[Pkg-swan-devel] [strongswan] 01/01: Imported Upstream version 5.3.4

Yves-Alexis Perez corsac at moszumanska.debian.org
Wed Nov 18 13:56:11 UTC 2015


This is an automated email from the git hooks/post-receive script.

corsac pushed a commit to branch upstream
in repository strongswan.

commit 1e980d6be0ef0e243c6fe82b5e855454b97e24a4
Author: Yves-Alexis Perez <corsac at debian.org>
Date:   Wed Nov 18 14:49:27 2015 +0100

    Imported Upstream version 5.3.4
---
 Android.common.mk                                  |   2 +-
 NEWS                                               |  16 +-
 conf/options/charon-logging.conf                   |   5 +
 conf/options/charon-logging.opt                    |   4 +
 conf/options/charon.conf                           |   8 +
 conf/options/charon.opt                            |   8 +
 conf/strongswan.conf.5.main                        |  17 +
 config.h.in                                        |   3 +
 configure                                          |  75 ++-
 configure.ac                                       |  16 +-
 init/systemd/strongswan.service.in                 |   2 +-
 src/_updown/_updown.in                             |  31 ++
 src/charon-cmd/charon-cmd.c                        |  12 +-
 src/charon-nm/charon-nm.c                          |  10 +-
 src/charon-systemd/charon-systemd.c                |  10 +-
 src/charon-tkm/src/charon-tkm.c                    |  14 +-
 src/charon-tkm/src/tkm/tkm_kernel_ipsec.c          |   7 +-
 src/charon-tkm/src/tkm/tkm_spi_generator.c         |  98 ++++
 .../src/tkm/tkm_spi_generator.h}                   |  37 +-
 src/charon/charon.c                                |  11 +-
 src/conftest/conftest.c                            |  10 +-
 src/include/Makefile.am                            |   2 +-
 src/include/Makefile.in                            |   2 +-
 src/include/linux/socket.h                         |  21 +
 src/ipsec/_ipsec.8                                 |   2 +-
 src/ipsec/_ipsec.in                                |   4 +-
 src/libcharon/Android.mk                           |   1 -
 src/libcharon/bus/listeners/file_logger.c          |  32 +-
 src/libcharon/bus/listeners/file_logger.h          |   7 +-
 src/libcharon/config/peer_cfg.c                    |   2 +-
 src/libcharon/daemon.c                             |  46 +-
 src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c  | 115 +++--
 .../plugins/eap_radius/eap_radius_provider.c       |  32 +-
 .../plugins/error_notify/error_notify_listener.c   |   2 +-
 src/libcharon/plugins/ha/ha_child.c                |   2 +-
 src/libcharon/plugins/ha/ha_dispatcher.c           |   2 +-
 .../kernel_libipsec/kernel_libipsec_ipsec.c        |   7 +-
 .../plugins/kernel_wfp/kernel_wfp_ipsec.c          |   9 +-
 .../plugins/load_tester/load_tester_ipsec.c        |   5 +-
 .../plugins/socket_default/socket_default_socket.c | 281 +++++++----
 .../plugins/socket_dynamic/socket_dynamic_socket.c |  94 ++--
 src/libcharon/plugins/stroke/stroke_config.c       |   6 +-
 src/libcharon/plugins/stroke/stroke_control.c      |  71 +--
 src/libcharon/plugins/stroke/stroke_list.c         |   6 +-
 src/libcharon/plugins/vici/README.md               |  21 +-
 src/libcharon/plugins/vici/vici_attribute.c        |  28 +-
 src/libcharon/plugins/vici/vici_cred.c             |  12 +-
 src/libcharon/plugins/vici/vici_query.c            |  47 ++
 .../processing/jobs/initiate_mediation_job.c       |   4 +
 src/libcharon/sa/child_sa.c                        | 178 +++----
 src/libcharon/sa/ike_sa_manager.c                  |  84 +++-
 src/libcharon/sa/ike_sa_manager.h                  |  21 +-
 src/libcharon/sa/ikev1/keymat_v1.c                 |  20 +-
 src/libcharon/sa/ikev1/task_manager_v1.c           | 110 ++++-
 src/libcharon/sa/ikev1/tasks/mode_config.c         |   4 +-
 src/libcharon/sa/ikev1/tasks/quick_delete.c        |   4 +-
 src/libcharon/sa/ikev1/tasks/quick_mode.c          |   6 +-
 src/libcharon/sa/ikev1/tasks/xauth.c               |  10 +-
 src/libcharon/sa/ikev2/keymat_v2.c                 |   1 +
 src/libcharon/sa/ikev2/tasks/child_create.c        |   4 +-
 src/libcharon/sa/ikev2/tasks/child_delete.c        |   4 +-
 src/libcharon/sa/ikev2/tasks/ike_mobike.c          |   6 +-
 src/libcharon/sa/ikev2/tasks/ike_natd.c            |  28 +-
 src/libcharon/sa/shunt_manager.c                   |  66 ++-
 src/libcharon/sa/trap_manager.c                    |   2 +
 src/libfast/fast_dispatcher.c                      |   3 +-
 src/libhydra/Android.mk                            |   1 -
 src/libhydra/kernel/kernel_interface.c             |  27 +-
 src/libhydra/kernel/kernel_interface.h             |  53 ++-
 src/libhydra/kernel/kernel_ipsec.c                 |   7 +-
 src/libhydra/kernel/kernel_ipsec.h                 |  23 +-
 src/libhydra/kernel/kernel_net.c                   |   7 +-
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c  |  81 ++--
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c      |  19 +-
 src/libimcv/imv/data.sql                           |  48 ++
 src/libipsec/Android.mk                            |   1 -
 src/libipsec/esp_context.c                         |  14 +-
 src/libstrongswan/Android.mk                       |   4 +-
 src/libstrongswan/Makefile.am                      |  14 +-
 src/libstrongswan/Makefile.in                      | 257 +++++-----
 src/libstrongswan/asn1/oid.c                       | 511 ++++++++++----------
 src/libstrongswan/asn1/oid.h                       | 201 ++++----
 src/libstrongswan/asn1/oid.txt                     |  17 +-
 src/libstrongswan/credentials/auth_cfg.c           |   6 +-
 src/libstrongswan/credentials/keys/public_key.c    |  64 ++-
 src/libstrongswan/credentials/keys/public_key.h    |  20 +-
 src/libstrongswan/crypto/hashers/hasher.c          |  75 ++-
 src/libstrongswan/crypto/hashers/hasher.h          |   4 +
 src/libstrongswan/crypto/iv/iv_gen.c               |   5 +
 src/libstrongswan/crypto/iv/iv_gen_null.c          |  63 +++
 .../iv/iv_gen_null.h}                              |  24 +-
 src/libstrongswan/plugins/bliss/bliss_plugin.c     |  24 +-
 .../plugins/bliss/bliss_private_key.c              |  12 +-
 src/libstrongswan/plugins/bliss/bliss_public_key.c |  12 +-
 .../plugins/bliss/tests/suites/test_bliss_sign.c   |  10 +-
 src/libstrongswan/plugins/curl/curl_fetcher.c      |   6 +-
 .../plugins/openssl/openssl_diffie_hellman.c       |   1 +
 .../plugins/openssl/openssl_ec_diffie_hellman.c    |   1 +
 .../plugins/openssl/openssl_rsa_private_key.c      |   1 +
 .../plugins/openssl/openssl_rsa_public_key.c       |   1 +
 src/libstrongswan/plugins/openssl/openssl_util.c   |   1 +
 src/libstrongswan/plugins/plugin_loader.c          |  17 +-
 src/libstrongswan/plugins/random/random_rng.c      |   1 +
 .../plugins/revocation/revocation_validator.c      |   2 +-
 src/libstrongswan/plugins/sha3/Makefile.am         |  16 +
 .../plugins/{test_vectors => sha3}/Makefile.in     | 216 +--------
 src/libstrongswan/plugins/sha3/sha3_hasher.c       | 527 +++++++++++++++++++++
 src/libstrongswan/plugins/sha3/sha3_hasher.h       |  48 ++
 src/libstrongswan/plugins/sha3/sha3_plugin.c       |  79 +++
 .../plugins/sha3/sha3_plugin.h}                    |  45 +-
 src/libstrongswan/plugins/test_vectors/Makefile.am |   1 +
 src/libstrongswan/plugins/test_vectors/Makefile.in |  11 +-
 .../plugins/test_vectors/test_vectors.h            |  24 +
 .../plugins/test_vectors/test_vectors/sha3.c       | 328 +++++++++++++
 src/libstrongswan/plugins/x509/x509_ocsp_request.c |   4 +-
 src/libstrongswan/selectors/traffic_selector.c     |   9 +-
 src/libstrongswan/settings/settings.c              |  25 +
 src/libstrongswan/settings/settings.h              |   9 +
 src/libstrongswan/tests/suites/test_hasher.c       | 137 ++++--
 .../tests/suites/test_identification.c             |   1 +
 src/libstrongswan/tests/suites/test_settings.c     |  24 +
 .../tests/suites/test_traffic_selector.c           |   6 +-
 src/libstrongswan/tests/suites/test_utils.c        |   6 +-
 .../compat/android.h}                              |  13 +-
 src/libstrongswan/utils/compat/windows.h           |   5 +
 src/libstrongswan/utils/utils.c                    |  25 +-
 src/libstrongswan/utils/utils.h                    |  19 +-
 src/libtnccs/plugins/tnc_imc/tnc_imc.c             |   8 +-
 src/libtnccs/plugins/tnc_imv/tnc_imv.c             |   8 +-
 src/medsrv/Makefile.am                             |   4 +-
 src/medsrv/Makefile.in                             |   4 +-
 src/medsrv/templates/peer/add.cs                   |   2 +-
 src/medsrv/templates/peer/edit.cs                  |   2 +-
 src/medsrv/templates/static/mootools.js            | 341 -------------
 src/medsrv/templates/static/script.js              |  13 -
 src/medsrv/templates/static/style.css              |  28 +-
 src/medsrv/templates/user/add.cs                   |   2 +-
 src/medsrv/templates/user/login.cs                 |   2 +-
 src/pki/commands/acert.c                           |   3 +-
 src/pki/commands/issue.c                           |   3 +-
 src/pki/commands/req.c                             |   3 +-
 src/pki/commands/self.c                            |   3 +-
 src/pki/commands/signcrl.c                         |   2 +-
 src/scepclient/scepclient.8                        |   9 -
 src/swanctl/commands/list_pools.c                  |  32 +-
 src/swanctl/commands/list_sas.c                    |  12 +-
 testing/do-tests                                   |  79 +--
 testing/hosts/default/etc/strongswan.conf.testing  |   7 +
 testing/hosts/winnetou/etc/openssl/generate-crl    |   2 +-
 testing/scripts/build-strongswan                   |  14 +
 testing/scripts/recipes/010_tkm.mk                 |   2 +-
 testing/scripts/recipes/013_strongswan.mk          |   5 +-
 testing/tests/af-alg/alg-camellia/pretest.dat      |   3 +-
 testing/tests/af-alg/rw-cert/pretest.dat           |   6 +-
 testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat |   2 +-
 testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat |   2 +-
 .../tests/gcrypt-ikev2/alg-camellia/pretest.dat    |   3 +-
 testing/tests/gcrypt-ikev2/rw-cert/pretest.dat     |   3 +-
 testing/tests/ha/active-passive/evaltest.dat       |   2 +-
 testing/tests/ha/active-passive/pretest.dat        |   5 +-
 testing/tests/ha/both-active/pretest.dat           |   3 +-
 testing/tests/ike/rw-cert/pretest.dat              |   4 +-
 testing/tests/ike/rw_v1-net_v2/pretest.dat         |   4 +-
 testing/tests/ikev1/alg-3des-md5/pretest.dat       |   2 +-
 testing/tests/ikev1/alg-blowfish/pretest.dat       |   3 +-
 testing/tests/ikev1/alg-modp-subgroup/pretest.dat  |   3 +-
 testing/tests/ikev1/alg-sha256/pretest.dat         |   2 +-
 testing/tests/ikev1/alg-sha384/pretest.dat         |   2 +-
 testing/tests/ikev1/alg-sha512/pretest.dat         |   2 +-
 testing/tests/ikev1/compress/pretest.dat           |   2 +-
 .../tests/ikev1/config-payload-push/pretest.dat    |   4 +-
 testing/tests/ikev1/config-payload/pretest.dat     |   4 +-
 testing/tests/ikev1/double-nat-net/pretest.dat     |   3 +-
 testing/tests/ikev1/double-nat/pretest.dat         |   3 +-
 testing/tests/ikev1/dpd-clear/description.txt      |   2 +-
 testing/tests/ikev1/dpd-clear/evaltest.dat         |   4 +-
 .../ikev1/dpd-clear/hosts/moon/etc/ipsec.conf      |   4 +-
 testing/tests/ikev1/dpd-clear/pretest.dat          |   2 +-
 testing/tests/ikev1/dpd-restart/description.txt    |   6 +-
 testing/tests/ikev1/dpd-restart/evaltest.dat       |   4 +-
 .../ikev1/dpd-restart/hosts/carol/etc/ipsec.conf   |   4 +-
 testing/tests/ikev1/dpd-restart/pretest.dat        |   2 +-
 testing/tests/ikev1/dynamic-initiator/posttest.dat |   1 -
 testing/tests/ikev1/dynamic-initiator/pretest.dat  |   5 +-
 testing/tests/ikev1/dynamic-responder/posttest.dat |   1 -
 testing/tests/ikev1/dynamic-responder/pretest.dat  |   7 +-
 testing/tests/ikev1/dynamic-two-peers/posttest.dat |   1 -
 testing/tests/ikev1/dynamic-two-peers/pretest.dat  |   4 +-
 testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat    |   2 +-
 testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat    |   2 +-
 testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat    |   2 +-
 testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat   |   2 +-
 testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat   |   2 +-
 testing/tests/ikev1/esp-alg-null/pretest.dat       |   3 +-
 testing/tests/ikev1/host2host-ah/pretest.dat       |   2 +-
 testing/tests/ikev1/host2host-cert/pretest.dat     |   2 +-
 .../tests/ikev1/host2host-transport/pretest.dat    |   2 +-
 .../ip-pool-db/hosts/moon/etc/strongswan.conf      |   2 +-
 testing/tests/ikev1/ip-pool-db/posttest.dat        |   1 -
 testing/tests/ikev1/ip-pool-db/pretest.dat         |  10 +-
 testing/tests/ikev1/ip-pool-db/test.conf           |   4 +
 testing/tests/ikev1/ip-pool/pretest.dat            |   4 +-
 .../tests/ikev1/multi-level-ca-cr-init/pretest.dat |   3 +-
 .../tests/ikev1/multi-level-ca-cr-resp/pretest.dat |   3 +-
 testing/tests/ikev1/multi-level-ca/pretest.dat     |   5 +-
 testing/tests/ikev1/nat-rw/pretest.dat             |   5 +-
 testing/tests/ikev1/nat-virtual-ip/pretest.dat     |   3 +-
 testing/tests/ikev1/net2net-ah/pretest.dat         |   4 +-
 testing/tests/ikev1/net2net-cert/pretest.dat       |   4 +-
 .../tests/ikev1/net2net-fragmentation/pretest.dat  |   4 +-
 testing/tests/ikev1/net2net-ntru-cert/pretest.dat  |   2 +-
 testing/tests/ikev1/net2net-psk-fail/pretest.dat   |   4 +-
 testing/tests/ikev1/net2net-psk/pretest.dat        |   4 +-
 testing/tests/ikev1/protoport-dual/pretest.dat     |   3 +-
 testing/tests/ikev1/rw-cert-aggressive/pretest.dat |   3 +-
 testing/tests/ikev1/rw-cert-unity/pretest.dat      |   2 +-
 testing/tests/ikev1/rw-cert/pretest.dat            |   4 +-
 .../hosts/dave/etc/strongswan.conf                 |   4 -
 testing/tests/ikev1/rw-initiator-only/pretest.dat  |   3 +-
 testing/tests/ikev1/rw-ntru-psk/pretest.dat        |   4 +-
 testing/tests/ikev1/rw-psk-aggressive/pretest.dat  |   5 +-
 testing/tests/ikev1/rw-psk-fqdn/pretest.dat        |   5 +-
 testing/tests/ikev1/rw-psk-ipv4/pretest.dat        |   5 +-
 testing/tests/ikev1/virtual-ip/pretest.dat         |   3 +-
 .../tests/ikev1/xauth-id-psk-config/pretest.dat    |   3 +-
 .../ikev1/xauth-id-rsa-aggressive/pretest.dat      |   3 +-
 .../tests/ikev1/xauth-id-rsa-config/pretest.dat    |   3 +-
 .../tests/ikev1/xauth-id-rsa-hybrid/pretest.dat    |   3 +-
 testing/tests/ikev1/xauth-psk/pretest.dat          |   3 +-
 .../ikev1/xauth-rsa-eap-md5-radius/pretest.dat     |   3 +-
 testing/tests/ikev1/xauth-rsa-radius/pretest.dat   |   3 +-
 testing/tests/ikev1/xauth-rsa/pretest.dat          |   3 +-
 testing/tests/ikev2/acert-cached/evaltest.dat      |   2 +-
 testing/tests/ikev2/acert-cached/pretest.dat       |   3 +-
 testing/tests/ikev2/acert-fallback/evaltest.dat    |   2 +-
 testing/tests/ikev2/acert-fallback/pretest.dat     |   2 +-
 testing/tests/ikev2/acert-inline/evaltest.dat      |   2 +-
 testing/tests/ikev2/acert-inline/pretest.dat       |   3 +-
 testing/tests/ikev2/after-2038-certs/pretest.dat   |   2 +-
 testing/tests/ikev2/alg-3des-md5/pretest.dat       |   2 +-
 testing/tests/ikev2/alg-aes-ccm/pretest.dat        |   2 +-
 testing/tests/ikev2/alg-aes-ctr/pretest.dat        |   2 +-
 testing/tests/ikev2/alg-aes-gcm/pretest.dat        |   2 +-
 testing/tests/ikev2/alg-aes-xcbc/pretest.dat       |   2 +-
 testing/tests/ikev2/alg-blowfish/pretest.dat       |   3 +-
 .../tests/ikev2/alg-chacha20poly1305/pretest.dat   |   2 +-
 testing/tests/ikev2/alg-modp-subgroup/pretest.dat  |   3 +-
 testing/tests/ikev2/alg-sha256-96/pretest.dat      |   2 +-
 testing/tests/ikev2/alg-sha256/pretest.dat         |   2 +-
 testing/tests/ikev2/alg-sha384/pretest.dat         |   2 +-
 testing/tests/ikev2/alg-sha512/pretest.dat         |   2 +-
 testing/tests/ikev2/any-interface/pretest.dat      |   9 +-
 testing/tests/ikev2/compress/pretest.dat           |   2 +-
 .../tests/ikev2/config-payload-swapped/pretest.dat |   4 +-
 testing/tests/ikev2/config-payload/pretest.dat     |   4 +-
 testing/tests/ikev2/critical-extension/pretest.dat |   2 +-
 testing/tests/ikev2/crl-from-cache/pretest.dat     |   2 +-
 testing/tests/ikev2/crl-ldap/pretest.dat           |   3 +-
 testing/tests/ikev2/crl-revoked/pretest.dat        |   2 +-
 testing/tests/ikev2/crl-to-cache/pretest.dat       |   2 +-
 testing/tests/ikev2/default-keys/pretest.dat       |   4 +-
 testing/tests/ikev2/dhcp-dynamic/pretest.dat       |   4 +-
 .../tests/ikev2/dhcp-static-client-id/pretest.dat  |   4 +-
 testing/tests/ikev2/dhcp-static-mac/pretest.dat    |   4 +-
 testing/tests/ikev2/double-nat-net/pretest.dat     |   3 +-
 testing/tests/ikev2/double-nat/pretest.dat         |   3 +-
 testing/tests/ikev2/dpd-clear/description.txt      |   2 +-
 testing/tests/ikev2/dpd-clear/evaltest.dat         |   4 +-
 testing/tests/ikev2/dpd-clear/pretest.dat          |   2 +-
 testing/tests/ikev2/dpd-hold/evaltest.dat          |   8 +-
 testing/tests/ikev2/dpd-hold/pretest.dat           |   2 +-
 testing/tests/ikev2/dpd-restart/evaltest.dat       |   6 +-
 testing/tests/ikev2/dpd-restart/pretest.dat        |   2 +-
 .../tests/ikev2/dynamic-initiator/description.txt  |   6 +-
 testing/tests/ikev2/dynamic-initiator/posttest.dat |   1 -
 testing/tests/ikev2/dynamic-initiator/pretest.dat  |   5 +-
 testing/tests/ikev2/dynamic-two-peers/posttest.dat |   1 -
 testing/tests/ikev2/dynamic-two-peers/pretest.dat  |   4 +-
 testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat   |   2 +-
 testing/tests/ikev2/esp-alg-md5-128/pretest.dat    |   3 +-
 testing/tests/ikev2/esp-alg-null/pretest.dat       |   3 +-
 testing/tests/ikev2/esp-alg-sha1-160/pretest.dat   |   3 +-
 testing/tests/ikev2/farp/pretest.dat               |   4 +-
 testing/tests/ikev2/force-udp-encaps/pretest.dat   |   4 +-
 testing/tests/ikev2/forecast/pretest.dat           |   4 +-
 testing/tests/ikev2/host2host-ah/pretest.dat       |   2 +-
 testing/tests/ikev2/host2host-cert/pretest.dat     |   2 +-
 testing/tests/ikev2/host2host-swapped/pretest.dat  |   2 +-
 .../tests/ikev2/host2host-transport/pretest.dat    |   2 +-
 .../tests/ikev2/inactivity-timeout/evaltest.dat    |   4 +-
 testing/tests/ikev2/inactivity-timeout/pretest.dat |   3 +-
 .../ip-pool-db/hosts/moon/etc/strongswan.conf      |   2 +-
 testing/tests/ikev2/ip-pool-db/posttest.dat        |   1 -
 testing/tests/ikev2/ip-pool-db/pretest.dat         |  10 +-
 testing/tests/ikev2/ip-pool-db/test.conf           |   4 +
 testing/tests/ikev2/ip-pool-wish/pretest.dat       |   4 +-
 testing/tests/ikev2/ip-pool/pretest.dat            |   4 +-
 .../hosts/moon/etc/strongswan.conf                 |   2 +-
 testing/tests/ikev2/ip-split-pools-db/posttest.dat |   1 -
 testing/tests/ikev2/ip-split-pools-db/pretest.dat  |   8 +-
 testing/tests/ikev2/ip-split-pools-db/test.conf    |   4 +
 .../ip-two-pools-db/hosts/moon/etc/strongswan.conf |   2 +-
 testing/tests/ikev2/ip-two-pools-db/posttest.dat   |   1 -
 testing/tests/ikev2/ip-two-pools-db/pretest.dat    |  12 +-
 testing/tests/ikev2/ip-two-pools-db/test.conf      |   4 +
 .../hosts/moon/etc/strongswan.conf                 |   2 +-
 .../tests/ikev2/ip-two-pools-mixed/posttest.dat    |   1 -
 testing/tests/ikev2/ip-two-pools-mixed/pretest.dat |  10 +-
 testing/tests/ikev2/ip-two-pools-mixed/test.conf   |   4 +
 .../hosts/moon/etc/strongswan.conf                 |   2 +-
 .../tests/ikev2/ip-two-pools-v4v6-db/posttest.dat  |   1 -
 .../tests/ikev2/ip-two-pools-v4v6-db/pretest.dat   |   6 +-
 testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf |   4 +
 testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat  |   2 +-
 testing/tests/ikev2/ip-two-pools/posttest.dat      |   1 -
 testing/tests/ikev2/ip-two-pools/pretest.dat       |   4 +-
 testing/tests/ikev2/lookip/pretest.dat             |   4 +-
 .../mobike-nat/hosts/alice/etc/iptables.rules      |   6 +-
 testing/tests/ikev2/mobike-nat/pretest.dat         |   3 +-
 .../hosts/alice/etc/iptables.rules                 |   4 +
 testing/tests/ikev2/mobike-virtual-ip/pretest.dat  |   3 +-
 .../ikev2/mobike/hosts/alice/etc/iptables.rules    |   4 +
 testing/tests/ikev2/mobike/pretest.dat             |   3 +-
 .../ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat    |   2 +-
 .../ikev2/mult-auth-rsa-eap-sim-id/pretest.dat     |   4 +-
 .../tests/ikev2/multi-level-ca-cr-init/pretest.dat |   3 +-
 .../tests/ikev2/multi-level-ca-cr-resp/pretest.dat |   3 +-
 .../tests/ikev2/multi-level-ca-ldap/pretest.dat    |   7 +-
 .../tests/ikev2/multi-level-ca-loop/pretest.dat    |   2 +-
 .../tests/ikev2/multi-level-ca-pathlen/pretest.dat |   4 +-
 .../tests/ikev2/multi-level-ca-revoked/pretest.dat |   2 +-
 .../tests/ikev2/multi-level-ca-strict/pretest.dat  |   5 +-
 testing/tests/ikev2/multi-level-ca/posttest.dat    |   1 -
 testing/tests/ikev2/multi-level-ca/pretest.dat     |   5 +-
 testing/tests/ikev2/nat-rw-mark/pretest.dat        |   5 +-
 testing/tests/ikev2/nat-rw-psk/pretest.dat         |   5 +-
 testing/tests/ikev2/nat-rw/pretest.dat             |   5 +-
 testing/tests/ikev2/nat-virtual-ip/pretest.dat     |   3 +-
 testing/tests/ikev2/net2net-ah/pretest.dat         |   2 +-
 testing/tests/ikev2/net2net-cert-sha2/pretest.dat  |   2 +-
 testing/tests/ikev2/net2net-cert/pretest.dat       |   2 +-
 testing/tests/ikev2/net2net-dnscert/pretest.dat    |   2 +-
 testing/tests/ikev2/net2net-dnssec/pretest.dat     |   2 +-
 testing/tests/ikev2/net2net-esn/pretest.dat        |   2 +-
 .../tests/ikev2/net2net-ntru-bandwidth/pretest.dat |   2 +-
 testing/tests/ikev2/net2net-ntru-cert/pretest.dat  |   2 +-
 testing/tests/ikev2/net2net-pgp-v3/pretest.dat     |   2 +-
 testing/tests/ikev2/net2net-pgp-v4/pretest.dat     |   2 +-
 testing/tests/ikev2/net2net-pkcs12/pretest.dat     |   2 +-
 testing/tests/ikev2/net2net-psk-dscp/pretest.dat   |   5 +-
 testing/tests/ikev2/net2net-psk-fail/pretest.dat   |   2 +-
 testing/tests/ikev2/net2net-psk/pretest.dat        |   2 +-
 testing/tests/ikev2/net2net-rfc3779/pretest.dat    |   3 +-
 testing/tests/ikev2/net2net-route/pretest.dat      |   4 +-
 testing/tests/ikev2/net2net-rsa/pretest.dat        |   2 +-
 testing/tests/ikev2/net2net-same-nets/pretest.dat  |   2 +-
 testing/tests/ikev2/net2net-start/pretest.dat      |   3 +-
 testing/tests/ikev2/ocsp-local-cert/pretest.dat    |   2 +-
 testing/tests/ikev2/ocsp-multi-level/pretest.dat   |   3 +-
 .../tests/ikev2/ocsp-no-signer-cert/pretest.dat    |   4 +-
 testing/tests/ikev2/ocsp-revoked/pretest.dat       |   2 +-
 testing/tests/ikev2/ocsp-root-cert/pretest.dat     |   2 +-
 testing/tests/ikev2/ocsp-signer-cert/pretest.dat   |   2 +-
 testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat |   2 +-
 testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat  |   3 +-
 .../tests/ikev2/ocsp-timeouts-good/description.txt |   2 +-
 .../tests/ikev2/ocsp-timeouts-good/evaltest.dat    |   4 +-
 .../hosts/winnetou/etc/openssl/ocsp/ocsp.cgi       |   2 +-
 testing/tests/ikev2/ocsp-timeouts-good/pretest.dat |   2 +-
 .../tests/ikev2/ocsp-timeouts-unknown/evaltest.dat |   2 +-
 .../tests/ikev2/ocsp-timeouts-unknown/pretest.dat  |   6 +-
 .../tests/ikev2/ocsp-untrusted-cert/pretest.dat    |   4 +-
 testing/tests/ikev2/protoport-dual/pretest.dat     |   3 +-
 testing/tests/ikev2/protoport-route/pretest.dat    |   6 +-
 testing/tests/ikev2/reauth-early/pretest.dat       |   2 +-
 testing/tests/ikev2/reauth-late/pretest.dat        |   2 +-
 .../tests/ikev2/reauth-mbb-virtual-ip/pretest.dat  |   2 +-
 testing/tests/ikev2/reauth-mbb/pretest.dat         |   2 +-
 .../ikev2/rw-cert/hosts/carol/etc/strongswan.conf  |   2 +-
 .../ikev2/rw-cert/hosts/dave/etc/strongswan.conf   |   2 +-
 .../ikev2/rw-cert/hosts/moon/etc/strongswan.conf   |   2 +-
 testing/tests/ikev2/rw-cert/pretest.dat            |   4 +-
 testing/tests/ikev2/rw-dnssec/pretest.dat          |   4 +-
 testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat  |   3 +-
 testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat     |   3 +-
 testing/tests/ikev2/rw-eap-dynamic/pretest.dat     |   4 +-
 .../ikev2/rw-eap-framed-ip-radius/pretest.dat      |   8 +-
 .../ikev2/rw-eap-md5-class-radius/pretest.dat      |   6 +-
 .../tests/ikev2/rw-eap-md5-id-prompt/pretest.dat   |   3 +-
 .../tests/ikev2/rw-eap-md5-id-radius/pretest.dat   |   3 +-
 testing/tests/ikev2/rw-eap-md5-radius/pretest.dat  |   3 +-
 testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat     |   3 +-
 .../tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat |   3 +-
 testing/tests/ikev2/rw-eap-peap-md5/pretest.dat    |   4 +-
 .../tests/ikev2/rw-eap-peap-mschapv2/pretest.dat   |   4 +-
 testing/tests/ikev2/rw-eap-peap-radius/pretest.dat |   4 +-
 .../tests/ikev2/rw-eap-sim-id-radius/pretest.dat   |   3 +-
 .../ikev2/rw-eap-sim-only-radius/evaltest.dat      |   2 +-
 .../tests/ikev2/rw-eap-sim-only-radius/pretest.dat |   4 +-
 testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat |   2 +-
 testing/tests/ikev2/rw-eap-sim-radius/pretest.dat  |   4 +-
 testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat     |   3 +-
 .../tests/ikev2/rw-eap-tls-fragments/pretest.dat   |   3 +-
 testing/tests/ikev2/rw-eap-tls-only/pretest.dat    |   3 +-
 testing/tests/ikev2/rw-eap-tls-radius/pretest.dat  |   3 +-
 testing/tests/ikev2/rw-eap-ttls-only/pretest.dat   |   4 +-
 .../ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat |   4 +-
 testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat |   4 +-
 testing/tests/ikev2/rw-hash-and-url/pretest.dat    |   3 +-
 .../hosts/dave/etc/strongswan.conf                 |   4 -
 testing/tests/ikev2/rw-initiator-only/pretest.dat  |   3 +-
 testing/tests/ikev2/rw-mark-in-out/pretest.dat     |  11 +-
 testing/tests/ikev2/rw-ntru-bliss/evaltest.dat     |   8 +-
 .../ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf |   1 +
 .../rw-ntru-bliss/hosts/carol/etc/strongswan.conf  |   2 +-
 .../ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf  |   1 +
 .../rw-ntru-bliss/hosts/dave/etc/strongswan.conf   |   2 +-
 .../ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf  |   1 +
 .../rw-ntru-bliss/hosts/moon/etc/strongswan.conf   |   2 +-
 testing/tests/ikev2/rw-ntru-bliss/pretest.dat      |   4 +-
 testing/tests/ikev2/rw-ntru-psk/pretest.dat        |   4 +-
 testing/tests/ikev2/rw-pkcs8/pretest.dat           |   3 +-
 testing/tests/ikev2/rw-psk-fqdn/pretest.dat        |   3 +-
 testing/tests/ikev2/rw-psk-ipv4/pretest.dat        |   3 +-
 testing/tests/ikev2/rw-psk-no-idr/pretest.dat      |   3 +-
 testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat   |   3 +-
 testing/tests/ikev2/rw-psk-rsa-split/pretest.dat   |   3 +-
 .../tests/ikev2/rw-radius-accounting/pretest.dat   |   3 +-
 testing/tests/ikev2/rw-sig-auth/pretest.dat        |   6 +-
 testing/tests/ikev2/rw-whitelist/evaltest.dat      |   2 +-
 testing/tests/ikev2/strong-keys-certs/pretest.dat  |   4 +-
 testing/tests/ikev2/trap-any/evaltest.dat          |  10 +-
 testing/tests/ikev2/two-certs/pretest.dat          |   4 +-
 .../tests/ikev2/virtual-ip-override/pretest.dat    |   3 +-
 testing/tests/ikev2/virtual-ip/pretest.dat         |   3 +-
 testing/tests/ikev2/wildcards/pretest.dat          |   5 +-
 .../hosts/sun/etc/ipsec.conf                       |   2 +-
 .../hosts/sun/etc/ipsec.conf                       |   2 +-
 testing/tests/ipv6/rw-compress-ikev2/evaltest.dat  |   3 +-
 testing/tests/libipsec/host2host-cert/pretest.dat  |   2 +-
 testing/tests/libipsec/net2net-3des/pretest.dat    |   2 +-
 testing/tests/libipsec/net2net-cert/pretest.dat    |   2 +-
 .../tests/libipsec/net2net-null/description.txt    |  11 +
 testing/tests/libipsec/net2net-null/evaltest.dat   |  11 +
 .../net2net-null}/hosts/moon/etc/ipsec.conf        |  16 +-
 .../net2net-null/hosts/moon/etc/strongswan.conf    |   6 +
 .../libipsec/net2net-null/hosts/moon/etc/updown    |  16 +-
 .../net2net-null}/hosts/sun/etc/ipsec.conf         |  21 +-
 .../net2net-null/hosts/sun/etc/strongswan.conf     |   6 +
 .../libipsec/net2net-null/hosts/sun/etc/updown     |  16 +-
 .../net2net-null}/posttest.dat                     |   2 -
 .../net2net-null}/pretest.dat                      |   2 +-
 .../net2net-null}/test.conf                        |   0
 testing/tests/libipsec/rw-suite-b/pretest.dat      |   4 +-
 .../tests/openssl-ikev1/alg-camellia/pretest.dat   |   3 +-
 .../tests/openssl-ikev1/alg-ecp-high/pretest.dat   |   3 +-
 .../tests/openssl-ikev1/alg-ecp-low/pretest.dat    |   3 +-
 .../tests/openssl-ikev1/ecdsa-certs/pretest.dat    |   3 +-
 .../tests/openssl-ikev2/alg-aes-gcm/pretest.dat    |   3 +-
 .../tests/openssl-ikev2/alg-blowfish/pretest.dat   |   3 +-
 .../tests/openssl-ikev2/alg-camellia/pretest.dat   |   3 +-
 .../alg-ecp-brainpool-high/pretest.dat             |   3 +-
 .../alg-ecp-brainpool-low/pretest.dat              |   3 +-
 .../tests/openssl-ikev2/alg-ecp-high/pretest.dat   |   3 +-
 .../tests/openssl-ikev2/alg-ecp-low/pretest.dat    |   3 +-
 .../openssl-ikev2/critical-extension/pretest.dat   |   2 +-
 .../tests/openssl-ikev2/ecdsa-certs/pretest.dat    |   3 +-
 .../tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat    |   3 +-
 .../tests/openssl-ikev2/net2net-pgp-v3/pretest.dat |   2 +-
 .../tests/openssl-ikev2/net2net-pkcs12/pretest.dat |   2 +-
 testing/tests/openssl-ikev2/rw-cert/pretest.dat    |   5 +-
 .../openssl-ikev2/rw-eap-tls-only/pretest.dat      |   3 +-
 .../rw-suite-b-128/hosts/dave/etc/strongswan.conf  |   3 -
 .../tests/openssl-ikev2/rw-suite-b-128/pretest.dat |   4 +-
 .../rw-suite-b-192/hosts/dave/etc/strongswan.conf  |   3 -
 .../tests/openssl-ikev2/rw-suite-b-192/pretest.dat |   4 +-
 testing/tests/p2pnat/behind-same-nat/pretest.dat   |   4 +-
 testing/tests/p2pnat/medsrv-psk/pretest.dat        |   4 +-
 testing/tests/pfkey/alg-aes-xcbc/pretest.dat       |   2 +-
 testing/tests/pfkey/alg-sha384/pretest.dat         |   2 +-
 testing/tests/pfkey/alg-sha512/pretest.dat         |   2 +-
 testing/tests/pfkey/compress/pretest.dat           |   2 +-
 testing/tests/pfkey/esp-alg-null/pretest.dat       |   2 +-
 .../tests/pfkey/host2host-transport/pretest.dat    |   2 +-
 testing/tests/pfkey/nat-rw/pretest.dat             |   5 +-
 testing/tests/pfkey/net2net-route/pretest.dat      |   4 +-
 testing/tests/pfkey/protoport-dual/pretest.dat     |   3 +-
 testing/tests/pfkey/protoport-route/pretest.dat    |   6 +-
 testing/tests/pfkey/rw-cert/pretest.dat            |   4 +-
 .../hosts/carol/etc/strongswan.conf                |   2 +-
 .../hosts/dave/etc/strongswan.conf                 |   2 +-
 .../hosts/moon/etc/strongswan.conf                 |   4 +-
 testing/tests/sql/ip-pool-db-expired/posttest.dat  |   4 -
 testing/tests/sql/ip-pool-db-expired/pretest.dat   |  15 +-
 testing/tests/sql/ip-pool-db-expired/test.conf     |   4 +
 .../hosts/carol/etc/strongswan.conf                |   2 +-
 .../hosts/dave/etc/strongswan.conf                 |   2 +-
 .../hosts/moon/etc/strongswan.conf                 |   4 +-
 testing/tests/sql/ip-pool-db-restart/posttest.dat  |   4 -
 testing/tests/sql/ip-pool-db-restart/pretest.dat   |  16 +-
 testing/tests/sql/ip-pool-db-restart/test.conf     |   4 +
 .../sql/ip-pool-db/hosts/carol/etc/strongswan.conf |   2 +-
 .../sql/ip-pool-db/hosts/dave/etc/strongswan.conf  |   2 +-
 .../sql/ip-pool-db/hosts/moon/etc/strongswan.conf  |   4 +-
 testing/tests/sql/ip-pool-db/posttest.dat          |   7 +-
 testing/tests/sql/ip-pool-db/pretest.dat           |  16 +-
 testing/tests/sql/ip-pool-db/test.conf             |   4 +
 .../hosts/carol/etc/strongswan.conf                |   2 +-
 .../hosts/dave/etc/strongswan.conf                 |   2 +-
 .../hosts/moon/etc/strongswan.conf                 |   4 +-
 .../sql/ip-split-pools-db-restart/posttest.dat     |   4 -
 .../sql/ip-split-pools-db-restart/pretest.dat      |  16 +-
 .../tests/sql/ip-split-pools-db-restart/test.conf  |   4 +
 .../hosts/carol/etc/strongswan.conf                |   2 +-
 .../hosts/dave/etc/strongswan.conf                 |   2 +-
 .../hosts/moon/etc/strongswan.conf                 |   4 +-
 testing/tests/sql/ip-split-pools-db/posttest.dat   |   4 -
 testing/tests/sql/ip-split-pools-db/pretest.dat    |  16 +-
 testing/tests/sql/ip-split-pools-db/test.conf      |   4 +
 .../multi-level-ca/hosts/carol/etc/strongswan.conf |   2 +-
 .../multi-level-ca/hosts/dave/etc/strongswan.conf  |   2 +-
 .../multi-level-ca/hosts/moon/etc/strongswan.conf  |   2 +-
 testing/tests/sql/multi-level-ca/posttest.dat      |   4 -
 testing/tests/sql/multi-level-ca/pretest.dat       |  15 +-
 testing/tests/sql/multi-level-ca/test.conf         |   4 +
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |   2 +-
 .../sql/net2net-cert/hosts/sun/etc/strongswan.conf |   2 +-
 testing/tests/sql/net2net-cert/posttest.dat        |   2 -
 testing/tests/sql/net2net-cert/pretest.dat         |  10 +-
 testing/tests/sql/net2net-cert/test.conf           |   6 +-
 .../sql/net2net-psk/hosts/moon/etc/strongswan.conf |   2 +-
 .../sql/net2net-psk/hosts/sun/etc/strongswan.conf  |   2 +-
 testing/tests/sql/net2net-psk/posttest.dat         |   2 -
 testing/tests/sql/net2net-psk/pretest.dat          |  10 +-
 testing/tests/sql/net2net-psk/test.conf            |   6 +-
 .../hosts/moon/etc/strongswan.conf                 |   2 +-
 .../hosts/sun/etc/strongswan.conf                  |   2 +-
 testing/tests/sql/net2net-route-pem/posttest.dat   |   2 -
 testing/tests/sql/net2net-route-pem/pretest.dat    |  14 +-
 testing/tests/sql/net2net-route-pem/test.conf      |   6 +-
 .../hosts/moon/etc/strongswan.conf                 |   2 +-
 .../hosts/sun/etc/strongswan.conf                  |   2 +-
 testing/tests/sql/net2net-start-pem/posttest.dat   |   2 -
 testing/tests/sql/net2net-start-pem/pretest.dat    |  10 +-
 testing/tests/sql/net2net-start-pem/test.conf      |   6 +-
 .../sql/rw-cert/hosts/carol/etc/strongswan.conf    |   2 +-
 .../sql/rw-cert/hosts/dave/etc/strongswan.conf     |   2 +-
 .../sql/rw-cert/hosts/moon/etc/strongswan.conf     |   5 +-
 testing/tests/sql/rw-cert/posttest.dat             |   4 -
 testing/tests/sql/rw-cert/pretest.dat              |  15 +-
 testing/tests/sql/rw-cert/test.conf                |   4 +
 .../rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf |   2 +-
 .../rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf  |   2 +-
 testing/tests/sql/rw-eap-aka-rsa/posttest.dat      |   3 -
 testing/tests/sql/rw-eap-aka-rsa/pretest.dat       |  10 +-
 testing/tests/sql/rw-eap-aka-rsa/test.conf         |   4 +
 .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf    |   2 +-
 .../sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf |   2 +-
 .../sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf |   2 +-
 testing/tests/sql/rw-psk-ipv4/posttest.dat         |   4 -
 testing/tests/sql/rw-psk-ipv4/pretest.dat          |  15 +-
 testing/tests/sql/rw-psk-ipv4/test.conf            |   4 +
 .../rw-psk-ipv6/hosts/carol/etc/strongswan.conf    |   2 +-
 .../sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf |   2 +-
 .../sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf |   2 +-
 testing/tests/sql/rw-psk-ipv6/posttest.dat         |   3 -
 testing/tests/sql/rw-psk-ipv6/pretest.dat          |  15 +-
 testing/tests/sql/rw-psk-ipv6/test.conf            |   4 +
 .../hosts/carol/etc/strongswan.conf                |   2 +-
 .../hosts/dave/etc/strongswan.conf                 |   2 +-
 .../hosts/moon/etc/strongswan.conf                 |   2 +-
 testing/tests/sql/rw-psk-rsa-split/posttest.dat    |   4 -
 testing/tests/sql/rw-psk-rsa-split/pretest.dat     |  15 +-
 testing/tests/sql/rw-psk-rsa-split/test.conf       |   4 +
 .../rw-rsa-keyid/hosts/carol/etc/strongswan.conf   |   2 +-
 .../rw-rsa-keyid/hosts/dave/etc/strongswan.conf    |   2 +-
 .../rw-rsa-keyid/hosts/moon/etc/strongswan.conf    |   2 +-
 testing/tests/sql/rw-rsa-keyid/posttest.dat        |   4 -
 testing/tests/sql/rw-rsa-keyid/pretest.dat         |  15 +-
 testing/tests/sql/rw-rsa-keyid/test.conf           |   4 +
 .../sql/rw-rsa/hosts/carol/etc/strongswan.conf     |   2 +-
 .../sql/rw-rsa/hosts/dave/etc/strongswan.conf      |   2 +-
 .../sql/rw-rsa/hosts/moon/etc/strongswan.conf      |   2 +-
 testing/tests/sql/rw-rsa/posttest.dat              |   4 -
 testing/tests/sql/rw-rsa/pretest.dat               |  15 +-
 testing/tests/sql/rw-rsa/test.conf                 |   4 +
 .../hosts/alice/etc/strongswan.conf                |   2 +-
 .../hosts/sun/etc/strongswan.conf                  |   4 +-
 .../hosts/venus/etc/strongswan.conf                |   2 +-
 .../tests/sql/shunt-policies-nat-rw/posttest.dat   |   3 -
 .../tests/sql/shunt-policies-nat-rw/pretest.dat    |  12 +-
 testing/tests/sql/shunt-policies-nat-rw/test.conf  |   4 +
 .../ip-pool-db/hosts/moon/etc/strongswan.conf      |   2 +-
 testing/tests/swanctl/ip-pool-db/pretest.dat       |   4 +-
 testing/tests/swanctl/ip-pool-db/test.conf         |   4 +
 testing/tests/swanctl/ip-pool/evaltest.dat         |   2 +
 testing/tests/tnc/tnccs-11-fhh/evaltest.dat        |   4 +-
 testing/tests/tnc/tnccs-11-fhh/pretest.dat         |   5 +-
 .../tests/tnc/tnccs-11-radius-block/evaltest.dat   |   2 +-
 .../tests/tnc/tnccs-11-radius-block/pretest.dat    |   4 +-
 testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat |   4 +-
 .../hosts/alice/etc/strongswan.conf                |   4 +-
 .../hosts/dave/etc/strongswan.conf                 |   2 +
 testing/tests/tnc/tnccs-11-radius-pts/posttest.dat |   1 -
 testing/tests/tnc/tnccs-11-radius-pts/pretest.dat  |   6 +-
 testing/tests/tnc/tnccs-11-radius-pts/test.conf    |   3 +
 testing/tests/tnc/tnccs-11-radius/evaltest.dat     |   4 +-
 testing/tests/tnc/tnccs-11-radius/pretest.dat      |   4 +-
 testing/tests/tnc/tnccs-11-supplicant/pretest.dat  |   2 +-
 testing/tests/tnc/tnccs-11/evaltest.dat            |   4 +-
 testing/tests/tnc/tnccs-11/pretest.dat             |   4 +-
 testing/tests/tnc/tnccs-20-block/evaltest.dat      |   2 +-
 testing/tests/tnc/tnccs-20-block/pretest.dat       |   4 +-
 .../tests/tnc/tnccs-20-client-retry/evaltest.dat   |   4 +-
 .../tests/tnc/tnccs-20-client-retry/pretest.dat    |   8 +-
 testing/tests/tnc/tnccs-20-fail-init/pretest.dat   |   5 +-
 testing/tests/tnc/tnccs-20-fail-resp/pretest.dat   |   4 +-
 testing/tests/tnc/tnccs-20-fhh/evaltest.dat        |   4 +-
 testing/tests/tnc/tnccs-20-fhh/pretest.dat         |   9 +-
 .../alice/etc/apache2/sites-available/default      |  26 -
 .../tnccs-20-hcd-eap/hosts/alice/etc/pts/data1.sql |  61 ---
 .../hosts/alice/etc/strongTNC/settings.ini         |  19 -
 .../hosts/alice/etc/strongswan.conf                |   9 +-
 testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat     |   4 +-
 testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat  |   2 +-
 .../tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat   |   4 +-
 testing/tests/tnc/tnccs-20-os-pts/evaltest.dat     |   4 +-
 .../tnccs-20-os-pts/hosts/dave/etc/strongswan.conf |   2 +
 .../tnccs-20-os-pts/hosts/moon/etc/strongswan.conf |   4 +-
 testing/tests/tnc/tnccs-20-os-pts/posttest.dat     |   1 -
 testing/tests/tnc/tnccs-20-os-pts/pretest.dat      |   6 +-
 testing/tests/tnc/tnccs-20-os-pts/test.conf        |   5 +-
 testing/tests/tnc/tnccs-20-os/evaltest.dat         |   4 +-
 .../tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf |   4 +-
 testing/tests/tnc/tnccs-20-os/posttest.dat         |   1 -
 testing/tests/tnc/tnccs-20-os/pretest.dat          |   2 +-
 testing/tests/tnc/tnccs-20-os/test.conf            |   5 +-
 testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat    |   4 +-
 .../hosts/alice/etc/strongTNC/settings.ini         |   2 +-
 .../hosts/alice/etc/strongswan.conf                |   2 +-
 .../hosts/carol/etc/strongswan.conf                |   2 +
 .../hosts/dave/etc/strongswan.conf                 |   4 +-
 testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat    |   1 -
 testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat     |   7 +-
 testing/tests/tnc/tnccs-20-pdp-eap/test.conf       |   4 +-
 .../hosts/alice/etc/strongTNC/settings.ini         |   2 +-
 .../hosts/alice/etc/strongswan.conf                |   2 +-
 testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat |   1 -
 testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat  |   7 +-
 testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf    |   5 +-
 testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat |   4 +-
 .../hosts/dave/etc/strongswan.conf                 |   2 +
 .../hosts/moon/etc/strongswan.conf                 |   4 +-
 testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat |   1 -
 testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat  |   6 +-
 testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf    |   4 +-
 testing/tests/tnc/tnccs-20-pts/evaltest.dat        |   4 +-
 .../tnccs-20-pts/hosts/dave/etc/strongswan.conf    |   2 +
 .../tnccs-20-pts/hosts/moon/etc/strongswan.conf    |   6 +-
 testing/tests/tnc/tnccs-20-pts/posttest.dat        |   1 -
 testing/tests/tnc/tnccs-20-pts/pretest.dat         |   6 +-
 testing/tests/tnc/tnccs-20-pts/test.conf           |   4 +-
 .../tests/tnc/tnccs-20-server-retry/evaltest.dat   |   4 +-
 .../tests/tnc/tnccs-20-server-retry/pretest.dat    |   8 +-
 testing/tests/tnc/tnccs-20-tls/evaltest.dat        |   4 +-
 testing/tests/tnc/tnccs-20-tls/pretest.dat         |   4 +-
 testing/tests/tnc/tnccs-20/evaltest.dat            |   4 +-
 testing/tests/tnc/tnccs-20/pretest.dat             |   8 +-
 testing/tests/tnc/tnccs-dynamic/evaltest.dat       |   4 +-
 testing/tests/tnc/tnccs-dynamic/pretest.dat        |   4 +-
 670 files changed, 4816 insertions(+), 2858 deletions(-)

diff --git a/Android.common.mk b/Android.common.mk
index 33b993e..baeeb36 100644
--- a/Android.common.mk
+++ b/Android.common.mk
@@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \
               )
 
 # strongSwan version, replaced by top Makefile
-strongswan_VERSION := "5.3.3"
+strongswan_VERSION := "5.3.4"
 
diff --git a/NEWS b/NEWS
index 0940dff..4674e52 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,17 @@
+strongswan-5.3.4
+----------------
+
+- Fixed an authentication bypass vulnerability in the eap-mschapv2 plugin that
+  was caused by insufficient verification of the internal state when handling
+  MSCHAPv2 Success messages received by the client.
+  This vulnerability has been registered as CVE-2015-8023.
+
+- The sha3 plugin implements the SHA3 Keccak-F1600 hash algorithm family.
+  Within the strongSwan framework SHA3 is currently used for BLISS signatures
+  only because the OIDs for other signature algorithms haven't been defined
+  yet. Also the use of SHA3 for IKEv2 has not been standardized yet.
+
+
 strongswan-5.3.3
 ----------------
 
@@ -37,7 +51,7 @@ strongswan-5.3.3
   since 5.0.0) and packets that have the flag set incorrectly are again ignored.
 
 - Implemented a demo Hardcopy Device IMC/IMV pair based on the "Hardcopy
-  Device Health Assessment Trusted Network Connect Binding" (HCD-TNC) 
+  Device Health Assessment Trusted Network Connect Binding" (HCD-TNC)
   document drafted by the IEEE Printer Working Group (PWG).
 
 - Fixed IF-M segmentation which failed in the presence of multiple small
diff --git a/conf/options/charon-logging.conf b/conf/options/charon-logging.conf
index c91421d..4544059 100644
--- a/conf/options/charon-logging.conf
+++ b/conf/options/charon-logging.conf
@@ -25,6 +25,11 @@ charon {
             # numerical identifier for each IKE_SA.
             # ike_name = no
 
+            # Adds the milliseconds within the current second after the
+            # timestamp (separated by a dot, so time_format should end with %S
+            # or %T).
+            # time_add_ms = no
+
             # Prefix each log entry with a timestamp. The option accepts a
             # format string as passed to strftime(3).
             # time_format =
diff --git a/conf/options/charon-logging.opt b/conf/options/charon-logging.opt
index b437a9c..2bbb5dc 100644
--- a/conf/options/charon-logging.opt
+++ b/conf/options/charon-logging.opt
@@ -28,6 +28,10 @@ charon.filelog.<filename>.time_format
 	Prefix each log entry with a timestamp. The option accepts a format string
 	as passed to **strftime**(3).
 
+charon.filelog.<filename>.time_add_ms = no
+	Adds the milliseconds within the current second after the timestamp
+	(separated by a dot, so _time_format_ should end with %S or %T).
+
 charon.syslog {}
 	Section to define syslog loggers, see LOGGER CONFIGURATION in
 	**strongswan.conf**(5).
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index 5f27b08..b55d429 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -24,6 +24,10 @@ charon {
     # strength.
     # dh_exponent_ansi_x9_42 = yes
 
+    # Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal
+    # missing symbols immediately.
+    # dlopen_use_rtld_now = no
+
     # DNS server assigned to peer via configuration payload (CP).
     # dns1 =
 
@@ -123,6 +127,10 @@ charon {
     # Initiate IKEv2 reauthentication with a make-before-break scheme.
     # make_before_break = no
 
+    # Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about
+    # and track concurrently.
+    # max_ikev1_exchanges = 3
+
     # Maximum packet size accepted by charon.
     # max_packet = 10000
 
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 5d137ae..816f325 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -65,6 +65,10 @@ charon.dh_exponent_ansi_x9_42 = yes
 	Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
 	strength.
 
+charon.dlopen_use_rtld_now = no
+	Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal missing
+	symbols immediately.
+
 charon.dns1
 	DNS server assigned to peer via configuration payload (CP).
 
@@ -204,6 +208,10 @@ charon.load_modular = no
 	plugin list is preserved. Enabled plugins not found in that list are ordered
 	alphabetically before other plugins with the same priority.
 
+charon.max_ikev1_exchanges = 3
+	Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about and
+	track concurrently.
+
 charon.max_packet = 10000
 	Maximum packet size accepted by charon.
 
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index 559efcb..7fc421c 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -102,6 +102,11 @@ Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
 strength.
 
 .TP
+.BR charon.dlopen_use_rtld_now " [no]"
+Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal missing
+symbols immediately.
+
+.TP
 .BR charon.dns1 " []"
 DNS server assigned to peer via configuration payload (CP).
 
@@ -152,6 +157,13 @@ Prefix each log entry with the connection name and a unique numerical identifier
 for each IKE_SA.
 
 .TP
+.BR charon.filelog.<filename>.time_add_ms " [no]"
+Adds the milliseconds within the current second after the timestamp (separated
+by a dot, so
+.RI "" "time_format" ""
+should end with %S or %T).
+
+.TP
 .BR charon.filelog.<filename>.time_format " []"
 Prefix each log entry with a timestamp. The option accepts a format string as
 passed to
@@ -344,6 +356,11 @@ reauthentication, but requires support for overlapping SAs by the peer.
 strongSwan can handle such overlapping SAs since version 5.3.0.
 
 .TP
+.BR charon.max_ikev1_exchanges " [3]"
+Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about and
+track concurrently.
+
+.TP
 .BR charon.max_packet " [10000]"
 Maximum packet size accepted by charon.
 
diff --git a/config.h.in b/config.h.in
index 729ddf0..b95e018 100644
--- a/config.h.in
+++ b/config.h.in
@@ -205,6 +205,9 @@
 /* Define to 1 if you have the `setlinebuf' function. */
 #undef HAVE_SETLINEBUF
 
+/* Define to 1 if you have the `sigwaitinfo' function. */
+#undef HAVE_SIGWAITINFO
+
 /* have sqlite3_prepare_v2() */
 #undef HAVE_SQLITE3_PREPARE_V2
 
diff --git a/configure b/configure
index 59a74cc..c810ffd 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for strongSwan 5.3.3.
+# Generated by GNU Autoconf 2.69 for strongSwan 5.3.4.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='5.3.3'
-PACKAGE_STRING='strongSwan 5.3.3'
+PACKAGE_VERSION='5.3.4'
+PACKAGE_STRING='strongSwan 5.3.4'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -977,6 +977,8 @@ USE_GMP_FALSE
 USE_GMP_TRUE
 USE_FIPS_PRF_FALSE
 USE_FIPS_PRF_TRUE
+USE_SHA3_FALSE
+USE_SHA3_TRUE
 USE_SHA2_FALSE
 USE_SHA2_TRUE
 USE_SHA1_FALSE
@@ -1299,6 +1301,7 @@ enable_rdrand
 enable_aesni
 enable_sha1
 enable_sha2
+enable_sha3
 enable_xcbc
 enable_dnskey
 enable_pem
@@ -2029,7 +2032,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 5.3.3 to adapt to many kinds of systems.
+\`configure' configures strongSwan 5.3.4 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -2099,7 +2102,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 5.3.3:";;
+     short | recursive ) echo "Configuration of strongSwan 5.3.4:";;
    esac
   cat <<\_ACEOF
 
@@ -2137,6 +2140,8 @@ Optional Features:
   --disable-sha1          disable SHA1 software implementation plugin.
   --disable-sha2          disable SHA256/SHA384/SHA512 software implementation
                           plugin.
+  --enable-sha3           enable SHA3_224/SHA3_256/SHA3_384/SHA3_512 software
+                          implementation plugin.
   --disable-xcbc          disable xcbc crypto implementation plugin.
   --disable-dnskey        disable DNS RR key decoding plugin.
   --disable-pem           disable PEM decoding plugin.
@@ -2540,7 +2545,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 5.3.3
+strongSwan configure 5.3.4
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -3062,7 +3067,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 5.3.3, which was
+It was created by strongSwan $as_me 5.3.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3925,7 +3930,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='5.3.3'
+ VERSION='5.3.4'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -5194,6 +5199,22 @@ fi
 
 	enabled_by_default=${enabled_by_default}" sha2"
 
+# Check whether --enable-sha3 was given.
+if test "${enable_sha3+set}" = set; then :
+  enableval=$enable_sha3; sha3_given=true
+		if test x$enableval = xyes; then
+			sha3=true
+		 else
+			sha3=false
+		fi
+else
+  sha3=false
+		sha3_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" sha3"
+
 # Check whether --enable-xcbc was given.
 if test "${enable_xcbc+set}" = set; then :
   enableval=$enable_xcbc; xcbc_given=true
@@ -18269,7 +18290,7 @@ _ACEOF
 fi
 done
 
-for ac_func in fmemopen funopen mmap memrchr setlinebuf strptime dirfd
+for ac_func in fmemopen funopen mmap memrchr setlinebuf strptime dirfd sigwaitinfo
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -21969,6 +21990,7 @@ if test x$sha1 = xtrue; then
 		scepclient_plugins=${scepclient_plugins}" sha1"
 		pki_plugins=${pki_plugins}" sha1"
 		scripts_plugins=${scripts_plugins}" sha1"
+		manager_plugins=${manager_plugins}" sha1"
 		medsrv_plugins=${medsrv_plugins}" sha1"
 		attest_plugins=${attest_plugins}" sha1"
 		nm_plugins=${nm_plugins}" sha1"
@@ -21991,10 +22013,23 @@ if test x$sha2 = xtrue; then
 
 	fi
 
+if test x$sha3 = xtrue; then
+		s_plugins=${s_plugins}" sha3"
+		charon_plugins=${charon_plugins}" sha3"
+		scepclient_plugins=${scepclient_plugins}" sha3"
+		pki_plugins=${pki_plugins}" sha3"
+		scripts_plugins=${scripts_plugins}" sha3"
+		medsrv_plugins=${medsrv_plugins}" sha3"
+		attest_plugins=${attest_plugins}" sha3"
+		nm_plugins=${nm_plugins}" sha3"
+		cmd_plugins=${cmd_plugins}" sha3"
+		aikgen_plugins=${aikgen_plugins}" sha3"
+
+	fi
+
 if test x$md4 = xtrue; then
 		s_plugins=${s_plugins}" md4"
 		charon_plugins=${charon_plugins}" md4"
-		manager_plugins=${manager_plugins}" md4"
 		scepclient_plugins=${scepclient_plugins}" md4"
 		pki_plugins=${pki_plugins}" md4"
 		nm_plugins=${nm_plugins}" md4"
@@ -22035,6 +22070,7 @@ if test x$random = xtrue; then
 		scepclient_plugins=${scepclient_plugins}" random"
 		pki_plugins=${pki_plugins}" random"
 		scripts_plugins=${scripts_plugins}" random"
+		manager_plugins=${manager_plugins}" random"
 		medsrv_plugins=${medsrv_plugins}" random"
 		attest_plugins=${attest_plugins}" random"
 		nm_plugins=${nm_plugins}" random"
@@ -23031,6 +23067,14 @@ else
   USE_SHA2_FALSE=
 fi
 
+ if test x$sha3 = xtrue; then
+  USE_SHA3_TRUE=
+  USE_SHA3_FALSE='#'
+else
+  USE_SHA3_TRUE='#'
+  USE_SHA3_FALSE=
+fi
+
  if test x$fips_prf = xtrue; then
   USE_FIPS_PRF_TRUE=
   USE_FIPS_PRF_FALSE='#'
@@ -24499,7 +24543,7 @@ fi
 #  build Makefiles
 # =================
 
-ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswa [...]
+ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswa [...]
 
 
 # =================
@@ -24727,6 +24771,10 @@ if test -z "${USE_SHA2_TRUE}" && test -z "${USE_SHA2_FALSE}"; then
   as_fn_error $? "conditional \"USE_SHA2\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_SHA3_TRUE}" && test -z "${USE_SHA3_FALSE}"; then
+  as_fn_error $? "conditional \"USE_SHA3\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_FIPS_PRF_TRUE}" && test -z "${USE_FIPS_PRF_FALSE}"; then
   as_fn_error $? "conditional \"USE_FIPS_PRF\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -25812,7 +25860,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 5.3.3, which was
+This file was extended by strongSwan $as_me 5.3.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -25878,7 +25926,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-strongSwan config.status 5.3.3
+strongSwan config.status 5.3.4
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -26305,6 +26353,7 @@ do
     "src/libstrongswan/plugins/md5/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/md5/Makefile" ;;
     "src/libstrongswan/plugins/sha1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sha1/Makefile" ;;
     "src/libstrongswan/plugins/sha2/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sha2/Makefile" ;;
+    "src/libstrongswan/plugins/sha3/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sha3/Makefile" ;;
     "src/libstrongswan/plugins/fips_prf/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/fips_prf/Makefile" ;;
     "src/libstrongswan/plugins/gmp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gmp/Makefile" ;;
     "src/libstrongswan/plugins/rdrand/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/rdrand/Makefile" ;;
diff --git a/configure.ac b/configure.ac
index ffd0929..c073c70 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,6 +1,6 @@
 #
 # Copyright (C) 2007-2015 Tobias Brunner
-# Copyright (C) 2006-2014 Andreas Steffen
+# Copyright (C) 2006-2015 Andreas Steffen
 # Copyright (C) 2006-2014 Martin Willi
 # Hochschule fuer Technik Rapperswil
 #
@@ -19,7 +19,7 @@
 #  initialize & set some vars
 # ============================
 
-AC_INIT([strongSwan],[5.3.3])
+AC_INIT([strongSwan],[5.3.4])
 AM_INIT_AUTOMAKE(m4_esyscmd([
 	echo tar-ustar
 	echo subdir-objects
@@ -148,6 +148,7 @@ ARG_ENABL_SET([rdrand],         [enable Intel RDRAND random generator plugin.])
 ARG_ENABL_SET([aesni],          [enable Intel AES-NI crypto plugin.])
 ARG_DISBL_SET([sha1],           [disable SHA1 software implementation plugin.])
 ARG_DISBL_SET([sha2],           [disable SHA256/SHA384/SHA512 software implementation plugin.])
+ARG_ENABL_SET([sha3],           [enable SHA3_224/SHA3_256/SHA3_384/SHA3_512 software implementation plugin.])
 ARG_DISBL_SET([xcbc],           [disable xcbc crypto implementation plugin.])
 # encoding/decoding plugins
 ARG_DISBL_SET([dnskey],         [disable DNS RR key decoding plugin.])
@@ -585,7 +586,7 @@ AC_CHECK_FUNC(
 )
 
 AC_CHECK_FUNCS(prctl mallinfo getpass closefrom getpwnam_r getgrnam_r getpwuid_r)
-AC_CHECK_FUNCS(fmemopen funopen mmap memrchr setlinebuf strptime dirfd)
+AC_CHECK_FUNCS(fmemopen funopen mmap memrchr setlinebuf strptime dirfd sigwaitinfo)
 
 AC_CHECK_FUNC([syslog], [
 	AC_DEFINE([HAVE_SYSLOG], [], [have syslog(3) and friends])
@@ -1282,12 +1283,13 @@ ADD_PLUGIN([aes],                  [s charon scepclient pki scripts nm cmd])
 ADD_PLUGIN([des],                  [s charon scepclient pki scripts nm cmd])
 ADD_PLUGIN([blowfish],             [s charon scepclient pki scripts nm cmd])
 ADD_PLUGIN([rc2],                  [s charon scepclient pki scripts nm cmd])
-ADD_PLUGIN([sha1],                 [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
+ADD_PLUGIN([sha1],                 [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
 ADD_PLUGIN([sha2],                 [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
-ADD_PLUGIN([md4],                  [s charon manager scepclient pki nm cmd])
+ADD_PLUGIN([sha3],                 [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
+ADD_PLUGIN([md4],                  [s charon scepclient pki nm cmd])
 ADD_PLUGIN([md5],                  [s charon scepclient pki scripts attest nm cmd aikgen])
 ADD_PLUGIN([rdrand],               [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
-ADD_PLUGIN([random],               [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
+ADD_PLUGIN([random],               [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
 ADD_PLUGIN([nonce],                [s charon nm cmd aikgen])
 ADD_PLUGIN([x509],                 [s charon scepclient pki scripts attest nm cmd aikgen])
 ADD_PLUGIN([revocation],           [s charon pki nm cmd])
@@ -1439,6 +1441,7 @@ AM_CONDITIONAL(USE_MD4, test x$md4 = xtrue)
 AM_CONDITIONAL(USE_MD5, test x$md5 = xtrue)
 AM_CONDITIONAL(USE_SHA1, test x$sha1 = xtrue)
 AM_CONDITIONAL(USE_SHA2, test x$sha2 = xtrue)
+AM_CONDITIONAL(USE_SHA3, test x$sha3 = xtrue)
 AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue)
 AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue)
 AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue)
@@ -1686,6 +1689,7 @@ AC_CONFIG_FILES([
 	src/libstrongswan/plugins/md5/Makefile
 	src/libstrongswan/plugins/sha1/Makefile
 	src/libstrongswan/plugins/sha2/Makefile
+	src/libstrongswan/plugins/sha3/Makefile
 	src/libstrongswan/plugins/fips_prf/Makefile
 	src/libstrongswan/plugins/gmp/Makefile
 	src/libstrongswan/plugins/rdrand/Makefile
diff --git a/init/systemd/strongswan.service.in b/init/systemd/strongswan.service.in
index 608078b..49c1cd0 100644
--- a/init/systemd/strongswan.service.in
+++ b/init/systemd/strongswan.service.in
@@ -1,6 +1,6 @@
 [Unit]
 Description=strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
-After=syslog.target
+After=syslog.target network.target
 
 [Service]
 ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork
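Review bot: `After=syslog.target network.target` only orders the unit after the network management stack has been started; systemd does not guarantee that any interface has an address when `network.target` is reached. If the intent is that connections configured with `auto=start` can be initiated right at boot, that would need `After=network-online.target` together with `Wants=network-online.target`. If the intent is shutdown ordering (stopping the daemon before the network goes down), a short comment above the line saying so would make the choice clear. Which of the two is meant cannot be told from this hunk.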
diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index 6e7abca..e549e95 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -427,6 +427,14 @@ up-host-v6:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# allow IP6IP6 traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed)
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection setup
 	if [ $VPN_LOGGING ]
 	then
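Review bot: The new `ip6tables -I INPUT 1 ... -p 41 ... $IPSEC_POLICY_IN -j ACCEPT` rule in `up-host-v6:iptables` is only as narrow as `$IPSEC_POLICY_IN`, which is defined outside this hunk and expanded unquoted. If that variable were ever empty, the rule would sit at the top of INPUT and accept unprotected IP6IP6 from the peer address. I would state the dependency in the comment, e.g. `# relies on $IPSEC_POLICY_IN being a non-empty "-m policy" match, otherwise plain proto 41 is accepted`. The same rule text is repeated in the `down-host-v6`, `up-client-v6` and `down-client-v6` hunks, and the `-D` form only removes the rule while its arguments stay identical to the `-I` form. Holding the shared match arguments in one variable would keep the four copies from drifting.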
@@ -451,6 +459,13 @@ down-host-v6:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# IP6IP6 exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection teardown
 	if [ $VPN_LOGGING ]
 	then
@@ -490,6 +505,15 @@ up-client-v6:iptables)
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# allow IP6IP6 traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed).
+	# INPUT is correct here even for forwarded traffic.
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -533,6 +557,13 @@ down-client-v6:iptables)
 	         $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# IP6IP6 exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection teardown
 	if [ $VPN_LOGGING ]
 	then
diff --git a/src/charon-cmd/charon-cmd.c b/src/charon-cmd/charon-cmd.c
index 6f2b6f1..b8f943f 100644
--- a/src/charon-cmd/charon-cmd.c
+++ b/src/charon-cmd/charon-cmd.c
@@ -17,14 +17,13 @@
  */
 
 #include <stdio.h>
-#define _POSIX_PTHREAD_SEMANTICS /* for two param sigwait on OpenSolaris */
 #include <signal.h>
-#undef _POSIX_PTHREAD_SEMANTICS
 #include <pthread.h>
 #include <sys/types.h>
 #include <sys/utsname.h>
 #include <unistd.h>
 #include <getopt.h>
+#include <errno.h>
 
 #include <library.h>
 #include <hydra.h>
@@ -112,12 +111,11 @@ static int run()
 	while (TRUE)
 	{
 		int sig;
-		int error;
 
-		error = sigwait(&set, &sig);
-		if (error)
+		sig = sigwaitinfo(&set, NULL);
+		if (sig == -1)
 		{
-			DBG1(DBG_DMN, "error %d while waiting for a signal", error);
+			DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(errno));
 			return 1;
 		}
 		switch (sig)
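Review bot: In `run()`, every `-1` from `sigwaitinfo()` is treated as fatal, including `errno == EINTR`, which the call reports when the wait is interrupted by a handler for a signal that is not in `set`. The loop then logs and returns 1 instead of waiting again, so an unrelated caught signal can end the wait loop of an IKE daemon. A retry before the `DBG1` call avoids that: `if (sig == -1 && errno == EINTR) continue;`. The same pattern is added in the `run()` hunks of `src/charon-nm/charon-nm.c` and `src/charon-systemd/charon-systemd.c`. `run()` begins and ends outside this hunk, so what the caller does with the return value is not visible here.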
@@ -382,7 +380,7 @@ int main(int argc, char *argv[])
 	lib->plugins->status(lib->plugins, LEVEL_CTRL);
 
 	/* add handler for SEGV and ILL,
-	 * INT, TERM and HUP are handled by sigwait() in run() */
+	 * INT, TERM and HUP are handled by sigwaitinfo() in run() */
 	action.sa_handler = segv_handler;
 	action.sa_flags = 0;
 	sigemptyset(&action.sa_mask);
diff --git a/src/charon-nm/charon-nm.c b/src/charon-nm/charon-nm.c
index 80551f8..1773e7c 100644
--- a/src/charon-nm/charon-nm.c
+++ b/src/charon-nm/charon-nm.c
@@ -18,6 +18,7 @@
 #include <signal.h>
 #include <sys/types.h>
 #include <unistd.h>
+#include <errno.h>
 
 #include <hydra.h>
 #include <daemon.h>
@@ -80,12 +81,11 @@ static void run()
 	while (TRUE)
 	{
 		int sig;
-		int error;
 
-		error = sigwait(&set, &sig);
-		if (error)
+		sig = sigwaitinfo(&set, NULL);
+		if (sig == -1)
 		{
-			DBG1(DBG_DMN, "error %d while waiting for a signal", error);
+			DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(errno));
 			return;
 		}
 		switch (sig)
@@ -237,7 +237,7 @@ int main(int argc, char *argv[])
 	}
 
 	/* add handler for SEGV and ILL,
-	 * INT and TERM are handled by sigwait() in run() */
+	 * INT and TERM are handled by sigwaitinfo() in run() */
 	action.sa_handler = segv_handler;
 	action.sa_flags = 0;
 	sigemptyset(&action.sa_mask);
diff --git a/src/charon-systemd/charon-systemd.c b/src/charon-systemd/charon-systemd.c
index e391a53..f302d45 100644
--- a/src/charon-systemd/charon-systemd.c
+++ b/src/charon-systemd/charon-systemd.c
@@ -249,12 +249,12 @@ static int run()
 
 	while (TRUE)
 	{
-		int sig, error;
+		int sig;
 
-		error = sigwait(&set, &sig);
-		if (error)
+		sig = sigwaitinfo(&set, NULL);
+		if (sig == -1)
 		{
-			DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(error));
+			DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(errno));
 			return SS_RC_INITIALIZATION_FAILED;
 		}
 		switch (sig)
@@ -393,7 +393,7 @@ int main(int argc, char *argv[])
 	}
 
 	/* add handler for SEGV and ILL,
-	 * INT, TERM and HUP are handled by sigwait() in run() */
+	 * INT, TERM and HUP are handled by sigwaitinfo() in run() */
 	action.sa_handler = segv_handler;
 	action.sa_flags = 0;
 	sigemptyset(&action.sa_mask);
diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c
index 7c60f0c..52d82f3 100644
--- a/src/charon-tkm/src/charon-tkm.c
+++ b/src/charon-tkm/src/charon-tkm.c
@@ -24,6 +24,7 @@
 #include <sys/types.h>
 #include <unistd.h>
 #include <libgen.h>
+#include <errno.h>
 
 #include <hydra.h>
 #include <daemon.h>
@@ -42,6 +43,7 @@
 #include "tkm_public_key.h"
 #include "tkm_cred.h"
 #include "tkm_encoder.h"
+#include "tkm_spi_generator.h"
 
 /**
  * TKM bus listener for IKE authorize events.
@@ -98,12 +100,11 @@ static void run()
 	while (TRUE)
 	{
 		int sig;
-		int error;
 
-		error = sigwait(&set, &sig);
-		if (error)
+		sig = sigwaitinfo(&set, NULL);
+		if (sig == -1)
 		{
-			DBG1(DBG_DMN, "error %d while waiting for a signal", error);
+			DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(errno));
 			return;
 		}
 		switch (sig)
@@ -298,6 +299,9 @@ int main(int argc, char *argv[])
 			PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA256),
 		PLUGIN_CALLBACK(kernel_ipsec_register, tkm_kernel_ipsec_create),
 			PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
+		PLUGIN_CALLBACK(tkm_spi_generator_register, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "tkm-spi-generator"),
+				PLUGIN_DEPENDS(CUSTOM, "libcharon-sa-managers"),
 	};
 	lib->plugins->add_static_features(lib->plugins, "tkm-backend", features,
 			countof(features), TRUE, NULL, NULL);
@@ -358,7 +362,7 @@ int main(int argc, char *argv[])
 	lib->encoding->add_encoder(lib->encoding, tkm_encoder_encode);
 
 	/* add handler for SEGV and ILL,
-	 * INT and TERM are handled by sigwait() in run() */
+	 * INT and TERM are handled by sigwaitinfo() in run() */
 	action.sa_handler = segv_handler;
 	action.sa_flags = 0;
 	sigemptyset(&action.sa_mask);
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
index 7a0672a..2d22fbd 100644
--- a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
+++ b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
@@ -281,9 +281,10 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 }
 
 METHOD(kernel_ipsec_t, del_policy, status_t,
-	private_tkm_kernel_ipsec_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
-	mark_t mark, policy_priority_t prio)
+	private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+	mark_t mark, policy_priority_t priority)
 {
 	return SUCCESS;
 }
diff --git a/src/charon-tkm/src/tkm/tkm_spi_generator.c b/src/charon-tkm/src/tkm/tkm_spi_generator.c
new file mode 100644
index 0000000..eff0ca9
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_spi_generator.c
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) 2015 Reto Buerki
+ * Copyright (C) 2015 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <inttypes.h>
+#include <library.h>
+#include <daemon.h>
+
+#include "tkm_spi_generator.h"
+
+/**
+ * Get SPI callback arguments
+ */
+typedef struct {
+	rng_t *rng;
+	u_int64_t spi_mask;
+	u_int64_t spi_label;
+} get_spi_args_t;
+
+static get_spi_args_t *spi_args;
+
+/**
+ * Callback called to generate an IKE SPI.
+ *
+ * @param this			Callback args containing rng_t and spi mask & label
+ * @return				labeled SPI
+ */
+CALLBACK(tkm_get_spi, u_int64_t,
+	const get_spi_args_t const *this)
+{
+	u_int64_t spi;
+
+	if (!this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi))
+	{
+		return 0;
+	}
+
+	return (spi & ~this->spi_mask) | this->spi_label;
+}
+
+bool tkm_spi_generator_register(plugin_t *plugin,
+                                plugin_feature_t *feature,
+                                bool reg, void *cb_data)
+{
+	u_int64_t spi_mask, spi_label;
+	char *spi_val;
+	rng_t *rng;
+
+	if (reg)
+	{
+		rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+		if (!rng)
+		{
+			return FALSE;
+		}
+
+		spi_val = lib->settings->get_str(lib->settings, "%s.spi_mask", NULL,
+										 lib->ns);
+		spi_mask = settings_value_as_uint64(spi_val, 0);
+
+		spi_val = lib->settings->get_str(lib->settings, "%s.spi_label", NULL,
+										 lib->ns);
+		spi_label = settings_value_as_uint64(spi_val, 0);
+
+		INIT(spi_args,
+			.rng = rng,
+			.spi_mask = spi_mask,
+			.spi_label = spi_label,
+		);
+
+		charon->ike_sa_manager->set_spi_cb(charon->ike_sa_manager,
+				tkm_get_spi, spi_args);
+		DBG1(DBG_IKE, "using SPI label 0x%.16"PRIx64" and mask 0x%.16"PRIx64,
+			 spi_label, spi_mask);
+	}
+	else
+	{
+		if (spi_args)
+		{
+			DESTROY_IF(spi_args->rng);
+			free(spi_args);
+		}
+	}
+
+	return TRUE;
+}
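Review bot: The unregister branch of tkm_spi_generator_register() frees `spi_args` but leaves the static pointer, and the callback data handed to `set_spi_cb()`, pointing at the freed memory. A second unregister call would free it twice, and an SPI request arriving after unregistration would read released state in tkm_get_spi(). Add `spi_args = NULL;` after `free(spi_args);`, and clear the callback on the IKE_SA manager before freeing if its API allows that (not visible here). Separately, `const get_spi_args_t const *this` repeats the qualifier on the pointee and can be written `const get_spi_args_t *this`. Nothing checks that `spi_label` has no bits outside `spi_mask`, so a misconfigured label silently overrides random bits of the SPI.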
diff --git a/src/libhydra/kernel/kernel_ipsec.c b/src/charon-tkm/src/tkm/tkm_spi_generator.h
similarity index 53%
copy from src/libhydra/kernel/kernel_ipsec.c
copy to src/charon-tkm/src/tkm/tkm_spi_generator.h
index 1a32ab4..5f9ff03 100644
--- a/src/libhydra/kernel/kernel_ipsec.c
+++ b/src/charon-tkm/src/tkm/tkm_spi_generator.h
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2015 Reto Buerki
+ * Copyright (C) 2015 Adrian-Ken Rueegsegger
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -13,25 +14,23 @@
  * for more details.
  */
 
-#include "kernel_ipsec.h"
+/**
+ * @defgroup tkm-spi-generator spi generator
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_SPI_GENERATOR_H_
+#define TKM_SPI_GENERATOR_H_
 
-#include <hydra.h>
+#include <plugins/plugin.h>
 
 /**
- * See header
+ * Register the TKM SPI generator callback.
+ *
+ * @return			TRUE on success
  */
-bool kernel_ipsec_register(plugin_t *plugin, plugin_feature_t *feature,
-						   bool reg, void *data)
-{
-	if (reg)
-	{
-		hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface,
-											(kernel_ipsec_constructor_t)data);
-	}
-	else
-	{
-		hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface,
-											(kernel_ipsec_constructor_t)data);
-	}
-	return TRUE;
-}
+bool tkm_spi_generator_register(plugin_t *plugin,
+                                plugin_feature_t *feature,
+                                bool reg, void *cb_data);
+
+#endif /** TKM_SPI_GENERATOR_H_ @}*/
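Review bot: The doc comment on tkm_spi_generator_register() documents only the return value and leaves its four parameters undocumented, although `reg` decides whether the call sets the generator up or tears it down. I would add `@param reg TRUE to register the SPI callback, FALSE to release it`. It is also worth noting that `plugin`, `feature` and `cb_data` are not used, which matches the implementation added in tkm_spi_generator.c.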
diff --git a/src/charon/charon.c b/src/charon/charon.c
index 081e494..f03b6e1 100644
--- a/src/charon/charon.c
+++ b/src/charon/charon.c
@@ -17,9 +17,7 @@
  */
 
 #include <stdio.h>
-#define _POSIX_PTHREAD_SEMANTICS /* for two param sigwait on OpenSolaris */
 #include <signal.h>
-#undef _POSIX_PTHREAD_SEMANTICS
 #include <pthread.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -110,12 +108,11 @@ static void run()
 	while (TRUE)
 	{
 		int sig;
-		int error;
 
-		error = sigwait(&set, &sig);
-		if (error)
+		sig = sigwaitinfo(&set, NULL);
+		if (sig == -1)
 		{
-			DBG1(DBG_DMN, "error %d while waiting for a signal", error);
+			DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(errno));
 			return;
 		}
 		switch (sig)
@@ -434,7 +431,7 @@ int main(int argc, char *argv[])
 	}
 
 	/* add handler for SEGV and ILL,
-	 * INT, TERM and HUP are handled by sigwait() in run() */
+	 * INT, TERM and HUP are handled by sigwaitinfo() in run() */
 	action.sa_handler = segv_handler;
 	action.sa_flags = 0;
 	sigemptyset(&action.sa_mask);
diff --git a/src/conftest/conftest.c b/src/conftest/conftest.c
index 584a269..9348b64 100644
--- a/src/conftest/conftest.c
+++ b/src/conftest/conftest.c
@@ -382,15 +382,17 @@ static void load_log_levels(file_logger_t *logger, char *section)
  */
 static void load_logger_options(file_logger_t *logger, char *section)
 {
-	bool ike_name;
 	char *time_format;
+	bool add_ms, ike_name;
 
 	time_format = conftest->test->get_str(conftest->test,
 					"log.%s.time_format", NULL, section);
+	add_ms = conftest->test->get_bool(conftest->test,
+					"log.%s.time_add_ms", FALSE, section);
 	ike_name = conftest->test->get_bool(conftest->test,
 					"log.%s.ike_name", FALSE, section);
 
-	logger->set_options(logger, time_format, ike_name);
+	logger->set_options(logger, time_format, add_ms, ike_name);
 }
 
 /**
@@ -463,7 +465,7 @@ int main(int argc, char *argv[])
 	lib->credmgr->add_set(lib->credmgr, &conftest->creds->set);
 
 	logger = file_logger_create("stdout");
-	logger->set_options(logger, NULL, FALSE);
+	logger->set_options(logger, NULL, FALSE, FALSE);
 	logger->open(logger, FALSE, FALSE);
 	logger->set_level(logger, DBG_ANY, LEVEL_CTRL);
 	charon->bus->add_logger(charon->bus, &logger->logger);
@@ -563,7 +565,7 @@ int main(int argc, char *argv[])
 	sigaddset(&set, SIGTERM);
 	sigprocmask(SIG_BLOCK, &set, NULL);
 
-	while (sigwait(&set, &sig) == 0)
+	while ((sig = sigwaitinfo(&set, NULL)) != -1)
 	{
 		switch (sig)
 		{
diff --git a/src/include/Makefile.am b/src/include/Makefile.am
index 0284c09..8e6db88 100644
--- a/src/include/Makefile.am
+++ b/src/include/Makefile.am
@@ -1,2 +1,2 @@
 EXTRA_DIST = linux/if_alg.h linux/ipsec.h linux/netlink.h linux/rtnetlink.h \
-             linux/pfkeyv2.h linux/udp.h linux/xfrm.h sys/queue.h
+             linux/pfkeyv2.h linux/udp.h linux/socket.h linux/xfrm.h sys/queue.h
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index e2c3cd0..5740544 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -343,7 +343,7 @@ urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 EXTRA_DIST = linux/if_alg.h linux/ipsec.h linux/netlink.h linux/rtnetlink.h \
-             linux/pfkeyv2.h linux/udp.h linux/xfrm.h sys/queue.h
+             linux/pfkeyv2.h linux/udp.h linux/socket.h linux/xfrm.h sys/queue.h
 
 all: all-am
 
diff --git a/src/include/linux/socket.h b/src/include/linux/socket.h
new file mode 100644
index 0000000..76ab0c6
--- /dev/null
+++ b/src/include/linux/socket.h
@@ -0,0 +1,21 @@
+#ifndef _UAPI_LINUX_SOCKET_H
+#define _UAPI_LINUX_SOCKET_H
+
+/*
+ * Desired design of maximum size and alignment (see RFC2553)
+ */
+#define _K_SS_MAXSIZE	128	/* Implementation specific max size */
+#define _K_SS_ALIGNSIZE	(__alignof__ (struct sockaddr *))
+				/* Implementation specific desired alignment */
+
+typedef unsigned short __kernel_sa_family_t;
+
+struct __kernel_sockaddr_storage {
+	__kernel_sa_family_t	ss_family;		/* address family */
+	/* Following field(s) are implementation specific */
+	char		__data[_K_SS_MAXSIZE - sizeof(unsigned short)];
+				/* space to achieve desired size, */
+				/* _SS_MAXSIZE value minus size of ss_family */
+} __attribute__ ((aligned(_K_SS_ALIGNSIZE)));	/* force desired alignment */
+
+#endif /* _UAPI_LINUX_SOCKET_H */
diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8
index 9795451..bc7b633 100644
--- a/src/ipsec/_ipsec.8
+++ b/src/ipsec/_ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2013-10-29" "5.3.3dr5" "strongSwan"
+.TH IPSEC 8 "2013-10-29" "5.3.4dr1" "strongSwan"
 .
 .SH NAME
 .
diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in
index 0798830..89c7ef7 100644
--- a/src/ipsec/_ipsec.in
+++ b/src/ipsec/_ipsec.in
@@ -256,10 +256,10 @@ stop)
 		if [ -n "$spid" ]
 		then
 			kill $spid 2>/dev/null
-			loop=11
+			loop=110
 			while [ $loop -gt 0 ] ; do
 				kill -0 $spid 2>/dev/null || break
-				sleep 1
+				sleep 0.1
 				loop=$(($loop - 1))
 			done
 			if [ $loop -eq 0 ]
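Review bot: `sleep 0.1` needs a sleep implementation that accepts fractional seconds, which POSIX does not require. Where the argument is rejected the command fails at once, the 110 iterations finish almost immediately, and the `$loop -eq 0` branch is reached without the daemon having had its grace period. What that branch does lies outside this hunk, though it reads like the forced-stop path. A fallback keeps the previous timing on such systems: `sleep 0.1 2>/dev/null || { sleep 1; loop=$(($loop - 9)); }`.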
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk
index 5eef6fd..1008579 100644
--- a/src/libcharon/Android.mk
+++ b/src/libcharon/Android.mk
@@ -228,7 +228,6 @@ endif
 # build libcharon --------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
-	$(strongswan_PATH)/src/include \
 	$(strongswan_PATH)/src/libhydra \
 	$(strongswan_PATH)/src/libstrongswan
 
diff --git a/src/libcharon/bus/listeners/file_logger.c b/src/libcharon/bus/listeners/file_logger.c
index e3661bd..7a53e93 100644
--- a/src/libcharon/bus/listeners/file_logger.c
+++ b/src/libcharon/bus/listeners/file_logger.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2015 Tobias Brunner
  * Copyright (C) 2006 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -65,6 +65,11 @@ struct private_file_logger_t {
 	char *time_format;
 
 	/**
+	 * Add milliseconds after the time string
+	 */
+	bool add_ms;
+
+	/**
 	 * Print the name/# of the IKE_SA?
 	 */
 	bool ike_name;
@@ -87,7 +92,9 @@ METHOD(logger_t, log_, void,
 	char timestr[128], namestr[128] = "";
 	const char *current = message, *next;
 	struct tm tm;
-	time_t t;
+	timeval_t tv;
+	time_t s;
+	u_int ms = 0;
 
 	this->lock->read_lock(this->lock);
 	if (!this->out)
@@ -97,8 +104,10 @@ METHOD(logger_t, log_, void,
 	}
 	if (this->time_format)
 	{
-		t = time(NULL);
-		localtime_r(&t, &tm);
+		gettimeofday(&tv, NULL);
+		s = tv.tv_sec;
+		ms = tv.tv_usec / 1000;
+		localtime_r(&s, &tm);
 		strftime(timestr, sizeof(timestr), this->time_format, &tm);
 	}
 	if (this->ike_name && ike_sa)
@@ -126,8 +135,16 @@ METHOD(logger_t, log_, void,
 		next = strchr(current, '\n');
 		if (this->time_format)
 		{
-			fprintf(this->out, "%s %.2d[%N]%s ",
-					timestr, thread, debug_names, group, namestr);
+			if (this->add_ms)
+			{
+				fprintf(this->out, "%s.%03u %.2d[%N]%s ",
+						timestr, ms, thread, debug_names, group, namestr);
+			}
+			else
+			{
+				fprintf(this->out, "%s %.2d[%N]%s ",
+						timestr, thread, debug_names, group, namestr);
+			}
 		}
 		else
 		{
@@ -182,11 +199,12 @@ METHOD(file_logger_t, set_level, void,
 }
 
 METHOD(file_logger_t, set_options, void,
-	private_file_logger_t *this, char *time_format, bool ike_name)
+	private_file_logger_t *this, char *time_format, bool add_ms, bool ike_name)
 {
 	this->lock->write_lock(this->lock);
 	free(this->time_format);
 	this->time_format = strdupnull(time_format);
+	this->add_ms = add_ms;
 	this->ike_name = ike_name;
 	this->lock->unlock(this->lock);
 }
diff --git a/src/libcharon/bus/listeners/file_logger.h b/src/libcharon/bus/listeners/file_logger.h
index 9e5aed5..1bcfec1 100644
--- a/src/libcharon/bus/listeners/file_logger.h
+++ b/src/libcharon/bus/listeners/file_logger.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2015 Tobias Brunner
  * Copyright (C) 2006 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -48,9 +48,12 @@ struct file_logger_t {
 	 * Set options used by this logger
 	 *
 	 * @param time_format	format of timestamp prefix, as in strftime(), cloned
+	 * @param add_ms		TRUE to add the number of milliseconds within the
+	 *						current second after the timestamp
 	 * @param ike_name		TRUE to prefix the name of the IKE_SA
 	 */
-	void (*set_options) (file_logger_t *this, char *time_format, bool ike_name);
+	void (*set_options) (file_logger_t *this, char *time_format, bool add_ms,
+						 bool ike_name);
 
 	/**
 	 * Open (or reopen) the log file according to the given parameters
diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c
index ce93010..aa2a39c 100644
--- a/src/libcharon/config/peer_cfg.c
+++ b/src/libcharon/config/peer_cfg.c
@@ -302,7 +302,7 @@ METHOD(peer_cfg_t, select_child_cfg, child_cfg_t*,
 	enumerator_t *enumerator;
 	int best = 0;
 
-	DBG2(DBG_CFG, "looking for a child config for %#R=== %#R", my_ts, other_ts);
+	DBG2(DBG_CFG, "looking for a child config for %#R === %#R", my_ts, other_ts);
 	enumerator = create_child_cfg_enumerator(this);
 	while (enumerator->enumerate(enumerator, &current))
 	{
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index 316be76..dce2a71 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2012 Tobias Brunner
+ * Copyright (C) 2006-2015 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
@@ -324,11 +324,13 @@ static void load_file_logger(private_daemon_t *this, char *filename,
 	file_logger_t *file_logger;
 	debug_t group;
 	level_t def;
-	bool ike_name, flush_line, append;
+	bool add_ms, ike_name, flush_line, append;
 	char *time_format;
 
 	time_format = lib->settings->get_str(lib->settings,
 						"%s.filelog.%s.time_format", NULL, lib->ns, filename);
+	add_ms = lib->settings->get_bool(lib->settings,
+						"%s.filelog.%s.time_add_ms", FALSE, lib->ns, filename);
 	ike_name = lib->settings->get_bool(lib->settings,
 						"%s.filelog.%s.ike_name", FALSE, lib->ns, filename);
 	flush_line = lib->settings->get_bool(lib->settings,
@@ -337,7 +339,7 @@ static void load_file_logger(private_daemon_t *this, char *filename,
 						"%s.filelog.%s.append", TRUE, lib->ns, filename);
 
 	file_logger = add_file_logger(this, filename, current_loggers);
-	file_logger->set_options(file_logger, time_format, ike_name);
+	file_logger->set_options(file_logger, time_format, add_ms, ike_name);
 	file_logger->open(file_logger, flush_line, append);
 
 	def = lib->settings->get_int(lib->settings, "%s.filelog.%s.default", 1,
@@ -486,8 +488,6 @@ static void destroy(private_daemon_t *this)
 	DESTROY_IF(this->kernel_handler);
 	DESTROY_IF(this->public.traps);
 	DESTROY_IF(this->public.shunts);
-	DESTROY_IF(this->public.child_sa_manager);
-	DESTROY_IF(this->public.ike_sa_manager);
 	DESTROY_IF(this->public.controller);
 	DESTROY_IF(this->public.eap);
 	DESTROY_IF(this->public.xauth);
@@ -560,7 +560,6 @@ METHOD(daemon_t, start, void,
 	run_scripts(this, "start");
 }
 
-
 /**
  * Initialize/deinitialize sender and receiver
  */
@@ -584,12 +583,36 @@ static bool sender_receiver_cb(void *plugin, plugin_feature_t *feature,
 	return TRUE;
 }
 
+/**
+ * Initialize/deinitialize IKE_SA/CHILD_SA managers
+ */
+static bool sa_managers_cb(void *plugin, plugin_feature_t *feature,
+						   bool reg, private_daemon_t *this)
+{
+	if (reg)
+	{
+		this->public.ike_sa_manager = ike_sa_manager_create();
+		if (!this->public.ike_sa_manager)
+		{
+			return FALSE;
+		}
+		this->public.child_sa_manager = child_sa_manager_create();
+	}
+	else
+	{
+		DESTROY_IF(this->public.ike_sa_manager);
+		DESTROY_IF(this->public.child_sa_manager);
+	}
+	return TRUE;
+}
+
 METHOD(daemon_t, initialize, bool,
 	private_daemon_t *this, char *plugins)
 {
 	plugin_feature_t features[] = {
 		PLUGIN_PROVIDE(CUSTOM, "libcharon"),
 			PLUGIN_DEPENDS(NONCE_GEN),
+			PLUGIN_DEPENDS(CUSTOM, "libcharon-sa-managers"),
 			PLUGIN_DEPENDS(CUSTOM, "libcharon-receiver"),
 			PLUGIN_DEPENDS(CUSTOM, "kernel-ipsec"),
 			PLUGIN_DEPENDS(CUSTOM, "kernel-net"),
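Review bot: The unregister branch of sa_managers_cb() destroys both managers but leaves `this->public.ike_sa_manager` and `this->public.child_sa_manager` holding their old values. These public fields are read elsewhere, for example through `charon->ike_sa_manager` in tkm_spi_generator.c in this commit. Teardown now happens when the feature is unloaded rather than in destroy(), so any code still running afterwards would dereference a dangling pointer. Resetting both after the DESTROY_IF calls, e.g. `this->public.ike_sa_manager = NULL;`, makes such an access fail visibly. The result of child_sa_manager_create() is also not checked, although the IKE_SA manager's is; initialize() continues outside this hunk.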
@@ -598,6 +621,10 @@ METHOD(daemon_t, initialize, bool,
 				PLUGIN_DEPENDS(HASHER, HASH_SHA1),
 				PLUGIN_DEPENDS(RNG, RNG_STRONG),
 				PLUGIN_DEPENDS(CUSTOM, "socket"),
+		PLUGIN_CALLBACK((plugin_feature_callback_t)sa_managers_cb, this),
+			PLUGIN_PROVIDE(CUSTOM, "libcharon-sa-managers"),
+				PLUGIN_DEPENDS(HASHER, HASH_SHA1),
+				PLUGIN_DEPENDS(RNG, RNG_WEAK),
 	};
 	lib->plugins->add_static_features(lib->plugins, lib->ns, features,
 									  countof(features), TRUE, NULL, NULL);
@@ -608,13 +635,6 @@ METHOD(daemon_t, initialize, bool,
 		return FALSE;
 	}
 
-	this->public.ike_sa_manager = ike_sa_manager_create();
-	if (this->public.ike_sa_manager == NULL)
-	{
-		return FALSE;
-	}
-	this->public.child_sa_manager = child_sa_manager_create();
-
 	/* Queue start_action job */
 	lib->processor->queue_job(lib->processor, (job_t*)start_action_job_create());
 
diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
index f7f39f9..16978f4 100644
--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009 Tobias Brunner
+ * Copyright (C) 2009-2015 Tobias Brunner
  * Copyright (C) 2010 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -81,6 +81,21 @@ struct private_eap_mschapv2_t
 	 * Number of retries
 	 */
 	int retries;
+
+	/**
+	 * Provide EAP-Identity
+	 */
+	auth_cfg_t *auth;
+
+	/**
+	 * Current state
+	 */
+	enum {
+		S_EXPECT_CHALLENGE,
+		S_EXPECT_RESPONSE,
+		S_EXPECT_SUCCESS,
+		S_DONE,
+	} state;
 };
 
 /**
@@ -628,6 +643,7 @@ METHOD(eap_method_t, initiate_server, status_t,
 	memcpy(cha->name, name, sizeof(MSCHAPV2_HOST_NAME) - 1);
 
 	*out = eap_payload_create_data(chunk_create((void*) eap, len));
+	this->state = S_EXPECT_RESPONSE;
 	return NEED_MORE;
 }
 
@@ -747,6 +763,7 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
 	memcpy(res->name, userid.ptr, userid.len);
 
 	*out = eap_payload_create_data(chunk_create((void*) eap, len));
+	this->state = S_EXPECT_SUCCESS;
 	return NEED_MORE;
 }
 
@@ -829,6 +846,7 @@ static status_t process_peer_success(private_eap_mschapv2_t *this,
 
 	*out = eap_payload_create_data(chunk_create((void*) eap, len));
 	status = NEED_MORE;
+	this->state = S_DONE;
 
 error:
 	chunk_free(&auth_string);
@@ -922,6 +940,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
 	 */
 
 	status = FAILED;
+	this->state = S_DONE;
 
 error:
 	chunk_free(&challenge);
@@ -946,26 +965,38 @@ METHOD(eap_method_t, process_peer, status_t,
 
 	eap = (eap_mschapv2_header_t*)data.ptr;
 
+	switch (this->state)
+	{
+		case S_EXPECT_CHALLENGE:
+			if (eap->opcode == MSCHAPV2_CHALLENGE)
+			{
+				return process_peer_challenge(this, in, out);
+			}
+			break;
+		case S_EXPECT_SUCCESS:
+			switch (eap->opcode)
+			{
+				case MSCHAPV2_SUCCESS:
+					return process_peer_success(this, in, out);
+				case MSCHAPV2_FAILURE:
+					return process_peer_failure(this, in, out);
+			}
+			break;
+		default:
+			break;
+	}
 	switch (eap->opcode)
 	{
 		case MSCHAPV2_CHALLENGE:
-		{
-			return process_peer_challenge(this, in, out);
-		}
 		case MSCHAPV2_SUCCESS:
-		{
-			return process_peer_success(this, in, out);
-		}
 		case MSCHAPV2_FAILURE:
-		{
-			return process_peer_failure(this, in, out);
-		}
+			DBG1(DBG_IKE, "received unexpected EAP-MS-CHAPv2 message with "
+				 "OpCode (%N)!", mschapv2_opcode_names, eap->opcode);
+			break;
 		default:
-		{
 			DBG1(DBG_IKE, "EAP-MS-CHAPv2 received packet with unsupported "
 				 "OpCode (%N)!", mschapv2_opcode_names, eap->opcode);
 			break;
-		}
 	}
 	return FAILED;
 }
@@ -1027,6 +1058,8 @@ static status_t process_server_retry(private_eap_mschapv2_t *this,
 	/* delay the response for some time to make brute-force attacks harder */
 	sleep(RETRY_DELAY);
 
+	/* since the error is retryable the state does not change, we still
+	 * expect an MSCHAPV2_RESPONSE from the peer */
 	return NEED_MORE;
 }
 
@@ -1058,7 +1091,10 @@ static status_t process_server_response(private_eap_mschapv2_t *this,
 	name_len = min(data.len - RESPONSE_PAYLOAD_LEN, 255);
 	snprintf(buf, sizeof(buf), "%.*s", name_len, res->name);
 	userid = identification_create_from_string(buf);
-	DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%Y'", userid);
+	if (!userid->equals(userid, this->peer))
+	{
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 username: '%Y'", userid);
+	}
 	/* userid can only be destroyed after the last use of username */
 	username = extract_username(userid->get_encoding(userid));
 
@@ -1084,7 +1120,6 @@ static status_t process_server_response(private_eap_mschapv2_t *this,
 		chunk_clear(&nt_hash);
 		return FAILED;
 	}
-	userid->destroy(userid);
 	chunk_clear(&nt_hash);
 
 	if (memeq_const(res->response.nt_response, this->nt_response.ptr,
@@ -1109,9 +1144,12 @@ static status_t process_server_response(private_eap_mschapv2_t *this,
 		chunk_free(&hex);
 		memcpy(eap->data, msg, AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE));
 		*out = eap_payload_create_data(chunk_create((void*) eap, len));
+
+		this->auth->add(this->auth, AUTH_RULE_EAP_IDENTITY, userid);
+		this->state = S_EXPECT_SUCCESS;
 		return NEED_MORE;
 	}
-
+	userid->destroy(userid);
 	return process_server_retry(this, out);
 }
 
@@ -1137,26 +1175,39 @@ METHOD(eap_method_t, process_server, status_t,
 
 	eap = (eap_mschapv2_header_t*)data.ptr;
 
+	switch (this->state)
+	{
+		case S_EXPECT_RESPONSE:
+			if (eap->opcode == MSCHAPV2_RESPONSE)
+			{
+				return process_server_response(this, in, out);
+			}
+			break;
+		case S_EXPECT_SUCCESS:
+			if (eap->opcode == MSCHAPV2_SUCCESS &&
+				this->msk.ptr)
+			{
+				return SUCCESS;
+			}
+			break;
+		default:
+			break;
+	}
 	switch (eap->opcode)
 	{
-		case MSCHAPV2_RESPONSE:
-		{
-			return process_server_response(this, in, out);
-		}
-		case MSCHAPV2_SUCCESS:
-		{
-			return SUCCESS;
-		}
 		case MSCHAPV2_FAILURE:
-		{
+			/* the client may abort the authentication by sending us a failure
+			 * in any state */
 			return FAILED;
-		}
+		case MSCHAPV2_RESPONSE:
+		case MSCHAPV2_SUCCESS:
+			DBG1(DBG_IKE, "received unexpected EAP-MS-CHAPv2 message with "
+				 "OpCode (%N)!", mschapv2_opcode_names, eap->opcode);
+			break;
 		default:
-		{
 			DBG1(DBG_IKE, "EAP-MS-CHAPv2 received packet with unsupported "
 				 "OpCode (%N)!", mschapv2_opcode_names, eap->opcode);
 			break;
-		}
 	}
 	return FAILED;
 }
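Review bot: The server side never leaves S_EXPECT_SUCCESS, because the `return SUCCESS;` in the new state switch of process_server() does not advance `this->state`. S_DONE is therefore only reached on the peer side, and a repeated MSCHAPV2_SUCCESS would be accepted again. Setting `this->state = S_DONE;` before that return would mirror process_peer_success(). The `this->msk.ptr` condition also deserves a comment such as `/* only accept SUCCESS after a verified RESPONSE has produced the MSK */`; where the MSK is derived is not visible in this hunk, so confirm the wording. process_server() starts outside the hunk.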
@@ -1197,11 +1248,18 @@ METHOD(eap_method_t, is_mutual, bool,
 	return FALSE;
 }
 
+METHOD(eap_method_t, get_auth, auth_cfg_t*,
+	private_eap_mschapv2_t *this)
+{
+	return this->auth;
+}
+
 METHOD(eap_method_t, destroy, void,
 	 private_eap_mschapv2_t *this)
 {
 	this->peer->destroy(this->peer);
 	this->server->destroy(this->server);
+	this->auth->destroy(this->auth);
 	chunk_free(&this->challenge);
 	chunk_free(&this->nt_response);
 	chunk_free(&this->auth_response);
@@ -1224,11 +1282,14 @@ static private_eap_mschapv2_t *eap_mschapv2_create_generic(identification_t *ser
 				.get_msk = _get_msk,
 				.get_identifier = _get_identifier,
 				.set_identifier = _set_identifier,
+				.get_auth = _get_auth,
 				.destroy = _destroy,
 			},
 		},
 		.peer = peer->clone(peer),
 		.server = server->clone(server),
+		.auth = auth_cfg_create(),
+		.state = S_EXPECT_CHALLENGE,
 	);
 
 	return this;
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.c b/src/libcharon/plugins/eap_radius/eap_radius_provider.c
index 0cf7237..0f207fb 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_provider.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.c
@@ -178,18 +178,38 @@ static void add_addr(private_eap_radius_provider_t *this,
  * Remove the next address from the locked hashtable stored for given id
  */
 static host_t* remove_addr(private_eap_radius_provider_t *this,
-						   hashtable_t *hashtable, uintptr_t id)
+						   hashtable_t *hashtable, uintptr_t id, host_t *addr)
 {
+	enumerator_t *enumerator;
 	entry_t *entry;
-	host_t *addr = NULL;
+	host_t *found = NULL, *current;
 
 	entry = hashtable->remove(hashtable, (void*)id);
 	if (entry)
 	{
-		entry->addrs->remove_first(entry->addrs, (void**)&addr);
+		enumerator = entry->addrs->create_enumerator(entry->addrs);
+		while (enumerator->enumerate(enumerator, &current))
+		{
+			if (addr->ip_equals(addr, current))
+			{	/* prefer an exact match */
+				entry->addrs->remove_at(entry->addrs, enumerator);
+				enumerator->destroy(enumerator);
+				put_or_destroy_entry(hashtable, entry);
+				return current;
+			}
+			if (!found && addr->get_family(addr) == current->get_family(current))
+			{	/* fallback to the first IP with a matching address family */
+				found = current;
+			}
+		}
+		enumerator->destroy(enumerator);
+		if (found)
+		{
+			entry->addrs->remove(entry->addrs, found, NULL);
+		}
 		put_or_destroy_entry(hashtable, entry);
 	}
-	return addr;
+	return found;
 }
 
 /**
@@ -326,7 +346,7 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
 		if (streq(name, "radius"))
 		{
 			this->listener.mutex->lock(this->listener.mutex);
-			addr = remove_addr(this, this->listener.unclaimed, sa);
+			addr = remove_addr(this, this->listener.unclaimed, sa, requested);
 			if (addr)
 			{
 				add_addr(this, this->listener.claimed, sa, addr->clone(addr));
@@ -357,7 +377,7 @@ METHOD(attribute_provider_t, release_address, bool,
 		if (streq(name, "radius"))
 		{
 			this->listener.mutex->lock(this->listener.mutex);
-			found = remove_addr(this, this->listener.claimed, sa);
+			found = remove_addr(this, this->listener.claimed, sa, address);
 			this->listener.mutex->unlock(this->listener.mutex);
 			break;
 		}
diff --git a/src/libcharon/plugins/error_notify/error_notify_listener.c b/src/libcharon/plugins/error_notify/error_notify_listener.c
index f7a1f49..ce577c6 100644
--- a/src/libcharon/plugins/error_notify/error_notify_listener.c
+++ b/src/libcharon/plugins/error_notify/error_notify_listener.c
@@ -110,7 +110,7 @@ METHOD(listener_t, alert, bool,
 			list = va_arg(args, linked_list_t*);
 			list2 = va_arg(args, linked_list_t*);
 			snprintf(msg.str, sizeof(msg.str), "the received traffic selectors "
-					 "did not match: %#R=== %#R", list, list2);
+					 "did not match: %#R === %#R", list, list2);
 			break;
 		case ALERT_INSTALL_CHILD_SA_FAILED:
 			msg.type = htonl(ERROR_NOTIFY_INSTALL_CHILD_SA_FAILED);
diff --git a/src/libcharon/plugins/ha/ha_child.c b/src/libcharon/plugins/ha/ha_child.c
index 17f2d50..dbb6adc 100644
--- a/src/libcharon/plugins/ha/ha_child.c
+++ b/src/libcharon/plugins/ha/ha_child.c
@@ -126,7 +126,7 @@ METHOD(listener_t, child_keys, bool,
 			ike_sa->get_my_host(ike_sa), child_sa->get_spi(child_sa, TRUE));
 	seg_o = this->kernel->get_segment_spi(this->kernel,
 			ike_sa->get_other_host(ike_sa), child_sa->get_spi(child_sa, FALSE));
-	DBG1(DBG_CFG, "handling HA CHILD_SA %s{%d} %#R=== %#R "
+	DBG1(DBG_CFG, "handling HA CHILD_SA %s{%d} %#R === %#R "
 		"(segment in: %d%s, out: %d%s)", child_sa->get_name(child_sa),
 		child_sa->get_unique_id(child_sa), local_ts, remote_ts,
 		seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "",
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
index afa0993..07ef607 100644
--- a/src/libcharon/plugins/ha/ha_dispatcher.c
+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
@@ -848,7 +848,7 @@ static void process_child_add(private_ha_dispatcher_t *this,
 	seg_o = this->kernel->get_segment_spi(this->kernel,
 								ike_sa->get_other_host(ike_sa), outbound_spi);
 
-	DBG1(DBG_CFG, "installed HA CHILD_SA %s{%d} %#R=== %#R "
+	DBG1(DBG_CFG, "installed HA CHILD_SA %s{%d} %#R === %#R "
 		"(segment in: %d%s, out: %d%s)", child_sa->get_name(child_sa),
 		child_sa->get_unique_id(child_sa), local_ts, remote_ts,
 		seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "",
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
index 6246dc5..d738e6d 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
@@ -563,15 +563,16 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 }
 
 METHOD(kernel_ipsec_t, del_policy, status_t,
-	private_kernel_libipsec_ipsec_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
+	private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
 	mark_t mark, policy_priority_t priority)
 {
 	policy_entry_t *policy, *found = NULL;
 	status_t status;
 
 	status = ipsec->policies->del_policy(ipsec->policies, src_ts, dst_ts,
-										 direction, reqid, mark, priority);
+										 direction, sa->reqid, mark, priority);
 
 	policy = create_policy_entry(src_ts, dst_ts, direction);
 
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
index b38ded8..95f79f1 100644
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
@@ -2456,15 +2456,16 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 }
 
 METHOD(kernel_ipsec_t, del_policy, status_t,
-	private_kernel_wfp_ipsec_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
+	private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
 	mark_t mark, policy_priority_t priority)
 {
 	if (direction == POLICY_OUT && priority == POLICY_PRIORITY_ROUTED)
 	{
-		if (remove_trap(this, reqid, FALSE, src_ts, dst_ts))
+		if (remove_trap(this, sa->reqid, FALSE, src_ts, dst_ts))
 		{
-			remove_trap(this, reqid, TRUE, src_ts, dst_ts);
+			remove_trap(this, sa->reqid, TRUE, src_ts, dst_ts);
 			return SUCCESS;
 		}
 		return NOT_FOUND;
diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
index 62d43e3..6a86bb8 100644
--- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
@@ -103,8 +103,9 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 }
 
 METHOD(kernel_ipsec_t, del_policy, status_t,
-	private_load_tester_ipsec_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
+	private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
 	mark_t mark, policy_priority_t priority)
 {
 	return SUCCESS;
diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c
index dbfddbb..13bf3e7 100644
--- a/src/libcharon/plugins/socket_default/socket_default_socket.c
+++ b/src/libcharon/plugins/socket_default/socket_default_socket.c
@@ -148,6 +148,91 @@ struct private_socket_default_socket_t {
 	u_int rr_counter;
 };
 
+/**
+ * Get the destination IPv4 address of a received packet, depending on the
+ * available mechanism.
+ */
+#ifdef IP_PKTINFO
+
+static host_t *get_dst_v4(struct cmsghdr *cmsgptr, u_int16_t port)
+{
+	struct sockaddr_in dst = {
+		.sin_family = AF_INET,
+		.sin_port = htons(port),
+	};
+	struct in_pktinfo *pktinfo;
+	struct in_addr *addr;
+
+	if (cmsgptr->cmsg_type == IP_PKTINFO)
+	{
+		pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsgptr);
+		addr = &pktinfo->ipi_addr;
+		memcpy(&dst.sin_addr, addr, sizeof(dst.sin_addr));
+		return host_create_from_sockaddr((sockaddr_t*)&dst);
+	}
+	return NULL;
+}
+
+#elif defined(IP_RECVDSTADDR)
+
+static host_t *get_dst_v4(struct cmsghdr *cmsgptr, u_int16_t port)
+{
+	struct sockaddr_in dst = {
+		.sin_family = AF_INET,
+		.sin_port = htons(port),
+	};
+	struct in_addr *addr;
+
+	if (cmsgptr->cmsg_type == IP_RECVDSTADDR)
+	{
+		addr = (struct in_addr*)CMSG_DATA(cmsgptr);
+		memcpy(&dst.sin_addr, addr, sizeof(dst.sin_addr));
+		return host_create_from_sockaddr((sockaddr_t*)&dst);
+	}
+	return NULL;
+}
+
+#else /* IP_PKTINFO || IP_RECVDSTADDR */
+
+static host_t *get_dst_v4(struct cmsghdr *cmsgptr, u_int16_t port)
+{
+	return NULL;
+}
+
+#endif /* IP_PKTINFO || IP_RECVDSTADDR */
+
+/**
+ * Get the destination IPv6 address of a received packet, depending on the
+ * available mechanism.
+ */
+#ifdef HAVE_IN6_PKTINFO
+
+static host_t *get_dst_v6(struct cmsghdr *cmsgptr, u_int16_t port)
+{
+	struct in6_pktinfo *pktinfo;
+	struct sockaddr_in6 dst = {
+		.sin6_family = AF_INET6,
+		.sin6_port = htons(port),
+	};
+
+	if (cmsgptr->cmsg_type == IPV6_PKTINFO)
+	{
+		pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
+		memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr));
+		return host_create_from_sockaddr((sockaddr_t*)&dst);
+	}
+	return NULL;
+}
+
+#else /* HAVE_IN6_PKTINFO */
+
+static host_t *get_dst_v6(struct cmsghdr *cmsgptr, u_int16_t port)
+{
+	return NULL;
+}
+
+#endif /* HAVE_IN6_PKTINFO */
+
 METHOD(socket_t, receiver, status_t,
 	private_socket_default_socket_t *this, packet_t **packet)
 {
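Review bot: All three working variants of `get_dst_v4`/`get_dst_v6` cast `CMSG_DATA(cmsgptr)` to the expected structure without checking that `cmsg_len` covers it, so a truncated control message would be read past its payload. The ancillary data normally comes from the kernel, but a guard before the cast, such as `if (cmsgptr->cmsg_len < CMSG_LEN(sizeof(struct in_pktinfo))) return NULL;` (with `struct in_addr` and `struct in6_pktinfo` in the other two variants), is cheap and makes the helpers safe on their own. The doc comments could also say that NULL is returned when the message type does not match or no mechanism is compiled in. The `receiver` method that uses these helpers starts at the end of this hunk and continues outside it.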
@@ -233,48 +318,13 @@ METHOD(socket_t, receiver, status_t,
 				DBG1(DBG_NET, "error reading ancillary data");
 				return FAILED;
 			}
-
-#ifdef HAVE_IN6_PKTINFO
-			if (cmsgptr->cmsg_level == SOL_IPV6 &&
-				cmsgptr->cmsg_type == IPV6_PKTINFO)
+			if (cmsgptr->cmsg_level == SOL_IP)
 			{
-				struct in6_pktinfo *pktinfo;
-				pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
-				struct sockaddr_in6 dst;
-
-				memset(&dst, 0, sizeof(dst));
-				memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr));
-				dst.sin6_family = AF_INET6;
-				dst.sin6_port = htons(port);
-				dest = host_create_from_sockaddr((sockaddr_t*)&dst);
+				dest = get_dst_v4(cmsgptr, port);
 			}
-#endif /* HAVE_IN6_PKTINFO */
-			if (cmsgptr->cmsg_level == SOL_IP &&
-#ifdef IP_PKTINFO
-				cmsgptr->cmsg_type == IP_PKTINFO
-#elif defined(IP_RECVDSTADDR)
-				cmsgptr->cmsg_type == IP_RECVDSTADDR
-#else
-				FALSE
-#endif
-				)
+			else if (cmsgptr->cmsg_level == SOL_IPV6)
 			{
-				struct in_addr *addr;
-				struct sockaddr_in dst;
-
-#ifdef IP_PKTINFO
-				struct in_pktinfo *pktinfo;
-				pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsgptr);
-				addr = &pktinfo->ipi_addr;
-#elif defined(IP_RECVDSTADDR)
-				addr = (struct in_addr*)CMSG_DATA(cmsgptr);
-#endif
-				memset(&dst, 0, sizeof(dst));
-				memcpy(&dst.sin_addr, addr, sizeof(dst.sin_addr));
-
-				dst.sin_family = AF_INET;
-				dst.sin_port = htons(port);
-				dest = host_create_from_sockaddr((sockaddr_t*)&dst);
+				dest = get_dst_v6(cmsgptr, port);
 			}
 			if (dest)
 			{
@@ -305,6 +355,107 @@ METHOD(socket_t, receiver, status_t,
 	return SUCCESS;
 }
 
+/**
+ * Generic function to send a message.
+ */
+static ssize_t send_msg_generic(int skt, struct msghdr *msg)
+{
+	return sendmsg(skt, msg, 0);
+}
+
+/**
+ * Send a message with the IPv4 source address set, if possible.
+ */
+#ifdef IP_PKTINFO
+
+static ssize_t send_msg_v4(int skt, struct msghdr *msg, host_t *src)
+{
+	char buf[CMSG_SPACE(sizeof(struct in_pktinfo))] = {};
+	struct cmsghdr *cmsg;
+	struct in_addr *addr;
+	struct in_pktinfo *pktinfo;
+	struct sockaddr_in *sin;
+
+	msg->msg_control = buf;
+	msg->msg_controllen = sizeof(buf);
+	cmsg = CMSG_FIRSTHDR(msg);
+	cmsg->cmsg_level = SOL_IP;
+	cmsg->cmsg_type = IP_PKTINFO;
+	cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
+
+	pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg);
+	addr = &pktinfo->ipi_spec_dst;
+
+	sin = (struct sockaddr_in*)src->get_sockaddr(src);
+	memcpy(addr, &sin->sin_addr, sizeof(struct in_addr));
+	return send_msg_generic(skt, msg);
+}
+
+#elif defined(IP_SENDSRCADDR)
+
+static ssize_t send_msg_v4(int skt, struct msghdr *msg, host_t *src)
+{
+	char buf[CMSG_SPACE(sizeof(struct in_addr))] = {};
+	struct cmsghdr *cmsg;
+	struct in_addr *addr;
+	struct sockaddr_in *sin;
+
+	msg->msg_control = buf;
+	msg->msg_controllen = sizeof(buf);
+	cmsg = CMSG_FIRSTHDR(msg);
+	cmsg->cmsg_level = SOL_IP;
+	cmsg->cmsg_type = IP_SENDSRCADDR;
+	cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
+
+	addr = (struct in_addr*)CMSG_DATA(cmsg);
+
+	sin = (struct sockaddr_in*)src->get_sockaddr(src);
+	memcpy(addr, &sin->sin_addr, sizeof(struct in_addr));
+	return send_msg_generic(skt, msg);
+}
+
+#else /* IP_PKTINFO || IP_RECVDSTADDR */
+
+static ssize_t send_msg_v4(int skt, struct msghdr *msg, host_t *src)
+{
+	return send_msg_generic(skt, msg);
+}
+
+#endif /* IP_PKTINFO || IP_RECVDSTADDR */
+
+/**
+ * Send a message with the IPv6 source address set, if possible.
+ */
+#ifdef HAVE_IN6_PKTINFO
+
+static ssize_t send_msg_v6(int skt, struct msghdr *msg, host_t *src)
+{
+	char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))] = {};
+	struct cmsghdr *cmsg;
+	struct in6_pktinfo *pktinfo;
+	struct sockaddr_in6 *sin;
+
+	msg->msg_control = buf;
+	msg->msg_controllen = sizeof(buf);
+	cmsg = CMSG_FIRSTHDR(msg);
+	cmsg->cmsg_level = SOL_IPV6;
+	cmsg->cmsg_type = IPV6_PKTINFO;
+	cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
+	pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
+	sin = (struct sockaddr_in6*)src->get_sockaddr(src);
+	memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr));
+	return send_msg_generic(skt, msg);
+}
+
+#else /* HAVE_IN6_PKTINFO */
+
+static ssize_t send_msg_v6(int skt, struct msghdr *msg, host_t *src)
+{
+	return send_msg_generic(skt, msg);
+}
+
+#endif /* HAVE_IN6_PKTINFO */
+
 METHOD(socket_t, sender, status_t,
 	private_socket_default_socket_t *this, packet_t *packet)
 {
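Review bot: `send_msg_v4` and `send_msg_v6` leave `msg->msg_control` pointing at their local `buf` when they return, so the caller's `msghdr` holds a dangling pointer after the call. Nothing visible here reuses `msg` afterwards, but either clear the fields once the send has completed (`msg->msg_control = NULL; msg->msg_controllen = 0;`) or state in the doc comment that `msg` must not be used for another send after the helper returns. Separately, the `#else` and `#endif` labels of the IPv4 variants read `IP_PKTINFO || IP_RECVDSTADDR` while the condition tests `IP_SENDSRCADDR`; they should read `/* IP_PKTINFO || IP_SENDSRCADDR */`. The dangling-pointer remark also applies to the helpers of the same name added in socket_dynamic_socket.c.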
@@ -313,7 +464,6 @@ METHOD(socket_t, sender, status_t,
 	chunk_t data;
 	host_t *src, *dst;
 	struct msghdr msg;
-	struct cmsghdr *cmsg;
 	struct iovec iov;
 	u_int8_t *dscp;
 
@@ -415,56 +565,17 @@ METHOD(socket_t, sender, status_t,
 	{
 		if (family == AF_INET)
 		{
-#if defined(IP_PKTINFO) || defined(IP_SENDSRCADDR)
-			struct in_addr *addr;
-			struct sockaddr_in *sin;
-#ifdef IP_PKTINFO
-			char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
-			struct in_pktinfo *pktinfo;
-#elif defined(IP_SENDSRCADDR)
-			char buf[CMSG_SPACE(sizeof(struct in_addr))];
-#endif
-			memset(buf, 0, sizeof(buf));
-			msg.msg_control = buf;
-			msg.msg_controllen = sizeof(buf);
-			cmsg = CMSG_FIRSTHDR(&msg);
-			cmsg->cmsg_level = SOL_IP;
-#ifdef IP_PKTINFO
-			cmsg->cmsg_type = IP_PKTINFO;
-			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
-			pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg);
-			addr = &pktinfo->ipi_spec_dst;
-#elif defined(IP_SENDSRCADDR)
-			cmsg->cmsg_type = IP_SENDSRCADDR;
-			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
-			addr = (struct in_addr*)CMSG_DATA(cmsg);
-#endif
-			sin = (struct sockaddr_in*)src->get_sockaddr(src);
-			memcpy(addr, &sin->sin_addr, sizeof(struct in_addr));
-#endif /* IP_PKTINFO || IP_SENDSRCADDR */
+			bytes_sent = send_msg_v4(skt, &msg, src);
 		}
-#ifdef HAVE_IN6_PKTINFO
 		else
 		{
-			char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
-			struct in6_pktinfo *pktinfo;
-			struct sockaddr_in6 *sin;
-
-			memset(buf, 0, sizeof(buf));
-			msg.msg_control = buf;
-			msg.msg_controllen = sizeof(buf);
-			cmsg = CMSG_FIRSTHDR(&msg);
-			cmsg->cmsg_level = SOL_IPV6;
-			cmsg->cmsg_type = IPV6_PKTINFO;
-			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
-			pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
-			sin = (struct sockaddr_in6*)src->get_sockaddr(src);
-			memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr));
+			bytes_sent = send_msg_v6(skt, &msg, src);
 		}
-#endif /* HAVE_IN6_PKTINFO */
 	}
-
-	bytes_sent = sendmsg(skt, &msg, 0);
+	else
+	{
+		bytes_sent = send_msg_generic(skt, &msg);
+	}
 
 	if (bytes_sent != data.len)
 	{
diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
index b82a69e..a032134 100644
--- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
+++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
@@ -527,6 +527,62 @@ static dynsock_t *find_socket(private_socket_dynamic_socket_t *this,
 	return skt;
 }
 
+/**
+ * Generic function to send a message.
+ */
+static ssize_t send_msg_generic(int skt, struct msghdr *msg)
+{
+	return sendmsg(skt, msg, 0);
+}
+
+/**
+ * Send a message with the IPv4 source address set.
+ */
+static ssize_t send_msg_v4(int skt, struct msghdr *msg, host_t *src)
+{
+	char buf[CMSG_SPACE(sizeof(struct in_pktinfo))] = {};
+	struct cmsghdr *cmsg;
+	struct in_addr *addr;
+	struct in_pktinfo *pktinfo;
+	struct sockaddr_in *sin;
+
+	msg->msg_control = buf;
+	msg->msg_controllen = sizeof(buf);
+	cmsg = CMSG_FIRSTHDR(msg);
+	cmsg->cmsg_level = SOL_IP;
+	cmsg->cmsg_type = IP_PKTINFO;
+	cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
+
+	pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg);
+	addr = &pktinfo->ipi_spec_dst;
+
+	sin = (struct sockaddr_in*)src->get_sockaddr(src);
+	memcpy(addr, &sin->sin_addr, sizeof(struct in_addr));
+	return send_msg_generic(skt, msg);
+}
+
+/**
+ * Send a message with the IPv6 source address set.
+ */
+static ssize_t send_msg_v6(int skt, struct msghdr *msg, host_t *src)
+{
+	char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))] = {};
+	struct cmsghdr *cmsg;
+	struct in6_pktinfo *pktinfo;
+	struct sockaddr_in6 *sin;
+
+	msg->msg_control = buf;
+	msg->msg_controllen = sizeof(buf);
+	cmsg = CMSG_FIRSTHDR(msg);
+	cmsg->cmsg_level = SOL_IPV6;
+	cmsg->cmsg_type = IPV6_PKTINFO;
+	cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
+	pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
+	sin = (struct sockaddr_in6*)src->get_sockaddr(src);
+	memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr));
+	return send_msg_generic(skt, msg);
+}
+
 METHOD(socket_t, sender, status_t,
 	private_socket_dynamic_socket_t *this, packet_t *packet)
 {
@@ -536,7 +592,6 @@ METHOD(socket_t, sender, status_t,
 	ssize_t len;
 	chunk_t data;
 	struct msghdr msg;
-	struct cmsghdr *cmsg;
 	struct iovec iov;
 
 	src = packet->get_source(packet);
@@ -564,43 +619,18 @@ METHOD(socket_t, sender, status_t,
 	{
 		if (family == AF_INET)
 		{
-			struct in_addr *addr;
-			struct sockaddr_in *sin;
-			char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
-			struct in_pktinfo *pktinfo;
-
-			memset(buf, 0, sizeof(buf));
-			msg.msg_control = buf;
-			msg.msg_controllen = sizeof(buf);
-			cmsg = CMSG_FIRSTHDR(&msg);
-			cmsg->cmsg_level = SOL_IP;
-			cmsg->cmsg_type = IP_PKTINFO;
-			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
-			pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg);
-			addr = &pktinfo->ipi_spec_dst;
-			sin = (struct sockaddr_in*)src->get_sockaddr(src);
-			memcpy(addr, &sin->sin_addr, sizeof(struct in_addr));
+			len = send_msg_v4(skt->fd, &msg, src);
 		}
 		else
 		{
-			char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
-			struct in6_pktinfo *pktinfo;
-			struct sockaddr_in6 *sin;
-
-			memset(buf, 0, sizeof(buf));
-			msg.msg_control = buf;
-			msg.msg_controllen = sizeof(buf);
-			cmsg = CMSG_FIRSTHDR(&msg);
-			cmsg->cmsg_level = SOL_IPV6;
-			cmsg->cmsg_type = IPV6_PKTINFO;
-			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
-			pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
-			sin = (struct sockaddr_in6*)src->get_sockaddr(src);
-			memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr));
+			len = send_msg_v6(skt->fd, &msg, src);
 		}
 	}
+	else
+	{
+		len = send_msg_generic(skt->fd, &msg);
+	}
 
-	len = sendmsg(skt->fd, &msg, 0);
 	if (len != data.len)
 	{
 		DBG1(DBG_NET, "error writing to socket: %s", strerror(errno));
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index f717194..68cf830 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -346,9 +346,9 @@ static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg)
 			{ "sha256",		SIGN_ECDSA_256,					KEY_ECDSA,	},
 			{ "sha384",		SIGN_ECDSA_384,					KEY_ECDSA,	},
 			{ "sha512",		SIGN_ECDSA_521,					KEY_ECDSA,	},
-			{ "sha256",		SIGN_BLISS_WITH_SHA256,			KEY_BLISS,	},
-			{ "sha384",		SIGN_BLISS_WITH_SHA384,			KEY_BLISS,	},
-			{ "sha512",		SIGN_BLISS_WITH_SHA512,			KEY_BLISS,	},
+			{ "sha256",		SIGN_BLISS_WITH_SHA2_256,		KEY_BLISS,	},
+			{ "sha384",		SIGN_BLISS_WITH_SHA2_384,		KEY_BLISS,	},
+			{ "sha512",		SIGN_BLISS_WITH_SHA2_512,		KEY_BLISS,	},
 		};
 
 		if (rsa_len || ecdsa_len || bliss_strength)
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
index 0125d17..5a1a507 100644
--- a/src/libcharon/plugins/stroke/stroke_control.c
+++ b/src/libcharon/plugins/stroke/stroke_control.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2013-2015 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -298,6 +298,41 @@ static void report_terminate_status(private_stroke_control_t *this,
 	}
 }
 
+/**
+ * Call the charon controller to terminate a CHILD_SA
+ */
+static void charon_terminate(private_stroke_control_t *this, u_int32_t id,
+							 stroke_msg_t *msg, FILE *out, bool child)
+{
+	if (msg->output_verbosity >= 0)
+	{
+		stroke_log_info_t info = { msg->output_verbosity, out };
+		status_t status;
+
+		if (child)
+		{
+			status = charon->controller->terminate_child(charon->controller, id,
+							(controller_cb_t)stroke_log, &info, this->timeout);
+		}
+		else
+		{
+			status = charon->controller->terminate_ike(charon->controller, id,
+							(controller_cb_t)stroke_log, &info, this->timeout);
+		}
+		report_terminate_status(this, status, out, id, child);
+	}
+	else if (child)
+	{
+		charon->controller->terminate_child(charon->controller, id,
+										    NULL, NULL, 0);
+	}
+	else
+	{
+		charon->controller->terminate_ike(charon->controller, id,
+										  NULL, NULL, 0);
+	}
+}
+
 METHOD(stroke_control_t, terminate, void,
 	private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
 {
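Review bot: The doc comment on `charon_terminate` says it terminates a CHILD_SA, but the function terminates either kind of SA depending on `child`. It should read `Call the charon controller to terminate an IKE_SA or a CHILD_SA`. The comment should also describe the two modes: with `msg->output_verbosity >= 0` the call uses the `stroke_log` callback and `this->timeout` and reports the status, otherwise it passes no callback and a timeout of 0 and discards the returned status. A one-line comment on the `else if (child)` branch saying the result is deliberately ignored would spare the next reader from wondering whether an error path was forgotten.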
@@ -307,9 +342,7 @@ METHOD(stroke_control_t, terminate, void,
 	ike_sa_t *ike_sa;
 	enumerator_t *enumerator;
 	linked_list_t *ike_list, *child_list;
-	stroke_log_info_t info;
 	uintptr_t del;
-	status_t status;
 
 	if (!parse_specifier(msg->terminate.name, &id, &name, &child, &all))
 	{
@@ -317,22 +350,9 @@ METHOD(stroke_control_t, terminate, void,
 		return;
 	}
 
-	info.out = out;
-	info.level = msg->output_verbosity;
-
 	if (id)
 	{
-		if (child)
-		{
-			status = charon->controller->terminate_child(charon->controller, id,
-							(controller_cb_t)stroke_log, &info, this->timeout);
-		}
-		else
-		{
-			status = charon->controller->terminate_ike(charon->controller, id,
-							(controller_cb_t)stroke_log, &info, this->timeout);
-		}
-		return report_terminate_status(this, status, out, id, child);
+		return charon_terminate(this, id, msg, out, child);
 	}
 
 	ike_list = linked_list_create();
@@ -380,18 +400,14 @@ METHOD(stroke_control_t, terminate, void,
 	enumerator = child_list->create_enumerator(child_list);
 	while (enumerator->enumerate(enumerator, &del))
 	{
-		status = charon->controller->terminate_child(charon->controller, del,
-							(controller_cb_t)stroke_log, &info, this->timeout);
-		report_terminate_status(this, status, out, del, TRUE);
+		charon_terminate(this, del, msg, out, TRUE);
 	}
 	enumerator->destroy(enumerator);
 
 	enumerator = ike_list->create_enumerator(ike_list);
 	while (enumerator->enumerate(enumerator, &del))
 	{
-		status = charon->controller->terminate_ike(charon->controller, del,
-							(controller_cb_t)stroke_log, &info, this->timeout);
-		report_terminate_status(this, status, out, del, FALSE);
+		charon_terminate(this, del, msg, out, FALSE);
 	}
 	enumerator->destroy(enumerator);
 
@@ -548,11 +564,6 @@ METHOD(stroke_control_t, purge_ike, void,
 	child_sa_t *child_sa;
 	linked_list_t *list;
 	uintptr_t del;
-	stroke_log_info_t info;
-	status_t status;
-
-	info.out = out;
-	info.level = msg->output_verbosity;
 
 	list = linked_list_create();
 	enumerator = charon->controller->create_ike_sa_enumerator(
@@ -572,9 +583,7 @@ METHOD(stroke_control_t, purge_ike, void,
 	enumerator = list->create_enumerator(list);
 	while (enumerator->enumerate(enumerator, &del))
 	{
-		status = charon->controller->terminate_ike(charon->controller, del,
-							(controller_cb_t)stroke_log, &info, this->timeout);
-		report_terminate_status(this, status, out, del, TRUE);
+		charon_terminate(this, del, msg, out, FALSE);
 	}
 	enumerator->destroy(enumerator);
 	list->destroy(list);
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index c7e4c9c..c0192b5 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -334,7 +334,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 							child_sa->create_ts_enumerator(child_sa, TRUE));
 	other_ts = linked_list_create_from_enumerator(
 							child_sa->create_ts_enumerator(child_sa, FALSE));
-	fprintf(out, "\n%12s{%d}:   %#R=== %#R\n",
+	fprintf(out, "\n%12s{%d}:   %#R === %#R\n",
 			child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa),
 			my_ts, other_ts);
 	my_ts->destroy(my_ts);
@@ -586,7 +586,7 @@ METHOD(stroke_list_t, status, void,
 			{
 				my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
 				other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL);
-				fprintf(out, "%12s:   child:  %#R=== %#R%N",
+				fprintf(out, "%12s:   child:  %#R === %#R %N",
 						child_cfg->get_name(child_cfg),	my_ts, other_ts,
 						ipsec_mode_names, child_cfg->get_mode(child_cfg));
 				my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
@@ -620,7 +620,7 @@ METHOD(stroke_list_t, status, void,
 		}
 		my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
 		other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL);
-		fprintf(out, "%12s:  %#R=== %#R%N\n",
+		fprintf(out, "%12s:  %#R === %#R %N\n",
 				child_cfg->get_name(child_cfg),	my_ts, other_ts,
 				ipsec_mode_names, child_cfg->get_mode(child_cfg));
 		my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index e20e8ab..b9531d8 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -526,12 +526,21 @@ Unloading fails for pools with leases currently online.
 
 List the currently loaded pools.
 
-	{} => {
+	{
+		leases = <set to yes to include leases>
+	} => {
 		<pool name>* = {
 			base = <virtual IP pool base address>
 			size = <total number of addresses in the pool>
 			online = <number of leases online>
 			offline = <number of leases offline>
+			leases = {
+				<zero-based index>* = {
+					address = <IP address>
+					identity = <assigned identity>
+					status = <online|offline>
+				}
+			}
 		}
 	}
 
@@ -587,6 +596,10 @@ command.
 			initiator = <yes, if initiator of IKE_SA>
 			initiator-spi = <hex encoded initiator SPI / cookie>
 			responder-spi = <hex encoded responder SPI / cookie>
+			nat-local = <yes, if local endpoint is behind a NAT>
+			nat-remote = <yes, if remote endpoint is behind a NAT>
+			nat-fake = <yes, if NAT situation has been faked as responder>
+			nat-any = <yes, if any endpoint is behind a NAT (also if faked)>
 			encr-alg = <IKE encryption algorithm string>
 			encr-keysize = <key size for encr-alg, if applicable>
 			integ-alg = <IKE integrity algorithm string>
@@ -596,6 +609,12 @@ command.
 			established = <seconds the IKE_SA has been established>
 			rekey-time = <seconds before IKE_SA gets rekeyed>
 			reauth-time = <seconds before IKE_SA gets re-authenticated>
+			local-vips = [
+				<list of virtual IPs assigned by the remote peer, installed locally>
+			]
+			remote-vips = [
+				<list of virtual IPs assigned to the remote peer>
+			]
 			tasks-queued = [
 				<list of currently queued tasks for execution>
 			]
diff --git a/src/libcharon/plugins/vici/vici_attribute.c b/src/libcharon/plugins/vici/vici_attribute.c
index f04bae7..9064d3d 100644
--- a/src/libcharon/plugins/vici/vici_attribute.c
+++ b/src/libcharon/plugins/vici/vici_attribute.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Tobias Brunner
+ * Copyright (C) 2014-2015 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2014 Martin Willi
@@ -662,9 +662,16 @@ CALLBACK(get_pools, vici_message_t*,
 	vici_message_t *message)
 {
 	vici_builder_t *builder;
-	enumerator_t *enumerator;
+	enumerator_t *enumerator, *leases;
 	mem_pool_t *vips;
 	pool_t *pool;
+	identification_t *uid;
+	host_t *lease;
+	bool list_leases, on;
+	char buf[32];
+	int i;
+
+	list_leases = message->get_bool(message, FALSE, "leases");
 
 	builder = vici_builder_create();
 
@@ -681,6 +688,23 @@ CALLBACK(get_pools, vici_message_t*,
 		builder->add_kv(builder, "online", "%u", vips->get_online(vips));
 		builder->add_kv(builder, "offline", "%u", vips->get_offline(vips));
 
+		if (list_leases)
+		{
+			i = 0;
+			builder->begin_section(builder, "leases");
+			leases = vips->create_lease_enumerator(vips);
+			while (leases && leases->enumerate(leases, &uid, &lease, &on))
+			{
+				snprintf(buf, sizeof(buf), "%d", i++);
+				builder->begin_section(builder, buf);
+				builder->add_kv(builder, "address", "%H", lease);
+				builder->add_kv(builder, "identity", "%Y", uid);
+				builder->add_kv(builder, "status", on ? "online" : "offline");
+				builder->end_section(builder);
+			}
+			leases->destroy(leases);
+			builder->end_section(builder);
+		}
 		builder->end_section(builder);
 	}
 	enumerator->destroy(enumerator);
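Review bot: The loop condition `leases && leases->enumerate(...)` allows for `create_lease_enumerator()` returning NULL, but the following `leases->destroy(leases);` is unconditional and would dereference that NULL pointer. Either make the cleanup match the guard, `if (leases) { leases->destroy(leases); }`, or drop the `leases &&` test if the enumerator can never be NULL. Because the `leases` section returns assigned addresses together with peer identities, the README entry for this option could also note that it exposes per-client data to any vici client. `get_pools` begins and ends outside this hunk.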
diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c
index ffdc034..6631184 100644
--- a/src/libcharon/plugins/vici/vici_cred.c
+++ b/src/libcharon/plugins/vici/vici_cred.c
@@ -71,6 +71,7 @@ CALLBACK(load_cert, vici_message_t*,
 	certificate_t *cert;
 	x509_t *x509;
 	chunk_t data;
+	bool trusted = TRUE;
 	char *str;
 
 	str = message->get_str(message, NULL, "type");
@@ -99,6 +100,7 @@ CALLBACK(load_cert, vici_message_t*,
 	else if (strcaseeq(str, "x509ac"))
 	{
 		type = CERT_X509_AC;
+		trusted = FALSE;
 	}
 	else
 	{
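Review bot: `trusted = FALSE` is set for `x509ac` without a comment, while every other type keeps the default `TRUE` from the declaration, so the trust decision for credentials loaded over vici is implicit in a type-string branch. A short comment at the assignment saying why attribute certificates are added untrusted, and one at the declaration saying that all other types are stored as trusted, would make this easier to audit. In the last hunk of this file the CRL path calls `add_crl()` and returns `create_reply(NULL)` without looking at a result. If `add_crl()` can decline a CRL (not visible here), the reply should reflect that. `load_cert` begins and ends outside these hunks.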
@@ -131,8 +133,14 @@ CALLBACK(load_cert, vici_message_t*,
 
 	DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
 
-	this->creds->add_cert(this->creds, TRUE, cert);
-
+	if (type == CERT_X509_CRL)
+	{
+		this->creds->add_crl(this->creds, (crl_t*)cert);
+	}
+	else
+	{
+		this->creds->add_cert(this->creds, trusted, cert);
+	}
 	return create_reply(NULL);
 }
 
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 98d264f..9a3d832 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -222,6 +222,45 @@ static void list_task_queue(private_vici_query_t *this, vici_builder_t *b,
 }
 
 /**
+ * Add an IKE_SA condition to the given builder
+ */
+static void add_condition(vici_builder_t *b, ike_sa_t *ike_sa,
+						  char *key, ike_condition_t cond)
+{
+	if (ike_sa->has_condition(ike_sa, cond))
+	{
+		b->add_kv(b, key, "yes");
+	}
+}
+
+/**
+ * List virtual IPs
+ */
+static void list_vips(private_vici_query_t *this, vici_builder_t *b,
+					  ike_sa_t *ike_sa, bool local, char *name)
+{
+	enumerator_t *enumerator;
+	bool has = FALSE;
+	host_t *vip;
+
+	enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, local);
+	while (enumerator->enumerate(enumerator, &vip))
+	{
+		if (!has)
+		{
+			b->begin_list(b, name);
+			has = TRUE;
+		}
+		b->add_li(b, "%H", vip);
+	}
+	enumerator->destroy(enumerator);
+	if (has)
+	{
+		b->end_list(b);
+	}
+}
+
+/**
  * List details of an IKE_SA
  */
 static void list_ike(private_vici_query_t *this, vici_builder_t *b,
@@ -265,6 +304,11 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
 	b->add_kv(b, "initiator-spi", "%.16"PRIx64, id->get_initiator_spi(id));
 	b->add_kv(b, "responder-spi", "%.16"PRIx64, id->get_responder_spi(id));
 
+	add_condition(b, ike_sa, "nat-local", COND_NAT_HERE);
+	add_condition(b, ike_sa, "nat-remote", COND_NAT_THERE);
+	add_condition(b, ike_sa, "nat-fake", COND_NAT_FAKE);
+	add_condition(b, ike_sa, "nat-any", COND_NAT_ANY);
+
 	proposal = ike_sa->get_proposal(ike_sa);
 	if (proposal)
 	{
@@ -310,6 +354,9 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
 		}
 	}
 
+	list_vips(this, b, ike_sa, TRUE, "local-vips");
+	list_vips(this, b, ike_sa, FALSE, "remote-vips");
+
 	list_task_queue(this, b, ike_sa, TASK_QUEUE_QUEUED, "tasks-queued");
 	list_task_queue(this, b, ike_sa, TASK_QUEUE_ACTIVE, "tasks-active");
 	list_task_queue(this, b, ike_sa, TASK_QUEUE_PASSIVE, "tasks-passive");
diff --git a/src/libcharon/processing/jobs/initiate_mediation_job.c b/src/libcharon/processing/jobs/initiate_mediation_job.c
index 5b5fb9d..6c01ffe 100644
--- a/src/libcharon/processing/jobs/initiate_mediation_job.c
+++ b/src/libcharon/processing/jobs/initiate_mediation_job.c
@@ -161,6 +161,10 @@ METHOD(job_t, initiate, job_requeue_t,
 		}
 		mediated_cfg->destroy(mediated_cfg);
 	}
+	else
+	{	/* newly created IKE_SA is not checked in yet, try again */
+		return JOB_RESCHEDULE_MS(100);
+	}
 	return JOB_REQUEUE_NONE;
 }
 
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 73f2ec9..b0f163c 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -413,8 +413,14 @@ METHOD(enumerator_t, policy_enumerate, bool,
 		{	/* protocol mismatch */
 			continue;
 		}
-		*my_out = this->ts;
-		*other_out = other_ts;
+		if (my_out)
+		{
+			*my_out = this->ts;
+		}
+		if (other_out)
+		{
+			*other_out = other_ts;
+		}
 		return TRUE;
 	}
 	return FALSE;
@@ -775,6 +781,50 @@ static bool require_policy_update()
 }
 
 /**
+ * Prepare SA config to install/delete policies
+ */
+static void prepare_sa_cfg(private_child_sa_t *this, ipsec_sa_cfg_t *my_sa,
+						   ipsec_sa_cfg_t *other_sa)
+{
+	enumerator_t *enumerator;
+
+	*my_sa = (ipsec_sa_cfg_t){
+		.mode = this->mode,
+		.reqid = this->reqid,
+		.ipcomp = {
+			.transform = this->ipcomp,
+		},
+	};
+	*other_sa = *my_sa;
+
+	my_sa->ipcomp.cpi = this->my_cpi;
+	other_sa->ipcomp.cpi = this->other_cpi;
+
+	if (this->protocol == PROTO_ESP)
+	{
+		my_sa->esp.use = TRUE;
+		my_sa->esp.spi = this->my_spi;
+		other_sa->esp.use = TRUE;
+		other_sa->esp.spi = this->other_spi;
+	}
+	else
+	{
+		my_sa->ah.use = TRUE;
+		my_sa->ah.spi = this->my_spi;
+		other_sa->ah.use = TRUE;
+		other_sa->ah.spi = this->other_spi;
+	}
+
+	enumerator = create_policy_enumerator(this);
+	while (enumerator->enumerate(enumerator, NULL, NULL))
+	{
+		my_sa->policy_count++;
+		other_sa->policy_count++;
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
  * Install 3 policies: out, in and forward
  */
 static status_t install_policies_internal(private_child_sa_t *this,
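Review bot: The doc comment on `prepare_sa_cfg` does not say that both output structures are overwritten in full, nor that `policy_count` is computed by walking `create_policy_enumerator(this)`. The count relies on the compound literal zero-initialising `policy_count` and on the enumerator accepting NULL for both output arguments, which the `policy_enumerate` hunk above in this file adds. Please extend the comment to something like `Fill my_sa/other_sa from scratch for installing/deleting policies; policy_count is the number of policies the enumerator yields`, and add `/* only counting, no selectors needed */` above the loop. Stating this keeps a later caller from pre-filling fields that would be silently discarded.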
@@ -806,20 +856,22 @@ static status_t install_policies_internal(private_child_sa_t *this,
  * Delete 3 policies: out, in and forward
  */
 static void del_policies_internal(private_child_sa_t *this,
-		traffic_selector_t *my_ts, traffic_selector_t *other_ts,
-		policy_priority_t priority)
+	host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts,
+	traffic_selector_t *other_ts, ipsec_sa_cfg_t *my_sa,
+	ipsec_sa_cfg_t *other_sa, policy_type_t type, policy_priority_t priority)
 {
+
 	hydra->kernel_interface->del_policy(hydra->kernel_interface,
-						my_ts, other_ts, POLICY_OUT, this->reqid,
-						this->mark_out, priority);
+						my_addr, other_addr, my_ts, other_ts, POLICY_OUT, type,
+						other_sa, this->mark_out, priority);
 	hydra->kernel_interface->del_policy(hydra->kernel_interface,
-						other_ts, my_ts,  POLICY_IN, this->reqid,
-						this->mark_in, priority);
+						other_addr, my_addr, other_ts, my_ts, POLICY_IN,
+						type, my_sa, this->mark_in, priority);
 	if (this->mode != MODE_TRANSPORT)
 	{
 		hydra->kernel_interface->del_policy(hydra->kernel_interface,
-						other_ts, my_ts, POLICY_FWD, this->reqid,
-						this->mark_in, priority);
+						other_addr, my_addr, other_ts, my_ts, POLICY_FWD,
+						type, my_sa, this->mark_in, priority);
 	}
 }
 
@@ -864,31 +916,9 @@ METHOD(child_sa_t, add_policies, status_t,
 	if (this->config->install_policy(this->config))
 	{
 		policy_priority_t priority;
-		ipsec_sa_cfg_t my_sa = {
-			.mode = this->mode,
-			.reqid = this->reqid,
-			.ipcomp = {
-				.transform = this->ipcomp,
-			},
-		}, other_sa = my_sa;
-
-		my_sa.ipcomp.cpi = this->my_cpi;
-		other_sa.ipcomp.cpi = this->other_cpi;
-
-		if (this->protocol == PROTO_ESP)
-		{
-			my_sa.esp.use = TRUE;
-			my_sa.esp.spi = this->my_spi;
-			other_sa.esp.use = TRUE;
-			other_sa.esp.spi = this->other_spi;
-		}
-		else
-		{
-			my_sa.ah.use = TRUE;
-			my_sa.ah.spi = this->my_spi;
-			other_sa.ah.use = TRUE;
-			other_sa.ah.spi = this->other_spi;
-		}
+		ipsec_sa_cfg_t my_sa, other_sa;
+
+		prepare_sa_cfg(this, &my_sa, &other_sa);
 
 		/* if we're not in state CHILD_INSTALLING (i.e. if there is no SAD
 		 * entry) we install a trap policy */
@@ -896,14 +926,6 @@ METHOD(child_sa_t, add_policies, status_t,
 		priority = this->trap ? POLICY_PRIORITY_ROUTED
 							  : POLICY_PRIORITY_DEFAULT;
 
-		enumerator = create_policy_enumerator(this);
-		while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
-		{
-			my_sa.policy_count++;
-			other_sa.policy_count++;
-		}
-		enumerator->destroy(enumerator);
-
 		/* enumerate pairs of traffic selectors */
 		enumerator = create_policy_enumerator(this);
 		while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
@@ -1006,47 +1028,24 @@ METHOD(child_sa_t, update, status_t,
 
 	if (this->config->install_policy(this->config) && require_policy_update())
 	{
-		ipsec_sa_cfg_t my_sa = {
-			.mode = this->mode,
-			.reqid = this->reqid,
-			.ipcomp = {
-				.transform = this->ipcomp,
-			},
-		}, other_sa = my_sa;
-
-		my_sa.ipcomp.cpi = this->my_cpi;
-		other_sa.ipcomp.cpi = this->other_cpi;
-
-		if (this->protocol == PROTO_ESP)
-		{
-			my_sa.esp.use = TRUE;
-			my_sa.esp.spi = this->my_spi;
-			other_sa.esp.use = TRUE;
-			other_sa.esp.spi = this->other_spi;
-		}
-		else
-		{
-			my_sa.ah.use = TRUE;
-			my_sa.ah.spi = this->my_spi;
-			other_sa.ah.use = TRUE;
-			other_sa.ah.spi = this->other_spi;
-		}
-
-		/* update policies */
 		if (!me->ip_equals(me, this->my_addr) ||
 			!other->ip_equals(other, this->other_addr))
 		{
+			ipsec_sa_cfg_t my_sa, other_sa;
 			enumerator_t *enumerator;
 			traffic_selector_t *my_ts, *other_ts;
 
+			prepare_sa_cfg(this, &my_sa, &other_sa);
+
 			/* always use high priorities, as hosts getting updated are INSTALLED */
 			enumerator = create_policy_enumerator(this);
 			while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
 			{
 				traffic_selector_t *old_my_ts = NULL, *old_other_ts = NULL;
 				/* remove old policies first */
-				del_policies_internal(this, my_ts, other_ts,
-									  POLICY_PRIORITY_DEFAULT);
+				del_policies_internal(this, this->my_addr, this->other_addr,
+									  my_ts, other_ts, &my_sa, &other_sa,
+									  POLICY_IPSEC, POLICY_PRIORITY_DEFAULT);
 
 				/* check if we have to update a "dynamic" traffic selector */
 				if (!me->ip_equals(me, this->my_addr) &&
@@ -1068,21 +1067,20 @@ METHOD(child_sa_t, update, status_t,
 
 				/* reinstall updated policies */
 				install_policies_internal(this, me, other, my_ts, other_ts,
-								&my_sa, &other_sa, POLICY_IPSEC,
-								POLICY_PRIORITY_DEFAULT);
+										  &my_sa, &other_sa, POLICY_IPSEC,
+										  POLICY_PRIORITY_DEFAULT);
 
 				/* update fallback policies after the new policy is in place */
-				if (old_my_ts || old_other_ts)
-				{
-					del_policies_internal(this, old_my_ts ?: my_ts,
-										  old_other_ts ?: other_ts,
+				del_policies_internal(this, this->my_addr, this->other_addr,
+									  old_my_ts ?: my_ts,
+									  old_other_ts ?: other_ts,
+									  &my_sa, &other_sa, POLICY_DROP,
+									  POLICY_PRIORITY_FALLBACK);
+				install_policies_internal(this, me, other, my_ts, other_ts,
+										  &my_sa, &other_sa, POLICY_DROP,
 										  POLICY_PRIORITY_FALLBACK);
-					install_policies_internal(this, me, other, my_ts, other_ts,
-								&my_sa, &other_sa, POLICY_DROP,
-								POLICY_PRIORITY_FALLBACK);
-					DESTROY_IF(old_my_ts);
-					DESTROY_IF(old_other_ts);
-				}
+				DESTROY_IF(old_my_ts);
+				DESTROY_IF(old_other_ts);
 			}
 			enumerator->destroy(enumerator);
 		}
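Review bot: The `status_t` returned by both `install_policies_internal()` calls is discarded, and the fallback drop policy is now deleted and reinstalled for every traffic selector pair instead of only when a dynamic selector changed. If a reinstall fails, the old policy has already been removed and nothing in the hunk reports it; for the `POLICY_DROP` fallback that would presumably leave the pair without its drop rule. I would at least log the failure, e.g. `if (install_policies_internal(...) != SUCCESS) { DBG1(DBG_CHD, "reinstalling fallback drop policy failed"); }`. update() begins and ends outside this hunk, so whether a later step notices the failure is not visible here.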
@@ -1122,15 +1120,21 @@ METHOD(child_sa_t, destroy, void,
 
 	if (this->config->install_policy(this->config))
 	{
+		ipsec_sa_cfg_t my_sa, other_sa;
+
+		prepare_sa_cfg(this, &my_sa, &other_sa);
+
 		/* delete all policies in the kernel */
 		enumerator = create_policy_enumerator(this);
 		while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
 		{
-			del_policies_internal(this, my_ts, other_ts, priority);
+			del_policies_internal(this, this->my_addr, this->other_addr,
+					my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC, priority);
 			if (priority == POLICY_PRIORITY_DEFAULT && require_policy_update())
 			{
-				del_policies_internal(this, my_ts, other_ts,
-									  POLICY_PRIORITY_FALLBACK);
+				del_policies_internal(this, this->my_addr, this->other_addr,
+								my_ts, other_ts, &my_sa, &other_sa, POLICY_DROP,
+								POLICY_PRIORITY_FALLBACK);
 			}
 		}
 		enumerator->destroy(enumerator);
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index 37d6987..4625df5 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -394,9 +394,17 @@ struct private_ike_sa_manager_t {
 	rng_t *rng;
 
 	/**
-	 * Lock to access the RNG instance
+	 * Registered callback for IKE SPIs
 	 */
-	rwlock_t *rng_lock;
+	struct {
+		spi_cb_t cb;
+		void *data;
+	} spi_cb;
+
+	/**
+	 * Lock to access the RNG instance and the callback
+	 */
+	rwlock_t *spi_lock;
 
 	/**
 	 * reuse existing IKE_SAs in checkout_by_config
@@ -971,13 +979,17 @@ static u_int64_t get_spi(private_ike_sa_manager_t *this)
 {
 	u_int64_t spi;
 
-	this->rng_lock->read_lock(this->rng_lock);
-	if (!this->rng ||
-		!this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi))
+	this->spi_lock->read_lock(this->spi_lock);
+	if (this->spi_cb.cb)
+	{
+		spi = this->spi_cb.cb(this->spi_cb.data);
+	}
+	else if (!this->rng ||
+			 !this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi))
 	{
 		spi = 0;
 	}
-	this->rng_lock->unlock(this->rng_lock);
+	this->spi_lock->unlock(this->spi_lock);
 	return spi;
 }
 
@@ -1188,11 +1200,15 @@ METHOD(ike_sa_manager_t, checkout_new, ike_sa_t*,
  */
 static u_int32_t get_message_id_or_hash(message_t *message)
 {
-	/* Use the message ID, or the message hash in IKEv1 Main/Aggressive mode */
-	if (message->get_major_version(message) == IKEV1_MAJOR_VERSION &&
-		message->get_message_id(message) == 0)
+	if (message->get_major_version(message) == IKEV1_MAJOR_VERSION)
 	{
-		return chunk_hash(message->get_packet_data(message));
+		/* Use a hash for IKEv1 Phase 1, where we don't have a MID, and Quick
+		 * Mode, where all three messages use the same message ID */
+		if (message->get_message_id(message) == 0 ||
+			message->get_exchange_type(message) == QUICK_MODE)
+		{
+			return chunk_hash(message->get_packet_data(message));
+		}
 	}
 	return message->get_message_id(message);
 }
@@ -1384,7 +1400,8 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
 			continue;
 		}
 		if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING)
-		{	/* skip IKE_SAs which are not usable */
+		{	/* skip IKE_SAs which are not usable, wake other waiting threads */
+			entry->condvar->signal(entry->condvar);
 			continue;
 		}
 
@@ -1402,6 +1419,8 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
 				break;
 			}
 		}
+		/* other threads might be waiting for this entry */
+		entry->condvar->signal(entry->condvar);
 	}
 	enumerator->destroy(enumerator);
 
@@ -1434,6 +1453,8 @@ METHOD(ike_sa_manager_t, checkout_by_id, ike_sa_t*,
 				entry->checked_out = TRUE;
 				break;
 			}
+			/* other threads might be waiting for this entry */
+			entry->condvar->signal(entry->condvar);
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -1490,6 +1511,8 @@ METHOD(ike_sa_manager_t, checkout_by_name, ike_sa_t*,
 						ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
 				break;
 			}
+			/* other threads might be waiting for this entry */
+			entry->condvar->signal(entry->condvar);
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -1628,8 +1651,27 @@ METHOD(ike_sa_manager_t, checkin, void,
 			 * delete any existing IKE_SAs with that peer. */
 			if (ike_sa->has_condition(ike_sa, COND_INIT_CONTACT_SEEN))
 			{
+				/* We can't hold the segment locked while checking the
+				 * uniqueness as this could lead to deadlocks.  We mark the
+				 * entry as checked out while we release the lock so no other
+				 * thread can acquire it.  Since it is not yet in the list of
+				 * connected peers that will not cause a deadlock as no other
+				 * caller of check_unqiueness() will try to check out this SA */
+				entry->checked_out = TRUE;
+				unlock_single_segment(this, segment);
+
 				this->public.check_uniqueness(&this->public, ike_sa, TRUE);
 				ike_sa->set_condition(ike_sa, COND_INIT_CONTACT_SEEN, FALSE);
+
+				/* The entry could have been modified in the mean time, e.g.
+				 * because another SA was added/removed next to it or another
+				 * thread is waiting, but it should still exist, so there is no
+				 * need for a lookup via get_entry_by... */
+				lock_single_segment(this, segment);
+				entry->checked_out = FALSE;
+				/* We already signaled waiting threads above, we have to do that
+				 * again after checking the SA out and back in again. */
+				entry->condvar->signal(entry->condvar);
 			}
 		}
 
@@ -2010,6 +2052,15 @@ METHOD(ike_sa_manager_t, get_half_open_count, u_int,
 	return count;
 }
 
+METHOD(ike_sa_manager_t, set_spi_cb, void,
+	private_ike_sa_manager_t *this, spi_cb_t callback, void *data)
+{
+	this->spi_lock->write_lock(this->spi_lock);
+	this->spi_cb.cb = callback;
+	this->spi_cb.data = data;
+	this->spi_lock->unlock(this->spi_lock);
+}
+
 METHOD(ike_sa_manager_t, flush, void,
 	private_ike_sa_manager_t *this)
 {
@@ -2092,10 +2143,12 @@ METHOD(ike_sa_manager_t, flush, void,
 	charon->bus->set_sa(charon->bus, NULL);
 	unlock_all_segments(this);
 
-	this->rng_lock->write_lock(this->rng_lock);
+	this->spi_lock->write_lock(this->spi_lock);
 	this->rng->destroy(this->rng);
 	this->rng = NULL;
-	this->rng_lock->unlock(this->rng_lock);
+	this->spi_cb.cb = NULL;
+	this->spi_cb.data = NULL;
+	this->spi_lock->unlock(this->spi_lock);
 }
 
 METHOD(ike_sa_manager_t, destroy, void,
@@ -2120,7 +2173,7 @@ METHOD(ike_sa_manager_t, destroy, void,
 	free(this->connected_peers_segments);
 	free(this->init_hashes_segments);
 
-	this->rng_lock->destroy(this->rng_lock);
+	this->spi_lock->destroy(this->spi_lock);
 	free(this);
 }
 
@@ -2167,6 +2220,7 @@ ike_sa_manager_t *ike_sa_manager_create()
 			.get_count = _get_count,
 			.get_half_open_count = _get_half_open_count,
 			.flush = _flush,
+			.set_spi_cb = _set_spi_cb,
 			.destroy = _destroy,
 		},
 	);
@@ -2178,7 +2232,7 @@ ike_sa_manager_t *ike_sa_manager_create()
 		free(this);
 		return NULL;
 	}
-	this->rng_lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+	this->spi_lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 
 	this->ikesa_limit = lib->settings->get_int(lib->settings,
 											   "%s.ikesa_limit", 0, lib->ns);
diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h
index 3ea928e..f1b7c25 100644
--- a/src/libcharon/sa/ike_sa_manager.h
+++ b/src/libcharon/sa/ike_sa_manager.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2015 Tobias Brunner
  * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -31,6 +31,16 @@ typedef struct ike_sa_manager_t ike_sa_manager_t;
 #include <config/peer_cfg.h>
 
 /**
+ * Callback called to generate an IKE SPI.
+ *
+ * This may be called from multiple threads concurrently.
+ *
+ * @param data		data supplied during registration of the callback
+ * @return			allocated SPI, 0 on failure
+ */
+typedef u_int64_t (*spi_cb_t)(void *data);
+
+/**
  * Manages and synchronizes access to all IKE_SAs.
  *
  * To synchronize access to thread-unsave IKE_SAs, they are checked out for
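Review bot: The `spi_cb_t` documentation should say that the callback runs while the manager holds its SPI lock. `get_spi()` in ike_sa_manager.c calls it between `read_lock` and `unlock` on `spi_lock`, while `set_spi_cb()` and `flush()` take the write lock on the same lock, so a callback that calls back into either would presumably block on itself. I would add a line such as `* Called with the manager's SPI lock held; must not call set_spi_cb() or flush().` Since `get_spi()` returns the callback's value unchanged, the comment should also state what uniqueness and unpredictability the implementation must provide.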
@@ -227,6 +237,15 @@ struct ike_sa_manager_t {
 								 bool responder_only);
 
 	/**
+	 * Set the callback to generate IKE SPIs
+	 *
+	 * @param callback		callback to register
+	 * @param data			data provided to callback
+	 */
+	void (*set_spi_cb)(ike_sa_manager_t *this, spi_cb_t callback,
+					   void *data);
+
+	/**
 	 * Delete all existing IKE_SAs and destroy them immediately.
 	 *
 	 * Threads will be driven out, so all SAs can be deleted cleanly.
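Review bot: The `set_spi_cb` documentation does not say how to unregister a callback or how long a registration lasts. In ike_sa_manager.c of this commit, a NULL `callback` makes `get_spi()` fall back to the RNG, and `flush()` resets both `cb` and `data` to NULL. I would document that with `@param callback  callback to register, NULL to unregister` and a sentence that flush() clears the registration. The visible hunks never free `data`, so it is also worth stating that it remains owned by the caller.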
diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c
index f5a91db..e428966 100644
--- a/src/libcharon/sa/ikev1/keymat_v1.c
+++ b/src/libcharon/sa/ikev1/keymat_v1.c
@@ -23,14 +23,9 @@
 typedef struct private_keymat_v1_t private_keymat_v1_t;
 
 /**
- * Max. number of IVs to track.
+ * Max. number of IVs/QMs to track.
  */
-#define MAX_IV 3
-
-/**
- * Max. number of Quick Modes to track.
- */
-#define MAX_QM 2
+#define MAX_EXCHANGES_DEFAULT 3
 
 /**
  * Data stored for IVs
@@ -110,6 +105,11 @@ struct private_keymat_v1_t {
 	 * of QMs are tracked at the same time. Stores qm_data_t objects.
 	 */
 	linked_list_t *qms;
+
+	/**
+	 * Max. number of IVs/Quick Modes to track.
+	 */
+	int max_exchanges;
 };
 
 
@@ -874,7 +874,7 @@ static qm_data_t *lookup_quick_mode(private_keymat_v1_t *this, u_int32_t mid)
 	}
 	this->qms->insert_first(this->qms, found);
 	/* remove least recently used state if maximum reached */
-	if (this->qms->get_count(this->qms) > MAX_QM &&
+	if (this->qms->get_count(this->qms) > this->max_exchanges &&
 		this->qms->remove_last(this->qms, (void**)&qm) == SUCCESS)
 	{
 		qm_data_destroy(qm);
@@ -1048,7 +1048,7 @@ static iv_data_t *lookup_iv(private_keymat_v1_t *this, u_int32_t mid)
 	}
 	this->ivs->insert_first(this->ivs, found);
 	/* remove least recently used IV if maximum reached */
-	if (this->ivs->get_count(this->ivs) > MAX_IV &&
+	if (this->ivs->get_count(this->ivs) > this->max_exchanges &&
 		this->ivs->remove_last(this->ivs, (void**)&iv) == SUCCESS)
 	{
 		iv_data_destroy(iv);
@@ -1163,6 +1163,8 @@ keymat_v1_t *keymat_v1_create(bool initiator)
 		.ivs = linked_list_create(),
 		.qms = linked_list_create(),
 		.initiator = initiator,
+		.max_exchanges = lib->settings->get_int(lib->settings,
+					"%s.max_ikev1_exchanges", MAX_EXCHANGES_DEFAULT, lib->ns),
 	);
 
 	return &this->public;
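Review bot: The value read for `max_ikev1_exchanges` is used unchecked, and a setting of 0 or less breaks the eviction logic in `lookup_quick_mode()` and `lookup_iv()` (the two hunks above). Both insert the entry first and then call `remove_last()` when `get_count() > this->max_exchanges`, so with a limit below 1 the entry just inserted is the one removed and destroyed. The rest of those functions is outside the hunks, but they presumably go on to return that entry. I would clamp the value after `INIT`, e.g. `if (this->max_exchanges < 1) { this->max_exchanges = MAX_EXCHANGES_DEFAULT; }`. An upper bound is worth considering too, since the limit governs how much per-SA exchange state is retained.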
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index 678f99d..3c601a4 100644
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -752,6 +752,12 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 			case ALREADY_DONE:
 				cancelled = TRUE;
 				break;
+			case INVALID_ARG:
+				if (task->get_type(task) == TASK_QUICK_MODE)
+				{	/* not responsible for this exchange */
+					continue;
+				}
+				/* FALL */
 			case FAILED:
 			default:
 				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
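Review bot: `INVALID_ARG` now doubles as "this Quick Mode task is not responsible for the message", so a Quick Mode task returning it for a genuine argument error would be skipped by `continue` instead of reaching the `FAILED` handling. The same case is added to process_request() further down. quick_mode.c in this commit returns it from the message-ID check in `process_r` and `build_r`, but the rest of those functions is not visible, so I cannot tell whether it is returned elsewhere. A comment on the case would make the convention explicit, e.g. `/* INVALID_ARG from a Quick Mode task: the MID belongs to another exchange */`. The switch and its enclosing loop start outside the hunk.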
@@ -929,6 +935,28 @@ static bool have_quick_mode_task(private_task_manager_t *this, u_int32_t mid)
 }
 
 /**
+ * Check if we still have an aggressive mode task queued
+ */
+static bool have_aggressive_mode_task(private_task_manager_t *this)
+{
+	enumerator_t *enumerator;
+	task_t *task;
+	bool found = FALSE;
+
+	enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
+	while (enumerator->enumerate(enumerator, &task))
+	{
+		if (task->get_type(task) == TASK_AGGRESSIVE_MODE)
+		{
+			found = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+/**
  * handle an incoming request message
  */
 static status_t process_request(private_task_manager_t *this,
@@ -1034,6 +1062,12 @@ static status_t process_request(private_task_manager_t *this,
 			case ALREADY_DONE:
 				send_response = FALSE;
 				break;
+			case INVALID_ARG:
+				if (task->get_type(task) == TASK_QUICK_MODE)
+				{	/* not responsible for this exchange */
+					continue;
+				}
+				/* FALL */
 			case FAILED:
 			default:
 				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
@@ -1061,6 +1095,22 @@ static status_t process_request(private_task_manager_t *this,
 		 * the same message again. */
 		clear_packets(this->responding.packets);
 	}
+	if (this->queued &&
+		this->queued->get_exchange_type(this->queued) == INFORMATIONAL_V1)
+	{
+		message_t *queued;
+		status_t status;
+
+		queued = this->queued;
+		this->queued = NULL;
+		status = this->public.task_manager.process_message(
+											&this->public.task_manager, queued);
+		queued->destroy(queued);
+		if (status == DESTROY_ME)
+		{
+			return status;
+		}
+	}
 	if (this->passive_tasks->get_count(this->passive_tasks) == 0 &&
 		this->queued_tasks->get_count(this->queued_tasks) > 0)
 	{
@@ -1133,7 +1183,8 @@ static status_t process_response(private_task_manager_t *this,
 	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
 	clear_packets(this->initiating.packets);
 
-	if (this->queued && this->active_tasks->get_count(this->active_tasks) == 0)
+	if (this->queued && !this->active_tasks->get_count(this->active_tasks) &&
+		this->queued->get_exchange_type(this->queued) == TRANSACTION)
 	{
 		queued = this->queued;
 		this->queued = NULL;
@@ -1228,6 +1279,29 @@ static status_t parse_message(private_task_manager_t *this, message_t *msg)
 	return status;
 }
 
+/**
+ * Queue the given message if possible
+ */
+static status_t queue_message(private_task_manager_t *this, message_t *msg)
+{
+	if (this->queued)
+	{
+		DBG1(DBG_IKE, "ignoring %N request, queue full",
+			 exchange_type_names, msg->get_exchange_type(msg));
+		return FAILED;
+	}
+	this->queued = message_create_from_packet(msg->get_packet(msg));
+	if (this->queued->parse_header(this->queued) != SUCCESS)
+	{
+		this->queued->destroy(this->queued);
+		this->queued = NULL;
+		return FAILED;
+	}
+	DBG1(DBG_IKE, "queueing %N request as tasks still active",
+		 exchange_type_names, msg->get_exchange_type(msg));
+	return SUCCESS;
+}
+
 METHOD(task_manager_t, process_message, status_t,
 	private_task_manager_t *this, message_t *msg)
 {
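Review bot: `queue_message()` keeps a message after `parse_header()` only and gives the single slot to whichever message arrives first; nothing in the function shows the message has been authenticated by then. A full queue now returns `FAILED`, and the comment in process_message() says Informational messages are not retransmitted, so an unexpected packet holding the slot would cause a later genuine one to be dropped. Whether checks earlier in process_message() filter such packets is outside this hunk. The header comment should record that limitation and the return values, e.g. `@return SUCCESS if queued, FAILED if the slot is taken or the header is invalid`.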
@@ -1328,25 +1402,29 @@ METHOD(task_manager_t, process_message, status_t,
 			}
 		}
 
-		if (msg->get_exchange_type(msg) == TRANSACTION &&
-			this->active_tasks->get_count(this->active_tasks))
-		{	/* main mode not yet complete, queue XAuth/Mode config tasks */
-			if (this->queued)
+		/* drop XAuth/Mode Config/Quick Mode messages until we received the last
+		 * Aggressive Mode message.  since Informational messages are not
+		 * retransmitted we queue them. */
+		if (have_aggressive_mode_task(this))
+		{
+			if (msg->get_exchange_type(msg) == INFORMATIONAL_V1)
 			{
-				DBG1(DBG_IKE, "ignoring additional %N request, queue full",
-					 exchange_type_names, TRANSACTION);
-				return SUCCESS;
+				return queue_message(this, msg);
 			}
-			this->queued = message_create_from_packet(msg->get_packet(msg));
-			if (this->queued->parse_header(this->queued) != SUCCESS)
+			else if (msg->get_exchange_type(msg) != AGGRESSIVE)
 			{
-				this->queued->destroy(this->queued);
-				this->queued = NULL;
+				DBG1(DBG_IKE, "ignoring %N request while phase 1 is incomplete",
+					 exchange_type_names, msg->get_exchange_type(msg));
 				return FAILED;
 			}
-			DBG1(DBG_IKE, "queueing %N request as tasks still active",
-				 exchange_type_names, TRANSACTION);
-			return SUCCESS;
+		}
+
+		/* queue XAuth/Mode Config messages unless the Main Mode exchange we
+		 * initiated is complete */
+		if (msg->get_exchange_type(msg) == TRANSACTION &&
+			this->active_tasks->get_count(this->active_tasks))
+		{
+			return queue_message(this, msg);
 		}
 
 		msg->set_request(msg, TRUE);
@@ -1724,6 +1802,8 @@ METHOD(task_manager_t, queue_dpd, void,
 							pow(this->retransmit_base, retransmit));
 		}
 	}
+	/* compensate for the already elapsed dpd delay */
+	t -= 1000 * peer_cfg->get_dpd(peer_cfg);
 
 	/* schedule DPD timeout job */
 	lib->scheduler->schedule_job_ms(lib->scheduler,
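Review bot: `t -= 1000 * peer_cfg->get_dpd(peer_cfg);` can drop below zero when the configured DPD delay exceeds the timeout accumulated in `t`. The declaration of `t` is outside the hunk, but if it is unsigned the result wraps to a very large value and the DPD timeout job would effectively never fire. I would guard the subtraction, e.g. `delay = 1000 * peer_cfg->get_dpd(peer_cfg);` followed by `t = (t > delay) ? t - delay : 0;`. The comment could also say which delay has "already elapsed", since queue_dpd() starts outside the hunk.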
diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.c b/src/libcharon/sa/ikev1/tasks/mode_config.c
index d0994a9..a03477e 100644
--- a/src/libcharon/sa/ikev1/tasks/mode_config.c
+++ b/src/libcharon/sa/ikev1/tasks/mode_config.c
@@ -482,7 +482,9 @@ static host_t *assign_migrated_vip(linked_list_t *migrated, host_t *requested)
 	enumerator = migrated->create_enumerator(migrated);
 	while (enumerator->enumerate(enumerator, &vip))
 	{
-		if (vip->ip_equals(vip, requested))
+		if (vip->ip_equals(vip, requested) ||
+		   (requested->is_anyaddr(requested) &&
+			requested->get_family(requested) == vip->get_family(vip)))
 		{
 			migrated->remove_at(migrated, enumerator);
 			found = vip;
diff --git a/src/libcharon/sa/ikev1/tasks/quick_delete.c b/src/libcharon/sa/ikev1/tasks/quick_delete.c
index 1b95a8b..ade59a2 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_delete.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_delete.c
@@ -115,7 +115,7 @@ static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol,
 	if (this->expired)
 	{
 		DBG0(DBG_IKE, "closing expired CHILD_SA %s{%d} "
-			 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+			 "with SPIs %.8x_i %.8x_o and TS %#R === %#R",
 			 child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa),
 			 ntohl(child_sa->get_spi(child_sa, TRUE)),
 			 ntohl(child_sa->get_spi(child_sa, FALSE)), my_ts, other_ts);
@@ -126,7 +126,7 @@ static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol,
 		child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out, NULL);
 
 		DBG0(DBG_IKE, "closing CHILD_SA %s{%d} with SPIs "
-			 "%.8x_i (%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R",
+			 "%.8x_i (%llu bytes) %.8x_o (%llu bytes) and TS %#R === %#R",
 			 child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa),
 			 ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in,
 			 ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out,
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index d6a3f2c..e7d2644 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -388,7 +388,7 @@ static bool install(private_quick_mode_t *this)
 				this->child_sa->create_ts_enumerator(this->child_sa, FALSE));
 
 	DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
-		 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+		 "with SPIs %.8x_i %.8x_o and TS %#R === %#R",
 		 this->child_sa->get_name(this->child_sa),
 		 this->child_sa->get_unique_id(this->child_sa),
 		 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
@@ -1026,7 +1026,7 @@ METHOD(task_t, process_r, status_t,
 {
 	if (this->mid && this->mid != message->get_message_id(message))
 	{	/* not responsible for this quick mode exchange */
-		return NEED_MORE;
+		return INVALID_ARG;
 	}
 
 	switch (this->state)
@@ -1200,7 +1200,7 @@ METHOD(task_t, build_r, status_t,
 {
 	if (this->mid && this->mid != message->get_message_id(message))
 	{	/* not responsible for this quick mode exchange */
-		return NEED_MORE;
+		return INVALID_ARG;
 	}
 
 	switch (this->state)
diff --git a/src/libcharon/sa/ikev1/tasks/xauth.c b/src/libcharon/sa/ikev1/tasks/xauth.c
index a770e90..c0c9157 100644
--- a/src/libcharon/sa/ikev1/tasks/xauth.c
+++ b/src/libcharon/sa/ikev1/tasks/xauth.c
@@ -271,7 +271,10 @@ static bool add_auth_cfg(private_xauth_t *this, identification_t *id, bool local
 
 	auth = auth_cfg_create();
 	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_XAUTH);
-	auth->add(auth, AUTH_RULE_XAUTH_IDENTITY, id->clone(id));
+	if (id)
+	{
+		auth->add(auth, AUTH_RULE_XAUTH_IDENTITY, id->clone(id));
+	}
 	auth->merge(auth, this->ike_sa->get_auth_cfg(this->ike_sa, local), FALSE);
 	this->ike_sa->add_auth_cfg(this->ike_sa, local, auth);
 
@@ -342,7 +345,10 @@ METHOD(task_t, build_i, status_t,
 				break;
 			case SUCCESS:
 				DESTROY_IF(cp);
-				this->status = XAUTH_OK;
+				if (add_auth_cfg(this, NULL, FALSE) && allowed(this))
+				{
+					this->status = XAUTH_OK;
+				}
 				this->public.task.process = _process_i_status;
 				return build_i_status(this, message);
 			default:
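Review bot: When `add_auth_cfg(this, NULL, FALSE)` or `allowed(this)` fails, `this->status` keeps whatever value it had, so the result sent by `build_i_status()` depends on an initialisation outside this hunk. I would make the rejection explicit with `else { this->status = XAUTH_FAILED; }`, assuming that is the failure constant used elsewhere in the file. `add_auth_cfg()` now also accepts a NULL `id` (previous hunk), and its comment should say so: the resulting auth config carries `AUTH_CLASS_XAUTH` without an `AUTH_RULE_XAUTH_IDENTITY`, which consumers of that rule have to tolerate.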
diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
index fce0840..55cb5dd 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.c
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
@@ -527,6 +527,7 @@ METHOD(keymat_v2_t, derive_child_keys, bool,
 			case ENCR_AES_GCM_ICV12:
 			case ENCR_AES_GCM_ICV16:
 			case ENCR_AES_CTR:
+			case ENCR_CAMELLIA_CTR:
 			case ENCR_NULL_AUTH_AES_GMAC:
 			case ENCR_CHACHA20_POLY1305:
 				enc_size += 4;
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index e08f3da..97f73d8 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -712,7 +712,7 @@ static status_t select_and_install(private_child_create_t *this,
 				this->child_sa->create_ts_enumerator(this->child_sa, FALSE));
 
 	DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
-		 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+		 "with SPIs %.8x_i %.8x_o and TS %#R === %#R",
 		 this->child_sa->get_name(this->child_sa),
 		 this->child_sa->get_unique_id(this->child_sa),
 		 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
@@ -1245,7 +1245,7 @@ METHOD(task_t, build_r, status_t,
 	}
 	if (this->config == NULL)
 	{
-		DBG1(DBG_IKE, "traffic selectors %#R=== %#R inacceptable",
+		DBG1(DBG_IKE, "traffic selectors %#R === %#R inacceptable",
 			 this->tsr, this->tsi);
 		charon->bus->alert(charon->bus, ALERT_TS_MISMATCH, this->tsi, this->tsr);
 		message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c
index f0b11e2..877ae05 100644
--- a/src/libcharon/sa/ikev2/tasks/child_delete.c
+++ b/src/libcharon/sa/ikev2/tasks/child_delete.c
@@ -266,7 +266,7 @@ static void log_children(private_child_delete_t *this)
 		if (this->expired)
 		{
 			DBG0(DBG_IKE, "closing expired CHILD_SA %s{%d} "
-				 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+				 "with SPIs %.8x_i %.8x_o and TS %#R === %#R",
 				 child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa),
 				 ntohl(child_sa->get_spi(child_sa, TRUE)),
 				 ntohl(child_sa->get_spi(child_sa, FALSE)), my_ts, other_ts);
@@ -277,7 +277,7 @@ static void log_children(private_child_delete_t *this)
 			child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out, NULL);
 
 			DBG0(DBG_IKE, "closing CHILD_SA %s{%d} with SPIs %.8x_i "
-				 "(%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R",
+				 "(%llu bytes) %.8x_o (%llu bytes) and TS %#R === %#R",
 				 child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa),
 				 ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in,
 				 ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out,
diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.c b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
index 11b0bb2..cbdc5e7 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_mobike.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
@@ -339,7 +339,11 @@ METHOD(ike_mobike_t, transmit, bool,
 		{
 			if (me->ip_equals(me, me_old))
 			{
-				charon->sender->send(charon->sender, packet->clone(packet));
+				copy = packet->clone(packet);
+				/* hosts might have been updated by a peer's MOBIKE exchange */
+				copy->set_source(copy, me_old->clone(me_old));
+				copy->set_destination(copy, other_old->clone(other_old));
+				charon->sender->send(charon->sender, copy);
 				me->destroy(me);
 				return TRUE;
 			}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_natd.c b/src/libcharon/sa/ikev2/tasks/ike_natd.c
index 9e0eb68..dd34c12 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_natd.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_natd.c
@@ -129,25 +129,6 @@ static chunk_t generate_natd_hash(private_ike_natd_t *this,
 }
 
 /**
- * build a faked NATD payload to enforce UDP encap
- */
-static chunk_t generate_natd_hash_faked(private_ike_natd_t *this)
-{
-	rng_t *rng;
-	chunk_t chunk;
-
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng || !rng->allocate_bytes(rng, HASH_SIZE_SHA1, &chunk))
-	{
-		DBG1(DBG_IKE, "unable to get random bytes for NATD fake");
-		DESTROY_IF(rng);
-		return chunk_empty;
-	}
-	rng->destroy(rng);
-	return chunk;
-}
-
-/**
  * Build a NAT detection notify payload.
  */
 static notify_payload_t *build_natd_payload(private_ike_natd_t *this,
@@ -162,7 +143,14 @@ static notify_payload_t *build_natd_payload(private_ike_natd_t *this,
 	config = this->ike_sa->get_ike_cfg(this->ike_sa);
 	if (force_encap(config) && type == NAT_DETECTION_SOURCE_IP)
 	{
-		hash = generate_natd_hash_faked(this);
+		u_int32_t addr;
+
+		/* chunk_hash() is randomly keyed so this produces a random IPv4 address
+		 * that changes with every restart but otherwise stays the same */
+		addr = chunk_hash(chunk_from_chars(0x00, 0x00, 0x00, 0x00));
+		host = host_create_from_chunk(AF_INET, chunk_from_thing(addr), 0);
+		hash = generate_natd_hash(this, ike_sa_id, host);
+		host->destroy(host);
 	}
 	else
 	{
diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c
index 1a98443..5231994 100644
--- a/src/libcharon/sa/shunt_manager.c
+++ b/src/libcharon/sa/shunt_manager.c
@@ -63,9 +63,9 @@ struct private_shunt_manager_t {
 static bool install_shunt_policy(child_cfg_t *child)
 {
 	enumerator_t *e_my_ts, *e_other_ts;
-	linked_list_t *my_ts_list, *other_ts_list;
+	linked_list_t *my_ts_list, *other_ts_list, *hosts;
 	traffic_selector_t *my_ts, *other_ts;
-	host_t *host_any;
+	host_t *host_any, *host_any6;
 	policy_type_t policy_type;
 	policy_priority_t policy_prio;
 	status_t status = SUCCESS;
@@ -85,9 +85,13 @@ static bool install_shunt_policy(child_cfg_t *child)
 			return FALSE;
 	}
 
-	my_ts_list =    child->get_traffic_selectors(child, TRUE,  NULL, NULL);
-	other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, NULL);
 	host_any = host_create_any(AF_INET);
+	host_any6 = host_create_any(AF_INET6);
+
+	hosts = linked_list_create_with_items(host_any, host_any6, NULL);
+	my_ts_list =    child->get_traffic_selectors(child, TRUE,  NULL, hosts);
+	other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, hosts);
+	hosts->destroy(hosts);
 
 	/* enumerate pairs of traffic selectors */
 	e_my_ts = my_ts_list->create_enumerator(my_ts_list);
@@ -96,6 +100,16 @@ static bool install_shunt_policy(child_cfg_t *child)
 		e_other_ts = other_ts_list->create_enumerator(other_ts_list);
 		while (e_other_ts->enumerate(e_other_ts, &other_ts))
 		{
+			if (my_ts->get_type(my_ts) != other_ts->get_type(other_ts))
+			{
+				continue;
+			}
+			if (my_ts->get_protocol(my_ts) &&
+				other_ts->get_protocol(other_ts) &&
+				my_ts->get_protocol(my_ts) != other_ts->get_protocol(other_ts))
+			{
+				continue;
+			}
 			/* install out policy */
 			status |= hydra->kernel_interface->add_policy(
 								hydra->kernel_interface, host_any, host_any,
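Review bot: The selector-pair filter added here is repeated line for line in uninstall_shunt_policy (the hunk at -212,22), and removal only works if both loops skip exactly the same pairs. A later edit to one copy would leave policies installed that uninstall never visits, which matters for DROP shunts. I would move the test into one static helper and call it from both loops as `if (!ts_pair_usable(my_ts, other_ts)) { continue; }`. Both function bodies continue outside their hunks.

```c
/* TRUE if both selectors have the same address family and compatible protocols */
static bool ts_pair_usable(traffic_selector_t *my_ts,
						   traffic_selector_t *other_ts)
{
	u_int8_t my_proto = my_ts->get_protocol(my_ts);
	u_int8_t other_proto = other_ts->get_protocol(other_ts);

	if (my_ts->get_type(my_ts) != other_ts->get_type(other_ts))
	{
		return FALSE;
	}
	/* protocol 0 matches any protocol */
	return !my_proto || !other_proto || my_proto == other_proto;
}
```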
@@ -125,6 +139,7 @@ static bool install_shunt_policy(child_cfg_t *child)
 							   offsetof(traffic_selector_t, destroy));
 	other_ts_list->destroy_offset(other_ts_list,
 							   offsetof(traffic_selector_t, destroy));
+	host_any6->destroy(host_any6);
 	host_any->destroy(host_any);
 
 	return status == SUCCESS;
@@ -185,25 +200,35 @@ METHOD(shunt_manager_t, install, bool,
 static void uninstall_shunt_policy(child_cfg_t *child)
 {
 	enumerator_t *e_my_ts, *e_other_ts;
-	linked_list_t *my_ts_list, *other_ts_list;
+	linked_list_t *my_ts_list, *other_ts_list, *hosts;
 	traffic_selector_t *my_ts, *other_ts;
+	host_t *host_any, *host_any6;
+	policy_type_t policy_type;
 	policy_priority_t policy_prio;
 	status_t status = SUCCESS;
+	ipsec_sa_cfg_t sa = { .mode = MODE_TRANSPORT };
 
 	switch (child->get_mode(child))
 	{
 		case MODE_PASS:
+			policy_type = POLICY_PASS;
 			policy_prio = POLICY_PRIORITY_PASS;
 			break;
 		case MODE_DROP:
+			policy_type = POLICY_DROP;
 			policy_prio = POLICY_PRIORITY_FALLBACK;
 			break;
 		default:
 			return;
 	}
 
-	my_ts_list =    child->get_traffic_selectors(child, TRUE,  NULL, NULL);
-	other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, NULL);
+	host_any = host_create_any(AF_INET);
+	host_any6 = host_create_any(AF_INET6);
+
+	hosts = linked_list_create_with_items(host_any, host_any6, NULL);
+	my_ts_list =    child->get_traffic_selectors(child, TRUE,  NULL, hosts);
+	other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, hosts);
+	hosts->destroy(hosts);
 
 	/* enumerate pairs of traffic selectors */
 	e_my_ts = my_ts_list->create_enumerator(my_ts_list);
@@ -212,22 +237,35 @@ static void uninstall_shunt_policy(child_cfg_t *child)
 		e_other_ts = other_ts_list->create_enumerator(other_ts_list);
 		while (e_other_ts->enumerate(e_other_ts, &other_ts))
 		{
+			if (my_ts->get_type(my_ts) != other_ts->get_type(other_ts))
+			{
+				continue;
+			}
+			if (my_ts->get_protocol(my_ts) &&
+				other_ts->get_protocol(other_ts) &&
+				my_ts->get_protocol(my_ts) != other_ts->get_protocol(other_ts))
+			{
+				continue;
+			}
 			/* uninstall out policy */
 			status |= hydra->kernel_interface->del_policy(
-							hydra->kernel_interface, my_ts, other_ts,
-							POLICY_OUT, 0, child->get_mark(child, FALSE),
+							hydra->kernel_interface, host_any, host_any,
+							my_ts, other_ts, POLICY_OUT, policy_type,
+							&sa, child->get_mark(child, FALSE),
 							policy_prio);
 
 			/* uninstall in policy */
 			status |= hydra->kernel_interface->del_policy(
-							hydra->kernel_interface, other_ts, my_ts,
-							POLICY_IN, 0, child->get_mark(child, TRUE),
+							hydra->kernel_interface, host_any, host_any,
+							other_ts, my_ts, POLICY_IN, policy_type,
+							&sa, child->get_mark(child, TRUE),
 							policy_prio);
 
 			/* uninstall forward policy */
 			status |= hydra->kernel_interface->del_policy(
-							hydra->kernel_interface, other_ts, my_ts,
-							POLICY_FWD, 0, child->get_mark(child, TRUE),
+							hydra->kernel_interface, host_any, host_any,
+							other_ts, my_ts, POLICY_FWD, policy_type,
+							&sa, child->get_mark(child, TRUE),
 							policy_prio);
 		}
 		e_other_ts->destroy(e_other_ts);
@@ -238,6 +276,8 @@ static void uninstall_shunt_policy(child_cfg_t *child)
 							   offsetof(traffic_selector_t, destroy));
 	other_ts_list->destroy_offset(other_ts_list,
 							   offsetof(traffic_selector_t, destroy));
+	host_any6->destroy(host_any6);
+	host_any->destroy(host_any);
 
 	if (status != SUCCESS)
 	{
diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
index 63505c9..90ad7e4 100644
--- a/src/libcharon/sa/trap_manager.c
+++ b/src/libcharon/sa/trap_manager.c
@@ -211,6 +211,7 @@ METHOD(trap_manager_t, install, u_int32_t,
 	if (this->installing == INSTALL_DISABLED)
 	{	/* flush() has been called */
 		this->lock->unlock(this->lock);
+		other->destroy(other);
 		me->destroy(me);
 		return 0;
 	}
@@ -235,6 +236,7 @@ METHOD(trap_manager_t, install, u_int32_t,
 		{
 			DBG1(DBG_CFG, "CHILD_SA '%s' is already being routed", found->name);
 			this->lock->unlock(this->lock);
+			other->destroy(other);
 			me->destroy(me);
 			return 0;
 		}
diff --git a/src/libfast/fast_dispatcher.c b/src/libfast/fast_dispatcher.c
index 4daf919..b4c6ce3 100644
--- a/src/libfast/fast_dispatcher.c
+++ b/src/libfast/fast_dispatcher.c
@@ -383,14 +383,13 @@ METHOD(fast_dispatcher_t, waitsignal, void,
 	private_fast_dispatcher_t *this)
 {
 	sigset_t set;
-	int sig;
 
 	sigemptyset(&set);
 	sigaddset(&set, SIGINT);
 	sigaddset(&set, SIGTERM);
 	sigaddset(&set, SIGHUP);
 	sigprocmask(SIG_BLOCK, &set, NULL);
-	sigwait(&set, &sig);
+	sigwaitinfo(&set, NULL);
 }
 
 METHOD(fast_dispatcher_t, destroy, void,
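Review bot: The new `sigwaitinfo(&set, NULL)` call ignores its return value, so waitsignal() can return although none of SIGINT, SIGTERM or SIGHUP has arrived. Unlike sigwait(), sigwaitinfo() fails with -1 and EINTR when a handler for a signal outside `set` interrupts it. I would retry in that case: `while (sigwaitinfo(&set, NULL) == -1 && errno == EINTR);`.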
diff --git a/src/libhydra/Android.mk b/src/libhydra/Android.mk
index af39f04..7b62e95 100644
--- a/src/libhydra/Android.mk
+++ b/src/libhydra/Android.mk
@@ -20,7 +20,6 @@ LOCAL_SRC_FILES += $(call add_plugin, kernel-netlink)
 # build libhydra ---------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
-	$(strongswan_PATH)/src/include \
 	$(strongswan_PATH)/src/libstrongswan
 
 LOCAL_CFLAGS := $(strongswan_CFLAGS)
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
index ce31bd4..89e95ad 100644
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2013 Tobias Brunner
+ * Copyright (C) 2008-2015 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
@@ -509,16 +509,17 @@ METHOD(kernel_interface_t, query_policy, status_t,
 }
 
 METHOD(kernel_interface_t, del_policy, status_t,
-	private_kernel_interface_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
+	private_kernel_interface_t *this, host_t *src, host_t *dst,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
 	mark_t mark, policy_priority_t priority)
 {
 	if (!this->ipsec)
 	{
 		return NOT_SUPPORTED;
 	}
-	return this->ipsec->del_policy(this->ipsec, src_ts, dst_ts,
-								   direction, reqid, mark, priority);
+	return this->ipsec->del_policy(this->ipsec, src, dst, src_ts, dst_ts,
+								   direction, type, sa, mark, priority);
 }
 
 METHOD(kernel_interface_t, flush_policies, status_t,
@@ -738,44 +739,52 @@ METHOD(kernel_interface_t, get_address_by_ts, status_t,
 }
 
 
-METHOD(kernel_interface_t, add_ipsec_interface, void,
+METHOD(kernel_interface_t, add_ipsec_interface, bool,
 	private_kernel_interface_t *this, kernel_ipsec_constructor_t constructor)
 {
 	if (!this->ipsec)
 	{
 		this->ipsec_constructor = constructor;
 		this->ipsec = constructor();
+		return this->ipsec != NULL;
 	}
+	return FALSE;
 }
 
-METHOD(kernel_interface_t, remove_ipsec_interface, void,
+METHOD(kernel_interface_t, remove_ipsec_interface, bool,
 	private_kernel_interface_t *this, kernel_ipsec_constructor_t constructor)
 {
 	if (constructor == this->ipsec_constructor && this->ipsec)
 	{
 		this->ipsec->destroy(this->ipsec);
 		this->ipsec = NULL;
+		return TRUE;
 	}
+	return FALSE;
 }
 
-METHOD(kernel_interface_t, add_net_interface, void,
+METHOD(kernel_interface_t, add_net_interface, bool,
 	private_kernel_interface_t *this, kernel_net_constructor_t constructor)
 {
 	if (!this->net)
 	{
 		this->net_constructor = constructor;
 		this->net = constructor();
+		return this->net != NULL;
 	}
+	return FALSE;
 }
 
-METHOD(kernel_interface_t, remove_net_interface, void,
+METHOD(kernel_interface_t, remove_net_interface, bool,
 	private_kernel_interface_t *this, kernel_net_constructor_t constructor)
 {
 	if (constructor == this->net_constructor && this->net)
 	{
 		this->net->destroy(this->net);
 		this->net = NULL;
+		return TRUE;
 	}
+	return FALSE;
 }
 
 METHOD(kernel_interface_t, add_listener, void,
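Review bot: In add_ipsec_interface and add_net_interface the constructor pointer is stored before the constructor has succeeded, so after a failed `constructor()` the object still records a backend that never came up. The remove functions do not reset `ipsec_constructor`/`net_constructor` either. The new bool result reports the failure, but the stale pointer remains the only record of who registered. Unless a constructor relies on the field being set while it runs (not visible here), I would assign it only on success, `if ((this->ipsec = constructor())) { this->ipsec_constructor = constructor; return TRUE; }`, and clear it next to `this->ipsec = NULL;` on removal.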
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
index 96ce9e2..45efe89 100644
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2013 Tobias Brunner
+ * Copyright (C) 2006-2015 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -265,9 +265,6 @@ struct kernel_interface_t {
 	/**
 	 * Add a policy to the SPD.
 	 *
-	 * A policy is always associated to an SA. Traffic which matches a
-	 * policy is handled by the SA with the same reqid.
-	 *
 	 * @param src			source address of SA
 	 * @param dst			dest address of SA
 	 * @param src_ts		traffic selector to match traffic source
@@ -309,24 +306,24 @@ struct kernel_interface_t {
 	/**
 	 * Remove a policy from the SPD.
 	 *
-	 * The kernel interface implements reference counting for policies.
-	 * If the same policy is installed multiple times (in the case of rekeying),
-	 * the reference counter is increased. del_policy() decreases the ref counter
-	 * and removes the policy only when no more references are available.
-	 *
+	 * @param src			source address of SA
+	 * @param dst			dest address of SA
 	 * @param src_ts		traffic selector to match traffic source
 	 * @param dst_ts		traffic selector to match traffic dest
 	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
-	 * @param reqid			unique ID of the associated SA
-	 * @param mark			optional mark
+	 * @param type			type of policy, POLICY_(IPSEC|PASS|DROP)
+	 * @param sa			details about the SA(s) tied to this policy
+	 * @param mark			mark for this policy
 	 * @param priority		priority of the policy
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*del_policy) (kernel_interface_t *this,
+							host_t *src, host_t *dst,
 							traffic_selector_t *src_ts,
 							traffic_selector_t *dst_ts,
-							policy_dir_t direction, u_int32_t reqid,
-							mark_t mark, policy_priority_t priority);
+							policy_dir_t direction, policy_type_t type,
+							ipsec_sa_cfg_t *sa, mark_t mark,
+							policy_priority_t priority);
 
 	/**
 	 * Flush all policies from the SPD.
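Review bot: The rewritten del_policy() comment lists the new parameters but no longer states the contract callers depend on. In this commit the netlink backend finds the assignment to remove by comparing priority, type and an SA built from src/dst/mark/sa, and it dereferences `sa` unconditionally. The paragraph on reference counting is removed without replacement, although the backends still keep a policy in the kernel while other SAs use it. I would add a line such as `* src, dst, type, sa, mark and priority must equal the values passed to add_policy(); sa must not be NULL.` The identical comment in kernel_ipsec.h needs the same addition.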
@@ -502,39 +499,49 @@ struct kernel_interface_t {
 	/**
 	 * Register an ipsec kernel interface constructor on the manager.
 	 *
-	 * @param create			constructor to register
+	 * @param create		constructor to register
+	 * @return				TRUE if the ipsec kernel interface was registered
+	 *						successfully, FALSE if an interface was already
+	 *						registered or the registration failed
 	 */
-	void (*add_ipsec_interface)(kernel_interface_t *this,
+	bool (*add_ipsec_interface)(kernel_interface_t *this,
 								kernel_ipsec_constructor_t create);
 
 	/**
 	 * Unregister an ipsec kernel interface constructor.
 	 *
-	 * @param create			constructor to unregister
+	 * @param create		constructor to unregister
+	 * @return				TRUE if the ipsec kernel interface was unregistered
+	 *						successfully, FALSE otherwise
 	 */
-	void (*remove_ipsec_interface)(kernel_interface_t *this,
+	bool (*remove_ipsec_interface)(kernel_interface_t *this,
 								   kernel_ipsec_constructor_t create);
 
 	/**
 	 * Register a network kernel interface constructor on the manager.
 	 *
-	 * @param create			constructor to register
+	 * @param create		constructor to register
+	 * @return				TRUE if the kernel net interface was registered
+	 *						successfully, FALSE if an interface was already
+	 *						registered or the registration failed
 	 */
-	void (*add_net_interface)(kernel_interface_t *this,
+	bool (*add_net_interface)(kernel_interface_t *this,
 							  kernel_net_constructor_t create);
 
 	/**
 	 * Unregister a network kernel interface constructor.
 	 *
-	 * @param create			constructor to unregister
+	 * @param create		constructor to unregister
+	 * @return				TRUE if the kernel net interface was unregistered
+	 *						successfully, FALSE otherwise
 	 */
-	void (*remove_net_interface)(kernel_interface_t *this,
+	bool (*remove_net_interface)(kernel_interface_t *this,
 								 kernel_net_constructor_t create);
 
 	/**
 	 * Add a listener to the kernel interface.
 	 *
-	 * @param listener			listener to add
+	 * @param listener		listener to add
 	 */
 	void (*add_listener)(kernel_interface_t *this,
 						 kernel_listener_t *listener);
@@ -542,7 +549,7 @@ struct kernel_interface_t {
 	/**
 	 * Remove a listener from the kernel interface.
 	 *
-	 * @param listener			listener to remove
+	 * @param listener		listener to remove
 	 */
 	void (*remove_listener)(kernel_interface_t *this,
 							kernel_listener_t *listener);
diff --git a/src/libhydra/kernel/kernel_ipsec.c b/src/libhydra/kernel/kernel_ipsec.c
index 1a32ab4..697b1b3 100644
--- a/src/libhydra/kernel/kernel_ipsec.c
+++ b/src/libhydra/kernel/kernel_ipsec.c
@@ -25,13 +25,14 @@ bool kernel_ipsec_register(plugin_t *plugin, plugin_feature_t *feature,
 {
 	if (reg)
 	{
-		hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface,
+		return hydra->kernel_interface->add_ipsec_interface(
+											hydra->kernel_interface,
 											(kernel_ipsec_constructor_t)data);
 	}
 	else
 	{
-		hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface,
+		return hydra->kernel_interface->remove_ipsec_interface(
+											hydra->kernel_interface,
 											(kernel_ipsec_constructor_t)data);
 	}
-	return TRUE;
 }
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
index 19caaa4..2458db5 100644
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2012 Tobias Brunner
+ * Copyright (C) 2006-2015 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -186,9 +186,6 @@ struct kernel_ipsec_t {
 	/**
 	 * Add a policy to the SPD.
 	 *
-	 * A policy is always associated to an SA. Traffic which matches a
-	 * policy is handled by the SA with the same reqid.
-	 *
 	 * @param src			source address of SA
 	 * @param dst			dest address of SA
 	 * @param src_ts		traffic selector to match traffic source
@@ -231,24 +228,24 @@ struct kernel_ipsec_t {
 	/**
 	 * Remove a policy from the SPD.
 	 *
-	 * The kernel interface implements reference counting for policies.
-	 * If the same policy is installed multiple times (in the case of rekeying),
-	 * the reference counter is increased. del_policy() decreases the ref counter
-	 * and removes the policy only when no more references are available.
-	 *
+	 * @param src			source address of SA
+	 * @param dst			dest address of SA
 	 * @param src_ts		traffic selector to match traffic source
 	 * @param dst_ts		traffic selector to match traffic dest
 	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
-	 * @param reqid			unique ID of the associated SA
-	 * @param mark			optional mark
+	 * @param type			type of policy, POLICY_(IPSEC|PASS|DROP)
+	 * @param sa			details about the SA(s) tied to this policy
+	 * @param mark			mark for this policy
 	 * @param priority		priority of the policy
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*del_policy) (kernel_ipsec_t *this,
+							host_t *src, host_t *dst,
 							traffic_selector_t *src_ts,
 							traffic_selector_t *dst_ts,
-							policy_dir_t direction, u_int32_t reqid,
-							mark_t mark, policy_priority_t priority);
+							policy_dir_t direction, policy_type_t type,
+							ipsec_sa_cfg_t *sa, mark_t mark,
+							policy_priority_t priority);
 
 	/**
 	 * Flush all policies from the SPD.
diff --git a/src/libhydra/kernel/kernel_net.c b/src/libhydra/kernel/kernel_net.c
index 0841ed8..07d8b29 100644
--- a/src/libhydra/kernel/kernel_net.c
+++ b/src/libhydra/kernel/kernel_net.c
@@ -25,13 +25,14 @@ bool kernel_net_register(plugin_t *plugin, plugin_feature_t *feature,
 {
 	if (reg)
 	{
-		hydra->kernel_interface->add_net_interface(hydra->kernel_interface,
+		return hydra->kernel_interface->add_net_interface(
+											hydra->kernel_interface,
 											(kernel_net_constructor_t)data);
 	}
 	else
 	{
-		hydra->kernel_interface->remove_net_interface(hydra->kernel_interface,
+		return hydra->kernel_interface->remove_net_interface(
+											hydra->kernel_interface,
 											(kernel_net_constructor_t)data);
 	}
-	return TRUE;
 }
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 605476e..8c506d9 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2013 Tobias Brunner
+ * Copyright (C) 2006-2015 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2008 Andreas Steffen
  * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
@@ -318,11 +318,6 @@ struct private_kernel_netlink_ipsec_t {
 	bool proto_port_transport;
 
 	/**
-	 * Whether to track the history of a policy
-	 */
-	bool policy_history;
-
-	/**
 	 * Whether to always use UPDATE to install policies
 	 */
 	bool policy_update;
@@ -2140,7 +2135,7 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 			{
 				continue;
 			}
-			tmpl->reqid = policy->reqid;
+			tmpl->reqid = ipsec->cfg.reqid;
 			tmpl->id.proto = protos[i].proto;
 			tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
 			tmpl->mode = mode2kernel(proto_mode);
@@ -2322,7 +2317,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	current = this->policies->get(this->policies, policy);
 	if (current)
 	{
-		if (current->reqid != sa->reqid)
+		if (current->reqid && sa->reqid && current->reqid != sa->reqid)
 		{
 			DBG1(DBG_CFG, "unable to install policy %R === %R %N (mark "
 				 "%u/0x%08x) for reqid %u, the same policy for reqid %u exists",
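Review bot: The relaxed condition needs a comment saying why a zero reqid on either side is exempt from the conflict check. Elsewhere in this commit, shunt policies are removed with an `ipsec_sa_cfg_t` that only sets `.mode`, i.e. reqid 0, so presumably they are meant to share a policy entry with an IPsec SA. I would add `/* reqid 0 (e.g. pass/drop shunts) never conflicts with another assignment */` above the `if`. What `current->reqid` becomes afterwards when it was 0 is outside the hunk and worth checking.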
@@ -2352,26 +2347,19 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 								   dst_ts, mark, sa);
 	assigned_sa->priority = get_priority(policy, priority);
 
-	if (this->policy_history)
-	{	/* insert the SA according to its priority */
-		enumerator = policy->used_by->create_enumerator(policy->used_by);
-		while (enumerator->enumerate(enumerator, (void**)&current_sa))
+	/* insert the SA according to its priority */
+	enumerator = policy->used_by->create_enumerator(policy->used_by);
+	while (enumerator->enumerate(enumerator, (void**)&current_sa))
+	{
+		if (current_sa->priority >= assigned_sa->priority)
 		{
-			if (current_sa->priority >= assigned_sa->priority)
-			{
-				break;
-			}
-			update = FALSE;
+			break;
 		}
-		policy->used_by->insert_before(policy->used_by, enumerator,
-									   assigned_sa);
-		enumerator->destroy(enumerator);
-	}
-	else
-	{	/* simply insert it last and only update if it is not installed yet */
-		policy->used_by->insert_last(policy->used_by, assigned_sa);
-		update = !found;
+		update = FALSE;
 	}
+	policy->used_by->insert_before(policy->used_by, enumerator,
+								   assigned_sa);
+	enumerator->destroy(enumerator);
 
 	if (!update)
 	{	/* we don't update the policy if the priority is lower than that of
@@ -2482,8 +2470,9 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 }
 
 METHOD(kernel_ipsec_t, del_policy, status_t,
-	private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
+	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
 	mark_t mark, policy_priority_t prio)
 {
 	policy_entry_t *current, policy;
@@ -2494,6 +2483,12 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	struct xfrm_userpolicy_id *policy_id;
 	bool is_installed = TRUE;
 	u_int32_t priority;
+	ipsec_sa_t assigned_sa = {
+		.src = src,
+		.dst = dst,
+		.mark = mark,
+		.cfg = *sa,
+	};
 
 	DBG2(DBG_KNL, "deleting policy %R === %R %N  (mark %u/0x%08x)",
 				   src_ts, dst_ts, policy_dir_names, direction,
@@ -2508,7 +2503,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	/* find the policy */
 	this->mutex->lock(this->mutex);
 	current = this->policies->get(this->policies, &policy);
-	if (!current || current->reqid != reqid)
+	if (!current)
 	{
 		if (mark.value)
 		{
@@ -2525,28 +2520,21 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 		return NOT_FOUND;
 	}
 
-	if (this->policy_history)
-	{	/* remove mapping to SA by reqid and priority */
-		priority = get_priority(current, prio);
-		enumerator = current->used_by->create_enumerator(current->used_by);
-		while (enumerator->enumerate(enumerator, (void**)&mapping))
+	/* remove mapping to SA by reqid and priority */
+	priority = get_priority(current, prio);
+	enumerator = current->used_by->create_enumerator(current->used_by);
+	while (enumerator->enumerate(enumerator, (void**)&mapping))
+	{
+		if (priority == mapping->priority && type == mapping->type &&
+			ipsec_sa_equals(mapping->sa, &assigned_sa))
 		{
-			if (priority == mapping->priority)
-			{
-				current->used_by->remove_at(current->used_by, enumerator);
-				policy_sa_destroy(mapping, &direction, this);
-				break;
-			}
-			is_installed = FALSE;
+			current->used_by->remove_at(current->used_by, enumerator);
+			policy_sa_destroy(mapping, &direction, this);
+			break;
 		}
-		enumerator->destroy(enumerator);
-	}
-	else
-	{	/* remove one of the SAs but don't update the policy */
-		current->used_by->remove_last(current->used_by, (void**)&mapping);
-		policy_sa_destroy(mapping, &direction, this);
 		is_installed = FALSE;
 	}
+	enumerator->destroy(enumerator);
 
 	if (current->used_by->get_count(current->used_by) > 0)
 	{	/* policy is used by more SAs, keep in kernel */
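Review bot: The rewritten loop has no way to tell the caller that no assignment matched `priority`, `type` and `assigned_sa`. In that case nothing is removed, `is_installed` ends up FALSE and the code falls into the "used by more SAs" branch, so a PASS or DROP policy can stay installed while the caller presumably sees success (the return path is outside the hunk). Since matching is now stricter than the old priority-only test, I would track the match and bail out explicitly. Whether NOT_FOUND or SUCCESS suits the callers better is not visible here.

```c
	bool found = FALSE;
	/* … unchanged: lookup of current, priority, enumerator loop header … */
			policy_sa_destroy(mapping, &direction, this);
			found = TRUE;
			break;
	/* … unchanged: rest of the loop … */
	enumerator->destroy(enumerator);
	if (!found)
	{	/* no assignment matched: do not touch the installed policy */
		DBG1(DBG_KNL, "no matching SA assignment for policy, nothing deleted");
		this->mutex->unlock(this->mutex);
		return NOT_FOUND;
	}
```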
@@ -2915,7 +2903,6 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 								(hashtable_equals_t)ipsec_sa_equals, 32),
 		.bypass = array_create(sizeof(bypass_t), 0),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
-		.policy_history = TRUE,
 		.policy_update = lib->settings->get_bool(lib->settings,
 					"%s.plugins.kernel-netlink.policy_update", FALSE, lib->ns),
 		.install_routes = lib->settings->get_bool(lib->settings,
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 5027e17..c67366b 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2015 Tobias Brunner
  * Copyright (C) 2008 Andreas Steffen
  * Hochschule fuer Technik Rapperswil
  *
@@ -843,7 +843,9 @@ static kernel_algorithm_t encryption_algs[] = {
 /*	{ENCR_DES_IV32,				0							}, */
 	{ENCR_NULL,					SADB_EALG_NULL				},
 	{ENCR_AES_CBC,				SADB_X_EALG_AESCBC			},
-/*	{ENCR_AES_CTR,				SADB_X_EALG_AESCTR			}, */
+#ifdef SADB_X_EALG_AESCTR
+	{ENCR_AES_CTR,				SADB_X_EALG_AESCTR			},
+#endif
 /*  {ENCR_AES_CCM_ICV8,			SADB_X_EALG_AES_CCM_ICV8	}, */
 /*	{ENCR_AES_CCM_ICV12,		SADB_X_EALG_AES_CCM_ICV12	}, */
 /*	{ENCR_AES_CCM_ICV16,		SADB_X_EALG_AES_CCM_ICV16	}, */
@@ -2689,8 +2691,9 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 }
 
 METHOD(kernel_ipsec_t, del_policy, status_t,
-	private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
+	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
 	mark_t mark, policy_priority_t prio)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
@@ -2702,6 +2705,11 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	bool first = TRUE, is_installed = TRUE;
 	u_int32_t priority;
 	size_t len;
+	ipsec_sa_t assigned_sa = {
+		.src = src,
+		.dst = dst,
+		.cfg = *sa,
+	};
 
 	if (dir2kernel(direction) == IPSEC_DIR_INVALID)
 	{	/* FWD policies are not supported on all platforms */
@@ -2735,7 +2743,8 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	enumerator = policy->used_by->create_enumerator(policy->used_by);
 	while (enumerator->enumerate(enumerator, (void**)&mapping))
 	{
-		if (reqid == mapping->sa->cfg.reqid && priority == mapping->priority)
+		if (priority == mapping->priority &&
+			ipsec_sa_equals(mapping->sa, &assigned_sa))
 		{
 			to_remove = mapping;
 			is_installed = first;
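Review bot: The new comparison never uses the `type` argument that this commit adds to del_policy(), while the netlink backend's loop also checks `type == mapping->type`. If the mapping struct in this file records the policy type, which I cannot see from here, a pass/drop assignment and an IPsec assignment with equal priority and SA could be mistaken for each other. I would add the check: `if (priority == mapping->priority && type == mapping->type &&`. The loop continues outside the hunk.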
diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql
index ff61911..9162e3f 100644
--- a/src/libimcv/imv/data.sql
+++ b/src/libimcv/imv/data.sql
@@ -388,6 +388,30 @@ INSERT INTO products (			/* 65 */
  'Debian 7.8 armv7l'
 );
 
+INSERT INTO products (			/* 66 */
+  name
+) VALUES (
+ 'Debian 7.9 i686'
+);
+
+INSERT INTO products (			/* 67 */
+  name
+) VALUES (
+ 'Debian 7.9 x86_64'
+);
+
+INSERT INTO products (			/* 68 */
+  name
+) VALUES (
+ 'Debian 7.9 armv6l'
+);
+
+INSERT INTO products (			/* 69 */
+  name
+) VALUES (
+ 'Debian 7.9 armv7l'
+);
+
 /* Directories */
 
 INSERT INTO directories (		/*  1 */
@@ -889,6 +913,12 @@ INSERT INTO groups_product_defaults (
 INSERT INTO groups_product_defaults (
   group_id, product_id
 ) VALUES (
+  4, 66
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
   5, 2
 );
 
@@ -955,6 +985,12 @@ INSERT INTO groups_product_defaults (
 INSERT INTO groups_product_defaults (
   group_id, product_id
 ) VALUES (
+  5, 67
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
   6, 9
 );
 
@@ -1201,9 +1237,21 @@ INSERT INTO groups_product_defaults (
 INSERT INTO groups_product_defaults (
   group_id, product_id
 ) VALUES (
+  14, 68
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
   15, 65
 );
 
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  15, 69
+);
+
 /* Policies */
 
 INSERT INTO policies (			/*  1 */
diff --git a/src/libipsec/Android.mk b/src/libipsec/Android.mk
index c5d9879..dffed94 100644
--- a/src/libipsec/Android.mk
+++ b/src/libipsec/Android.mk
@@ -20,7 +20,6 @@ LOCAL_SRC_FILES := $(filter %.c,$(libipsec_la_SOURCES))
 # build libipsec ---------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
-	$(strongswan_PATH)/src/include \
 	$(strongswan_PATH)/src/libstrongswan
 
 LOCAL_CFLAGS := $(strongswan_CFLAGS)
diff --git a/src/libipsec/esp_context.c b/src/libipsec/esp_context.c
index b742d15..2b003e3 100644
--- a/src/libipsec/esp_context.c
+++ b/src/libipsec/esp_context.c
@@ -247,7 +247,19 @@ static bool create_traditional(private_esp_context_t *this, int enc_alg,
 	signer_t *signer = NULL;
 	iv_gen_t *ivg;
 
-	crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_key.len);
+	switch (enc_alg)
+	{
+		case ENCR_AES_CTR:
+		case ENCR_CAMELLIA_CTR:
+			/* the key includes a 4 byte salt */
+			crypter = lib->crypto->create_crypter(lib->crypto, enc_alg,
+												  enc_key.len - 4);
+			break;
+		default:
+			crypter = lib->crypto->create_crypter(lib->crypto, enc_alg,
+												  enc_key.len);
+			break;
+	}
 	if (!crypter)
 	{
 		DBG1(DBG_ESP, "failed to create ESP context: unsupported encryption "
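Review bot: In the CTR cases `enc_key.len - 4` is computed without checking that the key is longer than the 4 byte salt. If `len` is an unsigned size, a shorter key wraps to a huge value; create_crypter() then most likely fails and the caller is told the algorithm is unsupported, which hides the real problem. I would reject it first with `if (enc_key.len <= 4) { return FALSE; }` plus a log line naming the key length. create_traditional continues outside the hunk, so confirm nothing needs cleanup at that point.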
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index d019d96..db3da8e 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -15,6 +15,7 @@ crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \
 crypto/signers/mac_signer.c crypto/crypto_factory.c crypto/crypto_tester.c \
 crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \
 crypto/iv/iv_gen.c crypto/iv/iv_gen_rand.c crypto/iv/iv_gen_seq.c \
+crypto/iv/iv_gen_null.c \
 crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \
 credentials/credential_factory.c credentials/builder.c \
 credentials/cred_encoding.c credentials/keys/private_key.c \
@@ -116,8 +117,7 @@ LOCAL_SRC_FILES += $(call add_plugin, xcbc)
 
 # build libstrongswan ----------------------------------------------------------
 
-LOCAL_CFLAGS := $(strongswan_CFLAGS) \
-	-include $(LOCAL_PATH)/AndroidConfigLocal.h
+LOCAL_CFLAGS := $(strongswan_CFLAGS)
 
 LOCAL_MODULE := libstrongswan
 
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index adf3687..ed3b85d 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -13,6 +13,7 @@ crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \
 crypto/signers/mac_signer.c crypto/crypto_factory.c crypto/crypto_tester.c \
 crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \
 crypto/iv/iv_gen.c crypto/iv/iv_gen_rand.c crypto/iv/iv_gen_seq.c \
+crypto/iv/iv_gen_null.c \
 crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \
 credentials/credential_factory.c credentials/builder.c \
 credentials/cred_encoding.c credentials/keys/private_key.c \
@@ -72,7 +73,7 @@ crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
 crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \
 crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \
 crypto/aead.h crypto/transform.h crypto/pkcs5.h crypto/iv/iv_gen.h \
-crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h \
+crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h crypto/iv/iv_gen_null.h \
 crypto/mgf1/mgf1.h crypto/mgf1/mgf1_bitspender.h \
 credentials/credential_factory.h credentials/builder.h \
 credentials/cred_encoding.h credentials/keys/private_key.h \
@@ -109,7 +110,7 @@ utils/lexparser.h utils/optionsfrom.h utils/capabilities.h utils/backtrace.h \
 utils/cpu_feature.h utils/leak_detective.h utils/printf_hook/printf_hook.h \
 utils/printf_hook/printf_hook_vstr.h utils/printf_hook/printf_hook_builtin.h \
 utils/parser_helper.h utils/test.h utils/integrity_checker.h utils/process.h \
-utils/utils/strerror.h utils/compat/windows.h utils/compat/apple.h \
+utils/utils/strerror.h utils/compat/windows.h utils/compat/apple.h utils/compat/android.h \
 utils/utils/atomics.h utils/utils/types.h utils/utils/byteorder.h \
 utils/utils/string.h utils/utils/memory.h utils/utils/tty.h utils/utils/path.h \
 utils/utils/status.h utils/utils/object.h utils/utils/time.h utils/utils/align.h
@@ -190,7 +191,7 @@ endif
 EXTRA_DIST = \
 asn1/oid.txt asn1/oid.pl \
 crypto/proposal/proposal_keywords_static.txt \
-Android.mk AndroidConfigLocal.h
+Android.mk
 
 BUILT_SOURCES = \
 $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \
@@ -288,6 +289,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_SHA3
+  SUBDIRS += plugins/sha3
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/sha3/libstrongswan-sha3.la
+endif
+endif
+
 if USE_GMP
   SUBDIRS += plugins/gmp
 if MONOLITHIC
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index 9598c8b..284960f 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -131,93 +131,95 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_SHA1_TRUE at am__append_33 = plugins/sha1/libstrongswan-sha1.la
 @USE_SHA2_TRUE at am__append_34 = plugins/sha2
 @MONOLITHIC_TRUE@@USE_SHA2_TRUE at am__append_35 = plugins/sha2/libstrongswan-sha2.la
- at USE_GMP_TRUE@am__append_36 = plugins/gmp
- at MONOLITHIC_TRUE@@USE_GMP_TRUE at am__append_37 = plugins/gmp/libstrongswan-gmp.la
- at USE_RDRAND_TRUE@am__append_38 = plugins/rdrand
- at MONOLITHIC_TRUE@@USE_RDRAND_TRUE at am__append_39 = plugins/rdrand/libstrongswan-rdrand.la
- at USE_AESNI_TRUE@am__append_40 = plugins/aesni
- at MONOLITHIC_TRUE@@USE_AESNI_TRUE at am__append_41 = plugins/aesni/libstrongswan-aesni.la
- at USE_RANDOM_TRUE@am__append_42 = plugins/random
- at MONOLITHIC_TRUE@@USE_RANDOM_TRUE at am__append_43 = plugins/random/libstrongswan-random.la
- at USE_NONCE_TRUE@am__append_44 = plugins/nonce
- at MONOLITHIC_TRUE@@USE_NONCE_TRUE at am__append_45 = plugins/nonce/libstrongswan-nonce.la
- at USE_HMAC_TRUE@am__append_46 = plugins/hmac
- at MONOLITHIC_TRUE@@USE_HMAC_TRUE at am__append_47 = plugins/hmac/libstrongswan-hmac.la
- at USE_CMAC_TRUE@am__append_48 = plugins/cmac
- at MONOLITHIC_TRUE@@USE_CMAC_TRUE at am__append_49 = plugins/cmac/libstrongswan-cmac.la
- at USE_XCBC_TRUE@am__append_50 = plugins/xcbc
- at MONOLITHIC_TRUE@@USE_XCBC_TRUE at am__append_51 = plugins/xcbc/libstrongswan-xcbc.la
- at USE_X509_TRUE@am__append_52 = plugins/x509
- at MONOLITHIC_TRUE@@USE_X509_TRUE at am__append_53 = plugins/x509/libstrongswan-x509.la
- at USE_REVOCATION_TRUE@am__append_54 = plugins/revocation
- at MONOLITHIC_TRUE@@USE_REVOCATION_TRUE at am__append_55 = plugins/revocation/libstrongswan-revocation.la
- at USE_CONSTRAINTS_TRUE@am__append_56 = plugins/constraints
- at MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE at am__append_57 = plugins/constraints/libstrongswan-constraints.la
- at USE_ACERT_TRUE@am__append_58 = plugins/acert
- at MONOLITHIC_TRUE@@USE_ACERT_TRUE at am__append_59 = plugins/acert/libstrongswan-acert.la
- at USE_PUBKEY_TRUE@am__append_60 = plugins/pubkey
- at MONOLITHIC_TRUE@@USE_PUBKEY_TRUE at am__append_61 = plugins/pubkey/libstrongswan-pubkey.la
- at USE_PKCS1_TRUE@am__append_62 = plugins/pkcs1
- at MONOLITHIC_TRUE@@USE_PKCS1_TRUE at am__append_63 = plugins/pkcs1/libstrongswan-pkcs1.la
- at USE_PKCS7_TRUE@am__append_64 = plugins/pkcs7
- at MONOLITHIC_TRUE@@USE_PKCS7_TRUE at am__append_65 = plugins/pkcs7/libstrongswan-pkcs7.la
- at USE_PKCS8_TRUE@am__append_66 = plugins/pkcs8
- at MONOLITHIC_TRUE@@USE_PKCS8_TRUE at am__append_67 = plugins/pkcs8/libstrongswan-pkcs8.la
- at USE_PKCS12_TRUE@am__append_68 = plugins/pkcs12
- at MONOLITHIC_TRUE@@USE_PKCS12_TRUE at am__append_69 = plugins/pkcs12/libstrongswan-pkcs12.la
- at USE_PGP_TRUE@am__append_70 = plugins/pgp
- at MONOLITHIC_TRUE@@USE_PGP_TRUE at am__append_71 = plugins/pgp/libstrongswan-pgp.la
- at USE_DNSKEY_TRUE@am__append_72 = plugins/dnskey
- at MONOLITHIC_TRUE@@USE_DNSKEY_TRUE at am__append_73 = plugins/dnskey/libstrongswan-dnskey.la
- at USE_SSHKEY_TRUE@am__append_74 = plugins/sshkey
- at MONOLITHIC_TRUE@@USE_SSHKEY_TRUE at am__append_75 = plugins/sshkey/libstrongswan-sshkey.la
- at USE_PEM_TRUE@am__append_76 = plugins/pem
- at MONOLITHIC_TRUE@@USE_PEM_TRUE at am__append_77 = plugins/pem/libstrongswan-pem.la
- at USE_CURL_TRUE@am__append_78 = plugins/curl
- at MONOLITHIC_TRUE@@USE_CURL_TRUE at am__append_79 = plugins/curl/libstrongswan-curl.la
- at USE_FILES_TRUE@am__append_80 = plugins/files
- at MONOLITHIC_TRUE@@USE_FILES_TRUE at am__append_81 = plugins/files/libstrongswan-files.la
- at USE_WINHTTP_TRUE@am__append_82 = plugins/winhttp
- at MONOLITHIC_TRUE@@USE_WINHTTP_TRUE at am__append_83 = plugins/winhttp/libstrongswan-winhttp.la
- at USE_UNBOUND_TRUE@am__append_84 = plugins/unbound
- at MONOLITHIC_TRUE@@USE_UNBOUND_TRUE at am__append_85 = plugins/unbound/libstrongswan-unbound.la
- at USE_SOUP_TRUE@am__append_86 = plugins/soup
- at MONOLITHIC_TRUE@@USE_SOUP_TRUE at am__append_87 = plugins/soup/libstrongswan-soup.la
- at USE_LDAP_TRUE@am__append_88 = plugins/ldap
- at MONOLITHIC_TRUE@@USE_LDAP_TRUE at am__append_89 = plugins/ldap/libstrongswan-ldap.la
- at USE_MYSQL_TRUE@am__append_90 = plugins/mysql
- at MONOLITHIC_TRUE@@USE_MYSQL_TRUE at am__append_91 = plugins/mysql/libstrongswan-mysql.la
- at USE_SQLITE_TRUE@am__append_92 = plugins/sqlite
- at MONOLITHIC_TRUE@@USE_SQLITE_TRUE at am__append_93 = plugins/sqlite/libstrongswan-sqlite.la
- at USE_PADLOCK_TRUE@am__append_94 = plugins/padlock
- at MONOLITHIC_TRUE@@USE_PADLOCK_TRUE at am__append_95 = plugins/padlock/libstrongswan-padlock.la
- at USE_OPENSSL_TRUE@am__append_96 = plugins/openssl
- at MONOLITHIC_TRUE@@USE_OPENSSL_TRUE at am__append_97 = plugins/openssl/libstrongswan-openssl.la
- at USE_GCRYPT_TRUE@am__append_98 = plugins/gcrypt
- at MONOLITHIC_TRUE@@USE_GCRYPT_TRUE at am__append_99 = plugins/gcrypt/libstrongswan-gcrypt.la
- at USE_FIPS_PRF_TRUE@am__append_100 = plugins/fips_prf
- at MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE at am__append_101 = plugins/fips_prf/libstrongswan-fips-prf.la
- at USE_AGENT_TRUE@am__append_102 = plugins/agent
- at MONOLITHIC_TRUE@@USE_AGENT_TRUE at am__append_103 = plugins/agent/libstrongswan-agent.la
- at USE_KEYCHAIN_TRUE@am__append_104 = plugins/keychain
- at MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE at am__append_105 = plugins/keychain/libstrongswan-keychain.la
- at USE_PKCS11_TRUE@am__append_106 = plugins/pkcs11
- at MONOLITHIC_TRUE@@USE_PKCS11_TRUE at am__append_107 = plugins/pkcs11/libstrongswan-pkcs11.la
- at USE_CHAPOLY_TRUE@am__append_108 = plugins/chapoly
- at MONOLITHIC_TRUE@@USE_CHAPOLY_TRUE at am__append_109 = plugins/chapoly/libstrongswan-chapoly.la
- at USE_CTR_TRUE@am__append_110 = plugins/ctr
- at MONOLITHIC_TRUE@@USE_CTR_TRUE at am__append_111 = plugins/ctr/libstrongswan-ctr.la
- at USE_CCM_TRUE@am__append_112 = plugins/ccm
- at MONOLITHIC_TRUE@@USE_CCM_TRUE at am__append_113 = plugins/ccm/libstrongswan-ccm.la
- at USE_GCM_TRUE@am__append_114 = plugins/gcm
- at MONOLITHIC_TRUE@@USE_GCM_TRUE at am__append_115 = plugins/gcm/libstrongswan-gcm.la
- at USE_NTRU_TRUE@am__append_116 = plugins/ntru
- at MONOLITHIC_TRUE@@USE_NTRU_TRUE at am__append_117 = plugins/ntru/libstrongswan-ntru.la
- at USE_BLISS_TRUE@am__append_118 = plugins/bliss
- at MONOLITHIC_TRUE@@USE_BLISS_TRUE at am__append_119 = plugins/bliss/libstrongswan-bliss.la
- at USE_TEST_VECTORS_TRUE@am__append_120 = plugins/test_vectors
- at MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE at am__append_121 = plugins/test_vectors/libstrongswan-test-vectors.la
- at USE_BLISS_TRUE@am__append_122 = plugins/bliss/tests
+ at USE_SHA3_TRUE@am__append_36 = plugins/sha3
+ at MONOLITHIC_TRUE@@USE_SHA3_TRUE at am__append_37 = plugins/sha3/libstrongswan-sha3.la
+ at USE_GMP_TRUE@am__append_38 = plugins/gmp
+ at MONOLITHIC_TRUE@@USE_GMP_TRUE at am__append_39 = plugins/gmp/libstrongswan-gmp.la
+ at USE_RDRAND_TRUE@am__append_40 = plugins/rdrand
+ at MONOLITHIC_TRUE@@USE_RDRAND_TRUE at am__append_41 = plugins/rdrand/libstrongswan-rdrand.la
+ at USE_AESNI_TRUE@am__append_42 = plugins/aesni
+ at MONOLITHIC_TRUE@@USE_AESNI_TRUE at am__append_43 = plugins/aesni/libstrongswan-aesni.la
+ at USE_RANDOM_TRUE@am__append_44 = plugins/random
+ at MONOLITHIC_TRUE@@USE_RANDOM_TRUE at am__append_45 = plugins/random/libstrongswan-random.la
+ at USE_NONCE_TRUE@am__append_46 = plugins/nonce
+ at MONOLITHIC_TRUE@@USE_NONCE_TRUE at am__append_47 = plugins/nonce/libstrongswan-nonce.la
+ at USE_HMAC_TRUE@am__append_48 = plugins/hmac
+ at MONOLITHIC_TRUE@@USE_HMAC_TRUE at am__append_49 = plugins/hmac/libstrongswan-hmac.la
+ at USE_CMAC_TRUE@am__append_50 = plugins/cmac
+ at MONOLITHIC_TRUE@@USE_CMAC_TRUE at am__append_51 = plugins/cmac/libstrongswan-cmac.la
+ at USE_XCBC_TRUE@am__append_52 = plugins/xcbc
+ at MONOLITHIC_TRUE@@USE_XCBC_TRUE at am__append_53 = plugins/xcbc/libstrongswan-xcbc.la
+ at USE_X509_TRUE@am__append_54 = plugins/x509
+ at MONOLITHIC_TRUE@@USE_X509_TRUE at am__append_55 = plugins/x509/libstrongswan-x509.la
+ at USE_REVOCATION_TRUE@am__append_56 = plugins/revocation
+ at MONOLITHIC_TRUE@@USE_REVOCATION_TRUE at am__append_57 = plugins/revocation/libstrongswan-revocation.la
+ at USE_CONSTRAINTS_TRUE@am__append_58 = plugins/constraints
+ at MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE at am__append_59 = plugins/constraints/libstrongswan-constraints.la
+ at USE_ACERT_TRUE@am__append_60 = plugins/acert
+ at MONOLITHIC_TRUE@@USE_ACERT_TRUE at am__append_61 = plugins/acert/libstrongswan-acert.la
+ at USE_PUBKEY_TRUE@am__append_62 = plugins/pubkey
+ at MONOLITHIC_TRUE@@USE_PUBKEY_TRUE at am__append_63 = plugins/pubkey/libstrongswan-pubkey.la
+ at USE_PKCS1_TRUE@am__append_64 = plugins/pkcs1
+ at MONOLITHIC_TRUE@@USE_PKCS1_TRUE at am__append_65 = plugins/pkcs1/libstrongswan-pkcs1.la
+ at USE_PKCS7_TRUE@am__append_66 = plugins/pkcs7
+ at MONOLITHIC_TRUE@@USE_PKCS7_TRUE at am__append_67 = plugins/pkcs7/libstrongswan-pkcs7.la
+ at USE_PKCS8_TRUE@am__append_68 = plugins/pkcs8
+ at MONOLITHIC_TRUE@@USE_PKCS8_TRUE at am__append_69 = plugins/pkcs8/libstrongswan-pkcs8.la
+ at USE_PKCS12_TRUE@am__append_70 = plugins/pkcs12
+ at MONOLITHIC_TRUE@@USE_PKCS12_TRUE at am__append_71 = plugins/pkcs12/libstrongswan-pkcs12.la
+ at USE_PGP_TRUE@am__append_72 = plugins/pgp
+ at MONOLITHIC_TRUE@@USE_PGP_TRUE at am__append_73 = plugins/pgp/libstrongswan-pgp.la
+ at USE_DNSKEY_TRUE@am__append_74 = plugins/dnskey
+ at MONOLITHIC_TRUE@@USE_DNSKEY_TRUE at am__append_75 = plugins/dnskey/libstrongswan-dnskey.la
+ at USE_SSHKEY_TRUE@am__append_76 = plugins/sshkey
+ at MONOLITHIC_TRUE@@USE_SSHKEY_TRUE at am__append_77 = plugins/sshkey/libstrongswan-sshkey.la
+ at USE_PEM_TRUE@am__append_78 = plugins/pem
+ at MONOLITHIC_TRUE@@USE_PEM_TRUE at am__append_79 = plugins/pem/libstrongswan-pem.la
+ at USE_CURL_TRUE@am__append_80 = plugins/curl
+ at MONOLITHIC_TRUE@@USE_CURL_TRUE at am__append_81 = plugins/curl/libstrongswan-curl.la
+ at USE_FILES_TRUE@am__append_82 = plugins/files
+ at MONOLITHIC_TRUE@@USE_FILES_TRUE at am__append_83 = plugins/files/libstrongswan-files.la
+ at USE_WINHTTP_TRUE@am__append_84 = plugins/winhttp
+ at MONOLITHIC_TRUE@@USE_WINHTTP_TRUE at am__append_85 = plugins/winhttp/libstrongswan-winhttp.la
+ at USE_UNBOUND_TRUE@am__append_86 = plugins/unbound
+ at MONOLITHIC_TRUE@@USE_UNBOUND_TRUE at am__append_87 = plugins/unbound/libstrongswan-unbound.la
+ at USE_SOUP_TRUE@am__append_88 = plugins/soup
+ at MONOLITHIC_TRUE@@USE_SOUP_TRUE at am__append_89 = plugins/soup/libstrongswan-soup.la
+ at USE_LDAP_TRUE@am__append_90 = plugins/ldap
+ at MONOLITHIC_TRUE@@USE_LDAP_TRUE at am__append_91 = plugins/ldap/libstrongswan-ldap.la
+ at USE_MYSQL_TRUE@am__append_92 = plugins/mysql
+ at MONOLITHIC_TRUE@@USE_MYSQL_TRUE at am__append_93 = plugins/mysql/libstrongswan-mysql.la
+ at USE_SQLITE_TRUE@am__append_94 = plugins/sqlite
+ at MONOLITHIC_TRUE@@USE_SQLITE_TRUE at am__append_95 = plugins/sqlite/libstrongswan-sqlite.la
+ at USE_PADLOCK_TRUE@am__append_96 = plugins/padlock
+ at MONOLITHIC_TRUE@@USE_PADLOCK_TRUE at am__append_97 = plugins/padlock/libstrongswan-padlock.la
+ at USE_OPENSSL_TRUE@am__append_98 = plugins/openssl
+ at MONOLITHIC_TRUE@@USE_OPENSSL_TRUE at am__append_99 = plugins/openssl/libstrongswan-openssl.la
+ at USE_GCRYPT_TRUE@am__append_100 = plugins/gcrypt
+ at MONOLITHIC_TRUE@@USE_GCRYPT_TRUE at am__append_101 = plugins/gcrypt/libstrongswan-gcrypt.la
+ at USE_FIPS_PRF_TRUE@am__append_102 = plugins/fips_prf
+ at MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE at am__append_103 = plugins/fips_prf/libstrongswan-fips-prf.la
+ at USE_AGENT_TRUE@am__append_104 = plugins/agent
+ at MONOLITHIC_TRUE@@USE_AGENT_TRUE at am__append_105 = plugins/agent/libstrongswan-agent.la
+ at USE_KEYCHAIN_TRUE@am__append_106 = plugins/keychain
+ at MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE at am__append_107 = plugins/keychain/libstrongswan-keychain.la
+ at USE_PKCS11_TRUE@am__append_108 = plugins/pkcs11
+ at MONOLITHIC_TRUE@@USE_PKCS11_TRUE at am__append_109 = plugins/pkcs11/libstrongswan-pkcs11.la
+ at USE_CHAPOLY_TRUE@am__append_110 = plugins/chapoly
+ at MONOLITHIC_TRUE@@USE_CHAPOLY_TRUE at am__append_111 = plugins/chapoly/libstrongswan-chapoly.la
+ at USE_CTR_TRUE@am__append_112 = plugins/ctr
+ at MONOLITHIC_TRUE@@USE_CTR_TRUE at am__append_113 = plugins/ctr/libstrongswan-ctr.la
+ at USE_CCM_TRUE@am__append_114 = plugins/ccm
+ at MONOLITHIC_TRUE@@USE_CCM_TRUE at am__append_115 = plugins/ccm/libstrongswan-ccm.la
+ at USE_GCM_TRUE@am__append_116 = plugins/gcm
+ at MONOLITHIC_TRUE@@USE_GCM_TRUE at am__append_117 = plugins/gcm/libstrongswan-gcm.la
+ at USE_NTRU_TRUE@am__append_118 = plugins/ntru
+ at MONOLITHIC_TRUE@@USE_NTRU_TRUE at am__append_119 = plugins/ntru/libstrongswan-ntru.la
+ at USE_BLISS_TRUE@am__append_120 = plugins/bliss
+ at MONOLITHIC_TRUE@@USE_BLISS_TRUE at am__append_121 = plugins/bliss/libstrongswan-bliss.la
+ at USE_TEST_VECTORS_TRUE@am__append_122 = plugins/test_vectors
+ at MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE at am__append_123 = plugins/test_vectors/libstrongswan-test-vectors.la
+ at USE_BLISS_TRUE@am__append_124 = plugins/bliss/tests
 subdir = src/libstrongswan
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	settings/settings_parser.h settings/settings_parser.c \
@@ -297,7 +299,7 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__append_101) $(am__append_103) $(am__append_105) \
 	$(am__append_107) $(am__append_109) $(am__append_111) \
 	$(am__append_113) $(am__append_115) $(am__append_117) \
-	$(am__append_119) $(am__append_121)
+	$(am__append_119) $(am__append_121) $(am__append_123)
 am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
 	asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c \
 	bio/bio_writer.c collections/blocking_queue.c \
@@ -312,11 +314,11 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
 	crypto/signers/mac_signer.c crypto/crypto_factory.c \
 	crypto/crypto_tester.c crypto/diffie_hellman.c crypto/aead.c \
 	crypto/transform.c crypto/iv/iv_gen.c crypto/iv/iv_gen_rand.c \
-	crypto/iv/iv_gen_seq.c crypto/mgf1/mgf1.c \
-	crypto/mgf1/mgf1_bitspender.c credentials/credential_factory.c \
-	credentials/builder.c credentials/cred_encoding.c \
-	credentials/keys/private_key.c credentials/keys/public_key.c \
-	credentials/keys/shared_key.c \
+	crypto/iv/iv_gen_seq.c crypto/iv/iv_gen_null.c \
+	crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \
+	credentials/credential_factory.c credentials/builder.c \
+	credentials/cred_encoding.c credentials/keys/private_key.c \
+	credentials/keys/public_key.c credentials/keys/shared_key.c \
 	credentials/certificates/certificate.c \
 	credentials/certificates/crl.c \
 	credentials/certificates/ocsp_response.c \
@@ -397,7 +399,8 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \
 	crypto/crypto_tester.lo crypto/diffie_hellman.lo \
 	crypto/aead.lo crypto/transform.lo crypto/iv/iv_gen.lo \
 	crypto/iv/iv_gen_rand.lo crypto/iv/iv_gen_seq.lo \
-	crypto/mgf1/mgf1.lo crypto/mgf1/mgf1_bitspender.lo \
+	crypto/iv/iv_gen_null.lo crypto/mgf1/mgf1.lo \
+	crypto/mgf1/mgf1_bitspender.lo \
 	credentials/credential_factory.lo credentials/builder.lo \
 	credentials/cred_encoding.lo credentials/keys/private_key.lo \
 	credentials/keys/public_key.lo credentials/keys/shared_key.lo \
@@ -524,10 +527,11 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
 	crypto/crypto_tester.h crypto/diffie_hellman.h crypto/aead.h \
 	crypto/transform.h crypto/pkcs5.h crypto/iv/iv_gen.h \
 	crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h \
-	crypto/mgf1/mgf1.h crypto/mgf1/mgf1_bitspender.h \
-	credentials/credential_factory.h credentials/builder.h \
-	credentials/cred_encoding.h credentials/keys/private_key.h \
-	credentials/keys/public_key.h credentials/keys/shared_key.h \
+	crypto/iv/iv_gen_null.h crypto/mgf1/mgf1.h \
+	crypto/mgf1/mgf1_bitspender.h credentials/credential_factory.h \
+	credentials/builder.h credentials/cred_encoding.h \
+	credentials/keys/private_key.h credentials/keys/public_key.h \
+	credentials/keys/shared_key.h \
 	credentials/certificates/certificate.h \
 	credentials/certificates/x509.h credentials/certificates/ac.h \
 	credentials/certificates/crl.h \
@@ -574,7 +578,8 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
 	utils/printf_hook/printf_hook_builtin.h utils/parser_helper.h \
 	utils/test.h utils/integrity_checker.h utils/process.h \
 	utils/utils/strerror.h utils/compat/windows.h \
-	utils/compat/apple.h utils/utils/atomics.h utils/utils/types.h \
+	utils/compat/apple.h utils/compat/android.h \
+	utils/utils/atomics.h utils/utils/types.h \
 	utils/utils/byteorder.h utils/utils/string.h \
 	utils/utils/memory.h utils/utils/tty.h utils/utils/path.h \
 	utils/utils/status.h utils/utils/object.h utils/utils/time.h \
@@ -609,18 +614,19 @@ ETAGS = etags
 CTAGS = ctags
 DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \
 	plugins/blowfish plugins/rc2 plugins/md4 plugins/md5 \
-	plugins/sha1 plugins/sha2 plugins/gmp plugins/rdrand \
-	plugins/aesni plugins/random plugins/nonce plugins/hmac \
-	plugins/cmac plugins/xcbc plugins/x509 plugins/revocation \
-	plugins/constraints plugins/acert plugins/pubkey plugins/pkcs1 \
-	plugins/pkcs7 plugins/pkcs8 plugins/pkcs12 plugins/pgp \
-	plugins/dnskey plugins/sshkey plugins/pem plugins/curl \
-	plugins/files plugins/winhttp plugins/unbound plugins/soup \
-	plugins/ldap plugins/mysql plugins/sqlite plugins/padlock \
-	plugins/openssl plugins/gcrypt plugins/fips_prf plugins/agent \
-	plugins/keychain plugins/pkcs11 plugins/chapoly plugins/ctr \
-	plugins/ccm plugins/gcm plugins/ntru plugins/bliss \
-	plugins/test_vectors tests plugins/bliss/tests
+	plugins/sha1 plugins/sha2 plugins/sha3 plugins/gmp \
+	plugins/rdrand plugins/aesni plugins/random plugins/nonce \
+	plugins/hmac plugins/cmac plugins/xcbc plugins/x509 \
+	plugins/revocation plugins/constraints plugins/acert \
+	plugins/pubkey plugins/pkcs1 plugins/pkcs7 plugins/pkcs8 \
+	plugins/pkcs12 plugins/pgp plugins/dnskey plugins/sshkey \
+	plugins/pem plugins/curl plugins/files plugins/winhttp \
+	plugins/unbound plugins/soup plugins/ldap plugins/mysql \
+	plugins/sqlite plugins/padlock plugins/openssl plugins/gcrypt \
+	plugins/fips_prf plugins/agent plugins/keychain plugins/pkcs11 \
+	plugins/chapoly plugins/ctr plugins/ccm plugins/gcm \
+	plugins/ntru plugins/bliss plugins/test_vectors tests \
+	plugins/bliss/tests
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -886,11 +892,11 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
 	crypto/signers/mac_signer.c crypto/crypto_factory.c \
 	crypto/crypto_tester.c crypto/diffie_hellman.c crypto/aead.c \
 	crypto/transform.c crypto/iv/iv_gen.c crypto/iv/iv_gen_rand.c \
-	crypto/iv/iv_gen_seq.c crypto/mgf1/mgf1.c \
-	crypto/mgf1/mgf1_bitspender.c credentials/credential_factory.c \
-	credentials/builder.c credentials/cred_encoding.c \
-	credentials/keys/private_key.c credentials/keys/public_key.c \
-	credentials/keys/shared_key.c \
+	crypto/iv/iv_gen_seq.c crypto/iv/iv_gen_null.c \
+	crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \
+	credentials/credential_factory.c credentials/builder.c \
+	credentials/cred_encoding.c credentials/keys/private_key.c \
+	credentials/keys/public_key.c credentials/keys/shared_key.c \
 	credentials/certificates/certificate.c \
 	credentials/certificates/crl.c \
 	credentials/certificates/ocsp_response.c \
@@ -945,7 +951,7 @@ settings/settings_types.h
 @USE_DEV_HEADERS_TRUE at crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \
 @USE_DEV_HEADERS_TRUE at crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \
 @USE_DEV_HEADERS_TRUE at crypto/aead.h crypto/transform.h crypto/pkcs5.h crypto/iv/iv_gen.h \
- at USE_DEV_HEADERS_TRUE@crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h \
+ at USE_DEV_HEADERS_TRUE@crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h crypto/iv/iv_gen_null.h \
 @USE_DEV_HEADERS_TRUE at crypto/mgf1/mgf1.h crypto/mgf1/mgf1_bitspender.h \
 @USE_DEV_HEADERS_TRUE at credentials/credential_factory.h credentials/builder.h \
 @USE_DEV_HEADERS_TRUE at credentials/cred_encoding.h credentials/keys/private_key.h \
@@ -982,7 +988,7 @@ settings/settings_types.h
 @USE_DEV_HEADERS_TRUE at utils/cpu_feature.h utils/leak_detective.h utils/printf_hook/printf_hook.h \
 @USE_DEV_HEADERS_TRUE at utils/printf_hook/printf_hook_vstr.h utils/printf_hook/printf_hook_builtin.h \
 @USE_DEV_HEADERS_TRUE at utils/parser_helper.h utils/test.h utils/integrity_checker.h utils/process.h \
- at USE_DEV_HEADERS_TRUE@utils/utils/strerror.h utils/compat/windows.h utils/compat/apple.h \
+ at USE_DEV_HEADERS_TRUE@utils/utils/strerror.h utils/compat/windows.h utils/compat/apple.h utils/compat/android.h \
 @USE_DEV_HEADERS_TRUE at utils/utils/atomics.h utils/utils/types.h utils/utils/byteorder.h \
 @USE_DEV_HEADERS_TRUE at utils/utils/string.h utils/utils/memory.h utils/utils/tty.h utils/utils/path.h \
 @USE_DEV_HEADERS_TRUE at utils/utils/status.h utils/utils/object.h utils/utils/time.h utils/utils/align.h
@@ -1007,7 +1013,7 @@ libstrongswan_la_LIBADD = $(DLLIB) $(BTLIB) $(SOCKLIB) $(RTLIB) \
 	$(am__append_101) $(am__append_103) $(am__append_105) \
 	$(am__append_107) $(am__append_109) $(am__append_111) \
 	$(am__append_113) $(am__append_115) $(am__append_117) \
-	$(am__append_119) $(am__append_121)
+	$(am__append_119) $(am__append_121) $(am__append_123)
 AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \
 	-DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_LIB_DIR=\"${ipseclibdir}\" \
 	-DPLUGINDIR=\"${plugindir}\" \
@@ -1023,7 +1029,7 @@ AM_YFLAGS = -v -d
 EXTRA_DIST = \
 asn1/oid.txt asn1/oid.pl \
 crypto/proposal/proposal_keywords_static.txt \
-Android.mk AndroidConfigLocal.h
+Android.mk
 
 BUILT_SOURCES = \
 $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \
@@ -1059,8 +1065,8 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
 @MONOLITHIC_FALSE@	$(am__append_106) $(am__append_108) \
 @MONOLITHIC_FALSE@	$(am__append_110) $(am__append_112) \
 @MONOLITHIC_FALSE@	$(am__append_114) $(am__append_116) \
- at MONOLITHIC_FALSE@	$(am__append_118) $(am__append_120) tests \
- at MONOLITHIC_FALSE@	$(am__append_122)
+ at MONOLITHIC_FALSE@	$(am__append_118) $(am__append_120) \
+ at MONOLITHIC_FALSE@	$(am__append_122) tests $(am__append_124)
 
 # build plugins with their own Makefile
 #######################################
@@ -1089,8 +1095,8 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
 @MONOLITHIC_TRUE@	$(am__append_106) $(am__append_108) \
 @MONOLITHIC_TRUE@	$(am__append_110) $(am__append_112) \
 @MONOLITHIC_TRUE@	$(am__append_114) $(am__append_116) \
- at MONOLITHIC_TRUE@	$(am__append_118) $(am__append_120) . tests \
- at MONOLITHIC_TRUE@	$(am__append_122)
+ at MONOLITHIC_TRUE@	$(am__append_118) $(am__append_120) \
+ at MONOLITHIC_TRUE@	$(am__append_122) . tests $(am__append_124)
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
@@ -1284,6 +1290,8 @@ crypto/iv/iv_gen_rand.lo: crypto/iv/$(am__dirstamp) \
 	crypto/iv/$(DEPDIR)/$(am__dirstamp)
 crypto/iv/iv_gen_seq.lo: crypto/iv/$(am__dirstamp) \
 	crypto/iv/$(DEPDIR)/$(am__dirstamp)
+crypto/iv/iv_gen_null.lo: crypto/iv/$(am__dirstamp) \
+	crypto/iv/$(DEPDIR)/$(am__dirstamp)
 crypto/mgf1/$(am__dirstamp):
 	@$(MKDIR_P) crypto/mgf1
 	@: > crypto/mgf1/$(am__dirstamp)
@@ -1750,6 +1758,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote at crypto/hashers/$(DEPDIR)/hash_algorithm_set.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at crypto/hashers/$(DEPDIR)/hasher.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at crypto/iv/$(DEPDIR)/iv_gen.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at crypto/iv/$(DEPDIR)/iv_gen_null.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at crypto/iv/$(DEPDIR)/iv_gen_rand.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at crypto/iv/$(DEPDIR)/iv_gen_seq.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at crypto/mgf1/$(DEPDIR)/mgf1.Plo at am__quote@
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index a750f7f..a088b05 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -199,12 +199,12 @@ const oid_t oid_names[] = {
  {              0x02,         187, 0,  7, "ecdsa-with-SHA256"              }, /* 186 */
  {              0x03,         188, 0,  7, "ecdsa-with-SHA384"              }, /* 187 */
  {              0x04,           0, 0,  7, "ecdsa-with-SHA512"              }, /* 188 */
- {0x2B,                       413, 1,  0, ""                               }, /* 189 */
- {  0x06,                     327, 1,  1, "dod"                            }, /* 190 */
+ {0x2B,                       416, 1,  0, ""                               }, /* 189 */
+ {  0x06,                     330, 1,  1, "dod"                            }, /* 190 */
  {    0x01,                     0, 1,  2, "internet"                       }, /* 191 */
- {      0x04,                 278, 1,  3, "private"                        }, /* 192 */
+ {      0x04,                 281, 1,  3, "private"                        }, /* 192 */
  {        0x01,                 0, 1,  4, "enterprise"                     }, /* 193 */
- {          0x82,             228, 1,  5, ""                               }, /* 194 */
+ {          0x82,             231, 1,  5, ""                               }, /* 194 */
  {            0x37,           207, 1,  6, "Microsoft"                      }, /* 195 */
  {              0x0A,         200, 1,  7, ""                               }, /* 196 */
  {                0x03,         0, 1,  8, ""                               }, /* 197 */
@@ -235,254 +235,257 @@ const oid_t oid_names[] = {
  {                    0x07,   223, 0, 10, "BLISS-B-III"                    }, /* 222 */
  {                    0x08,     0, 0, 10, "BLISS-B-IV"                     }, /* 223 */
  {                  0x03,       0, 1,  9, "blissSigType"                   }, /* 224 */
- {                    0x01,   226, 0, 10, "BLISS-with-SHA512"              }, /* 225 */
- {                    0x02,   227, 0, 10, "BLISS-with-SHA384"              }, /* 226 */
- {                    0x03,     0, 0, 10, "BLISS-with-SHA256"              }, /* 227 */
- {          0x89,             235, 1,  5, ""                               }, /* 228 */
- {            0x31,             0, 1,  6, ""                               }, /* 229 */
- {              0x01,           0, 1,  7, ""                               }, /* 230 */
- {                0x01,         0, 1,  8, ""                               }, /* 231 */
- {                  0x02,       0, 1,  9, ""                               }, /* 232 */
- {                    0x02,     0, 1, 10, ""                               }, /* 233 */
- {                      0x4B,   0, 0, 11, "TCGID"                          }, /* 234 */
- {          0x97,             239, 1,  5, ""                               }, /* 235 */
- {            0x55,             0, 1,  6, ""                               }, /* 236 */
- {              0x01,           0, 1,  7, ""                               }, /* 237 */
- {                0x02,         0, 0,  8, "blowfish-cbc"                   }, /* 238 */
- {          0xC1,               0, 1,  5, ""                               }, /* 239 */
- {            0x16,             0, 1,  6, "ntruCryptosystems"              }, /* 240 */
- {              0x01,           0, 1,  7, "eess"                           }, /* 241 */
- {                0x01,         0, 1,  8, "eess1"                          }, /* 242 */
- {                  0x01,     247, 1,  9, "eess1-algs"                     }, /* 243 */
- {                    0x01,   245, 0, 10, "ntru-EESS1v1-SVES"              }, /* 244 */
- {                    0x02,   246, 0, 10, "ntru-EESS1v1-SVSSA"             }, /* 245 */
- {                    0x03,     0, 0, 10, "ntru-EESS1v1-NTRUSign"          }, /* 246 */
- {                  0x02,     277, 1,  9, "eess1-params"                   }, /* 247 */
- {                    0x01,   249, 0, 10, "ees251ep1"                      }, /* 248 */
- {                    0x02,   250, 0, 10, "ees347ep1"                      }, /* 249 */
- {                    0x03,   251, 0, 10, "ees503ep1"                      }, /* 250 */
- {                    0x07,   252, 0, 10, "ees251sp2"                      }, /* 251 */
- {                    0x0C,   253, 0, 10, "ees251ep4"                      }, /* 252 */
- {                    0x0D,   254, 0, 10, "ees251ep5"                      }, /* 253 */
- {                    0x0E,   255, 0, 10, "ees251sp3"                      }, /* 254 */
- {                    0x0F,   256, 0, 10, "ees251sp4"                      }, /* 255 */
- {                    0x10,   257, 0, 10, "ees251sp5"                      }, /* 256 */
- {                    0x11,   258, 0, 10, "ees251sp6"                      }, /* 257 */
- {                    0x12,   259, 0, 10, "ees251sp7"                      }, /* 258 */
- {                    0x13,   260, 0, 10, "ees251sp8"                      }, /* 259 */
- {                    0x14,   261, 0, 10, "ees251sp9"                      }, /* 260 */
- {                    0x22,   262, 0, 10, "ees401ep1"                      }, /* 261 */
- {                    0x23,   263, 0, 10, "ees449ep1"                      }, /* 262 */
- {                    0x24,   264, 0, 10, "ees677ep1"                      }, /* 263 */
- {                    0x25,   265, 0, 10, "ees1087ep2"                     }, /* 264 */
- {                    0x26,   266, 0, 10, "ees541ep1"                      }, /* 265 */
- {                    0x27,   267, 0, 10, "ees613ep1"                      }, /* 266 */
- {                    0x28,   268, 0, 10, "ees887ep1"                      }, /* 267 */
- {                    0x29,   269, 0, 10, "ees1171ep1"                     }, /* 268 */
- {                    0x2A,   270, 0, 10, "ees659ep1"                      }, /* 269 */
- {                    0x2B,   271, 0, 10, "ees761ep1"                      }, /* 270 */
- {                    0x2C,   272, 0, 10, "ees1087ep1"                     }, /* 271 */
- {                    0x2D,   273, 0, 10, "ees1499ep1"                     }, /* 272 */
- {                    0x2E,   274, 0, 10, "ees401ep2"                      }, /* 273 */
- {                    0x2F,   275, 0, 10, "ees439ep1"                      }, /* 274 */
- {                    0x30,   276, 0, 10, "ees593ep1"                      }, /* 275 */
- {                    0x31,     0, 0, 10, "ees743ep1"                      }, /* 276 */
- {                  0x03,       0, 0,  9, "eess1-encodingMethods"          }, /* 277 */
- {      0x05,                   0, 1,  3, "security"                       }, /* 278 */
- {        0x05,                 0, 1,  4, "mechanisms"                     }, /* 279 */
- {          0x07,             324, 1,  5, "id-pkix"                        }, /* 280 */
- {            0x01,           285, 1,  6, "id-pe"                          }, /* 281 */
- {              0x01,         283, 0,  7, "authorityInfoAccess"            }, /* 282 */
- {              0x03,         284, 0,  7, "qcStatements"                   }, /* 283 */
- {              0x07,           0, 0,  7, "ipAddrBlocks"                   }, /* 284 */
- {            0x02,           288, 1,  6, "id-qt"                          }, /* 285 */
- {              0x01,         287, 0,  7, "cps"                            }, /* 286 */
- {              0x02,           0, 0,  7, "unotice"                        }, /* 287 */
- {            0x03,           298, 1,  6, "id-kp"                          }, /* 288 */
- {              0x01,         290, 0,  7, "serverAuth"                     }, /* 289 */
- {              0x02,         291, 0,  7, "clientAuth"                     }, /* 290 */
- {              0x03,         292, 0,  7, "codeSigning"                    }, /* 291 */
- {              0x04,         293, 0,  7, "emailProtection"                }, /* 292 */
- {              0x05,         294, 0,  7, "ipsecEndSystem"                 }, /* 293 */
- {              0x06,         295, 0,  7, "ipsecTunnel"                    }, /* 294 */
- {              0x07,         296, 0,  7, "ipsecUser"                      }, /* 295 */
- {              0x08,         297, 0,  7, "timeStamping"                   }, /* 296 */
- {              0x09,           0, 0,  7, "ocspSigning"                    }, /* 297 */
- {            0x08,           306, 1,  6, "id-otherNames"                  }, /* 298 */
- {              0x01,         300, 0,  7, "personalData"                   }, /* 299 */
- {              0x02,         301, 0,  7, "userGroup"                      }, /* 300 */
- {              0x03,         302, 0,  7, "id-on-permanentIdentifier"      }, /* 301 */
- {              0x04,         303, 0,  7, "id-on-hardwareModuleName"       }, /* 302 */
- {              0x05,         304, 0,  7, "xmppAddr"                       }, /* 303 */
- {              0x06,         305, 0,  7, "id-on-SIM"                      }, /* 304 */
- {              0x07,           0, 0,  7, "id-on-dnsSRV"                   }, /* 305 */
- {            0x0A,           311, 1,  6, "id-aca"                         }, /* 306 */
- {              0x01,         308, 0,  7, "authenticationInfo"             }, /* 307 */
- {              0x02,         309, 0,  7, "accessIdentity"                 }, /* 308 */
- {              0x03,         310, 0,  7, "chargingIdentity"               }, /* 309 */
- {              0x04,           0, 0,  7, "group"                          }, /* 310 */
- {            0x0B,           312, 0,  6, "subjectInfoAccess"              }, /* 311 */
- {            0x30,             0, 1,  6, "id-ad"                          }, /* 312 */
- {              0x01,         321, 1,  7, "ocsp"                           }, /* 313 */
- {                0x01,       315, 0,  8, "basic"                          }, /* 314 */
- {                0x02,       316, 0,  8, "nonce"                          }, /* 315 */
- {                0x03,       317, 0,  8, "crl"                            }, /* 316 */
- {                0x04,       318, 0,  8, "response"                       }, /* 317 */
- {                0x05,       319, 0,  8, "noCheck"                        }, /* 318 */
- {                0x06,       320, 0,  8, "archiveCutoff"                  }, /* 319 */
- {                0x07,         0, 0,  8, "serviceLocator"                 }, /* 320 */
- {              0x02,         322, 0,  7, "caIssuers"                      }, /* 321 */
- {              0x03,         323, 0,  7, "timeStamping"                   }, /* 322 */
- {              0x05,           0, 0,  7, "caRepository"                   }, /* 323 */
- {          0x08,               0, 1,  5, "ipsec"                          }, /* 324 */
- {            0x02,             0, 1,  6, "certificate"                    }, /* 325 */
- {              0x02,           0, 0,  7, "iKEIntermediate"                }, /* 326 */
- {  0x0E,                     333, 1,  1, "oiw"                            }, /* 327 */
- {    0x03,                     0, 1,  2, "secsig"                         }, /* 328 */
- {      0x02,                   0, 1,  3, "algorithms"                     }, /* 329 */
- {        0x07,               331, 0,  4, "des-cbc"                        }, /* 330 */
- {        0x1A,               332, 0,  4, "sha-1"                          }, /* 331 */
- {        0x1D,                 0, 0,  4, "sha-1WithRSASignature"          }, /* 332 */
- {  0x24,                     379, 1,  1, "TeleTrusT"                      }, /* 333 */
- {    0x03,                     0, 1,  2, "algorithm"                      }, /* 334 */
- {      0x03,                   0, 1,  3, "signatureAlgorithm"             }, /* 335 */
- {        0x01,               340, 1,  4, "rsaSignature"                   }, /* 336 */
- {          0x02,             338, 0,  5, "rsaSigWithripemd160"            }, /* 337 */
- {          0x03,             339, 0,  5, "rsaSigWithripemd128"            }, /* 338 */
- {          0x04,               0, 0,  5, "rsaSigWithripemd256"            }, /* 339 */
- {        0x02,                 0, 1,  4, "ecSign"                         }, /* 340 */
- {          0x01,             342, 0,  5, "ecSignWithsha1"                 }, /* 341 */
- {          0x02,             343, 0,  5, "ecSignWithripemd160"            }, /* 342 */
- {          0x03,             344, 0,  5, "ecSignWithmd2"                  }, /* 343 */
- {          0x04,             345, 0,  5, "ecSignWithmd5"                  }, /* 344 */
- {          0x05,             362, 1,  5, "ttt-ecg"                        }, /* 345 */
- {            0x01,           350, 1,  6, "fieldType"                      }, /* 346 */
- {              0x01,           0, 1,  7, "characteristictwoField"         }, /* 347 */
- {                0x01,         0, 1,  8, "basisType"                      }, /* 348 */
- {                  0x01,       0, 0,  9, "ipBasis"                        }, /* 349 */
- {            0x02,           352, 1,  6, "keyType"                        }, /* 350 */
- {              0x01,           0, 0,  7, "ecgPublicKey"                   }, /* 351 */
- {            0x03,           353, 0,  6, "curve"                          }, /* 352 */
- {            0x04,           360, 1,  6, "signatures"                     }, /* 353 */
- {              0x01,         355, 0,  7, "ecgdsa-with-RIPEMD160"          }, /* 354 */
- {              0x02,         356, 0,  7, "ecgdsa-with-SHA1"               }, /* 355 */
- {              0x03,         357, 0,  7, "ecgdsa-with-SHA224"             }, /* 356 */
- {              0x04,         358, 0,  7, "ecgdsa-with-SHA256"             }, /* 357 */
- {              0x05,         359, 0,  7, "ecgdsa-with-SHA384"             }, /* 358 */
- {              0x06,           0, 0,  7, "ecgdsa-with-SHA512"             }, /* 359 */
- {            0x05,             0, 1,  6, "module"                         }, /* 360 */
- {              0x01,           0, 0,  7, "1"                              }, /* 361 */
- {          0x08,               0, 1,  5, "ecStdCurvesAndGeneration"       }, /* 362 */
- {            0x01,             0, 1,  6, "ellipticCurve"                  }, /* 363 */
- {              0x01,           0, 1,  7, "versionOne"                     }, /* 364 */
- {                0x01,       366, 0,  8, "brainpoolP160r1"                }, /* 365 */
- {                0x02,       367, 0,  8, "brainpoolP160t1"                }, /* 366 */
- {                0x03,       368, 0,  8, "brainpoolP192r1"                }, /* 367 */
- {                0x04,       369, 0,  8, "brainpoolP192t1"                }, /* 368 */
- {                0x05,       370, 0,  8, "brainpoolP224r1"                }, /* 369 */
- {                0x06,       371, 0,  8, "brainpoolP224t1"                }, /* 370 */
- {                0x07,       372, 0,  8, "brainpoolP256r1"                }, /* 371 */
- {                0x08,       373, 0,  8, "brainpoolP256t1"                }, /* 372 */
- {                0x09,       374, 0,  8, "brainpoolP320r1"                }, /* 373 */
- {                0x0A,       375, 0,  8, "brainpoolP320t1"                }, /* 374 */
- {                0x0B,       376, 0,  8, "brainpoolP384r1"                }, /* 375 */
- {                0x0C,       377, 0,  8, "brainpoolP384t1"                }, /* 376 */
- {                0x0D,       378, 0,  8, "brainpoolP512r1"                }, /* 377 */
- {                0x0E,         0, 0,  8, "brainpoolP512t1"                }, /* 378 */
- {  0x81,                       0, 1,  1, ""                               }, /* 379 */
- {    0x04,                     0, 1,  2, "Certicom"                       }, /* 380 */
- {      0x00,                   0, 1,  3, "curve"                          }, /* 381 */
- {        0x01,               383, 0,  4, "sect163k1"                      }, /* 382 */
- {        0x02,               384, 0,  4, "sect163r1"                      }, /* 383 */
- {        0x03,               385, 0,  4, "sect239k1"                      }, /* 384 */
- {        0x04,               386, 0,  4, "sect113r1"                      }, /* 385 */
- {        0x05,               387, 0,  4, "sect113r2"                      }, /* 386 */
- {        0x06,               388, 0,  4, "secp112r1"                      }, /* 387 */
- {        0x07,               389, 0,  4, "secp112r2"                      }, /* 388 */
- {        0x08,               390, 0,  4, "secp160r1"                      }, /* 389 */
- {        0x09,               391, 0,  4, "secp160k1"                      }, /* 390 */
- {        0x0A,               392, 0,  4, "secp256k1"                      }, /* 391 */
- {        0x0F,               393, 0,  4, "sect163r2"                      }, /* 392 */
- {        0x10,               394, 0,  4, "sect283k1"                      }, /* 393 */
- {        0x11,               395, 0,  4, "sect283r1"                      }, /* 394 */
- {        0x16,               396, 0,  4, "sect131r1"                      }, /* 395 */
- {        0x17,               397, 0,  4, "sect131r2"                      }, /* 396 */
- {        0x18,               398, 0,  4, "sect193r1"                      }, /* 397 */
- {        0x19,               399, 0,  4, "sect193r2"                      }, /* 398 */
- {        0x1A,               400, 0,  4, "sect233k1"                      }, /* 399 */
- {        0x1B,               401, 0,  4, "sect233r1"                      }, /* 400 */
- {        0x1C,               402, 0,  4, "secp128r1"                      }, /* 401 */
- {        0x1D,               403, 0,  4, "secp128r2"                      }, /* 402 */
- {        0x1E,               404, 0,  4, "secp160r2"                      }, /* 403 */
- {        0x1F,               405, 0,  4, "secp192k1"                      }, /* 404 */
- {        0x20,               406, 0,  4, "secp224k1"                      }, /* 405 */
- {        0x21,               407, 0,  4, "secp224r1"                      }, /* 406 */
- {        0x22,               408, 0,  4, "secp384r1"                      }, /* 407 */
- {        0x23,               409, 0,  4, "secp521r1"                      }, /* 408 */
- {        0x24,               410, 0,  4, "sect409k1"                      }, /* 409 */
- {        0x25,               411, 0,  4, "sect409r1"                      }, /* 410 */
- {        0x26,               412, 0,  4, "sect571k1"                      }, /* 411 */
- {        0x27,                 0, 0,  4, "sect571r1"                      }, /* 412 */
- {0x60,                       467, 1,  0, ""                               }, /* 413 */
- {  0x86,                       0, 1,  1, ""                               }, /* 414 */
- {    0x48,                     0, 1,  2, ""                               }, /* 415 */
- {      0x01,                   0, 1,  3, "organization"                   }, /* 416 */
- {        0x65,               443, 1,  4, "gov"                            }, /* 417 */
- {          0x03,               0, 1,  5, "csor"                           }, /* 418 */
- {            0x04,             0, 1,  6, "nistalgorithm"                  }, /* 419 */
- {              0x01,         430, 1,  7, "aes"                            }, /* 420 */
- {                0x02,       422, 0,  8, "id-aes128-CBC"                  }, /* 421 */
- {                0x06,       423, 0,  8, "id-aes128-GCM"                  }, /* 422 */
- {                0x07,       424, 0,  8, "id-aes128-CCM"                  }, /* 423 */
- {                0x16,       425, 0,  8, "id-aes192-CBC"                  }, /* 424 */
- {                0x1A,       426, 0,  8, "id-aes192-GCM"                  }, /* 425 */
- {                0x1B,       427, 0,  8, "id-aes192-CCM"                  }, /* 426 */
- {                0x2A,       428, 0,  8, "id-aes256-CBC"                  }, /* 427 */
- {                0x2E,       429, 0,  8, "id-aes256-GCM"                  }, /* 428 */
- {                0x2F,         0, 0,  8, "id-aes256-CCM"                  }, /* 429 */
- {              0x02,           0, 1,  7, "hashalgs"                       }, /* 430 */
- {                0x01,       432, 0,  8, "id-sha256"                      }, /* 431 */
- {                0x02,       433, 0,  8, "id-sha384"                      }, /* 432 */
- {                0x03,       434, 0,  8, "id-sha512"                      }, /* 433 */
- {                0x04,       435, 0,  8, "id-sha224"                      }, /* 434 */
- {                0x05,       436, 0,  8, "id-sha512-224"                  }, /* 435 */
- {                0x06,       437, 0,  8, "id-sha512-256"                  }, /* 436 */
- {                0x07,       438, 0,  8, "id-sha3-224"                    }, /* 437 */
- {                0x08,       439, 0,  8, "id-sha3-256"                    }, /* 438 */
- {                0x09,       440, 0,  8, "id-sha3-384"                    }, /* 439 */
- {                0x0A,       441, 0,  8, "id-sha3-512"                    }, /* 440 */
- {                0x0B,       442, 0,  8, "id-shake128"                    }, /* 441 */
- {                0x0C,         0, 0,  8, "id-shake256"                    }, /* 442 */
- {        0x86,                 0, 1,  4, ""                               }, /* 443 */
- {          0xf8,               0, 1,  5, ""                               }, /* 444 */
- {            0x42,           457, 1,  6, "netscape"                       }, /* 445 */
- {              0x01,         452, 1,  7, ""                               }, /* 446 */
- {                0x01,       448, 0,  8, "nsCertType"                     }, /* 447 */
- {                0x03,       449, 0,  8, "nsRevocationUrl"                }, /* 448 */
- {                0x04,       450, 0,  8, "nsCaRevocationUrl"              }, /* 449 */
- {                0x08,       451, 0,  8, "nsCaPolicyUrl"                  }, /* 450 */
- {                0x0d,         0, 0,  8, "nsComment"                      }, /* 451 */
- {              0x03,         455, 1,  7, "directory"                      }, /* 452 */
- {                0x01,         0, 1,  8, ""                               }, /* 453 */
- {                  0x03,       0, 0,  9, "employeeNumber"                 }, /* 454 */
- {              0x04,           0, 1,  7, "policy"                         }, /* 455 */
- {                0x01,         0, 0,  8, "nsSGC"                          }, /* 456 */
- {            0x45,             0, 1,  6, "verisign"                       }, /* 457 */
- {              0x01,           0, 1,  7, "pki"                            }, /* 458 */
- {                0x09,         0, 1,  8, "attributes"                     }, /* 459 */
- {                  0x02,     461, 0,  9, "messageType"                    }, /* 460 */
- {                  0x03,     462, 0,  9, "pkiStatus"                      }, /* 461 */
- {                  0x04,     463, 0,  9, "failInfo"                       }, /* 462 */
- {                  0x05,     464, 0,  9, "senderNonce"                    }, /* 463 */
- {                  0x06,     465, 0,  9, "recipientNonce"                 }, /* 464 */
- {                  0x07,     466, 0,  9, "transID"                        }, /* 465 */
- {                  0x08,       0, 0,  9, "extensionReq"                   }, /* 466 */
- {0x67,                         0, 1,  0, ""                               }, /* 467 */
- {  0x81,                       0, 1,  1, ""                               }, /* 468 */
- {    0x05,                     0, 1,  2, ""                               }, /* 469 */
- {      0x02,                   0, 1,  3, "tcg-attribute"                  }, /* 470 */
- {        0x01,               472, 0,  4, "tcg-at-tpmManufacturer"         }, /* 471 */
- {        0x02,               473, 0,  4, "tcg-at-tpmModel"                }, /* 472 */
- {        0x03,               474, 0,  4, "tcg-at-tpmVersion"              }, /* 473 */
- {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"              }  /* 474 */
+ {                    0x01,   226, 0, 10, "BLISS-with-SHA2-512"            }, /* 225 */
+ {                    0x02,   227, 0, 10, "BLISS-with-SHA2-384"            }, /* 226 */
+ {                    0x03,   228, 0, 10, "BLISS-with-SHA2-256"            }, /* 227 */
+ {                    0x04,   229, 0, 10, "BLISS-with-SHA3-512"            }, /* 228 */
+ {                    0x05,   230, 0, 10, "BLISS-with-SHA3-384"            }, /* 229 */
+ {                    0x06,     0, 0, 10, "BLISS-with-SHA3-256"            }, /* 230 */
+ {          0x89,             238, 1,  5, ""                               }, /* 231 */
+ {            0x31,             0, 1,  6, ""                               }, /* 232 */
+ {              0x01,           0, 1,  7, ""                               }, /* 233 */
+ {                0x01,         0, 1,  8, ""                               }, /* 234 */
+ {                  0x02,       0, 1,  9, ""                               }, /* 235 */
+ {                    0x02,     0, 1, 10, ""                               }, /* 236 */
+ {                      0x4B,   0, 0, 11, "TCGID"                          }, /* 237 */
+ {          0x97,             242, 1,  5, ""                               }, /* 238 */
+ {            0x55,             0, 1,  6, ""                               }, /* 239 */
+ {              0x01,           0, 1,  7, ""                               }, /* 240 */
+ {                0x02,         0, 0,  8, "blowfish-cbc"                   }, /* 241 */
+ {          0xC1,               0, 1,  5, ""                               }, /* 242 */
+ {            0x16,             0, 1,  6, "ntruCryptosystems"              }, /* 243 */
+ {              0x01,           0, 1,  7, "eess"                           }, /* 244 */
+ {                0x01,         0, 1,  8, "eess1"                          }, /* 245 */
+ {                  0x01,     250, 1,  9, "eess1-algs"                     }, /* 246 */
+ {                    0x01,   248, 0, 10, "ntru-EESS1v1-SVES"              }, /* 247 */
+ {                    0x02,   249, 0, 10, "ntru-EESS1v1-SVSSA"             }, /* 248 */
+ {                    0x03,     0, 0, 10, "ntru-EESS1v1-NTRUSign"          }, /* 249 */
+ {                  0x02,     280, 1,  9, "eess1-params"                   }, /* 250 */
+ {                    0x01,   252, 0, 10, "ees251ep1"                      }, /* 251 */
+ {                    0x02,   253, 0, 10, "ees347ep1"                      }, /* 252 */
+ {                    0x03,   254, 0, 10, "ees503ep1"                      }, /* 253 */
+ {                    0x07,   255, 0, 10, "ees251sp2"                      }, /* 254 */
+ {                    0x0C,   256, 0, 10, "ees251ep4"                      }, /* 255 */
+ {                    0x0D,   257, 0, 10, "ees251ep5"                      }, /* 256 */
+ {                    0x0E,   258, 0, 10, "ees251sp3"                      }, /* 257 */
+ {                    0x0F,   259, 0, 10, "ees251sp4"                      }, /* 258 */
+ {                    0x10,   260, 0, 10, "ees251sp5"                      }, /* 259 */
+ {                    0x11,   261, 0, 10, "ees251sp6"                      }, /* 260 */
+ {                    0x12,   262, 0, 10, "ees251sp7"                      }, /* 261 */
+ {                    0x13,   263, 0, 10, "ees251sp8"                      }, /* 262 */
+ {                    0x14,   264, 0, 10, "ees251sp9"                      }, /* 263 */
+ {                    0x22,   265, 0, 10, "ees401ep1"                      }, /* 264 */
+ {                    0x23,   266, 0, 10, "ees449ep1"                      }, /* 265 */
+ {                    0x24,   267, 0, 10, "ees677ep1"                      }, /* 266 */
+ {                    0x25,   268, 0, 10, "ees1087ep2"                     }, /* 267 */
+ {                    0x26,   269, 0, 10, "ees541ep1"                      }, /* 268 */
+ {                    0x27,   270, 0, 10, "ees613ep1"                      }, /* 269 */
+ {                    0x28,   271, 0, 10, "ees887ep1"                      }, /* 270 */
+ {                    0x29,   272, 0, 10, "ees1171ep1"                     }, /* 271 */
+ {                    0x2A,   273, 0, 10, "ees659ep1"                      }, /* 272 */
+ {                    0x2B,   274, 0, 10, "ees761ep1"                      }, /* 273 */
+ {                    0x2C,   275, 0, 10, "ees1087ep1"                     }, /* 274 */
+ {                    0x2D,   276, 0, 10, "ees1499ep1"                     }, /* 275 */
+ {                    0x2E,   277, 0, 10, "ees401ep2"                      }, /* 276 */
+ {                    0x2F,   278, 0, 10, "ees439ep1"                      }, /* 277 */
+ {                    0x30,   279, 0, 10, "ees593ep1"                      }, /* 278 */
+ {                    0x31,     0, 0, 10, "ees743ep1"                      }, /* 279 */
+ {                  0x03,       0, 0,  9, "eess1-encodingMethods"          }, /* 280 */
+ {      0x05,                   0, 1,  3, "security"                       }, /* 281 */
+ {        0x05,                 0, 1,  4, "mechanisms"                     }, /* 282 */
+ {          0x07,             327, 1,  5, "id-pkix"                        }, /* 283 */
+ {            0x01,           288, 1,  6, "id-pe"                          }, /* 284 */
+ {              0x01,         286, 0,  7, "authorityInfoAccess"            }, /* 285 */
+ {              0x03,         287, 0,  7, "qcStatements"                   }, /* 286 */
+ {              0x07,           0, 0,  7, "ipAddrBlocks"                   }, /* 287 */
+ {            0x02,           291, 1,  6, "id-qt"                          }, /* 288 */
+ {              0x01,         290, 0,  7, "cps"                            }, /* 289 */
+ {              0x02,           0, 0,  7, "unotice"                        }, /* 290 */
+ {            0x03,           301, 1,  6, "id-kp"                          }, /* 291 */
+ {              0x01,         293, 0,  7, "serverAuth"                     }, /* 292 */
+ {              0x02,         294, 0,  7, "clientAuth"                     }, /* 293 */
+ {              0x03,         295, 0,  7, "codeSigning"                    }, /* 294 */
+ {              0x04,         296, 0,  7, "emailProtection"                }, /* 295 */
+ {              0x05,         297, 0,  7, "ipsecEndSystem"                 }, /* 296 */
+ {              0x06,         298, 0,  7, "ipsecTunnel"                    }, /* 297 */
+ {              0x07,         299, 0,  7, "ipsecUser"                      }, /* 298 */
+ {              0x08,         300, 0,  7, "timeStamping"                   }, /* 299 */
+ {              0x09,           0, 0,  7, "ocspSigning"                    }, /* 300 */
+ {            0x08,           309, 1,  6, "id-otherNames"                  }, /* 301 */
+ {              0x01,         303, 0,  7, "personalData"                   }, /* 302 */
+ {              0x02,         304, 0,  7, "userGroup"                      }, /* 303 */
+ {              0x03,         305, 0,  7, "id-on-permanentIdentifier"      }, /* 304 */
+ {              0x04,         306, 0,  7, "id-on-hardwareModuleName"       }, /* 305 */
+ {              0x05,         307, 0,  7, "xmppAddr"                       }, /* 306 */
+ {              0x06,         308, 0,  7, "id-on-SIM"                      }, /* 307 */
+ {              0x07,           0, 0,  7, "id-on-dnsSRV"                   }, /* 308 */
+ {            0x0A,           314, 1,  6, "id-aca"                         }, /* 309 */
+ {              0x01,         311, 0,  7, "authenticationInfo"             }, /* 310 */
+ {              0x02,         312, 0,  7, "accessIdentity"                 }, /* 311 */
+ {              0x03,         313, 0,  7, "chargingIdentity"               }, /* 312 */
+ {              0x04,           0, 0,  7, "group"                          }, /* 313 */
+ {            0x0B,           315, 0,  6, "subjectInfoAccess"              }, /* 314 */
+ {            0x30,             0, 1,  6, "id-ad"                          }, /* 315 */
+ {              0x01,         324, 1,  7, "ocsp"                           }, /* 316 */
+ {                0x01,       318, 0,  8, "basic"                          }, /* 317 */
+ {                0x02,       319, 0,  8, "nonce"                          }, /* 318 */
+ {                0x03,       320, 0,  8, "crl"                            }, /* 319 */
+ {                0x04,       321, 0,  8, "response"                       }, /* 320 */
+ {                0x05,       322, 0,  8, "noCheck"                        }, /* 321 */
+ {                0x06,       323, 0,  8, "archiveCutoff"                  }, /* 322 */
+ {                0x07,         0, 0,  8, "serviceLocator"                 }, /* 323 */
+ {              0x02,         325, 0,  7, "caIssuers"                      }, /* 324 */
+ {              0x03,         326, 0,  7, "timeStamping"                   }, /* 325 */
+ {              0x05,           0, 0,  7, "caRepository"                   }, /* 326 */
+ {          0x08,               0, 1,  5, "ipsec"                          }, /* 327 */
+ {            0x02,             0, 1,  6, "certificate"                    }, /* 328 */
+ {              0x02,           0, 0,  7, "iKEIntermediate"                }, /* 329 */
+ {  0x0E,                     336, 1,  1, "oiw"                            }, /* 330 */
+ {    0x03,                     0, 1,  2, "secsig"                         }, /* 331 */
+ {      0x02,                   0, 1,  3, "algorithms"                     }, /* 332 */
+ {        0x07,               334, 0,  4, "des-cbc"                        }, /* 333 */
+ {        0x1A,               335, 0,  4, "sha-1"                          }, /* 334 */
+ {        0x1D,                 0, 0,  4, "sha-1WithRSASignature"          }, /* 335 */
+ {  0x24,                     382, 1,  1, "TeleTrusT"                      }, /* 336 */
+ {    0x03,                     0, 1,  2, "algorithm"                      }, /* 337 */
+ {      0x03,                   0, 1,  3, "signatureAlgorithm"             }, /* 338 */
+ {        0x01,               343, 1,  4, "rsaSignature"                   }, /* 339 */
+ {          0x02,             341, 0,  5, "rsaSigWithripemd160"            }, /* 340 */
+ {          0x03,             342, 0,  5, "rsaSigWithripemd128"            }, /* 341 */
+ {          0x04,               0, 0,  5, "rsaSigWithripemd256"            }, /* 342 */
+ {        0x02,                 0, 1,  4, "ecSign"                         }, /* 343 */
+ {          0x01,             345, 0,  5, "ecSignWithsha1"                 }, /* 344 */
+ {          0x02,             346, 0,  5, "ecSignWithripemd160"            }, /* 345 */
+ {          0x03,             347, 0,  5, "ecSignWithmd2"                  }, /* 346 */
+ {          0x04,             348, 0,  5, "ecSignWithmd5"                  }, /* 347 */
+ {          0x05,             365, 1,  5, "ttt-ecg"                        }, /* 348 */
+ {            0x01,           353, 1,  6, "fieldType"                      }, /* 349 */
+ {              0x01,           0, 1,  7, "characteristictwoField"         }, /* 350 */
+ {                0x01,         0, 1,  8, "basisType"                      }, /* 351 */
+ {                  0x01,       0, 0,  9, "ipBasis"                        }, /* 352 */
+ {            0x02,           355, 1,  6, "keyType"                        }, /* 353 */
+ {              0x01,           0, 0,  7, "ecgPublicKey"                   }, /* 354 */
+ {            0x03,           356, 0,  6, "curve"                          }, /* 355 */
+ {            0x04,           363, 1,  6, "signatures"                     }, /* 356 */
+ {              0x01,         358, 0,  7, "ecgdsa-with-RIPEMD160"          }, /* 357 */
+ {              0x02,         359, 0,  7, "ecgdsa-with-SHA1"               }, /* 358 */
+ {              0x03,         360, 0,  7, "ecgdsa-with-SHA224"             }, /* 359 */
+ {              0x04,         361, 0,  7, "ecgdsa-with-SHA256"             }, /* 360 */
+ {              0x05,         362, 0,  7, "ecgdsa-with-SHA384"             }, /* 361 */
+ {              0x06,           0, 0,  7, "ecgdsa-with-SHA512"             }, /* 362 */
+ {            0x05,             0, 1,  6, "module"                         }, /* 363 */
+ {              0x01,           0, 0,  7, "1"                              }, /* 364 */
+ {          0x08,               0, 1,  5, "ecStdCurvesAndGeneration"       }, /* 365 */
+ {            0x01,             0, 1,  6, "ellipticCurve"                  }, /* 366 */
+ {              0x01,           0, 1,  7, "versionOne"                     }, /* 367 */
+ {                0x01,       369, 0,  8, "brainpoolP160r1"                }, /* 368 */
+ {                0x02,       370, 0,  8, "brainpoolP160t1"                }, /* 369 */
+ {                0x03,       371, 0,  8, "brainpoolP192r1"                }, /* 370 */
+ {                0x04,       372, 0,  8, "brainpoolP192t1"                }, /* 371 */
+ {                0x05,       373, 0,  8, "brainpoolP224r1"                }, /* 372 */
+ {                0x06,       374, 0,  8, "brainpoolP224t1"                }, /* 373 */
+ {                0x07,       375, 0,  8, "brainpoolP256r1"                }, /* 374 */
+ {                0x08,       376, 0,  8, "brainpoolP256t1"                }, /* 375 */
+ {                0x09,       377, 0,  8, "brainpoolP320r1"                }, /* 376 */
+ {                0x0A,       378, 0,  8, "brainpoolP320t1"                }, /* 377 */
+ {                0x0B,       379, 0,  8, "brainpoolP384r1"                }, /* 378 */
+ {                0x0C,       380, 0,  8, "brainpoolP384t1"                }, /* 379 */
+ {                0x0D,       381, 0,  8, "brainpoolP512r1"                }, /* 380 */
+ {                0x0E,         0, 0,  8, "brainpoolP512t1"                }, /* 381 */
+ {  0x81,                       0, 1,  1, ""                               }, /* 382 */
+ {    0x04,                     0, 1,  2, "Certicom"                       }, /* 383 */
+ {      0x00,                   0, 1,  3, "curve"                          }, /* 384 */
+ {        0x01,               386, 0,  4, "sect163k1"                      }, /* 385 */
+ {        0x02,               387, 0,  4, "sect163r1"                      }, /* 386 */
+ {        0x03,               388, 0,  4, "sect239k1"                      }, /* 387 */
+ {        0x04,               389, 0,  4, "sect113r1"                      }, /* 388 */
+ {        0x05,               390, 0,  4, "sect113r2"                      }, /* 389 */
+ {        0x06,               391, 0,  4, "secp112r1"                      }, /* 390 */
+ {        0x07,               392, 0,  4, "secp112r2"                      }, /* 391 */
+ {        0x08,               393, 0,  4, "secp160r1"                      }, /* 392 */
+ {        0x09,               394, 0,  4, "secp160k1"                      }, /* 393 */
+ {        0x0A,               395, 0,  4, "secp256k1"                      }, /* 394 */
+ {        0x0F,               396, 0,  4, "sect163r2"                      }, /* 395 */
+ {        0x10,               397, 0,  4, "sect283k1"                      }, /* 396 */
+ {        0x11,               398, 0,  4, "sect283r1"                      }, /* 397 */
+ {        0x16,               399, 0,  4, "sect131r1"                      }, /* 398 */
+ {        0x17,               400, 0,  4, "sect131r2"                      }, /* 399 */
+ {        0x18,               401, 0,  4, "sect193r1"                      }, /* 400 */
+ {        0x19,               402, 0,  4, "sect193r2"                      }, /* 401 */
+ {        0x1A,               403, 0,  4, "sect233k1"                      }, /* 402 */
+ {        0x1B,               404, 0,  4, "sect233r1"                      }, /* 403 */
+ {        0x1C,               405, 0,  4, "secp128r1"                      }, /* 404 */
+ {        0x1D,               406, 0,  4, "secp128r2"                      }, /* 405 */
+ {        0x1E,               407, 0,  4, "secp160r2"                      }, /* 406 */
+ {        0x1F,               408, 0,  4, "secp192k1"                      }, /* 407 */
+ {        0x20,               409, 0,  4, "secp224k1"                      }, /* 408 */
+ {        0x21,               410, 0,  4, "secp224r1"                      }, /* 409 */
+ {        0x22,               411, 0,  4, "secp384r1"                      }, /* 410 */
+ {        0x23,               412, 0,  4, "secp521r1"                      }, /* 411 */
+ {        0x24,               413, 0,  4, "sect409k1"                      }, /* 412 */
+ {        0x25,               414, 0,  4, "sect409r1"                      }, /* 413 */
+ {        0x26,               415, 0,  4, "sect571k1"                      }, /* 414 */
+ {        0x27,                 0, 0,  4, "sect571r1"                      }, /* 415 */
+ {0x60,                       470, 1,  0, ""                               }, /* 416 */
+ {  0x86,                       0, 1,  1, ""                               }, /* 417 */
+ {    0x48,                     0, 1,  2, ""                               }, /* 418 */
+ {      0x01,                   0, 1,  3, "organization"                   }, /* 419 */
+ {        0x65,               446, 1,  4, "gov"                            }, /* 420 */
+ {          0x03,               0, 1,  5, "csor"                           }, /* 421 */
+ {            0x04,             0, 1,  6, "nistalgorithm"                  }, /* 422 */
+ {              0x01,         433, 1,  7, "aes"                            }, /* 423 */
+ {                0x02,       425, 0,  8, "id-aes128-CBC"                  }, /* 424 */
+ {                0x06,       426, 0,  8, "id-aes128-GCM"                  }, /* 425 */
+ {                0x07,       427, 0,  8, "id-aes128-CCM"                  }, /* 426 */
+ {                0x16,       428, 0,  8, "id-aes192-CBC"                  }, /* 427 */
+ {                0x1A,       429, 0,  8, "id-aes192-GCM"                  }, /* 428 */
+ {                0x1B,       430, 0,  8, "id-aes192-CCM"                  }, /* 429 */
+ {                0x2A,       431, 0,  8, "id-aes256-CBC"                  }, /* 430 */
+ {                0x2E,       432, 0,  8, "id-aes256-GCM"                  }, /* 431 */
+ {                0x2F,         0, 0,  8, "id-aes256-CCM"                  }, /* 432 */
+ {              0x02,           0, 1,  7, "hashalgs"                       }, /* 433 */
+ {                0x01,       435, 0,  8, "id-sha256"                      }, /* 434 */
+ {                0x02,       436, 0,  8, "id-sha384"                      }, /* 435 */
+ {                0x03,       437, 0,  8, "id-sha512"                      }, /* 436 */
+ {                0x04,       438, 0,  8, "id-sha224"                      }, /* 437 */
+ {                0x05,       439, 0,  8, "id-sha512-224"                  }, /* 438 */
+ {                0x06,       440, 0,  8, "id-sha512-256"                  }, /* 439 */
+ {                0x07,       441, 0,  8, "id-sha3-224"                    }, /* 440 */
+ {                0x08,       442, 0,  8, "id-sha3-256"                    }, /* 441 */
+ {                0x09,       443, 0,  8, "id-sha3-384"                    }, /* 442 */
+ {                0x0A,       444, 0,  8, "id-sha3-512"                    }, /* 443 */
+ {                0x0B,       445, 0,  8, "id-shake128"                    }, /* 444 */
+ {                0x0C,         0, 0,  8, "id-shake256"                    }, /* 445 */
+ {        0x86,                 0, 1,  4, ""                               }, /* 446 */
+ {          0xf8,               0, 1,  5, ""                               }, /* 447 */
+ {            0x42,           460, 1,  6, "netscape"                       }, /* 448 */
+ {              0x01,         455, 1,  7, ""                               }, /* 449 */
+ {                0x01,       451, 0,  8, "nsCertType"                     }, /* 450 */
+ {                0x03,       452, 0,  8, "nsRevocationUrl"                }, /* 451 */
+ {                0x04,       453, 0,  8, "nsCaRevocationUrl"              }, /* 452 */
+ {                0x08,       454, 0,  8, "nsCaPolicyUrl"                  }, /* 453 */
+ {                0x0d,         0, 0,  8, "nsComment"                      }, /* 454 */
+ {              0x03,         458, 1,  7, "directory"                      }, /* 455 */
+ {                0x01,         0, 1,  8, ""                               }, /* 456 */
+ {                  0x03,       0, 0,  9, "employeeNumber"                 }, /* 457 */
+ {              0x04,           0, 1,  7, "policy"                         }, /* 458 */
+ {                0x01,         0, 0,  8, "nsSGC"                          }, /* 459 */
+ {            0x45,             0, 1,  6, "verisign"                       }, /* 460 */
+ {              0x01,           0, 1,  7, "pki"                            }, /* 461 */
+ {                0x09,         0, 1,  8, "attributes"                     }, /* 462 */
+ {                  0x02,     464, 0,  9, "messageType"                    }, /* 463 */
+ {                  0x03,     465, 0,  9, "pkiStatus"                      }, /* 464 */
+ {                  0x04,     466, 0,  9, "failInfo"                       }, /* 465 */
+ {                  0x05,     467, 0,  9, "senderNonce"                    }, /* 466 */
+ {                  0x06,     468, 0,  9, "recipientNonce"                 }, /* 467 */
+ {                  0x07,     469, 0,  9, "transID"                        }, /* 468 */
+ {                  0x08,       0, 0,  9, "extensionReq"                   }, /* 469 */
+ {0x67,                         0, 1,  0, ""                               }, /* 470 */
+ {  0x81,                       0, 1,  1, ""                               }, /* 471 */
+ {    0x05,                     0, 1,  2, ""                               }, /* 472 */
+ {      0x02,                   0, 1,  3, "tcg-attribute"                  }, /* 473 */
+ {        0x01,               475, 0,  4, "tcg-at-tpmManufacturer"         }, /* 474 */
+ {        0x02,               476, 0,  4, "tcg-at-tpmModel"                }, /* 475 */
+ {        0x03,               477, 0,  4, "tcg-at-tpmVersion"              }, /* 476 */
+ {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"              }  /* 477 */
 };
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index 0f7c5d6..b9ed08d 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -150,103 +150,110 @@ extern const oid_t oid_names[];
 #define OID_BLISS_B_II						221
 #define OID_BLISS_B_III						222
 #define OID_BLISS_B_IV						223
-#define OID_BLISS_WITH_SHA512				225
-#define OID_BLISS_WITH_SHA384				226
-#define OID_BLISS_WITH_SHA256				227
-#define OID_TCGID							234
-#define OID_BLOWFISH_CBC					238
-#define OID_AUTHORITY_INFO_ACCESS			282
-#define OID_IP_ADDR_BLOCKS					284
-#define OID_POLICY_QUALIFIER_CPS			286
-#define OID_POLICY_QUALIFIER_UNOTICE		287
-#define OID_SERVER_AUTH						289
-#define OID_CLIENT_AUTH						290
-#define OID_OCSP_SIGNING					297
-#define OID_XMPP_ADDR						303
-#define OID_AUTHENTICATION_INFO				307
-#define OID_ACCESS_IDENTITY					308
-#define OID_CHARGING_IDENTITY				309
-#define OID_GROUP							310
-#define OID_OCSP							313
-#define OID_BASIC							314
-#define OID_NONCE							315
-#define OID_CRL								316
-#define OID_RESPONSE						317
-#define OID_NO_CHECK						318
-#define OID_ARCHIVE_CUTOFF					319
-#define OID_SERVICE_LOCATOR					320
-#define OID_CA_ISSUERS						321
-#define OID_IKE_INTERMEDIATE				326
-#define OID_DES_CBC							330
-#define OID_SHA1							331
-#define OID_SHA1_WITH_RSA_OIW				332
-#define OID_ECGDSA_PUBKEY					351
-#define OID_ECGDSA_SIG_WITH_RIPEMD160		354
-#define OID_ECGDSA_SIG_WITH_SHA1			355
-#define OID_ECGDSA_SIG_WITH_SHA224			356
-#define OID_ECGDSA_SIG_WITH_SHA256			357
-#define OID_ECGDSA_SIG_WITH_SHA384			358
-#define OID_ECGDSA_SIG_WITH_SHA512			359
-#define OID_SECT163K1						382
-#define OID_SECT163R1						383
-#define OID_SECT239K1						384
-#define OID_SECT113R1						385
-#define OID_SECT113R2						386
-#define OID_SECT112R1						387
-#define OID_SECT112R2						388
-#define OID_SECT160R1						389
-#define OID_SECT160K1						390
-#define OID_SECT256K1						391
-#define OID_SECT163R2						392
-#define OID_SECT283K1						393
-#define OID_SECT283R1						394
-#define OID_SECT131R1						395
-#define OID_SECT131R2						396
-#define OID_SECT193R1						397
-#define OID_SECT193R2						398
-#define OID_SECT233K1						399
-#define OID_SECT233R1						400
-#define OID_SECT128R1						401
-#define OID_SECT128R2						402
-#define OID_SECT160R2						403
-#define OID_SECT192K1						404
-#define OID_SECT224K1						405
-#define OID_SECT224R1						406
-#define OID_SECT384R1						407
-#define OID_SECT521R1						408
-#define OID_SECT409K1						409
-#define OID_SECT409R1						410
-#define OID_SECT571K1						411
-#define OID_SECT571R1						412
-#define OID_AES128_CBC						421
-#define OID_AES128_GCM						422
-#define OID_AES128_CCM						423
-#define OID_AES192_CBC						424
-#define OID_AES192_GCM						425
-#define OID_AES192_CCM						426
-#define OID_AES256_CBC						427
-#define OID_AES256_GCM						428
-#define OID_AES256_CCM						429
-#define OID_SHA256							431
-#define OID_SHA384							432
-#define OID_SHA512							433
-#define OID_SHA224							434
-#define OID_NS_REVOCATION_URL				448
-#define OID_NS_CA_REVOCATION_URL			449
-#define OID_NS_CA_POLICY_URL				450
-#define OID_NS_COMMENT						451
-#define OID_EMPLOYEE_NUMBER					454
-#define OID_PKI_MESSAGE_TYPE				460
-#define OID_PKI_STATUS						461
-#define OID_PKI_FAIL_INFO					462
-#define OID_PKI_SENDER_NONCE				463
-#define OID_PKI_RECIPIENT_NONCE				464
-#define OID_PKI_TRANS_ID					465
-#define OID_TPM_MANUFACTURER				471
-#define OID_TPM_MODEL						472
-#define OID_TPM_VERSION						473
-#define OID_TPM_ID_LABEL					474
+#define OID_BLISS_WITH_SHA2_512				225
+#define OID_BLISS_WITH_SHA2_384				226
+#define OID_BLISS_WITH_SHA2_256				227
+#define OID_BLISS_WITH_SHA3_512				228
+#define OID_BLISS_WITH_SHA3_384				229
+#define OID_BLISS_WITH_SHA3_256				230
+#define OID_TCGID							237
+#define OID_BLOWFISH_CBC					241
+#define OID_AUTHORITY_INFO_ACCESS			285
+#define OID_IP_ADDR_BLOCKS					287
+#define OID_POLICY_QUALIFIER_CPS			289
+#define OID_POLICY_QUALIFIER_UNOTICE		290
+#define OID_SERVER_AUTH						292
+#define OID_CLIENT_AUTH						293
+#define OID_OCSP_SIGNING					300
+#define OID_XMPP_ADDR						306
+#define OID_AUTHENTICATION_INFO				310
+#define OID_ACCESS_IDENTITY					311
+#define OID_CHARGING_IDENTITY				312
+#define OID_GROUP							313
+#define OID_OCSP							316
+#define OID_BASIC							317
+#define OID_NONCE							318
+#define OID_CRL								319
+#define OID_RESPONSE						320
+#define OID_NO_CHECK						321
+#define OID_ARCHIVE_CUTOFF					322
+#define OID_SERVICE_LOCATOR					323
+#define OID_CA_ISSUERS						324
+#define OID_IKE_INTERMEDIATE				329
+#define OID_DES_CBC							333
+#define OID_SHA1							334
+#define OID_SHA1_WITH_RSA_OIW				335
+#define OID_ECGDSA_PUBKEY					354
+#define OID_ECGDSA_SIG_WITH_RIPEMD160		357
+#define OID_ECGDSA_SIG_WITH_SHA1			358
+#define OID_ECGDSA_SIG_WITH_SHA224			359
+#define OID_ECGDSA_SIG_WITH_SHA256			360
+#define OID_ECGDSA_SIG_WITH_SHA384			361
+#define OID_ECGDSA_SIG_WITH_SHA512			362
+#define OID_SECT163K1						385
+#define OID_SECT163R1						386
+#define OID_SECT239K1						387
+#define OID_SECT113R1						388
+#define OID_SECT113R2						389
+#define OID_SECT112R1						390
+#define OID_SECT112R2						391
+#define OID_SECT160R1						392
+#define OID_SECT160K1						393
+#define OID_SECT256K1						394
+#define OID_SECT163R2						395
+#define OID_SECT283K1						396
+#define OID_SECT283R1						397
+#define OID_SECT131R1						398
+#define OID_SECT131R2						399
+#define OID_SECT193R1						400
+#define OID_SECT193R2						401
+#define OID_SECT233K1						402
+#define OID_SECT233R1						403
+#define OID_SECT128R1						404
+#define OID_SECT128R2						405
+#define OID_SECT160R2						406
+#define OID_SECT192K1						407
+#define OID_SECT224K1						408
+#define OID_SECT224R1						409
+#define OID_SECT384R1						410
+#define OID_SECT521R1						411
+#define OID_SECT409K1						412
+#define OID_SECT409R1						413
+#define OID_SECT571K1						414
+#define OID_SECT571R1						415
+#define OID_AES128_CBC						424
+#define OID_AES128_GCM						425
+#define OID_AES128_CCM						426
+#define OID_AES192_CBC						427
+#define OID_AES192_GCM						428
+#define OID_AES192_CCM						429
+#define OID_AES256_CBC						430
+#define OID_AES256_GCM						431
+#define OID_AES256_CCM						432
+#define OID_SHA256							434
+#define OID_SHA384							435
+#define OID_SHA512							436
+#define OID_SHA224							437
+#define OID_SHA3_224						440
+#define OID_SHA3_256						441
+#define OID_SHA3_384						442
+#define OID_SHA3_512						443
+#define OID_NS_REVOCATION_URL				451
+#define OID_NS_CA_REVOCATION_URL			452
+#define OID_NS_CA_POLICY_URL				453
+#define OID_NS_COMMENT						454
+#define OID_EMPLOYEE_NUMBER					457
+#define OID_PKI_MESSAGE_TYPE				463
+#define OID_PKI_STATUS						464
+#define OID_PKI_FAIL_INFO					465
+#define OID_PKI_SENDER_NONCE				466
+#define OID_PKI_RECIPIENT_NONCE				467
+#define OID_PKI_TRANS_ID					468
+#define OID_TPM_MANUFACTURER				474
+#define OID_TPM_MODEL						475
+#define OID_TPM_VERSION						476
+#define OID_TPM_ID_LABEL					477
 
-#define OID_MAX								475
+#define OID_MAX								478
 
 #endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 919d24c..64dedcb 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -223,9 +223,12 @@
                     0x07     "BLISS-B-III"				OID_BLISS_B_III
                     0x08     "BLISS-B-IV"				OID_BLISS_B_IV
                   0x03       "blissSigType"
-                    0x01     "BLISS-with-SHA512"		OID_BLISS_WITH_SHA512
-                    0x02     "BLISS-with-SHA384"		OID_BLISS_WITH_SHA384
-                    0x03     "BLISS-with-SHA256"		OID_BLISS_WITH_SHA256
+                    0x01     "BLISS-with-SHA2-512"		OID_BLISS_WITH_SHA2_512
+                    0x02     "BLISS-with-SHA2-384"		OID_BLISS_WITH_SHA2_384
+                    0x03     "BLISS-with-SHA2-256"		OID_BLISS_WITH_SHA2_256
+                    0x04     "BLISS-with-SHA3-512"		OID_BLISS_WITH_SHA3_512
+                    0x05     "BLISS-with-SHA3-384"		OID_BLISS_WITH_SHA3_384
+                    0x06     "BLISS-with-SHA3-256"		OID_BLISS_WITH_SHA3_256
           0x89               ""
             0x31             ""
               0x01           ""
@@ -435,10 +438,10 @@
                 0x04         "id-sha224"				OID_SHA224
                 0x05         "id-sha512-224"
                 0x06         "id-sha512-256"
-                0x07         "id-sha3-224"
-                0x08         "id-sha3-256"
-                0x09         "id-sha3-384"
-                0x0A         "id-sha3-512"
+                0x07         "id-sha3-224"				OID_SHA3_224
+                0x08         "id-sha3-256"				OID_SHA3_256
+                0x09         "id-sha3-384"				OID_SHA3_384
+                0x0A         "id-sha3-512"				OID_SHA3_512
                 0x0B         "id-shake128"
                 0x0C         "id-shake256"
         0x86                 ""
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 1e93f02..9988d80 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -951,9 +951,9 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 	{
 		entry_t entry;
 
-		while (array_remove(other->entries, ARRAY_HEAD, &entry))
-		{
-			array_insert(this->entries, ARRAY_TAIL, &entry);
+		while (array_remove(other->entries, ARRAY_TAIL, &entry))
+		{	/* keep order but prefer new values (esp. for single valued ones) */
+			array_insert(this->entries, ARRAY_HEAD, &entry);
 		}
 		array_compress(other->entries);
 	}
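Review bot: The new comment on the `while` loop says why the direction changed but not what it relies on. Prepending `other`'s entries only "prefers new values" if single-valued rules are resolved by taking the first matching entry in `this->entries`, and that lookup is not visible in this hunk. I would state the dependency in the comment, e.g. `/* move other's entries to the front in their original order; lookups take the first match, so merged values win */`, after confirming it against the lookup code. Since this ordering decides which authentication constraint is in force after a merge, a unit test that merges two configs carrying the same single-valued rule and checks the result would pin the behaviour. merge() begins and ends outside the hunk.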
diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c
index bd5915e..d6f211a 100644
--- a/src/libstrongswan/credentials/keys/public_key.c
+++ b/src/libstrongswan/credentials/keys/public_key.c
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2015 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -27,7 +27,7 @@ ENUM(key_type_names, KEY_ANY, KEY_BLISS,
 	"BLISS"
 );
 
-ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_WITH_SHA512,
+ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_WITH_SHA3_512,
 	"UNKNOWN",
 	"RSA_EMSA_PKCS1_NULL",
 	"RSA_EMSA_PKCS1_MD5",
@@ -44,9 +44,12 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_WITH_SHA512,
 	"ECDSA-256",
 	"ECDSA-384",
 	"ECDSA-521",
-	"BLISS_WITH_SHA256",
-	"BLISS_WITH_SHA384",
-	"BLISS_WITH_SHA512",
+	"BLISS_WITH_SHA2_256",
+	"BLISS_WITH_SHA2_384",
+	"BLISS_WITH_SHA2_512",
+	"BLISS_WITH_SHA3_256",
+	"BLISS_WITH_SHA3_384",
+	"BLISS_WITH_SHA3_512",
 );
 
 ENUM(encryption_scheme_names, ENCRYPT_UNKNOWN, ENCRYPT_RSA_OAEP_SHA512,
@@ -137,12 +140,18 @@ signature_scheme_t signature_scheme_from_oid(int oid)
 		case OID_ECDSA_WITH_SHA512:
 			return SIGN_ECDSA_WITH_SHA512_DER;
 		case OID_BLISS_PUBLICKEY:
-		case OID_BLISS_WITH_SHA512:
-			return SIGN_BLISS_WITH_SHA512;
-		case OID_BLISS_WITH_SHA256:
-			return SIGN_BLISS_WITH_SHA256;
-		case OID_BLISS_WITH_SHA384:
-			return SIGN_BLISS_WITH_SHA384;
+		case OID_BLISS_WITH_SHA2_512:
+			return SIGN_BLISS_WITH_SHA2_512;
+		case OID_BLISS_WITH_SHA2_384:
+			return SIGN_BLISS_WITH_SHA2_384;
+		case OID_BLISS_WITH_SHA2_256:
+			return SIGN_BLISS_WITH_SHA2_256;
+		case OID_BLISS_WITH_SHA3_512:
+			return SIGN_BLISS_WITH_SHA3_512;
+		case OID_BLISS_WITH_SHA3_384:
+			return SIGN_BLISS_WITH_SHA3_384;
+		case OID_BLISS_WITH_SHA3_256:
+			return SIGN_BLISS_WITH_SHA3_256;
 	}
 	return SIGN_UNKNOWN;
 }
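Review bot: `case OID_BLISS_PUBLICKEY:` still shares its body with `OID_BLISS_WITH_SHA2_512` without a comment. With six BLISS hash variants now in the switch, that implicit default is easy to misread as an omission. A one-line comment on the label, e.g. `/* bare BLISS public key OID defaults to the SHA2-512 scheme */`, would make the choice explicit. The switch begins outside the hunk.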
@@ -181,12 +190,18 @@ int signature_scheme_to_oid(signature_scheme_t scheme)
 			return OID_ECDSA_WITH_SHA384;
 		case SIGN_ECDSA_WITH_SHA512_DER:
 			return OID_ECDSA_WITH_SHA512;
-		case SIGN_BLISS_WITH_SHA256:
-			return OID_BLISS_WITH_SHA256;
-		case SIGN_BLISS_WITH_SHA384:
-			return OID_BLISS_WITH_SHA384;
-		case SIGN_BLISS_WITH_SHA512:
-			return OID_BLISS_WITH_SHA512;
+		case SIGN_BLISS_WITH_SHA2_256:
+			return OID_BLISS_WITH_SHA2_256;
+		case SIGN_BLISS_WITH_SHA2_384:
+			return OID_BLISS_WITH_SHA2_384;
+		case SIGN_BLISS_WITH_SHA2_512:
+			return OID_BLISS_WITH_SHA2_512;
+		case SIGN_BLISS_WITH_SHA3_256:
+			return OID_BLISS_WITH_SHA3_256;
+		case SIGN_BLISS_WITH_SHA3_384:
+			return OID_BLISS_WITH_SHA3_384;
+		case SIGN_BLISS_WITH_SHA3_512:
+			return OID_BLISS_WITH_SHA3_512;
 	}
 	return OID_UNKNOWN;
 }
@@ -207,9 +222,9 @@ static struct {
 	{ SIGN_ECDSA_WITH_SHA256_DER, KEY_ECDSA, 256 },
 	{ SIGN_ECDSA_WITH_SHA384_DER, KEY_ECDSA, 384 },
 	{ SIGN_ECDSA_WITH_SHA512_DER, KEY_ECDSA, 0 },
-	{ SIGN_BLISS_WITH_SHA256,     KEY_BLISS, 128 },
-	{ SIGN_BLISS_WITH_SHA384,     KEY_BLISS, 192 },
-	{ SIGN_BLISS_WITH_SHA512,     KEY_BLISS, 0 },
+	{ SIGN_BLISS_WITH_SHA2_256,   KEY_BLISS, 128 },
+	{ SIGN_BLISS_WITH_SHA2_384,   KEY_BLISS, 192 },
+	{ SIGN_BLISS_WITH_SHA2_512,   KEY_BLISS, 0 }
 };
 
 /**
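Review bot: The scheme table here is only renamed to the SHA2 identifiers. No rows are added for `SIGN_BLISS_WITH_SHA3_256`, `SIGN_BLISS_WITH_SHA3_384` or `SIGN_BLISS_WITH_SHA3_512`, although the other hunks in this file map those schemes to OIDs and to `KEY_BLISS`. If the table drives scheme selection by key type and strength (its consumer is outside the hunk), the SHA-3 variants would never be offered for a BLISS key. If that is intended, a comment above the BLISS rows such as `/* SHA-3 BLISS schemes are deliberately not proposed by default */` would record it. Otherwise the missing rows need adding. The table's declaration begins outside the hunk.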
@@ -284,9 +299,12 @@ key_type_t key_type_from_signature_scheme(signature_scheme_t scheme)
 		case SIGN_ECDSA_384:
 		case SIGN_ECDSA_521:
 			return KEY_ECDSA;
-		case SIGN_BLISS_WITH_SHA256:
-		case SIGN_BLISS_WITH_SHA384:
-		case SIGN_BLISS_WITH_SHA512:
+		case SIGN_BLISS_WITH_SHA2_256:
+		case SIGN_BLISS_WITH_SHA2_384:
+		case SIGN_BLISS_WITH_SHA2_512:
+		case SIGN_BLISS_WITH_SHA3_256:
+		case SIGN_BLISS_WITH_SHA3_384:
+		case SIGN_BLISS_WITH_SHA3_512:
 			return KEY_BLISS;
 	}
 	return KEY_ANY;
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
index 66e98b2..ce48f9b 100644
--- a/src/libstrongswan/credentials/keys/public_key.h
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2015 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -94,12 +94,18 @@ enum signature_scheme_t {
 	SIGN_ECDSA_384,
 	/** ECDSA on the P-521 curve with SHA-512 as in RFC 4754           */
 	SIGN_ECDSA_521,
-	/** BLISS with SHA-256                                             */
-	SIGN_BLISS_WITH_SHA256,
-	/** BLISS with SHA-384                                             */
-	SIGN_BLISS_WITH_SHA384,
-	/** BLISS with SHA-512                                             */
-	SIGN_BLISS_WITH_SHA512,
+	/** BLISS with SHA-2_256                                           */
+	SIGN_BLISS_WITH_SHA2_256,
+	/** BLISS with SHA-2_384                                           */
+	SIGN_BLISS_WITH_SHA2_384,
+	/** BLISS with SHA-2_512                                           */
+	SIGN_BLISS_WITH_SHA2_512,
+	/** BLISS with SHA-3_256                                           */
+	SIGN_BLISS_WITH_SHA3_256,
+	/** BLISS with SHA-3_384                                           */
+	SIGN_BLISS_WITH_SHA3_384,
+	/** BLISS with SHA-3_512                                           */
+	SIGN_BLISS_WITH_SHA3_512,
 };
 
 /**
diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c
index 38eebea..e220593 100644
--- a/src/libstrongswan/crypto/hashers/hasher.c
+++ b/src/libstrongswan/crypto/hashers/hasher.c
@@ -1,8 +1,9 @@
 /*
  * Copyright (C) 2012-2015 Tobias Brunner
+ * Copyright (C) 2015 Andreas Steffen
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -24,26 +25,34 @@ ENUM_BEGIN(hash_algorithm_names, HASH_SHA1, HASH_SHA512,
 	"HASH_SHA256",
 	"HASH_SHA384",
 	"HASH_SHA512");
-ENUM_NEXT(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA224, HASH_SHA512,
+ENUM_NEXT(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_SHA512,
 	"HASH_UNKNOWN",
 	"HASH_MD2",
 	"HASH_MD4",
 	"HASH_MD5",
-	"HASH_SHA224");
-ENUM_END(hash_algorithm_names, HASH_SHA224);
+	"HASH_SHA224",
+	"HASH_SHA3_224",
+	"HASH_SHA3_256",
+	"HASH_SHA3_384",
+	"HASH_SHA3_512");
+ENUM_END(hash_algorithm_names, HASH_SHA3_512);
 
 ENUM_BEGIN(hash_algorithm_short_names, HASH_SHA1, HASH_SHA512,
 	"sha1",
 	"sha256",
 	"sha384",
 	"sha512");
-ENUM_NEXT(hash_algorithm_short_names, HASH_UNKNOWN, HASH_SHA224, HASH_SHA512,
+ENUM_NEXT(hash_algorithm_short_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_SHA512,
 	"unknown",
 	"md2",
 	"md4",
 	"md5",
-	"sha224");
-ENUM_END(hash_algorithm_short_names, HASH_SHA224);
+	"sha224",
+	"sha3_224",
+	"sha3_256",
+	"sha3_384",
+	"sha3_512");
+ENUM_END(hash_algorithm_short_names, HASH_SHA3_512);
 
 /*
  * Described in header.
@@ -73,6 +82,14 @@ hash_algorithm_t hasher_algorithm_from_oid(int oid)
 		case OID_SHA512:
 		case OID_SHA512_WITH_RSA:
 			return HASH_SHA512;
+		case OID_SHA3_224:
+			return HASH_SHA3_224;
+		case OID_SHA3_256:
+			return HASH_SHA3_256;
+		case OID_SHA3_384:
+			return HASH_SHA3_384;
+		case OID_SHA3_512:
+			return HASH_SHA3_512;
 		default:
 			return HASH_UNKNOWN;
 	}
@@ -242,6 +259,10 @@ integrity_algorithm_t hasher_algorithm_to_integrity(hash_algorithm_t alg,
 		case HASH_MD2:
 		case HASH_MD4:
 		case HASH_SHA224:
+		case HASH_SHA3_224:
+		case HASH_SHA3_256:
+		case HASH_SHA3_384:
+		case HASH_SHA3_512:
 		case HASH_UNKNOWN:
 			break;
 	}
@@ -265,6 +286,10 @@ bool hasher_algorithm_for_ikev2(hash_algorithm_t alg)
 		case HASH_MD4:
 		case HASH_MD5:
 		case HASH_SHA224:
+		case HASH_SHA3_224:
+		case HASH_SHA3_256:
+		case HASH_SHA3_384:
+		case HASH_SHA3_512:
 			break;
 	}
 	return FALSE;
@@ -300,6 +325,18 @@ int hasher_algorithm_to_oid(hash_algorithm_t alg)
 		case HASH_SHA512:
 			oid = OID_SHA512;
 			break;
+		case HASH_SHA3_224:
+			oid = OID_SHA3_224;
+			break;
+		case HASH_SHA3_256:
+			oid = OID_SHA3_256;
+			break;
+		case HASH_SHA3_384:
+			oid = OID_SHA3_384;
+			break;
+		case HASH_SHA3_512:
+			oid = OID_SHA3_512;
+			break;
 		default:
 			oid = OID_UNKNOWN;
 	}
@@ -351,11 +388,17 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key)
 			switch (alg)
 			{
 				case HASH_SHA256:
-					return OID_BLISS_WITH_SHA256;
+					return OID_BLISS_WITH_SHA2_256;
 				case HASH_SHA384:
-					return OID_BLISS_WITH_SHA384;
+					return OID_BLISS_WITH_SHA2_384;
 				case HASH_SHA512:
-					return OID_BLISS_WITH_SHA512;
+					return OID_BLISS_WITH_SHA2_512;
+				case HASH_SHA3_256:
+					return OID_BLISS_WITH_SHA3_256;
+				case HASH_SHA3_384:
+					return OID_BLISS_WITH_SHA3_384;
+				case HASH_SHA3_512:
+					return OID_BLISS_WITH_SHA3_512;
 				default:
 					return OID_UNKNOWN;
 			}
@@ -385,18 +428,24 @@ hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme)
 		case SIGN_RSA_EMSA_PKCS1_SHA256:
 		case SIGN_ECDSA_WITH_SHA256_DER:
 		case SIGN_ECDSA_256:
-		case SIGN_BLISS_WITH_SHA256:
+		case SIGN_BLISS_WITH_SHA2_256:
 			return HASH_SHA256;
 		case SIGN_RSA_EMSA_PKCS1_SHA384:
 		case SIGN_ECDSA_WITH_SHA384_DER:
 		case SIGN_ECDSA_384:
-		case SIGN_BLISS_WITH_SHA384:
+		case SIGN_BLISS_WITH_SHA2_384:
 			return HASH_SHA384;
 		case SIGN_RSA_EMSA_PKCS1_SHA512:
 		case SIGN_ECDSA_WITH_SHA512_DER:
 		case SIGN_ECDSA_521:
-		case SIGN_BLISS_WITH_SHA512:
+		case SIGN_BLISS_WITH_SHA2_512:
 			return HASH_SHA512;
+		case SIGN_BLISS_WITH_SHA3_256:
+			return HASH_SHA3_256;
+		case SIGN_BLISS_WITH_SHA3_384:
+			return HASH_SHA3_384;
+		case SIGN_BLISS_WITH_SHA3_512:
+			return HASH_SHA3_512;
 	}
 	return HASH_UNKNOWN;
 }
diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h
index 7725863..272502c 100644
--- a/src/libstrongswan/crypto/hashers/hasher.h
+++ b/src/libstrongswan/crypto/hashers/hasher.h
@@ -45,6 +45,10 @@ enum hash_algorithm_t {
 	HASH_MD4			= 1026,
 	HASH_MD5 			= 1027,
 	HASH_SHA224			= 1028,
+	HASH_SHA3_224		= 1029,
+	HASH_SHA3_256		= 1030,
+	HASH_SHA3_384		= 1031,
+	HASH_SHA3_512		= 1032
 };
 
 #define HASH_SIZE_MD2		16
diff --git a/src/libstrongswan/crypto/iv/iv_gen.c b/src/libstrongswan/crypto/iv/iv_gen.c
index 7d6570a..c706277 100644
--- a/src/libstrongswan/crypto/iv/iv_gen.c
+++ b/src/libstrongswan/crypto/iv/iv_gen.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2015 Martin Willi
  * Copyright (C) 2015 revosec AG
  *
@@ -16,6 +19,7 @@
 #include "iv_gen.h"
 #include "iv_gen_rand.h"
 #include "iv_gen_seq.h"
+#include "iv_gen_null.h"
 
 /**
  * See header.
@@ -52,6 +56,7 @@ iv_gen_t* iv_gen_create_for_alg(encryption_algorithm_t alg)
 		case ENCR_NULL_AUTH_AES_GMAC:
 			return iv_gen_seq_create();
 		case ENCR_NULL:
+			return iv_gen_null_create();
 		case ENCR_UNDEFINED:
 		case ENCR_DES_ECB:
 		case ENCR_DES_IV32:
diff --git a/src/libstrongswan/crypto/iv/iv_gen_null.c b/src/libstrongswan/crypto/iv/iv_gen_null.c
new file mode 100644
index 0000000..b13de06
--- /dev/null
+++ b/src/libstrongswan/crypto/iv/iv_gen_null.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "iv_gen_null.h"
+
+typedef struct private_iv_gen_t private_iv_gen_t;
+
+/**
+ * Private data of an iv_gen_t object.
+ */
+struct private_iv_gen_t {
+
+	/**
+	 * Public iv_gen_t interface.
+	 */
+	iv_gen_t public;
+};
+
+METHOD(iv_gen_t, get_iv, bool,
+	private_iv_gen_t *this, u_int64_t seq, size_t size, u_int8_t *buffer)
+{
+	return size == 0;
+}
+
+METHOD(iv_gen_t, allocate_iv, bool,
+	private_iv_gen_t *this, u_int64_t seq, size_t size, chunk_t *chunk)
+{
+	*chunk = chunk_empty;
+	return size == 0;
+}
+
+METHOD(iv_gen_t, destroy, void,
+	private_iv_gen_t *this)
+{
+	free(this);
+}
+
+iv_gen_t *iv_gen_null_create()
+{
+	private_iv_gen_t *this;
+
+	INIT(this,
+		.public = {
+			.get_iv = _get_iv,
+			.allocate_iv = _allocate_iv,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
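Review bot: `get_iv` and `allocate_iv` have no comment explaining why they return `size == 0`, which is the whole contract of this generator: any request for a non-empty IV fails rather than leaving the caller with an unfilled buffer. I would add above `get_iv` a line such as `/* NULL encryption uses no IV: succeed only if none is requested */`, and the same above `allocate_iv`. As a smaller style point, `iv_gen_null_create()` is defined with an empty parameter list, which in C leaves the parameters unspecified. `iv_gen_t *iv_gen_null_create(void)` would let the compiler reject stray arguments, though the sibling constructors outside this hunk may follow the same convention.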
diff --git a/src/libstrongswan/AndroidConfigLocal.h b/src/libstrongswan/crypto/iv/iv_gen_null.h
similarity index 61%
copy from src/libstrongswan/AndroidConfigLocal.h
copy to src/libstrongswan/crypto/iv/iv_gen_null.h
index ae0e606..b63f0c3 100644
--- a/src/libstrongswan/AndroidConfigLocal.h
+++ b/src/libstrongswan/crypto/iv/iv_gen_null.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2015 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -13,10 +13,20 @@
  * for more details.
  */
 
-/* stuff defined in AndroidConfig.h, which is included using the -include
- * command-line option, thus cannot be undefined using -U CFLAGS options.
- * the reason we have to undefine these flags in the first place, is that
- * AndroidConfig.h defines them as 0, which in turn means that they are
- * actually defined. */
+/**
+ * @{ @ingroup iv
+ */
+
+#ifndef IV_GEN_NULL_H_
+#define IV_GEN_NULL_H_
+
+#include <crypto/iv/iv_gen.h>
+
+/**
+ * Create an IV generator that does not actually generate an IV.
+ *
+ * @return		IV generator
+ */
+iv_gen_t *iv_gen_null_create();
 
-#undef HAVE_BACKTRACE
+#endif /** IV_GEN_NULL_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_plugin.c b/src/libstrongswan/plugins/bliss/bliss_plugin.c
index 07597c3..4adcf1e 100644
--- a/src/libstrongswan/plugins/bliss/bliss_plugin.c
+++ b/src/libstrongswan/plugins/bliss/bliss_plugin.c
@@ -55,19 +55,31 @@ METHOD(plugin_t, get_features, int,
 		PLUGIN_REGISTER(PUBKEY, bliss_public_key_load, TRUE),
 			PLUGIN_PROVIDE(PUBKEY, KEY_ANY),
 		/* signature schemes, private */
-		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA256),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA2_256),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA256),
-		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA384),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA2_384),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA384),
-		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA512),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA2_512),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA512),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA3_256),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA3_256),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA3_384),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA3_384),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA3_512),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA3_512),
 		/* signature verification schemes */
-		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA256),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA2_256),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA256),
-		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA384),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA2_384),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA384),
-		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA512),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA2_512),
 			PLUGIN_DEPENDS(HASHER, HASH_SHA512),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA3_256),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA3_256),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA3_384),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA3_384),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA3_512),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA3_512),
 	};
 	*features = f;
 
diff --git a/src/libstrongswan/plugins/bliss/bliss_private_key.c b/src/libstrongswan/plugins/bliss/bliss_private_key.c
index 1386eeb..20bbc6a 100644
--- a/src/libstrongswan/plugins/bliss/bliss_private_key.c
+++ b/src/libstrongswan/plugins/bliss/bliss_private_key.c
@@ -511,12 +511,18 @@ METHOD(private_key_t, sign, bool,
 {
 	switch (scheme)
 	{
-		case SIGN_BLISS_WITH_SHA256:
+		case SIGN_BLISS_WITH_SHA2_256:
 			return sign_bliss(this, HASH_SHA256, data, signature);
-		case SIGN_BLISS_WITH_SHA384:
+		case SIGN_BLISS_WITH_SHA2_384:
 			return sign_bliss(this, HASH_SHA384, data, signature);
-		case SIGN_BLISS_WITH_SHA512:
+		case SIGN_BLISS_WITH_SHA2_512:
 			return sign_bliss(this, HASH_SHA512, data, signature);
+		case SIGN_BLISS_WITH_SHA3_256:
+			return sign_bliss(this, HASH_SHA3_256, data, signature);
+		case SIGN_BLISS_WITH_SHA3_384:
+			return sign_bliss(this, HASH_SHA3_384, data, signature);
+		case SIGN_BLISS_WITH_SHA3_512:
+			return sign_bliss(this, HASH_SHA3_512, data, signature);
 		default:
 			DBG1(DBG_LIB, "signature scheme %N not supported with BLISS",
 				 signature_scheme_names, scheme);
diff --git a/src/libstrongswan/plugins/bliss/bliss_public_key.c b/src/libstrongswan/plugins/bliss/bliss_public_key.c
index 2b305f6..93d1165 100644
--- a/src/libstrongswan/plugins/bliss/bliss_public_key.c
+++ b/src/libstrongswan/plugins/bliss/bliss_public_key.c
@@ -193,12 +193,18 @@ METHOD(public_key_t, verify, bool,
 {
 	switch (scheme)
 	{
-		case SIGN_BLISS_WITH_SHA256:
+		case SIGN_BLISS_WITH_SHA2_256:
 			return verify_bliss(this, HASH_SHA256, data, signature);
-		case SIGN_BLISS_WITH_SHA384:
+		case SIGN_BLISS_WITH_SHA2_384:
 			return verify_bliss(this, HASH_SHA384, data, signature);
-		case SIGN_BLISS_WITH_SHA512:
+		case SIGN_BLISS_WITH_SHA2_512:
 			return verify_bliss(this, HASH_SHA512, data, signature);
+		case SIGN_BLISS_WITH_SHA3_256:
+			return verify_bliss(this, HASH_SHA3_256, data, signature);
+		case SIGN_BLISS_WITH_SHA3_384:
+			return verify_bliss(this, HASH_SHA3_384, data, signature);
+		case SIGN_BLISS_WITH_SHA3_512:
+			return verify_bliss(this, HASH_SHA3_512, data, signature);
 		default:
 			DBG1(DBG_LIB, "signature scheme %N not supported by BLISS",
 				 signature_scheme_names, scheme);
diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c
index 8b4e9cb..a3e4420 100644
--- a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c
+++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c
@@ -36,13 +36,13 @@ START_TEST(test_bliss_sign_all)
 		switch (k)
 		{
 			case 1:
-				signature_scheme = SIGN_BLISS_WITH_SHA256;
+				signature_scheme = SIGN_BLISS_WITH_SHA2_256;
 				break;
 			case 2:
-				signature_scheme = SIGN_BLISS_WITH_SHA384;
+				signature_scheme = SIGN_BLISS_WITH_SHA2_384;
 				break;
 			default:
-				signature_scheme = SIGN_BLISS_WITH_SHA512;
+				signature_scheme = SIGN_BLISS_WITH_SHA2_512;
 		}
 
 		/* enforce BLISS-B key for k = 2, 3 */
@@ -176,14 +176,14 @@ START_TEST(test_bliss_sign_fail)
 
 	/* generate valid signature */
 	msg = chunk_from_str("Hello Dolly!");
-	ck_assert(privkey->sign(privkey, SIGN_BLISS_WITH_SHA512, msg, &signature));
+	ck_assert(privkey->sign(privkey, SIGN_BLISS_WITH_SHA2_512, msg, &signature));
 
 	/* verify with invalid signature scheme */
 	ck_assert(!pubkey->verify(pubkey, SIGN_UNKNOWN, msg, signature));
 
 	/* corrupt signature */
 	signature.ptr[signature.len - 1] ^= 0x80;
-	ck_assert(!pubkey->verify(pubkey, SIGN_BLISS_WITH_SHA512, msg, signature));
+	ck_assert(!pubkey->verify(pubkey, SIGN_BLISS_WITH_SHA2_512, msg, signature));
 
 	free(signature.ptr);
 	privkey->destroy(privkey);
diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c
index 7653c19..9207f11 100644
--- a/src/libstrongswan/plugins/curl/curl_fetcher.c
+++ b/src/libstrongswan/plugins/curl/curl_fetcher.c
@@ -123,7 +123,7 @@ METHOD(fetcher_t, fetch, status_t,
 		curl_easy_setopt(this->curl, CURLOPT_HTTPHEADER, this->headers);
 	}
 
-	DBG2(DBG_LIB, "  sending http request to '%s'...", uri);
+	DBG2(DBG_LIB, "  sending request to '%s'...", uri);
 	curl_status = curl_easy_perform(this->curl);
 	switch (curl_status)
 	{
@@ -137,10 +137,10 @@ METHOD(fetcher_t, fetch, status_t,
 			{
 				*this->result = result;
 			}
-			status = (result >= 200 && result < 300) ? SUCCESS : FAILED;
+			status = (result < 400) ? SUCCESS : FAILED;
 			break;
 		default:
-			DBG1(DBG_LIB, "libcurl http request failed [%d]: %s", curl_status,
+			DBG1(DBG_LIB, "libcurl request failed [%d]: %s", curl_status,
 				 error);
 			status = FAILED;
 			break;
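Review bot: `status = (result < 400) ? SUCCESS : FAILED;` now reports SUCCESS for 1xx and 3xx responses as well, not only for the missing status code that non-HTTP schemes presumably produce. An unfollowed redirect would then hand its body to the caller as the fetched object; whether redirects are followed is configured outside this hunk. If the aim is only to admit transfers without an HTTP status, a narrower test keeps the old HTTP behaviour: `status = (result == 0 || (result >= 200 && result < 300)) ? SUCCESS : FAILED;`. The body of fetch starts and ends outside the hunk.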
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
index cac442f..49ec488 100644
--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
@@ -18,6 +18,7 @@
 
 #ifndef OPENSSL_NO_DH
 
+#include <openssl/bn.h>
 #include <openssl/dh.h>
 
 #include "openssl_diffie_hellman.h"
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index a1af500..11d6e8e 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -17,6 +17,7 @@
 
 #ifndef OPENSSL_NO_EC
 
+#include <openssl/bn.h>
 #include <openssl/ec.h>
 #include <openssl/objects.h>
 #include <openssl/bn.h>
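Review bot: The added `#include <openssl/bn.h>` at the top of the list duplicates the one already present after `<openssl/objects.h>` three lines further down in this hunk. The header guard makes it harmless, but one of the two should be dropped. Keeping only the new first line would match where the other openssl_*.c files in this commit place it.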
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index 10a35c1..de02f30 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -23,6 +23,7 @@
 
 #include <utils/debug.h>
 
+#include <openssl/bn.h>
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 #ifndef OPENSSL_NO_ENGINE
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index aa54d3b..db92856 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -23,6 +23,7 @@
 
 #include <utils/debug.h>
 
+#include <openssl/bn.h>
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 #include <openssl/x509.h>
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c
index 0e61086..2f98137 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.c
+++ b/src/libstrongswan/plugins/openssl/openssl_util.c
@@ -18,6 +18,7 @@
 
 #include <utils/debug.h>
 
+#include <openssl/bn.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index f7ac347..01d0495 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -356,6 +356,7 @@ static plugin_entry_t *load_plugin(private_plugin_loader_t *this, char *name,
 {
 	plugin_entry_t *entry;
 	void *handle;
+	int flag = RTLD_LAZY;
 
 	switch (create_plugin(this, RTLD_DEFAULT, name, FALSE, critical, &entry))
 	{
@@ -380,15 +381,19 @@ static plugin_entry_t *load_plugin(private_plugin_loader_t *this, char *name,
 			return NULL;
 		}
 	}
-	handle = dlopen(file, RTLD_LAZY
+	if (lib->settings->get_bool(lib->settings, "%s.dlopen_use_rtld_now",
+								lib->ns, FALSE))
+	{
+		flag = RTLD_NOW;
+	}
 #ifdef RTLD_NODELETE
-	/* if supported, do not unload library when unloading a plugin. It really
-	 * doesn't matter in productive systems, but causes many (dependency)
-	 * library reloads during unit tests. Some libraries can't handle that,
+	/* If supported, do not unload the library when unloading a plugin. It
+	 * really doesn't matter in productive systems, but causes many (dependency)
+	 * library reloads during unit tests. Some libraries can't handle that, e.g.
 	 * GnuTLS leaks file descriptors in its library load/unload functions. */
-					| RTLD_NODELETE
+	flag |= RTLD_NODELETE;
 #endif
-					);
+	handle = dlopen(file, flag);
 	if (handle == NULL)
 	{
 		DBG1(DBG_LIB, "plugin '%s' failed to load: %s", name, dlerror());
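Review bot: The new `dlopen_use_rtld_now` branch has no comment saying what the switch is for, while the `RTLD_NODELETE` branch right below it is explained at length. A line above the `if` such as `/* resolve all symbols at load time, so a plugin with unresolved symbols fails in dlopen() and not at its first call */` would make the intent clear to the next reader. The setting is also looked up on every call; whether that matters depends on how often load_plugin runs, and its body starts and ends outside this hunk.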
diff --git a/src/libstrongswan/plugins/random/random_rng.c b/src/libstrongswan/plugins/random/random_rng.c
index 36d5446..177b3c2 100644
--- a/src/libstrongswan/plugins/random/random_rng.c
+++ b/src/libstrongswan/plugins/random/random_rng.c
@@ -56,6 +56,7 @@ METHOD(rng_t, get_bytes, bool,
 			DBG1(DBG_LIB, "reading from random FD %d failed: %s, retrying...",
 				 this->fd, strerror(errno));
 			sleep(1);
+			continue;
 		}
 		done += got;
 	}
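Review bot: The retry path in get_bytes is still unbounded after this fix. As far as the hunk shows, a persistent read error on `this->fd` keeps the loop sleeping one second and retrying, and the caller never gets a result. Since the method returns `bool`, a cap before the `sleep(1)` would let callers fail closed instead of hanging, for example `if (++retries >= MAX_READ_RETRIES) { return FALSE; }` (both names are placeholders). The loop head and the condition guarding this branch are outside the hunk, so check that no limit already exists there.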
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index 9fd5b2a..fdcb990 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -367,7 +367,7 @@ static certificate_t* fetch_crl(char *url)
 		return NULL;
 	}
 	crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
-							 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
+							 BUILD_BLOB_PEM, chunk, BUILD_END);
 	chunk_free(&chunk);
 	if (!crl)
 	{
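Review bot: The switch to `BUILD_BLOB_PEM` in fetch_crl deserves a comment, because the name reads as if DER-encoded CRLs were no longer accepted. If, as I understand the builder types, the PEM loader passes plain DER through unchanged, say so next to the call: `/* BUILD_BLOB_PEM accepts PEM as well as plain DER encoded CRLs */`. It is also worth confirming that fetched CRLs still parse in builds where no PEM decoder is loaded, since a parse failure here lands in the `if (!crl)` branch, which continues outside the hunk.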
diff --git a/src/libstrongswan/plugins/sha3/Makefile.am b/src/libstrongswan/plugins/sha3/Makefile.am
new file mode 100644
index 0000000..7ccf58c
--- /dev/null
+++ b/src/libstrongswan/plugins/sha3/Makefile.am
@@ -0,0 +1,16 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS)
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-sha3.la
+else
+plugin_LTLIBRARIES = libstrongswan-sha3.la
+endif
+
+libstrongswan_sha3_la_SOURCES = \
+	sha3_plugin.h sha3_plugin.c sha3_hasher.c sha3_hasher.h
+
+libstrongswan_sha3_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/sha3/Makefile.in
similarity index 70%
copy from src/libstrongswan/plugins/test_vectors/Makefile.in
copy to src/libstrongswan/plugins/sha3/Makefile.in
index fa7c3cb..3034ea5 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/sha3/Makefile.in
@@ -78,7 +78,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-subdir = src/libstrongswan/plugins/test_vectors
+subdir = src/libstrongswan/plugins/sha3
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -127,37 +127,19 @@ am__uninstall_files_from_dir = { \
   }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
-libstrongswan_test_vectors_la_LIBADD =
-am__dirstamp = $(am__leading_dot)dirstamp
-am_libstrongswan_test_vectors_la_OBJECTS = test_vectors_plugin.lo \
-	test_vectors/3des_cbc.lo test_vectors/aes_cbc.lo \
-	test_vectors/aes_ctr.lo test_vectors/aes_xcbc.lo \
-	test_vectors/aes_cmac.lo test_vectors/aes_ccm.lo \
-	test_vectors/aes_gcm.lo test_vectors/chacha20poly1305.lo \
-	test_vectors/blowfish.lo test_vectors/camellia_cbc.lo \
-	test_vectors/camellia_ctr.lo test_vectors/camellia_xcbc.lo \
-	test_vectors/cast.lo test_vectors/des.lo test_vectors/idea.lo \
-	test_vectors/null.lo test_vectors/rc2.lo test_vectors/rc5.lo \
-	test_vectors/serpent_cbc.lo test_vectors/twofish_cbc.lo \
-	test_vectors/md2.lo test_vectors/md4.lo test_vectors/md5.lo \
-	test_vectors/md5_hmac.lo test_vectors/sha1.lo \
-	test_vectors/sha1_hmac.lo test_vectors/sha2.lo \
-	test_vectors/sha2_hmac.lo test_vectors/fips_prf.lo \
-	test_vectors/modp.lo test_vectors/modpsub.lo \
-	test_vectors/ecp.lo test_vectors/ecpbp.lo test_vectors/rng.lo
-libstrongswan_test_vectors_la_OBJECTS =  \
-	$(am_libstrongswan_test_vectors_la_OBJECTS)
+libstrongswan_sha3_la_LIBADD =
+am_libstrongswan_sha3_la_OBJECTS = sha3_plugin.lo sha3_hasher.lo
+libstrongswan_sha3_la_OBJECTS = $(am_libstrongswan_sha3_la_OBJECTS)
 AM_V_lt = $(am__v_lt_ at AM_V@)
 am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
 am__v_lt_0 = --silent
 am__v_lt_1 = 
-libstrongswan_test_vectors_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+libstrongswan_sha3_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_test_vectors_la_LDFLAGS) $(LDFLAGS) -o $@
- at MONOLITHIC_FALSE@am_libstrongswan_test_vectors_la_rpath = -rpath \
- at MONOLITHIC_FALSE@	$(plugindir)
- at MONOLITHIC_TRUE@am_libstrongswan_test_vectors_la_rpath =
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_sha3_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+ at MONOLITHIC_FALSE@am_libstrongswan_sha3_la_rpath = -rpath $(plugindir)
+ at MONOLITHIC_TRUE@am_libstrongswan_sha3_la_rpath =
 AM_V_P = $(am__v_P_ at AM_V@)
 am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
 am__v_P_0 = false
@@ -192,8 +174,8 @@ AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
 am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
 am__v_CCLD_0 = @echo "  CCLD    " $@;
 am__v_CCLD_1 = 
-SOURCES = $(libstrongswan_test_vectors_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_test_vectors_la_SOURCES)
+SOURCES = $(libstrongswan_sha3_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_sha3_la_SOURCES)
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
     n|no|NO) false;; \
@@ -450,46 +432,12 @@ AM_CPPFLAGS = \
 AM_CFLAGS = \
 	$(PLUGIN_CFLAGS)
 
- at MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-test-vectors.la
- at MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-test-vectors.la
-libstrongswan_test_vectors_la_SOURCES = \
-	test_vectors_plugin.h test_vectors_plugin.c test_vectors.h \
-	test_vectors/3des_cbc.c \
-	test_vectors/aes_cbc.c \
-	test_vectors/aes_ctr.c \
-	test_vectors/aes_xcbc.c \
-	test_vectors/aes_cmac.c \
-	test_vectors/aes_ccm.c \
-	test_vectors/aes_gcm.c \
-	test_vectors/chacha20poly1305.c \
-	test_vectors/blowfish.c \
-	test_vectors/camellia_cbc.c \
-	test_vectors/camellia_ctr.c \
-	test_vectors/camellia_xcbc.c \
-	test_vectors/cast.c \
-	test_vectors/des.c \
-	test_vectors/idea.c \
-	test_vectors/null.c \
-	test_vectors/rc2.c \
-	test_vectors/rc5.c \
-	test_vectors/serpent_cbc.c \
-	test_vectors/twofish_cbc.c \
-	test_vectors/md2.c \
-	test_vectors/md4.c \
-	test_vectors/md5.c \
-	test_vectors/md5_hmac.c \
-	test_vectors/sha1.c \
-	test_vectors/sha1_hmac.c \
-	test_vectors/sha2.c \
-	test_vectors/sha2_hmac.c \
-	test_vectors/fips_prf.c \
-	test_vectors/modp.c \
-	test_vectors/modpsub.c \
-	test_vectors/ecp.c \
-	test_vectors/ecpbp.c \
-	test_vectors/rng.c
-
-libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version
+ at MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-sha3.la
+ at MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-sha3.la
+libstrongswan_sha3_la_SOURCES = \
+	sha3_plugin.h sha3_plugin.c sha3_hasher.c sha3_hasher.h
+
+libstrongswan_sha3_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
@@ -503,9 +451,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/test_vectors/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/sha3/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/test_vectors/Makefile
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/sha3/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -570,127 +518,18 @@ clean-pluginLTLIBRARIES:
 	  echo rm -f $${locs}; \
 	  rm -f $${locs}; \
 	}
-test_vectors/$(am__dirstamp):
-	@$(MKDIR_P) test_vectors
-	@: > test_vectors/$(am__dirstamp)
-test_vectors/$(DEPDIR)/$(am__dirstamp):
-	@$(MKDIR_P) test_vectors/$(DEPDIR)
-	@: > test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/3des_cbc.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/aes_cbc.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/aes_ctr.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/aes_xcbc.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/aes_cmac.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/aes_ccm.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/aes_gcm.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/chacha20poly1305.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/blowfish.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/camellia_cbc.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/camellia_ctr.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/camellia_xcbc.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/cast.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/des.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/idea.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/null.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/rc2.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/rc5.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/serpent_cbc.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/twofish_cbc.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/md2.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/md4.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/md5.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/md5_hmac.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/sha1.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/sha1_hmac.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/sha2.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/sha2_hmac.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/fips_prf.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/modp.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/modpsub.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/ecp.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/ecpbp.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-test_vectors/rng.lo: test_vectors/$(am__dirstamp) \
-	test_vectors/$(DEPDIR)/$(am__dirstamp)
-
-libstrongswan-test-vectors.la: $(libstrongswan_test_vectors_la_OBJECTS) $(libstrongswan_test_vectors_la_DEPENDENCIES) $(EXTRA_libstrongswan_test_vectors_la_DEPENDENCIES) 
-	$(AM_V_CCLD)$(libstrongswan_test_vectors_la_LINK) $(am_libstrongswan_test_vectors_la_rpath) $(libstrongswan_test_vectors_la_OBJECTS) $(libstrongswan_test_vectors_la_LIBADD) $(LIBS)
+
+libstrongswan-sha3.la: $(libstrongswan_sha3_la_OBJECTS) $(libstrongswan_sha3_la_DEPENDENCIES) $(EXTRA_libstrongswan_sha3_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_sha3_la_LINK) $(am_libstrongswan_sha3_la_rpath) $(libstrongswan_sha3_la_OBJECTS) $(libstrongswan_sha3_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
-	-rm -f test_vectors/*.$(OBJEXT)
-	-rm -f test_vectors/*.lo
 
 distclean-compile:
 	-rm -f *.tab.c
 
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/test_vectors_plugin.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/3des_cbc.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/aes_cbc.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/aes_ccm.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/aes_cmac.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/aes_ctr.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/aes_gcm.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/aes_xcbc.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/blowfish.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/camellia_cbc.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/camellia_ctr.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/camellia_xcbc.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/cast.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/chacha20poly1305.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/des.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/ecp.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/ecpbp.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/fips_prf.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/idea.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/md2.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/md4.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/md5.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/md5_hmac.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/modp.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/modpsub.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/null.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/rc2.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/rc5.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/rng.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/serpent_cbc.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/sha1.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/sha1_hmac.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/sha2.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/sha2_hmac.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/twofish_cbc.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/sha3_hasher.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/sha3_plugin.Plo at am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@@ -721,7 +560,6 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-	-rm -rf test_vectors/.libs test_vectors/_libs
 
 ID: $(am__tagged_files)
 	$(am__define_uniq_tagged_files); mkid -fID $$unique
@@ -838,8 +676,6 @@ clean-generic:
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-	-rm -f test_vectors/$(DEPDIR)/$(am__dirstamp)
-	-rm -f test_vectors/$(am__dirstamp)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -850,7 +686,7 @@ clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
 	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
-	-rm -rf ./$(DEPDIR) test_vectors/$(DEPDIR)
+	-rm -rf ./$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
@@ -896,7 +732,7 @@ install-ps-am:
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR) test_vectors/$(DEPDIR)
+	-rm -rf ./$(DEPDIR)
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
diff --git a/src/libstrongswan/plugins/sha3/sha3_hasher.c b/src/libstrongswan/plugins/sha3/sha3_hasher.c
new file mode 100644
index 0000000..b34a025
--- /dev/null
+++ b/src/libstrongswan/plugins/sha3/sha3_hasher.c
@@ -0,0 +1,527 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Based on the implementation by the Keccak, Keyak and Ketje Teams, namely,
+ * Guido Bertoni, Joan Daemen, Michaël Peeters, Gilles Van Assche and
+ * Ronny Van Keer, hereby denoted as "the implementer".
+ *
+ * To the extent possible under law, the implementer has waived all copyright
+ * and related or neighboring rights to the source code in this file.
+ * http://creativecommons.org/publicdomain/zero/1.0/
+ */
+
+#include <string.h>
+
+#include "sha3_hasher.h"
+
+typedef struct private_sha3_hasher_t private_sha3_hasher_t;
+
+#define KECCAK_STATE_SIZE	 200	/* bytes */
+#define KECCAK_MAX_RATE		 144	/* bytes */
+#define DELIMITED_SUFFIX	0x06
+
+static const uint64_t round_constants[] = {
+    0x0000000000000001ULL,
+    0x0000000000008082ULL,
+    0x800000000000808aULL,
+    0x8000000080008000ULL,
+    0x000000000000808bULL,
+    0x0000000080000001ULL,
+    0x8000000080008081ULL,
+    0x8000000000008009ULL,
+    0x000000000000008aULL,
+    0x0000000000000088ULL,
+    0x0000000080008009ULL,
+    0x000000008000000aULL,
+    0x000000008000808bULL,
+    0x800000000000008bULL,
+    0x8000000000008089ULL,
+    0x8000000000008003ULL,
+    0x8000000000008002ULL,
+    0x8000000000000080ULL,
+    0x000000000000800aULL,
+    0x800000008000000aULL,
+    0x8000000080008081ULL,
+    0x8000000000008080ULL,
+    0x0000000080000001ULL,
+    0x8000000080008008ULL
+};
+
+/**
+ * Private data structure with hashing context for SHA-3
+ */
+struct private_sha3_hasher_t {
+
+	/**
+	 * Public interface for this hasher.
+	 */
+	sha3_hasher_t public;
+
+	/**
+	 * SHA-3 algorithm to be used
+	 */
+	hash_algorithm_t algorithm;
+
+	/**
+	 * Internal state of 1600 bits as defined by FIPS-202
+	 */
+	uint8_t state[KECCAK_STATE_SIZE];
+
+	/**
+	 * Rate in bytes
+	 */
+	u_int rate;
+
+	/**
+	 * Rate input buffer
+	 */
+	uint8_t rate_buffer[KECCAK_MAX_RATE];
+
+	/**
+	 * Index pointing to the current position in the rate buffer
+	 */
+	u_int rate_index;
+
+};
+
+#if BYTE_ORDER != LITTLE_ENDIAN
+/**
+ * Function to load a 64-bit value using the little-endian (LE) convention.
+ * On a LE platform, this could be greatly simplified using a cast.
+ */
+static uint64_t load64(const uint8_t *x)
+{
+	int i;
+	uint64_t u = 0;
+
+	for (i = 7; i >= 0; --i)
+	{
+		u <<= 8;
+		u |= x[i];
+	}
+	return u;
+}
+
+/**
+ * Function to store a 64-bit value using the little-endian (LE) convention.
+ * On a LE platform, this could be greatly simplified using a cast.
+ */
+static void store64(uint8_t *x, uint64_t u)
+{
+	u_int i;
+
+	for (i = 0; i < 8; ++i)
+	{
+		x[i] = u;
+		u >>= 8;
+	}
+}
+
+/**
+ * Function to XOR into a 64-bit value using the little-endian (LE) convention.
+ * On a LE platform, this could be greatly simplified using a cast.
+ */
+static void xor64(uint8_t *x, uint64_t u)
+{
+	u_int i;
+
+	for (i = 0; i < 8; ++i)
+	{
+		x[i] ^= u;
+		u >>= 8;
+	}
+}
+#endif
+
+/**
+ * Some macros used by the Keccak-f[1600] permutation.
+ */
+#define ROL64(a, offset) ((((uint64_t)a) << offset) ^ (((uint64_t)a) >> (64-offset)))
+
+#if BYTE_ORDER == LITTLE_ENDIAN
+    #define readLane(i)          (((uint64_t*)state)[i])
+    #define writeLane(i, lane)   (((uint64_t*)state)[i])  = (lane)
+    #define XORLane(i, lane)     (((uint64_t*)state)[i]) ^= (lane)
+#elif BYTE_ORDER == BIG_ENDIAN
+    #define readLane(i)          load64((uint8_t*)state+sizeof(uint64_t)*i))
+    #define writeLane(i, lane)   store64((uint8_t*)state+sizeof(uint64_t)*i, lane)
+    #define XORLane(i, lane)     xor64((uint8_t*)state+sizeof(uint64_t)*i, lane)
+#endif
+
+/**
+ * Function that computes the Keccak-f[1600] permutation on the given state.
+ */
+static void keccak_f1600_state_permute(void *state)
+{
+	int round;
+
+	for (round = 0; round < 24; round++)
+	{
+		{   /* θ step (see [Keccak Reference, Section 2.3.2]) */
+
+			uint64_t C[5], D;
+
+			/* Compute the parity of the columns */
+			C[0] = readLane(0) ^ readLane( 5) ^ readLane(10)
+							   ^ readLane(15) ^ readLane(20);
+			C[1] = readLane(1) ^ readLane( 6) ^ readLane(11)
+							   ^ readLane(16) ^ readLane(21);
+			C[2] = readLane(2) ^ readLane( 7) ^ readLane(12)
+							   ^ readLane(17) ^ readLane(22);
+			C[3] = readLane(3) ^ readLane( 8) ^ readLane(13)
+							   ^ readLane(18) ^ readLane(23);
+			C[4] = readLane(4) ^ readLane( 9) ^ readLane(14)
+							   ^ readLane(19) ^ readLane(24);
+
+			/* Compute and add the θ effect to the whole column */
+			D = C[4] ^ ROL64(C[1], 1);
+			XORLane( 0, D);
+			XORLane( 5, D);
+			XORLane(10, D);
+			XORLane(15, D);
+			XORLane(20, D);
+
+			D = C[0] ^ ROL64(C[2], 1);
+			XORLane( 1, D);
+			XORLane( 6, D);
+			XORLane(11, D);
+			XORLane(16, D);
+			XORLane(21, D);
+
+			D = C[1] ^ ROL64(C[3], 1);
+			XORLane( 2, D);
+			XORLane( 7, D);
+			XORLane(12, D);
+			XORLane(17, D);
+			XORLane(22, D);
+
+			D = C[2] ^ ROL64(C[4], 1);
+			XORLane( 3, D);
+			XORLane( 8, D);
+			XORLane(13, D);
+			XORLane(18, D);
+			XORLane(23, D);
+
+			D = C[3] ^ ROL64(C[0], 1);
+			XORLane( 4, D);
+			XORLane( 9, D);
+			XORLane(14, D);
+			XORLane(19, D);
+			XORLane(24, D);
+		}
+
+		{   /* ρ and π steps (see [Keccak Reference, Sections 2.3.3 and 2.3.4]) */
+
+			uint64_t t1, t2;
+
+			t1 = readLane( 1);
+
+			t2 = readLane(10);
+			writeLane(10, ROL64(t1,  1));
+
+			t1 = readLane( 7);
+			writeLane( 7, ROL64(t2,  3));
+
+			t2 = readLane(11);
+			writeLane(11, ROL64(t1,  6));
+
+			t1 = readLane(17);
+			writeLane(17, ROL64(t2, 10));
+
+			t2 = readLane(18);
+			writeLane(18, ROL64(t1, 15));
+
+			t1 = readLane( 3);
+			writeLane( 3, ROL64(t2, 21));
+
+			t2 = readLane( 5);
+			writeLane( 5, ROL64(t1, 28));
+
+			t1 = readLane(16);
+			writeLane(16, ROL64(t2, 36));
+
+			t2 = readLane( 8);
+			writeLane( 8, ROL64(t1, 45));
+
+			t1 = readLane(21);
+			writeLane(21, ROL64(t2, 55));
+
+			t2 = readLane(24);
+			writeLane(24, ROL64(t1,  2));
+
+			t1 = readLane( 4);
+			writeLane( 4, ROL64(t2, 14));
+
+			t2 = readLane(15);
+			writeLane(15, ROL64(t1, 27));
+
+			t1 = readLane(23);
+			writeLane(23, ROL64(t2, 41));
+
+			t2 = readLane(19);
+			writeLane(19, ROL64(t1, 56));
+
+			t1 = readLane(13);
+			writeLane(13, ROL64(t2,  8));
+
+			t2 = readLane(12);
+			writeLane(12, ROL64(t1, 25));
+
+			t1 = readLane( 2);
+			writeLane( 2, ROL64(t2, 43));
+
+			t2 = readLane(20);
+			writeLane(20, ROL64(t1, 62));
+
+			t1 = readLane(14);
+			writeLane(14, ROL64(t2, 18));
+
+			t2 = readLane(22);
+			writeLane(22, ROL64(t1, 39));
+
+			t1 = readLane( 9);
+			writeLane( 9, ROL64(t2, 61));
+
+			t2 = readLane( 6);
+			writeLane( 6, ROL64(t1, 20));
+
+			writeLane( 1, ROL64(t2, 44));
+		}
+
+		{   /* χ step (see [Keccak Reference, Section 2.3.1]) */
+
+			uint64_t t[5];
+
+			t[0] = readLane(0);
+			t[1] = readLane(1);
+			t[2] = readLane(2);
+			t[3] = readLane(3);
+			t[4] = readLane(4);
+
+			writeLane(0, t[0] ^ ((~t[1]) & t[2]));
+			writeLane(1, t[1] ^ ((~t[2]) & t[3]));
+			writeLane(2, t[2] ^ ((~t[3]) & t[4]));
+			writeLane(3, t[3] ^ ((~t[4]) & t[0]));
+			writeLane(4, t[4] ^ ((~t[0]) & t[1]));
+
+			t[0] = readLane(5);
+			t[1] = readLane(6);
+			t[2] = readLane(7);
+			t[3] = readLane(8);
+			t[4] = readLane(9);
+
+			writeLane(5, t[0] ^ ((~t[1]) & t[2]));
+			writeLane(6, t[1] ^ ((~t[2]) & t[3]));
+			writeLane(7, t[2] ^ ((~t[3]) & t[4]));
+			writeLane(8, t[3] ^ ((~t[4]) & t[0]));
+			writeLane(9, t[4] ^ ((~t[0]) & t[1]));
+
+			t[0] = readLane(10);
+			t[1] = readLane(11);
+			t[2] = readLane(12);
+			t[3] = readLane(13);
+			t[4] = readLane(14);
+
+			writeLane(10, t[0] ^ ((~t[1]) & t[2]));
+			writeLane(11, t[1] ^ ((~t[2]) & t[3]));
+			writeLane(12, t[2] ^ ((~t[3]) & t[4]));
+			writeLane(13, t[3] ^ ((~t[4]) & t[0]));
+			writeLane(14, t[4] ^ ((~t[0]) & t[1]));
+
+			t[0] = readLane(15);
+			t[1] = readLane(16);
+			t[2] = readLane(17);
+			t[3] = readLane(18);
+			t[4] = readLane(19);
+
+			writeLane(15, t[0] ^ ((~t[1]) & t[2]));
+			writeLane(16, t[1] ^ ((~t[2]) & t[3]));
+			writeLane(17, t[2] ^ ((~t[3]) & t[4]));
+			writeLane(18, t[3] ^ ((~t[4]) & t[0]));
+			writeLane(19, t[4] ^ ((~t[0]) & t[1]));
+
+			t[0] = readLane(20);
+			t[1] = readLane(21);
+			t[2] = readLane(22);
+			t[3] = readLane(23);
+			t[4] = readLane(24);
+
+			writeLane(20, t[0] ^ ((~t[1]) & t[2]));
+			writeLane(21, t[1] ^ ((~t[2]) & t[3]));
+			writeLane(22, t[2] ^ ((~t[3]) & t[4]));
+			writeLane(23, t[3] ^ ((~t[4]) & t[0]));
+			writeLane(24, t[4] ^ ((~t[0]) & t[1]));
+		}
+
+		{   /* ι step (see [Keccak Reference, Section 2.3.5]) */
+
+			XORLane(0, round_constants[round]);
+		}
+	}
+}
+
+METHOD(hasher_t, reset, bool,
+	private_sha3_hasher_t *this)
+{
+    memset(this->state, 0x00, KECCAK_STATE_SIZE);
+	this->rate_index = 0;
+
+	return TRUE;
+}
+
+METHOD(hasher_t, get_hash_size, size_t,
+	private_sha3_hasher_t *this)
+{
+	switch (this->algorithm)
+	{
+		case HASH_SHA3_224:
+			return HASH_SIZE_SHA224;
+		case HASH_SHA3_256:
+			return HASH_SIZE_SHA256;
+		case HASH_SHA3_384:
+			return HASH_SIZE_SHA384;
+		case HASH_SHA3_512:
+			return HASH_SIZE_SHA512;
+		default:
+			return 0;
+	}
+}
+
+static void sha3_absorb(private_sha3_hasher_t *this, chunk_t data)
+{
+	uint64_t *buffer_lanes, *state_lanes;
+	size_t len, rate_lanes;
+	int i;
+
+	buffer_lanes = (uint64_t*)this->rate_buffer;
+	state_lanes  = (uint64_t*)this->state;
+	rate_lanes = this->rate / sizeof(uint64_t);
+
+	while (data.len)
+	{
+		len = min(data.len, this->rate - this->rate_index);
+		memcpy(this->rate_buffer + this->rate_index, data.ptr, len);
+		this->rate_index += len;
+		data.ptr += len;
+		data.len -= len;
+
+		if (this->rate_index == this->rate)
+		{
+			for (i = 0; i < rate_lanes; i++)
+			{
+				state_lanes[i] ^= buffer_lanes[i];
+			}
+			this->rate_index = 0;
+
+			keccak_f1600_state_permute(this->state);
+		}
+	}
+}
+
+static void sha3_final(private_sha3_hasher_t *this)
+{
+	uint64_t *buffer_lanes, *state_lanes;
+	size_t rate_lanes, remainder;
+	int i;
+
+	/* Add the delimitedSuffix as the first bit of padding */
+	this->rate_buffer[this->rate_index++] = DELIMITED_SUFFIX;
+
+	buffer_lanes = (uint64_t*)this->rate_buffer;
+	state_lanes  = (uint64_t*)this->state;
+	rate_lanes = this->rate_index / sizeof(uint64_t);
+
+	remainder = this->rate_index - rate_lanes * sizeof(uint64_t);
+	if (remainder)
+	{
+		memset(this->rate_buffer + this->rate_index, 0x00,
+			   sizeof(uint64_t) - remainder);
+		rate_lanes++;
+	}
+	for (i = 0; i < rate_lanes; i++)
+	{
+		state_lanes[i] ^= buffer_lanes[i];
+	}
+
+	/* Add the second bit of padding */
+	this->state[this->rate - 1] ^= 0x80;
+
+	/* Switch to the squeezing phase */
+	keccak_f1600_state_permute(this->state);
+}
+
+METHOD(hasher_t, get_hash, bool,
+	private_sha3_hasher_t *this, chunk_t chunk, uint8_t *buffer)
+{
+	sha3_absorb(this, chunk);
+
+	if (buffer != NULL)
+	{
+		sha3_final(this);
+		memcpy(buffer, this->state, get_hash_size(this));
+		reset(this);
+	}
+	return TRUE;
+}
+
+METHOD(hasher_t, allocate_hash, bool,
+	private_sha3_hasher_t *this, chunk_t chunk, chunk_t *hash)
+{
+	chunk_t allocated_hash;
+
+	sha3_absorb(this, chunk);
+
+	if (hash != NULL)
+	{
+		sha3_final(this);
+		allocated_hash = chunk_alloc(get_hash_size(this));
+		memcpy(allocated_hash.ptr, this->state, allocated_hash.len);
+		reset(this);
+		*hash = allocated_hash;
+	}
+	return TRUE;
+}
+
+METHOD(hasher_t, destroy, void,
+	sha3_hasher_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+sha3_hasher_t *sha3_hasher_create(hash_algorithm_t algorithm)
+{
+	private_sha3_hasher_t *this;
+
+	switch (algorithm)
+	{
+		case HASH_SHA3_224:
+		case HASH_SHA3_256:
+		case HASH_SHA3_384:
+		case HASH_SHA3_512:
+			break;
+		default:
+			return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.hasher_interface = {
+			.reset = _reset,
+			.get_hash_size = _get_hash_size,
+			.get_hash = _get_hash,
+			.allocate_hash = _allocate_hash,
+			.destroy = _destroy,
+			},
+		},
+		.algorithm = algorithm,
+	);
+
+	this->rate = KECCAK_STATE_SIZE - 2*get_hash_size(this);
+	reset(this);
+
+	return &this->public;
+}
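Review bot: The big-endian `readLane` macro has one closing parenthesis too many, so every `readLane(...)` use in `keccak_f1600_state_permute` fails to compile when `BYTE_ORDER == BIG_ENDIAN`; it should read `#define readLane(i) load64((uint8_t*)state+sizeof(uint64_t)*(i))`. That this went unnoticed suggests the big-endian path was never built, so the SHA-3 test vectors added in this commit should be run on such a target before the hasher is relied on there. Separately, `sha3_absorb`, `sha3_final` and the little-endian lane macros cast the `uint8_t` arrays `state` and `rate_buffer` to `uint64_t*`. Nothing in `private_sha3_hasher_t` guarantees those members are 8-byte aligned, which may fault on strict-alignment CPUs; declaring both as `uint64_t` arrays (or wrapping them in a union) would remove the assumption.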
diff --git a/src/libstrongswan/plugins/sha3/sha3_hasher.h b/src/libstrongswan/plugins/sha3/sha3_hasher.h
new file mode 100644
index 0000000..2f18d35
--- /dev/null
+++ b/src/libstrongswan/plugins/sha3/sha3_hasher.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sha3_hasher sha3_hasher
+ * @{ @ingroup sha3_p
+ */
+
+#ifndef SHA3_HASHER_H_
+#define SHA3_HASHER_H_
+
+typedef struct sha3_hasher_t sha3_hasher_t;
+
+#include <crypto/hashers/hasher.h>
+
+/**
+ * Implementation of hasher_t interface using the SHA-3 algorithm family
+ * SHA3_224, SHA3_256, SHA3_384 and SHA3_512 as defined by FIPS-202.
+ */
+struct sha3_hasher_t {
+
+	/**
+	 * Generic hasher_t interface for this hasher.
+	 */
+	hasher_t hasher_interface;
+};
+
+/**
+ * Creates a new sha3_hasher_t.
+ *
+ * @param	algorithm	HASH3_224, HASH_SHA3_256, HASH_SHA3_384 or HASH_SHA3_512
+ * @return				sha3_hasher_t object, NULL if not supported
+ */
+sha3_hasher_t *sha3_hasher_create(hash_algorithm_t algorithm);
+
+#endif /** SHA3_HASHER_H_ @}*/
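Review bot: The `@param` line of `sha3_hasher_create` names a constant `HASH3_224`, which does not match the `HASH_SHA3_224` case the implementation accepts; the other three are already spelled `HASH_SHA3_*`. I would correct the Doxygen line to `@param algorithm HASH_SHA3_224, HASH_SHA3_256, HASH_SHA3_384 or HASH_SHA3_512`.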
diff --git a/src/libstrongswan/plugins/sha3/sha3_plugin.c b/src/libstrongswan/plugins/sha3/sha3_plugin.c
new file mode 100644
index 0000000..28068f3
--- /dev/null
+++ b/src/libstrongswan/plugins/sha3/sha3_plugin.c
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "sha3_plugin.h"
+
+#include <library.h>
+#include "sha3_hasher.h"
+
+typedef struct private_sha3_plugin_t private_sha3_plugin_t;
+
+/**
+ * private data of sha3_plugin
+ */
+struct private_sha3_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	sha3_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_sha3_plugin_t *this)
+{
+	return "sha3";
+}
+
+METHOD(plugin_t, get_features, int,
+	private_sha3_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_REGISTER(HASHER, sha3_hasher_create),
+			PLUGIN_PROVIDE(HASHER, HASH_SHA3_224),
+			PLUGIN_PROVIDE(HASHER, HASH_SHA3_256),
+			PLUGIN_PROVIDE(HASHER, HASH_SHA3_384),
+			PLUGIN_PROVIDE(HASHER, HASH_SHA3_512),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_sha3_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *sha3_plugin_create()
+{
+	private_sha3_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	return &this->public.plugin;
+}
+
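Review bot: The comment `see header file` above `sha3_plugin_create` points at a declaration that sha3_plugin.h, as added in this commit, does not contain, so a reader has nowhere to look for the contract. I would replace it with a short description such as `/* Plugin constructor: creates the sha3 plugin and returns its plugin_t interface. */`. As a style point, the empty parameter list would be clearer as `plugin_t *sha3_plugin_create(void)`.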
diff --git a/src/libhydra/kernel/kernel_net.c b/src/libstrongswan/plugins/sha3/sha3_plugin.h
similarity index 52%
copy from src/libhydra/kernel/kernel_net.c
copy to src/libstrongswan/plugins/sha3/sha3_plugin.h
index 0841ed8..09c8e5d 100644
--- a/src/libhydra/kernel/kernel_net.c
+++ b/src/libstrongswan/plugins/sha3/sha3_plugin.h
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2011 Martin Willi
- * Copyright (C) 2011 revosec AG
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -13,25 +13,30 @@
  * for more details.
  */
 
-#include "kernel_net.h"
+/**
+ * @defgroup sha3_p sha3
+ * @ingroup plugins
+ *
+ * @defgroup sha3_plugin sha3_plugin
+ * @{ @ingroup sha3_p
+ */
+
+#ifndef SHA3_PLUGIN_H_
+#define SHA3_PLUGIN_H_
 
-#include <hydra.h>
+#include <plugins/plugin.h>
+
+typedef struct sha3_plugin_t sha3_plugin_t;
 
 /**
- * See header
+ * Plugin implementing the SHA356, SHA384 and SHA512 algorithms in software.
  */
-bool kernel_net_register(plugin_t *plugin, plugin_feature_t *feature,
-						 bool reg, void *data)
-{
-	if (reg)
-	{
-		hydra->kernel_interface->add_net_interface(hydra->kernel_interface,
-											(kernel_net_constructor_t)data);
-	}
-	else
-	{
-		hydra->kernel_interface->remove_net_interface(hydra->kernel_interface,
-											(kernel_net_constructor_t)data);
-	}
-	return TRUE;
-}
+struct sha3_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** SHA3_PLUGIN_H_ @}*/
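Review bot: The comment on `struct sha3_plugin_t` describes the plugin as `implementing the SHA356, SHA384 and SHA512 algorithms`, which looks carried over from another plugin and contains a typo. The features registered in sha3_plugin.c are HASH_SHA3_224, HASH_SHA3_256, HASH_SHA3_384 and HASH_SHA3_512. I would change the line to `* Plugin implementing the SHA3-224, SHA3-256, SHA3-384 and SHA3-512 algorithms in software.` so the generated documentation does not suggest this plugin provides SHA-2.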
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am
index 72ba4ce..ab540e7 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.am
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.am
@@ -40,6 +40,7 @@ libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors/sha1_hmac.c \
 	test_vectors/sha2.c \
 	test_vectors/sha2_hmac.c \
+	test_vectors/sha3.c \
 	test_vectors/fips_prf.c \
 	test_vectors/modp.c \
 	test_vectors/modpsub.c \
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index fa7c3cb..100f3b1 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -142,9 +142,10 @@ am_libstrongswan_test_vectors_la_OBJECTS = test_vectors_plugin.lo \
 	test_vectors/md2.lo test_vectors/md4.lo test_vectors/md5.lo \
 	test_vectors/md5_hmac.lo test_vectors/sha1.lo \
 	test_vectors/sha1_hmac.lo test_vectors/sha2.lo \
-	test_vectors/sha2_hmac.lo test_vectors/fips_prf.lo \
-	test_vectors/modp.lo test_vectors/modpsub.lo \
-	test_vectors/ecp.lo test_vectors/ecpbp.lo test_vectors/rng.lo
+	test_vectors/sha2_hmac.lo test_vectors/sha3.lo \
+	test_vectors/fips_prf.lo test_vectors/modp.lo \
+	test_vectors/modpsub.lo test_vectors/ecp.lo \
+	test_vectors/ecpbp.lo test_vectors/rng.lo
 libstrongswan_test_vectors_la_OBJECTS =  \
 	$(am_libstrongswan_test_vectors_la_OBJECTS)
 AM_V_lt = $(am__v_lt_ at AM_V@)
@@ -482,6 +483,7 @@ libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors/sha1_hmac.c \
 	test_vectors/sha2.c \
 	test_vectors/sha2_hmac.c \
+	test_vectors/sha3.c \
 	test_vectors/fips_prf.c \
 	test_vectors/modp.c \
 	test_vectors/modpsub.c \
@@ -632,6 +634,8 @@ test_vectors/sha2.lo: test_vectors/$(am__dirstamp) \
 	test_vectors/$(DEPDIR)/$(am__dirstamp)
 test_vectors/sha2_hmac.lo: test_vectors/$(am__dirstamp) \
 	test_vectors/$(DEPDIR)/$(am__dirstamp)
+test_vectors/sha3.lo: test_vectors/$(am__dirstamp) \
+	test_vectors/$(DEPDIR)/$(am__dirstamp)
 test_vectors/fips_prf.lo: test_vectors/$(am__dirstamp) \
 	test_vectors/$(DEPDIR)/$(am__dirstamp)
 test_vectors/modp.lo: test_vectors/$(am__dirstamp) \
@@ -690,6 +694,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/sha1_hmac.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/sha2.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/sha2_hmac.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/sha3.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/twofish_cbc.Plo at am__quote@
 
 .c.o:
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h
index 57c218c..3ff211d 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors.h
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h
@@ -184,6 +184,30 @@ TEST_VECTOR_HASHER(sha384_3)
 TEST_VECTOR_HASHER(sha512_1)
 TEST_VECTOR_HASHER(sha512_2)
 TEST_VECTOR_HASHER(sha512_3)
+TEST_VECTOR_HASHER(sha3_224_0)
+TEST_VECTOR_HASHER(sha3_256_0)
+TEST_VECTOR_HASHER(sha3_384_0)
+TEST_VECTOR_HASHER(sha3_512_0)
+TEST_VECTOR_HASHER(sha3_224_1)
+TEST_VECTOR_HASHER(sha3_256_1)
+TEST_VECTOR_HASHER(sha3_384_1)
+TEST_VECTOR_HASHER(sha3_512_1)
+TEST_VECTOR_HASHER(sha3_224_2)
+TEST_VECTOR_HASHER(sha3_256_2)
+TEST_VECTOR_HASHER(sha3_384_2)
+TEST_VECTOR_HASHER(sha3_512_2)
+TEST_VECTOR_HASHER(sha3_224_143)
+TEST_VECTOR_HASHER(sha3_256_135)
+TEST_VECTOR_HASHER(sha3_384_103)
+TEST_VECTOR_HASHER(sha3_512_71)
+TEST_VECTOR_HASHER(sha3_224_144)
+TEST_VECTOR_HASHER(sha3_256_136)
+TEST_VECTOR_HASHER(sha3_384_104)
+TEST_VECTOR_HASHER(sha3_512_72)
+TEST_VECTOR_HASHER(sha3_224_255)
+TEST_VECTOR_HASHER(sha3_256_255)
+TEST_VECTOR_HASHER(sha3_384_255)
+TEST_VECTOR_HASHER(sha3_512_255)
 
 TEST_VECTOR_PRF(aes_xcbc_p1)
 TEST_VECTOR_PRF(aes_xcbc_p2)
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/sha3.c b/src/libstrongswan/plugins/test_vectors/test_vectors/sha3.c
new file mode 100644
index 0000000..e659f66
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/sha3.c
@@ -0,0 +1,328 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * SHA-3_224 vectors from "https://github.com/gvanas/KeccakCodePackage/"
+ */
+hasher_test_vector_t sha3_224_0 = {
+	.alg = HASH_SHA3_224, .len = 0,
+	.data	= "",
+	.hash	= "\x6B\x4E\x03\x42\x36\x67\xDB\xB7\x3B\x6E\x15\x45\x4F\x0E\xB1\xAB"
+			  "\xD4\x59\x7F\x9A\x1B\x07\x8E\x3F\x5B\x5A\x6B\xC7"
+
+};
+
+hasher_test_vector_t sha3_224_1 = {
+	.alg = HASH_SHA3_224, .len = 1,
+	.data	= "\xCC",
+	.hash	= "\xDF\x70\xAD\xC4\x9B\x2E\x76\xEE\xE3\xA6\x93\x1B\x93\xFA\x41\x84"
+			  "\x1C\x3A\xF2\xCD\xF5\xB3\x2A\x18\xB5\x47\x8C\x39"
+};
+
+hasher_test_vector_t sha3_224_2 = {
+	.alg = HASH_SHA3_224, .len = 2,
+	.data	= "\x41\xFB",
+	.hash	= "\xBF\xF2\x95\x86\x1D\xAE\xDF\x33\xE7\x05\x19\xB1\xE2\xBC\xB4\xC2"
+			  "\xE9\xFE\x33\x64\xD7\x89\xBC\x3B\x17\x30\x1C\x15"
+};
+
+hasher_test_vector_t sha3_224_143 = {
+	.alg = HASH_SHA3_224, .len = 143,
+	.data	= "\xEA\x40\xE8\x3C\xB1\x8B\x3A\x24\x2C\x1E\xCC\x6C\xCD\x0B\x78\x53"
+			  "\xA4\x39\xDA\xB2\xC5\x69\xCF\xC6\xDC\x38\xA1\x9F\x5C\x90\xAC\xBF"
+			  "\x76\xAE\xF9\xEA\x37\x42\xFF\x3B\x54\xEF\x7D\x36\xEB\x7C\xE4\xFF"
+			  "\x1C\x9A\xB3\xBC\x11\x9C\xFF\x6B\xE9\x3C\x03\xE2\x08\x78\x33\x35"
+			  "\xC0\xAB\x81\x37\xBE\x5B\x10\xCD\xC6\x6F\xF3\xF8\x9A\x1B\xDD\xC6"
+			  "\xA1\xEE\xD7\x4F\x50\x4C\xBE\x72\x90\x69\x0B\xB2\x95\xA8\x72\xB9"
+			  "\xE3\xFE\x2C\xEE\x9E\x6C\x67\xC4\x1D\xB8\xEF\xD7\xD8\x63\xCF\x10"
+			  "\xF8\x40\xFE\x61\x8E\x79\x36\xDA\x3D\xCA\x5C\xA6\xDF\x93\x3F\x24"
+			  "\xF6\x95\x4B\xA0\x80\x1A\x12\x94\xCD\x8D\x7E\x66\xDF\xAF\xEC",
+	.hash	= "\xAB\x0F\xD3\x08\x59\x05\x74\xD6\xF6\x13\x02\x32\xD9\xFA\xFA\x9F"
+			  "\xFC\xFE\xA7\x85\x79\xA6\xA8\xF6\x7C\x59\x04\x20"
+};
+
+hasher_test_vector_t sha3_224_144 = {
+	.alg = HASH_SHA3_224, .len = 144,
+	.data	= "\x15\x7D\x5B\x7E\x45\x07\xF6\x6D\x9A\x26\x74\x76\xD3\x38\x31\xE7"
+			  "\xBB\x76\x8D\x4D\x04\xCC\x34\x38\xDA\x12\xF9\x01\x02\x63\xEA\x5F"
+			  "\xCA\xFB\xDE\x25\x79\xDB\x2F\x6B\x58\xF9\x11\xD5\x93\xD5\xF7\x9F"
+			  "\xB0\x5F\xE3\x59\x6E\x3F\xA8\x0F\xF2\xF7\x61\xD1\xB0\xE5\x70\x80"
+			  "\x05\x5C\x11\x8C\x53\xE5\x3C\xDB\x63\x05\x52\x61\xD7\xC9\xB2\xB3"
+			  "\x9B\xD9\x0A\xCC\x32\x52\x0C\xBB\xDB\xDA\x2C\x4F\xD8\x85\x6D\xBC"
+			  "\xEE\x17\x31\x32\xA2\x67\x91\x98\xDA\xF8\x30\x07\xA9\xB5\xC5\x15"
+			  "\x11\xAE\x49\x76\x6C\x79\x2A\x29\x52\x03\x88\x44\x4E\xBE\xFE\x28"
+			  "\x25\x6F\xB3\x3D\x42\x60\x43\x9C\xBA\x73\xA9\x47\x9E\xE0\x0C\x63",
+	.hash	= "\xD5\x13\x42\x00\xDC\x98\xF4\xCA\x48\x0C\xD2\x4D\x24\x49\x77\x37"
+			  "\x25\x2B\x55\x97\x7A\xE5\xA8\x69\xBA\x27\x08\x9D"
+};
+
+hasher_test_vector_t sha3_224_255 = {
+	.alg = HASH_SHA3_224, .len = 255,
+	.data	= "\x3A\x3A\x81\x9C\x48\xEF\xDE\x2A\xD9\x14\xFB\xF0\x0E\x18\xAB\x6B"
+			  "\xC4\xF1\x45\x13\xAB\x27\xD0\xC1\x78\xA1\x88\xB6\x14\x31\xE7\xF5"
+			  "\x62\x3C\xB6\x6B\x23\x34\x67\x75\xD3\x86\xB5\x0E\x98\x2C\x49\x3A"
+			  "\xDB\xBF\xC5\x4B\x9A\x3C\xD3\x83\x38\x23\x36\xA1\xA0\xB2\x15\x0A"
+			  "\x15\x35\x8F\x33\x6D\x03\xAE\x18\xF6\x66\xC7\x57\x3D\x55\xC4\xFD"
+			  "\x18\x1C\x29\xE6\xCC\xFD\xE6\x3E\xA3\x5F\x0A\xDF\x58\x85\xCF\xC0"
+			  "\xA3\xD8\x4A\x2B\x2E\x4D\xD2\x44\x96\xDB\x78\x9E\x66\x31\x70\xCE"
+			  "\xF7\x47\x98\xAA\x1B\xBC\xD4\x57\x4E\xA0\xBB\xA4\x04\x89\xD7\x64"
+			  "\xB2\xF8\x3A\xAD\xC6\x6B\x14\x8B\x4A\x0C\xD9\x52\x46\xC1\x27\xD5"
+			  "\x87\x1C\x4F\x11\x41\x86\x90\xA5\xDD\xF0\x12\x46\xA0\xC8\x0A\x43"
+			  "\xC7\x00\x88\xB6\x18\x36\x39\xDC\xFD\xA4\x12\x5B\xD1\x13\xA8\xF4"
+			  "\x9E\xE2\x3E\xD3\x06\xFA\xAC\x57\x6C\x3F\xB0\xC1\xE2\x56\x67\x1D"
+			  "\x81\x7F\xC2\x53\x4A\x52\xF5\xB4\x39\xF7\x2E\x42\x4D\xE3\x76\xF4"
+			  "\xC5\x65\xCC\xA8\x23\x07\xDD\x9E\xF7\x6D\xA5\xB7\xC4\xEB\x7E\x08"
+			  "\x51\x72\xE3\x28\x80\x7C\x02\xD0\x11\xFF\xBF\x33\x78\x53\x78\xD7"
+			  "\x9D\xC2\x66\xF6\xA5\xBE\x6B\xB0\xE4\xA9\x2E\xCE\xEB\xAE\xB1",
+	.hash	= "\x94\x68\x9E\xA9\xF3\x47\xDD\xA8\xDD\x79\x8A\x85\x86\x05\x86\x87"
+			  "\x43\xC6\xBD\x03\xA6\xA6\x5C\x60\x85\xD5\x2B\xED"
+};
+
+/**
+ * SHA-3_256 vectors from "https://github.com/gvanas/KeccakCodePackage/"
+ */
+hasher_test_vector_t sha3_256_0 = {
+	.alg = HASH_SHA3_256, .len = 0,
+	.data	= "",
+	.hash	= "\xA7\xFF\xC6\xF8\xBF\x1E\xD7\x66\x51\xC1\x47\x56\xA0\x61\xD6\x62"
+			  "\xF5\x80\xFF\x4D\xE4\x3B\x49\xFA\x82\xD8\x0A\x4B\x80\xF8\x43\x4A"
+};
+
+hasher_test_vector_t sha3_256_1 = {
+	.alg = HASH_SHA3_256, .len = 1,
+	.data	= "\xCC",
+	.hash	= "\x67\x70\x35\x39\x1C\xD3\x70\x12\x93\xD3\x85\xF0\x37\xBA\x32\x79"
+			  "\x62\x52\xBB\x7C\xE1\x80\xB0\x0B\x58\x2D\xD9\xB2\x0A\xAA\xD7\xF0"
+};
+
+hasher_test_vector_t sha3_256_2 = {
+	.alg = HASH_SHA3_256, .len = 2,
+	.data	= "\x41\xFB",
+	.hash	= "\x39\xF3\x1B\x6E\x65\x3D\xFC\xD9\xCA\xED\x26\x02\xFD\x87\xF6\x1B"
+			  "\x62\x54\xF5\x81\x31\x2F\xB6\xEE\xEC\x4D\x71\x48\xFA\x2E\x72\xAA"
+};
+
+hasher_test_vector_t sha3_256_135 = {
+	.alg = HASH_SHA3_256, .len = 135,
+	.data	= "\xB7\x71\xD5\xCE\xF5\xD1\xA4\x1A\x93\xD1\x56\x43\xD7\x18\x1D\x2A"
+			  "\x2E\xF0\xA8\xE8\x4D\x91\x81\x2F\x20\xED\x21\xF1\x47\xBE\xF7\x32"
+			  "\xBF\x3A\x60\xEF\x40\x67\xC3\x73\x4B\x85\xBC\x8C\xD4\x71\x78\x0F"
+			  "\x10\xDC\x9E\x82\x91\xB5\x83\x39\xA6\x77\xB9\x60\x21\x8F\x71\xE7"
+			  "\x93\xF2\x79\x7A\xEA\x34\x94\x06\x51\x28\x29\x06\x5D\x37\xBB\x55"
+			  "\xEA\x79\x6F\xA4\xF5\x6F\xD8\x89\x6B\x49\xB2\xCD\x19\xB4\x32\x15"
+			  "\xAD\x96\x7C\x71\x2B\x24\xE5\x03\x2D\x06\x52\x32\xE0\x2C\x12\x74"
+			  "\x09\xD2\xED\x41\x46\xB9\xD7\x5D\x76\x3D\x52\xDB\x98\xD9\x49\xD3"
+			  "\xB0\xFE\xD6\xA8\x05\x2F\xBB",
+	.hash	= "\xA1\x9E\xEE\x92\xBB\x20\x97\xB6\x4E\x82\x3D\x59\x77\x98\xAA\x18"
+			  "\xBE\x9B\x7C\x73\x6B\x80\x59\xAB\xFD\x67\x79\xAC\x35\xAC\x81\xB5"
+};
+
+hasher_test_vector_t sha3_256_136 = {
+	.alg = HASH_SHA3_256, .len = 136,
+	.data	= "\xB3\x2D\x95\xB0\xB9\xAA\xD2\xA8\x81\x6D\xE6\xD0\x6D\x1F\x86\x00"
+			  "\x85\x05\xBD\x8C\x14\x12\x4F\x6E\x9A\x16\x3B\x5A\x2A\xDE\x55\xF8"
+			  "\x35\xD0\xEC\x38\x80\xEF\x50\x70\x0D\x3B\x25\xE4\x2C\xC0\xAF\x05"
+			  "\x0C\xCD\x1B\xE5\xE5\x55\xB2\x30\x87\xE0\x4D\x7B\xF9\x81\x36\x22"
+			  "\x78\x0C\x73\x13\xA1\x95\x4F\x87\x40\xB6\xEE\x2D\x3F\x71\xF7\x68"
+			  "\xDD\x41\x7F\x52\x04\x82\xBD\x3A\x08\xD4\xF2\x22\xB4\xEE\x9D\xBD"
+			  "\x01\x54\x47\xB3\x35\x07\xDD\x50\xF3\xAB\x42\x47\xC5\xDE\x9A\x8A"
+			  "\xBD\x62\xA8\xDE\xCE\xA0\x1E\x3B\x87\xC8\xB9\x27\xF5\xB0\x8B\xEB"
+			  "\x37\x67\x4C\x6F\x8E\x38\x0C\x04",
+	.hash	= "\xDF\x67\x3F\x41\x05\x37\x9F\xF6\xB7\x55\xEE\xAB\x20\xCE\xB0\xDC"
+			  "\x77\xB5\x28\x63\x64\xFE\x16\xC5\x9C\xC8\xA9\x07\xAF\xF0\x77\x32"
+};
+
+hasher_test_vector_t sha3_256_255 = {
+	.alg = HASH_SHA3_256, .len = 255,
+	.data	= "\x3A\x3A\x81\x9C\x48\xEF\xDE\x2A\xD9\x14\xFB\xF0\x0E\x18\xAB\x6B"
+			  "\xC4\xF1\x45\x13\xAB\x27\xD0\xC1\x78\xA1\x88\xB6\x14\x31\xE7\xF5"
+			  "\x62\x3C\xB6\x6B\x23\x34\x67\x75\xD3\x86\xB5\x0E\x98\x2C\x49\x3A"
+			  "\xDB\xBF\xC5\x4B\x9A\x3C\xD3\x83\x38\x23\x36\xA1\xA0\xB2\x15\x0A"
+			  "\x15\x35\x8F\x33\x6D\x03\xAE\x18\xF6\x66\xC7\x57\x3D\x55\xC4\xFD"
+			  "\x18\x1C\x29\xE6\xCC\xFD\xE6\x3E\xA3\x5F\x0A\xDF\x58\x85\xCF\xC0"
+			  "\xA3\xD8\x4A\x2B\x2E\x4D\xD2\x44\x96\xDB\x78\x9E\x66\x31\x70\xCE"
+			  "\xF7\x47\x98\xAA\x1B\xBC\xD4\x57\x4E\xA0\xBB\xA4\x04\x89\xD7\x64"
+			  "\xB2\xF8\x3A\xAD\xC6\x6B\x14\x8B\x4A\x0C\xD9\x52\x46\xC1\x27\xD5"
+			  "\x87\x1C\x4F\x11\x41\x86\x90\xA5\xDD\xF0\x12\x46\xA0\xC8\x0A\x43"
+			  "\xC7\x00\x88\xB6\x18\x36\x39\xDC\xFD\xA4\x12\x5B\xD1\x13\xA8\xF4"
+			  "\x9E\xE2\x3E\xD3\x06\xFA\xAC\x57\x6C\x3F\xB0\xC1\xE2\x56\x67\x1D"
+			  "\x81\x7F\xC2\x53\x4A\x52\xF5\xB4\x39\xF7\x2E\x42\x4D\xE3\x76\xF4"
+			  "\xC5\x65\xCC\xA8\x23\x07\xDD\x9E\xF7\x6D\xA5\xB7\xC4\xEB\x7E\x08"
+			  "\x51\x72\xE3\x28\x80\x7C\x02\xD0\x11\xFF\xBF\x33\x78\x53\x78\xD7"
+			  "\x9D\xC2\x66\xF6\xA5\xBE\x6B\xB0\xE4\xA9\x2E\xCE\xEB\xAE\xB1",
+	.hash	= "\xC1\x1F\x35\x22\xA8\xFB\x7B\x35\x32\xD8\x0B\x6D\x40\x02\x3A\x92"
+			  "\xB4\x89\xAD\xDA\xD9\x3B\xF5\xD6\x4B\x23\xF3\x5E\x96\x63\x52\x1C"
+};
+
+/**
+ * SHA-3_384 vectors from "https://github.com/gvanas/KeccakCodePackage/"
+ */
+hasher_test_vector_t sha3_384_0 = {
+	.alg = HASH_SHA3_384, .len = 0,
+	.data	= "",
+	.hash	= "\x0C\x63\xA7\x5B\x84\x5E\x4F\x7D\x01\x10\x7D\x85\x2E\x4C\x24\x85"
+			  "\xC5\x1A\x50\xAA\xAA\x94\xFC\x61\x99\x5E\x71\xBB\xEE\x98\x3A\x2A"
+			  "\xC3\x71\x38\x31\x26\x4A\xDB\x47\xFB\x6B\xD1\xE0\x58\xD5\xF0\x04"
+};
+
+hasher_test_vector_t sha3_384_1 = {
+	.alg = HASH_SHA3_384, .len = 1,
+	.data	= "\xCC",
+	.hash	= "\x5E\xE7\xF3\x74\x97\x3C\xD4\xBB\x3D\xC4\x1E\x30\x81\x34\x67\x98"
+			  "\x49\x7F\xF6\xE3\x6C\xB9\x35\x22\x81\xDF\xE0\x7D\x07\xFC\x53\x0C"
+			  "\xA9\xAD\x8E\xF7\xAA\xD5\x6E\xF5\xD4\x1B\xE8\x3D\x5E\x54\x38\x07"
+};
+
+hasher_test_vector_t sha3_384_2 = {
+	.alg = HASH_SHA3_384, .len = 2,
+	.data	= "\x41\xFB",
+	.hash	= "\x1D\xD8\x16\x09\xDC\xC2\x90\xEF\xFD\x7A\xC0\xA9\x5D\x4A\x20\x82"
+			  "\x15\x80\xE5\x6B\xD5\x0D\xBD\x84\x39\x20\x65\x0B\xE7\xA8\x0A\x17"
+			  "\x19\x57\x7D\xA3\x37\xCF\xDF\x86\xE5\x1C\x76\x4C\xAA\x2E\x10\xBD"
+};
+
+hasher_test_vector_t sha3_384_103 = {
+	.alg = HASH_SHA3_384, .len = 103,
+	.data	= "\xF1\x3C\x97\x2C\x52\xCB\x3C\xC4\xA4\xDF\x28\xC9\x7F\x2D\xF1\x1C"
+			  "\xE0\x89\xB8\x15\x46\x6B\xE8\x88\x63\x24\x3E\xB3\x18\xC2\xAD\xB1"
+			  "\xA4\x17\xCB\x10\x41\x30\x85\x98\x54\x17\x20\x19\x7B\x9B\x1C\xB5"
+			  "\xBA\x23\x18\xBD\x55\x74\xD1\xDF\x21\x74\xAF\x14\x88\x41\x49\xBA"
+			  "\x9B\x2F\x44\x6D\x60\x9D\xF2\x40\xCE\x33\x55\x99\x95\x7B\x8E\xC8"
+			  "\x08\x76\xD9\xA0\x85\xAE\x08\x49\x07\xBC\x59\x61\xB2\x0B\xF5\xF6"
+			  "\xCA\x58\xD5\xDA\xB3\x8A\xDB",
+	.hash	= "\x0A\x83\x4E\x11\x1B\x4E\x84\x0E\x78\x7C\x19\x74\x84\x65\xA4\x7D"
+			  "\x88\xB3\xF0\xF3\xDA\xAF\x15\xDB\x25\x53\x6B\xDC\x60\x78\xFA\x9C"
+			  "\x05\xE6\xC9\x53\x83\x02\x74\x22\x39\x68\x84\x7D\xA8\xBF\xD2\x0D"
+};
+
+hasher_test_vector_t sha3_384_104 = {
+	.alg = HASH_SHA3_384, .len = 104,
+	.data	= "\xE3\x57\x80\xEB\x97\x99\xAD\x4C\x77\x53\x5D\x4D\xDB\x68\x3C\xF3"
+			  "\x3E\xF3\x67\x71\x53\x27\xCF\x4C\x4A\x58\xED\x9C\xBD\xCD\xD4\x86"
+			  "\xF6\x69\xF8\x01\x89\xD5\x49\xA9\x36\x4F\xA8\x2A\x51\xA5\x26\x54"
+			  "\xEC\x72\x1B\xB3\xAA\xB9\x5D\xCE\xB4\xA8\x6A\x6A\xFA\x93\x82\x6D"
+			  "\xB9\x23\x51\x7E\x92\x8F\x33\xE3\xFB\xA8\x50\xD4\x56\x60\xEF\x83"
+			  "\xB9\x87\x6A\xCC\xAF\xA2\xA9\x98\x7A\x25\x4B\x13\x7C\x6E\x14\x0A"
+			  "\x21\x69\x1E\x10\x69\x41\x38\x48",
+	.hash	= "\xD1\xC0\xFA\x85\xC8\xD1\x83\xBE\xFF\x99\xAD\x9D\x75\x2B\x26\x3E"
+			  "\x28\x6B\x47\x7F\x79\xF0\x71\x0B\x01\x03\x17\x01\x73\x97\x81\x33"
+			  "\x44\xB9\x9D\xAF\x3B\xB7\xB1\xBC\x5E\x8D\x72\x2B\xAC\x85\x94\x3A"
+};
+
+hasher_test_vector_t sha3_384_255 = {
+	.alg = HASH_SHA3_384, .len = 255,
+	.data	= "\x3A\x3A\x81\x9C\x48\xEF\xDE\x2A\xD9\x14\xFB\xF0\x0E\x18\xAB\x6B"
+			  "\xC4\xF1\x45\x13\xAB\x27\xD0\xC1\x78\xA1\x88\xB6\x14\x31\xE7\xF5"
+			  "\x62\x3C\xB6\x6B\x23\x34\x67\x75\xD3\x86\xB5\x0E\x98\x2C\x49\x3A"
+			  "\xDB\xBF\xC5\x4B\x9A\x3C\xD3\x83\x38\x23\x36\xA1\xA0\xB2\x15\x0A"
+			  "\x15\x35\x8F\x33\x6D\x03\xAE\x18\xF6\x66\xC7\x57\x3D\x55\xC4\xFD"
+			  "\x18\x1C\x29\xE6\xCC\xFD\xE6\x3E\xA3\x5F\x0A\xDF\x58\x85\xCF\xC0"
+			  "\xA3\xD8\x4A\x2B\x2E\x4D\xD2\x44\x96\xDB\x78\x9E\x66\x31\x70\xCE"
+			  "\xF7\x47\x98\xAA\x1B\xBC\xD4\x57\x4E\xA0\xBB\xA4\x04\x89\xD7\x64"
+			  "\xB2\xF8\x3A\xAD\xC6\x6B\x14\x8B\x4A\x0C\xD9\x52\x46\xC1\x27\xD5"
+			  "\x87\x1C\x4F\x11\x41\x86\x90\xA5\xDD\xF0\x12\x46\xA0\xC8\x0A\x43"
+			  "\xC7\x00\x88\xB6\x18\x36\x39\xDC\xFD\xA4\x12\x5B\xD1\x13\xA8\xF4"
+			  "\x9E\xE2\x3E\xD3\x06\xFA\xAC\x57\x6C\x3F\xB0\xC1\xE2\x56\x67\x1D"
+			  "\x81\x7F\xC2\x53\x4A\x52\xF5\xB4\x39\xF7\x2E\x42\x4D\xE3\x76\xF4"
+			  "\xC5\x65\xCC\xA8\x23\x07\xDD\x9E\xF7\x6D\xA5\xB7\xC4\xEB\x7E\x08"
+			  "\x51\x72\xE3\x28\x80\x7C\x02\xD0\x11\xFF\xBF\x33\x78\x53\x78\xD7"
+			  "\x9D\xC2\x66\xF6\xA5\xBE\x6B\xB0\xE4\xA9\x2E\xCE\xEB\xAE\xB1",
+	.hash	= "\x12\x8D\xC6\x11\x76\x2B\xE9\xB1\x35\xB3\x73\x94\x84\xCF\xAA\xDC"
+			  "\xA7\x48\x1D\x68\x51\x4F\x3D\xFD\x6F\x5D\x78\xBB\x18\x63\xAE\x68"
+			  "\x13\x08\x35\xCD\xC7\x06\x1A\x7E\xD9\x64\xB3\x2F\x1D\xB7\x5E\xE1"
+};
+
+/**
+ * SHA-3_512 vectors from "https://github.com/gvanas/KeccakCodePackage/"
+ */
+hasher_test_vector_t sha3_512_0 = {
+	.alg = HASH_SHA3_512, .len = 0,
+	.data	= "",
+	.hash	= "\xA6\x9F\x73\xCC\xA2\x3A\x9A\xC5\xC8\xB5\x67\xDC\x18\x5A\x75\x6E"
+			  "\x97\xC9\x82\x16\x4F\xE2\x58\x59\xE0\xD1\xDC\xC1\x47\x5C\x80\xA6"
+			  "\x15\xB2\x12\x3A\xF1\xF5\xF9\x4C\x11\xE3\xE9\x40\x2C\x3A\xC5\x58"
+			  "\xF5\x00\x19\x9D\x95\xB6\xD3\xE3\x01\x75\x85\x86\x28\x1D\xCD\x26"
+};
+
+hasher_test_vector_t sha3_512_1 = {
+	.alg = HASH_SHA3_512, .len = 1,
+	.data	= "\xCC",
+	.hash	= "\x39\x39\xFC\xC8\xB5\x7B\x63\x61\x25\x42\xDA\x31\xA8\x34\xE5\xDC"
+			  "\xC3\x6E\x2E\xE0\xF6\x52\xAC\x72\xE0\x26\x24\xFA\x2E\x5A\xDE\xEC"
+			  "\xC7\xDD\x6B\xB3\x58\x02\x24\xB4\xD6\x13\x87\x06\xFC\x6E\x80\x59"
+			  "\x7B\x52\x80\x51\x23\x0B\x00\x62\x1C\xC2\xB2\x29\x99\xEA\xA2\x05"
+};
+
+hasher_test_vector_t sha3_512_2 = {
+	.alg = HASH_SHA3_512, .len = 2,
+	.data	= "\x41\xFB",
+	.hash	= "\xAA\x09\x28\x65\xA4\x06\x94\xD9\x17\x54\xDB\xC7\x67\xB5\x20\x2C"
+			  "\x54\x6E\x22\x68\x77\x14\x7A\x95\xCB\x8B\x4C\x8F\x87\x09\xFE\x8C"
+			  "\xD6\x90\x52\x56\xB0\x89\xDA\x37\x89\x6E\xA5\xCA\x19\xD2\xCD\x9A"
+			  "\xB9\x4C\x71\x92\xFC\x39\xF7\xCD\x4D\x59\x89\x75\xA3\x01\x3C\x69"
+};
+
+hasher_test_vector_t sha3_512_71 = {
+	.alg = HASH_SHA3_512, .len = 71,
+	.data	= "\x13\xBD\x28\x11\xF6\xED\x2B\x6F\x04\xFF\x38\x95\xAC\xEE\xD7\xBE"
+			  "\xF8\xDC\xD4\x5E\xB1\x21\x79\x1B\xC1\x94\xA0\xF8\x06\x20\x6B\xFF"
+			  "\xC3\xB9\x28\x1C\x2B\x30\x8B\x1A\x72\x9C\xE0\x08\x11\x9D\xD3\x06"
+			  "\x6E\x93\x78\xAC\xDC\xC5\x0A\x98\xA8\x2E\x20\x73\x88\x00\xB6\xCD"
+			  "\xDB\xE5\xFE\x96\x94\xAD\x6D",
+	.hash	= "\xDE\xF4\xAB\x6C\xDA\x88\x39\x72\x9A\x03\xE0\x00\x84\x66\x04\xB1"
+			  "\x7F\x03\xC5\xD5\xD7\xEC\x23\xC4\x83\x67\x0A\x13\xE1\x15\x73\xC1"
+			  "\xE9\x34\x7A\x63\xEC\x69\xA5\xAB\xB2\x13\x05\xF9\x38\x2E\xCD\xAA"
+			  "\xAB\xC6\x85\x0F\x92\x84\x0E\x86\xF8\x8F\x4D\xAB\xFC\xD9\x3C\xC0"
+};
+
+hasher_test_vector_t sha3_512_72 = {
+	.alg = HASH_SHA3_512, .len = 72,
+	.data	= "\x1E\xED\x9C\xBA\x17\x9A\x00\x9E\xC2\xEC\x55\x08\x77\x3D\xD3\x05"
+			  "\x47\x7C\xA1\x17\xE6\xD5\x69\xE6\x6B\x5F\x64\xC6\xBC\x64\x80\x1C"
+			  "\xE2\x5A\x84\x24\xCE\x4A\x26\xD5\x75\xB8\xA6\xFB\x10\xEA\xD3\xFD"
+			  "\x19\x92\xED\xDD\xEE\xC2\xEB\xE7\x15\x0D\xC9\x8F\x63\xAD\xC3\x23"
+			  "\x7E\xF5\x7B\x91\x39\x7A\xA8\xA7",
+	.hash	= "\xA3\xE1\x68\xB0\xD6\xC1\x43\xEE\x9E\x17\xEA\xE9\x29\x30\xB9\x7E"
+			  "\x66\x00\x35\x6B\x73\xAE\xBB\x5D\x68\x00\x5D\xD1\xD0\x74\x94\x45"
+			  "\x1A\x37\x05\x2F\x7B\x39\xFF\x03\x0C\x1A\xE1\xD7\xEF\xC4\xE0\xC3"
+			  "\x66\x7E\xB7\xA7\x6C\x62\x7E\xC1\x43\x54\xC4\xF6\xA7\x96\xE2\xC6"
+};
+
+hasher_test_vector_t sha3_512_255 = {
+	.alg = HASH_SHA3_512, .len = 255,
+	.data	= "\x3A\x3A\x81\x9C\x48\xEF\xDE\x2A\xD9\x14\xFB\xF0\x0E\x18\xAB\x6B"
+			  "\xC4\xF1\x45\x13\xAB\x27\xD0\xC1\x78\xA1\x88\xB6\x14\x31\xE7\xF5"
+			  "\x62\x3C\xB6\x6B\x23\x34\x67\x75\xD3\x86\xB5\x0E\x98\x2C\x49\x3A"
+			  "\xDB\xBF\xC5\x4B\x9A\x3C\xD3\x83\x38\x23\x36\xA1\xA0\xB2\x15\x0A"
+			  "\x15\x35\x8F\x33\x6D\x03\xAE\x18\xF6\x66\xC7\x57\x3D\x55\xC4\xFD"
+			  "\x18\x1C\x29\xE6\xCC\xFD\xE6\x3E\xA3\x5F\x0A\xDF\x58\x85\xCF\xC0"
+			  "\xA3\xD8\x4A\x2B\x2E\x4D\xD2\x44\x96\xDB\x78\x9E\x66\x31\x70\xCE"
+			  "\xF7\x47\x98\xAA\x1B\xBC\xD4\x57\x4E\xA0\xBB\xA4\x04\x89\xD7\x64"
+			  "\xB2\xF8\x3A\xAD\xC6\x6B\x14\x8B\x4A\x0C\xD9\x52\x46\xC1\x27\xD5"
+			  "\x87\x1C\x4F\x11\x41\x86\x90\xA5\xDD\xF0\x12\x46\xA0\xC8\x0A\x43"
+			  "\xC7\x00\x88\xB6\x18\x36\x39\xDC\xFD\xA4\x12\x5B\xD1\x13\xA8\xF4"
+			  "\x9E\xE2\x3E\xD3\x06\xFA\xAC\x57\x6C\x3F\xB0\xC1\xE2\x56\x67\x1D"
+			  "\x81\x7F\xC2\x53\x4A\x52\xF5\xB4\x39\xF7\x2E\x42\x4D\xE3\x76\xF4"
+			  "\xC5\x65\xCC\xA8\x23\x07\xDD\x9E\xF7\x6D\xA5\xB7\xC4\xEB\x7E\x08"
+			  "\x51\x72\xE3\x28\x80\x7C\x02\xD0\x11\xFF\xBF\x33\x78\x53\x78\xD7"
+			  "\x9D\xC2\x66\xF6\xA5\xBE\x6B\xB0\xE4\xA9\x2E\xCE\xEB\xAE\xB1",
+	.hash	= "\x6E\x8B\x8B\xD1\x95\xBD\xD5\x60\x68\x9A\xF2\x34\x8B\xDC\x74\xAB"
+			  "\x7C\xD0\x5E\xD8\xB9\xA5\x77\x11\xE9\xBE\x71\xE9\x72\x6F\xDA\x45"
+			  "\x91\xFE\xE1\x22\x05\xED\xAC\xAF\x82\xFF\xBB\xAF\x16\xDF\xF9\xE7"
+			  "\x02\xA7\x08\x86\x20\x80\x16\x6C\x2F\xF6\xBA\x37\x9B\xC7\xFF\xC2"
+};
+
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
index eb5b019..e32f8ee 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
@@ -266,8 +266,8 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
 			scheme = SIGN_ECDSA_WITH_SHA1_DER;
 			break;
 		case KEY_BLISS:
-			oid = OID_BLISS_WITH_SHA512;
-			scheme = SIGN_BLISS_WITH_SHA512;
+			oid = OID_BLISS_WITH_SHA2_512;
+			scheme = SIGN_BLISS_WITH_SHA2_512;
 			break;
 		default:
 			DBG1(DBG_LIB, "unable to sign OCSP request, %N signature not "
diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
index 6686324..a6298b3 100644
--- a/src/libstrongswan/selectors/traffic_selector.c
+++ b/src/libstrongswan/selectors/traffic_selector.c
@@ -219,9 +219,8 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
 	enumerator_t *enumerator;
 	char from_str[INET6_ADDRSTRLEN] = "";
 	char to_str[INET6_ADDRSTRLEN] = "";
-	char *serv_proto = NULL;
-	bool has_proto;
-	bool has_ports;
+	char *serv_proto = NULL, *sep = "";
+	bool has_proto, has_ports;
 	size_t written = 0;
 	u_int32_t from[4], to[4];
 
@@ -235,8 +234,8 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
 		enumerator = list->create_enumerator(list);
 		while (enumerator->enumerate(enumerator, (void**)&this))
 		{
-			/* call recursivly */
-			written += print_in_hook(data, "%R ", this);
+			written += print_in_hook(data, "%s%R", sep, this);
+			sep = " ";
 		}
 		enumerator->destroy(enumerator);
 		return written;
diff --git a/src/libstrongswan/settings/settings.c b/src/libstrongswan/settings/settings.c
index 305ebe6..56cc2f1 100644
--- a/src/libstrongswan/settings/settings.c
+++ b/src/libstrongswan/settings/settings.c
@@ -540,6 +540,31 @@ METHOD(settings_t, get_int, int,
 /**
  * Described in header
  */
+inline u_int64_t settings_value_as_uint64(char *value, u_int64_t def)
+{
+	u_int64_t intval;
+	char *end;
+	int base = 10;
+
+	if (value)
+	{
+		errno = 0;
+		if (value[0] == '0' && value[1] == 'x')
+		{	/* manually detect 0x prefix as we want to avoid octal encoding */
+			base = 16;
+		}
+		intval = strtoull(value, &end, base);
+		if (errno == 0 && *end == 0 && end != value)
+		{
+			return intval;
+		}
+	}
+	return def;
+}
+
+/**
+ * Described in header
+ */
 inline double settings_value_as_double(char *value, double def)
 {
 	double dval;
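Review bot: `settings_value_as_uint64` accepts a signed input, because `strtoull()` skips leading whitespace and takes an optional sign. A configured value of `-1` therefore comes back as 0xffffffffffffffff with `errno` still 0, instead of falling back to `def`. For a setting that bounds a range or a counter, that silently turns a typo into the largest possible value. Rejecting anything that does not start with a digit before the conversion closes this: `if (value[0] < '0' || value[0] > '9') { return def; }`. The prefix test also matches only a lower-case `0x`, so `0X10` is treated as invalid; that may be intended but is worth a comment.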
diff --git a/src/libstrongswan/settings/settings.h b/src/libstrongswan/settings/settings.h
index 4ef80d0..a133a36 100644
--- a/src/libstrongswan/settings/settings.h
+++ b/src/libstrongswan/settings/settings.h
@@ -51,6 +51,15 @@ bool settings_value_as_bool(char *value, bool def);
 int settings_value_as_int(char *value, int def);
 
 /**
+ * Convert a string value returned by a key/value enumerator to an u_int64_t.
+ *
+ * @see settings_t.create_key_value_enumerator()
+ * @param value			the string value
+ * @param def			the default value, if value is NULL or invalid
+ */
+u_int64_t settings_value_as_uint64(char *value, u_int64_t def);
+
+/**
  * Convert a string value returned by a key/value enumerator to a double.
  *
  * @see settings_t.create_key_value_enumerator()
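Review bot: The new doc comment for `settings_value_as_uint64` does not say which notations are accepted, although the implementation in settings.c treats a `0x` prefix as hexadecimal and deliberately parses a leading `0` as decimal rather than octal. I would add `Values prefixed with 0x are parsed as hexadecimal, all others as decimal (a leading 0 does not select octal).` to the description. A return line would also help: `@return the parsed value, or def if value is NULL or invalid`.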
diff --git a/src/libstrongswan/tests/suites/test_hasher.c b/src/libstrongswan/tests/suites/test_hasher.c
index 14cc321..067abf0 100644
--- a/src/libstrongswan/tests/suites/test_hasher.c
+++ b/src/libstrongswan/tests/suites/test_hasher.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Andreas Steffen
+ * Copyright (C) 2013-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -28,30 +28,38 @@ typedef struct {
 }hasher_oid_t;
 
 static hasher_oid_t oids[] = {
-	{ OID_MD2, HASH_MD2, KEY_ANY },
-	{ OID_MD5, HASH_MD5, KEY_ANY },
-	{ OID_SHA1, HASH_SHA1, KEY_ANY },
-	{ OID_SHA224, HASH_SHA224, KEY_ANY },
-	{ OID_SHA256, HASH_SHA256, KEY_ANY },
-	{ OID_SHA384, HASH_SHA384, KEY_ANY },
-	{ OID_SHA512, HASH_SHA512, KEY_ANY },
-	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ANY },
-	{ OID_MD2_WITH_RSA, HASH_MD2, KEY_RSA },
-	{ OID_MD5_WITH_RSA, HASH_MD5, KEY_RSA },
-	{ OID_SHA1_WITH_RSA, HASH_SHA1, KEY_RSA },
-	{ OID_SHA224_WITH_RSA, HASH_SHA224, KEY_RSA },
-	{ OID_SHA256_WITH_RSA, HASH_SHA256, KEY_RSA },
-	{ OID_SHA384_WITH_RSA, HASH_SHA384, KEY_RSA },
-	{ OID_SHA512_WITH_RSA, HASH_SHA512, KEY_RSA },
-	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_RSA },
-	{ OID_ECDSA_WITH_SHA1, HASH_SHA1, KEY_ECDSA },
-	{ OID_ECDSA_WITH_SHA256, HASH_SHA256, KEY_ECDSA },
-	{ OID_ECDSA_WITH_SHA384, HASH_SHA384, KEY_ECDSA },
-	{ OID_ECDSA_WITH_SHA512, HASH_SHA512, KEY_ECDSA },
-	{ OID_BLISS_WITH_SHA256, HASH_SHA256, KEY_BLISS },
-	{ OID_BLISS_WITH_SHA384, HASH_SHA384, KEY_BLISS },
-	{ OID_BLISS_WITH_SHA512, HASH_SHA512, KEY_BLISS },
-	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ECDSA }
+	{ OID_MD2, HASH_MD2, KEY_ANY },                         /*  0 */
+	{ OID_MD5, HASH_MD5, KEY_ANY },                         /*  1 */
+	{ OID_SHA1, HASH_SHA1, KEY_ANY },                       /*  2 */
+	{ OID_SHA224, HASH_SHA224, KEY_ANY },                   /*  3 */
+	{ OID_SHA256, HASH_SHA256, KEY_ANY },                   /*  4 */
+	{ OID_SHA384, HASH_SHA384, KEY_ANY },                   /*  5 */
+	{ OID_SHA512, HASH_SHA512, KEY_ANY },                   /*  6 */
+	{ OID_SHA3_224, HASH_SHA3_224, KEY_ANY },               /*  7 */
+	{ OID_SHA3_256, HASH_SHA3_256, KEY_ANY },               /*  8 */
+	{ OID_SHA3_384, HASH_SHA3_384, KEY_ANY },               /*  9 */
+	{ OID_SHA3_512, HASH_SHA3_512, KEY_ANY },               /* 10 */
+	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ANY },                 /* 11 */
+	{ OID_MD2_WITH_RSA, HASH_MD2, KEY_RSA },                /* 12 */
+	{ OID_MD5_WITH_RSA, HASH_MD5, KEY_RSA },                /* 13 */
+	{ OID_SHA1_WITH_RSA, HASH_SHA1, KEY_RSA },              /* 14 */
+	{ OID_SHA224_WITH_RSA, HASH_SHA224, KEY_RSA },          /* 15 */
+	{ OID_SHA256_WITH_RSA, HASH_SHA256, KEY_RSA },          /* 16 */
+	{ OID_SHA384_WITH_RSA, HASH_SHA384, KEY_RSA },          /* 17 */
+	{ OID_SHA512_WITH_RSA, HASH_SHA512, KEY_RSA },          /* 18 */
+	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_RSA },                 /* 19 */
+	{ OID_ECDSA_WITH_SHA1, HASH_SHA1, KEY_ECDSA },          /* 20 */
+	{ OID_ECDSA_WITH_SHA256, HASH_SHA256, KEY_ECDSA },      /* 21 */
+	{ OID_ECDSA_WITH_SHA384, HASH_SHA384, KEY_ECDSA },      /* 22 */
+	{ OID_ECDSA_WITH_SHA512, HASH_SHA512, KEY_ECDSA },      /* 23 */
+	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ECDSA },               /* 24 */
+	{ OID_BLISS_WITH_SHA2_256, HASH_SHA256, KEY_BLISS },    /* 25 */
+	{ OID_BLISS_WITH_SHA2_384, HASH_SHA384, KEY_BLISS },    /* 26 */
+	{ OID_BLISS_WITH_SHA2_512, HASH_SHA512, KEY_BLISS },    /* 27 */
+	{ OID_BLISS_WITH_SHA3_256, HASH_SHA3_256, KEY_BLISS },  /* 28 */
+	{ OID_BLISS_WITH_SHA3_384, HASH_SHA3_384, KEY_BLISS },  /* 29 */
+	{ OID_BLISS_WITH_SHA3_512, HASH_SHA3_512, KEY_BLISS },  /* 30 */
+	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_BLISS }                /* 31 */
 };
 
 START_TEST(test_hasher_from_oid)
@@ -74,6 +82,44 @@ START_TEST(test_hasher_sig_to_oid)
 END_TEST
 
 typedef struct {
+	signature_scheme_t scheme;
+	hash_algorithm_t alg;
+}hasher_sig_scheme_t;
+
+static hasher_sig_scheme_t sig_schemes[] = {
+	{ SIGN_UNKNOWN,               HASH_UNKNOWN  },
+	{ SIGN_RSA_EMSA_PKCS1_NULL,   HASH_UNKNOWN  },
+	{ SIGN_RSA_EMSA_PKCS1_MD5,    HASH_MD5      },
+	{ SIGN_RSA_EMSA_PKCS1_SHA1,   HASH_SHA1     },
+	{ SIGN_RSA_EMSA_PKCS1_SHA224, HASH_SHA224   },
+	{ SIGN_RSA_EMSA_PKCS1_SHA256, HASH_SHA256   },
+	{ SIGN_RSA_EMSA_PKCS1_SHA384, HASH_SHA384   },
+	{ SIGN_RSA_EMSA_PKCS1_SHA512, HASH_SHA512   },
+	{ SIGN_ECDSA_WITH_SHA1_DER,   HASH_SHA1     },
+	{ SIGN_ECDSA_WITH_SHA256_DER, HASH_SHA256   },
+	{ SIGN_ECDSA_WITH_SHA384_DER, HASH_SHA384   },
+	{ SIGN_ECDSA_WITH_SHA512_DER, HASH_SHA512   },
+	{ SIGN_ECDSA_WITH_NULL,       HASH_UNKNOWN  },
+	{ SIGN_ECDSA_256,             HASH_SHA256   },
+	{ SIGN_ECDSA_384,             HASH_SHA384   },
+	{ SIGN_ECDSA_521,             HASH_SHA512   },
+	{ SIGN_BLISS_WITH_SHA2_256,   HASH_SHA256   },
+	{ SIGN_BLISS_WITH_SHA2_384,   HASH_SHA384   },
+	{ SIGN_BLISS_WITH_SHA2_512,   HASH_SHA512   },
+	{ SIGN_BLISS_WITH_SHA3_256,   HASH_SHA3_256 },
+	{ SIGN_BLISS_WITH_SHA3_384,   HASH_SHA3_384 },
+	{ SIGN_BLISS_WITH_SHA3_512,   HASH_SHA3_512 },
+	{ 30,						  HASH_UNKNOWN  }
+};
+
+START_TEST(test_hasher_from_sig_scheme)
+{
+	ck_assert(hasher_from_signature_scheme(sig_schemes[_i].scheme) ==
+										   sig_schemes[_i].alg);
+}
+END_TEST
+
+typedef struct {
 	pseudo_random_function_t prf;
 	hash_algorithm_t alg;
 }hasher_prf_t;
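Review bot: The last `sig_schemes` entry uses the bare literal `30` as an out-of-range `signature_scheme_t`, and the `ikev2` table added in the next hunk does the same for `hash_algorithm_t`. If either enum ever grows to that value, the entry silently starts testing a real algorithm and the "unknown" case loses its coverage. A comment on both lines such as `/* deliberately outside the enum range */` would make the intent explicit; a value far from the valid range would be more robust still.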
@@ -157,6 +203,35 @@ START_TEST(test_hasher_to_integrity)
 }
 END_TEST
 
+
+typedef struct {
+	hash_algorithm_t alg;
+	bool ikev2;
+}hasher_ikev2_t;
+
+static hasher_ikev2_t ikev2[] = {
+	{ HASH_SHA1,     TRUE  },
+	{ HASH_SHA256,   TRUE  },
+	{ HASH_SHA384,   TRUE  },
+	{ HASH_SHA512,   TRUE  },
+	{ HASH_UNKNOWN,  FALSE },
+	{ HASH_MD2,      FALSE },
+	{ HASH_MD4,      FALSE },
+	{ HASH_MD5,      FALSE },
+	{ HASH_SHA224,   FALSE },
+	{ HASH_SHA3_224, FALSE },
+	{ HASH_SHA3_256, FALSE },
+	{ HASH_SHA3_384, FALSE },
+	{ HASH_SHA3_512, FALSE },
+	{ 30,            FALSE }
+};
+
+START_TEST(test_hasher_for_ikev2)
+{
+	ck_assert(hasher_algorithm_for_ikev2(ikev2[_i].alg) == ikev2[_i].ikev2);
+}
+END_TEST
+
 Suite *hasher_suite_create()
 {
 	Suite *s;
@@ -169,11 +244,15 @@ Suite *hasher_suite_create()
 	suite_add_tcase(s, tc);
 
 	tc = tcase_create("to_oid");
-	tcase_add_loop_test(tc, test_hasher_to_oid, 0, 8);
+	tcase_add_loop_test(tc, test_hasher_to_oid, 0, 12);
 	suite_add_tcase(s, tc);
 
 	tc = tcase_create("sig_to_oid");
-	tcase_add_loop_test(tc, test_hasher_sig_to_oid, 7, countof(oids));
+	tcase_add_loop_test(tc, test_hasher_sig_to_oid, 11, countof(oids));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("from_sig_scheme");
+	tcase_add_loop_test(tc, test_hasher_from_sig_scheme, 0, countof(sig_schemes));
 	suite_add_tcase(s, tc);
 
 	tc = tcase_create("from_prf");
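Review bot: The loop bounds `0, 12` for `test_hasher_to_oid` and the start index `11` for `test_hasher_sig_to_oid` are positions in `oids[]` written as bare numbers. This commit had to change both by hand after inserting the SHA-3 rows. The index comments added to the table help, but nothing at the call site says what the numbers mean. I would add a comment next to each call, for example `/* oids[0..11]: KEY_ANY entries */` and `/* from the KEY_ANY OID_UNKNOWN entry to the end */`, or derive the bounds from named constants. `hasher_suite_create` begins before this hunk and continues after it.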
@@ -188,5 +267,9 @@ Suite *hasher_suite_create()
 	tcase_add_loop_test(tc, test_hasher_to_integrity, 0, 17);
 	suite_add_tcase(s, tc);
 
+	tc = tcase_create("for_ikev2");
+	tcase_add_loop_test(tc, test_hasher_for_ikev2, 0, countof(ikev2));
+	suite_add_tcase(s, tc);
+
 	return s;
 }
diff --git a/src/libstrongswan/tests/suites/test_identification.c b/src/libstrongswan/tests/suites/test_identification.c
index ff14ba8..9554d29 100644
--- a/src/libstrongswan/tests/suites/test_identification.c
+++ b/src/libstrongswan/tests/suites/test_identification.c
@@ -550,6 +550,7 @@ START_TEST(test_matches)
 	a = identification_create_from_string("C=CH, E=moon at strongswan.org, CN=moon");
 
 	ck_assert(id_matches(a, "C=CH, E=moon at strongswan.org, CN=moon", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "C=CH, E=*@strongswan.org, CN=moon", ID_MATCH_NONE));
 	ck_assert(id_matches(a, "C=CH, E=*, CN=moon", ID_MATCH_ONE_WILDCARD));
 	ck_assert(id_matches(a, "C=CH, E=*, CN=*", ID_MATCH_ONE_WILDCARD - 1));
 	ck_assert(id_matches(a, "C=*, E=*, CN=*", ID_MATCH_ONE_WILDCARD - 2));
diff --git a/src/libstrongswan/tests/suites/test_settings.c b/src/libstrongswan/tests/suites/test_settings.c
index bead9d7..5ddd0bb 100644
--- a/src/libstrongswan/tests/suites/test_settings.c
+++ b/src/libstrongswan/tests/suites/test_settings.c
@@ -317,6 +317,26 @@ START_TEST(test_set_int)
 }
 END_TEST
 
+START_TEST(test_value_as_unit64)
+{
+	test_int_eq(1, settings_value_as_uint64(NULL, 1));
+	test_int_eq(1, settings_value_as_uint64("", 1));
+	test_int_eq(1, settings_value_as_uint64("2a", 1));
+	test_int_eq(1, settings_value_as_uint64("a2", 1));
+	test_int_eq(1, settings_value_as_uint64("2.0", 1));
+
+	test_int_eq(10, settings_value_as_uint64("10", 0));
+	test_int_eq(10, settings_value_as_uint64("010", 0));
+	test_int_eq(16, settings_value_as_uint64("0x010", 0));
+	test_int_eq(0x2a, settings_value_as_uint64("0x2a", 0));
+
+	test_int_eq(0xffffffffffffffffLL, settings_value_as_uint64("0xffffffffffffffff", 0));
+	test_int_eq(0xffffffff00000000LL, settings_value_as_uint64("0xffffffff00000000", 0));
+	test_int_eq(0xffffffff00000000LL, settings_value_as_uint64("18446744069414584320", 0));
+	test_int_eq(0xffffffff00000001LL, settings_value_as_uint64("18446744069414584321", 0));
+}
+END_TEST
+
 START_SETUP(setup_double_config)
 {
 	create_settings(chunk_from_str(
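Review bot: `test_value_as_unit64` covers malformed and in-range strings but no value that overflows 64 bits and no signed input, so the `errno` check in `settings_value_as_uint64` is never exercised. Adding `test_int_eq(1, settings_value_as_uint64("18446744073709551616", 1));` would pin the overflow path. A case for `"-1"` would record what is intended for a leading minus sign. The test name also transposes two letters (`unit64` for `uint64`), here and where it is registered in `settings_suite_create`.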
@@ -1158,6 +1178,10 @@ Suite *settings_suite_create()
 	tcase_add_test(tc, test_set_int);
 	suite_add_tcase(s, tc);
 
+	tc = tcase_create("settings_value_as_uint64");
+	tcase_add_test(tc, test_value_as_unit64);
+	suite_add_tcase(s, tc);
+
 	tc = tcase_create("get/set_double");
 	tcase_add_checked_fixture(tc, setup_double_config, teardown_config);
 	tcase_add_test(tc, test_get_double);
diff --git a/src/libstrongswan/tests/suites/test_traffic_selector.c b/src/libstrongswan/tests/suites/test_traffic_selector.c
index bec32d2..5c0fb75 100644
--- a/src/libstrongswan/tests/suites/test_traffic_selector.c
+++ b/src/libstrongswan/tests/suites/test_traffic_selector.c
@@ -770,17 +770,17 @@ START_TEST(test_printf_hook_hash)
 	list = linked_list_create_with_items(
 				traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535),
 				NULL);
-	verify_list("10.1.0.0/16 ", NULL, list);
+	verify_list("10.1.0.0/16", NULL, list);
 	list = linked_list_create_with_items(
 				traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535),
 				traffic_selector_create_from_cidr("10.1.0.1/32", IPPROTO_UDP, 1234, 1235),
 				NULL);
-	verify_list("10.1.0.0/16 10.1.0.1/32[udp/1234-1235] ", "10.1.0.0/16 10.1.0.1/32[17/1234-1235] ", list);
+	verify_list("10.1.0.0/16 10.1.0.1/32[udp/1234-1235]", "10.1.0.0/16 10.1.0.1/32[17/1234-1235]", list);
 	list = linked_list_create_with_items(
 				traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535),
 				traffic_selector_create_from_string(IPPROTO_UDP, TS_IPV4_ADDR_RANGE, "10.1.0.1", 1234, "10.1.0.99", 1235),
 				NULL);
-	verify_list("10.1.0.0/16 10.1.0.1..10.1.0.99[udp/1234-1235] ", "10.1.0.0/16 10.1.0.1..10.1.0.99[17/1234-1235] ", list);
+	verify_list("10.1.0.0/16 10.1.0.1..10.1.0.99[udp/1234-1235]", "10.1.0.0/16 10.1.0.1..10.1.0.99[17/1234-1235]", list);
 }
 END_TEST
 
diff --git a/src/libstrongswan/tests/suites/test_utils.c b/src/libstrongswan/tests/suites/test_utils.c
index b38f2cb..104b0b2 100644
--- a/src/libstrongswan/tests/suites/test_utils.c
+++ b/src/libstrongswan/tests/suites/test_utils.c
@@ -789,9 +789,9 @@ static struct {
 	{KEY_ECDSA,  256, { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_WITH_SHA384_DER, SIGN_ECDSA_WITH_SHA512_DER, SIGN_UNKNOWN }},
 	{KEY_ECDSA,  384, { SIGN_ECDSA_WITH_SHA384_DER, SIGN_ECDSA_WITH_SHA512_DER, SIGN_UNKNOWN }},
 	{KEY_ECDSA,  512, { SIGN_ECDSA_WITH_SHA512_DER, SIGN_UNKNOWN }},
-	{KEY_BLISS,  128, { SIGN_BLISS_WITH_SHA256, SIGN_BLISS_WITH_SHA384, SIGN_BLISS_WITH_SHA512, SIGN_UNKNOWN }},
-	{KEY_BLISS,  192, { SIGN_BLISS_WITH_SHA384, SIGN_BLISS_WITH_SHA512, SIGN_UNKNOWN }},
-	{KEY_BLISS,  256, { SIGN_BLISS_WITH_SHA512, SIGN_UNKNOWN }},
+	{KEY_BLISS,  128, { SIGN_BLISS_WITH_SHA2_256, SIGN_BLISS_WITH_SHA2_384, SIGN_BLISS_WITH_SHA2_512, SIGN_UNKNOWN }},
+	{KEY_BLISS,  192, { SIGN_BLISS_WITH_SHA2_384, SIGN_BLISS_WITH_SHA2_512, SIGN_UNKNOWN }},
+	{KEY_BLISS,  256, { SIGN_BLISS_WITH_SHA2_512, SIGN_UNKNOWN }},
 };
 
 START_TEST(test_signature_schemes_for_key)
diff --git a/src/libstrongswan/AndroidConfigLocal.h b/src/libstrongswan/utils/compat/android.h
similarity index 84%
rename from src/libstrongswan/AndroidConfigLocal.h
rename to src/libstrongswan/utils/compat/android.h
index ae0e606..b3ea9c4 100644
--- a/src/libstrongswan/AndroidConfigLocal.h
+++ b/src/libstrongswan/utils/compat/android.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2010-2015 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -13,10 +13,19 @@
  * for more details.
  */
 
+/**
+ * @defgroup android android
+ * @{ @ingroup compat
+ */
+
+#ifndef ANDROID_H_
+#define ANDROID_H_
+
 /* stuff defined in AndroidConfig.h, which is included using the -include
  * command-line option, thus cannot be undefined using -U CFLAGS options.
  * the reason we have to undefine these flags in the first place, is that
  * AndroidConfig.h defines them as 0, which in turn means that they are
  * actually defined. */
-
 #undef HAVE_BACKTRACE
+
+#endif /** ANDROID_H_ @}*/
diff --git a/src/libstrongswan/utils/compat/windows.h b/src/libstrongswan/utils/compat/windows.h
index fd4f1f1..f7e6207 100644
--- a/src/libstrongswan/utils/compat/windows.h
+++ b/src/libstrongswan/utils/compat/windows.h
@@ -221,6 +221,11 @@ static inline int setenv(const char *name, const char *value, int overwrite)
 #define RTLD_LAZY 1
 
 /**
+ * Immediate binding, ignored on Windows
+ */
+#define RTLD_NOW 2
+
+/**
  * Default handle targeting .exe
  */
 #define RTLD_DEFAULT (NULL)
diff --git a/src/libstrongswan/utils/utils.c b/src/libstrongswan/utils/utils.c
index b4a4db8..47d72ee 100644
--- a/src/libstrongswan/utils/utils.c
+++ b/src/libstrongswan/utils/utils.c
@@ -20,6 +20,7 @@
 #include <unistd.h>
 #include <limits.h>
 #include <ctype.h>
+#include <errno.h>
 #ifndef WIN32
 # include <signal.h>
 #endif
@@ -117,17 +118,35 @@ void wait_sigint()
 void wait_sigint()
 {
 	sigset_t set;
-	int sig;
 
 	sigemptyset(&set);
 	sigaddset(&set, SIGINT);
 	sigaddset(&set, SIGTERM);
 
 	sigprocmask(SIG_BLOCK, &set, NULL);
-	sigwait(&set, &sig);
+	sigwaitinfo(&set, NULL);
 }
 
-#endif
+#ifndef HAVE_SIGWAITINFO
+int sigwaitinfo(const sigset_t *set, void *info)
+{
+	int sig, err;
+
+	if (info)
+	{	/* we don't replicate siginfo_t, fail if anybody tries to use it */
+		errno = EINVAL;
+		return -1;
+	}
+	err = sigwait(set, &sig);
+	if (err != 0)
+	{
+		errno = err;
+		sig = -1;
+	}
+	return sig;
+}
+#endif /* HAVE_SIGWAITINFO */
+#endif /* WIN32 */
 
 #ifndef HAVE_CLOSEFROM
 /**
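Review bot: `wait_sigint` now discards the result of `sigwaitinfo(&set, NULL)`, and that call can return -1 with `errno` set to `EINTR` when an unblocked signal with a handler is delivered. In that case the function returns although neither SIGINT nor SIGTERM arrived, and a caller that treats the return as "shut down now" would stop early. Whether such a handler is installed anywhere is not visible in this hunk. Retrying is cheap: `while (sigwaitinfo(&set, NULL) == -1 && errno == EINTR);`. The fallback for platforms without `sigwaitinfo` reports errors the same way, so the loop works for both.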
diff --git a/src/libstrongswan/utils/utils.h b/src/libstrongswan/utils/utils.h
index acc15c4..18b17b1 100644
--- a/src/libstrongswan/utils/utils.h
+++ b/src/libstrongswan/utils/utils.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2014 Tobias Brunner
+ * Copyright (C) 2008-2015 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -38,6 +38,7 @@
 # include <netinet/in.h>
 # include <sched.h>
 # include <poll.h>
+# include <signal.h>
 #endif
 
 #include "utils/types.h"
@@ -56,6 +57,9 @@
 #ifdef __APPLE__
 # include "compat/apple.h"
 #endif
+#ifdef __ANDROID__
+# include "compat/android.h"
+#endif
 
 /**
  * Initialize utility functions
@@ -148,6 +152,19 @@ void utils_deinit();
  */
 #define ignore_result(call) { if(call){}; }
 
+#if !defined(HAVE_SIGWAITINFO) && !defined(WIN32)
+/**
+ * Block and wait for a set of signals
+ *
+ * We don't replicate the functionality of siginfo_t.  If info is not NULL
+ * -1 is returend and errno is set to EINVAL.
+ *
+ * @param set		set of signals to wait for
+ * @param info		must be NULL
+ */
+int sigwaitinfo(const sigset_t *set, void *info);
+#endif
+
 /**
  * Portable function to wait for SIGINT/SIGTERM (or equivalent).
  */
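Review bot: The doc comment on the `sigwaitinfo` replacement has no return line and misspells "returned" as `returend`. From the implementation in utils.c, the function returns the signal number on success and -1 with `errno` set otherwise. I would add `@return received signal number, -1 on error (errno is set)` and fix the spelling.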
diff --git a/src/libtnccs/plugins/tnc_imc/tnc_imc.c b/src/libtnccs/plugins/tnc_imc/tnc_imc.c
index 623da7f..822df3f 100644
--- a/src/libtnccs/plugins/tnc_imc/tnc_imc.c
+++ b/src/libtnccs/plugins/tnc_imc/tnc_imc.c
@@ -349,10 +349,16 @@ static private_tnc_imc_t* tnc_imc_create_empty(char *name)
 imc_t* tnc_imc_create(char *name, char *path)
 {
 	private_tnc_imc_t *this;
+	int flag = RTLD_LAZY;
 
 	this = tnc_imc_create_empty(name);
 
-	this->handle = dlopen(path, RTLD_LAZY);
+	if (lib->settings->get_bool(lib->settings, "%s.dlopen_use_rtld_now",
+								lib->ns, FALSE))
+	{
+		flag = RTLD_NOW;
+	}
+	this->handle = dlopen(path, flag);
 	if (!this->handle)
 	{
 		DBG1(DBG_TNC, "IMC \"%s\" failed to load: %s", name, dlerror());
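Review bot: The new `dlopen_use_rtld_now` lookup carries no comment saying what it changes for the loaded module, and the identical block is repeated in `tnc_imv_create` in the next file. A line above the `if` would help the next reader: `/* RTLD_NOW resolves all symbols in dlopen(), so a module with unresolved symbols is rejected at load time instead of failing on first call */`. Since both copies read the same key, a small shared helper returning the flag would keep them from drifting apart. `tnc_imc_create` continues past the end of this hunk.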
diff --git a/src/libtnccs/plugins/tnc_imv/tnc_imv.c b/src/libtnccs/plugins/tnc_imv/tnc_imv.c
index 039f1fc..9a03041 100644
--- a/src/libtnccs/plugins/tnc_imv/tnc_imv.c
+++ b/src/libtnccs/plugins/tnc_imv/tnc_imv.c
@@ -345,10 +345,16 @@ static private_tnc_imv_t* tnc_imv_create_empty(char *name)
 imv_t* tnc_imv_create(char *name, char *path)
 {
 	private_tnc_imv_t *this;
+	int flag = RTLD_LAZY;
 
 	this = tnc_imv_create_empty(name);
 
-	this->handle = dlopen(path, RTLD_LAZY);
+	if (lib->settings->get_bool(lib->settings, "%s.dlopen_use_rtld_now",
+								lib->ns, FALSE))
+	{
+		flag = RTLD_NOW;
+	}
+	this->handle = dlopen(path, flag);
 	if (!this->handle)
 	{
 		DBG1(DBG_TNC, "IMV \"%s\" failed to load: %s", name, dlerror());
diff --git a/src/medsrv/Makefile.am b/src/medsrv/Makefile.am
index 94ab0cf..bee7ae1 100644
--- a/src/medsrv/Makefile.am
+++ b/src/medsrv/Makefile.am
@@ -35,11 +35,11 @@ templates/peer/list.cs
 medsrv_templates_staticdir = ${medsrv_templatesdir}/static
 medsrv_templates_static_DATA = templates/header.cs templates/footer.cs \
 templates/static/style.css templates/static/strongswan.png \
-templates/static/favicon.ico templates/static/mootools.js templates/static/script.js
+templates/static/favicon.ico
 
 EXTRA_DIST = templates/header.cs templates/footer.cs \
 templates/static/style.css templates/static/strongswan.png \
-templates/static/favicon.ico templates/static/mootools.js templates/static/script.js \
+templates/static/favicon.ico \
 templates/peer/add.cs templates/peer/edit.cs templates/peer/list.cs \
 templates/user/login.cs templates/user/add.cs templates/user/edit.cs \
 templates/user/help.cs
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 7265457..42830e1 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -466,11 +466,11 @@ templates/peer/list.cs
 medsrv_templates_staticdir = ${medsrv_templatesdir}/static
 medsrv_templates_static_DATA = templates/header.cs templates/footer.cs \
 templates/static/style.css templates/static/strongswan.png \
-templates/static/favicon.ico templates/static/mootools.js templates/static/script.js
+templates/static/favicon.ico
 
 EXTRA_DIST = templates/header.cs templates/footer.cs \
 templates/static/style.css templates/static/strongswan.png \
-templates/static/favicon.ico templates/static/mootools.js templates/static/script.js \
+templates/static/favicon.ico \
 templates/peer/add.cs templates/peer/edit.cs templates/peer/list.cs \
 templates/user/login.cs templates/user/add.cs templates/user/edit.cs \
 templates/user/help.cs
diff --git a/src/medsrv/templates/peer/add.cs b/src/medsrv/templates/peer/add.cs
index 28a994f..27fdf06 100644
--- a/src/medsrv/templates/peer/add.cs
+++ b/src/medsrv/templates/peer/add.cs
@@ -6,7 +6,7 @@
   <table class="peer">
     <tr>
       <td><label for="alias">Alias</label></td>
-      <td><input type="text" id="alias" name="alias" class="focus" maxlength="30" value="<?cs var:alias ?>";"/></td>
+      <td><input type="text" id="alias" name="alias" autofocus maxlength="30" value="<?cs var:alias ?>";"/></td>
     </tr>
     <tr>
       <td valign="top"><label for="public_key">Public Key</label></td>
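Review bot: The changed `<input>` line still ends its value attribute with `value="<?cs var:alias ?>";"/>`, which leaves a stray `;"` inside the tag. The matching line in peer/edit.cs does not have it, so this looks like a leftover and should read `value="<?cs var:alias ?>"/>`. Separately, `alias` is user-supplied and is written into an attribute here. Whether it is HTML-escaped depends on the escape mode configured outside this hunk, which is worth confirming while the line is being touched.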
diff --git a/src/medsrv/templates/peer/edit.cs b/src/medsrv/templates/peer/edit.cs
index 76fb9da..942762b 100644
--- a/src/medsrv/templates/peer/edit.cs
+++ b/src/medsrv/templates/peer/edit.cs
@@ -6,7 +6,7 @@
   <table class="peer">
     <tr>
       <td><label for="alias">Alias</label></td>
-      <td><input type="text" id="alias" name="alias" maxlength="30" class="focus" value="<?cs var:alias ?>"/></td>
+      <td><input type="text" id="alias" name="alias" maxlength="30" autofocus value="<?cs var:alias ?>"/></td>
     </tr>
     <tr>
       <td valign="top"><label for="public_key">Public Key</label></td>
diff --git a/src/medsrv/templates/static/mootools.js b/src/medsrv/templates/static/mootools.js
deleted file mode 100644
index d953a1c..0000000
--- a/src/medsrv/templates/static/mootools.js
+++ /dev/null
@@ -1,341 +0,0 @@
-//MooTools, <http://mootools.net>, My Object Oriented (JavaScript) Tools. Copyright (c) 2006-2008 Valerio Proietti, <http://mad4milk.net>, MIT Style License.
-
-var MooTools={version:"1.2dev",build:""};var Native=function(J){J=J||{};var F=J.afterImplement||function(){};var G=J.generics;G=(G!==false);var H=J.legacy;
-var E=J.initialize;var B=J.protect;var A=J.name;var C=E||H;C.constructor=Native;C.$family={name:"native"};if(H&&E){C.prototype=H.prototype;}C.prototype.constructor=C;
-if(A){var D=A.toLowerCase();C.prototype.$family={name:D};Native.typize(C,D);}var I=function(M,K,N,L){if(!B||L||!M.prototype[K]){M.prototype[K]=N;}if(G){Native.genericize(M,K,B);
-}F.call(M,K,N);return M;};C.implement=function(L,K,N){if(typeof L=="string"){return I(this,L,K,N);}for(var M in L){I(this,M,L[M],K);}return this;};C.alias=function(M,K,N){if(typeof M=="string"){M=this.prototype[M];
-if(M){I(this,K,M,N);}}else{for(var L in M){this.alias(L,M[L],K);}}return this;};return C;};Native.implement=function(D,C){for(var B=0,A=D.length;B<A;B++){D[B].implement(C);
-}};Native.genericize=function(B,C,A){if((!A||!B[C])&&typeof B.prototype[C]=="function"){B[C]=function(){var D=Array.prototype.slice.call(arguments);return B.prototype[C].apply(D.shift(),D);
-};}};Native.typize=function(A,B){if(!A.type){A.type=function(C){return($type(C)===B);};}};Native.alias=function(E,B,A,F){for(var D=0,C=E.length;D<C;D++){E[D].alias(B,A,F);
-}};(function(B){for(var A in B){Native.typize(B[A],A);}})({"boolean":Boolean,"native":Native,object:Object});(function(B){for(var A in B){new Native({name:A,initialize:B[A],protect:true});
-}})({String:String,Function:Function,Number:Number,Array:Array,RegExp:RegExp,Date:Date});(function(B,A){for(var C=A.length;C--;C){Native.genericize(B,A[C],true);
-}return arguments.callee;})(Array,["pop","push","reverse","shift","sort","splice","unshift","concat","join","slice","toString","valueOf","indexOf","lastIndexOf"])(String,["charAt","charCodeAt","concat","indexOf","lastIndexOf","match","replace","search","slice","split","substr","substring","toLowerCase","toUpperCase","valueOf"]);
-function $chk(A){return !!(A||A===0);}function $clear(A){clearTimeout(A);clearInterval(A);return null;}function $defined(A){return(A!=undefined);}function $empty(){}function $arguments(A){return function(){return arguments[A];
-};}function $lambda(A){return(typeof A=="function")?A:function(){return A;};}function $extend(C,A){for(var B in (A||{})){C[B]=A[B];}return C;}function $unlink(C){var B;
-switch($type(C)){case"object":B={};for(var E in C){B[E]=$unlink(C[E]);}break;case"hash":B=$unlink(C.getClean());break;case"array":B=[];for(var D=0,A=C.length;
-D<A;D++){B[D]=$unlink(C[D]);}break;default:return C;}return B;}function $merge(){var E={};for(var D=0,A=arguments.length;D<A;D++){var B=arguments[D];if($type(B)!="object"){continue;
-}for(var C in B){var G=B[C],F=E[C];E[C]=(F&&$type(G)=="object"&&$type(F)=="object")?$merge(F,G):$unlink(G);}}return E;}function $pick(){for(var B=0,A=arguments.length;
-B<A;B++){if(arguments[B]!=undefined){return arguments[B];}}return null;}function $random(B,A){return Math.floor(Math.random()*(A-B+1)+B);}function $splat(B){var A=$type(B);
-return(A)?((A!="array"&&A!="arguments")?[B]:B):[];}var $time=Date.now||function(){return new Date().getTime();};function $try(){for(var B=0,A=arguments.length;
-B<A;B++){try{return arguments[B]();}catch(C){}}return null;}function $type(A){if(A==undefined){return false;}if(A.$family){return(A.$family.name=="number"&&!isFinite(A))?false:A.$family.name;
-}if(A.nodeName){switch(A.nodeType){case 1:return"element";case 3:return(/\S/).test(A.nodeValue)?"textnode":"whitespace";}}else{if(typeof A.length=="number"){if(A.callee){return"arguments";
-}else{if(A.item){return"collection";}}}}return typeof A;}var Hash=new Native({name:"Hash",initialize:function(A){if($type(A)=="hash"){A=$unlink(A.getClean());
-}for(var B in A){this[B]=A[B];}return this;}});Hash.implement({getLength:function(){var B=0;for(var A in this){if(this.hasOwnProperty(A)){B++;}}return B;
-},forEach:function(B,C){for(var A in this){if(this.hasOwnProperty(A)){B.call(C,this[A],A,this);}}},getClean:function(){var B={};for(var A in this){if(this.hasOwnProperty(A)){B[A]=this[A];
-}}return B;}});Hash.alias("forEach","each");function $H(A){return new Hash(A);}Array.implement({forEach:function(C,D){for(var B=0,A=this.length;B<A;B++){C.call(D,this[B],B,this);
-}}});Array.alias("forEach","each");function $A(C){if(C.item){var D=[];for(var B=0,A=C.length;B<A;B++){D[B]=C[B];}return D;}return Array.prototype.slice.call(C);
-}function $each(C,B,D){var A=$type(C);((A=="arguments"||A=="collection"||A=="array")?Array:Hash).each(C,B,D);}var Browser=new Hash({Engine:{name:"unknown",version:""},Platform:{name:(navigator.platform.match(/mac|win|linux/i)||["other"])[0].toLowerCase()},Features:{xpath:!!(document.evaluate),air:!!(window.runtime)},Plugins:{}});
-if(window.opera){Browser.Engine={name:"presto",version:(document.getElementsByClassName)?950:925};}else{if(window.ActiveXObject){Browser.Engine={name:"trident",version:(window.XMLHttpRequest)?5:4};
-}else{if(!navigator.taintEnabled){Browser.Engine={name:"webkit",version:(Browser.Features.xpath)?420:419};}else{if(document.getBoxObjectFor!=null){Browser.Engine={name:"gecko",version:(document.getElementsByClassName)?19:18};
-}}}}Browser.Engine[Browser.Engine.name]=Browser.Engine[Browser.Engine.name+Browser.Engine.version]=true;if(window.orientation!=undefined){Browser.Platform.name="ipod";
-}Browser.Platform[Browser.Platform.name]=true;Browser.Request=function(){return $try(function(){return new XMLHttpRequest();},function(){return new ActiveXObject("MSXML2.XMLHTTP");
-});};Browser.Features.xhr=!!(Browser.Request());Browser.Plugins.Flash=(function(){var A=($try(function(){return navigator.plugins["Shockwave Flash"].description;
-},function(){return new ActiveXObject("ShockwaveFlash.ShockwaveFlash").GetVariable("$version");})||"0 r0").match(/\d+/g);return{version:parseInt(A[0]||0+"."+A[1]||0),build:parseInt(A[2]||0)};
-})();function $exec(B){if(!B){return B;}if(window.execScript){window.execScript(B);}else{var A=document.createElement("script");A.setAttribute("type","text/javascript");
-A.text=B;document.head.appendChild(A);document.head.removeChild(A);}return B;}Native.UID=1;var $uid=(Browser.Engine.trident)?function(A){return(A.uid||(A.uid=[Native.UID++]))[0];
-}:function(A){return A.uid||(A.uid=Native.UID++);};var Window=new Native({name:"Window",legacy:(Browser.Engine.trident)?null:window.Window,initialize:function(A){$uid(A);
-if(!A.Element){A.Element=$empty;if(Browser.Engine.webkit){A.document.createElement("iframe");}A.Element.prototype=(Browser.Engine.webkit)?window["[[DOMElement.prototype]]"]:{};
-}return $extend(A,Window.Prototype);},afterImplement:function(B,A){window[B]=Window.Prototype[B]=A;}});Window.Prototype={$family:{name:"window"}};new Window(window);
-var Document=new Native({name:"Document",legacy:(Browser.Engine.trident)?null:window.Document,initialize:function(A){$uid(A);A.head=A.getElementsByTagName("head")[0];
-A.html=A.getElementsByTagName("html")[0];A.window=A.defaultView||A.parentWindow;if(Browser.Engine.trident4){$try(function(){A.execCommand("BackgroundImageCache",false,true);
-});}return $extend(A,Document.Prototype);},afterImplement:function(B,A){document[B]=Document.Prototype[B]=A;}});Document.Prototype={$family:{name:"document"}};
-new Document(document);Array.implement({every:function(C,D){for(var B=0,A=this.length;B<A;B++){if(!C.call(D,this[B],B,this)){return false;}}return true;
-},filter:function(D,E){var C=[];for(var B=0,A=this.length;B<A;B++){if(D.call(E,this[B],B,this)){C.push(this[B]);}}return C;},clean:function(){return this.filter($defined);
-},indexOf:function(C,D){var A=this.length;for(var B=(D<0)?Math.max(0,A+D):D||0;B<A;B++){if(this[B]===C){return B;}}return -1;},map:function(D,E){var C=[];
-for(var B=0,A=this.length;B<A;B++){C[B]=D.call(E,this[B],B,this);}return C;},some:function(C,D){for(var B=0,A=this.length;B<A;B++){if(C.call(D,this[B],B,this)){return true;
-}}return false;},associate:function(C){var D={},B=Math.min(this.length,C.length);for(var A=0;A<B;A++){D[C[A]]=this[A];}return D;},link:function(C){var A={};
-for(var E=0,B=this.length;E<B;E++){for(var D in C){if(C[D](this[E])){A[D]=this[E];delete C[D];break;}}}return A;},contains:function(A,B){return this.indexOf(A,B)!=-1;
-},extend:function(C){for(var B=0,A=C.length;B<A;B++){this.push(C[B]);}return this;},getLast:function(){return(this.length)?this[this.length-1]:null;},getRandom:function(){return(this.length)?this[$random(0,this.length-1)]:null;
-},include:function(A){if(!this.contains(A)){this.push(A);}return this;},combine:function(C){for(var B=0,A=C.length;B<A;B++){this.include(C[B]);}return this;
-},erase:function(B){for(var A=this.length;A--;A){if(this[A]===B){this.splice(A,1);}}return this;},empty:function(){this.length=0;return this;},flatten:function(){var D=[];
-for(var B=0,A=this.length;B<A;B++){var C=$type(this[B]);if(!C){continue;}D=D.concat((C=="array"||C=="collection"||C=="arguments")?Array.flatten(this[B]):this[B]);
-}return D;},hexToRgb:function(B){if(this.length!=3){return null;}var A=this.map(function(C){if(C.length==1){C+=C;}return C.toInt(16);});return(B)?A:"rgb("+A+")";
-},rgbToHex:function(D){if(this.length<3){return null;}if(this.length==4&&this[3]==0&&!D){return"transparent";}var B=[];for(var A=0;A<3;A++){var C=(this[A]-0).toString(16);
-B.push((C.length==1)?"0"+C:C);}return(D)?B:"#"+B.join("");}});Function.implement({extend:function(A){for(var B in A){this[B]=A[B];}return this;},create:function(B){var A=this;
-B=B||{};return function(D){var C=B.arguments;C=(C!=undefined)?$splat(C):Array.slice(arguments,(B.event)?1:0);if(B.event){C=[D||window.event].extend(C);
-}var E=function(){return A.apply(B.bind||null,C);};if(B.delay){return setTimeout(E,B.delay);}if(B.periodical){return setInterval(E,B.periodical);}if(B.attempt){return $try(E);
-}return E();};},pass:function(A,B){return this.create({arguments:A,bind:B});},attempt:function(A,B){return this.create({arguments:A,bind:B,attempt:true})();
-},bind:function(B,A){return this.create({bind:B,arguments:A});},bindWithEvent:function(B,A){return this.create({bind:B,event:true,arguments:A});},delay:function(B,C,A){return this.create({delay:B,bind:C,arguments:A})();
-},periodical:function(A,C,B){return this.create({periodical:A,bind:C,arguments:B})();},run:function(A,B){return this.apply(B,$splat(A));}});Number.implement({limit:function(B,A){return Math.min(A,Math.max(B,this));
-},round:function(A){A=Math.pow(10,A||0);return Math.round(this*A)/A;},times:function(B,C){for(var A=0;A<this;A++){B.call(C,A,this);}},toFloat:function(){return parseFloat(this);
-},toInt:function(A){return parseInt(this,A||10);}});Number.alias("times","each");(function(B){var A={};B.each(function(C){if(!Number[C]){A[C]=function(){return Math[C].apply(null,[this].concat($A(arguments)));
-};}});Number.implement(A);})(["abs","acos","asin","atan","atan2","ceil","cos","exp","floor","log","max","min","pow","sin","sqrt","tan"]);String.implement({test:function(A,B){return((typeof A=="string")?new RegExp(A,B):A).test(this);
-},contains:function(A,B){return(B)?(B+this+B).indexOf(B+A+B)>-1:this.indexOf(A)>-1;},trim:function(){return this.replace(/^\s+|\s+$/g,"");},clean:function(){return this.replace(/\s+/g," ").trim();
-},camelCase:function(){return this.replace(/-\D/g,function(A){return A.charAt(1).toUpperCase();});},hyphenate:function(){return this.replace(/[A-Z]/g,function(A){return("-"+A.charAt(0).toLowerCase());
-});},capitalize:function(){return this.replace(/\b[a-z]/g,function(A){return A.toUpperCase();});},escapeRegExp:function(){return this.replace(/([-.*+?^${}()|[\]\/\\])/g,"\\$1");
-},toInt:function(A){return parseInt(this,A||10);},toFloat:function(){return parseFloat(this);},hexToRgb:function(B){var A=this.match(/^#?(\w{1,2})(\w{1,2})(\w{1,2})$/);
-return(A)?A.slice(1).hexToRgb(B):null;},rgbToHex:function(B){var A=this.match(/\d{1,3}/g);return(A)?A.rgbToHex(B):null;},stripScripts:function(B){var A="";
-var C=this.replace(/<script[^>]*>([\s\S]*?)<\/script>/gi,function(){A+=arguments[1]+"\n";return"";});if(B===true){$exec(A);}else{if($type(B)=="function"){B(A,C);
-}}return C;},substitute:function(A,B){return this.replace(B||(/\\?\{([^}]+)\}/g),function(D,C){if(D.charAt(0)=="\\"){return D.slice(1);}return(A[C]!=undefined)?A[C]:"";
-});}});Hash.implement({has:Object.prototype.hasOwnProperty,keyOf:function(B){for(var A in this){if(this.hasOwnProperty(A)&&this[A]===B){return A;}}return null;
-},hasValue:function(A){return(Hash.keyOf(this,A)!==null);},extend:function(A){Hash.each(A,function(C,B){Hash.set(this,B,C);},this);return this;},combine:function(A){Hash.each(A,function(C,B){Hash.include(this,B,C);
-},this);return this;},erase:function(A){if(this.hasOwnProperty(A)){delete this[A];}return this;},get:function(A){return(this.hasOwnProperty(A))?this[A]:null;
-},set:function(A,B){if(!this[A]||this.hasOwnProperty(A)){this[A]=B;}return this;},empty:function(){Hash.each(this,function(B,A){delete this[A];},this);
-return this;},include:function(B,C){var A=this[B];if(A==undefined){this[B]=C;}return this;},map:function(B,C){var A=new Hash;Hash.each(this,function(E,D){A.set(D,B.call(C,E,D,this));
-},this);return A;},filter:function(B,C){var A=new Hash;Hash.each(this,function(E,D){if(B.call(C,E,D,this)){A.set(D,E);}},this);return A;},every:function(B,C){for(var A in this){if(this.hasOwnProperty(A)&&!B.call(C,this[A],A)){return false;
-}}return true;},some:function(B,C){for(var A in this){if(this.hasOwnProperty(A)&&B.call(C,this[A],A)){return true;}}return false;},getKeys:function(){var A=[];
-Hash.each(this,function(C,B){A.push(B);});return A;},getValues:function(){var A=[];Hash.each(this,function(B){A.push(B);});return A;},toQueryString:function(A){var B=[];
-Hash.each(this,function(F,E){if(A){E=A+"["+E+"]";}var D;switch($type(F)){case"object":D=Hash.toQueryString(F,E);break;case"array":var C={};F.each(function(H,G){C[G]=H;
-});D=Hash.toQueryString(C,E);break;default:D=E+"="+encodeURIComponent(F);}if(F!=undefined){B.push(D);}});return B.join("&");}});Hash.alias({keyOf:"indexOf",hasValue:"contains"});
-var Event=new Native({name:"Event",initialize:function(A,F){F=F||window;var K=F.document;A=A||F.event;if(A.$extended){return A;}this.$extended=true;var J=A.type;
-var G=A.target||A.srcElement;while(G&&G.nodeType==3){G=G.parentNode;}if(J.test(/key/)){var B=A.which||A.keyCode;var M=Event.Keys.keyOf(B);if(J=="keydown"){var D=B-111;
-if(D>0&&D<13){M="f"+D;}}M=M||String.fromCharCode(B).toLowerCase();}else{if(J.match(/(click|mouse|menu)/i)){K=(!K.compatMode||K.compatMode=="CSS1Compat")?K.html:K.body;
-var I={x:A.pageX||A.clientX+K.scrollLeft,y:A.pageY||A.clientY+K.scrollTop};var C={x:(A.pageX)?A.pageX-F.pageXOffset:A.clientX,y:(A.pageY)?A.pageY-F.pageYOffset:A.clientY};
-if(J.match(/DOMMouseScroll|mousewheel/)){var H=(A.wheelDelta)?A.wheelDelta/120:-(A.detail||0)/3;}var E=(A.which==3)||(A.button==2);var L=null;if(J.match(/over|out/)){switch(J){case"mouseover":L=A.relatedTarget||A.fromElement;
-break;case"mouseout":L=A.relatedTarget||A.toElement;}if(!(function(){while(L&&L.nodeType==3){L=L.parentNode;}return true;}).create({attempt:Browser.Engine.gecko})()){L=false;
-}}}}return $extend(this,{event:A,type:J,page:I,client:C,rightClick:E,wheel:H,relatedTarget:L,target:G,code:B,key:M,shift:A.shiftKey,control:A.ctrlKey,alt:A.altKey,meta:A.metaKey});
-}});Event.Keys=new Hash({enter:13,up:38,down:40,left:37,right:39,esc:27,space:32,backspace:8,tab:9,"delete":46});Event.implement({stop:function(){return this.stopPropagation().preventDefault();
-},stopPropagation:function(){if(this.event.stopPropagation){this.event.stopPropagation();}else{this.event.cancelBubble=true;}return this;},preventDefault:function(){if(this.event.preventDefault){this.event.preventDefault();
-}else{this.event.returnValue=false;}return this;}});var Class=new Native({name:"Class",initialize:function(B){B=B||{};var A=function(E){for(var D in this){this[D]=$unlink(this[D]);
-}for(var F in Class.Mutators){if(!this[F]){continue;}Class.Mutators[F](this,this[F]);delete this[F];}this.constructor=A;if(E===$empty){return this;}var C=(this.initialize)?this.initialize.apply(this,arguments):this;
-if(this.options&&this.options.initialize){this.options.initialize.call(this);}return C;};$extend(A,this);A.constructor=Class;A.prototype=B;return A;}});
-Class.implement({implement:function(){Class.Mutators.Implements(this.prototype,Array.slice(arguments));return this;}});Class.Mutators={Implements:function(A,B){$splat(B).each(function(C){$extend(A,($type(C)=="class")?new C($empty):C);
-});},Extends:function(self,klass){var instance=new klass($empty);delete instance.parent;delete instance.parentOf;for(var key in instance){var current=self[key],previous=instance[key];
-if(current==undefined){self[key]=previous;continue;}var ctype=$type(current),ptype=$type(previous);if(ctype!=ptype){continue;}switch(ctype){case"function":if(!arguments.callee.caller){self[key]=eval("("+String(current).replace(/\bthis\.parent\(\s*(\))?/g,function(full,close){return"arguments.callee._parent_.call(this"+(close||", ");
-})+")");}self[key]._parent_=previous;break;case"object":self[key]=$merge(previous,current);}}self.parent=function(){return arguments.callee.caller._parent_.apply(this,arguments);
-};self.parentOf=function(descendant){return descendant._parent_.apply(this,Array.slice(arguments,1));};}};var Chain=new Class({chain:function(){this.$chain=(this.$chain||[]).extend(arguments);
-return this;},callChain:function(){return(this.$chain&&this.$chain.length)?this.$chain.shift().apply(this,arguments):false;},clearChain:function(){if(this.$chain){this.$chain.empty();
-}return this;}});var Events=new Class({addEvent:function(C,B,A){C=Events.removeOn(C);if(B!=$empty){this.$events=this.$events||{};this.$events[C]=this.$events[C]||[];
-this.$events[C].include(B);if(A){B.internal=true;}}return this;},addEvents:function(A){for(var B in A){this.addEvent(B,A[B]);}return this;},fireEvent:function(C,B,A){C=Events.removeOn(C);
-if(!this.$events||!this.$events[C]){return this;}this.$events[C].each(function(D){D.create({bind:this,delay:A,"arguments":B})();},this);return this;},removeEvent:function(B,A){B=Events.removeOn(B);
-if(!this.$events||!this.$events[B]){return this;}if(!A.internal){this.$events[B].erase(A);}return this;},removeEvents:function(C){for(var D in this.$events){if(C&&C!=D){continue;
-}var B=this.$events[D];for(var A=B.length;A--;A){this.removeEvent(D,B[A]);}}return this;}});Events.removeOn=function(A){return A.replace(/^on([A-Z])/,function(B,C){return C.toLowerCase();
-});};var Options=new Class({setOptions:function(){this.options=$merge.run([this.options].extend(arguments));if(!this.addEvent){return this;}for(var A in this.options){if($type(this.options[A])!="function"||!(/^on[A-Z]/).test(A)){continue;
-}this.addEvent(A,this.options[A]);delete this.options[A];}return this;}});Document.implement({newElement:function(A,B){if(Browser.Engine.trident&&B){["name","type","checked"].each(function(C){if(!B[C]){return ;
-}A+=" "+C+'="'+B[C]+'"';if(C!="checked"){delete B[C];}});A="<"+A+">";}return $.element(this.createElement(A)).set(B);},newTextNode:function(A){return this.createTextNode(A);
-},getDocument:function(){return this;},getWindow:function(){return this.defaultView||this.parentWindow;},purge:function(){var C=this.getElementsByTagName("*");
-for(var B=0,A=C.length;B<A;B++){Browser.freeMem(C[B]);}}});var Element=new Native({name:"Element",legacy:window.Element,initialize:function(A,B){var C=Element.Constructors.get(A);
-if(C){return C(B);}if(typeof A=="string"){return document.newElement(A,B);}return $(A).set(B);},afterImplement:function(A,B){if(!Array[A]){Elements.implement(A,Elements.multi(A));
-}Element.Prototype[A]=B;}});Element.Prototype={$family:{name:"element"}};Element.Constructors=new Hash;var IFrame=new Native({name:"IFrame",generics:false,initialize:function(){var E=Array.link(arguments,{properties:Object.type,iframe:$defined});
-var C=E.properties||{};var B=$(E.iframe)||false;var D=C.onload||$empty;delete C.onload;C.id=C.name=$pick(C.id,C.name,B.id,B.name,"IFrame_"+$time());B=new Element(B||"iframe",C);
-var A=function(){var F=$try(function(){return B.contentWindow.location.host;});if(F&&F==window.location.host){var H=new Window(B.contentWindow);var G=new Document(B.contentWindow.document);
-$extend(H.Element.prototype,Element.Prototype);}D.call(B.contentWindow,B.contentWindow.document);};(!window.frames[C.id])?B.addListener("load",A):A();return B;
-}});var Elements=new Native({initialize:function(F,B){B=$extend({ddup:true,cash:true},B);F=F||[];if(B.ddup||B.cash){var G={},E=[];for(var C=0,A=F.length;
-C<A;C++){var D=$.element(F[C],!B.cash);if(B.ddup){if(G[D.uid]){continue;}G[D.uid]=true;}E.push(D);}F=E;}return(B.cash)?$extend(F,this):F;}});Elements.implement({filter:function(A,B){if(!A){return this;
-}return new Elements(Array.filter(this,(typeof A=="string")?function(C){return C.match(A);}:A,B));}});Elements.multi=function(A){return function(){var B=[];
-var F=true;for(var D=0,C=this.length;D<C;D++){var E=this[D][A].apply(this[D],arguments);B.push(E);if(F){F=($type(E)=="element");}}return(F)?new Elements(B):B;
-};};Window.implement({$:function(B,C){if(B&&B.$family&&B.uid){return B;}var A=$type(B);return($[A])?$[A](B,C,this.document):null;},$$:function(A){if(arguments.length==1&&typeof A=="string"){return this.document.getElements(A);
-}var F=[];var C=Array.flatten(arguments);for(var D=0,B=C.length;D<B;D++){var E=C[D];switch($type(E)){case"element":E=[E];break;case"string":E=this.document.getElements(E,true);
-break;default:E=false;}if(E){F.extend(E);}}return new Elements(F);},getDocument:function(){return this.document;},getWindow:function(){return this;}});
-$.string=function(C,B,A){C=A.getElementById(C);return(C)?$.element(C,B):null;};$.element=function(A,D){$uid(A);if(!D&&!A.$family&&!(/^object|embed$/i).test(A.tagName)){var B=Element.Prototype;
-for(var C in B){A[C]=B[C];}}return A;};$.object=function(B,C,A){if(B.toElement){return $.element(B.toElement(A),C);}return null;};$.textnode=$.whitespace=$.window=$.document=$arguments(0);
-Native.implement([Element,Document],{getElement:function(A,B){return $(this.getElements(A,true)[0]||null,B);},getElements:function(A,D){A=A.split(",");
-var C=[];var B=(A.length>1);A.each(function(E){var F=this.getElementsByTagName(E.trim());(B)?C.extend(F):C=F;},this);return new Elements(C,{ddup:B,cash:!D});
-}});Element.Storage={get:function(A){return(this[A]||(this[A]={}));}};Element.Inserters=new Hash({before:function(B,A){if(A.parentNode){A.parentNode.insertBefore(B,A);
-}},after:function(B,A){if(!A.parentNode){return ;}var C=A.nextSibling;(C)?A.parentNode.insertBefore(B,C):A.parentNode.appendChild(B);},bottom:function(B,A){A.appendChild(B);
-},top:function(B,A){var C=A.firstChild;(C)?A.insertBefore(B,C):A.appendChild(B);}});Element.Inserters.inside=Element.Inserters.bottom;Element.Inserters.each(function(C,B){var A=B.capitalize();
-Element.implement("inject"+A,function(D){C(this,$(D,true));return this;});Element.implement("grab"+A,function(D){C($(D,true),this);return this;});});Element.implement({getDocument:function(){return this.ownerDocument;
-},getWindow:function(){return this.ownerDocument.getWindow();},getElementById:function(D,C){var B=this.ownerDocument.getElementById(D);if(!B){return null;
-}for(var A=B.parentNode;A!=this;A=A.parentNode){if(!A){return null;}}return $.element(B,C);},set:function(D,B){switch($type(D)){case"object":for(var C in D){this.set(C,D[C]);
-}break;case"string":var A=Element.Properties.get(D);(A&&A.set)?A.set.apply(this,Array.slice(arguments,1)):this.setProperty(D,B);}return this;},get:function(B){var A=Element.Properties.get(B);
-return(A&&A.get)?A.get.apply(this,Array.slice(arguments,1)):this.getProperty(B);},erase:function(B){var A=Element.Properties.get(B);(A&&A.erase)?A.erase.apply(this,Array.slice(arguments,1)):this.removeProperty(B);
-return this;},match:function(A){return(!A||Element.get(this,"tag")==A);},inject:function(B,A){Element.Inserters.get(A||"bottom")(this,$(B,true));return this;
-},wraps:function(B,A){B=$(B,true);return this.replaces(B).grab(B,A);},grab:function(B,A){Element.Inserters.get(A||"bottom")($(B,true),this);return this;
-},appendText:function(B,A){return this.grab(this.getDocument().newTextNode(B),A);},adopt:function(){Array.flatten(arguments).each(function(A){A=$(A,true);
-if(A){this.appendChild(A);}},this);return this;},dispose:function(){return(this.parentNode)?this.parentNode.removeChild(this):this;},clone:function(D,C){switch($type(this)){case"element":var H={};
-for(var G=0,E=this.attributes.length;G<E;G++){var B=this.attributes[G],L=B.nodeName.toLowerCase();if(Browser.Engine.trident&&(/input/i).test(this.tagName)&&(/width|height/).test(L)){continue;
-}var K=(L=="style"&&this.style)?this.style.cssText:B.nodeValue;if(!$chk(K)||L=="uid"||(L=="id"&&!C)){continue;}if(K!="inherit"&&["string","number"].contains($type(K))){H[L]=K;
-}}var J=new Element(this.nodeName.toLowerCase(),H);if(D!==false){for(var I=0,F=this.childNodes.length;I<F;I++){var A=Element.clone(this.childNodes[I],true,C);
-if(A){J.grab(A);}}}return J;case"textnode":return document.newTextNode(this.nodeValue);}return null;},replaces:function(A){A=$(A,true);A.parentNode.replaceChild(this,A);
-return this;},hasClass:function(A){return this.className.contains(A," ");},addClass:function(A){if(!this.hasClass(A)){this.className=(this.className+" "+A).clean();
-}return this;},removeClass:function(A){this.className=this.className.replace(new RegExp("(^|\\s)"+A+"(?:\\s|$)"),"$1").clean();return this;},toggleClass:function(A){return this.hasClass(A)?this.removeClass(A):this.addClass(A);
-},getComputedStyle:function(B){if(this.currentStyle){return this.currentStyle[B.camelCase()];}var A=this.getWindow().getComputedStyle(this,null);return(A)?A.getPropertyValue([B.hyphenate()]):null;
-},empty:function(){$A(this.childNodes).each(function(A){Browser.freeMem(A);Element.empty(A);Element.dispose(A);},this);return this;},destroy:function(){Browser.freeMem(this.empty().dispose());
-return null;},getSelected:function(){return new Elements($A(this.options).filter(function(A){return A.selected;}));},toQueryString:function(){var A=[];
-this.getElements("input, select, textarea").each(function(B){if(!B.name||B.disabled){return ;}var C=(B.tagName.toLowerCase()=="select")?Element.getSelected(B).map(function(D){return D.value;
-}):((B.type=="radio"||B.type=="checkbox")&&!B.checked)?null:B.value;$splat(C).each(function(D){if(D){A.push(B.name+"="+encodeURIComponent(D));}});});return A.join("&");
-},getProperty:function(C){var B=Element.Attributes,A=B.Props[C];var D=(A)?this[A]:this.getAttribute(C,2);return(B.Bools[C])?!!D:(A)?D:D||null;},getProperties:function(){var A=$A(arguments);
-return A.map(function(B){return this.getProperty(B);},this).associate(A);},setProperty:function(D,E){var C=Element.Attributes,B=C.Props[D],A=$defined(E);
-if(B&&C.Bools[D]){E=(E||!A)?true:false;}else{if(!A){return this.removeProperty(D);}}(B)?this[B]=E:this.setAttribute(D,E);return this;},setProperties:function(A){for(var B in A){this.setProperty(B,A[B]);
-}return this;},removeProperty:function(D){var C=Element.Attributes,B=C.Props[D],A=(B&&C.Bools[D]);(B)?this[B]=(A)?false:"":this.removeAttribute(D);return this;
-},removeProperties:function(){Array.each(arguments,this.removeProperty,this);return this;}});(function(){var A=function(D,B,I,C,F,H){var E=D[I||B];var G=[];
-while(E){if(E.nodeType==1&&(!C||Element.match(E,C))){G.push(E);if(!F){break;}}E=E[B];}return(F)?new Elements(G,{ddup:false,cash:!H}):$(G[0],H);};Element.implement({getPrevious:function(B,C){return A(this,"previousSibling",null,B,false,C);
-},getAllPrevious:function(B,C){return A(this,"previousSibling",null,B,true,C);},getNext:function(B,C){return A(this,"nextSibling",null,B,false,C);},getAllNext:function(B,C){return A(this,"nextSibling",null,B,true,C);
-},getFirst:function(B,C){return A(this,"nextSibling","firstChild",B,false,C);},getLast:function(B,C){return A(this,"previousSibling","lastChild",B,false,C);
-},getParent:function(B,C){return A(this,"parentNode",null,B,false,C);},getParents:function(B,C){return A(this,"parentNode",null,B,true,C);},getChildren:function(B,C){return A(this,"nextSibling","firstChild",B,true,C);
-},hasChild:function(B){B=$(B,true);return(!!B&&$A(this.getElementsByTagName(B.tagName)).contains(B));}});})();Element.Properties=new Hash;Element.Properties.style={set:function(A){this.style.cssText=A;
-},get:function(){return this.style.cssText;},erase:function(){this.style.cssText="";}};Element.Properties.tag={get:function(){return this.tagName.toLowerCase();
-}};Element.Properties.href={get:function(){return(!this.href)?null:this.href.replace(new RegExp("^"+document.location.protocol+"//"+document.location.host),"");
-}};Element.Properties.html={set:function(){return this.innerHTML=Array.flatten(arguments).join("");}};Native.implement([Element,Window,Document],{addListener:function(B,A){if(this.addEventListener){this.addEventListener(B,A,false);
-}else{this.attachEvent("on"+B,A);}return this;},removeListener:function(B,A){if(this.removeEventListener){this.removeEventListener(B,A,false);}else{this.detachEvent("on"+B,A);
-}return this;},retrieve:function(B,A){var D=Element.Storage.get(this.uid);var C=D[B];if($defined(A)&&!$defined(C)){C=D[B]=A;}return $pick(C);},store:function(B,A){var C=Element.Storage.get(this.uid);
-C[B]=A;return this;},eliminate:function(A){var B=Element.Storage.get(this.uid);delete B[A];return this;}});Element.Attributes=new Hash({Props:{html:"innerHTML","class":"className","for":"htmlFor",text:(Browser.Engine.trident)?"innerText":"textContent"},Bools:["compact","nowrap","ismap","declare","noshade","checked","disabled","readonly","multiple","selected","noresize","defer"],Camels:["value","accessKey","cellPadding","cellSpacing","colSpan","frameBorder","maxLength","readOnly","rowSpan [...]
-Browser.freeMem=function(A){if(!A){return ;}if(Browser.Engine.trident&&(/object/i).test(A.tagName)){for(var B in A){if(typeof A[B]=="function"){A[B]=$empty;
-}}Element.dispose(A);}if(A.uid&&A.removeEvents){A.removeEvents();}};(function(B){var C=B.Bools,A=B.Camels;B.Bools=C=C.associate(C);Hash.extend(Hash.combine(B.Props,C),A.associate(A.map(function(D){return D.toLowerCase();
-})));B.erase("Camels");})(Element.Attributes);window.addListener("unload",function(){window.removeListener("unload",arguments.callee);document.purge();
-if(Browser.Engine.trident){CollectGarbage();}});Element.Properties.events={set:function(A){this.addEvents(A);}};Native.implement([Element,Window,Document],{addEvent:function(E,G){var H=this.retrieve("events",{});
-H[E]=H[E]||{keys:[],values:[]};if(H[E].keys.contains(G)){return this;}H[E].keys.push(G);var F=E,A=Element.Events.get(E),C=G,I=this;if(A){if(A.onAdd){A.onAdd.call(this,G);
-}if(A.condition){C=function(J){if(A.condition.call(this,J)){return G.call(this,J);}return false;};}F=A.base||F;}var D=function(){return G.call(I);};var B=Element.NativeEvents[F]||0;
-if(B){if(B==2){D=function(J){J=new Event(J,I.getWindow());if(C.call(I,J)===false){J.stop();}};}this.addListener(F,D);}H[E].values.push(D);return this;},removeEvent:function(D,C){var B=this.retrieve("events");
-if(!B||!B[D]){return this;}var G=B[D].keys.indexOf(C);if(G==-1){return this;}var A=B[D].keys.splice(G,1)[0];var F=B[D].values.splice(G,1)[0];var E=Element.Events.get(D);
-if(E){if(E.onRemove){E.onRemove.call(this,C);}D=E.base||D;}return(Element.NativeEvents[D])?this.removeListener(D,F):this;},addEvents:function(A){for(var B in A){this.addEvent(B,A[B]);
-}return this;},removeEvents:function(B){var A=this.retrieve("events");if(!A){return this;}if(!B){for(var C in A){this.removeEvents(C);}A=null;}else{if(A[B]){while(A[B].keys[0]){this.removeEvent(B,A[B].keys[0]);
-}A[B]=null;}}return this;},fireEvent:function(D,B,A){var C=this.retrieve("events");if(!C||!C[D]){return this;}C[D].keys.each(function(E){E.create({bind:this,delay:A,"arguments":B})();
-},this);return this;},cloneEvents:function(D,A){D=$(D);var C=D.retrieve("events");if(!C){return this;}if(!A){for(var B in C){this.cloneEvents(D,B);}}else{if(C[A]){C[A].keys.each(function(E){this.addEvent(A,E);
-},this);}}return this;}});Element.NativeEvents={click:2,dblclick:2,mouseup:2,mousedown:2,contextmenu:2,mousewheel:2,DOMMouseScroll:2,mouseover:2,mouseout:2,mousemove:2,selectstart:2,selectend:2,keydown:2,keypress:2,keyup:2,focus:2,blur:2,change:2,reset:2,select:2,submit:2,load:1,unload:1,beforeunload:2,resize:1,move:1,DOMContentLoaded:1,readystatechange:1,error:1,abort:1,scroll:1};
-(function(){var A=function(B){var C=B.relatedTarget;if(C==undefined){return true;}if(C===false){return false;}return($type(this)!="document"&&C!=this&&C.prefix!="xul"&&!this.hasChild(C));
-};Element.Events=new Hash({mouseenter:{base:"mouseover",condition:A},mouseleave:{base:"mouseout",condition:A},mousewheel:{base:(Browser.Engine.gecko)?"DOMMouseScroll":"mousewheel"}});
-})();Element.Properties.styles={set:function(A){this.setStyles(A);}};Element.Properties.opacity={set:function(A,B){if(!B){if(A==0){if(this.style.visibility!="hidden"){this.style.visibility="hidden";
-}}else{if(this.style.visibility!="visible"){this.style.visibility="visible";}}}if(!this.currentStyle||!this.currentStyle.hasLayout){this.style.zoom=1;}if(Browser.Engine.trident){this.style.filter=(A==1)?"":"alpha(opacity="+A*100+")";
-}this.style.opacity=A;this.store("opacity",A);},get:function(){return this.retrieve("opacity",1);}};Element.implement({setOpacity:function(A){return this.set("opacity",A,true);
-},getOpacity:function(){return this.get("opacity");},setStyle:function(B,A){switch(B){case"opacity":return this.set("opacity",parseFloat(A));case"float":B=(Browser.Engine.trident)?"styleFloat":"cssFloat";
-}B=B.camelCase();if($type(A)!="string"){var C=(Element.Styles.get(B)||"@").split(" ");A=$splat(A).map(function(E,D){if(!C[D]){return"";}return($type(E)=="number")?C[D].replace("@",Math.round(E)):E;
-}).join(" ");}else{if(A==String(Number(A))){A=Math.round(A);}}this.style[B]=A;return this;},getStyle:function(G){switch(G){case"opacity":return this.get("opacity");
-case"float":G=(Browser.Engine.trident)?"styleFloat":"cssFloat";}G=G.camelCase();var A=this.style[G];if(!$chk(A)){A=[];for(var F in Element.ShortStyles){if(G!=F){continue;
-}for(var E in Element.ShortStyles[F]){A.push(this.getStyle(E));}return A.join(" ");}A=this.getComputedStyle(G);}if(A){A=String(A);var C=A.match(/rgba?\([\d\s,]+\)/);
-if(C){A=A.replace(C[0],C[0].rgbToHex());}}if(Browser.Engine.presto||(Browser.Engine.trident&&!$chk(parseInt(A)))){if(G.test(/^(height|width)$/)){var B=(G=="width")?["left","right"]:["top","bottom"],D=0;
-B.each(function(H){D+=this.getStyle("border-"+H+"-width").toInt()+this.getStyle("padding-"+H).toInt();},this);return this["offset"+G.capitalize()]-D+"px";
-}if(Browser.Engine.presto&&String(A).test("px")){return A;}if(G.test(/(border(.+)Width|margin|padding)/)){return"0px";}}return A;},setStyles:function(B){for(var A in B){this.setStyle(A,B[A]);
-}return this;},getStyles:function(){var A={};Array.each(arguments,function(B){A[B]=this.getStyle(B);},this);return A;}});Element.Styles=new Hash({left:"@px",top:"@px",bottom:"@px",right:"@px",width:"@px",height:"@px",maxWidth:"@px",maxHeight:"@px",minWidth:"@px",minHeight:"@px",backgroundColor:"rgb(@, @, @)",backgroundPosition:"@px @px",color:"rgb(@, @, @)",fontSize:"@px",letterSpacing:"@px",lineHeight:"@px",clip:"rect(@px @px @px @px)",margin:"@px @px @px @px",padding:"@px @px @px @px", [...]
-Element.ShortStyles={margin:{},padding:{},border:{},borderWidth:{},borderStyle:{},borderColor:{}};["Top","Right","Bottom","Left"].each(function(G){var F=Element.ShortStyles;
-var B=Element.Styles;["margin","padding"].each(function(H){var I=H+G;F[H][I]=B[I]="@px";});var E="border"+G;F.border[E]=B[E]="@px @ rgb(@, @, @)";var D=E+"Width",A=E+"Style",C=E+"Color";
-F[E]={};F.borderWidth[D]=F[E][D]=B[D]="@px";F.borderStyle[A]=F[E][A]=B[A]="@";F.borderColor[C]=F[E][C]=B[C]="rgb(@, @, @)";});(function(){Element.implement({scrollTo:function(H,I){if(B(this)){this.getWindow().scrollTo(H,I);
-}else{this.scrollLeft=H;this.scrollTop=I;}return this;},getSize:function(){if(B(this)){return this.getWindow().getSize();}return{x:this.offsetWidth,y:this.offsetHeight};
-},getScrollSize:function(){if(B(this)){return this.getWindow().getScrollSize();}return{x:this.scrollWidth,y:this.scrollHeight};},getScroll:function(){if(B(this)){return this.getWindow().getScroll();
-}return{x:this.scrollLeft,y:this.scrollTop};},getScrolls:function(){var I=this,H={x:0,y:0};while(I&&!B(I)){H.x+=I.scrollLeft;H.y+=I.scrollTop;I=I.parentNode;
-}return H;},getOffsetParent:function(){var H=this;if(B(H)){return null;}if(!Browser.Engine.trident){return H.offsetParent;}while((H=H.parentNode)&&!B(H)){if(D(H,"position")!="static"){return H;
-}}return null;},getOffsets:function(){var I=this,H={x:0,y:0};if(B(this)){return H;}while(I&&!B(I)){H.x+=I.offsetLeft;H.y+=I.offsetTop;if(Browser.Engine.gecko){if(!F(I)){H.x+=C(I);
-H.y+=G(I);}var J=I.parentNode;if(J&&D(J,"overflow")!="visible"){H.x+=C(J);H.y+=G(J);}}else{if(I!=this&&(Browser.Engine.trident||Browser.Engine.webkit)){H.x+=C(I);
-H.y+=G(I);}}I=I.offsetParent;if(Browser.Engine.trident){while(I&&!I.currentStyle.hasLayout){I=I.offsetParent;}}}if(Browser.Engine.gecko&&!F(this)){H.x-=C(this);
-H.y-=G(this);}return H;},getPosition:function(K){if(B(this)){return{x:0,y:0};}var L=this.getOffsets(),I=this.getScrolls();var H={x:L.x-I.x,y:L.y-I.y};var J=(K&&(K=$(K)))?K.getPosition():{x:0,y:0};
-return{x:H.x-J.x,y:H.y-J.y};},getCoordinates:function(J){if(B(this)){return this.getWindow().getCoordinates();}var H=this.getPosition(J),I=this.getSize();
-var K={left:H.x,top:H.y,width:I.x,height:I.y};K.right=K.left+K.width;K.bottom=K.top+K.height;return K;},computePosition:function(H){return{left:H.x-E(this,"margin-left"),top:H.y-E(this,"margin-top")};
-},position:function(H){return this.setStyles(this.computePosition(H));}});Native.implement([Document,Window],{getSize:function(){var I=this.getWindow();
-if(Browser.Engine.presto||Browser.Engine.webkit){return{x:I.innerWidth,y:I.innerHeight};}var H=A(this);return{x:H.clientWidth,y:H.clientHeight};},getScroll:function(){var I=this.getWindow();
-var H=A(this);return{x:I.pageXOffset||H.scrollLeft,y:I.pageYOffset||H.scrollTop};},getScrollSize:function(){var I=A(this);var H=this.getSize();return{x:Math.max(I.scrollWidth,H.x),y:Math.max(I.scrollHeight,H.y)};
-},getPosition:function(){return{x:0,y:0};},getCoordinates:function(){var H=this.getSize();return{top:0,left:0,bottom:H.y,right:H.x,height:H.y,width:H.x};
-}});var D=Element.getComputedStyle;function E(H,I){return D(H,I).toInt()||0;}function F(H){return D(H,"-moz-box-sizing")=="border-box";}function G(H){return E(H,"border-top-width");
-}function C(H){return E(H,"border-left-width");}function B(H){return(/^(?:body|html)$/i).test(H.tagName);}function A(H){var I=H.getDocument();return(!I.compatMode||I.compatMode=="CSS1Compat")?I.html:I.body;
-}})();Native.implement([Window,Document,Element],{getHeight:function(){return this.getSize().y;},getWidth:function(){return this.getSize().x;},getScrollTop:function(){return this.getScroll().y;
-},getScrollLeft:function(){return this.getScroll().x;},getScrollHeight:function(){return this.getScrollSize().y;},getScrollWidth:function(){return this.getScrollSize().x;
-},getTop:function(){return this.getPosition().y;},getLeft:function(){return this.getPosition().x;}});Native.implement([Document,Element],{getElements:function(H,G){H=H.split(",");
-var C,E={};for(var D=0,B=H.length;D<B;D++){var A=H[D],F=Selectors.Utils.search(this,A,E);if(D!=0&&F.item){F=$A(F);}C=(D==0)?F:(C.item)?$A(C).concat(F):C.concat(F);
-}return new Elements(C,{ddup:(H.length>1),cash:!G});}});Element.implement({match:function(B){if(!B){return true;}var D=Selectors.Utils.parseTagAndID(B);
-var A=D[0],E=D[1];if(!Selectors.Filters.byID(this,E)||!Selectors.Filters.byTag(this,A)){return false;}var C=Selectors.Utils.parseSelector(B);return(C)?Selectors.Utils.filter(this,C,{}):true;
-}});var Selectors={Cache:{nth:{},parsed:{}}};Selectors.RegExps={id:(/#([\w-]+)/),tag:(/^(\w+|\*)/),quick:(/^(\w+|\*)$/),splitter:(/\s*([+>~\s])\s*([a-zA-Z#.*:\[])/g),combined:(/\.([\w-]+)|\[(\w+)(?:([!*^$~|]?=)["']?(.*?)["']?)?\]|:([\w-]+)(?:\(["']?(.*?)?["']?\)|$)/g)};
-Selectors.Utils={chk:function(B,C){if(!C){return true;}var A=$uid(B);if(!C[A]){return C[A]=true;}return false;},parseNthArgument:function(F){if(Selectors.Cache.nth[F]){return Selectors.Cache.nth[F];
-}var C=F.match(/^([+-]?\d*)?([a-z]+)?([+-]?\d*)?$/);if(!C){return false;}var E=parseInt(C[1]);var B=(E||E===0)?E:1;var D=C[2]||false;var A=parseInt(C[3])||0;
-if(B!=0){A--;while(A<1){A+=B;}while(A>=B){A-=B;}}else{B=A;D="index";}switch(D){case"n":C={a:B,b:A,special:"n"};break;case"odd":C={a:2,b:0,special:"n"};
-break;case"even":C={a:2,b:1,special:"n"};break;case"first":C={a:0,special:"index"};break;case"last":C={special:"last-child"};break;case"only":C={special:"only-child"};
-break;default:C={a:(B-1),special:"index"};}return Selectors.Cache.nth[F]=C;},parseSelector:function(E){if(Selectors.Cache.parsed[E]){return Selectors.Cache.parsed[E];
-}var D,H={classes:[],pseudos:[],attributes:[]};while((D=Selectors.RegExps.combined.exec(E))){var I=D[1],G=D[2],F=D[3],B=D[4],C=D[5],J=D[6];if(I){H.classes.push(I);
-}else{if(C){var A=Selectors.Pseudo.get(C);if(A){H.pseudos.push({parser:A,argument:J});}else{H.attributes.push({name:C,operator:"=",value:J});}}else{if(G){H.attributes.push({name:G,operator:F,value:B});
-}}}}if(!H.classes.length){delete H.classes;}if(!H.attributes.length){delete H.attributes;}if(!H.pseudos.length){delete H.pseudos;}if(!H.classes&&!H.attributes&&!H.pseudos){H=null;
-}return Selectors.Cache.parsed[E]=H;},parseTagAndID:function(B){var A=B.match(Selectors.RegExps.tag);var C=B.match(Selectors.RegExps.id);return[(A)?A[1]:"*",(C)?C[1]:false];
-},filter:function(F,C,E){var D;if(C.classes){for(D=C.classes.length;D--;D){var G=C.classes[D];if(!Selectors.Filters.byClass(F,G)){return false;}}}if(C.attributes){for(D=C.attributes.length;
-D--;D){var B=C.attributes[D];if(!Selectors.Filters.byAttribute(F,B.name,B.operator,B.value)){return false;}}}if(C.pseudos){for(D=C.pseudos.length;D--;D){var A=C.pseudos[D];
-if(!Selectors.Filters.byPseudo(F,A.parser,A.argument,E)){return false;}}}return true;},getByTagAndID:function(B,A,D){if(D){var C=(B.getElementById)?B.getElementById(D,true):Element.getElementById(B,D,true);
-return(C&&Selectors.Filters.byTag(C,A))?[C]:[];}else{return B.getElementsByTagName(A);}},search:function(J,I,O){var B=[];var C=I.trim().replace(Selectors.RegExps.splitter,function(Z,Y,X){B.push(Y);
-return":)"+X;}).split(":)");var K,F,E,V;for(var U=0,Q=C.length;U<Q;U++){var T=C[U];if(U==0&&Selectors.RegExps.quick.test(T)){K=J.getElementsByTagName(T);
-continue;}var A=B[U-1];var L=Selectors.Utils.parseTagAndID(T);var W=L[0],M=L[1];if(U==0){K=Selectors.Utils.getByTagAndID(J,W,M);}else{var D={},H=[];for(var S=0,R=K.length;
-S<R;S++){H=Selectors.Getters[A](H,K[S],W,M,D);}K=H;}var G=Selectors.Utils.parseSelector(T);if(G){E=[];for(var P=0,N=K.length;P<N;P++){V=K[P];if(Selectors.Utils.filter(V,G,O)){E.push(V);
-}}K=E;}}return K;}};Selectors.Getters={" ":function(H,G,I,A,E){var D=Selectors.Utils.getByTagAndID(G,I,A);for(var C=0,B=D.length;C<B;C++){var F=D[C];if(Selectors.Utils.chk(F,E)){H.push(F);
-}}return H;},">":function(H,G,I,A,F){var C=Selectors.Utils.getByTagAndID(G,I,A);for(var E=0,D=C.length;E<D;E++){var B=C[E];if(B.parentNode==G&&Selectors.Utils.chk(B,F)){H.push(B);
-}}return H;},"+":function(C,B,A,E,D){while((B=B.nextSibling)){if(B.nodeType==1){if(Selectors.Utils.chk(B,D)&&Selectors.Filters.byTag(B,A)&&Selectors.Filters.byID(B,E)){C.push(B);
-}break;}}return C;},"~":function(C,B,A,E,D){while((B=B.nextSibling)){if(B.nodeType==1){if(!Selectors.Utils.chk(B,D)){break;}if(Selectors.Filters.byTag(B,A)&&Selectors.Filters.byID(B,E)){C.push(B);
-}}}return C;}};Selectors.Filters={byTag:function(B,A){return(A=="*"||(B.tagName&&B.tagName.toLowerCase()==A));},byID:function(A,B){return(!B||(A.id&&A.id==B));
-},byClass:function(B,A){return(B.className&&B.className.contains(A," "));},byPseudo:function(A,D,C,B){return D.call(A,C,B);},byAttribute:function(C,D,B,E){var A=Element.prototype.getProperty.call(C,D);
-if(!A){return false;}if(!B||E==undefined){return true;}switch(B){case"=":return(A==E);case"*=":return(A.contains(E));case"^=":return(A.substr(0,E.length)==E);
-case"$=":return(A.substr(A.length-E.length)==E);case"!=":return(A!=E);case"~=":return A.contains(E," ");case"|=":return A.contains(E,"-");}return false;
-}};Selectors.Pseudo=new Hash({empty:function(){return !(this.innerText||this.textContent||"").length;},not:function(A){return !Element.match(this,A);},contains:function(A){return(this.innerText||this.textContent||"").contains(A);
-},"first-child":function(){return Selectors.Pseudo.index.call(this,0);},"last-child":function(){var A=this;while((A=A.nextSibling)){if(A.nodeType==1){return false;
-}}return true;},"only-child":function(){var B=this;while((B=B.previousSibling)){if(B.nodeType==1){return false;}}var A=this;while((A=A.nextSibling)){if(A.nodeType==1){return false;
-}}return true;},"nth-child":function(G,E){G=(G==undefined)?"n":G;var C=Selectors.Utils.parseNthArgument(G);if(C.special!="n"){return Selectors.Pseudo[C.special].call(this,C.a,E);
-}var F=0;E.positions=E.positions||{};var D=$uid(this);if(!E.positions[D]){var B=this;while((B=B.previousSibling)){if(B.nodeType!=1){continue;}F++;var A=E.positions[$uid(B)];
-if(A!=undefined){F=A+F;break;}}E.positions[D]=F;}return(E.positions[D]%C.a==C.b);},index:function(A){var B=this,C=0;while((B=B.previousSibling)){if(B.nodeType==1&&++C>A){return false;
-}}return(C==A);},even:function(B,A){return Selectors.Pseudo["nth-child"].call(this,"2n+1",A);},odd:function(B,A){return Selectors.Pseudo["nth-child"].call(this,"2n",A);
-}});Element.Events.domready={onAdd:function(A){if(Browser.loaded){A.call(this);}}};(function(){var B=function(){if(Browser.loaded){return ;}Browser.loaded=true;
-window.fireEvent("domready");document.fireEvent("domready");};switch(Browser.Engine.name){case"webkit":(function(){(["loaded","complete"].contains(document.readyState))?B():arguments.callee.delay(50);
-})();break;case"trident":var A=document.createElement("div");(function(){($try(function(){A.doScroll("left");return $(A).inject(document.body).set("html","temp").dispose();
-}))?B():arguments.callee.delay(50);})();break;default:window.addEvent("load",B);document.addEvent("DOMContentLoaded",B);}})();var JSON=new Hash({encode:function(B){switch($type(B)){case"string":return'"'+B.replace(/[\x00-\x1f\\"]/g,JSON.$replaceChars)+'"';
-case"array":return"["+String(B.map(JSON.encode).filter($defined))+"]";case"object":case"hash":var A=[];Hash.each(B,function(E,D){var C=JSON.encode(E);if(C){A.push(JSON.encode(D)+":"+C);
-}});return"{"+A+"}";case"number":case"boolean":return String(B);case false:return"null";}return null;},$specialChars:{"\b":"\\b","\t":"\\t","\n":"\\n","\f":"\\f","\r":"\\r",'"':'\\"',"\\":"\\\\"},$replaceChars:function(A){return JSON.$specialChars[A]||"\\u00"+Math.floor(A.charCodeAt()/16).toString(16)+(A.charCodeAt()%16).toString(16);
-},decode:function(string,secure){if($type(string)!="string"||!string.length){return null;}if(secure&&!(/^[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]*$/).test(string.replace(/\\./g,"@").replace(/"[^"\\\n\r]*"/g,""))){return null;
-}return eval("("+string+")");}});Native.implement([Hash,Array,String,Number],{toJSON:function(){return JSON.encode(this);}});var Cookie=new Class({Implements:Options,options:{path:false,domain:false,duration:false,secure:false,document:document},initialize:function(B,A){this.key=B;
-this.setOptions(A);},write:function(B){B=encodeURIComponent(B);if(this.options.domain){B+="; domain="+this.options.domain;}if(this.options.path){B+="; path="+this.options.path;
-}if(this.options.duration){var A=new Date();A.setTime(A.getTime()+this.options.duration*24*60*60*1000);B+="; expires="+A.toGMTString();}if(this.options.secure){B+="; secure";
-}this.options.document.cookie=this.key+"="+B;return this;},read:function(){var A=this.options.document.cookie.match("(?:^|;)\\s*"+this.key.escapeRegExp()+"=([^;]*)");
-return(A)?decodeURIComponent(A[1]):null;},dispose:function(){new Cookie(this.key,$merge(this.options,{duration:-1})).write("");return this;}});Cookie.write=function(B,C,A){return new Cookie(B,A).write(C);
-};Cookie.read=function(A){return new Cookie(A).read();};Cookie.dispose=function(B,A){return new Cookie(B,A).dispose();};var Swiff=new Class({Implements:[Options],options:{id:null,height:1,width:1,container:null,properties:{},params:{quality:"high",allowScriptAccess:"always",wMode:"transparent",swLiveConnect:true},callBacks:{},vars:{}},toElement:function(){return this.object;
-},initialize:function(L,M){this.instance="Swiff_"+$time();this.setOptions(M);M=this.options;var B=this.id=M.id||this.instance;var A=$(M.container);Swiff.CallBacks[this.instance]={};
-var E=M.params,G=M.vars,F=M.callBacks;var H=$extend({height:M.height,width:M.width},M.properties);var K=this;for(var D in F){Swiff.CallBacks[this.instance][D]=(function(N){return function(){return N.apply(K.object,arguments);
-};})(F[D]);G[D]="Swiff.CallBacks."+this.instance+"."+D;}E.flashVars=Hash.toQueryString(G);if(Browser.Engine.trident){H.classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000";
-E.movie=L;}else{H.type="application/x-shockwave-flash";H.data=L;}var J='<object id="'+B+'"';for(var I in H){J+=" "+I+'="'+H[I]+'"';}J+=">";for(var C in E){if(E[C]){J+='<param name="'+C+'" value="'+E[C]+'" />';
-}}J+="</object>";this.object=((A)?A.empty():new Element("div")).set("html",J).firstChild;},replaces:function(A){A=$(A,true);A.parentNode.replaceChild(this.toElement(),A);
-return this;},inject:function(A){$(A,true).appendChild(this.toElement());return this;},remote:function(){return Swiff.remote.apply(Swiff,[this.toElement()].extend(arguments));
-}});Swiff.CallBacks={};Swiff.remote=function(obj,fn){var rs=obj.CallFunction('<invoke name="'+fn+'" returntype="javascript">'+__flash__argumentsToXML(arguments,2)+"</invoke>");
-return eval(rs);};var Fx=new Class({Implements:[Chain,Events,Options],options:{fps:50,unit:false,duration:500,link:"ignore",transition:function(A){return -(Math.cos(Math.PI*A)-1)/2;
-}},initialize:function(A){this.subject=this.subject||this;this.setOptions(A);this.options.duration=Fx.Durations[this.options.duration]||this.options.duration.toInt();
-var B=this.options.wait;if(B===false){this.options.link="cancel";}},step:function(){var A=$time();if(A<this.time+this.options.duration){var B=this.options.transition((A-this.time)/this.options.duration);
-this.set(this.compute(this.from,this.to,B));}else{this.set(this.compute(this.from,this.to,1));this.complete();}},set:function(A){return A;},compute:function(C,B,A){return Fx.compute(C,B,A);
-},check:function(A){if(!this.timer){return true;}switch(this.options.link){case"cancel":this.cancel();return true;case"chain":this.chain(A.bind(this,Array.slice(arguments,1)));
-return false;}return false;},start:function(B,A){if(!this.check(arguments.callee,B,A)){return this;}this.from=B;this.to=A;this.time=0;this.startTimer();
-this.onStart();return this;},complete:function(){if(this.stopTimer()){this.onComplete();}return this;},cancel:function(){if(this.stopTimer()){this.onCancel();
-}return this;},onStart:function(){this.fireEvent("start",this.subject);},onComplete:function(){this.fireEvent("complete",this.subject);if(!this.callChain()){this.fireEvent("chainComplete",this.subject);
-}},onCancel:function(){this.fireEvent("cancel",this.subject).clearChain();},pause:function(){this.stopTimer();return this;},resume:function(){this.startTimer();
-return this;},stopTimer:function(){if(!this.timer){return false;}this.time=$time()-this.time;this.timer=$clear(this.timer);return true;},startTimer:function(){if(this.timer){return false;
-}this.time=$time()-this.time;this.timer=this.step.periodical(Math.round(1000/this.options.fps),this);return true;}});Fx.compute=function(C,B,A){return(B-C)*A+C;
-};Fx.Durations={"short":250,normal:500,"long":1000};Fx.CSS=new Class({Extends:Fx,prepare:function(D,E,B){B=$splat(B);var C=B[1];if(!$chk(C)){B[1]=B[0];
-B[0]=D.getStyle(E);}var A=B.map(this.parse);return{from:A[0],to:A[1]};},parse:function(A){A=$lambda(A)();A=(typeof A=="string")?A.split(" "):$splat(A);
-return A.map(function(C){C=String(C);var B=false;Fx.CSS.Parsers.each(function(F,E){if(B){return ;}var D=F.parse(C);if($chk(D)){B={value:D,parser:F};}});
-B=B||{value:C,parser:Fx.CSS.Parsers.String};return B;});},compute:function(D,C,B){var A=[];(Math.min(D.length,C.length)).times(function(E){A.push({value:D[E].parser.compute(D[E].value,C[E].value,B),parser:D[E].parser});
-});A.$family={name:"fx:css:value"};return A;},serve:function(C,B){if($type(C)!="fx:css:value"){C=this.parse(C);}var A=[];C.each(function(D){A=A.concat(D.parser.serve(D.value,B));
-});return A;},render:function(A,D,C,B){A.setStyle(D,this.serve(C,B));},search:function(A){if(Fx.CSS.Cache[A]){return Fx.CSS.Cache[A];}var B={};Array.each(document.styleSheets,function(E,D){var C=E.href;
-if(C&&C.contains("://")&&!C.contains(document.domain)){return ;}var F=E.rules||E.cssRules;Array.each(F,function(I,G){if(!I.style){return ;}var H=(I.selectorText)?I.selectorText.replace(/^\w+/,function(J){return J.toLowerCase();
-}):null;if(!H||!H.test("^"+A+"$")){return ;}Element.Styles.each(function(K,J){if(!I.style[J]||Element.ShortStyles[J]){return ;}K=String(I.style[J]);B[J]=(K.test(/^rgb/))?K.rgbToHex():K;
-});});});return Fx.CSS.Cache[A]=B;}});Fx.CSS.Cache={};Fx.CSS.Parsers=new Hash({Color:{parse:function(A){if(A.match(/^#[0-9a-f]{3,6}$/i)){return A.hexToRgb(true);
-}return((A=A.match(/(\d+),\s*(\d+),\s*(\d+)/)))?[A[1],A[2],A[3]]:false;},compute:function(C,B,A){return C.map(function(E,D){return Math.round(Fx.compute(C[D],B[D],A));
-});},serve:function(A){return A.map(Number);}},Number:{parse:parseFloat,compute:Fx.compute,serve:function(B,A){return(A)?B+A:B;}},String:{parse:$lambda(false),compute:$arguments(1),serve:$arguments(0)}});
-Fx.Tween=new Class({Extends:Fx.CSS,initialize:function(B,A){this.element=this.subject=$(B);this.parent(A);},set:function(B,A){if(arguments.length==1){A=B;
-B=this.property||this.options.property;}this.render(this.element,B,A,this.options.unit);return this;},start:function(C,E,D){if(!this.check(arguments.callee,C,E,D)){return this;
-}var B=Array.flatten(arguments);this.property=this.options.property||B.shift();var A=this.prepare(this.element,this.property,B);return this.parent(A.from,A.to);
-}});Element.Properties.tween={set:function(A){var B=this.retrieve("tween");if(B){B.cancel();}return this.eliminate("tween").store("tween:options",$extend({link:"cancel"},A));
-},get:function(A){if(A||!this.retrieve("tween")){if(A||!this.retrieve("tween:options")){this.set("tween",A);}this.store("tween",new Fx.Tween(this,this.retrieve("tween:options")));
-}return this.retrieve("tween");}};Element.implement({tween:function(A,C,B){this.get("tween").start(arguments);return this;},fade:function(C){var E=this.get("tween"),D="opacity",A;
-C=$pick(C,"toggle");switch(C){case"in":E.start(D,1);break;case"out":E.start(D,0);break;case"show":E.set(D,1);break;case"hide":E.set(D,0);break;case"toggle":var B=this.retrieve("fade:flag",this.get("opacity")==1);
-E.start(D,(B)?0:1);this.store("fade:flag",!B);A=true;break;default:E.start(D,arguments);}if(!A){this.eliminate("fade:flag");}return this;},highlight:function(C,A){if(!A){A=this.retrieve("highlight:original",this.getStyle("background-color"));
-A=(A=="transparent")?"#fff":A;}var B=this.get("tween");B.start("background-color",C||"#ffff88",A).chain(function(){this.setStyle("background-color",this.retrieve("highlight:original"));
-B.callChain();}.bind(this));return this;}});Fx.Morph=new Class({Extends:Fx.CSS,initialize:function(B,A){this.element=this.subject=$(B);this.parent(A);},set:function(A){if(typeof A=="string"){A=this.search(A);
-}for(var B in A){this.render(this.element,B,A[B],this.options.unit);}return this;},compute:function(E,D,C){var A={};for(var B in E){A[B]=this.parent(E[B],D[B],C);
-}return A;},start:function(B){if(!this.check(arguments.callee,B)){return this;}if(typeof B=="string"){B=this.search(B);}var E={},D={};for(var C in B){var A=this.prepare(this.element,C,B[C]);
-E[C]=A.from;D[C]=A.to;}return this.parent(E,D);}});Element.Properties.morph={set:function(A){var B=this.retrieve("morph");if(B){B.cancel();}return this.eliminate("morph").store("morph:options",$extend({link:"cancel"},A));
-},get:function(A){if(A||!this.retrieve("morph")){if(A||!this.retrieve("morph:options")){this.set("morph",A);}this.store("morph",new Fx.Morph(this,this.retrieve("morph:options")));
-}return this.retrieve("morph");}};Element.implement({morph:function(A){this.get("morph").start(A);return this;}});(function(){var A=Fx.prototype.initialize;
-Fx.prototype.initialize=function(B){A.call(this,B);var C=this.options.transition;if(typeof C=="string"&&(C=C.split(":"))){var D=Fx.Transitions;D=D[C[0]]||D[C[0].capitalize()];
-if(C[1]){D=D["ease"+C[1].capitalize()+(C[2]?C[2].capitalize():"")];}this.options.transition=D;}};})();Fx.Transition=function(B,A){A=$splat(A);return $extend(B,{easeIn:function(C){return B(C,A);
-},easeOut:function(C){return 1-B(1-C,A);},easeInOut:function(C){return(C<=0.5)?B(2*C,A)/2:(2-B(2*(1-C),A))/2;}});};Fx.Transitions=new Hash({linear:$arguments(0)});
-Fx.Transitions.extend=function(A){for(var B in A){Fx.Transitions[B]=new Fx.Transition(A[B]);}};Fx.Transitions.extend({Pow:function(B,A){return Math.pow(B,A[0]||6);
-},Expo:function(A){return Math.pow(2,8*(A-1));},Circ:function(A){return 1-Math.sin(Math.acos(A));},Sine:function(A){return 1-Math.sin((1-A)*Math.PI/2);
-},Back:function(B,A){A=A[0]||1.618;return Math.pow(B,2)*((A+1)*B-A);},Bounce:function(D){var C;for(var B=0,A=1;1;B+=A,A/=2){if(D>=(7-4*B)/11){C=-Math.pow((11-6*B-11*D)/4,2)+A*A;
-break;}}return C;},Elastic:function(B,A){return Math.pow(2,10*--B)*Math.cos(20*B*Math.PI*(A[0]||1)/3);}});["Quad","Cubic","Quart","Quint"].each(function(B,A){Fx.Transitions[B]=new Fx.Transition(function(C){return Math.pow(C,[A+2]);
-});});var Request=new Class({Implements:[Chain,Events,Options],options:{url:"",data:"",headers:{"X-Requested-With":"XMLHttpRequest",Accept:"text/javascript, text/html, application/xml, text/xml, */*"},async:true,format:false,method:"post",link:"ignore",isSuccess:null,emulation:true,urlEncoded:true,encoding:"utf-8",evalScripts:false,evalResponse:false},initialize:function(A){this.xhr=new Browser.Request();
-this.setOptions(A);this.options.isSuccess=this.options.isSuccess||this.isSuccess;this.headers=new Hash(this.options.headers);},onStateChange:function(){if(this.xhr.readyState!=4||!this.running){return ;
-}this.running=false;this.status=0;$try(function(){this.status=this.xhr.status;}.bind(this));if(this.options.isSuccess.call(this,this.status)){this.response={text:this.xhr.responseText,xml:this.xhr.responseXML};
-this.success(this.response.text,this.response.xml);}else{this.response={text:null,xml:null};this.failure();}this.xhr.onreadystatechange=$empty;},isSuccess:function(){return((this.status>=200)&&(this.status<300));
-},processScripts:function(A){if(this.options.evalResponse||(/(ecma|java)script/).test(this.getHeader("Content-type"))){return $exec(A);}return A.stripScripts(this.options.evalScripts);
-},success:function(B,A){this.onSuccess(this.processScripts(B),A);},onSuccess:function(){this.fireEvent("complete",arguments).fireEvent("success",arguments).callChain();
-},failure:function(){this.onFailure();},onFailure:function(){this.fireEvent("complete").fireEvent("failure",this.xhr);},setHeader:function(A,B){this.headers.set(A,B);
-return this;},getHeader:function(A){return $try(function(){return this.xhr.getResponseHeader(A);}.bind(this));},check:function(A){if(!this.running){return true;
-}switch(this.options.link){case"cancel":this.cancel();return true;case"chain":this.chain(A.bind(this,Array.slice(arguments,1)));return false;}return false;
-},send:function(I){if(!this.check(arguments.callee,I)){return this;}this.running=true;var G=$type(I);if(G=="string"||G=="element"){I={data:I};}var D=this.options;
-I=$extend({data:D.data,url:D.url,method:D.method},I);var E=I.data,B=I.url,A=I.method;switch($type(E)){case"element":E=$(E).toQueryString();break;case"object":case"hash":E=Hash.toQueryString(E);
-}if(this.options.format){var H="format="+this.options.format;E=(E)?H+"&"+E:H;}if(this.options.emulation&&["put","delete"].contains(A)){var F="_method="+A;
-E=(E)?F+"&"+E:F;A="post";}if(this.options.urlEncoded&&A=="post"){var C=(this.options.encoding)?"; charset="+this.options.encoding:"";this.headers.set("Content-type","application/x-www-form-urlencoded"+C);
-}if(E&&A=="get"){B=B+(B.contains("?")?"&":"?")+E;E=null;}this.xhr.open(A.toUpperCase(),B,this.options.async);this.xhr.onreadystatechange=this.onStateChange.bind(this);
-this.headers.each(function(K,J){if(!$try(function(){this.xhr.setRequestHeader(J,K);return true;}.bind(this))){this.fireEvent("exception",[J,K]);}},this);
-this.fireEvent("request");this.xhr.send(E);if(!this.options.async){this.onStateChange();}return this;},cancel:function(){if(!this.running){return this;
-}this.running=false;this.xhr.abort();this.xhr.onreadystatechange=$empty;this.xhr=new Browser.Request();this.fireEvent("cancel");return this;}});(function(){var A={};
-["get","post","put","delete","GET","POST","PUT","DELETE"].each(function(B){A[B]=function(){var C=Array.link(arguments,{url:String.type,data:$defined});
-return this.send($extend(C,{method:B.toLowerCase()}));};});Request.implement(A);})();Element.Properties.send={set:function(A){var B=this.retrieve("send");
-if(B){B.cancel();}return this.eliminate("send").store("send:options",$extend({data:this,link:"cancel",method:this.get("method")||"post",url:this.get("action")},A));
-},get:function(A){if(A||!this.retrieve("send")){if(A||!this.retrieve("send:options")){this.set("send",A);}this.store("send",new Request(this.retrieve("send:options")));
-}return this.retrieve("send");}};Element.implement({send:function(A){var B=this.get("send");B.send({data:this,url:A||B.options.url});return this;}});Request.HTML=new Class({Extends:Request,options:{update:false,evalScripts:true,filter:false},processHTML:function(C){var B=C.match(/<body[^>]*>([\s\S]*?)<\/body>/i);
-C=(B)?B[1]:C;var A=new Element("div");return $try(function(){var D="<root>"+C+"</root>",G;if(Browser.Engine.trident){G=new ActiveXObject("Microsoft.XMLDOM");
-G.async=false;G.loadXML(D);}else{G=new DOMParser().parseFromString(D,"text/xml");}D=G.getElementsByTagName("root")[0];for(var F=0,E=D.childNodes.length;
-F<E;F++){var H=Element.clone(D.childNodes[F],true,true);if(H){A.grab(H);}}return A;})||A.set("html",C);},success:function(D){var C=this.options,B=this.response;
-B.html=D.stripScripts(function(E){B.javascript=E;});var A=this.processHTML(B.html);B.tree=A.childNodes;B.elements=A.getElements("*");if(C.filter){B.tree=B.elements.filter(C.filter);
-}if(C.update){$(C.update).empty().adopt(B.tree);}if(C.evalScripts){$exec(B.javascript);}this.onSuccess(B.tree,B.elements,B.html,B.javascript);}});Element.Properties.load={set:function(A){var B=this.retrieve("load");
-if(B){send.cancel();}return this.eliminate("load").store("load:options",$extend({data:this,link:"cancel",update:this,method:"get"},A));},get:function(A){if(A||!this.retrieve("load")){if(A||!this.retrieve("load:options")){this.set("load",A);
-}this.store("load",new Request.HTML(this.retrieve("load:options")));}return this.retrieve("load");}};Element.implement({load:function(){this.get("load").send(Array.link(arguments,{data:Object.type,url:String.type}));
-return this;}});Request.JSON=new Class({Extends:Request,options:{secure:true},initialize:function(A){this.parent(A);this.headers.extend({Accept:"application/json","X-Request":"JSON"});
-},success:function(A){this.response.json=JSON.decode(A,this.options.secure);this.onSuccess(this.response.json,A);}});
diff --git a/src/medsrv/templates/static/script.js b/src/medsrv/templates/static/script.js
deleted file mode 100644
index f2ab1e0..0000000
--- a/src/medsrv/templates/static/script.js
+++ /dev/null
@@ -1,13 +0,0 @@
-window.addEvent('domready', function() {
-	$$('.focus').each(function(e){e.focus();});
-	$$('table.list tr:nth-child(2n) td').each(function(e){e.set('class', 'even');});
-	$$('table.list tr:nth-child(2n+1) td').each(function(e){e.set('class', 'odd');});
-	$$('table.list tr th').each(function(e){e.set('class', 'head');});
-	$$('table.list tr td').each(function(e){e.addEvents({
-		'click': function(){
-		    location.href = this.getChildren('a')[0].get('href');
-		}
-	})});
-});
-
-
diff --git a/src/medsrv/templates/static/style.css b/src/medsrv/templates/static/style.css
index e109ce2..cb7f303 100644
--- a/src/medsrv/templates/static/style.css
+++ b/src/medsrv/templates/static/style.css
@@ -104,29 +104,25 @@ a img {
 	color: #dd0000;
 }
 
-.even {
-	cursor : pointer;
-}
-
-.even a, .odd a {
-	text-decoration: none;
+table.list * {
+	padding: 0px 1em 0px 0.2em;
 }
 
-.odd {
-	background-color: #f2cd6f;
-	cursor : pointer;
+table.list tr td, table.list tr th {
+	border: solid 1px;
+	border-color: black;
 }
 
-.head {
+table.list tr th {
 	background-color: #ffec9e;
 }
 
-table.list * {
-	padding: 0px 1em 0px 0.2em;
+table.list tr:nth-child(odd) td {
+	background-color: #f2cd6f;
 }
 
-table.list tr td, table.list tr th {
-	border: solid 1px;
-	border-color: black;
+table.list tr td a {
+	text-decoration: none;
+	display: inline-block;
+	width: 100%;
 }
-
diff --git a/src/medsrv/templates/user/add.cs b/src/medsrv/templates/user/add.cs
index 8ba4e5c..82442c5 100644
--- a/src/medsrv/templates/user/add.cs
+++ b/src/medsrv/templates/user/add.cs
@@ -6,7 +6,7 @@
   <table class="user">
     <tr>
       <td><label for="new_login">Username</label></td>
-      <td><input type="text" id="new_login" name="new_login" class="focus" maxlength="30" value="<?cs var:new_login ?>"/></td>
+      <td><input type="text" id="new_login" name="new_login" autofocus maxlength="30" value="<?cs var:new_login ?>"/></td>
     </tr>
     <tr>
       <td><label for="new_password">Password</label></td>
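Review bot: The `value="<?cs var:new_login ?>"` attribute on the username input echoes the submitted login back into the page, and nothing in this hunk shows it being escaped. Unless an HTML escape mode is configured globally for these templates (not visible here), writing it as `<?cs var:html_escape(new_login) ?>` keeps a quote character in the value from closing the attribute. The `class="focus"` to `autofocus` swap itself needs no change.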
diff --git a/src/medsrv/templates/user/login.cs b/src/medsrv/templates/user/login.cs
index 1d6eadb..fbf5b8b 100644
--- a/src/medsrv/templates/user/login.cs
+++ b/src/medsrv/templates/user/login.cs
@@ -6,7 +6,7 @@
   <table class="user">
     <tr>
       <td><label for="login">Username</label></td>
-      <td><input type="text" id="login" name="login" size="30" maxlength="30" class="focus"/></td>
+      <td><input type="text" id="login" name="login" size="30" maxlength="30" autofocus /></td>
     </tr>
     <tr>
       <td><label for="password">Password</label></td>
diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c
index 7099977..4f850d6 100644
--- a/src/pki/commands/acert.c
+++ b/src/pki/commands/acert.c
@@ -278,7 +278,8 @@ static void __attribute__ ((constructor))reg()
 		{"[--in file] [--group name]* --issuerkey file|--issuerkeyid hex",
 		 " --issuercert file [--serial hex] [--lifetime hours]",
 		 " [--not-before datetime] [--not-after datetime] [--dateform form]",
-		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
+		 "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
+		 "[--outform der|pem]"},
 		{
 			{"help",			'h', 0, "show usage information"},
 			{"in",				'i', 1, "holder certificate, default: stdin"},
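Review bot: Splitting the `--digest` entry adds one more string to the usage-line initializer in `reg()`, and the size of that array is declared outside this diff. If it is fixed-size, please confirm that the commands with the most lines still fit, and that a terminating NULL remains if the help printer relies on one. The same extra line is added in issue.c, req.c and self.c. The list also still offers `md5` and `sha1` for signing without comment; a short help note such as `(md5 and sha1 for legacy interoperability only)` would steer users towards a safer choice.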
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 2dc9fcc..fdc43d7 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -588,7 +588,8 @@ static void __attribute__ ((constructor))reg()
 		 "[--nc-excluded name] [--policy-mapping issuer-oid:subject-oid]",
 		 "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
 		 "[--cert-policy oid [--cps-uri uri] [--user-notice text]]+",
-		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
+		 "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
+		 "[--outform der|pem]"},
 		{
 			{"help",			'h', 0, "show usage information"},
 			{"in",				'i', 1, "key/request file to issue, default: stdin"},
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index da991b5..68d6112 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -196,7 +196,8 @@ static void __attribute__ ((constructor))reg()
 		"create a PKCS#10 certificate request",
 		{"  [--in file] [--type rsa|ecdsa|bliss] --dn distinguished-name",
 		 "[--san subjectAltName]+ [--password challengePassword]",
-		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
+		 "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
+		 "[--outform der|pem]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "private key input file, default: stdin"},
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index a785c2a..f4e83c7 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -425,7 +425,8 @@ static void __attribute__ ((constructor))reg()
 		 "[--policy-map issuer-oid:subject-oid]",
 		 "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
 		 "[--cert-policy oid [--cps-uri uri] [--user-notice text]]+",
-		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
+		 "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
+		 "[--outform der|pem]"},
 		{
 			{"help",			'h', 0, "show usage information"},
 			{"in",				'i', 1, "private key input file, default: stdin"},
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index 720dfd8..6c27289 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -451,7 +451,7 @@ static void __attribute__ ((constructor))reg()
 		 "  [[--reason key-compromise|ca-compromise|affiliation-changed|",
 		 "             superseded|cessation-of-operation|certificate-hold]",
 		 "   [--date timestamp] --cert file|--serial hex]*",
-		 "  [--digest md5|sha1|sha224|sha256|sha384|sha512]",
+		 "  [--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
 		 "  [--outform der|pem]"},
 		{
 			{"help",		'h', 0, "show usage information"},
diff --git a/src/scepclient/scepclient.8 b/src/scepclient/scepclient.8
index bf71bf8..78ce5c6 100644
--- a/src/scepclient/scepclient.8
+++ b/src/scepclient/scepclient.8
@@ -289,14 +289,5 @@ The challenge password is '5xH2pnT7wq'. The encryption and signature check has t
 caCert.der.
 .RE
 
-
 .SH "BUGS"
 \fB\-\-optionsfrom\fP seems to have parsing problems reading option files containing strings in quotation marks.
-.SH "COPYRIGHT"
-Copyright (C) 2005 Jan Hutter, Martin Willi
-.br
-Hochschule fuer Technik Rapperswil
-.PP
-This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-.PP
-This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
diff --git a/src/swanctl/commands/list_pools.c b/src/swanctl/commands/list_pools.c
index 1557716..429107e 100644
--- a/src/swanctl/commands/list_pools.c
+++ b/src/swanctl/commands/list_pools.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
@@ -19,8 +22,22 @@
 
 #include "command.h"
 
+CALLBACK(list_leases, int,
+	char *pool, vici_res_t *res, char *name)
+{
+	if (streq(name, "leases"))
+	{
+		return vici_parse_cb(res, list_leases, NULL, NULL, pool);
+	}
+	printf("  %-30s %-8s '%s'\n",
+		   vici_find_str(res, "", "%s.leases.%s.address", pool, name),
+		   vici_find_str(res, "", "%s.leases.%s.status", pool, name),
+		   vici_find_str(res, "", "%s.leases.%s.identity", pool, name));
+	return 0;
+}
+
 CALLBACK(list_pool, int,
-	linked_list_t *list, vici_res_t *res, char *name)
+	void *not_used, vici_res_t *res, char *name)
 {
 	char pool[64], leases[32];
 
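Review bot: `list_leases` has no comment, and its two-step use is easy to misread: the first call sees the section named "leases" and re-enters itself through `vici_parse_cb`, after which every child section name is treated as a lease key. A header such as `/* section callback: descend into "leases", then print one line per lease */` would make that clear. The identity column is printed with a plain `%s`; since that string presumably originates from the remote peer, it is worth confirming that the daemon replaces non-printable characters before the value reaches the terminal. `list_pool`'s body continues outside this hunk.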
@@ -33,7 +50,7 @@ CALLBACK(list_pool, int,
 	printf("%-20s %-30s %16s\n",
 		name, vici_find_str(res, "", "%s.base", name), leases);
 
-	return 0;
+	return vici_parse_cb(res, list_leases, NULL, NULL, name);
 }
 
 static int list_pools(vici_conn_t *conn)
@@ -43,6 +60,7 @@ static int list_pools(vici_conn_t *conn)
 	command_format_options_t format = COMMAND_FORMAT_NONE;
 	char *arg;
 	int ret = 0;
+	bool leases = FALSE;
 
 	while (TRUE)
 	{
@@ -56,6 +74,9 @@ static int list_pools(vici_conn_t *conn)
 			case 'r':
 				format |= COMMAND_FORMAT_RAW;
 				continue;
+			case 'l':
+				leases = TRUE;
+				continue;
 			case EOF:
 				break;
 			default:
@@ -65,6 +86,10 @@ static int list_pools(vici_conn_t *conn)
 	}
 
 	req = vici_begin("get-pools");
+	if (leases)
+	{
+		vici_add_key_valuef(req, "leases", "yes");
+	}
 	res = vici_submit(req, conn);
 	if (!res)
 	{
@@ -92,11 +117,12 @@ static void __attribute__ ((constructor))reg()
 {
 	command_register((command_t) {
 		list_pools, 'A', "list-pools", "list loaded pool configurations",
-		{"[--raw|--pretty]"},
+		{"[--leases] [--raw|--pretty]"},
 		{
 			{"help",		'h', 0, "show usage information"},
 			{"raw",			'r', 0, "dump raw response message"},
 			{"pretty",		'P', 0, "dump raw response message in pretty print"},
+			{"leases",		'l', 0, "list leases of each pool"},
 		}
 	});
 }
diff --git a/src/swanctl/commands/list_sas.c b/src/swanctl/commands/list_sas.c
index 1aca6d2..93dd7ed 100644
--- a/src/swanctl/commands/list_sas.c
+++ b/src/swanctl/commands/list_sas.c
@@ -198,8 +198,14 @@ CALLBACK(ike_sa, int,
 			ike->get(ike, "state"), ike->get(ike, "version"),
 			ike->get(ike, "initiator-spi"), ike->get(ike, "responder-spi"));
 
-		printf("  local  '%s' @ %s\n",
+		printf("  local  '%s' @ %s",
 			ike->get(ike, "local-id"), ike->get(ike, "local-host"));
+		if (ike->get(ike, "local-vips"))
+		{
+			printf(" [%s]", ike->get(ike, "local-vips"));
+		}
+		printf("\n");
+
 		printf("  remote '%s' @ %s",
 			ike->get(ike, "remote-id"), ike->get(ike, "remote-host"));
 		if (ike->get(ike, "remote-eap-id"))
@@ -210,6 +216,10 @@ CALLBACK(ike_sa, int,
 		{
 			printf(" XAuth: '%s'", ike->get(ike, "remote-xauth-id"));
 		}
+		if (ike->get(ike, "remote-vips"))
+		{
+			printf(" [%s]", ike->get(ike, "remote-vips"));
+		}
 		printf("\n");
 
 		if (ike->get(ike, "encr-alg"))
diff --git a/testing/do-tests b/testing/do-tests
index c01152c..c87ba05 100755
--- a/testing/do-tests
+++ b/testing/do-tests
@@ -47,7 +47,6 @@ testnumber="0"
 failed_cnt="0"
 passed_cnt="0"
 
-
 ##############################################################################
 # copy default tests to $BUILDDIR
 #
@@ -105,6 +104,12 @@ do
     do_on_exit kill `eval echo \\\$ssh_pid_$host`
 done
 
+##############################################################################
+# determine actual software versions
+#
+
+[ -f $SHAREDDIR/.strongswan-version ] && SWANVERSION=`cat $SHAREDDIR/.strongswan-version`
+KERNELVERSION=`ssh $SSHCONF root@\$ipv4_winnetou uname -r 2>/dev/null`
 
 ##############################################################################
 # create header for the results html file
@@ -131,7 +136,7 @@ ENVIRONMENT_HEADER=$(cat <<@EOF
     <tr>
       <td width="100"> </td>
       <td width="300"> </td>
-      <td width=" 50"> </td>
+      <td width=" 80"> </td>
       <td > </td>
     </tr>
 @EOF
@@ -159,7 +164,8 @@ cat > $TESTRESULTSHTML <<@EOF
     <tr align="left">
       <th>Number</th>
       <th>Test</th>
-      <th colspan="2">Result</th>
+      <th align="right">Time [s]</th>
+      <th>Result</th>
     </tr>
 @EOF
 
@@ -249,6 +255,8 @@ do
 	testname=$SUBDIR/$name
 	log_action " $testnumber $testname:"
 
+	teststart=$(date +%s)
+
 	if [ ! -d $DEFAULTTESTSDIR/${testname} ]
 	then
 	    echo "is missing..skipped"
@@ -329,8 +337,11 @@ do
 	# copy test specific configurations to uml hosts and clear auth.log files
 	#
 
+	DBDIR=/etc/db.d
+
 	$DIR/scripts/load-testconfig $testname
 	unset RADIUSHOSTS
+	unset DBHOSTS
 	unset IPV6
 	unset SWANCTL
 	source $TESTDIR/test.conf
@@ -356,6 +367,17 @@ do
 	fi
 
 	##########################################################################
+	# create database directory in RAM
+	#
+
+	for host in $DBHOSTS
+	do
+		eval HOSTLOGIN=root@\$ipv4_${host}
+	    ssh $SSHCONF $HOSTLOGIN "mkdir -p $DBDIR; mount -t ramfs -o size=5m ramfs $DBDIR" >/dev/null 2>&1
+	    ssh $SSHCONF $HOSTLOGIN "chgrp www-data $DBDIR; chmod g+w $DBDIR" >/dev/null 2>&1
+	done
+
+	##########################################################################
 	# flush conntrack table on all hosts
 	#
 
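Review bot: `mount -t ramfs -o size=5m` does not cap anything, because ramfs ignores the size option and grows until memory runs out; `mount -t tmpfs -o size=5m tmpfs $DBDIR` gives the 5 MB limit the option suggests. The commands in each ssh call are joined with `;` and all output goes to /dev/null, so if the mount fails, `chgrp www-data` and `chmod g+w` still run against the on-disk directory and the failure stays invisible; chaining with `&&` would stop at the first error. DBDIR is assigned in an earlier hunk before test.conf is sourced, so a test can override it, and quoting `"$DBDIR"` would be safer. The loop body also mixes tab and space indentation.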
@@ -504,32 +526,20 @@ do
 
 		scp $SSHCONF $HOSTLOGIN:/etc/strongswan.conf \
 		    $TESTRESULTDIR/${host}.strongswan.conf  > /dev/null 2>&1
-
 		if [  -n "$SWANCTL" ]
 		then
 			scp $SSHCONF $HOSTLOGIN:/etc/swanctl/swanctl.conf \
 			$TESTRESULTDIR/${host}.swanctl.conf  > /dev/null 2>&1
 
-		    ssh $SSHCONF $HOSTLOGIN swanctl --list-conns \
-			    > $TESTRESULTDIR/${host}.swanctl.conns 2>/dev/null
+			for subsys in conns certs pools authorities sas pols
+			do
+				ssh $SSHCONF $HOSTLOGIN swanctl --list-$subsys \
+					> $TESTRESULTDIR/${host}.swanctl.$subsys 2>/dev/null
+			done
 
-		    ssh $SSHCONF $HOSTLOGIN swanctl --list-certs \
-			    > $TESTRESULTDIR/${host}.swanctl.certs 2>/dev/null
-
-		    ssh $SSHCONF $HOSTLOGIN swanctl --list-pools \
-			    > $TESTRESULTDIR/${host}.swanctl.pools 2>/dev/null
-
-		    ssh $SSHCONF $HOSTLOGIN swanctl --list-authorities \
-			    > $TESTRESULTDIR/${host}.swanctl.authorities 2>/dev/null
-
-		    ssh $SSHCONF $HOSTLOGIN swanctl --list-sas \
-			    > $TESTRESULTDIR/${host}.swanctl.sas 2>/dev/null
-
-		    ssh $SSHCONF $HOSTLOGIN swanctl --list-pols \
-			    > $TESTRESULTDIR/${host}.swanctl.pols 2>/dev/null
-
-		    ssh $SSHCONF $HOSTLOGIN swanctl --stats \
-			    > $TESTRESULTDIR/${host}.swanctl.stats 2>/dev/null
+			# this is quite slow due to allocation stats via leak-detective
+			ssh $SSHCONF $HOSTLOGIN swanctl --stats \
+				> $TESTRESULTDIR/${host}.swanctl.stats 2>/dev/null
 		else
 		    for file in ipsec.conf ipsec.secrets
 		    do
@@ -752,7 +762,7 @@ do
 	for host in $IPSECHOSTS
 	do
 	    eval HOSTLOGIN=root@\$ipv4_${host}
-	    ssh $SSHCONF $HOSTLOGIN "grep -E 'charon|last message repeated|imcv|pt-tls-client' \
+	    ssh $SSHCONF $HOSTLOGIN "grep -s -E 'charon|last message repeated|imcv|pt-tls-client' \
 		/var/log/auth.log" >> $TESTRESULTDIR/${host}.auth.log
 	done
 
@@ -764,7 +774,7 @@ do
 	for host in $IPSECHOSTS
 	do
 	    eval HOSTLOGIN=root@\$ipv4_${host}
-	    ssh $SSHCONF $HOSTLOGIN "grep -E 'charon|last message repeated|imcv' \
+	    ssh $SSHCONF $HOSTLOGIN "grep -s -E 'charon|last message repeated|imcv' \
 		/var/log/daemon.log" >> $TESTRESULTDIR/${host}.daemon.log
 	done
 
@@ -783,6 +793,15 @@ do
 	    fi
 	done
 
+	##########################################################################
+	# remove database directory if needed
+	#
+
+	for host in $DBHOSTS
+	do
+		eval HOSTLOGIN=root@\$ipv4_${host}
+	    ssh $SSHCONF $HOSTLOGIN "umount $DBDIR; rm -r $DBDIR" > /dev/null 2>&1
+	done
 
 	##########################################################################
 	# copy default host config back if necessary
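Review bot: `umount $DBDIR; rm -r $DBDIR` runs the recursive delete as root even when the umount failed or the directory was never a mount point, and both results are discarded. `umount $DBDIR && rmdir $DBDIR` removes only the empty mount point and leaves any data alone if the unmount did not succeed. DBDIR is set before test.conf is sourced (in an earlier hunk), so an empty or unexpected value could reach `rm -r` unquoted.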
@@ -794,6 +813,9 @@ do
 	##########################################################################
 	# write test status to html file
 	#
+	testend=$(date +%s)
+	let "testend -= teststart"
+	let "timetotal += testend"
 
 	if [ $STATUS = "passed" ]
 	then
@@ -808,8 +830,8 @@ do
   <tr>
     <td>$testnumber</td>
     <td><a href="$testname/index.html">$testname</a></td>
+    <td align="right">$testend</td>
     <td><a href="$testname/console.log"><font color="$COLOR">$STATUS</font></a></td>
-    <td> </td>
   </tr>
 @EOF
 	cat >> $SUBTESTSINDEX << @EOF
@@ -851,6 +873,9 @@ cat >> $TESTRESULTSHTML << @EOF
     <tr>
       <td><b>Failed</b></td><td><b><font color="red">$failed_cnt</font></b></td><td> </td><td> </td>
     </tr>
+    <tr>
+      <td><b>Time [s]</b></td><td><b><font color="blue">$timetotal</font></b></td><td> </td><td> </td>
+    </tr>
   </table>
 </body>
 </html>
@@ -895,6 +920,6 @@ echo
 echo "The results are available in $TODAYDIR"
 echo "or via the link http://$ipv4_winnetou/testresults/$TESTDATE"
 
-ENDDATE=`date +%Y%m%d-%H%M`
+ENDDATE=`date +%Y%m%d-%H%M-%S`
 echo
 echo "Finished : $ENDDATE"
diff --git a/testing/hosts/default/etc/strongswan.conf.testing b/testing/hosts/default/etc/strongswan.conf.testing
new file mode 100644
index 0000000..55efbe7
--- /dev/null
+++ b/testing/hosts/default/etc/strongswan.conf.testing
@@ -0,0 +1,7 @@
+charon {
+  retransmit_tries = 2
+  retransmit_timeout = 1.0
+  retransmit_base = 1
+}
+
+include strongswan.conf
\ No newline at end of file
diff --git a/testing/hosts/winnetou/etc/openssl/generate-crl b/testing/hosts/winnetou/etc/openssl/generate-crl
index f064bdb..842c3a1 100755
--- a/testing/hosts/winnetou/etc/openssl/generate-crl
+++ b/testing/hosts/winnetou/etc/openssl/generate-crl
@@ -45,5 +45,5 @@ openssl ca -gencrl -crldays 15 -config /etc/openssl/rfc3779/openssl.cnf -out crl
 openssl crl -in crl.pem -outform der -out strongswan_rfc3779.crl
 cp strongswan_rfc3779.crl ${ROOT}
 cd /etc/openssl/bliss
-pki --signcrl --cacert strongswan_blissCert.der --cakey strongswan_blissKey.der --lifetime 30 --digest sha512 > strongswan_bliss.crl
+pki --signcrl --cacert strongswan_blissCert.der --cakey strongswan_blissKey.der --lifetime 30 --digest sha3_512 > strongswan_bliss.crl
 cp strongswan_bliss.crl ${ROOT}
diff --git a/testing/scripts/build-strongswan b/testing/scripts/build-strongswan
index c52dddd..8c6ecaa 100755
--- a/testing/scripts/build-strongswan
+++ b/testing/scripts/build-strongswan
@@ -49,7 +49,21 @@ log_action "Mounting $SWANDIR as /root/strongswan"
 execute "bindfs -u $SRCUID -g $SRCGID $SWANDIR $LOOPDIR/root/strongswan"
 do_on_exit umount $LOOPDIR/root/strongswan
 
+log_action "Remove SWID tags of previous versions"
+execute_chroot 'find /usr/local/share/regid.2004-03.org.strongswan -name *.swidtag -delete'
+
 echo "Building and installing strongSwan"
+
+log_action "Determine strongSwan version"
+desc=`git -C $SWANDIR describe --dirty`
+if [ $? -eq 0 ]; then
+	SWANVERSION="$desc (`git -C $SWANDIR rev-parse --abbrev-ref HEAD`)"
+else
+	SWANVERSION="`cat $SWANDIR/configure.ac | sed -n '/^AC_INIT/{ s/.*,\[\(.*\)\])$/\1/p }'`"
+fi
+echo "$SWANVERSION" > $SHAREDDIR/.strongswan-version
+log_status 0
+
 log_action "Preparing source tree"
 execute_chroot 'autoreconf -i /root/strongswan'
 
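Review bot: In the `find ... -name *.swidtag -delete` command the pattern is unquoted inside the single-quoted string, so whichever shell execute_chroot uses to run it (defined outside this hunk) may expand `*.swidtag` against the current directory before find sees it. Writing `-name "*.swidtag"` inside the single quotes avoids that. `$SWANDIR` and `$SHAREDDIR` are also unquoted in the git and echo lines. When the tree is not a git checkout, `git describe` prints its error to the output; adding `2>/dev/null` on that line would keep the fallback path quiet.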
diff --git a/testing/scripts/recipes/010_tkm.mk b/testing/scripts/recipes/010_tkm.mk
index 5abd217..8799d42 100644
--- a/testing/scripts/recipes/010_tkm.mk
+++ b/testing/scripts/recipes/010_tkm.mk
@@ -2,7 +2,7 @@
 
 PKG = tkm
 SRC = http://git.codelabs.ch/git/$(PKG).git
-REV = v0.1.2
+REV = v0.1.3
 
 export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
 
diff --git a/testing/scripts/recipes/013_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk
index 404c6c6..994acaa 100644
--- a/testing/scripts/recipes/013_strongswan.mk
+++ b/testing/scripts/recipes/013_strongswan.mk
@@ -18,6 +18,7 @@ NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
 
 CONFIG_OPTS = \
 	--sysconfdir=/etc \
+	--with-strongswan-conf=/etc/strongswan.conf.testing \
 	--with-random-device=/dev/urandom \
 	--disable-load-warning \
 	--enable-curl \
@@ -98,7 +99,8 @@ CONFIG_OPTS = \
 	--enable-ntru \
 	--enable-lookip \
 	--enable-swanctl \
-	--enable-bliss
+	--enable-bliss \
+	--enable-sha3
 
 export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
 
@@ -109,6 +111,7 @@ $(TAR):
 
 $(PKG): $(TAR)
 	tar xfj $(TAR)
+	echo "$(SWANVERSION)" > /root/shared/.strongswan-version
 
 configure: $(BUILDDIR)
 	cd $(BUILDDIR) && $(DIR)/configure $(CONFIG_OPTS)
diff --git a/testing/tests/af-alg/alg-camellia/pretest.dat b/testing/tests/af-alg/alg-camellia/pretest.dat
index 886fdf5..de4acbb 100644
--- a/testing/tests/af-alg/alg-camellia/pretest.dat
+++ b/testing/tests/af-alg/alg-camellia/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/af-alg/rw-cert/pretest.dat b/testing/tests/af-alg/rw-cert/pretest.dat
index c582e03..855c273 100644
--- a/testing/tests/af-alg/rw-cert/pretest.dat
+++ b/testing/tests/af-alg/rw-cert/pretest.dat
@@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 3
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
-dave::ipsec up home
+dave::ipsec up home
\ No newline at end of file
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat
index 1b8fc3b..8230de0 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat
@@ -1,4 +1,4 @@
 carol::ipsec start
 moon::ipsec start
-carol::sleep 2 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat
index 1b8fc3b..8230de0 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat
@@ -1,4 +1,4 @@
 carol::ipsec start
 moon::ipsec start
-carol::sleep 2 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat
index 886fdf5..de4acbb 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
index c582e03..f1a4b96 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
+++ b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 3
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/ha/active-passive/evaltest.dat b/testing/tests/ha/active-passive/evaltest.dat
index 448f283..9af5c4c 100644
--- a/testing/tests/ha/active-passive/evaltest.dat
+++ b/testing/tests/ha/active-passive/evaltest.dat
@@ -16,7 +16,7 @@ dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
 alice::ip xfrm policy flush::no output expected::NO
 alice::ip xfrm state flush::no output expected::NO
 alice::killall -9 starter charon::no output expected::NO
-carol::sleep 3::no output expected::NO
+carol::sleep 2::no output expected::NO
 moon:: cat /var/log/daemon.log::no heartbeat received, taking all segments::YES
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*mars.strongswan.org.*carol at strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*mars.strongswan.org.*dave at strongswan.org::YES
diff --git a/testing/tests/ha/active-passive/pretest.dat b/testing/tests/ha/active-passive/pretest.dat
index d0efb76..2bdab28 100644
--- a/testing/tests/ha/active-passive/pretest.dat
+++ b/testing/tests/ha/active-passive/pretest.dat
@@ -12,10 +12,11 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 alice::ipsec start
 moon::ipsec start
-moon::sleep 2 
+moon::sleep 2
 alice::echo "+1" > /var/run/charon.ha
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/ha/both-active/pretest.dat b/testing/tests/ha/both-active/pretest.dat
index 5ffc387..f48873f 100644
--- a/testing/tests/ha/both-active/pretest.dat
+++ b/testing/tests/ha/both-active/pretest.dat
@@ -14,6 +14,7 @@ alice::ipsec start
 alice::sleep 1
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/ike/rw-cert/pretest.dat b/testing/tests/ike/rw-cert/pretest.dat
index e507938..f1af9ed 100644
--- a/testing/tests/ike/rw-cert/pretest.dat
+++ b/testing/tests/ike/rw-cert/pretest.dat
@@ -1,7 +1,7 @@
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1 
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ike/rw_v1-net_v2/pretest.dat b/testing/tests/ike/rw_v1-net_v2/pretest.dat
index f61a4cb..072d9dd 100644
--- a/testing/tests/ike/rw_v1-net_v2/pretest.dat
+++ b/testing/tests/ike/rw_v1-net_v2/pretest.dat
@@ -1,7 +1,7 @@
 moon::ipsec start
 sun::ipsec start
 carol::ipsec start
-moon::sleep 1 
+moon::expect-connection net-net
+carol::expect-connection home
 moon::ipsec up net-net
 carol::ipsec up home
-moon::sleep 1
diff --git a/testing/tests/ikev1/alg-3des-md5/pretest.dat b/testing/tests/ikev1/alg-3des-md5/pretest.dat
index 4fc2577..de4acbb 100644
--- a/testing/tests/ikev1/alg-3des-md5/pretest.dat
+++ b/testing/tests/ikev1/alg-3des-md5/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-blowfish/pretest.dat b/testing/tests/ikev1/alg-blowfish/pretest.dat
index 8bbea14..f1a4b96 100644
--- a/testing/tests/ikev1/alg-blowfish/pretest.dat
+++ b/testing/tests/ikev1/alg-blowfish/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/alg-modp-subgroup/pretest.dat b/testing/tests/ikev1/alg-modp-subgroup/pretest.dat
index 8bbea14..f1a4b96 100644
--- a/testing/tests/ikev1/alg-modp-subgroup/pretest.dat
+++ b/testing/tests/ikev1/alg-modp-subgroup/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/alg-sha256/pretest.dat b/testing/tests/ikev1/alg-sha256/pretest.dat
index 4fc2577..de4acbb 100644
--- a/testing/tests/ikev1/alg-sha256/pretest.dat
+++ b/testing/tests/ikev1/alg-sha256/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-sha384/pretest.dat b/testing/tests/ikev1/alg-sha384/pretest.dat
index 4fc2577..de4acbb 100644
--- a/testing/tests/ikev1/alg-sha384/pretest.dat
+++ b/testing/tests/ikev1/alg-sha384/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-sha512/pretest.dat b/testing/tests/ikev1/alg-sha512/pretest.dat
index 4fc2577..de4acbb 100644
--- a/testing/tests/ikev1/alg-sha512/pretest.dat
+++ b/testing/tests/ikev1/alg-sha512/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/compress/pretest.dat b/testing/tests/ikev1/compress/pretest.dat
index f5aa989..8230de0 100644
--- a/testing/tests/ikev1/compress/pretest.dat
+++ b/testing/tests/ikev1/compress/pretest.dat
@@ -1,4 +1,4 @@
 carol::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/config-payload-push/pretest.dat b/testing/tests/ikev1/config-payload-push/pretest.dat
index 3864bda..c0ec6a7 100644
--- a/testing/tests/ikev1/config-payload-push/pretest.dat
+++ b/testing/tests/ikev1/config-payload-push/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2 
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/config-payload/pretest.dat b/testing/tests/ikev1/config-payload/pretest.dat
index 3864bda..c0ec6a7 100644
--- a/testing/tests/ikev1/config-payload/pretest.dat
+++ b/testing/tests/ikev1/config-payload/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2 
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/double-nat-net/pretest.dat b/testing/tests/ikev1/double-nat-net/pretest.dat
index 17a4fe5..d300a27 100644
--- a/testing/tests/ikev1/double-nat-net/pretest.dat
+++ b/testing/tests/ikev1/double-nat-net/pretest.dat
@@ -7,6 +7,5 @@ sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-des
 sun::ip route add 10.1.0.0/16 via PH_IP_BOB
 alice::ipsec start
 bob::ipsec start
-alice::sleep 2
+alice::expect-connection nat-t
 alice::ipsec up nat-t
-alice::sleep 1
diff --git a/testing/tests/ikev1/double-nat/pretest.dat b/testing/tests/ikev1/double-nat/pretest.dat
index 65f18b7..6a861d2 100644
--- a/testing/tests/ikev1/double-nat/pretest.dat
+++ b/testing/tests/ikev1/double-nat/pretest.dat
@@ -6,6 +6,5 @@ sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-s
 sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB
 alice::ipsec start
 bob::ipsec start
-alice::sleep 2
+alice::expect-connection nat-t
 alice::ipsec up nat-t
-alice::sleep 1
diff --git a/testing/tests/ikev1/dpd-clear/description.txt b/testing/tests/ikev1/dpd-clear/description.txt
index 7f62dc5..0fb2f10 100644
--- a/testing/tests/ikev1/dpd-clear/description.txt
+++ b/testing/tests/ikev1/dpd-clear/description.txt
@@ -1,5 +1,5 @@
 The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway <b>moon</b>
 which in turn activates <b>Dead Peer Detection</b> (DPD) with a polling interval of 10 s.
 When the network connectivity between <b>carol</b> and <b>moon</b> is forcefully disrupted,
-<b>moon</b> clears the connection after 4 unsuccessful retransmits.
+<b>moon</b> clears the connection after a number of unsuccessful retransmits.
 
diff --git a/testing/tests/ikev1/dpd-clear/evaltest.dat b/testing/tests/ikev1/dpd-clear/evaltest.dat
index f6f1821..8d4fa03 100644
--- a/testing/tests/ikev1/dpd-clear/evaltest.dat
+++ b/testing/tests/ikev1/dpd-clear/evaltest.dat
@@ -1,7 +1,7 @@
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon:: sleep 60::no output expected::NO
+moon:: sleep 16::no output expected::NO
 moon:: cat /var/log/daemon.log::sending DPD request::YES
-moon::cat /var/log/daemon.log::DPD check timed out, enforcing DPD action::YES
+moon:: cat /var/log/daemon.log::DPD check timed out, enforcing DPD action::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
diff --git a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
index 83f2849..9219e70 100644
--- a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
@@ -9,8 +9,8 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 	dpdaction=clear
-	dpddelay=10
-	dpdtimeout=45
+	dpddelay=5
+	dpdtimeout=15
 
 conn rw
 	left=PH_IP_MOON
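Review bot: `dpddelay=5` makes the test description stale, because dpd-clear/description.txt, edited by this same commit, still says DPD runs "with a polling interval of 10 s". That sentence should end `(DPD) with a polling interval of 5 s.` to match. The dpd-restart description has the same leftovers ("polling interval of 10s", "a duration of 100s"), while carol's `dpddelay` there is lowered to 5 and the evaltest now sleeps 16 seconds. The `conn %default` section begins above this hunk.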
diff --git a/testing/tests/ikev1/dpd-clear/pretest.dat b/testing/tests/ikev1/dpd-clear/pretest.dat
index 14ed953..3a1982f 100644
--- a/testing/tests/ikev1/dpd-clear/pretest.dat
+++ b/testing/tests/ikev1/dpd-clear/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/dpd-restart/description.txt b/testing/tests/ikev1/dpd-restart/description.txt
index 410d3d6..6f4af94 100644
--- a/testing/tests/ikev1/dpd-restart/description.txt
+++ b/testing/tests/ikev1/dpd-restart/description.txt
@@ -1,7 +1,7 @@
 The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway
 <b>moon</b>. Both end points activate <b>Dead Peer Detection</b> (DPD) with a
-polling interval of 10 s. When the network connectivity between <b>carol</b>
-and <b>moon</b> is forcefully disrupted for a duration of 100 s, <b>moon</b>
-clears the connection after 4 unsuccessful retransmits whereas <b>carol</b>
+polling interval of 10s. When the network connectivity between <b>carol</b>
+and <b>moon</b> is forcefully disrupted for a duration of 100s, <b>moon</b>
+clears the connection after a number of unsuccessful retransmits whereas <b>carol</b>
 also takes down the connection but immediately tries to reconnect which succeeds
 as soon as the connection becomes available again.
diff --git a/testing/tests/ikev1/dpd-restart/evaltest.dat b/testing/tests/ikev1/dpd-restart/evaltest.dat
index 6a749b8..a685ce1 100644
--- a/testing/tests/ikev1/dpd-restart/evaltest.dat
+++ b/testing/tests/ikev1/dpd-restart/evaltest.dat
@@ -2,12 +2,12 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-carol::sleep 60::no output expected::NO
+carol::sleep 16::no output expected::NO
 carol::cat /var/log/daemon.log::sending DPD request::YES
 carol::cat /var/log/daemon.log::DPD check timed out, enforcing DPD action::YES
 carol::cat /var/log/daemon.log::restarting CHILD_SA home::YES
 carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
 moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
-carol::sleep 10::no output expected::NO
+carol::sleep 2::no output expected::NO
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
index d3c105c..4e142d6 100644
--- a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
@@ -9,8 +9,8 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 	dpdaction=restart
-        dpddelay=10
-	dpdtimeout=45
+	dpddelay=5
+	dpdtimeout=15
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/dpd-restart/pretest.dat b/testing/tests/ikev1/dpd-restart/pretest.dat
index 14ed953..3a1982f 100644
--- a/testing/tests/ikev1/dpd-restart/pretest.dat
+++ b/testing/tests/ikev1/dpd-restart/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/dynamic-initiator/posttest.dat b/testing/tests/ikev1/dynamic-initiator/posttest.dat
index 32ac12d..6898bd5 100644
--- a/testing/tests/ikev1/dynamic-initiator/posttest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/posttest.dat
@@ -1,6 +1,5 @@
 dave::ipsec stop
 carol::ipsec stop
-dave::sleep 1
 moon::ipsec stop
 carol::iptables-restore < /etc/iptables.flush
 dave::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev1/dynamic-initiator/pretest.dat b/testing/tests/ikev1/dynamic-initiator/pretest.dat
index 9aadb2a..7e6ad46 100644
--- a/testing/tests/ikev1/dynamic-initiator/pretest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/pretest.dat
@@ -2,10 +2,9 @@ carol::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection moon
 carol::ipsec up moon
-carol::sleep 1
 carol::iptables -D INPUT  -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+dave::expect-connection moon
 dave::ipsec up moon
-dave::sleep 2
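Review bot: `moon::ipsec start` is still the last daemon started here, and the only wait before `carol::ipsec up moon` is `carol::expect-connection moon`. Going by its name (the helper is not shown in this hunk), it checks carol's own configuration, not the peer's. The removed `carol::sleep 2` was what gave moon time to come up, so the first initiation may now race the responder's startup. Other files in this commit avoid that by moving `moon::ipsec start` to the top (rw-psk-fqdn/pretest.dat) or by adding `moon::expect-connection rw` (rw-cert/pretest.dat). The same treatment looks appropriate here and in the pretest.dat hunks of dynamic-two-peers, ip-pool, multi-level-ca, multi-level-ca-cr-resp, rw-ntru-psk, virtual-ip, esp-alg-aes-xcbc and nat-rw.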
diff --git a/testing/tests/ikev1/dynamic-responder/posttest.dat b/testing/tests/ikev1/dynamic-responder/posttest.dat
index 32ac12d..6898bd5 100644
--- a/testing/tests/ikev1/dynamic-responder/posttest.dat
+++ b/testing/tests/ikev1/dynamic-responder/posttest.dat
@@ -1,6 +1,5 @@
 dave::ipsec stop
 carol::ipsec stop
-dave::sleep 1
 moon::ipsec stop
 carol::iptables-restore < /etc/iptables.flush
 dave::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev1/dynamic-responder/pretest.dat b/testing/tests/ikev1/dynamic-responder/pretest.dat
index 8dc744f..0c423ae 100644
--- a/testing/tests/ikev1/dynamic-responder/pretest.dat
+++ b/testing/tests/ikev1/dynamic-responder/pretest.dat
@@ -2,10 +2,11 @@ carol::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-moon::sleep 2
+moon::expect-connection carol
 moon::ipsec up carol
-moon::sleep 1
+moon::sleep 0.5
 carol::iptables -D INPUT  -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+dave::expect-connection moon
 dave::ipsec up moon
-dave::sleep 2
+moon::sleep 0.5
diff --git a/testing/tests/ikev1/dynamic-two-peers/posttest.dat b/testing/tests/ikev1/dynamic-two-peers/posttest.dat
index 7b26098..119c8e4 100644
--- a/testing/tests/ikev1/dynamic-two-peers/posttest.dat
+++ b/testing/tests/ikev1/dynamic-two-peers/posttest.dat
@@ -1,6 +1,5 @@
 carol::ipsec stop
 dave::ipsec stop
-moon::sleep 1
 moon::ipsec stop
 moon::mv /etc/hosts.ori /etc/hosts
 moon::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/dynamic-two-peers/pretest.dat b/testing/tests/ikev1/dynamic-two-peers/pretest.dat
index 4bb2a46..c19b38f 100644
--- a/testing/tests/ikev1/dynamic-two-peers/pretest.dat
+++ b/testing/tests/ikev1/dynamic-two-peers/pretest.dat
@@ -6,7 +6,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection moon
+dave::expect-connection moon
 carol::ipsec up moon
 dave::ipsec up moon
-carol::sleep 1
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat
index 4fc2577..de4acbb 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat
index 4fc2577..de4acbb 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat
index 4fc2577..de4acbb 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat
index 4fc2577..de4acbb 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat b/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat
index f5aa989..8230de0 100644
--- a/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat
@@ -1,4 +1,4 @@
 carol::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-null/pretest.dat b/testing/tests/ikev1/esp-alg-null/pretest.dat
index 886fdf5..de4acbb 100644
--- a/testing/tests/ikev1/esp-alg-null/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-null/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/host2host-ah/pretest.dat b/testing/tests/ikev1/host2host-ah/pretest.dat
index 99789b9..997a481 100644
--- a/testing/tests/ikev1/host2host-ah/pretest.dat
+++ b/testing/tests/ikev1/host2host-ah/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::expect-connection host-host
 moon::ipsec up host-host
diff --git a/testing/tests/ikev1/host2host-cert/pretest.dat b/testing/tests/ikev1/host2host-cert/pretest.dat
index 3bce9f6..997a481 100644
--- a/testing/tests/ikev1/host2host-cert/pretest.dat
+++ b/testing/tests/ikev1/host2host-cert/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::expect-connection host-host
 moon::ipsec up host-host
diff --git a/testing/tests/ikev1/host2host-transport/pretest.dat b/testing/tests/ikev1/host2host-transport/pretest.dat
index 99789b9..997a481 100644
--- a/testing/tests/ikev1/host2host-transport/pretest.dat
+++ b/testing/tests/ikev1/host2host-transport/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::expect-connection host-host
 moon::ipsec up host-host
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
index a4542db..6c22fd5 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -7,7 +7,7 @@ charon {
 libhydra {
   plugins {
     attr-sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
 }
diff --git a/testing/tests/ikev1/ip-pool-db/posttest.dat b/testing/tests/ikev1/ip-pool-db/posttest.dat
index c99f347..37436a3 100644
--- a/testing/tests/ikev1/ip-pool-db/posttest.dat
+++ b/testing/tests/ikev1/ip-pool-db/posttest.dat
@@ -7,4 +7,3 @@ dave::iptables-restore < /etc/iptables.flush
 moon::ipsec pool --del bigpool 2> /dev/null
 moon::ipsec pool --del dns 2> /dev/null
 moon::ipsec pool --del nbns 2> /dev/null
-moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev1/ip-pool-db/pretest.dat b/testing/tests/ikev1/ip-pool-db/pretest.dat
index 2327eb9..337ccb2 100644
--- a/testing/tests/ikev1/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev1/ip-pool-db/pretest.dat
@@ -1,5 +1,5 @@
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
 moon::ipsec pool --addattr dns  --server PH_IP_WINNETOU 2> /dev/null
 moon::ipsec pool --addattr dns  --server PH_IP_VENUS 2> /dev/null
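Review bot: Nothing visible in this test creates `/etc/db.d` before the `> /etc/db.d/ipsec.sql` redirect, or removes the database afterwards. posttest.dat drops `moon::rm /etc/ipsec.d/ipsec.*` with no replacement, so both steps presumably rely on the framework handling the hosts listed in the new `DBHOSTS="moon"`. If that handling does not give each test a fresh directory, pool leases and attributes from one run carry over into the next and can hide an address-assignment regression. In that case keep an explicit `moon::rm /etc/db.d/ipsec.*` in posttest.dat; otherwise add a comment next to `DBHOSTS` saying what the framework does for those hosts.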
@@ -7,10 +7,10 @@ moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/ip-pool-db/test.conf b/testing/tests/ikev1/ip-pool-db/test.conf
index 164b07f..31820ea 100644
--- a/testing/tests/ikev1/ip-pool-db/test.conf
+++ b/testing/tests/ikev1/ip-pool-db/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon alice"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="moon"
diff --git a/testing/tests/ikev1/ip-pool/pretest.dat b/testing/tests/ikev1/ip-pool/pretest.dat
index 3864bda..2d09e88 100644
--- a/testing/tests/ikev1/ip-pool/pretest.dat
+++ b/testing/tests/ikev1/ip-pool/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2 
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat b/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat
index 2eebc0f..bee9bc7 100644
--- a/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat
@@ -1,6 +1,7 @@
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-moon::sleep 2
+moon::expect-connection alice
+moon::expect-connection venus
 moon::ipsec up alice
 moon::ipsec up venus
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat b/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat
index 86dd31e..be0051e 100644
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat
@@ -1,6 +1,7 @@
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection alice
 carol::ipsec up alice
+dave::expect-connection venus
 dave::ipsec up venus
diff --git a/testing/tests/ikev1/multi-level-ca/pretest.dat b/testing/tests/ikev1/multi-level-ca/pretest.dat
index 755564c..2134d6b 100644
--- a/testing/tests/ikev1/multi-level-ca/pretest.dat
+++ b/testing/tests/ikev1/multi-level-ca/pretest.dat
@@ -1,8 +1,11 @@
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection alice
+carol::expect-connection venus
 carol::ipsec up alice
 carol::ipsec up venus
+dave::expect-connection alice
+dave::expect-connection venus
 dave::ipsec up venus
 dave::ipsec up alice
diff --git a/testing/tests/ikev1/nat-rw/pretest.dat b/testing/tests/ikev1/nat-rw/pretest.dat
index d701a1d..e3d9fc8 100644
--- a/testing/tests/ikev1/nat-rw/pretest.dat
+++ b/testing/tests/ikev1/nat-rw/pretest.dat
@@ -6,8 +6,7 @@ moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-
 alice::ipsec start
 venus::ipsec start
 sun::ipsec start
-alice::sleep 2 
+alice::expect-connection nat-t
 alice::ipsec up nat-t
-venus::sleep 2 
+venus::expect-connection nat-t
 venus::ipsec up nat-t
-venus::sleep 2
diff --git a/testing/tests/ikev1/nat-virtual-ip/pretest.dat b/testing/tests/ikev1/nat-virtual-ip/pretest.dat
index 8945d87..1732d6e 100644
--- a/testing/tests/ikev1/nat-virtual-ip/pretest.dat
+++ b/testing/tests/ikev1/nat-virtual-ip/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/ikev1/net2net-ah/pretest.dat b/testing/tests/ikev1/net2net-ah/pretest.dat
index 81a98fa..25e393c 100644
--- a/testing/tests/ikev1/net2net-ah/pretest.dat
+++ b/testing/tests/ikev1/net2net-ah/pretest.dat
@@ -1,6 +1,6 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::ipsec start
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-cert/pretest.dat b/testing/tests/ikev1/net2net-cert/pretest.dat
index c724e5d..25e393c 100644
--- a/testing/tests/ikev1/net2net-cert/pretest.dat
+++ b/testing/tests/ikev1/net2net-cert/pretest.dat
@@ -1,6 +1,6 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::ipsec start
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-fragmentation/pretest.dat b/testing/tests/ikev1/net2net-fragmentation/pretest.dat
index c724e5d..25e393c 100644
--- a/testing/tests/ikev1/net2net-fragmentation/pretest.dat
+++ b/testing/tests/ikev1/net2net-fragmentation/pretest.dat
@@ -1,6 +1,6 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::ipsec start
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-ntru-cert/pretest.dat b/testing/tests/ikev1/net2net-ntru-cert/pretest.dat
index c724e5d..1732d6e 100644
--- a/testing/tests/ikev1/net2net-ntru-cert/pretest.dat
+++ b/testing/tests/ikev1/net2net-ntru-cert/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-psk-fail/pretest.dat b/testing/tests/ikev1/net2net-psk-fail/pretest.dat
index 0f4ae0f..fe4223a 100644
--- a/testing/tests/ikev1/net2net-psk-fail/pretest.dat
+++ b/testing/tests/ikev1/net2net-psk-fail/pretest.dat
@@ -2,7 +2,7 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::ipsec start
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-psk/pretest.dat b/testing/tests/ikev1/net2net-psk/pretest.dat
index 0f4ae0f..fe4223a 100644
--- a/testing/tests/ikev1/net2net-psk/pretest.dat
+++ b/testing/tests/ikev1/net2net-psk/pretest.dat
@@ -2,7 +2,7 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::ipsec start
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev1/protoport-dual/pretest.dat b/testing/tests/ikev1/protoport-dual/pretest.dat
index efb2e57..4759fdb 100644
--- a/testing/tests/ikev1/protoport-dual/pretest.dat
+++ b/testing/tests/ikev1/protoport-dual/pretest.dat
@@ -2,6 +2,7 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home-icmp
+carol::expect-connection home-ssh
 carol::ipsec up home-icmp
 carol::ipsec up home-ssh
diff --git a/testing/tests/ikev1/rw-cert-aggressive/pretest.dat b/testing/tests/ikev1/rw-cert-aggressive/pretest.dat
index 8bbea14..a55cf37 100644
--- a/testing/tests/ikev1/rw-cert-aggressive/pretest.dat
+++ b/testing/tests/ikev1/rw-cert-aggressive/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/rw-cert-unity/pretest.dat b/testing/tests/ikev1/rw-cert-unity/pretest.dat
index 4fbe475..3a1982f 100644
--- a/testing/tests/ikev1/rw-cert-unity/pretest.dat
+++ b/testing/tests/ikev1/rw-cert-unity/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/rw-cert/pretest.dat b/testing/tests/ikev1/rw-cert/pretest.dat
index 8bbea14..e87a8ee 100644
--- a/testing/tests/ikev1/rw-cert/pretest.dat
+++ b/testing/tests/ikev1/rw-cert/pretest.dat
@@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf
index 2b80853..094e0ef 100644
--- a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,4 @@
 
 charon {
   load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
-
-  retransmit_timeout = 2
-  retransmit_base = 1.5
-  retransmit_tries = 3 
 }
diff --git a/testing/tests/ikev1/rw-initiator-only/pretest.dat b/testing/tests/ikev1/rw-initiator-only/pretest.dat
index fc71734..5a97207 100644
--- a/testing/tests/ikev1/rw-initiator-only/pretest.dat
+++ b/testing/tests/ikev1/rw-initiator-only/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+dave::expect-connection peer
 dave::ipsec up peer
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/rw-ntru-psk/pretest.dat b/testing/tests/ikev1/rw-ntru-psk/pretest.dat
index 40eaede..e827687 100644
--- a/testing/tests/ikev1/rw-ntru-psk/pretest.dat
+++ b/testing/tests/ikev1/rw-ntru-psk/pretest.dat
@@ -7,7 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/*
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2 
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/rw-psk-aggressive/pretest.dat b/testing/tests/ikev1/rw-psk-aggressive/pretest.dat
index 44f41f9..ab5e18d 100644
--- a/testing/tests/ikev1/rw-psk-aggressive/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-aggressive/pretest.dat
@@ -4,9 +4,10 @@ dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/rw-psk-fqdn/pretest.dat b/testing/tests/ikev1/rw-psk-fqdn/pretest.dat
index 44f41f9..ab5e18d 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-fqdn/pretest.dat
@@ -4,9 +4,10 @@ dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/rw-psk-ipv4/pretest.dat b/testing/tests/ikev1/rw-psk-ipv4/pretest.dat
index 44f41f9..ab5e18d 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-ipv4/pretest.dat
@@ -4,9 +4,10 @@ dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/virtual-ip/pretest.dat b/testing/tests/ikev1/virtual-ip/pretest.dat
index 1765a83..2d09e88 100644
--- a/testing/tests/ikev1/virtual-ip/pretest.dat
+++ b/testing/tests/ikev1/virtual-ip/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-psk-config/pretest.dat b/testing/tests/ikev1/xauth-id-psk-config/pretest.dat
index 88a91ae..ab5e18d 100644
--- a/testing/tests/ikev1/xauth-id-psk-config/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-psk-config/pretest.dat
@@ -7,6 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat
index e5a06d4..a55cf37 100644
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat
index e5a06d4..a55cf37 100644
--- a/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat
index e5a06d4..a55cf37 100644
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-psk/pretest.dat b/testing/tests/ikev1/xauth-psk/pretest.dat
index 88a91ae..ab5e18d 100644
--- a/testing/tests/ikev1/xauth-psk/pretest.dat
+++ b/testing/tests/ikev1/xauth-psk/pretest.dat
@@ -7,6 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
index 9adc43d..c65fbda 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
@@ -3,6 +3,5 @@ carol::iptables-restore < /etc/iptables.rules
 alice::radiusd
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
index 9adc43d..c65fbda 100644
--- a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
@@ -3,6 +3,5 @@ carol::iptables-restore < /etc/iptables.rules
 alice::radiusd
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/xauth-rsa/pretest.dat b/testing/tests/ikev1/xauth-rsa/pretest.dat
index e5a06d4..a55cf37 100644
--- a/testing/tests/ikev1/xauth-rsa/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/acert-cached/evaltest.dat b/testing/tests/ikev2/acert-cached/evaltest.dat
index 682c55c..c0bb035 100644
--- a/testing/tests/ikev2/acert-cached/evaltest.dat
+++ b/testing/tests/ikev2/acert-cached/evaltest.dat
@@ -5,7 +5,7 @@ moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave
 moon::cat /var/log/daemon.log::constraint check failed: group membership to 'sales' required::YES
 dave::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::NO
diff --git a/testing/tests/ikev2/acert-cached/pretest.dat b/testing/tests/ikev2/acert-cached/pretest.dat
index 8bbea14..a55cf37 100644
--- a/testing/tests/ikev2/acert-cached/pretest.dat
+++ b/testing/tests/ikev2/acert-cached/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/acert-fallback/evaltest.dat b/testing/tests/ikev2/acert-fallback/evaltest.dat
index 985f320..17d83d1 100644
--- a/testing/tests/ikev2/acert-fallback/evaltest.dat
+++ b/testing/tests/ikev2/acert-fallback/evaltest.dat
@@ -2,7 +2,7 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol at strongswan.org.*moon.
 moon:: ipsec status 2> /dev/null::finance.*: ESTABLISHED.*moon.strongswan.org.*dave at strongswan.org::NO
 moon:: ipsec status 2> /dev/null::sales.*: ESTABLISHED.*moon.strongswan.org.*carol at strongswan.org::YES
 moon::cat /var/log/daemon.log::constraint check failed: group membership to 'finance' required::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
 carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/acert-fallback/pretest.dat b/testing/tests/ikev2/acert-fallback/pretest.dat
index baacc16..de4acbb 100644
--- a/testing/tests/ikev2/acert-fallback/pretest.dat
+++ b/testing/tests/ikev2/acert-fallback/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/acert-inline/evaltest.dat b/testing/tests/ikev2/acert-inline/evaltest.dat
index ba448f8..98128e7 100644
--- a/testing/tests/ikev2/acert-inline/evaltest.dat
+++ b/testing/tests/ikev2/acert-inline/evaltest.dat
@@ -8,7 +8,7 @@ dave::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O
 dave::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=Linux strongSwan, CN=expired AA\"::YES
 dave::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::NO
diff --git a/testing/tests/ikev2/acert-inline/pretest.dat b/testing/tests/ikev2/acert-inline/pretest.dat
index 8bbea14..a55cf37 100644
--- a/testing/tests/ikev2/acert-inline/pretest.dat
+++ b/testing/tests/ikev2/acert-inline/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/after-2038-certs/pretest.dat b/testing/tests/ikev2/after-2038-certs/pretest.dat
index baacc16..de4acbb 100644
--- a/testing/tests/ikev2/after-2038-certs/pretest.dat
+++ b/testing/tests/ikev2/after-2038-certs/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-3des-md5/pretest.dat b/testing/tests/ikev2/alg-3des-md5/pretest.dat
index 4fc2577..de4acbb 100644
--- a/testing/tests/ikev2/alg-3des-md5/pretest.dat
+++ b/testing/tests/ikev2/alg-3des-md5/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-aes-ccm/pretest.dat b/testing/tests/ikev2/alg-aes-ccm/pretest.dat
index 4fc2577..de4acbb 100644
--- a/testing/tests/ikev2/alg-aes-ccm/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-ccm/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-aes-ctr/pretest.dat b/testing/tests/ikev2/alg-aes-ctr/pretest.dat
index 4fc2577..de4acbb 100644
--- a/testing/tests/ikev2/alg-aes-ctr/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-ctr/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-aes-gcm/pretest.dat b/testing/tests/ikev2/alg-aes-gcm/pretest.dat
index 4fc2577..de4acbb 100644
--- a/testing/tests/ikev2/alg-aes-gcm/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-gcm/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-aes-xcbc/pretest.dat b/testing/tests/ikev2/alg-aes-xcbc/pretest.dat
index 4fc2577..de4acbb 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-xcbc/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-blowfish/pretest.dat b/testing/tests/ikev2/alg-blowfish/pretest.dat
index 8bbea14..a55cf37 100644
--- a/testing/tests/ikev2/alg-blowfish/pretest.dat
+++ b/testing/tests/ikev2/alg-blowfish/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/pretest.dat b/testing/tests/ikev2/alg-chacha20poly1305/pretest.dat
index 4fc2577..de4acbb 100644
--- a/testing/tests/ikev2/alg-chacha20poly1305/pretest.dat
+++ b/testing/tests/ikev2/alg-chacha20poly1305/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-modp-subgroup/pretest.dat b/testing/tests/ikev2/alg-modp-subgroup/pretest.dat
index 8bbea14..a55cf37 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/pretest.dat
+++ b/testing/tests/ikev2/alg-modp-subgroup/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/alg-sha256-96/pretest.dat b/testing/tests/ikev2/alg-sha256-96/pretest.dat
index 4fc2577..de4acbb 100644
--- a/testing/tests/ikev2/alg-sha256-96/pretest.dat
+++ b/testing/tests/ikev2/alg-sha256-96/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-sha256/pretest.dat b/testing/tests/ikev2/alg-sha256/pretest.dat
index 4fc2577..de4acbb 100644
--- a/testing/tests/ikev2/alg-sha256/pretest.dat
+++ b/testing/tests/ikev2/alg-sha256/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-sha384/pretest.dat b/testing/tests/ikev2/alg-sha384/pretest.dat
index 4fc2577..de4acbb 100644
--- a/testing/tests/ikev2/alg-sha384/pretest.dat
+++ b/testing/tests/ikev2/alg-sha384/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-sha512/pretest.dat b/testing/tests/ikev2/alg-sha512/pretest.dat
index 4fc2577..de4acbb 100644
--- a/testing/tests/ikev2/alg-sha512/pretest.dat
+++ b/testing/tests/ikev2/alg-sha512/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/any-interface/pretest.dat b/testing/tests/ikev2/any-interface/pretest.dat
index 0a6ce8b..2f27224 100644
--- a/testing/tests/ikev2/any-interface/pretest.dat
+++ b/testing/tests/ikev2/any-interface/pretest.dat
@@ -4,7 +4,8 @@ alice::ipsec start
 moon::ipsec start
 sun::ipsec start
 bob::ipsec start
-moon::sleep 2 
-moon::ping -n -c 3 -s 8184 -p deadbeef PH_IP_ALICE
-moon::ping -n -c 3 -s 8184 -p deadbeef PH_IP_SUN
-bob::ping -n -c 3 -s 8184 -p deadbeef PH_IP_SUN1
+moon::expect-connection alice
+moon::ping -n -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef PH_IP_ALICE
+moon::ping -n -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef PH_IP_SUN
+bob::expect-connection sun
+bob::ping -n -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef PH_IP_SUN1
diff --git a/testing/tests/ikev2/compress/pretest.dat b/testing/tests/ikev2/compress/pretest.dat
index 29a9035..1fd37b6 100644
--- a/testing/tests/ikev2/compress/pretest.dat
+++ b/testing/tests/ikev2/compress/pretest.dat
@@ -2,5 +2,5 @@ carol::iptables-restore < /etc/iptables.rules
 moon::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/config-payload-swapped/pretest.dat b/testing/tests/ikev2/config-payload-swapped/pretest.dat
index 3864bda..2d09e88 100644
--- a/testing/tests/ikev2/config-payload-swapped/pretest.dat
+++ b/testing/tests/ikev2/config-payload-swapped/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2 
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/config-payload/pretest.dat b/testing/tests/ikev2/config-payload/pretest.dat
index 3864bda..2d09e88 100644
--- a/testing/tests/ikev2/config-payload/pretest.dat
+++ b/testing/tests/ikev2/config-payload/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2 
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/critical-extension/pretest.dat b/testing/tests/ikev2/critical-extension/pretest.dat
index c724e5d..1732d6e 100644
--- a/testing/tests/ikev2/critical-extension/pretest.dat
+++ b/testing/tests/ikev2/critical-extension/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/crl-from-cache/pretest.dat b/testing/tests/ikev2/crl-from-cache/pretest.dat
index acdb265..d4141a3 100644
--- a/testing/tests/ikev2/crl-from-cache/pretest.dat
+++ b/testing/tests/ikev2/crl-from-cache/pretest.dat
@@ -4,5 +4,5 @@ carol::wget -q http://crl.strongswan.org/strongswan.crl
 carol::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/crl-ldap/pretest.dat b/testing/tests/ikev2/crl-ldap/pretest.dat
index 8ffa9d3..4eed5e0 100644
--- a/testing/tests/ikev2/crl-ldap/pretest.dat
+++ b/testing/tests/ikev2/crl-ldap/pretest.dat
@@ -3,6 +3,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 3 
diff --git a/testing/tests/ikev2/crl-revoked/pretest.dat b/testing/tests/ikev2/crl-revoked/pretest.dat
index 8984dcb..3a1982f 100644
--- a/testing/tests/ikev2/crl-revoked/pretest.dat
+++ b/testing/tests/ikev2/crl-revoked/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/crl-to-cache/pretest.dat b/testing/tests/ikev2/crl-to-cache/pretest.dat
index d92333d..3a1982f 100644
--- a/testing/tests/ikev2/crl-to-cache/pretest.dat
+++ b/testing/tests/ikev2/crl-to-cache/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/default-keys/pretest.dat b/testing/tests/ikev2/default-keys/pretest.dat
index ef5f670..9e291d2 100644
--- a/testing/tests/ikev2/default-keys/pretest.dat
+++ b/testing/tests/ikev2/default-keys/pretest.dat
@@ -10,10 +10,10 @@ moon::rm /etc/ipsec.d/private/*
 moon::rm /etc/ipsec.d/certs/*
 moon::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
-moon::sleep 5
+moon::expect-connection carol
 moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der
 moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der
 moon::ipsec reload
 carol::ipsec reload
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
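Review bot: `moon::expect-connection carol` only shows that moon's daemon has loaded its connection, yet the second `scp` two lines below it reads `selfCert.der` from carol. The removed `moon::sleep 5` gave both hosts time to generate their default keys; carol's `ipsec start` lies outside this hunk, so it cannot be told from here whether she is always finished by that point. Adding `carol::expect-connection home` ahead of the two `scp` lines would make the wait explicit for both sides, assuming a loaded connection implies the self-signed certificate has already been written.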
diff --git a/testing/tests/ikev2/dhcp-dynamic/pretest.dat b/testing/tests/ikev2/dhcp-dynamic/pretest.dat
index 5670a2e..3b22f29 100644
--- a/testing/tests/ikev2/dhcp-dynamic/pretest.dat
+++ b/testing/tests/ikev2/dhcp-dynamic/pretest.dat
@@ -6,7 +6,7 @@ venus::/etc/init.d/isc-dhcp-server start 2> /dev/null
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/dhcp-static-client-id/pretest.dat b/testing/tests/ikev2/dhcp-static-client-id/pretest.dat
index 5670a2e..8eafe1a 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/pretest.dat
+++ b/testing/tests/ikev2/dhcp-static-client-id/pretest.dat
@@ -6,7 +6,7 @@ venus::/etc/init.d/isc-dhcp-server start 2> /dev/null
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+carol::expect-connection home
 dave::ipsec up home
-carol::sleep 1
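Review bot: The line added before `dave::ipsec up home` waits on carol a second time (`carol::expect-connection home`), so nothing confirms that dave's `home` connection is loaded before dave initiates. The sibling hunks for dhcp-dynamic and dhcp-static-mac add `dave::expect-connection home` at the same position, so this looks like a copy-paste slip and the line should read `dave::expect-connection home`. As written, the test can still race with dave's daemon start-up, which is the condition the removed `sleep` lines were papering over.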
diff --git a/testing/tests/ikev2/dhcp-static-mac/pretest.dat b/testing/tests/ikev2/dhcp-static-mac/pretest.dat
index 5670a2e..3b22f29 100644
--- a/testing/tests/ikev2/dhcp-static-mac/pretest.dat
+++ b/testing/tests/ikev2/dhcp-static-mac/pretest.dat
@@ -6,7 +6,7 @@ venus::/etc/init.d/isc-dhcp-server start 2> /dev/null
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/double-nat-net/pretest.dat b/testing/tests/ikev2/double-nat-net/pretest.dat
index 17a4fe5..d300a27 100644
--- a/testing/tests/ikev2/double-nat-net/pretest.dat
+++ b/testing/tests/ikev2/double-nat-net/pretest.dat
@@ -7,6 +7,5 @@ sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-des
 sun::ip route add 10.1.0.0/16 via PH_IP_BOB
 alice::ipsec start
 bob::ipsec start
-alice::sleep 2
+alice::expect-connection nat-t
 alice::ipsec up nat-t
-alice::sleep 1
diff --git a/testing/tests/ikev2/double-nat/pretest.dat b/testing/tests/ikev2/double-nat/pretest.dat
index 65f18b7..6a861d2 100644
--- a/testing/tests/ikev2/double-nat/pretest.dat
+++ b/testing/tests/ikev2/double-nat/pretest.dat
@@ -6,6 +6,5 @@ sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-s
 sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB
 alice::ipsec start
 bob::ipsec start
-alice::sleep 2
+alice::expect-connection nat-t
 alice::ipsec up nat-t
-alice::sleep 1
diff --git a/testing/tests/ikev2/dpd-clear/description.txt b/testing/tests/ikev2/dpd-clear/description.txt
index 7f62dc5..0fb2f10 100644
--- a/testing/tests/ikev2/dpd-clear/description.txt
+++ b/testing/tests/ikev2/dpd-clear/description.txt
@@ -1,5 +1,5 @@
 The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway <b>moon</b>
 which in turn activates <b>Dead Peer Detection</b> (DPD) with a polling interval of 10 s.
 When the network connectivity between <b>carol</b> and <b>moon</b> is forcefully disrupted,
-<b>moon</b> clears the connection after 4 unsuccessful retransmits.
+<b>moon</b> clears the connection after a number of unsuccessful retransmits.
 
diff --git a/testing/tests/ikev2/dpd-clear/evaltest.dat b/testing/tests/ikev2/dpd-clear/evaltest.dat
index c1a2719..2071e8f 100644
--- a/testing/tests/ikev2/dpd-clear/evaltest.dat
+++ b/testing/tests/ikev2/dpd-clear/evaltest.dat
@@ -1,8 +1,8 @@
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon:: sleep 180::no output expected::NO
+moon:: sleep 13::no output expected::NO
 moon:: cat /var/log/daemon.log::sending DPD request::YES
 moon:: cat /var/log/daemon.log::retransmit.*of request::YES
-moon:: cat /var/log/daemon.log::giving up after 5 retransmits::YES
+moon:: cat /var/log/daemon.log::giving up after.*retransmits::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
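Review bot: `moon:: sleep 13` has to cover the 10 s DPD polling interval named in description.txt plus the whole retransmit sequence, which can only hold if the retransmit timing is shortened in a configuration file this hunk does not show. That leaves about three seconds for every retransmit and the SA teardown, so a slow guest would fail the `giving up after.*retransmits` and `rw.*INSTALLED::NO` checks on timing rather than on behaviour. I would state the coupling where the scenario is described, for instance `The retransmit settings are reduced so that moon gives up a few seconds after the first DPD request.` in description.txt, and note that the loosened pattern no longer asserts the retransmit count. The same `sleep 13` and pattern change appear in dpd-hold/evaltest.dat and dpd-restart/evaltest.dat.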
diff --git a/testing/tests/ikev2/dpd-clear/pretest.dat b/testing/tests/ikev2/dpd-clear/pretest.dat
index 14ed953..3a1982f 100644
--- a/testing/tests/ikev2/dpd-clear/pretest.dat
+++ b/testing/tests/ikev2/dpd-clear/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/dpd-hold/evaltest.dat b/testing/tests/ikev2/dpd-hold/evaltest.dat
index 4c035a6..9ce76f9 100644
--- a/testing/tests/ikev2/dpd-hold/evaltest.dat
+++ b/testing/tests/ikev2/dpd-hold/evaltest.dat
@@ -2,13 +2,13 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-carol::sleep 180::no output expected::NO
+carol::sleep 13::no output expected::NO
 carol::cat /var/log/daemon.log::sending DPD request::YES
 carol::cat /var/log/daemon.log::retransmit.*of request::YES
-carol::cat /var/log/daemon.log::giving up after 5 retransmits::YES
+carol::cat /var/log/daemon.log::giving up after.*retransmits::YES
 carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
 moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
-carol::ping -c 1 PH_IP_ALICE::trigger route::NO
-carol::sleep 2::no output expected::NO
+carol::ping -c 1 -W 1 PH_IP_ALICE::trigger route::NO
+carol::sleep 1::no output expected::NO
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev2/dpd-hold/pretest.dat b/testing/tests/ikev2/dpd-hold/pretest.dat
index 14ed953..3a1982f 100644
--- a/testing/tests/ikev2/dpd-hold/pretest.dat
+++ b/testing/tests/ikev2/dpd-hold/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/dpd-restart/evaltest.dat b/testing/tests/ikev2/dpd-restart/evaltest.dat
index 962bd06..25c54df 100644
--- a/testing/tests/ikev2/dpd-restart/evaltest.dat
+++ b/testing/tests/ikev2/dpd-restart/evaltest.dat
@@ -2,12 +2,12 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-carol::sleep 180::no output expected::NO
+carol::sleep 13::no output expected::NO
 carol::cat /var/log/daemon.log::sending DPD request::YES
 carol::cat /var/log/daemon.log::retransmit.*of request::YES
-carol::cat /var/log/daemon.log::giving up after 5 retransmits::YES
+carol::cat /var/log/daemon.log::giving up after.*retransmits::YES
 carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
 moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
-carol::sleep 10::no output expected::NO
+carol::sleep 2::no output expected::NO
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev2/dpd-restart/pretest.dat b/testing/tests/ikev2/dpd-restart/pretest.dat
index 14ed953..3a1982f 100644
--- a/testing/tests/ikev2/dpd-restart/pretest.dat
+++ b/testing/tests/ikev2/dpd-restart/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/dynamic-initiator/description.txt b/testing/tests/ikev2/dynamic-initiator/description.txt
index e74ee15..3e441b2 100644
--- a/testing/tests/ikev2/dynamic-initiator/description.txt
+++ b/testing/tests/ikev2/dynamic-initiator/description.txt
@@ -1,12 +1,12 @@
 The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
-is defined symbolically by <b>right=<hostname></b>. The ipsec starter resolves the
+is defined symbolically by <b>right=<hostname></b>. The IKE daemon resolves the
 fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
 /etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
-<b>rightallowany=yes</b> will allow an IKE_SA rekeying to arrive from an arbitrary
+<b>%</b> prefix in the <b>right</b> option will allow an IKE_SA rekeying to arrive from an arbitrary
 IP address under the condition that the peer identity remains unchanged. When this happens
 the old tunnel is replaced by an IPsec connection to the new origin.
 <p>
 In this scenario <b>carol</b> first initiates a tunnel to <b>moon</b>. After some time <b>carol</b>
 suddenly changes her IP address and restarts the connection to <b>moon</b> without deleting the
 old tunnel first (simulated by iptables blocking IKE packets to and from
-<b>carol</b> and starting the connection from host <b>dave</b> using <b>carol</b>'s identity). 
+<b>carol</b> and starting the connection from host <b>dave</b> using <b>carol</b>'s identity).
diff --git a/testing/tests/ikev2/dynamic-initiator/posttest.dat b/testing/tests/ikev2/dynamic-initiator/posttest.dat
index 83063a2..715bb94 100644
--- a/testing/tests/ikev2/dynamic-initiator/posttest.dat
+++ b/testing/tests/ikev2/dynamic-initiator/posttest.dat
@@ -1,6 +1,5 @@
 dave::ipsec stop
 carol::ipsec stop
-dave::sleep 1
 moon::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/dynamic-initiator/pretest.dat b/testing/tests/ikev2/dynamic-initiator/pretest.dat
index 3e1cfce..f354efe 100644
--- a/testing/tests/ikev2/dynamic-initiator/pretest.dat
+++ b/testing/tests/ikev2/dynamic-initiator/pretest.dat
@@ -4,10 +4,9 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection moon
 carol::ipsec up moon
-carol::sleep 1
 carol::iptables -D INPUT  -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+dave::expect-connection moon
 dave::ipsec up moon
-dave::sleep 2 
diff --git a/testing/tests/ikev2/dynamic-two-peers/posttest.dat b/testing/tests/ikev2/dynamic-two-peers/posttest.dat
index 7b26098..119c8e4 100644
--- a/testing/tests/ikev2/dynamic-two-peers/posttest.dat
+++ b/testing/tests/ikev2/dynamic-two-peers/posttest.dat
@@ -1,6 +1,5 @@
 carol::ipsec stop
 dave::ipsec stop
-moon::sleep 1
 moon::ipsec stop
 moon::mv /etc/hosts.ori /etc/hosts
 moon::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/dynamic-two-peers/pretest.dat b/testing/tests/ikev2/dynamic-two-peers/pretest.dat
index 4bb2a46..ee0b156 100644
--- a/testing/tests/ikev2/dynamic-two-peers/pretest.dat
+++ b/testing/tests/ikev2/dynamic-two-peers/pretest.dat
@@ -6,7 +6,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection moon
 carol::ipsec up moon
+dave::expect-connection moon
 dave::ipsec up moon
-carol::sleep 1
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat
index 4fc2577..de4acbb 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/esp-alg-md5-128/pretest.dat b/testing/tests/ikev2/esp-alg-md5-128/pretest.dat
index 886fdf5..de4acbb 100644
--- a/testing/tests/ikev2/esp-alg-md5-128/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-md5-128/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/esp-alg-null/pretest.dat b/testing/tests/ikev2/esp-alg-null/pretest.dat
index 886fdf5..de4acbb 100644
--- a/testing/tests/ikev2/esp-alg-null/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-null/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat b/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat
index 886fdf5..de4acbb 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/farp/pretest.dat b/testing/tests/ikev2/farp/pretest.dat
index f0254da..1a98228 100644
--- a/testing/tests/ikev2/farp/pretest.dat
+++ b/testing/tests/ikev2/farp/pretest.dat
@@ -6,7 +6,7 @@ alice::arp -d 10.1.0.40
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2 
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/force-udp-encaps/pretest.dat b/testing/tests/ikev2/force-udp-encaps/pretest.dat
index 7be6686..87a7764 100644
--- a/testing/tests/ikev2/force-udp-encaps/pretest.dat
+++ b/testing/tests/ikev2/force-udp-encaps/pretest.dat
@@ -4,7 +4,5 @@ sun::ip route add 10.1.0.0/16 via PH_IP_MOON
 winnetou::ip route add 10.1.0.0/16 via PH_IP_MOON
 alice::ipsec start
 sun::ipsec start
-alice::sleep 4
+alice::expect-connection nat-t
 alice::ipsec up nat-t
-alice::sleep 1 
-
diff --git a/testing/tests/ikev2/forecast/pretest.dat b/testing/tests/ikev2/forecast/pretest.dat
index 206bf5b..68a0c2c 100644
--- a/testing/tests/ikev2/forecast/pretest.dat
+++ b/testing/tests/ikev2/forecast/pretest.dat
@@ -1,7 +1,7 @@
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/host2host-ah/pretest.dat b/testing/tests/ikev2/host2host-ah/pretest.dat
index 99789b9..997a481 100644
--- a/testing/tests/ikev2/host2host-ah/pretest.dat
+++ b/testing/tests/ikev2/host2host-ah/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::expect-connection host-host
 moon::ipsec up host-host
diff --git a/testing/tests/ikev2/host2host-cert/pretest.dat b/testing/tests/ikev2/host2host-cert/pretest.dat
index 3bce9f6..997a481 100644
--- a/testing/tests/ikev2/host2host-cert/pretest.dat
+++ b/testing/tests/ikev2/host2host-cert/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::expect-connection host-host
 moon::ipsec up host-host
diff --git a/testing/tests/ikev2/host2host-swapped/pretest.dat b/testing/tests/ikev2/host2host-swapped/pretest.dat
index 3bce9f6..997a481 100644
--- a/testing/tests/ikev2/host2host-swapped/pretest.dat
+++ b/testing/tests/ikev2/host2host-swapped/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::expect-connection host-host
 moon::ipsec up host-host
diff --git a/testing/tests/ikev2/host2host-transport/pretest.dat b/testing/tests/ikev2/host2host-transport/pretest.dat
index 99789b9..997a481 100644
--- a/testing/tests/ikev2/host2host-transport/pretest.dat
+++ b/testing/tests/ikev2/host2host-transport/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::expect-connection host-host
 moon::ipsec up host-host
diff --git a/testing/tests/ikev2/inactivity-timeout/evaltest.dat b/testing/tests/ikev2/inactivity-timeout/evaltest.dat
index 221c593..76b45c2 100644
--- a/testing/tests/ikev2/inactivity-timeout/evaltest.dat
+++ b/testing/tests/ikev2/inactivity-timeout/evaltest.dat
@@ -1,8 +1,8 @@
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::sleep 15::NO
+carol::sleep 11::NO
 carol::cat /var/log/daemon.log::deleting CHILD_SA after 10 seconds of inactivity::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
 carol::ipsec status 2> /dev/null::home.*INSTALLED::NO
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::NO
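Review bot: `carol::sleep 11::NO` leaves a single second over the 10 second inactivity timeout that the next line greps for, and the two `ipsec status` checks after it also need the CHILD_SA delete to have reached moon. If the inactivity check runs slightly late on a loaded guest, the test fails on timing even though the daemon behaves correctly. A little more slack, for example `carol::sleep 12::NO`, keeps most of the speed-up over the old 15 seconds while making the negative checks less fragile.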
diff --git a/testing/tests/ikev2/inactivity-timeout/pretest.dat b/testing/tests/ikev2/inactivity-timeout/pretest.dat
index b949aae..ac7b8d9 100644
--- a/testing/tests/ikev2/inactivity-timeout/pretest.dat
+++ b/testing/tests/ikev2/inactivity-timeout/pretest.dat
@@ -1,6 +1,5 @@
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
index a4542db..6c22fd5 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -7,7 +7,7 @@ charon {
 libhydra {
   plugins {
     attr-sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
 }
diff --git a/testing/tests/ikev2/ip-pool-db/posttest.dat b/testing/tests/ikev2/ip-pool-db/posttest.dat
index c99f347..37436a3 100644
--- a/testing/tests/ikev2/ip-pool-db/posttest.dat
+++ b/testing/tests/ikev2/ip-pool-db/posttest.dat
@@ -7,4 +7,3 @@ dave::iptables-restore < /etc/iptables.flush
 moon::ipsec pool --del bigpool 2> /dev/null
 moon::ipsec pool --del dns 2> /dev/null
 moon::ipsec pool --del nbns 2> /dev/null
-moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-pool-db/pretest.dat b/testing/tests/ikev2/ip-pool-db/pretest.dat
index 2327eb9..337ccb2 100644
--- a/testing/tests/ikev2/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev2/ip-pool-db/pretest.dat
@@ -1,5 +1,5 @@
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
 moon::ipsec pool --addattr dns  --server PH_IP_WINNETOU 2> /dev/null
 moon::ipsec pool --addattr dns  --server PH_IP_VENUS 2> /dev/null
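Review bot: Both rewritten lines at the top of this hunk write into `/etc/db.d`, but nothing in pretest.dat creates that directory, and posttest.dat in this commit drops `moon::rm /etc/ipsec.d/ipsec.*` without a replacement. Presumably the `DBHOSTS="moon"` entry added to test.conf makes the test framework provide and reset `/etc/db.d`, but that is not visible here. If it does not, the redirect fails or pool leases from an earlier run stay in ipsec.db and skew the address assignments the test checks. Should the framework do this, the test.conf comment could say so, e.g. `# Guest instances on which databases are used (/etc/db.d is provided and cleaned by the test framework)`.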
@@ -7,10 +7,10 @@ moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/ip-pool-db/test.conf b/testing/tests/ikev2/ip-pool-db/test.conf
index 164b07f..31820ea 100644
--- a/testing/tests/ikev2/ip-pool-db/test.conf
+++ b/testing/tests/ikev2/ip-pool-db/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon alice"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="moon"
diff --git a/testing/tests/ikev2/ip-pool-wish/pretest.dat b/testing/tests/ikev2/ip-pool-wish/pretest.dat
index 1466fd2..2d09e88 100644
--- a/testing/tests/ikev2/ip-pool-wish/pretest.dat
+++ b/testing/tests/ikev2/ip-pool-wish/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2 
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/ip-pool/pretest.dat b/testing/tests/ikev2/ip-pool/pretest.dat
index 3864bda..2d09e88 100644
--- a/testing/tests/ikev2/ip-pool/pretest.dat
+++ b/testing/tests/ikev2/ip-pool/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2 
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
index a4542db..6c22fd5 100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
@@ -7,7 +7,7 @@ charon {
 libhydra {
   plugins {
     attr-sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
 }
diff --git a/testing/tests/ikev2/ip-split-pools-db/posttest.dat b/testing/tests/ikev2/ip-split-pools-db/posttest.dat
index 9d88281..6066d46 100644
--- a/testing/tests/ikev2/ip-split-pools-db/posttest.dat
+++ b/testing/tests/ikev2/ip-split-pools-db/posttest.dat
@@ -3,4 +3,3 @@ dave::ipsec stop
 moon::ipsec stop
 moon::ipsec pool --del pool0 2> /dev/null
 moon::ipsec pool --del pool1 2> /dev/null
-moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-split-pools-db/pretest.dat b/testing/tests/ikev2/ip-split-pools-db/pretest.dat
index c5af81b..f745763 100644
--- a/testing/tests/ikev2/ip-split-pools-db/pretest.dat
+++ b/testing/tests/ikev2/ip-split-pools-db/pretest.dat
@@ -1,12 +1,12 @@
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --add pool0 --start 10.3.0.1 --end 10.3.0.1 --timeout 48 2> /dev/null
 moon::ipsec pool --add pool1 --start 10.3.1.1 --end 10.3.1.1 --timeout 48 2> /dev/null
 moon::ipsec pool --status 2> /dev/null
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/ip-split-pools-db/test.conf b/testing/tests/ikev2/ip-split-pools-db/test.conf
index 164b07f..31820ea 100644
--- a/testing/tests/ikev2/ip-split-pools-db/test.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon alice"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="moon"
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
index fe6cdde..cf3b0d8 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
@@ -7,7 +7,7 @@ charon {
 libhydra {
   plugins {
     attr-sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
index 150690e..dd4abeb 100644
--- a/testing/tests/ikev2/ip-two-pools-db/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
@@ -15,4 +15,3 @@ moon::ipsec pool --del intpool 2> /dev/null
 moon::ipsec pool --delattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
 moon::ipsec pool --delattr dns --server PH_IP_ALICE --pool intpool --identity alice at strongswan.org 2> /dev/null
 moon::ipsec pool --delattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null
-moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
index bb36a26..2d8b28c 100644
--- a/testing/tests/ikev2/ip-two-pools-db/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
@@ -1,5 +1,5 @@
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --add extpool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null
 moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout  0 2> /dev/null
 moon::ipsec pool --addattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
@@ -13,14 +13,16 @@ venus::iptables-restore < /etc/iptables.rules
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
 alice::ipsec start
 venus::ipsec start
 carol::ipsec start
 dave::ipsec start
-moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
+alice::expect-connection home
 alice::ipsec up home
+venus::expect-connection home
 venus::ipsec up home
-alice::sleep 1
diff --git a/testing/tests/ikev2/ip-two-pools-db/test.conf b/testing/tests/ikev2/ip-two-pools-db/test.conf
index c88e11d..167c75d 100644
--- a/testing/tests/ikev2/ip-two-pools-db/test.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice venus carol dave"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="moon"
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
index fe6cdde..cf3b0d8 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
@@ -7,7 +7,7 @@ charon {
 libhydra {
   plugins {
     attr-sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
 }
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
index 57449be..0c3cd26 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
@@ -5,4 +5,3 @@ moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 alice::iptables-restore < /etc/iptables.flush
 moon::ipsec pool --del intpool 2> /dev/null
-moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat b/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
index 8ebfdc7..5b32741 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
@@ -1,13 +1,13 @@
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout  0 2> /dev/null
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 alice::iptables-restore < /etc/iptables.rules
-carol::ipsec start
 moon::ipsec start
+carol::ipsec start
 alice::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+alice::expect-connection home
 alice::ipsec up home
-alice::sleep 1
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/test.conf b/testing/tests/ikev2/ip-two-pools-mixed/test.conf
index 1ed3473..0c1b38d 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/test.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice carol"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice moon carol"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="moon"
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
index c7e9a44..5176e2a 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
@@ -7,7 +7,7 @@ charon {
 libhydra {
   plugins {
     attr-sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
 }
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat
index 2e78893..e46195c 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat
@@ -1,4 +1,3 @@
 alice::ip -6 route del default via fec1:\:1
 carol::ipsec stop
 moon::ipsec stop
-moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat
index 466a5ea..60af3bc 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat
@@ -1,9 +1,9 @@
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --add v4_pool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null
 moon::ipsec pool --add v6_pool --start fec3:\:1 --end fec3:\:fe --timeout  48 2> /dev/null
 alice::ip -6 route add default via fec1:\:1
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf
index cd03759..6081918 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="carol"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="moon"
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat
index 04139ba..7eb81b6 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat
@@ -1,5 +1,5 @@
 alice::ip -6 route add default via fec1:\:1
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/ip-two-pools/posttest.dat b/testing/tests/ikev2/ip-two-pools/posttest.dat
index 7de2bc9..e4b0436 100644
--- a/testing/tests/ikev2/ip-two-pools/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools/posttest.dat
@@ -4,4 +4,3 @@ moon::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 alice::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools/pretest.dat b/testing/tests/ikev2/ip-two-pools/pretest.dat
index 4e8b639..56c1785 100644
--- a/testing/tests/ikev2/ip-two-pools/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools/pretest.dat
@@ -4,7 +4,7 @@ alice::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 moon::ipsec start
 alice::ipsec start
-carol::sleep 2 
+carol::expect-connection home
 carol::ipsec up home
+alice::expect-connection home
 alice::ipsec up home
-alice::sleep 1
diff --git a/testing/tests/ikev2/lookip/pretest.dat b/testing/tests/ikev2/lookip/pretest.dat
index 3864bda..2d09e88 100644
--- a/testing/tests/ikev2/lookip/pretest.dat
+++ b/testing/tests/ikev2/lookip/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2 
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules
index 6dd261f..450e7ce 100644
--- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules
@@ -5,11 +5,15 @@
 -P OUTPUT DROP
 -P FORWARD DROP
 
+# allow traffic on lo as ifup/ifdown call bind's rndc which accesses TCP 953
+-A OUTPUT -o lo -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+
 # allow IPsec tunnel traffic
 -A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
 -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
 
-# allow ESP 
+# allow ESP
 -A INPUT  -i eth0 -p 50 -j ACCEPT
 -A INPUT  -i eth1 -p 50 -j ACCEPT
 -A OUTPUT -o eth0 -p 50 -j ACCEPT
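Review bot: The two added rules accept all traffic on `lo`, while the comment justifies them only by rndc reaching TCP 953, so the comment understates what the rules permit under the DROP default policies above. A blanket loopback accept is a common baseline and is probably intended here, so the simplest fix is to make the comment say so: `# allow all loopback traffic; needed e.g. by ifup/ifdown, which call bind's rndc on TCP 953`. The identical rules and comment are added in the mobike-virtual-ip and mobike iptables.rules hunks. The rules file starts before this hunk, so the table header is not visible here.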
diff --git a/testing/tests/ikev2/mobike-nat/pretest.dat b/testing/tests/ikev2/mobike-nat/pretest.dat
index fde195d..68df1b5 100644
--- a/testing/tests/ikev2/mobike-nat/pretest.dat
+++ b/testing/tests/ikev2/mobike-nat/pretest.dat
@@ -5,6 +5,5 @@ moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 alice::ipsec start
 sun::ipsec start
-alice::sleep 2
+alice::expect-connection mobike
 alice::ipsec up mobike
-alice::sleep 1
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules
index a238c8d..450e7ce 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules
@@ -5,6 +5,10 @@
 -P OUTPUT DROP
 -P FORWARD DROP
 
+# allow traffic on lo as ifup/ifdown call bind's rndc which accesses TCP 953
+-A OUTPUT -o lo -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+
 # allow IPsec tunnel traffic
 -A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
 -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
diff --git a/testing/tests/ikev2/mobike-virtual-ip/pretest.dat b/testing/tests/ikev2/mobike-virtual-ip/pretest.dat
index 067c1a1..8197296 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/pretest.dat
+++ b/testing/tests/ikev2/mobike-virtual-ip/pretest.dat
@@ -4,6 +4,5 @@ sun::iptables-restore < /etc/iptables.rules
 sun::ip route add 10.1.0.0/16 via PH_IP_MOON
 alice::ipsec start
 sun::ipsec start
-alice::sleep 2
+alice::expect-connection mobike
 alice::ipsec up mobike
-alice::sleep 1
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules
index a238c8d..450e7ce 100644
--- a/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules
@@ -5,6 +5,10 @@
 -P OUTPUT DROP
 -P FORWARD DROP
 
+# allow traffic on lo as ifup/ifdown call bind's rndc which accesses TCP 953
+-A OUTPUT -o lo -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+
 # allow IPsec tunnel traffic
 -A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
 -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
diff --git a/testing/tests/ikev2/mobike/pretest.dat b/testing/tests/ikev2/mobike/pretest.dat
index 067c1a1..8197296 100644
--- a/testing/tests/ikev2/mobike/pretest.dat
+++ b/testing/tests/ikev2/mobike/pretest.dat
@@ -4,6 +4,5 @@ sun::iptables-restore < /etc/iptables.rules
 sun::ip route add 10.1.0.0/16 via PH_IP_MOON
 alice::ipsec start
 sun::ipsec start
-alice::sleep 2
+alice::expect-connection mobike
 alice::ipsec up mobike
-alice::sleep 1
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
index 8457ae0..eb20c7f 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
@@ -18,4 +18,4 @@ moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer 22806012345600
 moon::ipsec status 2> /dev/null::rw-mult.*ESTABLISHED.*228060123456002 at strongswan.org::NO
 dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 dave::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave::ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
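Review bot: This is a negative check (`::NO`), so it passes whenever the text `icmp_req=1` is absent from the output, including when the installed ping labels the field differently (other iputils versions print `icmp_seq=`). In that case the line would pass even if dave could still reach alice after the failed EAP-SIM authentication, which is exactly what it is meant to rule out. The `rw-mult.*ESTABLISHED` pattern two lines above suggests the expected text is treated as a regular expression, so `64 bytes from PH_IP_ALICE: icmp_.eq=1` would match both spellings. The added `-W 1` only shortens the wait and does not change this.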
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
index eb69d2e..07ffe10 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
@@ -8,7 +8,7 @@ alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat b/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat
index 2eebc0f..bee9bc7 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat
@@ -1,6 +1,7 @@
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-moon::sleep 2
+moon::expect-connection alice
+moon::expect-connection venus
 moon::ipsec up alice
 moon::ipsec up venus
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat
index 86dd31e..be0051e 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat
@@ -1,6 +1,7 @@
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection alice
 carol::ipsec up alice
+dave::expect-connection venus
 dave::ipsec up venus
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat b/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat
index 41319ae..d9ed527 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat
@@ -1,10 +1,13 @@
 winnetou::/etc/init.d/slapd start
 moon::iptables-restore < /etc/iptables.rules
+moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-moon::ipsec start
-carol::sleep 2
+carol::expect-connection alice
+carol::expect-connection venus
 carol::ipsec up alice
 carol::ipsec up venus
+dave::expect-connection alice
+dave::expect-connection venus
 dave::ipsec up venus
 dave::ipsec up alice
diff --git a/testing/tests/ikev2/multi-level-ca-loop/pretest.dat b/testing/tests/ikev2/multi-level-ca-loop/pretest.dat
index bb538c1..3407743 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-loop/pretest.dat
@@ -1,5 +1,5 @@
 moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
 carol::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection alice
 carol::ipsec up alice
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat b/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat
index e209e60..8230de0 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat
@@ -1,4 +1,4 @@
 carol::ipsec start
 moon::ipsec start
-carol::sleep 2
-carol::ipsec up home 
+carol::expect-connection home
+carol::ipsec up home
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/pretest.dat b/testing/tests/ikev2/multi-level-ca-revoked/pretest.dat
index d92333d..3a1982f 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-revoked/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/multi-level-ca-strict/pretest.dat b/testing/tests/ikev2/multi-level-ca-strict/pretest.dat
index 755564c..2134d6b 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-strict/pretest.dat
@@ -1,8 +1,11 @@
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection alice
+carol::expect-connection venus
 carol::ipsec up alice
 carol::ipsec up venus
+dave::expect-connection alice
+dave::expect-connection venus
 dave::ipsec up venus
 dave::ipsec up alice
diff --git a/testing/tests/ikev2/multi-level-ca/posttest.dat b/testing/tests/ikev2/multi-level-ca/posttest.dat
index 1646d5e..0f3f1ff 100644
--- a/testing/tests/ikev2/multi-level-ca/posttest.dat
+++ b/testing/tests/ikev2/multi-level-ca/posttest.dat
@@ -2,4 +2,3 @@ moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
 moon::rm /etc/ipsec.d/cacerts/*
-
diff --git a/testing/tests/ikev2/multi-level-ca/pretest.dat b/testing/tests/ikev2/multi-level-ca/pretest.dat
index 755564c..2134d6b 100644
--- a/testing/tests/ikev2/multi-level-ca/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca/pretest.dat
@@ -1,8 +1,11 @@
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection alice
+carol::expect-connection venus
 carol::ipsec up alice
 carol::ipsec up venus
+dave::expect-connection alice
+dave::expect-connection venus
 dave::ipsec up venus
 dave::ipsec up alice
diff --git a/testing/tests/ikev2/nat-rw-mark/pretest.dat b/testing/tests/ikev2/nat-rw-mark/pretest.dat
index 6cddfd4..9d68e3c 100644
--- a/testing/tests/ikev2/nat-rw-mark/pretest.dat
+++ b/testing/tests/ikev2/nat-rw-mark/pretest.dat
@@ -13,8 +13,7 @@ sun::iptables -t mangle -A PREROUTING -d PH_IP_DAVE10 -j MARK --set-mark 20
 sun::ipsec start
 alice::ipsec start
 venus::ipsec start
-alice::sleep 2
+alice::expect-connection nat-t
 alice::ipsec up nat-t
-venus::sleep 2
+venus::expect-connection nat-t
 venus::ipsec up nat-t
-venus::sleep 2
diff --git a/testing/tests/ikev2/nat-rw-psk/pretest.dat b/testing/tests/ikev2/nat-rw-psk/pretest.dat
index c5d091f..e52bc9d 100644
--- a/testing/tests/ikev2/nat-rw-psk/pretest.dat
+++ b/testing/tests/ikev2/nat-rw-psk/pretest.dat
@@ -9,8 +9,7 @@ sun::rm /etc/ipsec.d/cacerts/*
 sun::ipsec start
 alice::ipsec start
 venus::ipsec start
-alice::sleep 2 
+alice::expect-connection nat-t
 alice::ipsec up nat-t
-venus::sleep 2 
+venus::expect-connection nat-t
 venus::ipsec up nat-t
-venus::sleep 2
diff --git a/testing/tests/ikev2/nat-rw/pretest.dat b/testing/tests/ikev2/nat-rw/pretest.dat
index 12676f7..e3d9fc8 100644
--- a/testing/tests/ikev2/nat-rw/pretest.dat
+++ b/testing/tests/ikev2/nat-rw/pretest.dat
@@ -6,8 +6,7 @@ moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-
 alice::ipsec start
 venus::ipsec start
 sun::ipsec start
-alice::sleep 2
+alice::expect-connection nat-t
 alice::ipsec up nat-t
-venus::sleep 2
+venus::expect-connection nat-t
 venus::ipsec up nat-t
-venus::sleep 2
diff --git a/testing/tests/ikev2/nat-virtual-ip/pretest.dat b/testing/tests/ikev2/nat-virtual-ip/pretest.dat
index 8945d87..1732d6e 100644
--- a/testing/tests/ikev2/nat-virtual-ip/pretest.dat
+++ b/testing/tests/ikev2/nat-virtual-ip/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/ikev2/net2net-ah/pretest.dat b/testing/tests/ikev2/net2net-ah/pretest.dat
index 81a98fa..1732d6e 100644
--- a/testing/tests/ikev2/net2net-ah/pretest.dat
+++ b/testing/tests/ikev2/net2net-ah/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-cert-sha2/pretest.dat b/testing/tests/ikev2/net2net-cert-sha2/pretest.dat
index 81a98fa..1732d6e 100644
--- a/testing/tests/ikev2/net2net-cert-sha2/pretest.dat
+++ b/testing/tests/ikev2/net2net-cert-sha2/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-cert/pretest.dat b/testing/tests/ikev2/net2net-cert/pretest.dat
index c724e5d..1732d6e 100644
--- a/testing/tests/ikev2/net2net-cert/pretest.dat
+++ b/testing/tests/ikev2/net2net-cert/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-dnscert/pretest.dat b/testing/tests/ikev2/net2net-dnscert/pretest.dat
index 0f4ae0f..f2cbf6a 100644
--- a/testing/tests/ikev2/net2net-dnscert/pretest.dat
+++ b/testing/tests/ikev2/net2net-dnscert/pretest.dat
@@ -4,5 +4,5 @@ moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-dnssec/pretest.dat b/testing/tests/ikev2/net2net-dnssec/pretest.dat
index 0f4ae0f..f2cbf6a 100644
--- a/testing/tests/ikev2/net2net-dnssec/pretest.dat
+++ b/testing/tests/ikev2/net2net-dnssec/pretest.dat
@@ -4,5 +4,5 @@ moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-esn/pretest.dat b/testing/tests/ikev2/net2net-esn/pretest.dat
index c724e5d..1732d6e 100644
--- a/testing/tests/ikev2/net2net-esn/pretest.dat
+++ b/testing/tests/ikev2/net2net-esn/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat b/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat
index c724e5d..1732d6e 100644
--- a/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-ntru-cert/pretest.dat b/testing/tests/ikev2/net2net-ntru-cert/pretest.dat
index c724e5d..1732d6e 100644
--- a/testing/tests/ikev2/net2net-ntru-cert/pretest.dat
+++ b/testing/tests/ikev2/net2net-ntru-cert/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-pgp-v3/pretest.dat b/testing/tests/ikev2/net2net-pgp-v3/pretest.dat
index 0f4ae0f..f2cbf6a 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/pretest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v3/pretest.dat
@@ -4,5 +4,5 @@ moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-pgp-v4/pretest.dat b/testing/tests/ikev2/net2net-pgp-v4/pretest.dat
index 0f4ae0f..f2cbf6a 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/pretest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v4/pretest.dat
@@ -4,5 +4,5 @@ moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-pkcs12/pretest.dat b/testing/tests/ikev2/net2net-pkcs12/pretest.dat
index 3492238..fd1ce37 100644
--- a/testing/tests/ikev2/net2net-pkcs12/pretest.dat
+++ b/testing/tests/ikev2/net2net-pkcs12/pretest.dat
@@ -6,5 +6,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-psk-dscp/pretest.dat b/testing/tests/ikev2/net2net-psk-dscp/pretest.dat
index 0495890..ef3eb9e 100644
--- a/testing/tests/ikev2/net2net-psk-dscp/pretest.dat
+++ b/testing/tests/ikev2/net2net-psk-dscp/pretest.dat
@@ -9,9 +9,10 @@ moon::iptables -t mangle -A PREROUTING -m dscp --dscp-class EF -j MARK --set-mar
 bob::iptables -t mangle -A OUTPUT -d PH_IP_ALICE -p icmp -j DSCP --set-dscp-class BE
 bob::iptables -t mangle -A OUTPUT -d PH_IP_VENUS -p icmp -j DSCP --set-dscp-class EF
 sun::iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK --set-mark 10
-sun::iptables -t mangle -A PREROUTING -m dscp --dscp-class EF -j MARK --set-mark 20 
+sun::iptables -t mangle -A PREROUTING -m dscp --dscp-class EF -j MARK --set-mark 20
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection dscp-be
+moon::expect-connection dscp-ef
 moon::ipsec up dscp-be
 moon::ipsec up dscp-ef
diff --git a/testing/tests/ikev2/net2net-psk-fail/pretest.dat b/testing/tests/ikev2/net2net-psk-fail/pretest.dat
index cb92825..f2cbf6a 100644
--- a/testing/tests/ikev2/net2net-psk-fail/pretest.dat
+++ b/testing/tests/ikev2/net2net-psk-fail/pretest.dat
@@ -4,5 +4,5 @@ moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-psk/pretest.dat b/testing/tests/ikev2/net2net-psk/pretest.dat
index cb92825..f2cbf6a 100644
--- a/testing/tests/ikev2/net2net-psk/pretest.dat
+++ b/testing/tests/ikev2/net2net-psk/pretest.dat
@@ -4,5 +4,5 @@ moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-rfc3779/pretest.dat b/testing/tests/ikev2/net2net-rfc3779/pretest.dat
index 9fe2860..1732d6e 100644
--- a/testing/tests/ikev2/net2net-rfc3779/pretest.dat
+++ b/testing/tests/ikev2/net2net-rfc3779/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/ikev2/net2net-route/pretest.dat b/testing/tests/ikev2/net2net-route/pretest.dat
index e4ee3fa..a1c5670 100644
--- a/testing/tests/ikev2/net2net-route/pretest.dat
+++ b/testing/tests/ikev2/net2net-route/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
-alice::ping -c 10 PH_IP_BOB
+moon::expect-connection net-net
+alice::ping -c 3 -W 1 -i 0.2 PH_IP_BOB
diff --git a/testing/tests/ikev2/net2net-rsa/pretest.dat b/testing/tests/ikev2/net2net-rsa/pretest.dat
index 0f4ae0f..f2cbf6a 100644
--- a/testing/tests/ikev2/net2net-rsa/pretest.dat
+++ b/testing/tests/ikev2/net2net-rsa/pretest.dat
@@ -4,5 +4,5 @@ moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-same-nets/pretest.dat b/testing/tests/ikev2/net2net-same-nets/pretest.dat
index c724e5d..1732d6e 100644
--- a/testing/tests/ikev2/net2net-same-nets/pretest.dat
+++ b/testing/tests/ikev2/net2net-same-nets/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-start/pretest.dat b/testing/tests/ikev2/net2net-start/pretest.dat
index 9d23c55..b3f3710 100644
--- a/testing/tests/ikev2/net2net-start/pretest.dat
+++ b/testing/tests/ikev2/net2net-start/pretest.dat
@@ -1,6 +1,5 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 sun::ipsec start
-sun::sleep 2
 moon::ipsec start
-moon::sleep 3 
+moon::sleep 1
diff --git a/testing/tests/ikev2/ocsp-local-cert/pretest.dat b/testing/tests/ikev2/ocsp-local-cert/pretest.dat
index d92333d..3a1982f 100644
--- a/testing/tests/ikev2/ocsp-local-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-local-cert/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/ocsp-multi-level/pretest.dat b/testing/tests/ikev2/ocsp-multi-level/pretest.dat
index 86dd31e..be0051e 100644
--- a/testing/tests/ikev2/ocsp-multi-level/pretest.dat
+++ b/testing/tests/ikev2/ocsp-multi-level/pretest.dat
@@ -1,6 +1,7 @@
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection alice
 carol::ipsec up alice
+dave::expect-connection venus
 dave::ipsec up venus
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat
index afb64c3..6296b4e 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat
@@ -1,5 +1,5 @@
-moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP
+moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j REJECT --reject-with tcp-reset
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/ocsp-revoked/pretest.dat b/testing/tests/ikev2/ocsp-revoked/pretest.dat
index d92333d..3a1982f 100644
--- a/testing/tests/ikev2/ocsp-revoked/pretest.dat
+++ b/testing/tests/ikev2/ocsp-revoked/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/ocsp-root-cert/pretest.dat b/testing/tests/ikev2/ocsp-root-cert/pretest.dat
index d92333d..3a1982f 100644
--- a/testing/tests/ikev2/ocsp-root-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-root-cert/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/ocsp-signer-cert/pretest.dat b/testing/tests/ikev2/ocsp-signer-cert/pretest.dat
index d92333d..3a1982f 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-signer-cert/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
index c31e05e..934df4e 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
@@ -1,5 +1,5 @@
 moon:: cat /var/log/daemon.log::authentication of.*carol.*successful::YES
-moon:: cat /var/log/daemon.log::libcurl http request failed::YES
+moon:: cat /var/log/daemon.log::libcurl request failed::YES
 moon:: cat /var/log/daemon.log::certificate status is not available::YES
 moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED::YES
 moon:: ipsec status 2> /dev/null::ESTABLISHED.*moon.strongswan.org.*carol at strongswan.org::YES
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat
index 86dd31e..be0051e 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat
@@ -1,6 +1,7 @@
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection alice
 carol::ipsec up alice
+dave::expect-connection venus
 dave::ipsec up venus
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/description.txt b/testing/tests/ikev2/ocsp-timeouts-good/description.txt
index 9ee5db9..ad7de9e 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/description.txt
+++ b/testing/tests/ikev2/ocsp-timeouts-good/description.txt
@@ -6,5 +6,5 @@ OCSP server is listening. Thanks to timeouts the connection can nevertheless
 be established successfully by contacting a valid OCSP URI contained in
 <b>carol</b>'s certificate.
 <p>
-As an additional test the OCSP response is delayed by 5 seconds in order to check
+As an additional test the OCSP response is delayed by a few seconds in order to check
 the correct handling of retransmitted IKE_AUTH messages.
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
index f50d5e8..d4e41db 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
@@ -1,9 +1,9 @@
-moon:: cat /var/log/daemon.log::libcurl http request failed::YES
+moon:: cat /var/log/daemon.log::libcurl request failed::YES
 moon:: cat /var/log/daemon.log::ocsp request to.*ocsp2.strongswan.org:8880.*failed::YES
 moon:: cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES
 moon:: cat /var/log/daemon.log::ocsp response is valid::YES
 moon:: cat /var/log/daemon.log::certificate status is good::YES
-carol::cat /var/log/daemon.log::libcurl http request failed::YES
+carol::cat /var/log/daemon.log::libcurl request failed::YES
 carol::cat /var/log/daemon.log::ocsp request to.*bob.strongswan.org:8800.*failed::YES
 carol::cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES
 carol::cat /var/log/daemon.log::ocsp response is valid::YES
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index aa70321..46a716f 100755
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -6,7 +6,7 @@ echo "Content-type: application/ocsp-response"
 echo ""
 
 # simulate a delayed response
-sleep 5
+sleep 2
 
 cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
 	-rkey ocspKey.pem -rsigner ocspCert.pem \
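Review bot: With `sleep 2` the delayed OCSP response only provokes an IKE_AUTH retransmit if the initiator's first retransmit timeout is shorter than two seconds, and nothing in this hunk or in the visible evaltest.dat lines pins that. The description says the delay exists to check the handling of retransmitted IKE_AUTH messages, so the test could keep passing without ever exercising that path. I would state the dependency next to the delay, e.g. `# must exceed charon.retransmit_timeout of the test hosts, otherwise no IKE_AUTH retransmit occurs`, and consider asserting on a retransmit log line in evaltest.dat. The openssl ocsp command continues outside the hunk.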
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/pretest.dat b/testing/tests/ikev2/ocsp-timeouts-good/pretest.dat
index d92333d..3a1982f 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/pretest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-good/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
index 7c0a9a5..cb7997f 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
@@ -1,4 +1,4 @@
-moon:: cat /var/log/daemon.log::libcurl http request failed::YES
+moon:: cat /var/log/daemon.log::libcurl request failed::YES
 moon:: cat /var/log/daemon.log::certificate status is not available::YES
 moon:: cat /var/log/daemon.log::constraint check failed::YES
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED::YES
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/pretest.dat b/testing/tests/ikev2/ocsp-timeouts-unknown/pretest.dat
index 7d9d600..a43ba35 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/pretest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/pretest.dat
@@ -1,6 +1,6 @@
-moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP
-carol::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP
+moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j REJECT --reject-with tcp-reset
+carol::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j REJECT --reject-with tcp-reset
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
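Review bot: Replacing `-j DROP` with `-j REJECT --reject-with tcp-reset` on both hosts makes the fetch to PH_IP_WINNETOU fail immediately on a reset instead of running into a timeout, so a test named ocsp-timeouts-unknown appears to no longer cover a silently black-holed responder. The evaltest still expects `libcurl request failed` and `certificate status is not available`, which a refused connection satisfies just as well. Failing closed when the status fetch hangs is the more security-relevant path, so I would keep one DROP-based case or say in description.txt that only the connection-refused path is covered. The same rule change is made in ocsp-no-signer-cert and ocsp-untrusted-cert, where it looks like a pure speed-up.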
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
index afb64c3..6296b4e 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
@@ -1,5 +1,5 @@
-moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP
+moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j REJECT --reject-with tcp-reset
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/protoport-dual/pretest.dat b/testing/tests/ikev2/protoport-dual/pretest.dat
index efb2e57..4759fdb 100644
--- a/testing/tests/ikev2/protoport-dual/pretest.dat
+++ b/testing/tests/ikev2/protoport-dual/pretest.dat
@@ -2,6 +2,7 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home-icmp
+carol::expect-connection home-ssh
 carol::ipsec up home-icmp
 carol::ipsec up home-ssh
diff --git a/testing/tests/ikev2/protoport-route/pretest.dat b/testing/tests/ikev2/protoport-route/pretest.dat
index 5a15574..433d0cf 100644
--- a/testing/tests/ikev2/protoport-route/pretest.dat
+++ b/testing/tests/ikev2/protoport-route/pretest.dat
@@ -2,7 +2,7 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home-icmp
+carol::expect-connection home-ssh
 carol::ssh PH_IP_ALICE hostname
-carol::ping -c 1 PH_IP_ALICE > /dev/null
-carol::sleep 2
+carol::ping -W 1 -c 1 PH_IP_ALICE > /dev/null
diff --git a/testing/tests/ikev2/reauth-early/pretest.dat b/testing/tests/ikev2/reauth-early/pretest.dat
index 153ea7c..d3ce70e 100644
--- a/testing/tests/ikev2/reauth-early/pretest.dat
+++ b/testing/tests/ikev2/reauth-early/pretest.dat
@@ -2,6 +2,6 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
 carol::sleep 30
diff --git a/testing/tests/ikev2/reauth-late/pretest.dat b/testing/tests/ikev2/reauth-late/pretest.dat
index 153ea7c..d3ce70e 100644
--- a/testing/tests/ikev2/reauth-late/pretest.dat
+++ b/testing/tests/ikev2/reauth-late/pretest.dat
@@ -2,6 +2,6 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
 carol::sleep 30
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat
index baacc16..de4acbb 100644
--- a/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/reauth-mbb/pretest.dat b/testing/tests/ikev2/reauth-mbb/pretest.dat
index baacc16..de4acbb 100644
--- a/testing/tests/ikev2/reauth-mbb/pretest.dat
+++ b/testing/tests/ikev2/reauth-mbb/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index d1eb770..646bcee 100644
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = test-vectors aes des sha1 sha2 sha3 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 
   integrity_test = yes
   crypto_test {
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index d1eb770..646bcee 100644
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = test-vectors aes des sha1 sha2 sha3 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 
   integrity_test = yes
   crypto_test {
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index d1eb770..646bcee 100644
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = test-vectors aes des sha1 sha2 sha3 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 
   integrity_test = yes
   crypto_test {
diff --git a/testing/tests/ikev2/rw-cert/pretest.dat b/testing/tests/ikev2/rw-cert/pretest.dat
index c582e03..e87a8ee 100644
--- a/testing/tests/ikev2/rw-cert/pretest.dat
+++ b/testing/tests/ikev2/rw-cert/pretest.dat
@@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 3
+moon::expect-connection rw
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-dnssec/pretest.dat b/testing/tests/ikev2/rw-dnssec/pretest.dat
index 40eaede..e827687 100644
--- a/testing/tests/ikev2/rw-dnssec/pretest.dat
+++ b/testing/tests/ikev2/rw-dnssec/pretest.dat
@@ -7,7 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/*
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2 
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat
index 388339f..de4acbb 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat
index 388339f..de4acbb 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-dynamic/pretest.dat b/testing/tests/ikev2/rw-eap-dynamic/pretest.dat
index 17f1b5f..a55cf37 100644
--- a/testing/tests/ikev2/rw-eap-dynamic/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-dynamic/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
index 698a719..98bf0b1 100644
--- a/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
@@ -5,7 +5,7 @@ alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
-carol::ipsec up home 
-dave::ipsec up home 
-dave::sleep 1
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
index a2704e8..8893e01 100644
--- a/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
@@ -5,9 +5,11 @@ alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection alice
+carol::expect-connection venus
 carol::ipsec up alice
 carol::ipsec up venus
+dave::expect-connection alice
+dave::expect-connection venus
 dave::ipsec up alice
 dave::ipsec up venus
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat
index 180537f..d44910d 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat
@@ -2,7 +2,6 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec stroke user-creds home carol "Ar3etTnp"
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
index 9adc43d..c65fbda 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
@@ -3,6 +3,5 @@ carol::iptables-restore < /etc/iptables.rules
 alice::radiusd
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
index 9adc43d..c65fbda 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
@@ -3,6 +3,5 @@ carol::iptables-restore < /etc/iptables.rules
 alice::radiusd
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
index 388339f..de4acbb 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat
index 388339f..de4acbb 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
index 17f1b5f..a55cf37 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
index 17f1b5f..a55cf37 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
index 3e7fc0b..98bf0b1 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
@@ -5,7 +5,7 @@ alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
index f8a9cc8..fa11647 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
@@ -5,6 +5,5 @@ carol::cat /etc/ipsec.d/triplets.dat
 alice::radiusd
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
index f434ddf..4f8f728 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
@@ -12,4 +12,4 @@ moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave at strongsw
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave at strongswan.org::NO
 dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
index 0e9e46b..a204f88 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
@@ -11,7 +11,7 @@ alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
index a514f48..01aed24 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
@@ -12,4 +12,4 @@ moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave at strongsw
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave at strongswan.org::NO
 dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
index 57c9f11..fdb50fc 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
@@ -11,7 +11,7 @@ alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat
index ae464b5..3e05e4e 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat
@@ -4,6 +4,5 @@ moon::cat /etc/ipsec.d/triplets.dat
 carol::cat /etc/ipsec.d/triplets.dat
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
index 3d680ab..7ed2021 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
@@ -4,6 +4,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
index 388339f..de4acbb 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
index 9adc43d..c65fbda 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
@@ -3,6 +3,5 @@ carol::iptables-restore < /etc/iptables.rules
 alice::radiusd
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
index 589d478..a55cf37 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 2
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
index 17f1b5f..a55cf37 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
index 3e7fc0b..98bf0b1 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
@@ -5,7 +5,7 @@ alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-hash-and-url/pretest.dat b/testing/tests/ikev2/rw-hash-and-url/pretest.dat
index 8bbea14..a55cf37 100644
--- a/testing/tests/ikev2/rw-hash-and-url/pretest.dat
+++ b/testing/tests/ikev2/rw-hash-and-url/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
index 2b80853..094e0ef 100644
--- a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,4 @@
 
 charon {
   load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
-
-  retransmit_timeout = 2
-  retransmit_base = 1.5
-  retransmit_tries = 3 
 }
diff --git a/testing/tests/ikev2/rw-initiator-only/pretest.dat b/testing/tests/ikev2/rw-initiator-only/pretest.dat
index fc71734..4660c29 100644
--- a/testing/tests/ikev2/rw-initiator-only/pretest.dat
+++ b/testing/tests/ikev2/rw-initiator-only/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection peer
 dave::ipsec up peer
+carol::expect-connection home
 carol::ipsec up home
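Review bot: `carol::expect-connection peer` waits on carol for a connection that dave then initiates with `dave::ipsec up peer`, whereas every other pretest.dat changed in this commit waits on the host that runs `ipsec up`. If carol's ipsec.conf has no conn named peer (not visible here), the wait cannot succeed, and dave may still be brought up before its own configuration is loaded. I would change the line to `dave::expect-connection peer`.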
diff --git a/testing/tests/ikev2/rw-mark-in-out/pretest.dat b/testing/tests/ikev2/rw-mark-in-out/pretest.dat
index 8e9dd2f..7288314 100644
--- a/testing/tests/ikev2/rw-mark-in-out/pretest.dat
+++ b/testing/tests/ikev2/rw-mark-in-out/pretest.dat
@@ -1,8 +1,8 @@
 alice::iptables-restore < /etc/iptables.rules
 venus::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON 
-sun::ip route add 10.1.0.0/16 via PH_IP_MOON 
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
+sun::ip route add 10.1.0.0/16 via PH_IP_MOON
 sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to PH_IP_CAROL10
 sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to PH_IP_DAVE10
 sun::iptables -t mangle -A PREROUTING -d PH_IP_CAROL10 -j MARK --set-mark 11
@@ -10,8 +10,7 @@ sun::iptables -t mangle -A PREROUTING -d PH_IP_DAVE10 -j MARK --set-mark 21
 alice::ipsec start
 venus::ipsec start
 sun::ipsec start
-alice::sleep 2 
-alice::ipsec up home 
-venus::sleep 2 
+alice::expect-connection home
+alice::ipsec up home
+venus::expect-connection home
 venus::ipsec up home
-venus::sleep 2
diff --git a/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat b/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat
index 5a88b66..72f3a0e 100644
--- a/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat
+++ b/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat
@@ -1,15 +1,15 @@
-carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA512 successful::YES
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES
 carol::ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol at strongswan.org.*moon.strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA512 successful::YES
+dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES
 dave:: ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave at strongswan.org.*moon.strongswan.org::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol at strongswan.org.*with BLISS_WITH_SHA256 successful::YES
-moon:: cat /var/log/daemon.log::authentication of.*dave at strongswan.org.*with BLISS_WITH_SHA384 successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol at strongswan.org.*with BLISS_WITH_SHA2_256 successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave at strongswan.org.*with BLISS_WITH_SHA2_384 successful::YES
 moon:: ipsec statusall 2> /dev/null::rw\[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
 moon:: ipsec statusall 2> /dev/null::rw\[2]: IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
 moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol at strongswan.org::YES
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf
index f13e47a..647a47f 100644
--- a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf
@@ -1,6 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
+	strictcrlpolicy=yes
 
 conn %default
 	ikelifetime=60m
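Review bot: `strictcrlpolicy=yes` is added under `config setup` without a comment, and with it authentication in this test fails whenever a valid CRL cannot be obtained, so the scenario now depends on the CRL distribution point being reachable. A one-line comment such as `# require a valid CRL for peer authentication` would record that intent. None of the evaltest.dat lines visible in this commit check the revocation step itself, so a CRL fetch problem would presumably surface only as a failed authentication; the evaltest hunk may not show the whole file. The dave and moon ipsec.conf hunks make the same change.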
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
index ab824c9..c47ca80 100644
--- a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+  load = aes sha1 sha2 sha3 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
   fragment_size = 1500
 }
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf
index 5f605a4..e778604 100644
--- a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf
@@ -1,6 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
+	strictcrlpolicy=yes
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
index ab824c9..c47ca80 100644
--- a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+  load = aes sha1 sha2 sha3 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
   fragment_size = 1500
 }
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf
index 2a9b33a..e5c2bf8 100644
--- a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf
@@ -1,6 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
+	strictcrlpolicy=yes
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
index ab824c9..c47ca80 100644
--- a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+  load = aes sha1 sha2 sha3 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
   fragment_size = 1500
 }
diff --git a/testing/tests/ikev2/rw-ntru-bliss/pretest.dat b/testing/tests/ikev2/rw-ntru-bliss/pretest.dat
index 2424943..c0f963d 100644
--- a/testing/tests/ikev2/rw-ntru-bliss/pretest.dat
+++ b/testing/tests/ikev2/rw-ntru-bliss/pretest.dat
@@ -7,7 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/strongswanCert.pem
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2 
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-ntru-psk/pretest.dat b/testing/tests/ikev2/rw-ntru-psk/pretest.dat
index 40eaede..e827687 100644
--- a/testing/tests/ikev2/rw-ntru-psk/pretest.dat
+++ b/testing/tests/ikev2/rw-ntru-psk/pretest.dat
@@ -7,7 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/*
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2 
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-pkcs8/pretest.dat b/testing/tests/ikev2/rw-pkcs8/pretest.dat
index 8bbea14..a55cf37 100644
--- a/testing/tests/ikev2/rw-pkcs8/pretest.dat
+++ b/testing/tests/ikev2/rw-pkcs8/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-psk-fqdn/pretest.dat b/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
index 64ce593..ab5e18d 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
@@ -7,6 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-psk-ipv4/pretest.dat b/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
index 64ce593..ab5e18d 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
@@ -7,6 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-psk-no-idr/pretest.dat b/testing/tests/ikev2/rw-psk-no-idr/pretest.dat
index 64ce593..ab5e18d 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-no-idr/pretest.dat
@@ -7,6 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat
index 446f814..08b891a 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat
@@ -5,6 +5,7 @@ carol::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat b/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat
index 8bbea14..a55cf37 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-radius-accounting/pretest.dat b/testing/tests/ikev2/rw-radius-accounting/pretest.dat
index 9f437fe..d262296 100644
--- a/testing/tests/ikev2/rw-radius-accounting/pretest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/pretest.dat
@@ -4,6 +4,5 @@ alice::rm /var/log/freeradius/radacct/PH_IP_MOON1/*
 alice::radiusd
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-sig-auth/pretest.dat b/testing/tests/ikev2/rw-sig-auth/pretest.dat
index bec31cc..9c26ea1 100644
--- a/testing/tests/ikev2/rw-sig-auth/pretest.dat
+++ b/testing/tests/ikev2/rw-sig-auth/pretest.dat
@@ -4,9 +4,11 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection alice
+carol::expect-connection venus
 carol::ipsec up alice
 carol::ipsec up venus
+dave::expect-connection alice
+dave::expect-connection venus
 dave::ipsec up alice
 dave::ipsec up venus
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-whitelist/evaltest.dat b/testing/tests/ikev2/rw-whitelist/evaltest.dat
index 3522c3d..a9917bc 100644
--- a/testing/tests/ikev2/rw-whitelist/evaltest.dat
+++ b/testing/tests/ikev2/rw-whitelist/evaltest.dat
@@ -6,7 +6,7 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: cat /var/log/daemon.log:: received AUTHENTICATION_FAILED notify error::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED::NO
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol at strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*dave at strongswan.org::NO
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/strong-keys-certs/pretest.dat b/testing/tests/ikev2/strong-keys-certs/pretest.dat
index dea5fc1..a55cf37 100644
--- a/testing/tests/ikev2/strong-keys-certs/pretest.dat
+++ b/testing/tests/ikev2/strong-keys-certs/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1 
diff --git a/testing/tests/ikev2/trap-any/evaltest.dat b/testing/tests/ikev2/trap-any/evaltest.dat
index bcba9ef..b62e890 100644
--- a/testing/tests/ikev2/trap-any/evaltest.dat
+++ b/testing/tests/ikev2/trap-any/evaltest.dat
@@ -1,8 +1,8 @@
-moon::ping -c 2 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES
-moon::ping -c 2 -W 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES
-sun::ping -c 2 -W 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES
-dave::ping -c 2 -W 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=2::YES
-dave::ping -c 2 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES
+moon::ping -c 2 -W 1 -i 0.2 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES
+moon::ping -c 2 -W 1 -i 0.2 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES
+sun::ping -c 2 -W 1 -i 0.2 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES
+dave::ping -c 2 -W 1 -i 0.2 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=2::YES
+dave::ping -c 2 -W 1 -i 0.2 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES
 dave::ping -c 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=1::YES
 moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_SUN::YES
 moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_CAROL::YES
diff --git a/testing/tests/ikev2/two-certs/pretest.dat b/testing/tests/ikev2/two-certs/pretest.dat
index fe2aaec..5936eda 100644
--- a/testing/tests/ikev2/two-certs/pretest.dat
+++ b/testing/tests/ikev2/two-certs/pretest.dat
@@ -2,7 +2,7 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection alice
+carol::expect-connection venus
 carol::ipsec up alice
 carol::ipsec up venus
-carol::sleep 1
diff --git a/testing/tests/ikev2/virtual-ip-override/pretest.dat b/testing/tests/ikev2/virtual-ip-override/pretest.dat
index 1765a83..2d09e88 100644
--- a/testing/tests/ikev2/virtual-ip-override/pretest.dat
+++ b/testing/tests/ikev2/virtual-ip-override/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/virtual-ip/pretest.dat b/testing/tests/ikev2/virtual-ip/pretest.dat
index 1765a83..2d09e88 100644
--- a/testing/tests/ikev2/virtual-ip/pretest.dat
+++ b/testing/tests/ikev2/virtual-ip/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/wildcards/pretest.dat b/testing/tests/ikev2/wildcards/pretest.dat
index 3c4832e..2134d6b 100644
--- a/testing/tests/ikev2/wildcards/pretest.dat
+++ b/testing/tests/ikev2/wildcards/pretest.dat
@@ -1,8 +1,11 @@
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 1 
+carol::expect-connection alice
+carol::expect-connection venus
 carol::ipsec up alice
 carol::ipsec up venus
+dave::expect-connection alice
+dave::expect-connection venus
 dave::ipsec up venus
 dave::ipsec up alice
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf
index 8e6478c..f64bc23 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf
@@ -5,7 +5,7 @@ config setup
 ca strongswan
 	cacert=strongswanCert.pem
 	certuribase=http://ip6-winnetou.strongswan.org/certs/
-	crluri=http://ip6-winnetou.org/strongswan.crl
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
 	auto=add
 
 conn %default
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf
index a880b12..e739fc8 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf
@@ -5,7 +5,7 @@ config setup
 ca strongswan
 	cacert=strongswanCert.pem
 	certuribase=http://ip6-winnetou.strongswan.org/certs/
-	crluri=http://ip6-winnetou.org/strongswan.crl
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
 	auto=add
 
 conn %default
diff --git a/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat b/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat
index 0a0b1a7..8229b62 100644
--- a/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat
@@ -8,6 +8,7 @@ moon:: ip xfrm state::proto comp spi::YES
 carol::ip xfrm state::proto comp spi::YES
 # send two pings because the first is lost due to Path MTU Discovery between alice and moon
 carol::ping6 -c 2 -W 1 -s 8184 -p deadbeef ip6-alice.strongswan.org::8192 bytes from ip6-alice.strongswan.org::YES
-carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org::YES
+# reduce the size as the default is already larger than the threshold of 90 bytes
+carol::ping6 -c 1 -s 40 ip6-alice.strongswan.org::48 bytes from ip6-alice.strongswan.org::YES
 moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
diff --git a/testing/tests/libipsec/host2host-cert/pretest.dat b/testing/tests/libipsec/host2host-cert/pretest.dat
index d8d30af..b095bf5 100644
--- a/testing/tests/libipsec/host2host-cert/pretest.dat
+++ b/testing/tests/libipsec/host2host-cert/pretest.dat
@@ -4,5 +4,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection host-host
 moon::ipsec up host-host
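Review bot: Only the initiator is waited for here: `moon::expect-connection host-host` precedes `moon::ipsec up host-host`, but sun, which is started last and acts as responder, gets no equivalent check. The removed `sleep 1` gave both daemons time; assuming expect-connection polls only the named host, the initiation can now reach sun before its configuration is loaded, and the test fails intermittently. Adding `sun::expect-connection host-host` before the moon wait would close that gap, as the rw-suite-b hunk in this commit does with `moon::expect-connection rw`. The same applies to the net2net-3des, net2net-cert and net2net-null pretest.dat hunks, with `sun::expect-connection net-net`.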
diff --git a/testing/tests/libipsec/net2net-3des/pretest.dat b/testing/tests/libipsec/net2net-3des/pretest.dat
index c724e5d..1732d6e 100644
--- a/testing/tests/libipsec/net2net-3des/pretest.dat
+++ b/testing/tests/libipsec/net2net-3des/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/libipsec/net2net-cert/pretest.dat b/testing/tests/libipsec/net2net-cert/pretest.dat
index c724e5d..1732d6e 100644
--- a/testing/tests/libipsec/net2net-cert/pretest.dat
+++ b/testing/tests/libipsec/net2net-cert/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/libipsec/net2net-null/description.txt b/testing/tests/libipsec/net2net-null/description.txt
new file mode 100644
index 0000000..d8f019d
--- /dev/null
+++ b/testing/tests/libipsec/net2net-null/description.txt
@@ -0,0 +1,11 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> and the <b>kernel-libipsec</b>
+plugin is used for userland IPsec ESP encryption. The negotiated encryption and authentication
+algorithms are <b>NULL</b> and <b>SHA-256</b>, respectively.<br/>
+Just by way of example, <b>NULL</b> encryption is also configured for the IKEv2 connection,
+using the NULL-crypter provided by the OpenSSL library.
+<p/>
+Upon the successful establishment of the IPsec tunnel, an updown script automatically
+inserts iptables-based firewall rules that let pass the traffic tunneled via the
+<b>ipsec0</b> tun interface. In order to test both tunnel and firewall, client <b>alice</b>
+behind gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/libipsec/net2net-null/evaltest.dat b/testing/tests/libipsec/net2net-null/evaltest.dat
new file mode 100644
index 0000000..e455a36
--- /dev/null
+++ b/testing/tests/libipsec/net2net-null/evaltest.dat
@@ -0,0 +1,11 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+sun:: ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::ipsec statusall 2> /dev/null::net-net[{]1}.*NULL/HMAC_SHA2_256::YES
+sun:: ipsec statusall 2> /dev/null::net-net[{]1}.*NULL/HMAC_SHA2_256::YES
+sun::tcpdump::IP moon.strongswan.org.4500 > sun.strongswan.org.4500: UDP-encap: ESP::YES
+sun::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES
diff --git a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf
similarity index 56%
copy from testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
copy to testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf
index 83f2849..4ecfb0e 100644
--- a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf
@@ -7,16 +7,18 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
-	dpdaction=clear
-	dpddelay=10
-	dpdtimeout=45
+	keyexchange=ikev2
+	ike=null-sha256-modp2048!
+	esp=null-sha256-modp2048!
+	mobike=no
 
-conn rw
+conn net-net
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol at strongswan.org
+	leftupdown=/etc/updown
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
 	auto=add
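Review bot: The `ike=null-sha256-modp2048!` and `esp=null-sha256-modp2048!` lines carry no comment, and the trailing `!` makes NULL encryption the only proposal accepted, so both the IKE exchange and the tunnelled traffic are integrity-protected but readable on the wire. That is the purpose of this test according to description.txt, but test configurations are often copied as templates; a comment above the two lines such as `# TEST ONLY: NULL cipher, integrity without confidentiality` would make that explicit. The sun ipsec.conf hunk of the same test has the same two lines and wants the same comment.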
diff --git a/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000..c283474
--- /dev/null
+++ b/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = pem pkcs1 random nonce revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/src/_updown/_updown.in b/testing/tests/libipsec/net2net-null/hosts/moon/etc/updown
old mode 100644
new mode 100755
similarity index 96%
copy from src/_updown/_updown.in
copy to testing/tests/libipsec/net2net-null/hosts/moon/etc/updown
index 6e7abca..61f6531
--- a/src/_updown/_updown.in
+++ b/testing/tests/libipsec/net2net-null/hosts/moon/etc/updown
@@ -131,7 +131,7 @@
 #
 
 # define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
 export PATH
 
 # comment to disable logging VPN connections to syslog
@@ -231,10 +231,24 @@ down-host:)
 up-client:)
 	# connection to my client subnet coming up
 	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
 	;;
 down-client:)
 	# connection to my client subnet going down
 	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
 	;;
 up-host:iptables)
 	# connection to me, with (left/right)firewall=yes, coming up
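Review bot: The added iptables calls in `up-client:` and `down-client:` expand `$PLUTO_MY_CLIENT`, `$PLUTO_PEER_CLIENT` and the protocol variables unquoted, so an empty or whitespace-containing value changes the argument list instead of failing cleanly. Quote the single-valued ones, e.g. `-s "$PLUTO_MY_CLIENT" $S_MY_PORT \`, and leave `$S_MY_PORT` and `$D_PEER_PORT` unquoted, since they presumably expand to zero or two words (their definition is outside the hunk). `PLUTO_INTERFACE=ipsec0` also overrides the value passed in by the daemon without explanation; a comment like `# kernel-libipsec traffic passes through the ipsec0 tun device` would say why. The case statement starts and ends outside the hunk, and the sun updown copy contains the identical hunk.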
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf
similarity index 57%
copy from testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf
copy to testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf
index a880b12..95ea20d 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf
@@ -2,30 +2,23 @@
 
 config setup
 
-ca strongswan
-	cacert=strongswanCert.pem
-	certuribase=http://ip6-winnetou.strongswan.org/certs/
-	crluri=http://ip6-winnetou.org/strongswan.crl
-	auto=add
-
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
+	ike=null-sha256-modp2048!
+	esp=null-sha256-modp2048!
 	mobike=no
 
 conn net-net
-	also=host-host
-	leftsubnet=10.2.0.0/16
-	rightsubnet=10.1.0.0/16
-
-conn host-host
-	left=PH_IP6_SUN
+	left=PH_IP_SUN
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
-	leftfirewall=yes
-	right=PH_IP6_MOON
+	leftsubnet=10.2.0.0/16
+	leftupdown=/etc/updown
+	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf
new file mode 100644
index 0000000..c283474
--- /dev/null
+++ b/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = pem pkcs1 random nonce revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/src/_updown/_updown.in b/testing/tests/libipsec/net2net-null/hosts/sun/etc/updown
old mode 100644
new mode 100755
similarity index 96%
copy from src/_updown/_updown.in
copy to testing/tests/libipsec/net2net-null/hosts/sun/etc/updown
index 6e7abca..61f6531
--- a/src/_updown/_updown.in
+++ b/testing/tests/libipsec/net2net-null/hosts/sun/etc/updown
@@ -131,7 +131,7 @@
 #
 
 # define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
 export PATH
 
 # comment to disable logging VPN connections to syslog
@@ -231,10 +231,24 @@ down-host:)
 up-client:)
 	# connection to my client subnet coming up
 	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
 	;;
 down-client:)
 	# connection to my client subnet going down
 	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
 	;;
 up-host:iptables)
 	# connection to me, with (left/right)firewall=yes, coming up
diff --git a/testing/tests/sql/net2net-start-pem/posttest.dat b/testing/tests/libipsec/net2net-null/posttest.dat
similarity index 67%
copy from testing/tests/sql/net2net-start-pem/posttest.dat
copy to testing/tests/libipsec/net2net-null/posttest.dat
index 329a572..1f7aa73 100644
--- a/testing/tests/sql/net2net-start-pem/posttest.dat
+++ b/testing/tests/libipsec/net2net-null/posttest.dat
@@ -2,5 +2,3 @@ moon::ipsec stop
 sun::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.*
-sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev1/net2net-ah/pretest.dat b/testing/tests/libipsec/net2net-null/pretest.dat
similarity index 82%
copy from testing/tests/ikev1/net2net-ah/pretest.dat
copy to testing/tests/libipsec/net2net-null/pretest.dat
index 81a98fa..1732d6e 100644
--- a/testing/tests/ikev1/net2net-ah/pretest.dat
+++ b/testing/tests/libipsec/net2net-null/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/sql/net2net-cert/test.conf b/testing/tests/libipsec/net2net-null/test.conf
similarity index 100%
copy from testing/tests/sql/net2net-cert/test.conf
copy to testing/tests/libipsec/net2net-null/test.conf
diff --git a/testing/tests/libipsec/rw-suite-b/pretest.dat b/testing/tests/libipsec/rw-suite-b/pretest.dat
index 8bbea14..e87a8ee 100644
--- a/testing/tests/libipsec/rw-suite-b/pretest.dat
+++ b/testing/tests/libipsec/rw-suite-b/pretest.dat
@@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
index 388339f..de4acbb 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
index 8bbea14..a55cf37 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
index 8bbea14..a55cf37 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
index 8bbea14..a55cf37 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat
index 972d930..a55cf37 100644
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
index 8bbea14..a55cf37 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
index 886fdf5..de4acbb 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat
index 8bbea14..a55cf37 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat
index 8bbea14..a55cf37 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
index 8bbea14..a55cf37 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
index 8bbea14..a55cf37 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/critical-extension/pretest.dat b/testing/tests/openssl-ikev2/critical-extension/pretest.dat
index c724e5d..1732d6e 100644
--- a/testing/tests/openssl-ikev2/critical-extension/pretest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
index 8bbea14..a55cf37 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
index 8bbea14..a55cf37 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat
index 0f4ae0f..f2cbf6a 100644
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat
@@ -4,5 +4,5 @@ moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat
index 3492238..fd1ce37 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat
@@ -6,5 +6,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/openssl-ikev2/rw-cert/pretest.dat b/testing/tests/openssl-ikev2/rw-cert/pretest.dat
index c582e03..974c225 100644
--- a/testing/tests/openssl-ikev2/rw-cert/pretest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/pretest.dat
@@ -4,6 +4,9 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 3
+# moon runs crypto tests, so make sure it is ready
+moon::expect-connection rw
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
index 388339f..de4acbb 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
index 7f06388..d117a30 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
@@ -3,9 +3,6 @@
 charon {
   load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default
 
-  retransmit_timeout = 2
-  retransmit_base = 1.5
-  retransmit_tries = 3
   initiator_only = yes
   integrity_test = yes
 
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat
index b939394..290f57e 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat
@@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 3
+moon::expect-connection rw
+dave::expect-connection peer
 dave::ipsec up peer
+carol::expect-connection home
 carol::ipsec up home
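Review bot: The added `moon::expect-connection rw` has no explanation here, while the same line in openssl-ikev2/rw-cert/pretest.dat is preceded by a comment. Without it, a reader cannot tell why the responder is waited for in this test but not in most other rw scenarios in the commit. If the reason is the same, I would repeat the comment above the line: `# moon runs crypto tests, so make sure it is ready`. The same applies to the `moon::expect-connection rw` lines added in openssl-ikev2/rw-suite-b-192/pretest.dat and pfkey/rw-cert/pretest.dat, with the wording adjusted if moon is slow to start there for a different reason.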
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf
index 7f06388..d117a30 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf
@@ -3,9 +3,6 @@
 charon {
   load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default
 
-  retransmit_timeout = 2
-  retransmit_base = 1.5
-  retransmit_tries = 3
   initiator_only = yes
   integrity_test = yes
 
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat
index b939394..290f57e 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat
@@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 3
+moon::expect-connection rw
+dave::expect-connection peer
 dave::ipsec up peer
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/p2pnat/behind-same-nat/pretest.dat b/testing/tests/p2pnat/behind-same-nat/pretest.dat
index eb1d67f..6d92170 100644
--- a/testing/tests/p2pnat/behind-same-nat/pretest.dat
+++ b/testing/tests/p2pnat/behind-same-nat/pretest.dat
@@ -7,8 +7,8 @@ moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-
 moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16  -j ACCEPT
 moon::iptables -A FORWARD -i eth0 -o eth1 -d 10.1.0.0/16  -j ACCEPT
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection medsrv
 alice::ipsec start
 alice::sleep 1
 venus::ipsec start
-venus::sleep 4
+venus::sleep 2
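Review bot: Two fixed sleeps remain in this pretest (`alice::sleep 1` and the new `venus::sleep 2`), so the start-up race that `carol::expect-connection medsrv` closes for carol is still open for alice and venus, and the venus wait is now half as long as before. If those hosts load a named connection, waiting for it would be more robust, e.g. `alice::expect-connection <conn-name>` (placeholder, since their connection names are not visible in this hunk). If the last sleep instead waits for the mediated connection to establish, a comment such as `# give the mediated connection time to come up` would explain why it cannot be replaced. p2pnat/medsrv-psk/pretest.dat has the same pattern with `bob::sleep 1` and `alice::sleep 2`.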
diff --git a/testing/tests/p2pnat/medsrv-psk/pretest.dat b/testing/tests/p2pnat/medsrv-psk/pretest.dat
index 09b6583..9505200 100644
--- a/testing/tests/p2pnat/medsrv-psk/pretest.dat
+++ b/testing/tests/p2pnat/medsrv-psk/pretest.dat
@@ -12,8 +12,8 @@ sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-s
 sun::iptables -A FORWARD -i eth1 -o eth0 -s 10.2.0.0/16 -j ACCEPT
 sun::iptables -A FORWARD -i eth0 -o eth1 -d 10.2.0.0/16 -j ACCEPT
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection medsrv
 bob::ipsec start
 bob::sleep 1
 alice::ipsec start
-alice::sleep 4
+alice::sleep 2
diff --git a/testing/tests/pfkey/alg-aes-xcbc/pretest.dat b/testing/tests/pfkey/alg-aes-xcbc/pretest.dat
index 4fc2577..de4acbb 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/pretest.dat
+++ b/testing/tests/pfkey/alg-aes-xcbc/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/pfkey/alg-sha384/pretest.dat b/testing/tests/pfkey/alg-sha384/pretest.dat
index 4fc2577..de4acbb 100644
--- a/testing/tests/pfkey/alg-sha384/pretest.dat
+++ b/testing/tests/pfkey/alg-sha384/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/pfkey/alg-sha512/pretest.dat b/testing/tests/pfkey/alg-sha512/pretest.dat
index 4fc2577..de4acbb 100644
--- a/testing/tests/pfkey/alg-sha512/pretest.dat
+++ b/testing/tests/pfkey/alg-sha512/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/pfkey/compress/pretest.dat b/testing/tests/pfkey/compress/pretest.dat
index 29a9035..1fd37b6 100644
--- a/testing/tests/pfkey/compress/pretest.dat
+++ b/testing/tests/pfkey/compress/pretest.dat
@@ -2,5 +2,5 @@ carol::iptables-restore < /etc/iptables.rules
 moon::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/pfkey/esp-alg-null/pretest.dat b/testing/tests/pfkey/esp-alg-null/pretest.dat
index 4fc2577..de4acbb 100644
--- a/testing/tests/pfkey/esp-alg-null/pretest.dat
+++ b/testing/tests/pfkey/esp-alg-null/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/pfkey/host2host-transport/pretest.dat b/testing/tests/pfkey/host2host-transport/pretest.dat
index 99789b9..997a481 100644
--- a/testing/tests/pfkey/host2host-transport/pretest.dat
+++ b/testing/tests/pfkey/host2host-transport/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::expect-connection host-host
 moon::ipsec up host-host
diff --git a/testing/tests/pfkey/nat-rw/pretest.dat b/testing/tests/pfkey/nat-rw/pretest.dat
index d701a1d..e3d9fc8 100644
--- a/testing/tests/pfkey/nat-rw/pretest.dat
+++ b/testing/tests/pfkey/nat-rw/pretest.dat
@@ -6,8 +6,7 @@ moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-
 alice::ipsec start
 venus::ipsec start
 sun::ipsec start
-alice::sleep 2 
+alice::expect-connection nat-t
 alice::ipsec up nat-t
-venus::sleep 2 
+venus::expect-connection nat-t
 venus::ipsec up nat-t
-venus::sleep 2
diff --git a/testing/tests/pfkey/net2net-route/pretest.dat b/testing/tests/pfkey/net2net-route/pretest.dat
index e4ee3fa..a1c5670 100644
--- a/testing/tests/pfkey/net2net-route/pretest.dat
+++ b/testing/tests/pfkey/net2net-route/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
-alice::ping -c 10 PH_IP_BOB
+moon::expect-connection net-net
+alice::ping -c 3 -W 1 -i 0.2 PH_IP_BOB
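Review bot: The trigger ping `alice::ping -c 3 -W 1 -i 0.2 PH_IP_BOB` now completes in well under two seconds and nothing after it waits for the tunnel, so evaltest may begin while the net-net SA is still being negotiated (presumably this ping is what brings up the routed connection; evaltest.dat is not part of this hunk). If evaltest does not tolerate that, the result depends on how fast the guests are. At minimum I would document the intent above the line: `# trigger the routed net-net connection; the first packets may be lost`. pfkey/protoport-route/pretest.dat has the same shape, where `carol::ping -c 1 -W 1 PH_IP_ALICE` sends a single packet and the trailing `carol::sleep 2` is removed.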
diff --git a/testing/tests/pfkey/protoport-dual/pretest.dat b/testing/tests/pfkey/protoport-dual/pretest.dat
index efb2e57..12112b1 100644
--- a/testing/tests/pfkey/protoport-dual/pretest.dat
+++ b/testing/tests/pfkey/protoport-dual/pretest.dat
@@ -2,6 +2,7 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home-icmp
 carol::ipsec up home-icmp
+carol::expect-connection home-ssh
 carol::ipsec up home-ssh
diff --git a/testing/tests/pfkey/protoport-route/pretest.dat b/testing/tests/pfkey/protoport-route/pretest.dat
index 5a15574..b1bf238 100644
--- a/testing/tests/pfkey/protoport-route/pretest.dat
+++ b/testing/tests/pfkey/protoport-route/pretest.dat
@@ -2,7 +2,7 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home-icmp
+carol::expect-connection home-ssh
 carol::ssh PH_IP_ALICE hostname
-carol::ping -c 1 PH_IP_ALICE > /dev/null
-carol::sleep 2
+carol::ping -c 1 -W 1 PH_IP_ALICE > /dev/null
diff --git a/testing/tests/pfkey/rw-cert/pretest.dat b/testing/tests/pfkey/rw-cert/pretest.dat
index c582e03..e87a8ee 100644
--- a/testing/tests/pfkey/rw-cert/pretest.dat
+++ b/testing/tests/pfkey/rw-cert/pretest.dat
@@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 3
+moon::expect-connection rw
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
index 174f8c2..8b25be7 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
index 174f8c2..8b25be7 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
index 3b720bf..64e7cc7 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
@@ -12,7 +12,7 @@ charon {
 libhydra {
   plugins {
     attr-sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
 }
diff --git a/testing/tests/sql/ip-pool-db-expired/posttest.dat b/testing/tests/sql/ip-pool-db-expired/posttest.dat
index 1b963fc..b757d8b 100644
--- a/testing/tests/sql/ip-pool-db-expired/posttest.dat
+++ b/testing/tests/sql/ip-pool-db-expired/posttest.dat
@@ -4,7 +4,3 @@ moon::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.*
-carol::rm /etc/ipsec.d/ipsec.*
-dave::rm /etc/ipsec.d/ipsec.*
-~
diff --git a/testing/tests/sql/ip-pool-db-expired/pretest.dat b/testing/tests/sql/ip-pool-db-expired/pretest.dat
index 10a51bc..3e1b762 100644
--- a/testing/tests/sql/ip-pool-db-expired/pretest.dat
+++ b/testing/tests/sql/ip-pool-db-expired/pretest.dat
@@ -1,12 +1,12 @@
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --leases 2> /dev/null
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
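Review bot: The database is still built in two steps through an intermediate file, and the second step is a `cat` of a single file into a pipe (`moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db`). Unless something else reads ipsec.sql, the two lines per host can be one: `moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql | sqlite3 /etc/db.d/ipsec.db`. That also leaves one file fewer with the test's configuration data in /etc/db.d. The same lines recur in the pretest.dat of ip-pool-db-restart, ip-pool-db and ip-split-pools-db-restart.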
@@ -14,6 +14,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/sql/ip-pool-db-expired/test.conf b/testing/tests/sql/ip-pool-db-expired/test.conf
index 9b1ec0b..450100f 100644
--- a/testing/tests/sql/ip-pool-db-expired/test.conf
+++ b/testing/tests/sql/ip-pool-db-expired/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="$IPSECHOSTS"
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
index 174f8c2..8b25be7 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
index 174f8c2..8b25be7 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
index 3b720bf..64e7cc7 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
@@ -12,7 +12,7 @@ charon {
 libhydra {
   plugins {
     attr-sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
 }
diff --git a/testing/tests/sql/ip-pool-db-restart/posttest.dat b/testing/tests/sql/ip-pool-db-restart/posttest.dat
index 1b963fc..b757d8b 100644
--- a/testing/tests/sql/ip-pool-db-restart/posttest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/posttest.dat
@@ -4,7 +4,3 @@ moon::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.*
-carol::rm /etc/ipsec.d/ipsec.*
-dave::rm /etc/ipsec.d/ipsec.*
-~
diff --git a/testing/tests/sql/ip-pool-db-restart/pretest.dat b/testing/tests/sql/ip-pool-db-restart/pretest.dat
index 639cfd9..4976693 100644
--- a/testing/tests/sql/ip-pool-db-restart/pretest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/pretest.dat
@@ -1,12 +1,12 @@
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --leases 2> /dev/null
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
@@ -14,7 +14,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+dave::expect-connection home
 dave::ipsec up home
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/sql/ip-pool-db-restart/test.conf b/testing/tests/sql/ip-pool-db-restart/test.conf
index 9b1ec0b..450100f 100644
--- a/testing/tests/sql/ip-pool-db-restart/test.conf
+++ b/testing/tests/sql/ip-pool-db-restart/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="$IPSECHOSTS"
diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
index 62d9edb..4346eca 100644
--- a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql resolve
diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
index 62d9edb..4346eca 100644
--- a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql resolve
diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
index 3b720bf..64e7cc7 100644
--- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
@@ -12,7 +12,7 @@ charon {
 libhydra {
   plugins {
     attr-sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
 }
diff --git a/testing/tests/sql/ip-pool-db/posttest.dat b/testing/tests/sql/ip-pool-db/posttest.dat
index 1b963fc..4706143 100644
--- a/testing/tests/sql/ip-pool-db/posttest.dat
+++ b/testing/tests/sql/ip-pool-db/posttest.dat
@@ -4,7 +4,6 @@ moon::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.*
-carol::rm /etc/ipsec.d/ipsec.*
-dave::rm /etc/ipsec.d/ipsec.*
-~
+moon::dbdir-remove
+carol::dbdir-remove
+dave::dbdir-remove
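Review bot: The database cleanup is inconsistent across the sql tests in this commit. This posttest replaces the `rm /etc/ipsec.d/ipsec.*` lines with explicit `dbdir-remove` calls, while ip-pool-db-expired, ip-pool-db-restart and ip-split-pools-db-restart drop the `rm` lines without adding anything. All three test.conf files shown get `DBHOSTS="$IPSECHOSTS"`, so either the framework removes /etc/db.d for DBHOSTS on its own and these three lines are redundant, or the sibling tests leave ipsec.db behind for the next scenario on the same guest. A stale lease database would make a later pool test depend on the order tests run in. I would settle on one form and, if the explicit call stays, add a comment such as `# DBHOSTS does not clean up /etc/db.d, remove it explicitly` (to be confirmed against the test framework).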
diff --git a/testing/tests/sql/ip-pool-db/pretest.dat b/testing/tests/sql/ip-pool-db/pretest.dat
index 46f3332..0cea9d8 100644
--- a/testing/tests/sql/ip-pool-db/pretest.dat
+++ b/testing/tests/sql/ip-pool-db/pretest.dat
@@ -1,19 +1,19 @@
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/sql/ip-pool-db/test.conf b/testing/tests/sql/ip-pool-db/test.conf
index 9b1ec0b..450100f 100644
--- a/testing/tests/sql/ip-pool-db/test.conf
+++ b/testing/tests/sql/ip-pool-db/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="$IPSECHOSTS"
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
index 174f8c2..8b25be7 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
index 174f8c2..8b25be7 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
index 3b720bf..64e7cc7 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
@@ -12,7 +12,7 @@ charon {
 libhydra {
   plugins {
     attr-sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
 }
diff --git a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat
index 0fce500..a851d09 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat
+++ b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat
@@ -1,7 +1,3 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::rm /etc/ipsec.d/ipsec.*
-carol::rm /etc/ipsec.d/ipsec.*
-dave::rm /etc/ipsec.d/ipsec.*
-~
diff --git a/testing/tests/sql/ip-split-pools-db-restart/pretest.dat b/testing/tests/sql/ip-split-pools-db-restart/pretest.dat
index ba3f4d1..706cb32 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/pretest.dat
+++ b/testing/tests/sql/ip-split-pools-db-restart/pretest.dat
@@ -1,18 +1,18 @@
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --status 2> /dev/null
 moon::ipsec pool --leases 2> /dev/null
 moon::ipsec start
 dave::ipsec start
 carol::ipsec start
-dave::sleep 1
+dave::expect-connection home
 dave::ipsec up home
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
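Review bot: The import line `cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db` assumes that /etc/db.d exists and holds no database left over from an earlier run. With the `rm` lines gone from posttest.dat, nothing in the test itself ensures that; presumably the framework does it for the hosts in DBHOSTS, but that code is not shown here. If the cleanup is skipped, the schema import would run against existing tables and the daemon could start with the previous test's connections and credentials. A guard such as `moon::rm -f /etc/db.d/ipsec.db` before each import would keep the test self-contained. The pretest.dat hunks of the other sql tests in this commit follow the same pattern.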
diff --git a/testing/tests/sql/ip-split-pools-db-restart/test.conf b/testing/tests/sql/ip-split-pools-db-restart/test.conf
index 9b1ec0b..450100f 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/test.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="$IPSECHOSTS"
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
index 174f8c2..8b25be7 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
index 174f8c2..8b25be7 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
index 3b720bf..64e7cc7 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
@@ -12,7 +12,7 @@ charon {
 libhydra {
   plugins {
     attr-sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
 }
diff --git a/testing/tests/sql/ip-split-pools-db/posttest.dat b/testing/tests/sql/ip-split-pools-db/posttest.dat
index 0fce500..a851d09 100644
--- a/testing/tests/sql/ip-split-pools-db/posttest.dat
+++ b/testing/tests/sql/ip-split-pools-db/posttest.dat
@@ -1,7 +1,3 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::rm /etc/ipsec.d/ipsec.*
-carol::rm /etc/ipsec.d/ipsec.*
-dave::rm /etc/ipsec.d/ipsec.*
-~
diff --git a/testing/tests/sql/ip-split-pools-db/pretest.dat b/testing/tests/sql/ip-split-pools-db/pretest.dat
index 6c76338..e820c81 100644
--- a/testing/tests/sql/ip-split-pools-db/pretest.dat
+++ b/testing/tests/sql/ip-split-pools-db/pretest.dat
@@ -1,17 +1,17 @@
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --status 2> /dev/null
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/sql/ip-split-pools-db/test.conf b/testing/tests/sql/ip-split-pools-db/test.conf
index 9b1ec0b..450100f 100644
--- a/testing/tests/sql/ip-split-pools-db/test.conf
+++ b/testing/tests/sql/ip-split-pools-db/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="$IPSECHOSTS"
diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf
index 174f8c2..8b25be7 100644
--- a/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf
index 174f8c2..8b25be7 100644
--- a/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf
index 174f8c2..8b25be7 100644
--- a/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/multi-level-ca/posttest.dat b/testing/tests/sql/multi-level-ca/posttest.dat
index e9ad4be..1865a1c 100644
--- a/testing/tests/sql/multi-level-ca/posttest.dat
+++ b/testing/tests/sql/multi-level-ca/posttest.dat
@@ -4,7 +4,3 @@ dave::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.*
-carol::rm /etc/ipsec.d/ipsec.*
-dave::rm /etc/ipsec.d/ipsec.*
-~
diff --git a/testing/tests/sql/multi-level-ca/pretest.dat b/testing/tests/sql/multi-level-ca/pretest.dat
index 6d56ede..0cea9d8 100644
--- a/testing/tests/sql/multi-level-ca/pretest.dat
+++ b/testing/tests/sql/multi-level-ca/pretest.dat
@@ -1,18 +1,19 @@
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/sql/multi-level-ca/test.conf b/testing/tests/sql/multi-level-ca/test.conf
index f292988..f6fb44f 100644
--- a/testing/tests/sql/multi-level-ca/test.conf
+++ b/testing/tests/sql/multi-level-ca/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="$IPSECHOSTS"
diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
index 174f8c2..8b25be7 100644
--- a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
index 174f8c2..8b25be7 100644
--- a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/net2net-cert/posttest.dat b/testing/tests/sql/net2net-cert/posttest.dat
index 329a572..1f7aa73 100644
--- a/testing/tests/sql/net2net-cert/posttest.dat
+++ b/testing/tests/sql/net2net-cert/posttest.dat
@@ -2,5 +2,3 @@ moon::ipsec stop
 sun::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.*
-sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-cert/pretest.dat b/testing/tests/sql/net2net-cert/pretest.dat
index b62da61..05fe277 100644
--- a/testing/tests/sql/net2net-cert/pretest.dat
+++ b/testing/tests/sql/net2net-cert/pretest.dat
@@ -1,12 +1,12 @@
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/sql/net2net-cert/test.conf b/testing/tests/sql/net2net-cert/test.conf
index 646b8b3..1b7e280 100644
--- a/testing/tests/sql/net2net-cert/test.conf
+++ b/testing/tests/sql/net2net-cert/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
- 
+
 # Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="$IPSECHOSTS"
diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
index 5e4eb12..e20fecc 100644
--- a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
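Review bot: The database now at /etc/db.d/ipsec.db carries the credentials for this test, presumably including the pre-shared key in a PSK scenario, and nothing visible here sets the owner or mode of the file or its directory. The file is created by `sqlite3` in pretest.dat, so it gets whatever the guest's umask allows. That is acceptable on a throwaway test guest, but these files are often copied as configuration examples. A comment above the setting would help, e.g. `# ipsec.db holds secrets: keep it root-only outside the test environment`. The other strongswan.conf hunks that switch to /etc/db.d are in the same position.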
diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
index 5e4eb12..e20fecc 100644
--- a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/net2net-psk/posttest.dat b/testing/tests/sql/net2net-psk/posttest.dat
index 329a572..1f7aa73 100644
--- a/testing/tests/sql/net2net-psk/posttest.dat
+++ b/testing/tests/sql/net2net-psk/posttest.dat
@@ -2,5 +2,3 @@ moon::ipsec stop
 sun::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.*
-sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-psk/pretest.dat b/testing/tests/sql/net2net-psk/pretest.dat
index b62da61..05fe277 100644
--- a/testing/tests/sql/net2net-psk/pretest.dat
+++ b/testing/tests/sql/net2net-psk/pretest.dat
@@ -1,12 +1,12 @@
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/sql/net2net-psk/test.conf b/testing/tests/sql/net2net-psk/test.conf
index 646b8b3..1b7e280 100644
--- a/testing/tests/sql/net2net-psk/test.conf
+++ b/testing/tests/sql/net2net-psk/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
- 
+
 # Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="$IPSECHOSTS"
diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf
index 174f8c2..8b25be7 100644
--- a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf
index 174f8c2..8b25be7 100644
--- a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/net2net-route-pem/posttest.dat b/testing/tests/sql/net2net-route-pem/posttest.dat
index 329a572..1f7aa73 100644
--- a/testing/tests/sql/net2net-route-pem/posttest.dat
+++ b/testing/tests/sql/net2net-route-pem/posttest.dat
@@ -2,5 +2,3 @@ moon::ipsec stop
 sun::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.*
-sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-route-pem/pretest.dat b/testing/tests/sql/net2net-route-pem/pretest.dat
index 537aa63..cef74e4 100644
--- a/testing/tests/sql/net2net-route-pem/pretest.dat
+++ b/testing/tests/sql/net2net-route-pem/pretest.dat
@@ -1,13 +1,13 @@
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 sun::ipsec start
 moon::ipsec start
-moon::sleep 1
-alice::ping -c 1 PH_IP_BOB
-bob::ping -c 1 PH_IP_VENUS
+moon::expect-connection net-net
+alice::ping -c 1 -W 1 PH_IP_BOB
+bob::ping -c 1 -W 1 PH_IP_VENUS
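Review bot: After `moon::expect-connection net-net` the two pings wait at most one second each (`-W 1`), so the pretest can finish before the SAs they presumably trigger are established. Whether that matters depends on evaltest.dat, which is not part of this hunk; if its first checks do not retry, the result becomes timing-dependent. The net2net-start-pem pretest hunk has the same kind of fixed wait, where `moon::sleep 3` is shortened to `moon::sleep 1` rather than replaced by a readiness check. A short wait after the pings, e.g. `moon::sleep 1`, or a retrying check in evaltest.dat would remove the dependence on guest speed.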
diff --git a/testing/tests/sql/net2net-route-pem/test.conf b/testing/tests/sql/net2net-route-pem/test.conf
index 10c582c..ee97968 100644
--- a/testing/tests/sql/net2net-route-pem/test.conf
+++ b/testing/tests/sql/net2net-route-pem/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice venus moon winnetou sun bob"
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
- 
+
 # Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="$IPSECHOSTS"
diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf
index 174f8c2..8b25be7 100644
--- a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf
index 174f8c2..8b25be7 100644
--- a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/net2net-start-pem/posttest.dat b/testing/tests/sql/net2net-start-pem/posttest.dat
index 329a572..1f7aa73 100644
--- a/testing/tests/sql/net2net-start-pem/posttest.dat
+++ b/testing/tests/sql/net2net-start-pem/posttest.dat
@@ -2,5 +2,3 @@ moon::ipsec stop
 sun::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.*
-sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-start-pem/pretest.dat b/testing/tests/sql/net2net-start-pem/pretest.dat
index 7307aca..f260b39 100644
--- a/testing/tests/sql/net2net-start-pem/pretest.dat
+++ b/testing/tests/sql/net2net-start-pem/pretest.dat
@@ -1,11 +1,11 @@
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 sun::ipsec start
 moon::ipsec start
-moon::sleep 3
+moon::sleep 1
diff --git a/testing/tests/sql/net2net-start-pem/test.conf b/testing/tests/sql/net2net-start-pem/test.conf
index 10c582c..ee97968 100644
--- a/testing/tests/sql/net2net-start-pem/test.conf
+++ b/testing/tests/sql/net2net-start-pem/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice venus moon winnetou sun bob"
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
- 
+
 # Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="$IPSECHOSTS"
diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
index 7e8023f..4946b15 100644
--- a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
index 7e8023f..4946b15 100644
--- a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
index 7e8023f..7fed45b 100644
--- a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
@@ -3,13 +3,10 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 
   integrity_test = yes
-  crypto_test {
-    on_add = yes
-  }
 }
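Review bot: Removing the `crypto_test { on_add = yes }` block leaves `test-vectors` in the `load` line and `integrity_test = yes` in place, with nothing visible that says when the algorithm test vectors are run. If the block was dropped because it had no effect under `charon`, or because the library default is now sufficient, a one-line comment would record that, e.g. `# test vectors run with the library's default crypto_test settings`. If the scenario is meant to verify algorithms as they are registered, the setting should stay, presumably as `libstrongswan.crypto_test.on_add`. The carol and dave configurations in this test also load `test-vectors` without any crypto_test setting.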
diff --git a/testing/tests/sql/rw-cert/posttest.dat b/testing/tests/sql/rw-cert/posttest.dat
index e9ad4be..1865a1c 100644
--- a/testing/tests/sql/rw-cert/posttest.dat
+++ b/testing/tests/sql/rw-cert/posttest.dat
@@ -4,7 +4,3 @@ dave::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.*
-carol::rm /etc/ipsec.d/ipsec.*
-dave::rm /etc/ipsec.d/ipsec.*
-~
diff --git a/testing/tests/sql/rw-cert/pretest.dat b/testing/tests/sql/rw-cert/pretest.dat
index 7958f09..0cea9d8 100644
--- a/testing/tests/sql/rw-cert/pretest.dat
+++ b/testing/tests/sql/rw-cert/pretest.dat
@@ -1,18 +1,19 @@
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 3
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/sql/rw-cert/test.conf b/testing/tests/sql/rw-cert/test.conf
index f292988..f6fb44f 100644
--- a/testing/tests/sql/rw-cert/test.conf
+++ b/testing/tests/sql/rw-cert/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="$IPSECHOSTS"
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
index ec5899c..2fba945 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
index 4195108..b06c611 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
diff --git a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
index 584356d..046d4cf 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
@@ -2,6 +2,3 @@ moon::ipsec stop
 carol::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.*
-carol::rm /etc/ipsec.d/ipsec.*
-~
diff --git a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
index 2a8e460..a6cbee7 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
@@ -1,12 +1,12 @@
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
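Review bot: The added import lines still stage the schema and data in `/etc/db.d/ipsec.sql` before feeding it to `sqlite3`, and with the `rm /etc/ipsec.d/ipsec.*` lines dropped from the matching posttest.dat, nothing in this test removes that file or the database any more. `sqlite3` applies the script to whatever already exists at `/etc/db.d/ipsec.db`, so the test now depends on /etc/db.d being empty at start; presumably the framework resets it for the hosts listed in `DBHOSTS`, but that code is not in this part of the diff. Unless something else reads ipsec.sql, the two steps could be one, e.g. `moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql | sqlite3 /etc/db.d/ipsec.db`, which leaves no plaintext copy of data.sql behind. The same pattern is in the rw-psk-ipv4, rw-psk-ipv6, rw-psk-rsa-split, rw-rsa-keyid, rw-rsa, shunt-policies-nat-rw and swanctl/ip-pool-db pretest.dat hunks.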
diff --git a/testing/tests/sql/rw-eap-aka-rsa/test.conf b/testing/tests/sql/rw-eap-aka-rsa/test.conf
index 4a5fc47..81b1d3b 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/test.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="$IPSECHOSTS"
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
index 5e4eb12..e20fecc 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
index 5e4eb12..e20fecc 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
index 5e4eb12..e20fecc 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-psk-ipv4/posttest.dat b/testing/tests/sql/rw-psk-ipv4/posttest.dat
index e9ad4be..1865a1c 100644
--- a/testing/tests/sql/rw-psk-ipv4/posttest.dat
+++ b/testing/tests/sql/rw-psk-ipv4/posttest.dat
@@ -4,7 +4,3 @@ dave::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.*
-carol::rm /etc/ipsec.d/ipsec.*
-dave::rm /etc/ipsec.d/ipsec.*
-~
diff --git a/testing/tests/sql/rw-psk-ipv4/pretest.dat b/testing/tests/sql/rw-psk-ipv4/pretest.dat
index 6d56ede..0cea9d8 100644
--- a/testing/tests/sql/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/sql/rw-psk-ipv4/pretest.dat
@@ -1,18 +1,19 @@
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/sql/rw-psk-ipv4/test.conf b/testing/tests/sql/rw-psk-ipv4/test.conf
index f292988..f6fb44f 100644
--- a/testing/tests/sql/rw-psk-ipv4/test.conf
+++ b/testing/tests/sql/rw-psk-ipv4/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="$IPSECHOSTS"
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
index 5e4eb12..e20fecc 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
index 5e4eb12..e20fecc 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
index 5e4eb12..e20fecc 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-psk-ipv6/posttest.dat b/testing/tests/sql/rw-psk-ipv6/posttest.dat
index ab75350..4e59395 100644
--- a/testing/tests/sql/rw-psk-ipv6/posttest.dat
+++ b/testing/tests/sql/rw-psk-ipv6/posttest.dat
@@ -10,6 +10,3 @@ dave::ip6tables-restore < /etc/ip6tables.flush
 alice::"ip route del fec0:\:/16 via fec1:\:1"
 carol::"ip route del fec1:\:/16 via fec0:\:1"
 dave::"ip route del fec1:\:/16 via fec0:\:1"
-moon::rm /etc/ipsec.d/ipsec.*
-carol::rm /etc/ipsec.d/ipsec.*
-dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/rw-psk-ipv6/pretest.dat b/testing/tests/sql/rw-psk-ipv6/pretest.dat
index fdb5f19..8946896 100644
--- a/testing/tests/sql/rw-psk-ipv6/pretest.dat
+++ b/testing/tests/sql/rw-psk-ipv6/pretest.dat
@@ -1,12 +1,12 @@
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
@@ -19,6 +19,7 @@ dave::"ip route add fec1:\:/16 via fec0:\:1"
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/sql/rw-psk-ipv6/test.conf b/testing/tests/sql/rw-psk-ipv6/test.conf
index 05bb8ab..024105e 100644
--- a/testing/tests/sql/rw-psk-ipv6/test.conf
+++ b/testing/tests/sql/rw-psk-ipv6/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="$IPSECHOSTS"
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
index 174f8c2..8b25be7 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
index 174f8c2..8b25be7 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
index 174f8c2..8b25be7 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-psk-rsa-split/posttest.dat b/testing/tests/sql/rw-psk-rsa-split/posttest.dat
index e9ad4be..1865a1c 100644
--- a/testing/tests/sql/rw-psk-rsa-split/posttest.dat
+++ b/testing/tests/sql/rw-psk-rsa-split/posttest.dat
@@ -4,7 +4,3 @@ dave::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.*
-carol::rm /etc/ipsec.d/ipsec.*
-dave::rm /etc/ipsec.d/ipsec.*
-~
diff --git a/testing/tests/sql/rw-psk-rsa-split/pretest.dat b/testing/tests/sql/rw-psk-rsa-split/pretest.dat
index 6d56ede..0cea9d8 100644
--- a/testing/tests/sql/rw-psk-rsa-split/pretest.dat
+++ b/testing/tests/sql/rw-psk-rsa-split/pretest.dat
@@ -1,18 +1,19 @@
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/sql/rw-psk-rsa-split/test.conf b/testing/tests/sql/rw-psk-rsa-split/test.conf
index f292988..f6fb44f 100644
--- a/testing/tests/sql/rw-psk-rsa-split/test.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="$IPSECHOSTS"
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
index 4c06ca4..75a2b06 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
index 4c06ca4..75a2b06 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
index 4c06ca4..75a2b06 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-rsa-keyid/posttest.dat b/testing/tests/sql/rw-rsa-keyid/posttest.dat
index 892650c..1865a1c 100644
--- a/testing/tests/sql/rw-rsa-keyid/posttest.dat
+++ b/testing/tests/sql/rw-rsa-keyid/posttest.dat
@@ -4,7 +4,3 @@ dave::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.db
-carol::rm /etc/ipsec.d/ipsec.db
-dave::rm /etc/ipsec.d/ipsec.db
-~
diff --git a/testing/tests/sql/rw-rsa-keyid/pretest.dat b/testing/tests/sql/rw-rsa-keyid/pretest.dat
index 6d56ede..0cea9d8 100644
--- a/testing/tests/sql/rw-rsa-keyid/pretest.dat
+++ b/testing/tests/sql/rw-rsa-keyid/pretest.dat
@@ -1,18 +1,19 @@
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/sql/rw-rsa-keyid/test.conf b/testing/tests/sql/rw-rsa-keyid/test.conf
index f292988..f6fb44f 100644
--- a/testing/tests/sql/rw-rsa-keyid/test.conf
+++ b/testing/tests/sql/rw-rsa-keyid/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="$IPSECHOSTS"
diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
index 4c06ca4..75a2b06 100644
--- a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
index 4c06ca4..75a2b06 100644
--- a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
index 4c06ca4..75a2b06 100644
--- a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db 
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-rsa/posttest.dat b/testing/tests/sql/rw-rsa/posttest.dat
index 892650c..1865a1c 100644
--- a/testing/tests/sql/rw-rsa/posttest.dat
+++ b/testing/tests/sql/rw-rsa/posttest.dat
@@ -4,7 +4,3 @@ dave::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.db
-carol::rm /etc/ipsec.d/ipsec.db
-dave::rm /etc/ipsec.d/ipsec.db
-~
diff --git a/testing/tests/sql/rw-rsa/pretest.dat b/testing/tests/sql/rw-rsa/pretest.dat
index 6d56ede..0cea9d8 100644
--- a/testing/tests/sql/rw-rsa/pretest.dat
+++ b/testing/tests/sql/rw-rsa/pretest.dat
@@ -1,18 +1,19 @@
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/sql/rw-rsa/test.conf b/testing/tests/sql/rw-rsa/test.conf
index f292988..f6fb44f 100644
--- a/testing/tests/sql/rw-rsa/test.conf
+++ b/testing/tests/sql/rw-rsa/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="$IPSECHOSTS"
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
index 7f02ba1..f4dd8f1 100644
--- a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
index 6a89855..6210c21 100644
--- a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
@@ -3,10 +3,10 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db
+      database = sqlite:///etc/db.d/ipsec.db
     }
     attr-sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
index 7f02ba1..f4dd8f1 100644
--- a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
@@ -3,7 +3,7 @@
 charon {
   plugins {
     sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/shunt-policies-nat-rw/posttest.dat b/testing/tests/sql/shunt-policies-nat-rw/posttest.dat
index f410dd7..e772be6 100644
--- a/testing/tests/sql/shunt-policies-nat-rw/posttest.dat
+++ b/testing/tests/sql/shunt-policies-nat-rw/posttest.dat
@@ -2,7 +2,4 @@ sun::ipsec stop
 alice::ipsec stop
 venus::ipsec stop
 sun::iptables-restore < /etc/iptables.flush
-alice::rm /etc/ipsec.d/ipsec.*
-venus::rm /etc/ipsec.d/ipsec.*
-sun::rm /etc/ipsec.d/ipsec.*
 moon::iptables -t nat -F
\ No newline at end of file
diff --git a/testing/tests/sql/shunt-policies-nat-rw/pretest.dat b/testing/tests/sql/shunt-policies-nat-rw/pretest.dat
index 0314e7a..c23c099 100644
--- a/testing/tests/sql/shunt-policies-nat-rw/pretest.dat
+++ b/testing/tests/sql/shunt-policies-nat-rw/pretest.dat
@@ -1,12 +1,12 @@
 alice::rm /etc/ipsec.d/cacerts/*
 venus::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
-alice::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-venus::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-alice::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-venus::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+alice::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+venus::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+alice::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+venus::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 sun::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
diff --git a/testing/tests/sql/shunt-policies-nat-rw/test.conf b/testing/tests/sql/shunt-policies-nat-rw/test.conf
index bd82f03..d797acb 100644
--- a/testing/tests/sql/shunt-policies-nat-rw/test.conf
+++ b/testing/tests/sql/shunt-policies-nat-rw/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus sun"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="alice venus sun"
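Review bot: `DBHOSTS="alice venus sun"` repeats the value of `IPSECHOSTS` from four lines above, while the other sql test.conf hunks in this commit write `DBHOSTS="$IPSECHOSTS"`. Since the posttest.dat hunk for this test no longer removes the database files itself, a host later added to `IPSECHOSTS` but not to this list would presumably keep its /etc/db.d contents between runs. Writing `DBHOSTS="$IPSECHOSTS"` here keeps the two lists from drifting apart.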
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf
index c5ddd38..1eab75a 100755
--- a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -14,7 +14,7 @@ charon {
 
   plugins {
     attr-sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db
+      database = sqlite:///etc/db.d/ipsec.db
     }
   }
 }
diff --git a/testing/tests/swanctl/ip-pool-db/pretest.dat b/testing/tests/swanctl/ip-pool-db/pretest.dat
index 4b88a6f..91380e6 100755
--- a/testing/tests/swanctl/ip-pool-db/pretest.dat
+++ b/testing/tests/swanctl/ip-pool-db/pretest.dat
@@ -1,5 +1,5 @@
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --add big_pool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
 moon::ipsec pool --addattr dns  --server PH_IP_WINNETOU 2> /dev/null
 moon::ipsec pool --addattr dns  --server PH_IP_VENUS 2> /dev/null
diff --git a/testing/tests/swanctl/ip-pool-db/test.conf b/testing/tests/swanctl/ip-pool-db/test.conf
index 1227b9d..5554b46 100755
--- a/testing/tests/swanctl/ip-pool-db/test.conf
+++ b/testing/tests/swanctl/ip-pool-db/test.conf
@@ -20,6 +20,10 @@ TCPDUMPHOSTS="moon"
 #
 IPSECHOSTS="moon carol dave"
 
+# Guest instances on which databases are used
+#
+DBHOSTS="moon"
+
 # charon controlled by swanctl
 #
 SWANCTL=1
diff --git a/testing/tests/swanctl/ip-pool/evaltest.dat b/testing/tests/swanctl/ip-pool/evaltest.dat
index a16ed01..a0891c3 100755
--- a/testing/tests/swanctl/ip-pool/evaltest.dat
+++ b/testing/tests/swanctl/ip-pool/evaltest.dat
@@ -3,6 +3,8 @@ dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED
 moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]
 moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]
 moon:: swanctl --list-pools --raw 2> /dev/null::rw_pool.*base=10.3.0.0 size=14 online=2 offline=0::YES
+moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol at strongswan.org status=online::YES
+moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave at strongswan.org status=online::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol at strongswan.org::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave at strongswan.org::YES
 carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
diff --git a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
index 6b7c713..3478c07 100644
--- a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
@@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'dave at strongswan.org' with EAP
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-11-fhh/pretest.dat b/testing/tests/tnc/tnccs-11-fhh/pretest.dat
index 8fab1fb..d181aab 100644
--- a/testing/tests/tnc/tnccs-11-fhh/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-fhh/pretest.dat
@@ -9,7 +9,8 @@ dave::cat /etc/tnc/dummyimc.file
 moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
 carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
 dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-carol::sleep 1
+moon::expect-connection rw-allow
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
index b9eee4f..3f3aa9f 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
@@ -10,5 +10,5 @@ moon:: cat /var/log/daemon.log::authentication of 'carol at strongswan.org' with EA
 moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave at strongswan.org' failed::YES
 moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave at strongswan.org::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
index 96163aa..d2bb945 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
@@ -8,7 +8,7 @@ alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.propertie
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
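Review bot: The `expect-connection` lines added here wait only for each initiator's own `home` connection, whereas the removed `carol::sleep 1` also gave moon time to finish loading before `carol::ipsec up home`. The tnccs-11-fhh and tnccs-20-fhh pretest.dat hunks add `moon::expect-connection rw-allow` for exactly that. A matching wait on the responder, `moon::expect-connection <moon-conn-name>` (placeholder, the connection name is not visible in this hunk), would keep that side covered here and in the other tnc pretest.dat hunks that only wait on carol and dave. What `expect-connection` checks is not shown in this diff, so this assumes it polls the named host until the named connection is loaded.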
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
index 2248078..955584b 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
@@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'dave at strongswan.org' with EAP
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf
index 23f840f..4584571 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf
@@ -3,11 +3,11 @@
 libimcv {
   load = random nonce openssl pubkey sqlite
   debug_level = 3 
-  database = sqlite:///etc/pts/config.db
+  database = sqlite:///etc/db.d/config.db
   policy_script = ipsec imv_policy_manager
   assessment_result = no
 }
 
 attest {
-  database = sqlite:///etc/pts/config.db
+  database = sqlite:///etc/db.d/config.db
 }
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
index b8488fe..e870608 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
@@ -5,6 +5,8 @@ charon {
 
   multiple_authentication=no
 
+  retransmit_tries = 5
+
   plugins {
     eap-tnc {
       protocol = tnccs-1.1
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat
index dc8507d..18e0374 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat
@@ -3,7 +3,6 @@ carol::ipsec stop
 dave::ipsec stop
 alice::killall radiusd
 alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
-alice::rm /etc/pts/config.db
 carol::echo 1 > /proc/sys/net/ipv4/ip_forward
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
index 03b2474..31ee7d1 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
@@ -6,7 +6,7 @@ dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
 alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
 alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
 alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql
-alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
+alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db
 alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
 alice::cat /etc/tnc_config
 carol::cat /etc/tnc_config
@@ -14,9 +14,9 @@ dave::cat /etc/tnc_config
 moon::ipsec start
 dave::ipsec start
 carol::ipsec start
-dave::sleep 1
+dave::expect-connection home
 dave::ipsec up home
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
 alice::ipsec attest --sessions
 alice::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/test.conf b/testing/tests/tnc/tnccs-11-radius-pts/test.conf
index f23a193..318dfdf 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/test.conf
+++ b/testing/tests/tnc/tnccs-11-radius-pts/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
 #
 RADIUSHOSTS="alice"
 
+# Guest instances on which databases are used
+#
+DBHOSTS="alice"
diff --git a/testing/tests/tnc/tnccs-11-radius/evaltest.dat b/testing/tests/tnc/tnccs-11-radius/evaltest.dat
index 2248078..955584b 100644
--- a/testing/tests/tnc/tnccs-11-radius/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius/evaltest.dat
@@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'dave at strongswan.org' with EAP
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-11-radius/pretest.dat b/testing/tests/tnc/tnccs-11-radius/pretest.dat
index 71dff71..fcfb145 100644
--- a/testing/tests/tnc/tnccs-11-radius/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-radius/pretest.dat
@@ -10,7 +10,7 @@ dave::cat /etc/tnc_config
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-11-supplicant/pretest.dat b/testing/tests/tnc/tnccs-11-supplicant/pretest.dat
index ac03fed..4dbff64 100644
--- a/testing/tests/tnc/tnccs-11-supplicant/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-supplicant/pretest.dat
@@ -6,6 +6,6 @@ carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 moon::hostapd -B /etc/hostapd/hostapd.conf
 carol::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties wpa_supplicant -B -c /etc/wpa_supplicant.conf -D wired -i eth0
-carol::sleep 4  
+carol::sleep 4
 dave::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties wpa_supplicant -B -c /etc/wpa_supplicant.conf -D wired -i eth0
 dave::sleep 4
diff --git a/testing/tests/tnc/tnccs-11/evaltest.dat b/testing/tests/tnc/tnccs-11/evaltest.dat
index 6b7c713..3478c07 100644
--- a/testing/tests/tnc/tnccs-11/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11/evaltest.dat
@@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'dave at strongswan.org' with EAP
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-11/pretest.dat b/testing/tests/tnc/tnccs-11/pretest.dat
index cac1cfa..8562203 100644
--- a/testing/tests/tnc/tnccs-11/pretest.dat
+++ b/testing/tests/tnc/tnccs-11/pretest.dat
@@ -7,7 +7,7 @@ dave::cat /etc/tnc_config
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-20-block/evaltest.dat b/testing/tests/tnc/tnccs-20-block/evaltest.dat
index 03b576e..e0f3d93 100644
--- a/testing/tests/tnc/tnccs-20-block/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-block/evaltest.dat
@@ -9,4 +9,4 @@ moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol at strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave at strongswan.org::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-block/pretest.dat b/testing/tests/tnc/tnccs-20-block/pretest.dat
index f5b3b2e..c66a2e1 100644
--- a/testing/tests/tnc/tnccs-20-block/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-block/pretest.dat
@@ -8,7 +8,7 @@ dave::cat /etc/tnc_config
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat b/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
index bac7294..c69940c 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
@@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'dave at strongswan.org' with EAP
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat
index b2b243b..8562203 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat
@@ -5,9 +5,9 @@ moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 moon::ipsec start
-carol::ipsec start 
-dave::ipsec start 
-carol::sleep 1
+carol::ipsec start
+dave::ipsec start
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-20-fail-init/pretest.dat b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat
index 38c6513..8562203 100644
--- a/testing/tests/tnc/tnccs-20-fail-init/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat
@@ -5,8 +5,9 @@ moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 moon::ipsec start
-carol::ipsec start 
+carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat
index 6947c4b..e5c2029 100644
--- a/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat
@@ -3,6 +3,6 @@ carol::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 moon::ipsec start
-carol::ipsec start 
-carol::sleep 1
+carol::ipsec start
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
index bac7294..c69940c 100644
--- a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
@@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'dave at strongswan.org' with EAP
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-20-fhh/pretest.dat b/testing/tests/tnc/tnccs-20-fhh/pretest.dat
index 72c9b16..39b0e03 100644
--- a/testing/tests/tnc/tnccs-20-fhh/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-fhh/pretest.dat
@@ -8,9 +8,10 @@ carol::cat /etc/tnc/dummyimc.file
 dave::cat /etc/tnc/dummyimc.file
 moon::cat /etc/tnc/dummyimv.policy
 moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start 
-dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start 
-carol::sleep 1
+carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+moon::expect-connection rw-allow
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/apache2/sites-available/default
deleted file mode 100644
index 6260006..0000000
--- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/apache2/sites-available/default
+++ /dev/null
@@ -1,26 +0,0 @@
-WSGIPythonPath /var/www/tnc
-
-<VirtualHost *:80>
-    ServerName tnc.strongswan.org
-    ServerAlias tnc
-    ServerAdmin webmaster at localhost
-
-    DocumentRoot /var/www/tnc
-
-    <Directory /var/www/tnc/config>
-        <Files wsgi.py>
-            Order deny,allow
-            Allow from all
-        </Files>
-    </Directory>
-
-    WSGIScriptAlias / /var/www/tnc/config/wsgi.py
-    WSGIApplicationGroup %{GLOBAL}
-    WSGIPassAuthorization On
-
-    Alias /static/ /var/www/tnc/static/
-
-    ErrorLog ${APACHE_LOG_DIR}/tnc/error.log
-    LogLevel warn
-    CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined
-</VirtualHost>
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/pts/data1.sql
deleted file mode 100644
index d6a547b..0000000
--- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/pts/data1.sql
+++ /dev/null
@@ -1,61 +0,0 @@
-/* Devices */
-
-INSERT INTO devices (                  /*  1 */
-  value, product, created
-)
-SELECT 'aabbccddeeff11223344556677889900', id, 1372330615
-FROM products WHERE name = 'Debian DEBIAN_VERSION x86_64';
-
-/* Groups Members */
-
-INSERT INTO groups_members (
-  group_id, device_id
-) VALUES (
-  10, 1
-);
-
-/* Identities */
-
-INSERT INTO identities (
-  type, value
-) VALUES ( /* dave at strongswan.org */
-  5, X'64617665'
-);
-
-/* Sessions */
-
-INSERT INTO sessions (
-  time, connection, identity, device, product, rec
-)
-SELECT NOW, 1, 1, 1, id, 0
-FROM products WHERE name = 'Debian DEBIAN_VERSION x86_64';
-
-/* Results */
-
-INSERT INTO results (
-  session, policy, rec, result
-) VALUES (
-  1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found'
-);
-
-/* Enforcements */
-
-INSERT INTO enforcements (
-  policy, group_id, max_age, rec_fail, rec_noresult
-) VALUES (
-  3, 10, 0, 2, 2
-);
-
-INSERT INTO enforcements (
-  policy, group_id, max_age
-) VALUES (
-  17, 2, 86400
-);
-
-INSERT INTO enforcements (
-  policy, group_id, max_age
-) VALUES (
-  18, 10, 86400
-);
-
-DELETE FROM enforcements WHERE id = 1;
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongTNC/settings.ini b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongTNC/settings.ini
deleted file mode 100644
index 5e7b7b5..0000000
--- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongTNC/settings.ini
+++ /dev/null
@@ -1,19 +0,0 @@
-[debug]
-DEBUG=0
-TEMPLATE_DEBUG=0
-DEBUG_TOOLBAR=0
-
-[db]
-DJANGO_DB_URL=sqlite:////var/www/tnc/django.db
-STRONGTNC_DB_URL = sqlite:////etc/pts/config.db
-
-[localization]
-LANGUAGE_CODE=en-us
-TIME_ZONE=Europe/Zurich
-
-[admins]
-Your Name: alice at strongswan.org
-
-[security]
-SECRET_KEY=strongSwan
-ALLOWED_HOSTS=127.0.0.1,10.10.0.1,tnc.strongswan.org,tnc
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf
index d22a7e9..1ecf6f8 100644
--- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf
@@ -23,13 +23,6 @@ charon {
 }
 
 libimcv {
-  debug_level = 3 
-  database = sqlite:///etc/pts/config.db
+  debug_level = 3
   policy_script = ipsec imv_policy_manager
-
-  plugins {
-    imv-swid {
-      rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/
-    }
-  }
 }
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat b/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat
index 913dd21..0978d12 100644
--- a/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat
@@ -11,7 +11,7 @@ alice::ipsec start
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-dave::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat
index 3bce9f6..997a481 100644
--- a/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1 
+moon::expect-connection host-host
 moon::ipsec up host-host
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat
index fab55d1..07b1760 100644
--- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat
@@ -1,4 +1,4 @@
 sun::ipsec start
 moon::cat /etc/pts/options
-moon::sleep 1
-moon::ipsec pt-tls-client --optionsfrom /etc/pts/options 
+sun::expect-connection pdp
+moon::ipsec pt-tls-client --optionsfrom /etc/pts/options
diff --git a/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat
index 14c2aaf..8c9e59a 100644
--- a/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat
@@ -15,6 +15,6 @@ moon:: cat /var/log/daemon.log::authentication of 'dave at strongswan.org' with EAP
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf
index 2284412..156a2e4 100644
--- a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf
@@ -5,6 +5,8 @@ charon {
 
   multiple_authentication = no
 
+  retransmit_tries = 5
+
   plugins {
     tnc-imc {
       preferred_language = de
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf
index 88a4ad3..c8992bd 100644
--- a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf
@@ -15,7 +15,7 @@ charon {
 }
 
 libimcv {
-  database = sqlite:///etc/pts/config.db
+  database = sqlite:///etc/db.d/config.db
   policy_script = ipsec imv_policy_manager
   plugins {
     imv-attestation {
@@ -26,5 +26,5 @@ libimcv {
 
 attest {
   load = random nonce openssl sqlite
-  database = sqlite:///etc/pts/config.db
+  database = sqlite:///etc/db.d/config.db
 }
diff --git a/testing/tests/tnc/tnccs-20-os-pts/posttest.dat b/testing/tests/tnc/tnccs-20-os-pts/posttest.dat
index 48514d6..74b902c 100644
--- a/testing/tests/tnc/tnccs-20-os-pts/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-os-pts/posttest.dat
@@ -5,4 +5,3 @@ moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
 carol::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::rm /etc/pts/config.db
diff --git a/testing/tests/tnc/tnccs-20-os-pts/pretest.dat b/testing/tests/tnc/tnccs-20-os-pts/pretest.dat
index 7a562ee..345f548 100644
--- a/testing/tests/tnc/tnccs-20-os-pts/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-os-pts/pretest.dat
@@ -4,16 +4,16 @@ dave::iptables-restore < /etc/iptables.rules
 carol::echo 0 > /proc/sys/net/ipv4/ip_forward
 dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
 moon::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql
-moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
+moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 moon::ipsec start
 dave::ipsec start
 carol::ipsec start
-dave::sleep 1
+dave::expect-connection home
 dave::ipsec up home
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
 moon::ipsec attest --sessions
 moon::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-20-os-pts/test.conf b/testing/tests/tnc/tnccs-20-os-pts/test.conf
index a8a05af..4b1c410 100644
--- a/testing/tests/tnc/tnccs-20-os-pts/test.conf
+++ b/testing/tests/tnc/tnccs-20-os-pts/test.conf
@@ -20,7 +20,6 @@ TCPDUMPHOSTS="moon"
 #
 IPSECHOSTS="moon carol dave"
 
-# Guest instances on which FreeRadius is started
+# Guest instances on which databases are used
 #
-RADIUSHOSTS=
-
+DBHOSTS="moon"
diff --git a/testing/tests/tnc/tnccs-20-os/evaltest.dat b/testing/tests/tnc/tnccs-20-os/evaltest.dat
index 1cf7ed6..2921163 100644
--- a/testing/tests/tnc/tnccs-20-os/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-os/evaltest.dat
@@ -15,6 +15,6 @@ moon:: cat /var/log/daemon.log::authentication of 'dave at strongswan.org' with EAP
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
index baa7dbb..43cf395 100644
--- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
@@ -15,11 +15,11 @@ charon {
 }
 
 libimcv {
-  database = sqlite:///etc/pts/config.db
+  database = sqlite:///etc/db.d/config.db
   policy_script = ipsec imv_policy_manager
 }
 
 attest {
   load = random nonce openssl sqlite
-  database = sqlite:///etc/pts/config.db
+  database = sqlite:///etc/db.d/config.db
 }
diff --git a/testing/tests/tnc/tnccs-20-os/posttest.dat b/testing/tests/tnc/tnccs-20-os/posttest.dat
index 48514d6..74b902c 100644
--- a/testing/tests/tnc/tnccs-20-os/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-os/posttest.dat
@@ -5,4 +5,3 @@ moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
 carol::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::rm /etc/pts/config.db
diff --git a/testing/tests/tnc/tnccs-20-os/pretest.dat b/testing/tests/tnc/tnccs-20-os/pretest.dat
index fc102ec..3c5cd32 100644
--- a/testing/tests/tnc/tnccs-20-os/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-os/pretest.dat
@@ -5,7 +5,7 @@ carol::echo 0 > /proc/sys/net/ipv4/ip_forward
 dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
 moon::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql
 moon::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql
-moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
+moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-os/test.conf b/testing/tests/tnc/tnccs-20-os/test.conf
index a8a05af..f4fd4dc 100644
--- a/testing/tests/tnc/tnccs-20-os/test.conf
+++ b/testing/tests/tnc/tnccs-20-os/test.conf
@@ -20,7 +20,6 @@ TCPDUMPHOSTS="moon"
 #
 IPSECHOSTS="moon carol dave"
 
-# Guest instances on which FreeRadius is started
+# Guest instances on which databases are used
 #
-RADIUSHOSTS=
-
+DBHOSTS="moon"
\ No newline at end of file
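Review bot: The new `DBHOSTS="moon"` line ends the file without a trailing newline, as the `\ No newline at end of file` marker shows. The otherwise identical change to tnccs-20-os-pts/test.conf does not have this problem. End the file with a newline so that anything reading it line by line or appending to it does not mangle the last assignment.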
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
index f744453..d373eb3 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
@@ -24,6 +24,6 @@ moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP succe
 moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
 moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini
index 5e7b7b5..ea9cbbe 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini
@@ -5,7 +5,7 @@ DEBUG_TOOLBAR=0
 
 [db]
 DJANGO_DB_URL=sqlite:////var/www/tnc/django.db
-STRONGTNC_DB_URL = sqlite:////etc/pts/config.db
+STRONGTNC_DB_URL = sqlite:////etc/db.d/config.db
 
 [localization]
 LANGUAGE_CODE=en-us
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf
index 1c34f51..48d5d70 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf
@@ -24,7 +24,7 @@ charon {
 
 libimcv {
   debug_level = 3 
-  database = sqlite:///etc/pts/config.db
+  database = sqlite:///etc/db.d/config.db
   policy_script = ipsec imv_policy_manager
 
   plugins {
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf
index ee16a4c..8aa2ab9 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf
@@ -3,6 +3,8 @@
 charon {
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
+  retransmit_timeout =
+
   plugins {
     eap-ttls {
       max_message_count = 0
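Review bot: The added `retransmit_timeout =` has no value and no comment, so it reads like a truncated line rather than a deliberate setting. If the intent is to clear a value inherited from a shared testing configuration (not visible in this hunk), say so next to it, e.g. `# intentionally empty: clears the retransmit_timeout set in the shared test defaults`. The same bare assignment is added in the strongswan.conf hunks for dave in this test, dave in tnccs-20-pts-no-ecc, and dave and moon in tnccs-20-pts. The charon section continues past the end of the hunk.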
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf
index dd7d160..aea7a71 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf
@@ -3,7 +3,9 @@
 charon {
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
-  plugins {    
+  retransmit_timeout =
+
+  plugins {
    eap-ttls {
       max_message_count = 0
     }
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat
index 1e5c3f8..fe9f59e 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat
@@ -3,7 +3,6 @@ carol::ipsec stop
 dave::ipsec stop
 alice::ipsec stop
 alice::service apache2 stop
-alice::rm /etc/pts/config.db
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat
index ca3c559..4b8d3f0 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat
@@ -8,15 +8,16 @@ carol::echo 0 > /proc/sys/net/ipv4/ip_forward
 dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
 alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql
 alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql
-alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
-alice::chgrp www-data /etc/pts/config.db; chmod g+w /etc/pts/config.db
+alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db
+alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db
 alice::/var/www/tnc/manage.py setpassword strongSwan strongSwan
 alice::service apache2 start
 alice::ipsec start
 moon::ipsec start
 dave::ipsec start
 carol::ipsec start
-carol::sleep 1
+dave::expect-connection home
 dave::ipsec up home
+carol::expect-connection home
 carol::ipsec up home
 carol::sleep 1
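Review bot: `chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db` applies `-R` to a single regular file, where recursion does nothing. If the goal is to let the web server group write the database and the journal SQLite creates beside it, the target is presumably the directory, `chgrp -R www-data /etc/db.d; chmod -R g+w /etc/db.d`. Otherwise drop `-R`, so the line does not suggest a wider permission change than it makes. Either way, a short comment stating which of the two is intended would keep group write access for www-data scoped deliberately. The same line is added in tnccs-20-pdp-pt-tls/pretest.dat.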
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/test.conf b/testing/tests/tnc/tnccs-20-pdp-eap/test.conf
index c4ca1a1..345e911 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/test.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/test.conf
@@ -20,7 +20,7 @@ TCPDUMPHOSTS="moon"
 #
 IPSECHOSTS="moon carol dave alice"
 
-# Guest instances on which FreeRadius is started
+# Guest instances on which databases are used
 #
-RADIUSHOSTS=
+DBHOSTS="alice"
 
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini
index 5e7b7b5..ea9cbbe 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini
@@ -5,7 +5,7 @@ DEBUG_TOOLBAR=0
 
 [db]
 DJANGO_DB_URL=sqlite:////var/www/tnc/django.db
-STRONGTNC_DB_URL = sqlite:////etc/pts/config.db
+STRONGTNC_DB_URL = sqlite:////etc/db.d/config.db
 
 [localization]
 LANGUAGE_CODE=en-us
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf
index 857e6d6..5fa49e7 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf
@@ -18,7 +18,7 @@ libtls {
 }
 
 libimcv {
-  database = sqlite:///etc/pts/config.db
+  database = sqlite:///etc/db.d/config.db
   policy_script = ipsec imv_policy_manager
 
   plugins {
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat
index b7da857..2f45a14 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat
@@ -3,7 +3,6 @@ dave::ip route del 10.1.0.0/16 via 192.168.0.1
 winnetou::ip route del 10.1.0.0/16 via 192.168.0.1
 alice::ipsec stop
 alice::service apache2 stop
-alice::rm /etc/pts/config.db
 alice::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat
index eed7967..e14ba89 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat
@@ -8,12 +8,12 @@ dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
 dave::cat /etc/tnc_config
 alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql
 alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql
-alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
-alice::chgrp www-data /etc/pts/config.db; chmod g+w /etc/pts/config.db
+alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db
+alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db
 alice::/var/www/tnc/manage.py setpassword strongSwan strongSwan
 alice::service apache2 start
 alice::ipsec start
-alice::sleep 1
+alice::expect-connection aaa
 winnetou::ip route add 10.1.0.0/16 via 192.168.0.1
 dave::ip route add 10.1.0.0/16 via 192.168.0.1
 dave::cat /etc/pts/options
@@ -21,4 +21,3 @@ dave::ipsec pt-tls-client --optionsfrom /etc/pts/options
 carol::ip route add 10.1.0.0/16 via 192.168.0.1
 carol::cat /etc/pts/options
 carol::ipsec pt-tls-client --optionsfrom /etc/pts/options
-carol::sleep 1
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf
index 5f4f8e7..baeceb9 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf
@@ -20,7 +20,6 @@ TCPDUMPHOSTS="moon"
 #
 IPSECHOSTS="carol moon dave alice"
 
-# Guest instances on which FreeRadius is started
+# Guest instances on which databases are used
 #
-RADIUSHOSTS=
-
+DBHOSTS="alice"
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat
index 14c2aaf..8c9e59a 100644
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat
@@ -15,6 +15,6 @@ moon:: cat /var/log/daemon.log::authentication of 'dave at strongswan.org' with EAP
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf
index e67223b..c69f945 100644
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf
@@ -3,6 +3,8 @@
 charon {
   load = aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 curl revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
+  retransmit_timeout =
+
   multiple_authentication = no
 
   plugins {
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf
index e72ab09..38b2e2e 100644
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf
@@ -15,7 +15,7 @@ charon {
 }
 
 libimcv {
-  database = sqlite:///etc/pts/config.db
+  database = sqlite:///etc/db.d/config.db
   policy_script = ipsec imv_policy_manager
   plugins {
     imv-attestation {
@@ -28,5 +28,5 @@ libimcv {
 
 attest {
   load = random nonce openssl sqlite
-  database = sqlite:///etc/pts/config.db
+  database = sqlite:///etc/db.d/config.db
 }
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat
index 48514d6..74b902c 100644
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat
@@ -5,4 +5,3 @@ moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
 carol::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::rm /etc/pts/config.db
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat
index 7a562ee..345f548 100644
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat
@@ -4,16 +4,16 @@ dave::iptables-restore < /etc/iptables.rules
 carol::echo 0 > /proc/sys/net/ipv4/ip_forward
 dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
 moon::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql
-moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
+moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 moon::ipsec start
 dave::ipsec start
 carol::ipsec start
-dave::sleep 1
+dave::expect-connection home
 dave::ipsec up home
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
 moon::ipsec attest --sessions
 moon::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf
index a8a05af..2fd3139 100644
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf
@@ -20,7 +20,7 @@ TCPDUMPHOSTS="moon"
 #
 IPSECHOSTS="moon carol dave"
 
-# Guest instances on which FreeRadius is started
+# Guest instances on which databases are used
 #
-RADIUSHOSTS=
+DBHOSTS="moon"
 
diff --git a/testing/tests/tnc/tnccs-20-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-pts/evaltest.dat
index 0bf4f2b..d677563 100644
--- a/testing/tests/tnc/tnccs-20-pts/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pts/evaltest.dat
@@ -15,6 +15,6 @@ moon:: cat /var/log/daemon.log::authentication of 'dave at strongswan.org' with EAP
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.200/32::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf
index 3c41f15..b6c9ab6 100644
--- a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf
@@ -3,6 +3,8 @@
 charon {
   load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
+  retransmit_timeout =
+
   multiple_authentication = no
   plugins {
     tnc-imc {
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf
index 88a4ad3..d9d0624 100644
--- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf
@@ -3,6 +3,8 @@
 charon {
   load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
 
+  retransmit_timeout =
+
   multiple_authentication = no
 
   plugins {
@@ -15,7 +17,7 @@ charon {
 }
 
 libimcv {
-  database = sqlite:///etc/pts/config.db
+  database = sqlite:///etc/db.d/config.db
   policy_script = ipsec imv_policy_manager
   plugins {
     imv-attestation {
@@ -26,5 +28,5 @@ libimcv {
 
 attest {
   load = random nonce openssl sqlite
-  database = sqlite:///etc/pts/config.db
+  database = sqlite:///etc/db.d/config.db
 }
diff --git a/testing/tests/tnc/tnccs-20-pts/posttest.dat b/testing/tests/tnc/tnccs-20-pts/posttest.dat
index 48514d6..74b902c 100644
--- a/testing/tests/tnc/tnccs-20-pts/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-pts/posttest.dat
@@ -5,4 +5,3 @@ moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
 carol::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::rm /etc/pts/config.db
diff --git a/testing/tests/tnc/tnccs-20-pts/pretest.dat b/testing/tests/tnc/tnccs-20-pts/pretest.dat
index 7a562ee..345f548 100644
--- a/testing/tests/tnc/tnccs-20-pts/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-pts/pretest.dat
@@ -4,16 +4,16 @@ dave::iptables-restore < /etc/iptables.rules
 carol::echo 0 > /proc/sys/net/ipv4/ip_forward
 dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
 moon::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql
-moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
+moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 moon::ipsec start
 dave::ipsec start
 carol::ipsec start
-dave::sleep 1
+dave::expect-connection home
 dave::ipsec up home
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
 moon::ipsec attest --sessions
 moon::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-20-pts/test.conf b/testing/tests/tnc/tnccs-20-pts/test.conf
index a8a05af..2fd3139 100644
--- a/testing/tests/tnc/tnccs-20-pts/test.conf
+++ b/testing/tests/tnc/tnccs-20-pts/test.conf
@@ -20,7 +20,7 @@ TCPDUMPHOSTS="moon"
 #
 IPSECHOSTS="moon carol dave"
 
-# Guest instances on which FreeRadius is started
+# Guest instances on which databases are used
 #
-RADIUSHOSTS=
+DBHOSTS="moon"
 
diff --git a/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat b/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat
index bac7294..c69940c 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat
@@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'dave at strongswan.org' with EAP
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
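Review bot: The two `::NO` checks touched here look for a reply from the wrong host: carol's ping to PH_IP_VENUS is matched against `64 bytes from PH_IP_ALICE`, and dave's ping to PH_IP_ALICE against `64 bytes from PH_IP_VENUS`. Assuming the harness treats NO as "pattern must not appear in the output", both checks pass even when the host that should be blocked answers, so the allow/isolate separation is not actually verified. The pattern should name the pinged host, as tnccs-20-pdp-eap/evaltest.dat does: `carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO` and `dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO`. The same mismatch is carried through the evaltest.dat hunks for tnccs-20-tls, tnccs-20 and tnccs-dynamic.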
diff --git a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat
index b2b243b..8562203 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat
@@ -5,9 +5,9 @@ moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 moon::ipsec start
-carol::ipsec start 
-dave::ipsec start 
-carol::sleep 1
+carol::ipsec start
+dave::ipsec start
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-20-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-tls/evaltest.dat
index 40d5e24..fe1becb 100644
--- a/testing/tests/tnc/tnccs-20-tls/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-tls/evaltest.dat
@@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-20-tls/pretest.dat b/testing/tests/tnc/tnccs-20-tls/pretest.dat
index cac1cfa..8562203 100644
--- a/testing/tests/tnc/tnccs-20-tls/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-tls/pretest.dat
@@ -7,7 +7,7 @@ dave::cat /etc/tnc_config
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-20/evaltest.dat b/testing/tests/tnc/tnccs-20/evaltest.dat
index bac7294..c69940c 100644
--- a/testing/tests/tnc/tnccs-20/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20/evaltest.dat
@@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'dave at strongswan.org' with EAP
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-20/pretest.dat b/testing/tests/tnc/tnccs-20/pretest.dat
index b2b243b..8562203 100644
--- a/testing/tests/tnc/tnccs-20/pretest.dat
+++ b/testing/tests/tnc/tnccs-20/pretest.dat
@@ -5,9 +5,9 @@ moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 moon::ipsec start
-carol::ipsec start 
-dave::ipsec start 
-carol::sleep 1
+carol::ipsec start
+dave::ipsec start
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-dynamic/evaltest.dat b/testing/tests/tnc/tnccs-dynamic/evaltest.dat
index 4052983..3d0c554 100644
--- a/testing/tests/tnc/tnccs-dynamic/evaltest.dat
+++ b/testing/tests/tnc/tnccs-dynamic/evaltest.dat
@@ -21,7 +21,7 @@ moon:: cat /var/log/daemon.log::removed TNCCS Connection ID 2::YES
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-dynamic/pretest.dat b/testing/tests/tnc/tnccs-dynamic/pretest.dat
index 60775a1..927b89d 100644
--- a/testing/tests/tnc/tnccs-dynamic/pretest.dat
+++ b/testing/tests/tnc/tnccs-dynamic/pretest.dat
@@ -7,7 +7,7 @@ dave::cat /etc/tnc_config
 moon::LEAK_DETECTIVE_DISABLE=1 ipsec start
 carol::LEAK_DETECTIVE_DISABLE=1 ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-swan/strongswan.git


