheck"                        }, /* 296 */
+ {                0x06,       298, 0,  8, "archiveCutoff"                  }, /* 297 */
+ {                0x07,         0, 0,  8, "serviceLocator"                 }, /* 298 */
+ {              0x02,         300, 0,  7, "caIssuers"                      }, /* 299 */
+ {              0x03,         301, 0,  7, "timeStamping"                   }, /* 300 */
+ {              0x05,           0, 0,  7, "caRepository"                   }, /* 301 */
+ {          0x08,               0, 1,  5, "ipsec"                          }, /* 302 */
+ {            0x02,             0, 1,  6, "certificate"                    }, /* 303 */
+ {              0x02,           0, 0,  7, "iKEIntermediate"                }, /* 304 */
+ {  0x0E,                     311, 1,  1, "oiw"                            }, /* 305 */
+ {    0x03,                     0, 1,  2, "secsig"                         }, /* 306 */
+ {      0x02,                   0, 1,  3, "algorithms"                     }, /* 307 */
+ {        0x07,               309, 0,  4, "des-cbc"                        }, /* 308 */
+ {        0x1A,               310, 0,  4, "sha-1"                          }, /* 309 */
+ {        0x1D,                 0, 0,  4, "sha-1WithRSASignature"          }, /* 310 */
+ {  0x24,                     357, 1,  1, "TeleTrusT"                      }, /* 311 */
+ {    0x03,                     0, 1,  2, "algorithm"                      }, /* 312 */
+ {      0x03,                   0, 1,  3, "signatureAlgorithm"             }, /* 313 */
+ {        0x01,               318, 1,  4, "rsaSignature"                   }, /* 314 */
+ {          0x02,             316, 0,  5, "rsaSigWithripemd160"            }, /* 315 */
+ {          0x03,             317, 0,  5, "rsaSigWithripemd128"            }, /* 316 */
+ {          0x04,               0, 0,  5, "rsaSigWithripemd256"            }, /* 317 */
+ {        0x02,                 0, 1,  4, "ecSign"                         }, /* 318 */
+ {          0x01,             320, 0,  5, "ecSignWithsha1"                 }, /* 319 */
+ {          0x02,             321, 0,  5, "ecSignWithripemd160"            }, /* 320 */
+ {          0x03,             322, 0,  5, "ecSignWithmd2"                  }, /* 321 */
+ {          0x04,             323, 0,  5, "ecSignWithmd5"                  }, /* 322 */
+ {          0x05,             340, 1,  5, "ttt-ecg"                        }, /* 323 */
+ {            0x01,           328, 1,  6, "fieldType"                      }, /* 324 */
+ {              0x01,           0, 1,  7, "characteristictwoField"         }, /* 325 */
+ {                0x01,         0, 1,  8, "basisType"                      }, /* 326 */
+ {                  0x01,       0, 0,  9, "ipBasis"                        }, /* 327 */
+ {            0x02,           330, 1,  6, "keyType"                        }, /* 328 */
+ {              0x01,           0, 0,  7, "ecgPublicKey"                   }, /* 329 */
+ {            0x03,           331, 0,  6, "curve"                          }, /* 330 */
+ {            0x04,           338, 1,  6, "signatures"                     }, /* 331 */
+ {              0x01,         333, 0,  7, "ecgdsa-with-RIPEMD160"          }, /* 332 */
+ {              0x02,         334, 0,  7, "ecgdsa-with-SHA1"               }, /* 333 */
+ {              0x03,         335, 0,  7, "ecgdsa-with-SHA224"             }, /* 334 */
+ {              0x04,         336, 0,  7, "ecgdsa-with-SHA256"             }, /* 335 */
+ {              0x05,         337, 0,  7, "ecgdsa-with-SHA384"             }, /* 336 */
+ {              0x06,           0, 0,  7, "ecgdsa-with-SHA512"             }, /* 337 */
+ {            0x05,             0, 1,  6, "module"                         }, /* 338 */
+ {              0x01,           0, 0,  7, "1"                              }, /* 339 */
+ {          0x08,               0, 1,  5, "ecStdCurvesAndGeneration"       }, /* 340 */
+ {            0x01,             0, 1,  6, "ellipticCurve"                  }, /* 341 */
+ {              0x01,           0, 1,  7, "versionOne"                     }, /* 342 */
+ {                0x01,       344, 0,  8, "brainpoolP160r1"                }, /* 343 */
+ {                0x02,       345, 0,  8, "brainpoolP160t1"                }, /* 344 */
+ {                0x03,       346, 0,  8, "brainpoolP192r1"                }, /* 345 */
+ {                0x04,       347, 0,  8, "brainpoolP192t1"                }, /* 346 */
+ {                0x05,       348, 0,  8, "brainpoolP224r1"                }, /* 347 */
+ {                0x06,       349, 0,  8, "brainpoolP224t1"                }, /* 348 */
+ {                0x07,       350, 0,  8, "brainpoolP256r1"                }, /* 349 */
+ {                0x08,       351, 0,  8, "brainpoolP256t1"                }, /* 350 */
+ {                0x09,       352, 0,  8, "brainpoolP320r1"                }, /* 351 */
+ {                0x0A,       353, 0,  8, "brainpoolP320t1"                }, /* 352 */
+ {                0x0B,       354, 0,  8, "brainpoolP384r1"                }, /* 353 */
+ {                0x0C,       355, 0,  8, "brainpoolP384t1"                }, /* 354 */
+ {                0x0D,       356, 0,  8, "brainpoolP512r1"                }, /* 355 */
+ {                0x0E,         0, 0,  8, "brainpoolP512t1"                }, /* 356 */
+ {  0x81,                       0, 1,  1, ""                               }, /* 357 */
+ {    0x04,                     0, 1,  2, "Certicom"                       }, /* 358 */
+ {      0x00,                   0, 1,  3, "curve"                          }, /* 359 */
+ {        0x01,               361, 0,  4, "sect163k1"                      }, /* 360 */
+ {        0x02,               362, 0,  4, "sect163r1"                      }, /* 361 */
+ {        0x03,               363, 0,  4, "sect239k1"                      }, /* 362 */
+ {        0x04,               364, 0,  4, "sect113r1"                      }, /* 363 */
+ {        0x05,               365, 0,  4, "sect113r2"                      }, /* 364 */
+ {        0x06,               366, 0,  4, "secp112r1"                      }, /* 365 */
+ {        0x07,               367, 0,  4, "secp112r2"                      }, /* 366 */
+ {        0x08,               368, 0,  4, "secp160r1"                      }, /* 367 */
+ {        0x09,               369, 0,  4, "secp160k1"                      }, /* 368 */
+ {        0x0A,               370, 0,  4, "secp256k1"                      }, /* 369 */
+ {        0x0F,               371, 0,  4, "sect163r2"                      }, /* 370 */
+ {        0x10,               372, 0,  4, "sect283k1"                      }, /* 371 */
+ {        0x11,               373, 0,  4, "sect283r1"                      }, /* 372 */
+ {        0x16,               374, 0,  4, "sect131r1"                      }, /* 373 */
+ {        0x17,               375, 0,  4, "sect131r2"                      }, /* 374 */
+ {        0x18,               376, 0,  4, "sect193r1"                      }, /* 375 */
+ {        0x19,               377, 0,  4, "sect193r2"                      }, /* 376 */
+ {        0x1A,               378, 0,  4, "sect233k1"                      }, /* 377 */
+ {        0x1B,               379, 0,  4, "sect233r1"                      }, /* 378 */
+ {        0x1C,               380, 0,  4, "secp128r1"                      }, /* 379 */
+ {        0x1D,               381, 0,  4, "secp128r2"                      }, /* 380 */
+ {        0x1E,               382, 0,  4, "secp160r2"                      }, /* 381 */
+ {        0x1F,               383, 0,  4, "secp192k1"                      }, /* 382 */
+ {        0x20,               384, 0,  4, "secp224k1"                      }, /* 383 */
+ {        0x21,               385, 0,  4, "secp224r1"                      }, /* 384 */
+ {        0x22,               386, 0,  4, "secp384r1"                      }, /* 385 */
+ {        0x23,               387, 0,  4, "secp521r1"                      }, /* 386 */
+ {        0x24,               388, 0,  4, "sect409k1"                      }, /* 387 */
+ {        0x25,               389, 0,  4, "sect409r1"                      }, /* 388 */
+ {        0x26,               390, 0,  4, "sect571k1"                      }, /* 389 */
+ {        0x27,                 0, 0,  4, "sect571r1"                      }, /* 390 */
+ {0x60,                       445, 1,  0, ""                               }, /* 391 */
+ {  0x86,                       0, 1,  1, ""                               }, /* 392 */
+ {    0x48,                     0, 1,  2, ""                               }, /* 393 */
+ {      0x01,                   0, 1,  3, "organization"                   }, /* 394 */
+ {        0x65,               421, 1,  4, "gov"                            }, /* 395 */
+ {          0x03,               0, 1,  5, "csor"                           }, /* 396 */
+ {            0x04,             0, 1,  6, "nistalgorithm"                  }, /* 397 */
+ {              0x01,         408, 1,  7, "aes"                            }, /* 398 */
+ {                0x02,       400, 0,  8, "id-aes128-CBC"                  }, /* 399 */
+ {                0x06,       401, 0,  8, "id-aes128-GCM"                  }, /* 400 */
+ {                0x07,       402, 0,  8, "id-aes128-CCM"                  }, /* 401 */
+ {                0x16,       403, 0,  8, "id-aes192-CBC"                  }, /* 402 */
+ {                0x1A,       404, 0,  8, "id-aes192-GCM"                  }, /* 403 */
+ {                0x1B,       405, 0,  8, "id-aes192-CCM"                  }, /* 404 */
+ {                0x2A,       406, 0,  8, "id-aes256-CBC"                  }, /* 405 */
+ {                0x2E,       407, 0,  8, "id-aes256-GCM"                  }, /* 406 */
+ {                0x2F,         0, 0,  8, "id-aes256-CCM"                  }, /* 407 */
+ {              0x02,           0, 1,  7, "hashalgs"                       }, /* 408 */
+ {                0x01,       410, 0,  8, "id-sha256"                      }, /* 409 */
+ {                0x02,       411, 0,  8, "id-sha384"                      }, /* 410 */
+ {                0x03,       412, 0,  8, "id-sha512"                      }, /* 411 */
+ {                0x04,       413, 0,  8, "id-sha224"                      }, /* 412 */
+ {                0x05,       414, 0,  8, "id-sha512-224"                  }, /* 413 */
+ {                0x06,       415, 0,  8, "id-sha512-256"                  }, /* 414 */
+ {                0x07,       416, 0,  8, "id-sha3-224"                    }, /* 415 */
+ {                0x08,       417, 0,  8, "id-sha3-256"                    }, /* 416 */
+ {                0x09,       418, 0,  8, "id-sha3-384"                    }, /* 417 */
+ {                0x0A,       419, 0,  8, "id-sha3-512"                    }, /* 418 */
+ {                0x0B,       420, 0,  8, "id-shake128"                    }, /* 419 */
+ {                0x0C,         0, 0,  8, "id-shake256"                    }, /* 420 */
+ {        0x86,                 0, 1,  4, ""                               }, /* 421 */
+ {          0xf8,               0, 1,  5, ""                               }, /* 422 */
+ {            0x42,           435, 1,  6, "netscape"                       }, /* 423 */
+ {              0x01,         430, 1,  7, ""                               }, /* 424 */
+ {                0x01,       426, 0,  8, "nsCertType"                     }, /* 425 */
+ {                0x03,       427, 0,  8, "nsRevocationUrl"                }, /* 426 */
+ {                0x04,       428, 0,  8, "nsCaRevocationUrl"              }, /* 427 */
+ {                0x08,       429, 0,  8, "nsCaPolicyUrl"                  }, /* 428 */
+ {                0x0d,         0, 0,  8, "nsComment"                      }, /* 429 */
+ {              0x03,         433, 1,  7, "directory"                      }, /* 430 */
+ {                0x01,         0, 1,  8, ""                               }, /* 431 */
+ {                  0x03,       0, 0,  9, "employeeNumber"                 }, /* 432 */
+ {              0x04,           0, 1,  7, "policy"                         }, /* 433 */
+ {                0x01,         0, 0,  8, "nsSGC"                          }, /* 434 */
+ {            0x45,             0, 1,  6, "verisign"                       }, /* 435 */
+ {              0x01,           0, 1,  7, "pki"                            }, /* 436 */
+ {                0x09,         0, 1,  8, "attributes"                     }, /* 437 */
+ {                  0x02,     439, 0,  9, "messageType"                    }, /* 438 */
+ {                  0x03,     440, 0,  9, "pkiStatus"                      }, /* 439 */
+ {                  0x04,     441, 0,  9, "failInfo"                       }, /* 440 */
+ {                  0x05,     442, 0,  9, "senderNonce"                    }, /* 441 */
+ {                  0x06,     443, 0,  9, "recipientNonce"                 }, /* 442 */
+ {                  0x07,     444, 0,  9, "transID"                        }, /* 443 */
+ {                  0x08,       0, 0,  9, "extensionReq"                   }, /* 444 */
+ {0x67,                         0, 1,  0, ""                               }, /* 445 */
+ {  0x81,                       0, 1,  1, ""                               }, /* 446 */
+ {    0x05,                     0, 1,  2, ""                               }, /* 447 */
+ {      0x02,                   0, 1,  3, "tcg-attribute"                  }, /* 448 */
+ {        0x01,               450, 0,  4, "tcg-at-tpmManufacturer"         }, /* 449 */
+ {        0x02,               451, 0,  4, "tcg-at-tpmModel"                }, /* 450 */
+ {        0x03,               452, 0,  4, "tcg-at-tpmVersion"              }, /* 451 */
+ {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"              }  /* 452 */
 };
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index 14f774a..d72d986 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -138,101 +138,102 @@ extern const oid_t oid_names[];
 #define OID_ECDSA_WITH_SHA256				186
 #define OID_ECDSA_WITH_SHA384				187
 #define OID_ECDSA_WITH_SHA512				188
+#define OID_MS_SMARTCARD_LOGON				202
 #define OID_USER_PRINCIPAL_NAME				203
-#define OID_STRONGSWAN						206
-#define OID_TCGID							213
-#define OID_AUTHORITY_INFO_ACCESS			241
-#define OID_IP_ADDR_BLOCKS					243
-#define OID_POLICY_QUALIFIER_CPS			245
-#define OID_POLICY_QUALIFIER_UNOTICE		246
-#define OID_SERVER_AUTH						248
-#define OID_CLIENT_AUTH						249
-#define OID_OCSP_SIGNING					256
-#define OID_XMPP_ADDR						262
-#define OID_AUTHENTICATION_INFO				266
-#define OID_ACCESS_IDENTITY					267
-#define OID_CHARGING_IDENTITY				268
-#define OID_GROUP							269
-#define OID_OCSP							272
-#define OID_BASIC							273
-#define OID_NONCE							274
-#define OID_CRL								275
-#define OID_RESPONSE						276
-#define OID_NO_CHECK						277
-#define OID_ARCHIVE_CUTOFF					278
-#define OID_SERVICE_LOCATOR					279
-#define OID_CA_ISSUERS						280
-#define OID_IKE_INTERMEDIATE				285
-#define OID_DES_CBC							289
-#define OID_SHA1							290
-#define OID_SHA1_WITH_RSA_OIW				291
-#define OID_ECGDSA_PUBKEY					310
-#define OID_ECGDSA_SIG_WITH_RIPEMD160		313
-#define OID_ECGDSA_SIG_WITH_SHA1			314
-#define OID_ECGDSA_SIG_WITH_SHA224			315
-#define OID_ECGDSA_SIG_WITH_SHA256			316
-#define OID_ECGDSA_SIG_WITH_SHA384			317
-#define OID_ECGDSA_SIG_WITH_SHA512			318
-#define OID_SECT163K1						341
-#define OID_SECT163R1						342
-#define OID_SECT239K1						343
-#define OID_SECT113R1						344
-#define OID_SECT113R2						345
-#define OID_SECT112R1						346
-#define OID_SECT112R2						347
-#define OID_SECT160R1						348
-#define OID_SECT160K1						349
-#define OID_SECT256K1						350
-#define OID_SECT163R2						351
-#define OID_SECT283K1						352
-#define OID_SECT283R1						353
-#define OID_SECT131R1						354
-#define OID_SECT131R2						355
-#define OID_SECT193R1						356
-#define OID_SECT193R2						357
-#define OID_SECT233K1						358
-#define OID_SECT233R1						359
-#define OID_SECT128R1						360
-#define OID_SECT128R2						361
-#define OID_SECT160R2						362
-#define OID_SECT192K1						363
-#define OID_SECT224K1						364
-#define OID_SECT224R1						365
-#define OID_SECT384R1						366
-#define OID_SECT521R1						367
-#define OID_SECT409K1						368
-#define OID_SECT409R1						369
-#define OID_SECT571K1						370
-#define OID_SECT571R1						371
-#define OID_AES128_CBC						380
-#define OID_AES128_GCM						381
-#define OID_AES128_CCM						382
-#define OID_AES192_CBC						383
-#define OID_AES192_GCM						384
-#define OID_AES192_CCM						385
-#define OID_AES256_CBC						386
-#define OID_AES256_GCM						387
-#define OID_AES256_CCM						388
-#define OID_SHA256							390
-#define OID_SHA384							391
-#define OID_SHA512							392
-#define OID_SHA224							393
-#define OID_NS_REVOCATION_URL				401
-#define OID_NS_CA_REVOCATION_URL			402
-#define OID_NS_CA_POLICY_URL				403
-#define OID_NS_COMMENT						404
-#define OID_EMPLOYEE_NUMBER					407
-#define OID_PKI_MESSAGE_TYPE				413
-#define OID_PKI_STATUS						414
-#define OID_PKI_FAIL_INFO					415
-#define OID_PKI_SENDER_NONCE				416
-#define OID_PKI_RECIPIENT_NONCE				417
-#define OID_PKI_TRANS_ID					418
-#define OID_TPM_MANUFACTURER				424
-#define OID_TPM_MODEL						425
-#define OID_TPM_VERSION						426
-#define OID_TPM_ID_LABEL					427
+#define OID_STRONGSWAN						209
+#define OID_TCGID							216
+#define OID_AUTHORITY_INFO_ACCESS			260
+#define OID_IP_ADDR_BLOCKS					262
+#define OID_POLICY_QUALIFIER_CPS			264
+#define OID_POLICY_QUALIFIER_UNOTICE		265
+#define OID_SERVER_AUTH						267
+#define OID_CLIENT_AUTH						268
+#define OID_OCSP_SIGNING					275
+#define OID_XMPP_ADDR						281
+#define OID_AUTHENTICATION_INFO				285
+#define OID_ACCESS_IDENTITY					286
+#define OID_CHARGING_IDENTITY				287
+#define OID_GROUP							288
+#define OID_OCSP							291
+#define OID_BASIC							292
+#define OID_NONCE							293
+#define OID_CRL								294
+#define OID_RESPONSE						295
+#define OID_NO_CHECK						296
+#define OID_ARCHIVE_CUTOFF					297
+#define OID_SERVICE_LOCATOR					298
+#define OID_CA_ISSUERS						299
+#define OID_IKE_INTERMEDIATE				304
+#define OID_DES_CBC							308
+#define OID_SHA1							309
+#define OID_SHA1_WITH_RSA_OIW				310
+#define OID_ECGDSA_PUBKEY					329
+#define OID_ECGDSA_SIG_WITH_RIPEMD160		332
+#define OID_ECGDSA_SIG_WITH_SHA1			333
+#define OID_ECGDSA_SIG_WITH_SHA224			334
+#define OID_ECGDSA_SIG_WITH_SHA256			335
+#define OID_ECGDSA_SIG_WITH_SHA384			336
+#define OID_ECGDSA_SIG_WITH_SHA512			337
+#define OID_SECT163K1						360
+#define OID_SECT163R1						361
+#define OID_SECT239K1						362
+#define OID_SECT113R1						363
+#define OID_SECT113R2						364
+#define OID_SECT112R1						365
+#define OID_SECT112R2						366
+#define OID_SECT160R1						367
+#define OID_SECT160K1						368
+#define OID_SECT256K1						369
+#define OID_SECT163R2						370
+#define OID_SECT283K1						371
+#define OID_SECT283R1						372
+#define OID_SECT131R1						373
+#define OID_SECT131R2						374
+#define OID_SECT193R1						375
+#define OID_SECT193R2						376
+#define OID_SECT233K1						377
+#define OID_SECT233R1						378
+#define OID_SECT128R1						379
+#define OID_SECT128R2						380
+#define OID_SECT160R2						381
+#define OID_SECT192K1						382
+#define OID_SECT224K1						383
+#define OID_SECT224R1						384
+#define OID_SECT384R1						385
+#define OID_SECT521R1						386
+#define OID_SECT409K1						387
+#define OID_SECT409R1						388
+#define OID_SECT571K1						389
+#define OID_SECT571R1						390
+#define OID_AES128_CBC						399
+#define OID_AES128_GCM						400
+#define OID_AES128_CCM						401
+#define OID_AES192_CBC						402
+#define OID_AES192_GCM						403
+#define OID_AES192_CCM						404
+#define OID_AES256_CBC						405
+#define OID_AES256_GCM						406
+#define OID_AES256_CCM						407
+#define OID_SHA256							409
+#define OID_SHA384							410
+#define OID_SHA512							411
+#define OID_SHA224							412
+#define OID_NS_REVOCATION_URL				426
+#define OID_NS_CA_REVOCATION_URL			427
+#define OID_NS_CA_POLICY_URL				428
+#define OID_NS_COMMENT						429
+#define OID_EMPLOYEE_NUMBER					432
+#define OID_PKI_MESSAGE_TYPE				438
+#define OID_PKI_STATUS						439
+#define OID_PKI_FAIL_INFO					440
+#define OID_PKI_SENDER_NONCE				441
+#define OID_PKI_RECIPIENT_NONCE				442
+#define OID_PKI_TRANS_ID					443
+#define OID_TPM_MANUFACTURER				449
+#define OID_TPM_MODEL						450
+#define OID_TPM_VERSION						451
+#define OID_TPM_ID_LABEL					452
 
-#define OID_MAX								428
+#define OID_MAX								453
 
 #endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index c15a1cc..e545188 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -200,8 +200,11 @@
                   0x04       "msEncryptingFileSystem"
               0x14           "msEnrollmentInfrastructure"
                 0x02         "msCertificateTypeExtension"
-                  0x02       "msSmartcardLogon"
+                  0x02       "msSmartcardLogon"			OID_MS_SMARTCARD_LOGON
                   0x03       "msUPN"					OID_USER_PRINCIPAL_NAME
+              0x15           "msCertSrvInfrastructure"
+                0x07         "msCertTemplate"
+                0x0A         "msApplicationCertPolicies"
             0xA0             ""
               0x2A           "ITA"
                 0x01         "strongSwan"				OID_STRONGSWAN
@@ -212,7 +215,7 @@
                   0x02       ""
                     0x02     ""
                       0x4B   "TCGID"					OID_TCGID
-          0xc1               ""
+          0xC1               ""
             0x16             "ntruCryptosystems"
               0x01           "eess"
                 0x01         "eess1"
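Review bot: The `0xc1` → `0xC1` normalisation in this hunk is only partial: `0xf8` in the context of the hashalgs hunk further down (the `0xf8` line under `0x86`) stays lowercase, and the generated table in oid.c carries the same mixed case (`0xf8` and `0x0d` next to otherwise uppercase bytes). If the intent is a uniform uppercase style for arc bytes, the remaining lowercase entries should be changed in the same pass so the source and the generated table agree; otherwise this one-off change is noise in the diff.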
@@ -234,6 +237,22 @@
                     0x12     "ees251sp7"
                     0x13     "ees251sp8"
                     0x14     "ees251sp9"
+                    0x22     "ees401ep1"
+                    0x23     "ees449ep1"
+                    0x24     "ees677ep1"
+                    0x25     "ees1087ep2"
+                    0x26     "ees541ep1"
+                    0x27     "ees613ep1"
+                    0x28     "ees887ep1"
+                    0x29     "ees1171ep1"
+                    0x2A     "ees659ep1"
+                    0x2B     "ees761ep1"
+                    0x2C     "ees1087ep1"
+                    0x2D     "ees1499ep1"
+                    0x2E     "ees401ep2"
+                    0x2F     "ees439ep1"
+                    0x30     "ees593ep1"
+                    0x31     "ees743ep1"
                   0x03       "eess1-encodingMethods"
       0x05                   "security"
         0x05                 "mechanisms"
@@ -388,12 +407,18 @@
                 0x2E         "id-aes256-GCM"			OID_AES256_GCM
                 0x2F         "id-aes256-CCM"			OID_AES256_CCM
               0x02           "hashalgs"
-                0x01         "id-SHA-256"				OID_SHA256
-                0x02         "id-SHA-384"				OID_SHA384
-                0x03         "id-SHA-512"				OID_SHA512
-                0x04         "id-SHA-224"				OID_SHA224
-                0x05         "id-SHA-512-224"
-                0x06         "id-SHA-512-256"
+                0x01         "id-sha256"				OID_SHA256
+                0x02         "id-sha384"				OID_SHA384
+                0x03         "id-sha512"				OID_SHA512
+                0x04         "id-sha224"				OID_SHA224
+                0x05         "id-sha512-224"
+                0x06         "id-sha512-256"
+                0x07         "id-sha3-224"
+                0x08         "id-sha3-256"
+                0x09         "id-sha3-384"
+                0x0A         "id-sha3-512"
+                0x0B         "id-shake128"
+                0x0C         "id-shake256"
         0x86                 ""
           0xf8               ""
             0x42             "netscape"
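Review bot: Renaming `id-SHA-256`/`id-SHA-384`/`id-SHA-512`/`id-SHA-224` to `id-sha256` etc. changes the name strings that end up in the generated oid_names table, not just the symbolic OID_SHA* constants. Anything that keys off the printed name (log matching in tests, external tooling parsing strongSwan output) would presumably stop matching silently, since the numeric OID_* constants are unaffected; a one-line mention in NEWS or the commit description that the display names were aligned with the NIST spellings would make the change easier to trace. The new SHA-3/SHAKE entries themselves only add names and need no such note.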
diff --git a/src/libstrongswan/collections/array.c b/src/libstrongswan/collections/array.c
index 314e8e9..75efb85 100644
--- a/src/libstrongswan/collections/array.c
+++ b/src/libstrongswan/collections/array.c
@@ -141,7 +141,7 @@ static void remove_tail(array_t *array, int idx)
 	/* move all items after idx one down */
 	memmove(array->data + get_size(array, idx + array->head),
 			array->data + get_size(array, idx + array->head + 1),
-			get_size(array, array->count - idx));
+			get_size(array, array->count - 1 - idx));
 	array->count--;
 	array->tail++;
 }
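Review bot: The corrected length is right, but the defect it fixes — the old `count - idx` moved one element more than follows idx, so removing the last element read one slot past the used range — is not pinned by any test in this commit. A regression case in the array test suite that removes at `idx == count - 1` (and at `idx == 0` with a non-empty head) would catch a reintroduction; the memmove arithmetic here is easy to get wrong again. remove_tail's signature and the early part of its body are outside the hunk.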
diff --git a/src/libstrongswan/collections/hashtable.c b/src/libstrongswan/collections/hashtable.c
index 1003aa0..ca31d83 100644
--- a/src/libstrongswan/collections/hashtable.c
+++ b/src/libstrongswan/collections/hashtable.c
@@ -30,7 +30,7 @@ struct pair_t {
 	/**
 	 * Key of a hash table item.
 	 */
-	void *key;
+	const void *key;
 
 	/**
 	 * Value of a hash table item.
@@ -51,7 +51,7 @@ struct pair_t {
 /**
  * Creates an empty pair object.
  */
-static inline pair_t *pair_create(void *key, void *value, u_int hash)
+static inline pair_t *pair_create(const void *key, void *value, u_int hash)
 {
 	pair_t *this;
 
@@ -153,7 +153,7 @@ struct private_enumerator_t {
 /*
  * See header.
  */
-u_int hashtable_hash_ptr(void *key)
+u_int hashtable_hash_ptr(const void *key)
 {
 	return chunk_hash(chunk_from_thing(key));
 }
@@ -161,7 +161,7 @@ u_int hashtable_hash_ptr(void *key)
 /*
  * See header.
  */
-u_int hashtable_hash_str(void *key)
+u_int hashtable_hash_str(const void *key)
 {
 	return chunk_hash(chunk_from_str((char*)key));
 }
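Review bot: The new `const void *key` parameter is immediately cast back to `char*`, discarding the qualifier the signature just gained; `chunk_from_str((const char*)key)` keeps the promise the prototype makes, provided chunk_from_str accepts a const pointer. If it still requires a mutable pointer (chunk_t.ptr being non-const), the cast is doing real work and deserves a short comment, e.g. `/* chunk_from_str needs a non-const pointer; the key is never written */`, so the next reader does not "fix" it. The same consideration applies to `hashtable_equals_str` below only if streq is not const-correct.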
@@ -169,7 +169,7 @@ u_int hashtable_hash_str(void *key)
 /*
  * See header.
  */
-bool hashtable_equals_ptr(void *key, void *other_key)
+bool hashtable_equals_ptr(const void *key, const void *other_key)
 {
 	return key == other_key;
 }
@@ -177,7 +177,7 @@ bool hashtable_equals_ptr(void *key, void *other_key)
 /*
  * See header.
  */
-bool hashtable_equals_str(void *key, void *other_key)
+bool hashtable_equals_str(const void *key, const void *other_key)
 {
 	return streq(key, other_key);
 }
@@ -250,7 +250,7 @@ static void rehash(private_hashtable_t *this)
 }
 
 METHOD(hashtable_t, put, void*,
-	   private_hashtable_t *this, void *key, void *value)
+	   private_hashtable_t *this, const void *key, void *value)
 {
 	void *old_value = NULL;
 	pair_t *pair;
@@ -284,7 +284,7 @@ METHOD(hashtable_t, put, void*,
 	return old_value;
 }
 
-static void *get_internal(private_hashtable_t *this, void *key,
+static void *get_internal(private_hashtable_t *this, const void *key,
 						  hashtable_equals_t equals)
 {
 	void *value = NULL;
@@ -309,19 +309,19 @@ static void *get_internal(private_hashtable_t *this, void *key,
 }
 
 METHOD(hashtable_t, get, void*,
-	   private_hashtable_t *this, void *key)
+	   private_hashtable_t *this, const void *key)
 {
 	return get_internal(this, key, this->equals);
 }
 
 METHOD(hashtable_t, get_match, void*,
-	   private_hashtable_t *this, void *key, hashtable_equals_t match)
+	   private_hashtable_t *this, const void *key, hashtable_equals_t match)
 {
 	return get_internal(this, key, match);
 }
 
 METHOD(hashtable_t, remove_, void*,
-	   private_hashtable_t *this, void *key)
+	   private_hashtable_t *this, const void *key)
 {
 	void *value = NULL;
 	pair_t *pair, *prev = NULL;
@@ -379,7 +379,7 @@ METHOD(hashtable_t, get_count, u_int,
 }
 
 METHOD(enumerator_t, enumerate, bool,
-	   private_enumerator_t *this, void **key, void **value)
+	   private_enumerator_t *this, const void **key, void **value)
 {
 	while (this->count && this->row < this->table->capacity)
 	{
diff --git a/src/libstrongswan/collections/hashtable.h b/src/libstrongswan/collections/hashtable.h
index 520a86c..0a7ebeb 100644
--- a/src/libstrongswan/collections/hashtable.h
+++ b/src/libstrongswan/collections/hashtable.h
@@ -31,7 +31,7 @@ typedef struct hashtable_t hashtable_t;
  * @param key			key to hash
  * @return				hash code
  */
-typedef u_int (*hashtable_hash_t)(void *key);
+typedef u_int (*hashtable_hash_t)(const void *key);
 
 /**
  * Hashtable hash function calculation the hash solely based on the key pointer.
@@ -39,7 +39,7 @@ typedef u_int (*hashtable_hash_t)(void *key);
  * @param key			key to hash
  * @return				hash of key
  */
-u_int hashtable_hash_ptr(void *key);
+u_int hashtable_hash_ptr(const void *key);
 
 /**
  * Hashtable hash function calculation the hash for char* keys.
@@ -47,7 +47,7 @@ u_int hashtable_hash_ptr(void *key);
  * @param key			key to hash, a char*
  * @return				hash of key
  */
-u_int hashtable_hash_str(void *key);
+u_int hashtable_hash_str(const void *key);
 
 /**
  * Prototype for a function that compares the two keys for equality.
@@ -56,7 +56,7 @@ u_int hashtable_hash_str(void *key);
  * @param other_key		second key
  * @return				TRUE if the keys are equal
  */
-typedef bool (*hashtable_equals_t)(void *key, void *other_key);
+typedef bool (*hashtable_equals_t)(const void *key, const void *other_key);
 
 /**
  * Hashtable equals function comparing pointers.
@@ -65,7 +65,7 @@ typedef bool (*hashtable_equals_t)(void *key, void *other_key);
  * @param other_key		other key to compare
  * @return				TRUE if key == other_key
  */
-bool hashtable_equals_ptr(void *key, void *other_key);
+bool hashtable_equals_ptr(const void *key, const void *other_key);
 
 /**
  * Hashtable equals function comparing char* keys.
@@ -74,7 +74,7 @@ bool hashtable_equals_ptr(void *key, void *other_key);
  * @param other_key		other key to compare
  * @return				TRUE if streq(key, other_key)
  */
-bool hashtable_equals_str(void *key, void *other_key);
+bool hashtable_equals_str(const void *key, const void *other_key);
 
 /**
  * Class implementing a hash table.
@@ -100,7 +100,7 @@ struct hashtable_t {
 	 * @param value		the value to store
 	 * @return			NULL if no item was replaced, the old value otherwise
 	 */
-	void *(*put) (hashtable_t *this, void *key, void *value);
+	void *(*put) (hashtable_t *this, const void *key, void *value);
 
 	/**
 	 * Returns the value with the given key, if the hash table contains such an
@@ -109,7 +109,7 @@ struct hashtable_t {
 	 * @param key		the key of the requested value
 	 * @return			the value, NULL if not found
 	 */
-	void *(*get) (hashtable_t *this, void *key);
+	void *(*get) (hashtable_t *this, const void *key);
 
 	/**
 	 * Returns the value with a matching key, if the hash table contains such an
@@ -125,7 +125,8 @@ struct hashtable_t {
 	 * @param match		match function to be used when comparing keys
 	 * @return			the value, NULL if not found
 	 */
-	void *(*get_match) (hashtable_t *this, void *key, hashtable_equals_t match);
+	void *(*get_match) (hashtable_t *this, const void *key,
+						hashtable_equals_t match);
 
 	/**
 	 * Removes the value with the given key from the hash table and returns the
@@ -134,7 +135,7 @@ struct hashtable_t {
 	 * @param key		the key of the value to remove
 	 * @return			the removed value, NULL if not found
 	 */
-	void *(*remove) (hashtable_t *this, void *key);
+	void *(*remove) (hashtable_t *this, const void *key);
 
 	/**
 	 * Removes the key and value pair from the hash table at which the given
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 2203519..4ff9aa6 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -31,7 +31,7 @@ ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_XAUTH,
 	"XAuth",
 );
 
-ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_REVOCATION_CERT,
+ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_AC_CERT,
 	"RULE_IDENTITY",
 	"RULE_IDENTITY_LOOSE",
 	"RULE_AUTH_CLASS",
@@ -56,6 +56,7 @@ ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_REVOCATION_CERT,
 	"HELPER_IM_HASH_URL",
 	"HELPER_SUBJECT_HASH_URL",
 	"HELPER_REVOCATION_CERT",
+	"HELPER_AC_CERT",
 );
 
 /**
@@ -91,6 +92,7 @@ static inline bool is_multi_value_rule(auth_rule_t type)
 		case AUTH_HELPER_IM_CERT:
 		case AUTH_HELPER_IM_HASH_URL:
 		case AUTH_HELPER_REVOCATION_CERT:
+		case AUTH_HELPER_AC_CERT:
 			return TRUE;
 	}
 	return FALSE;
@@ -224,6 +226,7 @@ static void init_entry(entry_t *this, auth_rule_t type, va_list args)
 		case AUTH_HELPER_IM_HASH_URL:
 		case AUTH_HELPER_SUBJECT_HASH_URL:
 		case AUTH_HELPER_REVOCATION_CERT:
+		case AUTH_HELPER_AC_CERT:
 			/* pointer type */
 			this->value = va_arg(args, void*);
 			break;
@@ -262,6 +265,7 @@ static bool entry_equals(entry_t *e1, entry_t *e2)
 		case AUTH_HELPER_IM_CERT:
 		case AUTH_HELPER_SUBJECT_CERT:
 		case AUTH_HELPER_REVOCATION_CERT:
+		case AUTH_HELPER_AC_CERT:
 		{
 			certificate_t *c1, *c2;
 
@@ -319,6 +323,7 @@ static void destroy_entry_value(entry_t *entry)
 		case AUTH_HELPER_IM_CERT:
 		case AUTH_HELPER_SUBJECT_CERT:
 		case AUTH_HELPER_REVOCATION_CERT:
+		case AUTH_HELPER_AC_CERT:
 		{
 			certificate_t *cert = (certificate_t*)entry->value;
 			cert->destroy(cert);
@@ -390,6 +395,7 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator,
 			case AUTH_HELPER_IM_HASH_URL:
 			case AUTH_HELPER_SUBJECT_HASH_URL:
 			case AUTH_HELPER_REVOCATION_CERT:
+			case AUTH_HELPER_AC_CERT:
 				/* pointer type */
 				entry->value = va_arg(args, void*);
 				break;
@@ -467,6 +473,7 @@ METHOD(auth_cfg_t, get, void*,
 		case AUTH_HELPER_IM_HASH_URL:
 		case AUTH_HELPER_SUBJECT_HASH_URL:
 		case AUTH_HELPER_REVOCATION_CERT:
+		case AUTH_HELPER_AC_CERT:
 		case AUTH_RULE_MAX:
 			break;
 	}
@@ -736,6 +743,7 @@ METHOD(auth_cfg_t, complies, bool,
 			case AUTH_HELPER_IM_HASH_URL:
 			case AUTH_HELPER_SUBJECT_HASH_URL:
 			case AUTH_HELPER_REVOCATION_CERT:
+			case AUTH_HELPER_AC_CERT:
 			case AUTH_RULE_MAX:
 				/* skip helpers */
 				continue;
@@ -868,6 +876,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 				case AUTH_HELPER_IM_CERT:
 				case AUTH_HELPER_SUBJECT_CERT:
 				case AUTH_HELPER_REVOCATION_CERT:
+				case AUTH_HELPER_AC_CERT:
 				{
 					certificate_t *cert = (certificate_t*)value;
 
@@ -1029,6 +1038,7 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
 			case AUTH_HELPER_IM_CERT:
 			case AUTH_HELPER_SUBJECT_CERT:
 			case AUTH_HELPER_REVOCATION_CERT:
+			case AUTH_HELPER_AC_CERT:
 			{
 				certificate_t *cert = (certificate_t*)value;
 				clone->add(clone, type, cert->get_ref(cert));
diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h
index d879355..95b36d7 100644
--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -117,6 +117,8 @@ enum auth_rule_t {
 	AUTH_HELPER_SUBJECT_HASH_URL,
 	/** revocation certificate (CRL, OCSP), certificate_t* */
 	AUTH_HELPER_REVOCATION_CERT,
+	/** attribute certificate for authorization decisions, certificate_t */
+	AUTH_HELPER_AC_CERT,
 
 	/** helper to determine the number of elements in this enum */
 	AUTH_RULE_MAX,
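Review bot: The new AUTH_HELPER_AC_CERT comment gives the payload type as `certificate_t` while its neighbour AUTH_HELPER_REVOCATION_CERT says `certificate_t*`, and the auth_cfg.c switches in this commit (entry_equals, destroy_entry_value, merge, clone_) do treat the value as a `certificate_t*`; the comment should match: `/** attribute certificate for authorization decisions, certificate_t* */`. Since auth_cfg_wrapper.c now also publishes AC_CERT entries as helper certificates, it may be worth saying here that the certificate is consulted only for authorization, not for peer authentication, if that is the intended contract.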
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index 4e52272..ddb64ef 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -38,7 +38,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_SERIAL",
 	"BUILD_DIGEST_ALG",
 	"BUILD_ENCRYPTION_ALG",
-	"BUILD_IETF_GROUP_ATTR",
+	"BUILD_AC_GROUP_STRINGS",
 	"BUILD_CA_CERT",
 	"BUILD_CERT",
 	"BUILD_CRL_DISTRIBUTION_POINTS",
@@ -72,4 +72,3 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_THRESHOLD",
 	"BUILD_END",
 );
-
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index 103b823..627e093 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -87,8 +87,8 @@ enum builder_part_t {
 	BUILD_DIGEST_ALG,
 	/** encryption algorithm to use, encryption_algorithm_t */
 	BUILD_ENCRYPTION_ALG,
-	/** a comma-separated list of ietf group attributes, char* */
-	BUILD_IETF_GROUP_ATTR,
+	/** list of AC group memberships, linked_list_t* with char* */
+	BUILD_AC_GROUP_STRINGS,
 	/** a ca certificate, certificate_t* */
 	BUILD_CA_CERT,
 	/** a certificate, certificate_t* */
diff --git a/src/libstrongswan/credentials/certificates/ac.h b/src/libstrongswan/credentials/certificates/ac.h
index 57b44ad..9a3d8f0 100644
--- a/src/libstrongswan/credentials/certificates/ac.h
+++ b/src/libstrongswan/credentials/certificates/ac.h
@@ -24,9 +24,18 @@
 
 #include <library.h>
 #include <credentials/certificates/certificate.h>
-#include <credentials/ietf_attributes/ietf_attributes.h>
 
 typedef struct ac_t ac_t;
+typedef enum ac_group_type_t ac_group_type_t;
+
+/**
+ * Common group types, from IETF Attributes Syntax
+ */
+enum ac_group_type_t {
+	AC_GROUP_TYPE_OCTETS,
+	AC_GROUP_TYPE_STRING,
+	AC_GROUP_TYPE_OID,
+};
 
 /**
  * X.509 attribute certificate interface.
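Review bot: ac_group_type_t orders its members OCTETS, STRING, OID, which differs from the removed ietf_attribute_type_t (OCTETS=0, OID=1, STRING=2 at L10366-L10368) that the deleted parser mapped to arithmetically via `(objectID - IETF_ATTR_OCTETS) / 2`. Any replacement parser therefore has to map ASN.1 object IDs to the new enum with an explicit switch rather than by porting that expression; the new parser is not in this chunk, so I cannot confirm it does. If the enum values are never encoded or persisted, the comment should say so that the order is free to change: `/** Common group types, from IETF Attributes Syntax; values are internal, not wire-encoded */`.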
@@ -70,19 +79,11 @@ struct ac_t {
 	chunk_t (*get_authKeyIdentifier)(ac_t *this);
 
 	/**
-	 * Get the group memberships as a list of IETF attributes
-	 *
-	 * @return			object containing a list of IETF attributes
-	 */
-	ietf_attributes_t* (*get_groups)(ac_t *this);
-
-	/**
-	 * @brief Checks if two attribute certificates belong to the same holder
+	 * Create an enumerator of contained Group memberships.
 	 *
-	 * @param that			other attribute certificate
-	 * @return				TRUE if same holder
+	 * @return			enumerator over (ac_group_type_t, chunk_t)
 	 */
-	bool (*equals_holder) (ac_t *this, ac_t *other);
+	enumerator_t* (*create_group_enumerator)(ac_t *this);
 };
 
 #endif /** AC_H_ @}*/
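Review bot: The create_group_enumerator doc does not state who owns the chunk_t yielded for each group or how long it remains valid, which callers need before they store, compare or free it; the removed get_groups returned a refcounted ietf_attributes_t, so lifetime was previously explicit. Whether the chunks point into the certificate's internal encoding is not visible here, but whichever applies should be written down, e.g. `@return enumerator over (ac_group_type_t *type, chunk_t *value), values point to internal data valid while this ac_t lives, do not free`. The hunk also drops equals_holder from the public interface without a replacement being visible; if holder comparison now lives elsewhere, a pointer to it in the struct doc would help readers.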
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 4e8d431..6cbfcde 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -39,25 +39,27 @@ typedef enum x509_constraint_t x509_constraint_t;
  */
 enum x509_flag_t {
 	/** cert has no constraints */
-	X509_NONE =				0,
+	X509_NONE =	               0,
 	/** cert has CA constraint */
-	X509_CA =				(1<<0),
+	X509_CA =                 (1<<0),
 	/** cert has AA constraint */
-	X509_AA =				(1<<1),
+	X509_AA =                 (1<<1),
 	/** cert has OCSP signer constraint */
-	X509_OCSP_SIGNER =		(1<<2),
+	X509_OCSP_SIGNER =        (1<<2),
 	/** cert has serverAuth key usage */
-	X509_SERVER_AUTH =		(1<<3),
+	X509_SERVER_AUTH =        (1<<3),
 	/** cert has clientAuth key usage */
-	X509_CLIENT_AUTH =		(1<<4),
+	X509_CLIENT_AUTH =        (1<<4),
 	/** cert is self-signed */
-	X509_SELF_SIGNED =		(1<<5),
+	X509_SELF_SIGNED =        (1<<5),
 	/** cert has an ipAddrBlocks extension */
-	X509_IP_ADDR_BLOCKS =	(1<<6),
+	X509_IP_ADDR_BLOCKS =     (1<<6),
 	/** cert has CRL sign key usage */
-	X509_CRL_SIGN =			(1<<7),
+	X509_CRL_SIGN =           (1<<7),
 	/** cert has iKEIntermediate key usage */
-	X509_IKE_INTERMEDIATE =	(1<<8),
+	X509_IKE_INTERMEDIATE =   (1<<8),
+	/** cert has Microsoft Smartcard Logon usage */
+	X509_MS_SMARTCARD_LOGON = (1<<9),
 };
 
 /**
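Review bot: Only one functional line is added here, `X509_MS_SMARTCARD_LOGON = (1<<9),`, yet the hunk rewrites every existing member of x509_flag_t from tab alignment to space alignment, and L10262 appears to end up with a tab followed by spaces (`X509_NONE =\t               0,`), so the result is still not uniformly aligned. Whitespace churn of this kind hides the real change in blame output and makes backports of the flag conflict; adding the new member with the file's existing tab alignment would have kept the diff to two lines. The enum's doc comment above is outside the hunk.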
diff --git a/src/libstrongswan/credentials/cred_encoding.c b/src/libstrongswan/credentials/cred_encoding.c
index 53ac13c..3038163 100644
--- a/src/libstrongswan/credentials/cred_encoding.c
+++ b/src/libstrongswan/credentials/cred_encoding.c
@@ -94,22 +94,6 @@ bool cred_encoding_args(va_list args, ...)
 	return !failed;
 }
 
-/**
- * hashtable hash() function
- */
-static u_int hash(void *key)
-{
-	return (uintptr_t)key;
-}
-
-/**
- * hashtable equals() function
- */
-static bool equals(void *key1, void *key2)
-{
-	return key1 == key2;
-}
-
 METHOD(cred_encoding_t, get_cache, bool,
 	private_cred_encoding_t *this, cred_encoding_type_t type, void *cache,
 	chunk_t *encoding)
@@ -289,7 +273,8 @@ cred_encoding_t *cred_encoding_create()
 
 	for (type = 0; type < CRED_ENCODING_MAX; type++)
 	{
-		this->cache[type] = hashtable_create(hash, equals, 8);
+		this->cache[type] = hashtable_create(hashtable_hash_ptr,
+											 hashtable_equals_ptr, 8);
 	}
 
 	return &this->public;
diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
deleted file mode 100644
index 49af5a0..0000000
--- a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
+++ /dev/null
@@ -1,534 +0,0 @@
-/*
- * Copyright (C) 2007-2009 Andreas Steffen
- *
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <asn1/oid.h>
-#include <asn1/asn1.h>
-#include <asn1/asn1_parser.h>
-#include <collections/linked_list.h>
-#include <utils/lexparser.h>
-
-#include "ietf_attributes.h"
-
-/**
- * Private definition of IETF attribute types
- */
-typedef enum {
-	IETF_ATTRIBUTE_OCTETS =	0,
-	IETF_ATTRIBUTE_OID =	1,
-	IETF_ATTRIBUTE_STRING =	2
-} ietf_attribute_type_t;
-
-typedef struct ietf_attr_t ietf_attr_t;
-
-/**
- * Private definition of an IETF attribute
- */
-struct ietf_attr_t {
-	/**
-	 * IETF attribute type
-	 */
-	ietf_attribute_type_t type;
-
-	/**
-	 * IETF attribute value
-	 */
-	chunk_t value;
-
-	/**
-	 * Compares two IETF attributes
-	 *
-	 * return -1 if this is earlier in the alphabet than other
-	 * return  0 if this equals other
-	 * return +1 if this is later in the alphabet than other
-	 *
-	 * @param other		other object
-	 */
-	int (*compare) (ietf_attr_t *this, ietf_attr_t *other);
-
-	/**
-	 * Destroys an ietf_attr_t object.
-	 */
-	void (*destroy) (ietf_attr_t *this);
-};
-
-/**
- * Implements ietf_attr_t.compare.
- */
-static int ietf_attr_compare(ietf_attr_t *this, ietf_attr_t *other)
-{
-	int cmp_len, len, cmp_value;
-
-	/* OID attributes are appended after STRING and OCTETS attributes */
-	if (this->type != IETF_ATTRIBUTE_OID && other->type == IETF_ATTRIBUTE_OID)
-	{
-		return -1;
-	}
-	if (this->type == IETF_ATTRIBUTE_OID && other->type != IETF_ATTRIBUTE_OID)
-	{
-		return 1;
-	}
-
-	cmp_len = this->value.len - other->value.len;
-	len = (cmp_len < 0) ? this->value.len : other->value.len;
-	cmp_value = memcmp(this->value.ptr, other->value.ptr, len);
-
-	return (cmp_value == 0) ? cmp_len : cmp_value;
-}
-
-/**
- * Implements ietf_attr_t.destroy.
- */
-static void ietf_attr_destroy(ietf_attr_t *this)
-{
-	free(this->value.ptr);
-	free(this);
-}
-
-/**
- * Creates an ietf_attr_t object.
- */
-static ietf_attr_t* ietf_attr_create(ietf_attribute_type_t type, chunk_t value)
-{
-	ietf_attr_t *this;
-
-	INIT(this,
-		.compare = ietf_attr_compare,
-		.destroy = ietf_attr_destroy,
-		.type = type,
-		.value = chunk_clone(value),
-	);
-
-	return this;
-}
-
-typedef struct private_ietf_attributes_t private_ietf_attributes_t;
-
-/**
- * Private data of an ietf_attributes_t object.
- */
-struct private_ietf_attributes_t {
-	/**
-	 * Public interface.
-	 */
-	ietf_attributes_t public;
-
-	/**
-	 * Printable representation of the IETF attributes
-	 */
-	char *string;
-
-	/**
-	 * Linked list of IETF attributes.
-	 */
-	linked_list_t *list;
-
-	/**
-	 * reference count
-	 */
-	refcount_t ref;
-};
-
-METHOD(ietf_attributes_t, get_string, char*,
-	private_ietf_attributes_t *this)
-{
-	if (this->string == NULL)
-	{
-		char buf[BUF_LEN];
-		char *pos = buf;
-		int len = BUF_LEN;
-		bool first = TRUE;
-		ietf_attr_t *attr;
-		enumerator_t *enumerator;
-
-		enumerator = this->list->create_enumerator(this->list);
-		while (enumerator->enumerate(enumerator, &attr))
-		{
-			int written;
-
-			if (first)
-			{
-				first = FALSE;
-			}
-			else
-			{
-				written = snprintf(pos, len, ", ");
-				if (written < 0 || written >= len)
-				{
-					break;
-				}
-				pos += written;
-				len -= written;
-			}
-
-			switch (attr->type)
-			{
-				case IETF_ATTRIBUTE_OCTETS:
-				case IETF_ATTRIBUTE_STRING:
-					written = snprintf(pos, len, "%.*s", (int)attr->value.len,
-														 attr->value.ptr);
-					break;
-				case IETF_ATTRIBUTE_OID:
-				{
-					int oid = asn1_known_oid(attr->value);
-
-					if (oid == OID_UNKNOWN)
-					{
-						written = snprintf(pos, len, "0x%#B", &attr->value);
-					}
-					else
-					{
-						written = snprintf(pos, len, "%s", oid_names[oid].name);
-					}
-					break;
-				}
-				default:
-					written = 0;
-					break;
-			}
-			if (written < 0 || written >= len)
-			{
-				break;
-			}
-			pos += written;
-			len -= written;
-		}
-		enumerator->destroy(enumerator);
-		if (len < BUF_LEN)
-		{
-			this->string = strdup(buf);
-		}
-	}
-	return this->string;
-}
-
-METHOD(ietf_attributes_t, get_encoding, chunk_t,
-	private_ietf_attributes_t *this)
-{
-	chunk_t values;
-	size_t size = 0;
-	u_char *pos;
-	ietf_attr_t *attr;
-	enumerator_t *enumerator;
-
-	/* precalculate the total size of all values */
-	enumerator = this->list->create_enumerator(this->list);
-	while (enumerator->enumerate(enumerator, &attr))
-	{
-		size_t len = attr->value.len;
-
-		size += 1 + (len > 0) + (len >= 128) + (len >= 256) + (len >= 65536) + len;
-	}
-	enumerator->destroy(enumerator);
-
-	pos = asn1_build_object(&values, ASN1_SEQUENCE, size);
-
-	enumerator = this->list->create_enumerator(this->list);
-	while (enumerator->enumerate(enumerator, &attr))
-	{
-		chunk_t ietfAttribute;
-		asn1_t type = ASN1_NULL;
-
-		switch (attr->type)
-		{
-			case IETF_ATTRIBUTE_OCTETS:
-				type = ASN1_OCTET_STRING;
-				break;
-			case IETF_ATTRIBUTE_STRING:
-				type = ASN1_UTF8STRING;
-				break;
-			case IETF_ATTRIBUTE_OID:
-				type = ASN1_OID;
-				break;
-		}
-		ietfAttribute = asn1_simple_object(type, attr->value);
-
-		/* copy ietfAttribute into values chunk */
-		memcpy(pos, ietfAttribute.ptr, ietfAttribute.len);
-		pos += ietfAttribute.len;
-		free(ietfAttribute.ptr);
-	}
-	enumerator->destroy(enumerator);
-
-	return asn1_wrap(ASN1_SEQUENCE, "m", values);
-}
-
-/**
- * Implementation of ietf_attributes_t.equals.
- */
-static bool equals(private_ietf_attributes_t *this,
-				   private_ietf_attributes_t *other)
-{
-	 bool result = TRUE;
-
-	/* lists must have the same number of attributes */
-	if (other == NULL ||
-		this->list->get_count(this->list) != other->list->get_count(other->list))
-	{
-		return FALSE;
-	}
-
-	/* compare two alphabetically-sorted lists */
-	{
-		ietf_attr_t *attr_a, *attr_b;
-		enumerator_t *enum_a, *enum_b;
-
-		enum_a = this->list->create_enumerator(this->list);
-		enum_b = other->list->create_enumerator(other->list);
-		while (enum_a->enumerate(enum_a, &attr_a) &&
-			   enum_b->enumerate(enum_b, &attr_b))
-		{
-			if (attr_a->compare(attr_a, attr_b) != 0)
-			{
-				/* we have a mismatch */
-				result = FALSE;
-				break;
-			}
-		}
-		enum_a->destroy(enum_a);
-		enum_b->destroy(enum_b);
-	}
-	return result;
-}
-
-/**
- * Implementation of ietf_attributes_t.matches.
- */
-static bool matches(private_ietf_attributes_t *this,
-					private_ietf_attributes_t *other)
-{
-	bool result = FALSE;
-	ietf_attr_t *attr_a, *attr_b;
-	enumerator_t *enum_a, *enum_b;
-
-	/* always match if this->list does not contain any attributes */
-	if (this->list->get_count(this->list) == 0)
-	{
-		return TRUE;
-	}
-
-	/* never match if other->list does not contain any attributes */
-	if (other == NULL || other->list->get_count(other->list) == 0)
-	{
-		return FALSE;
-	}
-
-	/* get first attribute from both lists */
-	enum_a = this->list->create_enumerator(this->list);
-	enum_a->enumerate(enum_a, &attr_a);
-	enum_b = other->list->create_enumerator(other->list);
-	enum_b->enumerate(enum_b, &attr_b);
-
-	/* look for at least one common attribute */
-	while (TRUE)
-	{
-		int cmp = attr_a->compare(attr_a, attr_b);
-
-		if (cmp == 0)
-		{
-			/* we have a match */
-			result = TRUE;
-			break;
-		}
-		if (cmp == -1)
-		{
-			/* attr_a is earlier in the alphabet, get next attr_a */
-			if (!enum_a->enumerate(enum_a, &attr_a))
-			{
-				/* we have reached the end of enum_a */
-				break;
-			}
-		}
-		else
-		{
-			/* attr_a is later in the alphabet, get next attr_b */
-			if (!enum_b->enumerate(enum_b, &attr_b))
-			{
-				/* we have reached the end of enum_b */
-				break;
-			}
-		}
-	}
-	enum_a->destroy(enum_a);
-	enum_b->destroy(enum_b);
-
-	return result;
-}
-
-METHOD(ietf_attributes_t, get_ref, ietf_attributes_t*,
-	private_ietf_attributes_t *this)
-{
-	ref_get(&this->ref);
-	return &this->public;
-}
-
-METHOD(ietf_attributes_t, destroy, void,
-	private_ietf_attributes_t *this)
-{
-	if (ref_put(&this->ref))
-	{
-		this->list->destroy_offset(this->list, offsetof(ietf_attr_t, destroy));
-		free(this->string);
-		free(this);
-	}
-}
-
-static private_ietf_attributes_t* create_empty(void)
-{
-	private_ietf_attributes_t *this;
-
-	INIT(this,
-		.public = {
-			.get_string = _get_string,
-			.get_encoding = _get_encoding,
-			.equals = (bool (*)(ietf_attributes_t*,ietf_attributes_t*))equals,
-			.matches = (bool (*)(ietf_attributes_t*,ietf_attributes_t*))matches,
-			.get_ref = _get_ref,
-			.destroy = _destroy,
-		},
-		.list = linked_list_create(),
-		.ref = 1,
-	);
-
-	return this;
-}
-
-/**
- * Adds an ietf_attr_t object to a sorted linked list
- */
-static void ietf_attributes_add(private_ietf_attributes_t *this,
-								ietf_attr_t *attr)
-{
-	ietf_attr_t *current_attr;
-	enumerator_t *enumerator;
-	int cmp = -1;
-
-	enumerator = this->list->create_enumerator(this->list);
-	while (enumerator->enumerate(enumerator, (void **)&current_attr) &&
-		  (cmp = attr->compare(attr, current_attr)) > 0)
-	{
-		continue;
-	}
-	if (cmp == 0)
-	{
-		attr->destroy(attr);
-	}
-	else
-	{	/* the enumerator either points to the end or to the attribute > attr */
-		this->list->insert_before(this->list, enumerator, attr);
-	}
-	enumerator->destroy(enumerator);
-}
-
-/*
- * Described in header.
- */
-ietf_attributes_t *ietf_attributes_create_from_string(char *string)
-{
-	private_ietf_attributes_t *this = create_empty();
-
-	chunk_t line = { string, strlen(string) };
-
-	while (eat_whitespace(&line))
-	{
-		chunk_t group;
-
-		/* extract the next comma-separated group attribute */
-		if (!extract_token(&group, ',', &line))
-		{
-			group = line;
-			line.len = 0;
-		}
-
-		/* remove any trailing spaces */
-		while (group.len > 0 && *(group.ptr + group.len - 1) == ' ')
-		{
-			group.len--;
-		}
-
-		/* add the group attribute to the list */
-		if (group.len > 0)
-		{
-			ietf_attr_t *attr = ietf_attr_create(IETF_ATTRIBUTE_STRING, group);
-
-			ietf_attributes_add(this, attr);
-		}
-	}
-
-	return &(this->public);
-}
-
-/**
- * ASN.1 definition of ietfAttrSyntax
- */
-static const asn1Object_t ietfAttrSyntaxObjects[] =
-{
-	{ 0, "ietfAttrSyntax",		ASN1_SEQUENCE,		ASN1_NONE }, /*  0 */
-	{ 1,   "policyAuthority",	ASN1_CONTEXT_C_0,	ASN1_OPT |
-													ASN1_BODY }, /*  1 */
-	{ 1,   "end opt",			ASN1_EOC,			ASN1_END  }, /*  2 */
-	{ 1,   "values",			ASN1_SEQUENCE,		ASN1_LOOP }, /*  3 */
-	{ 2,     "octets",			ASN1_OCTET_STRING,	ASN1_OPT |
-													ASN1_BODY }, /*  4 */
-	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  5 */
-	{ 2,     "oid",				ASN1_OID,			ASN1_OPT |
-													ASN1_BODY }, /*  6 */
-	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  7 */
-	{ 2,     "string",			ASN1_UTF8STRING,	ASN1_OPT |
-													ASN1_BODY }, /*  8 */
-	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  9 */
-	{ 1,   "end loop",			ASN1_EOC,			ASN1_END  }, /* 10 */
-	{ 0, "exit",				ASN1_EOC,			ASN1_EXIT }
-};
-#define IETF_ATTR_OCTETS	 4
-#define IETF_ATTR_OID		 6
-#define IETF_ATTR_STRING	 8
-
-/*
- * Described in header.
- */
-ietf_attributes_t *ietf_attributes_create_from_encoding(chunk_t encoded)
-{
-	private_ietf_attributes_t *this = create_empty();
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
-
-	parser = asn1_parser_create(ietfAttrSyntaxObjects, encoded);
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		switch (objectID)
-		{
-			case IETF_ATTR_OCTETS:
-			case IETF_ATTR_OID:
-			case IETF_ATTR_STRING:
-				{
-					ietf_attribute_type_t type;
-					ietf_attr_t *attr;
-
-					type = (objectID - IETF_ATTR_OCTETS) / 2;
-					attr = ietf_attr_create(type, object);
-					ietf_attributes_add(this, attr);
-				}
-				break;
-			default:
-				break;
-		}
-	}
-	parser->destroy(parser);
-
-	return &(this->public);
-}
-
diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.h b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.h
deleted file mode 100644
index ab6bae9..0000000
--- a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.h
+++ /dev/null
@@ -1,92 +0,0 @@
-/*
- * Copyright (C) 2007-2009 Andreas Steffen
- *
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ietf_attributes ietf_attributes
- * @{ @ingroup credentials
- */
-
-#ifndef IETF_ATTRIBUTES_H_
-#define IETF_ATTRIBUTES_H_
-
-typedef struct ietf_attributes_t ietf_attributes_t;
-
-#include <library.h>
-
-/**
- *
- */
-struct ietf_attributes_t {
-
-	/**
-	 * Get the an alphabetically sorted list of printable IETF attributes.
-	 *
-	 * Result points to internal data, do not free.
-	 *
-	 * @return 			a string containing printable attributes
-	 */
-	char* (*get_string) (ietf_attributes_t *this);
-
-	/**
-	 * Get the ASN.1 encoding of the IETF attributes.
-	 *
-	 * @return 			allocated chunk containing the encoded bytes
-	 */
-	chunk_t (*get_encoding) (ietf_attributes_t *this);
-
-	/**
-	 * Check for equality between two lists.
-	 *
-	 * @param other		attribute list to be checked for equality
-	 * @return 			TRUE if equal
-	 */
-	bool (*equals) (ietf_attributes_t *this, ietf_attributes_t *other);
-
-	/**
-	 * Check for common attributes between two lists.
-	 *
-	 * @param other		attribute list to be matched 
-	 * @return 			TRUE if there is at least a common attribute
-	 */
-	bool (*matches) (ietf_attributes_t *this, ietf_attributes_t *other);
-
-	/**
-	 * Get a new reference to the IETF attributes.
-	 *
-	 * @return			this, with an increased refcount
-	 */
-	ietf_attributes_t* (*get_ref)(ietf_attributes_t *this);
-
-	/**
-	 * Destroys an ietf_attributes_t object.
-	 */
-	void (*destroy) (ietf_attributes_t *this);
-};
-
-/**
- * @param string	input string, which will be converted
- * @return			ietf_attributes_t
- */
-ietf_attributes_t *ietf_attributes_create_from_string(char *string);
-
-/**
- * @param encoded	ASN.1 encoded bytes, such as from ietf_attributes.get_encoding
- * @return			ietf_attributes_t
- */
-ietf_attributes_t *ietf_attributes_create_from_encoding(chunk_t encoded);
-
-#endif /** IETF_ATTRIBUTES_H_ @}*/
-
diff --git a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
index 46bfb5c..c6b8d0c 100644
--- a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
+++ b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
@@ -133,7 +133,8 @@ static bool enumerate(wrapper_enumerator_t *this, certificate_t **cert)
 		}
 		else if (rule != AUTH_HELPER_SUBJECT_CERT &&
 				 rule != AUTH_HELPER_IM_CERT &&
-				 rule != AUTH_HELPER_REVOCATION_CERT)
+				 rule != AUTH_HELPER_REVOCATION_CERT &&
+				 rule != AUTH_HELPER_AC_CERT)
 		{	/* handle only HELPER certificates */
 			continue;
 		}
diff --git a/src/libstrongswan/crypto/aead.h b/src/libstrongswan/crypto/aead.h
index c887f53..43f71b6 100644
--- a/src/libstrongswan/crypto/aead.h
+++ b/src/libstrongswan/crypto/aead.h
@@ -102,6 +102,10 @@ struct aead_t {
 	/**
 	 * Get the size of the key material (for encryption and authentication).
 	 *
+	 * This includes any additional bytes requires for the implicit nonce part.
+	 * For AEADs based on traditional ciphers, the length is for both
+	 * the integrity and the encryption key in total.
+	 *
 	 * @return				key size in bytes
 	 */
 	size_t (*get_key_size)(aead_t *this);
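Review bot: Typo in the added get_key_size doc at L10992, "requires" should be "required": `This includes any additional bytes required for the implicit nonce part.`. Since the implicit nonce is now carried inside the key, implementers would also benefit from an explicit statement that the returned size equals the cipher key length plus the salt_size the AEAD was created with (the salt_size constructor parameter is introduced in crypto_factory.h in this same commit), so that key-material derivation and set_key at L11003-L11009 stay consistent.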
@@ -109,6 +113,11 @@ struct aead_t {
 	/**
 	 * Set the key for encryption and authentication.
 	 *
+	 * If the AEAD uses an implicit nonce, the last part of the key shall
+	 * be the implicit nonce. For AEADs based on traditional ciphers, the
+	 * key shall include both integrity and encryption keys, concatenated
+	 * in that order.
+	 *
 	 * @param key			encryption and authentication key
 	 * @return				TRUE if key set successfully
 	 */
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index dba3f6f..6dea30e 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2013-2014 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -20,6 +20,7 @@
 #include <threading/rwlock.h>
 #include <collections/linked_list.h>
 #include <crypto/crypto_tester.h>
+#include <utils/test.h>
 
 const char *default_plugin_name = "default";
 
@@ -175,7 +176,7 @@ METHOD(crypto_factory_t, create_crypter, crypter_t*,
 
 METHOD(crypto_factory_t, create_aead, aead_t*,
 	private_crypto_factory_t *this, encryption_algorithm_t algo,
-	size_t key_size)
+	size_t key_size, size_t salt_size)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -189,12 +190,12 @@ METHOD(crypto_factory_t, create_aead, aead_t*,
 		{
 			if (this->test_on_create &&
 				!this->tester->test_aead(this->tester, algo, key_size,
-										 entry->create_aead, NULL,
+										 salt_size, entry->create_aead, NULL,
 										 default_plugin_name))
 			{
 				continue;
 			}
-			aead = entry->create_aead(algo, key_size);
+			aead = entry->create_aead(algo, key_size, salt_size);
 			if (aead)
 			{
 				break;
@@ -473,7 +474,7 @@ METHOD(crypto_factory_t, add_aead, bool,
 	u_int speed = 0;
 
 	if (!this->test_on_add ||
-		this->tester->test_aead(this->tester, algo, 0, create,
+		this->tester->test_aead(this->tester, algo, 0, 0, create,
 								this->bench ? &speed : NULL, plugin_name))
 	{
 		add_entry(this, this->aeads, algo, plugin_name, speed, create);
@@ -976,3 +977,39 @@ crypto_factory_t *crypto_factory_create()
 
 	return &this->public;
 }
+
+/**
+ * Manually verify all registered algorithms against test vectors
+ */
+static u_int verify_registered_algorithms(crypto_factory_t *factory)
+{
+	private_crypto_factory_t *this = (private_crypto_factory_t*)factory;
+	enumerator_t *enumerator;
+	entry_t *entry;
+	u_int failures = 0;
+
+#define TEST_ALGORITHMS(test, ...) do { \
+	enumerator = this->test##s->create_enumerator(this->test##s); \
+	while (enumerator->enumerate(enumerator, &entry)) \
+	{ \
+		if (!this->tester->test_##test(this->tester, entry->algo, ##__VA_ARGS__, \
+							entry->create_##test, NULL, entry->plugin_name)) \
+		{ \
+			failures++; \
+		} \
+	} \
+	enumerator->destroy(enumerator); \
+} while (0)
+
+	this->lock->read_lock(this->lock);
+	TEST_ALGORITHMS(crypter, 0);
+	TEST_ALGORITHMS(aead, 0, 0);
+	TEST_ALGORITHMS(signer);
+	TEST_ALGORITHMS(hasher);
+	TEST_ALGORITHMS(prf);
+	TEST_ALGORITHMS(rng);
+	this->lock->unlock(this->lock);
+	return failures;
+}
+
+EXPORT_FUNCTION_FOR_TESTS(crypto, verify_registered_algorithms);
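Review bot: verify_registered_algorithms documents neither its return value nor the literal arguments passed for crypter and aead, so the header comment should gain `@param factory crypto factory whose registered algorithms are verified` and `@return number of algorithm/plugin entries that failed their test vectors`, plus a comment on the `TEST_ALGORITHMS(crypter, 0)` / `TEST_ALGORITHMS(aead, 0, 0)` lines that the zeros are key size and salt size, matching how add_aead at L11059 invokes the tester. The TEST_ALGORITHMS macro is defined inside the function body and never undefined; it is at the end of the file so nothing is affected today, but `#undef TEST_ALGORITHMS` after the last use keeps it from leaking into anything appended later. The `##__VA_ARGS__` form with an empty argument list, as in `TEST_ALGORITHMS(signer)`, is a GNU/clang extension rather than standard C99, which is fine if the build already assumes it but worth noting for test-only code exported through EXPORT_FUNCTION_FOR_TESTS.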
diff --git a/src/libstrongswan/crypto/crypto_factory.h b/src/libstrongswan/crypto/crypto_factory.h
index 281dc25..7865bcb 100644
--- a/src/libstrongswan/crypto/crypto_factory.h
+++ b/src/libstrongswan/crypto/crypto_factory.h
@@ -46,7 +46,7 @@ typedef crypter_t* (*crypter_constructor_t)(encryption_algorithm_t algo,
  * Constructor function for aead transforms
  */
 typedef aead_t* (*aead_constructor_t)(encryption_algorithm_t algo,
-									  size_t key_size);
+									  size_t key_size, size_t salt_size);
 /**
  * Constructor function for signers
  */
@@ -100,10 +100,12 @@ struct crypto_factory_t {
 	 *
 	 * @param algo			encryption algorithm
 	 * @param key_size		length of the key in bytes
+	 * @param salt_size		size of salt, implicit part of the nonce
 	 * @return				aead_t instance, NULL if not supported
 	 */
 	aead_t* (*create_aead)(crypto_factory_t *this,
-						   encryption_algorithm_t algo, size_t key_size);
+						   encryption_algorithm_t algo,
+						   size_t key_size, size_t salt_size);
 
 	/**
 	 * Create a symmetric signer instance.
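Review bot: The new `@param salt_size` line documents what the value is but not the zero case, while the crypto_tester.h hunk in this commit says `0 for default` and the ccm/gcm constructors accept 0 as the built-in salt size; write `@param salt_size size of salt, implicit part of the nonce, 0 for the algorithm's default` so callers know 0 is a valid input rather than an error. The `aead_constructor_t` typedef in the previous hunk has the same gap, as its comment describes no parameters at all.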
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index 30724b1..c6780da 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -204,16 +204,13 @@ METHOD(crypto_tester_t, test_crypter, bool,
 			continue;
 		}
 
-		tested++;
-		failed = TRUE;
 		crypter = create(alg, vector->key_size);
 		if (!crypter)
-		{
-			DBG1(DBG_LIB, "%N[%s]: %u bit key size not supported",
-				 encryption_algorithm_names, alg, plugin_name,
-				 BITS_PER_BYTE * vector->key_size);
+		{	/* key size not supported */
 			continue;
 		}
+		tested++;
+		failed = TRUE;
 
 		key = chunk_create(vector->key, crypter->get_key_size(crypter));
 		if (!crypter->set_key(crypter, key))
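Review bot: With `tested++` moved after the constructor call, a crypter whose `create` rejects every vector's key size now leaves `tested` at 0 and, unlike before, logs nothing at all; whether that case is then reported as a pass depends on the post-loop check, which lies outside this hunk. If it is, an implementation that silently rejects all key sizes would be registered as verified, so consider keeping at least a DBG2-level message in the `/* key size not supported */` branch or handling `tested == 0` explicitly after the loop. The enclosing test_crypter body starts and ends outside the hunk.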
@@ -318,7 +315,7 @@ static u_int bench_aead(private_crypto_tester_t *this,
 {
 	aead_t *aead;
 
-	aead = create(alg, 0);
+	aead = create(alg, 0, 0);
 	if (aead)
 	{
 		char iv[aead->get_iv_size(aead)];
@@ -367,7 +364,8 @@ static u_int bench_aead(private_crypto_tester_t *this,
 
 METHOD(crypto_tester_t, test_aead, bool,
 	private_crypto_tester_t *this, encryption_algorithm_t alg, size_t key_size,
-	aead_constructor_t create, u_int *speed, const char *plugin_name)
+	size_t salt_size, aead_constructor_t create,
+	u_int *speed, const char *plugin_name)
 {
 	enumerator_t *enumerator;
 	aead_test_vector_t *vector;
@@ -389,10 +387,14 @@ METHOD(crypto_tester_t, test_aead, bool,
 		{	/* test only vectors with a specific key size, if key size given */
 			continue;
 		}
+		if (salt_size && salt_size != vector->salt_size)
+		{
+			continue;
+		}
 
 		tested++;
 		failed = TRUE;
-		aead = create(alg, vector->key_size);
+		aead = create(alg, vector->key_size, vector->salt_size);
 		if (!aead)
 		{
 			DBG1(DBG_LIB, "%N[%s]: %u bit key size not supported",
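Review bot: The failure message at the end of the hunk still reports only the key size, but `create` is now also handed `vector->salt_size`, and the ccm/gcm constructors in this commit return NULL for an unsupported salt size too, so the log would blame the wrong parameter. Extend the message, e.g. `"%N[%s]: %u bit key / %u byte salt size not supported"` with `BITS_PER_BYTE * vector->key_size, vector->salt_size` as the trailing arguments (the argument list continues outside the hunk). The new `salt_size` filter also deserves the same kind of comment as the key_size filter above it, e.g. `/* test only vectors with a specific salt size, if given */`. test_aead's body continues past the hunk.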
@@ -1221,4 +1223,3 @@ crypto_tester_t *crypto_tester_create()
 
 	return &this->public;
 }
-
diff --git a/src/libstrongswan/crypto/crypto_tester.h b/src/libstrongswan/crypto/crypto_tester.h
index 9ac6659..add3b1c 100644
--- a/src/libstrongswan/crypto/crypto_tester.h
+++ b/src/libstrongswan/crypto/crypto_tester.h
@@ -54,6 +54,8 @@ struct aead_test_vector_t {
 	encryption_algorithm_t alg;
 	/** key length to use, in bytes */
 	size_t key_size;
+	/** salt length to use, in bytes */
+	size_t salt_size;
 	/** encryption key of test vector */
 	u_char *key;
 	/** initialization vector, using crypters blocksize bytes */
@@ -150,13 +152,15 @@ struct crypto_tester_t {
 	 *
 	 * @param alg			algorithm to test
 	 * @param key_size		key size to test, 0 for default
+	 * @param salt_size		salt length to test, 0 for default
 	 * @param create		constructor function for the aead transform
 	 * @param speed			speed test result, NULL to omit
 	 * @return				TRUE if test passed
 	 */
 	bool (*test_aead)(crypto_tester_t *this, encryption_algorithm_t alg,
-						 size_t key_size, aead_constructor_t create,
-						 u_int *speed, const char *plugin_name);
+					  size_t key_size, size_t salt_size,
+					  aead_constructor_t create,
+					  u_int *speed, const char *plugin_name);
 	/**
 	 * Test a signer algorithm.
 	 *
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index 8472c30..c5bb4cd 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -265,8 +265,11 @@ bool library_init(char *settings, const char *namespace)
 
 #ifdef LEAK_DETECTIVE
 	lib->leak_detective = leak_detective_create();
-	lib->leak_detective->set_report_cb(lib->leak_detective,
-									   report_leaks, sum_leaks, NULL);
+	if (lib->leak_detective)
+	{
+		lib->leak_detective->set_report_cb(lib->leak_detective,
+										   report_leaks, sum_leaks, NULL);
+	}
 #endif /* LEAK_DETECTIVE */
 
 	pfh = printf_hook_create();
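Review bot: Guarding the `set_report_cb` call means `lib->leak_detective` may now legitimately be NULL after library_init, so every other dereference of it in this file (including the deinit path) needs the same check; those sites are outside this hunk, so verify they were updated in the same commit. A short comment on the guard such as `/* leak_detective_create() may return NULL; see its documentation for when */` would document why the NULL case is expected here, with the wording adjusted to the actual reason the constructor can fail, which is not visible in this diff.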
diff --git a/src/libstrongswan/plugins/acert/Makefile.am b/src/libstrongswan/plugins/acert/Makefile.am
new file mode 100644
index 0000000..ba16f41
--- /dev/null
+++ b/src/libstrongswan/plugins/acert/Makefile.am
@@ -0,0 +1,17 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-acert.la
+else
+plugin_LTLIBRARIES = libstrongswan-acert.la
+endif
+
+libstrongswan_acert_la_SOURCES = \
+	acert_validator.h acert_validator.c \
+	acert_plugin.h acert_plugin.c
+
+libstrongswan_acert_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/nonce/Makefile.in b/src/libstrongswan/plugins/acert/Makefile.in
similarity index 94%
copy from src/libstrongswan/plugins/nonce/Makefile.in
copy to src/libstrongswan/plugins/acert/Makefile.in
index 25437bd..3dd650d 100644
--- a/src/libstrongswan/plugins/nonce/Makefile.in
+++ b/src/libstrongswan/plugins/acert/Makefile.in
@@ -78,7 +78,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-subdir = src/libstrongswan/plugins/nonce
+subdir = src/libstrongswan/plugins/acert
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -127,20 +127,20 @@ am__uninstall_files_from_dir = { \
   }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
-libstrongswan_nonce_la_LIBADD =
-am_libstrongswan_nonce_la_OBJECTS = nonce_plugin.lo nonce_nonceg.lo
-libstrongswan_nonce_la_OBJECTS = $(am_libstrongswan_nonce_la_OBJECTS)
+libstrongswan_acert_la_LIBADD =
+am_libstrongswan_acert_la_OBJECTS = acert_validator.lo acert_plugin.lo
+libstrongswan_acert_la_OBJECTS = $(am_libstrongswan_acert_la_OBJECTS)
 AM_V_lt = $(am__v_lt_ at AM_V@)
 am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
 am__v_lt_0 = --silent
 am__v_lt_1 = 
-libstrongswan_nonce_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+libstrongswan_acert_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_nonce_la_LDFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_acert_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
- at MONOLITHIC_FALSE@am_libstrongswan_nonce_la_rpath = -rpath \
+ at MONOLITHIC_FALSE@am_libstrongswan_acert_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
- at MONOLITHIC_TRUE@am_libstrongswan_nonce_la_rpath =
+ at MONOLITHIC_TRUE@am_libstrongswan_acert_la_rpath =
 AM_V_P = $(am__v_P_ at AM_V@)
 am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
 am__v_P_0 = false
@@ -175,8 +175,8 @@ AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
 am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
 am__v_CCLD_0 = @echo "  CCLD    " $@;
 am__v_CCLD_1 = 
-SOURCES = $(libstrongswan_nonce_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_nonce_la_SOURCES)
+SOURCES = $(libstrongswan_acert_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_acert_la_SOURCES)
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
     n|no|NO) false;; \
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -417,13 +416,13 @@ AM_CPPFLAGS = \
 AM_CFLAGS = \
 	-rdynamic
 
- at MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-nonce.la
- at MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-nonce.la
-libstrongswan_nonce_la_SOURCES = \
-	nonce_plugin.h nonce_plugin.c \
-	nonce_nonceg.c nonce_nonceg.h
+ at MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-acert.la
+ at MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-acert.la
+libstrongswan_acert_la_SOURCES = \
+	acert_validator.h acert_validator.c \
+	acert_plugin.h acert_plugin.c
 
-libstrongswan_nonce_la_LDFLAGS = -module -avoid-version
+libstrongswan_acert_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
@@ -437,9 +436,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/nonce/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/acert/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/nonce/Makefile
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/acert/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -505,8 +504,8 @@ clean-pluginLTLIBRARIES:
 	  rm -f $${locs}; \
 	}
 
-libstrongswan-nonce.la: $(libstrongswan_nonce_la_OBJECTS) $(libstrongswan_nonce_la_DEPENDENCIES) $(EXTRA_libstrongswan_nonce_la_DEPENDENCIES) 
-	$(AM_V_CCLD)$(libstrongswan_nonce_la_LINK) $(am_libstrongswan_nonce_la_rpath) $(libstrongswan_nonce_la_OBJECTS) $(libstrongswan_nonce_la_LIBADD) $(LIBS)
+libstrongswan-acert.la: $(libstrongswan_acert_la_OBJECTS) $(libstrongswan_acert_la_DEPENDENCIES) $(EXTRA_libstrongswan_acert_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_acert_la_LINK) $(am_libstrongswan_acert_la_rpath) $(libstrongswan_acert_la_OBJECTS) $(libstrongswan_acert_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -514,8 +513,8 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/nonce_nonceg.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/nonce_plugin.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/acert_plugin.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/acert_validator.Plo at am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
diff --git a/src/libstrongswan/plugins/acert/acert_plugin.c b/src/libstrongswan/plugins/acert/acert_plugin.c
new file mode 100644
index 0000000..01d9ae3
--- /dev/null
+++ b/src/libstrongswan/plugins/acert/acert_plugin.c
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "acert_plugin.h"
+#include "acert_validator.h"
+
+#include <library.h>
+
+typedef struct private_acert_plugin_t private_acert_plugin_t;
+
+/**
+ * private data of acert_plugin
+ */
+struct private_acert_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	acert_plugin_t public;
+
+	/**
+	 * Validator implementation instance.
+	 */
+	acert_validator_t *validator;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_acert_plugin_t *this)
+{
+	return "acert";
+}
+
+/**
+ * Register validator
+ */
+static bool plugin_cb(private_acert_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+	}
+	else
+	{
+		lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_acert_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "acert"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_acert_plugin_t *this)
+{
+	this->validator->destroy(this->validator);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *acert_plugin_create()
+{
+	private_acert_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+		.validator = acert_validator_create(),
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/pki/pki.h b/src/libstrongswan/plugins/acert/acert_plugin.h
similarity index 54%
copy from src/pki/pki.h
copy to src/libstrongswan/plugins/acert/acert_plugin.h
index 09c50c6..97d1293 100644
--- a/src/pki/pki.h
+++ b/src/libstrongswan/plugins/acert/acert_plugin.h
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -14,23 +14,29 @@
  */
 
 /**
- * @defgroup pki pki
+ * @defgroup acert acert
+ * @ingroup plugins
  *
- * @addtogroup pki
- * @{
+ * @defgroup acert_plugin acert_plugin
+ * @{ @ingroup acert
  */
 
-#ifndef PKI_H_
-#define PKI_H_
+#ifndef ACERT_PLUGIN_H_
+#define ACERT_PLUGIN_H_
 
-#include "command.h"
+#include <plugins/plugin.h>
 
-#include <library.h>
-#include <credentials/keys/private_key.h>
+typedef struct acert_plugin_t acert_plugin_t;
 
 /**
- * Convert a form string to a encoding type
+ * X.509 attribute certificate group membership checking.
  */
-bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type);
+struct acert_plugin_t {
 
-#endif /** PKI_H_ @}*/
+	/**
+	 * Implements plugin_t. interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** ACERT_PLUGIN_H_ @}*/
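Review bot: The struct member comment reads `Implements plugin_t. interface.` with a stray period after the type name; change it to `Implements plugin_t interface.`, matching the phrasing `Implements cert_validator_t interface.` used in acert_validator.h of this commit. The struct-level comment could also say how the plugin delivers its function, e.g. `X.509 attribute certificate group membership checking, provided by registering a cert_validator_t with the credential manager`.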
diff --git a/src/libstrongswan/plugins/acert/acert_validator.c b/src/libstrongswan/plugins/acert/acert_validator.c
new file mode 100644
index 0000000..ab15dba
--- /dev/null
+++ b/src/libstrongswan/plugins/acert/acert_validator.c
@@ -0,0 +1,149 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <library.h>
+
+#include "acert_validator.h"
+
+#include <credentials/certificates/x509.h>
+#include <credentials/certificates/ac.h>
+
+typedef struct private_acert_validator_t private_acert_validator_t;
+
+/**
+ * Private data of an acert_validator_t object.
+ */
+struct private_acert_validator_t {
+
+	/**
+	 * Public acert_validator_t interface.
+	 */
+	acert_validator_t public;
+};
+
+/**
+ * Check if an AC can be trusted
+ */
+static bool verify(private_acert_validator_t *this, certificate_t *ac)
+{
+	certificate_t *issuer;
+	enumerator_t *enumerator;
+	bool verified = FALSE;
+
+	if (!ac->get_validity(ac, NULL, NULL, NULL))
+	{
+		return FALSE;
+	}
+	DBG1(DBG_CFG, "verifying attribute certificate issued by \"%Y\"",
+		 ac->get_issuer(ac));
+	enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY,
+													ac->get_issuer(ac), TRUE);
+	while (enumerator->enumerate(enumerator, &issuer, NULL))
+	{
+		if (issuer->get_validity(issuer, NULL, NULL, NULL))
+		{
+			if (lib->credmgr->issued_by(lib->credmgr, ac, issuer, NULL))
+			{
+				verified = TRUE;
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return verified;
+}
+
+/**
+ * Apply AC group membership to auth config
+ */
+static void apply(private_acert_validator_t *this, ac_t *ac, auth_cfg_t *auth)
+{
+	enumerator_t *enumerator;
+	ac_group_type_t type;
+	chunk_t chunk;
+
+	enumerator = ac->create_group_enumerator(ac);
+	while (enumerator->enumerate(enumerator, &type, &chunk))
+	{
+		if (type == AC_GROUP_TYPE_STRING)
+		{
+			auth->add(auth, AUTH_RULE_GROUP,
+					  identification_create_from_data(chunk));
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(cert_validator_t, validate, bool,
+	private_acert_validator_t *this, certificate_t *subject,
+	certificate_t *issuer, bool online, u_int pathlen, bool anchor,
+	auth_cfg_t *auth)
+{
+	/* for X.509 end entity certs only */
+	if (pathlen == 0 && subject->get_type(subject) == CERT_X509)
+	{
+		x509_t *x509 = (x509_t*)subject;
+		enumerator_t *enumerator;
+		identification_t *id, *serial;
+		ac_t *ac;
+
+		/* find attribute certificates by serial and issuer. A lookup by
+		 * the holder DN would work as well, but RFC 5755 recommends the use
+		 * of baseCertificateID. */
+		serial = identification_create_from_encoding(ID_KEY_ID,
+													 x509->get_serial(x509));
+		enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+										CERT_X509_AC, KEY_ANY, serial, FALSE);
+		while (enumerator->enumerate(enumerator, &ac))
+		{
+			id = ac->get_holderIssuer(ac);
+			if (id && id->equals(id, subject->get_issuer(subject)))
+			{
+				if (verify(this, &ac->certificate))
+				{
+					apply(this, ac, auth);
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+		serial->destroy(serial);
+	}
+	return TRUE;
+}
+
+METHOD(acert_validator_t, destroy, void,
+	private_acert_validator_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+acert_validator_t *acert_validator_create()
+{
+	private_acert_validator_t *this;
+
+	INIT(this,
+		.public = {
+			.validator.validate = _validate,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
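Review bot: validate() receives an `online` flag but verify() hard-codes the last argument of `create_trusted_enumerator` to TRUE, so the AC issuer lookup behaves the same whether or not the caller asked for online validation; if that TRUE is indeed the enumerator's online parameter, pass it through with `static bool verify(private_acert_validator_t *this, certificate_t *ac, bool online)`, `ac->get_issuer(ac), online);` and `if (verify(this, &ac->certificate, online))`. apply() silently drops every group whose type is not AC_GROUP_TYPE_STRING; a comment such as `/* only string-typed groups are mapped to AUTH_RULE_GROUP, other group types are ignored */` would make that explicit. Since validate() never returns FALSE, a comment on the method stating that it only adds group rules from trusted ACs and never rejects the subject certificate would save the next reader from hunting for a rejection path.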
diff --git a/src/libstrongswan/plugins/acert/acert_validator.h b/src/libstrongswan/plugins/acert/acert_validator.h
new file mode 100644
index 0000000..507776f
--- /dev/null
+++ b/src/libstrongswan/plugins/acert/acert_validator.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup acert_validator acert_validator
+ * @{ @ingroup acert
+ */
+
+#ifndef ACERT_VALIDATOR_H_
+#define ACERT_VALIDATOR_H_
+
+#include <credentials/cert_validator.h>
+
+typedef struct acert_validator_t acert_validator_t;
+
+/**
+ * Attribute certificate group membership checking
+ */
+struct acert_validator_t {
+
+	/**
+	 * Implements cert_validator_t interface.
+	 */
+	cert_validator_t validator;
+
+	/**
+	 * Destroy a acert_validator_t.
+	 */
+	void (*destroy)(acert_validator_t *this);
+};
+
+/**
+ * Create a acert_validator instance.
+ */
+acert_validator_t *acert_validator_create();
+
+#endif /** ACERT_VALIDATOR_H_ @}*/
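Review bot: Two doc comments use the wrong article: `Destroy a acert_validator_t.` and `Create a acert_validator instance.` should read `Destroy an acert_validator_t.` and `Create an acert_validator instance.`. The struct-level comment could also mention that the validator only contributes AUTH_RULE_GROUP entries and never rejects a certificate, which is the behaviour the implementation in this commit shows.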
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 9e91e86..f9c0750 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in
index 4ea1e8f..08f5e94 100644
--- a/src/libstrongswan/plugins/af_alg/Makefile.in
+++ b/src/libstrongswan/plugins/af_alg/Makefile.in
@@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index 150e8d4..bfd9f2b 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index f13a964..1e3f69f 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in
index ed3f056..b1e0f16 100644
--- a/src/libstrongswan/plugins/ccm/Makefile.in
+++ b/src/libstrongswan/plugins/ccm/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/ccm/ccm_aead.c b/src/libstrongswan/plugins/ccm/ccm_aead.c
index 65eccb2..6d4b2e1 100644
--- a/src/libstrongswan/plugins/ccm/ccm_aead.c
+++ b/src/libstrongswan/plugins/ccm/ccm_aead.c
@@ -343,7 +343,8 @@ METHOD(aead_t, destroy, void,
 /**
  * See header
  */
-ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size)
+ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo,
+							size_t key_size, size_t salt_size)
 {
 	private_ccm_aead_t *this;
 	size_t icv_size;
@@ -360,6 +361,11 @@ ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size)
 		default:
 			return NULL;
 	}
+	if (salt_size && salt_size != SALT_SIZE)
+	{
+		/* currently not supported */
+		return NULL;
+	}
 	switch (algo)
 	{
 		case ENCR_AES_CCM_ICV8:
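Review bot: The new salt-size guard rejects any non-zero value other than SALT_SIZE with a bare `/* currently not supported */`, and because the constructor returns NULL here exactly as it does for an unknown algorithm, the caller cannot tell which parameter was refused; gcm_aead_create in this commit has the identical guard. Make the comment state the contract rather than the limitation: `/* only the fixed SALT_SIZE implicit salt is supported; 0 selects it */`. If the debug macros are in scope in this file, a DBG1 line naming the rejected salt size would also make a misconfiguration diagnosable, since crypto_tester's message on constructor failure mentions only the key size.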
diff --git a/src/libstrongswan/plugins/ccm/ccm_aead.h b/src/libstrongswan/plugins/ccm/ccm_aead.h
index 79ab318..0f1ec09 100644
--- a/src/libstrongswan/plugins/ccm/ccm_aead.h
+++ b/src/libstrongswan/plugins/ccm/ccm_aead.h
@@ -44,8 +44,10 @@ struct ccm_aead_t {
  *
  * @param algo			algorithm to implement, a CCM mode
  * @param key_size		key size in bytes
+ * @param salt_size		size of implicit salt length
  * @return				aead, NULL if not supported
  */
-ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size);
+ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size,
+							size_t salt_size);
 
 #endif /** CCM_AEAD_H_ @}*/
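Review bot: `@param salt_size size of implicit salt length` mixes "size" and "length" and omits the zero case that ccm_aead_create accepts; write `@param salt_size length of the implicit salt in bytes, 0 for the default SALT_SIZE` so the header agrees with the implementation and with the `0 for default` wording in crypto_tester.h. The gcm_aead.h hunk carries the identical line and needs the same fix.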
diff --git a/src/libstrongswan/plugins/cmac/Makefile.in b/src/libstrongswan/plugins/cmac/Makefile.in
index 620d835..a609e71 100644
--- a/src/libstrongswan/plugins/cmac/Makefile.in
+++ b/src/libstrongswan/plugins/cmac/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in
index 060287d..654800b 100644
--- a/src/libstrongswan/plugins/constraints/Makefile.in
+++ b/src/libstrongswan/plugins/constraints/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in
index ff34435..b6789e7 100644
--- a/src/libstrongswan/plugins/ctr/Makefile.in
+++ b/src/libstrongswan/plugins/ctr/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index a756a0a..67a92b3 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index ca79430..fb38b07 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index b94b644..6986a81 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 3bb540d..71a61f6 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in
index 7bce3c9..dbf9d11 100644
--- a/src/libstrongswan/plugins/gcm/Makefile.in
+++ b/src/libstrongswan/plugins/gcm/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.c b/src/libstrongswan/plugins/gcm/gcm_aead.c
index ba5f2e4..4ab1701 100644
--- a/src/libstrongswan/plugins/gcm/gcm_aead.c
+++ b/src/libstrongswan/plugins/gcm/gcm_aead.c
@@ -375,7 +375,8 @@ METHOD(aead_t, destroy, void,
 /**
  * See header
  */
-gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size)
+gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo,
+							size_t key_size, size_t salt_size)
 {
 	private_gcm_aead_t *this;
 	size_t icv_size;
@@ -392,6 +393,11 @@ gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size)
 		default:
 			return NULL;
 	}
+	if (salt_size && salt_size != SALT_SIZE)
+	{
+		/* currently not supported */
+		return NULL;
+	}
 	switch (algo)
 	{
 		case ENCR_AES_GCM_ICV8:
diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.h b/src/libstrongswan/plugins/gcm/gcm_aead.h
index 846c3c7..5c09477 100644
--- a/src/libstrongswan/plugins/gcm/gcm_aead.h
+++ b/src/libstrongswan/plugins/gcm/gcm_aead.h
@@ -44,8 +44,10 @@ struct gcm_aead_t {
  *
  * @param algo			algorithm to implement, a gcm mode
  * @param key_size		key size in bytes
+ * @param salt_size		size of implicit salt length
  * @return				aead, NULL if not supported
  */
-gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size);
+gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size,
+							size_t salt_size);
 
 #endif /** GCM_AEAD_H_ @}*/
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 4ce3cf9..731375d 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index 73e0645..6b63e19 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index f5e38fa..d255cc9 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/keychain/Makefile.in b/src/libstrongswan/plugins/keychain/Makefile.in
index 42093e4..38a478b 100644
--- a/src/libstrongswan/plugins/keychain/Makefile.in
+++ b/src/libstrongswan/plugins/keychain/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index 7f14fbf..bd5bd43 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index bdd446c..a5caf8d 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index 32aac7b..c448931 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index a35f805..fb36d16 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/nonce/Makefile.in b/src/libstrongswan/plugins/nonce/Makefile.in
index 25437bd..60e45db 100644
--- a/src/libstrongswan/plugins/nonce/Makefile.in
+++ b/src/libstrongswan/plugins/nonce/Makefile.in
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/ntru/Makefile.am b/src/libstrongswan/plugins/ntru/Makefile.am
index b33cbc8..e241554 100644
--- a/src/libstrongswan/plugins/ntru/Makefile.am
+++ b/src/libstrongswan/plugins/ntru/Makefile.am
@@ -12,21 +12,15 @@ endif
 
 libstrongswan_ntru_la_SOURCES = \
 	ntru_plugin.h ntru_plugin.c \
+	ntru_convert.h ntru_convert.c \
 	ntru_drbg.h ntru_drbg.c \
 	ntru_ke.h ntru_ke.c \
 	ntru_mgf1.h ntru_mgf1.c \
+	ntru_param_set.h ntru_param_set.c \
 	ntru_poly.h ntru_poly.c \
-	ntru_trits.h ntru_trits.c \
-	ntru_crypto/ntru_crypto.h \
-	ntru_crypto/ntru_crypto_ntru_convert.h \
-	ntru_crypto/ntru_crypto_ntru_convert.c \
-	ntru_crypto/ntru_crypto_ntru_encrypt.c \
-	ntru_crypto/ntru_crypto_ntru_encrypt_key.h \
-	ntru_crypto/ntru_crypto_ntru_encrypt_key.c \
-	ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h \
-	ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c \
-	ntru_crypto/ntru_crypto_ntru_poly.h \
-	ntru_crypto/ntru_crypto_ntru_poly.c
+	ntru_public_key.h ntru_public_key.c \
+	ntru_private_key.h ntru_private_key.c \
+	ntru_trits.h ntru_trits.c
 
 libstrongswan_ntru_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libstrongswan/plugins/ntru/Makefile.in b/src/libstrongswan/plugins/ntru/Makefile.in
index af192d2..3825804 100644
--- a/src/libstrongswan/plugins/ntru/Makefile.in
+++ b/src/libstrongswan/plugins/ntru/Makefile.in
@@ -128,14 +128,10 @@ am__uninstall_files_from_dir = { \
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_ntru_la_LIBADD =
-am__dirstamp = $(am__leading_dot)dirstamp
-am_libstrongswan_ntru_la_OBJECTS = ntru_plugin.lo ntru_drbg.lo \
-	ntru_ke.lo ntru_mgf1.lo ntru_poly.lo ntru_trits.lo \
-	ntru_crypto/ntru_crypto_ntru_convert.lo \
-	ntru_crypto/ntru_crypto_ntru_encrypt.lo \
-	ntru_crypto/ntru_crypto_ntru_encrypt_key.lo \
-	ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.lo \
-	ntru_crypto/ntru_crypto_ntru_poly.lo
+am_libstrongswan_ntru_la_OBJECTS = ntru_plugin.lo ntru_convert.lo \
+	ntru_drbg.lo ntru_ke.lo ntru_mgf1.lo ntru_param_set.lo \
+	ntru_poly.lo ntru_public_key.lo ntru_private_key.lo \
+	ntru_trits.lo
 libstrongswan_ntru_la_OBJECTS = $(am_libstrongswan_ntru_la_OBJECTS)
 AM_V_lt = $(am__v_lt_ at AM_V@)
 am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
@@ -377,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -427,21 +422,15 @@ AM_CFLAGS = \
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-ntru.la
 libstrongswan_ntru_la_SOURCES = \
 	ntru_plugin.h ntru_plugin.c \
+	ntru_convert.h ntru_convert.c \
 	ntru_drbg.h ntru_drbg.c \
 	ntru_ke.h ntru_ke.c \
 	ntru_mgf1.h ntru_mgf1.c \
+	ntru_param_set.h ntru_param_set.c \
 	ntru_poly.h ntru_poly.c \
-	ntru_trits.h ntru_trits.c \
-	ntru_crypto/ntru_crypto.h \
-	ntru_crypto/ntru_crypto_ntru_convert.h \
-	ntru_crypto/ntru_crypto_ntru_convert.c \
-	ntru_crypto/ntru_crypto_ntru_encrypt.c \
-	ntru_crypto/ntru_crypto_ntru_encrypt_key.h \
-	ntru_crypto/ntru_crypto_ntru_encrypt_key.c \
-	ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h \
-	ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c \
-	ntru_crypto/ntru_crypto_ntru_poly.h \
-	ntru_crypto/ntru_crypto_ntru_poly.c
+	ntru_public_key.h ntru_public_key.c \
+	ntru_private_key.h ntru_private_key.c \
+	ntru_trits.h ntru_trits.c
 
 libstrongswan_ntru_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -524,47 +513,26 @@ clean-pluginLTLIBRARIES:
 	  echo rm -f $${locs}; \
 	  rm -f $${locs}; \
 	}
-ntru_crypto/$(am__dirstamp):
-	@$(MKDIR_P) ntru_crypto
-	@: > ntru_crypto/$(am__dirstamp)
-ntru_crypto/$(DEPDIR)/$(am__dirstamp):
-	@$(MKDIR_P) ntru_crypto/$(DEPDIR)
-	@: > ntru_crypto/$(DEPDIR)/$(am__dirstamp)
-ntru_crypto/ntru_crypto_ntru_convert.lo: ntru_crypto/$(am__dirstamp) \
-	ntru_crypto/$(DEPDIR)/$(am__dirstamp)
-ntru_crypto/ntru_crypto_ntru_encrypt.lo: ntru_crypto/$(am__dirstamp) \
-	ntru_crypto/$(DEPDIR)/$(am__dirstamp)
-ntru_crypto/ntru_crypto_ntru_encrypt_key.lo:  \
-	ntru_crypto/$(am__dirstamp) \
-	ntru_crypto/$(DEPDIR)/$(am__dirstamp)
-ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.lo:  \
-	ntru_crypto/$(am__dirstamp) \
-	ntru_crypto/$(DEPDIR)/$(am__dirstamp)
-ntru_crypto/ntru_crypto_ntru_poly.lo: ntru_crypto/$(am__dirstamp) \
-	ntru_crypto/$(DEPDIR)/$(am__dirstamp)
 
 libstrongswan-ntru.la: $(libstrongswan_ntru_la_OBJECTS) $(libstrongswan_ntru_la_DEPENDENCIES) $(EXTRA_libstrongswan_ntru_la_DEPENDENCIES) 
 	$(AM_V_CCLD)$(libstrongswan_ntru_la_LINK) $(am_libstrongswan_ntru_la_rpath) $(libstrongswan_ntru_la_OBJECTS) $(libstrongswan_ntru_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
-	-rm -f ntru_crypto/*.$(OBJEXT)
-	-rm -f ntru_crypto/*.lo
 
 distclean-compile:
 	-rm -f *.tab.c
 
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/ntru_convert.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/ntru_drbg.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/ntru_ke.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/ntru_mgf1.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/ntru_param_set.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/ntru_plugin.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/ntru_poly.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/ntru_private_key.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/ntru_public_key.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/ntru_trits.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_convert.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_encrypt.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_encrypt_key.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_encrypt_param_sets.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_poly.Plo at am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@@ -595,7 +563,6 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-	-rm -rf ntru_crypto/.libs ntru_crypto/_libs
 
 ID: $(am__tagged_files)
 	$(am__define_uniq_tagged_files); mkid -fID $$unique
@@ -712,8 +679,6 @@ clean-generic:
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-	-rm -f ntru_crypto/$(DEPDIR)/$(am__dirstamp)
-	-rm -f ntru_crypto/$(am__dirstamp)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -724,7 +689,7 @@ clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
 	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
-	-rm -rf ./$(DEPDIR) ntru_crypto/$(DEPDIR)
+	-rm -rf ./$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
@@ -770,7 +735,7 @@ install-ps-am:
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR) ntru_crypto/$(DEPDIR)
+	-rm -rf ./$(DEPDIR)
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
diff --git a/src/libstrongswan/plugins/ntru/ntru_convert.c b/src/libstrongswan/plugins/ntru/ntru_convert.c
new file mode 100644
index 0000000..6330b2e
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_convert.c
@@ -0,0 +1,452 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2009-2013  Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+
+#include "ntru_convert.h"
+
+/**
+ * 3-bit to 2-trit conversion tables: 2 represents -1
+ */
+static uint8_t const bits_2_trit1[] = {0, 0, 0, 1, 1, 1, 2, 2};
+static uint8_t const bits_2_trit2[] = {0, 1, 2, 0, 1, 2, 0, 1};
+
+/**
+ * See header.
+ */
+void ntru_bits_2_trits(uint8_t const *octets, uint16_t num_trits, uint8_t *trits)
+{
+	uint32_t bits24, bits3, shift;
+
+	while (num_trits >= 16)
+	{
+		/* get next three octets */
+		bits24  = ((uint32_t)(*octets++)) << 16;
+		bits24 |= ((uint32_t)(*octets++)) <<  8;
+		bits24 |=  (uint32_t)(*octets++);
+
+		/* for each 3 bits in the three octets, output 2 trits */
+		bits3 = (bits24 >> 21) & 0x7;
+		*trits++ = bits_2_trit1[bits3];
+		*trits++ = bits_2_trit2[bits3];
+
+		bits3 = (bits24 >> 18) & 0x7;
+		*trits++ = bits_2_trit1[bits3];
+		*trits++ = bits_2_trit2[bits3];
+
+		bits3 = (bits24 >> 15) & 0x7;
+		*trits++ = bits_2_trit1[bits3];
+		*trits++ = bits_2_trit2[bits3];
+
+		bits3 = (bits24 >> 12) & 0x7;
+		*trits++ = bits_2_trit1[bits3];
+		*trits++ = bits_2_trit2[bits3];
+
+		bits3 = (bits24 >>  9) & 0x7;
+		*trits++ = bits_2_trit1[bits3];
+		*trits++ = bits_2_trit2[bits3];
+
+		bits3 = (bits24 >>  6) & 0x7;
+		*trits++ = bits_2_trit1[bits3];
+		*trits++ = bits_2_trit2[bits3];
+
+		bits3 = (bits24 >>  3) & 0x7;
+		*trits++ = bits_2_trit1[bits3];
+		*trits++ = bits_2_trit2[bits3];
+
+		bits3 = bits24 & 0x7;
+		*trits++ = bits_2_trit1[bits3];
+		*trits++ = bits_2_trit2[bits3];
+
+		num_trits -= 16;
+	}
+	if (num_trits == 0)
+	{
+		return;
+	}
+
+	/* get three octets */
+	bits24  = ((uint32_t)(*octets++)) << 16;
+	bits24 |= ((uint32_t)(*octets++)) <<  8;
+	bits24 |=  (uint32_t)(*octets++);
+
+	shift = 21;
+	while (num_trits)
+	{
+		/**
+		 * for each 3 bits in the three octets, output up to 2 trits
+		 * until all trits needed are produced
+		 */
+		bits3 = (bits24 >> shift) & 0x7;
+		shift -= 3;
+		*trits++ = bits_2_trit1[bits3];
+		if (--num_trits)
+		{
+			*trits++ = bits_2_trit2[bits3];
+			--num_trits;
+		}
+	}
+}
+
+/**
+ * See header.
+ */
+bool ntru_trits_2_bits(uint8_t const *trits, uint32_t num_trits, uint8_t *octets)
+{
+	bool all_trits_valid = TRUE;
+	uint32_t bits24, bits3, shift;
+
+	while (num_trits >= 16)
+	{
+		/* convert each 2 trits to 3 bits and pack */
+		bits3  = *trits++ * 3;
+		bits3 += *trits++;
+		if (bits3 > 7)
+		{
+			bits3 = 7;
+			all_trits_valid = FALSE;
+		}
+		bits24 = (bits3 << 21);
+
+		bits3  = *trits++ * 3;
+		bits3 += *trits++;
+		if (bits3 > 7)
+		{
+			bits3 = 7;
+			all_trits_valid = FALSE;
+		}
+		bits24 |= (bits3 << 18);
+
+		bits3  = *trits++ * 3;
+		bits3 += *trits++;
+		if (bits3 > 7)
+		{
+			bits3 = 7;
+			all_trits_valid = FALSE;
+		}
+		bits24 |= (bits3 << 15);
+
+		bits3  = *trits++ * 3;
+		bits3 += *trits++;
+		if (bits3 > 7)
+		{
+			bits3 = 7;
+			all_trits_valid = FALSE;
+		}
+		bits24 |= (bits3 << 12);
+
+		bits3  = *trits++ * 3;
+		bits3 += *trits++;
+		if (bits3 > 7)
+		{
+			bits3 = 7;
+			all_trits_valid = FALSE;
+		}
+		bits24 |= (bits3 <<  9);
+
+		bits3  = *trits++ * 3;
+		bits3 += *trits++;
+		if (bits3 > 7)
+		{
+			bits3 = 7;
+			all_trits_valid = FALSE;
+		}
+		bits24 |= (bits3 <<  6);
+
+		bits3  = *trits++ * 3;
+		bits3 += *trits++;
+		if (bits3 > 7)
+		{
+			bits3 = 7;
+			all_trits_valid = FALSE;
+		}
+		bits24 |= (bits3 <<  3);
+
+		bits3  = *trits++ * 3;
+		bits3 += *trits++;
+		if (bits3 > 7)
+		{
+			bits3 = 7;
+			all_trits_valid = FALSE;
+		}
+		bits24 |= bits3;
+
+		num_trits -= 16;
+
+		/* output three octets */
+		*octets++ = (uint8_t)((bits24 >> 16) & 0xff);
+		*octets++ = (uint8_t)((bits24 >>  8) & 0xff);
+		*octets++ = (uint8_t)(bits24 & 0xff);
+	}
+
+	bits24 = 0;
+	shift = 21;
+	while (num_trits)
+	{
+		/* convert each 2 trits to 3 bits and pack */
+		bits3 = *trits++ * 3;
+		if (--num_trits)
+		{
+			bits3 += *trits++;
+			--num_trits;
+		}
+		if (bits3 > 7)
+		{
+			bits3 = 7;
+			all_trits_valid = FALSE;
+		}
+		bits24 |= (bits3 << shift);
+		shift -= 3;
+	}
+
+	/* output three octets */
+	*octets++ = (uint8_t)((bits24 >> 16) & 0xff);
+	*octets++ = (uint8_t)((bits24 >>  8) & 0xff);
+	*octets++ = (uint8_t)(bits24 & 0xff);
+
+	return all_trits_valid;
+}
+
+/**
+ * See header
+ */
+void ntru_coeffs_mod4_2_octets(uint16_t num_coeffs, uint16_t const *coeffs, uint8_t *octets)
+{
+    uint8_t bits2;
+    int shift, i;
+
+	*octets = 0;
+	shift = 6;
+	for (i = 0; i < num_coeffs; i++)
+	{
+		bits2 = (uint8_t)(coeffs[i] & 0x3);
+		*octets |= bits2 << shift;
+		shift -= 2;
+		if (shift < 0)
+		{
+			++octets;
+			*octets = 0;
+			shift = 6;
+		}
+	}
+}
+
+/**
+ * See header.
+ */
+void ntru_trits_2_octet(uint8_t const *trits, uint8_t *octet)
+{
+	int i;
+
+	*octet = 0;
+	for (i = 4; i >= 0; i--)
+	{
+		*octet = (*octet * 3) + trits[i];
+	}
+}
+
+/**
+ * See header.
+ */
+void ntru_octet_2_trits(uint8_t octet, uint8_t *trits)
+{
+	int i;
+
+	for (i = 0; i < 5; i++)
+	{
+		trits[i] = octet % 3;
+		octet = (octet - trits[i]) / 3;
+	}
+}
+
+/**
+ * See header.
+ */
+void ntru_indices_2_trits(uint16_t in_len, uint16_t const *in, bool plus1,
+						  uint8_t *out)
+{
+	uint8_t trit = plus1 ? 1 : 2;
+	int  i;
+
+    for (i = 0; i < in_len; i++)
+	{
+		out[in[i]] = trit;
+	}
+}
+
+/**
+ * See header.
+ */
+void ntru_packed_trits_2_indices(uint8_t const *in, uint16_t num_trits,
+								 uint16_t *indices_plus1,
+								 uint16_t *indices_minus1)
+{
+	uint8_t trits[5];
+	uint16_t i = 0;
+	int j;
+
+	while (num_trits >= 5)
+	{
+		ntru_octet_2_trits(*in++, trits);
+		num_trits -= 5;
+		for (j = 0; j < 5; j++, i++)
+		{
+			if (trits[j] == 1)
+			{
+				*indices_plus1 = i;
+				++indices_plus1;
+			}
+			else if (trits[j] == 2)
+			{
+				*indices_minus1 = i;
+				++indices_minus1;
+			}
+		}
+    }
+	if (num_trits)
+	{
+		ntru_octet_2_trits(*in, trits);
+		for (j = 0; num_trits && (j < 5); j++, i++)
+		{
+			if (trits[j] == 1)
+			{
+				*indices_plus1 = i;
+				++indices_plus1;
+			}
+			else if (trits[j] == 2)
+			{
+				*indices_minus1 = i;
+				++indices_minus1;
+			}
+			--num_trits;
+		}
+	}
+}
+
+/**
+ * See header.
+ */
+void ntru_indices_2_packed_trits(uint16_t const *indices, uint16_t num_plus1,
+								 uint16_t num_minus1, uint16_t num_trits,
+								 uint8_t *buf, uint8_t *out)
+{
+	/* convert indices to an array of trits */
+	memset(buf, 0, num_trits);
+	ntru_indices_2_trits(num_plus1, indices, TRUE, buf);
+	ntru_indices_2_trits(num_minus1, indices + num_plus1, FALSE, buf);
+
+	/* pack the array of trits */
+	while (num_trits >= 5)
+	{
+		ntru_trits_2_octet(buf, out);
+		num_trits -= 5;
+		buf += 5;
+		++out;
+	}
+	if (num_trits)
+	{
+		uint8_t trits[5];
+
+		memcpy(trits, buf, num_trits);
+		memset(trits + num_trits, 0, sizeof(trits) - num_trits);
+		ntru_trits_2_octet(trits, out);
+	}
+}
+
+/**
+ * See header
+ */
+void ntru_elements_2_octets(uint16_t in_len, uint16_t const *in, uint8_t n_bits,
+							uint8_t *out)
+{
+	uint16_t temp;
+	int shift, i;
+
+	/* pack */
+	temp = 0;
+	shift = n_bits - 8;
+	i = 0;
+	while (i < in_len)
+	{
+		/* add bits to temp to fill an octet and output the octet */
+		temp |= in[i] >> shift;
+		*out++ = (uint8_t)(temp & 0xff);
+		shift = 8 - shift;
+		if (shift < 1)
+		{
+			/* next full octet is in current input word */
+			shift += n_bits;
+			temp = 0;
+		}
+		else
+		{
+			/* put remaining bits of input word in temp as partial octet,
+			 * and increment index to next input word
+			 */
+			temp = in[i] << (uint16_t)shift;
+			++i;
+		}
+		shift = n_bits - shift;
+	}
+
+	/* output any bits remaining in last input word */
+	if (shift != n_bits - 8)
+	{
+		*out++ = (uint8_t)(temp & 0xff);
+	}
+}
+
+
+/**
+ * See header.
+ */
+void ntru_octets_2_elements(uint16_t in_len, uint8_t const *in, uint8_t n_bits,
+							uint16_t *out)
+{
+	uint16_t  temp;
+	uint16_t  mask = (1 << n_bits) - 1;
+	int shift, i;
+
+	/* unpack */
+	temp = 0;
+	shift = n_bits;
+	i = 0;
+	while (i < in_len)
+	{
+		shift = 8 - shift;
+		if (shift < 0)
+		{
+			/* the current octet will not fill the current element */
+			shift += n_bits;
+		}
+		else
+		{
+			/* add bits from the current octet to fill the current element and
+			 * output the element
+			 */
+			temp |= ((uint16_t)in[i]) >> shift;
+			*out++ = temp & mask;
+			temp = 0;
+		}
+
+		/* add the remaining bits of the current octet to start an element */
+		shift = n_bits - shift;
+		temp |= ((uint16_t)in[i]) << shift;
+		++i;
+	}
+}
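Review bot: ntru_coeffs_mod4_2_octets writes one octet past the packed output whenever num_coeffs is a multiple of four, and stores `*octets = 0` even for num_coeffs == 0: once the fourth coefficient fills an octet, the `++octets; *octets = 0;` branch clears the following octet before knowing whether any coefficient will land in it, so an output buffer sized (num_coeffs + 3) / 4 is overrun by one byte. Whether that is reachable depends on the N of the parameter sets, which are not in this hunk; zeroing each octet lazily when a group starts removes the stray write either way, unless some caller relies on the trailing zero. ntru_trits_2_bits has a related sizing caveat: the three-octet store after the tail loop is unconditional, so 3 * (num_trits / 16 + 1) octets are written even when num_trits is a multiple of 16, which the header should spell out. ntru_indices_2_trits indexes `out[in[i]]` with caller-supplied values and has no bound to check against, so any caller that decodes indices from an externally supplied key blob must validate them against N before calling it. The space-indented lines at the top of ntru_coeffs_mod4_2_octets and the for loop in ntru_indices_2_trits also break the tab convention used in the rest of the file.
```c
void ntru_coeffs_mod4_2_octets(uint16_t num_coeffs, uint16_t const *coeffs, uint8_t *octets)
{
	uint8_t bits2;
	int shift, i;

	shift = 6;
	for (i = 0; i < num_coeffs; i++)
	{
		if (shift == 6)
		{
			/* first coefficient of a group: clear the octet only now, so no
			 * octet beyond the last coefficient is ever written */
			*octets = 0;
		}
		bits2 = (uint8_t)(coeffs[i] & 0x3);
		*octets |= bits2 << shift;
		shift -= 2;
		if (shift < 0)
		{
			++octets;
			shift = 6;
		}
	}
}
```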
diff --git a/src/libstrongswan/plugins/ntru/ntru_convert.h b/src/libstrongswan/plugins/ntru/ntru_convert.h
new file mode 100644
index 0000000..31594b1
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_convert.h
@@ -0,0 +1,147 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2009-2013  Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_convert ntru_convert
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_CONVERT_H_
+#define NTRU_CONVERT_H_
+
+#include <library.h>
+
+/**
+ * Each 3 bits in an array of octets is converted to 2 trits in an array
+ * of trits.
+ *
+ * @param octets		pointer to array of octets
+ * @param num_trits		number of trits to produce
+ * @param trits			address for array of trits
+ */
+void ntru_bits_2_trits(uint8_t const *octets, uint16_t num_trits,
+					   uint8_t *trits);
+
+/**
+ * Each 2 trits in an array of trits is converted to 3 bits, and the bits
+ * are packed in an array of octets.  A multiple of 3 octets is output.
+ * Any bits in the final octets not derived from trits are zero.
+ *
+ * @param trits				pointer to array of trits
+ * @param num_trits			number of trits to convert
+ * @param octets			address for array of octets
+ * @return					TRUE if all trits were valid
+ *                     		FALSE if invalid trits were found
+ */
+bool ntru_trits_2_bits(uint8_t const *trits, uint32_t num_trits,
+					   uint8_t *octets);
+
+/**
+ * Takes an array of coefficients mod 4 and packs the results into an
+ * octet string.
+ *
+ * @param num_coeffs		number of coefficients
+ * @param coeffs			pointer to coefficients
+ * @param octets			address for octets
+ */
+void ntru_coeffs_mod4_2_octets(uint16_t num_coeffs, uint16_t const *coeffs,
+							   uint8_t *octets);
+
+/**
+ * Packs 5 trits in an octet, where a trit is 0, 1, or 2 (-1).
+ *
+ * @param trits				pointer to trits
+ * @param octet				address for octet
+ */
+void ntru_trits_2_octet(uint8_t const *trits, uint8_t *octet);
+
+/**
+ * Unpacks an octet to 5 trits, where a trit is 0, 1, or 2 (-1).
+ *
+ * @param octet				octet to be unpacked
+ * @param trits				address for trits
+ */
+void ntru_octet_2_trits(uint8_t  octet, uint8_t *trits);
+
+/**
+ *
+ * Converts a list of the nonzero indices of a polynomial into an array of
+ * trits.
+ *
+ * @param in_len			no. of indices
+ * @param in				pointer to list of indices
+ * @param plus1				if list is +1 coefficients
+ * @param out				address of output polynomial
+ */
+void ntru_indices_2_trits(uint16_t in_len, uint16_t const *in, bool plus1,
+						  uint8_t *out);
+
+/**
+ * Unpacks an array of N trits and creates a list of array indices 
+ * corresponding to trits = +1, and list of array indices corresponding to
+ * trits = -1.
+ *
+ * @param in				pointer to packed-trit octets
+ * @param num_trits			no. of packed trits
+ * @param indices_plus1		address for indices of +1 trits
+ * @param indices_minus1	address for indices of -1 trits
+ */
+void ntru_packed_trits_2_indices(uint8_t const *in, uint16_t num_trits,
+								 uint16_t *indices_plus1,
+								 uint16_t *indices_minus1);
+
+/**
+ * Takes a list of array indices corresponding to elements whose values
+ * are +1 or -1, and packs the N-element array of trits described by these
+ * lists into octets, 5 trits per octet.
+ *
+ * @param indices			pointer to indices
+ * @param num_plus1			no. of indices for +1 trits
+ * @param num_minus1		no. of indices for -1 trits
+ * @param num_trits			N, no. of trits in array
+ * @param buf				temp buf, N octets
+ * @param out				address for packed octet
+ */
+void ntru_indices_2_packed_trits(uint16_t const *indices, uint16_t num_plus1,
+								 uint16_t num_minus1, uint16_t num_trits,
+								 uint8_t *buf, uint8_t *out);
+
+/**
+ * Packs an array of n-bit elements into an array of
+ * ((in_len * n_bits) + 7) / 8 octets, 8 < n_bits < 16.
+ *
+ * @param in_len			no. of elements to be packed
+ * @param in				ptr to elements to be packed
+ * @param n_bits			no. of bits in input element
+ * @param out				addr for output octets
+ */
+void ntru_elements_2_octets(uint16_t in_len, uint16_t const *in, uint8_t n_bits,
+							uint8_t *out);
+
+/**
+ * Unpacks an octet string into an array of ((in_len * 8) / n_bits)
+ * n-bit elements, 8 < n < 16.  Any extra bits are discarded.
+ *
+ * @param in_len			no. of octets to be unpacked
+ * @param in				ptr to octets to be unpacked
+ * @param n_bits			no. of bits in output element
+ * @param out				addr for output elements
+ */
+void ntru_octets_2_elements(uint16_t in_len, uint8_t const *in, uint8_t n_bits,
+							uint16_t *out);
+
+#endif /** NTRU_CONVERT_H_ @}*/
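Review bot: The buffer-size contracts of ntru_bits_2_trits and ntru_trits_2_bits are left implicit in this header although both functions touch more memory than the trit count alone implies: the tail of ntru_bits_2_trits always consumes three octets, and ntru_trits_2_bits always emits a final three-octet group. I would state this on the @param lines, e.g. `@param octets  pointer to array of at least 3 * ((num_trits + 15) / 16) octets` for the former, and for the latter replace "A multiple of 3 octets is output." with `3 * (num_trits / 16 + 1) octets are always written, even when num_trits is a multiple of 16.` The comment "The octet array may overlap the end of the trit array." from the removed ntru_crypto_ntru_convert.c was dropped in the move; if that aliasing guarantee still holds it belongs here, otherwise callers that depended on it should be checked. ntru_indices_2_trits should likewise say that every value in `in` must be below the length of `out`, since the function has no parameter it could check against.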
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h
deleted file mode 100644
index 72f4703..0000000
--- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h
+++ /dev/null
@@ -1,235 +0,0 @@
-/******************************************************************************
- * NTRU Cryptography Reference Source Code
- * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
- *
- * ntru_crypto.h is a component of ntru-crypto.
- *
- * Copyright (C) 2009-2013  Security Innovation
- * 
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- *
- *****************************************************************************/
- 
- 
-/******************************************************************************
- *
- * File: ntru_crypto.h
- *
- * Contents: Public header file for NTRUEncrypt.
- *
- *****************************************************************************/
-
-#ifndef NTRU_CRYPTO_H
-#define NTRU_CRYPTO_H
-
-#include <library.h>
-
-#include "ntru_drbg.h"
-
-#if !defined( NTRUCALL )
-  #if !defined(WIN32) || defined (NTRUCRYPTO_STATIC)
-    // Linux, or a Win32 static library
-    #define NTRUCALL extern uint32_t
-  #elif defined (NTRUCRYPTO_EXPORTS)
-    // Win32 DLL build
-    #define NTRUCALL extern __declspec(dllexport) uint32_t
-  #else
-    // Win32 DLL import
-    #define NTRUCALL extern __declspec(dllimport) uint32_t
-  #endif
-#endif /* NTRUCALL */
-
-/* parameter set ID list */
-
-typedef enum _NTRU_ENCRYPT_PARAM_SET_ID {
-    NTRU_EES401EP1,
-    NTRU_EES449EP1,
-    NTRU_EES677EP1,
-    NTRU_EES1087EP2,
-    NTRU_EES541EP1,
-    NTRU_EES613EP1,
-    NTRU_EES887EP1,
-    NTRU_EES1171EP1,
-    NTRU_EES659EP1,
-    NTRU_EES761EP1,
-    NTRU_EES1087EP1,
-    NTRU_EES1499EP1,
-    NTRU_EES401EP2,
-    NTRU_EES439EP1,
-    NTRU_EES593EP1,
-    NTRU_EES743EP1,
-} NTRU_ENCRYPT_PARAM_SET_ID;
-
-
-/* error codes */
-
-#define NTRU_OK                     0
-#define NTRU_FAIL                   1
-#define NTRU_BAD_PARAMETER          2
-#define NTRU_BAD_LENGTH             3
-#define NTRU_BUFFER_TOO_SMALL       4
-#define NTRU_INVALID_PARAMETER_SET  5
-#define NTRU_BAD_PUBLIC_KEY         6
-#define NTRU_BAD_PRIVATE_KEY        7
-#define NTRU_OUT_OF_MEMORY          8
-#define NTRU_BAD_ENCODING           9
-#define NTRU_OID_NOT_RECOGNIZED    10
-#define NTRU_DRBG_FAIL             11
-#define NTRU_MGF1_FAIL             12
-
-/* function declarations */
-
-/* ntru_crypto_ntru_encrypt
- *
- * Implements NTRU encryption (SVES) for the parameter set specified in
- * the public key blob.
- *
- * Before invoking this function, a DRBG must be instantiated using
- * ntru_crypto_drbg_instantiate() to obtain a DRBG handle, and in that
- * instantiation the requested security strength must be at least as large
- * as the security strength of the NTRU parameter set being used.
- * Failure to instantiate the DRBG with the proper security strength will
- * result in this function returning DRBG_ERROR_BASE + DRBG_BAD_LENGTH.
- *
- * The required minimum size of the output ciphertext buffer (ct) may be
- * queried by invoking this function with ct = NULL.  In this case, no
- * encryption is performed, NTRU_OK is returned, and the required minimum
- * size for ct is returned in ct_len.
- *
- * When ct != NULL, at invocation *ct_len must be the size of the ct buffer.
- * Upon return it is the actual size of the ciphertext.
- *
- * Returns NTRU_OK if successful.
- * Returns NTRU_DRBG_FAIL if the DRBG handle is invalid.
- * Returns NTRU_BAD_PARAMETER if an argument pointer (other than ct) is NULL.
- * Returns NTRU_BAD_LENGTH if a length argument (pubkey_blob_len or pt_len) is
- *  zero, or if pt_len exceeds the maximum plaintext length for the parameter set.
- * Returns NTRU_BAD_PUBLIC_KEY if the public-key blob is invalid
- *  (unknown format, corrupt, bad length).
- * Returns NTRU_BUFFER_TOO_SMALL if the ciphertext buffer is too small.
- * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
- */
-
-NTRUCALL
-ntru_crypto_ntru_encrypt(
-    ntru_drbg_t     *drbg      ,     /*     in - handle for DRBG */
-    uint16_t        pubkey_blob_len, /*     in - no. of octets in public key
-                                                 blob */
-    uint8_t const  *pubkey_blob,     /*     in - pointer to public key */
-    uint16_t        pt_len,          /*     in - no. of octets in plaintext */
-    uint8_t const  *pt,              /*     in - pointer to plaintext */
-    uint16_t       *ct_len,          /* in/out - no. of octets in ct, addr for
-                                                 no. of octets in ciphertext */
-    uint8_t        *ct);             /*    out - address for ciphertext */
-
-
-/* ntru_crypto_ntru_decrypt
- *
- * Implements NTRU decryption (SVES) for the parameter set specified in
- * the private key blob.
- *
- * The maximum size of the output plaintext may be queried by invoking
- * this function with pt = NULL.  In this case, no decryption is performed,
- * NTRU_OK is returned, and the maximum size the plaintext could be is
- * returned in pt_len.
- * Note that until the decryption is performed successfully, the actual size
- * of the resulting plaintext cannot be known.
- *
- * When pt != NULL, at invocation *pt_len must be the size of the pt buffer.
- * Upon return it is the actual size of the plaintext.
- *
- * Returns NTRU_OK if successful.
- * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pt) is NULL.
- * Returns NTRU_BAD_LENGTH if a length argument (privkey_blob) is zero, or if
- *  ct_len is invalid for the parameter set.
- * Returns NTRU_BAD_PRIVATE_KEY if the private-key blob is invalid
- *  (unknown format, corrupt, bad length).
- * Returns NTRU_BUFFER_TOO_SMALL if the plaintext buffer is too small.
- * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
- * Returns NTRU_FAIL if a decryption error occurs.
- */
-
-NTRUCALL
-ntru_crypto_ntru_decrypt(
-    uint16_t       privkey_blob_len, /*     in - no. of octets in private key
-                                                 blob */
-    uint8_t const *privkey_blob,     /*     in - pointer to private key */
-    uint16_t       ct_len,           /*     in - no. of octets in ciphertext */
-    uint8_t const *ct,               /*     in - pointer to ciphertext */
-    uint16_t      *pt_len,           /* in/out - no. of octets in pt, addr for
-                                                 no. of octets in plaintext */
-    uint8_t       *pt);              /*    out - address for plaintext */
-
-
-/* ntru_crypto_ntru_encrypt_keygen
- *
- * Implements key generation for NTRUEncrypt for the parameter set specified.
- *
- * Before invoking this function, a DRBG must be instantiated using
- * ntru_crypto_drbg_instantiate() to obtain a DRBG handle, and in that
- * instantiation the requested security strength must be at least as large
- * as the security strength of the NTRU parameter set being used.
- * Failure to instantiate the DRBG with the proper security strength will
- * result in this function returning NTRU_DRBG_FAIL.
- *
- * The required minimum size of the output public-key buffer (pubkey_blob)
- * may be queried by invoking this function with pubkey_blob = NULL.
- * In this case, no key generation is performed, NTRU_OK is returned, and
- * the required minimum size for pubkey_blob is returned in pubkey_blob_len.
- *
- * The required minimum size of the output private-key buffer (privkey_blob)
- * may be queried by invoking this function with privkey_blob = NULL.
- * In this case, no key generation is performed, NTRU_OK is returned, and
- * the required minimum size for privkey_blob is returned in privkey_blob_len.
- *
- * The required minimum sizes of both pubkey_blob and privkey_blob may be
- * queried as described above, in a single invocation of this function.
- *
- * When pubkey_blob != NULL and privkey_blob != NULL, at invocation
- * *pubkey_blob_len must be the size of the pubkey_blob buffer and
- * *privkey_blob_len must be the size of the privkey_blob buffer.
- * Upon return, *pubkey_blob_len is the actual size of the public-key blob
- * and *privkey_blob_len is the actual size of the private-key blob.
- *
- * Returns NTRU_OK if successful.
- * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pubkey_blob
- * or privkey_blob) is NULL.
- * Returns NTRU_INVALID_PARAMETER_SET if the parameter-set ID is invalid.
- * Returns NTRU_BAD_LENGTH if a length argument is invalid.
- * Returns NTRU_BUFFER_TOO_SMALL if either the pubkey_blob buffer or the
- *  privkey_blob buffer is too small.
- * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
- * Returns NTRU_FAIL if the polynomial generated for f is not invertible in
- *  (Z/qZ)[X]/(X^N - 1), which is extremely unlikely.
- *  Should this occur, this function should simply be invoked again.
- */
-
-NTRUCALL
-ntru_crypto_ntru_encrypt_keygen(
-    ntru_drbg_t               *drbg,             /*     in - handle of DRBG */
-    NTRU_ENCRYPT_PARAM_SET_ID  param_set_id,     /*     in - parameter set ID */
-    uint16_t                  *pubkey_blob_len,  /* in/out - no. of octets in
-                                                             pubkey_blob, addr
-                                                             for no. of octets
-                                                             in pubkey_blob */
-    uint8_t                   *pubkey_blob,      /*    out - address for
-                                                             public key blob */
-    uint16_t                  *privkey_blob_len, /* in/out - no. of octets in
-                                                             privkey_blob, addr
-                                                             for no. of octets
-                                                             in privkey_blob */
-    uint8_t                   *privkey_blob);    /*    out - address for
-                                                             private key blob */
-#endif /* NTRU_CRYPTO_H */
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.c
deleted file mode 100644
index 3d6dfde..0000000
--- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.c
+++ /dev/null
@@ -1,581 +0,0 @@
-/******************************************************************************
- * NTRU Cryptography Reference Source Code
- * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
- *
- * ntru_crypto_ntru_convert.c is a component of ntru-crypto.
- *
- * Copyright (C) 2009-2013  Security Innovation
- * 
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- *
- *****************************************************************************/
- 
-/******************************************************************************
- *
- * File: ntru_crypto_ntru_convert.c
- *
- * Contents: Conversion routines for NTRUEncrypt, including packing, unpacking,
- *           and others.
- *
- *****************************************************************************/
-
-#include <stdlib.h>
-#include <string.h>
-#include <assert.h>
-#include "ntru_crypto_ntru_convert.h"
-
-
-/* 3-bit to 2-trit conversion tables: 2 represents -1 */
-
-static uint8_t const bits_2_trit1[] = {0, 0, 0, 1, 1, 1, 2, 2};
-static uint8_t const bits_2_trit2[] = {0, 1, 2, 0, 1, 2, 0, 1};
-
-
-/* ntru_bits_2_trits
- *
- * Each 3 bits in an array of octets is converted to 2 trits in an array
- * of trits.
- *
- * The octet array may overlap the end of the trit array.
- */
-
-void
-ntru_bits_2_trits(
-    uint8_t const *octets,          /*  in - pointer to array of octets */
-    uint16_t       num_trits,       /*  in - number of trits to produce */
-    uint8_t       *trits)           /* out - address for array of trits */
-{
-    uint32_t bits24;
-    uint32_t bits3;
-    uint32_t shift;
-
-    assert(octets);
-    assert(trits);
-
-    while (num_trits >= 16) {
-
-        /* get next three octets */
-
-        bits24  = ((uint32_t)(*octets++)) << 16;
-        bits24 |= ((uint32_t)(*octets++)) <<  8;
-        bits24 |=  (uint32_t)(*octets++);
-
-        /* for each 3 bits in the three octets, output 2 trits */
-
-        bits3 = (bits24 >> 21) & 0x7;
-        *trits++ = bits_2_trit1[bits3];
-        *trits++ = bits_2_trit2[bits3];
-
-        bits3 = (bits24 >> 18) & 0x7;
-        *trits++ = bits_2_trit1[bits3];
-        *trits++ = bits_2_trit2[bits3];
-
-        bits3 = (bits24 >> 15) & 0x7;
-        *trits++ = bits_2_trit1[bits3];
-        *trits++ = bits_2_trit2[bits3];
-
-        bits3 = (bits24 >> 12) & 0x7;
-        *trits++ = bits_2_trit1[bits3];
-        *trits++ = bits_2_trit2[bits3];
-
-        bits3 = (bits24 >>  9) & 0x7;
-        *trits++ = bits_2_trit1[bits3];
-        *trits++ = bits_2_trit2[bits3];
-
-        bits3 = (bits24 >>  6) & 0x7;
-        *trits++ = bits_2_trit1[bits3];
-        *trits++ = bits_2_trit2[bits3];
-
-        bits3 = (bits24 >>  3) & 0x7;
-        *trits++ = bits_2_trit1[bits3];
-        *trits++ = bits_2_trit2[bits3];
-
-        bits3 = bits24 & 0x7;
-        *trits++ = bits_2_trit1[bits3];
-        *trits++ = bits_2_trit2[bits3];
-
-        num_trits -= 16;
-    }
-    if (num_trits == 0)
-        return;
-
-    /* get three octets */
-
-    bits24  = ((uint32_t)(*octets++)) << 16;
-    bits24 |= ((uint32_t)(*octets++)) <<  8;
-    bits24 |=  (uint32_t)(*octets++);
-
-    shift = 21;
-    while (num_trits) {
-
-        /* for each 3 bits in the three octets, output up to 2 trits
-         * until all trits needed are produced
-         */
-
-        bits3 = (bits24 >> shift) & 0x7;
-        shift -= 3;
-        *trits++ = bits_2_trit1[bits3];
-        if (--num_trits) {
-            *trits++ = bits_2_trit2[bits3];
-            --num_trits;
-        }
-    }
-}
-
-
-/* ntru_trits_2_bits
- *
- * Each 2 trits in an array of trits is converted to 3 bits, and the bits
- * are packed in an array of octets.  A multiple of 3 octets is output.
- * Any bits in the final octets not derived from trits are zero.
- *
- * Returns TRUE if all trits were valid.
- * Returns FALSE if invalid trits were found.
- */
-
-bool
-ntru_trits_2_bits(
-    uint8_t const *trits,           /*  in - pointer to array of trits */
-    uint32_t       num_trits,       /*  in - number of trits to convert */
-    uint8_t       *octets)          /* out - address for array of octets */
-{
-    bool     all_trits_valid = TRUE;
-    uint32_t bits24;
-    uint32_t bits3;
-    uint32_t shift;
-
-    assert(octets);
-    assert(trits);
-
-    while (num_trits >= 16) {
-
-        /* convert each 2 trits to 3 bits and pack */
-
-        bits3  = *trits++ * 3;
-        bits3 += *trits++;
-        if (bits3 > 7) {
-            bits3 = 7;
-            all_trits_valid = FALSE;
-        }
-        bits24 = (bits3 << 21);
-
-        bits3  = *trits++ * 3;
-        bits3 += *trits++;
-        if (bits3 > 7) {
-            bits3 = 7;
-            all_trits_valid = FALSE;
-        }
-        bits24 |= (bits3 << 18);
-
-        bits3  = *trits++ * 3;
-        bits3 += *trits++;
-        if (bits3 > 7) {
-            bits3 = 7;
-            all_trits_valid = FALSE;
-        }
-        bits24 |= (bits3 << 15);
-
-        bits3  = *trits++ * 3;
-        bits3 += *trits++;
-        if (bits3 > 7) {
-            bits3 = 7;
-            all_trits_valid = FALSE;
-        }
-        bits24 |= (bits3 << 12);
-
-        bits3  = *trits++ * 3;
-        bits3 += *trits++;
-        if (bits3 > 7) {
-            bits3 = 7;
-            all_trits_valid = FALSE;
-        }
-        bits24 |= (bits3 <<  9);
-
-        bits3  = *trits++ * 3;
-        bits3 += *trits++;
-        if (bits3 > 7) {
-            bits3 = 7;
-            all_trits_valid = FALSE;
-        }
-        bits24 |= (bits3 <<  6);
-
-        bits3  = *trits++ * 3;
-        bits3 += *trits++;
-        if (bits3 > 7) {
-            bits3 = 7;
-            all_trits_valid = FALSE;
-        }
-        bits24 |= (bits3 <<  3);
-
-        bits3  = *trits++ * 3;
-        bits3 += *trits++;
-        if (bits3 > 7) {
-            bits3 = 7;
-            all_trits_valid = FALSE;
-        }
-        bits24 |= bits3;
-
-        num_trits -= 16;
-
-        /* output three octets */
-
-        *octets++ = (uint8_t)((bits24 >> 16) & 0xff);
-        *octets++ = (uint8_t)((bits24 >>  8) & 0xff);
-        *octets++ = (uint8_t)(bits24 & 0xff);
-    }
-
-    bits24 = 0;
-    shift = 21;
-    while (num_trits) {
-
-        /* convert each 2 trits to 3 bits and pack */
-
-        bits3 = *trits++ * 3;
-        if (--num_trits) {
-            bits3 += *trits++;
-            --num_trits;
-        }
-        if (bits3 > 7) {
-            bits3 = 7;
-            all_trits_valid = FALSE;
-        }
-        bits24 |= (bits3 << shift);
-        shift -= 3;
-    }
-
-    /* output three octets */
-
-    *octets++ = (uint8_t)((bits24 >> 16) & 0xff);
-    *octets++ = (uint8_t)((bits24 >>  8) & 0xff);
-    *octets++ = (uint8_t)(bits24 & 0xff);
-
-    return all_trits_valid;
-}
-
-
-/* ntru_coeffs_mod4_2_octets
- *
- * Takes an array of ring element coefficients mod 4 and packs the
- * results into an octet string.
- */
-
-void
-ntru_coeffs_mod4_2_octets(
-    uint16_t        num_coeffs,     /*  in - number of coefficients */
-    uint16_t const *coeffs,         /*  in - pointer to coefficients */
-    uint8_t        *octets)         /* out - address for octets */
-{
-    uint8_t  bits2;
-    int      shift;
-    uint16_t i;
-
-    assert(coeffs);
-    assert(octets);
-
-    *octets = 0;
-    shift = 6;
-    for (i = 0; i < num_coeffs; i++) {
-        bits2 = (uint8_t)(coeffs[i] & 0x3);
-        *octets |= bits2 << shift;
-        shift -= 2;
-        if (shift < 0) {
-            ++octets;
-            *octets = 0;
-            shift = 6;
-        }
-    }
-}
-
-
-/* ntru_trits_2_octet
- *
- * Packs 5 trits in an octet, where a trit is 0, 1, or 2 (-1).
- */
-
-void
-ntru_trits_2_octet(
-    uint8_t const *trits,           /*  in - pointer to trits */
-    uint8_t *octet)                 /* out - address for octet */
-{
-    int i;
-
-    assert(trits);
-    assert(octet);
-
-    *octet = 0;
-    for (i = 4; i >= 0; i--) {
-        *octet = (*octet * 3) + trits[i];
-    }
-}
-
-
-/* ntru_octet_2_trits
- *
- * Unpacks an octet to 5 trits, where a trit is 0, 1, or 2 (-1).
- */
-
-void
-ntru_octet_2_trits(
-    uint8_t  octet,                 /*  in - octet to be unpacked */
-    uint8_t *trits)                 /* out - address for trits */
-{
-    int i;
-
-    assert(trits);
-
-    for (i = 0; i < 5; i++) {
-        trits[i] = octet % 3;
-        octet = (octet - trits[i]) / 3;
-    }
-}
-
-
-/* ntru_indices_2_trits
- *
- * Converts a list of the nonzero indices of a polynomial into an array of
- * trits.
- */
-
-void
-ntru_indices_2_trits(
-    uint16_t        in_len,         /*  in - no. of indices */
-    uint16_t const *in,             /*  in - pointer to list of indices */
-    bool            plus1,          /*  in - if list is +1 cofficients */
-    uint8_t        *out)            /* out - address of output polynomial */
-{
-    uint8_t     trit = plus1 ? 1 : 2;
-    uint16_t    i;
-
-    assert(in);
-    assert(out);
-
-    for (i = 0; i < in_len; i++) {
-        out[in[i]] = trit;
-    }
-}
-
-
-/* ntru_packed_trits_2_indices
- *
- * Unpacks an array of N trits and creates a list of array indices 
- * corresponding to trits = +1, and list of array indices corresponding to
- * trits = -1.
- */
-
-void
-ntru_packed_trits_2_indices(
-    uint8_t const *in,              /*  in - pointer to packed-trit octets */
-    uint16_t       num_trits,       /*  in - no. of packed trits */
-    uint16_t      *indices_plus1,   /* out - address for indices of +1 trits */
-    uint16_t      *indices_minus1)  /* out - address for indices of -1 trits */
-{
-    uint8_t  trits[5];
-    uint16_t i = 0;
-    int      j;
-
-    assert(in);
-    assert(indices_plus1);
-    assert(indices_minus1);
-
-    while (num_trits >= 5) {
-        ntru_octet_2_trits(*in++, trits);
-        num_trits -= 5;
-        for (j = 0; j < 5; j++, i++) {
-            if (trits[j] == 1) {
-                *indices_plus1 = i;
-                ++indices_plus1;
-            } else if (trits[j] == 2) {
-                *indices_minus1 = i;
-                ++indices_minus1;
-            }
-        }
-    }
-    if (num_trits) {
-        ntru_octet_2_trits(*in, trits);
-        for (j = 0; num_trits && (j < 5); j++, i++) {
-            if (trits[j] == 1) {
-                *indices_plus1 = i;
-                ++indices_plus1;
-            } else if (trits[j] == 2) {
-                *indices_minus1 = i;
-                ++indices_minus1;
-            }
-            --num_trits;
-        }
-    }
-}
-
-
-/* ntru_indices_2_packed_trits
- *
- * Takes a list of array indices corresponding to elements whose values
- * are +1 or -1, and packs the N-element array of trits described by these
- * lists into octets, 5 trits per octet.
- */
-
-void
-ntru_indices_2_packed_trits(
-    uint16_t const *indices,        /*  in - pointer to indices */
-    uint16_t        num_plus1,      /*  in - no. of indices for +1 trits */
-    uint16_t        num_minus1,     /*  in - no. of indices for -1 trits */
-    uint16_t        num_trits,      /*  in - N, no. of trits in array */
-    uint8_t        *buf,            /*  in - temp buf, N octets */
-    uint8_t        *out)            /* out - address for packed octets */
-{
-    assert(indices);
-    assert(buf);
-    assert(out);
-
-    /* convert indices to an array of trits */
-
-    memset(buf, 0, num_trits);
-    ntru_indices_2_trits(num_plus1, indices, TRUE, buf);
-    ntru_indices_2_trits(num_minus1, indices + num_plus1, FALSE, buf);
-
-    /* pack the array of trits */
-
-    while (num_trits >= 5) {
-        ntru_trits_2_octet(buf, out);
-        num_trits -= 5;
-        buf += 5;
-        ++out;
-    }
-    if (num_trits) {
-        uint8_t trits[5];
-
-        memcpy(trits, buf, num_trits);
-        memset(trits + num_trits, 0, sizeof(trits) - num_trits);
-        ntru_trits_2_octet(trits, out);
-    }
-}
-
-
-/* ntru_elements_2_octets
- *
- * Packs an array of n-bit elements into an array of
- * ((in_len * n_bits) + 7) / 8 octets, 8 < n_bits < 16.
- */
-
-void
-ntru_elements_2_octets(
-    uint16_t        in_len,         /*  in - no. of elements to be packed */
-    uint16_t const *in,             /*  in - ptr to elements to be packed */
-    uint8_t         n_bits,         /*  in - no. of bits in input element */
-    uint8_t        *out)            /* out - addr for output octets */
-{
-    uint16_t  temp;
-    int       shift;
-    uint16_t  i;
-
-    assert(in_len);
-    assert(in);
-    assert((n_bits > 8) && (n_bits < 16));
-    assert(out);
-
-    /* pack */
-
-    temp = 0;
-    shift = n_bits - 8;
-    i = 0;
-    while (i < in_len) {
-
-        /* add bits to temp to fill an octet and output the octet */
-
-        temp |= in[i] >> shift;
-        *out++ = (uint8_t)(temp & 0xff);
-        shift = 8 - shift;
-        if (shift < 1) {
-
-            /* next full octet is in current input word */
-
-            shift += n_bits;
-            temp = 0;
-
-        } else {
-
-            /* put remaining bits of input word in temp as partial octet,
-             * and increment index to next input word
-             */
-            temp = in[i] << (uint16_t)shift;
-
-            ++i;
-        }
-        shift = n_bits - shift;
-    }
-
-    /* output any bits remaining in last input word */
-
-    if (shift != n_bits - 8) {
-        *out++ = (uint8_t)(temp & 0xff);
-    }
-}
-
-
-/* ntru_octets_2_elements
- *
- * Unpacks an octet string into an array of ((in_len * 8) / n_bits)
- * n-bit elements, 8 < n_bits < 16.  Any extra bits are discarded.
- */
-
-void
-ntru_octets_2_elements(
-    uint16_t        in_len,         /*  in - no. of octets to be unpacked */
-    uint8_t const  *in,             /*  in - ptr to octets to be unpacked */
-    uint8_t         n_bits,         /*  in - no. of bits in output element */
-    uint16_t       *out)            /* out - addr for output elements */
-{
-    uint16_t  temp;
-    uint16_t  mask = (1 << n_bits) - 1;
-    int       shift;
-    uint16_t  i;
-
-    assert(in_len > 1);
-    assert(in);
-    assert((n_bits > 8) && (n_bits < 16));
-    assert(out);
-
-    /* unpack */
-
-    temp = 0;
-    shift = n_bits;
-    i = 0;
-    while (i < in_len) {
-        shift = 8 - shift;
-        if (shift < 0) {
-
-            /* the current octet will not fill the current element */
-
-            shift += n_bits;
-
-        } else {
-
-            /* add bits from the current octet to fill the current element and
-             * output the element
-             */
-
-            temp |= ((uint16_t)in[i]) >> shift;
-            *out++ = temp & mask;
-            temp = 0;
-        }
-
-        /* add the remaining bits of the current octet to start an element */
-
-        shift = n_bits - shift;
-        temp |= ((uint16_t)in[i]) << shift;
-        ++i;
-    }
-}
-
-
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.h
deleted file mode 100644
index 1c4b35b..0000000
--- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.h
+++ /dev/null
@@ -1,183 +0,0 @@
-/******************************************************************************
- * NTRU Cryptography Reference Source Code
- * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
- *
- * ntru_crypto_ntru_convert.h is a component of ntru-crypto.
- *
- * Copyright (C) 2009-2013  Security Innovation
- * 
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- *
- *****************************************************************************/
- 
-/******************************************************************************
- *
- * File: ntru_crypto_ntru_convert.h
- *
- * Contents: Definitions and declarations for conversion routines
- *           for NTRUEncrypt, including packing, unpacking and others.
- *
- *****************************************************************************/
-
-#ifndef NTRU_CRYPTO_NTRU_CONVERT_H
-#define NTRU_CRYPTO_NTRU_CONVERT_H
-
-#include "ntru_crypto.h"
-
-
-/* function declarations */
-
-/* ntru_bits_2_trits
- *
- * Each 3 bits in an array of octets is converted to 2 trits in an array
- * of trits.
- */
-
-extern void
-ntru_bits_2_trits(
-    uint8_t const *octets,          /*  in - pointer to array of octets */
-    uint16_t       num_trits,       /*  in - number of trits to produce */
-    uint8_t       *trits);          /* out - address for array of trits */
-
-
-/* ntru_trits_2_bits
- *
- * Each 2 trits in an array of trits is converted to 3 bits, and the bits
- * are packed in an array of octets.  A multiple of 3 octets is output.
- * Any bits in the final octets not derived from trits are zero.
- *
- * Returns TRUE if all trits were valid.
- * Returns FALSE if invalid trits were found.
- */
-
-extern bool
-ntru_trits_2_bits(
-    uint8_t const *trits,           /*  in - pointer to array of trits */
-    uint32_t       num_trits,       /*  in - number of trits to convert */
-    uint8_t       *octets);         /* out - address for array of octets */
-
-
-/* ntru_coeffs_mod4_2_octets
- *
- * Takes an array of coefficients mod 4 and packs the results into an
- * octet string.
- */
-
-extern void
-ntru_coeffs_mod4_2_octets(
-    uint16_t        num_coeffs,     /*  in - number of coefficients */
-    uint16_t const *coeffs,         /*  in - pointer to coefficients */
-    uint8_t        *octets);        /* out - address for octets */
-
-
-/* ntru_trits_2_octet
- *
- * Packs 5 trits in an octet, where a trit is 0, 1, or 2 (-1).
- */
-
-extern void
-ntru_trits_2_octet(
-    uint8_t const *trits,           /*  in - pointer to trits */
-    uint8_t *octet);                /* out - address for octet */
-
-
-/* ntru_octet_2_trits
- *
- * Unpacks an octet to 5 trits, where a trit is 0, 1, or 2 (-1).
- */
-
-extern void
-ntru_octet_2_trits(
-    uint8_t  octet,                 /*  in - octet to be unpacked */
-    uint8_t *trits);                /* out - address for trits */
-
-
-/* ntru_indices_2_trits
- *
- * Converts a list of the nonzero indices of a polynomial into an array of
- * trits.
- */
-
-extern void
-ntru_indices_2_trits(
-    uint16_t        in_len,         /*  in - no. of indices */
-    uint16_t const *in,             /*  in - pointer to list of indices */
-    bool            plus1,          /*  in - if list is +1 coefficients */
-    uint8_t        *out);           /* out - address of output polynomial */
-
-
-/* ntru_packed_trits_2_indices
- *
- * Unpacks an array of N trits and creates a list of array indices 
- * corresponding to trits = +1, and list of array indices corresponding to
- * trits = -1.
- */
-
-extern void
-ntru_packed_trits_2_indices(
-    uint8_t const *in,              /*  in - pointer to packed-trit octets */
-    uint16_t       num_trits,       /*  in - no. of packed trits */
-    uint16_t      *indices_plus1,   /* out - address for indices of +1 trits */
-    uint16_t      *indices_minus1); /* out - address for indices of -1 trits */
-
-
-/* ntru_indices_2_packed_trits
- *
- * Takes a list of array indices corresponding to elements whose values
- * are +1 or -1, and packs the N-element array of trits described by these
- * lists into octets, 5 trits per octet.
- */
-
-extern void
-ntru_indices_2_packed_trits(
-    uint16_t const *indices,        /*  in - pointer to indices */
-    uint16_t        num_plus1,      /*  in - no. of indices for +1 trits */
-    uint16_t        num_minus1,     /*  in - no. of indices for -1 trits */
-    uint16_t        num_trits,      /*  in - N, no. of trits in array */
-    uint8_t        *buf,            /*  in - temp buf, N octets */
-    uint8_t        *out);           /* out - address for packed octets */
-
-
-/* ntru_elements_2_octets
- *
- * Packs an array of n-bit elements into an array of
- * ((in_len * n_bits) + 7) / 8 octets, 8 < n_bits < 16.
- */
-
-extern void
-ntru_elements_2_octets(
-    uint16_t        in_len,         /*  in - no. of elements to be packed */
-    uint16_t const *in,             /*  in - ptr to elements to be packed */
-    uint8_t         n_bits,         /*  in - no. of bits in input element */
-    uint8_t        *out);           /* out - addr for output octets */
-
-
-/* ntru_octets_2_elements
- *
- * Unpacks an octet string into an array of ((in_len * 8) / n_bits)
- * n-bit elements, 8 < n < 16.  Any extra bits are discarded.
- */
-
-extern void
-ntru_octets_2_elements(
-    uint16_t        in_len,         /*  in - no. of octets to be unpacked */
-    uint8_t const  *in,             /*  in - ptr to octets to be unpacked */
-    uint8_t         n_bits,         /*  in - no. of bits in output element */
-    uint16_t       *out);           /* out - addr for output elements */
-
-
-#endif /* NTRU_CRYPTO_NTRU_CONVERT_H */
-
-
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c
deleted file mode 100644
index dba8191..0000000
--- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c
+++ /dev/null
@@ -1,1034 +0,0 @@
-/******************************************************************************
- * NTRU Cryptography Reference Source Code
- * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
- *
- * ntru_crypto_ntru_encrypt.c is a component of ntru-crypto.
- *
- * Copyright (C) 2009-2013  Security Innovation
- * 
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- *
- *****************************************************************************/
- 
-/******************************************************************************
- *
- * File: ntru_crypto_ntru_encrypt.c
- *
- * Contents: Routines implementing NTRUEncrypt encryption and decryption and
- *           key generation.
- *
- *****************************************************************************/
-
-
-#include <stdlib.h>
-#include <string.h>
-#include <assert.h>
-#include "ntru_crypto.h"
-#include "ntru_crypto_ntru_encrypt_param_sets.h"
-#include "ntru_crypto_ntru_encrypt_key.h"
-#include "ntru_crypto_ntru_convert.h"
-#include "ntru_crypto_ntru_poly.h"
-#
-#include "ntru_trits.h"
-#include "ntru_poly.h"
-
-/* ntru_crypto_ntru_encrypt
- *
- * Implements NTRU encryption (SVES) for the parameter set specified in
- * the public key blob.
- *
- * Before invoking this function, a DRBG must be instantiated using
- * ntru_crypto_drbg_instantiate() to obtain a DRBG handle, and in that
- * instantiation the requested security strength must be at least as large
- * as the security strength of the NTRU parameter set being used.
- * Failure to instantiate the DRBG with the proper security strength will
- * result in this function returning DRBG_ERROR_BASE + DRBG_BAD_LENGTH.
- *
- * The required minimum size of the output ciphertext buffer (ct) may be
- * queried by invoking this function with ct = NULL.  In this case, no
- * encryption is performed, NTRU_OK is returned, and the required minimum
- * size for ct is returned in ct_len.
- *
- * When ct != NULL, at invocation *ct_len must be the size of the ct buffer.
- * Upon return it is the actual size of the ciphertext.
- *
- * Returns NTRU_OK if successful.
- * Returns NTRU_DRBG_FAIL if the DRBG handle is invalid.
- * Returns NTRU_BAD_PARAMETER if an argument pointer (other than ct) is NULL.
- * Returns NTRU_BAD_LENGTH if a length argument (pubkey_blob_len or pt_len) is
-  * zero, or if pt_len exceeds the maximum plaintext length for the parameter set.
- * Returns NTRU_BAD_PUBLIC_KEY if the public-key blob is invalid
- *  (unknown format, corrupt, bad length).
- * Returns NTRU_BUFFER_TOO_SMALL if the ciphertext buffer is too small.
- * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
- */
-
-uint32_t
-ntru_crypto_ntru_encrypt(
-    ntru_drbg_t    *drbg,            /*     in - handle of DRBG */
-    uint16_t        pubkey_blob_len, /*     in - no. of octets in public key
-                                                 blob */
-    uint8_t const  *pubkey_blob,     /*     in - pointer to public key */
-    uint16_t        pt_len,          /*     in - no. of octets in plaintext */
-    uint8_t const  *pt,              /*     in - pointer to plaintext */
-    uint16_t       *ct_len,          /* in/out - no. of octets in ct, addr for
-                                                 no. of octets in ciphertext */
-    uint8_t        *ct)              /*    out - address for ciphertext */
-{
-    NTRU_ENCRYPT_PARAM_SET *params = NULL;
-    uint8_t const          *pubkey_packed = NULL;
-    uint8_t                 pubkey_pack_type = 0x00;
-    uint16_t                packed_ct_len;
-    size_t                  scratch_buf_len;
-    uint32_t                dr;
-    uint32_t                dr1 = 0;
-    uint32_t                dr2 = 0;
-    uint32_t                dr3 = 0;
-    uint16_t                ring_mult_tmp_len;
-    int16_t                 m1 = 0;
-    uint16_t               *scratch_buf = NULL;
-    uint16_t               *ringel_buf = NULL;
-    uint8_t                *b_buf = NULL;
-    uint8_t                *tmp_buf = NULL;
-    bool                    msg_rep_good = FALSE;
-    hash_algorithm_t        hash_algid;
-    uint16_t                mprime_len = 0;
-    uint16_t                mod_q_mask;
-    uint32_t                result = NTRU_OK;
-	ntru_trits_t           *mask;
-	uint8_t                *mask_trits;
-	chunk_t                 seed;
-	ntru_poly_t				*r_poly;
-
-    /* check for bad parameters */
-
-	if (!pubkey_blob || !pt || !ct_len)
-	{
-		return NTRU_BAD_PARAMETER;
-	}
-	if ((pubkey_blob_len == 0) || (pt_len == 0))
-	{
-		return NTRU_BAD_LENGTH;
-	}
-
-    /* get a pointer to the parameter-set parameters, the packing type for
-     * the public key, and a pointer to the packed public key
-     */
-
-    if (!ntru_crypto_ntru_encrypt_key_parse(TRUE /* pubkey */, pubkey_blob_len,
-                                            pubkey_blob, &pubkey_pack_type,
-                                            NULL, &params, &pubkey_packed,
-                                            NULL))
-	{
-		return NTRU_BAD_PUBLIC_KEY;
-	}
-
-    /* return the ciphertext size if requested */
-
-    packed_ct_len = (params->N * params->q_bits + 7) >> 3;
-    if (!ct)
-	{
-        *ct_len = packed_ct_len;
-		return NTRU_OK;
-    }
-
-    /* check the ciphertext buffer size */
-
-    if (*ct_len < packed_ct_len)
-	{
-		return NTRU_BUFFER_TOO_SMALL;
-    }
-
-    /* check the plaintext length */
-
-    if (pt_len > params->m_len_max)
-	{
-		return NTRU_BAD_LENGTH;
-    }
-
-    /* allocate memory for all operations */
-
-    if (params->is_product_form)
-	{
-        ring_mult_tmp_len = params->N << 1; /* 2N 16-bit word buffer */
-        dr1 =  params->dF_r & 0xff;
-        dr2 = (params->dF_r >>  8) & 0xff;
-        dr3 = (params->dF_r >> 16) & 0xff;
-        dr = dr1 + dr2 + dr3;
-    }
-	else
-	{
-        ring_mult_tmp_len = params->N;      /* N 16-bit word buffer */
-        dr = params->dF_r;
-    }
-    scratch_buf_len = (ring_mult_tmp_len << 1) +
-                                            /* X-byte temp buf for ring mult and
-                                                other intermediate results */
-                      (params->N << 1) +    /* 2N-byte buffer for ring elements
-                                                and overflow from temp buffer */
-                      (dr << 2) +           /* buffer for r indices */
-                      params->sec_strength_len;
-                                            /* buffer for b */
-    scratch_buf = malloc(scratch_buf_len);
-    if (!scratch_buf)
-	{
-		return NTRU_OUT_OF_MEMORY;
-    }
-    ringel_buf = scratch_buf + ring_mult_tmp_len;
-    b_buf = (uint8_t *)(ringel_buf + params->N);
-    tmp_buf = (uint8_t *)scratch_buf;
-
-	/* set hash algorithm based on security strength */
-	 hash_algid = (params->sec_strength_len <= 20) ? HASH_SHA1 : HASH_SHA256;
-
-    /* set constants */
-	mod_q_mask = params->q - 1;
-
-    /* loop until a message representative with proper weight is achieved */
-
-    do {
-        uint8_t *ptr = tmp_buf;
-
-        /* get b */
-        if (drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE,
-                                 params->sec_strength_len, b_buf))
-		{
-			result = NTRU_OK;
-		}
-		else
-		{
-			result = NTRU_FAIL;
-		}
-
-		if (result == NTRU_OK)
-		{
-
-            /* form sData (OID || m || b || hTrunc) */
-            memcpy(ptr, params->OID, 3);
-            ptr += 3;
-            memcpy(ptr, pt, pt_len);
-            ptr += pt_len;
-            memcpy(ptr, b_buf, params->sec_strength_len);
-            ptr += params->sec_strength_len;
-            memcpy(ptr, pubkey_packed, params->sec_strength_len);
-            ptr += params->sec_strength_len;
-
-			DBG2(DBG_LIB, "generate polynomial r");
-
-			seed = chunk_create(tmp_buf, ptr - tmp_buf);
-			r_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
-												params->N, params->q,
-												params->dF_r, params->dF_r,
-												params->is_product_form);
-			if (!r_poly)
-			{
-			   result = NTRU_MGF1_FAIL;
-			}
-        }
-
-		if (result == NTRU_OK)
-		{
-			uint16_t pubkey_packed_len;
-
-			/* unpack the public key */
-			assert(pubkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS);
-			pubkey_packed_len = (params->N * params->q_bits + 7) >> 3;
-			ntru_octets_2_elements(pubkey_packed_len, pubkey_packed,
-								   params->q_bits, ringel_buf);
-
-			/* form R = h * r */
-			r_poly->ring_mult(r_poly, ringel_buf, ringel_buf);
-			r_poly->destroy(r_poly);
-
-			/* form R mod 4 */
-			ntru_coeffs_mod4_2_octets(params->N, ringel_buf, tmp_buf);
-
-			/* form mask */
-			seed = chunk_create(tmp_buf, (params->N + 3)/4);
-			mask = ntru_trits_create(params->N, hash_algid, seed);
-			if (!mask)
-			{
-				result = NTRU_MGF1_FAIL;
-			}
-		}
-
-		if (result == NTRU_OK)
-		{
-            uint8_t  *Mtrin_buf = tmp_buf + params->N;
-            uint8_t  *M_buf = Mtrin_buf + params->N -
-                              (params->sec_strength_len + params->m_len_len +
-                               params->m_len_max + 2);
-            uint16_t  i;
-
-            /* form the padded message M */
-            ptr = M_buf;
-            memcpy(ptr, b_buf, params->sec_strength_len);
-            ptr += params->sec_strength_len;
-            if (params->m_len_len == 2)
-                *ptr++ = (uint8_t)((pt_len >> 8) & 0xff);
-            *ptr++ = (uint8_t)(pt_len & 0xff);
-            memcpy(ptr, pt, pt_len);
-            ptr += pt_len;
-
-            /* add an extra zero byte in case without it the bit string
-             * is not a multiple of 3 bits and therefore might not be
-             * able to produce enough trits
-             */
-
-            memset(ptr, 0, params->m_len_max - pt_len + 2);
-
-            /* convert M to trits (Mbin to Mtrin) */
-            mprime_len = params->N;
-			if (params->is_product_form)
-			{
-                --mprime_len;
-			}
-
-            ntru_bits_2_trits(M_buf, mprime_len, Mtrin_buf);
-			mask_trits = mask->get_trits(mask);
-
-			/* form the msg representative m' by adding Mtrin to mask, mod p */
-			if (params->is_product_form)
-			{
-				for (i = 0; i < mprime_len; i++)
-				{
-					tmp_buf[i] = mask_trits[i] + Mtrin_buf[i];
-					if (tmp_buf[i] >= 3)
-					{
-						tmp_buf[i] -= 3;
-					}
-					if (tmp_buf[i] == 1)
-					{
-						++m1;
-					}
-					else if (tmp_buf[i] == 2)
-					{
-						--m1;
-					}
-				}
-			}
-			else
-			{
-				for (i = 0; i < mprime_len; i++)
-				{
-					tmp_buf[i] = mask_trits[i] + Mtrin_buf[i];
-					if (tmp_buf[i] >= 3)
-					{
-						tmp_buf[i] -= 3;
-					}
-				}
-			}
-			mask->destroy(mask);
-
-            /* check that message representative meets minimum weight
-             * requirements
-             */
-
-            if (params->is_product_form)
-                msg_rep_good = m1 < 0 ? (bool)(-m1 <= params->min_msg_rep_wt) : 
-                                        (bool)( m1 <= params->min_msg_rep_wt);
-            else
-                msg_rep_good = ntru_poly_check_min_weight(mprime_len, tmp_buf,
-                                                       params->min_msg_rep_wt);
-            msg_rep_good = TRUE;
-        }
-    } while ((result == NTRU_OK) && !msg_rep_good);
-
-	if (result == NTRU_OK)
-	{
-        uint16_t i;
-
-        /* form ciphertext e by adding m' to R mod q */
-
-        for (i = 0; i < mprime_len; i++) {
-            if (tmp_buf[i] == 1)
-                ringel_buf[i] = (ringel_buf[i] + 1) & mod_q_mask;
-            else if (tmp_buf[i] == 2)
-                ringel_buf[i] = (ringel_buf[i] - 1) & mod_q_mask;
-        }
-        if (params->is_product_form)
-            ringel_buf[i] = (ringel_buf[i] - m1) & mod_q_mask;
-
-        /* pack ciphertext */
-        ntru_elements_2_octets(params->N, ringel_buf, params->q_bits, ct);
-        *ct_len = packed_ct_len;
-    }
-
-    /* cleanup */
-    memset(scratch_buf, 0, scratch_buf_len);
-    free(scratch_buf);
-    
-	return result;
-}
-
-
-/* ntru_crypto_ntru_decrypt
- *
- * Implements NTRU decryption (SVES) for the parameter set specified in
- * the private key blob.
- *
- * The maximum size of the output plaintext may be queried by invoking
- * this function with pt = NULL.  In this case, no decryption is performed,
- * NTRU_OK is returned, and the maximum size the plaintext could be is
- * returned in pt_len.
- * Note that until the decryption is performed successfully, the actual size
- * of the resulting plaintext cannot be known.
- *
- * When pt != NULL, at invocation *pt_len must be the size of the pt buffer.
- * Upon return it is the actual size of the plaintext.
- *
- * Returns NTRU_OK if successful.
- * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pt) is NULL.
- * Returns NTRU_BAD_LENGTH if a length argument (privkey_blob) is zero, or if
- *  ct_len is invalid for the parameter set.
- * Returns NTRU_BAD_PRIVATE_KEY if the private-key blob is invalid
- *  (unknown format, corrupt, bad length).
- * Returns NTRU_BUFFER_TOO_SMALL if the plaintext buffer is too small.
- * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
- * Returns NTRU_FAIL if a decryption error occurs.
- */
-
-uint32_t
-ntru_crypto_ntru_decrypt(
-    uint16_t       privkey_blob_len, /*     in - no. of octets in private key
-                                                 blob */
-    uint8_t const *privkey_blob,     /*     in - pointer to private key */
-    uint16_t       ct_len,           /*     in - no. of octets in ciphertext */
-    uint8_t const *ct,               /*     in - pointer to ciphertext */
-    uint16_t      *pt_len,           /* in/out - no. of octets in pt, addr for
-                                                 no. of octets in plaintext */
-    uint8_t       *pt)               /*    out - address for plaintext */
-{
-    NTRU_ENCRYPT_PARAM_SET *params = NULL;
-    uint8_t const          *privkey_packed = NULL;
-    uint8_t const          *pubkey_packed = NULL;
-    uint8_t                 privkey_pack_type = 0x00;
-    uint8_t                 pubkey_pack_type = 0x00;
-    size_t                  scratch_buf_len;
-    uint32_t                dF_r;
-    uint32_t                dF_r1 = 0;
-    uint32_t                dF_r2 = 0;
-    uint32_t                dF_r3 = 0;
-    uint16_t                ring_mult_tmp_len;
-    int16_t                 m1 = 0;
-    uint16_t               *scratch_buf = NULL;
-    uint16_t               *ringel_buf1 = NULL;
-    uint16_t               *ringel_buf2 = NULL;
-    uint16_t               *i_buf = NULL;
-    uint8_t                *m_buf = NULL;
-    uint8_t                *tmp_buf = NULL;
-    uint8_t                *Mtrin_buf = NULL;
-    uint8_t                *M_buf = NULL;
-    uint8_t                *ptr = NULL;
-    hash_algorithm_t        hash_algid;
-    uint16_t                cmprime_len;
-    uint16_t                mod_q_mask;
-    uint16_t                q_mod_p;
-    uint16_t                cm_len = 0;
-    uint16_t                num_zeros;
-    uint16_t                i;
-    bool                    decryption_ok = TRUE;
-    uint32_t                result = NTRU_OK;
-	ntru_trits_t           *mask;
-	uint8_t                *mask_trits;
-	chunk_t                 seed;
-	ntru_poly_t			   *F_poly, *r_poly;
-
-	/* check for bad parameters */
-	if (!privkey_blob || !ct || !pt_len)
-	{
-		return NTRU_BAD_PARAMETER;
-	}
-	if ((privkey_blob_len == 0) || (ct_len == 0))
-	{
-		return NTRU_BAD_LENGTH;
-	}
-
-    /* get a pointer to the parameter-set parameters, the packing types for
-     * the public and private keys, and pointers to the packed public and
-     * private keys
-     */
-
-	if (!ntru_crypto_ntru_encrypt_key_parse(FALSE /* privkey */,
-                                            privkey_blob_len,
-                                            privkey_blob, &pubkey_pack_type,
-                                            &privkey_pack_type, &params,
-                                            &pubkey_packed, &privkey_packed))
-	{
-		return NTRU_BAD_PRIVATE_KEY;
-	}
-
-    /* return the max plaintext size if requested */
-
-	if (!pt)
-	{
-        *pt_len = params->m_len_max;
-		return NTRU_OK;
-    }
-
-    /* cannot check the plaintext buffer size until after the plaintext
-     * is derived, if we allow plaintext buffers only as large as the
-     * actual plaintext
-     */
-
-    /* check the ciphertext length */
-
-	if (ct_len != (params->N * params->q_bits + 7) >> 3)
-	{
-		return NTRU_BAD_LENGTH;
-	}
-
-    /* allocate memory for all operations */
-
-	if (params->is_product_form)
-	{
-        ring_mult_tmp_len = params->N << 1; /* 2N 16-bit word buffer */
-        dF_r1 =  params->dF_r & 0xff;
-        dF_r2 = (params->dF_r >>  8) & 0xff;
-        dF_r3 = (params->dF_r >> 16) & 0xff;
-        dF_r = dF_r1 + dF_r2 + dF_r3;
-    } else {
-        ring_mult_tmp_len = params->N;      /* N 16-bit word buffer */
-        dF_r = params->dF_r;
-    }
-    scratch_buf_len = (ring_mult_tmp_len << 1) +
-                                            /* X-byte temp buf for ring mult and
-                                                other intermediate results */
-                      (params->N << 2) +    /* 2 2N-byte bufs for ring elements
-                                                and overflow from temp buffer */
-                      (dF_r << 2) +         /* buffer for F, r indices */
-                      params->m_len_max;    /* buffer for plaintext */
-    scratch_buf = malloc(scratch_buf_len);
-	if (!scratch_buf)
-	{
-		return NTRU_OUT_OF_MEMORY;
-    }
-    ringel_buf1 = scratch_buf + ring_mult_tmp_len;
-    ringel_buf2 = ringel_buf1 + params->N;
-    i_buf = ringel_buf2 + params->N;
-    m_buf = (uint8_t *)(i_buf + (dF_r << 1));
-    tmp_buf = (uint8_t *)scratch_buf;
-    Mtrin_buf = (uint8_t *)ringel_buf1;
-    M_buf = Mtrin_buf + params->N;
-
-	/* set hash algorithm based on security strength */
-	hash_algid = (params->sec_strength_len <= 20) ? HASH_SHA1 : HASH_SHA256;
-
-    /* set constants */
-    mod_q_mask = params->q - 1;
-    q_mod_p = params->q % 3;
-
-    /* unpack the ciphertext */
-    ntru_octets_2_elements(ct_len, ct, params->q_bits, ringel_buf2);
-
-    /* unpack the private key */
-    if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_TRITS)
-	{
-        ntru_packed_trits_2_indices(privkey_packed, params->N, i_buf,
-                                    i_buf + dF_r);
-
-    }
-	else if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_INDICES)
-	{
-        ntru_octets_2_elements(
-                (((uint16_t)dF_r << 1) * params->N_bits + 7) >> 3,
-                privkey_packed, params->N_bits, i_buf);
-
-    }
-	else
-	{
-        assert(FALSE);
-    }
-
-    /* form cm':
-     *  F * e
-     *  A = e * (1 + pF) mod q = e + pFe mod q
-     *  a = A in the range [-q/2, q/2)
-     *  cm' = a mod p
-     */
-	F_poly = ntru_poly_create_from_data(i_buf, params->N, params->q,
-										params->dF_r, params->dF_r,
-									    params->is_product_form);
-	F_poly->ring_mult(F_poly, ringel_buf2, ringel_buf1);
-	F_poly->destroy(F_poly);
-
-    cmprime_len = params->N;
-    if (params->is_product_form)
-	{
-         --cmprime_len;
-		for (i = 0; i < cmprime_len; i++)
-		{
-			ringel_buf1[i] = (ringel_buf2[i] + 3 * ringel_buf1[i]) & mod_q_mask;
-			if (ringel_buf1[i] >= (params->q >> 1))
-			{
-				ringel_buf1[i] = ringel_buf1[i] - q_mod_p;
-			}
-			Mtrin_buf[i] = (uint8_t)(ringel_buf1[i] % 3);
-			if (Mtrin_buf[i] == 1)
-			{
-				++m1;
-			}
-			else if (Mtrin_buf[i] == 2)
-			{
-				--m1;
-			}
-		}
-	}
-	else
-	{
-		for (i = 0; i < cmprime_len; i++)
-		{
-			ringel_buf1[i] = (ringel_buf2[i] + 3 * ringel_buf1[i]) & mod_q_mask;
-			if (ringel_buf1[i] >= (params->q >> 1))
-			{
-				ringel_buf1[i] = ringel_buf1[i] - q_mod_p;
-			}
-			Mtrin_buf[i] = (uint8_t)(ringel_buf1[i] % 3);
-		}
-	}
-
-    /* check that the candidate message representative meets minimum weight
-     * requirements
-     */
-
-    if (params->is_product_form)
-	{
-	    decryption_ok = m1 < 0 ? (bool)(-m1 <= params->min_msg_rep_wt) : 
-	                             (bool)( m1 <= params->min_msg_rep_wt);
-	}
-	else
-	{
-        decryption_ok = ntru_poly_check_min_weight(cmprime_len, Mtrin_buf,
-												   params->min_msg_rep_wt);
-	}
-
-	/* form cR = e - cm' mod q */
-	for (i = 0; i < cmprime_len; i++)
-	{
-		if (Mtrin_buf[i] == 1)
-		{
-			ringel_buf2[i] = (ringel_buf2[i] - 1) & mod_q_mask;
-		}
-		else if (Mtrin_buf[i] == 2)
-		{
-			ringel_buf2[i] = (ringel_buf2[i] + 1) & mod_q_mask;
-		}
-	}
-	if (params->is_product_form)
-	{
-		ringel_buf2[i] = (ringel_buf2[i] + m1) & mod_q_mask;
-	}
-
-	/* form cR mod 4 */
-	ntru_coeffs_mod4_2_octets(params->N, ringel_buf2, tmp_buf);
-
-	/* form mask */
-	seed = chunk_create(tmp_buf, (params->N + 3)/4);
-	mask = ntru_trits_create(params->N, hash_algid, seed);
-	if (!mask)
-	{
-		result = NTRU_MGF1_FAIL;
-	}
-	else
-	{
-		mask_trits = mask->get_trits(mask);
-
-		/* form cMtrin by subtracting mask from cm', mod p */
-		for (i = 0; i < cmprime_len; i++)
-		{
-			Mtrin_buf[i] = Mtrin_buf[i] - mask_trits[i];
-			if (Mtrin_buf[i] >= 3)
-			{
-				Mtrin_buf[i] += 3;
-			}
-		}
-		mask->destroy(mask);
-
-        if (params->is_product_form)
-
-            /* set the last trit to zero since that's what it was, and
-             * because it can't be calculated from (cm' - mask) since
-             * we don't have the correct value for the last cm' trit
-             */
-
-            Mtrin_buf[i] = 0;
-
-        /* convert cMtrin to cM (Mtrin to Mbin) */
-
-        if (!ntru_trits_2_bits(Mtrin_buf, params->N, M_buf))
-            decryption_ok = FALSE;
-
-        /* validate the padded message cM and copy cm to m_buf */
-
-        ptr = M_buf + params->sec_strength_len;
-        if (params->m_len_len == 2)
-            cm_len = (uint16_t)(*ptr++) << 16;
-        cm_len |= (uint16_t)(*ptr++);
-        if (cm_len > params->m_len_max) {
-            cm_len = params->m_len_max;
-            decryption_ok = FALSE;
-        }
-        memcpy(m_buf, ptr, cm_len);
-        ptr += cm_len;
-        num_zeros = params->m_len_max - cm_len + 1;
-        for (i = 0; i < num_zeros; i++) {
-            if (ptr[i] != 0)
-                decryption_ok = FALSE;
-        }
-
-        /* form sData (OID || m || b || hTrunc) */
-
-        ptr = tmp_buf;
-        memcpy(ptr, params->OID, 3);
-        ptr += 3;
-        memcpy(ptr, m_buf, cm_len);
-        ptr += cm_len;
-        memcpy(ptr, M_buf, params->sec_strength_len);
-        ptr += params->sec_strength_len;
-        memcpy(ptr, pubkey_packed, params->sec_strength_len);
-        ptr += params->sec_strength_len;
-
-        /* generate cr */
-		DBG2(DBG_LIB, "generate polynomial r");
-
-		seed = chunk_create(tmp_buf, ptr - tmp_buf);
-		r_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
-											params->N, params->q,
-											params->dF_r, params->dF_r,
-											params->is_product_form);
-		if (!r_poly)
-		{
-		   result = NTRU_MGF1_FAIL;
-		}
-    }
-
-	if (result == NTRU_OK)
-	{
-		/* unpack the public key */
-		{
-            uint16_t pubkey_packed_len;
-
-			assert(pubkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS);
-			pubkey_packed_len = (params->N * params->q_bits + 7) >> 3;
-			ntru_octets_2_elements(pubkey_packed_len, pubkey_packed,
-								   params->q_bits, ringel_buf1);
-		}
-
-		/* form cR' = h * cr */
-		r_poly->ring_mult(r_poly, ringel_buf1, ringel_buf1);
-		r_poly->destroy(r_poly);
-
-		/* compare cR' to cR */
-		for (i = 0; i < params->N; i++)
-		{
-			if (ringel_buf1[i] != ringel_buf2[i])
-			{
-                decryption_ok = FALSE;
-			}
-		}
-
-        /* output plaintext and plaintext length */
-		if (decryption_ok)
-		{
-			if (*pt_len < cm_len)
-			{
-				return NTRU_BUFFER_TOO_SMALL;
-			}
-			memcpy(pt, m_buf, cm_len);
-			*pt_len = cm_len;
-        }
-    }
-
-	/* cleanup */
-	memset(scratch_buf, 0, scratch_buf_len);
-	free(scratch_buf);
-    
-	if (!decryption_ok)
-	{
-		return NTRU_FAIL;
-	}
-
-	return result;
-}
-
-
-/* ntru_crypto_ntru_encrypt_keygen
- *
- * Implements key generation for NTRUEncrypt for the parameter set specified.
- *
- * The required minimum size of the output public-key buffer (pubkey_blob)
- * may be queried by invoking this function with pubkey_blob = NULL.
- * In this case, no key generation is performed, NTRU_OK is returned, and
- * the required minimum size for pubkey_blob is returned in pubkey_blob_len.
- *
- * The required minimum size of the output private-key buffer (privkey_blob)
- * may be queried by invoking this function with privkey_blob = NULL.
- * In this case, no key generation is performed, NTRU_OK is returned, and
- * the required minimum size for privkey_blob is returned in privkey_blob_len.
- *
- * The required minimum sizes of both pubkey_blob and privkey_blob may be
- * queried as described above, in a single invocation of this function.
- *
- * When pubkey_blob != NULL and privkey_blob != NULL, at invocation
- * *pubkey_blob_len must be the size of the pubkey_blob buffer and
- * *privkey_blob_len must be the size of the privkey_blob buffer.
- * Upon return, *pubkey_blob_len is the actual size of the public-key blob
- * and *privkey_blob_len is the actual size of the private-key blob.
- *
- * Returns NTRU_OK if successful.
- * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pubkey_blob or
- *  privkey_blob) is NULL.
- * Returns NTRU_INVALID_PARAMETER_SET if the parameter-set ID is invalid.
- * Returns NTRU_BAD_LENGTH if a length argument is invalid.
- * Returns NTRU_BUFFER_TOO_SMALL if either the pubkey_blob buffer or the
- *  privkey_blob buffer is too small.
- * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
- * Returns NTRU_FAIL if the polynomial generated for f is not invertible in
- *  (Z/qZ)[X]/(X^N - 1), which is extremely unlikely.
- *  Should this occur, this function should simply be invoked again.
- */
-
-uint32_t
-ntru_crypto_ntru_encrypt_keygen(
-    ntru_drbg_t               *drbg,             /*     in - handle of DRBG */
-    NTRU_ENCRYPT_PARAM_SET_ID  param_set_id,     /*     in - parameter set ID */
-    uint16_t                  *pubkey_blob_len,  /* in/out - no. of octets in
-                                                             pubkey_blob, addr
-                                                             for no. of octets
-                                                             in pubkey_blob */
-    uint8_t                   *pubkey_blob,      /*    out - address for
-                                                             public key blob */
-    uint16_t                  *privkey_blob_len, /* in/out - no. of octets in
-                                                             privkey_blob, addr
-                                                             for no. of octets
-                                                             in privkey_blob */
-    uint8_t                   *privkey_blob)     /*    out - address for
-                                                             private key blob */
-{
-    NTRU_ENCRYPT_PARAM_SET *params = NULL;
-    uint16_t                public_key_blob_len;
-    uint16_t                private_key_blob_len;
-    uint8_t                 pubkey_pack_type;
-    uint8_t                 privkey_pack_type;
-    size_t                  scratch_buf_len;
-    uint32_t                dF;
-    uint32_t                dF1 = 0;
-    uint32_t                dF2 = 0;
-    uint32_t                dF3 = 0;
-    uint16_t               *scratch_buf = NULL;
-    uint16_t               *ringel_buf1 = NULL;
-    uint16_t               *ringel_buf2 = NULL;
-    uint8_t                *tmp_buf = NULL;
-    uint16_t                mod_q_mask;
-    hash_algorithm_t        hash_algid;
-    uint16_t                seed_len;
-	chunk_t					seed;
-    uint32_t                result = NTRU_OK;
-	ntru_poly_t			   *F_poly = NULL;
-	ntru_poly_t            *g_poly = NULL;
-	uint16_t			   *F_indices;
-
-    /* get a pointer to the parameter-set parameters */
-
-    if ((params = ntru_encrypt_get_params_with_id(param_set_id)) == NULL)
-	{
-		return NTRU_INVALID_PARAMETER_SET;
-	}
-
-    /* check for bad parameters */
-
-    if (!pubkey_blob_len || !privkey_blob_len)
-	{
-		return NTRU_BAD_PARAMETER;
-	}
-
-    /* get public and private key packing types and blob lengths */
-
-    ntru_crypto_ntru_encrypt_key_get_blob_params(params, &pubkey_pack_type,
-                                                 &public_key_blob_len,
-                                                 &privkey_pack_type,
-                                                 &private_key_blob_len);
-
-    /* return the pubkey_blob size and/or privkey_blob size if requested */
-
-    if (!pubkey_blob || !privkey_blob)
-	{
-        if (!pubkey_blob)
-            *pubkey_blob_len = public_key_blob_len;
-        if (!privkey_blob)
-            *privkey_blob_len = private_key_blob_len;
-		return NTRU_OK;
-    }
-
-    /* check size of output buffers */
-
-    if ((*pubkey_blob_len < public_key_blob_len) ||
-            (*privkey_blob_len < private_key_blob_len))
-	{
-		return NTRU_BUFFER_TOO_SMALL;
-	}
-
-    /* allocate memory for all operations */
-    if (params->is_product_form) {
-        dF1 =  params->dF_r & 0xff;
-        dF2 = (params->dF_r >> 8) & 0xff;
-        dF3 = (params->dF_r >> 16) & 0xff;
-        dF = dF1 + dF2 + dF3;
-    } else {
-        dF = params->dF_r;
-    }
-
-    scratch_buf_len = (params->N * 8) +     /* 4N-byte temp buffer for ring inv
-                                                and other intermediate results,
-                                               2N-byte buffer for f, g indices
-                                                and overflow from temp buffer,
-                                               2N-byte buffer for f^-1 */
-                      (dF << 2);            /* buffer for F indices */
-    scratch_buf = malloc(scratch_buf_len);
-	if (!scratch_buf)
-	{
-		return NTRU_OUT_OF_MEMORY;
-    }
-    ringel_buf1 = scratch_buf + (params->N << 1);
-    ringel_buf2 = ringel_buf1 + params->N;
-    tmp_buf = (uint8_t *)scratch_buf;
-
-	/* set hash algorithm and seed length based on security strength */
-    if (params->sec_strength_len <= 20)
-	{
-		hash_algid = HASH_SHA1;
-	}
-	else
-	{
-		hash_algid = HASH_SHA256;
-	}
-	seed_len = params->sec_strength_len + 8;
-
-    /* set constants */
-
-    mod_q_mask = params->q - 1;
-
-    /* get random bytes for seed for generating trinary F
-     * as a list of indices
-     */
-
-    if (drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE,
-							 seed_len, tmp_buf))
-	{
-		result = NTRU_OK;
-	}
-	else
-	{
-		result = NTRU_DRBG_FAIL;
-	}
-
-	if (result == NTRU_OK)
-	{
-		DBG2(DBG_LIB, "generate polynomial F");
-
-		seed = chunk_create(tmp_buf, seed_len);
-		F_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
-											params->N, params->q,
-											params->dF_r, params->dF_r,
-											params->is_product_form);
-		if (!F_poly)
-		{
-		   result = NTRU_MGF1_FAIL;
-		}
-    }
-
-	if (result == NTRU_OK)
-	{
-		int i;
-
-		F_poly->get_array(F_poly, ringel_buf1);
-
-		/* form f = 1 + pF */
-		for (i = 0; i < params->N; i++)
-		{
-			ringel_buf1[i] = (ringel_buf1[i] * 3) & mod_q_mask;
-		}
-		ringel_buf1[0] = (ringel_buf1[0] + 1) & mod_q_mask;
-
-		/* find f^-1 in (Z/qZ)[X]/(X^N - 1) */
-		if (!ntru_ring_inv(ringel_buf1, params->N, params->q,
-						   scratch_buf, ringel_buf2))
-		{
-			result = NTRU_FAIL;
-		}
-	}
-
-	if (result == NTRU_OK)
-	{
-
-        /* get random bytes for seed for generating trinary polynomial g
-         * as a list of indices
-         */
-        if (!drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE,
-								  seed_len, tmp_buf))
-		{
-			result = NTRU_DRBG_FAIL;
-		}
-    }
-
-	if (result == NTRU_OK)
-	{
-		DBG2(DBG_LIB, "generate polynomial g");
-
-		seed = chunk_create(tmp_buf, seed_len);
-		g_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
-											params->N, params->q,
-											params->dg + 1, params->dg, FALSE);
-		if (!g_poly)
-		{
-		   result = NTRU_MGF1_FAIL;
-		}
-   }
-
-	if (result == NTRU_OK)
-	{
-		uint16_t i;
-
-		/* compute h = p * (f^-1 * g) mod q */
-		g_poly->ring_mult(g_poly, ringel_buf2, ringel_buf2);
-		g_poly->destroy(g_poly);
-
-		for (i = 0; i < params->N; i++)
-		{
-			ringel_buf2[i] = (ringel_buf2[i] * 3) & mod_q_mask;
-		}
-
-		/* create public key blob */
-		ntru_crypto_ntru_encrypt_key_create_pubkey_blob(params, ringel_buf2,
-													    pubkey_pack_type,
-														pubkey_blob);
-		*pubkey_blob_len = public_key_blob_len;
-
-		/* create private key blob */
-		F_indices = F_poly->get_indices(F_poly);
-		ntru_crypto_ntru_encrypt_key_create_privkey_blob(params, ringel_buf2,
-														 F_indices,
-														 privkey_pack_type,
-														 tmp_buf, privkey_blob);
-		*privkey_blob_len = private_key_blob_len;
-    }
-
-	/* cleanup */
-	DESTROY_IF(F_poly);
-	memset(scratch_buf, 0, scratch_buf_len);
-	free(scratch_buf);
-  
-	return result;
-}
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c
deleted file mode 100644
index 90baaad..0000000
--- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c
+++ /dev/null
@@ -1,360 +0,0 @@
-/******************************************************************************
- * NTRU Cryptography Reference Source Code
- * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
- *
- * ntru_crypto_ntru_encrypt_key.c is a component of ntru-crypto.
- *
- * Copyright (C) 2009-2013  Security Innovation
- * 
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- *
- *****************************************************************************/
- 
-/******************************************************************************
- *
- * File: ntru_crypto_ntru_encrypt_key.c
- *
- * Contents: Routines for exporting and importing public and private keys
- *           for NTRUEncrypt.
- *
- *****************************************************************************/
-
-
-#include <stdlib.h>
-#include <string.h>
-#include <assert.h>
-#include "ntru_crypto_ntru_encrypt_key.h"
-
-
-/* ntru_crypto_ntru_encrypt_key_parse
- *
- * Parses an NTRUEncrypt key blob.
- * If the blob is not corrupt, returns packing types for public and private
- * keys, a pointer to the parameter set, a pointer to the public key, and
- * a pointer to the private key if it exists.
- *
- * Returns TRUE if successful.
- * Returns FALSE if the blob is invalid.
- */
-
-bool
-ntru_crypto_ntru_encrypt_key_parse(
-    bool                     pubkey_parse,      /*  in - if parsing pubkey
-                                                         blob */
-    uint16_t                 key_blob_len,      /*  in - no. octets in key
-                                                         blob */
-    uint8_t const           *key_blob,          /*  in - pointer to key blob */
-    uint8_t                 *pubkey_pack_type,  /* out - addr for pubkey
-                                                         packing type */
-    uint8_t                 *privkey_pack_type, /* out - addr for privkey
-                                                         packing type */
-    NTRU_ENCRYPT_PARAM_SET **params,            /* out - addr for ptr to
-                                                         parameter set */
-    uint8_t const          **pubkey,            /* out - addr for ptr to
-                                                         packed pubkey */
-    uint8_t const          **privkey)           /* out - addr for ptr to
-                                                         packed privkey */
-{
-    uint8_t tag;
-
-    assert(key_blob_len);
-    assert(key_blob);
-    assert(pubkey_pack_type);
-    assert(params);
-    assert(pubkey);
-
-    /* parse key blob based on tag */
-
-    tag = key_blob[0];
-    switch (tag) {
-        case NTRU_ENCRYPT_PUBKEY_TAG:
-            if (!pubkey_parse)
-                return FALSE;
-            break;
-        case NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG:
-        case NTRU_ENCRYPT_PRIVKEY_TRITS_TAG:
-        case NTRU_ENCRYPT_PRIVKEY_INDICES_TAG:
-            assert(privkey_pack_type);
-            assert(privkey);
-            if (pubkey_parse)
-                return FALSE;
-            break;
-        default:
-            return FALSE;
-    }
-
-    switch (tag) {
-        case NTRU_ENCRYPT_PUBKEY_TAG:
-        case NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG:
-        case NTRU_ENCRYPT_PRIVKEY_TRITS_TAG:
-        case NTRU_ENCRYPT_PRIVKEY_INDICES_TAG:
-
-            /* Version 0:
-             *  byte  0:   tag
-             *  byte  1:   no. of octets in OID
-             *  bytes 2-4: OID
-             *  bytes 5- : packed pubkey
-             *             [packed privkey]
-             */
-
-        {
-            NTRU_ENCRYPT_PARAM_SET *p = NULL;
-            uint16_t pubkey_packed_len;
-
-            /* check OID length and minimum blob length for tag and OID */
-
-            if ((key_blob_len < 5) || (key_blob[1] != 3))
-                return FALSE;
-
-            /* get a pointer to the parameter set corresponding to the OID */
-
-            if ((p = ntru_encrypt_get_params_with_OID(key_blob + 2)) == NULL)
-                return FALSE;
-
-            /* check blob length and assign pointers to blob fields */
-
-            pubkey_packed_len = (p->N * p->q_bits + 7) / 8;
-            if (pubkey_parse) { /* public-key parsing */
-                if (key_blob_len != 5 + pubkey_packed_len)
-                    return FALSE;
-
-                *pubkey = key_blob + 5;
-
-            } else { /* private-key parsing */
-                uint16_t privkey_packed_len;
-                uint16_t privkey_packed_trits_len = (p->N + 4) / 5;
-                uint16_t privkey_packed_indices_len;
-                uint16_t dF;
-
-                /* check packing type for product-form private keys */
-
-                if (p->is_product_form &&
-                        (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG))
-                    return FALSE;
-
-                /* set packed-key length for packed indices */
-
-                if (p->is_product_form)
-                    dF = (uint16_t)( (p->dF_r & 0xff) +            /* df1 */
-                                    ((p->dF_r >>  8) & 0xff) +     /* df2 */
-                                    ((p->dF_r >> 16) & 0xff));     /* df3 */
-                else
-                    dF = (uint16_t)p->dF_r;
-                privkey_packed_indices_len = ((dF << 1) * p->N_bits + 7) >> 3;
-
-                /* set private-key packing type if defaulted */
-
-                if (tag == NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG) {
-                    if (p->is_product_form ||
-                            (privkey_packed_indices_len <=
-                             privkey_packed_trits_len))
-                        tag = NTRU_ENCRYPT_PRIVKEY_INDICES_TAG;
-                    else
-                        tag = NTRU_ENCRYPT_PRIVKEY_TRITS_TAG;
-                }
-
-                if (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG)
-                    privkey_packed_len = privkey_packed_trits_len;
-                else
-                    privkey_packed_len = privkey_packed_indices_len;
-
-                if (key_blob_len != 5 + pubkey_packed_len + privkey_packed_len)
-                    return FALSE;
-
-                *pubkey = key_blob + 5;
-                *privkey = *pubkey + pubkey_packed_len;
-                *privkey_pack_type = (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG) ?
-                    NTRU_ENCRYPT_KEY_PACKED_TRITS :
-                    NTRU_ENCRYPT_KEY_PACKED_INDICES;
-            }
-
-            /* return parameter set pointer */
-
-            *pubkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS;
-            *params = p;
-        }
-        default:
-            break;  /* can't get here */
-    }
-    return TRUE;
-}
-
-
-/* ntru_crypto_ntru_encrypt_key_get_blob_params
- *
- * Returns public and private key packing types and blob lengths given
- * a packing format.  For now, only a default packing format exists.
- *
- * Only public-key params may be returned by setting privkey_pack_type
- * and privkey_blob_len to NULL.
- */
-
-void
-ntru_crypto_ntru_encrypt_key_get_blob_params(
-    NTRU_ENCRYPT_PARAM_SET const *params,             /*  in - pointer to
-                                                               param set
-                                                               parameters */
-    uint8_t                      *pubkey_pack_type,   /* out - addr for pubkey
-                                                               packing type */
-    uint16_t                     *pubkey_blob_len,    /* out - addr for no. of
-                                                               bytes in
-                                                               pubkey blob */
-    uint8_t                      *privkey_pack_type,  /* out - addr for privkey
-                                                               packing type */
-    uint16_t                     *privkey_blob_len)   /* out - addr for no. of
-                                                               bytes in
-                                                               privkey blob */
-{
-    uint16_t pubkey_packed_len = (params->N * params->q_bits + 7) >> 3;
-
-    assert(params);
-    assert(pubkey_pack_type);
-    assert(pubkey_blob_len);
-
-    *pubkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS;
-    *pubkey_blob_len = 5 + pubkey_packed_len;
-
-    if (privkey_pack_type && privkey_blob_len) {
-        uint16_t privkey_packed_trits_len = (params->N + 4) / 5;
-        uint16_t privkey_packed_indices_len;
-        uint16_t dF;
-
-        if (params->is_product_form)
-            dF = (uint16_t)( (params->dF_r & 0xff) +            /* df1 */
-                            ((params->dF_r >>  8) & 0xff) +     /* df2 */
-                            ((params->dF_r >> 16) & 0xff));     /* df3 */
-        else
-            dF = (uint16_t)params->dF_r;
-        privkey_packed_indices_len = ((dF << 1) * params->N_bits + 7) >> 3;
-
-        if (params->is_product_form ||
-                (privkey_packed_indices_len <= privkey_packed_trits_len)) {
-            *privkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_INDICES;
-            *privkey_blob_len =
-                5 + pubkey_packed_len + privkey_packed_indices_len;
-        } else {
-            *privkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_TRITS;
-            *privkey_blob_len =
-                5 + pubkey_packed_len + privkey_packed_trits_len;
-        }
-    }
-}
-
-
-/* ntru_crypto_ntru_encrypt_key_create_pubkey_blob
- *
- * Returns a public key blob, packed according to the packing type provided.
- */
-
-void
-ntru_crypto_ntru_encrypt_key_create_pubkey_blob(
-    NTRU_ENCRYPT_PARAM_SET const *params,             /*  in - pointer to
-                                                               param set
-                                                               parameters */
-    uint16_t const               *pubkey,             /*  in - pointer to the
-                                                               coefficients
-                                                               of the pubkey */
-    uint8_t                       pubkey_pack_type,   /* out - pubkey packing
-                                                               type */
-    uint8_t                      *pubkey_blob)        /* out - addr for the
-                                                               pubkey blob */
-{
-    assert(params);
-    assert(pubkey);
-    assert(pubkey_blob);
-
-    switch (pubkey_pack_type) {
-        case NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS:
-            *pubkey_blob++ = NTRU_ENCRYPT_PUBKEY_TAG;
-            *pubkey_blob++ = (uint8_t)sizeof(params->OID);
-            memcpy(pubkey_blob, params->OID, sizeof(params->OID));
-            pubkey_blob += sizeof(params->OID);
-            ntru_elements_2_octets(params->N, pubkey, params->q_bits,
-                                   pubkey_blob);
-            break;
-        default:
-            assert(FALSE);
-    }
-}
-
-
-/* ntru_crypto_ntru_encrypt_key_create_privkey_blob
- *
- * Returns a private key blob, packed according to the packing type provided.
- */
-
-void
-ntru_crypto_ntru_encrypt_key_create_privkey_blob(
-    NTRU_ENCRYPT_PARAM_SET const *params,             /*  in - pointer to
-                                                               param set
-                                                               parameters */
-    uint16_t const               *pubkey,             /*  in - pointer to the
-                                                               coefficients
-                                                               of the pubkey */
-    uint16_t const               *privkey,            /*  in - pointer to the
-                                                               indices of the
-                                                               privkey */
-    uint8_t                       privkey_pack_type,  /*  in - privkey packing
-                                                               type */
-    uint8_t                      *buf,                /*  in - temp, N bytes */
-    uint8_t                      *privkey_blob)       /* out - addr for the
-                                                               privkey blob */
-{
-    assert(params);
-    assert(pubkey);
-    assert(privkey);
-    assert(privkey_blob);
-
-    switch (privkey_pack_type) {
-        case NTRU_ENCRYPT_KEY_PACKED_TRITS:
-        case NTRU_ENCRYPT_KEY_PACKED_INDICES:
-
-            /* format header and packed public key */
-
-            *privkey_blob++ = NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG;
-            *privkey_blob++ = (uint8_t)sizeof(params->OID);
-            memcpy(privkey_blob, params->OID, sizeof(params->OID));
-            privkey_blob += sizeof(params->OID);
-            ntru_elements_2_octets(params->N, pubkey, params->q_bits,
-                                   privkey_blob);
-            privkey_blob += (params->N * params->q_bits + 7) >> 3;
-
-            /* add packed private key */
-
-            if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_TRITS) {
-                ntru_indices_2_packed_trits(privkey, (uint16_t)params->dF_r,
-                                            (uint16_t)params->dF_r,
-                                            params->N, buf, privkey_blob);
-            } else {
-                uint32_t dF;
-
-                if (params->is_product_form) {
-                    dF =  (params->dF_r & 0xff) +
-                         ((params->dF_r >> 8) & 0xff) +
-                         ((params->dF_r >> 16) & 0xff);
-                } else {
-                    dF = params->dF_r;
-                }
-                ntru_elements_2_octets((uint16_t)dF << 1, privkey,
-                                       params->N_bits, privkey_blob);
-            }
-            break;
-        default:
-            assert(FALSE);
-            break;
-    }
-}
-
-
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h
deleted file mode 100644
index 6734f2a..0000000
--- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h
+++ /dev/null
@@ -1,167 +0,0 @@
-/******************************************************************************
- * NTRU Cryptography Reference Source Code
- * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
- *
- * ntru_crypto_ntru_cencrypt_key.h is a component of ntru-crypto.
- *
- * Copyright (C) 2009-2013  Security Innovation
- * 
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- *
- *****************************************************************************/
-
-
-#ifndef NTRU_CRYPTO_NTRU_ENCRYPT_KEY_H
-#define NTRU_CRYPTO_NTRU_ENCRYPT_KEY_H
-
-#include "ntru_crypto_ntru_convert.h"
-#include "ntru_crypto_ntru_encrypt_param_sets.h"
-
-
-/* key-blob definitions */
-
-#define NTRU_ENCRYPT_PUBKEY_TAG           0x01
-#define NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG  0x02
-#define NTRU_ENCRYPT_PRIVKEY_TRITS_TAG    0xfe
-#define NTRU_ENCRYPT_PRIVKEY_INDICES_TAG  0xff
-
-/* packing types */
-
-#define NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS    0x01
-#define NTRU_ENCRYPT_KEY_PACKED_INDICES         0x02
-#define NTRU_ENCRYPT_KEY_PACKED_TRITS           0x03
-
-/* function declarations */
-
-
-/* ntru_crypto_ntru_encrypt_key_parse
- *
- * Parses an NTRUEncrypt key blob.
- * If the blob is not corrupt, returns packing types for public and private
- * keys, a pointer to the parameter set, a pointer to the public key, and
- * a pointer to the private key if it exists.
- *
- * Returns TRUE if successful.
- * Returns FALSE if the blob is invalid.
- */
-
-extern bool
-ntru_crypto_ntru_encrypt_key_parse(
-    bool                     pubkey_parse,      /*  in - if parsing pubkey
-                                                         blob */
-    uint16_t                 key_blob_len,      /*  in - no. octets in key
-                                                         blob */
-    uint8_t const           *key_blob,          /*  in - pointer to key blob */
-    uint8_t                 *pubkey_pack_type,  /* out - addr for pubkey
-                                                         packing type */
-    uint8_t                 *privkey_pack_type, /* out - addr for privkey
-                                                         packing type */
-    NTRU_ENCRYPT_PARAM_SET **params,            /* out - addr for ptr to
-                                                         parameter set */
-    uint8_t const          **pubkey,            /* out - addr for ptr to
-                                                         packed pubkey */
-    uint8_t const          **privkey);          /* out - addr for ptr to
-                                                         packed privkey */
-
-
-/* ntru_crypto_ntru_encrypt_key_get_blob_params
- *
- * Returns public and private key packing types and blob lengths given
- * a packing format.  For now, only a default packing format exists.
- *
- * Only public-key params may be returned by setting privkey_pack_type
- * and privkey_blob_len to NULL.
- */
-
-extern void
-ntru_crypto_ntru_encrypt_key_get_blob_params(
-    NTRU_ENCRYPT_PARAM_SET const *params,             /*  in - pointer to
-                                                               param set
-                                                               parameters */
-    uint8_t                      *pubkey_pack_type,   /* out - addr for pubkey
-                                                               packing type */
-    uint16_t                     *pubkey_blob_len,    /* out - addr for no. of
-                                                               bytes in
-                                                               pubkey blob */
-    uint8_t                      *privkey_pack_type,  /* out - addr for privkey
-                                                               packing type */
-    uint16_t                     *privkey_blob_len);  /* out - addr for no. of
-                                                               bytes in
-                                                               privkey blob */
-
-
-/* ntru_crypto_ntru_encrypt_key_create_pubkey_blob
- *
- * Returns a public key blob, packed according to the packing type provided.
- */
-
-extern void
-ntru_crypto_ntru_encrypt_key_create_pubkey_blob(
-    NTRU_ENCRYPT_PARAM_SET const *params,             /*  in - pointer to
-                                                               param set
-                                                               parameters */
-    uint16_t const               *pubkey,             /*  in - pointer to the
-                                                               coefficients
-                                                               of the pubkey */
-    uint8_t                       pubkey_pack_type,   /* out - addr for pubkey
-                                                               packing type */
-    uint8_t                      *pubkey_blob);       /* out - addr for the
-                                                               pubkey blob */
-
-
-/* ntru_crypto_ntru_encrypt_key_recreate_pubkey_blob
- *
- * Returns a public key blob, recreated from an already-packed public key.
- */
-
-extern void
-ntru_crypto_ntru_encrypt_key_recreate_pubkey_blob(
-    NTRU_ENCRYPT_PARAM_SET const *params,             /*  in - pointer to
-                                                               param set
-                                                               parameters */
-    uint16_t                      packed_pubkey_len,  /*  in - no. octets in
-                                                               packed pubkey */
-    uint8_t const                *packed_pubkey,      /*  in - pointer to the
-                                                               packed pubkey */
-    uint8_t                       pubkey_pack_type,   /* out - pubkey packing
-                                                               type */
-    uint8_t                      *pubkey_blob);       /* out - addr for the
-                                                               pubkey blob */
-
-
-/* ntru_crypto_ntru_encrypt_key_create_privkey_blob
- *
- * Returns a privlic key blob, packed according to the packing type provided.
- */
-
-extern void
-ntru_crypto_ntru_encrypt_key_create_privkey_blob(
-    NTRU_ENCRYPT_PARAM_SET const *params,             /*  in - pointer to
-                                                               param set
-                                                               parameters */
-    uint16_t const               *pubkey,             /*  in - pointer to the
-                                                               coefficients
-                                                               of the pubkey */
-    uint16_t const               *privkey,            /*  in - pointer to the
-                                                               indices of the
-                                                               privkey */
-    uint8_t                       privkey_pack_type,  /*  in - privkey packing
-                                                               type */
-    uint8_t                      *buf,                /*  in - temp, N bytes */
-    uint8_t                      *privkey_blob);      /* out - addr for the
-                                                               privkey blob */
-
-
-#endif /* NTRU_CRYPTO_NTRU_ENCRYPT_KEY_H */
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h
deleted file mode 100644
index e5e977a..0000000
--- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h
+++ /dev/null
@@ -1,101 +0,0 @@
-/******************************************************************************
- * NTRU Cryptography Reference Source Code
- * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
- *
- * ntru_crypto_ntru_encrypt_param_sets.h is a component of ntru-crypto.
- *
- * Copyright (C) 2009-2013  Security Innovation
- * 
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- *
- *****************************************************************************/
- 
-/******************************************************************************
- *
- * File: ntru_crypto_ntru_encrypt_param_sets.h
- *
- * Contents: Definitions and declarations for the NTRUEncrypt parameter sets.
- *
- *****************************************************************************/
-
-#ifndef NTRU_CRYPTO_NTRU_ENCRYPT_PARAM_SETS_H
-#define NTRU_CRYPTO_NTRU_ENCRYPT_PARAM_SETS_H
-
-#include "ntru_crypto.h"
-
-/* structures */
-
-typedef struct _NTRU_ENCRYPT_PARAM_SET {
-    NTRU_ENCRYPT_PARAM_SET_ID id;                 /* parameter-set ID */
-    uint8_t const             OID[3];             /* pointer to OID */
-    uint8_t                   der_id;             /* parameter-set DER id */
-    uint8_t                   N_bits;             /* no. of bits in N (i.e. in
-                                                     an index */
-    uint16_t                  N;                  /* ring dimension */
-    uint16_t                  sec_strength_len;   /* no. of octets of
-                                                     security strength */
-    uint16_t                  q;                  /* big modulus */
-    uint8_t                   q_bits;             /* no. of bits in q (i.e. in
-                                                     a coefficient */
-    bool                      is_product_form;    /* if product form used */
-    uint32_t                  dF_r;               /* no. of 1 or -1 coefficients
-                                                     in ring elements F, r */
-    uint16_t                  dg;                 /* no. - 1 of 1 coefficients
-                                                     or no. of -1 coefficients
-                                                     in ring element g */
-    uint16_t                  m_len_max;          /* max no. of plaintext
-                                                     octets */
-    uint16_t                  min_msg_rep_wt;     /* min. message
-                                                     representative weight */
-    uint8_t                   c_bits;             /* no. bits in candidate for
-                                                     deriving an index in
-                                                     IGF-2 */
-    uint8_t                   m_len_len;          /* no. of octets to hold
-                                                     mLenOctets */
-} NTRU_ENCRYPT_PARAM_SET;
-
-
-
-/* function declarations */
-
-/* ntru_encrypt_get_params_with_id
- *
- * Looks up a set of NTRU Encrypt parameters based on the id of the
- * parameter set.
- *
- * Returns a pointer to the parameter set parameters if successful.
- * Returns NULL if the parameter set cannot be found.
- */
-
-extern NTRU_ENCRYPT_PARAM_SET *
-ntru_encrypt_get_params_with_id(
-    NTRU_ENCRYPT_PARAM_SET_ID id);  /*  in - parameter-set id */
-
-
-/* ntru_encrypt_get_params_with_OID
- *
- * Looks up a set of NTRU Encrypt parameters based on the OID of the
- * parameter set.
- *
- * Returns a pointer to the parameter set parameters if successful.
- * Returns NULL if the parameter set cannot be found.
- */
-
-extern NTRU_ENCRYPT_PARAM_SET *
-ntru_encrypt_get_params_with_OID(
-    uint8_t const *oid);            /*  in - pointer to parameter-set OID */
-
-#endif /* NTRU_CRYPTO_NTRU_ENCRYPT_PARAM_SETS_H */
-
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c
deleted file mode 100644
index 8e4eede..0000000
--- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c
+++ /dev/null
@@ -1,242 +0,0 @@
-/******************************************************************************
- * NTRU Cryptography Reference Source Code
- * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
- *
- * ntru_crypto_ntru_poly.c is a component of ntru-crypto.
- *
- * Copyright (C) 2009-2013  Security Innovation
- * 
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- *
- *****************************************************************************/
- 
-#include <stdlib.h>
-#include <string.h>
-#include "ntru_crypto_ntru_poly.h"
-
-/* ntru_poly_check_min_weight
- *
- * Checks that the number of 0, +1, and -1 trinary ring elements meet or exceed
- * a minimum weight.
- */
-
-bool
-ntru_poly_check_min_weight(
-    uint16_t  num_els,              /*  in - degree of polynomial */
-    uint8_t  *ringels,              /*  in - pointer to trinary ring elements */
-    uint16_t  min_wt)               /*  in - minimum weight */
-{
-    uint16_t wt[3];
-    uint16_t i;
-
-    wt[0] = wt[1] = wt[2] = 0;
-    for (i = 0; i < num_els; i++) {
-       ++wt[ringels[i]];
-    }
-    if ((wt[0] < min_wt) || (wt[1] < min_wt) || (wt[2] < min_wt)) {
-        return FALSE;
-    }
-    return TRUE;
-}
-
-/* ntru_ring_mult_coefficients
- *
- * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b"
- * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1).
- * This is a convolution operation.
- *
- * Ring element "b" has coefficients in the range [0,N).
- *
- * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum
- * beyond 16 bits does not matter.
- */
-
-void
-ntru_ring_mult_coefficients(
-    uint16_t const *a,          /*  in - pointer to polynomial a */
-    uint16_t const *b,          /*  in - pointer to polynomial b */
-    uint16_t        N,          /*  in - no. of coefficients in a, b, c */
-    uint16_t        q,          /*  in - large modulus */
-    uint16_t       *c)          /* out - address for polynomial c */
-{
-    uint16_t const *bptr = b;
-    uint16_t        mod_q_mask = q - 1;
-    uint16_t        i, k;
-
-    /* c[k] = sum(a[i] * b[k-i]) mod q */
-    memset(c, 0, N * sizeof(uint16_t));
-    for (k = 0; k < N; k++) {
-        i = 0;
-        while (i <= k)
-            c[k] += a[i++] * *bptr--;
-        bptr += N;
-        while (i < N)
-            c[k] += a[i++] * *bptr--;
-        c[k] &= mod_q_mask;
-        ++bptr;
-    }
-}
-
-
-/* ntru_ring_inv
- *
- * Finds the inverse of a polynomial, a, in (Z/2^rZ)[X]/(X^N - 1).
- *
- * This assumes q is 2^r where 8 < r < 16, so that operations mod q can
- * wait until the end, and only 16-bit arrays need to be used.
- */
-
-bool
-ntru_ring_inv(
-    uint16_t       *a,          /*  in - pointer to polynomial a */
-    uint16_t        N,          /*  in - no. of coefficients in a */
-    uint16_t        q,          /*  in - large modulus */
-    uint16_t       *t,          /*  in - temp buffer of 2N elements */
-    uint16_t       *a_inv)      /* out - address for polynomial a^-1 */
-{
-    uint8_t  *b = (uint8_t *)t;     /* b cannot be in a_inv since it must be
-                                       rotated and copied there as a^-1 mod 2 */
-    uint8_t  *c = b + N;            /* c cannot be in a_inv since it exchanges
-                                       with b, and b cannot be in a_inv */
-    uint8_t  *f = c + N;
-    uint8_t  *g = (uint8_t *)a_inv; /* g needs N + 1 bytes */
-    uint16_t *t2 = t + N;
-    uint16_t  deg_b;
-    uint16_t  deg_c;
-    uint16_t  deg_f;
-    uint16_t  deg_g;
-    uint16_t  k = 0;
-    bool      done = FALSE;
-    uint16_t  i, j;
-
-    /* form a^-1 in (Z/2Z)[X]/X^N - 1) */
-    memset(b, 0, (N << 1));                /* clear to init b, c */
-
-    /* b(X) = 1 */
-    b[0] = 1;
-    deg_b = 0;
-
-    /* c(X) = 0 (cleared above) */
-    deg_c = 0;
-
-    /* f(X) = a(X) mod 2 */
-    for (i = 0; i < N; i++)
-        f[i] = (uint8_t)(a[i] & 1);
-    deg_f = N - 1;
-
-    /* g(X) = X^N - 1 */
-    g[0] = 1;
-    memset(g + 1, 0, N - 1);
-    g[N] = 1;
-    deg_g = N;
-
-    /* until f(X) = 1 */
-
-	while (!done)
-	{
-
-        /* while f[0] = 0, f(X) /= X, c(X) *= X, k++ */
-
-        for (i = 0; (i <= deg_f) && (f[i] == 0); ++i);
-        if (i > deg_f)
-            return FALSE;
-        if (i) {
-            f = f + i;
-            deg_f = deg_f - i;
-            deg_c = deg_c + i;
-            for (j = deg_c; j >= i; j--)
-                c[j] = c[j-i];
-            for (j = 0; j < i; j++)
-                c[j] = 0;
-            k = k + i;
-        }
-
-        /* adjust degree of f(X) if the highest coefficients are zero
-         * Note: f[0] = 1 from above so the loop will terminate.
-         */
-
-        while (f[deg_f] == 0)
-            --deg_f;
-
-        /* if f(X) = 1, done
-         * Note: f[0] = 1 from above, so only check the x term and up
-         */
-
-        for (i = 1; (i <= deg_f) && (f[i] == 0); ++i);
-        if (i > deg_f) {
-            done = TRUE;
-            break;
-        }
-
-        /* if deg_f < deg_g, f <-> g, b <-> c */
-
-        if (deg_f < deg_g) {
-            uint8_t *x;
-
-            x = f;
-            f = g;
-            g = x;
-            deg_f ^= deg_g;
-            deg_g ^= deg_f;
-            deg_f ^= deg_g;
-            x = b;
-            b = c;
-            c = x;
-            deg_b ^= deg_c;
-            deg_c ^= deg_b;
-            deg_b ^= deg_c;
-        }
-
-        /* f(X) += g(X), b(X) += c(X) */
-
-        for (i = 0; i <= deg_g; i++)
-            f[i] ^= g[i];
-
-        if (deg_c > deg_b)
-            deg_b = deg_c;
-        for (i = 0; i <= deg_c; i++)
-            b[i] ^= c[i];
-    }
-
-    /* a^-1 in (Z/2Z)[X]/(X^N - 1) = b(X) shifted left k coefficients */
-
-    j = 0;
-    if (k >= N)
-        k = k - N;
-    for (i = k; i < N; i++)
-        a_inv[j++] = (uint16_t)(b[i]);
-    for (i = 0; i < k; i++)
-        a_inv[j++] = (uint16_t)(b[i]);
-
-    /* lift a^-1 in (Z/2Z)[X]/(X^N - 1) to a^-1 in (Z/qZ)[X]/(X^N -1) */
-
-    for (j = 0; j < 4; ++j) {       /* assumes 256 < q <= 65536 */
-
-        /* a^-1 = a^-1 * (2 - a * a^-1) mod q */
-
-        memcpy(t2, a_inv, N * sizeof(uint16_t));
-        ntru_ring_mult_coefficients(a, t2, N, q, t);
-        for (i = 0; i < N; ++i)
-            t[i] = q - t[i];
-        t[0] = t[0] + 2;
-        ntru_ring_mult_coefficients(t2, t, N, q, a_inv);
-    }
-
-    return TRUE;
-
-
-}
-
-
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h
deleted file mode 100644
index 1e9d467..0000000
--- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h
+++ /dev/null
@@ -1,96 +0,0 @@
-/******************************************************************************
- * NTRU Cryptography Reference Source Code
- * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
- *
- * ntru_crypto_ntru_poly.h is a component of ntru-crypto.
- *
- * Copyright (C) 2009-2013  Security Innovation
- * 
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- *
- *****************************************************************************/
- 
-/******************************************************************************
- *
- * File:  ntru_crypto_ntru_poly.h
- *
- * Contents: Public header file for generating and operating on polynomials
- *           in the NTRU algorithm.
- *
- *****************************************************************************/
-
-
-#ifndef NTRU_CRYPTO_NTRU_POLY_H
-#define NTRU_CRYPTO_NTRU_POLY_H
-
-
-#include "ntru_crypto.h"
-
-#include <crypto/hashers/hasher.h>
-
-
-/* function declarations */
-
-/* ntru_poly_check_min_weight
- *
- * Checks that the number of 0, +1, and -1 trinary ring elements meet or exceed
- * a minimum weight.
- */
-
-extern bool
-ntru_poly_check_min_weight(
-    uint16_t  num_els,              /*  in - degree of polynomial */
-    uint8_t  *ringels,              /*  in - pointer to trinary ring elements */
-    uint16_t  min_wt);              /*  in - minimum weight */
-
-/* ntru_ring_mult_coefficients
- *
- * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b"
- * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1).
- * This is a convolution operation.
- *
- * Ring element "b" has coefficients in the range [0,N).
- *
- * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum
- * beyond 16 bits does not matter.
- */
-
-extern void
-ntru_ring_mult_coefficients(
-    uint16_t const *a,          /*  in - pointer to polynomial a */
-    uint16_t const *b,          /*  in - pointer to polynomial b */
-    uint16_t        N,          /*  in - no. of coefficients in a, b, c */
-    uint16_t        q,          /*  in - large modulus */
-    uint16_t       *c);         /* out - address for polynomial c */
-
-
-/* ntru_ring_inv
- *
- * Finds the inverse of a polynomial, a, in (Z/2^rZ)[X]/(X^N - 1).
- *
- * This assumes q is 2^r where 8 < r < 16, so that operations mod q can
- * wait until the end, and only 16-bit arrays need to be used.
- */
-
-extern bool
-ntru_ring_inv(
-    uint16_t       *a,          /*  in - pointer to polynomial a */
-    uint16_t        N,          /*  in - no. of coefficients in a */
-    uint16_t        q,          /*  in - large modulus */
-    uint16_t       *t,          /*  in - temp buffer of 2N elements */
-    uint16_t       *a_inv);     /* out - address for polynomial a^-1 */
-
-
-#endif /* NTRU_CRYPTO_NTRU_POLY_H */
diff --git a/src/libstrongswan/plugins/ntru/ntru_drbg.c b/src/libstrongswan/plugins/ntru/ntru_drbg.c
index 181a589..ef0d3d9 100644
--- a/src/libstrongswan/plugins/ntru/ntru_drbg.c
+++ b/src/libstrongswan/plugins/ntru/ntru_drbg.c
@@ -67,6 +67,10 @@ struct private_ntru_drbg_t {
 	 */
 	chunk_t value;
 
+	/**
+	 * reference count
+	 */
+	refcount_t ref;
 };
 
 /**
@@ -180,13 +184,23 @@ METHOD(ntru_drbg_t, generate, bool,
 	return TRUE;
 }
 
+METHOD(ntru_drbg_t, get_ref, ntru_drbg_t*,
+	private_ntru_drbg_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public;
+}
+
 METHOD(ntru_drbg_t, destroy, void,
 	private_ntru_drbg_t *this)
 {
-	this->hmac->destroy(this->hmac);
-	chunk_clear(&this->key);
-	chunk_clear(&this->value);
-	free(this);
+	if (ref_put(&this->ref))
+	{
+		this->hmac->destroy(this->hmac);
+		chunk_clear(&this->key);
+		chunk_clear(&this->value);
+		free(this);
+	}
 }
 
 /*
@@ -238,6 +252,7 @@ ntru_drbg_t *ntru_drbg_create(u_int32_t strength, chunk_t pers_str,
 			.get_strength = _get_strength,
 			.reseed = _reseed,
 			.generate = _generate,
+			.get_ref = _get_ref,
 			.destroy = _destroy,
 		},
 		.strength = strength,
@@ -247,6 +262,7 @@ ntru_drbg_t *ntru_drbg_create(u_int32_t strength, chunk_t pers_str,
 		.value = chunk_alloc(hmac->get_block_size(hmac)),
 		.max_requests = max_requests,
 		.reseed_counter = 1,
+		.ref = 1,
 	);
 
 	memset(this->key.ptr, 0x00, this->key.len);
diff --git a/src/libstrongswan/plugins/ntru/ntru_drbg.h b/src/libstrongswan/plugins/ntru/ntru_drbg.h
index 38ac718..83cef11 100644
--- a/src/libstrongswan/plugins/ntru/ntru_drbg.h
+++ b/src/libstrongswan/plugins/ntru/ntru_drbg.h
@@ -58,6 +58,13 @@ struct ntru_drbg_t {
 										u_int8_t *out);
 
 	/**
+	 * Get a reference on an ntru_drbg_t object increasing the count by one
+	 *
+	 * @return			reference to the ntru_drbg_t object
+	 */
+	ntru_drbg_t* (*get_ref)(ntru_drbg_t *this);
+
+	/**
 	 * Uninstantiate and destroy the DRBG object
 	 */
 	void (*destroy)(ntru_drbg_t *this);
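Review bot: The doc comment on `destroy` at the end of this hunk still promises to "Uninstantiate and destroy the DRBG object", but with `get_ref` added just above it the .c side now only frees the object when `ref_put()` reports the last reference gone, so a holder of an extra reference would read this as an unconditional teardown. Suggest `Release a reference; the DRBG is uninstantiated and destroyed when the last reference is dropped`. It would also help to state on `get_ref` that every reference taken must be balanced by one `destroy()` call.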
diff --git a/src/libstrongswan/plugins/ntru/ntru_ke.c b/src/libstrongswan/plugins/ntru/ntru_ke.c
index 39fb261..abaa223 100644
--- a/src/libstrongswan/plugins/ntru/ntru_ke.c
+++ b/src/libstrongswan/plugins/ntru/ntru_ke.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Andreas Steffen
+ * Copyright (C) 2013-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,54 +15,33 @@
 
 #include "ntru_ke.h"
 #include "ntru_drbg.h"
-
-#include "ntru_crypto/ntru_crypto.h"
+#include "ntru_param_set.h"
+#include "ntru_private_key.h"
+#include "ntru_public_key.h"
 
 #include <crypto/diffie_hellman.h>
 #include <utils/debug.h>
 
 typedef struct private_ntru_ke_t private_ntru_ke_t;
-typedef struct param_set_t param_set_t;
-
-/**
- * Defines an NTRU parameter set by ID or OID
- */
-struct param_set_t {
-	NTRU_ENCRYPT_PARAM_SET_ID id;
-	char oid[3];
-	char *name;
-};
 
 /* Best bandwidth and speed, no X9.98 compatibility */
-static param_set_t param_sets_optimum[] = {
-	{ NTRU_EES401EP2,  {0x00, 0x02, 0x10}, "ees401ep2"  },
-	{ NTRU_EES439EP1,  {0x00, 0x03, 0x10}, "ees439ep1"  },
-	{ NTRU_EES593EP1,  {0x00, 0x05, 0x10}, "ees593ep1"  },
-	{ NTRU_EES743EP1,  {0x00, 0x06, 0x10}, "ees743ep1"  }
+static ntru_param_set_id_t param_sets_optimum[] = {
+	NTRU_EES401EP2, NTRU_EES439EP1, NTRU_EES593EP1, NTRU_EES743EP1
 };
 
 /* X9.98/IEEE 1363.1 parameter sets for best speed */
-static param_set_t param_sets_x9_98_speed[] = {
-	{ NTRU_EES659EP1,  {0x00, 0x02, 0x06}, "ees659ep1"  },
-	{ NTRU_EES761EP1,  {0x00, 0x03, 0x05}, "ees761ep1"  },
-	{ NTRU_EES1087EP1, {0x00, 0x05, 0x05}, "ees1087ep1" },
-	{ NTRU_EES1499EP1, {0x00, 0x06, 0x05}, "ees1499ep1" }
+static ntru_param_set_id_t param_sets_x9_98_speed[] = {
+	NTRU_EES659EP1, NTRU_EES761EP1, NTRU_EES1087EP1, NTRU_EES1499EP1
 };
 
 /* X9.98/IEEE 1363.1 parameter sets for best bandwidth (smallest size) */
-static param_set_t param_sets_x9_98_bandwidth[] = {
-	{ NTRU_EES401EP1,  {0x00, 0x02, 0x04}, "ees401ep1"  },
-	{ NTRU_EES449EP1,  {0x00, 0x03, 0x03}, "ees449ep1"  },
-	{ NTRU_EES677EP1,  {0x00, 0x05, 0x03}, "ees677ep1"  },
-	{ NTRU_EES1087EP2, {0x00, 0x06, 0x03}, "ees1087ep2" }
+static ntru_param_set_id_t param_sets_x9_98_bandwidth[] = {
+	NTRU_EES401EP1, NTRU_EES449EP1, NTRU_EES677EP1, NTRU_EES1087EP2
 };
 
 /* X9.98/IEEE 1363.1 parameter sets balancing speed and bandwidth */
-static param_set_t param_sets_x9_98_balance[] = {
-	{ NTRU_EES541EP1,  {0x00, 0x02, 0x05}, "ees541ep1"  },
-	{ NTRU_EES613EP1,  {0x00, 0x03, 0x04}, "ees613ep1"  },
-	{ NTRU_EES887EP1,  {0x00, 0x05, 0x04}, "ees887ep1"  },
-	{ NTRU_EES1171EP1, {0x00, 0x06, 0x04}, "ees1171ep1" }
+static ntru_param_set_id_t param_sets_x9_98_balance[] = {
+	NTRU_EES541EP1, NTRU_EES613EP1, NTRU_EES887EP1, NTRU_EES1171EP1
 };
 
 /**
@@ -82,7 +61,7 @@ struct private_ntru_ke_t {
 	/**
 	 * NTRU Parameter Set
 	 */
-	param_set_t *param_set;
+	ntru_param_set_t *param_set;
 
 	/**
 	 * Cryptographical strength in bits of the NTRU Parameter Set
@@ -92,12 +71,12 @@ struct private_ntru_ke_t {
 	/**
 	 * NTRU Public Key
 	 */
-	chunk_t pub_key;
+	ntru_public_key_t *pubkey;
 
 	/**
 	 * NTRU Private Key
 	 */
-	chunk_t priv_key;
+	ntru_private_key_t *privkey;
 
 	/**
 	 * NTRU encrypted shared secret
@@ -133,8 +112,6 @@ struct private_ntru_ke_t {
 METHOD(diffie_hellman_t, get_my_public_value, void,
 	private_ntru_ke_t *this, chunk_t *value)
 {
-    uint16_t pub_key_len, priv_key_len;
-
 	*value = chunk_empty;
 
 	if (this->responder)
@@ -146,34 +123,19 @@ METHOD(diffie_hellman_t, get_my_public_value, void,
 	}
 	else
 	{
-		if (this->pub_key.len == 0)
+		if (!this->pubkey)
 		{
-			/* determine the NTRU public and private key sizes */
-			if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set->id,
-								&pub_key_len, NULL,
-				 				&priv_key_len, NULL) != NTRU_OK)
-			{
-				DBG1(DBG_LIB, "error determining NTRU public and private key "
-							  "sizes");
-				return;
-			}
-			this->pub_key  = chunk_alloc(pub_key_len);
-			this->priv_key = chunk_alloc(priv_key_len);
-
 			/* generate a random NTRU public/private key pair */
-		    if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set->id,
-								&pub_key_len, this->pub_key.ptr,
-				 				&priv_key_len, this->priv_key.ptr) != NTRU_OK)
+			this->privkey = ntru_private_key_create(this->drbg, this->param_set);
+			if (!this->privkey)
 			{
 				DBG1(DBG_LIB, "NTRU keypair generation failed");
-				chunk_free(&this->priv_key);
-				chunk_free(&this->pub_key);
 				return;
 			}
-			DBG3(DBG_LIB, "NTRU public key: %B", &this->pub_key);
-			DBG4(DBG_LIB, "NTRU private key: %B", &this->priv_key);
+			this->pubkey = this->privkey->get_public_key(this->privkey);
 		}
-		*value = chunk_clone(this->pub_key);
+		*value = chunk_clone(this->pubkey->get_encoding(this->pubkey));
+		DBG3(DBG_LIB, "NTRU public key: %B", value);
 	}
 }
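Review bot: `this->pubkey` is dereferenced through `get_encoding()` immediately after `this->privkey->get_public_key()` without a NULL check, while the private-key creation a few lines above is checked. `get_public_key` (later in this patch) just returns `ntru_public_key_create(...)`; if that constructor can fail — its body is not in view here — the initiator would crash rather than log. If it cannot fail, a one-line comment saying so would save the next reader the question; otherwise add `if (!this->pubkey) { DBG1(DBG_LIB, "NTRU public key derivation failed"); return; }` before the clone. The responder branch of this method lies outside the hunk.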
 
@@ -194,9 +156,7 @@ METHOD(diffie_hellman_t, get_shared_secret, status_t,
 METHOD(diffie_hellman_t, set_other_public_value, void,
 	private_ntru_ke_t *this, chunk_t value)
 {
-	u_int16_t plaintext_len, ciphertext_len;
-
-	if (this->priv_key.len)
+	if (this->privkey)
 	{
 		/* initiator decrypting shared secret */
 		if (value.len == 0)
@@ -204,48 +164,36 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
 			DBG1(DBG_LIB, "empty NTRU ciphertext");
 			return;
 		}
-		this->ciphertext = chunk_clone(value);
-		DBG3(DBG_LIB, "NTRU ciphertext: %B", &this->ciphertext);
-
-		/* determine the size of the maximum plaintext */
-    	if (ntru_crypto_ntru_decrypt(this->priv_key.len, this->priv_key.ptr,
-								this->ciphertext.len, this->ciphertext.ptr,
-								&plaintext_len, NULL) != NTRU_OK)
-		{
-			DBG1(DBG_LIB, "error determining maximum plaintext size");
-			return;
-		}
-		this->shared_secret = chunk_alloc(plaintext_len);
+		DBG3(DBG_LIB, "NTRU ciphertext: %B", &value);
 
 		/* decrypt the shared secret */
-    	if (ntru_crypto_ntru_decrypt(this->priv_key.len, this->priv_key.ptr,
-						this->ciphertext.len, this->ciphertext.ptr,
-						&plaintext_len, this->shared_secret.ptr) != NTRU_OK)
+ 		if (!this->privkey->decrypt(this->privkey, value, &this->shared_secret))
 		{
 			DBG1(DBG_LIB, "NTRU decryption of shared secret failed");
-			chunk_free(&this->shared_secret);
 			return;
 		}
-		this->shared_secret.len = plaintext_len;
 		this->computed = TRUE;
 	}
 	else
 	{
+		ntru_public_key_t *pubkey;
+
 		/* responder generating and encrypting the shared secret */
 		this->responder = TRUE;
 
-		/* check the NTRU public key format */
-		if (value.len < 5 || value.ptr[0] != 1 || value.ptr[1] != 3)
+		DBG3(DBG_LIB, "NTRU public key: %B", &value);
+		pubkey = ntru_public_key_create_from_data(this->drbg, value);
+		if (!pubkey)
 		{
-			DBG1(DBG_LIB, "received NTRU public key with invalid header");
 			return;
 		}
-		if (!memeq(value.ptr + 2, this->param_set->oid, 3))
+		if (pubkey->get_id(pubkey) != this->param_set->id)
 		{
-			DBG1(DBG_LIB, "received NTRU public key with wrong OID");
+			DBG1(DBG_LIB, "received NTRU public key with wrong OUI");
+			pubkey->destroy(pubkey);
 			return;
 		}
-		this->pub_key = chunk_clone(value);
+		this->pubkey = pubkey;
 
 		/* shared secret size is chosen as twice the cryptographical strength */
 		this->shared_secret = chunk_alloc(2 * this->strength / BITS_PER_BYTE);
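Review bot: The log message on the parameter-set mismatch now says "wrong OUI", but the check compares NTRU parameter-set IDs (derived from the key's OID); "OUI" is an unrelated acronym (Organizationally Unique Identifier) and will mislead whoever greps logs. Suggest `DBG1(DBG_LIB, "received NTRU public key with wrong parameter set");` or keeping the original "OID" wording. As a point of style, the `if (!this->privkey->decrypt(...))` line carries a stray leading space before its tab, unlike its neighbours. Note also that a second call into this method would overwrite `this->pubkey` and `this->shared_secret` without releasing the previous ones — pre-existing, but if single use is the intended contract a comment saying so would be worthwhile.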
@@ -260,25 +208,10 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
 		}
 		this->computed = TRUE;
 
-		/* determine the size of the ciphertext */
-		if (ntru_crypto_ntru_encrypt(this->drbg,
-							this->pub_key.len,	this->pub_key.ptr,
-							this->shared_secret.len, this->shared_secret.ptr,
-                            &ciphertext_len, NULL) != NTRU_OK)
-		{
-			DBG1(DBG_LIB, "error determining ciphertext size");
-			return;
-		}
-		this->ciphertext = chunk_alloc(ciphertext_len);
-
 		/* encrypt the shared secret */
-		if (ntru_crypto_ntru_encrypt(this->drbg,
-							this->pub_key.len,	this->pub_key.ptr,
-							this->shared_secret.len, this->shared_secret.ptr,
-                            &ciphertext_len, this->ciphertext.ptr) != NTRU_OK)
+		if (!pubkey->encrypt(pubkey, this->shared_secret, &this->ciphertext))
 		{
 			DBG1(DBG_LIB, "NTRU encryption of shared secret failed");
-			chunk_free(&this->ciphertext);
 			return;
 		}
 		DBG3(DBG_LIB, "NTRU ciphertext: %B", &this->ciphertext);
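Review bot: The new failure branch of `pubkey->encrypt()` returns with `this->computed` still TRUE and `this->shared_secret` populated, because `computed` is set a few lines earlier in this hunk, before encryption is attempted. A responder that failed to produce a ciphertext would therefore hand a shared secret to `get_shared_secret()` while `get_my_public_value()` — outside this hunk — has only an empty ciphertext to send. Resetting state in that branch, `this->computed = FALSE;` together with `chunk_clear(&this->shared_secret);`, keeps the object consistent on failure. The early setting of `computed` is inherited from the removed code, but the rewritten error path is the cheap place to fix it.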
@@ -294,11 +227,11 @@ METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
 METHOD(diffie_hellman_t, destroy, void,
 	private_ntru_ke_t *this)
 {
+	DESTROY_IF(this->privkey);
+	DESTROY_IF(this->pubkey);
 	this->drbg->destroy(this->drbg);
 	this->entropy->destroy(this->entropy);
-	chunk_free(&this->pub_key);
 	chunk_free(&this->ciphertext);
-	chunk_clear(&this->priv_key);
 	chunk_clear(&this->shared_secret);
 	free(this);
 }
@@ -309,7 +242,7 @@ METHOD(diffie_hellman_t, destroy, void,
 ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
 {
 	private_ntru_ke_t *this;
-	param_set_t *param_sets, *param_set;
+	ntru_param_set_id_t *param_sets, param_set_id;
 	rng_t *entropy;
 	ntru_drbg_t *drbg;
 	char *parameter_set;
@@ -339,25 +272,25 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
 	{
 		case NTRU_112_BIT:
 			strength = 112;
-			param_set = &param_sets[0];
+			param_set_id = param_sets[0];
 			break;
 		case NTRU_128_BIT:
 			strength = 128;
-			param_set = &param_sets[1];
+			param_set_id = param_sets[1];
 			break;
 		case NTRU_192_BIT:
 			strength = 192;
-			param_set = &param_sets[2];
+			param_set_id = param_sets[2];
 			break;
 		case NTRU_256_BIT:
 			strength = 256;
-			param_set = &param_sets[3];
+			param_set_id = param_sets[3];
 			break;
 		default:
 			return NULL;
 	}
-	DBG1(DBG_LIB, "%u bit %s NTRU parameter set %s selected", strength,
-				   parameter_set, param_set->name);
+	DBG1(DBG_LIB, "%u bit %s NTRU parameter set %N selected", strength,
+				   parameter_set, ntru_param_set_id_names, param_set_id);
 
 	entropy = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
 	if (!entropy)
@@ -385,7 +318,7 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
 			},
 		},
 		.group = group,
-		.param_set = param_set,
+		.param_set = ntru_param_set_get_by_id(param_set_id),
 		.strength = strength,
 		.entropy = entropy,
 		.drbg = drbg,
diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c b/src/libstrongswan/plugins/ntru/ntru_param_set.c
similarity index 83%
rename from src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c
rename to src/libstrongswan/plugins/ntru/ntru_param_set.c
index 5ddf91d..4af1e30 100644
--- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c
+++ b/src/libstrongswan/plugins/ntru/ntru_param_set.c
@@ -1,44 +1,49 @@
-/******************************************************************************
- * NTRU Cryptography Reference Source Code
- * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. 
- *
- * ntru_crypto_ntru_param_sets.c is a component of ntru-crypto.
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2009-2013  Security Innovation
- * 
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- *
- *****************************************************************************/
- 
-/******************************************************************************
- *
- * File: ntru_crypto_ntru_encrypt_param_sets.c
  *
- * Contents: Defines the NTRUEncrypt parameter sets.
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
  *
- *****************************************************************************/
-
-#include <stdlib.h>
-#include <string.h>
-#include "ntru_crypto_ntru_encrypt_param_sets.h"
-
-
-/* parameter sets */
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
 
-static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = {
+#include "ntru_param_set.h"
+
+#include <utils/test.h>
+
+ENUM(ntru_param_set_id_names, NTRU_EES401EP1, NTRU_EES743EP1,
+	"ees401ep1",
+	"ees449ep1",
+	"ees677ep1",
+	"ees1087ep2",
+	"ees541ep1",
+	"ees613ep1",
+	"ees887ep1",
+	"ees1171ep1",
+	"ees659ep1",
+	"ees761ep1",
+	"ees1087ep1",
+	"ees1499ep1",
+	"ees401ep2",
+	"ees439ep1",
+	"ees593ep1",
+	"ees743ep1"
+);
+
+/**
+ * NTRU encryption parameter set definitions
+ */
+static ntru_param_set_t ntru_param_sets[] = {
 
+	/* X9.98/IEEE 1363.1 parameter sets for best bandwidth (smallest size) */
     {
         NTRU_EES401EP1,              /* parameter-set id */
         {0x00, 0x02, 0x04},          /* OID */
@@ -97,7 +102,7 @@ static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = {
         NTRU_EES1087EP2,             /* parameter-set id */
         {0x00, 0x06, 0x03},          /* OID */
         0x25,                        /* DER id */
-        10,                          /* no. of bits in N (i.e., in an index) */
+        11,                          /* no. of bits in N (i.e., in an index) */
         1087,                        /* N */
         32,                          /* security strength in octets */
         2048,                        /* q */
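Review bot: `N_bits` is a derived field and nothing in the table enforces its relation to `N`, which is how a 10 could sit next to 1087 (2^10 = 1024 < 1087) until this fix. The same ring dimension 1087 also appears in EES1087EP1, whose entry is outside this hunk and deserves the same check. A small test iterating `ntru_param_sets` and asserting `N < (1 << N_bits)` and, since the ring code elsewhere assumes q = 2^r, `q == (1 << q_bits)`, would catch this class of drift; the `EXPORT_FUNCTION_FOR_TESTS` hook added at the end of this file is a natural place to attach it.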
@@ -111,6 +116,7 @@ static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = {
         1,                           /* lLen */
     },
 
+	/* X9.98/IEEE 1363.1 parameter sets balancing speed and bandwidth */
     {
         NTRU_EES541EP1,              /* parameter-set id */
         {0x00, 0x02, 0x05},          /* OID */
@@ -183,6 +189,7 @@ static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = {
         1,                           /* lLen */
     },
 
+	/* X9.98/IEEE 1363.1 parameter sets for best speed */
     {
         NTRU_EES659EP1,              /* parameter-set id */
         {0x00, 0x02, 0x06},          /* OID */
@@ -255,6 +262,7 @@ static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = {
         1,                           /* lLen */
     },
 
+	/* Best bandwidth and speed, no X9.98 compatibility */
     {
         NTRU_EES401EP2,              /* parameter-set id */
         {0x00, 0x02, 0x10},          /* OID */
@@ -329,56 +337,39 @@ static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = {
 
 };
 
-static size_t numParamSets =
-                sizeof(ntruParamSets)/sizeof(NTRU_ENCRYPT_PARAM_SET);
-
-
-/* functions */
-
-/* ntru_encrypt_get_params_with_id
- *
- * Looks up a set of NTRUEncrypt parameters based on the id of the
- * parameter set.
- *
- * Returns a pointer to the parameter set parameters if successful.
- * Returns NULL if the parameter set cannot be found.
+/**
+ * See header.
  */
-
-NTRU_ENCRYPT_PARAM_SET *
-ntru_encrypt_get_params_with_id(
-    NTRU_ENCRYPT_PARAM_SET_ID id)   /*  in - parameter-set id */
+ntru_param_set_t* ntru_param_set_get_by_id(ntru_param_set_id_t id)
 {
-    size_t i;
-
-    for (i = 0; i < numParamSets; i++) {
-        if (ntruParamSets[i].id == id) {
-            return &(ntruParamSets[i]);
-        }
-    }
-    return NULL;
+	int i;
+
+	for (i = 0; i < countof(ntru_param_sets); i++)
+	{
+		if (ntru_param_sets[i].id == id)
+		{
+			return &ntru_param_sets[i];
+		}
+	}
+	return NULL;
 }
 
 
-/* ntru_encrypt_get_params_with_OID
- *
- * Looks up a set of NTRUEncrypt parameters based on the OID of the
- * parameter set.
- *
- * Returns a pointer to the parameter set parameters if successful.
- * Returns NULL if the parameter set cannot be found.
+/**
+ * See header.
  */
-
-NTRU_ENCRYPT_PARAM_SET *
-ntru_encrypt_get_params_with_OID(
-    uint8_t const *oid)             /*  in - pointer to parameter-set OID */
+ntru_param_set_t* ntru_param_set_get_by_oid(uint8_t const *oid)
 {
-    size_t i;
-
-    for (i = 0; i < numParamSets; i++) {
-        if (!memcmp(ntruParamSets[i].OID, oid, 3)) {
-            return &(ntruParamSets[i]);
-        }
-    }
-    return NULL;
+	int i;
+
+	for (i = 0; i < countof(ntru_param_sets); i++)
+	{
+		if (memeq(ntru_param_sets[i].oid, oid, 3))
+		{
+			return &ntru_param_sets[i];
+		}
+	}
+	return NULL;
 }
 
+EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_param_set_get_by_id);
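Review bot: `ntru_param_set_get_by_oid()` still compares a hard-coded `3` octets although the new header introduces `NTRU_OID_LEN` for exactly this; `if (memeq(ntru_param_sets[i].oid, oid, NTRU_OID_LEN))` keeps the two in sync. The caller must guarantee at least that many readable bytes at `oid`, which matters because this lookup is presumably reached while parsing a peer-supplied public key, so the precondition belongs in the header comment. Both functions return NULL when nothing matches; the `See header.` comments are fine as long as the header actually says so.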
diff --git a/src/libstrongswan/plugins/ntru/ntru_param_set.h b/src/libstrongswan/plugins/ntru/ntru_param_set.h
new file mode 100644
index 0000000..df4e553
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_param_set.h
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2009-2013  Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_param_set ntru_param_set
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_PARAM_SET_H_
+#define NTRU_PARAM_SET_H_
+
+typedef enum ntru_param_set_id_t ntru_param_set_id_t;
+typedef struct ntru_param_set_t ntru_param_set_t;
+
+#include <library.h>
+
+/**
+ * Encoding types for NTRU encryption public/private key blobs
+ */
+#define NTRU_PUBKEY_TAG           0x01
+#define NTRU_PRIVKEY_DEFAULT_TAG  0x02
+#define NTRU_PRIVKEY_TRITS_TAG    0xfe
+#define NTRU_PRIVKEY_INDICES_TAG  0xff
+
+/**
+ * Size in octets of the OID designating the NTRU encryption parameter set
+ */
+#define NTRU_OID_LEN	3
+
+/**
+ * Packing types for NTRU encryption public/private keys
+ */
+#define NTRU_KEY_PACKED_COEFFICIENTS    0x01
+#define NTRU_KEY_PACKED_INDICES         0x02
+#define NTRU_KEY_PACKED_TRITS           0x03
+
+/**
+ * NTRU encryption parameter set ID list
+ */
+enum ntru_param_set_id_t {
+	/* X9.98/IEEE 1363.1 parameter sets for best bandwidth (smallest size) */
+	NTRU_EES401EP1,
+	NTRU_EES449EP1,
+	NTRU_EES677EP1,
+	NTRU_EES1087EP2,
+	/* X9.98/IEEE 1363.1 parameter sets balancing speed and bandwidth */
+	NTRU_EES541EP1,
+	NTRU_EES613EP1,
+	NTRU_EES887EP1,
+	NTRU_EES1171EP1,
+	/* X9.98/IEEE 1363.1 parameter sets for best speed */
+	NTRU_EES659EP1,
+	NTRU_EES761EP1,
+	NTRU_EES1087EP1,
+	NTRU_EES1499EP1,
+	/* Best bandwidth and speed, no X9.98 compatibility */
+	NTRU_EES401EP2,
+	NTRU_EES439EP1,
+	NTRU_EES593EP1,
+	NTRU_EES743EP1,
+};
+
+extern enum_name_t *ntru_param_set_id_names;
+
+/**
+ * NTRU encryption parameter set definitions
+ */
+struct ntru_param_set_t {
+	ntru_param_set_id_t id;     /* NTRU parameter set ID */
+	uint8_t  oid[NTRU_OID_LEN]; /* pointer to OID */
+	uint8_t  der_id;            /* parameter-set DER id */
+	uint8_t  N_bits;            /* no. of bits in N (i.e. in an index */
+	uint16_t N;                 /* ring dimension */
+	uint16_t sec_strength_len;  /* no. of octets of security strength */
+	uint16_t q;                 /* big modulus */
+	uint8_t  q_bits;            /* no. of bits in q (i.e. in a coefficient */
+	bool     is_product_form;   /* if product form used */
+	uint32_t dF_r;              /* no. of +1 or -1 coefficients in ring elements
+                                   F, r */
+	uint16_t dg;                /* no. - 1 of +1 coefficients or
+                                   no. of -1 coefficients in ring element g */
+	uint16_t m_len_max;         /* max no. of plaintext octets */
+	uint16_t min_msg_rep_wt;    /* min. message representative weight */
+	uint8_t  c_bits;            /* no. bits in candidate for deriving an index */
+	uint8_t  m_len_len;         /* no. of octets to hold mLenOctets */
+};
+
+/**
+ * Get NTRU encryption parameter set by NTRU parameter set ID
+ *
+ * @param id	NTRU parameter set ID
+ * @return		NTRU parameter set
+*/
+ntru_param_set_t* ntru_param_set_get_by_id(ntru_param_set_id_t id);
+
+/**
+ * Get NTRU encryption parameter set by NTRU parameter set OID
+ *
+ * @param oid	NTRU parameter set OID
+ * @return		NTRU parameter set
+*/
+ntru_param_set_t* ntru_param_set_get_by_oid(uint8_t const *oid);
+
+#endif /** NTRU_PARAM_SET_H_ @}*/
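Review bot: Two comments in the new `ntru_param_set_t` struct are wrong or broken: `oid` is an inline array, not a `/* pointer to OID */`, and the `N_bits` and `q_bits` comments are missing their closing parentheses. The `@return` of both lookup functions should read `NTRU parameter set, NULL if not found`, since the implementations return NULL, and `ntru_param_set_get_by_oid` should state that `oid` must point to at least `NTRU_OID_LEN` readable octets. A note on the enum that its order is mirrored by the `ntru_param_set_id_names` ENUM in ntru_param_set.c, so both must be edited together, would also prevent a silent mismatch in log output.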
diff --git a/src/libstrongswan/plugins/ntru/ntru_poly.c b/src/libstrongswan/plugins/ntru/ntru_poly.c
index 3f754f2..77ab54a 100644
--- a/src/libstrongswan/plugins/ntru/ntru_poly.c
+++ b/src/libstrongswan/plugins/ntru/ntru_poly.c
@@ -239,11 +239,29 @@ METHOD(ntru_poly_t, destroy, void,
 	free(this);
 }
 
-static void init_indices(private_ntru_poly_t *this, bool is_product_form,
-						 uint32_t indices_len_p, uint32_t indices_len_m)
+/**
+ * Creates an empty ntru_poly_t object with space allocated for indices
+ */
+static private_ntru_poly_t* ntru_poly_create(uint16_t N, uint16_t q,
+											 uint32_t indices_len_p,
+											 uint32_t indices_len_m,
+											 bool is_product_form)
 {
+	private_ntru_poly_t *this;
 	int n;
 
+	INIT(this,
+		.public = {
+			.get_size = _get_size,
+			.get_indices = _get_indices,
+			.get_array = _get_array,
+			.ring_mult = _ring_mult,
+			.destroy = _destroy,
+		},
+		.N = N,
+		.q = q,
+	);
+
 	if (is_product_form)
 	{
 		this->num_polynomials = 3;
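Review bot: The new static helper is named `ntru_poly_create`, which reads like a third public constructor next to `ntru_poly_create_from_seed()` and `ntru_poly_create_from_data()` although it is file-local and returns the private struct. A name such as `create_empty()` (keeping `static`) would make that clear at the two call sites further down. Its header comment could also state that the caller still has to fill `indices`, and that `num_indices` and `num_polynomials` are derived from `is_product_form`; that derivation continues past the end of this hunk.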
@@ -265,6 +283,8 @@ static void init_indices(private_ntru_poly_t *this, bool is_product_form,
 		this->num_indices = indices_len_p + indices_len_m;
 	}
 	this->indices = malloc(sizeof(uint16_t) * this->num_indices);
+
+	return this;
 }
 
 /*
@@ -291,19 +311,8 @@ ntru_poly_t *ntru_poly_create_from_seed(hash_algorithm_t alg, chunk_t seed,
 	}
 	i = hash_len = mgf1->get_hash_size(mgf1);
 
-	INIT(this,
-		.public = {
-			.get_size = _get_size,
-			.get_indices = _get_indices,
-			.get_array = _get_array,
-			.ring_mult = _ring_mult,
-			.destroy = _destroy,
-		},
-		.N = N,
-		.q = q,
-	);
+	this = ntru_poly_create(N, q, indices_len_p, indices_len_m, is_product_form);
 
-	init_indices(this, is_product_form, indices_len_p, indices_len_m);
 	used = malloc(N);
 	limit = N * ((1 << c_bits) / N);
 
@@ -390,19 +399,8 @@ ntru_poly_t *ntru_poly_create_from_data(uint16_t *data, uint16_t N, uint16_t q,
 	private_ntru_poly_t *this;
 	int i;
 
-	INIT(this,
-		.public = {
-			.get_size = _get_size,
-			.get_indices = _get_indices,
-			.get_array = _get_array,
-			.ring_mult = _ring_mult,
-			.destroy = _destroy,
-		},
-		.N = N,
-		.q = q,
-	);
+	this = ntru_poly_create(N, q, indices_len_p, indices_len_m, is_product_form);
 
-	init_indices(this, is_product_form, indices_len_p, indices_len_m);
 	for (i = 0; i < this->num_indices; i++)
 	{
 		this->indices[i] = data[i];
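Review bot: `ntru_poly_create_from_data()` copies `data[i]` into `indices` without checking that each index is below `N`, and `ring_mult` (not visible here) will presumably use them to address an N-element array. If `data` can originate from a decoded key blob rather than only from in-process key generation — I cannot tell from this hunk — a check such as `if (data[i] >= N) { _destroy(this); return NULL; }` inside the loop is warranted; otherwise the header comment should state that the caller has already validated the indices. The function continues beyond this hunk.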
diff --git a/src/libstrongswan/plugins/ntru/ntru_private_key.c b/src/libstrongswan/plugins/ntru/ntru_private_key.c
new file mode 100644
index 0000000..fa87fe9
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_private_key.c
@@ -0,0 +1,892 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2009-2013  Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ntru_private_key.h"
+#include "ntru_trits.h"
+#include "ntru_poly.h"
+#include "ntru_convert.h"
+
+#include <utils/debug.h>
+#include <utils/test.h>
+
+typedef struct private_ntru_private_key_t private_ntru_private_key_t;
+
+/**
+ * Private data of an ntru_private_key_t object.
+ */
+struct private_ntru_private_key_t {
+
+	/**
+	 * Public ntru_private_key_t interface.
+	 */
+	ntru_private_key_t public;
+
+	/**
+	 * NTRU Parameter Set
+	 */
+	ntru_param_set_t *params;
+
+	/**
+	 * Polynomial F which is the private key
+	 */
+	ntru_poly_t *privkey;
+
+	/**
+	 * Polynomial h which is the public key
+	 */
+	uint16_t *pubkey;
+
+	/**
+	 * Encoding of the private key
+	 */
+	chunk_t encoding;
+
+	/**
+	 * Deterministic Random Bit Generator
+	 */
+	ntru_drbg_t *drbg;
+
+};
+
+METHOD(ntru_private_key_t, get_id, ntru_param_set_id_t,
+	private_ntru_private_key_t *this)
+{
+	return this->params->id;
+}
+
+METHOD(ntru_private_key_t, get_public_key, ntru_public_key_t*,
+	private_ntru_private_key_t *this)
+{
+	return ntru_public_key_create(this->drbg, this->params, this->pubkey);
+}
+
+/**
+ * Generate NTRU encryption private key encoding
+ */
+static void generate_encoding(private_ntru_private_key_t *this)
+{
+	size_t pubkey_len, privkey_len, privkey_trits_len, privkey_indices_len;
+	int privkey_pack_type;
+	uint16_t *indices;
+	uint8_t *trits;
+	u_char *enc;
+
+	/* compute public key length encoded as packed coefficients */
+	pubkey_len =  (this->params->N * this->params->q_bits + 7) / 8;
+
+	/* compute private key length encoded as packed trits coefficients */
+	privkey_trits_len = (this->params->N + 4) / 5;
+
+	/* compute private key length encoded as packed indices */
+	privkey_indices_len = (this->privkey->get_size(this->privkey) *
+						   this->params->N_bits + 7) / 8;
+
+	if (this->params->is_product_form ||
+		privkey_indices_len <= privkey_trits_len)
+	{
+		privkey_pack_type = NTRU_KEY_PACKED_INDICES;
+		privkey_len = privkey_indices_len;
+	}
+	else
+	{
+		privkey_pack_type = NTRU_KEY_PACKED_TRITS;
+		privkey_len = privkey_trits_len;
+       }
+
+	/* allocate memory for private key encoding */
+	this->encoding = chunk_alloc(2 + NTRU_OID_LEN + pubkey_len + privkey_len);
+	enc = this->encoding.ptr;
+
+	/* format header and packed public key */
+	*enc++ = NTRU_PRIVKEY_DEFAULT_TAG;
+	*enc++ = NTRU_OID_LEN;
+	memcpy(enc, this->params->oid, NTRU_OID_LEN);
+	enc += NTRU_OID_LEN;
+	ntru_elements_2_octets(this->params->N, this->pubkey,
+						   this->params->q_bits, enc);
+	enc += pubkey_len;
+
+	/* add packed private key */
+	indices = this->privkey->get_indices(this->privkey);
+
+	if (privkey_pack_type == NTRU_KEY_PACKED_TRITS)
+	{
+		/* encode private key as packed trits */
+		trits = malloc(this->params->N);
+		ntru_indices_2_packed_trits(indices, this->params->dF_r,
+							this->params->dF_r, this->params->N, trits, enc);
+		memwipe(trits, this->params->N);
+		free(trits);
+	}
+	else
+	{
+		/* encode private key as packed indices */
+		ntru_elements_2_octets(this->privkey->get_size(this->privkey),
+							   indices, this->params->N_bits, enc);
+	}
+}
+
+METHOD(ntru_private_key_t, get_encoding, chunk_t,
+	private_ntru_private_key_t *this)
+{
+	return this->encoding;
+}
+
+/** 
+ * Checks that the number of 0, +1, and -1 trinary ring elements meet or exceed
+ * a minimum weight.
+ *
+ * @param N			degree of polynomial
+ * @param t			array of trinary ring elements
+ * @param min_wt	minimum weight
+ * @return			TRUE if minimum weight met or exceeded
+ */
+bool ntru_check_min_weight(uint16_t N, uint8_t  *t, uint16_t min_wt)
+{
+	uint16_t wt[3];
+	bool success;
+	int i;
+
+	wt[0] = wt[1] = wt[2] = 0;
+
+	for (i = 0; i < N; i++)
+	{
+		++wt[t[i]];
+	}
+	success = (wt[0] >= min_wt) && (wt[1] >= min_wt) && (wt[2] >= min_wt);
+
+	DBG2(DBG_LIB, "minimum weight = %u, so -1: %u, 0: %u, +1: %u is %sok",
+				   min_wt, wt[2], wt[0], wt[1], success ? "" : "not ");
+
+	return success;
+}
+
+METHOD(ntru_private_key_t, decrypt, bool,
+	private_ntru_private_key_t *this, chunk_t ciphertext, chunk_t *plaintext)
+{
+	hash_algorithm_t hash_algid;
+	size_t t_len, seed1_len, seed2_len;
+	uint16_t *t1, *t2, *t = NULL;
+    uint16_t mod_q_mask, q_mod_p, cmprime_len, cm_len = 0, num_zeros;
+	uint8_t *Mtrin, *M, *cm, *mask_trits, *ptr;
+	int16_t m1 = 0;
+	chunk_t seed = chunk_empty;
+	ntru_trits_t *mask;
+	ntru_poly_t *r_poly;
+	bool msg_rep_good, success = TRUE;
+	int i;
+
+	*plaintext = chunk_empty;
+
+	if (ciphertext.len != (this->params->N * this->params->q_bits + 7) / 8)
+	{
+		DBG1(DBG_LIB, "wrong NTRU ciphertext length");
+		return FALSE;
+	}
+
+	/* allocate temporary array t */
+	t_len  = 2 * this->params->N * sizeof(uint16_t);
+	t = malloc(t_len);
+	t1 = t;
+	t2 = t + this->params->N;
+	Mtrin = (uint8_t *)t1;
+	M = Mtrin + this->params->N;
+
+	/* set hash algorithm based on security strength */
+	hash_algid = (this->params->sec_strength_len <= 20) ? HASH_SHA1 :
+														  HASH_SHA256;
+
+	/* set constants */
+	mod_q_mask = this->params->q - 1;
+	q_mod_p = this->params->q % 3;
+
+    /* unpack the ciphertext */
+    ntru_octets_2_elements(ciphertext.len, ciphertext.ptr,
+						   this->params->q_bits, t2);
+
+	/* form cm':
+	 *  F * e
+	 *  A = e * (1 + pF) mod q = e + pFe mod q
+	 *  a = A in the range [-q/2, q/2)
+	 *  cm' = a mod p
+	 */
+	this->privkey->ring_mult(this->privkey, t2, t1);
+
+	cmprime_len = this->params->N;
+	if (this->params->is_product_form)
+	{
+		--cmprime_len;
+		for (i = 0; i < cmprime_len; i++)
+		{
+			t1[i] = (t2[i] + 3 * t1[i]) & mod_q_mask;
+			if (t1[i] >= (this->params->q / 2))
+			{
+				t1[i] -= q_mod_p;
+			}
+			Mtrin[i] = (uint8_t)(t1[i] % 3);
+			if (Mtrin[i] == 1)
+			{
+				++m1;
+			}
+			else if (Mtrin[i] == 2)
+			{
+				--m1;
+			}
+		}
+	}
+	else
+	{
+		for (i = 0; i < cmprime_len; i++)
+		{
+			t1[i] = (t2[i] + 3 * t1[i]) & mod_q_mask;
+			if (t1[i] >= (this->params->q / 2))
+			{
+				t1[i] -= q_mod_p;
+			}
+			Mtrin[i] = (uint8_t)(t1[i] % 3);
+		}
+	}
+
+    /**
+	 * check that the candidate message representative meets
+     * minimum weight requirements
+     */
+	if (this->params->is_product_form)
+	{
+		msg_rep_good = (abs(m1) <= this->params->min_msg_rep_wt);
+	}
+	else
+	{
+		msg_rep_good = ntru_check_min_weight(cmprime_len, Mtrin,
+											 this->params->min_msg_rep_wt);
+	}
+	if (!msg_rep_good)
+	{
+		DBG1(DBG_LIB, "decryption failed due to unsufficient minimum weight");
+		success = FALSE;
+	}
+
+	/* form cR = e - cm' mod q */
+	for (i = 0; i < cmprime_len; i++)
+	{
+		if (Mtrin[i] == 1)
+		{
+			t2[i] = (t2[i] - 1) & mod_q_mask;
+		}
+		else if (Mtrin[i] == 2)
+		{
+			t2[i] = (t2[i] + 1) & mod_q_mask;
+		}
+	}
+	if (this->params->is_product_form)
+	{
+		t2[i] = (t2[i] + m1) & mod_q_mask;
+	}
+
+	/* allocate memory for the larger of the two seeds */
+	seed1_len = (this->params->N + 3)/4;
+	seed2_len = 3 + 2*this->params->sec_strength_len + this->params->m_len_max;
+	seed = chunk_alloc(max(seed1_len, seed2_len));
+	seed.len = seed1_len;
+
+	/* form cR mod 4 */
+	ntru_coeffs_mod4_2_octets(this->params->N, t2, seed.ptr);
+
+	/* form mask */
+	mask = ntru_trits_create(this->params->N, hash_algid, seed);
+	if (!mask)
+	{
+		DBG1(DBG_LIB, "mask creation failed");
+		success = FALSE;
+		goto err;
+	}
+
+	mask_trits = mask->get_trits(mask);
+
+	/* form cMtrin by subtracting mask from cm', mod p */
+	for (i = 0; i < cmprime_len; i++)
+	{
+		Mtrin[i] -=  mask_trits[i];
+		if (Mtrin[i] >= 3)
+		{
+			Mtrin[i] += 3;
+		}
+	}
+	mask->destroy(mask);
+
+	if (this->params->is_product_form)
+	{
+		/* set the last trit to zero since that's what it was, and
+		 * because it can't be calculated from (cm' - mask) since
+		 * we don't have the correct value for the last cm' trit
+		 */
+		Mtrin[i] = 0;
+	}
+
+	/* convert cMtrin to cM (Mtrin to Mbin) */
+	if (!ntru_trits_2_bits(Mtrin, this->params->N, M))
+	{
+		success = FALSE;
+		goto err;
+	}
+
+	/* skip the random padding */
+       ptr = M + this->params->sec_strength_len;
+
+	/* validate the padded message cM and copy cm to m_buf */
+	if (this->params->m_len_len == 2)
+	{
+		cm_len = (uint16_t)(*ptr++) << 16;
+	}
+	cm_len |= (uint16_t)(*ptr++);
+
+	if (cm_len > this->params->m_len_max)
+	{
+		cm_len = this->params->m_len_max;
+		DBG1(DBG_LIB, "NTRU message length is larger than maximum length");
+		success = FALSE;
+	}
+	cm = ptr;
+	ptr += cm_len;
+
+	/* check if the remaining padding consists of zeros */
+	num_zeros = this->params->m_len_max - cm_len + 1;
+	for (i = 0; i < num_zeros; i++)
+	{
+		if (ptr[i] != 0)
+		{
+			DBG1(DBG_LIB, "non-zero trailing padding detected");
+			success = FALSE;
+			break;
+		}
+	}
+
+	/* form sData (OID || m || b || hTrunc) */
+	ptr = seed.ptr;
+	memcpy(ptr, this->params->oid, 3);
+	ptr += 3;
+	memcpy(ptr, cm, cm_len);
+	ptr += cm_len;
+	memcpy(ptr, M, this->params->sec_strength_len);
+	ptr += this->params->sec_strength_len;
+	memcpy(ptr, this->encoding.ptr + 2 + NTRU_OID_LEN,
+		   this->params->sec_strength_len);
+	ptr += this->params->sec_strength_len;
+	seed.len = ptr - seed.ptr;
+
+	/* generate cr */
+	DBG2(DBG_LIB, "generate polynomial r");
+	r_poly = ntru_poly_create_from_seed(hash_algid, seed,
+						this->params->c_bits, this->params->N,
+						this->params->q, this->params->dF_r,
+						this->params->dF_r, this->params->is_product_form);
+	if (!r_poly)
+	{
+		success = FALSE;
+		goto err;
+	}
+
+	/* output plaintext in allocated chunk */
+	*plaintext = chunk_clone(chunk_create(cm, cm_len));
+
+	/* form cR' = h * cr */
+	r_poly->ring_mult(r_poly, this->pubkey, t1);
+	r_poly->destroy(r_poly);
+
+	/* compare cR' to cR */
+	for (i = 0; i < this->params->N; i++)
+	{
+		if (t[i] != t2[i])
+		{
+			DBG1(DBG_LIB, "cR' does not equal cR'");
+			chunk_clear(plaintext);
+			success = FALSE;
+			break;
+		}
+	}
+	memwipe(t, t_len);
+
+err:
+	/* cleanup */
+	chunk_clear(&seed);
+	free(t);
+
+	return success;
+}
+
+METHOD(ntru_private_key_t, destroy, void,
+	private_ntru_private_key_t *this)
+{
+	DESTROY_IF(this->privkey);
+	this->drbg->destroy(this->drbg);
+	chunk_clear(&this->encoding);
+	free(this->pubkey);
+	free(this);
+}
+
+/**
+ * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b"
+ * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1).
+ * This is a convolution operation.
+ *
+ * Ring element "b" has coefficients in the range [0,N).
+ *
+ * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum
+ * beyond 16 bits does not matter.
+ *
+ * @param a		polynomial a
+ * @param b		polynomial b
+ * @param N		no. of coefficients in a, b, c
+ * @param q		large modulus
+ * @param c		polynomial c = a * b
+ */
+static void ring_mult_c(uint16_t *a, uint16_t *b, uint16_t N, uint16_t q,
+					    uint16_t *c)
+{
+	uint16_t *bptr = b;
+	uint16_t mod_q_mask = q - 1;
+	int i, k;
+
+	/* c[k] = sum(a[i] * b[k-i]) mod q */
+	memset(c, 0, N * sizeof(uint16_t));
+	for (k = 0; k < N; k++)
+	{
+		i = 0;
+		while (i <= k)
+		{
+			c[k] += a[i++] * *bptr--;
+		}
+		bptr += N;
+		while (i < N)
+		{
+			c[k] += a[i++] * *bptr--;
+		}
+		c[k] &= mod_q_mask;
+		++bptr;
+	}
+}
+
+/**
+ * Finds the inverse of a polynomial a in (Z/2^rZ)[X]/(X^N - 1).
+ *
+ * This assumes q is 2^r where 8 < r < 16, so that operations mod q can
+ * wait until the end, and only 16-bit arrays need to be used.
+ *
+ * @param a			polynomial a
+ * @param N			no. of coefficients in a
+ * @param q			large modulus
+ * @param t			temporary buffer of size 2N elements
+ * @param a_inv 	polynomial for inverse of a
+ */
+static bool ring_inv(uint16_t *a, uint16_t N, uint16_t q, uint16_t *t,
+					 uint16_t *a_inv)
+{
+	uint8_t *b = (uint8_t *)t;
+	uint8_t *c = b + N;
+	uint8_t *f = c + N;
+	uint8_t *g = (uint8_t *)a_inv;
+	uint16_t *t2 = t + N;
+	uint16_t deg_b, deg_c, deg_f, deg_g;
+    bool done = FALSE;
+    int i, j, k = 0;
+
+	/* form a^-1 in (Z/2Z)[X]/X^N - 1) */
+	memset(b, 0, 2 * N);					/* clear to init b, c */
+
+	/* b(X) = 1 */
+	b[0] = 1;
+	deg_b = 0;
+
+	/* c(X) = 0 (cleared above) */
+	deg_c = 0;
+
+	/* f(X) = a(X) mod 2 */
+	for (i = 0; i < N; i++)
+	{
+		f[i] = (uint8_t)(a[i] & 1);
+	}
+	deg_f = N - 1;
+
+	/* g(X) = X^N - 1 */
+	g[0] = 1;
+	memset(g + 1, 0, N - 1);
+	g[N] = 1;
+	deg_g = N;
+
+	/* until f(X) = 1 */
+	while (!done)
+	{
+		/* while f[0] = 0, f(X) /= X, c(X) *= X, k++ */
+		for (i = 0; (i <= deg_f) && (f[i] == 0); ++i);
+
+		if (i > deg_f)
+		{
+			return FALSE;
+		}
+		if (i)
+		{
+			f = f + i;
+			deg_f = deg_f - i;
+			deg_c = deg_c + i;
+			for (j = deg_c; j >= i; j--)
+			{
+				c[j] = c[j-i];
+			}
+			for (j = 0; j < i; j++)
+			{
+				c[j] = 0;
+			}
+			k = k + i;
+		}
+
+		/* adjust degree of f(X) if the highest coefficients are zero
+		 * Note: f[0] = 1 from above so the loop will terminate.
+		 */
+		while (f[deg_f] == 0)
+		{
+			--deg_f;
+		}
+
+		/* if f(X) = 1, done
+		 * Note: f[0] = 1 from above, so only check the x term and up
+		 */
+		for (i = 1; (i <= deg_f) && (f[i] == 0); ++i);
+
+		if (i > deg_f)
+		{
+			done = TRUE;
+			break;
+		}
+
+		/* if deg_f < deg_g, f <-> g, b <-> c */
+		if (deg_f < deg_g)
+		{
+			uint8_t *x;
+
+			x = f;
+			f = g;
+			g = x;
+			deg_f ^= deg_g;
+			deg_g ^= deg_f;
+			deg_f ^= deg_g;
+			x = b;
+			b = c;
+			c = x;
+			deg_b ^= deg_c;
+			deg_c ^= deg_b;
+			deg_b ^= deg_c;
+		}
+
+		/* f(X) += g(X), b(X) += c(X) */
+		for (i = 0; i <= deg_g; i++)
+		{
+			f[i] ^= g[i];
+		}
+		if (deg_c > deg_b)
+		{	
+			deg_b = deg_c;
+		}
+		for (i = 0; i <= deg_c; i++)
+		{
+			b[i] ^= c[i];
+		}
+	}
+
+	/* a^-1 in (Z/2Z)[X]/(X^N - 1) = b(X) shifted left k coefficients */
+	j = 0;
+	if (k >= N)
+	{
+		k = k - N;
+	}
+	for (i = k; i < N; i++)
+	{
+		a_inv[j++] = (uint16_t)(b[i]);
+	}
+	for (i = 0; i < k; i++)
+	{
+		a_inv[j++] = (uint16_t)(b[i]);
+	}
+
+	/* lift a^-1 in (Z/2Z)[X]/(X^N - 1) to a^-1 in (Z/qZ)[X]/(X^N -1) */
+    for (j = 0; j < 4; ++j)				/* assumes 256 < q <= 65536 */
+	{
+		/* a^-1 = a^-1 * (2 - a * a^-1) mod q */
+		memcpy(t2, a_inv, N * sizeof(uint16_t));
+		ring_mult_c(a, t2, N, q, t);
+		for (i = 0; i < N; ++i)
+		{
+			t[i] = q - t[i];
+		}
+		t[0] = t[0] + 2;
+		ring_mult_c(t2, t, N, q, a_inv);
+	}
+	
+	return TRUE;
+}
+
+/*
+ * Described in header.
+ */
+ntru_private_key_t *ntru_private_key_create(ntru_drbg_t *drbg,
+											ntru_param_set_t *params)
+{
+	private_ntru_private_key_t *this;
+	size_t t_len;
+	uint16_t *t1, *t2, *t = NULL;
+	uint16_t mod_q_mask;
+    hash_algorithm_t hash_algid;
+	ntru_poly_t *g_poly;
+	chunk_t	seed;
+	int i;
+
+	INIT(this,
+		.public = {
+			.get_id = _get_id,
+			.get_public_key = _get_public_key,
+			.get_encoding = _get_encoding,
+			.decrypt = _decrypt,
+			.destroy = _destroy,
+		},
+		.params = params,
+		.pubkey = malloc(params->N * sizeof(uint16_t)),
+		.drbg = drbg->get_ref(drbg),
+	);
+
+	/* set hash algorithm and seed length based on security strength */
+	if (params->sec_strength_len <= 20)
+	{
+		hash_algid = HASH_SHA1;
+	}
+	else
+	{
+		hash_algid = HASH_SHA256;
+	}
+	seed =chunk_alloc(params->sec_strength_len + 8);
+
+	/* get random seed for generating trinary F as a list of indices */
+	if (!drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE,
+							  seed.len, seed.ptr))
+	{
+		goto err;
+	}
+
+	DBG2(DBG_LIB, "generate polynomial F");
+	this->privkey = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
+											   params->N, params->q,
+											   params->dF_r, params->dF_r,
+											   params->is_product_form);
+	if (!this->privkey)
+	{
+		goto err;
+	}
+
+	/* allocate temporary array t */
+	t_len = 3 * params->N * sizeof(uint16_t);
+	t = malloc(t_len);
+	t1 = t + 2 * params->N;
+
+	/* extend sparse private key polynomial f to N array elements */ 
+	this->privkey->get_array(this->privkey, t1);
+
+	/* set mask for large modulus */
+	mod_q_mask = params->q - 1;
+
+	/* form f = 1 + pF */
+	for (i = 0; i < params->N; i++)
+	{
+		t1[i] = (t1[i] * 3) & mod_q_mask;
+	}
+	t1[0] = (t1[0] + 1) & mod_q_mask;
+
+	/* use the public key array as a temporary buffer */
+	t2 = this->pubkey;
+ 
+	/* find f^-1 in (Z/qZ)[X]/(X^N - 1) */
+	if (!ring_inv(t1, params->N, params->q, t, t2))
+	{
+		goto err;
+	}
+
+	/* get random seed for generating trinary g as a list of indices */
+ 	if (!drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE,
+							  seed.len, seed.ptr))
+	{
+		goto err;
+	}
+
+	DBG2(DBG_LIB, "generate polynomial g");
+	g_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
+										params->N, params->q, params->dg + 1,
+										params->dg, FALSE);
+	if (!g_poly)
+	{
+		goto err;
+	}
+
+	/* compute public key polynomial h = p * (f^-1 * g) mod q */
+	g_poly->ring_mult(g_poly, t2, t2);
+	g_poly->destroy(g_poly);
+
+	for (i = 0; i < params->N; i++)
+	{
+		this->pubkey[i] = (t2[i] * 3) & mod_q_mask;
+	}
+
+	/* cleanup temporary storage */
+	chunk_clear(&seed);
+	memwipe(t, t_len);
+	free(t);
+	
+	/* generate private key encoding */
+	generate_encoding(this);
+
+	return &this->public;
+
+err:
+	chunk_free(&seed);
+	free(t);
+	destroy(this);
+
+	return NULL;
+}
+
+/*
+ * Described in header.
+ */
+ntru_private_key_t *ntru_private_key_create_from_data(ntru_drbg_t *drbg,
+													  chunk_t data)
+{
+	private_ntru_private_key_t *this;
+	size_t header_len, pubkey_packed_len, privkey_packed_len;
+	size_t privkey_packed_trits_len, privkey_packed_indices_len;
+	uint8_t *privkey_packed, tag;
+	uint16_t *indices, dF;
+	ntru_param_set_t *params;
+
+	header_len = 2 + NTRU_OID_LEN;
+
+	/* check the NTRU public key header format */
+	if (data.len < header_len ||
+		!(data.ptr[0] == NTRU_PRIVKEY_DEFAULT_TAG ||
+		  data.ptr[0] == NTRU_PRIVKEY_TRITS_TAG ||
+		  data.ptr[0] == NTRU_PRIVKEY_INDICES_TAG) ||
+		data.ptr[1] != NTRU_OID_LEN)
+	{
+		DBG1(DBG_LIB, "loaded NTRU private key with invalid header");
+		return NULL;
+	}
+	tag = data.ptr[0];
+	params = ntru_param_set_get_by_oid(data.ptr + 2);
+
+	if (!params)
+	{
+		DBG1(DBG_LIB, "loaded NTRU private key with unknown OID");
+		return NULL;
+	}
+
+	pubkey_packed_len = (params->N * params->q_bits + 7) / 8;
+	privkey_packed_trits_len = (params->N + 4) / 5;
+
+	/* check packing type for product-form private keys */
+	if (params->is_product_form &&  tag == NTRU_PRIVKEY_TRITS_TAG)
+	{
+		DBG1(DBG_LIB, "a product-form NTRU private key cannot be trits-encoded");
+		return NULL;
+	}
+
+	/* set packed-key length for packed indices */
+	if (params->is_product_form)
+	{
+		dF = (uint16_t)((params->dF_r & 0xff) +           /* df1 */
+					   ((params->dF_r >>  8) & 0xff) +    /* df2 */
+					   ((params->dF_r >> 16) & 0xff));    /* df3 */
+	}
+	else
+	{
+		dF = (uint16_t)params->dF_r;
+	}
+	privkey_packed_indices_len = (2 * dF * params->N_bits + 7) / 8;
+
+	/* set private-key packing type if defaulted */
+	if (tag == NTRU_PRIVKEY_DEFAULT_TAG)
+	{
+		if (params->is_product_form ||
+            privkey_packed_indices_len <= privkey_packed_trits_len)
+		{
+			tag = NTRU_PRIVKEY_INDICES_TAG;
+		}		
+		else
+		{
+			tag = NTRU_PRIVKEY_TRITS_TAG;
+		}
+	}
+	privkey_packed_len = (tag == NTRU_PRIVKEY_TRITS_TAG) ?
+                		 privkey_packed_trits_len : privkey_packed_indices_len;
+
+	if (data.len < header_len + pubkey_packed_len + privkey_packed_len)
+	{
+		DBG1(DBG_LIB, "loaded NTRU private key with wrong packed key size");
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.get_id = _get_id,
+			.get_public_key = _get_public_key,
+			.get_encoding = _get_encoding,
+			.decrypt = _decrypt,
+			.destroy = _destroy,
+		},
+		.params = params,
+		.pubkey = malloc(params->N * sizeof(uint16_t)),
+		.encoding = chunk_clone(data),
+		.drbg = drbg->get_ref(drbg),
+	);
+
+	/* unpack the encoded public key */
+	ntru_octets_2_elements(pubkey_packed_len, data.ptr + header_len,
+						   params->q_bits, this->pubkey);
+
+	/* allocate temporary memory for indices */
+	indices = malloc(2 * dF * sizeof(uint16_t));
+
+	/* unpack the private key */
+	privkey_packed = data.ptr + header_len + pubkey_packed_len;	
+	if (tag == NTRU_PRIVKEY_TRITS_TAG)
+	{
+		ntru_packed_trits_2_indices(privkey_packed, params->N,
+									indices, indices + dF);
+    }
+	else
+	{
+        ntru_octets_2_elements(privkey_packed_indices_len, privkey_packed,
+							   params->N_bits, indices);
+    }
+	this->privkey = ntru_poly_create_from_data(indices, params->N, params->q,
+											   params->dF_r, params->dF_r,
+											   params->is_product_form);
+
+	/* cleanup */
+	memwipe(indices, 2 * dF * sizeof(uint16_t));
+	free(indices);
+
+	return &this->public;
+}
+
+EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_private_key_create);
+
+EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_private_key_create_from_data);
diff --git a/src/libstrongswan/plugins/ntru/ntru_private_key.h b/src/libstrongswan/plugins/ntru/ntru_private_key.h
new file mode 100644
index 0000000..c6f0844
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_private_key.h
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_private_key ntru_private_key
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_PRIVATE_KEY_H_
+#define NTRU_PRIVATE_KEY_H_
+
+typedef struct ntru_private_key_t ntru_private_key_t;
+
+#include "ntru_drbg.h"
+#include "ntru_param_set.h"
+#include "ntru_public_key.h"
+
+#include <library.h>
+
+/**
+ * Implements an NTRU encryption public/private key pair
+ */
+struct ntru_private_key_t {
+
+	/**
+	 * Returns NTRU parameter set ID of the private key
+	 *
+	 * @return			NTRU parameter set ID
+	 */
+	ntru_param_set_id_t (*get_id)(ntru_private_key_t *this);
+
+	/**
+	 * Returns the NTRU encryption public key as an encoded binary blob
+	 *
+	 * @return				NTRU encryption public key (must be freed after use)
+	 */
+	ntru_public_key_t* (*get_public_key)(ntru_private_key_t *this);
+
+	/**
+	 * Returns the packed encoding of the NTRU encryption private key
+	 *
+	 * @return				Packed encoding of NTRU encryption private key
+	 */
+	chunk_t (*get_encoding)(ntru_private_key_t *this);
+
+	/**
+	 * Decrypts an NTRU ciphertext
+	 *
+	 * @param ciphertext	NTRU Ciphertext
+	 * @param plaintext		Plaintext
+	 * @return				TRUE if decryption was successful
+	 */
+	bool (*decrypt)(ntru_private_key_t *this, chunk_t ciphertext,
+					chunk_t *plaintext);
+
+	/**
+	 * Destroy ntru_private_key_t object
+	 */
+	void (*destroy)(ntru_private_key_t *this);
+};
+
+/**
+ * Creates an NTRU encryption public/private key pair using a NIST DRBG
+ *
+ * @param drbg			Digital Random Bit Generator used for key generation
+ * @param params		NTRU encryption parameter set to be used
+ */
+ntru_private_key_t *ntru_private_key_create(ntru_drbg_t *drbg, ntru_param_set_t *params);
+
+/**
+ * Creates an NTRU encryption private key from encoding
+ *
+ * @param drbg			Deterministic random bit generator
+ * @param data			Encoded NTRU private key
+ */
+ntru_private_key_t *ntru_private_key_create_from_data(ntru_drbg_t *drbg,
+													  chunk_t data);
+
+#endif /** NTRU_PRIVATE_KEY_H_ @}*/
+
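Review bot: The `get_public_key` comment describes the result as "an encoded binary blob" and says it "must be freed after use", but the member returns an `ntru_public_key_t*` object, so the text should read `Returns the NTRU encryption public key as an ntru_public_key_t object` with `@return NTRU public key object (destroy() after use)`. The `decrypt` doc should also state the ownership the implementation establishes: `*plaintext` is reset to `chunk_empty` on entry, is an allocated chunk the caller must free on success, and is cleared again when the cR' check fails, e.g. `@param plaintext Decrypted plaintext, allocated (caller must free); chunk_empty on failure`. `ntru_private_key_create` and `ntru_private_key_create_from_data` both lack a `@return` line; `@return NTRU private key, NULL on failure` matches the NULL returns in the implementation.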
diff --git a/src/libstrongswan/plugins/ntru/ntru_public_key.c b/src/libstrongswan/plugins/ntru/ntru_public_key.c
new file mode 100644
index 0000000..a2ff1b2
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_public_key.c
@@ -0,0 +1,408 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2009-2013  Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ntru_public_key.h"
+#include "ntru_trits.h"
+#include "ntru_poly.h"
+#include "ntru_convert.h"
+
+#include <utils/debug.h>
+#include <utils/test.h>
+
+typedef struct private_ntru_public_key_t private_ntru_public_key_t;
+
+/**
+ * Private data of an ntru_public_key_t object.
+ */
+struct private_ntru_public_key_t {
+	/**
+	 * Public ntru_public_key_t interface.
+	 */
+	ntru_public_key_t public;
+
+	/**
+	 * NTRU Parameter Set
+	 */
+	ntru_param_set_t *params;
+
+	/**
+	 * Polynomial h which is the public key
+	 */
+	uint16_t *pubkey;
+
+	/**
+	 * Encoding of the public key
+	 */
+	chunk_t encoding;
+
+	/**
+	 * Deterministic Random Bit Generator
+	 */
+	ntru_drbg_t *drbg;
+
+};
+
+METHOD(ntru_public_key_t, get_id, ntru_param_set_id_t,
+	private_ntru_public_key_t *this)
+{
+	return this->params->id;
+}
+
+/**
+ * Generate NTRU encryption public key encoding
+ */
+static void generate_encoding(private_ntru_public_key_t *this)
+{
+	size_t pubkey_len;
+	u_char *enc;
+
+	/* compute public key length encoded as packed coefficients */
+	pubkey_len =  (this->params->N * this->params->q_bits + 7) / 8;
+
+	/* allocate memory for public key encoding */
+	this->encoding = chunk_alloc(2 + NTRU_OID_LEN + pubkey_len);
+	enc = this->encoding.ptr;
+
+	/* format header and packed public key */
+	*enc++ = NTRU_PUBKEY_TAG;
+	*enc++ = NTRU_OID_LEN;
+	memcpy(enc, this->params->oid, NTRU_OID_LEN);
+	enc += NTRU_OID_LEN;
+	ntru_elements_2_octets(this->params->N, this->pubkey,
+						   this->params->q_bits, enc);
+}
+
+METHOD(ntru_public_key_t, get_encoding, chunk_t,
+	private_ntru_public_key_t *this)
+{
+	return this->encoding;
+}
+
+#define MAX_SEC_STRENGTH_LEN	32 /* bytes */
+
+/**
+ * Shared with ntru_private_key.c
+ */
+extern bool ntru_check_min_weight(uint16_t N, uint8_t  *t, uint16_t min_wt);
+
+METHOD(ntru_public_key_t, encrypt, bool,
+	private_ntru_public_key_t *this, chunk_t plaintext, chunk_t *ciphertext)
+{
+	hash_algorithm_t hash_algid;
+	size_t t_len, seed1_len, seed2_len;
+	uint16_t *t1, *t = NULL;
+	uint8_t b[MAX_SEC_STRENGTH_LEN];
+	uint8_t *t2, *Mtrin, *M, *mask_trits, *ptr;
+	uint16_t mod_q_mask, mprime_len = 0;
+	int16_t m1 = 0;
+	chunk_t seed = chunk_empty;
+	ntru_trits_t *mask;
+	ntru_poly_t *r_poly;
+	bool msg_rep_good, success = FALSE;
+	int i;
+
+	*ciphertext = chunk_empty;
+
+	if (plaintext.len > this->params->m_len_max)
+	{
+		DBG1(DBG_LIB, "plaintext exceeds maximum size");
+		return FALSE;
+	}
+
+	if (this->params->sec_strength_len > MAX_SEC_STRENGTH_LEN)
+	{
+		DBG1(DBG_LIB, "required security strength exceeds %d bits",
+			 MAX_SEC_STRENGTH_LEN * BITS_PER_BYTE);
+		return FALSE;
+	}
+
+	/* allocate temporary array t */
+	t_len  = (sizeof(uint16_t) + 3*sizeof(uint8_t)) * this->params->N;
+	t = malloc(t_len);
+	t1 = t;
+	t2 = (uint8_t *)(t1 + this->params->N);
+	Mtrin = t2 + this->params->N;
+	M = Mtrin + this->params->N;
+
+	/* set hash algorithm based on security strength */
+	hash_algid = (this->params->sec_strength_len <= 20) ? HASH_SHA1 :
+														  HASH_SHA256;
+	/* set constants */
+	mod_q_mask = this->params->q - 1;
+
+	/* allocate memory for the larger of the two seeds */
+	seed1_len = (this->params->N + 3)/4;
+	seed2_len = 3 + 2*this->params->sec_strength_len + plaintext.len;
+	seed = chunk_alloc(max(seed1_len, seed2_len));
+
+	/* loop until a message representative with proper weight is achieved */
+	do
+	{
+		if (!this->drbg->generate(this->drbg,
+								  this->params->sec_strength_len * BITS_PER_BYTE,
+								  this->params->sec_strength_len, b))
+		{
+			goto err;
+		}
+
+		/* form sData (OID || m || b || hTrunc) */
+		ptr = seed.ptr;
+		memcpy(ptr, this->params->oid, NTRU_OID_LEN);
+		ptr += NTRU_OID_LEN;
+		memcpy(ptr, plaintext.ptr, plaintext.len);
+		ptr += plaintext.len;
+		memcpy(ptr, b, this->params->sec_strength_len);
+		ptr += this->params->sec_strength_len;
+		memcpy(ptr, this->encoding.ptr + 2 + NTRU_OID_LEN,
+			   this->params->sec_strength_len);
+		ptr += this->params->sec_strength_len;
+		seed.len = seed2_len;
+
+		DBG2(DBG_LIB, "generate polynomial r");
+		r_poly = ntru_poly_create_from_seed(hash_algid, seed, this->params->c_bits,
+											this->params->N, this->params->q,
+											this->params->dF_r, this->params->dF_r,
+											this->params->is_product_form);
+		if (!r_poly)
+		{
+		   goto err;
+		}
+
+		/* form R = h * r */
+		r_poly->ring_mult(r_poly, this->pubkey, t1);
+		r_poly->destroy(r_poly);
+
+		/* form R mod 4 */
+		ntru_coeffs_mod4_2_octets(this->params->N, t1, seed.ptr);
+		seed.len = seed1_len;
+
+		/* form mask */
+		mask = ntru_trits_create(this->params->N, hash_algid, seed);
+		if (!mask)
+		{
+			DBG1(DBG_LIB, "mask creation failed");
+			goto err;
+		}
+
+		/* form the padded message M */
+		ptr = M;
+		memcpy(ptr, b, this->params->sec_strength_len);
+		ptr += this->params->sec_strength_len;
+		if (this->params->m_len_len == 2)
+		{
+			*ptr++ = (uint8_t)((plaintext.len >> 8) & 0xff);
+		}
+		*ptr++ = (uint8_t)(plaintext.len & 0xff);
+		memcpy(ptr, plaintext.ptr, plaintext.len);
+		ptr += plaintext.len;
+
+		/* add an extra zero byte in case without it the bit string
+		 * is not a multiple of 3 bits and therefore might not be
+		 * able to produce enough trits
+		 */
+		memset(ptr, 0, this->params->m_len_max - plaintext.len + 2);
+
+		/* convert M to trits (Mbin to Mtrin) */
+		mprime_len = this->params->N;
+		if (this->params->is_product_form)
+		{
+			--mprime_len;
+		}
+		ntru_bits_2_trits(M, mprime_len, Mtrin);
+		mask_trits = mask->get_trits(mask);
+
+
+		/* form the msg representative m' by adding Mtrin to mask, mod p */
+		if (this->params->is_product_form)
+		{
+			m1 = 0;
+			for (i = 0; i < mprime_len; i++)
+			{
+				t2[i] = mask_trits[i] + Mtrin[i];
+				if (t2[i] >= 3)
+				{
+					t2[i] -= 3;
+				}
+				if (t2[i] == 1)
+				{
+					++m1;
+				}
+				else if (t2[i] == 2)
+				{
+					--m1;
+				}
+			}
+		}
+		else
+		{
+			for (i = 0; i < mprime_len; i++)
+			{
+				t2[i] = mask_trits[i] + Mtrin[i];
+				if (t2[i] >= 3)
+				{
+					t2[i] -= 3;
+				}
+			}
+		}
+		mask->destroy(mask);
+
+		/* check that message representative meets minimum weight
+		 * requirements
+		 */
+		if (this->params->is_product_form)
+		{
+			msg_rep_good = (abs(m1) <= this->params->min_msg_rep_wt);
+		}
+		else
+		{
+			msg_rep_good = ntru_check_min_weight(mprime_len, t2,
+												 this->params->min_msg_rep_wt);
+		}
+	}
+	while (!msg_rep_good);
+
+	/* form ciphertext e by adding m' to R mod q */
+	for (i = 0; i < mprime_len; i++)
+	{
+		if (t2[i] == 1)
+		{
+			t1[i] = (t1[i] + 1) & mod_q_mask;
+		}
+		else if (t2[i] == 2)
+		{
+			t1[i] = (t1[i] - 1) & mod_q_mask;
+		}
+	}
+	if (this->params->is_product_form)
+	{
+		t1[i] = (t1[i] - m1) & mod_q_mask;
+	}
+
+	/* pack ciphertext */
+	*ciphertext = chunk_alloc((this->params->N * this->params->q_bits + 7) / 8);
+	ntru_elements_2_octets(this->params->N, t1, this->params->q_bits,
+						   ciphertext->ptr);
+
+	memwipe(t, t_len);
+	success = TRUE;
+
+err:
+	/* cleanup */
+	chunk_clear(&seed);
+	free(t);
+
+	return success;
+}
+METHOD(ntru_public_key_t, destroy, void,
+	private_ntru_public_key_t *this)
+{
+	this->drbg->destroy(this->drbg);
+	chunk_clear(&this->encoding);
+	free(this->pubkey);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ntru_public_key_t *ntru_public_key_create(ntru_drbg_t *drbg,
+										  ntru_param_set_t *params,
+										  uint16_t *pubkey)
+{
+	private_ntru_public_key_t *this;
+	int i;
+
+	INIT(this,
+		.public = {
+			.get_id = _get_id,
+			.get_encoding = _get_encoding,
+			.encrypt = _encrypt,
+			.destroy = _destroy,
+		},
+		.params = params,
+		.pubkey = malloc(params->N * sizeof(uint16_t)),
+		.drbg = drbg->get_ref(drbg),
+	);
+
+	for (i = 0; i < params->N; i++)
+	{
+		this->pubkey[i] = pubkey[i];
+	}
+
+	/* generate public key encoding */
+	generate_encoding(this);
+
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+ntru_public_key_t *ntru_public_key_create_from_data(ntru_drbg_t *drbg,
+													chunk_t data)
+{
+	private_ntru_public_key_t *this;
+	size_t header_len, pubkey_packed_len;
+	ntru_param_set_t *params;
+
+	header_len = 2 + NTRU_OID_LEN;
+
+	/* check the NTRU public key header format */
+	if (data.len < header_len ||
+		data.ptr[0] != NTRU_PUBKEY_TAG ||
+		data.ptr[1] != NTRU_OID_LEN)
+	{
+		DBG1(DBG_LIB, "received NTRU public key with invalid header");
+		return NULL;
+	}
+	params =  ntru_param_set_get_by_oid(data.ptr + 2);
+
+	if (!params)
+	{
+		DBG1(DBG_LIB, "received NTRU public key with unknown OID");
+		return NULL;
+	}
+
+	pubkey_packed_len = (params->N * params->q_bits + 7) / 8;
+
+	if (data.len < header_len + pubkey_packed_len)
+	{
+		DBG1(DBG_LIB, "received NTRU public key with wrong packed key size");
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.get_id = _get_id,
+			.get_encoding = _get_encoding,
+			.encrypt = _encrypt,
+			.destroy = _destroy,
+		},
+		.params = params,
+		.pubkey = malloc(params->N * sizeof(uint16_t)),
+		.encoding = chunk_clone(data),
+		.drbg = drbg->get_ref(drbg),
+	);
+
+	/* unpack the encoded public key */
+	ntru_octets_2_elements(pubkey_packed_len, data.ptr + header_len,
+						   params->q_bits, this->pubkey);
+
+	return &this->public;
+}
+
+EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_public_key_create_from_data);
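Review bot: On the `err:` path of `encrypt` the temporary buffer `t` is freed without being wiped, whereas the success path calls `memwipe(t, t_len)` just before falling through; by the time any `goto err` fires, `t` already holds the padded message M (the plaintext copy plus the random bytes b) and the trit representative. Since `t` is always allocated before the first `goto err`, moving the wipe under the label closes the gap: `err:` / `memwipe(t, t_len);` / `chunk_clear(&seed);`. The stack array `b` is likewise never wiped; `memwipe(b, sizeof(b));` next to it covers the randomness that seeded r. The same asymmetry appears in `decrypt` in ntru_private_key.c above, where `t` holds the recovered message on the error path.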
diff --git a/src/libstrongswan/plugins/ntru/ntru_public_key.h b/src/libstrongswan/plugins/ntru/ntru_public_key.h
new file mode 100644
index 0000000..baa8eab
--- /dev/null
+++ b/src/libstrongswan/plugins/ntru/ntru_public_key.h
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_public_key ntru_public_key
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_PUBLIC_KEY_H_
+#define NTRU_PUBLIC_KEY_H_
+
+typedef struct ntru_public_key_t ntru_public_key_t;
+
+#include "ntru_param_set.h"
+#include "ntru_drbg.h"
+
+#include <library.h>
+
+/**
+ * Implements an NTRU encryption public key
+ */
+struct ntru_public_key_t {
+
+	/**
+	 * Returns NTRU parameter set ID of the public key
+	 *
+	 * @return			NTRU parameter set ID
+	 */
+	ntru_param_set_id_t (*get_id)(ntru_public_key_t *this);
+
+	/**
+	 * Returns the packed encoding of the NTRU encryption public key
+	 *
+	 * @return			Packed encoding of NTRU encryption public key
+	 */
+	chunk_t (*get_encoding)(ntru_public_key_t *this);
+
+	/**
+	 * Encrypts a plaintext with the NTRU public key
+	 *
+	 * @param ciphertext	Plaintext
+	 * @param plaintext		Ciphertext
+	 * @return				TRUE if encryption was successful
+	 */
+	bool (*encrypt)(ntru_public_key_t *this, chunk_t plaintext,
+					chunk_t *ciphertext);
+
+	/**
+	 * Destroy ntru_public_key_t object
+	 */
+	void (*destroy)(ntru_public_key_t *this);
+};
+
+/**
+ * Creates an NTRU encryption public key from coefficients
+ *
+ * @param drbg			Deterministic random bit generator
+ * @param params		NTRU encryption parameter set to be used
+ * @param pubkey		Coefficients of public key polynomial h
+ */
+ntru_public_key_t *ntru_public_key_create(ntru_drbg_t *drbg,
+										  ntru_param_set_t *params,
+										  uint16_t *pubkey);
+
+/**
+ * Creates an NTRU encryption public key from encoding
+ *
+ * @param drbg			Deterministic random bit generator
+ * @param data			Encoded NTRU public key
+ */
+ntru_public_key_t *ntru_public_key_create_from_data(ntru_drbg_t *drbg,
+													chunk_t data);
+
+
+#endif /** NTRU_PUBLIC_KEY_H_ @}*/
+
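Review bot: The `@param` names for `encrypt` are swapped: `@param ciphertext Plaintext` / `@param plaintext Ciphertext` should read `@param plaintext Plaintext to encrypt` / `@param ciphertext Resulting ciphertext`. The doc should also say that `*ciphertext` is allocated by the call (the implementation does `chunk_alloc` on success and sets it to `chunk_empty` on entry), so the caller owns it and must free it. `ntru_public_key_create` and `ntru_public_key_create_from_data` lack a `@return`; `@return NTRU public key, NULL on failure` matches the implementation.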
diff --git a/src/libstrongswan/plugins/ntru/ntru_trits.c b/src/libstrongswan/plugins/ntru/ntru_trits.c
index f825016..1abb767 100644
--- a/src/libstrongswan/plugins/ntru/ntru_trits.c
+++ b/src/libstrongswan/plugins/ntru/ntru_trits.c
@@ -15,8 +15,7 @@
 
 #include "ntru_trits.h"
 #include "ntru_mgf1.h"
-
-#include "ntru_crypto/ntru_crypto_ntru_convert.h"
+#include "ntru_convert.h"
 
 #include <utils/debug.h>
 #include <utils/test.h>
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index f073529..5d8ada2 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -379,7 +379,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/openssl/openssl_gcm.c b/src/libstrongswan/plugins/openssl/openssl_gcm.c
index 842111b..147e4af 100644
--- a/src/libstrongswan/plugins/openssl/openssl_gcm.c
+++ b/src/libstrongswan/plugins/openssl/openssl_gcm.c
@@ -202,7 +202,8 @@ METHOD(aead_t, destroy, void,
 /*
  * Described in header
  */
-aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size)
+aead_t *openssl_gcm_create(encryption_algorithm_t algo,
+						   size_t key_size, size_t salt_size)
 {
 	private_aead_t *this;
 
@@ -236,6 +237,13 @@ aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size)
 			return NULL;
 	}
 
+	if (salt_size && salt_size != SALT_LEN)
+	{
+		/* currently not supported */
+		free(this);
+		return NULL;
+	}
+
 	switch (algo)
 	{
 		case ENCR_AES_GCM_ICV8:
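Review bot: The new guard accepts `salt_size == 0` silently while rejecting every other size than SALT_LEN, and the `/* currently not supported */` comment does not say that zero is the "use the default" case; if that is the intent it should be stated, e.g. `/* 0 selects the default implicit salt; sizes other than SALT_LEN are currently not supported */`. `salt_size` is not used again within this hunk, so whether 0 is later treated as SALT_LEN cannot be confirmed here. openssl_gcm_create begins before this hunk and continues after it.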
diff --git a/src/libstrongswan/plugins/openssl/openssl_gcm.h b/src/libstrongswan/plugins/openssl/openssl_gcm.h
index 12d2e8a..4ae268b 100644
--- a/src/libstrongswan/plugins/openssl/openssl_gcm.h
+++ b/src/libstrongswan/plugins/openssl/openssl_gcm.h
@@ -30,8 +30,10 @@
  *
  * @param algo			algorithm to implement
  * @param key_size		key size in bytes
+ * @param salt_size		size of implicit salt length
  * @return				aead_t object, NULL if not supported
  */
-aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size);
+aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size,
+							size_t salt_size);
 
 #endif /** OPENSSL_GCM_H_ @}*/
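Review bot: The new parameter documentation `@param salt_size size of implicit salt length` is circular and, unlike `key_size`, omits the unit; `@param salt_size size of the implicit salt in bytes` reads better. If a salt size of 0 is meant to select a default, the header is the place to say so, since the implementation in openssl_gcm.c on this page rejects only non-zero sizes other than its SALT_LEN.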
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index f0c1726..9748e28 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -222,7 +222,21 @@ bool openssl_rsa_fingerprint(RSA *rsa, cred_encoding_type_t type, chunk_t *fp)
 			i2d_RSA_PUBKEY(rsa, &p);
 			break;
 		default:
-			return FALSE;
+		{
+			chunk_t n = chunk_empty, e = chunk_empty;
+			bool success = FALSE;
+
+			if (openssl_bn2chunk(rsa->n, &n) &&
+				openssl_bn2chunk(rsa->e, &e))
+			{
+				success = lib->encoding->encode(lib->encoding, type, rsa, fp,
+									CRED_PART_RSA_MODULUS, n,
+									CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
+			}
+			chunk_free(&n);
+			chunk_free(&e);
+			return success;
+		}
 	}
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 	if (!hasher || !hasher->allocate_hash(hasher, key, fp))
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index 55c0271..0450ab0 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
index 22c33b0..300615e 100644
--- a/src/libstrongswan/plugins/pem/Makefile.in
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/pem/pem_encoder.c b/src/libstrongswan/plugins/pem/pem_encoder.c
index 9c8237e..df4b77c 100644
--- a/src/libstrongswan/plugins/pem/pem_encoder.c
+++ b/src/libstrongswan/plugins/pem/pem_encoder.c
@@ -106,6 +106,12 @@ bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
 				label = "CERTIFICATE REQUEST";
 				break;
 			}
+			if (cred_encoding_args(args, CRED_PART_X509_AC_ASN1_DER,
+								   &asn1, CRED_PART_END))
+			{
+				label = "ATTRIBUTE CERTIFICATE";
+				break;
+			}
 		default:
 			return FALSE;
 	}
@@ -154,4 +160,3 @@ bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
 	encoding->len = pos - encoding->ptr;
 	return TRUE;
 }
-
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
index e2491f5..ca8743b 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.in
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
index d3f3fdf..c563806 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
index b304a51..eb0903d 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
@@ -46,6 +46,9 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(PRIVKEY, KEY_RSA),
 		PLUGIN_REGISTER(PUBKEY, pkcs1_public_key_load, FALSE),
 			PLUGIN_PROVIDE(PUBKEY, KEY_ANY),
+				PLUGIN_SDEPEND(PUBKEY, KEY_RSA),
+				PLUGIN_SDEPEND(PUBKEY, KEY_ECDSA),
+				PLUGIN_SDEPEND(PUBKEY, KEY_DSA),
 		PLUGIN_REGISTER(PUBKEY, pkcs1_public_key_load, FALSE),
 			PLUGIN_PROVIDE(PUBKEY, KEY_RSA),
 	};
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in
index c8cec37..5d2f39c 100644
--- a/src/libstrongswan/plugins/pkcs11/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.in
@@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/pkcs12/Makefile.in b/src/libstrongswan/plugins/pkcs12/Makefile.in
index 67b1f4f..f398652 100644
--- a/src/libstrongswan/plugins/pkcs12/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs12/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.in b/src/libstrongswan/plugins/pkcs7/Makefile.in
index feff6e5..7d1c655 100644
--- a/src/libstrongswan/plugins/pkcs7/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs7/Makefile.in
@@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.in b/src/libstrongswan/plugins/pkcs8/Makefile.in
index 35a5c9a..fca8fd1 100644
--- a/src/libstrongswan/plugins/pkcs8/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs8/Makefile.in
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/plugin_feature.c b/src/libstrongswan/plugins/plugin_feature.c
index 8a1958b..65cdbe9 100644
--- a/src/libstrongswan/plugins/plugin_feature.c
+++ b/src/libstrongswan/plugins/plugin_feature.c
@@ -73,25 +73,55 @@ u_int32_t plugin_feature_hash(plugin_feature_t *feature)
 			data = chunk_empty;
 			break;
 		case FEATURE_CRYPTER:
+			data = chunk_from_thing(feature->arg.crypter);
+			break;
 		case FEATURE_AEAD:
+			data = chunk_from_thing(feature->arg.aead);
+			break;
 		case FEATURE_SIGNER:
+			data = chunk_from_thing(feature->arg.signer);
+			break;
 		case FEATURE_HASHER:
+			data = chunk_from_thing(feature->arg.hasher);
+			break;
 		case FEATURE_PRF:
+			data = chunk_from_thing(feature->arg.prf);
+			break;
 		case FEATURE_DH:
+			data = chunk_from_thing(feature->arg.dh_group);
+			break;
 		case FEATURE_PRIVKEY:
+			data = chunk_from_thing(feature->arg.privkey);
+			break;
 		case FEATURE_PRIVKEY_GEN:
+			data = chunk_from_thing(feature->arg.privkey_gen);
+			break;
 		case FEATURE_PUBKEY:
+			data = chunk_from_thing(feature->arg.pubkey);
+			break;
 		case FEATURE_PRIVKEY_SIGN:
+			data = chunk_from_thing(feature->arg.privkey_sign);
+			break;
 		case FEATURE_PUBKEY_VERIFY:
+			data = chunk_from_thing(feature->arg.pubkey_verify);
+			break;
 		case FEATURE_PRIVKEY_DECRYPT:
+			data = chunk_from_thing(feature->arg.privkey_decrypt);
+			break;
 		case FEATURE_PUBKEY_ENCRYPT:
+			data = chunk_from_thing(feature->arg.pubkey_encrypt);
+			break;
 		case FEATURE_CERT_DECODE:
 		case FEATURE_CERT_ENCODE:
+			data = chunk_from_thing(feature->arg.cert);
+			break;
 		case FEATURE_CONTAINER_DECODE:
 		case FEATURE_CONTAINER_ENCODE:
+			data = chunk_from_thing(feature->arg.container);
+			break;
 		case FEATURE_EAP_SERVER:
 		case FEATURE_EAP_PEER:
-			data = chunk_from_thing(feature->arg);
+			data = chunk_from_thing(feature->arg.eap);
 			break;
 		case FEATURE_CUSTOM:
 			data = chunk_create(feature->arg.custom,
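Review bot: Hashing the active union member with `chunk_from_thing(feature->arg.crypter)` (and the sibling members below) covers every byte of that struct, padding included, so the hash is only stable if each plugin_feature_t is fully zero-initialized; the static tables built with PLUGIN_PROVIDE presumably are, but a feature assembled on the stack would not be. A comment recording that assumption, e.g. `/* members are hashed byte-wise: features must be zero-initialized so padding is deterministic */`, would protect the next change. The switch continues past the end of the hunk with FEATURE_CUSTOM and any later cases.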
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index 08a8442..487fafa 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -1047,6 +1047,7 @@ static char *modular_pluginlist(char *list)
 
 	array_sort(final, (void*)plugin_priority_cmp, NULL);
 
+	plugins = strdup("");
 	enumerator = array_create_enumerator(final);
 	while (enumerator->enumerate(enumerator, &current))
 	{
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index 803eeab..6f00e7e 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index 0efe24c..59f062d 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/rc2/Makefile.in b/src/libstrongswan/plugins/rc2/Makefile.in
index afcbc07..b820d12 100644
--- a/src/libstrongswan/plugins/rc2/Makefile.in
+++ b/src/libstrongswan/plugins/rc2/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/rdrand/Makefile.in b/src/libstrongswan/plugins/rdrand/Makefile.in
index 88b283e..db926c5 100644
--- a/src/libstrongswan/plugins/rdrand/Makefile.in
+++ b/src/libstrongswan/plugins/rdrand/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index 745ee83..cfdd7e8 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index c8ec3f7..9fd5b2a 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -93,40 +93,92 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
 /**
  * check the signature of an OCSP response
  */
-static bool verify_ocsp(ocsp_response_t *response, auth_cfg_t *auth)
+static bool verify_ocsp(ocsp_response_t *response, certificate_t *ca)
 {
 	certificate_t *issuer, *subject;
 	identification_t *responder;
 	ocsp_response_wrapper_t *wrapper;
 	enumerator_t *enumerator;
-	auth_cfg_t *current;
-	bool verified = FALSE;
+	x509_t *x509;
+	bool verified = FALSE, found = FALSE;
 
 	wrapper = ocsp_response_wrapper_create((ocsp_response_t*)response);
 	lib->credmgr->add_local_set(lib->credmgr, &wrapper->set, FALSE);
 
 	subject = &response->certificate;
 	responder = subject->get_issuer(subject);
-	enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr,
+
+	/* check OCSP response using CA or directly delegated OCSP signer */
+	enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, CERT_X509,
 													KEY_ANY, responder, FALSE);
-	while (enumerator->enumerate(enumerator, &issuer, &current))
+	while (enumerator->enumerate(enumerator, &issuer))
 	{
+		x509 = (x509_t*)issuer;
+		if (!issuer->get_validity(issuer, NULL, NULL, NULL))
+		{	/* OCSP signer currently invalid */
+			continue;
+		}
+		if (!ca->equals(ca, issuer))
+		{	/* delegated OCSP signer? */
+			if (!lib->credmgr->issued_by(lib->credmgr, issuer, ca, NULL))
+			{	/* OCSP response not signed by CA, nor delegated OCSP signer */
+				continue;
+			}
+			if (!(x509->get_flags(x509) & X509_OCSP_SIGNER))
+			{	/* delegated OCSP signer does not have OCSP signer flag */
+				continue;
+			}
+		}
+		found = TRUE;
 		if (lib->credmgr->issued_by(lib->credmgr, subject, issuer, NULL))
 		{
 			DBG1(DBG_CFG, "  ocsp response correctly signed by \"%Y\"",
-							 issuer->get_subject(issuer));
-			if (auth)
-			{
-				auth->merge(auth, current, FALSE);
-			}
+				 issuer->get_subject(issuer));
 			verified = TRUE;
 			break;
 		}
+		DBG1(DBG_CFG, "ocsp response verification failed, "
+			 "invalid signature");
 	}
 	enumerator->destroy(enumerator);
 
+	if (!verified)
+	{
+		/* as fallback, use any locally installed OCSP signer certificate */
+		enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+										CERT_X509, KEY_ANY, responder, TRUE);
+		while (enumerator->enumerate(enumerator, &issuer))
+		{
+			x509 = (x509_t*)issuer;
+			/* while issued_by() accepts both OCSP signer or CA basic
+			 * constraint flags to verify OCSP responses, unrelated but trusted
+			 * OCSP signers must explicitly have the OCSP signer flag set. */
+			if ((x509->get_flags(x509) & X509_OCSP_SIGNER) &&
+				issuer->get_validity(issuer, NULL, NULL, NULL))
+			{
+				found = TRUE;
+				if (lib->credmgr->issued_by(lib->credmgr, subject, issuer, NULL))
+				{
+					DBG1(DBG_CFG, "  ocsp response correctly signed by \"%Y\"",
+						 issuer->get_subject(issuer));
+					verified = TRUE;
+					break;
+				}
+				DBG1(DBG_CFG, "ocsp response verification failed, "
+					 "invalid signature");
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+
 	lib->credmgr->remove_local_set(lib->credmgr, &wrapper->set);
 	wrapper->destroy(wrapper);
+
+	if (!found)
+	{
+		DBG1(DBG_CFG, "ocsp response verification failed, "
+			 "no signer certificate '%Y' found", responder);
+	}
 	return verified;
 }
 
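Review bot: The header comment `check the signature of an OCSP response` no longer describes what verify_ocsp does and the new `ca` parameter is undocumented: the function now also decides who may sign, accepting the CA itself, a currently valid certificate issued by `ca` that carries X509_OCSP_SIGNER, or, as a fallback, any trusted locally installed certificate with that flag. A docstring stating those three acceptance rules plus `@param ca` and `@return` would make the trust decision auditable without reading both loops. Nothing in this hunk checks the revocation status of a delegated signer, so a revoked delegated signer certificate would still be accepted as long as it is within its validity period; if that is deliberate (RFC 6960 leaves responders to mark such certificates with id-pkix-ocsp-nocheck), say so in the comment.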
@@ -134,8 +186,8 @@ static bool verify_ocsp(ocsp_response_t *response, auth_cfg_t *auth)
  * Get the better of two OCSP responses, and check for usable OCSP info
  */
 static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best,
-					x509_t *subject, x509_t *issuer, cert_validation_t *valid,
-					auth_cfg_t *auth, bool cache)
+									  x509_t *subject, x509_t *issuer,
+									  cert_validation_t *valid, bool cache)
 {
 	ocsp_response_t *response;
 	time_t revocation, this_update, next_update, valid_until;
@@ -145,9 +197,8 @@ static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best,
 	response = (ocsp_response_t*)cand;
 
 	/* check ocsp signature */
-	if (!verify_ocsp(response, auth))
+	if (!verify_ocsp(response, &issuer->interface))
 	{
-		DBG1(DBG_CFG, "ocsp response verification failed");
 		cand->destroy(cand);
 		return best;
 	}
@@ -226,8 +277,7 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer,
 	while (enumerator->enumerate(enumerator, &current))
 	{
 		current->get_ref(current);
-		best = get_better_ocsp(current, best, subject, issuer,
-							   &valid, auth, FALSE);
+		best = get_better_ocsp(current, best, subject, issuer, &valid, FALSE);
 		if (best && valid != VALIDATION_STALE)
 		{
 			DBG1(DBG_CFG, "  using cached ocsp response");
@@ -254,7 +304,7 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer,
 			if (current)
 			{
 				best = get_better_ocsp(current, best, subject, issuer,
-									   &valid, auth, TRUE);
+									   &valid, TRUE);
 				if (best && valid != VALIDATION_STALE)
 				{
 					break;
@@ -276,7 +326,7 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer,
 			if (current)
 			{
 				best = get_better_ocsp(current, best, subject, issuer,
-									   &valid, auth, TRUE);
+									   &valid, TRUE);
 				if (best && valid != VALIDATION_STALE)
 				{
 					break;
@@ -330,25 +380,20 @@ static certificate_t* fetch_crl(char *url)
 /**
  * check the signature of an CRL
  */
-static bool verify_crl(certificate_t *crl, auth_cfg_t *auth)
+static bool verify_crl(certificate_t *crl)
 {
 	certificate_t *issuer;
 	enumerator_t *enumerator;
 	bool verified = FALSE;
-	auth_cfg_t *current;
 
 	enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr,
 										KEY_ANY, crl->get_issuer(crl), FALSE);
-	while (enumerator->enumerate(enumerator, &issuer, &current))
+	while (enumerator->enumerate(enumerator, &issuer, NULL))
 	{
 		if (lib->credmgr->issued_by(lib->credmgr, crl, issuer, NULL))
 		{
 			DBG1(DBG_CFG, "  crl correctly signed by \"%Y\"",
 						   issuer->get_subject(issuer));
-			if (auth)
-			{
-				auth->merge(auth, current, FALSE);
-			}
 			verified = TRUE;
 			break;
 		}
@@ -362,7 +407,7 @@ static bool verify_crl(certificate_t *crl, auth_cfg_t *auth)
  * Get the better of two CRLs, and check for usable CRL info
  */
 static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
-					x509_t *subject, cert_validation_t *valid, auth_cfg_t *auth,
+					x509_t *subject, cert_validation_t *valid,
 					bool cache, crl_t *base)
 {
 	enumerator_t *enumerator;
@@ -390,7 +435,7 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
 	}
 
 	/* check CRL signature */
-	if (!verify_crl(cand, auth))
+	if (!verify_crl(cand))
 	{
 		DBG1(DBG_CFG, "crl response verification failed");
 		cand->destroy(cand);
@@ -452,8 +497,8 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
  * Find or fetch a certificate for a given crlIssuer
  */
 static cert_validation_t find_crl(x509_t *subject, identification_t *issuer,
-								  auth_cfg_t *auth, crl_t *base,
-								  certificate_t **best, bool *uri_found)
+								  crl_t *base, certificate_t **best,
+								  bool *uri_found)
 {
 	cert_validation_t valid = VALIDATION_SKIPPED;
 	enumerator_t *enumerator;
@@ -466,8 +511,7 @@ static cert_validation_t find_crl(x509_t *subject, identification_t *issuer,
 	while (enumerator->enumerate(enumerator, &current))
 	{
 		current->get_ref(current);
-		*best = get_better_crl(current, *best, subject, &valid,
-							   auth, FALSE, base);
+		*best = get_better_crl(current, *best, subject, &valid, FALSE, base);
 		if (*best && valid != VALIDATION_STALE)
 		{
 			DBG1(DBG_CFG, "  using cached crl");
@@ -495,7 +539,7 @@ static cert_validation_t find_crl(x509_t *subject, identification_t *issuer,
 					continue;
 				}
 				*best = get_better_crl(current, *best, subject,
-									   &valid, auth, TRUE, base);
+									   &valid, TRUE, base);
 				if (*best && valid != VALIDATION_STALE)
 				{
 					break;
@@ -511,7 +555,7 @@ static cert_validation_t find_crl(x509_t *subject, identification_t *issuer,
  * Look for a delta CRL for a given base CRL
  */
 static cert_validation_t check_delta_crl(x509_t *subject, x509_t *issuer,
-					crl_t *base, cert_validation_t base_valid, auth_cfg_t *auth)
+									crl_t *base, cert_validation_t base_valid)
 {
 	cert_validation_t valid = VALIDATION_SKIPPED;
 	certificate_t *best = NULL, *current;
@@ -526,7 +570,7 @@ static cert_validation_t check_delta_crl(x509_t *subject, x509_t *issuer,
 	if (chunk.len)
 	{
 		id = identification_create_from_encoding(ID_KEY_ID, chunk);
-		valid = find_crl(subject, id, auth, base, &best, &uri);
+		valid = find_crl(subject, id, base, &best, &uri);
 		id->destroy(id);
 	}
 
@@ -537,7 +581,7 @@ static cert_validation_t check_delta_crl(x509_t *subject, x509_t *issuer,
 	{
 		if (cdp->issuer)
 		{
-			valid = find_crl(subject, cdp->issuer, auth, base, &best, &uri);
+			valid = find_crl(subject, cdp->issuer, base, &best, &uri);
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -558,8 +602,7 @@ static cert_validation_t check_delta_crl(x509_t *subject, x509_t *issuer,
 				current->destroy(current);
 				continue;
 			}
-			best = get_better_crl(current, best, subject, &valid,
-								  auth, TRUE, base);
+			best = get_better_crl(current, best, subject, &valid, TRUE, base);
 			if (best && valid != VALIDATION_STALE)
 			{
 				break;
@@ -576,7 +619,6 @@ static cert_validation_t check_delta_crl(x509_t *subject, x509_t *issuer,
 	return base_valid;
 }
 
-
 /**
  * validate a x509 certificate using CRL
  */
@@ -597,7 +639,7 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
 	if (chunk.len)
 	{
 		id = identification_create_from_encoding(ID_KEY_ID, chunk);
-		valid = find_crl(subject, id, auth, NULL, &best, &uri_found);
+		valid = find_crl(subject, id, NULL, &best, &uri_found);
 		id->destroy(id);
 	}
 
@@ -608,8 +650,7 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
 	{
 		if (cdp->issuer)
 		{
-			valid = find_crl(subject, cdp->issuer, auth, NULL,
-							 &best, &uri_found);
+			valid = find_crl(subject, cdp->issuer, NULL, &best, &uri_found);
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -633,7 +674,7 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
 					continue;
 				}
 				best = get_better_crl(current, best, subject, &valid,
-									  auth, TRUE, NULL);
+									  TRUE, NULL);
 				if (best && valid != VALIDATION_STALE)
 				{
 					break;
@@ -646,7 +687,7 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
 	/* look for delta CRLs */
 	if (best && (valid == VALIDATION_GOOD || valid == VALIDATION_STALE))
 	{
-		valid = check_delta_crl(subject, issuer, (crl_t*)best, valid, auth);
+		valid = check_delta_crl(subject, issuer, (crl_t*)best, valid);
 	}
 
 	/* an uri was found, but no result. switch validation state to failed */
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index e57eb78..4f9d24a 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index c044178..ddc2875 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in
index cc16ef5..2ba05f7 100644
--- a/src/libstrongswan/plugins/soup/Makefile.in
+++ b/src/libstrongswan/plugins/soup/Makefile.in
@@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index c428b88..2cbacdd 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/sshkey/Makefile.in b/src/libstrongswan/plugins/sshkey/Makefile.in
index 3c9926a..6bd8250 100644
--- a/src/libstrongswan/plugins/sshkey/Makefile.in
+++ b/src/libstrongswan/plugins/sshkey/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index a1439f6..7443f53 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -387,7 +387,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h
index 788baae..33c13d9 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors.h
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h
@@ -88,11 +88,18 @@ TEST_VECTOR_AEAD(aes_ccm10)
 TEST_VECTOR_AEAD(aes_ccm11)
 TEST_VECTOR_AEAD(aes_gcm1)
 TEST_VECTOR_AEAD(aes_gcm2)
-TEST_VECTOR_AEAD(aes_gcm3)
+TEST_VECTOR_AEAD(aes_gcm3_1)
+TEST_VECTOR_AEAD(aes_gcm3_2)
+TEST_VECTOR_AEAD(aes_gcm3_3)
 TEST_VECTOR_AEAD(aes_gcm4)
-TEST_VECTOR_AEAD(aes_gcm5)
-TEST_VECTOR_AEAD(aes_gcm6)
 TEST_VECTOR_AEAD(aes_gcm7)
+TEST_VECTOR_AEAD(aes_gcm8)
+TEST_VECTOR_AEAD(aes_gcm9)
+TEST_VECTOR_AEAD(aes_gcm10)
+TEST_VECTOR_AEAD(aes_gcm13)
+TEST_VECTOR_AEAD(aes_gcm14)
+TEST_VECTOR_AEAD(aes_gcm15)
+TEST_VECTOR_AEAD(aes_gcm16)
 
 TEST_VECTOR_SIGNER(aes_xcbc_s1)
 TEST_VECTOR_SIGNER(aes_xcbc_s2)
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c
index 8de180a..95c41ec 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c
@@ -21,7 +21,8 @@
  * originally from "fips cavs fax files on hand at Red Hat".
  */
 aead_test_vector_t aes_ccm1 = {
-	.alg = ENCR_AES_CCM_ICV16, .key_size = 16, .len = 32, .alen = 0,
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 16, .salt_size = 3,
+	.len = 32, .alen = 0,
 	.key	= "\x83\xac\x54\x66\xc2\xeb\xe5\x05\x2e\x01\xd1\xfc\x5d\x82\x66\x2e"
 			  "\x96\xac\x59",
 	.iv		= "\x30\x07\xa1\xe2\xa2\xc7\x55\x24",
@@ -33,7 +34,8 @@ aead_test_vector_t aes_ccm1 = {
 };
 
 aead_test_vector_t aes_ccm2 = {
-	.alg = ENCR_AES_CCM_ICV16, .key_size = 16, .len = 32, .alen = 32,
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 16, .salt_size = 3,
+	.len = 32, .alen = 32,
 	.key	= "\x1e\x2c\x7e\x01\x41\x9a\xef\xc0\x0d\x58\x96\x6e\x5c\xa2\x4b\xd3"
 			  "\x4f\xa3\x19",
 	.iv		= "\xd3\x01\x5a\xd8\x30\x60\x15\x56",
@@ -47,7 +49,8 @@ aead_test_vector_t aes_ccm2 = {
 };
 
 aead_test_vector_t aes_ccm3 = {
-	.alg = ENCR_AES_CCM_ICV16, .key_size = 24, .len = 0, .alen = 32,
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 24, .salt_size = 3,
+	.len = 0, .alen = 32,
 	.key	= "\xf4\x6b\xc2\x75\x62\xfe\xb4\xe1\xa3\xf0\xff\xdd\x4e\x4b\x12\x75"
 			  "\x53\x14\x73\x66\x8d\x88\xf6\x80\xa0\x20\x35",
 	.iv		= "\x26\xf2\x21\x8d\x50\x20\xda\xe2",
@@ -57,7 +60,8 @@ aead_test_vector_t aes_ccm3 = {
 };
 
 aead_test_vector_t aes_ccm4 = {
-	.alg = ENCR_AES_CCM_ICV16, .key_size = 24, .len = 32, .alen = 32,
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 24, .salt_size = 3,
+	.len = 32, .alen = 32,
 	.key	= "\x56\xdf\x5c\x8f\x26\x3f\x0e\x42\xef\x7a\xd3\xce\xfc\x84\x60\x62"
 			  "\xca\xb4\x40\xaf\x5f\xc9\xc9\x01\xd6\x3c\x8c",
 	.iv		= "\x86\x84\xb6\xcd\xef\x09\x2e\x94",
@@ -71,7 +75,8 @@ aead_test_vector_t aes_ccm4 = {
 };
 
 aead_test_vector_t aes_ccm5 = {
-	.alg = ENCR_AES_CCM_ICV8, .key_size = 32, .len = 32, .alen = 32,
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 32, .salt_size = 3,
+	.len = 32, .alen = 32,
 	.key	= "\xe0\x8d\x99\x71\x60\xd7\x97\x1a\xbd\x01\x99\xd5\x8a\xdf\x71\x3a"
 			  "\xd3\xdf\x24\x4b\x5e\x3d\x4b\x4e\x30\x7a\xb9\xd8\x53\x0a\x5e\x2b"
 			  "\x1e\x29\x91",
@@ -86,7 +91,8 @@ aead_test_vector_t aes_ccm5 = {
 };
 
 aead_test_vector_t aes_ccm6 = {
-	.alg = ENCR_AES_CCM_ICV12, .key_size = 32, .len = 32, .alen = 32,
+	.alg = ENCR_AES_CCM_ICV12, .key_size = 32, .salt_size = 3,
+	.len = 32, .alen = 32,
 	.key	= "\x7c\xc8\x18\x3b\x8d\x99\xe0\x7c\x45\x41\xb8\xbd\x5c\xa7\xc2\x32"
 			  "\x8a\xb8\x02\x59\xa4\xfe\xa9\x2c\x09\x75\x9a\x9b\x3c\x9b\x27\x39"
 			  "\xf9\xd9\x4e",
@@ -101,7 +107,8 @@ aead_test_vector_t aes_ccm6 = {
 };
 
 aead_test_vector_t aes_ccm7 = {
-	.alg = ENCR_AES_CCM_ICV16, .key_size = 32, .len = 32, .alen = 32,
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 32, .salt_size = 3,
+	.len = 32, .alen = 32,
 	.key	= "\xab\xd0\xe9\x33\x07\x26\xe5\x83\x8c\x76\x95\xd4\xb6\xdc\xf3\x46"
 			  "\xf9\x8f\xad\xe3\x02\x13\x83\x77\x3f\xb0\xf1\xa1\xa1\x22\x0f\x2b"
 			  "\x24\xa7\x8b",
@@ -116,7 +123,8 @@ aead_test_vector_t aes_ccm7 = {
 };
 
 aead_test_vector_t aes_ccm8 = {
-	.alg = ENCR_AES_CCM_ICV8, .key_size = 16, .len = 0, .alen = 0,
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 16, .salt_size = 3,
+	.len = 0, .alen = 0,
 	.key	= "\xab\x2f\x8a\x74\xb7\x1c\xd2\xb1\xff\x80\x2e\x48\x7d\x82\xf8\xb9"
 			  "\xaf\x94\x87",
 	.iv		= "\x78\x35\x82\x81\x7f\x88\x94\x68",
@@ -124,7 +132,8 @@ aead_test_vector_t aes_ccm8 = {
 };
 
 aead_test_vector_t aes_ccm9 = {
-	.alg = ENCR_AES_CCM_ICV8, .key_size = 24, .len = 0, .alen = 32,
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 24, .salt_size = 3,
+	.len = 0, .alen = 32,
 	.key	= "\x39\xbb\xa7\xbe\x59\x97\x9e\x73\xa2\xbc\x6b\x98\xd7\x75\x7f\xe3"
 			  "\xa4\x48\x93\x39\x26\x71\x4a\xc6\xee\x49\x83",
 	.iv		= "\xe9\xa9\xff\xe9\x57\xba\xfd\x9e",
@@ -134,7 +143,8 @@ aead_test_vector_t aes_ccm9 = {
 };
 
 aead_test_vector_t aes_ccm10 = {
-	.alg = ENCR_AES_CCM_ICV8, .key_size = 32, .len = 0, .alen = 0,
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 32, .salt_size = 3,
+	.len = 0, .alen = 0,
 	.key	= "\xa4\x4b\x54\x29\x0a\xb8\x6d\x01\x5b\x80\x2a\xcf\x25\xc4\xb7\x5c"
 			  "\x20\x2c\xad\x30\xc2\x2b\x41\xfb\x0e\x85\xbc\x33\xad\x0f\x2b\xff"
 			  "\xee\x49\x83",
@@ -143,7 +153,8 @@ aead_test_vector_t aes_ccm10 = {
 };
 
 aead_test_vector_t aes_ccm11 = {
-	.alg = ENCR_AES_CCM_ICV8, .key_size = 24, .len = 32, .alen = 32,
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 24, .salt_size = 3,
+	.len = 32, .alen = 32,
 	.key	= "\x58\x5d\xa0\x96\x65\x1a\x04\xd7\x96\xe5\xc5\x68\xaa\x95\x35\xe0"
 			  "\x29\xa0\xba\x9e\x48\x78\xd1\xba\xee\x49\x83",
 	.iv		= "\xe9\xa9\xff\xe9\x57\xba\xfd\x9e",
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c
index 7534633..1f33bcb 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c
@@ -16,11 +16,37 @@
 #include <crypto/crypto_tester.h>
 
 /**
- * From the Linux kernel, those with an IV. Originally from
- * McGrew & Viega - http://citeseer.ist.psu.edu/656989.html
+ * From McGrew & Viega
+ * http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
+ * Formatted to match our API which expects the first four bytes (salt) of the
+ * IV as part of the key and writes/expects the ICV at the end of the cipher
+ * text.
+ * Since our implementations are currently limited to IV lengths of 12 (IV=8,
+ * SALT=4 as per RFC 4106/5282) the test cases 5/6, 11/12 and 17/18 aren't
+ * compatible.
  */
 aead_test_vector_t aes_gcm1 = {
-	.alg = ENCR_AES_GCM_ICV8, .key_size = 16, .len = 64, .alen = 0,
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 16, .salt_size = 4,
+	.len = 0, .alen = 0,
+	.key	= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+			  "\x00\x00\x00\x00",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "",
+	.cipher	= "\x58\xe2\xfc\xce\xfa\x7e\x30\x61\x36\x7f\x1d\x57\xa4\xe7\x45\x5a",
+};
+aead_test_vector_t aes_gcm2 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 16, .salt_size = 4,
+	.len = 16, .alen = 0,
+	.key	= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+			  "\x00\x00\x00\x00",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.cipher	= "\x03\x88\xda\xce\x60\xb6\xa3\x92\xf3\x28\xc2\xb9\x71\xb2\xfe\x78"
+			  "\xab\x6e\x47\xd4\x2c\xec\x13\xbd\xf5\x3a\x67\xb2\x12\x57\xbd\xdf",
+};
+aead_test_vector_t aes_gcm3_1 = {
+	.alg = ENCR_AES_GCM_ICV8, .key_size = 16, .salt_size = 4,
+	.len = 64, .alen = 0,
 	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xca\xfe\xba\xbe",
 	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
@@ -34,9 +60,9 @@ aead_test_vector_t aes_gcm1 = {
 			  "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x47\x3f\x59\x85"
 			  "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6",
 };
-
-aead_test_vector_t aes_gcm2 = {
-	.alg = ENCR_AES_GCM_ICV12, .key_size = 16, .len = 64, .alen = 0,
+aead_test_vector_t aes_gcm3_2 = {
+	.alg = ENCR_AES_GCM_ICV12, .key_size = 16, .salt_size = 4,
+	.len = 64, .alen = 0,
 	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xca\xfe\xba\xbe",
 	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
@@ -50,9 +76,9 @@ aead_test_vector_t aes_gcm2 = {
 			  "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x47\x3f\x59\x85"
 			  "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6\x2c\xf3\x5a\xbd",
 };
-
-aead_test_vector_t aes_gcm3 = {
-	.alg = ENCR_AES_GCM_ICV16, .key_size = 16, .len = 64, .alen = 0,
+aead_test_vector_t aes_gcm3_3 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 16, .salt_size = 4,
+	.len = 64, .alen = 0,
 	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xca\xfe\xba\xbe",
 	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
@@ -66,9 +92,9 @@ aead_test_vector_t aes_gcm3 = {
 			  "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x47\x3f\x59\x85"
 			  "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6\x2c\xf3\x5a\xbd\x2b\xa6\xfa\xb4",
 };
-
 aead_test_vector_t aes_gcm4 = {
-	.alg = ENCR_AES_GCM_ICV16, .key_size = 16, .len = 60, .alen = 20,
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 16, .salt_size = 4,
+	.len = 60, .alen = 20,
 	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xca\xfe\xba\xbe",
 	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
@@ -84,9 +110,28 @@ aead_test_vector_t aes_gcm4 = {
 			  "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x5b\xc9\x4f\xbc"
 			  "\x32\x21\xa5\xdb\x94\xfa\xe9\x5a\xe7\x12\x1a\x47",
 };
-
-aead_test_vector_t aes_gcm5 = {
-	.alg = ENCR_AES_GCM_ICV16, .key_size = 24, .len = 64, .alen = 0,
+aead_test_vector_t aes_gcm7 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 24, .salt_size = 4,
+	.len = 0, .alen = 0,
+	.key	= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+			  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "",
+	.cipher	= "\xcd\x33\xb2\x8a\xc7\x73\xf7\x4b\xa0\x0e\xd1\xf3\x12\x57\x24\x35",
+};
+aead_test_vector_t aes_gcm8 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 24, .salt_size = 4,
+	.len = 16, .alen = 0,
+	.key	= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+			  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.cipher	= "\x98\xe7\x24\x7c\x07\xf0\xfe\x41\x1c\x26\x7e\x43\x84\xb0\xf6\x00"
+			  "\x2f\xf5\x8d\x80\x03\x39\x27\xab\x8e\xf4\xd4\x58\x75\x14\xf0\xfb",
+};
+aead_test_vector_t aes_gcm9 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 24, .salt_size = 4,
+	.len = 64, .alen = 0,
 	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c\xca\xfe\xba\xbe",
 	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
@@ -100,9 +145,48 @@ aead_test_vector_t aes_gcm5 = {
 			  "\x18\xe2\x44\x8b\x2f\xe3\x24\xd9\xcc\xda\x27\x10\xac\xad\xe2\x56"
 			  "\x99\x24\xa7\xc8\x58\x73\x36\xbf\xb1\x18\x02\x4d\xb8\x67\x4a\x14",
 };
-
-aead_test_vector_t aes_gcm6 = {
-	.alg = ENCR_AES_GCM_ICV16, .key_size = 32, .len = 64, .alen = 0,
+aead_test_vector_t aes_gcm10 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 24, .salt_size = 4,
+	.len = 60, .alen = 20,
+	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c\xca\xfe\xba\xbe",
+	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
+	.plain	= "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
+			  "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
+			  "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
+			  "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39",
+	.adata	= "\xfe\xed\xfa\xce\xde\xad\xbe\xef\xfe\xed\xfa\xce\xde\xad\xbe\xef"
+			  "\xab\xad\xda\xd2",
+	.cipher = "\x39\x80\xca\x0b\x3c\x00\xe8\x41\xeb\x06\xfa\xc4\x87\x2a\x27\x57"
+			  "\x85\x9e\x1c\xea\xa6\xef\xd9\x84\x62\x85\x93\xb4\x0c\xa1\xe1\x9c"
+			  "\x7d\x77\x3d\x00\xc1\x44\xc5\x25\xac\x61\x9d\x18\xc8\x4a\x3f\x47"
+			  "\x18\xe2\x44\x8b\x2f\xe3\x24\xd9\xcc\xda\x27\x10\x25\x19\x49\x8e"
+			  "\x80\xf1\x47\x8f\x37\xba\x55\xbd\x6d\x27\x61\x8c",
+};
+aead_test_vector_t aes_gcm13 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 32, .salt_size = 4,
+	.len = 0, .alen = 0,
+	.key	= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+			  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+			  "\x00\x00\x00\x00",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "",
+	.cipher	= "\x53\x0f\x8a\xfb\xc7\x45\x36\xb9\xa9\x63\xb4\xf1\xc4\xcb\x73\x8b",
+};
+aead_test_vector_t aes_gcm14 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 32, .salt_size = 4,
+	.len = 16, .alen = 0,
+	.key	= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+			  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+			  "\x00\x00\x00\x00",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+	.cipher	= "\xce\xa7\x40\x3d\x4d\x60\x6b\x6e\x07\x4e\xc5\xd3\xba\xf3\x9d\x18"
+			  "\xd0\xd1\xc8\xa7\x99\x99\x6b\xf0\x26\x5b\x98\xb5\xd4\x8a\xb9\x19",
+};
+aead_test_vector_t aes_gcm15 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 32, .salt_size = 4,
+	.len = 64, .alen = 0,
 	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xca\xfe\xba\xbe",
@@ -117,9 +201,9 @@ aead_test_vector_t aes_gcm6 = {
 			  "\xc5\xf6\x1e\x63\x93\xba\x7a\x0a\xbc\xc9\xf6\x62\x89\x80\x15\xad"
 			  "\xb0\x94\xda\xc5\xd9\x34\x71\xbd\xec\x1a\x50\x22\x70\xe3\xcc\x6c",
 };
-
-aead_test_vector_t aes_gcm7 = {
-	.alg = ENCR_AES_GCM_ICV16, .key_size = 32, .len = 60, .alen = 20,
+aead_test_vector_t aes_gcm16 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 32, .salt_size = 4,
+	.len = 60, .alen = 20,
 	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xca\xfe\xba\xbe",
@@ -136,4 +220,3 @@ aead_test_vector_t aes_gcm7 = {
 			  "\xc5\xf6\x1e\x63\x93\xba\x7a\x0a\xbc\xc9\xf6\x62\x76\xfc\x6e\xce"
 			  "\x0f\x4e\x17\x68\xcd\xdf\x88\x53\xbb\x2d\x55\x1b",
 };
-
diff --git a/src/libstrongswan/plugins/unbound/Makefile.in b/src/libstrongswan/plugins/unbound/Makefile.in
index 961311e..c3c6ed6 100644
--- a/src/libstrongswan/plugins/unbound/Makefile.in
+++ b/src/libstrongswan/plugins/unbound/Makefile.in
@@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index 74552e0..154fc5c 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index 7d83e48..30b871d 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -29,7 +29,6 @@
 #include <utils/identification.h>
 #include <collections/linked_list.h>
 #include <credentials/certificates/x509.h>
-#include <credentials/ietf_attributes/ietf_attributes.h>
 #include <credentials/keys/private_key.h>
 
 extern chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob,
@@ -75,7 +74,7 @@ struct private_x509_ac_t {
 	/**
 	 * Serial number of the holder certificate
 	 */
-	chunk_t holderSerial;
+	identification_t *holderSerial;
 
 	/**
 	 * ID representing the holder
@@ -98,14 +97,9 @@ struct private_x509_ac_t {
 	time_t notAfter;
 
 	/**
-	 * List of charging attributes
+	 * List of group attributes, as group_t
 	 */
-	ietf_attributes_t *charging;
-
-	/**
-	 * List of groub attributes
-	 */
-	ietf_attributes_t *groups;
+	linked_list_t *groups;
 
 	/**
 	 * Authority Key Identifier
@@ -153,6 +147,25 @@ struct private_x509_ac_t {
 	refcount_t ref;
 };
 
+/**
+ * Group definition, an IETF attribute
+ */
+typedef struct {
+	/** Attribute type */
+	ac_group_type_t type;
+	/* attribute value */
+	chunk_t value;
+} group_t;
+
+/**
+ * Clean up a group entry
+ */
+static void group_destroy(group_t *group)
+{
+	free(group->value.ptr);
+	free(group);
+}
+
 static chunk_t ASN1_noRevAvail_ext = chunk_from_chars(
 	0x30, 0x09,
 		  0x06, 0x03,
@@ -169,42 +182,41 @@ extern void x509_parse_generalNames(chunk_t blob, int level0, bool implicit,
 /**
  * parses a directoryName
  */
-static bool parse_directoryName(chunk_t blob, int level, bool implicit, identification_t **name)
+static bool parse_directoryName(chunk_t blob, int level, bool implicit,
+								identification_t **name)
 {
-	bool has_directoryName;
-	linked_list_t *list = linked_list_create();
+	identification_t *directoryName;
+	enumerator_t *enumerator;
+	bool first = TRUE;
+	linked_list_t *list;
 
+	list = linked_list_create();
 	x509_parse_generalNames(blob, level, implicit, list);
-	has_directoryName = list->get_count(list) > 0;
 
-	if (has_directoryName)
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &directoryName))
 	{
-		enumerator_t *enumerator = list->create_enumerator(list);
-		identification_t *directoryName;
-		bool first = TRUE;
-
-		while (enumerator->enumerate(enumerator, (void**)&directoryName))
+		if (first)
 		{
-			if (first)
-			{
-				*name = directoryName;
-				first = FALSE;
-			}
-			else
-			{
-				DBG1(DBG_ASN, "more than one directory name - first selected");
-				directoryName->destroy(directoryName);
-			}
+			*name = directoryName;
+			first = FALSE;
+		}
+		else
+		{
+			DBG1(DBG_ASN, "more than one directory name - first selected");
+			directoryName->destroy(directoryName);
+			break;
 		}
-		enumerator->destroy(enumerator);
 	}
-	else
+	enumerator->destroy(enumerator);
+	list->destroy(list);
+
+	if (first)
 	{
 		DBG1(DBG_ASN, "no directoryName found");
+		return FALSE;
 	}
-
-	list->destroy(list);
-	return has_directoryName;
+	return TRUE;
 }
 
 /**
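Review bot: The `break;` added after destroying the second directoryName leaves any third and later names sitting in `list`, and `list->destroy(list)` releases only the list nodes, so those identification_t objects leak; the old loop destroyed every surplus name. The GeneralNames come straight from the attribute certificate being parsed, so a malformed AC with many names leaks on each parse. The simplest fix is to drop the `break;` so the loop keeps destroying every extra entry; if the early exit is wanted, the leftover entries must be destroyed explicitly before `list->destroy(list);`.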
@@ -244,63 +256,131 @@ static void parse_roleSyntax(chunk_t blob, int level0)
 }
 
 /**
+ * ASN.1 definition of ietfAttrSyntax
+ */
+static const asn1Object_t ietfAttrSyntaxObjects[] =
+{
+	{ 0, "ietfAttrSyntax",		ASN1_SEQUENCE,		ASN1_NONE }, /*  0 */
+	{ 1,   "policyAuthority",	ASN1_CONTEXT_C_0,	ASN1_OPT |
+													ASN1_BODY }, /*  1 */
+	{ 1,   "end opt",			ASN1_EOC,			ASN1_END  }, /*  2 */
+	{ 1,   "values",			ASN1_SEQUENCE,		ASN1_LOOP }, /*  3 */
+	{ 2,     "octets",			ASN1_OCTET_STRING,	ASN1_OPT |
+													ASN1_BODY }, /*  4 */
+	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  5 */
+	{ 2,     "oid",				ASN1_OID,			ASN1_OPT |
+													ASN1_BODY }, /*  6 */
+	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  7 */
+	{ 2,     "string",			ASN1_UTF8STRING,	ASN1_OPT |
+													ASN1_BODY }, /*  8 */
+	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  9 */
+	{ 1,   "end loop",			ASN1_EOC,			ASN1_END  }, /* 10 */
+	{ 0, "exit",				ASN1_EOC,			ASN1_EXIT }
+};
+#define IETF_ATTR_OCTETS	 4
+#define IETF_ATTR_OID		 6
+#define IETF_ATTR_STRING	 8
+
+/**
+ * Parse group memberships, IETF attributes
+ */
+static bool parse_groups(private_x509_ac_t *this, chunk_t encoded, int level0)
+{
+	ac_group_type_t type;
+	group_t *group;
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	bool success;
+
+	parser = asn1_parser_create(ietfAttrSyntaxObjects, encoded);
+	parser->set_top_level(parser, level0);
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case IETF_ATTR_OCTETS:
+				type = AC_GROUP_TYPE_OCTETS;
+				break;
+			case IETF_ATTR_OID:
+				type = AC_GROUP_TYPE_OID;
+				break;
+			case IETF_ATTR_STRING:
+				type = AC_GROUP_TYPE_STRING;
+				break;
+			default:
+				continue;
+		}
+		INIT(group,
+			.type = type,
+			.value = chunk_clone(object),
+		);
+		this->groups->insert_last(this->groups, group);
+	}
+	success = parser->success(parser);
+	parser->destroy(parser);
+
+	return success;
+}
+
+/**
  * ASN.1 definition of an X509 attribute certificate
  */
 static const asn1Object_t acObjects[] =
 {
 	{ 0, "AttributeCertificate",			ASN1_SEQUENCE,		  ASN1_OBJ  }, /*  0 */
 	{ 1,   "AttributeCertificateInfo",		ASN1_SEQUENCE,		  ASN1_OBJ  }, /*  1 */
-	{ 2,	   "version",					ASN1_INTEGER,		  ASN1_DEF |
+	{ 2,       "version",					ASN1_INTEGER,		  ASN1_DEF |
 																  ASN1_BODY }, /*  2 */
-	{ 2,	   "holder",					ASN1_SEQUENCE,		  ASN1_NONE }, /*  3 */
-	{ 3,	     "baseCertificateID",		ASN1_CONTEXT_C_0,	  ASN1_OPT  }, /*  4 */
-	{ 4,	       "issuer",				ASN1_SEQUENCE,		  ASN1_OBJ  }, /*  5 */
-	{ 4,	       "serial",				ASN1_INTEGER,		  ASN1_BODY }, /*  6 */
+	{ 2,       "holder",					ASN1_SEQUENCE,		  ASN1_NONE }, /*  3 */
+	{ 3,         "baseCertificateID",		ASN1_CONTEXT_C_0,	  ASN1_OPT  }, /*  4 */
+	{ 4,           "issuer",				ASN1_SEQUENCE,		  ASN1_OBJ  }, /*  5 */
+	{ 4,           "serial",				ASN1_INTEGER,		  ASN1_BODY }, /*  6 */
 	{ 4,         "issuerUID",				ASN1_BIT_STRING,	  ASN1_OPT |
 																  ASN1_BODY }, /*  7 */
 	{ 4,         "end opt",					ASN1_EOC,			  ASN1_END  }, /*  8 */
 	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /*  9 */
-	{ 3,	   "entityName",				ASN1_CONTEXT_C_1,	  ASN1_OPT |
+	{ 3,       "entityName",				ASN1_CONTEXT_C_1,	  ASN1_OPT |
 																  ASN1_OBJ  }, /* 10 */
 	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 11 */
-	{ 3,	     "objectDigestInfo",		ASN1_CONTEXT_C_2,	  ASN1_OPT  }, /* 12 */
-	{ 4,	       "digestedObjectType",	ASN1_ENUMERATED,	  ASN1_BODY }, /* 13 */
-	{ 4,	       "otherObjectTypeID",		ASN1_OID,			  ASN1_OPT |
+	{ 3,         "objectDigestInfo",		ASN1_CONTEXT_C_2,	  ASN1_OPT  }, /* 12 */
+	{ 4,           "digestedObjectType",	ASN1_ENUMERATED,	  ASN1_BODY }, /* 13 */
+	{ 4,           "otherObjectTypeID",		ASN1_OID,			  ASN1_OPT |
 																  ASN1_BODY }, /* 14 */
 	{ 4,         "end opt",					ASN1_EOC,			  ASN1_END  }, /* 15 */
 	{ 4,         "digestAlgorithm",			ASN1_EOC,			  ASN1_RAW  }, /* 16 */
 	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 17 */
-	{ 2,	   "v2Form",					ASN1_CONTEXT_C_0,	  ASN1_NONE }, /* 18 */
-	{ 3,	     "issuerName",				ASN1_SEQUENCE,		  ASN1_OPT |
+	{ 2,       "v2Form",					ASN1_CONTEXT_C_0,	  ASN1_NONE }, /* 18 */
+	{ 3,         "issuerName",				ASN1_SEQUENCE,		  ASN1_OPT |
 																  ASN1_OBJ  }, /* 19 */
 	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 20 */
-	{ 3,	     "baseCertificateID",		ASN1_CONTEXT_C_0,	  ASN1_OPT  }, /* 21 */
-	{ 4,	       "issuerSerial",			ASN1_SEQUENCE,		  ASN1_NONE }, /* 22 */
-	{ 5,	         "issuer",				ASN1_SEQUENCE,		  ASN1_OBJ  }, /* 23 */
-	{ 5,		 "serial",					ASN1_INTEGER,		  ASN1_BODY }, /* 24 */
+	{ 3,         "baseCertificateID",		ASN1_CONTEXT_C_0,	  ASN1_OPT  }, /* 21 */
+	{ 4,           "issuerSerial",			ASN1_SEQUENCE,		  ASN1_NONE }, /* 22 */
+	{ 5,             "issuer",				ASN1_SEQUENCE,		  ASN1_OBJ  }, /* 23 */
+	{ 5,         "serial",					ASN1_INTEGER,		  ASN1_BODY }, /* 24 */
 	{ 5,           "issuerUID",				ASN1_BIT_STRING,	  ASN1_OPT |
 																  ASN1_BODY }, /* 25 */
 	{ 5,           "end opt",				ASN1_EOC,			  ASN1_END  }, /* 26 */
 	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 27 */
 	{ 3,       "objectDigestInfo",			ASN1_CONTEXT_C_1,	  ASN1_OPT  }, /* 28 */
-	{ 4,	       "digestInfo",			ASN1_SEQUENCE,		  ASN1_OBJ  }, /* 29 */
-	{ 5,  	 "digestedObjectType",			ASN1_ENUMERATED,	  ASN1_BODY }, /* 30 */
-	{ 5,		 "otherObjectTypeID",		ASN1_OID,			  ASN1_OPT |
+	{ 4,           "digestInfo",			ASN1_SEQUENCE,		  ASN1_OBJ  }, /* 29 */
+	{ 5,     "digestedObjectType",			ASN1_ENUMERATED,	  ASN1_BODY }, /* 30 */
+	{ 5,         "otherObjectTypeID",		ASN1_OID,			  ASN1_OPT |
 																  ASN1_BODY }, /* 31 */
 	{ 5,           "end opt",				ASN1_EOC,			  ASN1_END  }, /* 32 */
 	{ 5,           "digestAlgorithm",		ASN1_EOC,			  ASN1_RAW  }, /* 33 */
 	{ 3,       "end opt",					ASN1_EOC,			  ASN1_END  }, /* 34 */
-	{ 2,	   "signature",					ASN1_EOC,			  ASN1_RAW  }, /* 35 */
-	{ 2,	   "serialNumber",				ASN1_INTEGER,		  ASN1_BODY }, /* 36 */
-	{ 2,	   "attrCertValidityPeriod",	ASN1_SEQUENCE,		  ASN1_NONE }, /* 37 */
-	{ 3,	     "notBeforeTime",			ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 38 */
-	{ 3,	     "notAfterTime",			ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 39 */
-	{ 2,	   "attributes",				ASN1_SEQUENCE,		  ASN1_LOOP }, /* 40 */
+	{ 2,       "signature",					ASN1_EOC,			  ASN1_RAW  }, /* 35 */
+	{ 2,       "serialNumber",				ASN1_INTEGER,		  ASN1_BODY }, /* 36 */
+	{ 2,       "attrCertValidityPeriod",	ASN1_SEQUENCE,		  ASN1_NONE }, /* 37 */
+	{ 3,         "notBeforeTime",			ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 38 */
+	{ 3,         "notAfterTime",			ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 39 */
+	{ 2,       "attributes",				ASN1_SEQUENCE,		  ASN1_LOOP }, /* 40 */
 	{ 3,       "attribute",					ASN1_SEQUENCE,		  ASN1_NONE }, /* 41 */
 	{ 4,         "type",					ASN1_OID,			  ASN1_BODY }, /* 42 */
 	{ 4,         "values",					ASN1_SET, 			  ASN1_LOOP }, /* 43 */
 	{ 5,           "value",					ASN1_EOC, 			  ASN1_RAW  }, /* 44 */
-	{ 4, 	       "end loop",				ASN1_EOC,			  ASN1_END  }, /* 45 */
+	{ 4,           "end loop",				ASN1_EOC,			  ASN1_END  }, /* 45 */
 	{ 2,     "end loop",					ASN1_EOC,			  ASN1_END  }, /* 46 */
 	{ 2,     "extensions",					ASN1_SEQUENCE,		  ASN1_LOOP }, /* 47 */
 	{ 3,       "extension",					ASN1_SEQUENCE,		  ASN1_NONE }, /* 48 */
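Review bot: parse_groups appends cloned values to `this->groups` inside the loop and only learns afterwards whether `parser->success()` holds, so on a FALSE return the list already carries partial entries; that is safe only because the caller tears the object down via destroy, which is worth stating in the header comment, e.g. `/* On failure, groups appended so far stay in this->groups and are released by destroy() */`. Separately, the re-indentation of acObjects leaves rows 24 (`"serial"`) and 30 (`"digestedObjectType"`) still out of step with their siblings at the same level, which defeats the purpose of the whitespace change.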
@@ -368,22 +448,26 @@ static bool parse_certificate(private_x509_ac_t *this)
 				}
 				break;
 			case AC_OBJ_HOLDER_ISSUER:
-				if (!parse_directoryName(object, level, FALSE, &this->holderIssuer))
+				if (!parse_directoryName(object, level, FALSE,
+										 &this->holderIssuer))
 				{
 					goto end;
 				}
 				break;
 			case AC_OBJ_HOLDER_SERIAL:
-				this->holderSerial = object;
+				this->holderSerial = identification_create_from_encoding(
+															ID_KEY_ID, object);
 				break;
 			case AC_OBJ_ENTITY_NAME:
-				if (!parse_directoryName(object, level, TRUE, &this->entityName))
+				if (!parse_directoryName(object, level, TRUE,
+										 &this->entityName))
 				{
 					goto end;
 				}
 				break;
 			case AC_OBJ_ISSUER_NAME:
-				if (!parse_directoryName(object, level, FALSE, &this->issuerName))
+				if (!parse_directoryName(object, level, FALSE,
+										 &this->issuerName))
 				{
 					goto end;
 				}
@@ -414,13 +498,14 @@ static bool parse_certificate(private_x509_ac_t *this)
 						DBG2(DBG_ASN, "  need to parse accessIdentity");
 						break;
 					case OID_CHARGING_IDENTITY:
-						DBG2(DBG_ASN, "-- > --");
-						this->charging = ietf_attributes_create_from_encoding(object);
-						DBG2(DBG_ASN, "-- < --");
+						DBG2(DBG_ASN, "  need to parse chargingIdentity");
 						break;
 					case OID_GROUP:
 						DBG2(DBG_ASN, "-- > --");
-						this->groups = ietf_attributes_create_from_encoding(object);
+						if (!parse_groups(this, object, level))
+						{
+							goto end;
+						}
 						DBG2(DBG_ASN, "-- < --");
 						break;
 					case OID_ROLE:
@@ -446,8 +531,9 @@ static bool parse_certificate(private_x509_ac_t *this)
 						DBG2(DBG_ASN, "  need to parse crlDistributionPoints");
 						break;
 					case OID_AUTHORITY_KEY_ID:
-						this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
-													level, &this->authKeySerialNumber);
+						this->authKeyIdentifier =
+								x509_parse_authorityKeyIdentifier(object,
+											level, &this->authKeySerialNumber);
 						break;
 					case OID_TARGET_INFORMATION:
 						DBG2(DBG_ASN, "  need to parse targetInformation");
@@ -490,7 +576,7 @@ end:
 static chunk_t build_directoryName(asn1_t tag, chunk_t name)
 {
 	return asn1_wrap(tag, "m",
-		asn1_simple_object(ASN1_CONTEXT_C_4, name));
+				asn1_simple_object(ASN1_CONTEXT_C_4, name));
 }
 
 /**
@@ -499,14 +585,15 @@ static chunk_t build_directoryName(asn1_t tag, chunk_t name)
 static chunk_t build_holder(private_x509_ac_t *this)
 {
 	x509_t* x509 = (x509_t*)this->holderCert;
-	identification_t *issuer = this->holderCert->get_issuer(this->holderCert);
-	identification_t *subject = this->holderCert->get_subject(this->holderCert);
+	identification_t *issuer, *subject;
+
+	issuer = this->holderCert->get_issuer(this->holderCert);
+	subject = this->holderCert->get_subject(this->holderCert);
 
 	return asn1_wrap(ASN1_SEQUENCE, "mm",
 		asn1_wrap(ASN1_CONTEXT_C_0, "mm",
 			build_directoryName(ASN1_SEQUENCE, issuer->get_encoding(issuer)),
-			asn1_simple_object(ASN1_INTEGER, x509->get_serial(x509))
-		),
+			asn1_simple_object(ASN1_INTEGER, x509->get_serial(x509))),
 		build_directoryName(ASN1_CONTEXT_C_1, subject->get_encoding(subject)));
 }
 
@@ -515,10 +602,12 @@ static chunk_t build_holder(private_x509_ac_t *this)
  */
 static chunk_t build_v2_form(private_x509_ac_t *this)
 {
-	identification_t *subject = this->signerCert->get_subject(this->signerCert);
+	identification_t *subject;
 
+	subject = this->signerCert->get_subject(this->signerCert);
 	return asn1_wrap(ASN1_CONTEXT_C_0, "m",
-		build_directoryName(ASN1_SEQUENCE, subject->get_encoding(subject)));
+				build_directoryName(ASN1_SEQUENCE,
+					subject->get_encoding(subject)));
 }
 
 /**
@@ -531,7 +620,6 @@ static chunk_t build_attr_cert_validity(private_x509_ac_t *this)
 				asn1_from_time(&this->notAfter, ASN1_GENERALIZEDTIME));
 }
 
-
 /**
  * build attribute type
  */
@@ -547,8 +635,55 @@ static chunk_t build_attribute_type(int type, chunk_t content)
  */
 static chunk_t build_attributes(private_x509_ac_t *this)
 {
+	enumerator_t *enumerator;
+	group_t *group;
+	chunk_t values;
+	size_t size = 0, len;
+	u_char *pos;
+
+	/* precalculate the total size of all values */
+	enumerator = this->groups->create_enumerator(this->groups);
+	while (enumerator->enumerate(enumerator, &group))
+	{
+		len = group->value.len;
+		size += 1 + (len > 0) + (len >= 128) +
+				(len >= 256) + (len >= 65536) + len;
+	}
+	enumerator->destroy(enumerator);
+
+	pos = asn1_build_object(&values, ASN1_SEQUENCE, size);
+
+	enumerator = this->groups->create_enumerator(this->groups);
+	while (enumerator->enumerate(enumerator, &group))
+	{
+		chunk_t attr;
+		asn1_t type;
+
+		switch (group->type)
+		{
+			case AC_GROUP_TYPE_OCTETS:
+				type = ASN1_OCTET_STRING;
+				break;
+			case AC_GROUP_TYPE_STRING:
+				type = ASN1_UTF8STRING;
+				break;
+			case AC_GROUP_TYPE_OID:
+				type = ASN1_OID;
+				break;
+			default:
+				continue;
+		}
+		attr = asn1_simple_object(type, group->value);
+
+		memcpy(pos, attr.ptr, attr.len);
+		pos += attr.len;
+		free(attr.ptr);
+	}
+	enumerator->destroy(enumerator);
+
 	return asn1_wrap(ASN1_SEQUENCE, "m",
-		build_attribute_type(OID_GROUP, this->groups->get_encoding(this->groups)));
+				build_attribute_type(OID_GROUP,
+					asn1_wrap(ASN1_SEQUENCE, "m", values)));
 }
 
 /**
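Review bot: The size precalculation in build_attributes undercounts empty values: `1 + (len > 0) + (len >= 128) + (len >= 256) + (len >= 65536) + len` yields 1 for `len == 0`, but a DER TLV always carries at least one length byte, so assuming `asn1_simple_object` emits the usual tag + length + content encoding an empty value occupies 2 bytes and the subsequent `memcpy` writes one byte past the `values` buffer for each such group. Empty values are reachable through `add_groups_from_list` (an empty group name) and through a parsed empty OCTET STRING. The constant term should not depend on `len`: `size += 2 + (len >= 128) + (len >= 256) + (len >= 65536) + len;`, ideally with a comment such as `/* tag byte + 1..4 length bytes + content */` so the formula's relation to the length encoding is explicit.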
@@ -621,14 +756,11 @@ static chunk_t build_attr_cert_info(private_x509_ac_t *this)
  */
 static chunk_t build_ac(private_x509_ac_t *this)
 {
-	chunk_t signatureValue;
-	chunk_t attributeCertificateInfo;
+	chunk_t signatureValue, attributeCertificateInfo;
 
 	attributeCertificateInfo = build_attr_cert_info(this);
-
 	this->signerKey->sign(this->signerKey, SIGN_RSA_EMSA_PKCS1_SHA1,
 						  attributeCertificateInfo, &signatureValue);
-
 	return asn1_wrap(ASN1_SEQUENCE, "mmm",
 				attributeCertificateInfo,
 				asn1_algorithmIdentifier(OID_SHA1_WITH_RSA),
@@ -644,7 +776,11 @@ METHOD(ac_t, get_serial, chunk_t,
 METHOD(ac_t, get_holderSerial, chunk_t,
 	private_x509_ac_t *this)
 {
-	return this->holderSerial;
+	if (this->holderSerial)
+	{
+		return this->holderSerial->get_encoding(this->holderSerial);
+	}
+	return chunk_empty;
 }
 
 METHOD(ac_t, get_holderIssuer, identification_t*,
@@ -659,10 +795,28 @@ METHOD(ac_t, get_authKeyIdentifier, chunk_t,
 	return this->authKeyIdentifier;
 }
 
-METHOD(ac_t, get_groups, ietf_attributes_t*,
+/**
+ * Filter function for attribute enumeration
+ */
+static bool attr_filter(void *null, group_t **in, ac_group_type_t *type,
+						void *in2, chunk_t *out)
+{
+	if ((*in)->type == AC_GROUP_TYPE_STRING &&
+		!chunk_printable((*in)->value, NULL, 0))
+	{	/* skip non-printable strings */
+		return FALSE;
+	}
+	*type = (*in)->type;
+	*out = (*in)->value;
+	return TRUE;
+}
+
+METHOD(ac_t, create_group_enumerator, enumerator_t*,
 	private_x509_ac_t *this)
 {
-	return this->groups ? this->groups->get_ref(this->groups) : NULL;
+	return enumerator_create_filter(
+							this->groups->create_enumerator(this->groups),
+							(void*)attr_filter, NULL, NULL);
 }
 
 METHOD(certificate_t, get_type, certificate_type_t,
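Review bot: attr_filter hands out `(*in)->value` by assignment, so the chunk the enumerator yields aliases the group entry owned by the AC; that contract (valid only while the certificate lives, must not be freed or modified by the consumer) is not stated anywhere, and the comment on create_group_enumerator should say so, e.g. `/* Enumerates (ac_group_type_t, chunk_t) pairs; chunks are borrowed from the AC and valid until it is destroyed */`. It would also help to mention that AC_GROUP_TYPE_STRING entries failing `chunk_printable` are silently dropped rather than reported, since consumers matching group names will otherwise not see those entries at all.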
@@ -674,7 +828,11 @@ METHOD(certificate_t, get_type, certificate_type_t,
 METHOD(certificate_t, get_subject, identification_t*,
 	private_x509_ac_t *this)
 {
-	return this->entityName;
+	if (this->entityName)
+	{
+		return this->entityName;
+	}
+	return this->holderSerial;
 }
 
 METHOD(certificate_t, get_issuer, identification_t*,
@@ -686,13 +844,24 @@ METHOD(certificate_t, get_issuer, identification_t*,
 METHOD(certificate_t, has_subject, id_match_t,
 	private_x509_ac_t *this, identification_t *subject)
 {
-	return ID_MATCH_NONE;
+	id_match_t entity = ID_MATCH_NONE, serial = ID_MATCH_NONE;
+
+	if (this->entityName)
+	{
+		entity = this->entityName->matches(this->entityName, subject);
+	}
+	if (this->holderSerial)
+	{
+		serial = this->holderSerial->matches(this->holderSerial, subject);
+	}
+	return max(entity, serial);
 }
 
 METHOD(certificate_t, has_issuer, id_match_t,
 	private_x509_ac_t *this, identification_t *issuer)
 {
-	if (issuer->get_type(issuer) == ID_KEY_ID && this->authKeyIdentifier.ptr &&
+	if (issuer->get_type(issuer) == ID_KEY_ID &&
+		this->authKeyIdentifier.ptr &&
 		chunk_equals(this->authKeyIdentifier, issuer->get_encoding(issuer)))
 	{
 		return ID_MATCH_PERFECT;
@@ -808,9 +977,10 @@ METHOD(certificate_t, equals, bool,
 	{
 		return TRUE;
 	}
-	if (other->equals == (void*)equals)
+	if (other->equals == _equals)
 	{	/* skip allocation if we have the same implementation */
-		return chunk_equals(this->encoding, ((private_x509_ac_t*)other)->encoding);
+		return chunk_equals(this->encoding,
+							((private_x509_ac_t*)other)->encoding);
 	}
 	if (!other->get_encoding(other, CERT_ASN1_DER, &encoding))
 	{
@@ -827,13 +997,13 @@ METHOD(certificate_t, destroy, void,
 	if (ref_put(&this->ref))
 	{
 		DESTROY_IF(this->holderIssuer);
+		DESTROY_IF(this->holderSerial);
 		DESTROY_IF(this->entityName);
 		DESTROY_IF(this->issuerName);
 		DESTROY_IF(this->holderCert);
 		DESTROY_IF(this->signerCert);
 		DESTROY_IF(this->signerKey);
-		DESTROY_IF(this->charging);
-		DESTROY_IF(this->groups);
+		this->groups->destroy_function(this->groups, (void*)group_destroy);
 		free(this->serialNumber.ptr);
 		free(this->authKeyIdentifier.ptr);
 		free(this->encoding.ptr);
@@ -869,9 +1039,10 @@ static private_x509_ac_t *create_empty(void)
 				.get_holderSerial = _get_holderSerial,
 				.get_holderIssuer = _get_holderIssuer,
 				.get_authKeyIdentifier = _get_authKeyIdentifier,
-				.get_groups = _get_groups,
+				.create_group_enumerator = _create_group_enumerator,
 			},
 		},
+		.groups = linked_list_create(),
 		.ref = 1,
 	);
 
@@ -914,6 +1085,27 @@ x509_ac_t *x509_ac_load(certificate_type_t type, va_list args)
 }
 
 /**
+ * Add groups from a list into AC group memberships
+ */
+static void add_groups_from_list(private_x509_ac_t *this, linked_list_t *list)
+{
+	enumerator_t *enumerator;
+	group_t *group;
+	char *name;
+
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &name))
+	{
+		INIT(group,
+			.type = AC_GROUP_TYPE_STRING,
+			.value = chunk_clone(chunk_from_str(name)),
+		);
+		this->groups->insert_last(this->groups, group);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
  * See header.
  */
 x509_ac_t *x509_ac_gen(certificate_type_t type, va_list args)
@@ -934,8 +1126,8 @@ x509_ac_t *x509_ac_gen(certificate_type_t type, va_list args)
 			case BUILD_SERIAL:
 				ac->serialNumber = chunk_clone(va_arg(args, chunk_t));
 				continue;
-			case BUILD_IETF_GROUP_ATTR:
-				ac->groups = ietf_attributes_create_from_string(va_arg(args, char*));
+			case BUILD_AC_GROUP_STRINGS:
+				add_groups_from_list(ac, va_arg(args, linked_list_t*));
 				continue;
 			case BUILD_CERT:
 				ac->holderCert = va_arg(args, certificate_t*);
@@ -968,4 +1160,3 @@ x509_ac_t *x509_ac_gen(certificate_type_t type, va_list args)
 	destroy(ac);
 	return NULL;
 }
-
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index ed850e8..9fd869e 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -758,6 +758,9 @@ static void parse_extendedKeyUsage(chunk_t blob, int level0,
 				case OID_OCSP_SIGNING:
 					this->flags |= X509_OCSP_SIGNER;
 					break;
+				case OID_MS_SMARTCARD_LOGON:
+					this->flags |= X509_MS_SMARTCARD_LOGON;
+					break;
 				default:
 					break;
 			}
@@ -2008,7 +2011,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 	chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
 	chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
 	chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty;
-	chunk_t ikeIntermediate = chunk_empty;
+	chunk_t ikeIntermediate = chunk_empty, msSmartcardLogon = chunk_empty;
 	identification_t *issuer, *subject;
 	chunk_t key_info;
 	signature_scheme_t scheme;
@@ -2139,6 +2142,10 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 	{
 		ocspSigning = asn1_build_known_oid(OID_OCSP_SIGNING);
 	}
+	if (cert->flags & X509_MS_SMARTCARD_LOGON)
+	{
+		msSmartcardLogon = asn1_build_known_oid(OID_MS_SMARTCARD_LOGON);
+	}
 
 	if (serverAuth.ptr || clientAuth.ptr || ikeIntermediate.ptr ||
 		ocspSigning.ptr)
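Review bot: The new `msSmartcardLogon` chunk is missing from the guard on the two lines directly below it, which still tests only `serverAuth.ptr || clientAuth.ptr || ikeIntermediate.ptr || ocspSigning.ptr`; a certificate whose only EKU flag is `X509_MS_SMARTCARD_LOGON` is therefore generated without any extendedKeyUsage extension, and the OID built here is never consumed by the `"mmmmm"` wrap in the next hunk, so that allocation leaks. Extend the condition to `if (serverAuth.ptr || clientAuth.ptr || ikeIntermediate.ptr || ocspSigning.ptr || msSmartcardLogon.ptr)`. `generate` starts and ends outside this hunk.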
@@ -2146,9 +2153,9 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 		extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm",
 								asn1_build_known_oid(OID_EXTENDED_KEY_USAGE),
 								asn1_wrap(ASN1_OCTET_STRING, "m",
-									asn1_wrap(ASN1_SEQUENCE, "mmmm",
+									asn1_wrap(ASN1_SEQUENCE, "mmmmm",
 										serverAuth, clientAuth, ikeIntermediate,
-										ocspSigning)));
+										ocspSigning, msSmartcardLogon)));
 	}
 
 	/* add subjectKeyIdentifier to CA and OCSP signer certificates */
@@ -2167,7 +2174,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 	}
 
 	/* add the keyid authKeyIdentifier for non self-signed certificates */
-	if (sign_key)
+	if (sign_cert)
 	{
 		chunk_t keyid;
 
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
index 09c5a85..ff0f023 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
@@ -252,7 +252,7 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
 {
 	int oid;
 	signature_scheme_t scheme;
-	chunk_t certs, signature, encoding;
+	chunk_t certs = chunk_empty, signature, encoding;
 
 	switch (this->key->get_type(this->key))
 	{
diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c
index 15fea7e..54bef73 100644
--- a/src/libstrongswan/plugins/x509/x509_plugin.c
+++ b/src/libstrongswan/plugins/x509/x509_plugin.c
@@ -52,9 +52,7 @@ METHOD(plugin_t, get_features, int,
 		PLUGIN_REGISTER(CERT_DECODE, x509_cert_load, TRUE),
 			PLUGIN_PROVIDE(CERT_DECODE, CERT_X509),
 				PLUGIN_DEPENDS(HASHER, HASH_SHA1),
-				PLUGIN_SDEPEND(PUBKEY, KEY_RSA),
-				PLUGIN_SDEPEND(PUBKEY, KEY_ECDSA),
-				PLUGIN_SDEPEND(PUBKEY, KEY_DSA),
+				PLUGIN_DEPENDS(PUBKEY, KEY_ANY),
 
 		PLUGIN_REGISTER(CERT_ENCODE, x509_ac_gen, FALSE),
 			PLUGIN_PROVIDE(CERT_ENCODE, CERT_X509_AC),
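Review bot: Replacing the three `PLUGIN_SDEPEND` entries with `PLUGIN_DEPENDS(PUBKEY, KEY_ANY)` turns an ordering hint into a hard requirement: the `CERT_DECODE` feature for `CERT_X509` is presumably no longer registered at all when no public-key provider plugin is loaded, rather than merely being loaded after them. That is a defensible tightening, since a certificate whose key cannot be parsed cannot be used to verify anything, but it silently changes which plugin sets make X.509 decoding available; a one-line comment above the new line, `/* a certificate is unusable without a parsable public key, hence a hard dependency */`, would record the intent for the next reader.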
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index c8f886c..ca61643 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in
index 656be4e..e58831c 100644
--- a/src/libstrongswan/tests/Makefile.in
+++ b/src/libstrongswan/tests/Makefile.in
@@ -402,7 +402,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/tests/suites/test_chunk.c b/src/libstrongswan/tests/suites/test_chunk.c
index e373fbd..34ace28 100644
--- a/src/libstrongswan/tests/suites/test_chunk.c
+++ b/src/libstrongswan/tests/suites/test_chunk.c
@@ -117,10 +117,13 @@ START_TEST(test_chunk_clear)
 	}
 	chunk_clear(&chunk);
 	/* check memory area of freed chunk. We can't use ck_assert() for this
-	 * test directly, as it might allocate data at the freed area. */
-	for (i = 0; i < 64; i++)
+	 * test directly, as it might allocate data at the freed area.  comparing
+	 * two bytes at once reduces the chances of conflicts if memory got
+	 * overwritten already */
+	for (i = 0; i < 64; i += 2)
 	{
-		if (ptr[i] != 0 && ptr[i] == i)
+		if (ptr[i] != 0 && ptr[i] == i &&
+			ptr[i+1] != 0 && ptr[i+1] == i+1)
 		{
 			cleared = FALSE;
 			break;
diff --git a/src/libstrongswan/tests/suites/test_enumerator.c b/src/libstrongswan/tests/suites/test_enumerator.c
index b5dde46..9bd6d24 100644
--- a/src/libstrongswan/tests/suites/test_enumerator.c
+++ b/src/libstrongswan/tests/suites/test_enumerator.c
@@ -104,10 +104,10 @@ static void destroy_data(void *data)
  * filtered test
  */
 
-static bool filter(void *data, int *v, int *vo, int *w, int *wo,
-				   int *x, int *xo, int *y, int *yo, int *z, int *zo)
+static bool filter(int *data, int **v, int *vo, int **w, int *wo,
+				   int **x, int *xo, int **y, int *yo, int **z, int *zo)
 {
-	int val = *v;
+	int val = **v;
 
 	*vo = val++;
 	*wo = val++;
@@ -118,21 +118,21 @@ static bool filter(void *data, int *v, int *vo, int *w, int *wo,
 	return TRUE;
 }
 
-static bool filter_odd(void *data, int *item, int *out)
+static bool filter_odd(void *data, int **item, int *out)
 {
 	fail_if(data != (void*)101, "data does not match '101' in filter function");
-	*out = *item;
-	return *item % 2 == 0;
+	*out = **item;
+	return **item % 2 == 0;
 }
 
 START_TEST(test_filtered)
 {
-	int round, v, w, x, y, z;
+	int data[5] = {1,2,3,4,5}, round, v, w, x, y, z;
 	linked_list_t *list;
 	enumerator_t *enumerator;
 
-	list = linked_list_create_with_items((void*)1, (void*)2, (void*)3, (void*)4,
-										 (void*)5, NULL);
+	list = linked_list_create_with_items(&data[0], &data[1], &data[2], &data[3],
+										 &data[4], NULL);
 
 	round = 1;
 	enumerator = enumerator_create_filter(list->create_enumerator(list),
@@ -155,12 +155,12 @@ END_TEST
 
 START_TEST(test_filtered_filter)
 {
-	int count, x;
+	int data[5] = {1,2,3,4,5}, count, x;
 	linked_list_t *list;
 	enumerator_t *enumerator;
 
-	list = linked_list_create_with_items((void*)1, (void*)2, (void*)3, (void*)4,
-										 (void*)5, NULL);
+	list = linked_list_create_with_items(&data[0], &data[1], &data[2], &data[3],
+										 &data[4], NULL);
 
 	count = 0;
 	/* should also work without destructor, so set this manually */
diff --git a/src/libstrongswan/tests/suites/test_ntru.c b/src/libstrongswan/tests/suites/test_ntru.c
index a46f574..7c0cb81 100644
--- a/src/libstrongswan/tests/suites/test_ntru.c
+++ b/src/libstrongswan/tests/suites/test_ntru.c
@@ -20,6 +20,8 @@
 #include <plugins/ntru/ntru_mgf1.h>
 #include <plugins/ntru/ntru_trits.h>
 #include <plugins/ntru/ntru_poly.h>
+#include <plugins/ntru/ntru_param_set.h>
+#include <plugins/ntru/ntru_private_key.h>
 #include <utils/test.h>
 
 IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_drbg_create, ntru_drbg_t*,
@@ -41,6 +43,18 @@ IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_poly_create_from_data, ntru_poly_t*,
 						  uint32_t indices_len_p, uint32_t indices_len_m,
 						  bool is_product_form)
 
+IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_param_set_get_by_id,  ntru_param_set_t* ,
+						  ntru_param_set_id_t id)
+
+IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_private_key_create, ntru_private_key_t*,
+						  ntru_drbg_t *drbg, ntru_param_set_t *params)
+
+IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_private_key_create_from_data, ntru_private_key_t*,
+						  ntru_drbg_t *drbg, chunk_t data)
+
+IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_public_key_create_from_data, ntru_public_key_t*,
+						  ntru_drbg_t *drbg, chunk_t data)
+
 /**
  * NTRU parameter sets to test
  */
@@ -86,7 +100,8 @@ START_TEST(test_ntru_drbg_strength)
 	entropy = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
 	ck_assert(entropy != NULL);
 
-	drbg = ntru_drbg_create(strengths[_i].requested, chunk_empty, entropy);
+	drbg = TEST_FUNCTION(ntru, ntru_drbg_create, strengths[_i].requested,
+						 chunk_empty, entropy);
 	if (strengths[_i].standard)
 	{
 		ck_assert(drbg != NULL);
@@ -243,7 +258,8 @@ START_TEST(test_ntru_drbg)
 
 	out = chunk_alloc(128);
 	entropy = test_rng_create(drbg_tests[_i].entropy);
-	drbg = ntru_drbg_create(256, drbg_tests[_i].pers_str, entropy);
+	drbg = TEST_FUNCTION(ntru, ntru_drbg_create, 256, drbg_tests[_i].pers_str,
+						 entropy);
 	ck_assert(drbg != NULL);
 	ck_assert(drbg->reseed(drbg));
 	ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
@@ -265,7 +281,7 @@ START_TEST(test_ntru_drbg_reseed)
 						  "libstrongswan.plugins.ntru.max_drbg_requests", 2);
 	out = chunk_alloc(128);
 	entropy = test_rng_create(drbg_tests[0].entropy);
-	drbg = ntru_drbg_create(256, chunk_empty, entropy);
+	drbg = TEST_FUNCTION(ntru, ntru_drbg_create, 256, chunk_empty, entropy);
 
 	/* bad output parameters */
 	ck_assert(!drbg->generate(drbg, 256, 0, out.ptr));
@@ -283,13 +299,13 @@ START_TEST(test_ntru_drbg_reseed)
 	drbg->destroy(drbg);
 
 	/* no entropy available for DRBG instantiation */
-	drbg = ntru_drbg_create(256, chunk_empty, entropy);
+	drbg = TEST_FUNCTION(ntru, ntru_drbg_create, 256, chunk_empty, entropy);
 	ck_assert(drbg == NULL);
 	entropy->destroy(entropy);
 
 	/* one automatic reseeding occurs */
 	entropy = test_rng_create(drbg_tests[0].entropy);
-	drbg = ntru_drbg_create(256, chunk_empty, entropy);
+	drbg = TEST_FUNCTION(ntru, ntru_drbg_create, 256, chunk_empty, entropy);
 	ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
 	ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
 	ck_assert(drbg->generate(drbg, 256, 128, out.ptr));
@@ -374,7 +390,7 @@ uint16_t indices_ees1171ep1[] = {
  */
 mgf1_test_t mgf1_tests[] = {
 	{	HASH_SHA1, 20, 60, 20, 15, 24,
-		chunk_from_chars( 
+		chunk_from_chars(
 						0xED, 0xA5, 0xC3, 0xBC, 0xAF, 0xB3, 0x20, 0x7D,
 						0x14, 0xA1, 0x54, 0xF7, 0x8B, 0x37, 0xF2, 0x8D,
 						0x8C, 0x9B, 0xD5, 0x63, 0x57, 0x38, 0x11, 0xC2,
@@ -408,7 +424,7 @@ mgf1_test_t mgf1_tests[] = {
 						0x40, 0x4B, 0xE7, 0x22, 0x3A, 0x56, 0x10, 0x6D,
 						0x4D, 0x29, 0x0B, 0xCE, 0xA6, 0x21, 0xB5, 0x5C,
 						0x71, 0x66, 0x2F, 0x70, 0x35, 0xD8, 0x8A, 0x92,
-						0x33, 0xF0, 0x16, 0xD4, 0x0E, 0x43, 0x8A, 0x14), 
+						0x33, 0xF0, 0x16, 0xD4, 0x0E, 0x43, 0x8A, 0x14),
 		chunk_from_chars(
 				1, 2, 1, 0, 0,  1, 1, 1, 2, 0,  1, 0, 1, 1, 1,  0, 2, 0, 1, 1,
 				0, 0, 0, 1, 1,  0, 2, 0, 2, 2,	1, 2, 2, 2, 1,  2, 1, 1, 0, 0,
@@ -466,7 +482,7 @@ mgf1_test_t mgf1_tests[] = {
 						0x76, 0x89, 0x8B, 0x1B, 0x60, 0xEC, 0x10, 0x9D,
 						0x8F, 0x13, 0xF2, 0xFE, 0xD9, 0x85, 0xC1, 0xAB,
 						0x7E, 0xEE, 0xB1, 0x31, 0xDD, 0xF7, 0x7F, 0x0C,
-						0x7D, 0xF9, 0x6B, 0x7B, 0x19, 0x80, 0xBD, 0x28), 
+						0x7D, 0xF9, 0x6B, 0x7B, 0x19, 0x80, 0xBD, 0x28),
 		chunk_from_chars(
 						0xF1, 0x19, 0x02, 0x4F, 0xDA, 0x58, 0x05, 0x9A,
 						0x07, 0xDF, 0x61, 0x81, 0x22, 0x0E, 0x15, 0x46,
@@ -542,14 +558,17 @@ START_TEST(test_ntru_mgf1)
 	mask2.len = mgf1_tests[_i].ml2;
 	mask3.len = mgf1_tests[_i].ml3;
 
-	mgf1 = ntru_mgf1_create(HASH_UNKNOWN, mgf1_tests[_i].seed, TRUE);
+	mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, HASH_UNKNOWN,
+						 mgf1_tests[_i].seed, TRUE);
 	ck_assert(mgf1 == NULL);
 
-	mgf1 = ntru_mgf1_create(mgf1_tests[_i].alg, chunk_empty, TRUE);
+	mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, mgf1_tests[_i].alg,
+						 chunk_empty, TRUE);
 	ck_assert(mgf1 == NULL);
 
 	/* return mask in allocated chunk */
-	mgf1 = ntru_mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].seed, TRUE);
+	mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, mgf1_tests[_i].alg,
+						 mgf1_tests[_i].seed, TRUE);
 	ck_assert(mgf1);
 
 	/* check hash size */
@@ -565,14 +584,16 @@ START_TEST(test_ntru_mgf1)
 	mgf1->destroy(mgf1);
 
 	/* copy mask to pre-allocated buffer */
-	mgf1 = ntru_mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].seed, TRUE);
+	mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, mgf1_tests[_i].alg,
+						 mgf1_tests[_i].seed, TRUE);
 	ck_assert(mgf1);
 	ck_assert(mgf1->get_mask(mgf1, mgf1_tests[_i].mask.len, mask.ptr));
 	ck_assert(chunk_equals(mask, mgf1_tests[_i].mask));
 	mgf1->destroy(mgf1);
 
 	/* get mask in batches without hashing the seed */
-	mgf1 = ntru_mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].hashed_seed, FALSE);
+	mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, mgf1_tests[_i].alg,
+						 mgf1_tests[_i].hashed_seed, FALSE);
 	ck_assert(mgf1);
 
 	/* first batch */
@@ -600,16 +621,16 @@ START_TEST(test_ntru_trits)
 	ntru_trits_t *mask;
 	chunk_t trits;
 
-	mask = ntru_trits_create(mgf1_tests[_i].trits.len, HASH_UNKNOWN,
-							 mgf1_tests[_i].seed);
+	mask = TEST_FUNCTION(ntru, ntru_trits_create, mgf1_tests[_i].trits.len,
+						 HASH_UNKNOWN, mgf1_tests[_i].seed);
 	ck_assert(mask == NULL);
 
-	mask = ntru_trits_create(mgf1_tests[_i].trits.len, mgf1_tests[_i].alg,
-							 chunk_empty);
+	mask = TEST_FUNCTION(ntru, ntru_trits_create, mgf1_tests[_i].trits.len,
+						 mgf1_tests[_i].alg, chunk_empty);
 	ck_assert(mask == NULL);
 
-	mask = ntru_trits_create(mgf1_tests[_i].trits.len, mgf1_tests[_i].alg,
-							 mgf1_tests[_i].seed);
+	mask = TEST_FUNCTION(ntru, ntru_trits_create, mgf1_tests[_i].trits.len,
+						 mgf1_tests[_i].alg, mgf1_tests[_i].seed);
 	ck_assert(mask);
 
 	trits = chunk_create(mask->get_trits(mask), mask->get_size(mask));
@@ -617,7 +638,8 @@ START_TEST(test_ntru_trits)
 	mask->destroy(mask);
 
 	/* generate a multiple of 5 trits */
-	mask = ntru_trits_create(10, mgf1_tests[_i].alg, mgf1_tests[_i].seed);
+	mask = TEST_FUNCTION(ntru, ntru_trits_create, 10, mgf1_tests[_i].alg,
+						 mgf1_tests[_i].seed);
 	ck_assert(mask);
 
 	trits = chunk_create(mask->get_trits(mask), mask->get_size(mask));
@@ -638,17 +660,17 @@ START_TEST(test_ntru_poly)
 	seed.len = mgf1_tests[_i].seed_len;
 
 	p = &mgf1_tests[_i].poly_test[0];
-	poly = ntru_poly_create_from_seed(HASH_UNKNOWN, seed, p->c_bits, p->N, p->q,
-									  p->indices_len, p->indices_len,
-									  p->is_product_form);
+	poly = TEST_FUNCTION(ntru, ntru_poly_create_from_seed, HASH_UNKNOWN, seed,
+						 p->c_bits, p->N, p->q, p->indices_len, p->indices_len,
+						 p->is_product_form);
 	ck_assert(poly == NULL);
 
 	for (n = 0; n < 2; n++)
 	{
 		p = &mgf1_tests[_i].poly_test[n];
-		poly = ntru_poly_create_from_seed(mgf1_tests[_i].alg, seed, p->c_bits,
-										  p->N, p->q, p->indices_len,
-										  p->indices_len, p->is_product_form);
+		poly = TEST_FUNCTION(ntru, ntru_poly_create_from_seed,
+							mgf1_tests[_i].alg, seed, p->c_bits, p->N, p->q,
+							p->indices_len, p->indices_len, p->is_product_form);
 		ck_assert(poly != NULL && poly->get_size(poly) == p->indices_size);
 
 		indices = poly->get_indices(poly);
@@ -748,8 +770,9 @@ START_TEST(test_ntru_ring_mult)
 	int i;
 
 	t = &ring_mult_tests[_i];
-	poly = ntru_poly_create_from_data(t->indices, t->N, t->q, t->indices_len_p,
-									  t->indices_len_m, t->is_product_form);
+	poly = TEST_FUNCTION(ntru, ntru_poly_create_from_data, t->indices, t->N,
+						 t->q, t->indices_len_p, t->indices_len_m,
+						 t->is_product_form);
 	ck_assert(poly != NULL);
 
 	c = malloc(t->N * sizeof(uint16_t));
@@ -776,8 +799,9 @@ START_TEST(test_ntru_array)
 
 	t = &ring_mult_tests[array_tests[_i]];
 
-	poly = ntru_poly_create_from_data(t->indices, t->N, t->q, t->indices_len_p,
-									  t->indices_len_m, t->is_product_form);
+	poly = TEST_FUNCTION(ntru, ntru_poly_create_from_data, t->indices, t->N,
+						 t->q, t->indices_len_p, t->indices_len_m,
+						 t->is_product_form);
 	ck_assert(poly != NULL);
 
 	c = malloc(t->N * sizeof(uint16_t));
@@ -793,62 +817,413 @@ START_TEST(test_ntru_array)
 }
 END_TEST
 
+START_TEST(test_ntru_param_set)
+{
+	ck_assert(TEST_FUNCTION(ntru, ntru_param_set_get_by_id, -1) == NULL);
+	ck_assert(TEST_FUNCTION(ntru, ntru_param_set_get_by_id, 16) == NULL);
+}
+END_TEST
+
+typedef struct {
+	ntru_param_set_id_t id;
+	chunk_t entropy;
+	chunk_t encoding;
+} privkey_test_t;
+
+privkey_test_t privkey_tests[] = {
+	{
+		NTRU_EES401EP1,
+		chunk_from_chars(
+						0x0C, 0x2F, 0x24, 0xE1, 0xA4, 0x81, 0x26, 0xA2,
+						0x6C, 0xEA, 0xCD, 0x1A, 0xF3, 0xEB, 0x3D, 0xBF,
+						0xEA, 0xAE, 0xC3, 0x0D, 0xC1),
+		chunk_from_chars(
+						0x02, 0x03, 0x00, 0x02, 0x04, 0x3E, 0xF3, 0xCB,
+						0x7A, 0x58, 0x13, 0x75, 0xBB, 0x87, 0xF5, 0xBF,
+						0x2E, 0x18, 0xAE, 0x03, 0xAF, 0xB8, 0x33, 0x85,
+						0xD8, 0xBF, 0x8A, 0xB5, 0x8C, 0xA6, 0xDF, 0x03,
+						0x90, 0x1E, 0xE4, 0x83, 0xA4, 0x95, 0x40, 0xB5,
+						0x08, 0x92, 0x29, 0xD8, 0x83, 0xA8, 0x42, 0xB2,
+						0x69, 0xC2, 0x00, 0x8B, 0xAE, 0x80, 0x00, 0x4F,
+						0x3D, 0xDD, 0xFB, 0xDB, 0x9A, 0xD8, 0x0F, 0xFF,
+						0xBC, 0x21, 0xD5, 0xE6, 0x04, 0x9C, 0xDD, 0x3B,
+						0x2D, 0x16, 0x4B, 0xC7, 0x3D, 0xBE, 0xDE, 0xBB,
+						0x6F, 0xF4, 0x8A, 0x31, 0xCD, 0x23, 0x19, 0xC2,
+						0x3C, 0xE1, 0xE2, 0xEE, 0xE4, 0xE7, 0x2E, 0xFC,
+						0x5C, 0xDD, 0xAD, 0x0C, 0x9D, 0x98, 0xC5, 0x18,
+						0x2A, 0x80, 0x21, 0x93, 0x61, 0xC4, 0x9A, 0x16,
+						0xE8, 0x9B, 0xF7, 0x3B, 0x6D, 0x06, 0x91, 0x9E,
+						0x71, 0x59, 0xBE, 0x8E, 0x65, 0x61, 0xB2, 0x69,
+						0x9C, 0x82, 0x58, 0x0D, 0x63, 0x7A, 0x1F, 0x2A,
+						0x1C, 0x2C, 0x92, 0x8C, 0x8D, 0xCA, 0x2B, 0x45,
+						0x24, 0x79, 0xDB, 0x7F, 0x1D, 0x2F, 0xAB, 0x88,
+						0x8C, 0x1D, 0xE3, 0x15, 0x8F, 0xCD, 0x46, 0x8C,
+						0x45, 0x20, 0x88, 0x1C, 0x17, 0xE0, 0xE5, 0x89,
+						0xF4, 0x60, 0x56, 0x3C, 0x6B, 0x9F, 0x2A, 0xD9,
+						0xD0, 0xAE, 0x3B, 0xB6, 0xC2, 0xB7, 0x58, 0xC6,
+						0x6E, 0x09, 0x36, 0x21, 0x0B, 0xDD, 0xE9, 0x52,
+						0x33, 0x27, 0x39, 0xC8, 0x51, 0x59, 0x69, 0x25,
+						0xC6, 0x3D, 0x19, 0x5C, 0x5E, 0x74, 0xD0, 0x62,
+						0xD9, 0x26, 0x90, 0xC7, 0x64, 0x92, 0xA8, 0x72,
+						0xD1, 0x77, 0x1F, 0x78, 0xC5, 0x11, 0xBD, 0x5D,
+						0x3C, 0x1B, 0x1F, 0x8B, 0x5B, 0xE4, 0x5D, 0xA1,
+						0x27, 0x6D, 0x20, 0x24, 0x32, 0x53, 0xF3, 0xB0,
+						0xE6, 0x71, 0x61, 0xCC, 0xFC, 0x4A, 0x06, 0xDA,
+						0xBE, 0xD7, 0x9F, 0x2F, 0xEB, 0x44, 0xD0, 0x8A,
+						0x7D, 0x8E, 0x82, 0xF5, 0x84, 0xCF, 0x8E, 0xE5,
+						0x4B, 0xA4, 0x30, 0x77, 0xBD, 0x14, 0xB9, 0x75,
+						0x02, 0x68, 0xDF, 0x71, 0x89, 0x81, 0xF2, 0x95,
+						0xC3, 0x67, 0x6E, 0x37, 0xE4, 0xD0, 0xC9, 0x1E,
+						0x02, 0xDE, 0x2D, 0x79, 0x99, 0xE8, 0x7D, 0x5C,
+						0x99, 0xF2, 0x1A, 0xDE, 0x12, 0x9B, 0xD1, 0x83,
+						0x9B, 0x01, 0xD3, 0xEB, 0x2B, 0x8E, 0x9C, 0xA5,
+						0x19, 0xE8, 0x2E, 0xFE, 0x23, 0x6E, 0xAD, 0x8F,
+						0x3C, 0xAF, 0xB9, 0xE6, 0xDB, 0x07, 0xA4, 0x31,
+						0x02, 0x2B, 0x6A, 0xA0, 0xFB, 0x51, 0x6C, 0xD0,
+						0x26, 0xD5, 0xAD, 0x29, 0x65, 0x10, 0xCE, 0xF8,
+						0x84, 0x4D, 0x1E, 0x37, 0x92, 0xA2, 0xD1, 0xFA,
+						0xF6, 0xC0, 0x36, 0x4C, 0x23, 0x3A, 0x42, 0xAA,
+						0xB8, 0x0D, 0x4E, 0xD4, 0x40, 0x61, 0xD5, 0x36,
+						0x62, 0x23, 0x7C, 0x1C, 0x5E, 0xEA, 0x16, 0xAD,
+						0x4F, 0x30, 0xF9, 0x16, 0x99, 0xCE, 0xC5, 0x50,
+						0xAC, 0x8F, 0x6F, 0x98, 0xD7, 0xE3, 0x89, 0x6E,
+						0x3A, 0x12, 0xCE, 0xA7, 0xA4, 0x17, 0x74, 0xDC,
+						0xDB, 0xFA, 0xFF, 0xF9, 0x35, 0xD7, 0xF5, 0x77,
+						0x03, 0xF5, 0xBF, 0x81, 0x6C, 0x9F, 0x62, 0xA6,
+						0x8A, 0x5B, 0xA3, 0xEF, 0x9D, 0xC3, 0xF6, 0x3A,
+						0x6A, 0xC0, 0x42, 0x71, 0xAF, 0x90, 0xCA, 0x1D,
+						0x86, 0x78, 0xD7, 0x2C, 0xFE, 0xB6, 0x99, 0x15,
+						0x8C, 0x10, 0x42, 0x92, 0x2C, 0x05, 0x43, 0x92,
+						0x69, 0x05, 0x8D, 0x9E, 0xBC, 0xAB, 0x8F, 0x28,
+						0xAA, 0x4B, 0xFB, 0x25, 0xD9, 0xAD, 0x29, 0xFF,
+						0x33, 0x65, 0x14, 0xC3, 0x75, 0x1F, 0xCF, 0xFC,
+						0x20, 0x83, 0xBF, 0xB9, 0xA5, 0x4B, 0x7B, 0xD9,
+						0x07, 0x5C, 0xA1, 0xD1, 0x5A, 0x3E, 0x94, 0xF8,
+						0x03, 0xDE, 0xB8, 0x94, 0x11, 0x92, 0x80, 0x77,
+						0x57, 0x45, 0x1E, 0x6B, 0xA5, 0x15, 0xDB, 0x48,
+						0xB6, 0x9E, 0x02, 0xF1, 0x61, 0x4A, 0xAC, 0x1D,
+						0x49, 0xBC, 0xA9, 0x3F, 0x03, 0x50, 0xAC, 0x02,
+						0x8E, 0x84, 0xE0, 0x12, 0x37, 0x76, 0xBC, 0x4A,
+						0xF9, 0xC6, 0x74, 0x36, 0xFC, 0x92, 0x1D, 0x59,
+						0x0C, 0x04, 0xD2, 0x14, 0xB7, 0x11, 0xE9, 0xE2,
+						0xFE, 0x0C, 0xE1, 0xDA, 0x8B, 0xCA, 0x10, 0xA1,
+						0x60, 0xB6, 0x57, 0x51, 0x00, 0xD6, 0x5B, 0x55,
+						0x09, 0x60, 0xE8, 0x00, 0x40, 0x45, 0x56, 0xBA,
+						0x83, 0x1E, 0x36, 0x12, 0x59, 0x4B, 0x19, 0x00,
+						0x53, 0xAE, 0x62, 0xA6, 0x29, 0x39, 0xED, 0x87,
+						0x24, 0x37, 0x1E, 0x1B, 0xCF, 0x3F, 0x3A, 0x71,
+						0x31, 0xB5, 0x50, 0x8D, 0x4B, 0x53, 0x53, 0x75,
+						0x3F, 0x33, 0x39, 0x09, 0x2A, 0x78, 0xA8, 0x71,
+						0x3E, 0x63, 0xC5, 0x61, 0x73, 0xB6, 0xE1, 0x71,
+						0x16, 0xDA, 0x06, 0xBF, 0x3F, 0x22, 0x74, 0x89,
+						0x08, 0xD2, 0x05, 0x0B, 0x16, 0xC8, 0xF0, 0x17,
+						0x4E, 0xA2, 0x65, 0x67, 0x6D, 0x02)
+	},
+	{
+		NTRU_EES743EP1,
+		chunk_from_chars(
+						0x9B, 0xAB, 0x57, 0xDB, 0x2C, 0x60, 0x83, 0x48,
+						0x9F, 0xC9, 0x70, 0x8F, 0x69, 0xF7, 0xB4, 0xBB,
+						0x63, 0x5C, 0x9A, 0x63, 0x07, 0x80, 0x17, 0xD3,
+						0xCD, 0xB1, 0x57, 0x79, 0xFE, 0x8D, 0x81, 0x70,
+						0xEB, 0x50, 0xFA, 0x05, 0xFB, 0x97, 0xB2, 0xAB,
+						0x25, 0xED, 0xD8, 0x18, 0x1C, 0xFE, 0x96, 0x7D),
+		chunk_from_chars(
+						0x02, 0x03, 0x00, 0x06, 0x10, 0x14, 0x53, 0x73,
+						0x56, 0xF5, 0xA9, 0x34, 0xDE, 0xA6, 0x4D, 0x46,
+						0x05, 0x9E, 0x80, 0xAE, 0xB6, 0x74, 0x91, 0xFF,
+						0xFB, 0x48, 0xD3, 0x5C, 0x61, 0x12, 0x46, 0x02,
+						0x9F, 0x53, 0x45, 0x87, 0x47, 0xBD, 0x6B, 0x26,
+						0xF7, 0x36, 0xD3, 0x99, 0x1B, 0xD7, 0xEA, 0xA3,
+						0xA8, 0x94, 0xFF, 0x93, 0x46, 0x7C, 0x2C, 0x5F,
+						0x87, 0x8C, 0x38, 0xB3, 0x7B, 0xC6, 0x49, 0xE2,
+						0x88, 0xCA, 0x67, 0x89, 0xD0, 0x6D, 0x7C, 0xAE,
+						0x7C, 0x98, 0x84, 0xDA, 0x6B, 0x93, 0x92, 0xEF,
+						0x4A, 0xD1, 0x4A, 0xD2, 0x5B, 0x13, 0xF8, 0x59,
+						0x15, 0x2E, 0xBC, 0x70, 0x8D, 0x2D, 0xA9, 0x47,
+						0xA1, 0x99, 0x19, 0x3F, 0x67, 0xE8, 0x18, 0xA7,
+						0x17, 0x07, 0xB3, 0x14, 0xF6, 0x20, 0xA1, 0xD8,
+						0x33, 0xE8, 0x08, 0x6A, 0xC1, 0x39, 0x99, 0x08,
+						0xB4, 0x88, 0xEB, 0x48, 0x7D, 0xFB, 0xF5, 0xEF,
+						0x03, 0x0D, 0x25, 0xB7, 0x98, 0xF3, 0xF1, 0x15,
+						0x63, 0xE4, 0x0F, 0xFD, 0x54, 0x9F, 0x56, 0xE9,
+						0xD1, 0x44, 0xE5, 0x89, 0x66, 0x14, 0x91, 0x1C,
+						0xFD, 0xD6, 0xFD, 0x38, 0xAE, 0x39, 0xE3, 0xF7,
+						0xCD, 0x77, 0xC2, 0xEA, 0x2E, 0xE4, 0xB7, 0x2B,
+						0xBA, 0x7A, 0xD1, 0x75, 0xB8, 0x28, 0x65, 0x18,
+						0xF4, 0xC6, 0xBD, 0xD0, 0x17, 0x7E, 0xEA, 0x86,
+						0x7E, 0xFC, 0x95, 0xD6, 0x4C, 0x92, 0x01, 0xC3,
+						0xFF, 0x04, 0x9B, 0xF8, 0xD6, 0xB3, 0x8F, 0x72,
+						0xEF, 0x64, 0x09, 0x61, 0xF8, 0xE4, 0x48, 0xFC,
+						0x0D, 0xEE, 0xEF, 0xA2, 0x9F, 0x3A, 0x2B, 0x1A,
+						0xFB, 0x8B, 0xA0, 0x9C, 0x11, 0x0B, 0x97, 0x75,
+						0x30, 0x7C, 0xB8, 0x9F, 0xEE, 0x3B, 0x53, 0x85,
+						0x7D, 0xE9, 0xCB, 0xC4, 0x4D, 0xD7, 0x7F, 0x59,
+						0x10, 0x72, 0x19, 0x3A, 0xC9, 0x38, 0xFE, 0xE8,
+						0xB3, 0x06, 0x55, 0x8D, 0xA2, 0x5A, 0x3D, 0x79,
+						0x67, 0x0E, 0x90, 0xC9, 0x25, 0x6D, 0x45, 0x9C,
+						0x39, 0x79, 0x5F, 0x18, 0x35, 0x9F, 0xC1, 0x49,
+						0x08, 0x6F, 0x1C, 0x47, 0x09, 0x0D, 0x49, 0x7C,
+						0x3C, 0x7B, 0xB1, 0x09, 0x92, 0x1C, 0x4E, 0x5A,
+						0xDA, 0x74, 0x9E, 0xBB, 0x55, 0x9D, 0xBB, 0x1E,
+						0x43, 0x28, 0x62, 0xAF, 0x02, 0xB0, 0x1A, 0xEA,
+						0x13, 0x0A, 0x70, 0x0F, 0x60, 0x0F, 0x62, 0xA2,
+						0x4E, 0x1F, 0xB2, 0xEA, 0x06, 0xDD, 0x18, 0x02,
+						0x6C, 0xF3, 0x82, 0xF1, 0x80, 0x7F, 0xA7, 0x2F,
+						0xCC, 0xC6, 0x18, 0xEA, 0xFF, 0x1F, 0xAD, 0xC6,
+						0xBA, 0x0C, 0x0E, 0x04, 0xB2, 0x58, 0x1D, 0xB6,
+						0x01, 0xA3, 0x97, 0xDF, 0x7D, 0x9B, 0xB5, 0x0A,
+						0xAD, 0x30, 0x2B, 0xC5, 0x67, 0x40, 0x07, 0xF1,
+						0xD5, 0x6C, 0x11, 0x10, 0xE1, 0x69, 0x30, 0xAD,
+						0x90, 0x06, 0xDB, 0xF8, 0xEA, 0x92, 0x9B, 0x39,
+						0x57, 0x38, 0x7B, 0xE4, 0xB2, 0xA2, 0x89, 0xFD,
+						0xB1, 0x6D, 0x88, 0x41, 0x62, 0x4D, 0x18, 0xB6,
+						0x3F, 0x12, 0x81, 0xDE, 0xE6, 0xDC, 0x4A, 0x31,
+						0x61, 0x26, 0xB1, 0x4B, 0x95, 0xC1, 0x69, 0xDC,
+						0xDC, 0xAC, 0xD0, 0x15, 0xFC, 0x21, 0xC5, 0x20,
+						0x5F, 0x97, 0x76, 0x41, 0xC1, 0xF2, 0xD7, 0x95,
+						0x1D, 0x25, 0x23, 0x36, 0x86, 0xFA, 0x7E, 0xF4,
+						0x14, 0x9F, 0x9D, 0x9F, 0xB2, 0xBB, 0x25, 0x1D,
+						0xD5, 0x7A, 0x6F, 0x9E, 0xF7, 0xEF, 0x9D, 0x63,
+						0x1E, 0xD5, 0xDE, 0x6A, 0xE6, 0x46, 0x48, 0x1F,
+						0xE1, 0x0C, 0x4D, 0x82, 0xC9, 0x19, 0x3B, 0x65,
+						0xA4, 0x06, 0x13, 0xB7, 0x04, 0xB1, 0x62, 0xF7,
+						0x08, 0xAE, 0xED, 0x42, 0x6D, 0xCC, 0x6C, 0xA6,
+						0x06, 0x06, 0x41, 0x3E, 0x0C, 0x89, 0x4C, 0xBD,
+						0x00, 0x4F, 0x0E, 0xA9, 0x72, 0x06, 0x21, 0x82,
+						0xD2, 0xB6, 0x6C, 0xB0, 0xB0, 0x01, 0x5B, 0xDD,
+						0x05, 0xCE, 0x71, 0x6E, 0x00, 0x58, 0xC7, 0xA6,
+						0x5B, 0xF6, 0xFB, 0x6B, 0x62, 0xB1, 0xE8, 0x4D,
+						0xAC, 0xC0, 0x6B, 0xF4, 0x40, 0x69, 0xEE, 0x0D,
+						0xE7, 0x82, 0x61, 0x8D, 0x35, 0x01, 0x97, 0x4E,
+						0xF2, 0xCC, 0xF5, 0x7F, 0xBF, 0xE4, 0xEC, 0x9C,
+						0xC4, 0xD2, 0xD9, 0x65, 0x78, 0x98, 0xD8, 0xB0,
+						0xFA, 0xA8, 0xFB, 0xB0, 0xCE, 0x22, 0x5D, 0x0B,
+						0x27, 0xDF, 0x0E, 0x63, 0x42, 0xFE, 0x89, 0x13,
+						0x99, 0xB2, 0x02, 0x0B, 0xF6, 0x04, 0xB6, 0xAF,
+						0x9F, 0x8C, 0xA6, 0x17, 0x0D, 0xD9, 0x5B, 0x45,
+						0xE4, 0x08, 0x53, 0x51, 0xE0, 0xD5, 0x22, 0x72,
+						0xBE, 0xAD, 0x74, 0x69, 0xB9, 0xFB, 0x91, 0xF8,
+						0xC1, 0x89, 0x28, 0x71, 0x27, 0x62, 0xB1, 0xF0,
+						0xFD, 0x78, 0xBC, 0x82, 0xFE, 0x76, 0xBE, 0x7B,
+						0x47, 0x79, 0x32, 0x71, 0xAD, 0xD6, 0x76, 0x46,
+						0xFB, 0x32, 0xE8, 0x4B, 0x98, 0x9A, 0xC6, 0x85,
+						0xF2, 0xF1, 0x8A, 0xEC, 0xC2, 0x4E, 0x9B, 0x2F,
+						0x2D, 0x6F, 0xC9, 0x9B, 0xB6, 0x14, 0x35, 0x6D,
+						0xD6, 0x5B, 0xF3, 0x02, 0x5A, 0xE5, 0xBD, 0x00,
+						0xF7, 0x6E, 0x51, 0xA7, 0xDB, 0x19, 0xAE, 0x01,
+						0x01, 0x05, 0x94, 0x23, 0xF7, 0x5B, 0x07, 0x79,
+						0xFF, 0x39, 0x58, 0x9C, 0x2A, 0xF7, 0x7E, 0x5D,
+						0x81, 0xF9, 0x59, 0xFE, 0xB9, 0x9A, 0x96, 0x63,
+						0x1F, 0x65, 0xF6, 0xF0, 0x3D, 0xEA, 0xD7, 0xC2,
+						0x8A, 0xCF, 0xB5, 0x58, 0x74, 0x77, 0x23, 0xD6,
+						0x72, 0x58, 0xA8, 0xAE, 0x31, 0x8A, 0x59, 0xEA,
+						0x69, 0x14, 0x6A, 0x20, 0x78, 0x79, 0x28, 0x5A,
+						0xE1, 0x76, 0x6F, 0xA6, 0x1A, 0x9E, 0x47, 0xD2,
+						0xAF, 0x63, 0xF8, 0x06, 0xF6, 0xD8, 0xD5, 0x14,
+						0xA8, 0xD1, 0xEE, 0x96, 0xCE, 0xBB, 0x8E, 0x22,
+						0x69, 0x2F, 0x52, 0x06, 0xB6, 0x6F, 0xC8, 0x99,
+						0x96, 0xEA, 0xC6, 0x1D, 0x96, 0x4C, 0x69, 0x95,
+						0xFE, 0x74, 0x04, 0x3C, 0x55, 0xD9, 0x5F, 0xE0,
+						0x41, 0x21, 0x43, 0x21, 0x5A, 0x50, 0x5D, 0x8B,
+						0xE8, 0xB2, 0x51, 0x1B, 0x7C, 0x63, 0x50, 0xAE,
+						0x97, 0x4F, 0xBA, 0x7D, 0xF2, 0xB6, 0xB6, 0x16,
+						0x1D, 0x47, 0x9E, 0x19, 0x68, 0xD4, 0x6B, 0x2B,
+						0x75, 0xCD, 0xAE, 0x65, 0x33, 0x38, 0xF6, 0x6D,
+						0xC7, 0x3E, 0x46, 0x98, 0x9E, 0x98, 0x8B, 0x45,
+						0x11, 0xA7, 0x12, 0x05, 0xB0, 0x01, 0xC3, 0x51,
+						0xA0, 0xEE, 0x7C, 0x16, 0xD1, 0x42, 0x96, 0xC4,
+						0xF0, 0x7B, 0x71, 0xCD, 0x50, 0x38, 0xA4, 0xB0,
+						0x6E, 0x6F, 0xE0, 0xBD, 0xC4, 0xF7, 0x96, 0x2B,
+						0xF1, 0x6D, 0x9F, 0xF3, 0x71, 0x89, 0xFA, 0xB4,
+						0x44, 0xA4, 0x32, 0xDC, 0xB2, 0x55, 0x13, 0x31,
+						0x83, 0x29, 0x66, 0x21, 0x3E, 0x89, 0xF8, 0x78,
+						0x97, 0x9C, 0x64, 0xF9, 0x2C, 0x0A, 0x88, 0xBC,
+						0xCA, 0x6F, 0x83, 0x42, 0xF6, 0xD7, 0x00, 0xC4,
+						0x19, 0x52, 0xB0, 0x31, 0xA8, 0xBA, 0xE8, 0xD4,
+						0xAD, 0x4B, 0x5D, 0xC0, 0x01, 0x20, 0x6C, 0xBB,
+						0x1D, 0x9A, 0x1D, 0xD4, 0x19, 0xFD, 0x33, 0xAB,
+						0xA0, 0x54, 0x50, 0x91, 0xE9, 0x75, 0x5C, 0x7E,
+						0x7E, 0xB3, 0x24, 0x79, 0xAE, 0x10, 0x3C, 0xB4,
+						0xB7, 0x0A, 0x1D, 0x86, 0xAD, 0x06, 0x95, 0xCB,
+						0x84, 0x9B, 0x0E, 0x8B, 0x77, 0x7E, 0x3E, 0xD2,
+						0xA6, 0xDF, 0xAD, 0x4E, 0xFB, 0x69, 0x23, 0xAC,
+						0x7A, 0xCB, 0xAA, 0xB0, 0x22, 0xDD, 0xD2, 0xC6,
+						0xC7, 0xAD, 0xD7, 0xDE, 0xEC, 0x6F, 0x08, 0x41,
+						0x54, 0xD5, 0x52, 0xDC, 0x77, 0xE4, 0x72, 0xF9,
+						0x16, 0xB1, 0xC9, 0xAF, 0xB1, 0x3B, 0x18, 0x99,
+						0x20, 0x9F, 0x79, 0x63, 0x7B, 0x07, 0xC7, 0x35,
+						0xDF, 0xBB, 0xCE, 0x66, 0x93, 0x1B, 0xF5, 0x82,
+						0x25, 0x67, 0xC1, 0xF2, 0xF0, 0x89, 0x0F, 0xEF,
+						0x84, 0x0D, 0x63, 0xB6, 0x7B, 0xD0, 0x40, 0x8E,
+						0xDB, 0x94, 0xCC, 0x71, 0x3C, 0xDB, 0x36, 0x14,
+						0x34, 0xFD, 0xA0, 0xB0, 0xC1, 0x45, 0x31, 0xF8,
+						0x8D, 0xD8, 0x23, 0xB1, 0x05, 0x14, 0xA9, 0x55,
+						0x3A, 0x1A, 0x37, 0x48, 0x68, 0x89, 0x3F, 0x15,
+						0x25, 0xD4, 0x99, 0x53, 0x4C, 0x85, 0x98, 0x78,
+						0x1D, 0x35, 0x4A, 0x83, 0x79, 0x9A, 0x29, 0x90,
+						0x2B, 0x45, 0x76, 0x0C, 0x13, 0x80, 0x4A, 0xE0,
+						0x40, 0xED, 0x6B, 0x2E, 0x2A, 0x43, 0xA9, 0x28,
+						0xB0, 0x2F, 0x89, 0x01, 0x6B, 0x39, 0x8C, 0x5E,
+						0x80, 0x61, 0xD9, 0xEE, 0x0F, 0x41, 0x75, 0xB5,
+						0xAE, 0xB6, 0xC2, 0x42, 0x49, 0x8D, 0x89, 0xD8,
+						0xF4, 0x78, 0x1D, 0x90, 0x46, 0x26, 0x4C, 0x56,
+						0xB7, 0xC0, 0xD9, 0x98, 0x7B, 0x07, 0xA1, 0x20)
+	}
+};
+
+START_TEST(test_ntru_privkey)
+{
+	rng_t *entropy;
+	ntru_drbg_t *drbg;
+	ntru_private_key_t *privkey;
+	ntru_public_key_t *pubkey;
+	ntru_param_set_t *params;
+	uint32_t strength;
+	chunk_t encoding, privkey_encoding, pubkey_encoding;
+
+	params = TEST_FUNCTION(ntru, ntru_param_set_get_by_id,
+						   privkey_tests[_i].id);
+	strength = params->sec_strength_len * BITS_PER_BYTE;
+	entropy = test_rng_create(privkey_tests[_i].entropy);
+	drbg = TEST_FUNCTION(ntru, ntru_drbg_create, strength,
+						 chunk_from_str("IKE NTRU-KE"), entropy);
+	ck_assert(drbg != NULL);
+
+	privkey = TEST_FUNCTION(ntru, ntru_private_key_create, drbg, params);
+	ck_assert(privkey);
+	ck_assert(privkey->get_id(privkey) == privkey_tests[_i].id);
+
+	privkey_encoding = privkey->get_encoding(privkey);
+	encoding = privkey_tests[_i].encoding;
+	ck_assert(chunk_equals(privkey_encoding, encoding));
+
+	/* load private key as a packed blob */
+	privkey->destroy(privkey);
+	privkey = TEST_FUNCTION(ntru, ntru_private_key_create_from_data,
+							drbg, chunk_empty);
+	ck_assert(privkey == NULL);
+
+	encoding = chunk_clone(encoding);
+	encoding.ptr[0] = NTRU_PUBKEY_TAG;
+	privkey = TEST_FUNCTION(ntru, ntru_private_key_create_from_data,
+							drbg, encoding);
+	ck_assert(privkey == NULL);
+
+	encoding.ptr[0] = NTRU_PRIVKEY_TRITS_TAG;
+	privkey = TEST_FUNCTION(ntru, ntru_private_key_create_from_data,
+							drbg, encoding);
+	if (params->is_product_form)
+	{
+		ck_assert(privkey == NULL);
+	}
+	else
+	{
+		ck_assert(privkey != NULL);
+		privkey->destroy(privkey);
+	}
+
+	encoding.ptr[0] = NTRU_PRIVKEY_INDICES_TAG;
+	privkey = TEST_FUNCTION(ntru, ntru_private_key_create_from_data,
+							drbg, encoding);
+	if (params->is_product_form)
+	{
+		ck_assert(privkey != NULL);
+		privkey->destroy(privkey);
+	}
+	else
+	{
+		ck_assert(privkey == NULL);
+	}
+
+	encoding.ptr[0] = NTRU_PRIVKEY_DEFAULT_TAG;
+	encoding.ptr[1] = NTRU_OID_LEN - 1;
+	privkey = TEST_FUNCTION(ntru, ntru_private_key_create_from_data,
+							drbg, encoding);
+	ck_assert(privkey == NULL);
+
+	encoding.ptr[1] = NTRU_OID_LEN;
+	encoding.ptr[2] = 0xff;
+	privkey = TEST_FUNCTION(ntru, ntru_private_key_create_from_data,
+							drbg, encoding);
+	ck_assert(privkey == NULL);
+
+	encoding.ptr[2] = params->oid[0];
+	privkey = TEST_FUNCTION(ntru, ntru_private_key_create_from_data,
+							drbg, encoding);
+	privkey_encoding = privkey->get_encoding(privkey);
+	ck_assert(chunk_equals(privkey_encoding, encoding));
+
+	pubkey = privkey->get_public_key(privkey);
+	pubkey_encoding = pubkey->get_encoding(pubkey);
+
+	encoding.ptr[0] = NTRU_PUBKEY_TAG;
+	encoding.len = pubkey_encoding.len;
+	ck_assert(chunk_equals(pubkey_encoding, encoding));
+
+	/* load public key as a packed blob */
+	pubkey->destroy(pubkey);
+	pubkey = TEST_FUNCTION(ntru, ntru_public_key_create_from_data,
+						   drbg, encoding);
+	pubkey_encoding = pubkey->get_encoding(pubkey);
+	ck_assert(chunk_equals(pubkey_encoding, encoding));
+
+	chunk_free(&encoding);
+	privkey->destroy(privkey);
+	pubkey->destroy(pubkey);
+	drbg->destroy(drbg);
+	entropy->destroy(entropy);
+}
+END_TEST
+
 START_TEST(test_ntru_ke)
 {
 	chunk_t pub_key, cipher_text, i_shared_secret, r_shared_secret;
 	diffie_hellman_t *i_ntru, *r_ntru;
 	char buf[10];
-	int n, len;
+	int k, n, len;
 	status_t status;
 
+	k = (_i) / countof(parameter_sets);
+	n = (_i) % countof(parameter_sets);
+
 	len = snprintf(buf, sizeof(buf), "%N", diffie_hellman_group_names,
-				   params[_i].group);
+				   params[k].group);
 	ck_assert(len == 8);
-	ck_assert(streq(buf, params[_i].group_name));
-
-	for (n = 0; n < countof(parameter_sets); n++)
-	{
-		lib->settings->set_str(lib->settings,
-							  "libstrongswan.plugins.ntru.parameter_set",
-							   parameter_sets[n]);
+	ck_assert(streq(buf, params[k].group_name));
 
-		i_ntru = lib->crypto->create_dh(lib->crypto, params[_i].group);
-		ck_assert(i_ntru != NULL);
-		ck_assert(i_ntru->get_dh_group(i_ntru) == params[_i].group);
+	lib->settings->set_str(lib->settings,
+				"libstrongswan.plugins.ntru.parameter_set", parameter_sets[n]);
 
-		i_ntru->get_my_public_value(i_ntru, &pub_key);
-		ck_assert(pub_key.len > 0);
+	i_ntru = lib->crypto->create_dh(lib->crypto, params[k].group);
+	ck_assert(i_ntru != NULL);
+	ck_assert(i_ntru->get_dh_group(i_ntru) == params[k].group);
 
-		r_ntru = lib->crypto->create_dh(lib->crypto, params[_i].group);
-		ck_assert(r_ntru != NULL);
+	i_ntru->get_my_public_value(i_ntru, &pub_key);
+	ck_assert(pub_key.len > 0);
 
-		r_ntru->set_other_public_value(r_ntru, pub_key);
-		r_ntru->get_my_public_value(r_ntru, &cipher_text);
-		ck_assert(cipher_text.len > 0);
+	r_ntru = lib->crypto->create_dh(lib->crypto, params[k].group);
+	ck_assert(r_ntru != NULL);
 
-		status = r_ntru->get_shared_secret(r_ntru, &r_shared_secret);
-		ck_assert(status == SUCCESS);
-		ck_assert(r_shared_secret.len > 0);
+	r_ntru->set_other_public_value(r_ntru, pub_key);
+	r_ntru->get_my_public_value(r_ntru, &cipher_text);
+	ck_assert(cipher_text.len > 0);
 
-		i_ntru->set_other_public_value(i_ntru, cipher_text);
-		status = i_ntru->get_shared_secret(i_ntru, &i_shared_secret);
+	status = r_ntru->get_shared_secret(r_ntru, &r_shared_secret);
+	ck_assert(status == SUCCESS);
+	ck_assert(r_shared_secret.len > 0);
 
-		if (status == SUCCESS)
-		{
-			ck_assert(chunk_equals(i_shared_secret, r_shared_secret));
-		}
-		else
-		{
-			ck_assert(i_shared_secret.len == 0);
-		}
+	i_ntru->set_other_public_value(i_ntru, cipher_text);
+	status = i_ntru->get_shared_secret(i_ntru, &i_shared_secret);
+	ck_assert(status == SUCCESS);
+	ck_assert(chunk_equals(i_shared_secret, r_shared_secret));
 
-		chunk_clear(&i_shared_secret);
-		chunk_clear(&r_shared_secret);
-		chunk_free(&pub_key);
-		chunk_free(&cipher_text);
-		i_ntru->destroy(i_ntru);
-		r_ntru->destroy(r_ntru);
-	}
+	chunk_clear(&i_shared_secret);
+	chunk_clear(&r_shared_secret);
+	chunk_free(&pub_key);
+	chunk_free(&cipher_text);
+	i_ntru->destroy(i_ntru);
+	r_ntru->destroy(r_ntru);
 }
 END_TEST
 
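Review bot: In `test_ntru_privkey`, the result of `ntru_private_key_create_from_data` for the `NTRU_PRIVKEY_DEFAULT_TAG` case with the correct OID byte is dereferenced immediately via `privkey->get_encoding(privkey)`, and later the result of `ntru_public_key_create_from_data` via `pubkey->get_encoding(pubkey)`, without a `ck_assert` on either pointer; a regression that makes those return NULL would crash the test binary instead of being reported as a failed test. Insert `ck_assert(privkey != NULL);` before the first and `ck_assert(pubkey != NULL);` before the second. The same applies to `params` from `ntru_param_set_get_by_id` at the top of the test, which is dereferenced for `sec_strength_len` before any check.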
@@ -1015,8 +1390,17 @@ Suite *ntru_suite_create()
 	tcase_add_loop_test(tc, test_ntru_array, 0, countof(array_tests));
 	suite_add_tcase(s, tc);
 
+	tc = tcase_create("param_set");
+	tcase_add_test(tc, test_ntru_param_set);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("privkey");
+	tcase_add_loop_test(tc, test_ntru_privkey, 0, countof(privkey_tests));
+	suite_add_tcase(s, tc);
+
 	tc = tcase_create("ke");
-	tcase_add_loop_test(tc, test_ntru_ke, 0, countof(params));
+	tcase_add_loop_test(tc, test_ntru_ke, 0,
+						countof(params) * countof(parameter_sets));
 	suite_add_tcase(s, tc);
 
 	tc = tcase_create("retransmission");
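Review bot: The loop count `countof(params) * countof(parameter_sets)` packs two indices into the test's `_i`, but nothing here says how test_ntru_ke splits it back into the `params[k]` and `parameter_sets[n]` indices used in the preceding hunk. A one-line comment on the `tcase_add_loop_test` call, mirroring the exact decode used in test_ntru_ke, would keep the two sites from drifting apart when either array grows: `/* _i enumerates every (params, parameter_sets) pair; decoded in test_ntru_ke */`. ntru_suite_create continues outside the hunk.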
diff --git a/src/libstrongswan/tests/suites/test_vectors.c b/src/libstrongswan/tests/suites/test_vectors.c
index 242ac9d..a1205d0 100644
--- a/src/libstrongswan/tests/suites/test_vectors.c
+++ b/src/libstrongswan/tests/suites/test_vectors.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2013 Martin Willi
  * Copyright (C) 2013 revosec AG
  *
@@ -15,13 +18,15 @@
 
 #include "test_suite.h"
 
-/*******************************************************************************
- * Check if test vectors have been successful during transform registration
- */
+#include <utils/test.h>
+
+IMPORT_FUNCTION_FOR_TESTS(crypto, verify_registered_algorithms, u_int,
+						  crypto_factory_t *factory);
 
 START_TEST(test_vectors)
 {
-	u_int failed = lib->crypto->get_test_vector_failures(lib->crypto);
+	u_int failed = TEST_FUNCTION(crypto, verify_registered_algorithms,
+								 lib->crypto);
 	fail_if(failed > 0, "%u test vectors failed", failed);
 }
 END_TEST
diff --git a/src/libstrongswan/tests/test_runner.c b/src/libstrongswan/tests/test_runner.c
index 0b26ee1..5ec4198 100644
--- a/src/libstrongswan/tests/test_runner.c
+++ b/src/libstrongswan/tests/test_runner.c
@@ -22,6 +22,7 @@
 #include <collections/array.h>
 #include <utils/test.h>
 
+#include <stdlib.h>
 #include <dirent.h>
 #include <unistd.h>
 #include <limits.h>
@@ -32,31 +33,85 @@
 #define TTY(color) tty_escape_get(2, TTY_FG_##color)
 
 /**
- * Initialize the lookup table for testable functions (defined in libstrongswan)
+ * Initialize the lookup table for testable functions (defined in
+ * libstrongswan).  We don't use the constructor attribute as the order can't
+ * really be defined (clang does not support it and gcc does not adhere to it in
+ * the monolithic build).  The function here is a weak symbol in libstrongswan.
  */
-static void testable_functions_create() __attribute__ ((constructor(1000)));
-static void testable_functions_create()
+void testable_functions_create()
 {
-	testable_functions = hashtable_create(hashtable_hash_str,
-										  hashtable_equals_str, 8);
+	if (!testable_functions)
+	{
+		testable_functions = hashtable_create(hashtable_hash_str,
+											  hashtable_equals_str, 8);
+	}
 }
 
 /**
  * Destroy the lookup table for testable functions
  */
-static void testable_functions_destroy() __attribute__ ((destructor(1000)));
+static void testable_functions_destroy() __attribute__ ((destructor));
 static void testable_functions_destroy()
 {
-	testable_functions->destroy(testable_functions);
+	DESTROY_IF(testable_functions);
 	/* if leak detective is enabled plugins are not actually unloaded, which
 	 * means their destructor is called AFTER this one when the process
-	 * terminates, even though the priority says differently, make sure this
-	 * does not crash */
+	 * terminates, make sure this does not crash */
 	testable_functions = NULL;
 }
 
 /**
- * Load all available test suites
+ * Destroy a single test suite and associated data
+ */
+static void destroy_suite(test_suite_t *suite)
+{
+	test_case_t *tcase;
+
+	while (array_remove(suite->tcases, 0, &tcase))
+	{
+		array_destroy(tcase->functions);
+		array_destroy(tcase->fixtures);
+	}
+	free(suite);
+}
+
+/**
+ * Removes and destroys test suites that are not selected.
+ */
+static void filter_suites(array_t *loaded)
+{
+	enumerator_t *enumerator, *names;
+	hashtable_t *selected;
+	test_suite_t *suite;
+	char *suites, *name;
+
+	suites = getenv("TESTS_SUITES");
+	if (!suites)
+	{
+		return;
+	}
+	selected = hashtable_create(hashtable_hash_str, hashtable_equals_str, 8);
+	names = enumerator_create_token(suites, ",", " ");
+	while (names->enumerate(names, &name))
+	{
+		selected->put(selected, name, name);
+	}
+	enumerator = array_create_enumerator(loaded);
+	while (enumerator->enumerate(enumerator, &suite))
+	{
+		if (!selected->get(selected, suite->name))
+		{
+			array_remove_at(loaded, enumerator);
+			destroy_suite(suite);
+		}
+	}
+	enumerator->destroy(enumerator);
+	selected->destroy(selected);
+	names->destroy(names);
+}
+
+/**
+ * Load all available test suites, or optionally only selected ones.
  */
 static array_t *load_suites(test_configuration_t configs[],
 							test_runner_init_t init)
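Review bot: In filter_suites the `selected` table stores the token pointers it gets from `names` as both key and value, so the lookups at `selected->get()` only work while the token enumerator (and whatever buffer it hands out) is still alive; the code gets the order right by destroying `selected` before `names`, but that dependency is silent. A comment on the `selected->destroy(selected);` line, `/* keys point into the token enumerator's storage, destroy it last */`, would stop a later reorder from turning this into a use-after-free (this assumes the tokens are backed by the enumerator rather than copied; confirm against enumerator_create_token). It would also help to note in the function comment that a name in `TESTS_SUITES` matching no loaded suite is silently ignored rather than reported. load_suites continues outside the hunk.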
@@ -91,6 +146,7 @@ static array_t *load_suites(test_configuration_t configs[],
 			array_insert(suites, -1, configs[i].suite());
 		}
 	}
+	filter_suites(suites);
 
 	if (lib->leak_detective)
 	{
@@ -112,16 +168,10 @@ static array_t *load_suites(test_configuration_t configs[],
 static void unload_suites(array_t *suites)
 {
 	test_suite_t *suite;
-	test_case_t *tcase;
 
 	while (array_remove(suites, 0, &suite))
 	{
-		while (array_remove(suite->tcases, 0, &tcase))
-		{
-			array_destroy(tcase->functions);
-			array_destroy(tcase->fixtures);
-		}
-		free(suite);
+		destroy_suite(suite);
 	}
 	array_destroy(suites);
 }
@@ -178,6 +228,9 @@ static bool call_fixture(test_case_t *tcase, bool up)
  */
 static bool pre_test(test_runner_init_t init)
 {
+	level_t level = LEVEL_SILENT;
+	char *verbosity;
+
 	library_init(NULL, "test-runner");
 
 	/* use non-blocking RNG to generate keys fast */
@@ -185,6 +238,9 @@ static bool pre_test(test_runner_init_t init)
 			"libstrongswan.plugins.random.random",
 			lib->settings->get_str(lib->settings,
 				"libstrongswan.plugins.random.urandom", "/dev/urandom"));
+	/* same for the gcrypt plugin */
+	lib->settings->set_default_str(lib->settings,
+			"libstrongswan.plugins.gcrypt.quick_random", "yes");
 
 	if (lib->leak_detective)
 	{
@@ -197,7 +253,12 @@ static bool pre_test(test_runner_init_t init)
 		library_deinit();
 		return FALSE;
 	}
-	dbg_default_set_level(LEVEL_SILENT);
+	verbosity = getenv("TESTS_VERBOSITY");
+	if (verbosity)
+	{
+		level = atoi(verbosity);
+	}
+	dbg_default_set_level(level);
 	return TRUE;
 }
 
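Review bot: `level = atoi(verbosity);` accepts any string: a typo in `TESTS_VERBOSITY` such as `"2x"` or `"debug"` yields 0, which is no longer silent, and a large value is passed straight to dbg_default_set_level without being clamped to a defined level_t. Parsing with `strtol()` and checking the end pointer, keeping LEVEL_SILENT whenever the value is not a clean integer, would make the environment knob fail closed; it is also worth a comment that the highest levels print key material into the test log, so CI should not set them by default. pre_test continues outside the hunk.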
@@ -254,7 +315,7 @@ static void sum_leaks(report_data_t *data, int count, size_t bytes,
  * Do library cleanup and optionally check for memory leaks
  */
 static bool post_test(test_runner_init_t init, bool check_leaks,
-					  array_t *failures, char *name, int i)
+					  array_t *failures, char *name, int i, int *leaks)
 {
 	report_data_t data = {
 		.failures = failures,
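Review bot: The new `int *leaks` out-parameter is not described in the header comment above (`* Do library cleanup and optionally check for memory leaks`), and from the later hunks it is only written on the path that returns TRUE, while the `test_restore_point()` failure path returns FALSE without touching it; run_case happens to initialise `leaks = 0`, but that contract is invisible here. Please extend the comment with ` * @param leaks		number of leaks detected, written only when TRUE is returned` and ` * @return			FALSE if the library could not be re-initialized`. post_test continues outside the hunk.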
@@ -264,7 +325,15 @@ static bool post_test(test_runner_init_t init, bool check_leaks,
 
 	if (init)
 	{
-		init(FALSE);
+		if (test_restore_point())
+		{
+			init(FALSE);
+		}
+		else
+		{
+			library_deinit();
+			return FALSE;
+		}
 	}
 	if (check_leaks && lib->leak_detective)
 	{
@@ -274,7 +343,8 @@ static bool post_test(test_runner_init_t init, bool check_leaks,
 	}
 	library_deinit();
 
-	return data.leaks != 0;
+	*leaks = data.leaks;
+	return TRUE;
 }
 
 /**
@@ -346,7 +416,8 @@ static bool run_case(test_case_t *tcase, test_runner_init_t init)
 		{
 			if (pre_test(init))
 			{
-				bool ok = FALSE, leaks = FALSE;
+				bool ok = FALSE;
+				int leaks = 0;
 
 				test_setup_timeout(tcase->timeout);
 
@@ -363,9 +434,11 @@ static bool run_case(test_case_t *tcase, test_runner_init_t init)
 					{
 						call_fixture(tcase, FALSE);
 					}
-
 				}
-				leaks = post_test(init, ok, failures, tfun->name, i);
+				if (!post_test(init, ok, failures, tfun->name, i, &leaks))
+				{
+					ok = FALSE;
+				}
 
 				test_setup_timeout(0);
 
diff --git a/src/libstrongswan/tests/test_suite.c b/src/libstrongswan/tests/test_suite.c
index 0f2e74b..fb40b05 100644
--- a/src/libstrongswan/tests/test_suite.c
+++ b/src/libstrongswan/tests/test_suite.c
@@ -136,7 +136,8 @@ static inline void test_failure()
 	else
 	{
 		pthread_kill(main_thread, SIGUSR1);
-		/* how can we stop just the thread? longjmp to a restore point? */
+		/* terminate thread to prevent it from going wild */
+		pthread_exit(NULL);
 	}
 }
 
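Review bot: `pthread_exit(NULL);` ends the failing thread while it may still hold mutexes or rwlocks taken by the code under test, and those are never released, so the main thread that just received SIGUSR1 can block on the next test that touches the same lock instead of reporting the failure cleanly. If the thread was started through strongswan's own thread wrapper, whatever bookkeeping that wrapper does after the thread function returns is presumably skipped as well (worth confirming against thread.c). Replacing the comment with `/* terminate thread; locks it holds are NOT released, tests must tolerate that */` at least makes the limitation explicit for test authors. test_failure continues outside the hunk.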
diff --git a/src/libstrongswan/threading/thread.c b/src/libstrongswan/threading/thread.c
index eb167d6..0adfb31 100644
--- a/src/libstrongswan/threading/thread.c
+++ b/src/libstrongswan/threading/thread.c
@@ -496,6 +496,8 @@ void threads_deinit()
 	dummy1->destroy(dummy1);
 
 	main_thread->mutex->lock(main_thread->mutex);
+	main_thread->terminated = TRUE;
+	main_thread->detached_or_joined = TRUE;
 	thread_destroy(main_thread);
 	current_thread->destroy(current_thread);
 	id_mutex->destroy(id_mutex);
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index 82eadcb..af29e21 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2013-2014 Tobias Brunner
  * Copyright (C) 2006-2013 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -973,17 +973,20 @@ leak_detective_t *leak_detective_create()
 		},
 	);
 
+	if (getenv("LEAK_DETECTIVE_DISABLE") != NULL)
+	{
+		free(this);
+		return NULL;
+	}
+
 	lock = spinlock_create();
 	thread_disabled = thread_value_create(NULL);
 
 	init_static_allocations();
 
-	if (getenv("LEAK_DETECTIVE_DISABLE") == NULL)
+	if (register_hooks())
 	{
-		if (register_hooks())
-		{
-			enable_leak_detective();
-		}
+		enable_leak_detective();
 	}
 	return &this->public;
 }
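Review bot: leak_detective_create() can now return NULL, so every caller that previously assumed a non-NULL instance must check it; the hunk in leak_detective.h below documents the environment variable but its `@return leak detective instance` line still reads as if an object is always returned. Change it to `@return leak detective instance, NULL if disabled via LEAK_DETECTIVE_DISABLE` so the contract is stated where callers look. The early `free(this)` correctly happens before the spinlock and thread value are created, so nothing leaks on that path.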
diff --git a/src/libstrongswan/utils/leak_detective.h b/src/libstrongswan/utils/leak_detective.h
index 3fd0b8c..ca70067 100644
--- a/src/libstrongswan/utils/leak_detective.h
+++ b/src/libstrongswan/utils/leak_detective.h
@@ -50,9 +50,7 @@ typedef void (*leak_detective_summary_cb_t)(void* user, int count, size_t bytes,
 										    int whitelisted);
 
 /**
- * Leak detective finds leaks and bad frees using malloc hooks.
- *
- * Currently leaks are reported to stderr on destruction.
+ * Leak detective finds leaks and invalid frees using malloc hooks.
  *
  * @todo Build an API for leak detective, allowing leak enumeration, statistics
  * and dynamic whitelisting.
@@ -62,13 +60,12 @@ struct leak_detective_t {
 	/**
 	 * Report leaks to the registered callback functions.
 	 *
-	 * @param detailed 		TRUE to resolve line/filename of leak (slow)
+	 * @param detailed 		TRUE to resolve line/filename of leaks (slow)
 	 */
 	void (*report)(leak_detective_t *this, bool detailed);
 
 	/**
-	 * Report current memory usage to out.
-	 * Set callback functions invoked during a report().
+	 * Set callback functions invoked when report() is called.
 	 *
 	 * @param cb			callback invoked for each detected leak
 	 * @param scb			summary callback invoked at end of report
@@ -78,11 +75,11 @@ struct leak_detective_t {
 						  leak_detective_summary_cb_t scb, void *user);
 
 	/**
-	 * Report current memory usage using a callbacks.
+	 * Report current memory usage using callback functions.
 	 *
 	 * @param cb			callback invoked for each allocation
 	 * @param scb			summary callback invoked at end of usage report
-	 * @param user			user data supplied to callbacks
+	 * @param user			user data to supply to callbacks
 	 */
 	void (*usage)(leak_detective_t *this, leak_detective_report_cb_t cb,
 				  leak_detective_summary_cb_t scb, void *user);
@@ -109,7 +106,10 @@ struct leak_detective_t {
 };
 
 /**
- * Create a leak_detective instance.
+ * Create a leak_detective instance, unless the LEAK_DETECTIVE_DISABLE
+ * environment variable is set.
+ *
+ * @return					leak detective instance
  */
 leak_detective_t *leak_detective_create();
 
diff --git a/src/libstrongswan/utils/settings.c b/src/libstrongswan/utils/settings.c
index 490490a..cf34fd1 100644
--- a/src/libstrongswan/utils/settings.c
+++ b/src/libstrongswan/utils/settings.c
@@ -1224,7 +1224,16 @@ static bool parse_file(linked_list_t *contents, char *file, int level,
 	{
 		if (errno == ENOENT)
 		{
-			DBG2(DBG_LIB, "'%s' does not exist, ignored", file);
+#ifdef STRONGSWAN_CONF
+			if (streq(file, STRONGSWAN_CONF))
+			{
+				DBG2(DBG_LIB, "'%s' does not exist, ignored", file);
+			}
+			else
+#endif
+			{
+				DBG1(DBG_LIB, "'%s' does not exist, ignored", file);
+			}
 			return TRUE;
 		}
 		DBG1(DBG_LIB, "failed to stat '%s': %s", file, strerror(errno));
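Review bot: The `#ifdef STRONGSWAN_CONF ... else #endif { ... }` construction leaves a bare `else` whose `if` only exists in one build configuration, which is legal but easy to break when someone edits either branch. Computing the condition into a local first keeps both builds reading the same way, as in the version below. parse_file starts and ends outside the hunk.
```c
		if (errno == ENOENT)
		{
			bool expected = FALSE;

#ifdef STRONGSWAN_CONF
			/* the default config is allowed to be absent, don't warn */
			expected = streq(file, STRONGSWAN_CONF);
#endif
			if (expected)
			{
				DBG2(DBG_LIB, "'%s' does not exist, ignored", file);
			}
			else
			{
				DBG1(DBG_LIB, "'%s' does not exist, ignored", file);
			}
			return TRUE;
		}
```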
@@ -1244,8 +1253,8 @@ static bool parse_file(linked_list_t *contents, char *file, int level,
 	fseek(fd, 0, SEEK_END);
 	len = ftell(fd);
 	rewind(fd);
-	text = malloc(len + 1);
-	text[len] = '\0';
+	text = malloc(len + 2);
+	text[len] = text[len + 1] = '\0';
 	if (fread(text, 1, len, fd) != len)
 	{
 		free(text);
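Review bot: `text = malloc(len + 2);` with `text[len] = text[len + 1] = '\0';` adds a second terminator without saying why; presumably some part of the parser reads one byte past the first NUL, and a comment such as `/* parser may look one character past the terminator, keep two */` would save the next reader from having to rediscover that (confirm against the lexer before committing to the wording). Separately, `len` comes from `ftell()` and is still used unchecked: if `ftell()` fails and returns -1, the allocation and the `text[len]` store are out of range, so a `if (len < 0)` bail-out before the malloc would close that pre-existing hole while this line is being touched (the declared type of `len` is not visible here). parse_file starts and ends outside the hunk.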
@@ -1287,7 +1296,7 @@ static bool parse_files(linked_list_t *contents, char *file, int level,
 
 	if (!strlen(pattern))
 	{
-		DBG2(DBG_LIB, "empty include pattern, ignored");
+		DBG1(DBG_LIB, "empty include pattern, ignored");
 		return TRUE;
 	}
 
@@ -1318,7 +1327,7 @@ static bool parse_files(linked_list_t *contents, char *file, int level,
 		status = glob(pat, GLOB_ERR, NULL, &buf);
 		if (status == GLOB_NOMATCH)
 		{
-			DBG2(DBG_LIB, "no files found matching '%s', ignored", pat);
+			DBG1(DBG_LIB, "no files found matching '%s', ignored", pat);
 		}
 		else if (status != 0)
 		{
@@ -1509,4 +1518,3 @@ settings_t *settings_create(char *file)
 
 	return &this->public;
 }
-
diff --git a/src/libstrongswan/utils/test.c b/src/libstrongswan/utils/test.c
index 7de5a76..624ac4b 100644
--- a/src/libstrongswan/utils/test.c
+++ b/src/libstrongswan/utils/test.c
@@ -22,29 +22,46 @@
  */
 hashtable_t *testable_functions;
 
+/**
+ * The function that actually initializes the hash table above.  Provided
+ * by the test runner.
+ */
+void testable_functions_create() __attribute__((weak));
+
 /*
  * Described in header.
  */
 void testable_function_register(char *name, void *fn)
 {
-	if (testable_functions)
+	bool old = FALSE;
+
+	if (!testable_functions_create)
+	{	/* not linked to the test runner */
+		return;
+	}
+	else if (!fn && !testable_functions)
+	{	/* ignore as testable_functions has already been destroyed */
+		return;
+	}
+
+	if (lib && lib->leak_detective)
+	{
+		old = lib->leak_detective->set_state(lib->leak_detective, FALSE);
+	}
+	if (!testable_functions)
+	{
+		testable_functions_create();
+	}
+	if (fn)
+	{
+		testable_functions->put(testable_functions, name, fn);
+	}
+	else
+	{
+		testable_functions->remove(testable_functions, name);
+	}
+	if (lib && lib->leak_detective)
 	{
-		bool old = FALSE;
-		if (lib->leak_detective)
-		{
-			old = lib->leak_detective->set_state(lib->leak_detective, FALSE);
-		}
-		if (fn)
-		{
-			testable_functions->put(testable_functions, name, fn);
-		}
-		else
-		{
-			testable_functions->remove(testable_functions, name);
-		}
-		if (lib->leak_detective)
-		{
-			lib->leak_detective->set_state(lib->leak_detective, old);
-		}
+		lib->leak_detective->set_state(lib->leak_detective, old);
 	}
 }
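Review bot: `if (!testable_functions_create)` relies on the address of an undefined weak function evaluating to NULL, which holds for GCC/clang on ELF but is not guaranteed on other object formats (Mach-O wants weak_import, PE has no equivalent), so libstrongswan builds there may either fail to link or always take the registration path. A comment next to the declaration in test.c, `/* weak: NULL unless the test runner is linked in (ELF semantics) */`, plus a build-time guard for non-ELF targets, would make the assumption explicit. Also note that a registration with `fn != NULL` after testable_functions_destroy() has run will lazily recreate the table with nothing left to free it; that looks tolerable for process exit but deserves a sentence in the function comment.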
diff --git a/src/libstrongswan/utils/test.h b/src/libstrongswan/utils/test.h
index 5b72892..a1b2a2d 100644
--- a/src/libstrongswan/utils/test.h
+++ b/src/libstrongswan/utils/test.h
@@ -51,7 +51,7 @@ void testable_function_register(char *name, void *fn);
  * @param fn		function to register
  */
 #define EXPORT_FUNCTION_FOR_TESTS(ns, fn) \
-static void testable_function_register_##fn() __attribute__ ((constructor(2000))); \
+static void testable_function_register_##fn() __attribute__ ((constructor)); \
 static void testable_function_register_##fn() \
 { \
 	testable_function_register(#ns "/" #fn, fn); \
@@ -65,32 +65,32 @@ static void testable_function_unregister_##fn() \
 /**
  * Import a registered function so that it can be called from tests.
  *
- * @note If the imported function is static (or no conflicting header files
- * are included) ret can be prefixed with static to declare the function static.
- *
- * @note We allocate an arbitrary amount of stack space, hopefully enough for
- * all arguments.
- *
  * @param ns		namespace of the function
  * @param name		name of the function
  * @param ret		return type of the function
  * @param ...		arguments of the function
  */
 #define IMPORT_FUNCTION_FOR_TESTS(ns, name, ret, ...) \
-ret name(__VA_ARGS__) \
-{ \
-	void (*fn)() = NULL; \
+static ret (*TEST_##ns##name)(__VA_ARGS__);
+
+/**
+ * Call a registered function from tests.
+ *
+ * @param ns		namespace of the function
+ * @param name		name of the function
+ * @param ...		arguments for the function
+ */
+#define TEST_FUNCTION(ns, name, ...) \
+({ \
 	if (testable_functions) \
 	{ \
-		fn = testable_functions->get(testable_functions, #ns "/" #name); \
+		TEST_##ns##name = testable_functions->get(testable_functions, #ns "/" #name); \
 	} \
-	if (fn) \
+	if (!TEST_##ns##name) \
 	{ \
-		void *args = __builtin_apply_args(); \
-		__builtin_return(__builtin_apply(fn, args, 16*sizeof(void*))); \
+		test_fail_msg(__FILE__, __LINE__, "function " #name " (" #ns ") not found"); \
 	} \
-	test_fail_msg(__FILE__, __LINE__, "function " #name " (" #ns ") not found"); \
-	__builtin_return(NULL); \
-}
+	TEST_##ns##name(__VA_ARGS__); \
+})
 
 #endif /** TEST_H_ @}*/
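Review bot: `TEST_##ns##name` pastes the namespace and function name with no separator, so two imports such as (ns=`ab`, name=`c`) and (ns=`a`, name=`bc`) produce the same identifier and a confusing redefinition error; using `TEST_##ns##_##name` in both IMPORT_FUNCTION_FOR_TESTS and TEST_FUNCTION removes the ambiguity at no cost. The macro also calls `TEST_##ns##name(__VA_ARGS__)` unconditionally after `test_fail_msg()`, so it is correct only if test_fail_msg never returns; if that is the contract, marking it noreturn (or a comment `/* test_fail_msg() does not return */` above the call) would make the NULL-call impossibility visible to readers and to the compiler. The statement-expression form is a GCC extension, but the previous __builtin_apply version already was, so portability is unchanged.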
diff --git a/src/libtls/Makefile.am b/src/libtls/Makefile.am
index b83ea8e..d565a14 100644
--- a/src/libtls/Makefile.am
+++ b/src/libtls/Makefile.am
@@ -8,6 +8,7 @@ ipseclib_LTLIBRARIES = libtls.la
 libtls_la_SOURCES = \
 	tls_protection.c tls_compression.c tls_fragmentation.c tls_alert.c \
 	tls_crypto.c tls_prf.c tls_socket.c tls_eap.c tls_cache.c tls_peer.c \
+	tls_aead_expl.c tls_aead_impl.c tls_aead_null.c tls_aead.c \
 	tls_server.c tls.c
 
 libtls_la_LIBADD = \
@@ -18,5 +19,7 @@ tls_includedir = ${dev_headers}/tls
 nobase_tls_include_HEADERS = \
 	tls_protection.h tls_compression.h tls_fragmentation.h tls_alert.h \
 	tls_crypto.h tls_prf.h tls_socket.h tls_eap.h tls_cache.h tls_peer.h \
-	tls_server.h tls_handshake.h tls_application.h tls.h
+	tls_server.h tls_handshake.h tls_application.h tls_aead.h tls.h
 endif
+
+SUBDIRS = . tests
diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in
index 87ae2a6..b6abd1e 100644
--- a/src/libtls/Makefile.in
+++ b/src/libtls/Makefile.in
@@ -134,6 +134,7 @@ libtls_la_DEPENDENCIES =  \
 am_libtls_la_OBJECTS = tls_protection.lo tls_compression.lo \
 	tls_fragmentation.lo tls_alert.lo tls_crypto.lo tls_prf.lo \
 	tls_socket.lo tls_eap.lo tls_cache.lo tls_peer.lo \
+	tls_aead_expl.lo tls_aead_impl.lo tls_aead_null.lo tls_aead.lo \
 	tls_server.lo tls.lo
 libtls_la_OBJECTS = $(am_libtls_la_OBJECTS)
 AM_V_lt = $(am__v_lt_ at AM_V@)
@@ -176,6 +177,14 @@ am__v_CCLD_0 = @echo "  CCLD    " $@;
 am__v_CCLD_1 = 
 SOURCES = $(libtls_la_SOURCES)
 DIST_SOURCES = $(libtls_la_SOURCES)
+RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
+	ctags-recursive dvi-recursive html-recursive info-recursive \
+	install-data-recursive install-dvi-recursive \
+	install-exec-recursive install-html-recursive \
+	install-info-recursive install-pdf-recursive \
+	install-ps-recursive install-recursive installcheck-recursive \
+	installdirs-recursive pdf-recursive ps-recursive \
+	tags-recursive uninstall-recursive
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
     n|no|NO) false;; \
@@ -184,8 +193,17 @@ am__can_run_installinfo = \
 am__nobase_tls_include_HEADERS_DIST = tls_protection.h \
 	tls_compression.h tls_fragmentation.h tls_alert.h tls_crypto.h \
 	tls_prf.h tls_socket.h tls_eap.h tls_cache.h tls_peer.h \
-	tls_server.h tls_handshake.h tls_application.h tls.h
+	tls_server.h tls_handshake.h tls_application.h tls_aead.h \
+	tls.h
 HEADERS = $(nobase_tls_include_HEADERS)
+RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
+  distclean-recursive maintainer-clean-recursive
+am__recursive_targets = \
+  $(RECURSIVE_TARGETS) \
+  $(RECURSIVE_CLEAN_TARGETS) \
+  $(am__extra_recursive_targets)
+AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
+	distdir
 am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
 # Read a list of newline-separated strings from the standard input,
 # and print each of them once, without duplicates.  Input order is
@@ -205,7 +223,33 @@ am__define_uniq_tagged_files = \
   done | $(am__uniquify_input)`
 ETAGS = etags
 CTAGS = ctags
+DIST_SUBDIRS = $(SUBDIRS)
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+am__relativize = \
+  dir0=`pwd`; \
+  sed_first='s,^\([^/]*\)/.*$$,\1,'; \
+  sed_rest='s,^[^/]*/*,,'; \
+  sed_last='s,^.*/\([^/]*\)$$,\1,'; \
+  sed_butlast='s,/*[^/]*$$,,'; \
+  while test -n "$$dir1"; do \
+    first=`echo "$$dir1" | sed -e "$$sed_first"`; \
+    if test "$$first" != "."; then \
+      if test "$$first" = ".."; then \
+        dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
+        dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
+      else \
+        first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
+        if test "$$first2" = "$$first"; then \
+          dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
+        else \
+          dir2="../$$dir2"; \
+        fi; \
+        dir0="$$dir0"/"$$first"; \
+      fi; \
+    fi; \
+    dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
+  done; \
+  reldir="$$dir2"
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
@@ -375,7 +419,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -425,6 +468,7 @@ ipseclib_LTLIBRARIES = libtls.la
 libtls_la_SOURCES = \
 	tls_protection.c tls_compression.c tls_fragmentation.c tls_alert.c \
 	tls_crypto.c tls_prf.c tls_socket.c tls_eap.c tls_cache.c tls_peer.c \
+	tls_aead_expl.c tls_aead_impl.c tls_aead_null.c tls_aead.c \
 	tls_server.c tls.c
 
 libtls_la_LIBADD = \
@@ -434,9 +478,10 @@ libtls_la_LIBADD = \
 @USE_DEV_HEADERS_TRUE at nobase_tls_include_HEADERS = \
 @USE_DEV_HEADERS_TRUE@	tls_protection.h tls_compression.h tls_fragmentation.h tls_alert.h \
 @USE_DEV_HEADERS_TRUE@	tls_crypto.h tls_prf.h tls_socket.h tls_eap.h tls_cache.h tls_peer.h \
- at USE_DEV_HEADERS_TRUE@	tls_server.h tls_handshake.h tls_application.h tls.h
+ at USE_DEV_HEADERS_TRUE@	tls_server.h tls_handshake.h tls_application.h tls_aead.h tls.h
 
-all: all-am
+SUBDIRS = . tests
+all: all-recursive
 
 .SUFFIXES:
 .SUFFIXES: .c .lo .o .obj
@@ -516,6 +561,10 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/tls.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/tls_aead.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/tls_aead_expl.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/tls_aead_impl.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/tls_aead_null.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/tls_alert.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/tls_cache.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/tls_compression.Plo at am__quote@
@@ -582,14 +631,61 @@ uninstall-nobase_tls_includeHEADERS:
 	$(am__nobase_strip_setup); files=`$(am__nobase_strip)`; \
 	dir='$(DESTDIR)$(tls_includedir)'; $(am__uninstall_files_from_dir)
 
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run 'make' without going through this Makefile.
+# To change the values of 'make' variables: instead of editing Makefiles,
+# (1) if the variable is set in 'config.status', edit 'config.status'
+#     (which will cause the Makefiles to be regenerated when you run 'make');
+# (2) otherwise, pass the desired values on the 'make' command line.
+$(am__recursive_targets):
+	@fail=; \
+	if $(am__make_keepgoing); then \
+	  failcom='fail=yes'; \
+	else \
+	  failcom='exit 1'; \
+	fi; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	case "$@" in \
+	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+	  *) list='$(SUBDIRS)' ;; \
+	esac; \
+	for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  || eval $$failcom; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
 ID: $(am__tagged_files)
 	$(am__define_uniq_tagged_files); mkid -fID $$unique
-tags: tags-am
+tags: tags-recursive
 TAGS: tags
 
 tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
 	set x; \
 	here=`pwd`; \
+	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
+	  include_option=--etags-include; \
+	  empty_fix=.; \
+	else \
+	  include_option=--include; \
+	  empty_fix=; \
+	fi; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    test ! -f $$subdir/TAGS || \
+	      set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
+	  fi; \
+	done; \
 	$(am__define_uniq_tagged_files); \
 	shift; \
 	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
@@ -602,7 +698,7 @@ tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
 	      $$unique; \
 	  fi; \
 	fi
-ctags: ctags-am
+ctags: ctags-recursive
 
 CTAGS: ctags
 ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
@@ -615,7 +711,7 @@ GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
 	  && $(am__cd) $(top_srcdir) \
 	  && gtags -i $(GTAGS_ARGS) "$$here"
-cscopelist: cscopelist-am
+cscopelist: cscopelist-recursive
 
 cscopelist-am: $(am__tagged_files)
 	list='$(am__tagged_files)'; \
@@ -664,22 +760,48 @@ distdir: $(DISTFILES)
 	    || exit 1; \
 	  fi; \
 	done
+	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    $(am__make_dryrun) \
+	      || test -d "$(distdir)/$$subdir" \
+	      || $(MKDIR_P) "$(distdir)/$$subdir" \
+	      || exit 1; \
+	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
+	    $(am__relativize); \
+	    new_distdir=$$reldir; \
+	    dir1=$$subdir; dir2="$(top_distdir)"; \
+	    $(am__relativize); \
+	    new_top_distdir=$$reldir; \
+	    echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
+	    echo "     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
+	    ($(am__cd) $$subdir && \
+	      $(MAKE) $(AM_MAKEFLAGS) \
+	        top_distdir="$$new_top_distdir" \
+	        distdir="$$new_distdir" \
+		am__remove_distdir=: \
+		am__skip_length_check=: \
+		am__skip_mode_fix=: \
+	        distdir) \
+	      || exit 1; \
+	  fi; \
+	done
 check-am: all-am
-check: check-am
+check: check-recursive
 all-am: Makefile $(LTLIBRARIES) $(HEADERS)
-installdirs:
+installdirs: installdirs-recursive
+installdirs-am:
 	for dir in "$(DESTDIR)$(ipseclibdir)" "$(DESTDIR)$(tls_includedir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
+install: install-recursive
+install-exec: install-exec-recursive
+install-data: install-data-recursive
+uninstall: uninstall-recursive
 
 install-am: all-am
 	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
 
-installcheck: installcheck-am
+installcheck: installcheck-recursive
 install-strip:
 	if test -z '$(STRIP)'; then \
 	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
@@ -701,92 +823,93 @@ distclean-generic:
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
+clean: clean-recursive
 
 clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
 	mostlyclean-am
 
-distclean: distclean-am
+distclean: distclean-recursive
 	-rm -rf ./$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
 
-dvi: dvi-am
+dvi: dvi-recursive
 
 dvi-am:
 
-html: html-am
+html: html-recursive
 
 html-am:
 
-info: info-am
+info: info-recursive
 
 info-am:
 
 install-data-am: install-ipseclibLTLIBRARIES \
 	install-nobase_tls_includeHEADERS
 
-install-dvi: install-dvi-am
+install-dvi: install-dvi-recursive
 
 install-dvi-am:
 
 install-exec-am:
 
-install-html: install-html-am
+install-html: install-html-recursive
 
 install-html-am:
 
-install-info: install-info-am
+install-info: install-info-recursive
 
 install-info-am:
 
 install-man:
 
-install-pdf: install-pdf-am
+install-pdf: install-pdf-recursive
 
 install-pdf-am:
 
-install-ps: install-ps-am
+install-ps: install-ps-recursive
 
 install-ps-am:
 
 installcheck-am:
 
-maintainer-clean: maintainer-clean-am
+maintainer-clean: maintainer-clean-recursive
 	-rm -rf ./$(DEPDIR)
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
-mostlyclean: mostlyclean-am
+mostlyclean: mostlyclean-recursive
 
 mostlyclean-am: mostlyclean-compile mostlyclean-generic \
 	mostlyclean-libtool
 
-pdf: pdf-am
+pdf: pdf-recursive
 
 pdf-am:
 
-ps: ps-am
+ps: ps-recursive
 
 ps-am:
 
 uninstall-am: uninstall-ipseclibLTLIBRARIES \
 	uninstall-nobase_tls_includeHEADERS
 
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
-	clean-ipseclibLTLIBRARIES clean-libtool cscopelist-am ctags \
-	ctags-am distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-ipseclibLTLIBRARIES install-man \
+.MAKE: $(am__recursive_targets) install-am install-strip
+
+.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \
+	check-am clean clean-generic clean-ipseclibLTLIBRARIES \
+	clean-libtool cscopelist-am ctags ctags-am distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am \
+	install-ipseclibLTLIBRARIES install-man \
 	install-nobase_tls_includeHEADERS install-pdf install-pdf-am \
 	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
+	installcheck-am installdirs installdirs-am maintainer-clean \
 	maintainer-clean-generic mostlyclean mostlyclean-compile \
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags tags-am uninstall uninstall-am \
diff --git a/src/libtls/tests/Makefile.am b/src/libtls/tests/Makefile.am
new file mode 100644
index 0000000..1c0e2f9
--- /dev/null
+++ b/src/libtls/tests/Makefile.am
@@ -0,0 +1,22 @@
+TESTS = tls_tests
+
+check_PROGRAMS = $(TESTS)
+
+tls_tests_SOURCES = \
+	suites/test_socket.c \
+	suites/test_suites.c \
+	tls_tests.h tls_tests.c
+
+tls_tests_CFLAGS = \
+	-I$(top_srcdir)/src/libtls \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libstrongswan/tests \
+	-DPLUGINDIR=\""$(top_builddir)/src/libstrongswan/plugins\"" \
+	-DPLUGINS=\""${s_plugins}\"" \
+	@COVERAGE_CFLAGS@
+
+tls_tests_LDFLAGS = @COVERAGE_LDFLAGS@
+tls_tests_LDADD = \
+	$(top_builddir)/src/libtls/libtls.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libstrongswan/tests/libtest.la
diff --git a/scripts/Makefile.in b/src/libtls/tests/Makefile.in
similarity index 61%
copy from scripts/Makefile.in
copy to src/libtls/tests/Makefile.in
index 40001f8..0b8ba33 100644
--- a/scripts/Makefile.in
+++ b/src/libtls/tests/Makefile.in
@@ -13,7 +13,6 @@
 # PARTICULAR PURPOSE.
 
 @SET_MAKE@
-
 VPATH = @srcdir@
 am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
 am__make_running_with_option = \
@@ -78,14 +77,9 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-noinst_PROGRAMS = bin2array$(EXEEXT) bin2sql$(EXEEXT) id2sql$(EXEEXT) \
-	key2keyid$(EXEEXT) keyid2sql$(EXEEXT) oid2der$(EXEEXT) \
-	thread_analysis$(EXEEXT) dh_speed$(EXEEXT) \
-	pubkey_speed$(EXEEXT) crypt_burn$(EXEEXT) hash_burn$(EXEEXT) \
-	fetch$(EXEEXT) dnssec$(EXEEXT) malloc_speed$(EXEEXT) \
-	aes-test$(EXEEXT) $(am__EXEEXT_1)
- at USE_TLS_TRUE@am__append_1 = tls_test
-subdir = scripts
+TESTS = tls_tests$(EXEEXT)
+check_PROGRAMS = $(am__EXEEXT_1)
+subdir = src/libtls/tests
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -105,78 +99,22 @@ mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
- at USE_TLS_TRUE@am__EXEEXT_1 = tls_test$(EXEEXT)
-PROGRAMS = $(noinst_PROGRAMS)
-aes_test_SOURCES = aes-test.c
-aes_test_OBJECTS = aes-test.$(OBJEXT)
-aes_test_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
+am__EXEEXT_1 = tls_tests$(EXEEXT)
+am__dirstamp = $(am__leading_dot)dirstamp
+am_tls_tests_OBJECTS = suites/tls_tests-test_socket.$(OBJEXT) \
+	suites/tls_tests-test_suites.$(OBJEXT) \
+	tls_tests-tls_tests.$(OBJEXT)
+tls_tests_OBJECTS = $(am_tls_tests_OBJECTS)
+tls_tests_DEPENDENCIES = $(top_builddir)/src/libtls/libtls.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libstrongswan/tests/libtest.la
 AM_V_lt = $(am__v_lt_ at AM_V@)
 am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
 am__v_lt_0 = --silent
 am__v_lt_1 = 
-am_bin2array_OBJECTS = bin2array.$(OBJEXT)
-bin2array_OBJECTS = $(am_bin2array_OBJECTS)
-bin2array_LDADD = $(LDADD)
-am_bin2sql_OBJECTS = bin2sql.$(OBJEXT)
-bin2sql_OBJECTS = $(am_bin2sql_OBJECTS)
-bin2sql_LDADD = $(LDADD)
-am_crypt_burn_OBJECTS = crypt_burn.$(OBJEXT)
-crypt_burn_OBJECTS = $(am_crypt_burn_OBJECTS)
-crypt_burn_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
-am_dh_speed_OBJECTS = dh_speed.$(OBJEXT)
-dh_speed_OBJECTS = $(am_dh_speed_OBJECTS)
-am__DEPENDENCIES_1 =
-dh_speed_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(am__DEPENDENCIES_1)
-am_dnssec_OBJECTS = dnssec.$(OBJEXT)
-dnssec_OBJECTS = $(am_dnssec_OBJECTS)
-dnssec_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
-am_fetch_OBJECTS = fetch.$(OBJEXT)
-fetch_OBJECTS = $(am_fetch_OBJECTS)
-fetch_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
-am_hash_burn_OBJECTS = hash_burn.$(OBJEXT)
-hash_burn_OBJECTS = $(am_hash_burn_OBJECTS)
-hash_burn_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
-am_id2sql_OBJECTS = id2sql.$(OBJEXT)
-id2sql_OBJECTS = $(am_id2sql_OBJECTS)
-id2sql_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
-am_key2keyid_OBJECTS = key2keyid.$(OBJEXT)
-key2keyid_OBJECTS = $(am_key2keyid_OBJECTS)
-key2keyid_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
-am_keyid2sql_OBJECTS = keyid2sql.$(OBJEXT)
-keyid2sql_OBJECTS = $(am_keyid2sql_OBJECTS)
-keyid2sql_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
-am_malloc_speed_OBJECTS = malloc_speed.$(OBJEXT)
-malloc_speed_OBJECTS = $(am_malloc_speed_OBJECTS)
-malloc_speed_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(am__DEPENDENCIES_1)
-am_oid2der_OBJECTS = oid2der.$(OBJEXT)
-oid2der_OBJECTS = $(am_oid2der_OBJECTS)
-oid2der_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
-am_pubkey_speed_OBJECTS = pubkey_speed.$(OBJEXT)
-pubkey_speed_OBJECTS = $(am_pubkey_speed_OBJECTS)
-pubkey_speed_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(am__DEPENDENCIES_1)
-am_thread_analysis_OBJECTS = thread_analysis.$(OBJEXT)
-thread_analysis_OBJECTS = $(am_thread_analysis_OBJECTS)
-thread_analysis_LDADD = $(LDADD)
-am__tls_test_SOURCES_DIST = tls_test.c
- at USE_TLS_TRUE@am_tls_test_OBJECTS = tls_test.$(OBJEXT)
-tls_test_OBJECTS = $(am_tls_test_OBJECTS)
- at USE_TLS_TRUE@tls_test_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la \
- at USE_TLS_TRUE@	$(top_builddir)/src/libtls/libtls.la
+tls_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(tls_tests_CFLAGS) \
+	$(CFLAGS) $(tls_tests_LDFLAGS) $(LDFLAGS) -o $@
 AM_V_P = $(am__v_P_ at AM_V@)
 am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
 am__v_P_0 = false
@@ -211,20 +149,8 @@ AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
 am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
 am__v_CCLD_0 = @echo "  CCLD    " $@;
 am__v_CCLD_1 = 
-SOURCES = aes-test.c $(bin2array_SOURCES) $(bin2sql_SOURCES) \
-	$(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(dnssec_SOURCES) \
-	$(fetch_SOURCES) $(hash_burn_SOURCES) $(id2sql_SOURCES) \
-	$(key2keyid_SOURCES) $(keyid2sql_SOURCES) \
-	$(malloc_speed_SOURCES) $(oid2der_SOURCES) \
-	$(pubkey_speed_SOURCES) $(thread_analysis_SOURCES) \
-	$(tls_test_SOURCES)
-DIST_SOURCES = aes-test.c $(bin2array_SOURCES) $(bin2sql_SOURCES) \
-	$(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(dnssec_SOURCES) \
-	$(fetch_SOURCES) $(hash_burn_SOURCES) $(id2sql_SOURCES) \
-	$(key2keyid_SOURCES) $(keyid2sql_SOURCES) \
-	$(malloc_speed_SOURCES) $(oid2der_SOURCES) \
-	$(pubkey_speed_SOURCES) $(thread_analysis_SOURCES) \
-	$(am__tls_test_SOURCES_DIST)
+SOURCES = $(tls_tests_SOURCES)
+DIST_SOURCES = $(tls_tests_SOURCES)
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
     n|no|NO) false;; \
@@ -249,6 +175,28 @@ am__define_uniq_tagged_files = \
   done | $(am__uniquify_input)`
 ETAGS = etags
 CTAGS = ctags
+am__tty_colors_dummy = \
+  mgn= red= grn= lgn= blu= brg= std=; \
+  am__color_tests=no
+am__tty_colors = { \
+  $(am__tty_colors_dummy); \
+  if test "X$(AM_COLOR_TESTS)" = Xno; then \
+    am__color_tests=no; \
+  elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
+    am__color_tests=yes; \
+  elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
+    am__color_tests=yes; \
+  fi; \
+  if test $$am__color_tests = yes; then \
+    red=''; \
+    grn=''; \
+    lgn=''; \
+    blu=''; \
+    mgn=''; \
+    brg=''; \
+    std=''; \
+  fi; \
+}
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
@@ -419,7 +367,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -459,41 +406,25 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-AM_CPPFLAGS = \
-	-I$(top_srcdir)/src/libstrongswan \
+tls_tests_SOURCES = \
+	suites/test_socket.c \
+	suites/test_suites.c \
+	tls_tests.h tls_tests.c
+
+tls_tests_CFLAGS = \
 	-I$(top_srcdir)/src/libtls \
-	-DPLUGINS="\"${scripts_plugins}\""
-
- at USE_TLS_TRUE@tls_test_SOURCES = tls_test.c
- at USE_TLS_TRUE@tls_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
- at USE_TLS_TRUE@					$(top_builddir)/src/libtls/libtls.la
-
-bin2array_SOURCES = bin2array.c
-bin2sql_SOURCES = bin2sql.c
-id2sql_SOURCES = id2sql.c
-key2keyid_SOURCES = key2keyid.c
-keyid2sql_SOURCES = keyid2sql.c
-oid2der_SOURCES = oid2der.c
-thread_analysis_SOURCES = thread_analysis.c
-dh_speed_SOURCES = dh_speed.c
-pubkey_speed_SOURCES = pubkey_speed.c
-crypt_burn_SOURCES = crypt_burn.c
-hash_burn_SOURCES = hash_burn.c
-malloc_speed_SOURCES = malloc_speed.c
-fetch_SOURCES = fetch.c
-dnssec_SOURCES = dnssec.c
-id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
-key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
-keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
-oid2der_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
-dh_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(RTLIB)
-pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(RTLIB)
-crypt_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
-hash_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
-malloc_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(RTLIB)
-fetch_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
-dnssec_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
-aes_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libstrongswan/tests \
+	-DPLUGINDIR=\""$(top_builddir)/src/libstrongswan/plugins\"" \
+	-DPLUGINS=\""${s_plugins}\"" \
+	@COVERAGE_CFLAGS@
+
+tls_tests_LDFLAGS = @COVERAGE_LDFLAGS@
+tls_tests_LDADD = \
+	$(top_builddir)/src/libtls/libtls.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libstrongswan/tests/libtest.la
+
 all: all-am
 
 .SUFFIXES:
@@ -507,9 +438,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu scripts/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libtls/tests/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu scripts/Makefile
+	  $(AUTOMAKE) --gnu src/libtls/tests/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -529,101 +460,39 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
 
-clean-noinstPROGRAMS:
-	@list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \
+clean-checkPROGRAMS:
+	@list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
 	echo " rm -f" $$list; \
 	rm -f $$list || exit $$?; \
 	test -n "$(EXEEXT)" || exit 0; \
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-
-aes-test$(EXEEXT): $(aes_test_OBJECTS) $(aes_test_DEPENDENCIES) $(EXTRA_aes_test_DEPENDENCIES) 
-	@rm -f aes-test$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(aes_test_OBJECTS) $(aes_test_LDADD) $(LIBS)
-
-bin2array$(EXEEXT): $(bin2array_OBJECTS) $(bin2array_DEPENDENCIES) $(EXTRA_bin2array_DEPENDENCIES) 
-	@rm -f bin2array$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(bin2array_OBJECTS) $(bin2array_LDADD) $(LIBS)
-
-bin2sql$(EXEEXT): $(bin2sql_OBJECTS) $(bin2sql_DEPENDENCIES) $(EXTRA_bin2sql_DEPENDENCIES) 
-	@rm -f bin2sql$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(bin2sql_OBJECTS) $(bin2sql_LDADD) $(LIBS)
-
-crypt_burn$(EXEEXT): $(crypt_burn_OBJECTS) $(crypt_burn_DEPENDENCIES) $(EXTRA_crypt_burn_DEPENDENCIES) 
-	@rm -f crypt_burn$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(crypt_burn_OBJECTS) $(crypt_burn_LDADD) $(LIBS)
-
-dh_speed$(EXEEXT): $(dh_speed_OBJECTS) $(dh_speed_DEPENDENCIES) $(EXTRA_dh_speed_DEPENDENCIES) 
-	@rm -f dh_speed$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(dh_speed_OBJECTS) $(dh_speed_LDADD) $(LIBS)
-
-dnssec$(EXEEXT): $(dnssec_OBJECTS) $(dnssec_DEPENDENCIES) $(EXTRA_dnssec_DEPENDENCIES) 
-	@rm -f dnssec$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(dnssec_OBJECTS) $(dnssec_LDADD) $(LIBS)
-
-fetch$(EXEEXT): $(fetch_OBJECTS) $(fetch_DEPENDENCIES) $(EXTRA_fetch_DEPENDENCIES) 
-	@rm -f fetch$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(fetch_OBJECTS) $(fetch_LDADD) $(LIBS)
-
-hash_burn$(EXEEXT): $(hash_burn_OBJECTS) $(hash_burn_DEPENDENCIES) $(EXTRA_hash_burn_DEPENDENCIES) 
-	@rm -f hash_burn$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(hash_burn_OBJECTS) $(hash_burn_LDADD) $(LIBS)
-
-id2sql$(EXEEXT): $(id2sql_OBJECTS) $(id2sql_DEPENDENCIES) $(EXTRA_id2sql_DEPENDENCIES) 
-	@rm -f id2sql$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(id2sql_OBJECTS) $(id2sql_LDADD) $(LIBS)
-
-key2keyid$(EXEEXT): $(key2keyid_OBJECTS) $(key2keyid_DEPENDENCIES) $(EXTRA_key2keyid_DEPENDENCIES) 
-	@rm -f key2keyid$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(key2keyid_OBJECTS) $(key2keyid_LDADD) $(LIBS)
-
-keyid2sql$(EXEEXT): $(keyid2sql_OBJECTS) $(keyid2sql_DEPENDENCIES) $(EXTRA_keyid2sql_DEPENDENCIES) 
-	@rm -f keyid2sql$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(keyid2sql_OBJECTS) $(keyid2sql_LDADD) $(LIBS)
-
-malloc_speed$(EXEEXT): $(malloc_speed_OBJECTS) $(malloc_speed_DEPENDENCIES) $(EXTRA_malloc_speed_DEPENDENCIES) 
-	@rm -f malloc_speed$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(malloc_speed_OBJECTS) $(malloc_speed_LDADD) $(LIBS)
-
-oid2der$(EXEEXT): $(oid2der_OBJECTS) $(oid2der_DEPENDENCIES) $(EXTRA_oid2der_DEPENDENCIES) 
-	@rm -f oid2der$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(oid2der_OBJECTS) $(oid2der_LDADD) $(LIBS)
-
-pubkey_speed$(EXEEXT): $(pubkey_speed_OBJECTS) $(pubkey_speed_DEPENDENCIES) $(EXTRA_pubkey_speed_DEPENDENCIES) 
-	@rm -f pubkey_speed$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(pubkey_speed_OBJECTS) $(pubkey_speed_LDADD) $(LIBS)
-
-thread_analysis$(EXEEXT): $(thread_analysis_OBJECTS) $(thread_analysis_DEPENDENCIES) $(EXTRA_thread_analysis_DEPENDENCIES) 
-	@rm -f thread_analysis$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(thread_analysis_OBJECTS) $(thread_analysis_LDADD) $(LIBS)
-
-tls_test$(EXEEXT): $(tls_test_OBJECTS) $(tls_test_DEPENDENCIES) $(EXTRA_tls_test_DEPENDENCIES) 
-	@rm -f tls_test$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(tls_test_OBJECTS) $(tls_test_LDADD) $(LIBS)
+suites/$(am__dirstamp):
+	@$(MKDIR_P) suites
+	@: > suites/$(am__dirstamp)
+suites/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) suites/$(DEPDIR)
+	@: > suites/$(DEPDIR)/$(am__dirstamp)
+suites/tls_tests-test_socket.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tls_tests-test_suites.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+
+tls_tests$(EXEEXT): $(tls_tests_OBJECTS) $(tls_tests_DEPENDENCIES) $(EXTRA_tls_tests_DEPENDENCIES) 
+	@rm -f tls_tests$(EXEEXT)
+	$(AM_V_CCLD)$(tls_tests_LINK) $(tls_tests_OBJECTS) $(tls_tests_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
+	-rm -f suites/*.$(OBJEXT)
 
 distclean-compile:
 	-rm -f *.tab.c
 
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/aes-test.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/bin2array.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/bin2sql.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/crypt_burn.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/dh_speed.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/dnssec.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/fetch.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/hash_burn.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/id2sql.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/key2keyid.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/keyid2sql.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/malloc_speed.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/oid2der.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/pubkey_speed.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/thread_analysis.Po at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/tls_test.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/tls_tests-tls_tests.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/tls_tests-test_socket.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/tls_tests-test_suites.Po at am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@@ -649,6 +518,48 @@ distclean-compile:
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
+suites/tls_tests-test_socket.o: suites/test_socket.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -MT suites/tls_tests-test_socket.o -MD -MP -MF suites/$(DEPDIR)/tls_tests-test_socket.Tpo -c -o suites/tls_tests-test_socket.o `test -f 'suites/test_socket.c' || echo '$(srcdir)/'`suites/test_socket.c
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tls_tests-test_socket.Tpo suites/$(DEPDIR)/tls_tests-test_socket.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_socket.c' object='suites/tls_tests-test_socket.o' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -c -o suites/tls_tests-test_socket.o `test -f 'suites/test_socket.c' || echo '$(srcdir)/'`suites/test_socket.c
+
+suites/tls_tests-test_socket.obj: suites/test_socket.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -MT suites/tls_tests-test_socket.obj -MD -MP -MF suites/$(DEPDIR)/tls_tests-test_socket.Tpo -c -o suites/tls_tests-test_socket.obj `if test -f 'suites/test_socket.c'; then $(CYGPATH_W) 'suites/test_socket.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_socket.c'; fi`
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tls_tests-test_socket.Tpo suites/$(DEPDIR)/tls_tests-test_socket.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_socket.c' object='suites/tls_tests-test_socket.obj' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -c -o suites/tls_tests-test_socket.obj `if test -f 'suites/test_socket.c'; then $(CYGPATH_W) 'suites/test_socket.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_socket.c'; fi`
+
+suites/tls_tests-test_suites.o: suites/test_suites.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -MT suites/tls_tests-test_suites.o -MD -MP -MF suites/$(DEPDIR)/tls_tests-test_suites.Tpo -c -o suites/tls_tests-test_suites.o `test -f 'suites/test_suites.c' || echo '$(srcdir)/'`suites/test_suites.c
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tls_tests-test_suites.Tpo suites/$(DEPDIR)/tls_tests-test_suites.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_suites.c' object='suites/tls_tests-test_suites.o' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -c -o suites/tls_tests-test_suites.o `test -f 'suites/test_suites.c' || echo '$(srcdir)/'`suites/test_suites.c
+
+suites/tls_tests-test_suites.obj: suites/test_suites.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -MT suites/tls_tests-test_suites.obj -MD -MP -MF suites/$(DEPDIR)/tls_tests-test_suites.Tpo -c -o suites/tls_tests-test_suites.obj `if test -f 'suites/test_suites.c'; then $(CYGPATH_W) 'suites/test_suites.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_suites.c'; fi`
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tls_tests-test_suites.Tpo suites/$(DEPDIR)/tls_tests-test_suites.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_suites.c' object='suites/tls_tests-test_suites.obj' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -c -o suites/tls_tests-test_suites.obj `if test -f 'suites/test_suites.c'; then $(CYGPATH_W) 'suites/test_suites.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_suites.c'; fi`
+
+tls_tests-tls_tests.o: tls_tests.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -MT tls_tests-tls_tests.o -MD -MP -MF $(DEPDIR)/tls_tests-tls_tests.Tpo -c -o tls_tests-tls_tests.o `test -f 'tls_tests.c' || echo '$(srcdir)/'`tls_tests.c
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tls_tests-tls_tests.Tpo $(DEPDIR)/tls_tests-tls_tests.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tls_tests.c' object='tls_tests-tls_tests.o' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -c -o tls_tests-tls_tests.o `test -f 'tls_tests.c' || echo '$(srcdir)/'`tls_tests.c
+
+tls_tests-tls_tests.obj: tls_tests.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -MT tls_tests-tls_tests.obj -MD -MP -MF $(DEPDIR)/tls_tests-tls_tests.Tpo -c -o tls_tests-tls_tests.obj `if test -f 'tls_tests.c'; then $(CYGPATH_W) 'tls_tests.c'; else $(CYGPATH_W) '$(srcdir)/tls_tests.c'; fi`
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tls_tests-tls_tests.Tpo $(DEPDIR)/tls_tests-tls_tests.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tls_tests.c' object='tls_tests-tls_tests.obj' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -c -o tls_tests-tls_tests.obj `if test -f 'tls_tests.c'; then $(CYGPATH_W) 'tls_tests.c'; else $(CYGPATH_W) '$(srcdir)/tls_tests.c'; fi`
+
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -707,6 +618,99 @@ cscopelist-am: $(am__tagged_files)
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	$(am__tty_colors); \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=XPASS; \
+	      ;; \
+	      *) \
+		col=$$grn; res=PASS; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xfail=`expr $$xfail + 1`; \
+		col=$$lgn; res=XFAIL; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=FAIL; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      col=$$blu; res=SKIP; \
+	    fi; \
+	    echo "$${col}$$res$${std}: $$tst"; \
+	  done; \
+	  if test "$$all" -eq 1; then \
+	    tests="test"; \
+	    All=""; \
+	  else \
+	    tests="tests"; \
+	    All="All "; \
+	  fi; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="$$All$$all $$tests passed"; \
+	    else \
+	      if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+	      banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all $$tests failed"; \
+	    else \
+	      if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+	      banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    if test "$$skip" -eq 1; then \
+	      skipped="($$skip test was not run)"; \
+	    else \
+	      skipped="($$skip tests were not run)"; \
+	    fi; \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
+	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
+	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  if test "$$failed" -eq 0; then \
+	    col="$$grn"; \
+	  else \
+	    col="$$red"; \
+	  fi; \
+	  echo "$${col}$$dashes$${std}"; \
+	  echo "$${col}$$banner$${std}"; \
+	  test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \
+	  test -z "$$report" || echo "$${col}$$report$${std}"; \
+	  echo "$${col}$$dashes$${std}"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
+
 distdir: $(DISTFILES)
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
@@ -738,8 +742,10 @@ distdir: $(DISTFILES)
 	  fi; \
 	done
 check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS
 check: check-am
-all-am: Makefile $(PROGRAMS)
+all-am: Makefile
 installdirs:
 install: install-am
 install-exec: install-exec-am
@@ -767,17 +773,19 @@ clean-generic:
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-rm -f suites/$(DEPDIR)/$(am__dirstamp)
+	-rm -f suites/$(am__dirstamp)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \
+clean-am: clean-checkPROGRAMS clean-generic clean-libtool \
 	mostlyclean-am
 
 distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
+	-rm -rf ./$(DEPDIR) suites/$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
@@ -823,7 +831,7 @@ install-ps-am:
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
+	-rm -rf ./$(DEPDIR) suites/$(DEPDIR)
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
@@ -842,11 +850,11 @@ ps-am:
 
 uninstall-am:
 
-.MAKE: install-am install-strip
+.MAKE: check-am install-am install-strip
 
-.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-noinstPROGRAMS cscopelist-am ctags \
-	ctags-am distclean distclean-compile distclean-generic \
+.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \
+	clean-checkPROGRAMS clean-generic clean-libtool cscopelist-am \
+	ctags ctags-am distclean distclean-compile distclean-generic \
 	distclean-libtool distclean-tags distdir dvi dvi-am html \
 	html-am info info-am install install-am install-data \
 	install-data-am install-dvi install-dvi-am install-exec \
@@ -859,10 +867,6 @@ uninstall-am:
 	tags tags-am uninstall uninstall-am
 
 
-key2keyid.o :	$(top_builddir)/config.status
-
-keyid2sql.o :	$(top_builddir)/config.status
-
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libtls/tests/suites/test_socket.c b/src/libtls/tests/suites/test_socket.c
new file mode 100644
index 0000000..42a4607
--- /dev/null
+++ b/src/libtls/tests/suites/test_socket.c
@@ -0,0 +1,524 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <test_suite.h>
+
+#include <unistd.h>
+#include <errno.h>
+
+#include <processing/jobs/callback_job.h>
+#include <credentials/sets/mem_cred.h>
+
+#include "tls_socket.h"
+
+/**
+ * Credentials for authentication
+ */
+static mem_cred_t *creds;
+
+/**
+ * RSA private key, 2048 bit
+ */
+static char rsa[] = {
+	0x30,0x82,0x04,0xa4,0x02,0x01,0x00,0x02,0x82,0x01,0x01,0x00,0xee,0xa3,0x28,0xcc,
+	0x48,0xca,0x37,0xfc,0xb6,0xfa,0xfc,0x18,0x0d,0xa2,0x28,0x44,0xb4,0x16,0x56,0xf7,
+	0x97,0x5f,0x38,0x83,0xfc,0xd4,0x30,0xea,0xf7,0x5e,0xaa,0xd4,0x21,0x0e,0x71,0x49,
+	0x13,0x39,0xaf,0x89,0xa1,0x1d,0x1b,0x9a,0x08,0x44,0xff,0x0b,0xeb,0x4b,0xad,0x8e,
+	0xc4,0x6d,0x1e,0x0c,0x02,0xbb,0x17,0x59,0xc7,0x66,0xc7,0xff,0x4c,0x3c,0x11,0x40,
+	0x1a,0xe3,0xca,0x34,0xf8,0x41,0xe0,0x39,0x3e,0xce,0x72,0x9f,0x56,0x9e,0x69,0xad,
+	0x98,0x43,0x5f,0x35,0xc2,0xd0,0xd9,0xbc,0x8b,0xed,0xc6,0xc7,0x74,0x73,0x74,0x30,
+	0x92,0x86,0x39,0x26,0x3d,0xf1,0xd5,0x16,0x45,0x7d,0xcc,0x90,0x54,0xff,0x44,0x74,
+	0xf3,0xba,0x41,0x5c,0x58,0xa4,0x66,0xe6,0x9d,0x58,0xbe,0x7e,0x89,0xe1,0x7c,0xf7,
+	0x28,0xb0,0xde,0xe2,0x01,0x0a,0x89,0xc7,0x63,0x3f,0xef,0x2b,0xcb,0xef,0x65,0x89,
+	0x82,0x23,0x32,0xa7,0xa3,0x1c,0x0d,0xc6,0x8f,0x76,0x59,0x8b,0x55,0x65,0x9c,0x91,
+	0xd4,0x93,0x89,0xad,0x37,0x47,0x23,0x25,0xb3,0x53,0xea,0xef,0x73,0xeb,0x97,0xd3,
+	0xd7,0x74,0x38,0x73,0x8d,0x16,0x0d,0x6f,0xae,0x59,0x33,0x4e,0x24,0xe9,0x52,0xf6,
+	0x6f,0x8c,0x5c,0x13,0xcf,0x1d,0x0a,0xcc,0xb7,0x6a,0x88,0xce,0x91,0xe2,0xe0,0xcb,
+	0xc6,0xd2,0xfb,0x81,0xf6,0xd2,0x9f,0x0a,0x82,0x70,0x80,0xbf,0x93,0x70,0xc0,0x57,
+	0x23,0x6e,0x97,0x1c,0x9d,0x7d,0xf0,0xa3,0x54,0x86,0xec,0x40,0xae,0x09,0x20,0xed,
+	0x02,0x43,0xa3,0xf8,0x7e,0x0e,0x5b,0xd0,0x22,0x7b,0x74,0x39,0x02,0x03,0x01,0x00,
+	0x01,0x02,0x82,0x01,0x01,0x00,0xd9,0x5b,0x99,0x74,0x80,0xb4,0x57,0xcc,0x82,0x2a,
+	0x17,0x66,0x1d,0x3c,0xde,0xea,0xbd,0x11,0x40,0x03,0x62,0x47,0xe3,0xe5,0x2c,0x6b,
+	0x65,0x67,0x0f,0x0b,0x96,0x13,0x83,0x4c,0x71,0x58,0xfa,0xfe,0xe6,0xe9,0x37,0xeb,
+	0x98,0x51,0x73,0x48,0xcc,0xf9,0xe1,0x46,0x5b,0xfe,0x16,0xe1,0xc0,0xa5,0x75,0xf3,
+	0x4d,0x30,0x84,0x14,0x15,0x04,0x6f,0x3e,0xa3,0x03,0xbd,0xba,0x4f,0x5a,0x71,0xe9,
+	0x26,0xbf,0x5d,0x7a,0x93,0x22,0x98,0xb5,0xcf,0x51,0xc3,0xc7,0x51,0xb8,0x59,0x0a,
+	0xfb,0xd7,0xe5,0xa8,0x1d,0x0f,0x5c,0xfd,0x30,0x0e,0x71,0xd7,0x79,0xc4,0x60,0x55,
+	0x9e,0x1e,0x1c,0x0b,0x9a,0x40,0xb8,0x7a,0x8d,0xb2,0xec,0xb0,0x70,0x8a,0x19,0x5f,
+	0x1d,0x2e,0xde,0x90,0x8f,0x68,0x56,0x08,0xce,0x0c,0x08,0xde,0xc7,0xf8,0x13,0xef,
+	0xd2,0xbc,0x92,0xb6,0xfb,0xec,0xb6,0x04,0xf6,0x8f,0x7d,0x95,0xe9,0xeb,0xc7,0xfb,
+	0xcc,0x4f,0xad,0x41,0xf1,0x4c,0x79,0x07,0xdd,0x4b,0x40,0xb4,0x74,0x44,0x9a,0x06,
+	0x0a,0x0f,0xb2,0xda,0x12,0x46,0xe5,0xee,0x01,0x64,0xe5,0xf0,0x82,0x69,0xf9,0xf1,
+	0xe9,0x41,0x13,0x5a,0xee,0xc0,0x37,0x9a,0xbe,0x9a,0x9a,0x06,0x4b,0x52,0xd6,0xf3,
+	0x1b,0x30,0x64,0x93,0x3a,0x97,0xe1,0xdc,0x50,0x1f,0x46,0xc4,0x81,0x6a,0x17,0x52,
+	0x49,0x85,0xc6,0x85,0xb7,0x60,0xd4,0xf0,0xd1,0x6a,0xeb,0x50,0x8c,0xb7,0xeb,0x1f,
+	0x17,0x0e,0xf0,0xfd,0x67,0x03,0x7c,0x74,0x1a,0xac,0x66,0x81,0x00,0x45,0x5e,0xf3,
+	0xd9,0x9d,0x22,0x99,0xc4,0x11,0x02,0x81,0x81,0x00,0xfa,0x44,0x32,0x14,0xb2,0x82,
+	0x28,0x02,0x46,0x05,0xdd,0x8d,0xb1,0x9f,0x9e,0x6f,0x61,0xf2,0x01,0xa0,0x2b,0x76,
+	0xee,0x46,0xaa,0x2d,0x2d,0x5b,0xd2,0x67,0x90,0x36,0xbb,0xa0,0x07,0xdf,0x9b,0xad,
+	0x18,0x1e,0xa7,0xe6,0x36,0xc6,0x49,0xda,0xc5,0x0d,0x52,0x29,0x5a,0x40,0xcf,0xdf,
+	0x8d,0xd0,0xa3,0xc2,0x34,0x17,0x9f,0xb5,0xf1,0x67,0xac,0x29,0x10,0xc2,0x5c,0x62,
+	0xe3,0xe2,0x5c,0x9f,0x93,0xcc,0xb5,0xeb,0x16,0x64,0x44,0x9f,0x6b,0x5a,0xac,0x19,
+	0x09,0xff,0x4b,0x78,0x7f,0xec,0x5a,0xbd,0xe9,0xcb,0x74,0xbb,0x30,0x13,0xc5,0x25,
+	0x8b,0xac,0x8d,0xf9,0xa9,0x99,0x25,0xf5,0xce,0x07,0xb6,0x2b,0x1b,0x42,0xed,0x3a,
+	0x30,0x4a,0xfc,0x5f,0xf0,0xe2,0x26,0xa6,0x60,0x5d,0x02,0x81,0x81,0x00,0xf4,0x1a,
+	0xc2,0x7e,0xa0,0xa0,0xad,0x20,0x65,0x04,0xe8,0xf7,0xb0,0xb1,0x76,0x79,0x08,0x18,
+	0x58,0x93,0x21,0xf1,0x56,0x58,0x58,0x18,0x4a,0x5c,0x59,0x08,0x27,0x64,0x09,0xcb,
+	0x0b,0x0b,0x4e,0x26,0xc8,0x0b,0x87,0x67,0x40,0xc1,0xab,0x31,0x60,0xa6,0x78,0xdd,
+	0x78,0xc8,0x86,0x38,0xbd,0x19,0xde,0x0b,0x70,0x72,0xec,0x36,0x88,0x39,0x69,0x70,
+	0xda,0xa6,0x2e,0xf9,0x5c,0xd8,0x17,0xc5,0xfa,0xf8,0xa5,0xc9,0x9b,0xf0,0xfe,0x03,
+	0x71,0x57,0xfa,0x58,0x0f,0x33,0xc3,0xab,0xce,0xb0,0x5d,0xd0,0x40,0x07,0x9a,0x0b,
+	0xff,0xb9,0xaa,0x9d,0xc5,0x33,0x7f,0x5f,0x48,0x7e,0x54,0x82,0xd1,0xdf,0x75,0x69,
+	0xee,0xe5,0xf5,0x80,0x44,0xce,0x52,0x72,0x14,0x2c,0xe6,0xa7,0xd5,0x8d,0x02,0x81,
+	0x81,0x00,0xb8,0xf7,0x70,0x20,0x35,0xf2,0xd6,0x89,0x1f,0xa1,0xb4,0x26,0xc6,0x51,
+	0xd7,0xb2,0x30,0xac,0xc1,0xa0,0xd4,0x9e,0xf8,0xea,0x87,0x5a,0x0e,0x7d,0x1f,0xdb,
+	0xe5,0x0d,0x5e,0xcc,0x9f,0x25,0x18,0x14,0xed,0x8f,0xb2,0xbe,0x06,0x5b,0xb5,0x38,
+	0x18,0x8d,0x88,0xdd,0x01,0x54,0x87,0x8e,0x8d,0x6c,0xd7,0xab,0x6f,0xfe,0xc9,0xce,
+	0x9a,0x15,0xea,0x7b,0x0b,0x64,0xeb,0x0d,0x37,0xaa,0x14,0x94,0xe8,0x92,0xd3,0x1d,
+	0x66,0x16,0x43,0x55,0xa3,0xed,0x86,0xe6,0x96,0xa9,0xf5,0xe8,0xa0,0x7b,0x5a,0x71,
+	0xa4,0x7a,0xf7,0xd2,0x65,0x6d,0x27,0x37,0x61,0xac,0xed,0xdd,0xc9,0x08,0x64,0xb2,
+	0xf0,0x4c,0x68,0xca,0x21,0x42,0xec,0xbc,0x25,0xf7,0x35,0xe1,0xde,0xd1,0xf6,0x88,
+	0xdf,0x0d,0x02,0x81,0x80,0x44,0xb0,0xcb,0x0e,0x6b,0x11,0x0b,0xe6,0xd3,0xc6,0x7f,
+	0xf0,0x43,0x6e,0x8c,0xd2,0x1e,0x2f,0x0b,0xad,0xcb,0x9d,0x68,0x18,0xd0,0x21,0x75,
+	0xbb,0x6a,0xea,0x5a,0x7b,0x52,0x2e,0x2a,0xdb,0x71,0x90,0x84,0x36,0x8a,0x51,0xc9,
+	0xed,0x35,0xc9,0x5d,0x53,0x3b,0x2b,0xc7,0x73,0x56,0x21,0xdd,0x44,0xcc,0x31,0x17,
+	0xe1,0x9f,0x0a,0xf1,0x66,0x86,0x7f,0x55,0x67,0xf2,0x4c,0x05,0x8e,0x61,0x92,0x3a,
+	0xbf,0x81,0x97,0xac,0x24,0x32,0xb6,0xb1,0x4c,0x7a,0x8c,0x11,0x2b,0x15,0xe2,0xe0,
+	0xf4,0xcc,0x51,0x6f,0xd3,0x33,0xcc,0x30,0x98,0x04,0xa5,0x04,0xfb,0x2a,0xda,0x9b,
+	0x41,0xc1,0x72,0x56,0xb0,0xb5,0x0f,0xac,0x44,0x55,0xc3,0x54,0x99,0x62,0xa5,0xeb,
+	0x7b,0x7f,0x24,0xb7,0x79,0x02,0x81,0x80,0x0a,0x3b,0x9b,0x91,0x1d,0x9b,0x04,0x4e,
+	0xdf,0xd9,0xe6,0x47,0xf3,0x79,0xb7,0x17,0xcf,0x42,0xa5,0xde,0x94,0xf0,0xfe,0xed,
+	0x46,0xf6,0xaf,0x3e,0x6c,0x91,0x01,0x89,0x79,0x81,0xea,0x2b,0x82,0x68,0x0e,0xd8,
+	0x25,0xaf,0x79,0x8b,0x14,0xfd,0xf2,0x29,0x20,0x34,0x2d,0x0b,0x08,0x8c,0x3b,0x2b,
+	0xfc,0x75,0xe9,0x4e,0x21,0xa6,0xb2,0x35,0x67,0x8d,0x4c,0x90,0x94,0x02,0xd5,0x32,
+	0x23,0xc6,0xa0,0x92,0x2e,0xfa,0x97,0x48,0x5b,0x95,0xc3,0xf1,0xbc,0x6b,0xe8,0x4c,
+	0x92,0x6f,0x5e,0x3d,0xf9,0xbd,0x2c,0xf0,0x83,0x1c,0xe6,0xb3,0x45,0x68,0x32,0x8d,
+	0x85,0x20,0xcb,0x9d,0xd2,0x30,0x5a,0x57,0xa4,0x6e,0x27,0xb5,0x29,0x14,0xdb,0xf1,
+	0x4b,0x9a,0xc3,0xc1,0xc5,0x37,0x6d,0x1b,
+};
+
+/**
+ * ECDSA private key
+ */
+static char ecdsa[] = {
+	0x30,0x81,0xa4,0x02,0x01,0x01,0x04,0x30,0xc0,0x1f,0xfd,0x65,0xc6,0xc4,0x4c,0xb8,
+	0xff,0x56,0x08,0xb5,0xbd,0xb8,0xf5,0x93,0xf7,0x51,0x0e,0x92,0x1f,0x06,0xbf,0xa6,
+	0xd9,0x1d,0xae,0xa3,0x16,0x0d,0x0f,0xc9,0xd5,0x97,0x90,0x46,0xf1,0x98,0xa8,0x18,
+	0x07,0xba,0xcf,0x91,0x8e,0x07,0xed,0x88,0xa0,0x07,0x06,0x05,0x2b,0x81,0x04,0x00,
+	0x22,0xa1,0x64,0x03,0x62,0x00,0x04,0xd6,0xba,0xe1,0xf0,0x09,0x22,0x21,0x12,0x69,
+	0xed,0x0e,0xd5,0x02,0x8c,0xb8,0x52,0xbb,0x57,0x68,0x0e,0xf3,0xdb,0xb9,0xb1,0xee,
+	0x9c,0x67,0xa0,0xb8,0xdc,0x13,0x1e,0x5b,0x44,0x71,0x04,0xef,0x4e,0xe3,0xdd,0xf4,
+	0xa6,0xc3,0xba,0x77,0x53,0xb8,0x28,0x5f,0xd2,0x97,0x05,0xa3,0x5b,0xe6,0xde,0x0a,
+	0xce,0x11,0xa8,0xaf,0x02,0xbd,0xfa,0x17,0xf9,0xa7,0x38,0x3e,0x5b,0x57,0xb0,0x01,
+	0xb3,0xc6,0x09,0x29,0x65,0xae,0xfb,0x87,0x92,0xa3,0xd7,0x3d,0x9a,0x1c,0x52,0x09,
+	0xb1,0x47,0xc8,0xf6,0x18,0xbb,0x97,
+};
+
+/**
+ * TLS certificate for RSA key
+ */
+static char rsa_crt[] = {
+	0x30,0x82,0x03,0x1f,0x30,0x82,0x02,0x07,0xa0,0x03,0x02,0x01,0x02,0x02,0x09,0x00,
+	0xf0,0xbb,0xac,0xc3,0xa1,0x6b,0xf3,0x1c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,
+	0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x34,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,
+	0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0a,0x13,
+	0x0a,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31,0x10,0x30,0x0e,0x06,
+	0x03,0x55,0x04,0x03,0x13,0x07,0x74,0x6c,0x73,0x2d,0x72,0x73,0x61,0x30,0x1e,0x17,
+	0x0d,0x31,0x34,0x30,0x33,0x32,0x34,0x31,0x36,0x32,0x37,0x32,0x36,0x5a,0x17,0x0d,
+	0x31,0x37,0x30,0x33,0x32,0x33,0x31,0x36,0x32,0x37,0x32,0x36,0x5a,0x30,0x34,0x31,
+	0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13,0x30,0x11,
+	0x06,0x03,0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,
+	0x6e,0x31,0x10,0x30,0x0e,0x06,0x03,0x55,0x04,0x03,0x13,0x07,0x74,0x6c,0x73,0x2d,
+	0x72,0x73,0x61,0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,
+	0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,
+	0x82,0x01,0x01,0x00,0xee,0xa3,0x28,0xcc,0x48,0xca,0x37,0xfc,0xb6,0xfa,0xfc,0x18,
+	0x0d,0xa2,0x28,0x44,0xb4,0x16,0x56,0xf7,0x97,0x5f,0x38,0x83,0xfc,0xd4,0x30,0xea,
+	0xf7,0x5e,0xaa,0xd4,0x21,0x0e,0x71,0x49,0x13,0x39,0xaf,0x89,0xa1,0x1d,0x1b,0x9a,
+	0x08,0x44,0xff,0x0b,0xeb,0x4b,0xad,0x8e,0xc4,0x6d,0x1e,0x0c,0x02,0xbb,0x17,0x59,
+	0xc7,0x66,0xc7,0xff,0x4c,0x3c,0x11,0x40,0x1a,0xe3,0xca,0x34,0xf8,0x41,0xe0,0x39,
+	0x3e,0xce,0x72,0x9f,0x56,0x9e,0x69,0xad,0x98,0x43,0x5f,0x35,0xc2,0xd0,0xd9,0xbc,
+	0x8b,0xed,0xc6,0xc7,0x74,0x73,0x74,0x30,0x92,0x86,0x39,0x26,0x3d,0xf1,0xd5,0x16,
+	0x45,0x7d,0xcc,0x90,0x54,0xff,0x44,0x74,0xf3,0xba,0x41,0x5c,0x58,0xa4,0x66,0xe6,
+	0x9d,0x58,0xbe,0x7e,0x89,0xe1,0x7c,0xf7,0x28,0xb0,0xde,0xe2,0x01,0x0a,0x89,0xc7,
+	0x63,0x3f,0xef,0x2b,0xcb,0xef,0x65,0x89,0x82,0x23,0x32,0xa7,0xa3,0x1c,0x0d,0xc6,
+	0x8f,0x76,0x59,0x8b,0x55,0x65,0x9c,0x91,0xd4,0x93,0x89,0xad,0x37,0x47,0x23,0x25,
+	0xb3,0x53,0xea,0xef,0x73,0xeb,0x97,0xd3,0xd7,0x74,0x38,0x73,0x8d,0x16,0x0d,0x6f,
+	0xae,0x59,0x33,0x4e,0x24,0xe9,0x52,0xf6,0x6f,0x8c,0x5c,0x13,0xcf,0x1d,0x0a,0xcc,
+	0xb7,0x6a,0x88,0xce,0x91,0xe2,0xe0,0xcb,0xc6,0xd2,0xfb,0x81,0xf6,0xd2,0x9f,0x0a,
+	0x82,0x70,0x80,0xbf,0x93,0x70,0xc0,0x57,0x23,0x6e,0x97,0x1c,0x9d,0x7d,0xf0,0xa3,
+	0x54,0x86,0xec,0x40,0xae,0x09,0x20,0xed,0x02,0x43,0xa3,0xf8,0x7e,0x0e,0x5b,0xd0,
+	0x22,0x7b,0x74,0x39,0x02,0x03,0x01,0x00,0x01,0xa3,0x34,0x30,0x32,0x30,0x1f,0x06,
+	0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x96,0x0e,0xc8,0xd3,0xb3,0x3f,
+	0xd1,0x11,0xb6,0x36,0x70,0xdb,0x37,0x98,0x3c,0xab,0x69,0x03,0x69,0x56,0x30,0x0f,
+	0x06,0x03,0x55,0x1d,0x11,0x04,0x08,0x30,0x06,0x87,0x04,0x7f,0x00,0x00,0x01,0x30,
+	0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,
+	0x01,0x01,0x00,0x94,0x1d,0x08,0xda,0x7b,0xc4,0xa3,0xf4,0x40,0x54,0xae,0x45,0x6a,
+	0xb3,0x62,0xb6,0x0b,0x35,0xc7,0x5f,0xed,0xb9,0x42,0x33,0xd5,0x32,0x80,0x23,0x76,
+	0x87,0xae,0x59,0xbb,0x77,0x00,0xc4,0xbf,0x60,0x3b,0x9b,0x04,0x46,0x52,0xde,0x9f,
+	0x16,0xc6,0x96,0x5e,0x7a,0xb5,0xbb,0x49,0x6a,0x89,0x4a,0x60,0x0b,0x85,0x15,0xec,
+	0xbb,0x83,0x79,0x01,0xfa,0x3c,0xd5,0x1e,0x6a,0x75,0xe7,0x93,0xc9,0xc4,0xbb,0xea,
+	0xad,0xa2,0x23,0x32,0xc5,0x57,0x4c,0x41,0xb2,0x41,0x91,0x53,0x5e,0xaf,0x98,0x83,
+	0xcb,0x6b,0xa8,0x2f,0xc8,0x06,0x16,0x18,0x5a,0x75,0xe1,0xee,0xac,0xc0,0x28,0x08,
+	0x0a,0x09,0xd1,0x03,0xba,0x65,0xf1,0x89,0xcc,0x63,0x6f,0xb2,0x70,0xdc,0x46,0x2b,
+	0x62,0x5b,0x64,0xd4,0x7a,0xc4,0x12,0xe2,0x88,0x3a,0x54,0x0a,0xf5,0x1e,0x1c,0x9e,
+	0x9a,0xb2,0x62,0xf9,0xd3,0x02,0xf0,0xc1,0xf0,0x7b,0x4d,0xf3,0x44,0xd8,0x3c,0x13,
+	0x1d,0xfc,0x78,0xa3,0x54,0x68,0xce,0x43,0x31,0x78,0x58,0x2f,0x5d,0xb8,0xa7,0xff,
+	0x54,0xae,0x6e,0x25,0xd7,0x40,0x6c,0x59,0x7b,0x5f,0x18,0x31,0xe9,0xfc,0x53,0x34,
+	0xb2,0xb0,0x18,0xd4,0x2c,0x85,0x9d,0xad,0x2d,0xd2,0x05,0x5d,0x2e,0x47,0xee,0x09,
+	0x3d,0x05,0x2e,0x46,0x66,0xea,0x09,0xb2,0x81,0xd3,0x9b,0x28,0xbf,0xf9,0x9c,0x54,
+	0x98,0xb7,0x2d,0x38,0xd8,0xae,0x03,0x70,0xae,0x1e,0xd4,0xa9,0xb7,0x2e,0xdb,0x02,
+	0x6a,0x84,0x0f,0x6c,0xe8,0xb8,0x25,0x73,0x84,0x13,0x9f,0x34,0x24,0xb8,0xfc,0x96,
+	0x4c,0x91,0xfa,
+};
+
+/**
+ * TLS certificate for ECDSA key
+ */
+static char ecdsa_crt[] = {
+	0x30,0x82,0x01,0xd3,0x30,0x82,0x01,0x59,0xa0,0x03,0x02,0x01,0x02,0x02,0x09,0x00,
+	0xaa,0x92,0xf5,0x39,0x85,0xf5,0xd5,0xa3,0x30,0x09,0x06,0x07,0x2a,0x86,0x48,0xce,
+	0x3d,0x04,0x01,0x30,0x36,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,
+	0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,0x72,
+	0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x03,
+	0x13,0x09,0x74,0x6c,0x73,0x2d,0x65,0x63,0x64,0x73,0x61,0x30,0x1e,0x17,0x0d,0x31,
+	0x34,0x30,0x33,0x32,0x34,0x31,0x36,0x32,0x39,0x33,0x34,0x5a,0x17,0x0d,0x31,0x37,
+	0x30,0x33,0x32,0x33,0x31,0x36,0x32,0x39,0x33,0x34,0x5a,0x30,0x36,0x31,0x0b,0x30,
+	0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03,
+	0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31,
+	0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x03,0x13,0x09,0x74,0x6c,0x73,0x2d,0x65,0x63,
+	0x64,0x73,0x61,0x30,0x76,0x30,0x10,0x06,0x07,0x2a,0x86,0x48,0xce,0x3d,0x02,0x01,
+	0x06,0x05,0x2b,0x81,0x04,0x00,0x22,0x03,0x62,0x00,0x04,0xd6,0xba,0xe1,0xf0,0x09,
+	0x22,0x21,0x12,0x69,0xed,0x0e,0xd5,0x02,0x8c,0xb8,0x52,0xbb,0x57,0x68,0x0e,0xf3,
+	0xdb,0xb9,0xb1,0xee,0x9c,0x67,0xa0,0xb8,0xdc,0x13,0x1e,0x5b,0x44,0x71,0x04,0xef,
+	0x4e,0xe3,0xdd,0xf4,0xa6,0xc3,0xba,0x77,0x53,0xb8,0x28,0x5f,0xd2,0x97,0x05,0xa3,
+	0x5b,0xe6,0xde,0x0a,0xce,0x11,0xa8,0xaf,0x02,0xbd,0xfa,0x17,0xf9,0xa7,0x38,0x3e,
+	0x5b,0x57,0xb0,0x01,0xb3,0xc6,0x09,0x29,0x65,0xae,0xfb,0x87,0x92,0xa3,0xd7,0x3d,
+	0x9a,0x1c,0x52,0x09,0xb1,0x47,0xc8,0xf6,0x18,0xbb,0x97,0xa3,0x34,0x30,0x32,0x30,
+	0x1f,0x06,0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x4f,0x1e,0x5d,0x94,
+	0x85,0xe2,0xbc,0x86,0x0e,0x80,0xce,0x17,0x92,0x42,0xb4,0xb8,0x19,0x67,0xb8,0xfe,
+	0x30,0x0f,0x06,0x03,0x55,0x1d,0x11,0x04,0x08,0x30,0x06,0x87,0x04,0x7f,0x00,0x00,
+	0x01,0x30,0x09,0x06,0x07,0x2a,0x86,0x48,0xce,0x3d,0x04,0x01,0x03,0x69,0x00,0x30,
+	0x66,0x02,0x31,0x00,0xdc,0x6e,0x3b,0xe4,0x9f,0x36,0xa5,0xa8,0x88,0x8d,0xcf,0x2d,
+	0xa1,0x6e,0x33,0x68,0x73,0xd6,0x6a,0xd6,0x1d,0x00,0xe5,0x5c,0x76,0x09,0x5e,0xe9,
+	0x7a,0x3a,0x00,0x5e,0xbc,0xef,0x0d,0x8d,0x95,0x5c,0x2b,0xfc,0xa4,0xe3,0xe3,0xcf,
+	0x74,0x95,0x00,0x21,0x02,0x31,0x00,0x8f,0x40,0x3e,0xfc,0xe9,0xae,0x17,0x9b,0x36,
+	0x39,0xe2,0x79,0xa5,0x7b,0x5d,0xe3,0xe0,0x84,0x68,0x7e,0x00,0x57,0xbe,0x4d,0xe3,
+	0x0e,0xff,0x20,0x9c,0xce,0xd1,0x43,0x76,0x00,0x6e,0x59,0x7b,0xac,0x94,0x05,0xef,
+	0xed,0xca,0x8b,0xe5,0x7f,0xa5,0xd7,
+};
+
+START_SETUP(setup_creds)
+{
+	private_key_t *key;
+	certificate_t *cert;
+
+	creds = mem_cred_create();
+
+	key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+							 BUILD_BLOB, chunk_from_thing(rsa), BUILD_END);
+	if (key)
+	{
+		creds->add_key(creds, key);
+	}
+	key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+							 BUILD_BLOB, chunk_from_thing(ecdsa), BUILD_END);
+	if (key)
+	{
+		creds->add_key(creds, key);
+	}
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							  BUILD_BLOB, chunk_from_thing(rsa_crt), BUILD_END);
+	if (cert)
+	{
+		creds->add_cert(creds, TRUE, cert);
+	}
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							  BUILD_BLOB, chunk_from_thing(ecdsa_crt), BUILD_END);
+	if (cert)
+	{
+		creds->add_cert(creds, TRUE, cert);
+	}
+
+	lib->credmgr->add_set(lib->credmgr, &creds->set);
+}
+END_SETUP
+
+START_TEARDOWN(teardown_creds)
+{
+	lib->credmgr->remove_set(lib->credmgr, &creds->set);
+	creds->destroy(creds);
+}
+END_TEARDOWN
+
+/**
+ * Configuration for an echo server
+ */
+typedef struct {
+	tls_version_t version;
+	u_int16_t port;
+	char *addr;
+	chunk_t data;
+	int fd;
+	bool cauth;
+} echo_server_config_t;
+
+/**
+ * Run an echo server
+ */
+static job_requeue_t serve_echo(echo_server_config_t *config)
+{
+	tls_socket_t *tls;
+	int sfd, cfd;
+	identification_t *server, *client = NULL;
+	ssize_t len, total, done;
+	char buf[128];
+
+	server = identification_create_from_string(config->addr);
+	if (config->cauth)
+	{
+		client = server;
+	}
+	sfd = config->fd;
+	while (TRUE)
+	{
+		cfd = accept(sfd, NULL, NULL);
+		if (cfd < 0)
+		{
+			break;
+		}
+
+		tls = tls_socket_create(TRUE, server, client, cfd, NULL,
+								config->version, TRUE);
+		ck_assert(tls != NULL);
+
+		while (TRUE)
+		{
+			len = tls->read(tls, buf, sizeof(buf), TRUE);
+			if (len <= 0)
+			{
+				break;
+			}
+			total = 0;
+			while (total < len)
+			{
+				done = tls->write(tls, buf + total, len - total);
+				ck_assert_msg(done > 0, "%s", strerror(errno));
+				total += done;
+			}
+		}
+
+		tls->destroy(tls);
+		close(cfd);
+	}
+	server->destroy(server);
+
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Start a echo server using config
+ */
+static void start_echo_server(echo_server_config_t *config)
+{
+	host_t *host;
+	int on = 1;
+
+	host = host_create_from_string(config->addr, config->port);
+
+	config->fd = socket(AF_INET, SOCK_STREAM, 0);
+	ck_assert(config->fd != -1);
+	ck_assert(setsockopt(config->fd, SOL_SOCKET, SO_REUSEADDR,
+						 (void*)&on, sizeof(on)) != -1);
+	ck_assert_msg(bind(config->fd, host->get_sockaddr(host),
+				  *host->get_sockaddr_len(host)) != -1, "%s", strerror(errno));
+	host->destroy(host);
+	ck_assert(listen(config->fd, 1) != -1);
+
+	lib->processor->set_threads(lib->processor, 8);
+
+	lib->processor->queue_job(lib->processor, (job_t*)
+				callback_job_create((void*)serve_echo, config, NULL, NULL));
+}
+
+/**
+ * Run client to perform echo test
+ */
+static void run_echo_client(echo_server_config_t *config)
+{
+	tls_socket_t *tls;
+	ssize_t len, rd, wr;
+	int fd;
+	host_t *host;
+	identification_t *server, *client = NULL;
+	char buf[128];
+
+	host = host_create_from_string(config->addr, config->port);
+	server = identification_create_from_string(config->addr);
+	if (config->cauth)
+	{
+		client = server;
+	}
+
+	fd = socket(AF_INET, SOCK_STREAM, 0);
+	ck_assert(fd != -1);
+	ck_assert(connect(fd, host->get_sockaddr(host),
+					  *host->get_sockaddr_len(host)) != -1);
+	tls = tls_socket_create(FALSE, server, client, fd, NULL,
+							config->version, TRUE);
+	ck_assert(tls != NULL);
+
+	wr = rd = 0;
+	while (rd < config->data.len)
+	{
+		len = tls->write(tls, config->data.ptr + wr, config->data.len - wr);
+		ck_assert(len >= 0);
+		wr += len;
+
+		len = tls->read(tls, buf, sizeof(buf), FALSE);
+		if (len == -1 && errno == EWOULDBLOCK)
+		{
+			continue;
+		}
+		if (len == 0)
+		{
+			ck_assert_int_eq(rd, config->data.len);
+			break;
+		}
+		ck_assert(len > 0);
+		ck_assert(rd + len <= config->data.len);
+		ck_assert(memeq(buf, config->data.ptr + rd, len));
+		rd += len;
+	}
+
+	tls->destroy(tls);
+	close(fd);
+	host->destroy(host);
+	server->destroy(server);
+}
+
+/**
+ * Common test wrapper function for different test variants
+ */
+static void test_tls(tls_version_t version, u_int16_t port, bool cauth, u_int i)
+{
+	echo_server_config_t *config;
+	tls_cipher_suite_t *suites;
+	char suite[128];
+	int count;
+
+	INIT(config,
+		.version = version,
+		.addr = "127.0.0.1",
+		.port = port,
+		.cauth = cauth,
+		.data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08),
+	);
+
+	start_echo_server(config);
+
+	count = tls_crypto_get_supported_suites(TRUE, &suites);
+
+	ck_assert(i < count);
+	snprintf(suite, sizeof(suite), "%N", tls_cipher_suite_names, suites[i]);
+	lib->settings->set_str(lib->settings, "%s.tls.suites", suite, lib->ns);
+
+	run_echo_client(config);
+
+	free(suites);
+
+	shutdown(config->fd, SHUT_RDWR);
+	close(config->fd);
+
+	free(config);
+}
+
+START_TEST(test_tls12)
+{
+	test_tls(TLS_1_2, 5671, FALSE, _i);
+}
+END_TEST
+
+START_TEST(test_tls12_mutual)
+{
+	test_tls(TLS_1_2, 5672, TRUE, _i);
+}
+END_TEST
+
+START_TEST(test_tls11)
+{
+	test_tls(TLS_1_1, 5673, FALSE, _i);
+}
+END_TEST
+
+START_TEST(test_tls11_mutual)
+{
+	test_tls(TLS_1_1, 5674, TRUE, _i);
+}
+END_TEST
+
+START_TEST(test_tls10)
+{
+	test_tls(TLS_1_0, 5675, FALSE, _i);
+}
+END_TEST
+
+START_TEST(test_tls10_mutual)
+{
+	test_tls(TLS_1_0, 5676, TRUE, _i);
+}
+END_TEST
+
+Suite *socket_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+	int count;
+
+	count = tls_crypto_get_supported_suites(TRUE, NULL);
+
+	s = suite_create("socket");
+
+	tc = tcase_create("TLS 1.2/anon");
+	tcase_add_checked_fixture(tc, setup_creds, teardown_creds);
+	tcase_add_loop_test(tc, test_tls12, 0, count);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("TLS 1.2/mutl");
+	tcase_add_checked_fixture(tc, setup_creds, teardown_creds);
+	tcase_add_loop_test(tc, test_tls12_mutual, 0, count);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("TLS 1.1/anon");
+	tcase_add_checked_fixture(tc, setup_creds, teardown_creds);
+	tcase_add_loop_test(tc, test_tls11, 0, count);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("TLS 1.1/mutl");
+	tcase_add_checked_fixture(tc, setup_creds, teardown_creds);
+	tcase_add_loop_test(tc, test_tls11_mutual, 0, count);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("TLS 1.0/anon");
+	tcase_add_checked_fixture(tc, setup_creds, teardown_creds);
+	tcase_add_loop_test(tc, test_tls10, 0, count);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("TLS 1.0/mutl");
+	tcase_add_checked_fixture(tc, setup_creds, teardown_creds);
+	tcase_add_loop_test(tc, test_tls10_mutual, 0, count);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
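Review bot: The fields of `echo_server_config_t` are undocumented, and `fd` in particular is not an input: `start_echo_server` fills it with the listening socket and `test_tls` later shuts it down and closes it, which a reader cannot tell from the struct alone; per-field comments such as `int fd; /* listening socket, set by start_echo_server(), closed by the caller */` and `chunk_t data; /* payload the client writes and expects echoed back unchanged */` would fix that. In `run_echo_client` the write loop keeps calling `tls->write()` with a zero-length remainder once `wr` has reached `config->data.len`, and the non-blocking read then spins on EWOULDBLOCK without yielding; guarding the write with `if (wr < config->data.len)` avoids relying on how the socket treats empty writes. The `ck_assert` calls in `serve_echo` run on a processor worker job rather than the test thread, so whether a failure there is reported against the right test presumably depends on the runner's fork mode — a comment on `serve_echo` noting this would help the next maintainer.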
diff --git a/src/libtls/tests/suites/test_suites.c b/src/libtls/tests/suites/test_suites.c
new file mode 100644
index 0000000..f8ae12e
--- /dev/null
+++ b/src/libtls/tests/suites/test_suites.c
@@ -0,0 +1,247 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <test_suite.h>
+
+#include <unistd.h>
+
+#include "tls_crypto.h"
+
+START_TEST(test_cipher_names)
+{
+	char buf[128];
+
+#define CHECK_NAME(x) { \
+	snprintf(buf, sizeof(buf), "%N", tls_cipher_suite_names, x); \
+	ck_assert_str_eq(#x, buf); }
+
+	CHECK_NAME(TLS_NULL_WITH_NULL_NULL);
+	CHECK_NAME(TLS_RSA_WITH_NULL_MD5);
+	CHECK_NAME(TLS_RSA_WITH_NULL_SHA);
+	CHECK_NAME(TLS_RSA_EXPORT_WITH_RC4_40_MD5);
+	CHECK_NAME(TLS_RSA_WITH_RC4_128_MD5);
+	CHECK_NAME(TLS_RSA_WITH_RC4_128_SHA);
+	CHECK_NAME(TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5);
+	CHECK_NAME(TLS_RSA_WITH_IDEA_CBC_SHA);
+	CHECK_NAME(TLS_RSA_EXPORT_WITH_DES40_CBC_SHA);
+	CHECK_NAME(TLS_RSA_WITH_DES_CBC_SHA);
+	CHECK_NAME(TLS_RSA_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA);
+	CHECK_NAME(TLS_DH_DSS_WITH_DES_CBC_SHA);
+	CHECK_NAME(TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA);
+	CHECK_NAME(TLS_DH_RSA_WITH_DES_CBC_SHA);
+	CHECK_NAME(TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA);
+	CHECK_NAME(TLS_DHE_DSS_WITH_DES_CBC_SHA);
+	CHECK_NAME(TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA);
+	CHECK_NAME(TLS_DHE_RSA_WITH_DES_CBC_SHA);
+	CHECK_NAME(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_DH_anon_EXPORT_WITH_RC4_40_MD5);
+	CHECK_NAME(TLS_DH_anon_WITH_RC4_128_MD5);
+	CHECK_NAME(TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA);
+	CHECK_NAME(TLS_DH_anon_WITH_DES_CBC_SHA);
+	CHECK_NAME(TLS_DH_anon_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_KRB5_WITH_DES_CBC_SHA);
+	CHECK_NAME(TLS_KRB5_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_KRB5_WITH_RC4_128_SHA);
+	CHECK_NAME(TLS_KRB5_WITH_IDEA_CBC_SHA);
+	CHECK_NAME(TLS_KRB5_WITH_DES_CBC_MD5);
+	CHECK_NAME(TLS_KRB5_WITH_3DES_EDE_CBC_MD5);
+	CHECK_NAME(TLS_KRB5_WITH_RC4_128_MD5);
+	CHECK_NAME(TLS_KRB5_WITH_IDEA_CBC_MD5);
+	CHECK_NAME(TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA);
+	CHECK_NAME(TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA);
+	CHECK_NAME(TLS_KRB5_EXPORT_WITH_RC4_40_SHA);
+	CHECK_NAME(TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5);
+	CHECK_NAME(TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5);
+	CHECK_NAME(TLS_KRB5_EXPORT_WITH_RC4_40_MD5);
+	CHECK_NAME(TLS_PSK_WITH_NULL_SHA);
+	CHECK_NAME(TLS_DHE_PSK_WITH_NULL_SHA);
+	CHECK_NAME(TLS_RSA_PSK_WITH_NULL_SHA);
+	CHECK_NAME(TLS_RSA_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_DH_DSS_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_DH_RSA_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_DHE_DSS_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_DHE_RSA_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_DH_anon_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_RSA_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_DH_DSS_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_DH_RSA_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_DHE_DSS_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_DHE_RSA_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_DH_anon_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_RSA_WITH_NULL_SHA256);
+	CHECK_NAME(TLS_RSA_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_RSA_WITH_AES_256_CBC_SHA256);
+	CHECK_NAME(TLS_DH_DSS_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_DH_RSA_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_RSA_WITH_CAMELLIA_128_CBC_SHA);
+	CHECK_NAME(TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA);
+	CHECK_NAME(TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA);
+	CHECK_NAME(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA);
+	CHECK_NAME(TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA);
+	CHECK_NAME(TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA);
+	CHECK_NAME(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_DH_DSS_WITH_AES_256_CBC_SHA256);
+	CHECK_NAME(TLS_DH_RSA_WITH_AES_256_CBC_SHA256);
+	CHECK_NAME(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256);
+	CHECK_NAME(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256);
+	CHECK_NAME(TLS_DH_anon_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_DH_anon_WITH_AES_256_CBC_SHA256);
+	CHECK_NAME(TLS_RSA_WITH_CAMELLIA_256_CBC_SHA);
+	CHECK_NAME(TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA);
+	CHECK_NAME(TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA);
+	CHECK_NAME(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA);
+	CHECK_NAME(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA);
+	CHECK_NAME(TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA);
+	CHECK_NAME(TLS_PSK_WITH_RC4_128_SHA);
+	CHECK_NAME(TLS_PSK_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_PSK_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_PSK_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_DHE_PSK_WITH_RC4_128_SHA);
+	CHECK_NAME(TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_DHE_PSK_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_DHE_PSK_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_RSA_PSK_WITH_RC4_128_SHA);
+	CHECK_NAME(TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_RSA_PSK_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_RSA_PSK_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_RSA_WITH_SEED_CBC_SHA);
+	CHECK_NAME(TLS_DH_DSS_WITH_SEED_CBC_SHA);
+	CHECK_NAME(TLS_DH_RSA_WITH_SEED_CBC_SHA);
+	CHECK_NAME(TLS_DHE_DSS_WITH_SEED_CBC_SHA);
+	CHECK_NAME(TLS_DHE_RSA_WITH_SEED_CBC_SHA);
+	CHECK_NAME(TLS_DH_anon_WITH_SEED_CBC_SHA);
+	CHECK_NAME(TLS_RSA_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_RSA_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_DH_RSA_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_DH_RSA_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_DH_DSS_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_DH_DSS_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_DH_anon_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_DH_anon_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_PSK_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_PSK_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_DHE_PSK_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_DHE_PSK_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_RSA_PSK_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_RSA_PSK_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_PSK_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_PSK_WITH_AES_256_CBC_SHA384);
+	CHECK_NAME(TLS_PSK_WITH_NULL_SHA256);
+	CHECK_NAME(TLS_PSK_WITH_NULL_SHA384);
+	CHECK_NAME(TLS_DHE_PSK_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_DHE_PSK_WITH_AES_256_CBC_SHA384);
+	CHECK_NAME(TLS_DHE_PSK_WITH_NULL_SHA256);
+	CHECK_NAME(TLS_DHE_PSK_WITH_NULL_SHA384);
+	CHECK_NAME(TLS_RSA_PSK_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_RSA_PSK_WITH_AES_256_CBC_SHA384);
+	CHECK_NAME(TLS_RSA_PSK_WITH_NULL_SHA256);
+	CHECK_NAME(TLS_RSA_PSK_WITH_NULL_SHA384);
+	CHECK_NAME(TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256);
+	CHECK_NAME(TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256);
+	CHECK_NAME(TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256);
+	CHECK_NAME(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256);
+	CHECK_NAME(TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256);
+	CHECK_NAME(TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256);
+	CHECK_NAME(TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256);
+	CHECK_NAME(TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256);
+	CHECK_NAME(TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256);
+	CHECK_NAME(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256);
+	CHECK_NAME(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256);
+	CHECK_NAME(TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256);
+	CHECK_NAME(TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
+	CHECK_NAME(TLS_ECDH_ECDSA_WITH_NULL_SHA);
+	CHECK_NAME(TLS_ECDH_ECDSA_WITH_RC4_128_SHA);
+	CHECK_NAME(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_ECDHE_ECDSA_WITH_NULL_SHA);
+	CHECK_NAME(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA);
+	CHECK_NAME(TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_ECDH_RSA_WITH_NULL_SHA);
+	CHECK_NAME(TLS_ECDH_RSA_WITH_RC4_128_SHA);
+	CHECK_NAME(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_ECDHE_RSA_WITH_NULL_SHA);
+	CHECK_NAME(TLS_ECDHE_RSA_WITH_RC4_128_SHA);
+	CHECK_NAME(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_ECDH_anon_WITH_NULL_SHA);
+	CHECK_NAME(TLS_ECDH_anon_WITH_RC4_128_SHA);
+	CHECK_NAME(TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_ECDH_anon_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_ECDH_anon_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_SRP_SHA_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_SRP_SHA_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384);
+	CHECK_NAME(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384);
+	CHECK_NAME(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384);
+	CHECK_NAME(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384);
+	CHECK_NAME(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256);
+	CHECK_NAME(TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384);
+	CHECK_NAME(TLS_ECDHE_PSK_WITH_RC4_128_SHA);
+	CHECK_NAME(TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA);
+	CHECK_NAME(TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA);
+	CHECK_NAME(TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA);
+	CHECK_NAME(TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256);
+	CHECK_NAME(TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384);
+	CHECK_NAME(TLS_ECDHE_PSK_WITH_NULL_SHA);
+	CHECK_NAME(TLS_ECDHE_PSK_WITH_NULL_SHA256);
+	CHECK_NAME(TLS_ECDHE_PSK_WITH_NULL_SHA384);
+}
+END_TEST
+
+Suite *suites_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("suites");
+
+	tc = tcase_create("cipher-names");
+	tcase_add_test(tc, test_cipher_names);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
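Review bot: `CHECK_NAME` is defined inside the body of `test_cipher_names` and never undefined, so it remains visible to anything added to this file below it; an `#undef CHECK_NAME` before the test's closing brace keeps the helper local to the test. The macro also only exercises the enum-to-string direction of `tls_cipher_suite_names`, which a one-line comment above the `#define` should state, e.g. `/* render each suite via the %N handler and compare with its enumerator name */`.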
diff --git a/src/libtls/tests/tls_tests.c b/src/libtls/tests/tls_tests.c
new file mode 100644
index 0000000..2c2c5ba
--- /dev/null
+++ b/src/libtls/tests/tls_tests.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <test_runner.h>
+
+/* declare test suite constructors */
+#define TEST_SUITE(x) test_suite_t* x();
+#define TEST_SUITE_DEPEND(x, ...) TEST_SUITE(x)
+#include "tls_tests.h"
+#undef TEST_SUITE
+#undef TEST_SUITE_DEPEND
+
+static test_configuration_t tests[] = {
+#define TEST_SUITE(x) \
+	{ .suite = x, },
+#define TEST_SUITE_DEPEND(x, type, args) \
+	{ .suite = x, .feature = PLUGIN_DEPENDS(type, args) },
+#include "tls_tests.h"
+	{ .suite = NULL, }
+};
+
+static bool test_runner_init(bool init)
+{
+	if (init)
+	{
+		plugin_loader_add_plugindirs(PLUGINDIR, PLUGINS);
+		if (!lib->plugins->load(lib->plugins, PLUGINS))
+		{
+			return FALSE;
+		}
+	}
+	else
+	{
+		lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
+		lib->processor->set_threads(lib->processor, 0);
+		lib->processor->cancel(lib->processor);
+		lib->plugins->unload(lib->plugins);
+	}
+	return TRUE;
+}
+
+int main(int argc, char *argv[])
+{
+	return test_runner_run("libtls", tests, test_runner_init);
+}
diff --git a/src/pki/pki.h b/src/libtls/tests/tls_tests.h
similarity index 58%
copy from src/pki/pki.h
copy to src/libtls/tests/tls_tests.h
index 09c50c6..489b2dd 100644
--- a/src/pki/pki.h
+++ b/src/libtls/tests/tls_tests.h
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -13,24 +13,5 @@
  * for more details.
  */
 
-/**
- * @defgroup pki pki
- *
- * @addtogroup pki
- * @{
- */
-
-#ifndef PKI_H_
-#define PKI_H_
-
-#include "command.h"
-
-#include <library.h>
-#include <credentials/keys/private_key.h>
-
-/**
- * Convert a form string to a encoding type
- */
-bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type);
-
-#endif /** PKI_H_ @}*/
+TEST_SUITE(socket_suite_create)
+TEST_SUITE(suites_suite_create)
diff --git a/src/libtls/tls.c b/src/libtls/tls.c
index 6b51e75..6e29558 100644
--- a/src/libtls/tls.c
+++ b/src/libtls/tls.c
@@ -218,14 +218,7 @@ METHOD(tls_t, process, status_t,
 	{
 		if (this->input.len == 0)
 		{
-			if (buflen < sizeof(tls_record_t))
-			{
-				DBG2(DBG_TLS, "received incomplete TLS record header");
-				memcpy(&this->head, buf, buflen);
-				this->headpos = buflen;
-				break;
-			}
-			while (TRUE)
+			while (buflen >= sizeof(tls_record_t))
 			{
 				/* try to process records inline */
 				record = buf;
@@ -252,6 +245,13 @@ METHOD(tls_t, process, status_t,
 					return NEED_MORE;
 				}
 			}
+			if (buflen < sizeof(tls_record_t))
+			{
+				DBG2(DBG_TLS, "received incomplete TLS record header");
+				memcpy(&this->head, buf, buflen);
+				this->headpos = buflen;
+				break;
+			}
 		}
 		len = min(buflen, this->input.len - this->inpos);
 		memcpy(this->input.ptr + this->inpos, buf, len);
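Review bot: The relocated check `if (buflen < sizeof(tls_record_t))` now also runs when the inline loop above has consumed the whole buffer, so with buflen == 0 it logs "received incomplete TLS record header" and copies zero bytes into this->head although nothing is pending. Whether that state is reachable depends on how the loop body advances buf and buflen, which is outside this hunk; if it is, a guard such as `if (buflen == 0) { break; }` ahead of the check, or logging only when `buflen > 0`, keeps the debug trace accurate. The enclosing process() method begins and ends outside the hunk.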
@@ -447,6 +447,7 @@ tls_t *tls_create(bool is_server, identification_t *server,
 		case TLS_PURPOSE_EAP_TTLS:
 		case TLS_PURPOSE_EAP_PEAP:
 		case TLS_PURPOSE_GENERIC:
+		case TLS_PURPOSE_GENERIC_NULLOK:
 			break;
 		default:
 			return NULL;
diff --git a/src/libtls/tls.h b/src/libtls/tls.h
index db332fb..fc1d9b9 100644
--- a/src/libtls/tls.h
+++ b/src/libtls/tls.h
@@ -107,6 +107,8 @@ enum tls_purpose_t {
 	TLS_PURPOSE_EAP_PEAP,
 	/** non-EAP TLS */
 	TLS_PURPOSE_GENERIC,
+	/** non-EAP TLS accepting NULL encryption */
+	TLS_PURPOSE_GENERIC_NULLOK,
 	/** EAP binding for TNC */
 	TLS_PURPOSE_EAP_TNC
 };
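Review bot: The comment on the new `TLS_PURPOSE_GENERIC_NULLOK` value says only "accepting NULL encryption"; since NULL-encryption suites provide integrity without confidentiality, the comment should spell that out for callers selecting a purpose, e.g. `/** non-EAP TLS that also accepts NULL-encryption suites (integrity only, no confidentiality) */`. Inserting the value before TLS_PURPOSE_EAP_TNC also changes that constant's numeric value, which only matters if tls_purpose_t values are ever stored or passed across a library boundary; worth confirming there is no such use.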
diff --git a/src/libtls/tls_aead.c b/src/libtls/tls_aead.c
new file mode 100644
index 0000000..1d0779d
--- /dev/null
+++ b/src/libtls/tls_aead.c
@@ -0,0 +1,217 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_aead.h"
+
+#include <crypto/iv/iv_gen_rand.h>
+
+typedef struct private_tls_aead_t private_tls_aead_t;
+
+/**
+ * Private data of an tls_aead_t object.
+ */
+struct private_tls_aead_t {
+
+	/**
+	 * Public tls_aead_t interface.
+	 */
+	tls_aead_t public;
+
+	/**
+	 * AEAD transform
+	 */
+	aead_t *aead;
+
+	/**
+	 * Size of salt, the implicit nonce
+	 */
+	size_t salt;
+};
+
+/**
+ * Associated header data to create signature over
+ */
+typedef struct __attribute__((__packed__)) {
+	u_int64_t seq;
+	u_int8_t type;
+	u_int16_t version;
+	u_int16_t length;
+} sigheader_t;
+
+METHOD(tls_aead_t, encrypt, bool,
+	private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
+	u_int64_t seq, chunk_t *data)
+{
+	chunk_t assoc, encrypted, iv, plain;
+	u_int8_t icvlen;
+	sigheader_t hdr;
+	iv_gen_t *gen;
+
+	gen = this->aead->get_iv_gen(this->aead);
+	iv.len = this->aead->get_iv_size(this->aead);
+	icvlen = this->aead->get_icv_size(this->aead);
+
+	encrypted = chunk_alloc(iv.len + data->len + icvlen);
+	iv.ptr = encrypted.ptr;
+	if (!gen->get_iv(gen, seq, iv.len, iv.ptr))
+	{
+		chunk_free(&encrypted);
+		return FALSE;
+	}
+	memcpy(encrypted.ptr + iv.len, data->ptr, data->len);
+	plain = chunk_skip(encrypted, iv.len);
+	plain.len -= icvlen;
+
+	hdr.type = type;
+	htoun64(&hdr.seq, seq);
+	htoun16(&hdr.version, version);
+	htoun16(&hdr.length, plain.len);
+
+	assoc = chunk_from_thing(hdr);
+	if (!this->aead->encrypt(this->aead, plain, assoc, iv, NULL))
+	{
+		return FALSE;
+	}
+	chunk_free(data);
+	*data = encrypted;
+	return TRUE;
+}
+
+METHOD(tls_aead_t, decrypt, bool,
+	private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
+	u_int64_t seq, chunk_t *data)
+{
+	chunk_t assoc, iv;
+	u_int8_t icvlen;
+	sigheader_t hdr;
+
+	iv.len = this->aead->get_iv_size(this->aead);
+	if (data->len < iv.len)
+	{
+		return FALSE;
+	}
+	iv.ptr = data->ptr;
+	*data = chunk_skip(*data, iv.len);
+	icvlen = this->aead->get_icv_size(this->aead);
+	if (data->len < icvlen)
+	{
+		return FALSE;
+	}
+
+	hdr.type = type;
+	htoun64(&hdr.seq, seq);
+	htoun16(&hdr.version, version);
+	htoun16(&hdr.length, data->len - icvlen);
+
+	assoc = chunk_from_thing(hdr);
+	if (!this->aead->decrypt(this->aead, *data, assoc, iv, NULL))
+	{
+		return FALSE;
+	}
+	data->len -= icvlen;
+	return TRUE;
+}
+
+METHOD(tls_aead_t, get_mac_key_size, size_t,
+	private_tls_aead_t *this)
+{
+	return 0;
+}
+
+METHOD(tls_aead_t, get_encr_key_size, size_t,
+	private_tls_aead_t *this)
+{
+	return this->aead->get_key_size(this->aead) - this->salt;
+}
+
+METHOD(tls_aead_t, get_iv_size, size_t,
+	private_tls_aead_t *this)
+{
+	return this->salt;
+}
+
+METHOD(tls_aead_t, set_keys, bool,
+	private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv)
+{
+	chunk_t key;
+
+	if (mac.len)
+	{
+		return FALSE;
+	}
+	key = chunk_cata("cc", encr, iv);
+	return this->aead->set_key(this->aead, key);
+}
+
+METHOD(tls_aead_t, destroy, void,
+	private_tls_aead_t *this)
+{
+	this->aead->destroy(this->aead);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_aead_t *tls_aead_create_aead(encryption_algorithm_t encr, size_t encr_size)
+{
+	private_tls_aead_t *this;
+	size_t salt;
+
+	switch (encr)
+	{
+		case ENCR_AES_GCM_ICV8:
+		case ENCR_AES_GCM_ICV12:
+		case ENCR_AES_GCM_ICV16:
+		case ENCR_AES_CCM_ICV8:
+		case ENCR_AES_CCM_ICV12:
+		case ENCR_AES_CCM_ICV16:
+		case ENCR_CAMELLIA_CCM_ICV8:
+		case ENCR_CAMELLIA_CCM_ICV12:
+		case ENCR_CAMELLIA_CCM_ICV16:
+			salt = 4;
+			break;
+		default:
+			return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.encrypt = _encrypt,
+			.decrypt = _decrypt,
+			.get_mac_key_size = _get_mac_key_size,
+			.get_encr_key_size = _get_encr_key_size,
+			.get_iv_size = _get_iv_size,
+			.set_keys = _set_keys,
+			.destroy = _destroy,
+		},
+		.aead = lib->crypto->create_aead(lib->crypto, encr, encr_size, salt),
+		.salt = salt,
+	);
+
+	if (!this->aead)
+	{
+		free(this);
+		return NULL;
+	}
+
+	if (this->aead->get_block_size(this->aead) != 1)
+	{	/* TLS does not define any padding scheme for AEAD */
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
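Review bot: In encrypt(), the failure branch after `this->aead->encrypt(this->aead, plain, assoc, iv, NULL)` returns without releasing the buffer allocated a few lines earlier with `chunk_alloc(iv.len + data->len + icvlen)`, while the get_iv() failure branch does free it; add `chunk_free(&encrypted);` before that `return FALSE;`. In decrypt(), `*data = chunk_skip(*data, iv.len)` rewrites the caller's chunk before the later failure returns, so a caller that frees data->ptr after a FALSE result would free an interior pointer; tls_aead.h does not say who owns data on failure, so either document that or defer the skip until the ICV check has passed (tls_aead_expl.c decrypt() has the same pattern). The `#include <crypto/iv/iv_gen_rand.h>` appears unused in this file, since the IV generator is obtained from the aead_t itself.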
diff --git a/src/libtls/tls_aead.h b/src/libtls/tls_aead.h
new file mode 100644
index 0000000..1d5ba92
--- /dev/null
+++ b/src/libtls/tls_aead.h
@@ -0,0 +1,156 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_aead tls_aead
+ * @{ @ingroup tls
+ */
+
+#ifndef TLS_AEAD_H_
+#define TLS_AEAD_H_
+
+typedef struct tls_aead_t tls_aead_t;
+
+#include "tls.h"
+
+/**
+ * TLS specific AEAD interface, includes padding.
+ *
+ * As TLS uses sign-then-encrypt instead of the more modern encrypt-then-sign,
+ * we can't directly abstract traditional transforms using our aead_t interface.
+ * With traditional transforms, the AEAD operation has to manage padding, as
+ * the MAC is calculated over unpadded data.
+ */
+struct tls_aead_t {
+
+	/**
+	 * Encrypt and sign a TLS record.
+	 *
+	 * The plain data chunk gets freed on success, and the data chunk
+	 * gets updated with a new allocation of the encrypted data.
+	 * If next_iv is given, it must contain the IV for this operation. It
+	 * gets updated to the IV for the next record.
+	 *
+	 * @param version		TLS version
+	 * @param type			TLS content type
+	 * @param seq			record sequence number
+	 * @param data			data to encrypt, encryption result
+	 * @return				TRUE if successfully encrypted
+	 */
+	bool (*encrypt)(tls_aead_t *this, tls_version_t version,
+					tls_content_type_t type, u_int64_t seq, chunk_t *data);
+
+	/**
+	 * Decrypt and verify a TLS record.
+	 *
+	 * The passed encrypted data chunk gets updated to the decrypted record
+	 * length, decryption is done inline.
+	 *
+	 * @param version		TLS version
+	 * @param type			TLS content type
+	 * @param seq			record sequence number
+	 * @param data			data to decrypt, decrypted result
+	 * @return				TRUE if successfully decrypted
+	 */
+	bool (*decrypt)(tls_aead_t *this, tls_version_t version,
+					tls_content_type_t type, u_int64_t seq, chunk_t *data);
+
+	/**
+	 * Get the authentication key size.
+	 *
+	 * @return		key size, in bytes, 0 if not used
+	 */
+	size_t (*get_mac_key_size)(tls_aead_t *this);
+
+	/**
+	 * Get the encrytion key size, if used.
+	 *
+	 * @return		key size, in bytes, 0 if not used
+	 */
+	size_t (*get_encr_key_size)(tls_aead_t *this);
+
+	/**
+	 * Get the size of implicit IV (or AEAD salt), if used.
+	 *
+	 * @return		IV/salt size, in bytes, 0 if not used
+	 */
+	size_t (*get_iv_size)(tls_aead_t *this);
+
+	/**
+	 * Set the keys used by an AEAD transform.
+	 *
+	 * @param mac		authentication key, if used
+	 * @param encr		encryption key, if used
+	 * @param iv		initial implicit IV or AEAD salt, if any
+	 * @return			TRUE if key valid and set
+	 */
+	bool (*set_keys)(tls_aead_t *this, chunk_t mac, chunk_t ecnr, chunk_t iv);
+
+	/**
+	 * Destroy a tls_aead_t.
+	 */
+	void (*destroy)(tls_aead_t *this);
+};
+
+/**
+ * Create a tls_aead instance using traditional transforms, explicit IV.
+ *
+ * An explicit IV means that the IV is prepended to each TLS record. This is
+ * the mechanism used in TLS 1.1 and newer.
+ *
+ * @param mac			integrity protection algorithm
+ * @param encr			encryption algorithm
+ * @param encr_size		encryption key size, in bytes
+ * @return				TLS AEAD transform
+ */
+tls_aead_t *tls_aead_create_explicit(integrity_algorithm_t mac,
+								encryption_algorithm_t encr, size_t encr_size);
+
+/**
+ * Create a tls_aead instance using traditional transforms, implicit IV.
+ *
+ * An implicit IV uses a first IV derived from the TLS keymat, which then
+ * gets replaced by the last encrypted records tail. This is the mechanism
+ * used for TLS 1.0 and older.
+ *
+ * @param mac			integrity protection algorithm
+ * @param encr			encryption algorithm
+ * @param encr_size		encryption key size, in bytes
+ * @return				TLS AEAD transform
+ */
+tls_aead_t *tls_aead_create_implicit(integrity_algorithm_t mac,
+								encryption_algorithm_t encr, size_t encr_size);
+
+/**
+ * Create a tls_aead instance using NULL encryption.
+ *
+ * As no IV is involved with null encryption, this AEAD works with any
+ * version of TLS.
+ *
+ * @param mac			integrity protection algorithm
+ * @return				TLS AEAD transform
+ */
+tls_aead_t *tls_aead_create_null(integrity_algorithm_t mac);
+
+/**
+ * Create a tls_aead instance using real a AEAD cipher.
+ *
+ * @param encr			AEAD encryption algorithm
+ * @param encr_size		encryption key size, in bytes
+ * @return				TLS AEAD transform
+ */
+tls_aead_t *tls_aead_create_aead(encryption_algorithm_t encr, size_t encr_size);
+
+#endif /** TLS_AEAD_H_ @}*/
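Review bot: The encrypt() documentation says "If next_iv is given, it must contain the IV for this operation. It gets updated to the IV for the next record." but the prototype directly below has no such parameter; drop those two sentences, or replace them with the actual ownership rule for data. Smaller fixes in the same header: `chunk_t ecnr` in the set_keys prototype should read `chunk_t encr` to match its @param, `encrytion` should be `encryption` in the get_encr_key_size comment, and "using real a AEAD cipher" should be "using a real AEAD cipher". It would also help to state what happens to *data when encrypt() or decrypt() return FALSE, since the implementations in tls_aead.c, tls_aead_expl.c and tls_aead_impl.c currently differ on that.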
diff --git a/src/libtls/tls_aead_expl.c b/src/libtls/tls_aead_expl.c
new file mode 100644
index 0000000..5e4d33e
--- /dev/null
+++ b/src/libtls/tls_aead_expl.c
@@ -0,0 +1,222 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_aead.h"
+
+#include <crypto/iv/iv_gen_rand.h>
+
+typedef struct private_tls_aead_t private_tls_aead_t;
+
+/**
+ * Private data of an tls_aead_t object.
+ */
+struct private_tls_aead_t {
+
+	/**
+	 * Public tls_aead_t interface.
+	 */
+	tls_aead_t public;
+
+	/**
+	 * traditional crypter
+	 */
+	crypter_t *crypter;
+
+	/**
+	 * traditional signer
+	 */
+	signer_t *signer;
+
+	/**
+	 * IV generator
+	 */
+	iv_gen_t *iv_gen;
+};
+
+/**
+ * Associated header data to create signature over
+ */
+typedef struct __attribute__((__packed__)) {
+	u_int64_t seq;
+	u_int8_t type;
+	u_int16_t version;
+	u_int16_t length;
+} sigheader_t;
+
+METHOD(tls_aead_t, encrypt, bool,
+	private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
+	u_int64_t seq, chunk_t *data)
+{
+	chunk_t assoc, mac, padding, iv;
+	u_int8_t bs, padlen;
+	sigheader_t hdr;
+
+	hdr.type = type;
+	htoun64(&hdr.seq, seq);
+	htoun16(&hdr.version, version);
+	htoun16(&hdr.length, data->len);
+
+	assoc = chunk_from_thing(hdr);
+	if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+		!this->signer->allocate_signature(this->signer, *data, &mac))
+	{
+		return FALSE;
+	}
+	bs = this->crypter->get_block_size(this->crypter);
+	padlen = pad_len(data->len + mac.len + 1, bs);
+
+	padding = chunk_alloca(padlen);
+	memset(padding.ptr, padlen, padding.len);
+
+	/* TLSv1.1 uses random IVs, prepended to record */
+	iv.len = this->crypter->get_iv_size(this->crypter);
+	iv = chunk_alloca(iv.len);
+	if (!this->iv_gen->get_iv(this->iv_gen, seq, iv.len, iv.ptr))
+	{
+		return FALSE;
+	}
+	*data = chunk_cat("mmcc", *data, mac, padding, chunk_from_thing(padlen));
+	/* encrypt inline */
+	if (!this->crypter->encrypt(this->crypter, *data, iv, NULL))
+	{
+		free(data->ptr);
+		return FALSE;
+	}
+	/* prepend IV */
+	*data = chunk_cat("cm", iv, *data);
+	return TRUE;
+}
+
+METHOD(tls_aead_t, decrypt, bool,
+	private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
+	u_int64_t seq, chunk_t *data)
+{
+	chunk_t assoc, mac, iv;
+	u_int8_t bs, padlen;
+	sigheader_t hdr;
+
+	iv.len = this->crypter->get_iv_size(this->crypter);
+	if (data->len < iv.len)
+	{
+		return FALSE;
+	}
+	iv.ptr = data->ptr;
+	*data = chunk_skip(*data, iv.len);
+	bs = this->crypter->get_block_size(this->crypter);
+	if (data->len < bs || data->len % bs)
+	{
+		return FALSE;
+	}
+	if (!this->crypter->decrypt(this->crypter, *data, iv, NULL))
+	{
+		return FALSE;
+	}
+	padlen = data->ptr[data->len - 1];
+	if (padlen < data->len)
+	{	/* If padding looks valid, remove it */
+		data->len -= padlen + 1;
+	}
+
+	bs = this->signer->get_block_size(this->signer);
+	if (data->len < bs)
+	{
+		return FALSE;
+	}
+	mac = chunk_skip(*data, data->len - bs);
+	data->len -= bs;
+
+	hdr.type = type;
+	htoun64(&hdr.seq, seq);
+	htoun16(&hdr.version, version);
+	htoun16(&hdr.length, data->len);
+
+	assoc = chunk_from_thing(hdr);
+	if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+		!this->signer->verify_signature(this->signer, *data, mac))
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(tls_aead_t, get_mac_key_size, size_t,
+	private_tls_aead_t *this)
+{
+	return this->signer->get_key_size(this->signer);
+}
+
+METHOD(tls_aead_t, get_encr_key_size, size_t,
+	private_tls_aead_t *this)
+{
+	return this->crypter->get_key_size(this->crypter);
+}
+
+METHOD(tls_aead_t, get_iv_size, size_t,
+	private_tls_aead_t *this)
+{
+	return 0;
+}
+
+METHOD(tls_aead_t, set_keys, bool,
+	private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv)
+{
+	if (iv.len)
+	{
+		return FALSE;
+	}
+	return this->signer->set_key(this->signer, mac) &&
+		   this->crypter->set_key(this->crypter, encr);
+}
+
+METHOD(tls_aead_t, destroy, void,
+	private_tls_aead_t *this)
+{
+	this->iv_gen->destroy(this->iv_gen);
+	DESTROY_IF(this->crypter);
+	DESTROY_IF(this->signer);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_aead_t *tls_aead_create_explicit(integrity_algorithm_t mac,
+								encryption_algorithm_t encr, size_t encr_size)
+{
+	private_tls_aead_t *this;
+
+	INIT(this,
+		.public = {
+			.encrypt = _encrypt,
+			.decrypt = _decrypt,
+			.get_mac_key_size = _get_mac_key_size,
+			.get_encr_key_size = _get_encr_key_size,
+			.get_iv_size = _get_iv_size,
+			.set_keys = _set_keys,
+			.destroy = _destroy,
+		},
+		.crypter = lib->crypto->create_crypter(lib->crypto, encr, encr_size),
+		.signer = lib->crypto->create_signer(lib->crypto, mac),
+		.iv_gen = iv_gen_rand_create(),
+	);
+
+	if (!this->crypter || !this->signer)
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
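Review bot: decrypt() strips padding on the strength of the final byte alone (`padlen = data->ptr[data->len - 1]; if (padlen < data->len)`), never checking that the padding bytes themselves all equal padlen as RFC 5246 section 6.2.3.2 requires; a wrong pad is then only caught indirectly when the MAC is verified over a mis-sized span. The check should be explicit, and its result folded into the final verdict after MAC verification rather than returned early, so a padding failure and a MAC failure take the same path; tls_aead_impl.c decrypt() has the same padding handling. Separately, in encrypt() the `return FALSE` after the `this->iv_gen->get_iv()` failure leaks the `mac` chunk that allocate_signature() allocated a few lines earlier; add `chunk_free(&mac);` before it.
```c
	chunk_t assoc, mac, iv;
	u_int8_t bs, padlen, i;
	bool padding_ok;
	sigheader_t hdr;

	/* … unchanged: IV split, block-size check, crypter->decrypt … */
	padlen = data->ptr[data->len - 1];
	/* RFC 5246 6.2.3.2: every padding byte must equal padding_length;
	 * remember the outcome and keep going so that a padding error and a
	 * MAC error do the same work before failing */
	padding_ok = padlen < data->len;
	for (i = 0; padding_ok && i < padlen; i++)
	{
		if (data->ptr[data->len - 2 - i] != padlen)
		{
			padding_ok = FALSE;
		}
	}
	if (padding_ok)
	{
		data->len -= padlen + 1;
	}
	/* … unchanged: MAC split, header setup, signer verification … */
	return padding_ok;
```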
diff --git a/src/libtls/tls_aead_impl.c b/src/libtls/tls_aead_impl.c
new file mode 100644
index 0000000..fb14026
--- /dev/null
+++ b/src/libtls/tls_aead_impl.c
@@ -0,0 +1,214 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_aead.h"
+
+typedef struct private_tls_aead_t private_tls_aead_t;
+
+/**
+ * Private data of an tls_aead_t object.
+ */
+struct private_tls_aead_t {
+
+	/**
+	 * Public tls_aead_t interface.
+	 */
+	tls_aead_t public;
+
+	/**
+	 * traditional crypter
+	 */
+	crypter_t *crypter;
+
+	/**
+	 * traditional signer
+	 */
+	signer_t *signer;
+
+	/**
+	 * Next implicit IV
+	 */
+	chunk_t iv;
+};
+
+/**
+ * Associated header data to create signature over
+ */
+typedef struct __attribute__((__packed__)) {
+	u_int64_t seq;
+	u_int8_t type;
+	u_int16_t version;
+	u_int16_t length;
+} sigheader_t;
+
+METHOD(tls_aead_t, encrypt, bool,
+	private_tls_aead_t *this, tls_version_t version,
+	tls_content_type_t type, u_int64_t seq, chunk_t *data)
+{
+	chunk_t assoc, mac, padding;
+	u_int8_t bs, padlen;
+	sigheader_t hdr;
+
+	hdr.type = type;
+	htoun64(&hdr.seq, seq);
+	htoun16(&hdr.version, version);
+	htoun16(&hdr.length, data->len);
+
+	assoc = chunk_from_thing(hdr);
+	if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+		!this->signer->allocate_signature(this->signer, *data, &mac))
+	{
+		return FALSE;
+	}
+	bs = this->crypter->get_block_size(this->crypter);
+	padlen = pad_len(data->len + mac.len + 1, bs);
+
+	padding = chunk_alloca(padlen);
+	memset(padding.ptr, padlen, padding.len);
+
+	*data = chunk_cat("mmcc", *data, mac, padding, chunk_from_thing(padlen));
+	/* encrypt inline */
+	if (!this->crypter->encrypt(this->crypter, *data, this->iv, NULL))
+	{
+		return FALSE;
+	}
+	if (data->len < this->iv.len)
+	{
+		return FALSE;
+	}
+	/* next record IV is last ciphertext block of this record */
+	memcpy(this->iv.ptr, data->ptr + data->len - this->iv.len, this->iv.len);
+	return TRUE;
+}
+
+METHOD(tls_aead_t, decrypt, bool,
+	private_tls_aead_t *this, tls_version_t version,
+	tls_content_type_t type, u_int64_t seq, chunk_t *data)
+{
+	chunk_t assoc, mac, iv;
+	u_int8_t bs, padlen;
+	sigheader_t hdr;
+
+	bs = this->crypter->get_block_size(this->crypter);
+	if (data->len < bs || data->len < this->iv.len || data->len % bs)
+	{
+		return FALSE;
+	}
+	iv = chunk_alloca(this->iv.len);
+	memcpy(iv.ptr, this->iv.ptr, this->iv.len);
+	memcpy(this->iv.ptr, data->ptr + data->len - this->iv.len, this->iv.len);
+	if (!this->crypter->decrypt(this->crypter, *data, iv, NULL))
+	{
+		return FALSE;
+	}
+	padlen = data->ptr[data->len - 1];
+	if (padlen < data->len)
+	{	/* If padding looks valid, remove it */
+		data->len -= padlen + 1;
+	}
+
+	bs = this->signer->get_block_size(this->signer);
+	if (data->len < bs)
+	{
+		return FALSE;
+	}
+	mac = chunk_skip(*data, data->len - bs);
+	data->len -= bs;
+
+	hdr.type = type;
+	htoun64(&hdr.seq, seq);
+	htoun16(&hdr.version, version);
+	htoun16(&hdr.length, data->len);
+
+	assoc = chunk_from_thing(hdr);
+	if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+		!this->signer->verify_signature(this->signer, *data, mac))
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(tls_aead_t, get_mac_key_size, size_t,
+	private_tls_aead_t *this)
+{
+	return this->signer->get_key_size(this->signer);
+}
+
+METHOD(tls_aead_t, get_encr_key_size, size_t,
+	private_tls_aead_t *this)
+{
+	return this->crypter->get_key_size(this->crypter);
+}
+
+METHOD(tls_aead_t, get_iv_size, size_t,
+	private_tls_aead_t *this)
+{
+	return this->iv.len;
+}
+
+METHOD(tls_aead_t, set_keys, bool,
+	private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv)
+{
+	if (iv.len != this->iv.len)
+	{
+		return FALSE;
+	}
+	memcpy(this->iv.ptr, iv.ptr, this->iv.len);
+	return this->signer->set_key(this->signer, mac) &&
+		   this->crypter->set_key(this->crypter, encr);
+}
+
+METHOD(tls_aead_t, destroy, void,
+	private_tls_aead_t *this)
+{
+	DESTROY_IF(this->crypter);
+	DESTROY_IF(this->signer);
+	chunk_free(&this->iv);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_aead_t *tls_aead_create_implicit(integrity_algorithm_t mac,
+								encryption_algorithm_t encr, size_t encr_size)
+{
+	private_tls_aead_t *this;
+
+	INIT(this,
+		.public = {
+			.encrypt = _encrypt,
+			.decrypt = _decrypt,
+			.get_mac_key_size = _get_mac_key_size,
+			.get_encr_key_size = _get_encr_key_size,
+			.get_iv_size = _get_iv_size,
+			.set_keys = _set_keys,
+			.destroy = _destroy,
+		},
+		.crypter = lib->crypto->create_crypter(lib->crypto, encr, encr_size),
+		.signer = lib->crypto->create_signer(lib->crypto, mac),
+	);
+
+	if (!this->crypter || !this->signer)
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	this->iv = chunk_alloc(this->crypter->get_iv_size(this->crypter));
+
+	return &this->public;
+}
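Review bot: encrypt() handles failure differently from its sibling in tls_aead_expl.c: after `*data = chunk_cat("mmcc", *data, mac, padding, chunk_from_thing(padlen))` has replaced the caller's chunk with a fresh allocation, both `return FALSE` branches (the crypter->encrypt() failure and the `data->len < this->iv.len` check) leave that allocation in *data, whereas tls_aead_expl.c frees data->ptr on the same failure. Pick one contract, state it in tls_aead.h, and apply it here, e.g. `free(data->ptr);` before each of those returns if callers are not expected to release data after a FALSE. The `data->len < this->iv.len` check only reads lengths that are already final after chunk_cat(), so moving it ahead of `this->crypter->encrypt()` avoids encrypting a record that is about to be rejected. decrypt() shares the unchecked-padding issue noted on tls_aead_expl.c.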
diff --git a/src/libtls/tls_aead_null.c b/src/libtls/tls_aead_null.c
new file mode 100644
index 0000000..595b640
--- /dev/null
+++ b/src/libtls/tls_aead_null.c
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_aead.h"
+
+typedef struct private_tls_aead_t private_tls_aead_t;
+
+/**
+ * Private data of an tls_aead_t object.
+ */
+struct private_tls_aead_t {
+
+	/**
+	 * Public tls_aead_t interface.
+	 */
+	tls_aead_t public;
+
+	/**
+	 * traditional signer
+	 */
+	signer_t *signer;
+};
+
+/**
+ * Associated header data to create signature over
+ */
+typedef struct __attribute__((__packed__)) {
+	u_int64_t seq;
+	u_int8_t type;
+	u_int16_t version;
+	u_int16_t length;
+} sigheader_t;
+
+METHOD(tls_aead_t, encrypt, bool,
+	private_tls_aead_t *this, tls_version_t version,
+	tls_content_type_t type, u_int64_t seq, chunk_t *data)
+{
+	chunk_t assoc, mac;
+	sigheader_t hdr;
+
+	hdr.type = type;
+	htoun64(&hdr.seq, seq);
+	htoun16(&hdr.version, version);
+	htoun16(&hdr.length, data->len);
+
+	assoc = chunk_from_thing(hdr);
+	if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+		!this->signer->allocate_signature(this->signer, *data, &mac))
+	{
+		return FALSE;
+	}
+	*data = chunk_cat("mm", *data, mac);
+	return TRUE;
+}
+
+METHOD(tls_aead_t, decrypt, bool,
+	private_tls_aead_t *this, tls_version_t version,
+	tls_content_type_t type, u_int64_t seq, chunk_t *data)
+{
+	chunk_t assoc, mac;
+	sigheader_t hdr;
+
+	mac.len = this->signer->get_block_size(this->signer);
+	if (data->len < mac.len)
+	{
+		return FALSE;
+	}
+	mac = chunk_skip(*data, data->len - mac.len);
+	data->len -= mac.len;
+
+	hdr.type = type;
+	htoun64(&hdr.seq, seq);
+	htoun16(&hdr.version, version);
+	htoun16(&hdr.length, data->len);
+
+	assoc = chunk_from_thing(hdr);
+	if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+		!this->signer->verify_signature(this->signer, *data, mac))
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(tls_aead_t, get_mac_key_size, size_t,
+	private_tls_aead_t *this)
+{
+	return this->signer->get_key_size(this->signer);
+}
+
+METHOD(tls_aead_t, get_encr_key_size, size_t,
+	private_tls_aead_t *this)
+{
+	return 0;
+}
+
+METHOD(tls_aead_t, get_iv_size, size_t,
+	private_tls_aead_t *this)
+{
+	return 0;
+}
+
+METHOD(tls_aead_t, set_keys, bool,
+	private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv)
+{
+	if (iv.len || encr.len)
+	{
+		return FALSE;
+	}
+	return this->signer->set_key(this->signer, mac);
+}
+
+METHOD(tls_aead_t, destroy, void,
+	private_tls_aead_t *this)
+{
+	this->signer->destroy(this->signer);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_aead_t *tls_aead_create_null(integrity_algorithm_t alg)
+{
+	private_tls_aead_t *this;
+
+	INIT(this,
+		.public = {
+			.encrypt = _encrypt,
+			.decrypt = _decrypt,
+			.get_mac_key_size = _get_mac_key_size,
+			.get_encr_key_size = _get_encr_key_size,
+			.get_iv_size = _get_iv_size,
+			.set_keys = _set_keys,
+			.destroy = _destroy,
+		},
+		.signer = lib->crypto->create_signer(lib->crypto, alg),
+	);
+
+	if (!this->signer)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
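Review bot: `tls_aead_create_null(integrity_algorithm_t alg)` names its parameter differently from the prototype and @param in tls_aead.h, which use `mac`; renaming it to `mac` keeps the definition and its documentation aligned. The length guard `if (data->len < mac.len)` before the MAC split in decrypt() and the `iv.len || encr.len` rejection in set_keys() are consistent with a transform that carries no encryption key or IV.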
diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
index cc73eba..4f67b20 100644
--- a/src/libtls/tls_crypto.c
+++ b/src/libtls/tls_crypto.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2010 Martin Willi
- * Copyright (C) 2010 revosec AG
+ * Copyright (C) 2010-2014 Martin Willi
+ * Copyright (C) 2010-2014 revosec AG
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -16,6 +16,7 @@
 #include "tls_crypto.h"
 
 #include <utils/debug.h>
+#include <plugins/plugin_feature.h>
 
 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
 								   TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
@@ -80,7 +81,7 @@ ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
 	"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
 	"TLS_DH_anon_WITH_AES_256_CBC_SHA",
 	"TLS_RSA_WITH_NULL_SHA256",
-	"TLS_RSA_WITH_AES_128_CBC_SHA256 ",
+	"TLS_RSA_WITH_AES_128_CBC_SHA256",
 	"TLS_RSA_WITH_AES_256_CBC_SHA256",
 	"TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
 	"TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
@@ -111,13 +112,13 @@ ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
 	"TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
 	"TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
 	"TLS_PSK_WITH_RC4_128_SHA",
-	"TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
+	"TLS_PSK_WITH_3DES_EDE_CBC_SHA",
 	"TLS_PSK_WITH_AES_128_CBC_SHA",
 	"TLS_PSK_WITH_AES_256_CBC_SHA",
 	"TLS_DHE_PSK_WITH_RC4_128_SHA",
 	"TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
 	"TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
-	"TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
+	"TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
 	"TLS_RSA_PSK_WITH_RC4_128_SHA",
 	"TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
 	"TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
@@ -385,34 +386,14 @@ struct private_tls_crypto_t {
 	tls_prf_t *prf;
 
 	/**
-	 * Signer instance for inbound traffic
+	 * AEAD transform for inbound traffic
 	 */
-	signer_t *signer_in;
+	tls_aead_t *aead_in;
 
 	/**
-	 * Signer instance for outbound traffic
+	 * AEAD transform for outbound traffic
 	 */
-	signer_t *signer_out;
-
-	/**
-	 * Crypter instance for inbound traffic
-	 */
-	crypter_t *crypter_in;
-
-	/**
-	 * Crypter instance for outbound traffic
-	 */
-	crypter_t *crypter_out;
-
-	/**
-	 * IV for input decryption, if < TLSv1.2
-	 */
-	chunk_t iv_in;
-
-	/**
-	 * IV for output decryption, if < TLSv1.2
-	 */
-	chunk_t iv_out;
+	tls_aead_t *aead_out;
 
 	/**
 	 * EAP-[T]TLS MSK
@@ -460,6 +441,16 @@ static suite_algs_t suite_algs[] = {
 		HASH_SHA384, PRF_HMAC_SHA2_384,
 		AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
 	},
+	{ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		KEY_ECDSA, ECP_256_BIT,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
+	},
+	{ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		KEY_ECDSA, ECP_384_BIT,
+		HASH_SHA384, PRF_HMAC_SHA2_384,
+		AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
+	},
 	{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 		KEY_RSA, ECP_256_BIT,
 		HASH_SHA256, PRF_HMAC_SHA2_256,
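Review bot: The new GCM entries (here and in the three later suite_algs hunks adding TLS_ECDHE_RSA_*, TLS_DHE_RSA_* and TLS_RSA_*_GCM_* suites) carry no version constraint, yet RFC 5288 section 4 forbids negotiating AES-GCM suites for TLS versions before 1.2, where the AEAD record layer is not defined. Whether suite selection elsewhere limits these entries to TLS 1.2 is not visible in this hunk; if it does not, a TLS 1.0/1.1 negotiation could presumably end up selecting one of them. A comment on the table such as `/* AEAD suites: TLS 1.2 only, see RFC 5288 section 4 */` together with a version check at selection time would make the constraint explicit. The `AUTH_UNDEFINED` integrity column is consistent with the AEAD tls_aead_t reporting a zero MAC key size.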
@@ -480,6 +471,16 @@ static suite_algs_t suite_algs[] = {
 		HASH_SHA384, PRF_HMAC_SHA2_384,
 		AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
 	},
+	{ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		KEY_RSA, ECP_256_BIT,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
+	},
+	{ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		KEY_RSA, ECP_384_BIT,
+		HASH_SHA384, PRF_HMAC_SHA2_384,
+		AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
+	},
 	{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
 		KEY_RSA, MODP_2048_BIT,
 		HASH_SHA256,PRF_HMAC_SHA2_256,
@@ -500,6 +501,16 @@ static suite_algs_t suite_algs[] = {
 		HASH_SHA256, PRF_HMAC_SHA2_256,
 		AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
 	},
+	{ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+		KEY_RSA, MODP_3072_BIT,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
+	},
+	{ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+		KEY_RSA, MODP_4096_BIT,
+		HASH_SHA384, PRF_HMAC_SHA2_384,
+		AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
+	},
 	{ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
 		KEY_RSA, MODP_2048_BIT,
 		HASH_SHA256, PRF_HMAC_SHA2_256,
@@ -545,6 +556,16 @@ static suite_algs_t suite_algs[] = {
 		HASH_SHA256, PRF_HMAC_SHA2_256,
 		AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
 	},
+	{ TLS_RSA_WITH_AES_128_GCM_SHA256,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16
+	},
+	{ TLS_RSA_WITH_AES_256_GCM_SHA384,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA384, PRF_HMAC_SHA2_384,
+		AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32
+	},
 	{ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
 		KEY_RSA, MODP_NONE,
 		HASH_SHA256, PRF_HMAC_SHA2_256,
@@ -627,8 +648,7 @@ static suite_algs_t *find_suite(tls_cipher_suite_t suite)
 /**
  * Filter a suite list using a transform enumerator
  */
-static void filter_suite(private_tls_crypto_t *this,
-						 suite_algs_t suites[], int *count, int offset,
+static void filter_suite(suite_algs_t suites[], int *count, int offset,
 						 enumerator_t*(*create_enumerator)(crypto_factory_t*))
 {
 	const char *plugin_name;
@@ -641,21 +661,56 @@ static void filter_suite(private_tls_crypto_t *this,
 
 	for (i = 0; i < *count; i++)
 	{
+		if (create_enumerator == lib->crypto->create_crypter_enumerator &&
+			encryption_algorithm_is_aead(suites[i].encr))
+		{	/* filtering crypters, but current suite uses an AEAD, apply */
+			suites[remaining] = suites[i];
+			remaining++;
+			continue;
+		}
+		if (create_enumerator == lib->crypto->create_aead_enumerator &&
+			!encryption_algorithm_is_aead(suites[i].encr))
+		{	/* filtering AEADs, but current suite doesn't use one, apply */
+			suites[remaining] = suites[i];
+			remaining++;
+			continue;
+		}
 		enumerator = create_enumerator(lib->crypto);
 		while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
 		{
-			if ((suites[i].encr == ENCR_NULL ||
-				 !current.encr || current.encr == suites[i].encr) &&
-				(!current.mac  || current.mac  == suites[i].mac) &&
-				(!current.prf  || current.prf  == suites[i].prf) &&
-				(!current.hash || current.hash == suites[i].hash) &&
-				(suites[i].dh == MODP_NONE ||
-				 !current.dh   || current.dh   == suites[i].dh))
+			if (current.encr && current.encr != suites[i].encr)
 			{
-				suites[remaining] = suites[i];
-				remaining++;
-				break;
+				if (suites[i].encr != ENCR_NULL)
+				{	/* skip, ENCR does not match nor is NULL */
+					continue;
+				}
 			}
+			if (current.mac && current.mac != suites[i].mac)
+			{
+				if (suites[i].mac != AUTH_UNDEFINED)
+				{	/* skip, MAC does not match nor is it undefined */
+					continue;
+				}
+			}
+			if (current.prf && current.prf != suites[i].prf)
+			{	/* skip, PRF does not match */
+				continue;
+			}
+			if (current.hash && current.hash != suites[i].hash)
+			{	/* skip, hash does not match */
+				continue;
+			}
+			if (current.dh && current.dh != suites[i].dh)
+			{
+				if (suites[i].dh != MODP_NONE)
+				{	/* skip DH group, does not match nor NONE */
+					continue;
+				}
+			}
+			/* suite supported, apply */
+			suites[remaining] = suites[i];
+			remaining++;
+			break;
 		}
 		enumerator->destroy(enumerator);
 	}
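Review bot: The two early-accept branches at the top of the loop identify which pass is running by comparing the `create_enumerator` argument against `lib->crypto->create_crypter_enumerator` and `create_aead_enumerator`, which ties filter_suite to the exact function pointers it happens to be called with; an explicit pass selector (a `bool aead_pass` or a small enum argument) would state the intent directly and survive a refactor of crypto_factory_t. Note also that the AUTH_UNDEFINED and MODP_NONE exemptions only take effect inside the `while` over enumerated algorithms, so an AEAD suite (no MAC) or an RSA key-exchange suite (no DH group) is still dropped when the signer or DH enumerator yields nothing at all; this appears to match the previous behaviour, but a comment such as `/* exemptions below still require at least one enumerated algorithm */` would save the next reader the analysis. filter_suite's signature and locals are in the preceding hunk and the function continues after this one.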
@@ -665,8 +720,7 @@ static void filter_suite(private_tls_crypto_t *this,
 /**
  * Purge NULL encryption cipher suites from list
  */
-static void filter_null_suites(private_tls_crypto_t *this,
-							   suite_algs_t suites[], int *count)
+static void filter_null_suites(suite_algs_t suites[], int *count)
 {
 	int i, remaining = 0;
 
@@ -789,6 +843,20 @@ static void filter_cipher_config_suites(private_tls_crypto_t *this,
 					suites[remaining++] = suites[i];
 					break;
 				}
+				if (strcaseeq(token, "aes128gcm") &&
+					suites[i].encr == ENCR_AES_GCM_ICV16 &&
+					suites[i].encr_size == 16)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+				if (strcaseeq(token, "aes256gcm") &&
+					suites[i].encr == ENCR_AES_GCM_ICV16 &&
+					suites[i].encr_size == 32)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
 				if (strcaseeq(token, "camellia128") &&
 					suites[i].encr == ENCR_CAMELLIA_CBC &&
 					suites[i].encr_size == 16)
@@ -905,6 +973,26 @@ static void filter_specific_config_suites(private_tls_crypto_t *this,
 }
 
 /**
+ * Filter out unsupported suites on given suite array
+ */
+static void filter_unsupported_suites(suite_algs_t suites[], int *count)
+{
+	/* filter suite list by each algorithm */
+	filter_suite(suites, count, offsetof(suite_algs_t, encr),
+				 lib->crypto->create_crypter_enumerator);
+	filter_suite(suites, count, offsetof(suite_algs_t, encr),
+				 lib->crypto->create_aead_enumerator);
+	filter_suite(suites, count, offsetof(suite_algs_t, mac),
+				 lib->crypto->create_signer_enumerator);
+	filter_suite(suites, count, offsetof(suite_algs_t, prf),
+				 lib->crypto->create_prf_enumerator);
+	filter_suite(suites, count, offsetof(suite_algs_t, hash),
+				 lib->crypto->create_hasher_enumerator);
+	filter_suite(suites, count, offsetof(suite_algs_t, dh),
+				 lib->crypto->create_dh_enumerator);
+}
+
+/**
  * Initialize the cipher suite list
  */
 static void build_cipher_suite_list(private_tls_crypto_t *this,
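Review bot: The header comment of filter_unsupported_suites does not explain why `encr` is filtered twice or that the array is compacted in place, both of which a reader of tls_crypto_get_supported_suites (later in this file) will want to know. The crypter pass lets AEAD suites through and the AEAD pass lets non-AEAD suites through (the early-accept branches in filter_suite), so both passes are needed to reject a suite whose cipher no loaded plugin provides, and each pass shrinks `*count`. I would extend the comment to say that suites[] is compacted in place with `*count` updated, and that the first two calls together cover the cipher: `/* encr is checked against crypters and AEADs; each pass passes through the suites the other one is responsible for */`.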
@@ -918,9 +1006,10 @@ static void build_cipher_suite_list(private_tls_crypto_t *this,
 	{
 		suites[i] = suite_algs[i];
 	}
+
 	if (require_encryption)
 	{
-		filter_null_suites(this, suites, &count);
+		filter_null_suites(suites, &count);
 	}
 	if (!this->rsa)
 	{
@@ -931,17 +1020,7 @@ static void build_cipher_suite_list(private_tls_crypto_t *this,
 		filter_key_suites(this, suites, &count, KEY_ECDSA);
 	}
 
-	/* filter suite list by each algorithm */
-	filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
-				 lib->crypto->create_crypter_enumerator);
-	filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
-				 lib->crypto->create_signer_enumerator);
-	filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
-				 lib->crypto->create_prf_enumerator);
-	filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
-				 lib->crypto->create_hasher_enumerator);
-	filter_suite(this, suites, &count, offsetof(suite_algs_t, dh),
-				 lib->crypto->create_dh_enumerator);
+	filter_unsupported_suites(suites, &count);
 
 	/* filter suites with strongswan.conf options */
 	filter_key_exchange_config_suites(this, suites, &count);
@@ -969,10 +1048,82 @@ METHOD(tls_crypto_t, get_cipher_suites, int,
 }
 
 /**
+ * Create NULL encryption transforms
+ */
+static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
+{
+	this->aead_in = tls_aead_create_null(algs->mac);
+	this->aead_out = tls_aead_create_null(algs->mac);
+	if (!this->aead_in || !this->aead_out)
+	{
+		DBG1(DBG_TLS, "selected TLS MAC %N not supported",
+			 integrity_algorithm_names, algs->mac);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Create traditional transforms
+ */
+static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
+{
+	if (this->tls->get_version(this->tls) < TLS_1_1)
+	{
+		this->aead_in = tls_aead_create_implicit(algs->mac,
+								algs->encr, algs->encr_size);
+		this->aead_out = tls_aead_create_implicit(algs->mac,
+								algs->encr, algs->encr_size);
+	}
+	else
+	{
+		this->aead_in = tls_aead_create_explicit(algs->mac,
+								algs->encr, algs->encr_size);
+		this->aead_out = tls_aead_create_explicit(algs->mac,
+								algs->encr, algs->encr_size);
+	}
+	if (!this->aead_in || !this->aead_out)
+	{
+		DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
+			 encryption_algorithm_names, algs->encr, algs->encr_size * 8,
+			 integrity_algorithm_names, algs->mac);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Create AEAD transforms
+ */
+static bool create_aead(private_tls_crypto_t *this, suite_algs_t *algs)
+{
+	this->aead_in = tls_aead_create_aead(algs->encr, algs->encr_size);
+	this->aead_out = tls_aead_create_aead(algs->encr, algs->encr_size);
+	if (!this->aead_in || !this->aead_out)
+	{
+		DBG1(DBG_TLS, "selected TLS transforms %N-%u not supported",
+			 encryption_algorithm_names, algs->encr, algs->encr_size * 8);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Clean up and unset AEAD transforms
+ */
+static void destroy_aeads(private_tls_crypto_t *this)
+{
+	DESTROY_IF(this->aead_in);
+	DESTROY_IF(this->aead_out);
+	this->aead_in = this->aead_out = NULL;
+}
+
+/**
  * Create crypto primitives
  */
 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
 {
+	destroy_aeads(this);
 	DESTROY_IF(this->prf);
 	if (this->tls->get_version(this->tls) < TLS_1_2)
 	{
@@ -987,38 +1138,29 @@ static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
 		DBG1(DBG_TLS, "selected TLS PRF not supported");
 		return FALSE;
 	}
-
-	DESTROY_IF(this->signer_in);
-	DESTROY_IF(this->signer_out);
-	this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
-	this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
-	if (!this->signer_in || !this->signer_out)
+	if (algs->encr == ENCR_NULL)
 	{
-		DBG1(DBG_TLS, "selected TLS MAC %N not supported",
-			 integrity_algorithm_names, algs->mac);
-		return FALSE;
+		if (create_null(this, algs))
+		{
+			return TRUE;
+		}
 	}
-
-	DESTROY_IF(this->crypter_in);
-	DESTROY_IF(this->crypter_out);
-	if (algs->encr == ENCR_NULL)
+	else if (encryption_algorithm_is_aead(algs->encr))
 	{
-		this->crypter_in = this->crypter_out = NULL;
+		if (create_aead(this, algs))
+		{
+			return TRUE;
+		}
 	}
 	else
 	{
-		this->crypter_in = lib->crypto->create_crypter(lib->crypto,
-												algs->encr, algs->encr_size);
-		this->crypter_out = lib->crypto->create_crypter(lib->crypto,
-												algs->encr, algs->encr_size);
-		if (!this->crypter_in || !this->crypter_out)
+		if (create_traditional(this, algs))
 		{
-			DBG1(DBG_TLS, "selected TLS crypter %N not supported",
-				 encryption_algorithm_names, algs->encr);
-			return FALSE;
+			return TRUE;
 		}
 	}
-	return TRUE;
+	destroy_aeads(this);
+	return FALSE;
 }
 
 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
@@ -1065,54 +1207,52 @@ METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
 	return MODP_NONE;
 }
 
+/**
+ * Map signature schemes to TLS key types and hashes, ordered by preference
+ */
+static struct {
+	tls_signature_algorithm_t sig;
+	tls_hash_algorithm_t hash;
+	signature_scheme_t scheme;
+} schemes[] = {
+	{ TLS_SIG_ECDSA,	TLS_HASH_SHA256,	SIGN_ECDSA_WITH_SHA256_DER	},
+	{ TLS_SIG_ECDSA,	TLS_HASH_SHA384,	SIGN_ECDSA_WITH_SHA384_DER	},
+	{ TLS_SIG_ECDSA,	TLS_HASH_SHA512,	SIGN_ECDSA_WITH_SHA512_DER	},
+	{ TLS_SIG_ECDSA,	TLS_HASH_SHA1,		SIGN_ECDSA_WITH_SHA1_DER	},
+	{ TLS_SIG_RSA,		TLS_HASH_SHA256,	SIGN_RSA_EMSA_PKCS1_SHA256	},
+	{ TLS_SIG_RSA,		TLS_HASH_SHA384,	SIGN_RSA_EMSA_PKCS1_SHA384	},
+	{ TLS_SIG_RSA,		TLS_HASH_SHA512,	SIGN_RSA_EMSA_PKCS1_SHA512	},
+	{ TLS_SIG_RSA,		TLS_HASH_SHA224,	SIGN_RSA_EMSA_PKCS1_SHA224	},
+	{ TLS_SIG_RSA,		TLS_HASH_SHA1,		SIGN_RSA_EMSA_PKCS1_SHA1	},
+	{ TLS_SIG_RSA,		TLS_HASH_MD5,		SIGN_RSA_EMSA_PKCS1_MD5		},
+};
+
 METHOD(tls_crypto_t, get_signature_algorithms, void,
 	private_tls_crypto_t *this, bio_writer_t *writer)
 {
 	bio_writer_t *supported;
-	enumerator_t *enumerator;
-	hash_algorithm_t alg;
-	tls_hash_algorithm_t hash;
-	const char *plugin_name;
+	int i;
 
 	supported = bio_writer_create(32);
-	enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &alg, &plugin_name))
+
+	for (i = 0; i < countof(schemes); i++)
 	{
-		switch (alg)
+		if (schemes[i].sig == TLS_SIG_RSA && !this->rsa)
 		{
-			case HASH_MD5:
-				hash = TLS_HASH_MD5;
-				break;
-			case HASH_SHA1:
-				hash = TLS_HASH_SHA1;
-				break;
-			case HASH_SHA224:
-				hash = TLS_HASH_SHA224;
-				break;
-			case HASH_SHA256:
-				hash = TLS_HASH_SHA256;
-				break;
-			case HASH_SHA384:
-				hash = TLS_HASH_SHA384;
-				break;
-			case HASH_SHA512:
-				hash = TLS_HASH_SHA512;
-				break;
-			default:
-				continue;
+			continue;
 		}
-		if (this->rsa)
+		if (schemes[i].sig == TLS_SIG_ECDSA && !this->ecdsa)
 		{
-			supported->write_uint8(supported, hash);
-			supported->write_uint8(supported, TLS_SIG_RSA);
+			continue;
 		}
-		if (this->ecdsa && alg != HASH_MD5 && alg != HASH_SHA224)
-		{	/* currently we have no signature scheme for MD5/SHA224 */
-			supported->write_uint8(supported, hash);
-			supported->write_uint8(supported, TLS_SIG_ECDSA);
+		if (!lib->plugins->has_feature(lib->plugins,
+						PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].scheme)))
+		{
+			continue;
 		}
+		supported->write_uint8(supported, schemes[i].hash);
+		supported->write_uint8(supported, schemes[i].sig);
 	}
-	enumerator->destroy(enumerator);
 
 	supported->wrap16(supported);
 	writer->write_data16(writer, supported->get_buf(supported));
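Review bot: The `schemes` table still lists `{ TLS_SIG_RSA, TLS_HASH_MD5, SIGN_RSA_EMSA_PKCS1_MD5 }`, so get_signature_algorithms advertises RSA-MD5 whenever a plugin provides PUBKEY_VERIFY for it, and because hashsig_to_scheme (next hunk) maps through the same table, MD5-based signatures from the peer are accepted as well; the switch-based code being removed offered MD5 too, so this is inherited rather than new. MD5 is collision-broken and unlikely to be needed for interoperability given the SHA-1 row directly above it, so deleting that one line removes it from both the offer and the accept path at once. If it is kept deliberately, a comment on the row saying why would help the next reader; ordering by preference (MD5 last) limits but does not remove the exposure, since the peer picks from what is advertised.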
@@ -1120,6 +1260,29 @@ METHOD(tls_crypto_t, get_signature_algorithms, void,
 }
 
 /**
+ * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
+ */
+static signature_scheme_t hashsig_to_scheme(key_type_t type,
+											tls_hash_algorithm_t hash,
+											tls_signature_algorithm_t sig)
+{
+	int i;
+
+	if ((sig == TLS_SIG_RSA && type == KEY_RSA) ||
+		(sig == TLS_SIG_ECDSA && type == KEY_ECDSA))
+	{
+		for (i = 0; i < countof(schemes); i++)
+		{
+			if (schemes[i].sig == sig && schemes[i].hash == hash)
+			{
+				return schemes[i].scheme;
+			}
+		}
+	}
+	return SIGN_UNKNOWN;
+}
+
+/**
  * Mapping groups to TLS named curves
  */
 static struct {
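Review bot: The header comment on hashsig_to_scheme does not say what `type` is for or what is returned on a mismatch, and the key-type guard is the line that rejects an RSA signature algorithm presented for an ECDSA key (and vice versa), which deserves stating. Suggested Doxygen additions: @param entries for type (key type the signature must fit), hash and sig (the TLS hashsig pair), and `@return matching scheme, or SIGN_UNKNOWN if the pair is unsupported or does not fit type`. The lookup could also return early instead of nesting the loop in the guard, but that is a matter of taste.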
@@ -1236,59 +1399,6 @@ static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
 	return TRUE;
 }
 
-/**
- * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
- */
-static signature_scheme_t hashsig_to_scheme(key_type_t type,
-					tls_hash_algorithm_t hash, tls_signature_algorithm_t sig)
-{
-	switch (sig)
-	{
-		case TLS_SIG_RSA:
-			if (type != KEY_RSA)
-			{
-				return SIGN_UNKNOWN;
-			}
-			switch (hash)
-			{
-				case TLS_HASH_MD5:
-					return SIGN_RSA_EMSA_PKCS1_MD5;
-				case TLS_HASH_SHA1:
-					return SIGN_RSA_EMSA_PKCS1_SHA1;
-				case TLS_HASH_SHA224:
-					return SIGN_RSA_EMSA_PKCS1_SHA224;
-				case TLS_HASH_SHA256:
-					return SIGN_RSA_EMSA_PKCS1_SHA256;
-				case TLS_HASH_SHA384:
-					return SIGN_RSA_EMSA_PKCS1_SHA384;
-				case TLS_HASH_SHA512:
-					return SIGN_RSA_EMSA_PKCS1_SHA512;
-				default:
-					return SIGN_UNKNOWN;
-			}
-		case TLS_SIG_ECDSA:
-			if (type != KEY_ECDSA)
-			{
-				return SIGN_UNKNOWN;
-			}
-			switch (hash)
-			{
-				case TLS_HASH_SHA224:
-					return SIGN_ECDSA_WITH_SHA1_DER;
-				case TLS_HASH_SHA256:
-					return SIGN_ECDSA_WITH_SHA256_DER;
-				case TLS_HASH_SHA384:
-					return SIGN_ECDSA_WITH_SHA384_DER;
-				case TLS_HASH_SHA512:
-					return SIGN_ECDSA_WITH_SHA512_DER;
-				default:
-					return SIGN_UNKNOWN;
-			}
-		default:
-			return SIGN_UNKNOWN;
-	}
-}
-
 METHOD(tls_crypto_t, sign, bool,
 	private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer,
 	chunk_t data, chunk_t hashsig)
@@ -1512,93 +1622,63 @@ static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
 static bool expand_keys(private_tls_crypto_t *this,
 						chunk_t client_random, chunk_t server_random)
 {
-	chunk_t seed, block, client_write, server_write;
-	int mks, eks = 0, ivs = 0;
+	chunk_t seed, block;
+	chunk_t cw_mac, cw, cw_iv;
+	chunk_t sw_mac, sw, sw_iv;
+	int mklen, eklen, ivlen;
 
-	/* derive key block for key expansion */
-	mks = this->signer_out->get_key_size(this->signer_out);
-	if (this->crypter_out)
+	if (!this->aead_in || !this->aead_out)
 	{
-		eks = this->crypter_out->get_key_size(this->crypter_out);
-		if (this->tls->get_version(this->tls) < TLS_1_1)
-		{
-			ivs = this->crypter_out->get_iv_size(this->crypter_out);
-		}
+		return FALSE;
 	}
+
+	/* derive key block for key expansion */
+	mklen = this->aead_in->get_mac_key_size(this->aead_in);
+	eklen = this->aead_in->get_encr_key_size(this->aead_in);
+	ivlen = this->aead_in->get_iv_size(this->aead_in);
 	seed = chunk_cata("cc", server_random, client_random);
-	block = chunk_alloca((mks + eks + ivs) * 2);
+	block = chunk_alloca((mklen + eklen + ivlen) * 2);
 	if (!this->prf->get_bytes(this->prf, "key expansion", seed,
 							  block.len, block.ptr))
 	{
 		return FALSE;
 	}
 
-	/* signer keys */
-	client_write = chunk_create(block.ptr, mks);
-	block = chunk_skip(block, mks);
-	server_write = chunk_create(block.ptr, mks);
-	block = chunk_skip(block, mks);
+	/* client/server write signer keys */
+	cw_mac = chunk_create(block.ptr, mklen);
+	block = chunk_skip(block, mklen);
+	sw_mac = chunk_create(block.ptr, mklen);
+	block = chunk_skip(block, mklen);
+
+	/* client/server write encryption keys */
+	cw = chunk_create(block.ptr, eklen);
+	block = chunk_skip(block, eklen);
+	sw = chunk_create(block.ptr, eklen);
+	block = chunk_skip(block, eklen);
+
+	/* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
+	cw_iv = chunk_create(block.ptr, ivlen);
+	block = chunk_skip(block, ivlen);
+	sw_iv = chunk_create(block.ptr, ivlen);
+	block = chunk_skip(block, ivlen);
+
 	if (this->tls->is_server(this->tls))
 	{
-		if (!this->signer_in->set_key(this->signer_in, client_write) ||
-			!this->signer_out->set_key(this->signer_out, server_write))
+		if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
+			!this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
 		{
 			return FALSE;
 		}
 	}
 	else
 	{
-		if (!this->signer_out->set_key(this->signer_out, client_write) ||
-			!this->signer_in->set_key(this->signer_in, server_write))
+		if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
+			!this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
 		{
 			return FALSE;
 		}
 	}
 
-	/* crypter keys, and IVs if < TLSv1.2 */
-	if (this->crypter_out && this->crypter_in)
-	{
-		client_write = chunk_create(block.ptr, eks);
-		block = chunk_skip(block, eks);
-		server_write = chunk_create(block.ptr, eks);
-		block = chunk_skip(block, eks);
-
-		if (this->tls->is_server(this->tls))
-		{
-			if (!this->crypter_in->set_key(this->crypter_in, client_write) ||
-				!this->crypter_out->set_key(this->crypter_out, server_write))
-			{
-				return FALSE;
-			}
-		}
-		else
-		{
-			if (!this->crypter_out->set_key(this->crypter_out, client_write) ||
-				!this->crypter_in->set_key(this->crypter_in, server_write))
-			{
-				return FALSE;
-			}
-		}
-		if (ivs)
-		{
-			client_write = chunk_create(block.ptr, ivs);
-			block = chunk_skip(block, ivs);
-			server_write = chunk_create(block.ptr, ivs);
-			block = chunk_skip(block, ivs);
-
-			if (this->tls->is_server(this->tls))
-			{
-				this->iv_in = chunk_clone(client_write);
-				this->iv_out = chunk_clone(server_write);
-			}
-			else
-			{
-				this->iv_out = chunk_clone(client_write);
-				this->iv_in = chunk_clone(server_write);
-			}
-		}
-	}
-
 	/* EAP-MSK */
 	if (this->msk_label)
 	{
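Review bot: cw_mac/cw/cw_iv and sw_mac/sw/sw_iv all point into `block`, which is chunk_alloca()'d stack memory, so the set_keys() implementations in tls_aead_* must copy whatever they keep; the code being removed below chunk_clone()d the IVs explicitly, and the new code relies on the callee, which this page does not show, so either a comment here, `/* set_keys() must copy, block lives on the stack */`, or a check of the tls_aead implementations is warranted. The three lengths are read from aead_in only, which holds as long as aead_in and aead_out are always created from the same suite (create_null/create_traditional/create_aead do that), but a short comment would make the assumption visible. Since the block holds live key material, wiping it once the keys are installed (keep the original chunk before the chunk_skip() calls and memwipe() it) would be a cheap hardening. expand_keys continues past the end of this hunk.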
@@ -1666,13 +1746,11 @@ METHOD(tls_crypto_t, change_cipher, void,
 	{
 		if (inbound)
 		{
-			this->protection->set_cipher(this->protection, TRUE,
-							this->signer_in, this->crypter_in, this->iv_in);
+			this->protection->set_cipher(this->protection, TRUE, this->aead_in);
 		}
 		else
 		{
-			this->protection->set_cipher(this->protection, FALSE,
-							this->signer_out, this->crypter_out, this->iv_out);
+			this->protection->set_cipher(this->protection, FALSE, this->aead_out);
 		}
 	}
 }
@@ -1686,12 +1764,7 @@ METHOD(tls_crypto_t, get_eap_msk, chunk_t,
 METHOD(tls_crypto_t, destroy, void,
 	private_tls_crypto_t *this)
 {
-	DESTROY_IF(this->signer_in);
-	DESTROY_IF(this->signer_out);
-	DESTROY_IF(this->crypter_in);
-	DESTROY_IF(this->crypter_out);
-	free(this->iv_in.ptr);
-	free(this->iv_out.ptr);
+	destroy_aeads(this);
 	free(this->handshake.ptr);
 	free(this->msk.ptr);
 	DESTROY_IF(this->prf);
@@ -1773,8 +1846,43 @@ tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
 		case TLS_PURPOSE_GENERIC:
 			build_cipher_suite_list(this, TRUE);
 			break;
+		case TLS_PURPOSE_GENERIC_NULLOK:
+			build_cipher_suite_list(this, FALSE);
+			break;
 		default:
 			break;
 	}
 	return &this->public;
 }
+
+/**
+ * See header.
+ */
+int tls_crypto_get_supported_suites(bool null, tls_cipher_suite_t **out)
+{
+	suite_algs_t suites[countof(suite_algs)];
+	int count = countof(suite_algs), i;
+
+	/* initialize copy of suite list */
+	for (i = 0; i < count; i++)
+	{
+		suites[i] = suite_algs[i];
+	}
+
+	filter_unsupported_suites(suites, &count);
+
+	if (!null)
+	{
+		filter_null_suites(suites, &count);
+	}
+
+	if (out)
+	{
+		*out = calloc(count, sizeof(tls_cipher_suite_t));
+		for (i = 0; i < count; i++)
+		{
+			(*out)[i] = suites[i].suite;
+		}
+	}
+	return count;
+}
diff --git a/src/libtls/tls_crypto.h b/src/libtls/tls_crypto.h
index 5512b1f..a42e07b 100644
--- a/src/libtls/tls_crypto.h
+++ b/src/libtls/tls_crypto.h
@@ -572,4 +572,13 @@ struct tls_crypto_t {
  */
 tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache);
 
+/**
+ * Get a list of all supported TLS cipher suites.
+ *
+ * @param null			include supported NULL encryption suites
+ * @param suites		pointer to allocated suites array, to free(), or NULL
+ * @return				number of suites supported
+ */
+int tls_crypto_get_supported_suites(bool null, tls_cipher_suite_t **suites);
+
 #endif /** TLS_CRYPTO_H_ @}*/
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index b429da3..a95b40f 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -80,6 +80,11 @@ struct private_tls_peer_t {
 	peer_state_t state;
 
 	/**
+	 * TLS version we offered in hello
+	 */
+	tls_version_t hello_version;
+
+	/**
 	 * Hello random data selected by client
 	 */
 	char client_random[32];
@@ -724,6 +729,7 @@ static status_t send_client_hello(private_tls_peer_t *this,
 
 	/* TLS version */
 	version = this->tls->get_version(this->tls);
+	this->hello_version = version;
 	writer->write_uint16(writer, version);
 	writer->write_data(writer, chunk_from_thing(this->client_random));
 
@@ -917,7 +923,7 @@ static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
 		return NEED_MORE;
 	}
 	rng->destroy(rng);
-	htoun16(premaster, TLS_1_2);
+	htoun16(premaster, this->hello_version);
 
 	if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
 									  this->session, this->server,
diff --git a/src/libtls/tls_protection.c b/src/libtls/tls_protection.c
index 0d5df18..b016db2 100644
--- a/src/libtls/tls_protection.c
+++ b/src/libtls/tls_protection.c
@@ -45,74 +45,26 @@ struct private_tls_protection_t {
 	tls_alert_t *alert;
 
 	/**
-	 * RNG if we generate IVs ourself
-	 */
-	rng_t *rng;
-
-	/**
 	 * Sequence number of incoming records
 	 */
-	u_int32_t seq_in;
+	u_int64_t seq_in;
 
 	/**
 	 * Sequence number for outgoing records
 	 */
-	u_int32_t seq_out;
-
-	/**
-	 * Signer instance for inbound traffic
-	 */
-	signer_t *signer_in;
-
-	/**
-	 * Signer instance for outbound traffic
-	 */
-	signer_t *signer_out;
+	u_int64_t seq_out;
 
 	/**
-	 * Crypter instance for inbound traffic
+	 * AEAD transform for inbound traffic
 	 */
-	crypter_t *crypter_in;
+	tls_aead_t *aead_in;
 
 	/**
-	 * Crypter instance for outbound traffic
+	 * AEAD transform for outbound traffic
 	 */
-	crypter_t *crypter_out;
-
-	/**
-	 * Current IV for input decryption
-	 */
-	chunk_t iv_in;
-
-	/**
-	 * Current IV for output decryption
-	 */
-	chunk_t iv_out;
+	tls_aead_t *aead_out;
 };
 
-/**
- * Create the header and feed it into a signer for MAC verification
- */
-static bool sigheader(signer_t *signer, u_int32_t seq, u_int8_t type,
-					  u_int16_t version, u_int16_t length)
-{
-	/* we only support 32 bit sequence numbers, but TLS uses 64 bit */
-	struct __attribute__((__packed__)) {
-		u_int32_t seq_high;
-		u_int32_t seq_low;
-		u_int8_t type;
-		u_int16_t version;
-		u_int16_t length;
-	} header = {
-		.type = type,
-	};
-	htoun32(&header.seq_low, seq);
-	htoun16(&header.version, version);
-	htoun16(&header.length, length);
-
-	return signer->get_signature(signer, chunk_from_thing(header), NULL);
-}
-
 METHOD(tls_protection_t, process, status_t,
 	private_tls_protection_t *this, tls_content_type_t type, chunk_t data)
 {
@@ -121,75 +73,12 @@ METHOD(tls_protection_t, process, status_t,
 		return NEED_MORE;
 	}
 
-	if (this->crypter_in)
-	{
-		chunk_t iv, next_iv = chunk_empty;
-		u_int8_t bs, padding_length;
-
-		bs = this->crypter_in->get_block_size(this->crypter_in);
-		if (this->iv_in.len)
-		{	/* < TLSv1.1 uses IV from key derivation/last block */
-			if (data.len < bs || data.len % bs)
-			{
-				DBG1(DBG_TLS, "encrypted TLS record length invalid");
-				this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
-				return NEED_MORE;
-			}
-			iv = this->iv_in;
-			next_iv = chunk_clone(chunk_create(data.ptr + data.len - bs, bs));
-		}
-		else
-		{	/* TLSv1.1 uses random IVs, prepended to record */
-			iv.len = this->crypter_in->get_iv_size(this->crypter_in);
-			iv = chunk_create(data.ptr, iv.len);
-			data = chunk_skip(data, iv.len);
-			if (data.len < bs || data.len % bs)
-			{
-				DBG1(DBG_TLS, "encrypted TLS record length invalid");
-				this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
-				return NEED_MORE;
-			}
-		}
-		if (!this->crypter_in->decrypt(this->crypter_in, data, iv, NULL))
-		{
-			free(next_iv.ptr);
-			this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
-			return NEED_MORE;
-		}
-
-		if (next_iv.len)
-		{	/* next record IV is last ciphertext block of this record */
-			memcpy(this->iv_in.ptr, next_iv.ptr, next_iv.len);
-			free(next_iv.ptr);
-		}
-
-		padding_length = data.ptr[data.len - 1];
-		if (padding_length < data.len)
-		{	/* remove padding if it looks valid. Continue with no padding, try
-			 * to prevent timing attacks. */
-			data.len -= padding_length + 1;
-		}
-	}
-	if (this->signer_in)
+	if (this->aead_in)
 	{
-		chunk_t mac;
-		u_int8_t bs;
-
-		bs = this->signer_in->get_block_size(this->signer_in);
-		if (data.len < bs)
+		if (!this->aead_in->decrypt(this->aead_in, this->version,
+									type, this->seq_in, &data))
 		{
-			DBG1(DBG_TLS, "TLS record too short to verify MAC");
-			this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
-			return NEED_MORE;
-		}
-		mac = chunk_skip(data, data.len - bs);
-		data.len -= bs;
-
-		if (!sigheader(this->signer_in, this->seq_in, type,
-					   this->version, data.len) ||
-			!this->signer_in->verify_signature(this->signer_in, data, mac))
-		{
-			DBG1(DBG_TLS, "TLS record MAC verification failed");
+			DBG1(DBG_TLS, "TLS record decryption failed");
 			this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
 			return NEED_MORE;
 		}
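Review bot: The decrypt() call now hides the CBC padding and MAC handling that used to be done inline here, including the attempt to keep timing uniform between a bad padding and a bad MAC; that responsibility now lies with the tls_aead_* implementations, which this page does not show, so it is worth confirming that they keep padding check and MAC verification in a single path and that the one `TLS_BAD_RECORD_MAC` alert on any failure (kept here) remains the only observable outcome. A one-line comment at the call site, `/* transform handles padding/MAC checks; every failure is reported uniformly */`, would record that contract. process() continues beyond this hunk.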
@@ -220,72 +109,15 @@ METHOD(tls_protection_t, build, status_t,
 
 	if (status == NEED_MORE)
 	{
-		if (this->signer_out)
+		if (this->aead_out)
 		{
-			chunk_t mac;
-
-			if (!sigheader(this->signer_out, this->seq_out, *type,
-						   this->version, data->len) ||
-				!this->signer_out->allocate_signature(this->signer_out,
-						   *data, &mac))
+			if (!this->aead_out->encrypt(this->aead_out, this->version,
+										 *type, this->seq_out, data))
 			{
+				DBG1(DBG_TLS, "TLS record encryption failed");
+				chunk_free(data);
 				return FAILED;
 			}
-			if (this->crypter_out)
-			{
-				chunk_t padding, iv;
-				u_int8_t bs, padding_length;
-
-				bs = this->crypter_out->get_block_size(this->crypter_out);
-				padding_length = bs - ((data->len + mac.len + 1) % bs);
-
-				padding = chunk_alloca(padding_length);
-				memset(padding.ptr, padding_length, padding.len);
-
-				if (this->iv_out.len)
-				{	/* < TLSv1.1 uses IV from key derivation/last block */
-					iv = this->iv_out;
-				}
-				else
-				{	/* TLSv1.1 uses random IVs, prepended to record */
-					iv.len = this->crypter_out->get_iv_size(this->crypter_out);
-					if (!this->rng ||
-						!this->rng->allocate_bytes(this->rng, iv.len, &iv))
-					{
-						DBG1(DBG_TLS, "failed to generate TLS IV");
-						free(data->ptr);
-						return FAILED;
-					}
-				}
-
-				*data = chunk_cat("mmcc", *data, mac, padding,
-								  chunk_from_thing(padding_length));
-				/* encrypt inline */
-				if (!this->crypter_out->encrypt(this->crypter_out, *data,
-												iv, NULL))
-				{
-					if (!this->iv_out.len)
-					{
-						free(iv.ptr);
-					}
-					free(data->ptr);
-					return FAILED;
-				}
-
-				if (this->iv_out.len)
-				{	/* next record IV is last ciphertext block of this record */
-					memcpy(this->iv_out.ptr, data->ptr + data->len -
-						   this->iv_out.len, this->iv_out.len);
-				}
-				else
-				{	/* prepend IV */
-					*data = chunk_cat("mm", iv, *data);
-				}
-			}
-			else
-			{	/* NULL encryption */
-				*data = chunk_cat("mm", *data, mac);
-			}
 		}
 		this->seq_out++;
 	}
@@ -293,24 +125,15 @@ METHOD(tls_protection_t, build, status_t,
 }
 
 METHOD(tls_protection_t, set_cipher, void,
-	private_tls_protection_t *this, bool inbound, signer_t *signer,
-	crypter_t *crypter, chunk_t iv)
+	private_tls_protection_t *this, bool inbound, tls_aead_t *aead)
 {
 	if (inbound)
 	{
-		this->signer_in = signer;
-		this->crypter_in = crypter;
-		this->iv_in = iv;
+		this->aead_in = aead;
 	}
 	else
 	{
-		this->signer_out = signer;
-		this->crypter_out = crypter;
-		this->iv_out = iv;
-		if (!iv.len)
-		{	/* generate IVs if none given */
-			this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-		}
+		this->aead_out = aead;
 	}
 }
 
@@ -323,7 +146,6 @@ METHOD(tls_protection_t, set_version, void,
 METHOD(tls_protection_t, destroy, void,
 	private_tls_protection_t *this)
 {
-	DESTROY_IF(this->rng);
 	free(this);
 }
 
diff --git a/src/libtls/tls_protection.h b/src/libtls/tls_protection.h
index 05cf3df..3280fb5 100644
--- a/src/libtls/tls_protection.h
+++ b/src/libtls/tls_protection.h
@@ -26,6 +26,7 @@
 typedef struct tls_protection_t tls_protection_t;
 
 #include "tls.h"
+#include "tls_aead.h"
 #include "tls_alert.h"
 #include "tls_compression.h"
 
@@ -62,15 +63,12 @@ struct tls_protection_t {
 					  tls_content_type_t *type, chunk_t *data);
 
 	/**
-	 * Set a new cipher, including encryption and integrity algorithms.
+	 * Set a new transforms to use at protection layer
 	 *
 	 * @param inbound	TRUE to use cipher for inbound data, FALSE for outbound
-	 * @param signer	new signer to use, gets owned by protection layer
-	 * @param crypter	new crypter to use, gets owned by protection layer
-	 * @param iv		initial IV for crypter, gets owned by protection layer
+	 * @param aead		new AEAD transform
 	 */
-	void (*set_cipher)(tls_protection_t *this, bool inbound, signer_t *signer,
-					   crypter_t *crypter, chunk_t iv);
+	void (*set_cipher)(tls_protection_t *this, bool inbound, tls_aead_t *aead);
 
 	/**
 	 * Set the TLS version negotiated, used for MAC calculation.
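Review bot: The new comment reads `Set a new transforms to use at protection layer`, which is ungrammatical; `Set the transform to use at the protection layer` would do. The `@param aead` line should also state ownership now that the old "gets owned by protection layer" wording is gone: set_cipher in tls_protection.c only stores the pointer and its destroy() does not release it, while tls_crypto creates and destroys the transforms, so `@param aead new AEAD transform, stays owned by the caller and must outlive its use here` documents the actual contract.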
diff --git a/src/libtls/tls_socket.c b/src/libtls/tls_socket.c
index 1923275..648771e 100644
--- a/src/libtls/tls_socket.c
+++ b/src/libtls/tls_socket.c
@@ -406,9 +406,11 @@ METHOD(tls_socket_t, destroy, void,
  * See header
  */
 tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
-							identification_t *peer, int fd, tls_cache_t *cache)
+							identification_t *peer, int fd, tls_cache_t *cache,
+							tls_version_t max_version, bool nullok)
 {
 	private_tls_socket_t *this;
+	tls_purpose_t purpose;
 
 	INIT(this,
 		.public = {
@@ -430,13 +432,23 @@ tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
 		.fd = fd,
 	);
 
-	this->tls = tls_create(is_server, server, peer, TLS_PURPOSE_GENERIC,
+	if (nullok)
+	{
+		purpose = TLS_PURPOSE_GENERIC_NULLOK;
+	}
+	else
+	{
+		purpose = TLS_PURPOSE_GENERIC;
+	}
+
+	this->tls = tls_create(is_server, server, peer, purpose,
 						   &this->app.application, cache);
 	if (!this->tls)
 	{
 		free(this);
 		return NULL;
 	}
+	this->tls->set_version(this->tls, max_version);
 
 	return &this->public;
 }
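Review bot: The result of `this->tls->set_version(this->tls, max_version)` is discarded; its return type is not visible in this hunk, but if it reports rejection of an unsupported or out-of-range version, tls_socket_create should tear down this->tls and return NULL instead of handing back a socket that will negotiate something other than what the caller asked for. Separately, `nullok` maps to TLS_PURPOSE_GENERIC_NULLOK, which the header describes as accepting NULL encryption ciphers, so the branch deserves a comment making the trade-off explicit, e.g. `/* caller accepts NULL-cipher suites: traffic is integrity-protected only, not encrypted */`. Assuming set_version returns a bool as suggested above, the failure path would look like this:

```c
	this->tls = tls_create(is_server, server, peer, purpose,
						   &this->app.application, cache);
	/* … unchanged: NULL check on this->tls … */
	if (!this->tls->set_version(this->tls, max_version))
	{	/* unsupported maximum version: fail rather than proceed with a different one */
		this->tls->destroy(this->tls);
		free(this);
		return NULL;
	}
```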
diff --git a/src/libtls/tls_socket.h b/src/libtls/tls_socket.h
index 75130a4..0d4db3b 100644
--- a/src/libtls/tls_socket.h
+++ b/src/libtls/tls_socket.h
@@ -104,9 +104,12 @@ struct tls_socket_t {
  * @param peer				client identity, NULL for no client authentication
  * @param fd				socket to read/write from
  * @param cache				session cache to use, or NULL
+ * @param max_version		maximun TLS version to negotiate
+ * @param nullok			accept NULL encryption ciphers
  * @return					TLS socket wrapper
  */
 tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
-							identification_t *peer, int fd, tls_cache_t *cache);
+							identification_t *peer, int fd, tls_cache_t *cache,
+							tls_version_t max_version, bool nullok);
 
 #endif /** TLS_SOCKET_H_ @}*/
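Review bot: The new parameter documentation has a typo (`maximun`) and does not tell callers what `nullok` commits them to; tls_socket.c maps it to TLS_PURPOSE_GENERIC_NULLOK, so the line should spell out the consequence, e.g. `@param max_version   maximum TLS version to negotiate` and `@param nullok   TRUE to accept NULL encryption cipher suites (integrity only, no confidentiality); FALSE for normal use`. It would also help to name the value a caller passes to allow the full supported range, since nothing in the header says whether max_version may be left unrestricted.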
diff --git a/src/libtnccs/Makefile.in b/src/libtnccs/Makefile.in
index 745850a..bf37bc6 100644
--- a/src/libtnccs/Makefile.in
+++ b/src/libtnccs/Makefile.in
@@ -425,7 +425,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libtnccs/plugins/tnc_imc/Makefile.in b/src/libtnccs/plugins/tnc_imc/Makefile.in
index 1f83985..11a3952 100644
--- a/src/libtnccs/plugins/tnc_imc/Makefile.in
+++ b/src/libtnccs/plugins/tnc_imc/Makefile.in
@@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libtnccs/plugins/tnc_imv/Makefile.in b/src/libtnccs/plugins/tnc_imv/Makefile.in
index 45c3569..cef45ab 100644
--- a/src/libtnccs/plugins/tnc_imv/Makefile.in
+++ b/src/libtnccs/plugins/tnc_imv/Makefile.in
@@ -376,7 +376,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libtnccs/plugins/tnc_tnccs/Makefile.in b/src/libtnccs/plugins/tnc_tnccs/Makefile.in
index 21ed94d..bba53f5 100644
--- a/src/libtnccs/plugins/tnc_tnccs/Makefile.in
+++ b/src/libtnccs/plugins/tnc_tnccs/Makefile.in
@@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libtnccs/plugins/tnccs_11/Makefile.in b/src/libtnccs/plugins/tnccs_11/Makefile.in
index 7b4d53e..182d1dd 100644
--- a/src/libtnccs/plugins/tnccs_11/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_11/Makefile.in
@@ -385,7 +385,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libtnccs/plugins/tnccs_20/Makefile.in b/src/libtnccs/plugins/tnccs_20/Makefile.in
index 63010c3..468f217 100644
--- a/src/libtnccs/plugins/tnccs_20/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_20/Makefile.in
@@ -386,7 +386,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
index 6a99188..7327202 100644
--- a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
@@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libtncif/Makefile.in b/src/libtncif/Makefile.in
index 66ac311..de76a6e 100644
--- a/src/libtncif/Makefile.in
+++ b/src/libtncif/Makefile.in
@@ -337,7 +337,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index 08033c4..04db569 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -389,7 +389,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 5452a41..d26237b 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -378,7 +378,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/openac/Makefile.am b/src/openac/Makefile.am
deleted file mode 100644
index 78a466b..0000000
--- a/src/openac/Makefile.am
+++ /dev/null
@@ -1,11 +0,0 @@
-ipsec_PROGRAMS = openac
-openac_SOURCES = openac.c
-dist_man_MANS = openac.8
-
-AM_CPPFLAGS = \
-	-I$(top_srcdir)/src/libstrongswan \
-	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
-	-DPLUGINS=\""${openac_plugins}\""
-
-openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
-openac.o :		$(top_builddir)/config.status
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
deleted file mode 100644
index b5e00be..0000000
--- a/src/openac/Makefile.in
+++ /dev/null
@@ -1,802 +0,0 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994-2013 Free Software Foundation, Inc.
-
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
- at SET_MAKE@
-
-VPATH = @srcdir@
-am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
-am__make_running_with_option = \
-  case $${target_option-} in \
-      ?) ;; \
-      *) echo "am__make_running_with_option: internal error: invalid" \
-              "target option '$${target_option-}' specified" >&2; \
-         exit 1;; \
-  esac; \
-  has_opt=no; \
-  sane_makeflags=$$MAKEFLAGS; \
-  if $(am__is_gnu_make); then \
-    sane_makeflags=$$MFLAGS; \
-  else \
-    case $$MAKEFLAGS in \
-      *\\[\ \	]*) \
-        bs=\\; \
-        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
-          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
-    esac; \
-  fi; \
-  skip_next=no; \
-  strip_trailopt () \
-  { \
-    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
-  }; \
-  for flg in $$sane_makeflags; do \
-    test $$skip_next = yes && { skip_next=no; continue; }; \
-    case $$flg in \
-      *=*|--*) continue;; \
-        -*I) strip_trailopt 'I'; skip_next=yes;; \
-      -*I?*) strip_trailopt 'I';; \
-        -*O) strip_trailopt 'O'; skip_next=yes;; \
-      -*O?*) strip_trailopt 'O';; \
-        -*l) strip_trailopt 'l'; skip_next=yes;; \
-      -*l?*) strip_trailopt 'l';; \
-      -[dEDm]) skip_next=yes;; \
-      -[JT]) skip_next=yes;; \
-    esac; \
-    case $$flg in \
-      *$$target_option*) has_opt=yes; break;; \
-    esac; \
-  done; \
-  test $$has_opt = yes
-am__make_dryrun = (target_option=n; $(am__make_running_with_option))
-am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-ipsec_PROGRAMS = openac$(EXEEXT)
-subdir = src/openac
-DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
-	$(top_srcdir)/depcomp $(dist_man_MANS)
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/split-package-version.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.ac
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_HEADER = $(top_builddir)/config.h
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
-PROGRAMS = $(ipsec_PROGRAMS)
-am_openac_OBJECTS = openac.$(OBJEXT)
-openac_OBJECTS = $(am_openac_OBJECTS)
-openac_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
-AM_V_lt = $(am__v_lt_ at AM_V@)
-am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
-am__v_lt_0 = --silent
-am__v_lt_1 = 
-AM_V_P = $(am__v_P_ at AM_V@)
-am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
-am__v_P_0 = false
-am__v_P_1 = :
-AM_V_GEN = $(am__v_GEN_ at AM_V@)
-am__v_GEN_ = $(am__v_GEN_ at AM_DEFAULT_V@)
-am__v_GEN_0 = @echo "  GEN     " $@;
-am__v_GEN_1 = 
-AM_V_at = $(am__v_at_ at AM_V@)
-am__v_at_ = $(am__v_at_ at AM_DEFAULT_V@)
-am__v_at_0 = @
-am__v_at_1 = 
-DEFAULT_INCLUDES = -I. at am__isrc@ -I$(top_builddir)
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
-AM_V_CC = $(am__v_CC_ at AM_V@)
-am__v_CC_ = $(am__v_CC_ at AM_DEFAULT_V@)
-am__v_CC_0 = @echo "  CC      " $@;
-am__v_CC_1 = 
-CCLD = $(CC)
-LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
-AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
-am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
-am__v_CCLD_0 = @echo "  CCLD    " $@;
-am__v_CCLD_1 = 
-SOURCES = $(openac_SOURCES)
-DIST_SOURCES = $(openac_SOURCES)
-am__can_run_installinfo = \
-  case $$AM_UPDATE_INFO_DIR in \
-    n|no|NO) false;; \
-    *) (install-info --version) >/dev/null 2>&1;; \
-  esac
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__uninstall_files_from_dir = { \
-  test -z "$$files" \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-         $(am__cd) "$$dir" && rm -f $$files; }; \
-  }
-man8dir = $(mandir)/man8
-NROFF = nroff
-MANS = $(dist_man_MANS)
-am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
-# Read a list of newline-separated strings from the standard input,
-# and print each of them once, without duplicates.  Input order is
-# *not* preserved.
-am__uniquify_input = $(AWK) '\
-  BEGIN { nonempty = 0; } \
-  { items[$$0] = 1; nonempty = 1; } \
-  END { if (nonempty) { for (i in items) print i; }; } \
-'
-# Make sure the list of sources is unique.  This is necessary because,
-# e.g., the same source file might be shared among _SOURCES variables
-# for different programs/libraries.
-am__define_uniq_tagged_files = \
-  list='$(am__tagged_files)'; \
-  unique=`for i in $$list; do \
-    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-  done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BFDLIB = @BFDLIB@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
-COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DLLTOOL = @DLLTOOL@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GENHTML = @GENHTML@
-GPERF = @GPERF@
-GPRBUILD = @GPRBUILD@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LCOV = @LCOV@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MANIFEST_TOOL = @MANIFEST_TOOL@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
-PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
-PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
-PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
-PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
-PTHREADLIB = @PTHREADLIB@
-PYTHON = @PYTHON@
-PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
-PYTHON_PLATFORM = @PYTHON_PLATFORM@
-PYTHON_PREFIX = @PYTHON_PREFIX@
-PYTHON_VERSION = @PYTHON_VERSION@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-RUBYLIB = @RUBYLIB@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-UNWINDLIB = @UNWINDLIB@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_AR = @ac_ct_AR@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-attest_plugins = @attest_plugins@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-c_plugins = @c_plugins@
-charon_natt_port = @charon_natt_port@
-charon_plugins = @charon_plugins@
-charon_udp_port = @charon_udp_port@
-clearsilver_LIBS = @clearsilver_LIBS@
-cmd_plugins = @cmd_plugins@
-datadir = @datadir@
-datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
-dev_headers = @dev_headers@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-fips_mode = @fips_mode@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-imcvdir = @imcvdir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsec_script = @ipsec_script@
-ipsec_script_upper = @ipsec_script_upper@
-ipsecdir = @ipsecdir@
-ipsecgroup = @ipsecgroup@
-ipseclibdir = @ipseclibdir@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
-manager_plugins = @manager_plugins@
-mandir = @mandir@
-medsrv_plugins = @medsrv_plugins@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-nm_plugins = @nm_plugins@
-oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
-pcsclite_CFLAGS = @pcsclite_CFLAGS@
-pcsclite_LIBS = @pcsclite_LIBS@
-pdfdir = @pdfdir@
-piddir = @piddir@
-pkgpyexecdir = @pkgpyexecdir@
-pkgpythondir = @pkgpythondir@
-pki_plugins = @pki_plugins@
-plugindir = @plugindir@
-pool_plugins = @pool_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-pyexecdir = @pyexecdir@
-pythondir = @pythondir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-s_plugins = @s_plugins@
-sbindir = @sbindir@
-scepclient_plugins = @scepclient_plugins@
-scripts_plugins = @scripts_plugins@
-sharedstatedir = @sharedstatedir@
-soup_CFLAGS = @soup_CFLAGS@
-soup_LIBS = @soup_LIBS@
-srcdir = @srcdir@
-starter_plugins = @starter_plugins@
-strongswan_conf = @strongswan_conf@
-strongswan_options = @strongswan_options@
-sysconfdir = @sysconfdir@
-systemdsystemunitdir = @systemdsystemunitdir@
-t_plugins = @t_plugins@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-openac_SOURCES = openac.c
-dist_man_MANS = openac.8
-AM_CPPFLAGS = \
-	-I$(top_srcdir)/src/libstrongswan \
-	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
-	-DPLUGINS=\""${openac_plugins}\""
-
-openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/openac/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/openac/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
-	@$(NORMAL_INSTALL)
-	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
-	if test -n "$$list"; then \
-	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
-	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
-	fi; \
-	for p in $$list; do echo "$$p $$p"; done | \
-	sed 's/$(EXEEXT)$$//' | \
-	while read p p1; do if test -f $$p \
-	 || test -f $$p1 \
-	  ; then echo "$$p"; echo "$$p"; else :; fi; \
-	done | \
-	sed -e 'p;s,.*/,,;n;h' \
-	    -e 's|.*|.|' \
-	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
-	sed 'N;N;N;s,\n, ,g' | \
-	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
-	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
-	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
-	    else { print "f", $$3 "/" $$4, $$1; } } \
-	  END { for (d in files) print "f", d, files[d] }' | \
-	while read type dir files; do \
-	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
-	    test -z "$$files" || { \
-	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
-	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
-	    } \
-	; done
-
-uninstall-ipsecPROGRAMS:
-	@$(NORMAL_UNINSTALL)
-	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
-	files=`for p in $$list; do echo "$$p"; done | \
-	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
-	      -e 's/$$/$(EXEEXT)/' \
-	`; \
-	test -n "$$list" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
-
-clean-ipsecPROGRAMS:
-	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
-	echo " rm -f" $$list; \
-	rm -f $$list || exit $$?; \
-	test -n "$(EXEEXT)" || exit 0; \
-	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
-	echo " rm -f" $$list; \
-	rm -f $$list
-
-openac$(EXEEXT): $(openac_OBJECTS) $(openac_DEPENDENCIES) $(EXTRA_openac_DEPENDENCIES) 
-	@rm -f openac$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(openac_OBJECTS) $(openac_LDADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/openac.Po at am__quote@
-
-.c.o:
- at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
- at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
- at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ $<
-
-.c.obj:
- at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
- at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
- at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
-
-.c.lo:
- at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
- at am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
- at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-install-man8: $(dist_man_MANS)
-	@$(NORMAL_INSTALL)
-	@list1=''; \
-	list2='$(dist_man_MANS)'; \
-	test -n "$(man8dir)" \
-	  && test -n "`echo $$list1$$list2`" \
-	  || exit 0; \
-	echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
-	$(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
-	{ for i in $$list1; do echo "$$i"; done;  \
-	if test -n "$$list2"; then \
-	  for i in $$list2; do echo "$$i"; done \
-	    | sed -n '/\.8[a-z]*$$/p'; \
-	fi; \
-	} | while read p; do \
-	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
-	  echo "$$d$$p"; echo "$$p"; \
-	done | \
-	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
-	sed 'N;N;s,\n, ,g' | { \
-	list=; while read file base inst; do \
-	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
-	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
-	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
-	  fi; \
-	done; \
-	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
-	while read files; do \
-	  test -z "$$files" || { \
-	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
-	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
-	done; }
-
-uninstall-man8:
-	@$(NORMAL_UNINSTALL)
-	@list=''; test -n "$(man8dir)" || exit 0; \
-	files=`{ for i in $$list; do echo "$$i"; done; \
-	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
-	  sed -n '/\.8[a-z]*$$/p'; \
-	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
-
-ID: $(am__tagged_files)
-	$(am__define_uniq_tagged_files); mkid -fID $$unique
-tags: tags-am
-TAGS: tags
-
-tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
-	set x; \
-	here=`pwd`; \
-	$(am__define_uniq_tagged_files); \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: ctags-am
-
-CTAGS: ctags
-ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
-	$(am__define_uniq_tagged_files); \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-cscopelist: cscopelist-am
-
-cscopelist-am: $(am__tagged_files)
-	list='$(am__tagged_files)'; \
-	case "$(srcdir)" in \
-	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
-	  *) sdir=$(subdir)/$(srcdir) ;; \
-	esac; \
-	for i in $$list; do \
-	  if test -f "$$i"; then \
-	    echo "$(subdir)/$$i"; \
-	  else \
-	    echo "$$sdir/$$i"; \
-	  fi; \
-	done >> $(top_builddir)/cscope.files
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(PROGRAMS) $(MANS)
-installdirs:
-	for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	if test -z '$(STRIP)'; then \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	      install; \
-	else \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
-	fi
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-ipsecPROGRAMS install-man
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man: install-man8
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-ipsecPROGRAMS uninstall-man
-
-uninstall-man: uninstall-man8
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
-	clean-ipsecPROGRAMS clean-libtool cscopelist-am ctags ctags-am \
-	distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-ipsecPROGRAMS install-man install-man8 \
-	install-pdf install-pdf-am install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \
-	uninstall-ipsecPROGRAMS uninstall-man uninstall-man8
-
-openac.o :		$(top_builddir)/config.status
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/openac/openac.8 b/src/openac/openac.8
deleted file mode 100644
index ed1b8ed..0000000
--- a/src/openac/openac.8
+++ /dev/null
@@ -1,165 +0,0 @@
-.TH IPSEC_OPENAC 8 "22 September 2007"
-.SH NAME
-ipsec openac \- Generation of X.509 attribute certificates
-.SH SYNOPSIS
-.B ipsec
-.B openac
-[
-.B \-\-help
-] [
-.B \-\-version
-] [
-.B \-\-optionsfrom
-\fIfilename\fP
-]
-.br
-\ \ \ [
-.B \-\-quiet
-] [
-.B \-\-debug
-\fIlevel\fP
-]
-.br
-\ \ \ [
-.B \-\-days
-\fIdays\fP
-] [
-.B \-\-hours
-\fIhours\fP
-]
-.br
-\ \ \ [
-.B \-\-startdate
-\fIYYYYMMDDHHMMSSZ\fP
-] [
-.B \-\-stopdate
-\fIYYYYMMDDHHMMSSZ\fP
-]
-.br
-.B \ \ \ \-\-cert
-\fIcertfile\fP
-.B \-\-key
-\fIkeyfile\fP
-[
-.B \-\-password
-\fIpassword\fP
-]
-.br
-.B \ \ \ \-\-usercert
-\fIcertfile\fP
-.B \-\-groups
-\fIattr1,attr2,...\fP
-.B \-\-out
-\fIfilename\fP
-.SH DESCRIPTION
-.BR openac
-is intended to be used by an Authorization Authority (AA) to generate and sign
-X.509 attribute certificates. Currently only the inclusion of one ore several group
-attributes is supported. An attribute certificate is linked to a holder by
-including the issuer and serial number of the holder's X.509 certificate.
-.SH OPTIONS
-.TP
-\fB\-\-help\fP
-display the usage message.
-.TP
-\fB\-\-version\fP
-display the version of \fBopenac\fP.
-.TP
-\fB\-\-optionsfrom\fP\ \fIfilename\fP
-adds the contents of the file to the argument list.
-If \fIfilename\fP is a relative path then the file is searched in the directory
-\fI/etc/openac\fP.
-.TP
-\fB\-\-quiet\fP
-By default \fBopenac\fP logs all control output both to syslog and stderr.
-With the \fB\-\-quiet\fP option no output is written to stderr.
-.TP
-\fB\-\-days\fP\ \fIdays\fP
-Validity of the X.509 attribute certificate in days. If neiter the \fB\-\-days\fP\ nor
-the \fB\-\-hours\fP\ option is specified then a default validity interval of 1 day is assumed.
-The \fB\-\-days\fP\ option can be combined with the \fB\-\-hours\fP\ option.
-.TP
-\fB\-\-hours\fP\ \fIhours\fP
-Validity of the X.509 attribute certificate in hours. If neiter the \fB\-\-hours\fP\ nor
-the \fB\-\-days\fP\ option is specified then a default validity interval of 24 hours is assumed.
-The \fB\-\-hours\fP\ option can be combined with the \fB\-\-days\fP\ option.
-.TP
-\fB\-\-startdate\fP\ \fIYYYYMMDDHHMMSSZ\fP
-defines the \fBnotBefore\fP date when the X.509 attribute certificate becomes valid.
-The date \fIYYYYMMDDHHMMSS\fP must be specified in UTC (\fIZ\fPulu time).
-If the \fB\-\-startdate\fP option is not specified then the current date is taken as a default.
-
-.TP
-\fB\-\-stopdate\fP\ \fIYYYYMMDDHHMMSSZ\fP
-defines the \fBnotAfter\fP date when the X.509 attribute certificate will expire.
-The date \fIYYYYMMDDHHMMSS\fP must be specified in UTC (\fIZ\fPulu time).
-If the \fB\-\-stopdate\fP option is not specified then the default \fBnotAfter\fP value is computed
-by adding the validity interval specified by the \fB\-\-days\fP\ and/or \fB\-\-days\fP\ options
-to the \fBnotBefore\fP date.
-.TP
-\fB\-\-cert\fP\ \fIcertfile\fP
-specifies the file containing the X.509 certificate of the Authorization Authority.
-The certificate is stored either in PEM or DER format.
-.TP
-\fB\-\-key\fP\ \fIkeyfile\fP
-specifies the encrypted file containing the private RSA key of the Authoritzation
-Authority. The private key is stored in PKCS#1 format.
-.TP
-\fB\-\-password\fP\ \fIpassword\fP
-specifies the password with which the private RSA keyfile defined by the
-\fB\-\-key\fP option has been protected. If the option is missing then the
-password is prompted for on the command line.
-.TP
-\fB\-\-usercert\fP\ \fIcertfile\fP
-specifies file containing the X.509 certificate of the user to which the generated attribute
-certificate will apply. The certificate file is stored either in PEM or DER format.
-.TP
-\fB\-\-groups\fP\ \fIattr1,attr2\fP
-specifies a comma-separated list of group attributes that will go into the
-X.509 attribute certificate.
-.TP
-\fB\-\-out\fP\ \fIfilename\fP
-specifies the file where the generated X.509 attribute certificate will be stored to.
-.SS Debugging
-.LP
-\fBopenac\fP produces a prodigious amount of debugging information.  To do so,
-it must be compiled with \-DDEBUG.  There are several classes of debugging output,
-and \fBopenac\fP may be directed to produce a selection of them.  All lines of
-debugging output are prefixed with ``|\ '' to distinguish them from error messages.
-.LP
-When \fBopenac\fP is invoked, it may be given arguments to specify
-which classes to output.  The current options are:
-.TP
-\fB\-\-debug\fP\ \fIlevel\fP
-sets the debug level to 0 (none), 1 (normal), 2 (more), 3 (raw), and 4 (private),
-the default level being 1.
-.SH EXIT STATUS
-.LP
-The execution of \fBopenac\fP terminates with one of the following two exit codes:
-.TP
-0
-means that the attribute certificate was successfully generated and stored.
-.TP
-1
-means that something went wrong.
-.SH FILES
-\fI/etc/openac/serial\fP\ \ \ serial number of latest attribute certificate
-.SH SEE ALSO
-.LP
-The X.509 attribute certificates generated with \fBopenac\fP can be used to
-enforce group policies defined by \fIipsec.conf\fP(5). Use \fIipsec_auto\fP(8)
-to load and list X.509 attribute certificates.
-.LP
-For more information on X.509 attribute certificates, refer to the following
-IETF RFC:
-.IP
-RFC 3281 An Internet Attribute Certificate Profile for Authorization
-.SH HISTORY
-The \fBopenac\fP program was originally written by Ariane Seiler and Ueli Galizzi.
-The software was recoded by Andreas Steffen using strongSwan's X.509 library and 
-the ASN.1 code synthesis functions written by Christoph Gysin and Christoph Zwahlen.
-All authors were with the Zurich University of Applied Sciences in Winterthur,
-Switzerland.
-.LP
-.SH BUGS
-Bugs should be reported to the <users at lists.strongswan.org> mailing list.
diff --git a/src/openac/openac.c b/src/openac/openac.c
deleted file mode 100644
index 8862e9a..0000000
--- a/src/openac/openac.c
+++ /dev/null
@@ -1,551 +0,0 @@
-/**
- * @file openac.c
- *
- * @brief Generation of X.509 attribute certificates.
- *
- */
-
-/*
- * Copyright (C) 2002  Ueli Galizzi, Ariane Seiler
- * Copyright (C) 2004,2007  Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-#include <unistd.h>
-#include <getopt.h>
-#include <ctype.h>
-#include <time.h>
-#include <errno.h>
-
-#include <library.h>
-#include <utils/debug.h>
-#include <asn1/asn1.h>
-#include <credentials/certificates/x509.h>
-#include <credentials/certificates/ac.h>
-#include <credentials/keys/private_key.h>
-#include <credentials/sets/mem_cred.h>
-#include <utils/optionsfrom.h>
-
-#define OPENAC_PATH			IPSEC_CONFDIR "/openac"
-#define OPENAC_SERIAL		IPSEC_CONFDIR "/openac/serial"
-
-#define DEFAULT_VALIDITY	24*3600		/* seconds */
-
-/**
- * @brief prints the usage of the program to the stderr
- */
-static void usage(const char *message)
-{
-	if (message != NULL && *message != '\0')
-	{
-		fprintf(stderr, "%s\n", message);
-	}
-	fprintf(stderr, "Usage: openac"
-		" [--help]"
-		" [--version]"
-		" [--optionsfrom <filename>]"
-		" [--quiet]"
-		" \\\n\t"
-		"      [--debug <level 0..4>]"
-		" \\\n\t"
-		"      [--days <days>]"
-		" [--hours <hours>]"
-		" \\\n\t"
-		"      [--startdate <YYYYMMDDHHMMSSZ>]"
-		" [--enddate <YYYYMMDDHHMMSSZ>]"
-		" \\\n\t"
-		"      --cert <certfile>"
-		" --key <keyfile>"
-		" [--password <password>]"
-		" \\\n\t"
-		"      --usercert <certfile>"
-		" --groups <attr1,attr2,..>"
-		" --out <filename>"
-		"\n"
-	);
-}
-
-/**
- * read the last serial number from file
- */
-static chunk_t read_serial(void)
-{
-	chunk_t hex, serial = chunk_empty;
-	char one[] = {0x01};
-	FILE *fd;
-
-	fd = fopen(OPENAC_SERIAL, "r");
-	if (fd)
-	{
-		hex = chunk_alloca(64);
-		hex.len = fread(hex.ptr, 1, hex.len, fd);
-		if (hex.len)
-		{
-			/* remove any terminating newline character */
-			if (hex.ptr[hex.len-1] == '\n')
-			{
-				hex.len--;
-			}
-			serial = chunk_alloca((hex.len / 2) + (hex.len % 2));
-			serial = chunk_from_hex(hex, serial.ptr);
-		}
-		fclose(fd);
-	}
-	else
-	{
-		DBG1(DBG_LIB, "  file '%s' does not exist yet - serial number "
-			 "set to 01", OPENAC_SERIAL);
-	}
-	if (!serial.len)
-	{
-		return chunk_clone(chunk_create(one, 1));
-	}
-	if (chunk_increment(serial))
-	{	/* overflow, prepend 0x01 */
-		return chunk_cat("cc", chunk_create(one, 1), serial);
-	}
-	return chunk_clone(serial);
-}
-
-/**
- * write back the last serial number to file
- */
-static void write_serial(chunk_t serial)
-{
-	FILE *fd = fopen(OPENAC_SERIAL, "w");
-
-	if (fd)
-	{
-		chunk_t hex_serial;
-
-		DBG1(DBG_LIB, "  serial number is %#B", &serial);
-		hex_serial = chunk_to_hex(serial, NULL, FALSE);
-		fprintf(fd, "%.*s\n", (int)hex_serial.len, hex_serial.ptr);
-		fclose(fd);
-		free(hex_serial.ptr);
-	}
-	else
-	{
-		DBG1(DBG_LIB, "  could not open file '%s' for writing", OPENAC_SERIAL);
-	}
-}
-
-/**
- * global variables accessible by both main() and build.c
- */
-
-static int debug_level = 1;
-static bool stderr_quiet = FALSE;
-
-/**
- * openac dbg function
- */
-static void openac_dbg(debug_t group, level_t level, char *fmt, ...)
-{
-	int priority = LOG_INFO;
-	char buffer[8192];
-	char *current = buffer, *next;
-	va_list args;
-
-	if (level <= debug_level)
-	{
-		if (!stderr_quiet)
-		{
-			va_start(args, fmt);
-			vfprintf(stderr, fmt, args);
-			fprintf(stderr, "\n");
-			va_end(args);
-		}
-
-		/* write in memory buffer first */
-		va_start(args, fmt);
-		vsnprintf(buffer, sizeof(buffer), fmt, args);
-		va_end(args);
-
-		/* do a syslog with every line */
-		while (current)
-		{
-			next = strchr(current, '\n');
-			if (next)
-			{
-				*(next++) = '\0';
-			}
-			syslog(priority, "%s\n", current);
-			current = next;
-		}
-	}
-}
-
-/**
- * @brief openac main program
- *
- * @param argc number of arguments
- * @param argv pointer to the argument values
- */
-int main(int argc, char **argv)
-{
-	certificate_t *attr_cert   = NULL;
-	certificate_t *userCert   = NULL;
-	certificate_t *signerCert = NULL;
-	private_key_t *signerKey  = NULL;
-
-	time_t notBefore = UNDEFINED_TIME;
-	time_t notAfter  = UNDEFINED_TIME;
-	time_t validity = 0;
-
-	char *keyfile = NULL;
-	char *certfile = NULL;
-	char *usercertfile = NULL;
-	char *outfile = NULL;
-	char *groups = "";
-	char buf[BUF_LEN];
-
-	chunk_t passphrase = { buf, 0 };
-	chunk_t serial = chunk_empty;
-	chunk_t attr_chunk = chunk_empty;
-
-	int status = 1;
-
-	/* enable openac debugging hook */
-	dbg = openac_dbg;
-
-	passphrase.ptr[0] = '\0';
-
-	openlog("openac", 0, LOG_AUTHPRIV);
-
-	/* initialize library */
-	atexit(library_deinit);
-	if (!library_init(NULL, "openac"))
-	{
-		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
-	}
-	if (lib->integrity &&
-		!lib->integrity->check_file(lib->integrity, "openac", argv[0]))
-	{
-		fprintf(stderr, "integrity check of openac failed\n");
-		exit(SS_RC_DAEMON_INTEGRITY);
-	}
-	if (!lib->plugins->load(lib->plugins,
-			lib->settings->get_str(lib->settings, "openac.load", PLUGINS)))
-	{
-		exit(SS_RC_INITIALIZATION_FAILED);
-	}
-
-	/* initialize optionsfrom */
-	options_t *options = options_create();
-
-	/* handle arguments */
-	for (;;)
-	{
-		static const struct option long_opts[] = {
-			/* name, has_arg, flag, val */
-			{ "help", no_argument, NULL, 'h' },
-			{ "version", no_argument, NULL, 'v' },
-			{ "optionsfrom", required_argument, NULL, '+' },
-			{ "quiet", no_argument, NULL, 'q' },
-			{ "cert", required_argument, NULL, 'c' },
-			{ "key", required_argument, NULL, 'k' },
-			{ "password", required_argument, NULL, 'p' },
-			{ "usercert", required_argument, NULL, 'u' },
-			{ "groups", required_argument, NULL, 'g' },
-			{ "days", required_argument, NULL, 'D' },
-			{ "hours", required_argument, NULL, 'H' },
-			{ "startdate", required_argument, NULL, 'S' },
-			{ "enddate", required_argument, NULL, 'E' },
-			{ "out", required_argument, NULL, 'o' },
-			{ "debug", required_argument, NULL, 'd' },
-			{ 0,0,0,0 }
-		};
-
-		int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:d:", long_opts, NULL);
-
-		/* Note: "breaking" from case terminates loop */
-		switch (c)
-		{
-			case EOF:	/* end of flags */
-				break;
-
-			case 0: /* long option already handled */
-				continue;
-
-			case ':':	/* diagnostic already printed by getopt_long */
-			case '?':	/* diagnostic already printed by getopt_long */
-			case 'h':	/* --help */
-				usage(NULL);
-				status = 1;
-				goto end;
-
-			case 'v':	/* --version */
-				printf("openac (strongSwan %s)\n", VERSION);
-				status = 0;
-				goto end;
-
-			case '+':	/* --optionsfrom <filename> */
-				{
-					char path[BUF_LEN];
-
-					if (*optarg == '/')	/* absolute pathname */
-					{
-						strncpy(path, optarg, BUF_LEN);
-						path[BUF_LEN-1] = '\0';
-					}
-					else			/* relative pathname */
-					{
-						snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg);
-					}
-					if (!options->from(options, path, &argc, &argv, optind))
-					{
-						status = 1;
-						goto end;
-					}
-				}
-				continue;
-
-			case 'q':	/* --quiet */
-				stderr_quiet = TRUE;
-				continue;
-
-			case 'c':	/* --cert */
-				certfile = optarg;
-				continue;
-
-			case 'k':	/* --key */
-				keyfile = optarg;
-				continue;
-
-			case 'p':	/* --key */
-				if (strlen(optarg) >= BUF_LEN)
-				{
-					usage("passphrase too long");
-					goto end;
-				}
-				strncpy(passphrase.ptr, optarg, BUF_LEN);
-				passphrase.len = min(strlen(optarg), BUF_LEN);
-				continue;
-
-			case 'u':	/* --usercert */
-				usercertfile = optarg;
-				continue;
-
-			case 'g':	/* --groups */
-				groups = optarg;
-				continue;
-
-			case 'D':	/* --days */
-				if (optarg == NULL || !isdigit(optarg[0]))
-				{
-					usage("missing number of days");
-					goto end;
-				}
-				else
-				{
-					char *endptr;
-					long days = strtol(optarg, &endptr, 0);
-
-					if (*endptr != '\0' || endptr == optarg || days <= 0)
-					{
-						usage("<days> must be a positive number");
-						goto end;
-					}
-					validity += 24*3600*days;
-				}
-				continue;
-
-			case 'H':	/* --hours */
-				if (optarg == NULL || !isdigit(optarg[0]))
-				{
-					usage("missing number of hours");
-					goto end;
-				}
-				else
-				{
-					char *endptr;
-					long hours = strtol(optarg, &endptr, 0);
-
-					if (*endptr != '\0' || endptr == optarg || hours <= 0)
-					{
-						usage("<hours> must be a positive number");
-						goto end;
-					}
-					validity += 3600*hours;
-				}
-				continue;
-
-			case 'S':	/* --startdate */
-				if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
-				{
-					usage("date format must be YYYYMMDDHHMMSSZ");
-					goto end;
-				}
-				else
-				{
-					chunk_t date = { optarg, 15 };
-
-					notBefore = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
-				}
-				continue;
-
-			case 'E':	/* --enddate */
-				if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
-				{
-					usage("date format must be YYYYMMDDHHMMSSZ");
-					goto end;
-				}
-				else
-				{
-					chunk_t date = { optarg, 15 };
-					notAfter = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
-				}
-				continue;
-
-			case 'o':	/* --out */
-				outfile = optarg;
-				continue;
-
-			case 'd':	/* --debug */
-				debug_level = atoi(optarg);
-				continue;
-
-			default:
-				usage("");
-				status = 0;
-				goto end;
-		}
-		/* break from loop */
-		break;
-	}
-
-	if (optind != argc)
-	{
-		usage("unexpected argument");
-		goto end;
-	}
-
-	DBG1(DBG_LIB, "starting openac (strongSwan Version %s)", VERSION);
-
-	/* load the signer's RSA private key */
-	if (keyfile != NULL)
-	{
-		mem_cred_t *mem;
-		shared_key_t *shared;
-
-		mem = mem_cred_create();
-		lib->credmgr->add_set(lib->credmgr, &mem->set);
-		shared = shared_key_create(SHARED_PRIVATE_KEY_PASS,
-								   chunk_clone(passphrase));
-		mem->add_shared(mem, shared, NULL);
-		signerKey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-									   BUILD_FROM_FILE, keyfile,
-									   BUILD_END);
-		lib->credmgr->remove_set(lib->credmgr, &mem->set);
-		mem->destroy(mem);
-		if (signerKey == NULL)
-		{
-			goto end;
-		}
-		DBG1(DBG_LIB, "  loaded private key file '%s'", keyfile);
-	}
-
-	/* load the signer's X.509 certificate */
-	if (certfile != NULL)
-	{
-		signerCert = lib->creds->create(lib->creds,
-										CRED_CERTIFICATE, CERT_X509,
-										BUILD_FROM_FILE, certfile,
-										BUILD_END);
-		if (signerCert == NULL)
-		{
-			goto end;
-		}
-	}
-
-	/* load the users's X.509 certificate */
-	if (usercertfile != NULL)
-	{
-		userCert = lib->creds->create(lib->creds,
-									  CRED_CERTIFICATE, CERT_X509,
-									  BUILD_FROM_FILE, usercertfile,
-									  BUILD_END);
-		if (userCert == NULL)
-		{
-			goto end;
-		}
-	}
-
-	/* compute validity interval */
-	validity = (validity)? validity : DEFAULT_VALIDITY;
-	notBefore = (notBefore == UNDEFINED_TIME) ? time(NULL) : notBefore;
-	notAfter =  (notAfter  == UNDEFINED_TIME) ? time(NULL) + validity : notAfter;
-
-	/* build and parse attribute certificate */
-	if (userCert != NULL && signerCert != NULL && signerKey != NULL &&
-		outfile != NULL)
-	{
-		/* read the serial number and increment it by one */
-		serial = read_serial();
-
-		attr_cert = lib->creds->create(lib->creds,
-							CRED_CERTIFICATE, CERT_X509_AC,
-							BUILD_CERT, userCert,
-							BUILD_NOT_BEFORE_TIME, notBefore,
-							BUILD_NOT_AFTER_TIME, notAfter,
-							BUILD_SERIAL, serial,
-							BUILD_IETF_GROUP_ATTR, groups,
-							BUILD_SIGNING_CERT, signerCert,
-							BUILD_SIGNING_KEY, signerKey,
-							BUILD_END);
-		if (!attr_cert)
-		{
-			goto end;
-		}
-
-		/* write the attribute certificate to file */
-		if (attr_cert->get_encoding(attr_cert, CERT_ASN1_DER, &attr_chunk))
-		{
-			if (chunk_write(attr_chunk, outfile, 0022, TRUE))
-			{
-				DBG1(DBG_APP, "  written attribute cert file '%s' (%d bytes)",
-						 outfile, attr_chunk.len);
-				write_serial(serial);
-				status = 0;
-			}
-			else
-			{
-				DBG1(DBG_APP, "  writing attribute cert file '%s' failed: %s",
-					 outfile, strerror(errno));
-			}
-		}
-	}
-	else
-	{
-		usage("some of the mandatory parameters --usercert --cert --key --out "
-			  "are missing");
-	}
-
-end:
-	/* delete all dynamically allocated objects */
-	DESTROY_IF(signerKey);
-	DESTROY_IF(signerCert);
-	DESTROY_IF(userCert);
-	DESTROY_IF(attr_cert);
-	free(attr_chunk.ptr);
-	free(serial.ptr);
-	closelog();
-	dbg = dbg_default;
-	options->destroy(options);
-	exit(status);
-}
diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am
index efbed9b..266802c 100644
--- a/src/pki/Makefile.am
+++ b/src/pki/Makefile.am
@@ -11,6 +11,7 @@ pki_SOURCES = pki.c pki.h command.c command.h \
 	commands/self.c \
 	commands/print.c \
 	commands/signcrl.c \
+	commands/acert.c \
 	commands/pkcs7.c \
 	commands/verify.c
 
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index 461d958..2dd91e8 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -107,7 +107,8 @@ am_pki_OBJECTS = pki.$(OBJEXT) command.$(OBJEXT) \
 	commands/keyid.$(OBJEXT) commands/pub.$(OBJEXT) \
 	commands/req.$(OBJEXT) commands/self.$(OBJEXT) \
 	commands/print.$(OBJEXT) commands/signcrl.$(OBJEXT) \
-	commands/pkcs7.$(OBJEXT) commands/verify.$(OBJEXT)
+	commands/acert.$(OBJEXT) commands/pkcs7.$(OBJEXT) \
+	commands/verify.$(OBJEXT)
 pki_OBJECTS = $(am_pki_OBJECTS)
 pki_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la
 AM_V_lt = $(am__v_lt_ at AM_V@)
@@ -386,7 +387,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -436,6 +436,7 @@ pki_SOURCES = pki.c pki.h command.c command.h \
 	commands/self.c \
 	commands/print.c \
 	commands/signcrl.c \
+	commands/acert.c \
 	commands/pkcs7.c \
 	commands/verify.c
 
@@ -549,6 +550,8 @@ commands/print.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
 commands/signcrl.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
+commands/acert.$(OBJEXT): commands/$(am__dirstamp) \
+	commands/$(DEPDIR)/$(am__dirstamp)
 commands/pkcs7.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
 commands/verify.$(OBJEXT): commands/$(am__dirstamp) \
@@ -567,6 +570,7 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/command.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/pki.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at commands/$(DEPDIR)/acert.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at commands/$(DEPDIR)/gen.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at commands/$(DEPDIR)/issue.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at commands/$(DEPDIR)/keyid.Po at am__quote@
diff --git a/src/pki/command.c b/src/pki/command.c
index b6966ee..075a227 100644
--- a/src/pki/command.c
+++ b/src/pki/command.c
@@ -200,7 +200,7 @@ int command_usage(char *error)
 	fprintf(out, "usage:\n");
 	if (active == help_idx)
 	{
-		for (i = 0; cmds[i].cmd; i++)
+		for (i = 0; i < MAX_COMMANDS && cmds[i].cmd; i++)
 		{
 			fprintf(out, "  pki --%-7s (-%c)  %s\n",
 					cmds[i].cmd, cmds[i].op, cmds[i].description);
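Review bot: The added `i < MAX_COMMANDS` guard (here and in the command_dispatch hunk below) only protects the iteration from reading past `cmds`; if `command_register`, which is outside this diff, does not refuse a registration once `MAX_COMMANDS - 1` entries are in use, the terminating NULL entry can still be overwritten at registration time, and these loops would then silently stop at the array bound rather than surface the overflow. Worth confirming that registration is bounded as well, since the acert command added in this commit is what prompted the MAX_COMMANDS bump. Both command_usage and command_dispatch continue outside their hunks.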
@@ -263,7 +263,7 @@ int command_dispatch(int c, char *v[])
 
 	build_opts();
 	op = getopt_long(c, v, command_optstring, command_opts, NULL);
-	for (i = 0; cmds[i].cmd; i++)
+	for (i = 0; i < MAX_COMMANDS && cmds[i].cmd; i++)
 	{
 		if (cmds[i].op == op)
 		{
diff --git a/src/pki/command.h b/src/pki/command.h
index 737f465..9cf036b 100644
--- a/src/pki/command.h
+++ b/src/pki/command.h
@@ -24,12 +24,12 @@
 /**
  * Maximum number of commands (+1).
  */
-#define MAX_COMMANDS 11
+#define MAX_COMMANDS 12
 
 /**
  * Maximum number of options in a command (+3)
  */
-#define MAX_OPTIONS 32
+#define MAX_OPTIONS 36
 
 /**
  * Maximum number of usage summary lines (+1)
diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c
new file mode 100644
index 0000000..d49365d
--- /dev/null
+++ b/src/pki/commands/acert.c
@@ -0,0 +1,292 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <time.h>
+#include <errno.h>
+
+#include "pki.h"
+
+#include <utils/debug.h>
+#include <asn1/asn1.h>
+#include <collections/linked_list.h>
+#include <credentials/certificates/certificate.h>
+#include <credentials/certificates/x509.h>
+#include <credentials/certificates/ac.h>
+
+/**
+ * Issue an attribute certificate
+ */
+static int acert()
+{
+	cred_encoding_type_t form = CERT_ASN1_DER;
+	hash_algorithm_t digest = HASH_SHA1;
+	certificate_t *ac = NULL, *cert = NULL, *issuer =NULL;
+	private_key_t *private = NULL;
+	public_key_t *public = NULL;
+	char *file = NULL, *hex = NULL, *issuercert = NULL, *issuerkey = NULL;
+	char *error = NULL, *keyid = NULL;
+	linked_list_t *groups;
+	chunk_t serial = chunk_empty, encoding = chunk_empty;
+	time_t not_before, not_after, lifetime = 24 * 60 * 60;
+	char *datenb = NULL, *datena = NULL, *dateform = NULL;
+	rng_t *rng;
+	char *arg;
+
+	groups = linked_list_create();
+
+	while (TRUE)
+	{
+		switch (command_getopt(&arg))
+		{
+			case 'h':
+				goto usage;
+			case 'g':
+				digest = enum_from_name(hash_algorithm_short_names, arg);
+				if (digest == -1)
+				{
+					error = "invalid --digest type";
+					goto usage;
+				}
+				continue;
+			case 'i':
+				file = arg;
+				continue;
+			case 'm':
+				groups->insert_last(groups, arg);
+				continue;
+			case 'c':
+				issuercert = arg;
+				continue;
+			case 'k':
+				issuerkey = arg;
+				continue;
+			case 'x':
+				keyid = arg;
+				continue;
+			case 'l':
+				lifetime = atoi(arg) * 60 * 60;
+				if (!lifetime)
+				{
+					error = "invalid --lifetime value";
+					goto usage;
+				}
+				continue;
+			case 'D':
+				dateform = arg;
+				continue;
+			case 'F':
+				datenb = arg;
+				continue;
+			case 'T':
+				datena = arg;
+				continue;
+			case 's':
+				hex = arg;
+				continue;
+			case 'f':
+				if (!get_form(arg, &form, CRED_CERTIFICATE))
+				{
+					error = "invalid output format";
+					goto usage;
+				}
+				continue;
+			case EOF:
+				break;
+			default:
+				error = "invalid --acert option";
+				goto usage;
+		}
+		break;
+	}
+
+	if (!calculate_lifetime(dateform, datenb, datena, lifetime,
+							&not_before, &not_after))
+	{
+		error = "invalid --not-before/after datetime";
+		goto usage;
+	}
+
+	if (!issuercert)
+	{
+		error = "--issuercert is required";
+		goto usage;
+	}
+	if (!issuerkey && !keyid)
+	{
+		error = "--issuerkey or --issuerkeyid is required";
+		goto usage;
+	}
+
+	issuer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								BUILD_FROM_FILE, issuercert, BUILD_END);
+	if (!issuer)
+	{
+		error = "parsing issuer certificate failed";
+		goto end;
+	}
+	public = issuer->get_public_key(issuer);
+	if (!public)
+	{
+		error = "extracting issuer certificate public key failed";
+		goto end;
+	}
+	if (issuerkey)
+	{
+		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+									 public->get_type(public),
+									 BUILD_FROM_FILE, issuerkey, BUILD_END);
+	}
+	else
+	{
+		chunk_t chunk;
+
+		chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
+		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+									 BUILD_PKCS11_KEYID, chunk, BUILD_END);
+		free(chunk.ptr);
+	}
+	if (!private)
+	{
+		error = "loading issuer private key failed";
+		goto end;
+	}
+	if (!private->belongs_to(private, public))
+	{
+		error = "issuer private key does not match issuer certificate";
+		goto end;
+	}
+
+	if (hex)
+	{
+		serial = chunk_from_hex(chunk_create(hex, strlen(hex)), NULL);
+	}
+	else
+	{
+		rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+		if (!rng)
+		{
+			error = "no random number generator found";
+			goto end;
+		}
+		if (!rng_allocate_bytes_not_zero(rng, 8, &serial, FALSE))
+		{
+			error = "failed to generate serial number";
+			rng->destroy(rng);
+			goto end;
+		}
+		serial.ptr[0] &= 0x7F;
+		rng->destroy(rng);
+	}
+
+	if (file)
+	{
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_FROM_FILE, file, BUILD_END);
+	}
+	else
+	{
+		if (!chunk_from_fd(0, &encoding))
+		{
+			fprintf(stderr, "%s: ", strerror(errno));
+			error = "reading public key failed";
+			goto end;
+		}
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_BLOB, encoding, BUILD_END);
+		chunk_free(&encoding);
+	}
+	if (!cert)
+	{
+		error = "parsing user certificate failed";
+		goto end;
+	}
+
+	ac = lib->creds->create(lib->creds,
+							CRED_CERTIFICATE, CERT_X509_AC,
+							BUILD_CERT, cert,
+							BUILD_NOT_BEFORE_TIME, not_before,
+							BUILD_NOT_AFTER_TIME, not_after,
+							BUILD_SERIAL, serial,
+							BUILD_AC_GROUP_STRINGS, groups,
+							BUILD_SIGNING_CERT, issuer,
+							BUILD_SIGNING_KEY, private,
+							BUILD_END);
+	if (!ac)
+	{
+		error = "generating attribute certificate failed";
+		goto end;
+	}
+	if (!ac->get_encoding(ac, form, &encoding))
+	{
+		error = "encoding attribute certificate failed";
+		goto end;
+	}
+	if (fwrite(encoding.ptr, encoding.len, 1, stdout) != 1)
+	{
+		error = "writing attribute certificate key failed";
+		goto end;
+	}
+
+end:
+	DESTROY_IF(ac);
+	DESTROY_IF(cert);
+	DESTROY_IF(issuer);
+	DESTROY_IF(public);
+	DESTROY_IF(private);
+	groups->destroy(groups);
+	free(encoding.ptr);
+	free(serial.ptr);
+
+	if (error)
+	{
+		fprintf(stderr, "%s\n", error);
+		return 1;
+	}
+	return 0;
+
+usage:
+	groups->destroy(groups);
+	return command_usage(error);
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+	command_register((command_t) {
+		acert, 'z', "acert",
+		"issue an attribute certificate",
+		{"[--in file] [--group name]* --issuerkey file|--issuerkeyid hex",
+		 " --issuercert file [--serial hex] [--lifetime hours]",
+		 " [--not-before datetime] [--not-after datetime] [--dateform form]",
+		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
+		{
+			{"help",			'h', 0, "show usage information"},
+			{"in",				'i', 1, "holder certificate, default: stdin"},
+			{"group",			'm', 1, "group membership string to include"},
+			{"issuercert",		'c', 1, "issuer certificate file"},
+			{"issuerkey",		'k', 1, "issuer private key file"},
+			{"issuerkeyid",		'x', 1, "keyid on smartcard of issuer private key"},
+			{"serial",			's', 1, "serial number in hex, default: random"},
+			{"lifetime",		'l', 1, "hours the acert is valid, default: 24"},
+			{"not-before",		'F', 1, "date/time the validity of the AC starts"},
+			{"not-after",		'T', 1, "date/time the validity of the AC ends"},
+			{"dateform",		'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
+			{"digest",			'g', 1, "digest for signature creation, default: sha1"},
+			{"outform",			'f', 1, "encoding of generated cert, default: der"},
+		}
+	});
+}
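Review bot: `lifetime = atoi(arg) * 60 * 60;` in the option loop accepts negative and overflowing values: the multiplication is done in int before the assignment to time_t, so a large `--lifetime` wraps (undefined behaviour) and a negative one passes the `!lifetime` check and yields a not_after that precedes not_before. The same pattern is in the issue.c hunk of this commit, where `atoi(arg) * 24 * 60 * 60` already wraps at about 24855 days. Parse with strtol and reject anything that is not a positive number in range, as below (needs `<limits.h>` for INT_MAX). Separately, two error strings are copy-pasted from the certificate path and mislead the user: `error = "reading public key failed";` on the stdin path actually reads the holder certificate, and `error = "writing attribute certificate key failed";` should drop the word "key".
```c
			case 'l':
			{
				char *end;
				long hours = strtol(arg, &end, 10);

				/* reject empty, trailing junk, non-positive and values that
				 * would overflow the int arithmetic of the original code */
				if (end == arg || *end != '\0' || hours <= 0 ||
					hours > INT_MAX / (60 * 60))
				{
					error = "invalid --lifetime value";
					goto usage;
				}
				lifetime = (time_t)hours * 60 * 60;
				continue;
			}
			/* … unchanged: remaining option cases … */
```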
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index d5c33b8..d03326e 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -72,8 +72,8 @@ static int issue()
 	int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT;
 	chunk_t serial = chunk_empty;
 	chunk_t encoding = chunk_empty;
-	time_t lifetime = 1095;
-	time_t not_before, not_after;
+	time_t not_before, not_after, lifetime = 1095 * 24 * 60 * 60;
+	char *datenb = NULL, *datena = NULL, *dateform = NULL;
 	x509_flag_t flags = 0;
 	x509_t *x509;
 	x509_cdp_t *cdp = NULL;
@@ -132,13 +132,22 @@ static int issue()
 				san->insert_last(san, identification_create_from_string(arg));
 				continue;
 			case 'l':
-				lifetime = atoi(arg);
+				lifetime = atoi(arg) * 24 * 60 * 60;
 				if (!lifetime)
 				{
 					error = "invalid --lifetime value";
 					goto usage;
 				}
 				continue;
+			case 'D':
+				dateform = arg;
+				continue;
+			case 'F':
+				datenb = arg;
+				continue;
+			case 'T':
+				datena = arg;
+				continue;
 			case 's':
 				hex = arg;
 				continue;
@@ -242,6 +251,10 @@ static int issue()
 				{
 					flags |= X509_OCSP_SIGNER;
 				}
+				else if (streq(arg, "msSmartcardLogon"))
+				{
+					flags |= X509_MS_SMARTCARD_LOGON;
+				}
 				continue;
 			case 'f':
 				if (!get_form(arg, &form, CRED_CERTIFICATE))
@@ -285,6 +298,12 @@ static int issue()
 		error = "--cakey or --keyid is required";
 		goto usage;
 	}
+	if (!calculate_lifetime(dateform, datenb, datena, lifetime,
+							&not_before, &not_after))
+	{
+		error = "invalid --not-before/after datetime";
+		goto usage;
+	}
 	if (dn && *dn)
 	{
 		id = identification_create_from_string(dn);
@@ -363,6 +382,7 @@ static int issue()
 			rng->destroy(rng);
 			goto end;
 		}
+		serial.ptr[0] &= 0x7F;
 		rng->destroy(rng);
 	}
 
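Review bot: `serial.ptr[0] &= 0x7F;` can turn a first byte of 0x80 into 0x00: `rng_allocate_bytes_not_zero` guarantees non-zero bytes before the mask, not after, so roughly one generated serial in 255 starts with a zero byte. Whether the certificate builder strips leading zeros to emit a minimal DER INTEGER is not visible here; if it does not, the encoded serial is non-minimal and strict parsers may reject the certificate. A cheap fix that keeps the top bit clear and the byte non-zero is `serial.ptr[0] &= 0x7F; if (!serial.ptr[0]) { serial.ptr[0] = 0x01; }`. The identical line is added in the new acert.c hunk of this commit. The enclosing function issue() continues outside the hunk.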
@@ -454,9 +474,6 @@ static int issue()
 										chunk_from_chars(ASN1_SEQUENCE, 0));
 	}
 
-	not_before = time(NULL);
-	not_after = not_before + lifetime * 24 * 60 * 60;
-
 	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 					BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca,
 					BUILD_PUBLIC_KEY, public, BUILD_SUBJECT, id,
@@ -536,7 +553,7 @@ static void __attribute__ ((constructor))reg()
 		{"[--in file] [--type pub|pkcs10] --cakey file|--cakeyid hex",
 		 " --cacert file [--dn subject-dn] [--san subjectAltName]+",
 		 "[--lifetime days] [--serial hex] [--ca] [--pathlen len]",
-		 "[--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
+		 "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
 		 "[--crl uri [--crlissuer i]]+ [--ocsp uri]+ [--nc-permitted name]",
 		 "[--nc-excluded name] [--policy-mapping issuer-oid:subject-oid]",
 		 "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
@@ -552,6 +569,9 @@ static void __attribute__ ((constructor))reg()
 			{"dn",				'd', 1, "distinguished name to include as subject"},
 			{"san",				'a', 1, "subjectAltName to include in certificate"},
 			{"lifetime",		'l', 1, "days the certificate is valid, default: 1095"},
+			{"not-before",		'F', 1, "date/time the validity of the cert starts"},
+			{"not-after",		'T', 1, "date/time the validity of the cert ends"},
+			{"dateform",		'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
 			{"serial",			's', 1, "serial number in hex, default: random"},
 			{"ca",				'b', 0, "include CA basicConstraint, default: no"},
 			{"pathlen",			'p', 1, "set path length constraint"},
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index 077c1ef..15ace03 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -16,9 +16,11 @@
 #include "pki.h"
 
 #include <asn1/asn1.h>
+#include <asn1/oid.h>
 #include <credentials/certificates/certificate.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/crl.h>
+#include <credentials/certificates/ac.h>
 #include <selectors/traffic_selector.h>
 
 #include <time.h>
@@ -138,6 +140,10 @@ static void print_x509(x509_t *x509)
 	{
 		printf("iKEIntermediate ");
 	}
+	if (flags & X509_MS_SMARTCARD_LOGON)
+	{
+		printf("msSmartcardLogon ");
+	}
 	if (flags & X509_SELF_SIGNED)
 	{
 		printf("self-signed ");
@@ -388,6 +394,85 @@ static void print_crl(crl_t *crl)
 }
 
 /**
+ * Print AC specific information
+ */
+static void print_ac(ac_t *ac)
+{
+	ac_group_type_t type;
+	identification_t *id;
+	enumerator_t *groups;
+	chunk_t chunk;
+	bool first = TRUE;
+
+	chunk = chunk_skip_zero(ac->get_serial(ac));
+	printf("serial:    %#B\n", &chunk);
+
+	id = ac->get_holderIssuer(ac);
+	if (id)
+	{
+		printf("hissuer:  \"%Y\"\n", id);
+	}
+	chunk = chunk_skip_zero(ac->get_holderSerial(ac));
+	if (chunk.ptr)
+	{
+		printf("hserial:   %#B\n", &chunk);
+	}
+	groups = ac->create_group_enumerator(ac);
+	while (groups->enumerate(groups, &type, &chunk))
+	{
+		int oid;
+		char *str;
+
+		if (first)
+		{
+			printf("groups:    ");
+			first = FALSE;
+		}
+		else
+		{
+			printf("           ");
+		}
+		switch (type)
+		{
+			case AC_GROUP_TYPE_STRING:
+				printf("%.*s", (int)chunk.len, chunk.ptr);
+				break;
+			case AC_GROUP_TYPE_OID:
+				oid = asn1_known_oid(chunk);
+				if (oid == OID_UNKNOWN)
+				{
+					str = asn1_oid_to_string(chunk);
+					if (str)
+					{
+						printf("%s", str);
+						free(str);
+					}
+					else
+					{
+						printf("OID:%#B", &chunk);
+					}
+				}
+				else
+				{
+					printf("%s", oid_names[oid].name);
+				}
+				break;
+			case AC_GROUP_TYPE_OCTETS:
+				printf("%#B", &chunk);
+				break;
+		}
+		printf("\n");
+	}
+	groups->destroy(groups);
+
+	chunk = ac->get_authKeyIdentifier(ac);
+	if (chunk.ptr)
+	{
+		printf("authkey:  %#B\n", &chunk);
+	}
+}
+
+/**
  * Print certificate information
  */
 static void print_cert(certificate_t *cert)
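Review bot: The label padding in print_ac is inconsistent: `serial:`, `hserial:` and `groups:` pad their values out to column 11 while `hissuer:  ` and `authkey:  ` stop at column 10, so the printed fields do not line up; one extra space in those two format strings fixes it. The `switch (type)` has no `default:` branch, so a group type the code does not know prints only indentation and a newline — a fallback like `default: printf("unknown group type %d", type);` keeps such input visible. Note also that `%.*s` echoes the group string bytes from the certificate unfiltered; if the rest of print.c sanitises untrusted strings before printing, this should match. print_ac is complete within the hunk.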
@@ -432,6 +517,9 @@ static void print_cert(certificate_t *cert)
 		case CERT_X509_CRL:
 			print_crl((crl_t*)cert);
 			break;
+		case CERT_X509_AC:
+			print_ac((ac_t*)cert);
+			break;
 		default:
 			printf("parsing certificate subtype %N not implemented\n",
 				   certificate_type_names, cert->get_type(cert));
@@ -472,6 +560,11 @@ static int print()
 					type = CRED_CERTIFICATE;
 					subtype = CERT_X509_CRL;
 				}
+				else if (streq(arg, "ac"))
+				{
+					type = CRED_CERTIFICATE;
+					subtype = CERT_X509_AC;
+				}
 				else if (streq(arg, "pub"))
 				{
 					type = CRED_PUBLIC_KEY;
@@ -558,7 +651,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t)
 		{ print, 'a', "print",
 		"print a credential in a human readable form",
-		{"[--in file] [--type rsa-priv|ecdsa-priv|pub|x509|crl]"},
+		{"[--in file] [--type rsa-priv|ecdsa-priv|pub|x509|crl|ac]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index c28c9c2..a35a42b 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -60,8 +60,8 @@ static int self()
 	int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT;
 	chunk_t serial = chunk_empty;
 	chunk_t encoding = chunk_empty;
-	time_t lifetime = 1095;
-	time_t not_before, not_after;
+	time_t not_before, not_after, lifetime = 1095 * 24 * 60 * 60;
+	char *datenb = NULL, *datena = NULL, *dateform = NULL;
 	x509_flag_t flags = 0;
 	x509_cert_policy_t *policy = NULL;
 	char *arg;
@@ -115,13 +115,22 @@ static int self()
 				san->insert_last(san, identification_create_from_string(arg));
 				continue;
 			case 'l':
-				lifetime = atoi(arg);
+				lifetime = atoi(arg) * 24 * 60 * 60;
 				if (!lifetime)
 				{
 					error = "invalid --lifetime value";
 					goto usage;
 				}
 				continue;
+			case 'D':
+				dateform = arg;
+				continue;
+			case 'F':
+				datenb = arg;
+				continue;
+			case 'T':
+				datena = arg;
+				continue;
 			case 's':
 				hex = arg;
 				continue;
@@ -225,6 +234,10 @@ static int self()
 				{
 					flags |= X509_OCSP_SIGNER;
 				}
+				else if (streq(arg, "msSmartcardLogon"))
+				{
+					flags |= X509_MS_SMARTCARD_LOGON;
+				}
 				continue;
 			case 'f':
 				if (!get_form(arg, &form, CRED_CERTIFICATE))
@@ -250,6 +263,12 @@ static int self()
 		error = "--dn is required";
 		goto usage;
 	}
+	if (!calculate_lifetime(dateform, datenb, datena, lifetime,
+							&not_before, &not_after))
+	{
+		error = "invalid --not-before/after datetime";
+		goto usage;
+	}
 	id = identification_create_from_string(dn);
 	if (id->get_type(id) != ID_DER_ASN1_DN)
 	{
@@ -314,10 +333,9 @@ static int self()
 			rng->destroy(rng);
 			goto end;
 		}
+		serial.ptr[0] &= 0x7F;
 		rng->destroy(rng);
 	}
-	not_before = time(NULL);
-	not_after = not_before + lifetime * 24 * 60 * 60;
 	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 						BUILD_SIGNING_KEY, private, BUILD_PUBLIC_KEY, public,
 						BUILD_SUBJECT, id, BUILD_NOT_BEFORE_TIME, not_before,
@@ -391,7 +409,7 @@ static void __attribute__ ((constructor))reg()
 		{" [--in file|--keyid hex] [--type rsa|ecdsa]",
 		 " --dn distinguished-name [--san subjectAltName]+",
 		 "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
-		 "[--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
+		 "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
 		 "[--nc-permitted name] [--nc-excluded name]",
 		 "[--policy-map issuer-oid:subject-oid]",
 		 "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
@@ -405,6 +423,9 @@ static void __attribute__ ((constructor))reg()
 			{"dn",				'd', 1, "subject and issuer distinguished name"},
 			{"san",				'a', 1, "subjectAltName to include in certificate"},
 			{"lifetime",		'l', 1, "days the certificate is valid, default: 1095"},
+			{"not-before",		'F', 1, "date/time the validity of the cert starts"},
+			{"not-after",		'T', 1, "date/time the validity of the cert ends"},
+			{"dateform",		'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
 			{"serial",			's', 1, "serial number in hex, default: random"},
 			{"ca",				'b', 0, "include CA basicConstraint, default: no"},
 			{"pathlen",			'p', 1, "set path length constraint"},
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index 4f9dd29..c9eebbf 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -124,7 +124,8 @@ static int sign_crl()
 	int serial_len = 0;
 	crl_reason_t reason = CRL_REASON_UNSPECIFIED;
 	time_t thisUpdate, nextUpdate, date = time(NULL);
-	time_t lifetime = 15;
+	time_t lifetime = 15 * 24 * 60 * 60;
+	char *datetu = NULL, *datenu = NULL, *dateform = NULL;
 	linked_list_t *list, *cdps;
 	enumerator_t *enumerator, *lastenum = NULL;
 	x509_cdp_t *cdp;
@@ -161,13 +162,22 @@ static int sign_crl()
 				lastupdate = arg;
 				continue;
 			case 'l':
-				lifetime = atoi(arg);
+				lifetime = atoi(arg) * 24 * 60 * 60;
 				if (!lifetime)
 				{
-					error = "invalid lifetime";
+					error = "invalid --lifetime value";
 					goto usage;
 				}
 				continue;
+			case 'D':
+				dateform = arg;
+				continue;
+			case 'F':
+				datetu = arg;
+				continue;
+			case 'T':
+				datenu = arg;
+				continue;
 			case 'z':
 				serial_len = read_serial(arg, serial, sizeof(serial));
 				if (serial_len < 0)
@@ -275,6 +285,12 @@ static int sign_crl()
 		error = "--cakey or --keyid is required";
 		goto usage;
 	}
+	if (!calculate_lifetime(dateform, datetu, datenu, lifetime,
+							&thisUpdate, &nextUpdate))
+	{
+		error = "invalid --this/next-update datetime";
+		goto usage;
+	}
 
 	ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 							BUILD_FROM_FILE, cacert, BUILD_END);
@@ -321,9 +337,6 @@ static int sign_crl()
 		goto error;
 	}
 
-	thisUpdate = time(NULL);
-	nextUpdate = thisUpdate + lifetime * 24 * 60 * 60;
-
 	if (basecrl)
 	{
 		lastcrl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
@@ -442,6 +455,9 @@ static void __attribute__ ((constructor))reg()
 			{"cakey",		'k', 1, "CA private key file"},
 			{"cakeyid",		'x', 1, "keyid on smartcard of CA private key"},
 			{"lifetime",	'l', 1, "days the CRL gets a nextUpdate, default: 15"},
+			{"this-update",	'F', 1, "date/time the validity of the CRL starts"},
+			{"next-update",	'T', 1, "date/time the validity of the CRL ends"},
+			{"dateform",	'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
 			{"lastcrl",		'a', 1, "CRL of lastUpdate to copy revocations from"},
 			{"basecrl",		'b', 1, "base CRL to create a delta CRL for"},
 			{"crluri",		'u', 1, "freshest delta CRL URI to include"},
diff --git a/src/pki/man/Makefile.am b/src/pki/man/Makefile.am
index 618bd40..4c901ae 100644
--- a/src/pki/man/Makefile.am
+++ b/src/pki/man/Makefile.am
@@ -4,6 +4,7 @@ man1_MANS = \
 	pki---self.1 \
 	pki---issue.1 \
 	pki---signcrl.1 \
+	pki---acert.1 \
 	pki---req.1 \
 	pki---pkcs7.1 \
 	pki---keyid.1 \
diff --git a/src/pki/man/Makefile.in b/src/pki/man/Makefile.in
index edbde85..5d901a8 100644
--- a/src/pki/man/Makefile.in
+++ b/src/pki/man/Makefile.in
@@ -84,7 +84,7 @@ DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(srcdir)/pki---pkcs7.1.in $(srcdir)/pki---print.1.in \
 	$(srcdir)/pki---pub.1.in $(srcdir)/pki---req.1.in \
 	$(srcdir)/pki---self.1.in $(srcdir)/pki---signcrl.1.in \
-	$(srcdir)/pki---verify.1.in
+	$(srcdir)/pki---acert.1.in $(srcdir)/pki---verify.1.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -102,7 +102,7 @@ mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES = pki.1 pki---gen.1 pki---issue.1 pki---keyid.1 \
 	pki---pkcs7.1 pki---print.1 pki---pub.1 pki---req.1 \
-	pki---self.1 pki---signcrl.1 pki---verify.1
+	pki---self.1 pki---signcrl.1 pki---acert.1 pki---verify.1
 CONFIG_CLEAN_VPATH_FILES =
 AM_V_P = $(am__v_P_ at AM_V@)
 am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
@@ -325,7 +325,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -371,6 +370,7 @@ man1_MANS = \
 	pki---self.1 \
 	pki---issue.1 \
 	pki---signcrl.1 \
+	pki---acert.1 \
 	pki---req.1 \
 	pki---pkcs7.1 \
 	pki---keyid.1 \
@@ -432,6 +432,8 @@ pki---self.1: $(top_builddir)/config.status $(srcdir)/pki---self.1.in
 	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
 pki---signcrl.1: $(top_builddir)/config.status $(srcdir)/pki---signcrl.1.in
 	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---acert.1: $(top_builddir)/config.status $(srcdir)/pki---acert.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
 pki---verify.1: $(top_builddir)/config.status $(srcdir)/pki---verify.1.in
 	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
 
diff --git a/src/pki/man/pki---acert.1.in b/src/pki/man/pki---acert.1.in
new file mode 100644
index 0000000..ec1d8be
--- /dev/null
+++ b/src/pki/man/pki---acert.1.in
@@ -0,0 +1,130 @@
+.TH "PKI \-\-ACERT" 1 "2014-02-05" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-acert \- Issue an attribute certificate
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-acert
+.OP \-\-in file
+.OP \-\-group membership
+.BI \-\-issuerkey\~ file |\-\-issuerkeyid\~ hex
+.BI \-\-issuercert\~ file
+.OP \-\-lifetime hours
+.OP \-\-not-before datetime
+.OP \-\-not-after datetime
+.OP \-\-serial hex
+.OP \-\-digest digest
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-acert
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-acert"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+is used to issue an attribute certificate using an issuer certificate with its
+private key and the holder certificate.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+Holder certificate to issue an attribute certificate for. If not given the
+certificate is read from \fISTDIN\fR.
+.TP
+.BI "\-m, \-\-group " membership
+Group membership the attribute certificate shall certify. The specified group
+is included as a string. To include multiple groups, the option can be repeated.
+.TP
+.BI "\-k, \-\-issuerkey " file
+Issuer private key file. Either this or
+.B \-\-issuerkeyid
+is required.
+.TP
+.BI "\-x, \-\-issuerkeyid " hex
+Key ID of a issuer private key on a smartcard. Either this or
+.B \-\-issuerkey
+is required.
+.TP
+.BI "\-c, \-\-issuercert " file
+Issuer certificate file. Required.
+.TP
+.BI "\-l, \-\-lifetime " hours
+Hours the attribute certificate is valid, default: 24. Ignored if both
+an absolute start and end time are given.
+.TP
+.BI "\-F, \-\-not-before " datetime
+Absolute time when the validity of the AC begins. The datetime format is
+defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-T, \-\-not-after " datetime
+Absolute time when the validity of the AC ends. The datetime format is
+defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-D, \-\-dateform " form
+strptime(3) format for the
+.B \-\-not\-before
+and
+.B \-\-not\-after
+options, default:
+.B %d.%m.%y %T
+.TP
+.BI "\-s, \-\-serial " hex
+Serial number in hex. It is randomly allocated by default.
+.TP
+.BI "\-g, \-\-digest " digest
+Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
+\fIsha1\fR.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
+\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
+.
+.SH "EXAMPLES"
+.
+To save repetitive typing, command line options can be stored in files.
+Lets assume
+.I acert.opt
+contains the following contents:
+.PP
+.EX
+  --issuercert aacert.der --issuerkey aakey.der --digest sha256 --lifetime 4
+.EE
+.PP
+Then the following command can be used to issue an attribute certificate based
+on a holder certificate and the options above:
+.PP
+.EX
+  pki --acert --options acert.opt --in holder.der --group sales --group finance -f pem
+.EE
+.PP
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in
index 3fad1ae..375cb2f 100644
--- a/src/pki/man/pki---issue.1.in
+++ b/src/pki/man/pki---issue.1.in
@@ -14,6 +14,8 @@ pki \-\-issue \- Issue a certificate using a CA certificate and key
 .OP \-\-dn subject-dn
 .OP \-\-san subjectAltName
 .OP \-\-lifetime days
+.OP \-\-not-before datetime
+.OP \-\-not-after datetime
 .OP \-\-serial hex
 .OP \-\-flag flag
 .OP \-\-digest digest
@@ -88,7 +90,28 @@ Subject distinguished name (DN) of the issued certificate.
 subjectAltName extension to include in certificate. Can be used multiple times.
 .TP
 .BI "\-l, \-\-lifetime " days
-Days the certificate is valid, default: 1095.
+Days the certificate is valid, default: 1095. Ignored if both
+an absolute start and end time are given.
+.TP
+.BI "\-F, \-\-not-before " datetime
+Absolute time when the validity of the certificate begins. The datetime format
+is defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-T, \-\-not-after " datetime
+Absolute time when the validity of the certificate ends. The datetime format is
+defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-D, \-\-dateform " form
+strptime(3) format for the
+.B \-\-not\-before
+and
+.B \-\-not\-after
+options, default:
+.B %d.%m.%y %T
 .TP
 .BI "\-s, \-\-serial " hex
 Serial number in hex. It is randomly allocated by default.
@@ -176,4 +199,4 @@ given PKCS#10 certificate request and the options above:
 .
 .SH "SEE ALSO"
 .
-.BR pki (1)
\ No newline at end of file
+.BR pki (1)
diff --git a/src/pki/man/pki---print.1.in b/src/pki/man/pki---print.1.in
index 8d3345e..434d4ea 100644
--- a/src/pki/man/pki---print.1.in
+++ b/src/pki/man/pki---print.1.in
@@ -46,8 +46,9 @@ Input file. If not given the input is read from \fISTDIN\fR.
 .BI "\-t, \-\-type " type
 Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA
 private key), \fIpub\fR (public key), \fIx509\fR (X.509 certificate), \fIcrl\fR
-(Certificate Revocation List, CRL), defaults to \fIx509\fR.
+(Certificate Revocation List, CRL), \fIac\fR (Attribute Certificate),
+defaults to \fIx509\fR.
 .
 .SH "SEE ALSO"
 .
-.BR pki (1)
\ No newline at end of file
+.BR pki (1)
diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in
index ee42cf9..5e6e78b 100644
--- a/src/pki/man/pki---self.1.in
+++ b/src/pki/man/pki---self.1.in
@@ -14,6 +14,8 @@ pki \-\-self \- Create a self-signed certificate
 .BI \-\-dn\~ distinguished-name
 .OP \-\-san subjectAltName
 .OP \-\-lifetime days
+.OP \-\-not-before datetime
+.OP \-\-not-after datetime
 .OP \-\-serial hex
 .OP \-\-flag flag
 .OP \-\-digest digest
@@ -75,7 +77,28 @@ Subject and issuer distinguished name (DN). Required.
 subjectAltName extension to include in certificate. Can be used multiple times.
 .TP
 .BI "\-l, \-\-lifetime " days
-Days the certificate is valid, default: 1095.
+Days the certificate is valid, default: 1095. Ignored if both
+an absolute start and end time are given.
+.TP
+.BI "\-F, \-\-not-before " datetime
+Absolute time when the validity of the certificate begins. The datetime format
+is defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-T, \-\-not-after " datetime
+Absolute time when the validity of the certificate ends. The datetime format is
+defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-D, \-\-dateform " form
+strptime(3) format for the
+.B \-\-not\-before
+and
+.B \-\-not\-after
+options, default:
+.B %d.%m.%y %T
 .TP
 .BI "\-s, \-\-serial " hex
 Serial number in hex. It is randomly allocated by default.
@@ -145,4 +168,4 @@ Generate a self-signed certificate using the given RSA key:
 .
 .SH "SEE ALSO"
 .
-.BR pki (1)
\ No newline at end of file
+.BR pki (1)
diff --git a/src/pki/man/pki---signcrl.1.in b/src/pki/man/pki---signcrl.1.in
index 6ba96f6..bd6cba5 100644
--- a/src/pki/man/pki---signcrl.1.in
+++ b/src/pki/man/pki---signcrl.1.in
@@ -10,6 +10,8 @@ pki \-\-signcrl \- Issue a Certificate Revocation List (CRL) using a CA certific
 .BI \-\-cakey\~ file |\-\-cakeyid\~ hex
 .BI \-\-cacert\~ file
 .OP \-\-lifetime days
+.OP \-\-this-update datetime
+.OP \-\-next-update datetime
 .OP \-\-lastcrl crl
 .OP \-\-basecrl crl
 .OP \-\-crluri uri
@@ -62,7 +64,28 @@ is required.
 CA certificate file. Required.
 .TP
 .BI "\-l, \-\-lifetime " days
-Days until the CRL gets a nextUpdate, default: 15.
+Days until the CRL gets a nextUpdate, default: 15. Ignored if both
+an absolute start and end time are given.
+.TP
+.BI "\-F, \-\-this-update " datetime
+Absolute time when the validity of the CRL begins. The datetime format is
+defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-T, \-\-next-update " datetime
+Absolute time when the validity of the CRL end. The datetime format is
+defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-D, \-\-dateform " form
+strptime(3) format for the
+.B \-\-this\-update
+and
+.B \-\-next\-update
+options, default:
+.B %d.%m.%y %T
 .TP
 .BI "\-a, \-\-lastcrl " crl
 CRL of lastUpdate to copy revocations from.
@@ -121,4 +144,4 @@ number, but no reason:
 .PP
 .SH "SEE ALSO"
 .
-.BR pki (1)
\ No newline at end of file
+.BR pki (1)
diff --git a/src/pki/man/pki.1.in b/src/pki/man/pki.1.in
index 8dfc53a..f347031 100644
--- a/src/pki/man/pki.1.in
+++ b/src/pki/man/pki.1.in
@@ -49,6 +49,9 @@ Issue a certificate using a CA certificate and key.
 .B "\-c, \-\-signcrl"
 Issue a CRL using a CA certificate and key.
 .TP
+.B "\-z, \-\-acert"
+Issue an attribute certificate.
+.TP
 .B "\-r, \-\-req"
 Create a PKCS#10 certificate request.
 .TP
@@ -148,6 +151,7 @@ certificates with the \-\-crl option.
 .BR pki\ \-\-self (1),
 .BR pki\ \-\-issue (1),
 .BR pki\ \-\-signcrl (1),
+.BR pki\ \-\-acert (1),
 .BR pki\ \-\-req (1),
 .BR pki\ \-\-pkcs7 (1),
 .BR pki\ \-\-keyid (1),
diff --git a/src/pki/pki.c b/src/pki/pki.c
index eb614dd..ae4ef1c 100644
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@@ -13,9 +13,11 @@
  * for more details.
  */
 
+#define _GNU_SOURCE
 #include "command.h"
 #include "pki.h"
 
+#include <time.h>
 #include <unistd.h>
 
 #include <utils/debug.h>
@@ -102,6 +104,56 @@ bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type)
 }
 
 /**
+ * See header
+ */
+bool calculate_lifetime(char *format, char *nbstr, char *nastr, time_t span,
+						time_t *nb, time_t *na)
+{
+	struct tm tm;
+	time_t now;
+	char *end;
+
+	if (!format)
+	{
+		format = "%d.%m.%y %T";
+	}
+
+	now = time(NULL);
+
+	localtime_r(&now, &tm);
+	if (nbstr)
+	{
+		end = strptime(nbstr, format, &tm);
+		if (end == NULL || *end != '\0')
+		{
+			return FALSE;
+		}
+	}
+	*nb = mktime(&tm);
+
+	localtime_r(&now, &tm);
+	if (nastr)
+	{
+		end = strptime(nastr, format, &tm);
+		if (end == NULL || *end != '\0')
+		{
+			return FALSE;
+		}
+	}
+	*na = mktime(&tm);
+
+	if (!nbstr && nastr)
+	{
+		*nb = *na - span;
+	}
+	else if (!nastr)
+	{
+		*na = *nb + span;
+	}
+	return TRUE;
+}
+
+/**
  * Callback credential set pki uses
  */
 static callback_cred_t *cb_set;
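Review bot: calculate_lifetime never checks that the resulting period is sensible: with both nbstr and nastr given it returns TRUE even when `*na` precedes `*nb`, and each `mktime()` result is stored without testing for `(time_t)-1`, so an unrepresentable date silently becomes a notBefore of 1969-12-31. Adding `if (*na <= *nb) return FALSE;` before `return TRUE;`, and returning FALSE when either mktime() fails, turns both cases into the "invalid --not-before/after datetime" usage error the callers already print. Because `tm` is seeded from `localtime_r()`, `tm_isdst` carries today's DST state into the parsed date; setting `tm.tm_isdst = -1` before each `mktime()` lets the library determine DST for that date and avoids a one-hour shift across a DST boundary (worth confirming against the strptime(3) implementation in use, which may or may not set tm_isdst itself).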
@@ -188,4 +240,3 @@ int main(int argc, char *argv[])
 	atexit(remove_callback);
 	return command_dispatch(argc, argv);
 }
-
diff --git a/src/pki/pki.h b/src/pki/pki.h
index 09c50c6..616fac4 100644
--- a/src/pki/pki.h
+++ b/src/pki/pki.h
@@ -33,4 +33,21 @@
  */
 bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type);
 
+/**
+ * Calculate start/end lifetime for certificates.
+ *
+ * If both nbstr and nastr are given, span is ignored. Otherwise missing
+ * arguments are calculated, or assumed to be now.
+ *
+ * @param format	strptime() format, NULL for default: %d.%m.%y %T
+ * @param nbstr		string describing notBefore datetime, or NULL
+ * @param nastr		string describing notAfter datetime, or NULL
+ * @param span		lifetime span, from notBefore to notAfter
+ * @param nb		calculated notBefore time
+ * @param na		calculated notAfter time
+ * @return			TRUE of nb/na calculated successfully
+ */
+bool calculate_lifetime(char *format, char *nbstr, char *nastr, time_t span,
+						time_t *nb, time_t *na);
+
 #endif /** PKI_H_ @}*/
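Review bot: The `@return` line has a typo, `TRUE of nb/na calculated successfully` should read `TRUE if nb/na calculated successfully`. The contract would also be clearer if it stated that nbstr/nastr are interpreted as local time (the implementation seeds the struct tm from localtime_r() and converts with mktime()), that any field the format does not cover keeps the current date/time's value, and that no ordering check between nb and na is performed, since callers only see a boolean.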
diff --git a/src/pool/Makefile.in b/src/pool/Makefile.in
index 6348903..e8caddc 100644
--- a/src/pool/Makefile.in
+++ b/src/pool/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/pt-tls-client/Makefile.in b/src/pt-tls-client/Makefile.in
index 61dff90..d9a8259 100644
--- a/src/pt-tls-client/Makefile.in
+++ b/src/pt-tls-client/Makefile.in
@@ -342,7 +342,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index 06354da..524e05b 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -369,7 +369,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 7a9154d..3f3200d 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -366,7 +366,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index 0b28528..61136e8 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -341,7 +341,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/testing/Makefile.in b/testing/Makefile.in
index 2185867..f9acc24 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -286,7 +286,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/testing/do-tests b/testing/do-tests
index 979cb48..becb7f1 100755
--- a/testing/do-tests
+++ b/testing/do-tests
@@ -373,6 +373,15 @@ do
 	    done
 	fi
 
+	##########################################################################
+	# flush conntrack table on all hosts
+	#
+
+	for host in $STRONGSWANHOSTS
+	do
+		ssh $SSHCONF root@`eval echo \\\$ipv4_$host` 'conntrack -F' >/dev/null 2>&1
+	done
+
 
 	##########################################################################
 	# execute pre-test commands
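Review bot: The new `ssh ... 'conntrack -F' >/dev/null 2>&1` discards both output and exit status, so a host where conntrack is missing or the flush fails keeps its stale entries with no trace in the test log — exactly the state this step exists to remove. Keeping stderr, or appending `|| echo "conntrack -F failed on $host"`, makes such a case visible without changing the flow. The surrounding loop begins before the hunk.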
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt
index 728c18c..5958a13 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/index.txt
@@ -37,3 +37,4 @@ V	161015124507Z		24	unknown	/C=CH/O=Linux strongSwan/OU=SHA-224/CN=moon.strongsw
 V	161015124759Z		25	unknown	/C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol at strongswan.org
 V	161015125030Z		26	unknown	/C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave at strongswan.org
 V	170314064200Z		27	unknown	/C=CH/O=Linux strongSwan/OU=OCSP/CN=carol at strongswan.org
+R	190321135622Z	140322135700Z,CACompromise	28	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old
index b9ab05a..a6d5a08 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/index.txt.old
@@ -36,3 +36,5 @@ V	151119165922Z		23	unknown	/C=CH/O=Linux strongSwan/OU=Virtual VPN Gateway/CN=m
 V	161015124507Z		24	unknown	/C=CH/O=Linux strongSwan/OU=SHA-224/CN=moon.strongswan.org
 V	161015124759Z		25	unknown	/C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol at strongswan.org
 V	161015125030Z		26	unknown	/C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave at strongswan.org
+V	170314064200Z		27	unknown	/C=CH/O=Linux strongSwan/OU=OCSP/CN=carol at strongswan.org
+V	190321135622Z		28	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/hosts/winnetou/etc/openssl/newcerts/28.pem
similarity index 61%
copy from testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
copy to testing/hosts/winnetou/etc/openssl/newcerts/28.pem
index c380a51..4d9fed0 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/28.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDwTCCAqmgAwIBAgIBDDANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDwTCCAqmgAwIBAgIBKDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDMyMzA2MjUzNloXDTE0MDMyMTA2MjUzNlowUTELMAkGA1UE
+b290IENBMB4XDTE0MDMyMjEzNTYyMloXDTE5MDMyMTEzNTYyMlowUTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
 cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
@@ -13,11 +13,11 @@ C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
 BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
 VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
 BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAA4jpa5Vc/q94/X1
-LAHO2m7v2AFPl68SwspZLbCL7Le+iv5BUQ814Y9qCXMySak+NpZ5RLzm/cC+3GCa
-6eyozhZnS5LDxIgtStXWaC3vIQKQhJMwnc43RgcqneqqS5/H5zNXz/f0g/bRG8bN
-T6nO0ZRdpy8Zu0+fH3f/u9/sQPRX3iNL/rd3x/UVLoowkQHdKzZfjcrFm+8CPl4r
-9xOKjzC6epPY2ApfXmLodd0zemf84CKSJCXfkVlk0cYw1YLKUINnHToFfDAw0kCL
-cVc7wHWZlzSVSE3u0PYXVssnsm08RWqAGPL3TO09fnUntNMzlIxNpOTuWsKVXZPq
-YO2C4HE=
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAKHj4oUmSaG9u3QC
+wjbETgexmKo6EViRjaf++QlK54ILHmPHCkN6Smzr5xpmi7P/FnBLqMlfMIQ3DCD7
+Fof/8SqaE/V9cP7TXK6c5vZHLoVU/NZW1A/HucMHSxd1DEiTfmrz8Q9RNb/r5adZ
+Epbje7IRlufhpDD2hDNs1FyjmY9V9G4VfOBA/JBWlgs+A810uidNVD+YEFxDlIZG
+6Kr0d5/WZowOUX7G8LUaa5kjoCS7MJONeEX2D/wtsx7Zw3f7GjFDdJfdi+CbAwBN
+d8kt2l7yt7oEW9AfOcMQ7+HZOqihNrV8mCErk39p9f6zcZtYHnjM5fJlNRmc+EXC
+mk13kTA=
 -----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ocspCert-self.pem b/testing/hosts/winnetou/etc/openssl/ocspCert-self.pem
index 77f5bde..dd6ed8e 100644
--- a/testing/hosts/winnetou/etc/openssl/ocspCert-self.pem
+++ b/testing/hosts/winnetou/etc/openssl/ocspCert-self.pem
@@ -1,8 +1,8 @@
 -----BEGIN CERTIFICATE-----
-MIIEbjCCA1agAwIBAgIJALN2wqyLTIzfMA0GCSqGSIb3DQEBBQUAMGsxCzAJBgNV
+MIIEcTCCA1mgAwIBAgIJAOQ3M9xQ+07MMA0GCSqGSIb3DQEBCwUAMGsxCzAJBgNV
 BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMSMwIQYDVQQLExpPQ1NQ
 IFNlbGYtU2lnbmVkIEF1dGhvcml0eTEcMBoGA1UEAxMTb2NzcC5zdHJvbmdzd2Fu
-Lm9yZzAeFw0wNzAzMTQxMjM0MDNaFw0xMjAzMTIxMjM0MDNaMGsxCzAJBgNVBAYT
+Lm9yZzAeFw0xNDAzMjcyMTQxNTVaFw0xOTAzMjYyMTQxNTVaMGsxCzAJBgNVBAYT
 AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMSMwIQYDVQQLExpPQ1NQIFNl
 bGYtU2lnbmVkIEF1dGhvcml0eTEcMBoGA1UEAxMTb2NzcC5zdHJvbmdzd2FuLm9y
 ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgSOFeDdWxYKGPUSUhM
@@ -11,16 +11,16 @@ P3uY5XbSPZpiiBgFoo8BC2/Y/rxY/skjEzqoHEXjg/vO1bA0tqjVn5a0jpkai7pD
 mUyBrmn1ArOjhR/HAupCHsIb7sAL+IEXByMcZQK6bvNL9PMTYI1T72+t/9cZAAEJ
 DfEhyJZMxQKgmT1SNzLwyszy1M1HF95D59gBok4PaRWWsLdwzplfTKh61CeGCYqb
 UP3qpMKrJ8Y7uv+e1vVzuYbJg5DR+bF1IGIc9QRyJlTkhZco+zTCQYxpvsNO18yr
-4qcCAwEAAaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgECMB0GA1UdDgQW
-BBQHqEiJbwUSQJDtrfhopkda0nXrLTCBnQYDVR0jBIGVMIGSgBQHqEiJbwUSQJDt
-rfhopkda0nXrLaFvpG0wazELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0
-cm9uZ1N3YW4xIzAhBgNVBAsTGk9DU1AgU2VsZi1TaWduZWQgQXV0aG9yaXR5MRww
-GgYDVQQDExNvY3NwLnN0cm9uZ3N3YW4ub3JnggkAs3bCrItMjN8wHgYDVR0RBBcw
-FYITb2NzcC5zdHJvbmdzd2FuLm9yZzAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCTAN
-BgkqhkiG9w0BAQUFAAOCAQEAi//I0DOlUXNHxzLuuxyr6k5gO55zMCmHUcVfjVFZ
-9e+UpLLFZY+qbxOfzVLpKyDch6dKDIA/H+SzX1GZ+uW4FFQ1wYlHcK1Sio9hOgqI
-zeWdY5uHF6iERVYgOU/xp0+0LS5l4ezCvOKVkYJEFWe2eyn9rd4PGLW4/lTQiK1V
-14YzPyAhB7n8Sln5LBxAeY7U7Y8jEMLXZ+VF21mjH2sxZzWV/qWZdNWVUNaLZTYL
-lTqyzqsk40v5BTrjSvAWHN+c1WzydMvatFDzghlPnvR8dufRN2bnlj10J8sizn+v
-1iDtM6uYi8+Yn26yMGjCP+RYW+bwKQ927Gr43UkqqGsbCg==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 -----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/openssl.cnf b/testing/hosts/winnetou/etc/openssl/openssl.cnf
index a614ff6..3939efc 100644
--- a/testing/hosts/winnetou/etc/openssl/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/openssl.cnf
@@ -165,10 +165,12 @@ crlDistributionPoints          	= URI:http://crl.strongswan.org/strongswan.crl
 
 [ ca_ext ]
 
-basicConstraints               	= critical, CA:TRUE, pathlen:1
+basicConstraints               	= critical, CA:TRUE #, pathlen:1
 keyUsage                        = cRLSign, keyCertSign
 subjectKeyIdentifier		= hash
 authorityKeyIdentifier		= keyid, issuer:always
+#subjectAltName                  = DNS:$ENV::COMMON_NAME
+#extendedKeyUsage               = OCSPSigning
 
 ####################################################################
 
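Review bot: The `[ ca_ext ]` basicConstraints line now depends on OpenSSL's config parser treating an unquoted `#` as the start of a comment mid-line, so CA certificates issued with this section carry `critical, CA:TRUE` with no path length constraint, while a reader skimming the line can easily take `pathlen:1` as still active; nothing in the hunk or the commit text records why the depth limit was dropped. I would make the intent explicit on its own line: `basicConstraints = critical, CA:TRUE` followed by `# pathlen deliberately omitted: sub-CAs issued by this test root may issue further CAs; restore pathlen:1 to cap chain depth`. The new `#subjectAltName` and `#extendedKeyUsage = OCSPSigning` lines are dead configuration inside a CA-extension section (the OCSPSigning EKU belongs on a delegated OCSP responder certificate, not on a CA), as is the `#authorityInfoAccess` line added to sales/openssl.cnf further down; if they are meant as templates for another section, a comment should say so, otherwise they should be dropped. The `[ ca_ext ]` section continues past the end of this hunk.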
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt b/testing/hosts/winnetou/etc/openssl/research/index.txt
index 844e001..0565c76 100644
--- a/testing/hosts/winnetou/etc/openssl/research/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt
@@ -1,7 +1,9 @@
 R	100322070423Z	100407091025Z,superseded	01	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol at strongswan.org
 R	100615195710Z	100703145747Z,superseded	02	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
-V	120323210330Z		03	unknown	/C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
-V	140323203747Z		04	unknown	/C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol at strongswan.org
+R	120323210330Z	140324140605Z,superseded	03	unknown	/C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
+R	140323203747Z	140324142334Z,superseded	04	unknown	/C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol at strongswan.org
 V	151103161503Z		05	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA
 V	150406092057Z		06	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol at strongswan.org
 V	150702151839Z		07	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
+V	190323140633Z		08	unknown	/C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
+V	190323142352Z		09	unknown	/C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol at strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.old b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
index 3ebf4b1..8a0231b 100644
--- a/testing/hosts/winnetou/etc/openssl/research/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
@@ -1,6 +1,8 @@
 R	100322070423Z	100407091025Z,superseded	01	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol at strongswan.org
 R	100615195710Z	100703145747Z,superseded	02	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
-V	120323210330Z		03	unknown	/C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
-V	140323203747Z		04	unknown	/C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol at strongswan.org
+R	120323210330Z	140324140605Z,superseded	03	unknown	/C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
+R	140323203747Z	140324142334Z,superseded	04	unknown	/C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol at strongswan.org
 V	151103161503Z		05	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA
 V	150406092057Z		06	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol at strongswan.org
+V	150702151839Z		07	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
+V	190323140633Z		08	unknown	/C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/08.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/08.pem
new file mode 100644
index 0000000..8f7b7cc
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/08.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEaDCCA1CgAwIBAgIBCDANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MDMyNDE0MDYzM1oXDTE5MDMyMzE0MDYz
+M1oweTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xKDAm
+BgNVBAsTH1Jlc2VhcmNoIE9DU1AgU2lnbmluZyBBdXRob3JpdHkxJTAjBgNVBAMT
+HG9jc3AucmVzZWFyY2guc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6Jq9DciPtR5iC73URlc9qcqFl+QGeRDxDLCtnLqFjkuWv
+0ul17qZH0iMwxbbRU1UZo2bANNwAmWxBcT6VNf84V9Dj9m9UwUTSfegrkN2RVBEH
+cHm5higeJzC25C46S+VCTQkq8QxS2k34sA2sK6vys1XDgzwmDfT/GYyHf3nl0blR
+GkrotmgVAsweUVQ7a5ThcWVf4d06F3mN5xxGWNxgNoVxZ5Ki6a9dMuQRrNh54qje
+N1pulp0fZWxshWK0YrQSpPhKgz5kAflSnIwrdyjFdFS8WKpLOAkXV/NyZa6urUw7
+mz3owNCZJqCrYjC2JdTS3wUqRZhx1xyY2DO+laLJAgMBAAGjggEhMIIBHTAJBgNV
+HRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU/cGV4/+zOIk30UYg1R87H7V9
+GAgwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
+bmdTd2FuIFJvb3QgQ0GCASAwJwYDVR0RBCAwHoIcb2NzcC5yZXNlYXJjaC5zdHJv
+bmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA3BgNVHR8EMDAuMCygKqAo
+hiZodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG
+9w0BAQsFAAOCAQEAWyIL5QjvpT0SC1BHVItXbq06D0DwOUFfei4lLyuDZLpFYrNX
+AujT6WqTdjki1Gx8GbOdz7YAoWVw61g9w8jKEwDg/UIKYGzjokXWzVg4v5eEakF+
++APmZRpk9ezBZgvKZ3k49OaRvtWjUSUy6aZU+vfsdd2oO3JKyonJY05y+cm0N0qT
+ytWMzX+Zig1NEArG2FnUTMPjudOCn0YiK41siFEaS9AHYXfsU3MhVer08PobmIKy
+cLfhoXF+xpn8+DCp8fcAEt7sJX2us71XmQBxSpfFW4FeGjcye11YU4QRBFDMP47f
+t5cybNEL+tLtcdJzPFxQlly0pc0w8BN4F6eY8w==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/09.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/09.pem
new file mode 100644
index 0000000..94bf123
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/09.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/ocspCert.pem b/testing/hosts/winnetou/etc/openssl/research/ocspCert.pem
index 279b419..8f7b7cc 100644
--- a/testing/hosts/winnetou/etc/openssl/research/ocspCert.pem
+++ b/testing/hosts/winnetou/etc/openssl/research/ocspCert.pem
@@ -1,26 +1,26 @@
 -----BEGIN CERTIFICATE-----
-MIIEaDCCA1CgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MIIEaDCCA1CgAwIBAgIBCDANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA3MDMyNTIxMDMzMFoXDTEyMDMyMzIxMDMz
-MFoweTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xKDAm
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MDMyNDE0MDYzM1oXDTE5MDMyMzE0MDYz
+M1oweTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xKDAm
 BgNVBAsTH1Jlc2VhcmNoIE9DU1AgU2lnbmluZyBBdXRob3JpdHkxJTAjBgNVBAMT
 HG9jc3AucmVzZWFyY2guc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUA
-A4IBDwAwggEKAoIBAQCuXf1wGjBk5wthfyJcNgYu5uVdK9fqB7k5Qswy76M2JjZ2
-ECv8JZMvGDC9ciKwEqL3QkN+E90RusdCqgabAl2K3AvbR4VOpaCdy31pdPaKfRXA
-TazIH0GG8T/BImWTuweFt0XmsCl65ShoVul0DHWTli4jOAgHIj6eoYlQpRI6CbZs
-qdcGZJRWzZMPa86Q3i2nKAsOiWh7jg04uLFsWu+2uBYmsPSbKqZe76FY5m+PgAwo
-h0bFJI9qy4aryvNZiFT1+t3hd/wt/ZXnqYX4WsZcGlPOlKZoiDlmXzU1K1YY71io
-HUiH7QOYBYY+8+Mc5kwt/ropYEbfLfAENC7WV+8tAgMBAAGjggEhMIIBHTAJBgNV
-HRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU8xU4ukLOgkIafc7zHp5HlANw
-5/4wbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUxCzAJBgNV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 BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQ8wJwYDVR0RBCAwHoIcb2NzcC5yZXNlYXJjaC5zdHJv
+bmdTd2FuIFJvb3QgQ0GCASAwJwYDVR0RBCAwHoIcb2NzcC5yZXNlYXJjaC5zdHJv
 bmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA3BgNVHR8EMDAuMCygKqAo
 hiZodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG
-9w0BAQUFAAOCAQEADH13ce0I8nXd5rjnDWck3JdBOgFMu2Wl8zpKIeLVYZnUc/Sn
-l0sULX6AIdMzKVsPh78CgsQf4tggdVCdbTURMp3SdLO5TDNlqPVMnjHjajWR+C0D
-4TQWnBz/bEg3aXGjjJlu00eXWx8kRLrOP/wMWba+SEwYDqANgmUgxpcBeg8/0Q78
-d7xEJPOPDXlO5Nh3zeVIXaDT+y2ENzgyTx9YGoAURxl5eTpBNI7dJm5fjXdGlbwj
-1vO+UprMEU6rB9BDFSfyXaXcQoIgRr0oZqvAUS/cF9LQRf4iUXCpr8Th7Wddqi2r
-qiwDZt4o+3EYtCcMEK9zKJK3KMZc9A9HPCE+RA==
+9w0BAQsFAAOCAQEAWyIL5QjvpT0SC1BHVItXbq06D0DwOUFfei4lLyuDZLpFYrNX
+AujT6WqTdjki1Gx8GbOdz7YAoWVw61g9w8jKEwDg/UIKYGzjokXWzVg4v5eEakF+
++APmZRpk9ezBZgvKZ3k49OaRvtWjUSUy6aZU+vfsdd2oO3JKyonJY05y+cm0N0qT
+ytWMzX+Zig1NEArG2FnUTMPjudOCn0YiK41siFEaS9AHYXfsU3MhVer08PobmIKy
+cLfhoXF+xpn8+DCp8fcAEt7sJX2us71XmQBxSpfFW4FeGjcye11YU4QRBFDMP47f
+t5cybNEL+tLtcdJzPFxQlly0pc0w8BN4F6eY8w==
 -----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/ocspKey.pem b/testing/hosts/winnetou/etc/openssl/research/ocspKey.pem
index adbfe0f..1355fc3 100644
--- a/testing/hosts/winnetou/etc/openssl/research/ocspKey.pem
+++ b/testing/hosts/winnetou/etc/openssl/research/ocspKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEArl39cBowZOcLYX8iXDYGLublXSvX6ge5OULMMu+jNiY2dhAr
-/CWTLxgwvXIisBKi90JDfhPdEbrHQqoGmwJditwL20eFTqWgnct9aXT2in0VwE2s
-yB9BhvE/wSJlk7sHhbdF5rApeuUoaFbpdAx1k5YuIzgIByI+nqGJUKUSOgm2bKnX
-BmSUVs2TD2vOkN4tpygLDoloe44NOLixbFrvtrgWJrD0myqmXu+hWOZvj4AMKIdG
-xSSPasuGq8rzWYhU9frd4Xf8Lf2V56mF+FrGXBpTzpSmaIg5Zl81NStWGO9YqB1I
-h+0DmAWGPvPjHOZMLf66KWBG3y3wBDQu1lfvLQIDAQABAoIBAEx5LnknE0h9yJEH
-GEPG8elKHRhC7VxX7NV/RV2lmjhahBI9v3zD4gyKmH3N/Aaq9cxpxH4cKh3nhBLp
-zSHY5LvNDGossPuwSoRKRgOlZ6ePeqWvq3LNuoh7cFG9Sz2CjqcHnWGyq06aCKHS
-VGswN7T17eBGZ8bxLvOVt0qmSxsmg2A2tmZQCAhc6IkEe3L4sqtS4N1y+8J1GSuu
-KlIuT9NtReDiXXQNxr48QJeddj6RE+5xgInUEUGPUrOnv+lllxN42u0Yrqnnci7M
-SNuxiCkYmvUm47zem3mUKrTJnr4uyKSVnzY5wKcbjebnjlaJmWefM6L7wTKYGbbF
-KsXXwOUCgYEA5cXCD09Oeb888dwgvOaVgZqfJaCex2wZ2Wgu8dm3y2YcrNHbrj13
-PU+1fBp29AE4cNowUitL0rHPE232WyKPCsvEt4H/ioucWvXUc9rzNlo+2H4J6ZMI
-4GQp2WXQZeqEAAI35qdcRwIDMRJdsDlg9fAwKAGJAYLhL4fZewmPb8cCgYEAwkU3
-ynMCj1XMvZzhPNS9bACD1euSLTopdAzlASX9bVnDGJ5/KeWl2PqJjrmV3LCjX/4t
-WnGsP5bgv6IGVRpTcjeJSebF2kEA/pwYEZJezwh304JUqsqg4K4QF1ra5v3Wp06e
-Y+sMdUphzTQFAvGzWTSQweSVlXHgrW+VWxdIEWsCgYApwL7b01h6TSMA/DRCv0/p
-pjRHPSG9MUqdNA5bymlYn6yURuo5hlfVn1dmPtTg0Bv2fd+L/uwfVEpByJicxPHj
-T1Xm1sud3HLEIKnDh8TsWofTBUw90ocpZ2onZBXzfyMPcVfBJSZijN4Rm7nEnRie
-eE/35ReFW8gZwADoF7ul3wKBgELkXo+BBnKgUn0/lXbCse6MRtjT4mNcUYW6IuhA
-UoDilYDWomakwnRx4Aea83UoBTk6ZhdsaKkEpKKXgaKwC+eaI9Wkdp/uHg+NY+Q5
-CBg1jDzx9YFRgA+dH8FK8XD0GoNFWNiCyKliUUa9ELSw0NZ4eReqQ69PpNNTRpQ0
-8gW9AoGBAIUpz52BrP0XcIEE+f9ONKGJq+cr1cRXDZlgHBE90GA/b5hfMiAmvaGm
-SVdBXfUzIwEv6fHRqFjXsGqRI1qD6my69khnoObu3H+DR4Dsk/3iwxDMEpK63dfM
-p2fp/wc8G/s/5YVQeAOW0NpPY7qyGDoXN5UcHfLjJw23gbkUJD58
+MIIEowIBAAKCAQEAuiavQ3Ij7UeYgu91EZXPanKhZfkBnkQ8QywrZy6hY5Llr9Lp
+de6mR9IjMMW20VNVGaNmwDTcAJlsQXE+lTX/OFfQ4/ZvVMFE0n3oK5DdkVQRB3B5
+uYYoHicwtuQuOkvlQk0JKvEMUtpN+LANrCur8rNVw4M8Jg30/xmMh3955dG5URpK
+6LZoFQLMHlFUO2uU4XFlX+HdOhd5jeccRljcYDaFcWeSoumvXTLkEazYeeKo3jda
+bpadH2VsbIVitGK0EqT4SoM+ZAH5UpyMK3coxXRUvFiqSzgJF1fzcmWurq1MO5s9
+6MDQmSagq2IwtiXU0t8FKkWYcdccmNgzvpWiyQIDAQABAoIBAQCqbIBI31bFBac7
+OL+VOfKLIidhlHdGznHdjbKu5KIc54AhWJckwTi6yEgvftPBEOn4bwDDN6GzasMR
+pvwE30qp6rvz+Mo0bjzz+RF10UsIok504SSQFaLk+DxBNOaduJ5L9PtPtR/zOqnn
+5EagOdtSd50tQhjvPhfu9RUTeEHBhJDILUIZeJ4pCkM6/+agsgnDP2/4PucCXHkD
+8k6FLw2eoYMY3e9UKuiWUGXiCVopIZmZcG33ipQ3VFUzrP9JmE7ji4/p40VfShvV
+/fKWPEGe11IOQf8VJfcTYjluCbq8+UkIO4HgZxa36sxtYTjC+4MR9MDfMNIM+GzH
+mh+qd84BAoGBANx2v3tCY0zVAkqhoilOTYAixeTJjzsFRjR/9XkxfkrGJt8kl7jk
+s3hl4VUlblT1FWytk2vN8mE2MfT73mie0TpsNCefrWN9Xd9Yi7xjpJDfyMs8spD4
+8snmLK5euFNMNqbu9tyi2sfUR41FBi8kUzA7WAMx+M/pHUug6i/Xn4XlAoGBANgo
+DPF7M+BCsls8OibT49+K4nF3rQWY4axojcCb5UZQRMDysg0ji0nwYqQktDjBk74w
+3uIITVlB6UaG5dZ9O6C3ZP1+yi9Egoj6XYG74YKebgZnH7F1EKEdZnh7BPlTOQsl
+kv9Ccm2r4RrxSsbXpDIel/54s8rdVPHfdfiv1psVAoGAMIWSLza1VDutfW+FmUG6
+nPEKTQhvlbXbdcKT7FCQUzS5aXNMUU1EksMZjPvoBJrMVFb/k0KIjgy3ggvNL4mE
+0y7ta6shJjx5ZKbAWn4zwg7+ynxZcL7Z8MXQH7CJMQwdGzCM9JKDRGfcN6NxcP61
+sG/fNxTQhjHwWKzZ3h2+5mECgYBd254rKO0QnsVlWlSB0ZXr1hmXXXjSqlyriUar
+8MVwb6A7C+cGT33G4EtkrM9Yqa1mc0AEc8hqTnVle2PHa999XMTMUcanGZ94rQX3
+NEaqefKacyLO4l8TJnn9LKWvQVTOo0Ud85NOTcjT8xweFTqlzKUBCRZAqzScRgSq
+tGeCNQKBgE9nGL9anLDb7CD05ya0L3mW0cIkPz42NKCNI7zCs17ujABII6BpDXK1
+ApiZf3JxoTlp8czTvS6hqBZhicd6WxFqSBRhC8nOuq5YKPBPRQssayirzJiEi/JV
+qEZzKbKKRUl33ESWI8ltWz/hg/WE0gSQyJVpyPo3IOI22a+KHvNe
 -----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial b/testing/hosts/winnetou/etc/openssl/research/serial
index adb9de8..d9bb888 100644
--- a/testing/hosts/winnetou/etc/openssl/research/serial
+++ b/testing/hosts/winnetou/etc/openssl/research/serial
@@ -1 +1 @@
-08
+0A
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial.old b/testing/hosts/winnetou/etc/openssl/research/serial.old
index 2c7456e..86397e5 100644
--- a/testing/hosts/winnetou/etc/openssl/research/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/research/serial.old
@@ -1 +1 @@
-07
+09
diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt b/testing/hosts/winnetou/etc/openssl/sales/index.txt
index 314acd7..36b24a6 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt
@@ -1,6 +1,8 @@
 R	100322071017Z	100407093948Z,superseded	01	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=dave at strongswan.org
 R	100615195536Z	100703150410Z,superseded	02	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
-V	120323211811Z		03	unknown	/C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org
-V	140323211053Z		04	unknown	/C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave at strongswan.org
+R	120323211811Z	140324141327Z,superseded	03	unknown	/C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org
+R	140323211053Z	140324141726Z,superseded	04	unknown	/C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave at strongswan.org
 V	150406094241Z		05	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=dave at strongswan.org
 V	150702152829Z		06	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
+V	190323141524Z		07	unknown	/C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org
+V	190323152702Z		08	unknown	/C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave at strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
index fd54850..1db0072 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
@@ -1,5 +1,7 @@
 R	100322071017Z	100407093948Z,superseded	01	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=dave at strongswan.org
-R	100615195536Z	100703150410Z	02	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
-V	120323211811Z		03	unknown	/C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org
-V	140323211053Z		04	unknown	/C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave at strongswan.org
+R	100615195536Z	100703150410Z,superseded	02	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
+R	120323211811Z	140324141327Z,superseded	03	unknown	/C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org
+R	140323211053Z	140324141726Z,superseded	04	unknown	/C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave at strongswan.org
 V	150406094241Z		05	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=dave at strongswan.org
+V	150702152829Z		06	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
+V	190323141524Z		07	unknown	/C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/sales/newcerts/07.pem b/testing/hosts/winnetou/etc/openssl/sales/newcerts/07.pem
new file mode 100644
index 0000000..bd7eb72
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/newcerts/07.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/newcerts/08.pem b/testing/hosts/winnetou/etc/openssl/sales/newcerts/08.pem
new file mode 100644
index 0000000..c464df5
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/newcerts/08.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/ocspCert.pem b/testing/hosts/winnetou/etc/openssl/sales/ocspCert.pem
index ce2ff7b..bd7eb72 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/ocspCert.pem
+++ b/testing/hosts/winnetou/etc/openssl/sales/ocspCert.pem
@@ -1,26 +1,26 @@
 -----BEGIN CERTIFICATE-----
-MIIEVjCCAz6gAwIBAgIBAzANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MIIEVjCCAz6gAwIBAgIBBzANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
-BAMTCFNhbGVzIENBMB4XDTA3MDMyNTIxMTgxMVoXDTEyMDMyMzIxMTgxMVowczEL
+BAMTCFNhbGVzIENBMB4XDTE0MDMyNDE0MTUyNFoXDTE5MDMyMzE0MTUyNFowczEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xJTAjBgNVBAsT
 HFNhbGVzIE9DU1AgU2lnbmluZyBBdXRob3JpdHkxIjAgBgNVBAMTGW9jc3Auc2Fs
 ZXMuc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-AQDGgB20WTzEVUNGDU/iwxN/eybmYAQ2rUytxoyKUHoN8Q7tATg7bwH3HrMdc5JV
-AA4uiWFdrNw7GGu+QJVrYi+7jdt76ffcck6eQjLmmVsGp4T16U900ZzFh6zLnhs9
-K/Sw8yiGMQcYncblST4Sl3Yd6XdiY/fZHscsbFjxVpPGxwebZPPirukeWDFLUwVO
-yc5A7pdqNlvmfy5tiO5Ds8hQMQyVqpmlDYwTQz3yZS2+X4In8GrgvBnUZ/etGzq8
-N+309wX/g2WvcKYDpWLqu3KxkwL+QTTYhIM6NvQXtPGCf3M5yBtoNqPzgIqXveuT
-oMwJwF+uDZddBWjAeI1G+J8BAgMBAAGjggEbMIIBFzAJBgNVHRMEAjAAMAsGA1Ud
-DwQEAwIDqDAdBgNVHQ4EFgQUY33heVHJfDUOz5Va8B1VPepgam4wbQYDVR0jBGYw
+AQC6zwcVirVu3/hsJRQY19GOO9Rw1BbCGd3t+dSYfkCFFt3l4JeAwAvPlXB1fbfT
+vCJryl/xIcfgq58ZIgqjC0tEOKaVYa0ySvdlmI7HdqTWrFx5dqQpsSiU14U8xb5U
+QAr9ha0AhRc5et2evsdg4bFNwlbOdrcKfQ82F+gRUi6v4n4PLLKDhH//L+PmUNBn
+CTkmVcDVxlRkTvjwKhWpSbh99lFRhR2BuB91frCGXuZUnyue0FOXQrFLeY1bgzJa
+hC+pvAMfx7P0XY/3V+H+vMlJOfYM2e2+np9Ca4l6mpmA3dvuiDHNe8xGl48EKT5m
+iY3wk3wluBl5vEzz1UBp7i4RAgMBAAGjggEbMIIBFzAJBgNVHRMEAjAAMAsGA1Ud
+DwQEAwIDqDAdBgNVHQ4EFgQUUHRhgpplj7IuGGKeMOaU0UEKTcEwbQYDVR0jBGYw
 ZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
 VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
-Q0GCAQ0wJAYDVR0RBB0wG4IZb2NzcC5zYWxlcy5zdHJvbmdzd2FuLm9yZzATBgNV
+Q0GCASEwJAYDVR0RBB0wG4IZb2NzcC5zYWxlcy5zdHJvbmdzd2FuLm9yZzATBgNV
 HSUEDDAKBggrBgEFBQcDCTA0BgNVHR8ELTArMCmgJ6AlhiNodHRwOi8vY3JsLnN0
-cm9uZ3N3YW4ub3JnL3NhbGVzLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAXvU0ucW8
-DUgNkNdzIYtL48d44e+vDRuVZ6BmuovHqZuuWXfmxtM0q8zPUgrtXwX50nhVg8Y3
-csLLa4o7WOmDTMftvzuh9+T9CV8WIX6vioI7zS550ZwUwB0V08JTfrCiRaCql7Eg
-pDEZDfKXJCaq+I/FAH1Q03vXsDk+wTtJSeqoWCt7IiEYePwFLQ0ANjPhK6BbbcyH
-XkqZE2hYmroGele+UGwflRL9CP6F8UTFdg2LefeiZmZiSkgO2a0i4ik0ShQAPyIl
-is5KBiKuvsqkbMTCxdk0gdRqcTF0YUHcOCY0gHMiApsNC157fokP0Mg6rBDRCJkH
-kiJdzc42Apd8uw==
+cm9uZ3N3YW4ub3JnL3NhbGVzLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAiFNm9XwY
+u21dMTYWGT480c/ijzeBhV+eT0im5kifb3V+tW0ZpWiTDumqfplFeamNReXpkVkJ
+G8Tfsejc1A2CTmiKe4FPEl+Ukm2lCpIvY1TjO7nGN8TJUF0DPKU5GjijbIKbQben
+utQBMEtuuLJnZpSEk60YhamPvUWWkoKXKEwyHPHK6KozrLj1E/j/wk0sFNaNOijr
+DKe+Hb57x4Sta5WlXqFxeBviwnnAS895UAGlM+vGU4hxw1LNs0HfS0TRoKhk+Cmt
+N8rYAvzn4ziXNqa3A7FtuVviyXjY7eQEaIVA70795xmyVqQJTgkECBnD2Bk7qBUI
+kuR4vkO8gStiKA==
 -----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/ocspKey.pem b/testing/hosts/winnetou/etc/openssl/sales/ocspKey.pem
index 5d10a34..288aecb 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/ocspKey.pem
+++ b/testing/hosts/winnetou/etc/openssl/sales/ocspKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAxoAdtFk8xFVDRg1P4sMTf3sm5mAENq1MrcaMilB6DfEO7QE4
-O28B9x6zHXOSVQAOLolhXazcOxhrvkCVa2Ivu43be+n33HJOnkIy5plbBqeE9elP
-dNGcxYesy54bPSv0sPMohjEHGJ3G5Uk+Epd2Hel3YmP32R7HLGxY8VaTxscHm2Tz
-4q7pHlgxS1MFTsnOQO6XajZb5n8ubYjuQ7PIUDEMlaqZpQ2ME0M98mUtvl+CJ/Bq
-4LwZ1Gf3rRs6vDft9PcF/4Nlr3CmA6Vi6rtysZMC/kE02ISDOjb0F7Txgn9zOcgb
-aDaj84CKl73rk6DMCcBfrg2XXQVowHiNRvifAQIDAQABAoIBAQCUOZL02zYfPbPw
-mXwvzo++wA16NfSvh5UcpojHt/SMeJc2r5R3/Rqwl8IUmfqJcnMkmP2V38DMeB3s
-gXmSKE2QdguRalLl0I2Ya8Jqo9VvEKSepMvqZaP1dKy5l6SrdylPASQfoHi2Dws4
-qAqsA2H2UCIP3Kp0/SCpsXZxML9EzIWtYtvrqJ0p0EI9ZzEn5uFok91qTYqD9c3T
-v142OyfmHlwICLy7UlFkmawrV4PIIP2RGTRgr2b16Vis7mAkRC7blsFXUEBb8hwE
-SmISdZYXc+NCesonXYGeRhln8PPLI3/T+HHH8G2eFhyQISHgE0CbjK+zvFcAddvD
-BbeceDPhAoGBAOkXwIklHvzSj4QoCi572QNkNIkxlIa6PL3I2ygJczeB1vj9kvVc
-CV2onhvBL3FGy0BJrQI7UBySW59/GdSs+WJFQWlIwI9QglDS8itAQK6+9zeyg69U
-NbGw784NGn5cP3F4P3QCGEUg5Oj8t0iE8gKbljz6rlSjO5uhXYOYf0rtAoGBANoC
-E0noRtG4QloEbIiHjLbnNAjabOO9KNm9FLZZFnGvTHQ1690i+GBOXC/cbP3jo6tz
-07+Ob/+IKhXhEj9opGu8ZvEfarHmBEWxj6TdvFmlaHEcEFD0LqGu5ssSfW3S3AEB
-Z3rBLkEeJYUYQqCU+vgZHEbrLWeBt33AIeB1nN3lAoGAL0LJnwUPy2NGBh24MsSZ
-s75ViJus6cRJHJHlHbEM02xYEhQX//exTnQp2qbI38bi3x4RHiq4i5KBUU2MBzsr
-NWmlYZuGr4g7Y/fhcjOM6eF+bqSbXqlMWcLuXHD7tjMuCeu/sd3a3elVgIf9AY8z
-IqQ5ShPp1O9j3qJRO6Vn6eECgYBIu9KFoOonxArXD4zKTDcFOsPghEc5//0mD/Be
-GgDj8vFWADtt7uHg96PIEAmI9y6+4Ajwauww29P2sr2szBO3IgdSQQIO0kfwnJnp
-DlVtr0LWId/LsnvwU3MKo2OXhXcDGt3UValB7nXkHsDz5GCK743Al2vxkZSPbs+e
-nH62hQKBgQC8AouEwXXXQD8+MnW+qcIbaAzVMirc94sI3fQH1AnfiZHH6aMCOh/4
-xoh/RzylotQlOk1xjCOB4O/Hhd+MAnlH9ZawCnRdvB/4usxd4j2AYr0Np7Q+VUyx
-EFejvkdm20j1dh29jfSbiXHd2RCoFimX0Dr3weiRqffqi9aV2tdqLQ==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 -----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
index 0e3a452..8511c54 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
@@ -157,6 +157,7 @@ subjectKeyIdentifier            = hash
 authorityKeyIdentifier          = keyid, issuer:always
 subjectAltName                  = email:$ENV::COMMON_NAME 
 crlDistributionPoints          	= URI:http://crl.strongswan.org/sales.crl
+#authorityInfoAccess             = OCSP;URI:http://ocsp2.strongswan.org:8882
 
 ####################################################################
 
diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial b/testing/hosts/winnetou/etc/openssl/sales/serial
index 2c7456e..86397e5 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/serial
+++ b/testing/hosts/winnetou/etc/openssl/sales/serial
@@ -1 +1 @@
-07
+09
diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial.old b/testing/hosts/winnetou/etc/openssl/sales/serial.old
index cd672a5..adb9de8 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/sales/serial.old
@@ -1 +1 @@
-06
+08
diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial
index 9902f17..f04c001 100644
--- a/testing/hosts/winnetou/etc/openssl/serial
+++ b/testing/hosts/winnetou/etc/openssl/serial
@@ -1 +1 @@
-28
+29
diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old
index f64f5d8..9902f17 100644
--- a/testing/hosts/winnetou/etc/openssl/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/serial.old
@@ -1 +1 @@
-27
+28
diff --git a/testing/scripts/recipes/013_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk
index 438e666..c414208 100644
--- a/testing/scripts/recipes/013_strongswan.mk
+++ b/testing/scripts/recipes/013_strongswan.mk
@@ -76,6 +76,7 @@ CONFIG_OPTS = \
 	--enable-unbound \
 	--enable-ipseckey \
 	--enable-dnscert \
+	--enable-acert \
 	--enable-cmd \
 	--enable-libipsec \
 	--enable-kernel-libipsec \
diff --git a/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf
index e276854..2d08b38 100644
--- a/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors pem pkcs1 af-alg gmp random nonce x509 revocation ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
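Review bot: Removing the `}` / `libstrongswan {` pair silently relocates `integrity_test` and `crypto_test` under `charon`, and neither the hunk nor the commit text records that this version reads these keys from the charon section; if the daemon under test still looked them up as `libstrongswan.integrity_test`, the integrity and crypto self-tests these rw-cert scenarios exist to exercise would be skipped quietly rather than fail loudly. I would confirm the new key location against the imported conf/strongswan.conf.5.main and add a one-line comment above `integrity_test`, e.g. `# self-test options, moved here from the former libstrongswan { } section`, so the relocation reads as intentional rather than as an accidental brace drop. The same edit appears in the dave and moon files of this directory and in the gcrypt-ikev1, gcrypt-ikev2 and ikev1/dynamic-* hunks below (there moving `dh_exponent_ansi_x9_42`). The enclosing `charon {` block closes outside this hunk.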
diff --git a/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf
index 3ddd02f..037d434 100644
--- a/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     required = yes
diff --git a/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf
index e276854..2d08b38 100644
--- a/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors pem pkcs1 af-alg gmp random nonce x509 revocation ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
index 969a5f5..1dcaed4 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
@@ -3,8 +3,6 @@
 charon {
   load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   send_vendor_id = yes
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
index 969a5f5..1dcaed4 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
@@ -3,8 +3,6 @@
 charon {
   load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   send_vendor_id = yes
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
index 969a5f5..1dcaed4 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
@@ -3,8 +3,6 @@
 charon {
   load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   send_vendor_id = yes
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
index 969a5f5..1dcaed4 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
@@ -3,8 +3,6 @@
 charon {
   load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   send_vendor_id = yes
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 671d973..2b4da74 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 3ddd02f..037d434 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     required = yes
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 671d973..2b4da74 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/ha/both-active/posttest.dat b/testing/tests/ha/both-active/posttest.dat
index e4ffe8e..867016d 100644
--- a/testing/tests/ha/both-active/posttest.dat
+++ b/testing/tests/ha/both-active/posttest.dat
@@ -13,5 +13,3 @@ alice::ip addr del 10.1.0.5/16 dev eth0
 alice::ifdown eth1
 venus::ip route del default via 10.1.0.5 dev eth0
 venus::ip route add default via 10.1.0.1 dev eth0
-moon::conntrack -F
-alice::conntrack -F 
diff --git a/testing/tests/ikev1/double-nat-net/posttest.dat b/testing/tests/ikev1/double-nat-net/posttest.dat
index 63d4f98..ec663e7 100644
--- a/testing/tests/ikev1/double-nat-net/posttest.dat
+++ b/testing/tests/ikev1/double-nat-net/posttest.dat
@@ -4,6 +4,4 @@ alice::iptables-restore < /etc/iptables.flush
 bob::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 sun::iptables -t nat -F
-moon::conntrack -F
-sun::conntrack -F
 sun::ip route del 10.1.0.0/16 via PH_IP_BOB
diff --git a/testing/tests/ikev1/double-nat/posttest.dat b/testing/tests/ikev1/double-nat/posttest.dat
index aa806bf..f434b33 100644
--- a/testing/tests/ikev1/double-nat/posttest.dat
+++ b/testing/tests/ikev1/double-nat/posttest.dat
@@ -4,5 +4,3 @@ alice::iptables-restore < /etc/iptables.flush
 bob::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 sun::iptables -t nat -F
-moon::conntrack -F
-sun::conntrack -F
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf
index bad10ca..73bbf68 100644
--- a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf
index bad10ca..73bbf68 100644
--- a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf
index bad10ca..73bbf68 100644
--- a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf
index bad10ca..73bbf68 100644
--- a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf
index bad10ca..73bbf68 100644
--- a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf
index bad10ca..73bbf68 100644
--- a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf
index bad10ca..73bbf68 100644
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf
index bad10ca..73bbf68 100644
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf
index bad10ca..73bbf68 100644
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/nat-rw/posttest.dat b/testing/tests/ikev1/nat-rw/posttest.dat
index 4643a3a..bc7d237 100644
--- a/testing/tests/ikev1/nat-rw/posttest.dat
+++ b/testing/tests/ikev1/nat-rw/posttest.dat
@@ -5,4 +5,3 @@ alice::iptables-restore < /etc/iptables.flush
 venus::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/ikev1/nat-virtual-ip/posttest.dat b/testing/tests/ikev1/nat-virtual-ip/posttest.dat
index 11bd19d..b9fbde7 100644
--- a/testing/tests/ikev1/nat-virtual-ip/posttest.dat
+++ b/testing/tests/ikev1/nat-virtual-ip/posttest.dat
@@ -2,5 +2,4 @@ moon::ipsec stop
 sun::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
-moon::conntrack -F
 moon::rm /etc/nat_updown
diff --git a/testing/tests/ikev1/nat-virtual-ip/pretest.dat b/testing/tests/ikev1/nat-virtual-ip/pretest.dat
index eb0c28c..8945d87 100644
--- a/testing/tests/ikev1/nat-virtual-ip/pretest.dat
+++ b/testing/tests/ikev1/nat-virtual-ip/pretest.dat
@@ -1,8 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::conntrack -F
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::sleep 1
 moon::ipsec up net-net
 moon::sleep 1
diff --git a/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf
index bad10ca..73bbf68 100644
--- a/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf
index bad10ca..73bbf68 100644
--- a/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf
index 9caf4fa..8cc4192 100644
--- a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf
@@ -4,8 +4,5 @@ charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 
   fragment_size = 1024
-}
-
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf
index 9caf4fa..8cc4192 100644
--- a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf
@@ -4,8 +4,5 @@ charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 
   fragment_size = 1024
-}
-
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
index f4fd948..4de997a 100644
--- a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
@@ -2,11 +2,10 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 ntru revocation hmac stroke kernel-netlink socket-default updown
+
   multiple_authentication = no
   send_vendor_id = yes
-}
 
-libstrongswan {
   plugins {
     ntru {
       parameter_set = optimum
diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
index 238ec24..2486425 100644
--- a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
index 238ec24..2486425 100644
--- a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf
index c032d82..eb8b140 100644
--- a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf
index c032d82..eb8b140 100644
--- a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf
index c032d82..eb8b140 100644
--- a/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf
index 14e0614..38bfed0 100644
--- a/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default unity
+  
   cisco_unity = yes
-}
-
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
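Review bot: The added line `+  ` puts a whitespace-only line with two trailing spaces into carol's strongswan.conf where a plain empty line would do; the same thing happens in the xauth-id-psk-config/hosts/dave hunk further down, where that trailing whitespace is the only thing that makes dave's result (index 66054d0) diverge from carol's (index c08fab8) even though both start from the same blob 1fb5d14. Elsewhere in this commit trailing whitespace is being removed rather than added (`moon::sleep 1 ` becomes `moon::sleep 1` in nat-virtual-ip/pretest.dat), so an empty separator line in both places would be consistent with the rest of the import. This is purely cosmetic, but it keeps otherwise identical host configs byte-identical and avoids spurious diffs on the next upstream import.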
diff --git a/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf
index cbc51d3..dbf1bee 100644
--- a/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf
@@ -2,14 +2,13 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default attr unity
+
   cisco_unity = yes
+  dh_exponent_ansi_x9_42 = no
+
   plugins {
     attr {
       split-exclude = 192.168.0.0/24
     }
   }
 }
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
index 8822cae..0792a3f 100644
--- a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -2,11 +2,10 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
   integrity_test = yes
+
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf
index 8822cae..0792a3f 100644
--- a/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf
@@ -2,11 +2,10 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
   integrity_test = yes
+
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
index 8822cae..0792a3f 100644
--- a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -2,11 +2,10 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
   integrity_test = yes
+
   crypto_test {
     on_add = yes
   }
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
index 1fb5d14..c08fab8 100644
--- a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic resolve kernel-netlink socket-default stroke updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
index 1fb5d14..66054d0 100644
--- a/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic resolve kernel-netlink socket-default stroke updown
-}
-
-libstrongswan {
+  
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
index 422538c..02e7618 100644
--- a/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
@@ -2,10 +2,8 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic attr kernel-netlink socket-default stroke updown
+
   dns1 = 192.168.0.150
   dns2 = 10.1.0.20
-}
-
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf
index 5cd9bf1..ca3372f 100644
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf
index 5cd9bf1..ca3372f 100644
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf
index 5cd9bf1..ca3372f 100644
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
index 5cd9bf1..ca3372f 100644
--- a/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
index 5cd9bf1..ca3372f 100644
--- a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
index 5cd9bf1..ca3372f 100644
--- a/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
index 5cd9bf1..ca3372f 100644
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
index 5cd9bf1..ca3372f 100644
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
index 5cd9bf1..ca3372f 100644
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
index 61260f8..f65197b 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
index 61260f8..f65197b 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
index 61260f8..f65197b 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/strongswan.conf
new file mode 100644
index 0000000..e79fe2c
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/strongswan.conf
@@ -0,0 +1 @@
+# /etc/strongswan.conf - strongSwan configuration file
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf
index 5cd9bf1..ca3372f 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf
index e2e2164..ba37a47 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf
@@ -2,6 +2,9 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-radius eap-md5 xauth-eap updown
+
+  dh_exponent_ansi_x9_42 = no
+
   plugins {
     eap-radius {
       secret = gv6URkSs 
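Review bot: The `secret` line that closes this hunk carries a trailing space after the value, whereas the otherwise parallel xauth-rsa-radius/hosts/moon/etc/strongswan.conf in this same commit has the same value without one. Whether that space ends up as part of the RADIUS shared secret depends on how the settings parser handles trailing whitespace, which cannot be confirmed from this page; if it is not stripped, the secret sent to the RADIUS server would not match the server's configured value and the test would fail in a way that is hard to trace back to a single byte. Trimming the trailing space, as the commit already does for `moon::sleep 1` in nat-virtual-ip/pretest.dat, removes the ambiguity and keeps the two moon configs consistent. The enclosing `plugins { eap-radius { … } }` block continues past the end of the hunk.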
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/strongswan.conf
new file mode 100644
index 0000000..e79fe2c
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/strongswan.conf
@@ -0,0 +1 @@
+# /etc/strongswan.conf - strongSwan configuration file
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf
index 5cd9bf1..ca3372f 100644
--- a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf
index 77266cf..7114a3f 100644
--- a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf
@@ -2,6 +2,9 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-radius updown
+
+  dh_exponent_ansi_x9_42 = no
+
   plugins {
     eap-radius {
       secret = gv6URkSs
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
index 5cd9bf1..ca3372f 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
index 5cd9bf1..ca3372f 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
index 5cd9bf1..ca3372f 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev2/acert-cached/description.txt b/testing/tests/ikev2/acert-cached/description.txt
new file mode 100644
index 0000000..42f7432
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/description.txt
@@ -0,0 +1,11 @@
+<p>The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+To authorize clients, <b>moon</b> uses locally cached attribute certificates.
+While for <b>carol</b> a valid attribute certificate for the group <i>sales</i>
+is available, <b>dave</b>'s attribute certificates are either expired or
+do not grant permissions for the <i>sales</i> group.</p>
+<p>Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> try
+to ping the client <b>alice</b> behind the gateway <b>moon</b>, but dave fails
+to do so.</p>
diff --git a/testing/tests/ikev2/acert-cached/evaltest.dat b/testing/tests/ikev2/acert-cached/evaltest.dat
new file mode 100644
index 0000000..682c55c
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/evaltest.dat
@@ -0,0 +1,12 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol at strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave at strongswan.org.*moon.strongswan.org::NO
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol at strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave at strongswan.org::NO
+moon::cat /var/log/daemon.log::constraint check failed: group membership to 'sales' required::YES
+dave::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::NO
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::NO
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/acert-cached/hosts/carol/etc/ipsec.conf
similarity index 72%
copy from testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
copy to testing/tests/ikev2/acert-cached/hosts/carol/etc/ipsec.conf
index 4272d98..e72f787 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/acert-cached/hosts/carol/etc/ipsec.conf
@@ -7,16 +7,14 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev2
 
 conn home
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
-	leftauth=eap
+	leftid=carol at strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
-	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
-	rightauth=any
+	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
-	rightsendcert=never
+	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/acert-cached/hosts/carol/etc/strongswan.conf
similarity index 86%
copy from testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
copy to testing/tests/ikev2/acert-cached/hosts/carol/etc/strongswan.conf
index 8e685c8..dc93764 100644
--- a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-cached/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,4 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-  multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/acert-cached/hosts/dave/etc/ipsec.conf
similarity index 61%
copy from testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
copy to testing/tests/ikev2/acert-cached/hosts/dave/etc/ipsec.conf
index 4272d98..65c9819 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/acert-cached/hosts/dave/etc/ipsec.conf
@@ -7,16 +7,14 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev2
 
 conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftauth=eap
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave at strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
-	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
-	rightauth=any
+	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
-	rightsendcert=never
+	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/acert-cached/hosts/dave/etc/strongswan.conf
similarity index 86%
copy from testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
copy to testing/tests/ikev2/acert-cached/hosts/dave/etc/strongswan.conf
index 8e685c8..dc93764 100644
--- a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-cached/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,4 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-  multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.conf
similarity index 79%
copy from testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
copy to testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.conf
index b9a58e9..fbffbad 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.conf
@@ -7,15 +7,14 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev2
 
-conn rw-eap
+conn rw
 	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
 	leftcert=moonCert.pem
-	leftauth=eap-tls
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
-	rightauth=eap-tls
-	rightsendcert=never
 	right=%any
+	rightgroups=sales
+	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/acert-cached/hosts/moon/etc/strongswan.conf
similarity index 56%
copy from testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
copy to testing/tests/ikev2/acert-cached/hosts/moon/etc/strongswan.conf
index 8e685c8..cd836a2 100644
--- a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-cached/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation acert hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/acert-cached/posttest.dat b/testing/tests/ikev2/acert-cached/posttest.dat
new file mode 100644
index 0000000..e5b8d29
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/posttest.dat
@@ -0,0 +1,11 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::rm /etc/ipsec.d/acerts/carol-sales-finance.pem
+moon::rm /etc/ipsec.d/acerts/dave-sales-expired.pem
+moon::rm /etc/ipsec.d/acerts/dave-marketing.pem
+moon::rm /etc/ipsec.d/private/aa.pem
+moon::rm /etc/ipsec.d/aacerts/aa.pem
diff --git a/testing/tests/ikev2/acert-cached/pretest.dat b/testing/tests/ikev2/acert-cached/pretest.dat
new file mode 100644
index 0000000..8bbea14
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/acert-cached/test.conf b/testing/tests/ikev2/acert-cached/test.conf
new file mode 100644
index 0000000..f292988
--- /dev/null
+++ b/testing/tests/ikev2/acert-cached/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/acert-fallback/description.txt b/testing/tests/ikev2/acert-fallback/description.txt
new file mode 100644
index 0000000..0008b10
--- /dev/null
+++ b/testing/tests/ikev2/acert-fallback/description.txt
@@ -0,0 +1,12 @@
+<p>The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+The authentication is based on <b>X.509 certificates</b>. To authorize clients,
+<b>moon</b> expects attribute certificates sent inline in IKEv2 CERT payloads.
+<b>Carol</b> has attribute certificates for both the <i>sales</i> and
+the <i>finance</i> groups. The attribute certificate for <i>finance</i> is not
+valid anymore, hence <b>carol</b> gets access to the <i>sales</i> connection
+only.</p>
+<p>Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> tries to ping both
+<b>alice</b> and <b>venus</b>, but only the ping for the <i>sales</i> related
+host <b>venus</b> succeeds.</p>
diff --git a/testing/tests/ikev2/acert-fallback/evaltest.dat b/testing/tests/ikev2/acert-fallback/evaltest.dat
new file mode 100644
index 0000000..985f320
--- /dev/null
+++ b/testing/tests/ikev2/acert-fallback/evaltest.dat
@@ -0,0 +1,8 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol at strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::finance.*: ESTABLISHED.*moon.strongswan.org.*dave at strongswan.org::NO
+moon:: ipsec status 2> /dev/null::sales.*: ESTABLISHED.*moon.strongswan.org.*carol at strongswan.org::YES
+moon::cat /var/log/daemon.log::constraint check failed: group membership to 'finance' required::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
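Review bot: The second line asserts that no `finance` SA is established with `dave at strongswan.org`, but dave takes no part in this test (this test's pretest.dat starts only moon and carol, and its test.conf VIRTHOSTS lists no dave), so the NO check is vacuously true and never exercises the fallback the description promises. The identity carol presents is `carol at strongswan.org` (first line of this file), so the check should read `moon:: ipsec status 2> /dev/null::finance.*: ESTABLISHED.*moon.strongswan.org.*carol at strongswan.org::NO`. As written, a regression in which carol's expired finance attribute certificate were accepted would be caught only by the daemon.log constraint-check line and the failing alice ping, not by the status check that names the condition directly.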
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.conf
similarity index 72%
copy from testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
copy to testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.conf
index 4272d98..e72f787 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.conf
@@ -7,16 +7,14 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev2
 
 conn home
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
-	leftauth=eap
+	leftid=carol at strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
-	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
-	rightauth=any
+	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
-	rightsendcert=never
+	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf
similarity index 86%
copy from testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
copy to testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf
index 8e685c8..dc93764 100644
--- a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,4 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-  multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.conf
new file mode 100644
index 0000000..37e779f
--- /dev/null
+++ b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn finance
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.10/32
+	leftfirewall=yes
+	right=%any
+	rightid=*@strongswan.org
+	rightgroups=finance
+	keyexchange=ikev2
+	auto=add
+
+conn sales
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.20/32
+	leftfirewall=yes
+	right=%any
+	rightgroups=sales
+	keyexchange=ikev2
+	auto=add
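Review bot: `conn finance` constrains the peer with `rightid=*@strongswan.org` while `conn sales` directly below it leaves rightid unset and relies on `rightgroups=sales` alone. If the wildcard is there to make finance the better-matching candidate so that the group-constraint failure on carol's expired finance attribute certificate falls through to sales (which is what the test name suggests), a comment such as `# rightid makes finance the preferred match; the group check then falls back to sales` would stop the next editor from "fixing" the asymmetry; if instead it is meant as an access restriction, sales needs it too. Note also that the fallback only works because both conns share the same `leftcert`/`leftid`, so the peer's identity, not the requested subnet, drives selection.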
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf
similarity index 56%
copy from testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
copy to testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf
index 8e685c8..cd836a2 100644
--- a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation acert hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/acert-fallback/posttest.dat b/testing/tests/ikev2/acert-fallback/posttest.dat
new file mode 100644
index 0000000..2ccb86a
--- /dev/null
+++ b/testing/tests/ikev2/acert-fallback/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+carol::rm /etc/ipsec.d/acerts/carol-sales.pem
+carol::rm /etc/ipsec.d/acerts/carol-finance-expired.pem
+moon::rm /etc/ipsec.d/private/aa.pem
+moon::rm /etc/ipsec.d/aacerts/aa.pem
diff --git a/testing/tests/ikev2/acert-fallback/pretest.dat b/testing/tests/ikev2/acert-fallback/pretest.dat
new file mode 100644
index 0000000..baacc16
--- /dev/null
+++ b/testing/tests/ikev2/acert-fallback/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/ikev2/acert-fallback/test.conf b/testing/tests/ikev2/acert-fallback/test.conf
new file mode 100644
index 0000000..a6c21de
--- /dev/null
+++ b/testing/tests/ikev2/acert-fallback/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/acert-inline/description.txt b/testing/tests/ikev2/acert-inline/description.txt
new file mode 100644
index 0000000..948b847
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/description.txt
@@ -0,0 +1,12 @@
+<p>The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+To authorize clients, <b>moon</b> expects attribute certificates sent inline in
+IKEv2 CERT payloads. <b>Carol</b> provides a valid attribute certificate for
+the group <i>sales</i>, but <b>dave</b> offers two invalid attribute
+certificates: One is not for the <i>sales</i> group, and the other is issued by
+an AA that has been expired.</p>
+<p>Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> try
+to ping the client <b>alice</b> behind the gateway <b>moon</b>, but dave fails
+to do so.</p>
diff --git a/testing/tests/ikev2/acert-inline/evaltest.dat b/testing/tests/ikev2/acert-inline/evaltest.dat
new file mode 100644
index 0000000..ba448f8
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/evaltest.dat
@@ -0,0 +1,15 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol at strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave at strongswan.org.*moon.strongswan.org::NO
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol at strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave at strongswan.org::NO
+moon::cat /var/log/daemon.log::constraint check failed: group membership to 'sales' required::YES
+carol::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=Linux strongSwan, CN=strongSwan AA\"::YES
+dave::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=Linux strongSwan, CN=strongSwan AA\"::YES
+dave::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=Linux strongSwan, CN=expired AA\"::YES
+dave::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::NO
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::NO
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/acert-inline/hosts/carol/etc/ipsec.conf
similarity index 72%
copy from testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
copy to testing/tests/ikev2/acert-inline/hosts/carol/etc/ipsec.conf
index 4272d98..e72f787 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/acert-inline/hosts/carol/etc/ipsec.conf
@@ -7,16 +7,14 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev2
 
 conn home
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
-	leftauth=eap
+	leftid=carol at strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
-	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
-	rightauth=any
+	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
-	rightsendcert=never
+	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/acert-inline/hosts/carol/etc/strongswan.conf
similarity index 86%
copy from testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
copy to testing/tests/ikev2/acert-inline/hosts/carol/etc/strongswan.conf
index 8e685c8..dc93764 100644
--- a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-inline/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,4 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-  multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.conf
similarity index 61%
copy from testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
copy to testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.conf
index 4272d98..65c9819 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.conf
@@ -7,16 +7,14 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev2
 
 conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftauth=eap
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave at strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
-	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
-	rightauth=any
+	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
-	rightsendcert=never
+	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/acert-inline/hosts/dave/etc/strongswan.conf
similarity index 86%
copy from testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
copy to testing/tests/ikev2/acert-inline/hosts/dave/etc/strongswan.conf
index 8e685c8..dc93764 100644
--- a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-inline/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,4 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-  multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.conf
similarity index 79%
copy from testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
copy to testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.conf
index b9a58e9..e3abea5 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.conf
@@ -7,15 +7,14 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev2
 
-conn rw-eap
+conn rw
 	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
 	leftcert=moonCert.pem
-	leftauth=eap-tls
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
-	rightauth=eap-tls
-	rightsendcert=never
 	right=%any
+	rightgroups="finance, sales"
+	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/acert-inline/hosts/moon/etc/strongswan.conf
similarity index 56%
copy from testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
copy to testing/tests/ikev2/acert-inline/hosts/moon/etc/strongswan.conf
index 8e685c8..cd836a2 100644
--- a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-inline/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation acert hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/acert-inline/posttest.dat b/testing/tests/ikev2/acert-inline/posttest.dat
new file mode 100644
index 0000000..a0ef984
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/posttest.dat
@@ -0,0 +1,13 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+carol::rm /etc/ipsec.d/acerts/carol-sales.pem
+dave::rm /etc/ipsec.d/acerts/dave-expired-aa.pem
+dave::rm /etc/ipsec.d/acerts/dave-marketing.pem
+moon::rm /etc/ipsec.d/private/aa-expired.pem
+moon::rm /etc/ipsec.d/private/aa.pem
+moon::rm /etc/ipsec.d/aacerts/aa-expired.pem
+moon::rm /etc/ipsec.d/aacerts/aa.pem
diff --git a/testing/tests/ikev2/acert-inline/pretest.dat b/testing/tests/ikev2/acert-inline/pretest.dat
new file mode 100644
index 0000000..8bbea14
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/acert-inline/test.conf b/testing/tests/ikev2/acert-inline/test.conf
new file mode 100644
index 0000000..f292988
--- /dev/null
+++ b/testing/tests/ikev2/acert-inline/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/compress-nat/posttest.dat b/testing/tests/ikev2/compress-nat/posttest.dat
index b8432a8..ddab5f9 100644
--- a/testing/tests/ikev2/compress-nat/posttest.dat
+++ b/testing/tests/ikev2/compress-nat/posttest.dat
@@ -5,6 +5,4 @@ alice::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 bob::iptables-restore < /etc/iptables.flush
 moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-moon::conntrack -F
-sun::conntrack -F
\ No newline at end of file
+sun::iptables-restore < /etc/iptables.flush
\ No newline at end of file
diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
index c393b29..2ba42b6 100644
--- a/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
@@ -2,10 +2,9 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-  multiple_authentication = no
-}
 
-libstrongswan {
+  multiple_authentication = no
+  
   x509 {
     enforce_critical = no
   }
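Review bot: The added separator line `+  ` carries two trailing spaces and should be an empty line, as the equivalent separator added to the sun variant of this file in the next hunk is. The substance of the change is relocating `x509 { enforce_critical = no }` from a top-level `libstrongswan` section into `charon`; since this is the one peer in the test that deliberately tolerates unknown critical X.509 extensions (sun's file carries no such override and so keeps the default), a one-line comment above the block, `# moon intentionally accepts unknown critical extensions; sun keeps the default`, would make the intent visible to whoever next copies this file as a template.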
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
index 8e685c8..1e3d118 100644
--- a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/double-nat-net/posttest.dat b/testing/tests/ikev2/double-nat-net/posttest.dat
index 63d4f98..ec663e7 100644
--- a/testing/tests/ikev2/double-nat-net/posttest.dat
+++ b/testing/tests/ikev2/double-nat-net/posttest.dat
@@ -4,6 +4,4 @@ alice::iptables-restore < /etc/iptables.flush
 bob::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 sun::iptables -t nat -F
-moon::conntrack -F
-sun::conntrack -F
 sun::ip route del 10.1.0.0/16 via PH_IP_BOB
diff --git a/testing/tests/ikev2/double-nat/posttest.dat b/testing/tests/ikev2/double-nat/posttest.dat
index aa806bf..f434b33 100644
--- a/testing/tests/ikev2/double-nat/posttest.dat
+++ b/testing/tests/ikev2/double-nat/posttest.dat
@@ -4,5 +4,3 @@ alice::iptables-restore < /etc/iptables.flush
 bob::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 sun::iptables -t nat -F
-moon::conntrack -F
-sun::conntrack -F
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf
index bad10ca..73bbf68 100644
--- a/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf
index bad10ca..73bbf68 100644
--- a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf
index bad10ca..73bbf68 100644
--- a/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf
index bad10ca..73bbf68 100644
--- a/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf
index bad10ca..73bbf68 100644
--- a/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf
index bad10ca..73bbf68 100644
--- a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
index 9c0bb5c..150690e 100644
--- a/testing/tests/ikev2/ip-two-pools-db/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
@@ -10,7 +10,6 @@ carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
 moon::ip route del 10.3.0.0/16 via PH_IP_MOON
 moon::ip route del 10.4.0.0/16 via PH_IP_MOON1
-moon::conntrack -F
 moon::ipsec pool --del extpool 2> /dev/null
 moon::ipsec pool --del intpool 2> /dev/null
 moon::ipsec pool --delattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
index a3924b2..57449be 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
@@ -4,6 +4,5 @@ moon::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 alice::iptables-restore < /etc/iptables.flush
-moon::conntrack -F
 moon::ipsec pool --del intpool 2> /dev/null
 moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat
index 311e9f2..2e78893 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat
@@ -1,5 +1,4 @@
 alice::ip -6 route del default via fec1:\:1
 carol::ipsec stop
 moon::ipsec stop
-moon::conntrack -F
 moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat
index bb20cae..e46195c 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat
@@ -1,4 +1,3 @@
 alice::ip -6 route del default via fec1:\:1
 carol::ipsec stop
 moon::ipsec stop
-moon::conntrack -F
diff --git a/testing/tests/ikev2/ip-two-pools/posttest.dat b/testing/tests/ikev2/ip-two-pools/posttest.dat
index 2fbc2c3..7de2bc9 100644
--- a/testing/tests/ikev2/ip-two-pools/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools/posttest.dat
@@ -4,5 +4,4 @@ moon::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 alice::iptables-restore < /etc/iptables.flush
-moon::conntrack -F
 moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/mobike-nat/posttest.dat b/testing/tests/ikev2/mobike-nat/posttest.dat
index f4e5316..0754ede 100644
--- a/testing/tests/ikev2/mobike-nat/posttest.dat
+++ b/testing/tests/ikev2/mobike-nat/posttest.dat
@@ -3,4 +3,3 @@ sun::ipsec stop
 alice::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/ikev2/mobike-nat/pretest.dat b/testing/tests/ikev2/mobike-nat/pretest.dat
index 86ac6e7..fde195d 100644
--- a/testing/tests/ikev2/mobike-nat/pretest.dat
+++ b/testing/tests/ikev2/mobike-nat/pretest.dat
@@ -1,7 +1,6 @@
 alice::ifup eth1
 alice::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::conntrack -F
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 alice::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
index c380a51..4d9fed0 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDwTCCAqmgAwIBAgIBDDANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MIIDwTCCAqmgAwIBAgIBKDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDMyMzA2MjUzNloXDTE0MDMyMTA2MjUzNlowUTELMAkGA1UE
+b290IENBMB4XDTE0MDMyMjEzNTYyMloXDTE5MDMyMTEzNTYyMlowUTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
 cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
@@ -13,11 +13,11 @@ C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
 BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
 VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
 BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAA4jpa5Vc/q94/X1
-LAHO2m7v2AFPl68SwspZLbCL7Le+iv5BUQ814Y9qCXMySak+NpZ5RLzm/cC+3GCa
-6eyozhZnS5LDxIgtStXWaC3vIQKQhJMwnc43RgcqneqqS5/H5zNXz/f0g/bRG8bN
-T6nO0ZRdpy8Zu0+fH3f/u9/sQPRX3iNL/rd3x/UVLoowkQHdKzZfjcrFm+8CPl4r
-9xOKjzC6epPY2ApfXmLodd0zemf84CKSJCXfkVlk0cYw1YLKUINnHToFfDAw0kCL
-cVc7wHWZlzSVSE3u0PYXVssnsm08RWqAGPL3TO09fnUntNMzlIxNpOTuWsKVXZPq
-YO2C4HE=
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAKHj4oUmSaG9u3QC
+wjbETgexmKo6EViRjaf++QlK54ILHmPHCkN6Smzr5xpmi7P/FnBLqMlfMIQ3DCD7
+Fof/8SqaE/V9cP7TXK6c5vZHLoVU/NZW1A/HucMHSxd1DEiTfmrz8Q9RNb/r5adZ
+Epbje7IRlufhpDD2hDNs1FyjmY9V9G4VfOBA/JBWlgs+A810uidNVD+YEFxDlIZG
+6Kr0d5/WZowOUX7G8LUaa5kjoCS7MJONeEX2D/wtsx7Zw3f7GjFDdJfdi+CbAwBN
+d8kt2l7yt7oEW9AfOcMQ7+HZOqihNrV8mCErk39p9f6zcZtYHnjM5fJlNRmc+EXC
+mk13kTA=
 -----END CERTIFICATE-----
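Review bot: The renewed Research CA certificate keeps the same SubjectPublicKeyInfo and subjectKeyIdentifier (those lines are unchanged context), so the CRL and end-entity certificates this revocation test depends on should still verify under the new issuer certificate; the changed DER header appears to alter only the serial, the validity window (now running to March 2019) and the signature algorithm, which moves from sha1WithRSAEncryption to sha256WithRSAEncryption. The previous certificate expired in March 2014, which is presumably why it is being replaced, so the new five-year validity will take this fixture down again in 2019 unless someone is reminded; recording the expiry in the test's description.txt, or issuing fixture CAs with a longer validity, would avoid a repeat. The other tests that share the Research CA presumably receive the same renewed certificate outside this hunk.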
diff --git a/testing/tests/ikev2/nat-rw-mark/posttest.dat b/testing/tests/ikev2/nat-rw-mark/posttest.dat
index 72dff4e..343fcc1 100644
--- a/testing/tests/ikev2/nat-rw-mark/posttest.dat
+++ b/testing/tests/ikev2/nat-rw-mark/posttest.dat
@@ -6,7 +6,5 @@ alice::iptables-restore < /etc/iptables.flush
 venus::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
 moon::iptables-restore < /etc/iptables.flush
-moon::conntrack -F
 sun::iptables-restore < /etc/iptables.flush
-sun::conntrack -F
 sun::rm /etc/mark_updown
diff --git a/testing/tests/ikev2/nat-rw-psk/posttest.dat b/testing/tests/ikev2/nat-rw-psk/posttest.dat
index 4643a3a..bc7d237 100644
--- a/testing/tests/ikev2/nat-rw-psk/posttest.dat
+++ b/testing/tests/ikev2/nat-rw-psk/posttest.dat
@@ -5,4 +5,3 @@ alice::iptables-restore < /etc/iptables.flush
 venus::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/ikev2/nat-rw/posttest.dat b/testing/tests/ikev2/nat-rw/posttest.dat
index 4643a3a..bc7d237 100644
--- a/testing/tests/ikev2/nat-rw/posttest.dat
+++ b/testing/tests/ikev2/nat-rw/posttest.dat
@@ -5,4 +5,3 @@ alice::iptables-restore < /etc/iptables.flush
 venus::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/ikev2/nat-rw/pretest.dat b/testing/tests/ikev2/nat-rw/pretest.dat
index f58e82a..12676f7 100644
--- a/testing/tests/ikev2/nat-rw/pretest.dat
+++ b/testing/tests/ikev2/nat-rw/pretest.dat
@@ -1,14 +1,13 @@
 alice::iptables-restore < /etc/iptables.rules
 venus::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::conntrack -F
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 alice::ipsec start
 venus::ipsec start
 sun::ipsec start
-alice::sleep 2 
+alice::sleep 2
 alice::ipsec up nat-t
-venus::sleep 2 
+venus::sleep 2
 venus::ipsec up nat-t
 venus::sleep 2
diff --git a/testing/tests/ikev2/nat-virtual-ip/posttest.dat b/testing/tests/ikev2/nat-virtual-ip/posttest.dat
index 11bd19d..b9fbde7 100644
--- a/testing/tests/ikev2/nat-virtual-ip/posttest.dat
+++ b/testing/tests/ikev2/nat-virtual-ip/posttest.dat
@@ -2,5 +2,4 @@ moon::ipsec stop
 sun::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
-moon::conntrack -F
 moon::rm /etc/nat_updown
diff --git a/testing/tests/ikev2/nat-virtual-ip/pretest.dat b/testing/tests/ikev2/nat-virtual-ip/pretest.dat
index eb0c28c..8945d87 100644
--- a/testing/tests/ikev2/nat-virtual-ip/pretest.dat
+++ b/testing/tests/ikev2/nat-virtual-ip/pretest.dat
@@ -1,8 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::conntrack -F
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::sleep 1
 moon::ipsec up net-net
 moon::sleep 1
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf
index e9c79b3..d5ac379 100644
--- a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf
@@ -7,11 +7,6 @@ charon {
     dnscert {
       enable = yes
     }
-  }
-}
-
-libstrongswan {
-  plugins {
     unbound {
       # trust_anchors = /etc/ipsec.d/dnssec.keys
       # resolv_conf = /etc/resolv.conf
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf
index e9c79b3..d5ac379 100644
--- a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf
@@ -7,11 +7,6 @@ charon {
     dnscert {
       enable = yes
     }
-  }
-}
-
-libstrongswan {
-  plugins {
     unbound {
       # trust_anchors = /etc/ipsec.d/dnssec.keys
       # resolv_conf = /etc/resolv.conf
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf
index 44a54a9..58deb25 100644
--- a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf
@@ -7,11 +7,6 @@ charon {
     ipseckey {
       enable = yes
     }
-  }
-}
-
-libstrongswan {
-  plugins {
     unbound {
       # trust_anchors = /etc/ipsec.d/dnssec.keys
       # resolv_conf = /etc/resolv.conf
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf
index 44a54a9..58deb25 100644
--- a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf
@@ -7,11 +7,6 @@ charon {
     ipseckey {
       enable = yes
     }
-  }
-}
-
-libstrongswan {
-  plugins {
     unbound {
       # trust_anchors = /etc/ipsec.d/dnssec.keys
       # resolv_conf = /etc/resolv.conf
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/description.txt b/testing/tests/ikev2/net2net-ntru-bandwidth/description.txt
new file mode 100644
index 0000000..aab0c68
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/description.txt
@@ -0,0 +1,9 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The key exchange is based on NTRU encryption with a security strength of 128 bits.
+The ANSI X9.98 NTRU encryption parameter set used is optimized for bandwidth.
+<p/>
+The authentication is based on <b>X.509 certificates</b>. Upon the successful
+establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/evaltest.dat b/testing/tests/ikev2/net2net-ntru-bandwidth/evaltest.dat
new file mode 100644
index 0000000..69b5ef7
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/evaltest.dat
@@ -0,0 +1,9 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::ipsec statusall 2> /dev/null::net-net.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
+sun::ipsec statusall 2> /dev/null::net-net.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf
similarity index 56%
copy from testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
copy to testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf
index b9a58e9..01d114d 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf
@@ -1,6 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
+	charondebug="ike 4, lib 4"
 
 conn %default
 	ikelifetime=60m
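Review bot: `charondebug="ike 4, lib 4"` at line 4 of the new moon ipsec.conf (and the identical line in the new sun ipsec.conf added later in this commit) selects charon log level 4, the level at which the daemon also writes sensitive material such as keying data to its log. That is presumably deliberate here so the NTRU exchange can be inspected in the test log, but nothing on the line says so, and the file is a copy target for other tests; a comment would keep it from being carried into a non-test configuration: `# level 4 also logs sensitive material (keys); test environment only`. The conn %default section continues in the next hunk.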
@@ -8,14 +9,17 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
+	ike=aes128-sha256-ntru128!
+	esp=aes128-sha256!
+	mobike=no
 
-conn rw-eap
+conn net-net 
 	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
 	leftcert=moonCert.pem
-	leftauth=eap-tls
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
-	rightauth=eap-tls
-	rightsendcert=never
-	right=%any
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
 	auto=add
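Review bot: `conn net-net ` on the new side carries a trailing blank after the section name, and the new sun ipsec.conf in this commit has the same line. Whether the starter's parser strips that blank from the conn name I cannot tell from here; the evaltest patterns match `net-net.*`, so the test would pass either way, but the name should not depend on parser trimming: `conn net-net`.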
diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf
similarity index 85%
copy from testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
copy to testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf
index f4fd948..17f6111 100644
--- a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf
@@ -2,14 +2,13 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 ntru revocation hmac stroke kernel-netlink socket-default updown
+
   multiple_authentication = no
   send_vendor_id = yes
-}
 
-libstrongswan {
   plugins {
     ntru {
-      parameter_set = optimum
+      parameter_set = x9_98_bandwidth 
     }
   }
 }
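Review bot: `parameter_set = x9_98_bandwidth ` ends with a trailing blank, while the sun copy of this file in the same commit has `parameter_set = x9_98_bandwidth` without it. A value that differs only in trailing whitespace between two hosts of one test is fragile even if the settings parser happens to trim it; write `      parameter_set = x9_98_bandwidth` on both. The hunk also moves the `plugins` block from `libstrongswan` under `charon`, which matches the other strongswan.conf hunks in this commit.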
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf
new file mode 100644
index 0000000..e57bec9
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="ike 4, lib 4"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha256-ntru128!
+	esp=aes128-sha256!
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
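Review bot: `        keyingtries=1` in the new sun ipsec.conf is indented with eight spaces while every other option line in the file uses a tab, and the moon counterpart in this commit uses a tab for the same line. It is harmless for the parser but makes the two host configs diff noisily; use `	keyingtries=1` like its neighbours.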
diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf
similarity index 85%
copy from testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
copy to testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf
index f4fd948..0d18555 100644
--- a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf
@@ -2,14 +2,13 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 ntru revocation hmac stroke kernel-netlink socket-default updown
+
   multiple_authentication = no
   send_vendor_id = yes
-}
 
-libstrongswan {
   plugins {
     ntru {
-      parameter_set = optimum
+      parameter_set = x9_98_bandwidth
     }
   }
 }
diff --git a/testing/tests/ikev1/nat-virtual-ip/posttest.dat b/testing/tests/ikev2/net2net-ntru-bandwidth/posttest.dat
similarity index 73%
copy from testing/tests/ikev1/nat-virtual-ip/posttest.dat
copy to testing/tests/ikev2/net2net-ntru-bandwidth/posttest.dat
index 11bd19d..837738f 100644
--- a/testing/tests/ikev1/nat-virtual-ip/posttest.dat
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/posttest.dat
@@ -2,5 +2,4 @@ moon::ipsec stop
 sun::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
-moon::conntrack -F
-moon::rm /etc/nat_updown
+
diff --git a/testing/tests/ikev1/nat-virtual-ip/pretest.dat b/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat
similarity index 83%
copy from testing/tests/ikev1/nat-virtual-ip/pretest.dat
copy to testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat
index eb0c28c..c724e5d 100644
--- a/testing/tests/ikev1/nat-virtual-ip/pretest.dat
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat
@@ -1,8 +1,6 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::conntrack -F
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
 moon::ipsec up net-net
-moon::sleep 1
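Review bot: The copied pretest.dat drops the final `moon::sleep 1` after `moon::ipsec up net-net`, so the evaltest checks for `ESTABLISHED` and `INSTALLED, TUNNEL` presumably run as soon as the `ipsec up` command returns; if the NTRU exchange is still completing on sun at that moment the status checks could race, which the removed line guarded against. The context line `moon::sleep 1 ` also keeps a trailing blank that the nat-rw and nat-virtual-ip pretest.dat hunks in this same commit strip; `moon::sleep 1` without it would match them.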
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/test.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/test.conf
new file mode 100644
index 0000000..646b8b3
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
index f4fd948..4de997a 100644
--- a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
@@ -2,11 +2,10 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 ntru revocation hmac stroke kernel-netlink socket-default updown
+
   multiple_authentication = no
   send_vendor_id = yes
-}
 
-libstrongswan {
   plugins {
     ntru {
       parameter_set = optimum
diff --git a/testing/tests/ikev2/net2net-same-nets/posttest.dat b/testing/tests/ikev2/net2net-same-nets/posttest.dat
index b0225c3..5fca950 100644
--- a/testing/tests/ikev2/net2net-same-nets/posttest.dat
+++ b/testing/tests/ikev2/net2net-same-nets/posttest.dat
@@ -4,4 +4,3 @@ moon::ipsec stop
 sun::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
-sun::conntrack -F
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.d/ocspcerts/ocspCert-self.pem b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.d/ocspcerts/ocspCert-self.pem
index 77f5bde..dd6ed8e 100644
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.d/ocspcerts/ocspCert-self.pem
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.d/ocspcerts/ocspCert-self.pem
@@ -1,8 +1,8 @@
 -----BEGIN CERTIFICATE-----
-MIIEbjCCA1agAwIBAgIJALN2wqyLTIzfMA0GCSqGSIb3DQEBBQUAMGsxCzAJBgNV
+MIIEcTCCA1mgAwIBAgIJAOQ3M9xQ+07MMA0GCSqGSIb3DQEBCwUAMGsxCzAJBgNV
 BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMSMwIQYDVQQLExpPQ1NQ
 IFNlbGYtU2lnbmVkIEF1dGhvcml0eTEcMBoGA1UEAxMTb2NzcC5zdHJvbmdzd2Fu
-Lm9yZzAeFw0wNzAzMTQxMjM0MDNaFw0xMjAzMTIxMjM0MDNaMGsxCzAJBgNVBAYT
+Lm9yZzAeFw0xNDAzMjcyMTQxNTVaFw0xOTAzMjYyMTQxNTVaMGsxCzAJBgNVBAYT
 AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMSMwIQYDVQQLExpPQ1NQIFNl
 bGYtU2lnbmVkIEF1dGhvcml0eTEcMBoGA1UEAxMTb2NzcC5zdHJvbmdzd2FuLm9y
 ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgSOFeDdWxYKGPUSUhM
@@ -11,16 +11,16 @@ P3uY5XbSPZpiiBgFoo8BC2/Y/rxY/skjEzqoHEXjg/vO1bA0tqjVn5a0jpkai7pD
 mUyBrmn1ArOjhR/HAupCHsIb7sAL+IEXByMcZQK6bvNL9PMTYI1T72+t/9cZAAEJ
 DfEhyJZMxQKgmT1SNzLwyszy1M1HF95D59gBok4PaRWWsLdwzplfTKh61CeGCYqb
 UP3qpMKrJ8Y7uv+e1vVzuYbJg5DR+bF1IGIc9QRyJlTkhZco+zTCQYxpvsNO18yr
-4qcCAwEAAaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgECMB0GA1UdDgQW
-BBQHqEiJbwUSQJDtrfhopkda0nXrLTCBnQYDVR0jBIGVMIGSgBQHqEiJbwUSQJDt
-rfhopkda0nXrLaFvpG0wazELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0
-cm9uZ1N3YW4xIzAhBgNVBAsTGk9DU1AgU2VsZi1TaWduZWQgQXV0aG9yaXR5MRww
-GgYDVQQDExNvY3NwLnN0cm9uZ3N3YW4ub3JnggkAs3bCrItMjN8wHgYDVR0RBBcw
-FYITb2NzcC5zdHJvbmdzd2FuLm9yZzAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCTAN
-BgkqhkiG9w0BAQUFAAOCAQEAi//I0DOlUXNHxzLuuxyr6k5gO55zMCmHUcVfjVFZ
-9e+UpLLFZY+qbxOfzVLpKyDch6dKDIA/H+SzX1GZ+uW4FFQ1wYlHcK1Sio9hOgqI
-zeWdY5uHF6iERVYgOU/xp0+0LS5l4ezCvOKVkYJEFWe2eyn9rd4PGLW4/lTQiK1V
-14YzPyAhB7n8Sln5LBxAeY7U7Y8jEMLXZ+VF21mjH2sxZzWV/qWZdNWVUNaLZTYL
-lTqyzqsk40v5BTrjSvAWHN+c1WzydMvatFDzghlPnvR8dufRN2bnlj10J8sizn+v
-1iDtM6uYi8+Yn26yMGjCP+RYW+bwKQ927Gr43UkqqGsbCg==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 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.d/ocspcerts/ocspCert-self.pem b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.d/ocspcerts/ocspCert-self.pem
index 77f5bde..dd6ed8e 100644
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.d/ocspcerts/ocspCert-self.pem
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.d/ocspcerts/ocspCert-self.pem
@@ -1,8 +1,8 @@
 -----BEGIN CERTIFICATE-----
-MIIEbjCCA1agAwIBAgIJALN2wqyLTIzfMA0GCSqGSIb3DQEBBQUAMGsxCzAJBgNV
+MIIEcTCCA1mgAwIBAgIJAOQ3M9xQ+07MMA0GCSqGSIb3DQEBCwUAMGsxCzAJBgNV
 BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMSMwIQYDVQQLExpPQ1NQ
 IFNlbGYtU2lnbmVkIEF1dGhvcml0eTEcMBoGA1UEAxMTb2NzcC5zdHJvbmdzd2Fu
-Lm9yZzAeFw0wNzAzMTQxMjM0MDNaFw0xMjAzMTIxMjM0MDNaMGsxCzAJBgNVBAYT
+Lm9yZzAeFw0xNDAzMjcyMTQxNTVaFw0xOTAzMjYyMTQxNTVaMGsxCzAJBgNVBAYT
 AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMSMwIQYDVQQLExpPQ1NQIFNl
 bGYtU2lnbmVkIEF1dGhvcml0eTEcMBoGA1UEAxMTb2NzcC5zdHJvbmdzd2FuLm9y
 ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgSOFeDdWxYKGPUSUhM
@@ -11,16 +11,16 @@ P3uY5XbSPZpiiBgFoo8BC2/Y/rxY/skjEzqoHEXjg/vO1bA0tqjVn5a0jpkai7pD
 mUyBrmn1ArOjhR/HAupCHsIb7sAL+IEXByMcZQK6bvNL9PMTYI1T72+t/9cZAAEJ
 DfEhyJZMxQKgmT1SNzLwyszy1M1HF95D59gBok4PaRWWsLdwzplfTKh61CeGCYqb
 UP3qpMKrJ8Y7uv+e1vVzuYbJg5DR+bF1IGIc9QRyJlTkhZco+zTCQYxpvsNO18yr
-4qcCAwEAAaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgECMB0GA1UdDgQW
-BBQHqEiJbwUSQJDtrfhopkda0nXrLTCBnQYDVR0jBIGVMIGSgBQHqEiJbwUSQJDt
-rfhopkda0nXrLaFvpG0wazELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0
-cm9uZ1N3YW4xIzAhBgNVBAsTGk9DU1AgU2VsZi1TaWduZWQgQXV0aG9yaXR5MRww
-GgYDVQQDExNvY3NwLnN0cm9uZ3N3YW4ub3JnggkAs3bCrItMjN8wHgYDVR0RBBcw
-FYITb2NzcC5zdHJvbmdzd2FuLm9yZzAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCTAN
-BgkqhkiG9w0BAQUFAAOCAQEAi//I0DOlUXNHxzLuuxyr6k5gO55zMCmHUcVfjVFZ
-9e+UpLLFZY+qbxOfzVLpKyDch6dKDIA/H+SzX1GZ+uW4FFQ1wYlHcK1Sio9hOgqI
-zeWdY5uHF6iERVYgOU/xp0+0LS5l4ezCvOKVkYJEFWe2eyn9rd4PGLW4/lTQiK1V
-14YzPyAhB7n8Sln5LBxAeY7U7Y8jEMLXZ+VF21mjH2sxZzWV/qWZdNWVUNaLZTYL
-lTqyzqsk40v5BTrjSvAWHN+c1WzydMvatFDzghlPnvR8dufRN2bnlj10J8sizn+v
-1iDtM6uYi8+Yn26yMGjCP+RYW+bwKQ927Gr43UkqqGsbCg==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 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
index c41a668..baeccb3 100644
--- a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
@@ -1,6 +1,10 @@
 moon:: ipsec listocspcerts 2> /dev/null::altNames.*ocsp.*strongswan.org::YES
 carol::ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES
 dave:: ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES
+moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.research.strongswan.org::YES
+moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.sales.strongswan.org::YES
+carol::cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.strongswan.org::YES
+dave:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.strongswan.org::YES
 moon:: cat /var/log/daemon.log::certificate status is good::YES
 carol::cat /var/log/daemon.log::certificate status is good::YES
 dave:: cat /var/log/daemon.log::certificate status is good::YES
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
index a2ce5ad..a6ae74f 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
@@ -1,5 +1,5 @@
 moon:: cat /var/log/daemon.log::requesting ocsp status from::YES
-moon:: cat /var/log/daemon.log::ocsp response verification failed::YES
+moon:: cat /var/log/daemon.log::ocsp response verification failed, no signer::YES
 moon:: cat /var/log/daemon.log::certificate status is not available::YES
 moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem
index f586a94..94bf123 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem
@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIID+DCCAuCgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MIID+DCCAuCgAwIBAgIBCTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MDMyNDIwMzc0N1oXDTE0MDMyMzIwMzc0
-N1owYTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGDAW
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MDMyNDE0MjM1MloXDTE5MDMyMzE0MjM1
+MlowYTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGDAW
 BgNVBAsTD1Jlc2VhcmNoIG5vIENEUDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dh
-bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPqE4le5QodSA+
-NXnQ1IFI0XWcBDDwQDNcQ6qMScSCaboPFCLrlC9E70J2eGeX2v/UDTQpEOxQ4fGX
-Efk0/MdJjnWGAO95jEInNJ+DuexfrP5REiryKDfryA0d6xiQb/a2M7UuDgxPgyZf
-VyvU7SHebue4317v5NyGJeRnkN3/onNpdjpWu9Le9DqenBQ2SITgo7NsVsNsqhnT
-1jg2jfxJ8OXzi7/6JvuxxweCoDxr+KeKIViFAqNlyufeyIvowdjHTlJRvN/9Wl+/
-jPiHmFcIyIc1o8EUHzM9AEIWtB2DeHL62e7LVJbjMXsLAkTggc3BkGE2cWFOBY0f
-J4R+AKWDAgMBAAGjgcowgccwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0O
-BBYEFIuo2f3quxaDSQ4lj9zJcPYmmc8iMG0GA1UdIwRmMGSAFOd18KDyrSDNzWAj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 zMfIDynz3VQgoUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ry
-b25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEPMB8GA1UdEQQY
-MBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3DQEBBQUAA4IBAQBiOKAx
-ePEwlga++nOpkfBg6ESag5/VWfnAp1zRpXHXnRak10OTtCPDjmJiDUzlKBwolwJN
-I6T3S7eg+M04E3r5IHn3i+HtQcENkq02YUPiUXS5cvLtzKMPIm8pYCj7/5pXxAek
-nHGRdBZkQiGDz49H9rPKxLdJDTLCXpj4l9uOFgsbiQ3k5SyWq5oMhtZsf4VKqAd+
-77Mbn9pnjjy53wLuzjaMVX+K5KKotPNeSHH/pWh9RqNROmf6F2B0nZhW5Aryxa9/
-24GRkZEPZ+cqhtwgVjq5aImzdSrARJQ1tu6lZqNB5b9klYSAi+al0FrvUFoG58Qt
-eWeiFXLvAtXTGoax
+b25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEgMB8GA1UdEQQY
+MBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQCWS7T3
+Np88w0oHJAeMJUdfNGVSlhPFrtqnrNDqYleLEgY2XwJj6cxottILtvgJ+nbsT4uz
+bp5Qk4pygNG3wESt0avGptgSs0Pued/CdHMyyFTrFw/RN7113eTHShDfTtnS0dhh
+6AkI2lxFcNwrGMGh2CqdOyApDYqdm5qayk2CSKnoWOvEL1+SLyfy+XIYCFkarfbv
+ZTCWeO/R8doQVZ+H2gW6NloYJVkUpfMHCqTpd9psAK+hvc/R+6eP03wmhAb8S4mK
+OGdb8VOT7CAaL8f37vrDvj08nOG32j24/JOyrtS7vuAhP2QmDDF15XucygtgskRB
+iQNoCoi+dBX92ol4
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/private/carolKey.pem
index b91f9bf..f4b0af3 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi
-65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq
-8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6
-VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY
-hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu
-y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz
-0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX
-FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH
-gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z
-PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D
-nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El
-U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF
-mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm
-MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB
-UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy
-G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz
-Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY
-hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu
-PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah
-tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr
-s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy
-uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J
-ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu
-LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx
-Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU=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 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem
index cae8184..c464df5 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIELTCCAxWgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MIIELTCCAxWgAwIBAgIBCDANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
-BAMTCFNhbGVzIENBMB4XDTA5MDMyNDIxMTA1M1oXDTE0MDMyMzIxMTA1M1owXTEL
+BAMTCFNhbGVzIENBMB4XDTE0MDMyNDE1MjcwMloXDTE5MDMyMzE1MjcwMlowXTEL
 MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFTATBgNVBAsT
 DFNhbGVzIG5vIENEUDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMqgEdIrRiLkrf0UfCB4xUyx/5cs
-Ka5h1MNBks2cKP6uABOL+jnlkRtyVFIOOCuNMgcK+873LC87UU32zapbe6Ph46aN
-5M9ADMA6PtVeNkJIetVSVtT9DUL5II4kJ/hJUjINbt7omAiDAIWDGKNmTCsR18Ua
-o1O/QFbiTT96fMFKX8EXiJgMt/5+vOWG0s1nGz6gn40R/2K52EvBmu5v0M3TX67c
-YQFgBqMNfvnk0jLy10pEHro1OjgiTTj1DQd55ydSKGa0JvMDT/GOQeR87zkshRLz
-bhxXOt4Ej2kkYbs9ILm7jKa9XfUYI58vCYLHwhGzpLZSsJ2xXkgfAAIFTI8CAwEA
-AaOCAQgwggEEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57r
-UdNRbytUkRGYGjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guT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 KKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4x
-GzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZl
+GzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZl
 QHN0cm9uZ3N3YW4ub3JnMDwGCCsGAQUFBwEBBDAwLjAsBggrBgEFBQcwAYYgaHR0
-cDovL29jc3AyLnN0cm9uZ3N3YW4ub3JnOjg4ODIwDQYJKoZIhvcNAQEFBQADggEB
-ADn1ow4aGxckB4HsJQf1Z6LFpiCOExqhqcK/+fsFcl/WM3F0F+1TbEWzwFzDj3Yu
-5gH6DQ/c0Fp+WYCKAbZXdYoKHJDSZY0BsoD7Nglc1r+l1wFRv1UGF5DoYZPryHGA
-FkusMTUQMvWRRmN9PsURQ77DsmAtryKi5aDQ/rAiPIJK67bQ0HmvPAynO8IF2Fd9
-GpqFSc0gZni9NQszVUH33nuLlZP1hFC5MDeqhcqgmUL/GZbs7DZYThF4INBryfOg
-xFE73CpyNQHHmfT23TLsrFD5IXCp3z3oMtCtTphwUnCJrEzZ1H7mJ+xSJoJ3MOqd
-mNs1ygehz0a99cPoX1j/iwo=
+cDovL29jc3AyLnN0cm9uZ3N3YW4ub3JnOjg4ODIwDQYJKoZIhvcNAQELBQADggEB
+AK3d7gR8IpPu03rV/RnOx4seoZAgm6//nCvP2ceFrEy4tbihnJ+QDvwrgKb/UvwK
+yERLXh/X7WhDyLSyVrbQq/Jj4xEOB5PMSItpmiDHYGX+YaiymZT3VsTJah1zqxSe
+amqHhrlW2U+UDqz/7vFClknSO6tn1vbNo4miYiVALGtRSMhFhVZsXfnA9+VKLdua
+vvdeueRCDg7aXPfAU0MAdcJIYoegJRnLZsJ4IfE/OWvMFnR1w4NmhIHhNT8T/ib0
+3pi2cp6JeSOcZ1Upd2napUoGd2U4XfNE15XGCdoVRazA1STWhfHwu/aBUnINpk0M
+zqpIrvuM6lklZb8gUl4pPwc=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/private/daveKey.pem
index 022436d..e4054ae 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6
-OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW
-1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI
-mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe
-ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM
-pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0
-mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c
-JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz
-0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq
-8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0
-3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u
-U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ
-Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs
-MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS
-sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B
-oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7
-1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i
-bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7
-AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO
-9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX
-3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw
-px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP
-qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt
-/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/
-UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g==
+MIIEogIBAAKCAQEAzu2SfWxfOUFHNJUeg+hy3YPSSG0T9N/4uevIyzDv0gEx+I5T
+rWKN3DHaMIvFSHu33Q0Qg3gJ2khirNz/ViL8tZcP34byAHB+3mepMjPxLwt/pCLL
+guMZdXdVakMxkstEkvllab7Rk3xa2n2qCVWHgudBKLL41hOXGdG08HvGTCJrbzvC
+fhpB80mk2GWhxd1KkYgXls0hCbfafzhIMxp9e24D6+/z/vacGLLZJaGQB34KI2rl
+2dmRgacgUvvXxXpm7iSZlCHMzeCL/s85kKQ4J5JlV6EAkl/WYkjtIkfnhdiRktRL
+kQbpp3eQF/WcUZECM+DDFAeF9SU/yeOmOxXtZQIDAQABAoIBAHGuCqBk/RtTRW8Z
+zR3igdg4Jzoq0p/gu6BIbJNUWywgA/ftGQNT9WNW7+tjngpoDWafWscfFyqYQb19
+27jSl8qbJtlCJYkgRFKi2E0ARCv4QTNG+k75vG7QFFjAeWePzCiCYrhpYHGKC8+k
+4dkm579+lElrqVDSilxg3OqQ1SvVcBPn+ADsFBR30Z7xvxU2iJV+A+zw7tV9EQhU
+4t0zGny5lsxNSr57FbJDn5Y+aUoXo7okty2MAjL0jEXM5bwgOsgBYWQass1hhFRb
+EnGk+WJTZUs0o1+WPi+2hrNHFwAKBzfI4ZRigEPa4monRDeCnyOe64qhb+koC/AA
+MNulG4ECgYEA5zIAmtGivoC92ffuQd+uk0mXNYSnKQFIYbs7L/GO8xLX1lzZQeA3
+tRRUM6s3aAmoB1q69x60HFulL/WmMvx+uKGrRIIimXTvRunxt2QFHAcnkAR3C4Vt
+habUbilP9qbj6wWU6GCyopkPC2OQmQgy9bE6f/6E6ArlYafatPMzQAkCgYEA5SEL
+oVbUXfyD9M7dm0q9R4GvzKIyg1l+afdXCCS4VoEhg+Sq94wBDjpezctt/8WhICau
+uoZzTZ9Y1SEsQ9JMQ0XCurV6C9eIR+mNrq4Ik7oqVMe7IbOoaYwuOpY8cJQXRNfR
+6EGthY2wZtzE7a4OyuinWUkfyzQcnwV6nb/6oX0CgYA5bIwF6Ef59VQyjYhaSEq+
+PqsWGerDHpRx4eVjlSYibe26SrmTyTNNAM2hP8e1SaC4ouqJctDdsk2nSeaMB3ca
+ON2nWINrhkXgYT8ug+NZANXsyY8gB3YamkNtUUmRRAacW3iO92WnSUkZVROXTxgJ
+OooDPJ6aXAp5ZQ3HoBh8sQKBgFXT5AxifxhZr4AzQRWbkH1JmfWYSD2ld1HwQZye
+TKKyqkBClrw1qGuQ99Q0wJaPjASEGO1r0aMg7mCflXouOzzz07ampfnrmXP+i4EE
+VdgoYxTw4CsGpi4rQWHWxvsQrgquoUVT3NDrO0m8ptO1YHsnXRB38L3oXlQ+9ChF
+MnftAoGAOVoCOlqqnkUY/u7U3tWu2W5WUnqdsopBxXHhygFKoJS9IcKx5gYoxTTj
+XJBGrKU/PD7TIQevRvdIqZFI+PtinhSF1z3zFMoCoKhaNOnul+hNYMn/IwxJFv1Y
+XqDI8srXac4vcTsKV0OtPnirx3+pnRlrQupNRZLocZciygUY7PM=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
index 6ba1be6..0e97d45 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
@@ -1,6 +1,5 @@
 moon:: cat /var/log/daemon.log::requesting ocsp status from::YES
-moon:: cat /var/log/daemon.log::self-signed certificate.*is not trusted::YES
-moon:: cat /var/log/daemon.log::ocsp response verification failed::YES
+moon:: cat /var/log/daemon.log::ocsp response verification failed, no signer certificate::YES
 moon:: cat /var/log/daemon.log::certificate status is not available::YES
 moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO
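Review bot: Dropping `self-signed certificate.*is not trusted` removes the only assertion that distinguished this untrusted-responder case from ocsp-no-signer-cert; after this commit both tests assert the same "ocsp response verification failed, no signer" message and the same RULE_CRL_VALIDATION failure. If the daemon still logs that the self-signed responder certificate was rejected as untrusted, keeping such a line is what proves the rejection happened for the right reason rather than because no certificate was found at all; if it no longer does, the test description should say the two cases are now expected to fail identically. The two patterns also differ in precision (`no signer` here versus `no signer certificate` in ocsp-no-signer-cert); pick one form for both.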
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 102801a..4e2acef 100644
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 102801a..4e2acef 100644
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 102801a..4e2acef 100644
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
index 69f9845..bbbafd7 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
-}
 
-libstrongswan {
   integrity_test = yes
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
index 69f9845..bbbafd7 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
-}
 
-libstrongswan {
   integrity_test = yes
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
index 8caa11c..66d8fb3 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
@@ -2,8 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
-}
 
-libstrongswan {
   integrity_test = yes
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
index 6c8911e..3eda3aa 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
-}
 
-libstrongswan {
   integrity_test = yes
 }
 
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
index 535b372..1a0f836 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 hmac stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 hmac gcm stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 
   plugins {
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
index 535b372..1a0f836 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 hmac stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 hmac gcm stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 
   plugins {
diff --git a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
index a436131..06d4dd9 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
@@ -1,5 +1,6 @@
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol at strongswan.org' with EAP successful::YES
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
index 4272d98..5e06976 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
@@ -1,6 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
+	charondebug="tls 2"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
index 2eb2adc..d397fe6 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown
+
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
index b9a58e9..37fa2b4 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
@@ -1,6 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
+	charondebug="tls 2"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
index 2eb2adc..ac6642e 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown
+
   multiple_authentication=no
 }
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
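Review bot: The new `libtls` section pins the cipher suites without saying why, and since only moon's strongswan.conf gets this section (carol's counterpart at the hunk above does not), a reader has to cross-reference evaltest.dat to see that the intent is to force a GCM suite onto the EAP-TLS handshake, which is also why `gcm` was added to the `load` line. A one-line comment above the section would make the fixture self-explaining, e.g. `# restrict the server to AES-GCM suites so EAP-TLS exercises the gcm plugin (checked in evaltest.dat)`. It would also be worth noting in that comment that the client (carol) must load `gcm` as well, since with this list the handshake presumably cannot complete otherwise.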
diff --git a/testing/tests/ikev2/rw-mark-in-out/posttest.dat b/testing/tests/ikev2/rw-mark-in-out/posttest.dat
index 283099a..407427a 100644
--- a/testing/tests/ikev2/rw-mark-in-out/posttest.dat
+++ b/testing/tests/ikev2/rw-mark-in-out/posttest.dat
@@ -6,7 +6,5 @@ alice::iptables-restore < /etc/iptables.flush
 venus::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
 sun::ip route del 10.1.0.0/16 via PH_IP_MOON
-sun::conntrack -F
 sun::rm /etc/mark_updown
 moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/libipsec/net2net-3des/description.txt b/testing/tests/libipsec/net2net-3des/description.txt
new file mode 100644
index 0000000..632162c
--- /dev/null
+++ b/testing/tests/libipsec/net2net-3des/description.txt
@@ -0,0 +1,9 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> and the <b>kernel-libipsec</b> 
+plugin is used for userland IPsec ESP encryption. The negotiated encryption and authentication
+algorithms are <b>3DES</b> and <b>SHA-1</b>, respectively.
+<p/>
+Upon the successful establishment of the IPsec tunnel, an updown script automatically
+inserts iptables-based firewall rules that let pass the traffic tunneled via the
+<b>ipsec0</b> tun interface. In order to test both tunnel and firewall, client <b>alice</b>
+behind gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/libipsec/net2net-3des/evaltest.dat b/testing/tests/libipsec/net2net-3des/evaltest.dat
new file mode 100644
index 0000000..f60fea6
--- /dev/null
+++ b/testing/tests/libipsec/net2net-3des/evaltest.dat
@@ -0,0 +1,11 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::ipsec statusall 2> /dev/null::net-net\[1].*3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024::YES
+sun:: ipsec statusall 2> /dev/null::net-net\[1].*3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::ipsec statusall 2> /dev/null::net-net[{]1}.*3DES_CBC/HMAC_SHA1_96::YES
+sun:: ipsec statusall 2> /dev/null::net-net[{]1}.*3DES_CBC/HMAC_SHA1_96::YES
+sun::tcpdump::IP moon.strongswan.org.4500 > sun.strongswan.org.4500: UDP-encap: ESP::YES
+sun::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/ipsec.conf
similarity index 54%
copy from testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
copy to testing/tests/libipsec/net2net-3des/hosts/moon/etc/ipsec.conf
index b9a58e9..f1d328f 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/ipsec.conf
@@ -8,14 +8,17 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
+	ike=3des-sha1-modp1024!
+	esp=3des-sha1-modp1024!
+	mobike=no
 
-conn rw-eap
+conn net-net 
 	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
 	leftcert=moonCert.pem
-	leftauth=eap-tls
-	leftfirewall=yes
-	rightauth=eap-tls
-	rightsendcert=never
-	right=%any
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftupdown=/etc/updown
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
 	auto=add
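Review bot: The `conn net-net ` line carries a trailing space after the connection name; the starter parser presumably trims it, but it is inconsistent with the other fixtures in this commit and should be `conn net-net`. The `ike=3des-sha1-modp1024!` and `esp=3des-sha1-modp1024!` lines deliberately pin 3DES/SHA-1/MODP-1024 with a strict proposal, which matches the fixture's purpose (the directory is net2net-3des and evaltest.dat expects `3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024`), so a short comment such as `# fixed weak proposal on purpose: this test exercises 3DES via kernel-libipsec` above the `ike=` line would stop the file being read as a configuration template. The `conn %default` section this hunk edits starts outside the hunk.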
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf
similarity index 66%
copy from testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
copy to testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf
index 8e685c8..97bb34a 100644
--- a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown
new file mode 100755
index 0000000..1a68ada
--- /dev/null
+++ b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown
@@ -0,0 +1,705 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen at strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	;;
+up-host:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+	;;
+route-host-v6:*|route-client-v6:*)
+	# connection to me or my client subnet being routed
+	#uproute_v6
+	;;
+unroute-host-v6:*|unroute-client-v6:*)
+	# connection to me or my client subnet being unrouted
+	#downroute_v6
+	;;
+up-host-v6:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host-v6:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client-v6:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-client-v6:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/ipsec.conf
new file mode 100644
index 0000000..3bd31c6
--- /dev/null
+++ b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+        ike=3des-sha1-modp1024!
+        esp=3des-sha1-modp1024!
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftupdown=/etc/updown
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
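Review bot: Indentation inside `conn %default` mixes tabs and spaces — `keyingtries=1`, `ike=3des-sha1-modp1024!` and `esp=3des-sha1-modp1024!` are space-indented while every other key in the file uses a tab — and `conn net-net ` carries a trailing space. The ipsec.conf parser presumably tolerates both, but the three lines read as if pasted from elsewhere; indent them with a tab like their neighbours and drop the trailing whitespace.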
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf
similarity index 66%
copy from testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
copy to testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf
index 8e685c8..97bb34a 100644
--- a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown
new file mode 100755
index 0000000..1a68ada
--- /dev/null
+++ b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown
@@ -0,0 +1,705 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen at strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	;;
+up-host:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+	;;
+route-host-v6:*|route-client-v6:*)
+	# connection to me or my client subnet being routed
+	#uproute_v6
+	;;
+unroute-host-v6:*|unroute-client-v6:*)
+	# connection to me or my client subnet being unrouted
+	#downroute_v6
+	;;
+up-host-v6:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host-v6:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client-v6:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-client-v6:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
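Review bot: The two assignments under "# resolve octal escape sequences" pass the identities to printf as the format string (`printf "$PLUTO_MY_ID"` and `printf "$PLUTO_PEER_ID"`), so a `%` inside an identity — a value that comes from the remote end of the IKE exchange — is parsed as a conversion specifier and the string that later reaches the logger lines is no longer the real ID. Whether charon already escapes `%` before exporting these variables is not visible here, so closing it on the script side is cheap: doubling percent signs keeps the octal-escape expansion and makes everything else literal, e.g. `PLUTO_PEER_ID=$(printf "$(printf '%s' "$PLUTO_PEER_ID" | sed 's/%/%%/g')")` and the same for `PLUTO_MY_ID`. Separately, the version-check pattern `1.[0|1])` is a bracket expression that also matches a literal `|`; `1.[01])` is what was meant. The same script is added for the other host earlier in this commit, and both remarks apply there as well.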
diff --git a/testing/tests/ikev1/nat-virtual-ip/posttest.dat b/testing/tests/libipsec/net2net-3des/posttest.dat
similarity index 73%
copy from testing/tests/ikev1/nat-virtual-ip/posttest.dat
copy to testing/tests/libipsec/net2net-3des/posttest.dat
index 11bd19d..1f7aa73 100644
--- a/testing/tests/ikev1/nat-virtual-ip/posttest.dat
+++ b/testing/tests/libipsec/net2net-3des/posttest.dat
@@ -2,5 +2,3 @@ moon::ipsec stop
 sun::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
-moon::conntrack -F
-moon::rm /etc/nat_updown
diff --git a/testing/tests/ikev1/nat-virtual-ip/pretest.dat b/testing/tests/libipsec/net2net-3des/pretest.dat
similarity index 83%
copy from testing/tests/ikev1/nat-virtual-ip/pretest.dat
copy to testing/tests/libipsec/net2net-3des/pretest.dat
index eb0c28c..c724e5d 100644
--- a/testing/tests/ikev1/nat-virtual-ip/pretest.dat
+++ b/testing/tests/libipsec/net2net-3des/pretest.dat
@@ -1,8 +1,6 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::conntrack -F
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
 moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/libipsec/net2net-3des/test.conf b/testing/tests/libipsec/net2net-3des/test.conf
new file mode 100644
index 0000000..646b8b3
--- /dev/null
+++ b/testing/tests/libipsec/net2net-3des/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf
index 06bcaa1..69c6e32 100644
--- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf
@@ -4,9 +4,7 @@ charon {
   load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown
 
   initiator_only = yes
-}
 
-libstrongswan {
   plugins {
     openssl {
       fips_mode = 2
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
index 06bcaa1..69c6e32 100644
--- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
@@ -4,9 +4,7 @@ charon {
   load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown
 
   initiator_only = yes
-}
 
-libstrongswan {
   plugins {
     openssl {
       fips_mode = 2
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf
index efa0575..fa8dd94 100644
--- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown
-}
 
-libstrongswan {
   plugins {
     openssl {
       fips_mode = 2 
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
index 6284763..4901462 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
@@ -3,9 +3,7 @@
 charon {
   load = curl pem pkcs1 random nonce openssl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
-}
 
-libstrongswan {
   x509 {
     enforce_critical = no
   }
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt b/testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt
new file mode 100644
index 0000000..bd680b5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt
@@ -0,0 +1,6 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>OpenPGP V3 keys</b>. Upon the successful
+establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat
new file mode 100644
index 0000000..460c659
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat
@@ -0,0 +1,7 @@
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed.*sun <sun.strongswan.org>::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun <sun.strongswan.org>.*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
similarity index 61%
copy from testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
copy to testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
index b9a58e9..7601113 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
@@ -8,14 +8,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-
-conn rw-eap
+	
+conn net-net
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
-	leftcert=moonCert.pem
-	leftauth=eap-tls
+	leftcert=moonCert.asc
+	leftid=@#71270432cd763a18020ac988c0e75aed
 	leftfirewall=yes
-	rightauth=eap-tls
-	rightsendcert=never
-	right=%any
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightcert=sunCert.asc
 	auto=add
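Review bot: The blank line that separated `conn %default` from the new `conn net-net` section was replaced by a whitespace-only line (a lone tab) at the start of this hunk; the separator should stay a genuinely empty line as it is in the copy source. Whitespace-only lines are invisible in review and are the kind of thing editors and pre-commit whitespace checks flag later. The same tab-only separator is introduced in the copied hosts/sun/etc/ipsec.conf of this test.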
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 0000000..afb1ff9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.asc
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000..aea93d2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = openssl pem pkcs1 pgp random nonce stroke kernel-netlink socket-default updown
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
similarity index 59%
copy from testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
copy to testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
index 4272d98..641c3d9 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
@@ -8,15 +8,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftauth=eap
+	
+conn net-net
+	left=PH_IP_SUN
+	leftsubnet=10.2.0.0/16
+	leftcert=sunCert.asc
 	leftfirewall=yes
 	right=PH_IP_MOON
-	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
-	rightauth=any
 	rightsubnet=10.1.0.0/16
-	rightsendcert=never
+	rightcert=moonCert.asc
+	rightid=@#71270432cd763a18020ac988c0e75aed
 	auto=add
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 0000000..ee98b16
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA sunKey.asc
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
new file mode 100644
index 0000000..aea93d2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = openssl pem pkcs1 pgp random nonce stroke kernel-netlink socket-default updown
+}
+
diff --git a/testing/tests/ikev1/nat-virtual-ip/posttest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat
similarity index 50%
copy from testing/tests/ikev1/nat-virtual-ip/posttest.dat
copy to testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat
index 11bd19d..9a9513d 100644
--- a/testing/tests/ikev1/nat-virtual-ip/posttest.dat
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat
@@ -2,5 +2,7 @@ moon::ipsec stop
 sun::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
-moon::conntrack -F
-moon::rm /etc/nat_updown
+moon::rm /etc/ipsec.d/certs/*
+moon::rm /etc/ipsec.d/private/*
+sun::rm /etc/ipsec.d/certs/*
+sun::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev1/nat-virtual-ip/pretest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat
similarity index 65%
copy from testing/tests/ikev1/nat-virtual-ip/pretest.dat
copy to testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat
index eb0c28c..0f4ae0f 100644
--- a/testing/tests/ikev1/nat-virtual-ip/pretest.dat
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat
@@ -1,8 +1,8 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::conntrack -F
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::sleep 2
 moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf
new file mode 100644
index 0000000..afa2acc
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 9f31821..a952c81 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors pem pkcs1 openssl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 5708510..d9d650c 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     required = yes
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index f065861..065050d 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors pem pkcs1 openssl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
index a2c02f6..7d32c11 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
@@ -1,7 +1,7 @@
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
-carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::YES
+carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol at strongswan.org' with EAP successful::YES
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
index 6072bb3..c55b0a9 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 random nonce openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+  load = curl pem pkcs1 random nonce openssl revocation stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
index 5660f43..af4737f 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@@ -1,13 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 random nonce openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+  load = curl pem pkcs1 random nonce openssl revocation stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 }
 
 libtls {
-  key_exchange = ecdhe-ecdsa
-  cipher = aes128
-  mac = sha256
+  suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 }
 
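Review bot: The new `suites` line in the `libtls` section carries no comment, so a reader cannot tell why the EAP-TLS server is restricted to these two ECDHE-ECDSA GCM suites nor that this test's evaltest.dat now expects `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` to be the negotiated suite. Propose a comment above it: `# offer only AEAD ECDHE-ECDSA suites; evaltest.dat expects the AES-128-GCM suite to be negotiated`. If the client's proposal order rather than this server-side list decides between the two suites, the evaltest expectation could be brittle; worth confirming against libtls's selection logic.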
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf
index 128d4f2..8a8e08e 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf
@@ -4,14 +4,13 @@ charon {
   load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
 
   initiator_only = yes
-}
-
-libstrongswan {
   integrity_test = yes
+
   crypto_test {
     required = yes
     on_add = yes
   }
+
   plugins {
     openssl {
       fips_mode = 2
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
index 958a502..c97a520 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
@@ -7,14 +7,13 @@ charon {
   retransmit_base = 1.5
   retransmit_tries = 3 
   initiator_only = yes
-}
-
-libstrongswan {
   integrity_test = yes
+
   crypto_test {
     required = yes
     on_add = yes
   }
+
   plugins {
     openssl {
       fips_mode = 2
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf
index fc49f9f..a234b6c 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf
@@ -2,14 +2,14 @@
 
 charon {
   load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
-}
 
-libstrongswan {
   integrity_test = yes
+
   crypto_test {
     required = yes
     on_add = yes
   }
+
   plugins {
     openssl {
       fips_mode = 2 
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf
index 128d4f2..8a8e08e 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf
@@ -4,14 +4,13 @@ charon {
   load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
 
   initiator_only = yes
-}
-
-libstrongswan {
   integrity_test = yes
+
   crypto_test {
     required = yes
     on_add = yes
   }
+
   plugins {
     openssl {
       fips_mode = 2
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf
index 958a502..c97a520 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf
@@ -7,14 +7,13 @@ charon {
   retransmit_base = 1.5
   retransmit_tries = 3 
   initiator_only = yes
-}
-
-libstrongswan {
   integrity_test = yes
+
   crypto_test {
     required = yes
     on_add = yes
   }
+
   plugins {
     openssl {
       fips_mode = 2
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf
index fc49f9f..a234b6c 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf
@@ -2,14 +2,14 @@
 
 charon {
   load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
-}
 
-libstrongswan {
   integrity_test = yes
+
   crypto_test {
     required = yes
     on_add = yes
   }
+
   plugins {
     openssl {
       fips_mode = 2 
diff --git a/testing/tests/p2pnat/behind-same-nat/posttest.dat b/testing/tests/p2pnat/behind-same-nat/posttest.dat
index a1d5b46..f020957 100644
--- a/testing/tests/p2pnat/behind-same-nat/posttest.dat
+++ b/testing/tests/p2pnat/behind-same-nat/posttest.dat
@@ -5,4 +5,3 @@ alice::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 venus::iptables-restore < /etc/iptables.flush
 moon::iptables-restore < /etc/iptables.flush
-moon::conntrack -F
diff --git a/testing/tests/p2pnat/medsrv-psk/posttest.dat b/testing/tests/p2pnat/medsrv-psk/posttest.dat
index 4b696b9..90a7292 100644
--- a/testing/tests/p2pnat/medsrv-psk/posttest.dat
+++ b/testing/tests/p2pnat/medsrv-psk/posttest.dat
@@ -6,5 +6,3 @@ carol::iptables-restore < /etc/iptables.flush
 bob::iptables-restore < /etc/iptables.flush
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
-moon::conntrack -F
-sun::conntrack -F
diff --git a/testing/tests/pfkey/nat-rw/posttest.dat b/testing/tests/pfkey/nat-rw/posttest.dat
index 4643a3a..bc7d237 100644
--- a/testing/tests/pfkey/nat-rw/posttest.dat
+++ b/testing/tests/pfkey/nat-rw/posttest.dat
@@ -5,4 +5,3 @@ alice::iptables-restore < /etc/iptables.flush
 venus::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
index 3da60b8..8aa0ef4 100644
--- a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
index 3da60b8..8aa0ef4 100644
--- a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
index 3da60b8..8aa0ef4 100644
--- a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
index 7cd88f5..101bd2e 100644
--- a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
@@ -7,9 +7,7 @@ charon {
     }
   }
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
index 7cd88f5..101bd2e 100644
--- a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
@@ -7,9 +7,7 @@ charon {
     }
   }
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
index 7cd88f5..101bd2e 100644
--- a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
@@ -7,9 +7,7 @@ charon {
     }
   }
   load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
-}
 
-libstrongswan {
   integrity_test = yes
   crypto_test {
     on_add = yes
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat
index f7d86ec..97ff0c1 100644
--- a/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat
@@ -6,7 +6,7 @@ carol::cat /etc/tnc_config
 carol::echo 0 > /proc/sys/net/ipv4/ip_forward
 dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
 dave::cat /etc/tnc_config
-alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data.sql
+alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql
 alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
 alice::ipsec start
 winnetou::ip route add 10.1.0.0/16 via 192.168.0.1
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt b/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt
new file mode 100644
index 0000000..2997650
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt
@@ -0,0 +1,26 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0 </b>
+client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS IMC and OS IMV pair
+is using the <b>IF-M 1.0</b> measurement protocol defined by <b>RFC 5792 PA-TNC</b> to
+exchange PA-TNC attributes.
+<p>
+<b>carol</b> sends information on her operating system consisting of the PA-TNC attributes
+<em>Product Information</em>, <em>String Version</em>, and <em>Device ID</em> up-front
+to the Attestation IMV, whereas <b>dave</b> must be prompted by the IMV to do so via an
+<em>Attribute Request</em> PA-TNC attribute. <b>dave</b> is instructed to do a reference
+measurement on all files in the <b>/bin</b> directory. <b>carol</b> is then prompted to
+measure a couple of individual files and the files in the <b>/bin</b> directory as
+well as to get metadata on the <b>/etc/tnc_confg</b> configuration file.
+<p>
+Since the Attestation IMV negotiates a Diffie-Hellman group for TPM-based measurements,
+the mandatory default being <b>ecp256</b>, with the strongswan.conf option
+<b>mandatory_dh_groups = no</b> no ECC support is required.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails because IP forwarding is
+enabled. Based on these assessments which are communicated to the IMCs using the
+<em>Assessment Result</em> PA-TNC attribute, the clients are connected by gateway <b>moon</b>
+to the "rw-allow" and "rw-isolate" subnets, respectively.
+</p>
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat
new file mode 100644
index 0000000..5eb9440
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat
@@ -0,0 +1,20 @@
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*carol at strongswan.org - allow::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol at strongswan.org' with EAP successful::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave at strongswan.org - isolate::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave at strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf
similarity index 77%
copy from testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
copy to testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf
index 4272d98..d17473d 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf
@@ -1,6 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
+	charondebug="tnc 3, imc 3, pts 3"
 
 conn %default
 	ikelifetime=60m
@@ -11,12 +12,12 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftcert=carolCert.pem
+	leftid=carol at strongswan.org
 	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
-	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightid=@moon.strongswan.org
 	rightauth=any
-	rightsubnet=10.1.0.0/16
 	rightsendcert=never
+	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 0000000..74942af
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol at strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000..72bf2c7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,22 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-os {
+      push_info = yes
+    }
+    imc-attestation {
+      mandatory_dh_groups = no
+    }
+  }
+}
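Review bot: `mandatory_dh_groups = no` in the `imc-attestation` block relaxes a default without any comment explaining why; the rationale given in this test's description.txt (the mandatory default PTS DH group is ecp256 and the test must run without ECC support) belongs next to the setting so it is not copied into non-test configurations blindly. Propose `# waive the mandatory ecp256 PTS DH group so this test runs without ECC support` above the line. The same uncommented setting is added in hosts/dave/etc/strongswan.conf of this test.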
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/tnc_config
new file mode 100644
index 0000000..15dc93a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"          /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf
similarity index 72%
copy from testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
copy to testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf
index 4272d98..d459bfc 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf
@@ -1,6 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
+	charondebug="tnc 3, imc 3, pts 3"
 
 conn %default
 	ikelifetime=60m
@@ -10,13 +11,13 @@ conn %default
 	keyexchange=ikev2
 
 conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
+	left=PH_IP_DAVE
+	leftid=dave at strongswan.org
 	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
-	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightid=@moon.strongswan.org
 	rightauth=any
-	rightsubnet=10.1.0.0/16
 	rightsendcert=never
+	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 0000000..5496df7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave at strongswan.org : EAP "W7R0g3do"
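Review bot: The EAP password is committed in clear text with file mode 100644, and the same string must appear verbatim in moon's ipsec.secrets added later in this commit, since both sides derive the EAP-MD5 response from this shared secret; a short comment, e.g. `# must match the dave entry in moon's ipsec.secrets`, would tie the two fixtures together. The mode is acceptable for a fixture that the testing framework installs into the guest, but the installed copy should end up root-owned with restrictive permissions like any ipsec.secrets.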
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000..6f71994
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,25 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+    tnc-imc {
+      preferred_language = de
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-os {
+      push_info = no
+    }
+    imc-attestation {
+      mandatory_dh_groups = no
+    }
+  }
+}
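Review bot: `mandatory_dh_groups = no` is the setting that gives this scenario its `pts-no-ecc` name, but nothing in the file says so; a comment above the imc-attestation block, e.g. `# exercise PTS without the ECC DH groups that are presumably mandatory by default`, would make the intent clear, and the same applies to moon's imv-attestation block in this commit. The `preferred_language = de` under tnc-imc is absent from carol's visible configuration and is presumably deliberate to exercise language negotiation; a one-line comment would save the next reader from wondering.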
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/tnc_config
new file mode 100644
index 0000000..15dc93a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"          /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf
new file mode 100644
index 0000000..bc8b2d8
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imv 3, pts 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
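Review bot: The `rw-allow`/`rw-isolate` pair differs only in `rightgroups` and `leftsubnet`, and the mechanism that places a peer into the `allow` or `isolate` group (presumably the TNC recommendation issued by the IMVs) is not stated anywhere in the file; a comment on the two conns, e.g. `# conn selection is driven by the group assigned from the TNC recommendation`, would help. With `right=%any` and the wildcard `rightid=*@strongswan.org`, any EAP identity in the domain reaches the EAP exchange, so the subnet separation rests entirely on that group assignment, which is worth stating explicitly.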
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 0000000..2e277cc
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol at strongswan.org : EAP "Ar3etTnp"
+dave at strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql
new file mode 100644
index 0000000..2bb7e79
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql
@@ -0,0 +1,29 @@
+/* Devices */
+
+INSERT INTO devices (                  /*  1 */
+  value, product, created  
+) VALUES (
+  'aabbccddeeff11223344556677889900', 28, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+  group_id, device_id
+) VALUES (
+  10, 1
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 10, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  16, 2, 0
+);
+
+DELETE FROM enforcements WHERE id = 1;
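Review bot: The device `value` inserted here must equal the machine-id that pretest.dat writes on dave, and the numeric ids used throughout (product 28, groups 10 and 2, policies 3 and 16, the `id = 1` deleted at the end) are positions in the upstream data.sql that pretest.dat concatenates ahead of this file; a header comment such as `/* value = machine-id set on dave in pretest.dat; numeric ids refer to rows in templates/database/imv/data.sql */` would make the coupling visible. The closing `DELETE FROM enforcements WHERE id = 1` in particular depends silently on data.sql assigning that id to the row this scenario wants removed, so naming that row in a comment would help. The `value, product, created` column line also carries trailing whitespace.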
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000..e76598b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,34 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  database = sqlite:///etc/pts/config.db
+  policy_script = ipsec imv_policy_manager
+  plugins {
+    imv-attestation {
+      hash_algorithm = sha1
+      dh_group = modp2048
+      mandatory_dh_groups = no
+    }
+  }
+}
+
+attest {
+  load = random nonce openssl sqlite
+  database = sqlite:///etc/pts/config.db
+}
+
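Review bot: The `database = sqlite:///etc/pts/config.db` URI is repeated in the `libimcv` and `attest` sections and must stay identical, since pretest.dat populates exactly that file; a comment on one of them, e.g. `# same DB as attest below, created by pretest.dat`, would record that. `hash_algorithm = sha1` for the PTS measurements is presumably tied to the simulated measurement data in this scenario rather than a general choice, and a comment saying so would keep it from being copied into non-test configurations. The file also ends with a stray empty line (the last `+` line of the hunk), which the other fixtures in this commit do not have.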
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/tnc_config
new file mode 100644
index 0000000..6507baa
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "OS"          /usr/local/lib/ipsec/imcvs/imv-os.so
+IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so
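Review bot: The header comment reads `#IMV configuration file for strongSwan client `, but this file lives on moon, which loads the IMV side (imv-os, imv-attestation) and acts as the TNC server in this scenario; the line looks copied from the IMC files on carol and dave and should read `#IMV configuration file for strongSwan server`. The line also carries trailing whitespace, as do its IMC counterparts.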
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat
new file mode 100644
index 0000000..48514d6
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+carol::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::rm /etc/pts/config.db
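Review bot: posttest.dat does not undo the `/var/lib/dbus/machine-id` overwrite that pretest.dat performs on dave, while it does restore ip_forward and the iptables rules on the other hosts; if the guests persist between scenarios, a later test reading dave's machine-id inherits this fixed value. Either restoring the original content (saved aside in pretest) or a comment stating that the guest is discarded after the run would make the asymmetry intentional.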
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat
new file mode 100644
index 0000000..49ea041
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat
@@ -0,0 +1,18 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::ipsec start
+dave::ipsec start
+carol::ipsec start
+dave::sleep 1
+dave::ipsec up home
+carol::ipsec up home
+carol::sleep 1
+moon::ipsec attest --sessions
+moon::ipsec attest --devices
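Review bot: The sqlite import on the moon line assumes `/etc/pts/config.db` does not yet exist; posttest.dat removes it, but an aborted earlier run would leave the old tables behind and the concatenated `tables.sql` would then fail or the data files would duplicate rows. Prefixing the command with `rm -f /etc/pts/config.db;` would make the scenario self-contained. The machine-id written on dave must match the device value in data1.sql; a comment pointing at that file would document the coupling.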
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf
new file mode 100644
index 0000000..a8a05af
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
index e6f5ad3..f4ea047 100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
@@ -2,20 +2,14 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+
   multiple_authentication=no
+  integrity_test = yes
+
   plugins {
     eap-tnc {
       protocol = tnccs-1.1
     }
-  }
-}
-
-libstrongswan {
-  integrity_test = yes
-}
-
-libimcv {
-  plugins {
     imc-test {
       command = allow
     }
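Review bot: The `imc-test` block is relocated from `libimcv.plugins` into `charon.plugins`, while the new tnccs-20-pts-no-ecc fixtures in this same commit keep their IMC settings (imc-os, imc-attestation) under `libimcv.plugins`; unless imc-test genuinely reads its `command` from the daemon namespace, this looks inconsistent, and either way a comment such as `# imc-test reads its settings from the charon namespace` would stop a future cleanup from moving it back. The dave fixture in this commit receives the same move. The enclosing charon block is closed outside the hunk.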
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
index db91eac..4c738ce 100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
@@ -2,20 +2,14 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+
   multiple_authentication=no
+  integrity_test = yes
+
   plugins {
     eap-tnc {
       protocol = tnccs-2.0
     }
-  }
-}
-
-libstrongswan {
-  integrity_test = yes
-}
-
-libimcv {
-  plugins {
     imc-test {
       command = isolate
     }
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
index 3fc6c3a..0b1cf10 100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
@@ -2,7 +2,10 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-dynamic tnccs-11 tnccs-20 tnc-imv updown
+
   multiple_authentication=no
+  integrity_test = yes
+
   plugins {
     eap-ttls {
       phase2_method = md5
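Review bot: `integrity_test = yes` moves under `charon` here as in the carol and dave fixtures, but unlike those, the `libimcv.plugins.imv-scanner` settings removed further down this file are dropped rather than relocated into `charon.plugins`. If moon's tnc_config (not part of this diff) still loads imv-scanner, its closed_port_policy and port lists revert to built-in defaults; if the IMV is no longer used in the scenario, a note in the commit message would make that intent clear. The charon block continues past the hunk.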
@@ -14,17 +17,3 @@ charon {
     }
   }
 }
-
-libstrongswan {
-  integrity_test = yes
-}
-
-libimcv {
-  plugins {
-    imv-scanner {
-      closed_port_policy = yes 
-      tcp_ports = 22 
-      udp_ports = 500 4500
-    }
-  }
-}

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-swan/strongswan.git


